HPE FlexNetwork MSR Router Series - …h20628. FlexNetwork MSR Router Series ... Configuring Option...

HPE FlexNetwork MSR Router Series Comware 7 Layer 3—IP Services Configuration Guide Part number: 5998-8693a Software version: CMW710-R0305 Document version: 6PW105-20160126

© Copyright 2015, 2016 Hewlett Packard Enterprise Development LP

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.

Microsoft® and Windows® are trademarks of the Microsoft group of companies.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

Configuring ARP

Overview
ARP message format
ARP operating mechanism
ARP table
Configuring a static ARP entry
Setting the maximum number of dynamic ARP entries for a device
Setting the maximum number of dynamic ARP entries for an interface
Setting the aging timer for dynamic ARP entries
Enabling dynamic ARP entry check
Enabling ARP logging
Displaying and maintaining ARP
Configuration examples
Long static ARP entry configuration example
Short static ARP entry configuration example

Configuring gratuitous ARP

Overview
Gratuitous ARP packet learning
Periodic sending of gratuitous ARP packets
Configuration procedure
Enabling IP conflict notification

Configuring proxy ARP

Enabling common proxy ARP
Enabling local proxy ARP
Displaying proxy ARP
Common proxy ARP configuration example
Network requirements
Configuration procedure
Verifying the configuration

Configuring ARP fast-reply

Overview
Configuration procedure
ARP fast-reply configuration example
Network requirements
Configuration procedure

Configuring ARP PnP

Overview
Configuration prerequisites
Configuration procedure
Displaying and maintaining ARP PnP
ARP PnP configuration example
Network requirements
Configuration procedure
Verifying the configuration

Configuring ARP suppression

Overview
Configuration procedure
Displaying and maintaining ARP suppression
ARP suppression configuration example
Network requirements
Configuration procedure
Verifying the configuration

Configuring ARP direct route advertisement

Overview
Configuration procedure

Configuring IP addressing

Overview
IP address classes
Special IP addresses
Subnetting and masking
Assigning an IP address to an interface
Configuration guidelines
Configuration procedure
Configuring IP unnumbered
Configuration guidelines
Configuration prerequisites
Configuration procedure
Displaying and maintaining IP addressing
Configuration examples
IP address configuration example
IP unnumbered configuration example

DHCP overview

DHCP address allocation
Allocation mechanisms
IP address allocation process
IP address lease extension
DHCP message format
DHCP options
Common DHCP options
Custom DHCP options
Protocols and standards

Configuring the DHCP server

Overview
DHCP address pool
IP address allocation sequence
DHCP server configuration task list
Configuring an address pool on the DHCP server
Configuration task list
Creating a DHCP address pool
Specifying IP address ranges for a DHCP address pool
Specifying gateways for DHCP clients
Specifying a domain name suffix for DHCP clients
Specifying DNS servers for DHCP clients
Specifying WINS servers and NetBIOS node type for DHCP clients
Specifying BIMS server for DHCP clients
Specifying the configuration file for DHCP client auto-configuration
Specifying a server for DHCP clients
Configuring Option 184 parameters for DHCP clients
Customizing DHCP options
Configuring the DHCP user class whitelist
Enabling DHCP
Enabling the DHCP server on an interface
Applying an address pool on an interface
Configuring IP address conflict detection
Enabling handling of Option 82
Configuring DHCP server compatibility
Configuring the DHCP server to broadcast all responses
Configure the DHCP server to ignore BOOTP requests
Configuring the DHCP server to send BOOTP responses in RFC 1048 format
Setting the DSCP value for DHCP packets sent by the DHCP server

Configuring DHCP binding auto backup
Configuring address pool usage alarming
Binding gateways to a common MAC address
Advertising subnets assigned to clients
Applying a DHCP address pool to a VPN instance
Enabling client offline detection on the DHCP server
Configuring DHCP logging on the DHCP server
Displaying and maintaining the DHCP server
DHCP server configuration examples
Static IP address assignment configuration example
Dynamic IP address assignment configuration example
DHCP user class configuration example
DHCP user class whitelist configuration example
Primary and secondary subnets configuration example
DHCP option customization configuration example
Troubleshooting DHCP server configuration
Symptom
Analysis
Solution

Configuring the DHCP relay agent

Overview
Operation
DHCP relay agent support for Option 82
DHCP relay agent configuration task list
Enabling DHCP
Enabling the DHCP relay agent on an interface
Specifying DHCP servers on a relay agent
Configuring the DHCP relay agent security functions
Enabling the DHCP relay agent to record relay entries
Enabling periodic refresh of dynamic relay entries
Enabling DHCP starvation attack protection
Configuring the DHCP relay agent to release an IP address
Configuring Option 82
Setting the DSCP value for DHCP packets sent by the DHCP relay agent
Enabling DHCP server proxy on a DHCP relay agent
Configuring a DHCP relay address pool
Specifying a gateway address for DHCP clients
Enabling client offline detection on the DHCP relay agent
Specifying the source address and gateway address in DHCP requests
Displaying and maintaining the DHCP relay agent
DHCP relay agent configuration examples
DHCP relay agent configuration example
Option 82 configuration example
Troubleshooting DHCP relay agent configuration
Symptom
Analysis
Solution

Configuring the DHCP client

Enabling the DHCP client on an interface
Configuring a DHCP client ID for an interface
Enabling duplicated address detection
Setting the DSCP value for DHCP packets sent by the DHCP client
Displaying and maintaining the DHCP client
DHCP client configuration example
Network requirements
Configuration procedure
Verifying the configuration

Configuring DHCP snooping

Overview

Application of trusted and untrusted ports ································································································ 84 DHCP snooping support for Option 82 ····································································································· 85

Command and hardware compatibility ············································································································· 85 DHCP snooping configuration task list ············································································································· 85 Configuring basic DHCP snooping ·················································································································· 86 Configuring Option 82 ······································································································································ 86 Configuring DHCP snooping entry auto backup ······························································································ 87 Enabling DHCP starvation attack protection ···································································································· 88 Enabling DHCP-REQUEST attack protection ·································································································· 89 Setting the maximum number of DHCP snooping entries ··············································································· 89 Displaying and maintaining DHCP snooping ··································································································· 90 DHCP snooping configuration examples ········································································································· 90

Basic DHCP snooping configuration example ························································································· 90 Option 82 configuration example ············································································································· 91

Configuring the BOOTP client ······································································· 93

BOOTP application ·········································································································································· 93 Obtaining an IP address dynamically ··············································································································· 93 Protocols and standards ·································································································································· 93 Configuring an interface to use BOOTP for IP address acquisition ································································· 93 Displaying and maintaining BOOTP client ······································································································· 94 BOOTP client configuration example ··············································································································· 94

Network requirements ······························································································································ 94 Configuration procedure ··························································································································· 94 Verifying the configuration ························································································································ 94

Configuring DNS ··· 95

Overview ··· 95
Static domain name resolution ··· 95
Dynamic domain name resolution ··· 95
DNS proxy ··· 96
DNS spoofing ··· 97
DNS configuration task list ··· 98
Configuring the IPv4 DNS client ··· 98
Configuring static domain name resolution ··· 98
Configuring dynamic domain name resolution ··· 99
Configuring the IPv6 DNS client ··· 99
Configuring static domain name resolution ··· 99
Configuring dynamic domain name resolution ··· 100
Configuring the DNS proxy ··· 101
Configuring DNS spoofing ··· 101
Configuring network mode tracking for an output interface ··· 102
Specifying the source interface for DNS packets ··· 102
Configuring the DNS trusted interface ··· 103
Setting the DSCP value for outgoing DNS packets ··· 103
Displaying and maintaining IPv4 DNS ··· 103
IPv4 DNS configuration examples ··· 104
Static domain name resolution configuration example ··· 104
Dynamic domain name resolution configuration example ··· 105
DNS proxy configuration example ··· 107
IPv6 DNS configuration examples ··· 108
Static domain name resolution configuration example ··· 108
Dynamic domain name resolution configuration example ··· 109
DNS proxy configuration example ··· 114
Troubleshooting IPv4 DNS configuration ··· 115
Symptom ··· 115
Solution ··· 115
Troubleshooting IPv6 DNS configuration ··· 115
Symptom ··· 115
Solution ··· 115


Configuring DDNS ··· 116

Overview ··· 116
DDNS application ··· 116
DDNS client configuration task list ··· 117
Configuring a DDNS policy ··· 117
Configuration prerequisites ··· 118
Configuration procedure ··· 118
Applying the DDNS policy to an interface ··· 119
Setting the DSCP value for outgoing DDNS packets ··· 119
Displaying DDNS ··· 120
DDNS configuration examples ··· 120
DDNS configuration example with www.3322.org ··· 120
DDNS configuration example with PeanutHull server ··· 121

Configuring NAT ··· 123

Overview ··· 123
Terminology ··· 123
NAT types ··· 123
NAT control ··· 124
Command and hardware compatibility ··· 124
NAT implementations ··· 124
Static NAT ··· 124
Dynamic NAT ··· 124
NAT Server ··· 125
DS-Lite NAT444 ··· 126
NAT entries ··· 126
NAT session entry ··· 126
EIM entry ··· 127
NO-PAT entry ··· 127
Using NAT with other features ··· 127
VRF-aware NAT ··· 127
NAT with DNS mapping ··· 128
NAT with ALG ··· 128
NAT configuration task list ··· 129
Configuring static NAT ··· 129
Configuration prerequisites ··· 129
Configuring outbound one-to-one static NAT ··· 129
Configuring outbound net-to-net static NAT ··· 130
Configuring inbound one-to-one static NAT ··· 130
Configuring inbound net-to-net static NAT ··· 131
Configuring dynamic NAT ··· 131
Configuration restrictions and guidelines ··· 132
Configuration prerequisites ··· 132
Configuring outbound dynamic NAT ··· 132
Configuring inbound dynamic NAT ··· 133
Configuring NAT Server ··· 134
Configuring common NAT Server ··· 134
Configuring load sharing NAT Server ··· 135
Configuring ACL-based NAT Server ··· 136
Configuring DS-Lite NAT444 ··· 136
Configuring NAT with DNS mapping ··· 137
Configuring NAT hairpin ··· 137
Configuring NAT with ALG ··· 138
Configuring NAT session logging ··· 138
Displaying and maintaining NAT ··· 138
NAT configuration examples ··· 140
Outbound one-to-one static NAT configuration example ··· 140
Outbound dynamic NAT configuration example (non-overlapping addresses) ··· 141
Outbound bidirectional NAT configuration example ··· 144
NAT Server for external-to-internal access configuration example ··· 147
NAT Server for external-to-internal access through domain name configuration example ··· 150


Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example ··· 153
NAT hairpin in C/S mode configuration example ··· 156
NAT hairpin in P2P mode configuration example ··· 159
Twice NAT configuration example ··· 162
Load sharing NAT Server configuration example ··· 165
NAT with DNS mapping configuration example ··· 167
DS-Lite NAT444 configuration example ··· 170

Basic IP forwarding on the device ··· 173

FIB table ··· 173
Displaying FIB table entries ··· 174

Configuring load sharing ··· 175

Command and hardware compatibility ··· 175
Configuring per-packet or per-flow load sharing ··· 175
Configuring load sharing based on bandwidth ··· 176

Configuring fast forwarding ··· 177

Overview ··· 177
Command and hardware compatibility ··· 177
Configuring the aging time for fast forwarding entries ··· 177
Configuring fast forwarding load sharing ··· 177
Displaying and maintaining fast forwarding ··· 178

Configuring flow classification ··· 179

Feature and hardware compatibility ··· 179
Specifying a flow classification policy ··· 179

Displaying the adjacency table ··· 180

Overview ··· 180
Command and hardware compatibility ··· 181
Displaying commands ··· 181

Configuring IRDP ··· 182

Overview ··· 182
IRDP operation ··· 182
Basic concepts ··· 182
Protocols and standards ··· 183
Configuration procedure ··· 183
IRDP configuration example ··· 184
Network requirements ··· 184
Configuration procedure ··· 184
Verifying the configuration ··· 185

Optimizing IP performance ··· 186

Command and hardware compatibility ··· 186
Enabling an interface to receive and forward directed broadcasts destined for the directly connected network ··· 186
Configuration procedure ··· 186
Configuration example ··· 187
Configuring MTU for an interface ··· 188
Configuring TCP MSS for an interface ··· 188
Configuring TCP path MTU discovery ··· 188
Enabling TCP SYN Cookie ··· 189
Configuring the TCP buffer size ··· 190
Configuring TCP timers ··· 190
Enabling sending ICMP error messages ··· 190
Configuring rate limit for ICMP error messages ··· 192
Specifying the source address for ICMP packets ··· 192
Enabling IPv4 local fragment reassembly ··· 193
Displaying and maintaining IP performance optimization ··· 193


Configuring UDP helper ··· 196

Overview ··· 196
Feature and hardware compatibility ··· 196
Configuration restrictions and guidelines ··· 196
Configuring UDP helper to convert broadcast to unicast ··· 196
Configuring UDP helper to convert broadcast to multicast ··· 197
Configuring UDP helper to convert multicast to broadcast or unicast ··· 198
Displaying and maintaining UDP helper ··· 199
UDP helper configuration examples ··· 199
Configuring UDP helper to convert broadcast to unicast ··· 199
Configuring UDP helper to convert broadcast to multicast ··· 200
Configuring UDP helper to convert multicast to broadcast ··· 201

Configuring basic IPv6 settings ··· 202

Overview ··· 202
IPv6 features ··· 202
IPv6 addresses ··· 203
IPv6 ND protocol ··· 205
IPv6 path MTU discovery ··· 207
IPv6 transition technologies ··· 208
Dual stack ··· 208
Tunneling ··· 208
NAT-PT ··· 209
6PE ··· 209
Protocols and standards ··· 209
Compatibility information ··· 210
Command and hardware compatibility ··· 210
IPv6 basics configuration task list ··· 210
Assigning IPv6 addresses to interfaces ··· 211
Configuring an IPv6 global unicast address ··· 211
Configuring an IPv6 link-local address ··· 213
Configuring an IPv6 anycast address ··· 214
Configuring IPv6 ND ··· 214
Configuring a static neighbor entry ··· 214
Setting the maximum number of dynamic neighbor entries ··· 215
Setting the aging timer for ND entries in stale state ··· 215
Minimizing link-local ND entries ··· 216
Setting the hop limit ··· 216
Configuring parameters for RA messages ··· 216
Configuring the maximum number of attempts to send an NS message for DAD ··· 218
Enabling ND proxy ··· 219
Configuring IPv6 ND suppression ··· 220
Configuring IPv6 ND direct route advertisement ··· 221
Configuring path MTU discovery ··· 222
Configuring the interface MTU ··· 222
Configuring a static path MTU for an IPv6 address ··· 223
Configuring the aging time for dynamic path MTUs ··· 223
Controlling sending ICMPv6 messages ··· 223
Configuring the rate limit for ICMPv6 error messages ··· 223
Enabling replying to multicast echo requests ··· 224
Enabling sending ICMPv6 destination unreachable messages ··· 224
Enabling sending ICMPv6 time exceeded messages ··· 225
Enabling sending ICMPv6 redirect messages ··· 225
Specifying the source address for ICMPv6 packets ··· 225
Enabling IPv6 local fragment reassembly ··· 226
Configuring IPv6 load sharing based on bandwidth ··· 226
Displaying and maintaining IPv6 basics ··· 227
IPv6 configuration examples ··· 230
Basic IPv6 configuration example ··· 230
IPv6 ND suppression configuration example ··· 234
Troubleshooting IPv6 basics configuration ··· 235


Symptom ··· 235
Solution ··· 235

DHCPv6 overview ··· 236

Feature and hardware compatibility ··· 236
DHCPv6 address/prefix assignment ··· 236
Rapid assignment involving two messages ··· 236
Assignment involving four messages ··· 236
Address/prefix lease renewal ··· 237
Stateless DHCPv6 ··· 238
Protocols and standards ··· 238

Configuring the DHCPv6 server

Overview
IPv6 address assignment
IPv6 prefix assignment
Concepts
DHCPv6 address pool
IPv6 address/prefix allocation sequence
Configuration task list
Configuring IPv6 prefix assignment
Configuration guidelines
Configuration procedure
Configuring IPv6 address assignment
Configuration guidelines
Configuration procedure
Configuring network parameters assignment
Configuring network parameters in a DHCPv6 address pool
Configuring network parameters in a DHCPv6 option group
Configuring the DHCPv6 server on an interface
Configuration guidelines
Configuration procedure
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server
Configuring DHCPv6 binding auto backup
Advertising subnets assigned to clients
Applying a DHCPv6 address pool to a VPN instance
Configuring DHCPv6 logging on the DHCPv6 server
Displaying and maintaining the DHCPv6 server
DHCPv6 server configuration examples
Dynamic IPv6 prefix assignment configuration example
Dynamic IPv6 address assignment configuration example

Configuring the DHCPv6 relay agent

Overview
DHCPv6 relay agent configuration task list
Enabling the DHCPv6 relay agent on an interface
Specifying DHCPv6 servers on the relay agent
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent
Specifying a padding mode for the Interface-ID option
Configuring a DHCPv6 relay address pool
Specifying a gateway address for DHCPv6 clients
Displaying and maintaining the DHCPv6 relay agent
DHCPv6 relay agent configuration example
Network requirements
Configuration procedure
Verifying the configuration

Configuring the DHCPv6 client

Overview
Configuration restrictions and guidelines
DHCPv6 client configuration task list
Configuring IPv6 address acquisition

Configuring IPv6 prefix acquisition
Configuring IPv6 address and prefix acquisition
Configuring stateless DHCPv6
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client
Displaying and maintaining DHCPv6 client
DHCPv6 client configuration examples
IPv6 address acquisition configuration example
IPv6 prefix acquisition configuration example
IPv6 address and prefix acquisition configuration example
Stateless DHCPv6 configuration example

Configuring DHCPv6 snooping

Overview
Application of trusted and untrusted ports
Command and hardware compatibility
Implementation of Option 18 and Option 37
Option 18 for DHCPv6 snooping
DHCPv6 snooping support for Option 37
DHCPv6 snooping configuration task list
Configuring basic DHCPv6 snooping
Configuring Option 18 and Option 37
Configuring DHCPv6 snooping entry auto backup
Setting the maximum number of DHCPv6 snooping entries
Enabling DHCPv6-REQUEST check
Displaying and maintaining DHCPv6 snooping
DHCPv6 snooping configuration example
Network requirements
Configuration procedure
Verifying the configuration

Configuring IPv6 fast forwarding

Overview
Compatibility information
Command and hardware compatibility
Configuring the aging time for IPv6 fast forwarding entries
Configuring IPv6 fast forwarding load sharing
Displaying and maintaining IPv6 fast forwarding

Configuring tunneling

Overview
IPv6 over IPv4 tunneling
IPv4 over IPv4 tunneling
IPv4 over IPv6 tunneling
IPv6 over IPv6 tunneling
Protocols and standards
Compatibility information
Feature and hardware compatibility
Command and hardware compatibility
Tunneling configuration task list
Configuring a tunnel interface
Configuring an IPv6 over IPv4 manual tunnel
Configuration example
Configuring an automatic IPv4-compatible IPv6 tunnel
Configuration example
Configuring a 6to4 tunnel
6to4 tunnel configuration example
6to4 relay configuration example
Configuring an ISATAP tunnel
Configuration example
Configuring an IPv4 over IPv4 tunnel
Configuration example
Configuring an IPv4 over IPv6 manual tunnel

Configuration example
Configuring a DS-Lite tunnel
Configuration example
Configuring an IPv6 over IPv6 tunnel
Configuration example
Displaying and maintaining tunneling configuration
Troubleshooting tunneling configuration
Symptom
Analysis
Solution

Configuring GRE

Overview
GRE encapsulation format
GRE tunnel operating principle
GRE security mechanisms
GRE application scenarios
Protocols and standards
Configuring a GRE/IPv4 tunnel
Configuration guidelines
Configuration procedure
Configuring a GRE/IPv6 tunnel
Configuration guidelines
Configuration procedure
Displaying and maintaining GRE
GRE configuration examples
Configuring an IPv4 over IPv4 GRE tunnel
Configuring an IPv4 over IPv6 GRE tunnel
Troubleshooting GRE
Symptom
Analysis
Solution

Configuring ADVPN

Overview
ADVPN structures
How ADVPN operates
NAT traversal
ADVPN configuration task list
Configuring AAA
Configuring the VAM server
Creating an ADVPN domain
Enabling the VAM server
Configuring a pre-shared key for the VAM server
Configuring hub groups
Configuring the port number of the VAM server
Specifying authentication and encryption algorithms for the VAM server
Configuring an authentication method
Configuring keepalive parameters
Configuring the retry timer
Configuring the VAM client
Creating a VAM client
Enabling VAM clients
Specifying VAM servers
Specifying an ADVPN domain for a VAM client
Configuring a pre-shared key for a VAM client
Setting the retry timer and retry times for a VAM client
Setting the dumb timer for a VAM client
Configuring a username and password for a VAM client
Configuring an ADVPN tunnel interface
Configuring routing
Configuring IPsec for ADVPN tunnels

Displaying and maintaining ADVPN
ADVPN configuration examples
IPv4 full-mesh ADVPN configuration example
IPv6 full-mesh ADVPN configuration example
IPv4 hub-spoke ADVPN configuration example
IPv6 hub-spoke ADVPN configuration example
IPv4 multi-hub-group ADVPN configuration example
IPv6 multi-hub-group ADVPN configuration example
IPv4 full-mesh NAT traversal ADVPN configuration example

Configuring WAAS

Overview
TFO
DRE
LZ compression
Command and hardware compatibility
Protocols and standards
WAAS configuration task list
Configuring a WAAS class
Configuring a WAAS policy
Applying a WAAS policy to an interface
Configuring TFO parameters
Configuring the TFO blacklist autodiscovery feature
Deleting all WAAS settings
Restoring predefined WAAS settings
Displaying and maintaining WAAS
WAAS configuration examples
Predefined WAAS policy configuration example
User-defined WAAS policy configuration example

Configuring AFT

Overview
Compatibility information
Command and hardware compatibility
AFT implementations
Static AFT
Dynamic AFT
Prefix translation
AFT internal server
AFT translation process
For IPv6-initiated communication
For IPv4-initiated communication
AFT with ALG
AFT configuration task list
For IPv6-initiated communication
For IPv4-initiated communication
Enabling AFT
Configuring an IPv6-to-IPv4 destination address translation policy
Configuring an IPv6-to-IPv4 source address translation policy
Configuring an IPv4-to-IPv6 destination address translation policy
Configuring an IPv4-to-IPv6 source address translation policy
Configuring AFT logging
Setting the ToS field to 0 for translated IPv4 packets
Setting the Traffic Class field to 0 for translated IPv6 packets
Displaying and maintaining AFT
AFT configuration examples
Allowing IPv4 Internet access from an IPv6 network
Providing FTP service from an IPv6 network to the IPv4 Internet
Allowing mutual access between IPv4 and IPv6 networks
Allowing IPv6 Internet access from an IPv4 network
Providing FTP service from an IPv4 network to the IPv6 Internet


Document conventions and icons
  Conventions
  Network topology icons

Support and other resources
  Accessing Hewlett Packard Enterprise Support
  Accessing updates
    Websites
    Customer self repair
    Remote support
    Documentation feedback

Index


Configuring ARP

Overview
ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format
ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

• Hardware type—Hardware address type. The value 1 represents Ethernet.
• Protocol type—Type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.
• Hardware address length and protocol address length—Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.
• OP—Operation code, which describes the type of ARP message. The value 1 represents an ARP request, and the value 2 represents an ARP reply.
• Sender hardware address—Hardware address of the device sending the message.
• Sender protocol address—Protocol address of the device sending the message.
• Target hardware address—Hardware address of the device to which the message is being sent.
• Target protocol address—Protocol address of the device to which the message is being sent.

ARP operating mechanism
As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as follows:
1. Host A looks through the ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame. Then Host A sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the following information:
   • Sender IP address and sender MAC address—Host A's IP address and MAC address.
   • Target IP address—Host B's IP address.
   • Target MAC address—An all-zero MAC address.


   All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.
3. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows:
   a. Adds the sender IP address and sender MAC address into its ARP table.
   b. Encapsulates its MAC address into an ARP reply.
   c. Unicasts the ARP reply to Host A.
4. After receiving the ARP reply, Host A operates as follows:
   a. Adds the MAC address of Host B into its ARP table.
   b. Encapsulates the MAC address into the packet and sends the packet to Host B.
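The message layout and steps 2 to 4 of the same-subnet exchange described above, as an added Python example that is not part of the HPE guide. The host addresses and all function names are constructed for illustration; the parser accepts only the Ethernet/IPv4 field values listed above and rejects everything else.

```python
import ipaddress
import struct

# Fixed part of the message: hardware type, protocol type, hardware address
# length, protocol address length, OP (network byte order, 8 bytes in total).
HEADER = struct.Struct("!HHBBH")
ETHERNET, IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

# Constructed sample (IP, MAC) pairs for Host A and Host B.
HOST_A = ("192.168.1.10", "00:e0:fc:01:00:0a")
HOST_B = ("192.168.1.20", "00:e0:fc:01:00:0b")


class ArpError(ValueError):
    """The payload is not a well-formed Ethernet/IPv4 ARP message."""


def mac_to_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ArpError(f"bad MAC address: {mac!r}")
    return raw


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_ip, sender_mac, target_ip, target_mac):
    """Serialize an ARP request or reply for IPv4 over Ethernet (28 bytes)."""
    if op not in (OP_REQUEST, OP_REPLY):
        raise ArpError(f"unsupported OP value {op}")
    return (HEADER.pack(ETHERNET, IPV4, 6, 4, op)
            + mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    """Check every fixed field, then return the OP and the four addresses."""
    if len(payload) < HEADER.size + 20:
        raise ArpError("truncated ARP message")
    htype, ptype, hlen, plen, op = HEADER.unpack_from(payload)
    if (htype, ptype) != (ETHERNET, IPV4):
        raise ArpError("not an Ethernet/IPv4 ARP message")
    if (hlen, plen) != (6, 4):
        raise ArpError("address lengths do not match Ethernet/IPv4")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ArpError(f"unsupported OP value {op}")
    # Bytes after the 28-byte message are Ethernet padding and are ignored.
    body = payload[HEADER.size:HEADER.size + 20]
    return {
        "op": "request" if op == OP_REQUEST else "reply",
        "sender_mac": mac_to_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_to_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def answer_request(payload, my_ip, my_mac):
    """Step 3: the host that owns the target IP learns the sender and replies.

    Returns (learned_entry, reply_bytes), or None when the request is for
    another host and is therefore not processed.
    """
    msg = parse_arp(payload)
    if msg["op"] != "request" or msg["target_ip"] != my_ip:
        return None
    learned = (msg["sender_ip"], msg["sender_mac"])
    reply = build_arp(OP_REPLY, my_ip, my_mac, msg["sender_ip"], msg["sender_mac"])
    return learned, reply


def resolve(host_a=HOST_A, host_b=HOST_B):
    """Steps 2 to 4: return the (IP, MAC) entry Host A adds for Host B."""
    request = build_arp(OP_REQUEST, host_a[0], host_a[1], host_b[0], ZERO_MAC)
    _, reply = answer_request(request, *host_b)
    msg = parse_arp(reply)
    return (msg["sender_ip"], msg["sender_mac"])
```

Nothing in the message authenticates the sender fields, which is why the table rules and checks later in this chapter matter.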

Figure 2 ARP address resolution process

If Host A and Host B are on different subnets, Host A sends a packet to Host B as follows:
1. Host A broadcasts an ARP request where the target IP address is the IP address of the gateway.
2. The gateway responds with its MAC address in an ARP reply to Host A.
3. Host A uses the gateway's MAC address to encapsulate the packet, and then sends the packet to the gateway.
4. If the gateway has an ARP entry for Host B, it forwards the packet to Host B directly. If not, the gateway broadcasts an ARP request, in which the target IP address is the IP address of Host B.
5. After the gateway gets the MAC address of Host B, it sends the packet to Host B.

ARP table
An ARP table stores dynamic, static, OpenFlow, and Rule ARP entries.

Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.

Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

The device supports the following types of static ARP entries:


• Long static ARP entry—It contains the IP address, MAC address, VLAN, and output interface. It is directly used for forwarding packets.
• Short static ARP entry—It contains only the IP address and MAC address.
   • If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward packets.
   • If the output interface is a VLAN interface, the device sends an ARP request whose target IP address is the IP address in the short entry. If the sender IP and MAC addresses in the received ARP reply match the short static ARP entry, the device performs the following operations:
      − Adds the interface that received the ARP reply to the short static ARP entry.
      − Uses the resolved short static ARP entry to forward IP packets.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device. To communicate with a host by using a fixed IP-to-MAC mapping through an interface in a VLAN, configure a long static ARP entry on the device.

OpenFlow ARP entry
ARP creates OpenFlow ARP entries by learning from the OpenFlow module. An OpenFlow ARP entry does not age out, and it cannot be updated. It can be overwritten by a static ARP entry. An OpenFlow ARP entry can be used directly to forward packets. For more information about OpenFlow, see OpenFlow Configuration Guide.

Rule ARP entry
ARP creates Rule ARP entries by learning from the IPoE or portal module. A Rule ARP entry does not age out, and it cannot be updated. It can be overwritten by a static ARP entry. A Rule ARP entry can be used directly to forward packets. For more information about IPoE, see Layer 2—WAN Access Configuration Guide. For more information about portal, see Security Configuration Guide.

Configuring a static ARP entry
A static ARP entry is effective when the device functions correctly. If a VLAN or VLAN interface is deleted, long static ARP entries in the VLAN are deleted, and resolved short static ARP entries in the VLAN become unresolved.

A resolved short static ARP entry becomes unresolved upon certain events. For example, it becomes unresolved when the resolved output interface goes down.

A long static ARP entry is ineffective in either of the following situations:
• The IP address in the entry conflicts with a local IP address.
• No local interface has an IP address in the same subnet as the IP address in the ARP entry.

Follow these guidelines when you configure a long static ARP entry:
• The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN.
• The VLAN interface must be created. Its IP address and the IP address specified by the ip-address argument must be on the same subnet.

To configure a static ARP entry:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure a static ARP entry. | Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ] | By default, no static ARP entry is configured.
 | Configure a short static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ] |

Setting the maximum number of dynamic ARP entries for a device

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.

If you set a value lower than the number of existing dynamic ARP entries, the device does not remove the existing entries unless they are aged out.

To set the maximum number of dynamic ARP entries for a device:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the maximum number of dynamic ARP entries for the device. | arp max-learning-number number | If the value for the number argument is set to 0, the device is disabled from learning dynamic ARP entries.

Setting the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

You can set limits for both a Layer 2 interface and the VLAN interface for a permitted VLAN on the Layer 2 interface. The Layer 2 interface learns an ARP entry only when neither limit is reached.

To set the maximum number of dynamic ARP entries for an interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Set the maximum number of dynamic ARP entries for the interface. | arp max-learning-num number | If the value of the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.


Setting the aging timer for dynamic ARP entries
Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. A dynamic ARP entry that is not updated before its aging timer expires is deleted from the ARP table.

To set the aging timer for dynamic ARP entries:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the aging timer for dynamic ARP entries. | arp timer aging aging-time | By default, the aging time for dynamic ARP entries is 20 minutes.

Enabling dynamic ARP entry check
The dynamic ARP entry check function disables the device from supporting dynamic ARP entries that contain multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses. You cannot manually add static ARP entries containing multicast MAC addresses.

When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address. You can also manually add static ARP entries containing multicast MAC addresses.

To enable dynamic ARP entry check:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable dynamic ARP entry check. | arp check enable | By default, dynamic ARP entry check is enabled.
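The entry rules from the ARP table, static ARP entry, learning limit, aging timer, and entry check sections, modelled in Python as an added example; it is not Comware code. Class and method names are hypothetical, all addresses are sample values, and one point is an assumption because the guide does not state it: the learning limit blocks new entries only, not updates to existing ones.

```python
from dataclasses import dataclass
from typing import Optional

AGING_SECONDS = 20 * 60  # default aging time given in this guide


def norm(mac):
    """Canonical 12-hex-digit form, so 00e0-fc01-001f equals 00:E0:FC:01:00:1F."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def is_multicast(mac):
    """A MAC address is multicast when the low bit of its first octet is set."""
    return bool(int(norm(mac)[:2], 16) & 1)


@dataclass
class Entry:
    mac: str
    kind: str                        # "static" or "dynamic"
    expires: Optional[float] = None  # None: the entry never ages out
    interface: Optional[str] = None  # None: unresolved short static entry


class ArpTable:
    def __init__(self, max_learning=None, entry_check=True, aging=AGING_SECONDS):
        self.max_learning = max_learning  # None: no limit configured
        self.entry_check = entry_check
        self.aging = aging
        self.entries = {}

    def add_static(self, ip, mac, interface=None):
        """Long entry when an interface is given, short entry otherwise."""
        if self.entry_check and is_multicast(mac):
            return "rejected: multicast MAC"
        self.entries[ip] = Entry(norm(mac), "static", None, interface)
        return "static"  # replaces any dynamic entry for the same IP

    def resolve_short(self, sender_ip, sender_mac, rx_interface):
        """Bind a short static entry to the interface of a matching ARP reply."""
        entry = self.entries.get(sender_ip)
        if entry is None or entry.kind != "static" or entry.interface is not None:
            return False
        if norm(sender_mac) != entry.mac:
            return False  # the reply does not match the configured mapping
        entry.interface = rx_interface
        return True

    def expire(self, now):
        for ip in [ip for ip, e in self.entries.items()
                   if e.kind == "dynamic" and e.expires <= now]:
            del self.entries[ip]

    def learn(self, ip, mac, now):
        """Apply the sender IP/MAC of a received ARP packet at time now (seconds)."""
        self.expire(now)
        if self.entry_check and is_multicast(mac):
            return "ignored: multicast MAC"
        current = self.entries.get(ip)
        if current is not None and current.kind == "static":
            return "ignored: static entry"
        dynamic = sum(e.kind == "dynamic" for e in self.entries.values())
        if current is None and self.max_learning is not None \
                and dynamic >= self.max_learning:
            return "ignored: learning limit"
        self.entries[ip] = Entry(norm(mac), "dynamic", now + self.aging)
        return "learned" if current is None else "updated"


def scenario():
    """A static gateway entry and two dynamic hosts under a learning limit of 2."""
    t = ArpTable(max_learning=2)
    out = [
        t.add_static("192.168.1.1", "00e0-fc01-001f"),
        t.learn("192.168.1.1", "00e0-fc99-0001", now=0),          # conflicting MAC
        t.resolve_short("192.168.1.1", "00e0-fc99-0001", "GE2/0/2"),
        t.resolve_short("192.168.1.1", "00e0-fc01-001f", "GE2/0/2"),
        t.learn("192.168.1.10", "00e0-fc01-000a", now=0),
        t.learn("192.168.1.10", "00e0-fc99-0001", now=10),        # dynamic: replaced
        t.learn("192.168.1.11", "00e0-fc01-000b", now=20),
        t.learn("192.168.1.12", "00e0-fc01-000c", now=30),        # limit reached
        t.learn("192.168.1.13", "0100-5e00-0001", now=40),        # multicast MAC
        t.learn("192.168.1.12", "00e0-fc01-000c", now=1215),      # .10 has aged out
    ]
    return out, t
```

The contrast between the second and sixth results is the reason to bind gateways and other critical peers statically: the same conflicting packet is ignored for the static entry and accepted for the dynamic one.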

Enabling ARP logging
This function enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:
• On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:
   • The IP address of the receiving interface.
   • The virtual IP address of the VRRP group.
   • The public IP address after NAT.
• The sender IP address of a received ARP reply conflicts with one of the following IP addresses:
   • The IP address of the receiving interface.
   • The virtual IP address of the VRRP group.
   • The public IP address after NAT.

The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about information center, see Network Management and Monitoring Configuration Guide.


To enable the ARP logging function:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable the ARP logging function. | arp check log enable | By default, ARP logging is disabled.

Displaying and maintaining ARP

IMPORTANT:
Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to be cleared do not affect current communications.

Execute display commands in any view and reset commands in user view.

Task: Display ARP entries (centralized devices in standalone mode).
Command: display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Task: Display ARP entries (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Task: Display ARP entries (distributed devices in IRF mode).
Command: display arp [ [ all | dynamic | static ] [ chassis chassis-number slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Task: Display the ARP entry for an IP address (centralized devices in standalone mode).
Command: display arp ip-address [ verbose ]

Task: Display the ARP entry for an IP address (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display arp ip-address [ slot slot-number ] [ verbose ]

Task: Display the ARP entry for an IP address (distributed devices in IRF mode).
Command: display arp ip-address [ chassis chassis-number slot slot-number ] [ verbose ]

Task: Display the ARP entries for a VPN instance.
Command: display arp vpn-instance vpn-instance-name [ count ]

Task: Display the aging timer of dynamic ARP entries.
Command: display arp timer aging

Task: Clear ARP entries from the ARP table (centralized devices in standalone mode).
Command: reset arp { all | dynamic | interface interface-type interface-number | static }

Task: Clear ARP entries from the ARP table (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset arp { all | dynamic | interface interface-type interface-number | slot slot-number | static }

Task: Clear ARP entries from the ARP table (distributed devices in IRF mode).
Command: reset arp { all | chassis chassis-number slot slot-number | dynamic | interface interface-type interface-number | static }


Configuration examples

Long static ARP entry configuration example

Network requirements

As shown in Figure 3, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/1 in VLAN 10.

To ensure secure communications between Router A and Router B, configure a long static ARP entry for Router A on Router B.

Figure 3 Network diagram

Configuration procedure
# Create VLAN 10.
<RouterB> system-view
[RouterB] vlan 10
[RouterB-vlan10] quit

# Add interface GigabitEthernet 2/0/1 to VLAN 10.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] port access vlan 10
[RouterB-GigabitEthernet2/0/1] quit

# Create VLAN-interface 10 and configure its IP address.
[RouterB] interface vlan-interface 10
[RouterB-vlan-interface10] ip address 192.168.1.2 8
[RouterB-vlan-interface10] quit

# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 2/0/1 in VLAN 10.
[RouterB] arp static 192.168.1.1 00e0-fc01-0000 10 gigabitethernet 2/0/1

Verifying the configuration
# Verify that Router B has a long static ARP entry for Router A.
[RouterB] display arp static
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport   I-Invalid
IP address      MAC address     VLAN   Interface   Aging   Type
192.168.1.1     00e0-fc01-0000  10     GE2/0/1     N/A     S

Short static ARP entry configuration example

Network requirements

As shown in Figure 4, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/2.

To ensure secure communications between Router A and Router B, configure a short static ARP entry for Router A on Router B.

Figure 4 Network diagram

Configuration procedure
# Configure an IP address for GigabitEthernet 2/0/2.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 192.168.1.2/24
[RouterB-GigabitEthernet2/0/2] quit

# Configure a static ARP entry that has IP address 192.168.1.1 and MAC address 00e0-fc01-001f.
[RouterB] arp static 192.168.1.1 00e0-fc01-001f

Verifying the configuration
# Verify that Router B has a short static ARP entry for Router A.
[RouterB] display arp static
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport   I-Invalid
IP address      MAC address     VLAN   Interface   Aging   Type
192.168.1.1     00e0-fc01-001f  N/A    N/A         N/A     S


Configuring gratuitous ARP

Overview
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of a MAC address change.

Gratuitous ARP packet learning
This function enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.

When this function is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Periodic sending of gratuitous ARP packets
Enabling periodic sending of gratuitous ARP packets helps downstream devices update ARP entries or MAC entries in a timely manner.

This feature can implement the following functions:
• Prevent gateway spoofing.
  Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network. The traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.
  To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets at intervals. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so hosts can learn correct gateway information.
• Prevent ARP entries from aging out.
  If network traffic is heavy or if the host CPU usage is high, received ARP packets can be discarded or are not promptly processed. Eventually, the dynamic ARP entries on the receiving host age out. The traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.
  To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so the receiving hosts can update ARP entries in a timely manner.
• Prevent the virtual IP address of a VRRP group from being used by a host.
  The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network. The hosts can then update local ARP entries and avoid using the virtual IP address of the VRRP group. The sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. For more information about VRRP, see High Availability Configuration Guide.


• Update MAC entries of devices in the VLANs having ambiguous Dot1q or QinQ termination configured.
  In VRRP configuration, if ambiguous Dot1q or QinQ termination is configured for multiple VLANs and VRRP groups, interfaces configured with VLAN termination must be disabled from transmitting broadcast/multicast packets. Also, a VRRP control VLAN must be configured so that VRRP advertisements can be transmitted within the control VLAN only. In such cases, you can enable periodic sending of gratuitous ARP packets containing the following addresses:
   • The VRRP virtual IP address.
   • The primary IP address or a manually configured secondary IP address of the sending interface on the subinterfaces.
  When a VRRP failover occurs, devices in the VLANs can use the gratuitous ARP packets to update their corresponding MAC entries in a timely manner. For more information about ambiguous Dot1q or QinQ termination, see Layer 2—LAN Switching Configuration Guide.

Configuration procedure
The following conditions apply to the gratuitous ARP configuration:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.
• The frequency of sending gratuitous ARP packets might be much lower than the sending interval set by the user in any of the following circumstances:
   • This function is enabled on multiple interfaces.
   • Each interface is configured with multiple secondary IP addresses.
   • A small sending interval is configured when the previous two conditions exist.

To configure gratuitous ARP:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable learning of gratuitous ARP packets. | gratuitous-arp-learning enable | By default, learning of gratuitous ARP packets is enabled.
3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet. | gratuitous-arp-sending enable | By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
4. Enter interface view. | interface interface-type interface-number | N/A
5. Enable periodic sending of gratuitous ARP packets and set the sending interval. | arp send-gratuitous-arp [ interval milliseconds ] | By default, periodic sending of gratuitous ARP packets is disabled.

Enabling IP conflict notification
By default, if the sender IP address of an ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request. It also displays an error message after it receives an ARP reply about the conflict.


You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conflict confirmation.

To enable IP conflict notification:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable IP conflict notification. | arp ip-conflict log prompt | By default, IP conflict notification is disabled.


Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain.

Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP—Allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.
• Local proxy ARP—Allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Enabling common proxy ARP

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | The following interface types are supported: • VLAN interface. • Layer 3 Ethernet interface. • Layer 3 Ethernet subinterface. • Layer 3 aggregate interface. • Layer 3 aggregate subinterface.
3. Enable common proxy ARP. | proxy-arp enable | By default, common proxy ARP is disabled.

Enabling local proxy ARP

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | The following interface types are supported: • VLAN interface. • Layer 3 Ethernet interface. • Layer 3 Ethernet subinterface. • Layer 3 aggregate interface. • Layer 3 aggregate subinterface.
3. Enable local proxy ARP. | local-proxy-arp enable [ ip-range startIP to endIP ] | By default, local proxy ARP is disabled.


Displaying proxy ARP
Execute display commands in any view.

Task: Display common proxy ARP status.
Command: display proxy-arp [ interface interface-type interface-number ]

Task: Display local proxy ARP status.
Command: display local-proxy-arp [ interface interface-type interface-number ]

Common proxy ARP configuration example

Network requirements

As shown in Figure 5, Host A and Host D have the same prefix and mask, but they are located on different subnets. No default gateway is configured on Host A and Host D.

Configure common proxy ARP on the router to enable communication between Host A and Host D.

Figure 5 Network diagram

Configuration procedure
# Configure the IP address of interface GigabitEthernet 2/0/2.
<Router> system-view
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] ip address 192.168.10.99 255.255.255.0

# Enable common proxy ARP on interface GigabitEthernet 2/0/2.
[Router-GigabitEthernet2/0/2] proxy-arp enable
[Router-GigabitEthernet2/0/2] quit

# Configure the IP address of interface GigabitEthernet 2/0/1.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ip address 192.168.20.99 255.255.255.0

# Enable common proxy ARP on interface GigabitEthernet 2/0/1.
[Router-GigabitEthernet2/0/1] proxy-arp enable
[Router-GigabitEthernet2/0/1] quit

Verifying the configuration
# Verify that Host A and Host D can ping each other.


Configuring ARP fast-reply

Overview
ARP fast-reply enables a device to directly answer ARP requests according to DHCP snooping entries. ARP fast-reply functions in a VLAN. For information about DHCP snooping, see "Configuring DHCP snooping."

If the target IP address of a received ARP request is the IP address of the VLAN interface, the device delivers the request to the ARP module. If not, the device takes the following steps to process the packet:
1. Search the DHCP snooping table for a match by using the target IP address.
2. If a match is found, whether the device returns a reply depends on the type of interface in the matching entry.
   • If the interface is the Ethernet interface that received the ARP request, the device does not return a reply.
   • If the interface is a wireless interface or an Ethernet interface other than the receiving interface, the device returns a reply according to the matching entry.
3. If no matching DHCP snooping entry is found, the ARP request is forwarded to other interfaces except the receiving interface in the VLAN, or delivered to other modules.
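The decision procedure above, worked through in Python over a constructed DHCP snooping table; this is an added example, not the device's implementation. The class, function, and action names are hypothetical, and every address and interface name (including WLAN-BSS1) is a sample value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry, reduced to the fields this decision uses."""
    mac: str
    interface: str
    wireless: bool = False


def fast_reply(target_ip, rx_interface, vlan_interface_ip, bindings):
    """Return (action, mac) for one ARP request received in the VLAN.

    mac is set only when the device itself answers from a snooping entry.
    """
    if target_ip == vlan_interface_ip:
        # The request is for the device itself: normal ARP processing.
        return ("deliver to ARP module", None)
    binding = bindings.get(target_ip)          # step 1: look up the target IP
    if binding is None:
        return ("forward in VLAN", None)       # step 3: no matching entry
    if not binding.wireless and binding.interface == rx_interface:
        return ("no reply", None)              # step 2, first case
    return ("reply", binding.mac)              # step 2, second case


# Constructed sample data for one VLAN.
VLAN_INTERFACE_IP = "10.1.2.1"
BINDINGS = {
    "10.1.2.11": Binding("00e0-fc01-0011", "GE2/0/1"),
    "10.1.2.12": Binding("00e0-fc01-0012", "GE2/0/2"),
    "10.1.2.13": Binding("00e0-fc01-0013", "WLAN-BSS1", wireless=True),
}

# (target IP, receiving interface) of five constructed ARP requests.
REQUESTS = [
    ("10.1.2.1", "GE2/0/1"),     # target is the VLAN interface
    ("10.1.2.12", "GE2/0/1"),    # owner is on another Ethernet interface
    ("10.1.2.11", "GE2/0/1"),    # owner is on the receiving Ethernet interface
    ("10.1.2.13", "WLAN-BSS1"),  # owner is on a wireless interface
    ("10.1.2.99", "GE2/0/2"),    # no DHCP snooping entry
]


def run(requests=REQUESTS):
    """Apply the decision to each request and return the results in order."""
    return [fast_reply(ip, rx, VLAN_INTERFACE_IP, BINDINGS) for ip, rx in requests]


def suppressed_broadcasts(requests=REQUESTS):
    """Count requests answered from the snooping table instead of being flooded."""
    return sum(action == "reply" for action, _ in run(requests))
```

Because replies come from the snooping table, a fast reply is only as trustworthy as the DHCP snooping entries behind it.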

Configuration procedure
To configure ARP fast-reply:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter VLAN view. | vlan vlan-id | N/A
3. Enable ARP fast-reply. | arp fast-reply enable | By default, ARP fast-reply is disabled.

ARP fast-reply configuration example

Network requirements

As shown in Figure 6, the router is a DHCP snooping device. All clients are in VLAN 2, and access the network through the router. The clients obtain IP addresses from the DHCP server through DHCP.

Enable ARP fast-reply for VLAN 2. The router directly returns an ARP reply without broadcasting received ARP requests in the VLAN.


Figure 6 Network diagram
[Figure 6 labels: Router, DHCP server, Client 1 … Client 16, Client 17 … Client 32, VLAN 2]

Configuration procedure
# Enable ARP fast-reply for VLAN 2 on the router.
[Router-vlan2] arp fast-reply enable
[Router-vlan2] quit


Configuring ARP PnP

Overview The ARP plug and play (PnP) feature is typically configured on a gateway. This feature allows end users to access the gateway without changing their IP addresses on subnets different from the subnet where the gateway resides.

After ARP PnP is enabled on an interface, it provides the following functions: • ARP PnP enables the interface to always reply to users' ARP requests with the interface's MAC

address. • Upon receiving a packet from the user, ARP PnP replaces the source IP address of the packet

with an agent IP address. The agent IP address is on the same subnet as the interface IP address.

• Upon receiving the return packet destined to the agent IP address, ARP PnP replaces the agent IP with the user's original IP address.

Configuration prerequisites

Before you configure the ARP PnP feature on an interface, perform the following tasks:
• Assign the interface a primary IP address. ARP PnP generates agent IP addresses based on the primary IP address and mask length of the interface.
• Use the reset arp command to delete all ARP entries on the interface.
• Configure NAT on the interface that connects to the external network. For more information about NAT, see "Configuring NAT."

Configuration procedure

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure an address group and enter its view. | nat address-group group-number | By default, no address group exists.
3. Add an IP address range to the address group. | address start-address end-address | By default, an address group has no IP address range. You can add multiple IP address ranges to an address group. The IP address ranges must not overlap.
4. Enter interface view of the interface that connects to the external network. | interface interface-type interface-number | The following interface types are supported: Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces.
5. Configure outbound dynamic NAT. | nat outbound address-group group-number | By default, outbound dynamic NAT is not configured.
6. Return to system view. | quit | N/A
7. Enter interface view of the interface that connects to the internal network. | interface interface-type interface-number | The following interface types are supported: Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces.
8. Enable the ARP PnP feature. | arp pnp | By default, the ARP PnP feature is disabled.

Displaying and maintaining ARP PnP

Execute display commands in any view.

Task | Command
Display ARP PnP mappings. | display arp pnp [ interface interface-type interface-number ]

ARP PnP configuration example

Network requirements

As shown in Figure 7, configure the ARP PnP feature to allow the host at 1.2.3.4 to access the external server through GigabitEthernet 2/0/1.

Figure 7 Network diagram

Configuration procedure

1. Configure NAT:

# Specify IP addresses for GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.

<Router> system-view
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ip address 192.168.0.2 24
[Router-GigabitEthernet2/0/1] quit
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] ip address 202.38.1.100 24
[Router-GigabitEthernet2/0/2] quit

# Configure ACL 2000 to identify packets from subnet 192.168.0.0/24.

[Router] acl number 2000
[Router-acl-basic-2000] rule permit source 192.168.0.0 0.0.0.255
[Router-acl-basic-2000] quit

# Create address group 1, and add address 202.38.1.100 to the group.

[Router] nat address-group 1
[Router-nat-address-group-1] address 202.38.1.100 202.38.1.100
[Router-nat-address-group-1] quit

# Enable outbound PAT on interface GigabitEthernet 2/0/2 to translate the source address of outgoing packets matching ACL 2000 into the address in address group 1.

[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 1

2. Enable the ARP PnP feature on GigabitEthernet 2/0/1.

[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] arp pnp
[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that the router creates an ARP PnP mapping for the host IP address 1.2.3.4 on GigabitEthernet 2/0/1.

[Router] display arp pnp interface gigabitethernet 2/0/1
Total number of entries : 1
Agent IP address  User IP address  MAC address     Interface  Aging
192.168.0.3       1.2.3.4          00e0-fc00-0001  GE2/0/1    10


Configuring ARP suppression

Overview

The ARP suppression feature enables a device to directly answer ARP requests by using ARP suppression entries. The device generates ARP suppression entries based on dynamic ARP entries that it learns. This feature is typically configured on the PEs connected to base stations in an MPLS L2VPN that provides access to an L3VPN network.

You can also configure the ARP suppression push function to push ARP suppression entries at intervals by broadcasting gratuitous ARP packets.

Figure 8 shows a typical application scenario. ARP suppression is enabled on the PE that connects to the base station. The PE generates ARP suppression entries for the base station, PE-agg 1, and PE-agg 2, and it directly replies to subsequent ARP requests for these devices.

Figure 8 Typical application

Configuration procedure

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create a cross-connect group and enter its view. | xconnect-group group-name | By default, no cross-connect group exists. For more information about this command, see MPLS Command Reference.
3. Create a cross-connect and enter its view. | connection connection-name | By default, no cross-connect exists. For more information about this command, see MPLS Command Reference.
4. Enable ARP suppression. | arp suppression enable | By default, ARP suppression is disabled.
5. Return to cross-connect group view. | quit | N/A
6. Return to system view. | quit | N/A
7. (Optional.) Enable the ARP suppression push function and set a push interval. | arp suppression push interval interval | By default, the ARP suppression push function is disabled.

Displaying and maintaining ARP suppression

Execute display commands in any view and reset commands in user view.

Task | Command
Display ARP suppression entries (centralized devices in standalone mode). | display arp suppression xconnect-group [ name group-name ] [ count ]
Display ARP suppression entries (distributed devices in standalone mode/centralized devices in IRF mode). | display arp suppression xconnect-group [ name group-name ] [ slot slot-number ] [ count ]
Display ARP suppression entries (distributed devices in IRF mode). | display arp suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ] [ count ]
Clear ARP suppression entries (centralized devices in standalone mode). | reset arp suppression xconnect-group
Clear ARP suppression entries (distributed devices in standalone mode/centralized devices in IRF mode). | reset arp suppression xconnect-group [ name group-name ] [ slot slot-number ]
Clear ARP suppression entries (distributed devices in IRF mode). | reset arp suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ]

ARP suppression configuration example

Network requirements

As shown in Figure 9, the base station, Router A, and Router B are in an MPLS L2VPN. The base station can reach the L3VE interface VE-L3VPN 1 of Router B.

Enable ARP suppression on Router A to directly reply to ARP requests for Router B.

Figure 9 Network diagram


Configuration procedure

1. Configure IP addresses for the interfaces as shown in Figure 9. (Details not shown.)

2. Configure ARP suppression on Router A:

# Create a cross-connect group named vpna and create a cross-connect named svc in the group.

<RouterA> system-view
[RouterA] xconnect-group vpna
[RouterA-xcg-vpna] connection svc

# Enable ARP suppression for the cross-connect svc in cross-connect group vpna.

[RouterA-xcg-vpna-svc] arp suppression enable

Verifying the configuration

1. On the base station, clear ARP entries, and ping the L3VE interface VE-L3VPN 1 of Router B. (Details not shown.)

2. Verify that Router A has ARP suppression entries for the base station and Router B.

[RouterA-xcg-vpna-svc] display arp suppression xconnect-group
IP address  MAC address     Xconnect-group  Connection  Aging
10.1.1.1    00e0-fc04-582c  vpna            svc         25
10.1.1.3    0023-89b7-0861  vpna            svc         25

3. Enable ARP debugging on Router B to verify that Router B does not receive an ARP request from the base station under the following conditions (details not shown):
a. Clear ARP entries on the base station.
b. Ping the L3VE interface VE-L3VPN 1 of Router B from the base station.


Configuring ARP direct route advertisement

Overview

The ARP direct route advertisement feature advertises host routes instead of advertising the network route. This feature is typically configured on PE-aggs to advertise host routes to the connected PEs in the L3VPN.

Figure 10 shows a typical application scenario where the PE in the L3VPN has ECMP routes destined to a base station in the L2VPN. Traffic from the PE in the L3VPN to the base station can be load shared by PE-agg 1 and PE-agg 2. If PE-agg 1 fails, the PE uses the host route through PE-agg 2 to forward traffic.

Figure 10 Typical application

Configuration procedure

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create an L3VE interface and enter its view. | interface ve-l3vpn interface-number | By default, no L3VE interface exists. For more information about this command, see MPLS Command Reference.
3. Enable the ARP direct route advertisement feature. | arp route-direct advertise | By default, the ARP direct route advertisement feature is disabled.


Configuring IP addressing

The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified.

This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.

Overview

This section describes the IP addressing basics.

IP addressing uses a 32-bit address to identify each host on an IPv4 network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, address 00001010000000010000000100000001 in binary is written as 10.1.1.1.

IP address classes

Each IP address breaks down into the following sections:
• Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.
• Host ID—Identifies a host on a network.

IP addresses are divided into five classes, as shown in Figure 11. The shaded areas represent the address class. The first three classes are most commonly used.

Figure 11 IP address classes

Table 1 IP address classes and ranges

Class | Address range | Remarks
A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
B | 128.0.0.0 to 191.255.255.255 | N/A
C | 192.0.0.0 to 223.255.255.255 | N/A
D | 224.0.0.0 to 239.255.255.255 | Multicast addresses.
E | 240.0.0.0 to 255.255.255.255 | Reserved for future use, except for the broadcast address 255.255.255.255.

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.
• IP address with an all-zero host ID—Identifies a network.
• IP address with an all-one host ID—Identifies a directed broadcast address. For example, a packet with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network 192.168.1.0.

Subnetting and masking

Subnetting divides a network into smaller networks called subnets by using some bits of the host ID to create a subnet ID.

Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.

Each subnet mask comprises 32 bits that correspond to the bits in an IP address. In a subnet mask, consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.

Before being subnetted, Class A, B, and C networks use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.

Figure 12 Subnetting a Class B network

Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets means accommodating fewer hosts.

For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.
• Without subnetting—65534 (2^16 – 2) hosts. (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)
• With subnetting—Using the first nine bits of the host-id for subnetting provides 512 (2^9) subnets. However, only seven bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 (512 × 126) hosts.

Assigning an IP address to an interface

An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or PPP address negotiation. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous address.


An interface can have one primary address and multiple secondary addresses.

Typically, you need to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

Configuration guidelines

Follow these guidelines when you assign an IP address to an interface:
• An interface can have only one primary IP address. A newly configured primary IP address overwrites the previous one.
• You cannot assign secondary IP addresses to an interface that obtains an IP address through BOOTP, DHCP, PPP address negotiation, or IP unnumbered.
• The primary and secondary IP addresses assigned to the interface can be located on the same network segment. Different interfaces on your device must reside on different network segments.

Configuration procedure

To assign an IP address to an interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Assign an IP address to the interface. | ip address ip-address { mask | mask-length } [ sub ] | By default, no IP address is assigned to the interface.

Configuring IP unnumbered

Typically, you assign an IP address to an interface either manually or through DHCP. If the IP addresses are not enough, or the interface is used only occasionally, you can configure an interface to borrow an IP address from other interfaces. This is called IP unnumbered, and the interface borrowing the IP address is called an IP unnumbered interface.

You can use IP unnumbered to save IP addresses either when available IP addresses are inadequate or when an interface is brought up only for occasional use.

Configuration guidelines

Follow these guidelines when you configure IP unnumbered:
• Loopback interfaces cannot borrow IP addresses of other interfaces, but other interfaces can borrow IP addresses of loopback interfaces.
• An interface cannot borrow an IP address from an unnumbered interface.
• Multiple interfaces can use the same unnumbered IP address.
• If an interface has multiple manually configured IP addresses, only the manually configured primary IP address can be borrowed.


Configuration prerequisites

Assign an IP address to the interface from which you want to borrow the IP address. Alternatively, you can configure the interface to obtain one through BOOTP, DHCP, or PPP address negotiation.

Configuration procedure

To configure IP unnumbered on an interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Specify the interface to borrow the IP address of the specified interface. | ip address unnumbered interface interface-type interface-number | By default, the interface does not borrow IP addresses from other interfaces.

A dynamic routing protocol cannot be enabled on the interface where IP unnumbered is configured. To enable the interface to communicate with other devices, configure a static route to the peer device on the interface. For more configuration information, see "IP unnumbered configuration example."

Displaying and maintaining IP addressing

Execute display commands in any view.

Task | Command
Display IP configuration and statistics for the specified or all Layer 3 interfaces. | display ip interface [ interface-type interface-number ]
Display brief IP configuration for Layer 3 interfaces. | display ip interface [ interface-type [ interface-number ] ] brief [ description ]

Configuration examples

IP address configuration example

Network requirements

As shown in Figure 13, GigabitEthernet 2/0/1 on the router is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.

To enable the hosts on the two network segments to communicate with the external network through the router, and to enable the hosts on the LAN to communicate with each other:
• Assign a primary IP address and a secondary IP address to GigabitEthernet 2/0/1 on the router.
• Set the primary IP address of the router as the gateway address of the PCs on subnet 172.16.1.0/24. Set the secondary IP address of the router as the gateway address of the PCs on subnet 172.16.2.0/24.


Figure 13 Network diagram

Configuration procedure

# Assign a primary IP address and a secondary IP address to GigabitEthernet 2/0/1.

<Router> system-view
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ip address 172.16.1.1 255.255.255.0
[Router-GigabitEthernet2/0/1] ip address 172.16.2.1 255.255.255.0 sub

# Set the gateway address to 172.16.1.1 on the PCs attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to subnet 172.16.2.0/24.

Verifying the configuration

# Verify the connectivity between a host on subnet 172.16.1.0/24 and the router.

<Router> ping 172.16.1.2
Ping 172.16.1.2 (172.16.1.2): 56 data bytes, press CTRL_C to break
56 bytes from 172.16.1.2: icmp_seq=0 ttl=128 time=7.000 ms
56 bytes from 172.16.1.2: icmp_seq=1 ttl=128 time=2.000 ms
56 bytes from 172.16.1.2: icmp_seq=2 ttl=128 time=1.000 ms
56 bytes from 172.16.1.2: icmp_seq=3 ttl=128 time=1.000 ms
56 bytes from 172.16.1.2: icmp_seq=4 ttl=128 time=2.000 ms
--- Ping statistics for 172.16.1.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms

# Verify the connectivity between a host on subnet 172.16.2.0/24 and the router.

<Router> ping 172.16.2.2
Ping 172.16.2.2 (172.16.2.2): 56 data bytes, press CTRL_C to break
56 bytes from 172.16.2.2: icmp_seq=0 ttl=128 time=2.000 ms
56 bytes from 172.16.2.2: icmp_seq=1 ttl=128 time=7.000 ms
56 bytes from 172.16.2.2: icmp_seq=2 ttl=128 time=1.000 ms
56 bytes from 172.16.2.2: icmp_seq=3 ttl=128 time=2.000 ms
56 bytes from 172.16.2.2: icmp_seq=4 ttl=128 time=1.000 ms
--- Ping statistics for 172.16.2.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms

# Verify the connectivity between a host on subnet 172.16.1.0/24 and a host on subnet 172.16.2.0/24. The ping operation succeeds.

IP unnumbered configuration example

Network requirements

As shown in Figure 14, two routers on an intranet are connected to each other through serial interfaces across a Digital Data Network. Each router connects to a LAN through an Ethernet interface.

To save IP addresses, configure the serial interfaces to borrow IP addresses from the Ethernet interfaces.

Figure 14 Network diagram

Configuration procedure

1. Configure Router A:

# Assign a primary IP address to GigabitEthernet 2/0/1.

<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 172.16.10.1 255.255.255.0
[RouterA-GigabitEthernet2/0/1] quit

# Configure Serial 2/1/1 to borrow an IP address from GigabitEthernet 2/0/1.

[RouterA] interface serial 2/1/1
[RouterA-Serial2/1/1] ip address unnumbered interface gigabitethernet 2/0/1
[RouterA-Serial2/1/1] quit

# Configure a static route to the subnet attached to Router B, specifying Serial 2/1/1 as the outgoing interface.

[RouterA] ip route-static 172.16.20.0 255.255.255.0 serial 2/1/1

2. Configure Router B:

# Assign a primary IP address to GigabitEthernet 2/0/1.

<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ip address 172.16.20.1 255.255.255.0
[RouterB-GigabitEthernet2/0/1] quit

# Configure interface Serial 2/1/1 to borrow an IP address from GigabitEthernet 2/0/1.

[RouterB] interface serial 2/1/1
[RouterB-Serial2/1/1] ip address unnumbered interface gigabitethernet 2/0/1
[RouterB-Serial2/1/1] quit

# Configure a static route to the subnet attached to Router A, specifying Serial 2/1/1 as the outgoing interface.

[RouterB] ip route-static 172.16.10.0 255.255.255.0 serial 2/1/1

Verifying the configuration

# Verify that a host attached to Router B can be pinged from Router A.

[RouterA] ping 172.16.20.2
Ping 172.16.20.2 (172.16.20.2): 56 data bytes, press CTRL_C to break
56 bytes from 172.16.20.2: icmp_seq=0 ttl=128 time=7.000 ms
56 bytes from 172.16.20.2: icmp_seq=1 ttl=128 time=2.000 ms
56 bytes from 172.16.20.2: icmp_seq=2 ttl=128 time=1.000 ms
56 bytes from 172.16.20.2: icmp_seq=3 ttl=128 time=1.000 ms
56 bytes from 172.16.20.2: icmp_seq=4 ttl=128 time=2.000 ms
--- Ping statistics for 172.16.20.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms


DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.

Figure 15 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."

Figure 15 A typical DHCP application

DHCP address allocation

Allocation mechanisms

DHCP supports the following allocation mechanisms:
• Static allocation—The network administrator assigns an IP address to a client, such as a WWW server, and DHCP conveys the assigned address to the client.
• Automatic allocation—DHCP assigns a permanent IP address to a client.
• Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.


IP address allocation process

Figure 16 IP address allocation process

As shown in Figure 16, a DHCP server assigns an IP address to a DHCP client in the following process:
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For more information, see "DHCP message format."
3. If the client receives multiple offers, it accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address. (IP addresses offered by other DHCP servers can be assigned to other clients.)
4. All DHCP servers receive the DHCP-REQUEST message. However, only the server selected by the client does one of the following operations:
  ○ Returns a DHCP-ACK message to confirm that the IP address has been allocated to the client.
  ○ Returns a DHCP-NAK message to deny the IP address allocation.

After receiving the DHCP-ACK message, the client verifies the following details before using the assigned IP address:
• The assigned IP address is not in use. To verify this, the client broadcasts a gratuitous ARP packet. The assigned IP address is not in use if no response is received within the specified time.
• The assigned IP address is not on the same subnet as any IP address in use on the client.

Otherwise, the client sends a DHCP-DECLINE message to the server to request an IP address again.

IP address lease extension

A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend the lease duration.

When about half of the lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease. Depending on the availability of the IP address, the DHCP server returns one of the following messages:
• A DHCP-ACK unicast confirming that the client's lease duration has been extended.
• A DHCP-NAK unicast denying the request.


If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast.

DHCP message format

Figure 17 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 17 DHCP message format

• op—Message type defined in options field. 1 = REQUEST, 2 = REPLY
• htype, hlen—Hardware address type and length of the DHCP client.
• hops—Number of relay agents a request message traveled.
• xid—Transaction ID, a random number chosen by the client to identify an IP address allocation.
• secs—Filled in by the client, the number of seconds elapsed since the client began address acquisition or renewal process. This field is reserved and set to 0.
• flags—The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast. If this flag is set to 1, the DHCP server sent a reply back by broadcast. The remaining bits of the flags field are reserved for future use.
• ciaddr—Client IP address if the client has an IP address that is valid and usable. Otherwise, set to zero. (The client does not use this field to request an IP address to lease.)
• yiaddr—Your IP address. It is an IP address assigned by the DHCP server to the DHCP client.
• siaddr—Server IP address, from which the client obtained configuration parameters.
• giaddr—Gateway IP address. It is the IP address of the first relay agent to which a request message travels.
• chaddr—Client hardware address.
• sname—Server host name, from which the client obtained configuration parameters.
• file—Boot file (also called system software image) name and path information, defined by the server to the client.
• options—Optional parameters field that is variable in length. Optional parameters include the message type, lease duration, subnet mask, domain name server IP address, and WINS IP address.


DHCP options

DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients.

Figure 18 DHCP option format

Common DHCP options

The following are common DHCP options:
• Option 3—Router option. It specifies the gateway address.
• Option 6—DNS server option. It specifies the DNS server's IP address.
• Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
• Option 51—IP address lease option.
• Option 53—DHCP message type option. It identifies the type of the DHCP message.
• Option 55—Parameter request list option. It is used by a DHCP client to request specified configuration parameters. The option includes values that correspond to the parameters requested by the client.
• Option 60—Vendor class identifier option. A DHCP client uses this option to identify its vendor. A DHCP server uses this option to distinguish DHCP clients, and assigns IP addresses to them.
• Option 66—TFTP server name option. It specifies a TFTP server to be assigned to the client.
• Option 67—Boot file name option. It specifies the boot file name to be assigned to the client.
• Option 121—Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
• Option 150—TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client.

For more information about DHCP options, see RFC 2132 and RFC 3442.
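The message layout and option encoding described above, as an added Python example that is not part of the HPE guide: a strict parser for the fixed header and the code/length/value options that rejects truncated or inconsistent input. Field widths, the magic cookie, the message type values and the Pad/End options are taken from RFC 2131 and RFC 2132; the sample packets are constructed, and build_message is a hypothetical helper used only to build them.

```python
import ipaddress
import struct

# Fixed header widths follow RFC 2131: op, htype, hlen, hops (1 byte each),
# xid (4), secs (2), flags (2), ciaddr/yiaddr/siaddr/giaddr (4 each),
# chaddr (16), sname (64), file (128).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # precedes the options field (RFC 2131)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data):
    """Walk code/length/value options; refuse lengths that overrun the buffer."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                      # End option
            return options
        if code == 0:                        # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} overruns the message")
        options[code] = options.get(code, b"") + value  # RFC 3396: join repeated options
        i += 2 + length
    raise ValueError("options field has no End option (255)")


def ipv4_list(code, value):
    if not value or len(value) % 4:
        raise ValueError(f"option {code}: expected a list of 4-byte addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def parse_message(packet):
    """Return the header fields and decoded common options of one DHCP message."""
    if len(packet) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("message shorter than the fixed header")
    (op, _htype, hlen, hops, xid, _secs, flags, ciaddr, yiaddr,
     siaddr, giaddr, chaddr, _sname, _file) = HEADER.unpack_from(packet)
    if op not in (1, 2):
        raise ValueError(f"op must be 1 (REQUEST) or 2 (REPLY), got {op}")
    if hlen > len(chaddr):
        raise ValueError(f"hlen {hlen} exceeds the 16-byte chaddr field")
    body = packet[HEADER.size:]
    if body[:4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: not a DHCP message")
    options = parse_options(body[4:])
    kind = options.get(53, b"")
    if len(kind) != 1 or kind[0] not in MESSAGE_TYPES:
        raise ValueError("Option 53 (message type) missing or invalid")
    result = {
        "op": op, "hops": hops, "xid": xid,
        "broadcast": bool(flags & 0x8000),   # leftmost bit of the flags field
        "type": MESSAGE_TYPES[kind[0]],
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
    }
    if 51 in options:
        if len(options[51]) != 4:
            raise ValueError("option 51: lease time must be 4 bytes")
        result["lease_seconds"] = int.from_bytes(options[51], "big")
    if 3 in options:
        result["routers"] = ipv4_list(3, options[3])
    if 6 in options:
        result["dns_servers"] = ipv4_list(6, options[6])
    if 55 in options:
        result["requested"] = list(options[55])
    if 60 in options:
        result["vendor_class"] = options[60].decode("ascii", "replace")
    return result


def build_message(op, xid, flags, yiaddr, mac, options):
    """Hypothetical helper: builds the constructed sample packets below."""
    header = HEADER.pack(op, 1, len(mac), 0, xid, 0, flags, bytes(4),
                         ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                         mac, b"", b"")
    encoded = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + encoded + b"\xff"


# Constructed samples: a broadcast DISCOVER and the matching ACK.
MAC = bytes.fromhex("00e0fc000001")
DISCOVER = build_message(1, 0x3903F326, 0x8000, "0.0.0.0", MAC, [
    (53, b"\x01"), (55, bytes([1, 3, 6, 121])), (60, b"example-client")])
ACK = build_message(2, 0x3903F326, 0x8000, "172.16.1.2", MAC, [
    (53, b"\x05"), (51, (86400).to_bytes(4, "big")),
    (3, ipaddress.IPv4Address("172.16.1.1").packed),
    (6, ipaddress.IPv4Address("172.16.1.10").packed)])

if __name__ == "__main__":
    print(parse_message(DISCOVER))
    print(parse_message(ACK))
```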

Custom DHCP options

Some options, such as Option 43, Option 82, and Option 184, have no standard definitions in RFC 2132.

Vendor-specific option (Option 43)

DHCP servers and clients use Option 43 to exchange vendor-specific configuration information.

The DHCP client can obtain the following information through Option 43: • ACS parameters, including the ACS URL, username, and password.


• Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.

• PXE server address, which is used to obtain the boot file or other control information from the PXE server.

• AC address, which is used by an AP to obtain the boot file or other control information from the AC.

1. Format of Option 43:

Figure 19 Option 43 format

Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 19.

Sub-option type—The field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).

Sub-option length—Excludes the sub-option type and sub-option length fields.

Sub-option value—The value format varies by sub-option.

2. Sub-option value field formats:

ACS parameter sub-option value field—Includes the ACS URL, username, and password separated by spaces (0x20) as shown in Figure 20.

Figure 20 ACS parameter sub-option value field

Service provider identifier sub-option value field—Includes the service provider identifier.

PXE server address sub-option value field—Includes the PXE server type that can only be 0, the server number that indicates the number of PXE servers contained in the sub-option, and server IP addresses, as shown in Figure 21.

Figure 21 PXE server address sub-option value field
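The sub-option layout described above can be checked with a strict decoder. The following Python sketch is an added example, not code from the guide or from HPE. It assumes one-byte type and length fields and, for the PXE sub-option, a 2-byte server type followed by a 1-byte server number, because Figures 19 through 21 are not reproduced here; all function names and the sample payload are constructed.

```python
import ipaddress
import struct

# Sub-option type codes the guide lists for Option 43.
SUBOPT_ACS = 0x01      # ACS URL, username, password
SUBOPT_SP_ID = 0x02    # service provider identifier
SUBOPT_PXE = 0x80      # PXE server addresses


class Option43Error(ValueError):
    """The Option 43 payload does not match the documented layout."""


def split_suboptions(payload):
    """Return [(type, value), ...] from a raw Option 43 payload.

    Assumption: type and length are one byte each. The length counts only
    the value bytes, as the guide states.
    """
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise Option43Error(f"truncated sub-option header at offset {pos}")
        sub_type, sub_len = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + sub_len]
        if len(value) != sub_len:
            raise Option43Error(
                f"sub-option 0x{sub_type:02x} declares {sub_len} bytes, "
                f"only {len(value)} present")
        out.append((sub_type, value))
        pos += 2 + sub_len
    return out


def parse_acs(value):
    """ACS URL, username and password separated by spaces (0x20)."""
    fields = value.split(b" ")
    if len(fields) != 3 or not all(fields):
        raise Option43Error("ACS sub-option needs exactly three fields")
    try:
        url, user, password = (f.decode("ascii") for f in fields)
    except UnicodeDecodeError as exc:
        raise Option43Error("ACS sub-option is not ASCII") from exc
    return {"url": url, "username": user, "password": password}


def parse_pxe(value):
    """PXE server type (must be 0), server number, then IPv4 addresses.

    Assumption: 2-byte type and 1-byte server number (Figure 21 is missing).
    """
    if len(value) < 3:
        raise Option43Error("PXE sub-option shorter than its fixed header")
    server_type, count = struct.unpack("!HB", value[:3])
    if server_type != 0:
        raise Option43Error(f"PXE server type {server_type}, expected 0")
    raw = value[3:]
    if len(raw) != 4 * count:
        raise Option43Error(
            f"PXE sub-option announces {count} servers, carries {len(raw)} bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def parse_option43(payload):
    """Decode the known sub-options; keep unknown ones as hex for review."""
    result = {"unknown": []}
    for sub_type, value in split_suboptions(payload):
        if sub_type == SUBOPT_ACS:
            result["acs"] = parse_acs(value)
        elif sub_type == SUBOPT_SP_ID:
            result["service_provider_id"] = value.decode("ascii", "replace")
        elif sub_type == SUBOPT_PXE:
            result["pxe_servers"] = parse_pxe(value)
        else:
            result["unknown"].append((sub_type, value.hex()))
    return result


def redact(parsed):
    """Copy of the result that is safe to log: the ACS password is masked."""
    safe = dict(parsed)
    if "acs" in safe:
        safe["acs"] = dict(safe["acs"], password="***")
    return safe


def tlv(sub_type, value):
    """Build one sub-option (helper for the constructed sample only)."""
    return bytes([sub_type, len(value)]) + value


# Constructed sample payload, not captured traffic.
SAMPLE = (
    tlv(SUBOPT_ACS, b"http://acs.example.test/acs user1 pass1")
    + tlv(SUBOPT_SP_ID, b"sp-01")
    + tlv(SUBOPT_PXE, struct.pack("!HB", 0, 2) + bytes([192, 0, 2, 10, 192, 0, 2, 11]))
)

if __name__ == "__main__":
    print(redact(parse_option43(SAMPLE)))
```

Because the ACS password is carried as plain bytes inside the option, the `redact` helper masks it before the decoded result is written to a log.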


Relay agent option (Option 82)

Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.

The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients.

Option 82 can include up to 255 sub-options and must have one sub-option at least. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID). Option 82 has no standard definition. Its padding formats vary by vendor.
• Circuit ID has the following padding modes:
  − String padding mode—Includes a character string specified by the user.
  − Normal padding mode—Includes the VLAN ID and interface number of the interface that receives the client's request.
  − Verbose padding mode—Includes the access node identifier specified by the user, and the VLAN ID, interface number and interface type of the interface that receives the client's request.
• Remote ID has the following padding modes:
  − String padding mode—Includes a character string specified by the user.
  − Normal padding mode—Includes the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that receives the client's request.
  − Sysname padding mode—Includes the device name of the device. To set the device name for the device, use the sysname command in system view.

Option 184

Option 184 is a reserved option. You can define the parameters in the option as needed. The device supports Option 184 carrying voice related parameters, so a DHCP client with voice functions can get voice parameters from the DHCP server.

Option 184 has the following sub-options:
• Sub-option 1—Specifies the IP address of the primary network calling processor. The primary processor acts as the network calling control source and provides program download services. For Option 184, you must define sub-option 1 to make other sub-options take effect.
• Sub-option 2—Specifies the IP address of the backup network calling processor. DHCP clients contact the backup processor when the primary one is unreachable.
• Sub-option 3—Specifies the voice VLAN ID and the result whether the DHCP client takes this VLAN as the voice VLAN.
• Sub-option 4—Specifies the failover route that includes the IP address and the number of the target user. A SIP VoIP user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable.

Protocols and standards

• RFC 2131, Dynamic Host Configuration Protocol
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4


Configuring the DHCP server

Overview

The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically.
• Most hosts do not need fixed IP addresses.

An MCE acting as the DHCP server can assign IP addresses not only to clients on public networks, but also to clients on private networks. The IP address ranges of public and private networks or those of private networks on the DHCP server cannot overlap. For more information about MCE, see MPLS Configuration Guide.

DHCP address pool

Each DHCP address pool has a group of assignable IP addresses and network configuration parameters. The DHCP server selects IP addresses and other parameters from the address pool and assigns them to the DHCP clients.

Address assignment mechanisms

Configure the following address assignment mechanisms as needed:
• Static address allocation—Manually bind the MAC address or ID of a client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.
• Dynamic address allocation—Specify IP address ranges in a DHCP address pool. Upon receiving a DHCP request, the DHCP server dynamically selects an IP address from the matching IP address range in the address pool.

You can specify IP address ranges in an address pool by using either of the following methods:
• Method 1—Specify a primary subnet in an address pool and divide the subnet into multiple address ranges. These address ranges include a common IP address range and IP address ranges for DHCP user classes. Upon receiving a DHCP request, the DHCP server finds a user class matching the client and selects an IP address in the address range of the user class for the client. A user class can include multiple matching rules, and a client matches the user class as long as it matches any of the rules. In address pool view, you can specify different address ranges for different user classes.
  The DHCP server selects an IP address for a client by performing the following steps:
  a. The DHCP server compares the client against DHCP user classes in the order they are configured.
  b. If the client matches a user class, the DHCP server selects an IP address from the address range of the user class.
  c. If the matching user class has no assignable addresses, the DHCP server compares the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range.
  d. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or it is not configured, the address allocation fails.


NOTE: All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range.

• Method 2—Specify a primary subnet and multiple secondary subnets in an address pool. The DHCP server selects an IP address from the primary subnet first. If there is no assignable IP address on the primary subnet, the DHCP server selects an IP address from secondary subnets in the order they are configured.

Principles for selecting an address pool

The DHCP server observes the following principles to select an address pool for a client:
1. If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.
2. If the receiving interface has an address pool applied, the DHCP server selects an IP address and other configuration parameters from this address pool.
3. If no static address pool is configured and no address pool is applied to the receiving interface, the DHCP server selects an address pool depending on the client location.
   Client on the same subnet as the server—The DHCP server compares the IP address of the receiving interface with the primary subnets of all address pools.
   − If a match is found, the server selects the address pool with the longest-matching primary subnet.
   − If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.
   Client on a different subnet than the server—The DHCP server compares the IP address in the giaddr field of the DHCP request with the primary subnets of all address pools.
   − If a match is found, the server selects the address pool with the longest-matching primary subnet.
   − If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.

For example, two address pools 1.1.1.0/24 and 1.1.1.0/25 are configured but not applied to any DHCP server's interfaces.
• If the IP address of the receiving interface is 1.1.1.1/25, the DHCP server selects the address pool 1.1.1.0/25. If the address pool has no available IP addresses, the DHCP server will not select the other pool and the address allocation will fail.
• If the IP address of the receiving interface is 1.1.1.130/25, the DHCP server selects the address pool 1.1.1.0/24.
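The three selection principles and the 1.1.1.0/24 versus 1.1.1.0/25 example can be modeled as follows. This Python sketch is an added illustration, not Comware code; the Pool class, the function names, and the sample pools are hypothetical. It treats a giaddr of 0.0.0.0 as "client on the same subnet as the server", which is the RFC 2131 meaning of an unset giaddr.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Pool:
    """Hypothetical model of a DHCP address pool (not a Comware object)."""
    name: str
    primary: Optional[str] = None                          # primary subnet
    secondaries: List[str] = field(default_factory=list)   # secondary subnets
    static_clients: Set[str] = field(default_factory=set)  # MACs/IDs with a static binding


def _longest_match(addr, pools, subnets_of):
    """Return the pool whose matching subnet has the longest prefix, or None."""
    best_pool, best_len = None, -1
    for pool in pools:
        for cidr in subnets_of(pool):
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_pool, best_len = pool, net.prefixlen
    return best_pool


def select_pool(pools, client_id, rx_if_ip, giaddr="0.0.0.0", applied=None):
    """Apply the guide's selection principles in order.

    Returns (pool, reason). pool is None when nothing matches.
    """
    # Principle 1: a pool holding a static binding for this client wins.
    for pool in pools:
        if client_id in pool.static_clients:
            return pool, "static binding"

    # Principle 2: a pool applied to the receiving interface comes next.
    if applied is not None:
        return applied, "applied to interface"

    # Principle 3: match by client location. A relayed request carries the
    # relay's address in giaddr; otherwise use the receiving interface.
    relay = ipaddress.ip_address(giaddr)
    key = ipaddress.ip_address(rx_if_ip) if relay.is_unspecified else relay

    pool = _longest_match(key, pools, lambda p: [p.primary] if p.primary else [])
    if pool is not None:
        return pool, "primary subnet"

    # Secondary subnets are consulted only if no primary subnet matched.
    pool = _longest_match(key, pools, lambda p: p.secondaries)
    if pool is not None:
        return pool, "secondary subnet"
    return None, "no match"


# Constructed sample pools. The first two are the guide's example.
POOLS = [
    Pool("pool-24", primary="1.1.1.0/24"),
    Pool("pool-25", primary="1.1.1.0/25"),
    Pool("branch", primary="10.9.0.0/24", secondaries=["10.2.0.0/16"]),
    Pool("servers", primary="172.16.0.0/24",
         static_clients={"00:11:22:33:44:55"}),
]

if __name__ == "__main__":
    for ip in ("1.1.1.1", "1.1.1.130"):
        pool, why = select_pool(POOLS, "aa:bb:cc:dd:ee:ff", ip)
        print(ip, "->", pool.name, f"({why})")
```

Selection picks exactly one pool. As the guide's example states, an exhausted pool-25 does not cause a fallback to pool-24.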

To ensure correct address allocation, keep the IP addresses used for dynamic allocation on one of the subnets:
• Clients on the same subnet as the server—Subnet where the DHCP server receiving interface resides.
• Clients on a different subnet than the server—Subnet where the first DHCP relay interface that faces the clients resides.


NOTE: As a best practice, configure at least one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.

IP address allocation sequence

The DHCP server selects an IP address for a client in the following sequence:
1. IP address statically bound to the client's MAC address or ID.
2. IP address that was ever assigned to the client.
3. IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client. Option 50 is the Requested IP Address option. The client uses this option to specify the wanted IP address in a DHCP-DISCOVER message. The content of Option 50 is user defined.
4. First assignable IP address found in the way discussed in "DHCP address pool."
5. IP address that was a conflict or passed its lease duration. If no IP address is assignable, the server does not respond.

NOTE:
• If a client moves to another subnet, the DHCP server selects an IP address in the address pool matching the new subnet. It does not assign the IP address that was once assigned to the client.
• Conflicted IP addresses can be assigned to other DHCP clients only after the addresses are in conflict for an hour.

DHCP server configuration task list

Tasks at a glance

(Required.) Configuring an address pool on the DHCP server

(Required.) Enabling DHCP

(Required.) Enabling the DHCP server on an interface

(Optional.) Applying an address pool on an interface

(Optional.) Configuring IP address conflict detection

(Optional.) Enabling handling of Option 82

(Optional.) Configuring DHCP server compatibility

(Optional.) Setting the DSCP value for DHCP packets sent by the DHCP server

(Optional.) Configuring DHCP binding auto backup

(Optional.) Configuring address pool usage alarming

(Optional.) Binding gateways to a common MAC address

(Optional.) Advertising subnets assigned to clients

(Optional.) Applying a DHCP address pool to a VPN instance

(Optional.) Enabling client offline detection on the DHCP server

(Optional.) Configuring DHCP logging on the DHCP server

Configuring an address pool on the DHCP server

Configuration task list

Tasks at a glance

(Required.) Creating a DHCP address pool

Perform at least one of the following tasks:
• Specifying IP address ranges for a DHCP address pool
• Specifying gateways for DHCP clients
• Specifying a domain name suffix for DHCP clients
• Specifying DNS servers for DHCP clients
• Specifying WINS servers and NetBIOS node type for DHCP clients
• Specifying BIMS server for DHCP clients
• Specifying the configuration file for DHCP client auto-configuration
• Specifying a server for DHCP clients
• Configuring Option 184 parameters for DHCP clients
• Customizing DHCP options
• Configuring the DHCP user class whitelist

Creating a DHCP address pool

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

Specifying IP address ranges for a DHCP address pool

You can configure both static and dynamic address allocation mechanisms in a DHCP address pool. For dynamic address allocation, you can specify either a primary subnet with multiple address ranges or a primary subnet with multiple secondary subnets for a DHCP address pool. You cannot configure both.

Specifying a primary subnet and multiple address ranges for a DHCP address pool

Some scenarios need to classify DHCP clients on the same subnet into different address groups. To meet this need, you can configure DHCP user classes and specify different address ranges for the classes. The clients matching a user class can then get the IP addresses of an address range. In addition, you can specify a common address range for the clients that do not match any user class. If no common address range is specified, such clients fail to obtain IP addresses.

If there is no need to classify clients, you do not need to configure DHCP user classes or their address ranges.

Follow these guidelines when you specify a primary subnet and multiple address ranges for a DHCP address pool:


• If you use the network or address range command multiple times for the same address pool, the most recent configuration takes effect.

• IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

To specify a primary subnet and multiple address ranges for a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP user class and enter DHCP user class view.
   Command: dhcp class class-name
   Remarks: Required for client classification. By default, no DHCP user class exists.

3. Configure the match rule for the DHCP user class.
   Command: if-match rule rule-number { option option-code [ hex hex-string [ mask mask | offset offset length length ] ] | hardware-address hardware-address mask hardware-address-mask }
   Remarks: Required for client classification. By default, no match rule is configured for a DHCP user class.

4. Return to system view.
   Command: quit
   Remarks: N/A

5. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

6. Specify the primary subnet for the address pool.
   Command: network network-address [ mask-length | mask mask ]
   Remarks: By default, no primary subnet is specified.

7. (Optional.) Specify the common address range.
   Command: address range start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
   Remarks: By default, no IP address range is specified.

8. (Optional.) Specify an IP address range for a DHCP user class.
   Command: class class-name range start-ip-address end-ip-address
   Remarks: By default, no IP address range is specified for a user class. The DHCP user class must already exist. To specify address ranges for multiple DHCP user classes, repeat this step.

9. (Optional.) Set the address lease duration.
   Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
   Remarks: The default setting is 1 day.

10. (Optional.) Exclude the specified IP addresses in the address pool from dynamic allocation.
    Command: forbidden-ip ip-address&<1-8>
    Remarks: By default, all the IP addresses in the DHCP address pool are assignable. To exclude multiple address ranges from dynamic allocation, repeat this step.

11. Return to system view.
    Command: quit
    Remarks: N/A

12. (Optional.) Exclude the specified IP addresses from automatic allocation globally.
    Command: dhcp server forbidden-ip start-ip-address [ end-ip-address ]
    Remarks: By default, except for the IP address of the DHCP server interface, all IP addresses in address pools are assignable. To exclude multiple IP address ranges, repeat this step.


Specifying a primary subnet and multiple secondary subnets for a DHCP address pool

If an address pool has a primary subnet and multiple secondary subnets, the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses.

Follow these guidelines when you specify a primary subnet and secondary subnets for a DHCP address pool:
• You can specify only one primary subnet in each address pool. If you use the network command multiple times, the most recent configuration takes effect.
• You can specify a maximum of 32 secondary subnets in each address pool.
• IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

To specify a primary subnet and secondary subnets for a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the primary subnet.
   Command: network network-address [ mask-length | mask mask ]
   Remarks: By default, no primary subnet is specified.

4. (Optional.) Specify a secondary subnet.
   Command: network network-address [ mask-length | mask mask ] secondary
   Remarks: By default, no secondary subnet is specified.

5. (Optional.) Return to address pool view.
   Command: quit
   Remarks: N/A

6. (Optional.) Set the address lease duration.
   Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
   Remarks: The default setting is 1 day.

7. (Optional.) Exclude the specified IP addresses from dynamic allocation.
   Command: forbidden-ip ip-address&<1-8>
   Remarks: By default, all the IP addresses in the DHCP address pool can be dynamically allocated. To exclude multiple address ranges from the address pool, repeat this step.

8. Return to system view.
   Command: quit
   Remarks: N/A

9. (Optional.) Exclude the specified IP addresses from dynamic allocation globally.
   Command: dhcp server forbidden-ip start-ip-address [ end-ip-address ]
   Remarks: Except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable by default. To exclude multiple address ranges globally, repeat this step.

Configuring a static binding in a DHCP address pool

Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.


Follow these guidelines when you configure a static binding:
• One IP address can be bound to only one client MAC or client ID. You cannot modify bindings that have been created. To change the binding for a DHCP client, you must delete the existing binding first.

• The IP address of a static binding cannot be the address of the DHCP server interface. Otherwise, an IP address conflict occurs and the bound client cannot obtain an IP address correctly.

• Multiple interfaces on the same device might all use DHCP to request a static IP address. In this case, use client IDs rather than the device's MAC address to identify the interfaces. Otherwise, IP address allocation will fail.

To configure a static binding:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Configure a static binding.
   Command: static-bind ip-address ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }
   Remarks: By default, no static binding is configured. To add more static bindings, repeat this step.

4. (Optional.) Set the lease duration for the IP address.
   Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
   Remarks: The default setting is 1 day.

Specifying gateways for DHCP clients

DHCP clients send packets destined for other networks to a gateway. The DHCP server can assign the gateway address to the DHCP clients.

You can specify gateway addresses in each address pool on the DHCP server. A maximum of eight gateways can be specified in DHCP address pool view or secondary subnet view.

The DHCP server assigns gateway addresses to clients on a secondary subnet in the following ways:
• If gateways are specified in both address pool view and secondary subnet view, DHCP assigns those specified in the secondary subnet view.
• If gateways are specified in address pool view but not in secondary subnet view, DHCP assigns those specified in address pool view.

To configure gateways in the DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify gateways.
   Command: gateway-list ip-address&<1-8>
   Remarks: By default, no gateway is specified.

4. (Optional.) Enter secondary subnet view.
   Command: network network-address [ mask-length | mask mask ] secondary
   Remarks: N/A

5. (Optional.) Specify gateways.
   Command: gateway-list ip-address&<1-8>
   Remarks: By default, no gateway is specified.

Specifying a domain name suffix for DHCP clients

You can specify a domain name suffix in a DHCP address pool on the DHCP server. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring DNS."

To configure a domain name suffix in the DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify a domain name suffix.
   Command: domain-name domain-name
   Remarks: By default, no domain name is specified.

Specifying DNS servers for DHCP clients

To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool.

To specify DNS servers in a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify DNS servers.
   Command: dns-list ip-address&<1-8>
   Remarks: By default, no DNS server is specified.

Specifying WINS servers and NetBIOS node type for DHCP clients

A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool.

In addition, you must specify a NetBIOS node type for the clients to approach name resolution. There are four NetBIOS node types:
• b (broadcast)-node—A b-node client sends the destination name in a broadcast message. The destination returns its IP address to the client after receiving the message.
• p (peer-to-peer)-node—A p-node client sends the destination name in a unicast message to the WINS server. The WINS server returns the destination IP address.
• m (mixed)-node—An m-node client broadcasts the destination name. If it receives no response, it unicasts the destination name to the WINS server to get the destination IP address.
• h (hybrid)-node—An h-node client unicasts the destination name to the WINS server. If it receives no response, it broadcasts the destination name to get the destination IP address.


To configure WINS servers and NetBIOS node type in a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify WINS servers.
   Command: nbns-list ip-address&<1-8>
   Remarks: This step is optional for b-node. By default, no WINS server is specified.

4. Specify the NetBIOS node type.
   Command: netbios-type { b-node | h-node | m-node | p-node }
   Remarks: By default, no NetBIOS node type is specified.

Specifying BIMS server for DHCP clients

Perform this task to provide the BIMS server IP address, port number, and shared key for the clients. The DHCP clients contact the BIMS server to get configuration files and perform software upgrade and backup.

To configure the BIMS server IP address, port number, and shared key in the DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the BIMS server IP address, port number, and shared key.
   Command: bims-server ip ip-address [ port port-number ] sharekey { cipher | simple } key
   Remarks: By default, no BIMS server information is specified.

Specifying the configuration file for DHCP client auto-configuration

Auto-configuration enables a device to obtain a set of configuration settings automatically from servers when the device starts up without a configuration file. It requires the cooperation of the DHCP server, HTTP server, DNS server, and TFTP server. For more information about auto-configuration, see Fundamentals Configuration Guide.

Follow these guidelines to specify the parameters on the DHCP server for configuration file acquisition:
• If the configuration file is on a TFTP server, specify the IP address or name of the TFTP server, and the configuration file name.
• If the configuration file is on an HTTP server, specify the configuration file URL.

The DHCP client uses the obtained parameters to contact the TFTP server or the HTTP server to get the configuration file.

To specify the configuration file name in a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the IP address or the name of a TFTP server.
   Command:
   • Specify the IP address of the TFTP server: tftp-server ip-address ip-address
   • Specify the name of the TFTP server: tftp-server domain-name domain-name
   Remarks: You can specify both the IP address and name of the TFTP server. By default, no TFTP server is specified.

4. Specify the configuration file name.
   Command: bootfile-name bootfile-name
   Remarks: By default, no configuration file name is specified.

To specify the configuration file URL in a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the URL of the configuration file.
   Command: bootfile-name url
   Remarks: By default, no configuration file URL is specified.

Specifying a server for DHCP clients

Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You can specify the IP address of that server. The DHCP server sends the server's IP address to DHCP clients along with other configuration information.

To specify the IP address of a server:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the IP address of a server.
   Command: next-server ip-address
   Remarks: By default, no server is specified.

Configuring Option 184 parameters for DHCP clients

To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184."

To configure option 184 parameters in a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the IP address of the primary network calling processor.
   Command: voice-config ncp-ip ip-address
   Remarks: By default, no primary network calling processor is specified. After you configure this command, the other Option 184 parameters take effect.

4. (Optional.) Specify the IP address for the backup server.
   Command: voice-config as-ip ip-address
   Remarks: By default, no backup network calling processor is specified.

5. (Optional.) Configure the voice VLAN.
   Command: voice-config voice-vlan vlan-id { disable | enable }
   Remarks: By default, no voice VLAN is configured.

6. (Optional.) Specify the failover IP address and dialer string.
   Command: voice-config fail-over ip-address dialer-string
   Remarks: By default, no failover IP address or dialer string is specified.

Customizing DHCP options

IMPORTANT: Use caution when customizing DHCP options because the configuration might affect DHCP operation.

You can customize options for the following purposes:
• Add newly released options.
• Add options for which the vendor defines the contents, for example, Option 43.
• Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.
• Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command. For example, the dns-list command can specify up to eight DNS servers. To specify more than eight DNS servers, you must use the option 6 command to define all DNS servers.

To customize a DHCP option in a DHCP address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.
3. Customize a DHCP option.
   Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
   Remarks: By default, no DHCP option is customized in a DHCP address pool. DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

To customize a DHCP option in a DHCP option group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP user class and enter DHCP user class view.
   Command: dhcp class class-name
   Remarks: By default, no DHCP user class exists.
3. Configure a match rule for the DHCP user class.
   Command: if-match rule rule-number { option option-code [ hex hex-string [ mask mask | offset offset length length ] ] | hardware-address hardware-address mask hardware-address-mask }
   Remarks: By default, no match rule is configured for a DHCP user class.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Create a DHCP option group and enter DHCP option group view.
   Command: dhcp option group option-group-number
   Remarks: By default, no DHCP option group exists.
6. Customize a DHCP option.
   Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
   Remarks: By default, no DHCP option is customized in a DHCP option group. DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.
7. Create a DHCP address pool and enter DHCP address pool view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.
8. Specify the DHCP option group for the DHCP user class.
   Command: class class-name option group option-group-number
   Remarks: By default, no DHCP option group is specified for a DHCP user class.

Table 2 Common DHCP options

Option | Option name | Corresponding command | Recommended option command parameters
3 | Router Option | gateway-list | ip-address
6 | Domain Name Server Option | dns-list | ip-address
15 | Domain Name | domain-name | ascii
44 | NetBIOS over TCP/IP Name Server Option | nbns-list | ip-address
46 | NetBIOS over TCP/IP Node Type Option | netbios-type | hex
66 | TFTP server name | tftp-server | ascii
67 | Boot file name | bootfile-name | ascii
43 | Vendor Specific Information | N/A | hex

Configuring the DHCP user class whitelist

The DHCP user class whitelist allows the DHCP server to process requests only from clients on the DHCP user class whitelist. The whitelist does not take effect on clients who request static IP addresses, and the server always processes their requests.

To configure the DHCP user class whitelist:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP user class and enter DHCP user class view.
   Command: dhcp class class-name
   Remarks: By default, no DHCP user class exists.
3. Configure a match rule for the DHCP user class.
   Command: if-match rule rule-number { option option-code [ hex hex-string [ mask mask | offset offset length length ] ] | hardware-address hardware-address mask hardware-address-mask }
   Remarks: By default, no match rule is configured for a DHCP user class.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Create a DHCP address pool and enter DHCP address pool view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.
6. Enable the DHCP user class whitelist.
   Command: verify class
   Remarks: By default, the DHCP user class whitelist is disabled.
7. Add DHCP user classes to the DHCP user class whitelist.
   Command: valid class class-name&<1-8>
   Remarks: By default, no DHCP user class is on the DHCP user class whitelist.

Enabling DHCP

You must enable DHCP for other DHCP configurations to take effect.

To enable DHCP:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP.
   Command: dhcp enable
   Remarks: By default, DHCP is disabled.

Enabling the DHCP server on an interface

Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.

To enable the DHCP server on an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable the DHCP server on the interface.
   Command: dhcp select server
   Remarks: By default, the DHCP server on the interface is enabled.

Applying an address pool on an interface

Perform this task to apply a DHCP address pool on an interface.

Upon receiving a DHCP request from the interface, the DHCP server performs address allocation in the following ways:
• If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding.
• If no static binding is found for the client, the server uses the address pool applied to the interface for address and configuration parameter allocation.

To apply an address pool on an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Apply an address pool on the interface.
   Command: dhcp server apply ip-pool pool-name
   Remarks: By default, no address pool is applied on an interface. If the applied address pool does not exist, the DHCP server fails to perform dynamic address allocation.

Configuring IP address conflict detection

Before assigning an IP address, the DHCP server pings that IP address.
• If the server receives a response within the specified period, it selects and pings another IP address.
• If it receives no response, the server continues to ping the IP address until a specific number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. The DHCP client uses gratuitous ARP to perform IP address conflict detection.

To configure IP address conflict detection:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. (Optional.) Set the maximum number of ping packets to be sent for conflict detection.
   Command: dhcp server ping packets number
   Remarks: The default setting is one. The value 0 disables IP address conflict detection.
3. (Optional.) Set the ping timeout time.
   Command: dhcp server ping timeout milliseconds
   Remarks: The default setting is 500 ms. The value 0 disables IP address conflict detection.

Enabling handling of Option 82

Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response.

If you disable the DHCP server from handling Option 82, it does not add Option 82 into the response message.

You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure correct processing for Option 82. For information about enabling handling of Option 82 on the DHCP relay agent, see "Configuring Option 82."

To enable the DHCP server to handle Option 82:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the server to handle Option 82.
   Command: dhcp server relay information enable
   Remarks: By default, handling of Option 82 is enabled.

Configuring DHCP server compatibility

Perform this task to enable the DHCP server to support DHCP clients that are not RFC-compliant.

Configuring the DHCP server to broadcast all responses

By default, the DHCP server broadcasts a response only when the broadcast flag in the DHCP request is set to 1. You can configure the DHCP server to ignore the broadcast flag and always broadcast a response. This function is useful when some clients set the broadcast flag to 0 but do not accept unicast responses.

The DHCP server always unicasts a response in the following situations, regardless of whether this function is configured or not:
• The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).
• The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is not 0).

To configure the DHCP server to broadcast all responses:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the DHCP server to broadcast all responses.
   Command: dhcp server always-broadcast
   Remarks: By default, the DHCP server looks at the broadcast flag to decide whether to broadcast or unicast a response.
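The delivery rules above, written out as a decision function over the fixed BOOTP header of a request. This is an added illustration, not HPE code: the function names and the constructed sample requests are assumptions, and the always_broadcast argument stands for the dhcp server always-broadcast setting.

```python
import struct
from ipaddress import IPv4Address

# Fixed BOOTP/DHCP header up to giaddr: op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr (28 bytes, network byte order).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s")
BROADCAST_FLAG = 0x8000  # most significant bit of the flags field
ZERO = IPv4Address("0.0.0.0")


def parse_request(packet: bytes) -> dict:
    """Extract the header fields that drive the delivery decision."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated BOOTP header")
    op, _htype, _hlen, _hops, xid, _secs, flags, ciaddr, _yi, _si, giaddr = \
        HEADER.unpack_from(packet)
    if op != 1:  # 1 = BOOTREQUEST
        raise ValueError("not a client request")
    return {
        "xid": xid,
        "broadcast_flag": bool(flags & BROADCAST_FLAG),
        "ciaddr": IPv4Address(ciaddr),
        "giaddr": IPv4Address(giaddr),
    }


def reply_delivery(packet: bytes, always_broadcast: bool = False) -> str:
    """Return 'unicast' or 'broadcast' following the rules in this section."""
    req = parse_request(packet)
    # These two cases are unicast whether or not always-broadcast is set.
    if req["ciaddr"] != ZERO:   # client already has an IP address
        return "unicast"
    if req["giaddr"] != ZERO:   # request came through a relay agent
        return "unicast"
    if always_broadcast:        # the broadcast flag is ignored
        return "broadcast"
    # Default behavior: honor the broadcast flag set by the client.
    return "broadcast" if req["broadcast_flag"] else "unicast"


def build_request(flags=0, ciaddr="0.0.0.0", giaddr="0.0.0.0") -> bytes:
    """Constructed sample request header (not captured traffic)."""
    return HEADER.pack(1, 1, 6, 0, 0x12345678, 0, flags,
                       IPv4Address(ciaddr).packed, ZERO.packed,
                       ZERO.packed, IPv4Address(giaddr).packed)


if __name__ == "__main__":
    cases = [
        ("flag=1", build_request(flags=BROADCAST_FLAG)),
        ("flag=0", build_request()),
        ("flag=1, ciaddr set", build_request(BROADCAST_FLAG, ciaddr="10.1.1.5")),
        ("flag=1, giaddr set", build_request(BROADCAST_FLAG, giaddr="10.1.1.1")),
    ]
    for label, pkt in cases:
        print(f"{label:20} default={reply_delivery(pkt):9} "
              f"always-broadcast={reply_delivery(pkt, always_broadcast=True)}")
```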

Configuring the DHCP server to ignore BOOTP requests

The lease duration of the IP addresses obtained by the BOOTP clients is unlimited. For some scenarios that do not allow unlimited leases, you can configure the DHCP server to ignore BOOTP requests.

To configure the DHCP server to ignore BOOTP requests:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the DHCP server to ignore BOOTP requests.
   Command: dhcp server bootp ignore
   Remarks: By default, the DHCP server processes BOOTP requests.

Configuring the DHCP server to send BOOTP responses in RFC 1048 format

Not all BOOTP clients can send requests that are compatible with RFC 1048. By default, the DHCP server does not process the Vend field of RFC 1048-incompliant requests but copies the Vend field into responses.

This function enables the DHCP server to fill the Vend field in RFC 1048-compliant format in DHCP responses to RFC 1048-incompliant requests sent by BOOTP clients.

This function is effective for the BOOTP clients that request statically bound addresses.

To configure the DHCP server to send BOOTP responses in RFC 1048 format:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the DHCP server to send BOOTP responses in RFC 1048 format to the RFC 1048-incompliant BOOTP requests for statically bound addresses.
   Command: dhcp server bootp reply-rfc-1048
   Remarks: By default, the DHCP server directly copies the Vend field of such requests into the responses.

Setting the DSCP value for DHCP packets sent by the DHCP server

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP server:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the DSCP value for DHCP packets sent by the DHCP server.
   Command: dhcp dscp dscp-value
   Remarks: By default, the DSCP value in DHCP packets sent by the DHCP server is 56.

Configuring DHCP binding auto backup

The auto backup function saves bindings to a backup file and allows the DHCP server to download the bindings from the backup file at the server reboot. The bindings include the lease bindings and conflicted IP addresses. They cannot survive a reboot on the DHCP server.

The DHCP server does not provide services during the download process. If a connection error occurs during the process and cannot be repaired in a short amount of time, you can terminate the download operation. Manual interruption allows the DHCP server to provide services without waiting for the connection to be repaired.

To configure DHCP binding auto backup:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the DHCP server to back up the bindings to a file.
   Command: dhcp server database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }
   Remarks: By default, the DHCP server does not back up the DHCP bindings. With this command executed, the DHCP server backs up its bindings immediately and runs auto backup.
3. (Optional.) Manually save the DHCP bindings to the backup file.
   Command: dhcp server database update now
   Remarks: N/A
4. (Optional.) Set the waiting time after a DHCP binding change for the DHCP server to update the backup file.
   Command: dhcp server database update interval seconds
   Remarks: The default waiting time is 300 seconds. If no DHCP binding changes, the backup file is not updated.
5. (Optional.) Terminate the download of DHCP bindings from the backup file.
   Command: dhcp server database update stop
   Remarks: N/A

Configuring address pool usage alarming

Perform this task to set the threshold for address pool usage alarming. When the threshold is exceeded, the system sends log messages to the information center. According to the log information, you can optimize the address pool configuration. For more information about the information center, see Network Management and Monitoring Configuration Guide.

To configure address pool usage alarming:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.
3. Set the threshold for address pool usage alarming.
   Command: ip-in-use threshold threshold-value
   Remarks: The default threshold is 100%.

Binding gateways to a common MAC address

This feature enables DHCP clients of different types to obtain different gateway IP addresses but the same MAC address. In addition to assigning gateway IP addresses to the clients, the DHCP server adds the gateway IP addresses and the server's MAC address to the address management module. The ARP module can use the entries to reply to ARP requests from the clients.

As shown in Figure 22, the DHCP server is configured on the access device that provides access for clients of different service types, such as broadband, IP TV, and IP telephone. The clients of different types obtain IP addresses on different subnets. For the clients to access the network, the access interface typically has no IP address configured. You must bind the gateways to a MAC address when specifying gateways for the DHCP clients.


Figure 22 Network diagram

The gateway binding feature on the master device takes effect if the DHCP address pool is bound to a VSRP instance. If the address pool is applied to a VPN instance, the VPN instance must exist.

To bind the gateways to a common MAC address:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.
3. Bind the gateways to the device's MAC address.
   Command: gateway-list ip-address&<1-8> export-route
   Remarks: By default, gateways are not bound to any MAC address.

Advertising subnets assigned to clients

This feature enables the route management module to advertise subnets assigned to DHCP clients. This feature achieves symmetric routing for traffic of the same host.

As shown in Figure 23, Router A and Router B act as both the DHCP server and the BRAS device. The BRAS devices send accounting packets to the RADIUS server. To enable the BRAS devices to collect correct accounting information for each RADIUS user, configure the DHCP server to advertise subnets assigned to clients. The upstream and downstream traffic of a RADIUS user will pass through the same BRAS device.

Figure 23 Network diagram

Subnet advertising takes effect on the master device of a VSRP instance. If the address pool is applied to a VPN instance, the VPN instance must exist.

[Figure 23 labels: Host A, Host B, Host C; Layer 2 switch; Router A and Router B (each DHCP server and BRAS) with interfaces GE1/0/1 and GE1/0/2; 2.2.2.2/24; 2.2.2.3/24; IP network; RADIUS server; upstream traffic; downstream traffic]

To configure the subnet advertisement function:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.
3. Advertise subnets assigned to DHCP clients.
   Command: network network-address [ mask-length | mask mask ] export-route [ secondary ]
   Remarks: By default, the subnets assigned to DHCP clients are not advertised.

Applying a DHCP address pool to a VPN instance

If a DHCP address pool is applied to a VPN instance, the DHCP server assigns IP addresses in this address pool to clients in the VPN instance. Addresses in this address pool will not be assigned to clients on the public network.

The DHCP server can obtain the VPN instance to which a DHCP client belongs from the following information:
• The client's VPN information stored in authentication modules, such as IPoE.
• The VPN information of the DHCP server's interface that receives DHCP packets from the client.

The VPN information from authentication modules takes priority over the VPN information of the receiving interface.

To apply a DHCP address pool to a VPN instance:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.
3. Apply the address pool to a VPN instance.
   Command: vpn-instance vpn-instance-name
   Remarks: By default, no VPN instance is applied to the address pool.

Enabling client offline detection on the DHCP server

The client offline detection feature reclaims an assigned IP address and deletes the binding entry when the ARP entry for the IP address ages out. The feature does not function if an ARP entry is manually deleted.

To enable client offline detection on the DHCP server:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable client offline detection.
   Command: dhcp client-detect
   Remarks: By default, client offline detection is disabled on the DHCP server.

Configuring DHCP logging on the DHCP server

The DHCP logging feature enables the DHCP server to generate DHCP logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Disable this feature when the log generation affects the device performance or reduces the address allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

To configure DHCP logging on the DHCP server:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP logging.
   Command: dhcp log enable
   Remarks: By default, DHCP logging is disabled.

Displaying and maintaining the DHCP server

IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.

Execute display commands in any view and reset commands in user view.

Task: Display information about IP address conflicts.
Command: display dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]

Task: Display information about DHCP binding auto backup.
Command: display dhcp server database

Task: Display information about lease-expired IP addresses.
Command: display dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Task: Display information about assignable IP addresses.
Command: display dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]

Task: Display information about assigned IP addresses.
Command: display dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Task: Display DHCP server statistics.
Command: display dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]

Task: Display information about DHCP address pools.
Command: display dhcp server pool [ pool-name | vpn-instance vpn-instance-name ]

Task: Clear information about IP address conflicts.
Command: reset dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]

Task: Clear information about lease-expired IP addresses.
Command: reset dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Task: Clear information about assigned IP addresses.
Command: reset dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Task: Clear DHCP server statistics.
Command: reset dhcp server statistics [ vpn-instance vpn-instance-name ]

DHCP server configuration examples

DHCP networking includes the following types:
• The DHCP server and clients reside on the same subnet.
• The DHCP server and clients are not on the same subnet and communicate with each other through a DHCP relay agent.

The DHCP server configuration for the two types is identical.

Static IP address assignment configuration example

Network requirements

As shown in Figure 24, Router A (DHCP server) assigns a static IP address, a DNS server address, and a gateway address to Router B (DHCP client) and Router C (BOOTP client).

The client ID of the interface GigabitEthernet 2/0/1 on Router B is:

0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574.

The MAC address of the interface GigabitEthernet 2/0/1 on Router C is 000f-e200-01c0.

Figure 24 Network diagram

Configuration procedure

1. Specify an IP address for GigabitEthernet 2/0/1 on Router A:
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 10.1.1.1 25
[RouterA-GigabitEthernet2/0/1] quit

2. Configure the DHCP server:
# Enable DHCP.
[RouterA] dhcp enable
# Enable the DHCP server on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] dhcp select server
[RouterA-GigabitEthernet2/0/1] quit
# Create DHCP address pool 0.
[RouterA] dhcp server ip-pool 0
# Configure a static binding for Router B.
[RouterA-dhcp-pool-0] static-bind ip-address 10.1.1.5 25 client-identifier 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574
# Configure a static binding for Router C.
[RouterA-dhcp-pool-0] static-bind ip-address 10.1.1.6 25 hardware-address 000f-e200-01c0
# Specify the DNS server and gateway.
[RouterA-dhcp-pool-0] dns-list 10.1.1.2
[RouterA-dhcp-pool-0] gateway-list 10.1.1.126
[RouterA-dhcp-pool-0] quit
[RouterA]

Verifying the configuration

# Verify that Router B can obtain IP address 10.1.1.5 and all other network parameters from Router A. (Details not shown.)

# Verify that Router C can obtain IP address 10.1.1.6 and all other network parameters from Router A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.
[RouterA] display dhcp server ip-in-use
IP address       Client identifier/    Lease expiration      Type
                 Hardware address
10.1.1.5         0030-3030-662e-6532-  Jan 21 14:27:27 2014  Static(C)
                 3030-2e30-3030-322d-
                 4574-6865-726e-6574
10.1.1.6         000f-e200-01c0        Unlimited             Static(C)
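A lease-audit sketch over the display output above: it rejoins client identifiers that wrap across lines, decodes identifiers that carry ASCII text, and lists bindings whose lease is Unlimited (the lease the guide describes for BOOTP clients). This is an added example, not part of the HPE guide; the function names are assumptions, and the column spacing of the embedded sample is reconstructed from the output shown above.

```python
import re

# Constructed sample: the values are those in the output above; the column
# spacing is reconstructed and may differ from a real device.
SAMPLE = """\
IP address       Client identifier/    Lease expiration      Type
                 Hardware address
10.1.1.5         0030-3030-662e-6532-  Jan 21 14:27:27 2014  Static(C)
                 3030-2e30-3030-322d-
                 4574-6865-726e-6574
10.1.1.6         000f-e200-01c0        Unlimited             Static(C)
"""

# A binding row starts with an IPv4 address; the last token is the type and
# everything between the identifier and the type is the lease expiration.
RECORD = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(.*?)\s+(\S+)\s*$")
# A wrapped identifier line holds only dash-separated groups of four hex digits.
CONTINUATION = re.compile(r"^\s*([0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4})*-?)\s*$")


def parse_ip_in_use(text):
    """Return one dict per binding, with wrapped identifiers rejoined."""
    bindings = []
    for line in text.splitlines():
        rec = RECORD.match(line)
        if rec:
            ip, ident, lease, kind = rec.groups()
            bindings.append({"ip": ip, "id": ident, "lease": lease, "type": kind})
            continue
        cont = CONTINUATION.match(line)
        if cont and bindings:
            bindings[-1]["id"] += cont.group(1)
    return bindings


def decode_client_id(ident):
    """Return the ASCII text of a client identifier, or None.

    Heuristic: values of six bytes or fewer are treated as hardware
    addresses; longer values whose first byte is 0x00 and whose remaining
    bytes are printable ASCII are decoded as text.
    """
    raw = bytes.fromhex(ident.replace("-", ""))
    if len(raw) > 6 and raw[0] == 0:
        body = raw[1:]
        if all(0x20 <= b < 0x7F for b in body):
            return body.decode("ascii")
    return None


def unlimited_leases(bindings):
    """IP addresses whose lease never expires."""
    return [b["ip"] for b in bindings if b["lease"].lower() == "unlimited"]


if __name__ == "__main__":
    for b in parse_ip_in_use(SAMPLE):
        print(b["ip"], b["id"], "|", decode_client_id(b["id"]), "|", b["lease"])
    print("Unlimited leases:", unlimited_leases(parse_ip_in_use(SAMPLE)))
```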

Dynamic IP address assignment configuration example

Network requirements

As shown in Figure 25, the DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.

Configure DHCP server on Router A to implement the following assignment scheme.

Table 3 Assignment scheme

DHCP clients | IP address | Lease | Other configuration parameters
Clients that connect to GigabitEthernet 2/0/1 | IP addresses on subnet 10.1.1.0/25 | 10 days and 12 hours | Gateway: 10.1.1.126/25; DNS server: 10.1.1.2/25; Domain name: aabbcc.com; WINS server: 10.1.1.4/25
Clients that connect to GigabitEthernet 2/0/2 | IP addresses on subnet 10.1.1.128/25 | Five days | Gateway: 10.1.1.254/25; DNS server: 10.1.1.2/25; Domain name: aabbcc.com

Figure 25 Network diagram

Configuration procedure

1. Specify IP addresses for interfaces. (Details not shown.)

2. Configure the DHCP server:
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Enable the DHCP server on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] dhcp select server
[RouterA-GigabitEthernet2/0/1] quit
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] dhcp select server
[RouterA-GigabitEthernet2/0/2] quit
# Exclude addresses of the DNS server, WINS server, and gateways from dynamic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
[RouterA] dhcp server forbidden-ip 10.1.1.4
[RouterA] dhcp server forbidden-ip 10.1.1.126
[RouterA] dhcp server forbidden-ip 10.1.1.254
# Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.0/25.
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128
[RouterA-dhcp-pool-1] expired day 10 hour 12
[RouterA-dhcp-pool-1] domain-name aabbcc.com
[RouterA-dhcp-pool-1] dns-list 10.1.1.2
[RouterA-dhcp-pool-1] gateway-list 10.1.1.126
[RouterA-dhcp-pool-1] nbns-list 10.1.1.4
[RouterA-dhcp-pool-1] quit
# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.128/25.
[RouterA] dhcp server ip-pool 2
[RouterA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[RouterA-dhcp-pool-2] expired day 5
[RouterA-dhcp-pool-2] domain-name aabbcc.com
[RouterA-dhcp-pool-2] dns-list 10.1.1.2
[RouterA-dhcp-pool-2] gateway-list 10.1.1.254

Verifying the configuration

# Verify that clients on subnets 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and all other network parameters from Router A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.
[RouterA] display dhcp server ip-in-use

DHCP user class configuration example

Network requirements

As shown in Figure 26, the DHCP relay agent (Router A) forwards DHCP packets between DHCP clients and the DHCP server (Router B). Enable Router A to handle Option 82 so that it can add Option 82 in DHCP requests and then convey them to the DHCP server.

Configure the address allocation scheme as follows:

Assign IP addresses | To clients
10.10.1.2 to 10.10.1.10 | The DHCP request contains Option 82.
10.10.1.11 to 10.10.1.26 | The hardware address in the request is six bytes long and begins with aabb-aabb-aab.

Router B assigns the DNS server address 10.10.1.20/24 and the gateway address 10.10.1.254/24 to clients on subnet 10.10.1.0/24.

Figure 26 Network diagram

Configuration procedure

1. Specify IP addresses for the interfaces on DHCP server. (Details not shown.)

2. Configure DHCP:
# Enable DHCP and configure the DHCP server to handle Option 82.
<RouterB> system-view
[RouterB] dhcp enable
[RouterB] dhcp server relay information enable
# Enable the DHCP server on the interface GigabitEthernet 2/0/1.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] dhcp select server
[RouterB-GigabitEthernet2/0/1] quit
# Create DHCP user class tt and configure a match rule to match DHCP requests that contain Option 82.
[RouterB] dhcp class tt
[RouterB-dhcp-class-tt] if-match rule 1 option 82
[RouterB-dhcp-class-tt] quit
# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb-aab.
[RouterB] dhcp class ss
[RouterB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-aab0 mask ffff-ffff-fff0
[RouterB-dhcp-class-ss] quit
# Create DHCP address pool aa.
[RouterB] dhcp server ip-pool aa
# Specify the subnet for dynamic allocation.
[RouterB-dhcp-pool-aa] network 10.10.1.0 mask 255.255.255.0
# Specify the address range for dynamic allocation.
[RouterB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100
# Specify the address range for the user class tt.
[RouterB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10
# Specify the address range for the user class ss.
[RouterB-dhcp-pool-aa] class ss range 10.10.1.11 10.10.1.26
# Specify the gateway and the DNS server.
[RouterB-dhcp-pool-aa] gateway-list 10.10.1.254
[RouterB-dhcp-pool-aa] dns-list 10.10.1.20

Verifying the configuration

# Verify that clients matching the DHCP user classes can obtain IP addresses in the specified ranges and all other configuration parameters from the DHCP server. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.
[RouterB] display dhcp server ip-in-use

DHCP user class whitelist configuration example

Network requirements

As shown in Figure 27, configure the DHCP user class whitelist to allow the DHCP server to assign IP addresses to clients whose hardware addresses are six bytes long and begin with aabb-aabb.

Figure 27 Network diagram

Configuration procedure

1. Specify IP addresses for the interfaces on the DHCP server. (Details not shown.)

2. Configure DHCP:
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Enable DHCP server on interface GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] dhcp select server
[RouterA-GigabitEthernet2/0/1] quit
# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.
[RouterA] dhcp class ss
[RouterA-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
[RouterA-dhcp-class-ss] quit
# Create DHCP address pool aa.
[RouterA] dhcp server ip-pool aa
# Specify the subnet for dynamic allocation.
[RouterA-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0
# Enable DHCP user class whitelist.
[RouterA-dhcp-pool-aa] verify class
# Add DHCP user class ss to the DHCP user class whitelist.
[RouterA-dhcp-pool-aa] valid class ss

Verifying the configuration

# Verify that clients matching the DHCP user class can obtain IP addresses on subnet 10.1.1.0/24 from the DHCP server. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.
[RouterA] display dhcp server ip-in-use

Primary and secondary subnets configuration example

Network requirements

As shown in Figure 28, the DHCP server (Router A) assigns IP addresses to DHCP clients in the LAN.

Configure two subnets in the address pool on the DHCP server: 10.1.1.0/24 as the primary subnet and 10.1.2.0/24 as the secondary subnet. The DHCP server selects an IP address from the secondary subnet when the primary subnet has no assignable addresses.

Router A assigns the following parameters:
• The default gateway 10.1.1.254/24 to clients on subnet 10.1.1.0/24.
• The default gateway 10.1.2.254/24 to clients on subnet 10.1.2.0/24.


Figure 28 Network diagram

Configuration procedure

# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable

# Configure the primary and secondary IP addresses of interface GigabitEthernet 2/0/1, and enable the DHCP server on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 10.1.1.1 24
[RouterA-GigabitEthernet2/0/1] ip address 10.1.2.1 24 sub
[RouterA-GigabitEthernet2/0/1] dhcp select server
[RouterA-GigabitEthernet2/0/1] quit

# Create DHCP address pool aa.
[RouterA] dhcp server ip-pool aa

# Specify the primary subnet and the gateway for dynamic allocation.
[RouterA-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-aa] gateway-list 10.1.1.254

# Specify the secondary subnet and the gateway for dynamic allocation.
[RouterA-dhcp-pool-aa] network 10.1.2.0 mask 255.255.255.0 secondary
[RouterA-dhcp-pool-aa-secondary] gateway-list 10.1.2.254
[RouterA-dhcp-pool-aa-secondary] quit
[RouterA-dhcp-pool-aa]

Verifying the configuration

# Verify that the DHCP server assigns clients IP addresses and the gateway address from the secondary subnet when no assignable address is available from the primary subnet. (Details not shown.)

# On the DHCP server, display IP addresses assigned to the clients.
[RouterA] display dhcp server ip-in-use

DHCP option customization configuration example

Network requirements

As shown in Figure 29, DHCP clients obtain IP addresses and PXE server addresses from the DHCP server (Router A). The subnet for address allocation is 10.1.1.0/24.


Configure the address allocation scheme as follows:

| Assign PXE addresses | To clients |
|---|---|
| 2.3.4.5 and 3.3.3.3 | The hardware address in the request is six bytes long and begins with aabb-aabb. |
| 1.2.3.4 and 2.2.2.2. | Other clients. |

The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a custom option. The formats of Option 43 and PXE server address sub-option are shown in Figure 19 and Figure 21. For example, the value of Option 43 configured in the DHCP address pool is 80 0B 00 00 02 01 02 03 04 02 02 02 02.
• The number 80 is the value of the sub-option type.
• The number 0B is the value of the sub-option length.
• The numbers 00 00 are the value of the PXE server type.
• The number 02 indicates the number of servers.
• The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server addresses are 1.2.3.4 and 2.2.2.2.
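The byte layout described above can be checked before a hex string is typed into the option 43 hex command. The following Python is an added example, not HPE code: it encodes and decodes the PXE server address sub-option exactly as the bullets describe it, and rejects values whose length or server count does not match the payload. The function names are hypothetical.

```python
import ipaddress

PXE_SUBOPTION_TYPE = 0x80   # sub-option type shown in this guide
MAX_SERVERS = 63            # 3 + 4*n must fit the one-byte length field


def encode_pxe_option43(servers, server_type=0):
    """Build the Option 43 value (bytes) for a list of PXE server IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(s) for s in servers]
    if not 1 <= len(addrs) <= MAX_SERVERS:
        raise ValueError("need between 1 and %d PXE servers" % MAX_SERVERS)
    # PXE server type (2 bytes), number of servers (1 byte), then the addresses.
    body = server_type.to_bytes(2, "big") + bytes([len(addrs)])
    body += b"".join(a.packed for a in addrs)
    return bytes([PXE_SUBOPTION_TYPE, len(body)]) + body


def option43_cli_hex(servers, server_type=0):
    """Hex string in the form used after 'option 43 hex' in this guide."""
    return encode_pxe_option43(servers, server_type).hex().upper()


def decode_pxe_option43(hex_value):
    """Parse an Option 43 hex value and validate every length field."""
    raw = bytes.fromhex(hex_value.replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("value is shorter than the type and length bytes")
    sub_type, length, body = raw[0], raw[1], raw[2:]
    if sub_type != PXE_SUBOPTION_TYPE:
        raise ValueError("unexpected sub-option type 0x%02X" % sub_type)
    if length != len(body):
        raise ValueError("length byte says %d, payload has %d bytes"
                         % (length, len(body)))
    if length < 3:
        raise ValueError("payload too short for server type and count")
    server_type = int.from_bytes(body[0:2], "big")
    count, addr_bytes = body[2], body[3:]
    if len(addr_bytes) != 4 * count:
        raise ValueError("server count %d does not match %d address bytes"
                         % (count, len(addr_bytes)))
    servers = [str(ipaddress.IPv4Address(addr_bytes[i:i + 4]))
               for i in range(0, len(addr_bytes), 4)]
    return {"server_type": server_type, "servers": servers}


if __name__ == "__main__":
    # The two values used in this configuration example.
    for value in ("800B0000020102030402020202", "800B0000020203040503030303"):
        print(value, "->", decode_pxe_option43(value)["servers"])
```
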

Figure 29 Network diagram

Configuration procedure

1. Specify an IP address for interface GigabitEthernet 2/0/1. (Details not shown.)
2. Configure the DHCP server:

# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.
[RouterA] dhcp class ss
[RouterA-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
[RouterA-dhcp-class-ss] quit

# Create DHCP option group 1 and customize Option 43.
[RouterA] dhcp option-group 1
[RouterA-dhcp-option-group-1] option 43 hex 800B0000020203040503030303

# Enable the DHCP server on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] dhcp select server
[RouterA-GigabitEthernet2/0/1] quit

# Create DHCP address pool 0.
[RouterA] dhcp server ip-pool 0

# Specify the subnet for dynamic address allocation.
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

# Customize Option 43.


[RouterA-dhcp-pool-0] option 43 hex 800B0000020102030402020202

# Associate DHCP user class ss with option group 1.
[RouterA-dhcp-pool-0] class ss option-group 1

Verifying the configuration

# Verify that Router B can obtain an IP address on subnet 10.1.1.0/24 and the corresponding PXE server addresses from Router A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.
[RouterA] display dhcp server ip-in-use

Troubleshooting DHCP server configuration

Symptom

A client's IP address obtained from the DHCP server conflicts with another IP address.

Analysis

Another host on the subnet might have the same IP address.

Solution

1. Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address.
2. If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.
3. Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client:
   a. In the Windows environment, execute the cmd command to enter the DOS environment.
   b. Enter ipconfig /release to relinquish the IP address.
   c. Enter ipconfig /renew to obtain another IP address.


Configuring the DHCP relay agent

Overview

The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature removes the need to deploy a DHCP server on each subnet, which centralizes management and reduces investment. Figure 30 shows a typical application of the DHCP relay agent.

Figure 30 DHCP relay agent application

An MCE device acting as the DHCP relay agent can forward DHCP packets between a DHCP server and clients on either a public network or a private network. For more information about MCE, see MPLS Configuration Guide.

Operation

The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists. For the interaction details, see "IP address allocation process." The following describes only the steps related to the DHCP relay agent:

1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent processes the message as follows:
   a. Fills the giaddr field of the message with its IP address.
   b. Unicasts the message to the designated DHCP server.
2. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response.
3. The relay agent conveys the response to the client.


Figure 31 DHCP relay agent operation

DHCP relay agent support for Option 82

Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks:
• Locate the DHCP client for security and accounting purposes.
• Assign IP addresses in a specific range to clients.

For more information about Option 82, see "Relay agent option (Option 82)."

If the DHCP relay agent supports Option 82, it handles DHCP requests by following the strategies described in Table 4.

If a response returned by the DHCP server contains Option 82, the DHCP relay agent removes the Option 82 before forwarding the response to the client.

Table 4 Handling strategies of the DHCP relay agent

| If a DHCP request has… | Handling strategy | The DHCP relay agent… |
|---|---|---|
| Option 82 | Drop | Drops the message. |
| Option 82 | Keep | Forwards the message without changing Option 82. |
| Option 82 | Replace | Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type. |
| No Option 82 | N/A | Forwards the message after adding Option 82 padded according to the configured padding format, padding content, and code type. |

DHCP relay agent configuration task list

Tasks at a glance

(Required.) Enabling DHCP

(Required.) Enabling the DHCP relay agent on an interface

(Required.) Specifying DHCP servers on a relay agent

(Optional.) Configuring the DHCP relay agent security functions


(Optional.) Configuring the DHCP relay agent to release an IP address

(Optional.) Configuring Option 82

(Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent

(Optional.) Enabling DHCP server proxy on a DHCP relay agent

(Optional.) Configuring a DHCP relay address pool

(Optional.) Specifying a gateway address for DHCP clients

(Optional.) Enabling client offline detection on the DHCP relay agent

(Optional.) Specifying the source address and gateway address in DHCP requests

Enabling DHCP

You must enable DHCP to validate other DHCP relay agent settings.

To enable DHCP:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP.
   Command: dhcp enable
   Remarks: By default, DHCP is disabled.

Enabling the DHCP relay agent on an interface

With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server.

An IP address pool that contains the IP address of the DHCP relay interface must be configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP addresses.

To enable the DHCP relay agent on an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable the DHCP relay agent.
   Command: dhcp select relay
   Remarks: By default, when DHCP is enabled, an interface operates in the DHCP server mode.

Specifying DHCP servers on a relay agent

To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers.

Follow these guidelines when you specify a DHCP server address on a relay agent:


• The IP address of any specified DHCP server must not reside on the same subnet as the IP address of the relay interface. Otherwise, the clients might fail to obtain IP addresses.

• You can specify a maximum of eight DHCP servers.

To specify a DHCP server address on a relay agent:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify a DHCP server address on the relay agent.
   Command: dhcp relay server-address ip-address
   Remarks: By default, no DHCP server address is specified on the relay agent.

Configuring the DHCP relay agent security functions

Enabling the DHCP relay agent to record relay entries

Perform this task to enable the DHCP relay agent to automatically record clients' IP-to-MAC bindings (relay entries) after they obtain IP addresses through DHCP.

Some security functions use the relay entries to check incoming packets and block packets that do not match any entry. In this way, illegal hosts are not able to access external networks through the relay agent. Examples of the security functions are ARP address check, authorized ARP, and IP source guard.

To enable the DHCP relay agent to record relay entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the relay agent to record relay entries.
   Command: dhcp relay client-information record
   Remarks: By default, the relay agent does not record relay entries.

NOTE: The DHCP relay agent does not record IP-to-MAC bindings for DHCP clients running on synchronous/asynchronous serial interfaces.

Enabling periodic refresh of dynamic relay entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.

With this feature, the DHCP relay agent uses the following information to periodically send a DHCP-REQUEST message to the DHCP server:
• The IP address of a relay entry.
• The MAC address of the DHCP relay interface.

The relay agent maintains the relay entries depending on what it receives from the DHCP server:


• If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address.

• If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.

To enable periodic refresh of dynamic relay entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable periodic refresh of dynamic relay entries.
   Command: dhcp relay client-information refresh enable
   Remarks: By default, periodic refresh of dynamic relay entries is enabled.
3. Set the refresh interval.
   Command: dhcp relay client-information refresh [ auto | interval interval ]
   Remarks: By default, the refresh interval is auto, which is calculated based on the number of total relay entries.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.

• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:
  ◦ Limit the number of ARP entries that a Layer 3 interface can learn.
  ◦ Limit the number of MAC addresses that a Layer 2 port can learn.
  ◦ Configure an interface that has learned the maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.

Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them. If you enable this feature on an intermediate relay agent, it might discard valid DHCP packets. Then the sending clients will not obtain IP addresses.

A MAC address check entry has an aging time. When the aging time expires, both of the following occur:
• The entry ages out.
• The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.

To enable MAC address check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the aging time for MAC address check entries.
   Command: dhcp relay check mac-address aging-time time
   Remarks: The default aging time is 30 seconds. This command takes effect only after you execute the dhcp relay check mac-address command.
3. Enter the interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable MAC address check.
   Command: dhcp relay check mac-address
   Remarks: By default, MAC address check is disabled.
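The comparison that MAC address check performs can be reproduced offline on captured frames, which is useful for confirming why a relay discarded a request. The following Python is an added example, not HPE code: it parses an Ethernet/IPv4/UDP DHCP request, compares chaddr with the frame's source MAC address, and tallies the distinct chaddr values seen per source MAC. All frames and MAC addresses are constructed samples, and the function names are hypothetical.

```python
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
BOOTP_FIXED_LEN = 236   # BOOTP header up to, not including, the magic cookie
CHADDR_OFFSET = 28      # offset of chaddr inside the BOOTP header


def mac(text):
    """'0200-0000-0a01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def sample_request(src_mac, chaddr, hops=0):
    """Constructed test input: Ethernet/IPv4/UDP/BOOTP request, checksums zero."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, hops, 0x1234ABCD, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        chaddr, bytes(64), bytes(128))
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"  # cookie, DISCOVER, End
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def parse_request(frame):
    """Return (source MAC, chaddr) for an Ethernet DHCP request, else None."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if ihl < 20 or frame[ETH_HDR_LEN + 9] != 17:        # not UDP
        return None
    udp = ETH_HDR_LEN + ihl
    bootp = udp + 8
    if len(frame) < bootp + BOOTP_FIXED_LEN:            # truncated BOOTP header
        return None
    dst_port = struct.unpack_from("!H", frame, udp + 2)[0]
    op, htype, hlen = frame[bootp], frame[bootp + 1], frame[bootp + 2]
    if dst_port != 67 or op != 1 or htype != 1 or hlen != 6:
        return None
    start = bootp + CHADDR_OFFSET
    return frame[6:12], frame[start:start + 6]


def mac_address_check(frame):
    """'forward' if chaddr equals the source MAC, 'discard' if not, else 'skip'."""
    parsed = parse_request(frame)
    if parsed is None:
        return "skip"
    src, chaddr = parsed
    return "forward" if src == chaddr else "discard"


def audit(frames):
    """Per source MAC: verdict counts and the distinct chaddr values claimed."""
    report = defaultdict(lambda: {"forward": 0, "discard": 0, "chaddrs": set()})
    for frame in frames:
        parsed = parse_request(frame)
        if parsed is None:
            continue
        src, chaddr = parsed
        entry = report[src.hex()]
        entry[mac_address_check(frame)] += 1
        entry["chaddrs"].add(chaddr.hex())
    return dict(report)


# Constructed samples (locally administered MAC addresses).
CLIENT = mac("0200-0000-0a01")
FORGER = mac("0200-0000-0bad")
UPSTREAM_RELAY = mac("0200-0000-0c01")
SAMPLES = [
    sample_request(CLIENT, CLIENT),                    # genuine client
    sample_request(FORGER, mac("0200-dead-0001")),     # one source MAC,
    sample_request(FORGER, mac("0200-dead-0002")),     # many forged chaddr
    sample_request(FORGER, mac("0200-dead-0003")),
    sample_request(UPSTREAM_RELAY, CLIENT, hops=1),    # already relayed once
]

if __name__ == "__main__":
    for src, entry in audit(SAMPLES).items():
        print(src, entry["forward"], entry["discard"], len(entry["chaddrs"]))
```

The last sample is a valid client request that an upstream relay has already re-framed; it fails the comparison, which is the reason the guide restricts this check to the relay agent directly connected to the clients.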

Configuring the DHCP relay agent to release an IP address

Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and deletes the relay entry at the same time. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.

To configure the DHCP relay agent to release an IP address:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the DHCP relay agent to release an IP address.
   Command: dhcp relay release ip client-ip [ vpn-instance vpn-instance-name ]
   Remarks: This command can release only the IP addresses in the recorded relay entries.

Configuring Option 82

Follow these guidelines when you configure Option 82:
• To support Option 82, you must perform related configuration on both the DHCP server and relay agent. For DHCP server Option 82 configuration, see "Enabling handling of Option 82."
• If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82. The settings do not take effect even if you configure them.
• The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP relay agent will fail to add or replace Option 82.

To configure Option 82:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable the relay agent to handle Option 82.
   Command: dhcp relay information enable
   Remarks: By default, handling of Option 82 is disabled.
4. (Optional.) Configure the strategy for handling DHCP requests that contain Option 82.
   Command: dhcp relay information strategy { drop | keep | replace }
   Remarks: By default, the handling strategy is replace.
5. (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.
   Command: dhcp relay information circuit-id { bas | string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] [ interface ] } [ format { ascii | hex } ] }
   Remarks: By default, the padding mode for Circuit ID sub-option is normal, and the padding format is hex.
6. (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.
   Command: dhcp relay information remote-id { normal [ format { ascii | hex } ] | string remote-id | sysname }
   Remarks: By default, the padding mode for the Remote ID sub-option is normal, and the padding format is hex.

Setting the DSCP value for DHCP packets sent by the DHCP relay agent

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP relay agent:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the DSCP value for DHCP packets sent by the DHCP relay agent.
   Command: dhcp dscp dscp-value
   Remarks: By default, the DSCP value in DHCP packets sent by the DHCP relay agent is 56.

Enabling DHCP server proxy on a DHCP relay agent

The DHCP server proxy feature isolates DHCP servers from DHCP clients and protects DHCP servers against attacks.

Upon receiving a response from the server, the DHCP server proxy changes the server's IP address in the response to the relay interface's IP address before sending out the response. The DHCP client takes the DHCP relay agent as the DHCP server.

To configure DHCP server proxy on a DHCP relay agent:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable DHCP relay agent and DHCP server proxy on the interface.
   Command: dhcp select relay proxy
   Remarks: By default, the interface operates in DHCP server mode.


Configuring a DHCP relay address pool

This feature allows DHCP clients of the same type to obtain IP addresses and other configuration parameters from the DHCP servers specified in the matching relay address pool.

It applies to scenarios where the DHCP relay agent connects to clients of the same access type but classified into different types by their locations. In this case, the relay interface typically has no IP address configured. You can use the gateway-list command to specify the gateway address for clients matching the same relay address pool and bind the gateway address to the device's MAC address.

Upon receiving a DHCP DISCOVER or REQUEST from a client that matches a relay address pool, the relay agent processes the packet as follows:
• Fills the giaddr field of the packet with the specified gateway address.
• Forwards the packet to all DHCP servers in the matching relay address pool.

The DHCP servers select an address pool according to the gateway address.

If PPPoE users are in the network, follow these restrictions and guidelines when you configure the relay address pool:
• Enable the DHCP relay agent to record DHCP relay entries by using the dhcp relay client-information record command. When a PPPoE user goes offline, the DHCP relay agent can find a matching relay entry and send a DHCP-RELEASE message to the DHCP server. This mechanism ensures that the DHCP server learns of the release of the IP address in a timely manner.
• The remote-server command also configures the device as a DHCP relay agent. You do not need to enable the DHCP relay agent by using the dhcp select relay command.

To configure a DHCP relay address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a DHCP relay address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP relay address pool exists. This command is the same for creating DHCP address pools on a DHCP server. However, the relay address pool names are not necessarily the same as the server address pool names.
3. Specify gateway addresses for the clients matching the relay address pool.
   Command: gateway-list ip-address&<1-8> [ export-route ]
   Remarks: By default, no gateway address is specified. You can specify a maximum of eight gateway addresses, but only the first one takes effect.
4. Specify DHCP servers for the relay address pool.
   Command: remote-server ip-address&<1-8>
   Remarks: By default, no DHCP server is specified for the relay address pool. You can specify a maximum of eight DHCP servers for one relay address pool for high availability. The relay agent forwards DHCP DISCOVER and REQUEST packets to all DHCP servers in the relay address pool.


Specifying a gateway address for DHCP clients

By default, the DHCP relay agent fills the giaddr field of DHCP DISCOVER and REQUEST packets with the primary IP address of the relay interface. You can specify a gateway address on the relay agent for DHCP clients. The DHCP relay agent uses the specified gateway address to fill the giaddr field of DHCP DISCOVER and REQUEST packets.

To specify a gateway address for DHCP clients:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify a gateway address for DHCP clients.
   Command: dhcp relay gateway ip-address
   Remarks: By default, the DHCP relay agent uses the primary IP address of the relay interface as the clients' gateway address.

Enabling client offline detection on the DHCP relay agent

When an ARP entry ages out, the client offline detection feature deletes the relay entry for the IP address and sends a RELEASE message to the DHCP server. The feature does not function if an ARP entry is manually deleted.

To enable client offline detection on the DHCP relay agent:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable the DHCP relay agent.
   Command: dhcp select relay
   Remarks: By default, when DHCP is enabled, an interface operates in the DHCP server mode.
4. Enable the relay agent to record relay entries.
   Command: dhcp relay client-information record
   Remarks: By default, the relay agent does not record relay entries. Without relay entries, client offline detection cannot function correctly.
5. Enable client offline detection.
   Command: dhcp client-detect
   Remarks: By default, client offline detection is disabled on the DHCP relay agent.

Specifying the source address and gateway address in DHCP requests

Perform this task to configure the relay agent to pad the source address and gateway address in DHCP requests with the public IP address of the loopback interface. This configuration is required for successful packet forwarding when the DHCP server is in the public network and the DHCP clients are in a private network.


If DHCP server proxy is enabled, you must configure the sub-option 72 in Option 82 to carry the index of the interface that processes the DHCP request. When receiving a DHCP response, the relay agent forwards the response according to the interface index in sub-option 72.

To specify the source address and gateway address in DHCP requests:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify an IP address as the source address and gateway address in DHCP requests.
   Command: dhcp relay source-address ip-address
   Remarks: By default, the IP address of the interface is used as the source address and gateway address in DHCP requests.

Displaying and maintaining the DHCP relay agent

Execute display commands in any view and reset commands in user view.

Task: Display information about DHCP servers on an interface.
Command: display dhcp relay server-address [ interface interface-type interface-number ]

Task: Display Option 82 configuration information on the DHCP relay agent.
Command: display dhcp relay information [ interface interface-type interface-number ]

Task: Display relay entries on the DHCP relay agent.
Command: display dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Task: Display packet statistics on the DHCP relay agent.
Command: display dhcp relay statistics [ interface interface-type interface-number ]

Task: Display MAC address check entries on the DHCP relay agent.
Command: display dhcp relay check mac-address

Task: Clear relay entries on the DHCP relay agent.
Command: reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Task: Clear packet statistics on the DHCP relay agent.
Command: reset dhcp relay statistics [ interface interface-type interface-number ]

DHCP relay agent configuration examples

DHCP relay agent configuration example

Network requirements

As shown in Figure 32, configure the DHCP relay agent on Router A. The DHCP relay agent enables DHCP clients to obtain IP addresses and other configuration parameters from the DHCP server on another subnet.

Because the DHCP relay agent and server are on different subnets, you need to configure static or dynamic routing to make them reachable to each other.


DHCP server configuration is also required to guarantee the client-server communication through the DHCP relay agent. For DHCP server configuration information, see "DHCP server configuration examples."

Figure 32 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces. (Details not shown.)

# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable

# Enable the DHCP relay agent on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] dhcp select relay

# Specify the IP address of the DHCP server on the relay agent.
[RouterA-GigabitEthernet2/0/1] dhcp relay server-address 10.1.1.1

Verifying the configuration

# Verify that DHCP clients can obtain IP addresses and all other network parameters from the DHCP server through the DHCP relay agent. (Details not shown.)

# Display the statistics of DHCP packets forwarded by the DHCP relay agent.
[RouterA] display dhcp relay statistics

# Display relay entries if you have enabled relay entry recording on the DHCP relay agent.
[RouterA] display dhcp relay client-information

Option 82 configuration example

Network requirements

As shown in Figure 32, the DHCP relay agent (Router A) replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Router B).
• The Circuit ID sub-option is company001.
• The Remote ID sub-option is device001.

To use Option 82, you must also enable the DHCP server to handle Option 82.

Configuration procedure

# Specify IP addresses for the interfaces. (Details not shown.)


# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable

# Enable the DHCP relay agent on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] dhcp select relay

# Specify the IP address of the DHCP server on the relay agent.
[RouterA-GigabitEthernet2/0/1] dhcp relay server-address 10.1.1.1

# Enable the DHCP relay agent to handle Option 82, and perform Option 82 related configuration.
[RouterA-GigabitEthernet2/0/1] dhcp relay information enable
[RouterA-GigabitEthernet2/0/1] dhcp relay information strategy replace
[RouterA-GigabitEthernet2/0/1] dhcp relay information circuit-id string company001
[RouterA-GigabitEthernet2/0/1] dhcp relay information remote-id string device001
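The effect of the three handling strategies in Table 4 on the options field of a request, and the removal of Option 82 from server responses, can be modelled as follows. This Python is an added example, not HPE code. It uses the RFC 3046 sub-option codes (1 for Circuit ID, 2 for Remote ID) and assumes that the string padding mode carries the configured text as plain ASCII bytes; the function names and sample option bytes are constructed.

```python
OPTION_82 = 82
SUB_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID
SUB_REMOTE_ID = 2    # RFC 3046 Agent Remote ID
PAD, END = 0, 255


def parse_options(data):
    """Split a DHCP options field into (code, value) pairs; stop at End."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([END])


def suboptions(value):
    """Decode the sub-option TLVs carried inside an Option 82 value."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("sub-option %d is truncated" % code)
        subs[code] = body
        i += 2 + length
    if i != len(value):
        raise ValueError("trailing byte after last sub-option")
    return subs


def make_option82(circuit_id, remote_id):
    """Assumption: string mode places the configured text in the sub-option as ASCII."""
    c, r = circuit_id.encode("ascii"), remote_id.encode("ascii")
    value = (bytes([SUB_CIRCUIT_ID, len(c)]) + c +
             bytes([SUB_REMOTE_ID, len(r)]) + r)
    if len(value) > 255:
        raise ValueError("Option 82 value exceeds 255 bytes")
    return OPTION_82, value


def relay_request(options, strategy, circuit_id, remote_id):
    """Apply Table 4 to a request's options; None means the message is dropped."""
    opts = parse_options(options)
    if any(code == OPTION_82 for code, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return build_options(opts)          # forwarded unchanged
        if strategy != "replace":
            raise ValueError("unknown strategy %r" % strategy)
        opts = [(c, v) for c, v in opts if c != OPTION_82]
    opts.append(make_option82(circuit_id, remote_id))
    return build_options(opts)


def relay_response(options):
    """Option 82 is removed before the response is forwarded to the client."""
    return build_options([(c, v) for c, v in parse_options(options)
                          if c != OPTION_82])


# Constructed inputs: a plain DISCOVER, and one that already carries Option 82.
PLAIN = bytes([53, 1, 1, END])
WITH_82 = bytes([53, 1, 1, OPTION_82, 9, SUB_CIRCUIT_ID, 7]) + b"spoofed" + bytes([END])

if __name__ == "__main__":
    for strategy in ("drop", "keep", "replace"):
        out = relay_request(WITH_82, strategy, "company001", "device001")
        print(strategy, None if out is None else out.hex())
```

With keep, the server sees whatever Option 82 arrived on the interface, so the location data is only as trustworthy as the device that inserted it; replace, as configured in this example, makes the relay agent's own Circuit ID and Remote ID the values the server acts on.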

Troubleshooting DHCP relay agent configuration

Symptom

DHCP clients cannot obtain configuration parameters through the DHCP relay agent.

Analysis

Some problems might occur with the DHCP relay agent or server configuration.

Solution

To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.

Check that:
• DHCP is enabled on the DHCP server and relay agent.
• The DHCP server has an address pool on the same subnet as the DHCP clients.
• The DHCP server and DHCP relay agent can reach each other.
• The DHCP server address specified on the DHCP relay interface connected to the DHCP clients is correct.


Configuring the DHCP client

With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address.

The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.

Enabling the DHCP client on an interface

Follow these guidelines when you enable the DHCP client on an interface:
• On some device models, if the number of IP address request failures reaches the system-defined amount, the DHCP client-enabled interface uses a default IP address.
• An interface can be configured to acquire an IP address in multiple ways. The new configuration overwrites the old.
• Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client.
• If the interface obtains an IP address on the same segment as another interface on the device, the interface does not use the assigned address. Instead, it requests a new IP address from the DHCP server.

To enable the DHCP client on an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure an interface to use DHCP for IP address acquisition.
   Command: ip address dhcp-alloc
   Remarks: By default, an interface does not use DHCP for IP address acquisition.

Configuring a DHCP client ID for an interface

A DHCP client ID is added to the DHCP option 61. A DHCP server can specify IP addresses for clients based on the DHCP client ID.

Make sure the IDs for different DHCP clients are unique.

To configure a DHCP client ID for an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure a DHCP client ID for the interface.
   Command: dhcp client identifier { ascii string | hex string | mac interface-type interface-number }
   Remarks: By default, an interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID.
4. Verify the client ID configuration.
   Command: display dhcp client [ verbose ] [ interface interface-type interface-number ]
   Remarks: DHCP client ID includes ID type and type value. Each ID type has a fixed type value. You can check the fields for the client ID to verify which type of client ID is used:
   • If an ASCII string is used as the client ID, the type value is 00.
   • If a hex string is used as the client ID, the type value is the first two characters in the string.
   • If the MAC address of an interface is used as the client ID, the type value is 01.

Enabling duplicated address detection

The DHCP client detects IP address conflicts through ARP packets. An attacker can act as the IP address owner to send an ARP reply. The spoofing attack makes the client unable to use the IP address assigned by the server. As a best practice, disable duplicate address detection when ARP attacks exist on the network.

To enable duplicated address detection:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable duplicate address detection.
   Command: dhcp client dad enable
   Remarks: By default, the duplicate address detection feature is enabled on an interface.

Setting the DSCP value for DHCP packets sent by the DHCP client

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP client:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the DSCP value for DHCP packets sent by the DHCP client.
   Command: dhcp client dscp dscp-value
   Remarks: By default, the DSCP value in DHCP packets sent by the DHCP client is 56.

Displaying and maintaining the DHCP client

Execute display commands in any view.

Task: Display DHCP client information.
Command: display dhcp client [ verbose ] [ interface interface-type interface-number ]

DHCP client configuration example

Network requirements

As shown in Figure 34, Router B contacts the DHCP server through GigabitEthernet 2/0/1 to obtain an IP address, a DNS server address, and static route information. The DHCP client's IP address resides on subnet 10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to subnet 20.1.1.0/24 is 10.1.1.2.

The DHCP server uses Option 121 to assign static route information to DHCP clients. Figure 33 shows the Option 121 format. The destination descriptor field contains the following parts: subnet mask length and destination network address, both in hexadecimal notation. In this example, the destination descriptor is 18 14 01 01 (the subnet mask length is 24 and the network address is 20.1.1.0 in dotted decimal notation). The next hop address is 0A 01 01 02 (10.1.1.2 in dotted decimal notation).

Figure 33 Option 121 format
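The Option 121 encoding described above, as an added Python example (not part of the HPE guide). It goes beyond the single /24 route in the text by handling any mask length, where only the significant octets of the destination are encoded; the function names are hypothetical.

```python
import ipaddress


def encode_option121(routes):
    """Encode (destination CIDR, next hop) pairs as an Option 121 payload."""
    payload = bytearray()
    for destination, next_hop in routes:
        net = ipaddress.IPv4Network(destination)   # strict: host bits must be zero
        width = net.prefixlen
        significant = (width + 7) // 8             # octets needed to hold `width` bits
        payload.append(width)                      # subnet mask length
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(next_hop).packed
    if len(payload) > 255:
        raise ValueError("payload exceeds the 255-byte limit of a single DHCP option")
    return bytes(payload)


def decode_option121(payload):
    """Decode an Option 121 payload into (destination CIDR, next hop) pairs."""
    payload = bytes(payload)
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"invalid mask length {width} at offset {i}")
        significant = (width + 7) // 8
        end = i + 1 + significant + 4
        if end > len(payload):
            raise ValueError(f"truncated route at offset {i}")
        # Pad the destination back to four octets; the omitted octets are zero.
        dest = payload[i + 1:i + 1 + significant] + bytes(4 - significant)
        # Strict parsing rejects a descriptor whose host bits are set.
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(dest), width))
        hop = ipaddress.IPv4Address(payload[i + 1 + significant:end])
        routes.append((str(net), str(hop)))
        i = end
    return routes


def option121_hex(routes):
    """Hex string in the form the example passes to `option 121 hex`."""
    return encode_option121(routes).hex().upper()


if __name__ == "__main__":
    # The route from the configuration example, then two constructed routes.
    print(option121_hex([("20.1.1.0/24", "10.1.1.2")]))
    print(option121_hex([("0.0.0.0/0", "10.1.1.2")]))
    print(decode_option121(bytes.fromhex("14AC10100A010102")))
```

Decoding a pool's configured hex string before deployment catches a mistyped mask length or next hop, which the client would otherwise install as a static route.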

Figure 34 Network diagram

[Figure 34 labels: Router A (DHCP server), GE2/0/1 10.1.1.1/24; Router B (DHCP client), GE2/0/1; Router C, 10.1.1.2/24 and 20.1.1.2/24; DNS server, 20.1.1.1/24]

Configuration procedure

1. Configure Router A:

# Specify the IP address of GigabitEthernet 2/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 10.1.1.1 24
[RouterA-GigabitEthernet2/0/1] quit

# Enable DHCP.
[RouterA] dhcp enable

# Exclude an IP address from dynamic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2

# Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 181401010A010102

2. Configure Router B:

# Configure GigabitEthernet 2/0/1 to use DHCP for IP address acquisition.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ip address dhcp-alloc
[RouterB-GigabitEthernet2/0/1] quit

Verifying the configuration

# Display the IP address and other network parameters assigned to Router B.
[RouterB] display dhcp client verbose
GigabitEthernet2/0/1 DHCP client information:
Current machine state: BOUND
Allocated IP: 10.1.1.3 255.255.255.0
Allocated lease: 864000 seconds, T1: 331858 seconds, T2: 756000 seconds
Lease from May 21 19:00:29 2012 to May 31 19:00:29 2012
DHCP server: 10.1.1.1
Transaction ID: 0xcde72232
Classless static route:
Destination: 20.1.1.0, Mask: 255.255.255.0, NextHop: 10.1.1.2
DNS server: 20.1.1.1
Client ID type: acsii(type value=00)
Client ID value: 000c.29d3.8659-GE2/0/1
Client ID (with type) hex: 0030-3030-632e-3239-
                           6433-2e38-3635-392d-
                           4574-6830-2f30-2f32
T1 will timeout in 3 days 19 hours 48 minutes 43 seconds.

# Display the route information on Router B. The output shows that a static route to subnet 20.1.1.0/24 is added to the routing table.
[RouterB] display ip routing-table

Destinations : 11        Routes : 11

Destination/Mask    Proto   Pre  Cost  NextHop    Interface
10.1.1.0/24         Direct  0    0     10.1.1.3   GE2/0/1
10.1.1.3/32         Direct  0    0     127.0.0.1  InLoop0
20.1.1.0/24         Static  70   0     10.1.1.2   GE2/0/1
10.1.1.255/32       Direct  0    0     10.1.1.3   GE2/0/1
127.0.0.0/8         Direct  0    0     127.0.0.1  InLoop0
127.0.0.0/32        Direct  0    0     127.0.0.1  InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1  InLoop0
127.255.255.255/32  Direct  0    0     127.0.0.1  InLoop0
224.0.0.0/4         Direct  0    0     0.0.0.0    NULL0
224.0.0.0/24        Direct  0    0     0.0.0.0    NULL0
255.255.255.255/32  Direct  0    0     127.0.0.1  InLoop0


Configuring DHCP snooping

This feature is supported only on the following ports:
• Layer 2 Ethernet ports on the following modules:
    • HMIM-8GSW.
    • HMIM-24GSW.
    • HMIM-24GSWP.
    • SIC-4GSW.
    • SIC-4GSWP.
• Fixed Layer 2 Ethernet ports on MSR2004-24/2004-48 routers.
• Fixed Layer 2 Ethernet ports on MSR1002-4/1003-8S routers.

Overview

DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.

DHCP snooping does not work between the DHCP server and DHCP relay agent.

DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers.
• Trusted—A trusted port can forward DHCP messages correctly to make sure the clients get IP addresses from authorized DHCP servers.
• Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses.

DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN.

The following features need to use DHCP snooping entries:
• ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information, see "Configuring ARP fast-reply."
• ARP detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.
• MAC-forced forwarding (MFF)—Auto-mode MFF performs the following tasks:
    • Intercepts ARP requests from clients.
    • Uses DHCP snooping entries to find the gateway address.
    • Returns the gateway MAC address to the clients.
  This feature forces the client to send all traffic to the gateway so that the gateway can monitor client traffic to prevent malicious attacks among clients. For more information, see Security Configuration Guide.
• IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.
• VLAN mapping—Uses DHCP snooping entries to replace service provider VLAN in packets with customer VLAN before sending the packets to clients. For more information, see Layer 2—LAN Switching Configuration Guide.


Application of trusted and untrusted ports

Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports.

As shown in Figure 35, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.

Figure 35 Trusted and untrusted ports

In a cascaded network as shown in Figure 36, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries.

Figure 36 Trusted and untrusted ports in a cascaded network

[Figure 36 labels: DHCP snooping devices Switch A, Switch B, and Switch C; DHCP clients Host A, Host B, Host C, and Host D; DHCP server Device; ports GE1/0/1 through GE1/0/4. Legend: untrusted ports enabled to record snooping entries; untrusted ports disabled from recording snooping entries; trusted ports.]


DHCP snooping support for Option 82

Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes. For more information about Option 82, see "Relay agent option (Option 82)."

DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages, as shown in Table 5. If a response returned by the DHCP server contains Option 82, DHCP snooping removes Option 82 before forwarding the response to the client. If the response contains no Option 82, DHCP snooping forwards it directly.

Table 5 Handling strategies

If a DHCP request has… | Handling strategy | DHCP snooping…
Option 82 | Drop | Drops the message.
Option 82 | Keep | Forwards the message without changing Option 82.
Option 82 | Replace | Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
No Option 82 | N/A | Forwards the message after adding the Option 82 padded according to the configured padding format, padding content, and code type.
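The handling strategies in Table 5, applied to a raw DHCP options field, as an added Python example (not HPE code). It assumes string padding, where sub-option 1 (Circuit ID) and sub-option 2 (Remote ID) each carry the configured ASCII string as their value; the function names and the sample requests are constructed.

```python
PAD, END, RELAY_AGENT_INFO = 0, 255, 82


def parse_options(raw):
    """Split a DHCP options field (after the magic cookie) into (code, value) pairs."""
    options, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"truncated option {code} at offset {i}")
        length = raw[i + 1]
        options.append((code, bytes(raw[i + 2:i + 2 + length])))
        i += 2 + length
    return options


def build_options(options):
    """Serialize (code, value) pairs and terminate them with the End option."""
    out = bytearray()
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(END)
    return bytes(out)


def build_option82(circuit_id, remote_id):
    """Option 82 value: sub-option 1 (Circuit ID) followed by sub-option 2 (Remote ID)."""
    value = bytearray()
    for sub_code, text in ((1, circuit_id), (2, remote_id)):
        data = text.encode("ascii")
        value += bytes([sub_code, len(data)]) + data
    return bytes(value)


def handle_request(raw, strategy, circuit_id, remote_id):
    """Return the options field to forward, or None when the request is dropped."""
    options = parse_options(raw)
    ours = (RELAY_AGENT_INFO, build_option82(circuit_id, remote_id))
    if all(code != RELAY_AGENT_INFO for code, _ in options):
        # No Option 82 in the request: the strategy does not apply, the option is added.
        return build_options(options + [ours])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return build_options(options)
    if strategy == "replace":
        kept = [opt for opt in options if opt[0] != RELAY_AGENT_INFO]
        return build_options(kept + [ours])
    raise ValueError(f"unknown strategy {strategy!r}")


def handle_reply(raw):
    """Remove Option 82 from a server response before it is forwarded to the client."""
    return build_options([o for o in parse_options(raw) if o[0] != RELAY_AGENT_INFO])


# Constructed requests: option 53 (message type 3, DHCP-REQUEST), with and
# without an Option 82 that the sender supplied itself.
PLAIN_REQUEST = build_options([(53, b"\x03")])
TAGGED_REQUEST = build_options(
    [(53, b"\x03"), (RELAY_AGENT_INFO, build_option82("client-chosen", "client-chosen"))]
)

if __name__ == "__main__":
    for strategy in ("drop", "keep", "replace"):
        result = handle_request(TAGGED_REQUEST, strategy, "company001", "device001")
        print(strategy, None if result is None else result.hex())
```

With keep, whatever Option 82 arrived in the request reaches the server unchanged, so a server that allocates addresses by Circuit ID or Remote ID is relying on a value the snooping device did not set.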

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

DHCP snooping configuration task list

The DHCP snooping configuration does not take effect on a Layer 2 Ethernet interface that is an aggregation member port. The configuration takes effect when the interface leaves the aggregation group.

Tasks at a glance
• (Required.) Configuring basic DHCP snooping
• (Optional.) Configuring Option 82
• (Optional.) Configuring DHCP snooping entry auto backup
• (Optional.) Enabling DHCP starvation attack protection
• (Optional.) Enabling DHCP-REQUEST attack protection
• (Optional.) Setting the maximum number of DHCP snooping entries


Configuring basic DHCP snooping

Follow these guidelines when you configure basic DHCP snooping:
• Specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.
• You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports. For more information about aggregate interfaces, see Layer 2—LAN Switching Configuration Guide.
• The DHCP snooping configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.
• DHCP snooping can work with QinQ to record VLAN tags for DHCP packets received from clients. For more information about QinQ, see Layer 2—LAN Switching Configuration Guide.

To configure basic DHCP snooping:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP snooping.
   Command: dhcp snooping enable
   Remarks: By default, DHCP snooping is disabled.
3. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: This interface must connect to the DHCP server.
4. Specify the port as a trusted port.
   Command: dhcp snooping trust
   Remarks: By default, all ports are untrusted ports after DHCP snooping is enabled.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: This interface must connect to the DHCP client.
7. (Optional.) Enable recording of DHCP snooping entries.
   Command: dhcp snooping binding record
   Remarks: By default, after DHCP snooping is enabled, recording of DHCP snooping entries is disabled.

Configuring Option 82

Follow these guidelines when you configure Option 82:
• The Option 82 configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.
• To support Option 82, you must configure Option 82 on both the DHCP server and the DHCP snooping device. For information about configuring Option 82 on the DHCP server, see "Enabling handling of Option 82."
• If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82. The settings do not take effect even if you configure them.
• If Option 82 contains the device name, the device name must contain no spaces. Otherwise, DHCP snooping drops the message. You can use the sysname command to specify the device name. For more information about this command, see Fundamentals Command Reference.
• DHCP snooping uses "outer VLAN tag.inner VLAN tag" to fill the VLAN ID field of sub-option 1 in verbose padding format if either of the following conditions exists:
    • DHCP snooping and QinQ work together.
    • DHCP snooping receives a DHCP packet with two VLAN tags.
  For example, if the outer VLAN tag is 10 and the inner VLAN tag is 20, the VLAN ID field is 000a.0014. The hexadecimal digit a represents the outer VLAN tag 10, and the hexadecimal digit 14 represents the inner VLAN tag 20.
• The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP snooping device will fail to add or replace Option 82.

To configure DHCP snooping to support Option 82:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable DHCP snooping to support Option 82.
   Command: dhcp snooping information enable
   Remarks: By default, DHCP snooping does not support Option 82.
4. (Optional.) Configure a handling strategy for DHCP requests that contain Option 82.
   Command: dhcp snooping information strategy { drop | keep | replace }
   Remarks: By default, the handling strategy is replace.
5. (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.
   Command: dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }
   Remarks: By default, the padding mode is normal and the padding format is hex for the Circuit ID sub-option.
6. (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.
   Command: dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] string remote-id | sysname }
   Remarks: By default, the padding mode is normal and the padding format is hex for the Remote ID sub-option.

Configuring DHCP snooping entry auto backup

The auto backup function saves DHCP snooping entries to a backup file, and allows the DHCP snooping device to download the entries from the backup file at device reboot. The entries on the DHCP snooping device cannot survive a reboot. The auto backup helps the security features provide services if these features (such as IP source guard) must use DHCP snooping entries for user authentication.

NOTE: If you disable DHCP snooping with the undo dhcp snooping enable command, the device deletes all DHCP snooping entries, including those stored in the backup file.

To save DHCP snooping entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the DHCP snooping device to back up DHCP snooping entries to a file.
   Command: dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }
   Remarks: By default, the DHCP snooping device does not back up DHCP snooping entries. With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup. This command automatically creates the file if you specify a non-existent file.
3. (Optional.) Manually save DHCP snooping entries to the backup file.
   Command: dhcp snooping binding database update now
   Remarks: N/A
4. (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP snooping device to update the backup file.
   Command: dhcp snooping binding database update interval seconds
   Remarks: The default waiting time is 300 seconds. When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the specified waiting period is reached. All changed entries during the period will be saved to the backup file. If no DHCP snooping entry changes, the backup file is not updated.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of DHCP packet, see "DHCP message format."

You can prevent DHCP starvation attacks in the following ways:
• If the forged DHCP requests contain different sender MAC addresses, use the mac-address max-mac-count command to limit the number of MAC addresses that a Layer 2 port can learn. For more information about the command, see Layer 2—LAN Switching Command Reference.
• If the forged DHCP requests contain the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This function compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

To enable MAC address check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable MAC address check.
   Command: dhcp snooping check mac-address
   Remarks: By default, MAC address check is disabled.


Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This function prevents unauthorized clients that forge DHCP-REQUEST messages from attacking the DHCP server.

Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages prevent the victim DHCP server from releasing the IP addresses.

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses.

To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, this feature compares the entry with the message information.
    • If they are consistent, the message is considered valid and forwarded to the DHCP server.
    • If they are different, the message is considered a forged message and is discarded.
• If no matching entry is found, the message is considered valid and forwarded to the DHCP server.

To enable DHCP-REQUEST check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable DHCP-REQUEST check.
   Command: dhcp snooping check request-message
   Remarks: By default, DHCP-REQUEST check is disabled. You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
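The trusted/untrusted port rule, the MAC address check, and the DHCP-REQUEST check described in this chapter, as an added Python model of the forwarding decision (not HPE code). The class and field names, the sample frames, and port GE2/0/3 are constructed; looking up a snooping entry by client IP address and applying both checks on every port are assumptions of the model.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"OFFER", "ACK"}                 # discarded on untrusted ports
CHECKED_REQUESTS = {"REQUEST", "DECLINE", "RELEASE"}


@dataclass(frozen=True)
class Frame:
    port: str        # ingress port
    vlan: int
    src_mac: str     # source MAC address in the frame header
    msg_type: str    # DISCOVER, OFFER, REQUEST, ACK, DECLINE or RELEASE
    chaddr: str      # client hardware address inside the DHCP message
    ip: str = ""     # address being requested, acknowledged, declined or released


class SnoopingModel:
    def __init__(self, trusted_ports, check_mac=True, check_request=True):
        self.trusted = set(trusted_ports)
        self.check_mac = check_mac
        self.check_request = check_request
        self.pending = {}    # chaddr -> (port, vlan) learned from a DHCP-REQUEST
        self.bindings = {}   # ip -> (mac, port, vlan): the DHCP snooping entries

    def handle(self, f):
        if f.msg_type in SERVER_REPLIES:
            if f.port not in self.trusted:
                return "drop: server reply on untrusted port"
            # An ACK from a trusted port completes the entry for the client
            # whose REQUEST was seen earlier.
            if f.msg_type == "ACK" and f.chaddr in self.pending:
                port, vlan = self.pending.pop(f.chaddr)
                self.bindings[f.ip] = (f.chaddr, port, vlan)
            return "forward"
        # MAC address check: chaddr must equal the frame's source MAC.
        if self.check_mac and f.src_mac != f.chaddr:
            return "drop: chaddr differs from source MAC"
        # DHCP-REQUEST check: an existing entry must agree with the message.
        if self.check_request and f.msg_type in CHECKED_REQUESTS:
            entry = self.bindings.get(f.ip)
            if entry is not None and entry != (f.chaddr, f.port, f.vlan):
                return "drop: inconsistent with snooping entry"
        if f.msg_type == "REQUEST":
            self.pending[f.chaddr] = (f.port, f.vlan)
        return "forward"


def run_demo():
    """Run constructed frames through the model; GE2/0/1 faces the DHCP server."""
    dev = SnoopingModel(trusted_ports={"GE2/0/1"})
    client, other, server = "000c-29d3-8659", "0011-2233-4455", "0050-56aa-0001"
    frames = [
        Frame("GE2/0/2", 1, client, "REQUEST", client, "10.1.1.3"),   # genuine client
        Frame("GE2/0/3", 1, other, "ACK", client, "10.1.1.99"),       # unauthorized server
        Frame("GE2/0/1", 1, server, "ACK", client, "10.1.1.3"),       # authorized server
        Frame("GE2/0/3", 1, other, "DISCOVER", "0011-2233-0001"),     # forged chaddr
        Frame("GE2/0/3", 1, client, "RELEASE", client, "10.1.1.3"),   # forged release
        Frame("GE2/0/2", 1, client, "REQUEST", client, "10.1.1.3"),   # genuine renewal
        Frame("GE2/0/3", 1, other, "REQUEST", other, "10.1.1.4"),     # no entry yet
    ]
    return [dev.handle(f) for f in frames], dict(dev.bindings)


if __name__ == "__main__":
    verdicts, bindings = run_demo()
    print("\n".join(verdicts))
    print(bindings)
```

The forged release passes the MAC address check because both MAC fields are copied from the client, and is caught only because the snooping entry also records the port; that is why the DHCP-REQUEST check depends on entry recording being enabled on client-facing ports.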

Setting the maximum number of DHCP snooping entries

Perform this task to prevent the system resources from being overused.

To set the maximum number of DHCP snooping entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Set the maximum number of DHCP snooping entries for the interface to learn.
   Command: dhcp snooping max-learning-num number
   Remarks: By default, the number of DHCP snooping entries for an interface to learn is unlimited.


Displaying and maintaining DHCP snooping

Execute display commands in any view, and reset commands in user view.

Task: Display DHCP snooping entries.
Command: display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ]

Task: Display Option 82 configuration information on the DHCP snooping device.
Command: display dhcp snooping information { all | interface interface-type interface-number }

Task: Display DHCP packet statistics on the DHCP snooping device (centralized devices in standalone mode).
Command: display dhcp snooping packet statistics

Task: Display DHCP packet statistics on the DHCP snooping device (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display dhcp snooping packet statistics [ slot slot-number ]

Task: Display DHCP packet statistics on the DHCP snooping device (distributed devices in IRF mode).
Command: display dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

Task: Display information about trusted ports.
Command: display dhcp snooping trust

Task: Display information about the file that stores DHCP snooping entries.
Command: display dhcp snooping binding database

Task: Clear DHCP snooping entries.
Command: reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }

Task: Clear DHCP packet statistics on the DHCP snooping device (centralized devices in standalone mode).
Command: reset dhcp snooping packet statistics

Task: Clear DHCP packet statistics on the DHCP snooping device (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset dhcp snooping packet statistics [ slot slot-number ]

Task: Clear DHCP packet statistics on the DHCP snooping device (distributed devices in IRF mode).
Command: reset dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

DHCP snooping configuration examples

Basic DHCP snooping configuration example

Network requirements

As shown in Figure 37:
• Configure the port GigabitEthernet 2/0/1 connected to the DHCP server as a trusted port.
• Configure other ports as untrusted ports.
• Enable DHCP snooping to record clients' IP-to-MAC bindings by reading DHCP-ACK messages received from the trusted port and DHCP-REQUEST messages.

Figure 37 Network diagram

Configuration procedure

# Enable DHCP snooping.
<RouterB> system-view
[RouterB] dhcp snooping enable

# Configure GigabitEthernet 2/0/1 as a trusted port.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] dhcp snooping trust
[RouterB-GigabitEthernet2/0/1] quit

# Enable DHCP snooping to record clients' IP-to-MAC bindings on GigabitEthernet 2/0/2.
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] dhcp snooping binding record
[RouterB-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)

# Display the DHCP snooping entry recorded for the client.
[RouterB] display dhcp snooping binding

Option 82 configuration example

Network requirements

As shown in Figure 38, enable DHCP snooping and configure Option 82 on Router B as follows:
• Configure the handling strategy for DHCP requests that contain Option 82 as replace.
• On GigabitEthernet 2/0/2, configure the padding content for the Circuit ID sub-option as company001 and for the Remote ID sub-option as device001.
• On GigabitEthernet 2/0/3, configure the padding mode for the Circuit ID sub-option as verbose, access node identifier as sysname, and padding format as ascii. Configure the padding content for the Remote ID sub-option as device001.

Figure 38 Network diagram

Configuration procedure

# Enable DHCP snooping.
<RouterB> system-view
[RouterB] dhcp snooping enable

# Configure GigabitEthernet 2/0/1 as a trusted port.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] dhcp snooping trust
[RouterB-GigabitEthernet2/0/1] quit

# Configure Option 82 on GigabitEthernet 2/0/2.
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] dhcp snooping information enable
[RouterB-GigabitEthernet2/0/2] dhcp snooping information strategy replace
[RouterB-GigabitEthernet2/0/2] dhcp snooping information circuit-id string company001
[RouterB-GigabitEthernet2/0/2] dhcp snooping information remote-id string device001
[RouterB-GigabitEthernet2/0/2] quit

# Configure Option 82 on GigabitEthernet 2/0/3.
[RouterB] interface gigabitethernet 2/0/3
[RouterB-GigabitEthernet2/0/3] dhcp snooping information enable
[RouterB-GigabitEthernet2/0/3] dhcp snooping information strategy replace
[RouterB-GigabitEthernet2/0/3] dhcp snooping information circuit-id verbose node-identifier sysname format ascii
[RouterB-GigabitEthernet2/0/3] dhcp snooping information remote-id string device001

Verifying the configuration

# Display Option 82 configuration information on GigabitEthernet 2/0/2 and GigabitEthernet 2/0/3 on the DHCP snooping device.
[RouterB] display dhcp snooping information


Configuring the BOOTP client BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces and VLAN interfaces.

If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.

BOOTP application An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.

To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server. The parameter file contains information such as MAC address and IP address of a BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches for the BOOTP parameter file and returns the corresponding configuration information.

BOOTP is usually used in relatively stable environments. In network environments that change frequently, DHCP is more suitable.

Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client. You do not need to configure a BOOTP server.

Obtaining an IP address dynamically

A BOOTP client dynamically obtains an IP address from a BOOTP server as follows:

1. The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.

2. Upon receiving the request, the BOOTP server searches the configuration file for the IP address and other information according to the BOOTP client's MAC address.

3. The BOOTP server returns a BOOTP response to the BOOTP client.

4. The BOOTP client obtains the IP address from the received response.

A DHCP server can take the place of the BOOTP server in this dynamic IP address acquisition process.

Protocols and standards

• RFC 951, Bootstrap Protocol (BOOTP)

• RFC 2132, DHCP Options and BOOTP Vendor Extensions

• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

Configuring an interface to use BOOTP for IP address acquisition

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure an interface to use BOOTP for IP address acquisition. | ip address bootp-alloc | By default, an interface does not use BOOTP for IP address acquisition.

Displaying and maintaining BOOTP client

Execute the display command in any view.

Task | Command
Display BOOTP client information. | display bootp client [ interface interface-type interface-number ]

BOOTP client configuration example

Network requirements

As shown in Figure 25, GigabitEthernet 2/0/1 of Router B connects to the LAN to obtain an IP address from the DHCP server by using BOOTP.

To make the BOOTP client obtain an IP address from the DHCP server, perform configuration on the DHCP server. For more information, see "DHCP server configuration examples."

Configuration procedure

The following describes the configuration on Router B, which acts as a client.

# Configure GigabitEthernet 2/0/1 to use BOOTP to obtain an IP address.

<RouterB> system-view

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ip address bootp-alloc

Verifying the configuration

# Display the IP address assigned to the BOOTP client.

[RouterB] display bootp client

Configuring DNS

Overview

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry.

DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can add DNS entries for domain names whose IP addresses are fixed to the local static name resolution table.

Static domain name resolution

Static domain name resolution means manually creating mappings between domain names and IP addresses. For example, you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain name.

Dynamic domain name resolution

Resolution process

1. A user program sends a name query to the resolver of the DNS client.

2. The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.

3. The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to other DNS servers. This process continues until a result, whether successful or not, is returned.

4. After receiving a response from the DNS server, the DNS client returns the resolution result to the user program.

Figure 39 shows the relationship between the user program, DNS client, and DNS server.

The DNS client includes the resolver and cache. The user program and DNS client can run on the same device or different devices. The DNS server and the DNS client usually run on different devices.

Figure 39 Dynamic domain name resolution (diagram labels: User program, DNS client containing Resolver and Cache, DNS server; arrows: Request, Response, Read, Save)

Dynamic domain name resolution allows the DNS client to store the latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires. The DNS server determines how long a mapping is valid, and the DNS client obtains the aging information from DNS responses.

DNS suffixes

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name.

For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.

The name resolver handles the queries based on the domain names that the user enters:

• If the user enters a domain name without a dot (.) (for example, aabbcc), the resolver considers the domain name as a host name. It adds a DNS suffix to the host name before performing the query operation. If no match is found for any host name and suffix combination, the resolver uses the user-entered domain name (for example, aabbcc) for the IP address query.

• If the user enters a domain name with a dot (.) among the letters (for example, www.aabbcc), the resolver directly uses this domain name for the query operation. If the query fails, the resolver adds a DNS suffix for another query operation.

• If the user enters a domain name with a dot (.) at the end (for example, aabbcc.com.), the resolver considers the domain name an FQDN and returns the successful or failed query result. The dot at the end of the domain name is considered a terminating symbol.
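The three cases above fix the order in which names are sent to the DNS server, which is worth checking whenever a suffix list is long or a name fails unexpectedly. The following Python sketch is an added example, not code from the guide or from Comware; the function names and the ZONE table are constructed for illustration (host.com and 3.1.1.1 come from the configuration example later in this chapter).

```python
# Added example: query order produced by the DNS suffix rules described above.
# ZONE is a constructed stand-in for the DNS server's database.
ZONE = {
    "host.com": "3.1.1.1",
    "aabbcc.com": "192.0.2.10",
    "www.aabbcc.com": "192.0.2.11",
}


def candidate_queries(name, suffixes):
    """Return the names the resolver queries, in order, for a user-entered name.

    `suffixes` is the DNS suffix list, highest priority first.
    """
    fqdn = name.endswith(".")
    labels = (name[:-1] if fqdn else name).split(".")
    if not all(labels):
        # Rejects "", ".", and names with empty labels such as "aabbcc..".
        raise ValueError(f"malformed domain name: {name!r}")

    # Trailing dot: the name is an FQDN. The dot is only a terminating symbol,
    # so the name is queried once and no suffix is ever appended.
    if fqdn:
        return [name[:-1]]

    with_suffix = [f"{name}.{s.strip('.')}" for s in suffixes if s.strip(".")]

    # No dot at all: treated as a host name. Every suffix is tried first and
    # the bare name is the last resort.
    if len(labels) == 1:
        return with_suffix + [name]

    # Dot among the letters: the name as entered is tried first, then the
    # suffix list.
    return [name] + with_suffix


def resolve(name, suffixes, lookup):
    """Try each candidate in order; return (queried_name, address) or None."""
    for candidate in candidate_queries(name, suffixes):
        address = lookup(candidate.lower())
        if address is not None:
            return candidate, address
    return None


if __name__ == "__main__":
    for entered in ("host", "aabbcc", "www.aabbcc", "aabbcc.com.", "aabbcc."):
        order = candidate_queries(entered, ["com"])
        print(f"{entered!r:15} queries {order} -> {resolve(entered, ['com'], ZONE.get)}")
```

Note the second case: a dotted name that fails as entered is retried with each suffix, so only a trailing dot guarantees that exactly the entered name is resolved.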

The device supports static and dynamic DNS client services.

If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.

DNS proxy

As shown in Figure 40, the DNS proxy performs the following operations:

• Forwards the request from the DNS client to the designated DNS server.

• Conveys the reply from the DNS server to the client.

The DNS proxy simplifies network management. When the DNS server address is changed, you can change the configuration only on the DNS proxy instead of on each DNS client.

Figure 40 DNS proxy application

A DNS proxy operates as follows:

1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.

2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.

3. If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.

4. After receiving a reply from the DNS server, the DNS proxy records the IP address-to-domain name mapping and forwards the reply to the DNS client.

If no DNS server is designated or no route is available to the designated DNS server, the DNS proxy does not forward DNS requests.

DNS spoofing

DNS spoofing is applied to the dial-up network, as shown in Figure 41.

• The device connects to a PSTN/ISDN network through a dial-up interface. The device triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface.

• The device acts as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established, the device dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism.

Figure 41 DNS spoofing application

The DNS proxy does not have the DNS server address or cannot reach the DNS server after startup. A host accesses the HTTP server in the following steps:

1. The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.

2. Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. Because no match is found, the device spoofs the host by replying with a configured IP address. The device must have a route to the IP address with the dial-up interface as the output interface. The IP address configured for DNS spoofing is not the actual IP address of the requested domain name. Therefore, the TTL field is set to 0 in the DNS reply. When the DNS client receives the reply, it creates a DNS entry and ages it out immediately.

3. Upon receiving the reply, the host sends an HTTP request to the replied IP address.

4. When forwarding the HTTP request through the dial-up interface, the device performs the following operations:

  • Establishes a dial-up connection with the network.

  • Dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism.

5. Because the DNS entry ages out immediately upon creation, the host sends another DNS request to the device to resolve the HTTP server domain name.

6. The device operates the same as a DNS proxy. For more information, see "DNS proxy."

7. After obtaining the IP address of the HTTP server, the host can access the HTTP server.

Without DNS spoofing, the device forwards the DNS requests from the host to the DNS server if it cannot find a matching local DNS entry. However, the device cannot obtain the DNS server address, because no dial-up connection is established. Therefore, the device cannot forward or answer the requests from the client. DNS resolution fails, and the client cannot access the HTTP server.
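The exchange above depends on two details: the spoofed reply must carry TTL 0, and the first forwarded packet must bring the link up. The following Python simulation is an added example, not code from the guide or from Comware; the class names, the host name www.example.com, and the addresses 10.0.0.254 and 192.0.2.80 are constructed, the spoof_ttl parameter exists only to show what a non-zero TTL would do, and static DNS entries are not modelled.

```python
# Added example: the DNS spoofing walk-through above as a small simulation.
from dataclasses import dataclass

REAL_ZONE = {"www.example.com": "192.0.2.80"}  # constructed: the real DNS server's data


@dataclass
class Reply:
    name: str
    address: str
    ttl: int  # seconds the client may keep the entry


class Device:
    """The dial-up device acting as DNS proxy, with optional DNS spoofing."""

    def __init__(self, spoof_address, spoof_ttl=0, real_ttl=300):
        self.spoof_address = spoof_address  # None models "DNS spoofing not configured"
        self.spoof_ttl = spoof_ttl          # the guide states 0; other values are a what-if
        self.real_ttl = real_ttl
        self.link_up = False                # dial-up connection state
        self.events = []

    def dns_request(self, name):
        if self.link_up:
            # The DNS server address was learned when the link came up,
            # so the device now behaves as a plain DNS proxy (step 6).
            address = REAL_ZONE.get(name)
            self.events.append(f"proxy {name} -> {address}")
            return Reply(name, address, self.real_ttl) if address else None
        if self.spoof_address is None:
            # No DNS server address and no spoofing: nothing can be answered.
            self.events.append(f"unanswered {name}")
            return None
        # Step 2: reply with the configured address instead of the real one.
        self.events.append(f"spoof {name} -> {self.spoof_address} ttl={self.spoof_ttl}")
        return Reply(name, self.spoof_address, self.spoof_ttl)

    def forward(self, destination):
        # Step 4: a packet routed out of the dial-up interface triggers the dial.
        if not self.link_up:
            self.link_up = True
            self.events.append("dial-up established, DNS server address obtained")
        self.events.append(f"forward to {destination}")


class Host:
    def __init__(self, device):
        self.device = device
        self.cache = {}  # name -> (address, expiry time)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]
        self.cache.pop(name, None)
        reply = self.device.dns_request(name)
        if reply is None:
            return None
        if reply.ttl > 0:  # an entry with TTL 0 ages out immediately (step 5)
            self.cache[name] = (reply.address, now + reply.ttl)
        return reply.address

    def http_get(self, name, now):
        address = self.resolve(name, now)
        if address is not None:
            self.device.forward(address)
        return address


def run_scenario(spoof_address, spoof_ttl=0, attempts=3):
    """Return (addresses the host used on each attempt, the device)."""
    device = Device(spoof_address, spoof_ttl)
    host = Host(device)
    used = [host.http_get("www.example.com", now=t) for t in range(attempts)]
    return used, device


if __name__ == "__main__":
    for label, args in (("spoofing on", ("10.0.0.254",)),
                        ("spoofing off", (None,)),
                        ("what-if TTL 60", ("10.0.0.254", 60))):
        used, device = run_scenario(*args)
        print(label, used)
        for event in device.events:
            print("   ", event)
```

With spoofing configured the host reaches the real address on its second attempt; without it the link never comes up; with a hypothetical non-zero TTL the host keeps using the spoofed address from its cache.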

DNS configuration task list

Tasks at a glance

Perform one of the following tasks:

• Configuring the IPv4 DNS client

• Configuring the IPv6 DNS client

(Optional.) Configuring the DNS proxy

(Optional.) Configuring DNS spoofing

(Optional.) Configuring network mode tracking for an output interface

(Optional.) Specifying the source interface for DNS packets

(Optional.) Configuring the DNS trusted interface

(Optional.) Setting the DSCP value for outgoing DNS packets

Configuring the IPv4 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.

Follow these guidelines when you configure static domain name resolution:

• On the public network or a VPN, each host name maps to only one IPv4 address. The most recent configuration for a host name takes effect.

• You can configure the following:

  • IPv4 DNS entries for the public network and up to 1024 VPNs.

  • A maximum of 1024 IPv4 DNS entries for the public network or each VPN.

To configure static domain name resolution:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure a mapping between a host name and an IPv4 address. | ip host host-name ip-address [ vpn-instance vpn-instance-name ] | By default, no mapping between a host name and an IPv4 address is configured.

Configuring dynamic domain name resolution

To use dynamic domain name resolution, configure DNS servers so that DNS queries can be sent to a correct server for resolution. A DNS server manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A DNS suffix manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS suffix configured earlier takes precedence. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

• You can specify DNS server IPv4 addresses as follows:

  • Specify DNS server IPv4 addresses for the public network and up to 1024 VPNs.

  • Specify a maximum of six DNS server IPv4 addresses for the public network or each VPN.

• You can specify DNS server IPv6 addresses as follows:

  • Specify DNS server IPv6 addresses for the public network and up to 1024 VPNs.

  • Specify a maximum of six DNS server IPv6 addresses for the public network or each VPN.

An IPv4 name query is first sent to the DNS server IPv4 addresses. If no reply is received, it is sent to the DNS server IPv6 addresses.

• You can specify DNS suffixes as follows:

  • Specify DNS suffixes for the public network and up to 1024 VPNs.

  • Specify a maximum of 16 DNS suffixes for the public network or each VPN.

Configuration procedure

To configure dynamic domain name resolution:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Specify a DNS server. | • Specify a DNS server IPv4 address: dns server ip-address [ vpn-instance vpn-instance-name ] • Specify a DNS server IPv6 address: ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ] | By default, no DNS server is specified. You can specify both the IPv4 and IPv6 addresses.
3. (Optional.) Configure a DNS suffix. | dns domain domain-name [ vpn-instance vpn-instance-name ] | By default, no DNS suffix is configured and only the provided domain name is resolved.

Configuring the IPv6 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv6 addresses.

Follow these guidelines when you configure static domain name resolution:

• For the public network or a VPN, each host name maps to only one IPv6 address. The most recent configuration for a host name takes effect.

• You can configure the following items:

  • IPv6 DNS entries for the public network and up to 1024 VPNs.

  • A maximum of 1024 IPv6 DNS entries for the public network or each VPN.

To configure static domain name resolution:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure a mapping between a host name and an IPv6 address. | ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ] | By default, no mapping between a host name and an IPv6 address is configured.

Configuring dynamic domain name resolution

To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure DNS servers. A DNS server manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A DNS suffix manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS suffix configured earlier takes precedence. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

• You can specify DNS server IPv4 addresses as follows:

  • Specify DNS server IPv4 addresses for the public network and up to 1024 VPNs.

  • Specify a maximum of six DNS server IPv4 addresses for the public network or each VPN.

• You can specify DNS server IPv6 addresses as follows:

  • Specify DNS server IPv6 addresses for the public network and up to 1024 VPNs.

  • Specify a maximum of six DNS server IPv6 addresses for the public network or each VPN.

An IPv6 name query is first sent to the IPv6 DNS servers. If no reply is received, it is sent to the IPv4 DNS servers.

• You can specify DNS suffixes as follows:

  • Specify DNS suffixes for the public network and up to 1024 VPNs.

  • Specify a maximum of 16 DNS suffixes for the public network or each VPN.

Configuration procedure

To configure dynamic domain name resolution:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Specify a DNS server. | • Specify a DNS server IPv4 address: dns server ip-address [ vpn-instance vpn-instance-name ] • Specify a DNS server IPv6 address: ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ] | By default, no DNS server is specified. You can specify both the IPv4 and IPv6 addresses.
3. (Optional.) Configure a DNS suffix. | dns domain domain-name [ vpn-instance vpn-instance-name ] | By default, no DNS suffix is configured. Only the provided domain name is resolved.

Configuring the DNS proxy

You can specify multiple DNS servers. The DNS proxy forwards a request to the DNS server that has the highest priority. If it does not receive a reply, it forwards the request to the DNS server that has the second highest priority, and so on.

A DNS proxy forwards an IPv4 name query first to IPv4 DNS servers. If no reply is received, it forwards the request to IPv6 DNS servers.

A DNS proxy forwards an IPv6 name query first to IPv6 DNS servers. If no reply is received, it forwards the request to IPv4 DNS servers.

To configure the DNS proxy:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable DNS proxy. | dns proxy enable | By default, DNS proxy is disabled.
3. Specify a DNS server. | • Specify a DNS server IPv4 address: dns server ip-address [ vpn-instance vpn-instance-name ] • Specify a DNS server IPv6 address: ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ] | By default, no DNS server is specified. You can specify both the IPv4 and IPv6 DNS addresses.

Configuring DNS spoofing

DNS spoofing takes effect only when the following conditions are met:

• The DNS proxy is enabled on the device.

• No DNS server or route to any DNS server is specified on the device.

• In a 3G or 4G network, network mode tracking is enabled for a 2G output interface.

Follow these guidelines when you configure DNS spoofing:

• You can configure only one replied IPv4 address and one replied IPv6 address for the public network or a VPN. If you use the command multiple times, the most recent configuration takes effect.

• You can configure DNS spoofing for the public network and a maximum of 1024 VPNs.

• DNS spoofing spoofs a DNS request even though a matching static DNS entry exists.

To configure DNS spoofing:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable DNS proxy. | dns proxy enable | By default, DNS proxy is disabled.
3. Enable DNS spoofing and specify the IP address used to spoof DNS requests. | • Specify an IPv4 address: dns spoofing ip-address [ vpn-instance vpn-instance-name ] • Specify an IPv6 address: ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ] | By default, no IP address is specified for DNS spoofing. You can specify both an IPv4 address and an IPv6 address.

Configuring network mode tracking for an output interface

This feature tracks the network mode of an output interface and spoofs DNS requests if the network mode is 2G. This feature takes effect on the cellular interface when the interface acts as the output interface to reach the DNS server. Spoofing DNS requests avoids DNS packet loss that might be caused by limited 2G network bandwidth.

To configure network mode tracking for an output interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable DNS proxy. | dns proxy enable | By default, DNS proxy is disabled.
3. Enable DNS spoofing and specify the IP address used to spoof DNS requests. | • Specify an IPv4 address: dns spoofing ip-address [ vpn-instance vpn-instance-name ] • Specify an IPv6 address: ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ] | By default, no IP address is specified for spoofing. You can specify both an IPv4 address and an IPv6 address. As a best practice, specify a private IP address on the device.
4. Configure the device to track the network mode of an output interface. | dns spoofing track controller interface-type interface-number | By default, the device does not track the network mode of an output interface.

Specifying the source interface for DNS packets

This task enables the device to always use the primary IP address of the specified source interface as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is configured on the source interface, no DNS packets can be sent out.

When sending an IPv6 DNS request, the device follows the method defined in RFC 3484 to select an IPv6 address of the source interface.

You can configure only one source interface on the public network or a VPN. You can configure the source interface for the public network and a maximum of 1024 VPNs.

To specify the source interface for DNS packets:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Specify the source interface for DNS packets. | dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ] | By default, no source interface for DNS packets is specified. If you execute the command multiple times, the most recent configuration takes effect. If you specify the vpn-instance vpn-instance-name option, make sure the source interface is on the specified VPN.

Configuring the DNS trusted interface

This task enables the device to use only the DNS suffix and domain name server information obtained through the trusted interface. The device can then obtain the correct resolved IP address. This feature protects the device against attackers that act as the DHCP server to assign an incorrect DNS suffix and domain name server address.

To configure the DNS trusted interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Specify the DNS trusted interface. | dns trust-interface interface-type interface-number | By default, no DNS trusted interface is specified. You can configure up to 128 DNS trusted interfaces.
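One way to check a saved configuration for this protection is to compare the interfaces that learn their settings through DHCP with the configured DNS trusted interfaces. The following Python audit is an added example, not a tool from the guide or from HPE; the sample configuration is constructed, ip address dhcp-alloc is the Comware DHCP client command (not shown in this section), and the script assumes that with no trusted interface configured, dynamically learned DNS information is accepted from every interface.

```python
# Added example: audit a saved configuration for DNS trusted interface coverage.
import re

# Constructed sample in the layout of a saved Comware configuration.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet2/0/1
 ip address dhcp-alloc
#
interface GigabitEthernet2/0/2
 ip address dhcp-alloc
#
interface GigabitEthernet2/0/3
 ip address 10.1.1.1 255.255.255.0
#
 dns proxy enable
 dns trust-interface GigabitEthernet2/0/1
#
"""


def norm(ifname):
    """Compare names typed as 'gigabitethernet 2/0/1' or 'GigabitEthernet2/0/1'."""
    return re.sub(r"\s+", "", ifname).lower()


def parse(config):
    """Return ({key: name} of DHCP client interfaces, {key: name} of trusted ones)."""
    dhcp_clients, trusted = {}, {}
    current = None  # interface view the parser is inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # a "#" line closes the current view
            continue
        m = re.match(r"interface\s+(\S.*)$", line, re.I)
        if m:
            current = m.group(1)
            continue
        if current and line.lower() == "ip address dhcp-alloc":
            dhcp_clients[norm(current)] = current
        m = re.match(r"dns\s+trust-interface\s+(\S.*)$", line, re.I)
        if m:
            trusted[norm(m.group(1))] = m.group(1)
    return dhcp_clients, trusted


def audit(config):
    """Return a list of (severity, interface, message) findings."""
    dhcp_clients, trusted = parse(config)
    findings = []
    for key, name in dhcp_clients.items():
        if not trusted:
            # Assumption: without any trusted interface, DNS server and suffix
            # information offered by any DHCP server on this port is used.
            findings.append(("HIGH", name,
                             "DHCP client and no dns trust-interface is configured"))
        elif key not in trusted:
            findings.append(("INFO", name,
                             "DHCP client but not trusted: its DNS server and "
                             "suffix information is not used"))
    for key, name in trusted.items():
        if key not in dhcp_clients:
            findings.append(("REVIEW", name,
                             "trusted, but not a DHCP client in this "
                             "configuration: confirm it is the intended uplink"))
    return findings


if __name__ == "__main__":
    for severity, interface, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {interface}: {message}")
```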

Setting the DSCP value for outgoing DNS packets

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

To set the DSCP value for outgoing DNS packets:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the DSCP value for outgoing DNS packets. | • DSCP value for IPv4 DNS packets: dns dscp dscp-value • DSCP value for IPv6 DNS packets: ipv6 dns dscp dscp-value | By default, the DSCP value for outgoing DNS packets is 0. The configuration is available on DNS clients and DNS proxy devices.

Displaying and maintaining IPv4 DNS

Execute display commands in any view and reset commands in user view.

Task | Command
Display the domain name resolution table. | display dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]
Display IPv4 DNS server information. | display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]
Display IPv6 DNS server information. | display ipv6 dns server [ dynamic ] [ vpn-instance vpn-instance-name ]
Display DNS suffixes. | display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ]
Clear information about the dynamic domain name cache. | reset dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

IPv4 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 42, the device wants to access the host by using an easy-to-remember domain name rather than an IP address.

Configure static domain name resolution on the device, so the device can use the domain name host.com to access the host whose IP address is 10.1.1.2.

Figure 42 Network diagram

Configuration procedure

# Configure a mapping between host name host.com and IP address 10.1.1.2.

<Sysname> system-view

[Sysname] ip host host.com 10.1.1.2

# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.

[Sysname] ping host.com

Ping host.com (10.1.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=4 ttl=255 time=2.000 ms

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 43, the DNS server at 2.1.1.2/16 has a com domain that stores the mapping between domain name host and IP address 3.1.1.1/16.

Configure dynamic DNS and the DNS suffix com on the device that acts as a DNS client. The device can then use the domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/16.

Figure 43 Network diagram

Configuration procedure

Before performing the following configuration, make sure that:

• The device and the host can reach each other.

• The IP addresses of the interfaces are configured as shown in Figure 43.

1. Configure the DNS server:

The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2000.

a. Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 44.

b. Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 44 Creating a zone

c. On the DNS server configuration page, right-click zone com, and select New Host.

Figure 45 Adding a host

d. On the page that appears, enter host name host and IP address 3.1.1.1.

e. Click Add Host.

The mapping between the IP address and host name is created.

Figure 46 Adding a mapping between domain name and IP address

2. Configure the DNS client:

# Specify the DNS server 2.1.1.2.

<Sysname> system-view

[Sysname] dns server 2.1.1.2

# Specify com as the name suffix.

[Sysname] dns domain com

Verifying the configuration

# Execute the ping host command on the device.

[Sysname] ping host

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

--- Ping statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

The output shows that the communication between the device and the host is normal and that the translated destination IP address is 3.1.1.1.

DNS proxy configuration example

Network requirements

When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.

As shown in Figure 47:

• Specify Device A as the DNS server of Device B (the DNS client). Device A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.

• Configure the IP address of the DNS proxy on Device B. DNS requests of Device B are forwarded to the real DNS server through the DNS proxy.

Figure 47 Network diagram

Configuration procedure

Before performing the following configuration, make sure that:

• Device A, the DNS server, and the host can reach each other.

• The IP addresses of the interfaces are configured as shown in Figure 47.

1. Configure the DNS server:

The configuration might vary by DNS server. When a PC running Windows Server 2000 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information.

2. Configure the DNS proxy:

# Specify the DNS server 4.1.1.1.

<DeviceA> system-view

[DeviceA] dns server 4.1.1.1

# Enable DNS proxy.

[DeviceA] dns proxy enable

3. Configure the DNS client:

<DeviceB> system-view

# Specify the DNS server 2.1.1.2.

[DeviceB] dns server 2.1.1.2

Verifying the configuration

# Execute the ping host.com command on Device B.

[DeviceB] ping host.com

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

The output shows that the communication between Device B and the host is normal and that the translated destination IP address is 3.1.1.1.

IPv6 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 48, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the device, so the device can use domain name host.com to access the host whose IPv6 address is 1::2.


Figure 48 Network diagram

Configuration procedure

# Configure a mapping between host name host.com and IPv6 address 1::2.
<Device> system-view
[Device] ipv6 host host.com 1::2

# Use the ping ipv6 host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.
[Sysname] ping ipv6 host.com

Ping6(56 data bytes) 1::1 --> 1::2, press CTRL_C to break

56 bytes from 1::2, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::2, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=4 hlim=128 time=0.000 ms

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 49, the DNS server at 2::2/64 has a com domain. The server stores the mapping between domain name host and IPv6 address 1::1/64.

Configure dynamic DNS and the DNS suffix com on the device that acts as a DNS client. The device can then use domain name host to access the host with the domain name host.com and the IPv6 address 1::1/64.

Figure 49 Network diagram

Configuration procedure

Before performing the following configuration, make sure that:
• The device and the host can reach each other.
• The IPv6 addresses of the interfaces are configured as shown in Figure 49.


1. Configure the DNS server:
The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2003. Make sure that the DNS server supports the IPv6 DNS function, so it can process IPv6 DNS packets and its interfaces can forward IPv6 packets.

a. Select Start > Programs > Administrative Tools > DNS. The DNS server configuration page appears, as shown in Figure 50.

b. Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 50 Creating a zone

c. On the DNS server configuration page, right-click zone com, and select Other New Records.


Figure 51 Creating a record

d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.


Figure 52 Selecting the resource record type

e. Type host name host and IPv6 address 1::1.

f. Click OK. The mapping between the IPv6 address and host name is created.


Figure 53 Adding a mapping between domain name and IPv6 address

2. Configure the DNS client:
# Specify the DNS server 2::2.
<Device> system-view
[Device] ipv6 dns server 2::2
# Configure com as the DNS suffix.
[Device] dns domain com

Verifying the configuration

# Execute the ping ipv6 host command on the device.
[Device] ping ipv6 host

Ping6(56 data bytes) 3::1 --> 1::1, press CTRL_C to break

56 bytes from 1::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=4 hlim=128 time=0.000 ms

--- Ping6 statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

The output shows that the communication between the device and the host is normal and that the translated destination IP address is 1::1.


DNS proxy configuration example

Network requirements

When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.

As shown in Figure 54:
• Specify Device A as the DNS server of Device B (the DNS client). Device A acts as a DNS proxy. The IP address of the real DNS server is 4000::1.
• Configure the IP address of the DNS proxy on Device B. DNS requests of Device B are forwarded to the real DNS server through the DNS proxy.

Figure 54 Network diagram

Configuration procedure

Before performing the following configuration, make sure that:
• Device A, the DNS server, and the host can reach each other.
• The IP addresses of the interfaces are configured as shown in Figure 54.

1. Configure the DNS server:
This configuration might vary by DNS server. When a PC running Windows Server 2003 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information.

2. Configure the DNS proxy:
# Specify the DNS server 4000::1.
<DeviceA> system-view
[DeviceA] ipv6 dns server 4000::1
# Enable DNS proxy.
[DeviceA] dns proxy enable

3. Configure the DNS client:
# Specify the DNS server 2000::2.
<DeviceB> system-view
[DeviceB] ipv6 dns server 2000::2

Verifying the configuration

# Execute the ping host.com command on Device B.


[DeviceB] ping host.com

Ping6(56 data bytes) 2000::1 --> 3000::1, press CTRL_C to break

56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=4 hlim=128 time=0.000 ms

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

The output shows that the communication between Device B and the host is normal and that the translated destination IP address is 3000::1.

Troubleshooting IPv4 DNS configuration

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IP address.

Solution

1. Use the display dns host ip command to verify that the specified domain name is in the cache.
2. If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.
3. If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.
4. Verify that the mapping between the domain name and IP address is correct on the DNS server.

Troubleshooting IPv6 DNS configuration

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IPv6 address.

Solution

1. Use the display dns host ipv6 command to verify that the specified domain name is in the cache.
2. If the specified domain name does not exist, check that dynamic domain name resolution is enabled, and that the DNS client can communicate with the DNS server.
3. If the specified domain name is in the cache, but the IPv6 address is incorrect, check that the DNS client has the correct IPv6 address of the DNS server.
4. Verify that the mapping between the domain name and IPv6 address is correct on the DNS server.


Configuring DDNS

Overview

DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails.

Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers.

DDNS is supported only by IPv4 DNS, and it is used to update the mappings between domain names and IPv4 addresses.

DDNS application

As shown in Figure 55, DDNS works on the client-server model.

• DDNS client—A device that needs to update the mapping between its domain name and IP address dynamically on the DNS server when its IP address changes. An Internet user typically accesses an application layer server such as an HTTP server or an FTP server by using the server's domain name. When its IP address changes, the application layer server runs as a DDNS client. It sends a request to the DDNS server for updating the mapping between its domain name and its IP address.

• DDNS server—Informs the DNS server of latest mappings. When receiving the mapping update request from a DDNS client, the DDNS server tells the DNS server to re-map the domain name and the IP address of the DDNS client. Therefore, the Internet users can use the same domain name to access the DDNS client even if the IP address of the DDNS client has changed.

Figure 55 DDNS application

With the DDNS client configured, a device can dynamically update the latest mapping between its domain name and IP address on the DNS server through DDNS servers.

NOTE: The DDNS update process does not have a unified standard but varies by DDNS server that the DDNS client contacts.

[Figure 55 labels: HTTP server (DDNS client), DDNS server, DNS server, IP network, HTTP client]


DDNS client configuration task list

Tasks at a glance
• (Required.) Configuring a DDNS policy
• (Required.) Applying the DDNS policy to an interface
• (Optional.) Setting the DSCP value for outgoing DDNS packets

Configuring a DDNS policy

A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, associated SSL client policy, and update time interval. After creating a DDNS policy, you can apply it to multiple interfaces to simplify DDNS configuration.

The URL addresses configured for update requests vary by DDNS server.

Table 6 Common URL addresses

| DDNS server | URL addresses for DDNS update requests |
|---|---|
| www.3322.org | http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a> |
| DYNDNS | http://members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a> |
| DYNS | http://www.dyns.cx/postscript.php?host=<h>&ip=<a> |
| ZONEEDIT | http://dynamic.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a> |
| TZO | http://cgi.tzo.com/webclient/signedon.html?TZOName=<h>IPAddress=<a> |
| EASYDNS | http://members.easydns.com/dyn/ez-ipupdate.php?action=edit&myip=<a>&host_id=<h> |
| HEIPV6TB | http://dyn.dns.he.net/nic/update?hostname=<h>&myip=<a> |
| CHANGE-IP | http://nic.changeip.com/nic/update?hostname=<h>&offline=1 |
| NO-IP | http://dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a> |
| DHS | http://members.dhs.org/nic/hosts?domain=dyn.dhs.org&hostname=<h>&hostscmd=edit&hostscmdstage=2&type=1&ip=<a> |
| HP | https://server-name/nic/update?group=group-name&myip=<a> |
| ODS | ods://update.ods.org |
| GNUDIP | gnudip://server-name |
| PeanutHull | oray://phservice2.oray.net |

By default, the URL address does not include a username or password. To configure the username and password, use the username command and the password command.

HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols.

The URL address for an update request can start with:
• http://—The HTTP-based DDNS server.
• https://—The HTTPS-based DDNS server.
• ods://—The TCP-based ODS server.


• gnudip://—The TCP-based GNUDIP server.
• oray://—The TCP-based DDNS server.

The domain names of DDNS servers are members.3322.org and phservice2.oray.net. The domain names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net, ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation.

The port number in the URL address is optional. If no port is specified, the system uses the default port numbers: port 80 for HTTP, port 443 for HTTPS, and port 6060 for PeanutHull DDNS server.

The system automatically performs the following tasks:
• Fills <h> with the FQDN upon a DDNS policy application to the interface.
• Fills <a> with the primary IP address of the interface to which the DDNS policy is applied.

You can also manually specify an FQDN and an IP address in <h> and <a>. In this case, the FQDN specified upon the DDNS policy application does not take effect. You are not encouraged to manually change the <h> and <a> because your configuration might be incorrect. For more information about applying DDNS policies, see "Applying the DDNS policy to an interface."

No FQDN or IP address can be specified in the URL address for update requests sent to the PeanutHull DDNS server. You can specify the FQDN when applying the DDNS policy to an interface. The IP address is the primary IP address of the interface to which the DDNS policy is applied.

TIP: The FQDN is the only identification of a node in the network. An FQDN consists of a local host name and a parent domain name and can be translated into an IP address.

Configuration prerequisites

Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. When the DDNS client updates the mapping between the domain name and the IP address through the DDNS server, the DDNS server checks the following:
• Whether the account information is correct.
• Whether the domain name to be updated belongs to the account.

Configuration procedure

To configure a DDNS policy:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a DDNS policy and enter its view. | ddns policy policy-name | By default, no DDNS policy is created. |
| 3. Specify a URL address for DDNS update requests. | url request-url | By default, no URL address is specified for DDNS update requests. |
| 4. Specify the username to be contained in the URL address. | username username | By default, no username is specified. |
| 5. Specify the password to be contained in the URL address. | password { cipher \| simple } password | By default, no password is specified. |
| 6. (Optional.) Specify the parameter transmission method for sending DDNS update requests to HTTP/HTTPS-based DDNS servers. | method { http-get \| http-post } | By default, http-get is used. Use the method http-post command to specify the POST method for DDNS update with a DHS server. |
| 7. (Optional.) Associate an SSL client policy with the DDNS policy. | ssl-client-policy policy-name | By default, no SSL client policy is associated with the DDNS policy. This step is only effective and a must for HTTP-based DDNS update requests. For SSL client policy configuration, see Security Configuration Guide. |
| 8. (Optional.) Specify the interval for sending update requests. | interval days [ hours [ minutes ] ] | By default, the time interval is one hour. |

Applying the DDNS policy to an interface

After you apply the DDNS policy to an interface and specify the FQDN for update, the DDNS client sends requests to the DDNS server to update the mapping between the domain name and the primary IP address of the interface at the specified interval.

Before you apply a DDNS policy to an interface, complete the following tasks:
• Specify the primary IP address of the interface and make sure the DDNS server and the interface can reach each other.
• Configure static or dynamic domain name resolution to translate the domain name of the DDNS server into the IPv4 address. For more information, see "Configuring the IPv4 DNS client."

To apply the DDNS policy to an interface:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Apply the DDNS policy to the interface to update the mapping between the specified FQDN and the primary IP address of the interface, and enable DDNS update. | ddns apply policy policy-name [ fqdn domain-name ] | By default, no DDNS policy is applied to the interface, no FQDN is specified for update, and DDNS update is disabled. The fqdn domain-name option must be specified for all DDNS servers except the PeanutHull DDNS server. |

NOTE: If no FQDN is specified for the PeanutHull DDNS server, the DDNS server updates all domain names of the DDNS client account. If an FQDN is specified, the DDNS server updates only the mapping between the specified FQDN and the primary IP address.

Setting the DSCP value for outgoing DDNS packets

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

To set the DSCP value for outgoing DDNS packets:


| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the DSCP value for outgoing DDNS packets. | ddns dscp dscp-value | By default, the DSCP value for outgoing DDNS packets is 0. |

Displaying DDNS

Execute display commands in any view.

| Task | Command |
|---|---|
| Display information about the DDNS policy. | display ddns policy [ policy-name ] |

DDNS configuration examples

DDNS configuration example with www.3322.org

Network requirements

As shown in Figure 56, the router is a Web server with the domain name whatever.3322.org.

The router acquires the IP address through DHCP. Through DDNS service provided by www.3322.org, the router informs the DNS server of the latest mapping between its domain name and IP address. The router uses the DNS server to translate www.3322.org into its IP address.

Figure 56 Network diagram

Configuration procedure

Before configuring DDNS on the router, perform the following tasks:
• Register with username steven and password nevets at http://www.3322.org/.
• Create the dynamic domain name whatever.3322.org at http://www.3322.org/.
• Add the router's host name-to-IP address mapping to the DNS server.
• Make sure the devices can reach each other.

# Create a DDNS policy named 3322.org, and enter its view.
<Router> system-view
[Router] ddns policy 3322.org

# Specify for DDNS update requests the URL address with the login ID steven and plaintext password nevets.
[Router-ddns-policy-3322.org] url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
[Router-ddns-policy-3322.org] username steven
[Router-ddns-policy-3322.org] password simple nevets

# Set the interval for sending DDNS update requests to 15 minutes.
[Router-ddns-policy-3322.org] interval 0 0 15
[Router-ddns-policy-3322.org] quit

# Specify the IP address of the DNS server as 1.1.1.1.
[Router] dns server 1.1.1.1

# Apply DDNS policy 3322.org to GigabitEthernet 2/0/1 to enable DDNS update. The mapping between domain name whatever.3322.org and the primary IP address of GigabitEthernet 2/0/1 will be dynamically updated.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ddns apply policy 3322.org fqdn whatever.3322.org

After the configuration is completed, the router notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org, whenever its IP address changes. Therefore, the router can always provide Web service at whatever.3322.org.

DDNS configuration example with PeanutHull server

Network requirements

As shown in Figure 57, the router is a Web server with domain name whatever.gicp.cn. The router acquires the IP address through DHCP. Through the PeanutHull server, the router informs the DNS server of the latest mapping between its domain name and IP address. The router uses the DNS server to translate www.oray.cn into its IP address.

Figure 57 Network diagram

Configuration procedure

Before configuring DDNS on the router, perform the following tasks:
• Register with username steven and password nevets at http://www.oray.cn/.


• Add the domain name whatever.gicp.cn at http://www.oray.cn/.
• Add the router's host name-to-IP address mapping to the DNS server.
• Make sure the devices can reach each other.

# Create a DDNS policy named oray.cn and enter its view.
<Router> system-view
[Router] ddns policy oray.cn

# Specify for DDNS update requests the URL address with the login ID steven and plaintext password nevets.
[Router-ddns-policy-oray.cn] url oray://phservice2.oray.net
[Router-ddns-policy-oray.cn] username steven
[Router-ddns-policy-oray.cn] password simple nevets

# Set the DDNS update request interval to 12 minutes.
[Router-ddns-policy-oray.cn] interval 0 0 12
[Router-ddns-policy-oray.cn] quit

# Specify the IP address of the DNS server as 1.1.1.1.
[Router] dns server 1.1.1.1

# Apply the DDNS policy to GigabitEthernet 2/0/1 to enable DDNS update. The mapping between whatever.gicp.cn and the primary IP address of GigabitEthernet 2/0/1 will be dynamically updated.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ddns apply policy oray.cn fqdn whatever.gicp.cn

After the configuration is completed, the router notifies the DNS server of its new domain name-to-IP address mapping through the PeanutHull server, whenever its IP address changes. Therefore, the router can always provide Web service at whatever.gicp.cn.
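The following Python sketch is an added example, not HPE code. It parses a constructed listing of the DDNS commands used in this chapter and checks each applied policy against the rules stated above: the <h>/<a> substitution, the default ports 80, 443 and 6060, the PeanutHull FQDN behavior, and credentials carried in an http:// URL. The listing layout, the finding names and the address 192.0.2.10 are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Default ports stated in this guide; it gives none for ods:// or gnudip://.
DEFAULT_PORTS = {"http": 80, "https": 443, "oray": 6060}
KNOWN_PREFIXES = {"http", "https", "ods", "gnudip", "oray"}

# Constructed sample: the commands from this chapter's examples, without prompts.
# The layout is an assumption and is not device output.
SAMPLE_COMMANDS = """
ddns policy 3322.org
 url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
 username steven
 password simple nevets
 interval 0 0 15
ddns policy oray.cn
 url oray://phservice2.oray.net
 username steven
 password simple nevets
interface gigabitethernet 2/0/1
 ddns apply policy 3322.org fqdn whatever.3322.org
interface gigabitethernet 2/0/2
 ddns apply policy oray.cn
"""


def parse_commands(text):
    """Collect DDNS policies and the interfaces they are applied to."""
    policies, applies = {}, []
    policy, iface = None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[:2] == ["ddns", "policy"] and len(words) >= 3:
            policy, iface = policies.setdefault(words[2], {}), None
        elif words[0] == "interface":
            policy, iface = None, " ".join(words[1:])
        elif policy is not None and words[0] in ("url", "username") and len(words) >= 2:
            policy[words[0]] = words[1]
        elif policy is not None and words[0] == "password" and len(words) >= 2:
            policy["password_form"] = words[1]  # cipher or simple; the secret is not kept
        elif iface and words[:3] == ["ddns", "apply", "policy"] and len(words) >= 4:
            fqdn = words[5] if len(words) >= 6 and words[4] == "fqdn" else None
            applies.append({"interface": iface, "policy": words[3], "fqdn": fqdn})
    return policies, applies


def expand_url(template, fqdn, primary_ip):
    """Fill <h> with the applied FQDN and <a> with the interface's primary IP address."""
    return template.replace("<h>", fqdn or "<h>").replace("<a>", primary_ip)


def audit(text, primary_ip="192.0.2.10"):
    """Return one report entry per 'ddns apply policy' line."""
    policies, applies = parse_commands(text)
    report = []
    for app in applies:
        pol = policies.get(app["policy"])
        if pol is None or "url" not in pol:
            report.append({**app, "url": None, "port": None,
                           "findings": ["policy-or-url-missing"]})
            continue
        parts = urlsplit(pol["url"])
        scheme = parts.scheme.lower()
        findings = []
        if scheme not in KNOWN_PREFIXES:
            findings.append("unknown-url-prefix")
        # username/password are carried in the update request; http:// is unencrypted.
        if scheme == "http" and ("username" in pol or "password_form" in pol):
            findings.append("credentials-over-cleartext-http")
        # The guide describes 'password simple' as the plaintext form.
        if pol.get("password_form") == "simple":
            findings.append("password-simple-form")
        if scheme == "oray":
            # No FQDN or IP address may appear in a PeanutHull URL.
            if "<h>" in pol["url"] or "<a>" in pol["url"]:
                findings.append("peanuthull-url-carries-fqdn-or-ip")
            # Without an FQDN the server updates every name of the account.
            if app["fqdn"] is None:
                findings.append("updates-all-domain-names-of-account")
        elif app["fqdn"] is None:
            findings.append("fqdn-required")
        report.append({**app,
                       "url": expand_url(pol["url"], app["fqdn"], primary_ip),
                       "port": parts.port or DEFAULT_PORTS.get(scheme),
                       "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_COMMANDS):
        print(entry["interface"], entry["port"], entry["url"], entry["findings"])
```
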


Configuring NAT

Overview

Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server.

Figure 58 NAT operation

As shown in Figure 58:

1. Upon receiving a request from the host to the server, NAT translates the private source address 192.168.1.3 to the public address 20.1.1.1 and forwards the NATed packet. NAT adds a mapping for the two addresses to its NAT table.

2. Upon receiving a response from the server, NAT translates the destination public address to the private address, and forwards the packet to the host.

The NAT operation is transparent to the terminals. NAT hides the private network from the external users and shows that the IP address of the internal host is 20.1.1.1.

Terminology

The following describes NAT terminologies:
• NAT device—A device configured with NAT.
• NAT interface—An interface enabled with NAT.
• NAT entry—Stores the mapping between a private address and a public address. For more information, see "NAT entries."
• Easy IP—Uses the IP address of an interface as the public address. The IP address of the interface is obtained through DHCP or PPPoE.

NAT types

Traditional NAT

Traditional NAT applies to the interface connected to the public network. It translates the source IP addresses of outgoing packets and destination IP addresses of incoming packets.

[Figure 58 labels: Host 192.168.1.3 (Intranet), NAT device (192.168.1.1 / 20.1.1.1), Server 1.1.1.2 (Internet). Request: Src 192.168.1.3, Dst 1.1.1.2 becomes Src 20.1.1.1, Dst 1.1.1.2. Response: Src 1.1.1.2, Dst 20.1.1.1 becomes Src 1.1.1.2, Dst 192.168.1.3. Outbound: before NAT 192.168.1.3, after NAT 20.1.1.1. Inbound: before NAT 20.1.1.1, after NAT 192.168.1.3.]


Bidirectional NAT

NAT translates the source and destination IP addresses of incoming packets on the receiving interface and outgoing packets on the sending interface.

Bidirectional NAT is applied when source and destination addresses overlap.

Twice NAT

Twice NAT translates the destination IP address on the receiving interface, and the source IP address on the sending interface. The receiving and sending interfaces are both NAT interfaces.

Twice NAT allows VPNs with overlapping addresses to access each other.

NAT hairpin

NAT hairpin allows internal hosts to access each other through NAT. The source and destination IP address of the packets are translated on the interface connected to the internal network.

NAT hairpin includes P2P and C/S modes:
• P2P—Allows internal hosts to access each other through NAT.
• C/S—Allows internal hosts to access internal servers through NAT.

NAT control

You can use ACLs to implement NAT control. The match criteria in the ACLs include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance. Only packets permitted by an ACL are processed by NAT.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

NAT implementations

Static NAT

Static NAT creates a fixed mapping between a private address and a public address. Static NAT allows bidirectional connection initiation, both from and to the internal host. Static NAT applies to regular communications.

Dynamic NAT

Dynamic NAT uses an address pool to translate addresses. Dynamic NAT includes Not Port Address Translation (NO-PAT) and Port Address Translation (PAT) modes.


NO-PAT

NO-PAT translates a private address to a public address. The public address cannot be used by another internal host until it is released.

NO-PAT supports all IP packets.

PAT

PAT translates multiple private addresses to a single public address by mapping the private address and source port to the public address and a unique port. PAT supports TCP and UDP packets, and ICMP request packets.

Figure 59 PAT operation

As shown in Figure 59, PAT translates the source IP addresses of the three packets to the same public address and translates their port numbers to different port numbers. Upon receiving a response, PAT translates the destination address and port number of the response, and forwards it to the target host.

PAT supports the following mappings:

• Endpoint-Independent Mapping—Uses the same IP and port mapping (EIM entry) for packets from the same source IP and port to any destination. EIM allows external hosts to initiate connections to the translated IP addresses and ports of internal hosts. It allows internal hosts behind different NAT gateways to access each other.

• Address and Port-Dependent Mapping—Uses different IP and port mappings for packets from the same source IP and port to different destination IP addresses and ports. APDM allows an external host to initiate connections to an internal host only under the condition that the internal host has previously accessed the external host. It is secure, but it does not allow internal hosts behind different NAT gateways to access each other.

NAT Server

The NAT Server feature maps a public address and port number to the private IP address and port number of an internal server. This feature allows servers in the private network to provide services for external users.


Figure 60 NAT Server operation

Figure 60 displays how NAT Server works:

1. Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server.

2. Upon receiving a response from the server, NAT translates the private source IP address and port number to the public IP address and port number.

DS-Lite NAT444

DS-Lite combines tunneling and NAT to allow an IPv4 private network to access the IPv4 public network over an IPv6 network. For more information about DS-Lite, see "Configuring tunneling."

DS-Lite NAT444 is configured on the AFTR and performs dynamic NAT444 based on the B4 element. The B4 element refers to a B4 router or a DS-Lite host. DS-Lite NAT444 dynamically maps a public IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network.

DS-Lite NAT444 supports user tracing for DS-Lite hosts based on the port block.

Figure 61 DS-Lite NAT444

NAT entries

NAT session entry

NAT creates a NAT session entry for a session and creates an address mapping for the first packet in the session.

A NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry.

[Figure 60 labels: Server 192.168.1.3 (Intranet), NAT device (192.168.1.1 / 20.1.1.1), Host 20.1.1.2 (Internet). Request: Dst 20.1.1.1:8080 becomes Dst 192.168.1.3:8080. Response: Src 192.168.1.3:8080 becomes Src 20.1.1.1:8080. Inbound: before NAT 20.1.1.1:8080, after NAT 192.168.1.3:8080.]

[Figure 61 labels: DS-Lite host, B4, DS-Lite tunnel, IPv6 network, AFTR, NAT gateway, IPv4 network, Host, Log server, Application server]


The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide.

EIM entry

An EIM entry maps a private address/port to a public address/port. The same EIM entry applies to subsequent connections originating from the same source IP and port.

An EIM entry ages out after all related NAT session entries age out.

NO-PAT entry

A NO-PAT entry maps a private address to a public address. The same mapping applies to subsequent connections originating from the same source IP.

A NO-PAT entry can also be created during the ALG process for NAT. For information about NAT with ALG, see "NAT with ALG."

A NO-PAT entry ages out after all related NAT session entries age out.

Using NAT with other features

VRF-aware NAT

The following matrix shows the feature and hardware compatibility:

Hardware                                 VRF-aware NAT compatibility
MSR954(JH296A/JH297A/JH298A/JH299A)      No
MSR1002-4/1003-8S                        Yes
MSR2003                                  Yes
MSR2004-24/2004-48                       Yes
MSR3012/3024/3044/3064                   Yes
MSR4060/4080                             Yes

VRF-aware NAT allows users from different VRFs (VPN instances) to access external networks and to access each other.
1. Upon receiving a request from a user in a VRF to an external network, NAT performs the following tasks:
   • Translates the private source IP address and port number to a public IP address and port number.
   • Records the VRF information, such as the VRF name.
2. When a response packet arrives, NAT performs the following tasks:
   • Translates the destination public IP address and port number to the private IP address and port number.
   • Forwards the packet to the target VRF.


NAT with DNS mapping

NAT with DNS mapping allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network.

NAT with DNS mapping must operate with the NAT Server feature.

Figure 62 NAT with DNS mapping

As shown in Figure 62, NAT with DNS mapping works as follows:

1. The host sends a DNS request containing the domain name of the internal Web server.

2. Upon receiving the DNS response, the NAT device performs a DNS mapping lookup by using the domain name in the response. A DNS mapping for NAT maps the domain name to the public IP address, public port number, and the protocol type for the internal server.

3. If a match is found, NAT continues to compare the public address, public port number, and the protocol type with the NAT Server configuration. The NAT Server configuration maps the public IP address and port number to the private IP address and port number for the internal server.

4. If a match is found, NAT translates the public IP address in the response into the private IP address of the Web server.

5. The internal host receives the DNS response, and obtains the private IP address of the Web server.

DNS mapping can also be used by DNS ALG. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses. DNS ALG might find an incorrect internal server by using only the public IP address. If a DNS mapping is configured, DNS ALG can obtain the public IP address, public port number, and protocol type of the internal server by using the domain name. Then it can find the correct internal server by using the public IP address, public port number, and protocol type of the internal server.
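The two-stage lookup described above, as an added Python model (not HPE code). The addresses, domain names and the "first entry with that public IP wins" behavior of the IP-only lookup are constructed assumptions used to show why the DNS mapping is needed when two internal servers share one public address.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NatServer:
    """One NAT Server mapping on the NAT interface."""
    protocol: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class DnsMap:
    """One DNS mapping for NAT: domain -> protocol, public IP, public port."""
    domain: str
    protocol: str
    global_ip: str
    global_port: int


# Constructed sample data: two internal servers share one public address.
NAT_SERVERS = [
    NatServer("tcp", "202.38.1.2", 21, "10.110.10.3", 21),  # FTP server
    NatServer("tcp", "202.38.1.2", 80, "10.110.10.2", 80),  # Web server
]
DNS_MAPS = [DnsMap("www.example.com", "tcp", "202.38.1.2", 80)]


def lookup_by_ip_only(public_ip, servers):
    """Without a DNS mapping only the public IP in the DNS payload is known.
    Assumption: the first NAT Server entry with that address is taken."""
    for server in servers:
        if server.global_ip == public_ip:
            return server
    return None


def lookup_with_dns_map(domain, servers, dns_maps):
    """Domain -> (protocol, public IP, public port), then an exact match
    of that triple against the NAT Server configuration."""
    name = domain.rstrip(".").lower()
    for mapping in dns_maps:
        if mapping.domain.lower() != name:
            continue
        wanted = (mapping.protocol, mapping.global_ip, mapping.global_port)
        for server in servers:
            if (server.protocol, server.global_ip, server.global_port) == wanted:
                return server
    return None


def rewrite_dns_answer(domain, answer_ip, servers, dns_maps):
    """Return the address the internal host should see in the DNS response."""
    server = lookup_with_dns_map(domain, servers, dns_maps)
    if server is None or server.global_ip != answer_ip:
        # No mapping, or the answer is for some other address: leave it alone.
        return answer_ip
    return server.local_ip


if __name__ == "__main__":
    print("IP-only lookup picks :", lookup_by_ip_only("202.38.1.2", NAT_SERVERS).local_ip)
    print("DNS-map lookup picks :",
          rewrite_dns_answer("www.example.com", "202.38.1.2", NAT_SERVERS, DNS_MAPS))
```
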

NAT with ALG

NAT with ALG translates address or port information in the application layer payloads to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT with ALG to translate the address and port information for data connection establishment.


NAT configuration task list

Tasks at a glance

Perform at least one of the following tasks:
• Configuring static NAT
• Configuring dynamic NAT
• Configuring NAT Server
• Configuring DS-Lite NAT444
Remarks: If you perform all the tasks on an interface, IPv6 packets are processed by DS-Lite NAT444, and IPv4 packets are compared against the following NAT rules in order for a match:
• NAT Server.
• Static NAT.
• Dynamic NAT.

Configuring NAT with DNS mapping
Remarks: N/A

(Optional.) Configuring NAT hairpin
Remarks: N/A

(Optional.) Configuring NAT with ALG
Remarks: N/A

(Optional.) Configuring NAT session logging
Remarks: N/A

Configuring static NAT

Static NAT includes one-to-one static NAT and net-to-net static NAT for outbound and inbound translation. Do not configure inbound static NAT alone. Typically, inbound static NAT functions with outbound dynamic NAT, NAT Server, or outbound static NAT to implement bidirectional NAT.

Configuration prerequisites

Perform the following tasks before configuring static NAT:
• Configure an ACL to identify the IP addresses to be translated. The match criteria include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance. For more information about ACLs, see ACL and QoS Configuration Guide.
• Manually add a route for inbound static NAT. Use local-ip or local-network as the destination address, and use global-ip, an address in global-network, or the next hop directly connected to the output interface as the next hop.

Configuring outbound one-to-one static NAT

For address translation from a private IP address to a public IP address, configure outbound one-to-one static NAT on the interface connected to the external network.
• When the source IP address of a packet from the private network matches the local-ip, the source IP address is translated into the global-ip.
• When the destination IP address of a packet from the public network matches the global-ip, the destination IP address is translated into the local-ip.

To configure outbound one-to-one static NAT:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a one-to-one mapping for outbound static NAT.
   Command: nat static outbound local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ] [ acl { acl-number | name acl-name } [ reversible ] ]
   Remarks: By default, no mappings exist. If you specify an ACL, NAT processes only packets matching the permit rule in the ACL.
3. Return to system view.
   Command: quit
   Remarks: N/A
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Enable static NAT on the interface.
   Command: nat static enable
   Remarks: By default, static NAT is disabled.

Configuring outbound net-to-net static NAT

For address translation from a private network to a public network, configure outbound net-to-net static NAT on the interface connected to the external network.
• When the source IP address of a packet from the private network matches the private address range, the source IP address is translated into a public address in the public address range.
• When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range.

To configure outbound net-to-net static NAT:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a net-to-net mapping for outbound static NAT.
   Command: nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-name ] global global-network { mask-length | mask } [ vpn-instance global-name ] [ acl { acl-number | name acl-name } [ reversible ] ]
   Remarks: By default, no mappings exist. If you specify an ACL, NAT processes only packets matching the permit rule in the ACL.
3. Return to system view.
   Command: quit
   Remarks: N/A
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Enable static NAT on the interface.
   Command: nat static enable
   Remarks: By default, static NAT is disabled.

Configuring inbound one-to-one static NAT

For address translation from a public IP address to a private IP address, configure inbound one-to-one static NAT.
• When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip.
• When the destination IP address of a packet from the private network to the public network matches the local-ip, the destination IP address is translated into the global-ip.

To configure inbound one-to-one static NAT:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a one-to-one mapping for inbound static NAT.
   Command: nat static inbound global-ip [ vpn-instance global-name ] local-ip [ vpn-instance local-name ] [ acl { acl-number | name acl-name } [ reversible ] ]
   Remarks: By default, no mappings exist. If you specify an ACL, NAT processes only packets matching the permit rule in the ACL.
3. Return to system view.
   Command: quit
   Remarks: N/A
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Enable static NAT on the interface.
   Command: nat static enable
   Remarks: By default, static NAT is disabled.

Configuring inbound net-to-net static NAT

For address translation from a public network to a private network, configure inbound net-to-net static NAT.
• When the source IP address of a packet from the public network matches the public address range, the source IP address is translated into a private address in the private address range.
• When the destination IP address of a packet from the private network matches the private address range, the destination IP address is translated into a public address in the public address range.

To configure inbound net-to-net static NAT:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a net-to-net mapping for inbound static NAT.
   Command: nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-name ] local local-network { mask-length | mask } [ vpn-instance local-name ] [ acl { acl-number | name acl-name } [ reversible ] ]
   Remarks: By default, no mappings exist. If you specify an ACL, NAT processes only packets matching the permit rule in the ACL.
3. Return to system view.
   Command: quit
   Remarks: N/A
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Enable static NAT on the interface.
   Command: nat static enable
   Remarks: By default, static NAT is disabled.

Configuring dynamic NAT

Dynamic NAT translates a group of private IP addresses into a smaller number of public addresses. You can specify an address group (or the IP address of an interface) and an ACL to implement dynamic NAT.


Configuration restrictions and guidelines

When you configure dynamic NAT, follow these restrictions and guidelines:
• You can configure multiple inbound or outbound dynamic NAT rules.
• A NAT rule with an ACL takes precedence over a rule without any ACL.
• The priority for the ACL-based dynamic NAT rules depends on ACL number. A higher ACL number represents a higher priority.
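The priority guidelines above decide which dynamic NAT rule a source address hits, which is easy to misjudge when a broad ACL carries the higher number. This added Python model (not HPE code) applies them and flags rules that can never be selected; the rule names, ACL numbers and networks are constructed, and each ACL is reduced to its permitted source networks, which is an assumption because real ACLs match on more fields.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class DynamicNatRule:
    name: str                      # hypothetical label used only for reporting
    acl_number: Optional[int]      # None means the rule has no ACL
    permit_sources: tuple = ()     # source networks the ACL permits (simplified)
    address_group: int = 0


def by_priority(rules):
    """ACL-based rules first, higher ACL number first; rules without an ACL last."""
    return sorted(rules, key=lambda r: (r.acl_number is None, -(r.acl_number or 0)))


def matches(rule, src):
    """A rule without an ACL matches everything; otherwise check the permit list."""
    if rule.acl_number is None:
        return True
    return any(ip_address(src) in ip_network(net) for net in rule.permit_sources)


def select_rule(rules, src):
    """Return the rule that translates a packet from src, or None."""
    for rule in by_priority(rules):
        if matches(rule, src):
            return rule
    return None


def shadowed_rules(rules):
    """Names of ACL-based rules whose every permitted network sits inside a single
    network of a higher-priority rule. Conservative: coverage by a union of
    several smaller networks is not detected."""
    ordered = by_priority(rules)
    shadowed = []
    for index, rule in enumerate(ordered):
        if rule.acl_number is None or not rule.permit_sources:
            continue
        higher = [ip_network(net)
                  for earlier in ordered[:index] if earlier.acl_number is not None
                  for net in earlier.permit_sources]
        own = [ip_network(net) for net in rule.permit_sources]
        if all(any(net.subnet_of(cover) for cover in higher) for net in own):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample configuration.
RULES = [
    DynamicNatRule("branch", 2000, ("192.168.1.0/24",), address_group=0),
    DynamicNatRule("all-private", 2999, ("192.168.0.0/16",), address_group=1),
    DynamicNatRule("default", None, (), address_group=2),
]

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.7.1", "10.0.0.5"):
        print(src, "->", select_rule(RULES, src).name)
    print("never selected:", shadowed_rules(RULES))
```
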

Configuration prerequisites

Perform the following tasks before configuring dynamic NAT:
• Configure an ACL to identify the IP addresses to be translated. The match criteria include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance. For more information about ACLs, see ACL and QoS Configuration Guide.
• Determine whether to enable the Easy IP function. If you use the IP address of an interface as the public address, you are configuring Easy IP.
• Determine a public IP address pool for address translation.
• Determine whether to translate port numbers. Use NO-PAT to translate only IP addresses and PAT to translate both IP addresses and port numbers.

Configuring outbound dynamic NAT

To translate private IP addresses into public IP addresses, configure outbound dynamic NAT on the interface connected to the external network.

The source IP addresses of the outgoing packets that match the ACL permit rule are translated into IP addresses in the address group.

The reversible keyword enables the device to perform the following operations:
• Compare the destination IP address in the first packet from the public network with existing NO-PAT entries.
• Translate the destination address into the private address in a matching NO-PAT entry.

To configure outbound dynamic NAT:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an address group and enter its view.
   Command: nat address-group group-number
   Remarks: By default, no address group exists.
3. Add an address range to the address group.
   Command: address start-address end-address
   Remarks: By default, no address range exists. You can add multiple address ranges to an address group. The address ranges must not overlap.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Configure outbound dynamic NAT.
   Command:
   • Configure NO-PAT: nat outbound [ acl-number | name acl-name ] address-group group-number [ vpn-instance vpn-instance-name ] no-pat [ reversible ]
   • Configure PAT: nat outbound [ acl-number | name acl-name ] [ address-group group-number ] [ vpn-instance vpn-instance-name ] [ port-preserved ]
   Remarks: By default, outbound dynamic NAT is not configured. You can configure multiple outbound dynamic NAT rules on an interface.
7. Return to system view.
   Command: quit
   Remarks: N/A
8. (Optional.) Configure a PAT mapping mode.
   Command: nat mapping-behavior endpoint-independent [ acl { acl-number | name acl-name } ]
   Remarks: The default mapping mode is Address and Port-Dependent Mapping. This command takes effect only on outbound dynamic NAT for PAT.
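The difference between the default Address and Port-Dependent Mapping and the endpoint-independent mode, together with the EIM aging rule from "NAT entries" (an EIM entry ages out only after all related sessions age out), shown as an added Python model that is not HPE code. Sequential port allocation, the class name and all addresses are constructed assumptions.

```python
from itertools import count


class PatModel:
    """Toy PAT translator. Ports are handed out sequentially (a simplification)."""

    def __init__(self, public_ip, endpoint_independent, first_port=1024):
        self.public_ip = public_ip
        self.endpoint_independent = endpoint_independent
        self._next_port = count(first_port)
        self.mappings = {}   # mapping key -> (public ip, public port)
        self.sessions = {}   # (src, dst) -> mapping key used by that session

    def _mapping_key(self, src, dst):
        # EIM: keyed on the private source only, so every destination reuses it.
        # Address and Port-Dependent Mapping: the destination is part of the key.
        return (src,) if self.endpoint_independent else (src, dst)

    def open_session(self, src, dst):
        """src and dst are (ip, port) tuples; returns the translated source."""
        key = self._mapping_key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, next(self._next_port))
        self.sessions[(src, dst)] = key
        return self.mappings[key]

    def age_out(self, src, dst):
        """Drop one session; the mapping goes only when no session still uses it."""
        key = self.sessions.pop((src, dst))
        if key not in self.sessions.values():
            del self.mappings[key]


def compare_modes():
    """One internal endpoint opens sessions to two destinations in each mode.
    Returns, per mode: (public ports used, mappings left after the first
    session ages out, mappings left after the second ages out)."""
    host = ("192.168.1.10", 5000)
    destinations = [("198.51.100.1", 53), ("203.0.113.9", 443)]
    result = {}
    for label, eim in (("endpoint-independent", True),
                       ("address-and-port-dependent", False)):
        nat = PatModel("202.38.1.2", eim)
        ports = [nat.open_session(host, dst)[1] for dst in destinations]
        nat.age_out(host, destinations[0])
        left_after_first = len(nat.mappings)
        nat.age_out(host, destinations[1])
        result[label] = (ports, left_after_first, len(nat.mappings))
    return result


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
```

With EIM a single public port carries every session of the internal endpoint, so attributing a logged public address and port to a host also depends on how long that entry stayed alive.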

Configuring inbound dynamic NAT

Inbound dynamic NAT enables translation from public IP addresses to private IP addresses. Do not configure it alone. Typically, inbound dynamic NAT functions with outbound dynamic NAT, NAT Server, or outbound static NAT to implement bidirectional NAT.

The source IP address of a received packet that is permitted by the ACL is translated into a public address in the address group.

The add-route keyword enables the device to automatically add a route destined for the private address when an inbound dynamic NAT rule is matched. The output interface is the NAT interface, and the next hop is the source address before translation. If you do not specify this keyword, you must manually add the route. As a best practice, create a route manually because it takes time to automatically add routes.

The reversible keyword enables the device to perform the following operations:
• Compare the destination IP address in the first packet from the private network with existing NO-PAT entries.
• Translate the destination address into the public address in a matching NO-PAT entry.

Inbound dynamic NAT does not support Easy IP.

To configure inbound dynamic NAT:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an address group and enter its view.
   Command: nat address-group group-number
   Remarks: By default, no address group exists.
3. Add an address range to the address group.
   Command: address start-address end-address
   Remarks: By default, no address range exists. You can add multiple address ranges to an address group. The address ranges must not overlap.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Configure inbound dynamic NAT.
   Command: nat inbound { acl-number | name acl-name } address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat [ reversible ] [ add-route ] ]
   Remarks: By default, inbound dynamic NAT is not configured. You can configure multiple inbound dynamic NAT rules on an interface.

Configuring NAT Server

To configure NAT Server, map a public IP address and port number to the private IP address and port number of an internal server on the interface connected to the external network.

An internal server can be located in a common private network or a VPN instance. The NAT Server feature supports VRF-aware NAT for external users to access the servers in a VPN instance. For example, to enable a host at 10.110.1.1 in VPN 1 to provide Web services for Internet users, configure NAT Server to use 202.110.10.20 as the public IP address of the Web server.

If you specify the acl keyword for the common NAT Server or load sharing NAT Server configuration, only packets matching the ACL permit rule are translated. The match criteria include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, and VPN instance.

Configuring common NAT Server

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure one or more common NAT Server mappings.
   Command:
   • A single public address with a single or no public port: nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ] [ acl { acl-number | name acl-name } ]
   • A single public address with consecutive public ports: nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-name ] [ acl { acl-number | name acl-name } ]
   • Consecutive public addresses with a single or no public port: nat server protocol pro-type global global-address1 global-address2 [ global-port ] [ vpn-instance global-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-name ] [ acl { acl-number | name acl-name } ]
   • Consecutive public addresses with a single public port: nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-name ] inside local-address local-port1 local-port2 [ vpn-instance local-name ] [ acl { acl-number | name acl-name } ]
   Remarks: By default, no NAT Server mapping exists. You can configure multiple NAT Server mappings on an interface.

Configuring load sharing NAT Server

You can add multiple internal servers to an internal server group so that these servers provide the same service for external hosts. The NAT device chooses one internal server based on the weight and number of connections of the servers to respond to a request from an external host to the public address of the internal server group.

To configure load sharing NAT Server:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a NAT Server group and enter its view.
   Command: nat server-group group-number
   Remarks: By default, no NAT Server group exists.
3. Add an internal server into the group.
   Command: inside ip inside-ip port port-number [ weight weight-value ]
   Remarks: By default, no internal server is in the group. You can add multiple internal servers to a group.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Configure load sharing NAT Server.
   Command: nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-name ] inside server-group group-number [ vpn-instance local-name ] [ acl { acl-number | name acl-name } ]
   Remarks: By default, no load sharing NAT Server mapping exists. You can configure multiple load sharing NAT Server mappings on an interface.

Configuring ACL-based NAT Server

ACL-based NAT Server is an extension of common NAT Server. Common NAT Server maps the private IP address of the internal server to a single public IP address. ACL-based NAT Server maps the private IP address of the internal server to a set of public IP addresses defined by an ACL. If the packet's destination IP address matches a permit rule, it is translated into the private IP address of the internal server.

To configure ACL-based NAT Server:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure ACL-based NAT Server.
   Command: nat server global { global-acl-number | name global-acl-name } inside local-address [ local-port ] [ vpn-instance local-name ]
   Remarks: By default, no ACL-based NAT Server mapping exists. You can configure multiple NAT Server mappings on an interface.

Configuring DS-Lite NAT444

DS-Lite NAT444 is configured on the AFTR's interface connected to the external network. DS-Lite NAT444 supports only dynamic NAT444. DS-Lite NAT444 uses an IPv6 ACL to identify packets to be NATed.

To configure DS-Lite NAT444:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a NAT address group, and enter its view.
   Command: nat address-group group-number
   Remarks: By default, no NAT address group exists.
3. Add a public IP address range to the NAT address group.
   Command: address start-address end-address
   Remarks: By default, no public IP address range exists in the NAT address group. You can add multiple public IP address ranges to an address group, but they cannot overlap.
4. Configure the port range for the public IP addresses.
   Command: port-range start-port-number end-port-number
   Remarks: By default, the port range is 1 to 65535. The configuration takes effect only on PAT translation mode.
5. Configure port block parameters.
   Command: port-block block-size block-size [ extended-block-number extended-block-number ]
   Remarks: By default, no port block parameter exists. The configuration takes effect only on PAT translation mode.
6. Return to system view.
   Command: quit
   Remarks: N/A
7. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
8. Configure DS-Lite NAT444.
   Command: nat outbound ds-lite-b4 { ipv6-acl-number | name ipv6-acl-name } address-group group-number
   Remarks: By default, DS-Lite NAT444 is not configured.
9. Return to system view.
   Command: quit
   Remarks: N/A
10. (Optional.) Configure a PAT mapping mode.
    Command: nat mapping-behavior endpoint-independent [ acl { acl-number | name acl-name } ]
    Remarks: The default mapping mode is Address and Port-Dependent Mapping.

Configuring NAT with DNS mapping

NAT with DNS mapping must operate together with NAT Server and NAT with ALG.

To configure NAT with DNS mapping:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a DNS mapping for NAT.
   Command: nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port
   Remarks: By default, no DNS mapping for NAT exists. You can configure multiple DNS mappings for NAT.

Configuring NAT hairpin

Configure NAT hairpin on the interface connected to the internal network. NAT hairpin supports P2P mode and C/S mode.
• To configure the P2P mode, you must configure outbound PAT on the interface connected to the external network and enable the EIM mapping mode. Internal hosts first register their public addresses to an external server. Then, the hosts communicate with each other by using the registered IP addresses.
• In C/S mode, the destination IP address of the packet going to the internal server is translated by matching the NAT Server configuration. The source IP address is translated by matching the outbound dynamic or static NAT entries.

NAT hairpin typically operates with NAT Server, outbound dynamic NAT, or outbound static NAT. They must be configured on interfaces of the same interface card. Otherwise, NAT hairpin cannot function correctly.

To configure NAT hairpin:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable NAT hairpin.
   Command: nat hairpin enable
   Remarks: By default, NAT hairpin is disabled.

Configuring NAT with ALG

Configure NAT with ALG for a protocol to translate the IP addresses and port numbers in the payloads for application layer packets.

To configure NAT with ALG:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure NAT with ALG for a protocol or all protocols.
   Command: nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }
   Remarks: By default, NAT with ALG is enabled.

Configuring NAT session logging

NAT session logging records NAT session information, including translation information and access information.

A NAT device generates NAT session logs for the following events:
• NAT session establishment.
• NAT session removal. This event occurs when you add a configuration with a higher priority, remove a configuration, change ACLs, when a NAT session ages out, or when you manually delete a NAT session.
• Active NAT session logging.

To enable NAT session logging:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable NAT logging.
   Command: nat log enable [ acl acl-number ]
   Remarks: By default, NAT logging is disabled.
3. Enable NAT session logging.
   Command:
   • For NAT session establishment events: nat log flow-begin
   • For NAT session removal events: nat log flow-end
   • For active NAT flows: nat log flow-active time-value
   Remarks: By default, NAT session logging is disabled.

Displaying and maintaining NAT

Execute display commands in any view and reset commands in user view.

Task: Display all NAT configuration information.
Command: display nat all

Task: Display NAT address group information.
Command: display nat address-group [ group-number ]

Task: Display NAT with DNS mapping configuration.
Command: display nat dns-map

Task: Display information about NAT EIM entries (centralized devices in standalone mode).
Command: display nat eim

Task: Display information about NAT EIM entries (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display nat eim [ slot slot-number ]

Task: Display information about NAT EIM entries (distributed devices in IRF mode).
Command: display nat eim [ chassis chassis-number slot slot-number ]

Task: Display information about inbound dynamic NAT.
Command: display nat inbound

Task: Display NAT logging configuration.
Command: display nat log

Task: Display information about NAT NO-PAT entries (centralized devices in standalone mode).
Command: display nat no-pat

Task: Display information about NAT NO-PAT entries (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display nat no-pat [ slot slot-number ]

Task: Display information about NAT NO-PAT entries (distributed devices in IRF mode).
Command: display nat no-pat [ chassis chassis-number slot slot-number ]

Task: Display information about outbound dynamic NAT.
Command: display nat outbound

Task: Display NAT Server configuration.
Command: display nat server

Task: Display internal server group configuration.
Command: display nat server-group [ group-number ]

Task: Display sessions that have been NATed (centralized devices in standalone mode).
Command: display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-name ] ] [ verbose ]

Task: Display sessions that have been NATed (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-name ] ] [ slot slot-number ] [ verbose ]

Task: Display sessions that have been NATed (distributed devices in IRF mode).
Command: display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-name ] ] [ chassis chassis-number slot slot-number ] [ verbose ]

Task: Display static NAT mappings.
Command: display nat static

Task: Display NAT statistics (centralized devices in standalone mode).
Command: display nat statistics [ summary ]

Task: Display NAT statistics (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display nat statistics [ summary ] [ slot slot-number ]

Task: Display NAT statistics (distributed devices in IRF mode).
Command: display nat statistics [ summary ] [ chassis chassis-number slot slot-number ]

Task: Display NAT444 mappings (centralized devices in standalone mode).
Command: display nat port-block { dynamic [ ds-lite-b4 ] | static }

Task: Display NAT444 mappings (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display nat port-block { dynamic [ ds-lite-b4 ] | static } [ slot slot-number ]

Task: Display NAT444 mappings (distributed devices in IRF mode).
Command: display nat port-block { dynamic [ ds-lite-b4 ] | static } [ chassis chassis-number slot slot-number ]

Task: Clear NAT sessions (centralized devices in standalone mode).
Command: reset nat session

Task: Clear NAT sessions (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset nat session [ slot slot-number ]

Task: Clear NAT sessions (distributed devices in IRF mode).
Command: reset nat session [ chassis chassis-number slot slot-number ]

NAT configuration examples

Outbound one-to-one static NAT configuration example

Network requirements

Configure static NAT to allow the host at 10.110.10.8/24 to access the Internet.

Figure 63 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure a one-to-one static NAT mapping between the private address 10.110.10.8 and the public address 202.38.1.100.
<Router> system-view
[Router] nat static outbound 10.110.10.8 202.38.1.100

# Enable static NAT on GigabitEthernet 2/0/2.
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] nat static enable
[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that the host at 10.110.10.8/24 can access the server on the Internet. (Details not shown.)

# Display static NAT configuration.
[Router] display nat static
Static NAT mappings:
Totally 1 outbound static NAT mappings.
IP-to-IP:
Local IP : 10.110.10.8
Global IP : 202.38.1.100
Config status: Active
Global flow-table status: Active
Local flow-table status: Active
Interfaces enabled with static NAT:
Totally 1 interfaces enabled with static NAT.
Interface: GigabitEthernet2/0/2
Config status: Active

# Display NAT session information.
[Router] display nat session verbose
Initiator:
Source IP/port: 10.110.10.8/42496
Destination IP/port: 202.38.1.111/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet2/0/1
Responder:
Source IP/port: 202.38.1.111/42496
Destination IP/port: 202.38.1.100/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet2/0/2
State: ICMP_REPLY
Application: INVALID
Start time: 2012-08-16 09:30:49 TTL: 27s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 5 packets 420 bytes
Total sessions found: 1

Outbound dynamic NAT configuration example (non-overlapping addresses)

Network requirements

As shown in Figure 64, a company has a private address 192.168.0.0/16 and two public IP addresses 202.38.1.2 and 202.38.1.3. Configure outbound dynamic NAT to allow only internal users on subnet 192.168.1.0/24 to access the Internet.

Figure 64 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure address group 0, and add an address range from 202.38.1.2 to 202.38.1.3 to the group.

<Router> system-view

[Router] nat address-group 0

[Router-address-group-0] address 202.38.1.2 202.38.1.3

[Router-address-group-0] quit

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Enable outbound dynamic PAT on interface GigabitEthernet 2/0/2. The source IP addresses of the packets permitted by the ACL rule are translated into the addresses in address group 0.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 0

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that Host A can access the WWW server, while Host B cannot. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

Totally 1 NAT address groups.

Address group 0:

Port range: 1-65535

Address information:

Start address End address

202.38.1.2 202.38.1.3

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: 0 Port-preserved: N

NO-PAT: N Reversible: N

Config status: Active

Global flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Host A accesses the WWW server.

[Router] display nat session verbose

Initiator:

Source IP/port: 192.168.1.10/52992

Destination IP/port: 200.1.1.10/2048

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 200.1.1.10/4

Destination IP/port: 202.38.1.3/0

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/2

State: ICMP_REPLY

Application: INVALID

Start time: 2012-08-15 14:53:29 TTL: 12s

Initiator->Responder: 1 packets 84 bytes

Responder->Initiator: 1 packets 84 bytes

Total sessions found: 1

Outbound bidirectional NAT configuration example

Network requirements

As shown in Figure 65, the private network where the Web server resides overlaps with the company private network 192.168.1.0/24. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow internal users to access the external Web server by using the server's domain name.

Figure 65 Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

• Configure inbound dynamic NAT with ALG to make sure the internal host reaches the Web server instead of another internal host. NAT with ALG can translate the Web server's IP address in the DNS reply payload to a dynamically assigned public address.

• Configure outbound dynamic NAT to translate the source IP address of packets from an internal host to a dynamically assigned public address.

• Add a static route to the public IP address of the external Web server.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.2 to the group.

[Router-address-group-1] address 202.38.1.2 202.38.1.2

[Router-address-group-1] quit

# Create address group 2.

[Router] nat address-group 2

# Add address 202.38.1.3 to the group.

[Router-address-group-2] address 202.38.1.3 202.38.1.3

[Router-address-group-2] quit

# Enable inbound NO-PAT on interface GigabitEthernet 2/0/2 to translate the source IP address in the DNS reply payload into the address in address group 1, and allow reversible NAT.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat inbound 2000 address-group 1 no-pat reversible

# Enable outbound PAT on interface GigabitEthernet 2/0/2 to translate the source address of outgoing packets into the address in address group 2.

[Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 2

[Router-GigabitEthernet2/0/2] quit

# Configure a static route to 202.38.1.2 with GigabitEthernet 2/0/2 as the output interface and 20.2.2.2 as the next hop. (The next hop address varies by network.)

[Router] ip route-static 202.38.1.2 32 gigabitethernet 2/0/2 20.2.2.2

Verifying the configuration

# Verify that Host A can access the Web server by using its domain name. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

Totally 2 NAT address groups.

Address group 1:

Port range: 1-65535

Address information:

Start address End address

202.38.1.2 202.38.1.2

Address group 2:

Port range: 1-65535

Address information:

Start address End address

202.38.1.3 202.38.1.3

NAT inbound information:

Totally 1 NAT inbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: 1 Add route: N

NO-PAT: Y Reversible: Y

Config status: Active

Global flow-table status: Active

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: 2 Port-preserved: N

NO-PAT: N Reversible: N

Config status: Active

Global flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Host A accesses the Web server.

[Router] display nat session verbose

Initiator:

Source IP/port: 192.168.1.10/1694

Destination IP/port: 202.38.1.2/8080

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 192.168.1.10/8080

Destination IP/port: 202.38.1.3/1025

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

State: TCP_ESTABLISHED

Application: HTTP

Start time: 2012-08-15 14:53:29 TTL: 3597s

Initiator->Responder: 7 packets 308 bytes

Responder->Initiator: 5 packets 312 bytes

Total sessions found: 1
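The Initiator and Responder tuples in a display nat session verbose entry are enough to recover what NAT changed: the responder replies to the translated source and from the translated destination. The Python below is an added example, not HPE code; it parses an abridged copy of the session above and maps a public address/port back to the internal endpoint that used it. The function names are hypothetical.

```python
# Constructed sample: the session entry printed above for the outbound
# bidirectional NAT example, abridged, re-indented, page break removed.
SAMPLE = """\
Initiator:
  Source IP/port: 192.168.1.10/1694
  Destination IP/port: 202.38.1.2/8080
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/1
Responder:
  Source IP/port: 192.168.1.10/8080
  Destination IP/port: 202.38.1.3/1025
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/2
State: TCP_ESTABLISHED
Application: HTTP
Start time: 2012-08-15 14:53:29  TTL: 3597s
Total sessions found: 1
"""


def parse_sessions(text):
    """Split 'display nat session verbose' output into per-session dicts."""
    sessions, current, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":
            current = {"initiator": {}, "responder": {}, "meta": {}}
            sessions.append(current)
            side = "initiator"
        elif line == "Responder:" and current is not None:
            side = "responder"
        elif current is None or ":" not in line or line.startswith("Total sessions"):
            continue
        else:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "State":        # State onwards describes the whole session
                side = "meta"
            if key == "Start time":   # e.g. "2012-08-15 14:53:29 TTL: 3597s"
                value, _, ttl = value.partition("TTL:")
                value, current["meta"]["TTL"] = value.strip(), ttl.strip()
            current[side][key] = value
    return sessions


def translations(session):
    """Return {'snat': (before, after) or None, 'dnat': (before, after) or None}."""
    ini, rsp = session["initiator"], session["responder"]
    with_ports = ini.get("Protocol", "").startswith(("TCP", "UDP"))

    def differs(before, after):
        # Assumption from the sample output: for ICMP the "port" columns are
        # not TCP/UDP ports, so only the addresses are compared.
        if with_ports:
            return before != after
        return before.split("/")[0] != after.split("/")[0]

    pairs = {
        # The responder replies to the translated source ...
        "snat": (ini.get("Source IP/port", ""), rsp.get("Destination IP/port", "")),
        # ... and replies from the real (translated) destination.
        "dnat": (ini.get("Destination IP/port", ""), rsp.get("Source IP/port", "")),
    }
    return {k: (v if all(v) and differs(*v) else None) for k, v in pairs.items()}


def internal_owner(sessions, public_endpoint):
    """Find which internal 'ip/port' was translated to public_endpoint, and when."""
    for s in sessions:
        snat = translations(s)["snat"]
        if snat and snat[1] == public_endpoint:
            return snat[0], s["meta"].get("Start time")
    return None


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE):
        print(translations(sess))
    print(internal_owner(parse_sessions(SAMPLE), "202.38.1.3/1025"))
```

The session table only answers this question while the entry is alive (see the TTL field); attribution after the fact needs NAT logging, which the display nat all output above shows as Disabled.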

NAT Server for external-to-internal access configuration example

Network requirements

As shown in Figure 66, two Web servers, one FTP server and one SMTP server are in the internal network to provide services for external users. The internal network address is 10.110.0.0/16. The company has three public IP addresses from 202.38.1.1/24 to 202.38.1.3/24.

Configure the NAT Server feature to allow the external user to access the internal servers with public address 202.38.1.1/24.

Figure 66 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enter interface view of GigabitEthernet 2/0/2.

<Router> system-view

[Router] interface gigabitethernet 2/0/2

# Configure NAT Server to allow external users to access the FTP server by using the address 202.38.1.1 and port 21.

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.1 21 inside 10.110.10.3 ftp

# Configure NAT Server to allow external users to access the Web server 1 by using the address 202.38.1.1 and port 80.

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http

# Configure NAT Server to allow external users to access the Web server 2 by using the address 202.38.1.1 and port 8080.

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.1 8080 inside 10.110.10.2 http

# Configure NAT Server to allow external users to access the SMTP server by using the address 202.38.1.1 and port number defined by SMTP.

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.1 smtp inside 10.110.10.4 smtp

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that the host on the external network can access the internal servers by using the public addresses. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT internal server information:

Totally 4 internal servers.

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.1/21

Local IP/port : 10.110.10.3/21

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.1/25

Local IP/port : 10.110.10.4/25

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.1/80

Local IP/port : 10.110.10.1/80

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.1/8080

Local IP/port : 10.110.10.2/80

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Host accesses the FTP server.

[Router] display nat session verbose

Initiator:

Source IP/port: 202.38.1.10/1694

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

Responder:

Source IP/port: 10.110.10.3/21

Destination IP/port: 202.38.1.10/1694

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

State: TCP_ESTABLISHED

Application: FTP

Start time: 2012-08-15 14:53:29 TTL: 3597s

Initiator->Responder: 7 packets 308 bytes

Responder->Initiator: 5 packets 312 bytes

Total sessions found: 1
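Every NAT Server rule publishes an internal service, so the display nat all output doubles as an exposure inventory. The Python below is an added example, not HPE code: it parses an abridged copy of the output above, lists each global-to-local mapping, reports whether NAT logging is on, and lists enabled ALGs that are not on an operator-supplied allow-list. The function names and the needed_algs parameter are hypothetical.

```python
import re

# Constructed sample: abridged from the display nat all output above
# (two of the four internal servers, three logging lines, four ALG lines).
SAMPLE = """\
NAT internal server information:
  Totally 2 internal servers.
  Interface: GigabitEthernet2/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/21
    Local IP/port : 10.110.10.3/21
    Config status : Active
  Interface: GigabitEthernet2/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/8080
    Local IP/port : 10.110.10.2/80
    Config status : Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  SIP        : Enabled
"""


def parse_nat_all(text):
    """Group 'key : value' lines under their 'NAT ...:' section heading."""
    sections, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("NAT ") and line.endswith(":"):
            name = line[:-1]
            sections[name] = []
        elif name and ":" in line:
            key, _, value = line.partition(":")
            sections[name].append((key.strip(), value.strip()))
    return sections


def internal_servers(sections):
    """One dict per NAT Server mapping; each 'Interface' line starts a new one."""
    servers = []
    for key, value in sections.get("NAT internal server information", []):
        if key == "Interface":
            servers.append({"Interface": value})
        elif servers:
            servers[-1][key] = value
    return servers


def split_endpoint(endpoint):
    """'202.38.1.1/21' -> ('202.38.1.1', 21); port is None if not numeric."""
    ip, _, port = endpoint.partition("/")
    return ip, int(port) if port.isdigit() else None


def audit(text, needed_algs=frozenset()):
    """Summarise what the NAT configuration exposes and what it records."""
    sections = parse_nat_all(text)
    exposures = []
    for srv in internal_servers(sections):
        proto = re.search(r"\((\w+)\)", srv.get("Protocol", ""))
        g_ip, g_port = split_endpoint(srv.get("Global IP/port", ""))
        l_ip, l_port = split_endpoint(srv.get("Local IP/port", ""))
        exposures.append((proto.group(1) if proto else "?", g_ip, g_port,
                          l_ip, l_port, srv["Interface"]))
    logging = dict(sections.get("NAT logging", []))
    algs = dict(sections.get("NAT ALG", []))
    return {
        "exposures": exposures,
        "logging_enabled": logging.get("Log enable") == "Enabled",
        # needed_algs is the operator's own policy, not something the router reports.
        "unexpected_algs": sorted(a for a, state in algs.items()
                                  if state == "Enabled" and a not in needed_algs),
    }


if __name__ == "__main__":
    report = audit(SAMPLE, needed_algs={"DNS", "FTP"})
    for row in report["exposures"]:
        print("exposed:", row)
    print("NAT logging enabled:", report["logging_enabled"])
    print("ALGs outside the allow-list:", report["unexpected_algs"])
```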

NAT Server for external-to-internal access through domain name configuration example

Network requirements

As shown in Figure 67, a Web server at 10.110.10.2/24 in the internal network provides services for external users. A DNS server at 10.110.10.3/24 is used to resolve the domain name of the Web server. The company has two public IP addresses: 202.38.1.2 and 202.38.1.3.

Configure NAT Server to allow external users to access the internal Web server by using the domain name.

Figure 67 Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

• Configure NAT Server to map the private IP address and port of the DNS server to a public address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.

• Enable ALG for DNS and configure outbound dynamic NAT to translate the private IP address of the Web server in the payload of the DNS response packet into a public IP address.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from 10.110.10.2 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 10.110.10.2 0

[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.3 to the group.

[Router-address-group-1] address 202.38.1.3 202.38.1.3

[Router-address-group-1] quit

# Configure NAT Server on interface GigabitEthernet 2/0/2 to map the address 202.38.1.1 to 10.110.10.3. External users can access the internal DNS server.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 dns

# Enable outbound NO-PAT on interface GigabitEthernet 2/0/2. Use the address in address group 1 to translate the private address in DNS response payload, and allow reversible NAT.

[Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 1 no-pat reversible

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that the host on the external network can access the internal Web server by using the server's domain name. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

Totally 1 NAT address groups.

Address group 1:

Port range: 1-65535

Address information:

Start address End address

202.38.1.3 202.38.1.3

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: 1 Port-preserved: N

NO-PAT: Y Reversible: Y

Config status: Active

Global flow-table status: Active

NAT internal server information:

Totally 1 internal servers.

Interface: GigabitEthernet2/0/2

Protocol: 17(UDP)

Global IP/port: 202.38.1.2/53

Local IP/port : 10.110.10.3/53

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Host accesses the Web server.

[Router] display nat session verbose

Initiator:

Source IP/port: 202.1.1.2/1694

Destination IP/port: 202.38.1.3/8080

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

Responder:

Source IP/port: 10.110.10.2/8080

Destination IP/port: 202.1.1.2/1694

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

State: TCP_ESTABLISHED

Application: HTTP

Start time: 2012-08-15 14:53:29 TTL: 3597s

Initiator->Responder: 7 packets 308 bytes

Responder->Initiator: 5 packets 312 bytes

Total sessions found: 1

Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example

Network requirements

As shown in Figure 68, an intranet uses the subnet 192.168.1.0/24. The Web server at 192.168.1.2/24 provides Web services for external users and the DNS server at 192.168.1.3/24 resolves the domain name of the Web server. The company has 3 public addresses 202.38.1.2, 202.38.1.3, and 202.38.1.4.

Configure NAT to allow the external host at 192.168.1.2 to use the domain name to access the internal Web server.

Figure 68 Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

• Configure NAT Server to map the private IP address and port of the DNS server to a public IP address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.

• Configure outbound dynamic NAT and enable ALG for DNS. The Web server's IP address is the same as the external host's IP address. NAT with ALG can translate the Web server's private address in the payload of the DNS response packet to a dynamically assigned public address.

• Configure inbound dynamic NAT. The external host's IP address is the same as the Web server's IP address. Inbound dynamic NAT can translate the external host's IP address into a dynamically assigned public address.

• Add a static route to the public IP address of the external host with GigabitEthernet 2/0/2 as the output interface.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Create address group 1.

[Router] nat address-group 1

# Add address 202.38.1.2 to the address group.

[Router-address-group-1] address 202.38.1.2 202.38.1.2

[Router-address-group-1] quit

# Create address group 2.

[Router] nat address-group 2

# Add address 202.38.1.3 to the address group.

[Router-address-group-2] address 202.38.1.3 202.38.1.3

[Router-address-group-2] quit

# Configure NAT Server on interface GigabitEthernet 2/0/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat server protocol udp global 202.38.1.4 inside 192.168.1.3 dns

# Enable outbound NO-PAT on interface GigabitEthernet 2/0/2 to translate the IP address of the Web server in the DNS response payload into the address in address group 1, and allow reversible NAT.

[Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 1 no-pat reversible

# Enable inbound PAT on interface GigabitEthernet 2/0/2 to translate the source address of packets going to the internal network to the address in address group 2.

[Router-GigabitEthernet2/0/2] nat inbound 2000 address-group 2

[Router-GigabitEthernet2/0/2] quit

# Configure a static route to 202.38.1.3 with GigabitEthernet 2/0/2 as the output interface and 20.2.2.2 as the next hop. (The next hop address varies by network.)

[Router] ip route-static 202.38.1.3 32 gigabitethernet 2/0/2 20.2.2.2

Verifying the configuration

# Verify that the host on the external network can use the domain name to access the internal Web server whose address is the same as the host's. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT address group information:

Totally 2 NAT address groups.

Address group 1:

Port range: 1-65535

Address information:

Start address End address

202.38.1.2 202.38.1.2

Address group 2:

Port range: 1-65535

Address information:

Start address End address

202.38.1.3 202.38.1.3

NAT inbound information:

Totally 1 NAT inbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: 2 Add route: N

NO-PAT: N Reversible: N

Config status: Active

Global flow-table status: Active

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: 1 Port-preserved: N

NO-PAT: Y Reversible: Y

Config status: Active

Global flow-table status: Active

NAT internal server information:

Totally 1 internal servers.

Interface: GigabitEthernet2/0/2

Protocol: 17(UDP)

Global IP/port: 202.38.1.4/53

Local IP/port : 200.1.1.3/53

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Host accesses the Web server.

[Router] display nat session verbose

Initiator:

Source IP/port: 192.168.1.2/1694

Destination IP/port: 202.38.1.2/8080

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

Responder:

Source IP/port: 192.168.1.2/8080

Destination IP/port: 202.38.1.3/1025

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

State: TCP_ESTABLISHED

Application: HTTP

Start time: 2012-08-15 14:53:29 TTL: 3597s

Initiator->Responder: 7 packets 308 bytes

Responder->Initiator: 5 packets 312 bytes

Total sessions found: 1

NAT hairpin in C/S mode configuration example

Network requirements

As shown in Figure 69, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses 202.38.1.1 and 202.38.1.2.

Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.

Figure 69 Network diagram

Requirements analysis

To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.

To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks:

• Enable NAT hairpin on the interface connected to the internal network.

• Configure outbound NAT on the interface where NAT Server is configured. The destination address is translated by matching the NAT Server. The source address is translated by matching the outbound NAT.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated.

<Router> system-view

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Configure NAT Server on interface GigabitEthernet 2/0/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 ftp

# Enable outbound NAT with Easy IP on interface GigabitEthernet 2/0/2 so that NAT translates the source addresses of the packets from internal hosts into the IP address of interface GigabitEthernet 2/0/2.

[Router-GigabitEthernet2/0/2] nat outbound 2000

[Router-GigabitEthernet2/0/2] quit

# Enable NAT hairpin on interface GigabitEthernet 2/0/1.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] nat hairpin enable

[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that both internal and external hosts can access the internal FTP server through the public address. (Details not shown.)

(Figure 69 labels: Internet; Router GE2/0/1 192.168.1.1/24, GE2/0/2 202.38.1.1/24; Host A 192.168.1.2/24; Host B 192.168.1.3/24; FTP server 192.168.1.4/24.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: --- Port-preserved: N

NO-PAT: N Reversible: N

Config status: Active

Global flow-table status: Active

NAT internal server information:

Totally 1 internal servers.

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.2/21

Local IP/port : 192.168.1.4/21

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT hairpinning:

Totally 1 interfaces enabled with NAT hairpinning.

Interface: GigabitEthernet2/0/1

Config status: Active

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Host A accesses the FTP server.

[Router] display nat session verbose

Initiator:

Source IP/port: 192.168.1.2/1694

Destination IP/port: 202.38.1.2/21

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 192.168.1.4/21

Destination IP/port: 202.38.1.1/1025

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

State: TCP_ESTABLISHED

Application: HTTP

Start time: 2012-08-15 14:53:29 TTL: 3597s

Initiator->Responder: 7 packets 308 bytes

Responder->Initiator: 5 packets 312 bytes

Total sessions found: 1

NAT hairpin in P2P mode configuration example

Network requirements

In the P2P application, internal clients must register their IP address to the external server and the server records the registered IP addresses and port numbers of the internal clients. An internal client must request the IP address and port number of another client from the external server before accessing the client.

Configure NAT hairpin so that:

• The internal clients can register the same public address to the external server.

• The internal clients can access each other through the IP address and port number obtained from the server.

Figure 70 Network diagram

Requirements analysis

To meet the network requirements, you must perform the following tasks:

• Configure outbound dynamic PAT on the interface connected to the external network, so the internal clients can access the external server for registration.

• Configure the mapping behavior for PAT as Endpoint-Independent Mapping because the registered IP address and port number should be accessible for any source address.

• Enable NAT hairpin on the interface connected to the internal network so that internal clients can access each other through the public address.

Configuration procedure # Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated. <Router> system-view

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 2/0/2. The IP address of GigabitEthernet 2/0/2 is used as the public address for the source address translation of the packets from internal to external. [Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat outbound 2000

[Router-GigabitEthernet2/0/2] quit

# Configure the Endpoint-Independent Mapping mode for PAT. For packets with the same source address and port number and permitted by ACL 2000, the source address and port number are translated to the same public address and port number.

[Router] nat mapping-behavior endpoint-independent acl 2000

# Enable NAT hairpin on interface GigabitEthernet 2/0/1.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] nat hairpin enable

[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that Host A, Host B, and Host C can access each other after they register their IP addresses and port numbers to the external server. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/2

ACL: 2000 Address group: --- Port-preserved: N

NO-PAT: N Reversible: N

Config status: Active

Global flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT hairpinning:

Totally 1 interfaces enabled with NAT hairpinning.

Interface: GigabitEthernet2/0/1

Config status: Active

NAT mapping behavior:

Mapping mode : Endpoint-Independent

ACL : 2000

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Client A accesses Client B.

[Router] display nat session verbose

Initiator:

Source IP/port: 192.168.1.3/44929

Destination IP/port: 202.38.1.3/1

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: UDP(17)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 192.168.1.2/69

Destination IP/port: 202.38.1.3/1024

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: UDP(17)

Inbound interface: GigabitEthernet2/0/1

State: UDP_READY

Application: TFTP

Start time: 2012-08-15 15:53:36 TTL: 46s

Initiator->Responder: 1 packets 56 bytes

Responder->Initiator: 1 packets 72 bytes

Total sessions found: 1
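The following added example (not from the HPE guide) models why the requirements analysis pairs Endpoint-Independent Mapping with NAT hairpin. It is a simplified Python model: the `Pat` class, the external server address, and the sequential port allocation are assumptions made for illustration, and the mapping table is not the router's actual data structure.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "202.38.1.3"          # public address seen in the session output above
SERVER = ("198.51.100.10", 5000)  # constructed: external registration server
CLIENT_A = ("192.168.1.3", 44929)
CLIENT_B = ("192.168.1.2", 69)


@dataclass
class Pat:
    """Simplified PAT table; sequential port allocation is an assumption."""
    endpoint_independent: bool
    next_port: int = 1024
    out: dict = field(default_factory=dict)   # mapping key -> public port
    back: dict = field(default_factory=dict)  # public port -> (inside endpoint, bound remote)

    def outbound(self, src, dst):
        """Translate inside endpoint src for a packet sent to dst."""
        # Endpoint-Independent: one mapping per inside endpoint, whatever the peer.
        # Address and Port-Dependent: one mapping per (inside endpoint, peer) pair.
        key = src if self.endpoint_independent else (src, dst)
        if key not in self.out:
            self.out[key] = self.next_port
            bound = None if self.endpoint_independent else dst
            self.back[self.next_port] = (src, bound)
            self.next_port += 1
        return (PUBLIC_IP, self.out[key])

    def inbound(self, remote, public_port):
        """Return the inside endpoint reached by remote -> PUBLIC_IP:public_port, or None."""
        entry = self.back.get(public_port)
        if entry is None:
            return None
        inside, bound = entry
        if bound is not None and bound != remote:
            return None  # mapping exists, but only for the peer that created it
        return inside

    def hairpin(self, src, public_port):
        """Inside host sends to a public endpoint that belongs to another inside host."""
        translated_src = self.outbound(src, (PUBLIC_IP, public_port))
        target = self.inbound(translated_src, public_port)
        if target is None:
            return None
        return {"src": translated_src, "dst": target}


def p2p_scenario(endpoint_independent):
    """Both clients register, then Client A contacts Client B's registered endpoint."""
    nat = Pat(endpoint_independent)
    reg_b = nat.outbound(CLIENT_B, SERVER)
    reg_a = nat.outbound(CLIENT_A, SERVER)
    path = nat.hairpin(CLIENT_A, reg_b[1])
    return reg_a, reg_b, path


if __name__ == "__main__":
    for mode in (True, False):
        name = "Endpoint-Independent" if mode else "Address and Port-Dependent"
        print(name, p2p_scenario(mode))
```

With Endpoint-Independent Mapping, Client A reaches Client B and appears to it under the same public endpoint it registered. Because that mapping accepts any source, the ACL on `nat mapping-behavior` is what bounds which inside hosts get such mappings.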

Twice NAT configuration example

Network requirements

As shown in Figure 71, two departments are in different VPN instances with overlapping addresses. Configure twice NAT so that Host A and Host B in different departments can access each other.

Figure 71 Network diagram

Requirements analysis

This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device.

Configuration procedure

# Specify VPN instances and IP addresses for the interfaces on the router. (Details not shown.)

# Configure a static outbound NAT mapping between 192.168.1.2 in vpn 1 and 172.16.1.2 in vpn 2.

<Router> system-view

[Router] nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2

# Configure a static outbound NAT mapping between 192.168.1.2 in vpn 2 and 172.16.2.2 in vpn 1.

[Router] nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1

# Enable static NAT on interface GigabitEthernet 2/0/2.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat static enable

[Router-GigabitEthernet2/0/2] quit

# Enable static NAT on interface GigabitEthernet 2/0/1.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] nat static enable

[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that Host A and Host B can access each other. The public address for Host A is 172.16.1.2 and that for Host B is 172.16.2.2. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

Static NAT mappings:

Totally 2 outbound static NAT mappings.

IP-to-IP:

Local IP : 192.168.1.2

Global IP : 172.16.1.2

Local VPN : vpn1

Global VPN : vpn2

Config status: Active

Global flow-table status: Active

Local flow-table status: Active

IP-to-IP:

Local IP : 192.168.1.2

Global IP : 172.16.2.2

Local VPN : vpn2

Global VPN : vpn1

Config status: Active

Global flow-table status: Active

Local flow-table status: Active

Interfaces enabled with static NAT:

Totally 2 interfaces enabled with static NAT.

Interface: GigabitEthernet2/0/1

Config status: Active

Interface: GigabitEthernet2/0/2

Config status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when Host A accesses Host B.

[Router] display nat session verbose

Initiator:

Source IP/port: 192.168.1.2/42496

Destination IP/port: 172.16.2.2/2048

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: vpn1/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 192.168.1.2/42496

Destination IP/port: 172.16.1.2/0

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: vpn2/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/2

State: ICMP_REPLY

Application: INVALID

Start time: 2012-08-16 09:30:49 TTL: 27s

Initiator->Responder: 5 packets 420 bytes

Responder->Initiator: 5 packets 420 bytes

Total sessions found: 1

Load sharing NAT Server configuration example

Network requirements

As shown in Figure 72, three FTP servers are in the intranet to provide FTP services for external users. Configure NAT so that these external users use the address 202.38.1.1/16 to access the servers and the three FTP servers implement load sharing.

Figure 72 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Create NAT Server group 0, and add members to the group.

<Router> system-view

[Router] nat server-group 0

[Router-nat-server-group-0] inside ip 10.110.10.1 port 21

[Router-nat-server-group-0] inside ip 10.110.10.2 port 21

[Router-nat-server-group-0] inside ip 10.110.10.3 port 21

[Router-nat-server-group-0] quit

# Associate NAT Server group 0 with GigabitEthernet 2/0/2 so that servers in the server group can provide FTP services.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.1 ftp inside server-group 0

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that external hosts can access the internal FTP server group. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT server group information:

Totally 1 NAT server groups.

Group Number Inside IP Port Weight

0 10.110.10.1 21 100

10.110.10.2 21 100

10.110.10.3 21 100

NAT internal server information:

Totally 1 internal servers.

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.1/21

Local IP/port : server group 0

10.110.10.1/21 (Connections: 1)

10.110.10.2/21 (Connections: 2)

10.110.10.3/21 (Connections: 2)

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode : Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled

# Display NAT session information generated when external hosts access an internal FTP server.

[Router] display nat session verbose

Initiator:

Source IP/port: 202.38.1.25/53957

Destination IP/port: 202.38.1.1/21

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

Responder:

Source IP/port: 10.110.10.3/21

Destination IP/port: 202.38.1.25/53957

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

State: TCP_ESTABLISHED

Application: FTP

Start time: 2012-08-16 11:06:07 TTL: 26s

Initiator->Responder: 1 packets 60 bytes

Responder->Initiator: 2 packets 120 bytes

Total sessions found: 5

NAT with DNS mapping configuration example

Network requirements

As shown in Figure 73, the internal Web server at 10.110.10.1/16 and FTP server at 10.110.10.2/16 provide services for external users. The company has three public addresses 202.38.1.1 through 202.38.1.3. The DNS server at 202.38.1.4 is on the external network.

Configure NAT so that:

• The public IP address 202.38.1.2 is used by external users to access the Web and FTP servers.

• External users can use the public address or domain name of internal servers to access them.

• Internal users can access the internal servers by using their domain names.

Figure 73 Network diagram

Requirements analysis

To meet the network requirements, perform the following tasks:

• Configure NAT Server by mapping the public IP addresses and port numbers of the internal servers to a public address and port numbers so that external users can access the internal servers.

• Configure NAT with DNS mapping and ALG so that the public IP address of the internal server in the payload of the DNS response packet can be translated to the private IP address.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Enable NAT with ALG for DNS.

<Router> system-view

[Router] nat alg dns

# Enter interface view of GigabitEthernet 2/0/2.

[Router] interface gigabitethernet 2/0/2

# Configure NAT Server to allow external hosts to access the internal Web server by using the address 202.38.1.2.

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.1 http

# Configure NAT Server to allow external hosts to access the internal FTP server by using the address 202.38.1.2.

[Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.2 ftp

# Enable outbound NAT with Easy IP on interface GigabitEthernet 2/0/2.

[Router-GigabitEthernet2/0/2] nat outbound

[Router-GigabitEthernet2/0/2] quit

# Configure two DNS mapping entries by mapping the domain name www.server.com of the Web server to 202.38.1.2, and ftp.server.com of the FTP server to 202.38.1.2.

[Router] nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port http

[Router] nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp

[Router] quit

Verifying the configuration

# Verify that both internal and external hosts can access the internal servers by using domain names. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/2

ACL: --- Address group: --- Port-preserved: N

NO-PAT: N Reversible: N

Config status: Active

Global flow-table status: Active

NAT internal server information:

Totally 2 internal servers.

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.2/21

Local IP/port : 10.110.10.2/21

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

Interface: GigabitEthernet2/0/2

Protocol: 6(TCP)

Global IP/port: 202.38.1.2/80

Local IP/port : 10.110.10.1/80

Config status : Active

Global flow-table status: Active

Local flow-table status: Active

NAT DNS mapping information:

Totally 2 NAT DNS mappings.

Domain name: ftp.server.com

Global IP : 202.38.1.2

Global port: 21

Protocol : TCP(6)

Config status: Active

Domain name: www.server.com

Global IP : 202.38.1.2

Global port: 80

Protocol : TCP(6)

Config status: Active

NAT logging:

Log enable : Disabled

Flow-begin : Disabled

Flow-end : Disabled

Flow-active : Disabled

Port-block-assign : Disabled

Port-block-withdraw : Disabled

Alarm : Disabled

NAT mapping behavior:

Mapping mode: Address and Port-Dependent

ACL : ---

Config status: Active

NAT ALG:

DNS : Enabled

FTP : Enabled

H323 : Enabled

ICMP-ERROR : Enabled

ILS : Enabled

MGCP : Enabled

NBT : Enabled

PPTP : Enabled

RSH : Enabled

RTSP : Enabled

SCCP : Enabled

SIP : Enabled

SQLNET : Enabled

TFTP : Enabled

XDMCP : Enabled
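Every `display nat all` listing in these examples shows NAT logging disabled and all ALGs enabled. The following added example (not part of the HPE guide) parses that output and reports those settings for review. The finding names, the `required_algs` allowlist, and the review policy itself are assumptions; the sample text is trimmed from the output above.

```python
import re

# Trimmed from the "display nat all" output of the DNS mapping example above.
SAMPLE = """\
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Alarm : Disabled
NAT mapping behavior:
Mapping mode: Address and Port-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Enabled
ICMP-ERROR : Enabled
ILS : Enabled
MGCP : Enabled
NBT : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQLNET : Enabled
TFTP : Enabled
XDMCP : Enabled
"""

KEY_VALUE = re.compile(r"^([^:]+?)\s*:\s*(\S.*)$")


def parse_sections(text):
    """Group 'key : value' lines under the 'Section name:' line that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = sections.setdefault(line[:-1], {})
            continue
        match = KEY_VALUE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    return sections


def audit(sections, required_algs):
    """Return (finding, details) pairs; the policy encoded here is an assumption."""
    findings = []
    log = sections.get("NAT logging", {})
    if log.get("Log enable") != "Enabled":
        # Without NAT logs, a public address/port cannot later be tied to an inside host.
        findings.append(("nat-logging-off", sorted(k for k, v in log.items() if v == "Disabled")))
    mapping = sections.get("NAT mapping behavior", {})
    if mapping.get("Mapping mode") == "Endpoint-Independent" and mapping.get("ACL", "---") == "---":
        findings.append(("eim-without-acl", ["no ACL limits which flows get Endpoint-Independent mappings"]))
    extra = sorted(name for name, state in sections.get("NAT ALG", {}).items()
                   if state == "Enabled" and name not in required_algs)
    if extra:
        findings.append(("alg-not-required", extra))
    return findings


if __name__ == "__main__":
    # The DNS mapping example relies on the DNS and FTP ALGs only.
    for finding, details in audit(parse_sections(SAMPLE), {"DNS", "FTP"}):
        print(finding, details)
```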

DS-Lite NAT444 configuration example

Network requirements

As shown in Figure 74, configure DS-Lite tunneling and NAT to allow the DS-Lite host to access the IPv4 network over the IPv6 network.

Figure 74 Network diagram

Configuration procedure

Before configuration, make sure the DS-Lite host and AFTR can reach each other through IPv6.

1. Configure the AFTR:

# Specify an IP address for GigabitEthernet 2/0/1.

<Router> system-view

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] ip address 20.1.1.1 24

[Router-GigabitEthernet2/0/1] quit

# Specify an IP address for GigabitEthernet 2/0/2.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] ipv6 address 2::2 64

[Router-GigabitEthernet2/0/2] quit

# Create a tunnel interface on the AFTR.

[Router] interface tunnel 2 mode ds-lite-aftr

# Specify an IP address for the tunnel interface.

[Router-Tunnel2] ip address 30.1.2.2 255.255.255.0

# Specify GigabitEthernet 2/0/2 as the source interface for the tunnel.

[Router-Tunnel2] source gigabitethernet 2/0/2

[Router-Tunnel2] quit

# Enable DS-Lite tunneling on GigabitEthernet 2/0/1.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] ds-lite enable

[Router-GigabitEthernet2/0/1] quit

# Create public address group 0.

[Router] nat address-group 0

# Add public IP addresses 20.1.1.11 and 20.1.1.12 to the NAT address group.

[Router-address-group-0] address 20.1.1.11 20.1.1.12

# Configure the port range as 1024 to 65535.

[Router-address-group-0] port-range 1024 65535

# Set the port block size to 300.

[Router-address-group-0] port-block block-size 300

[Router-address-group-0] quit

# Configure an IPv6 ACL to identify packets from subnet 1::/64.

[Router] acl ipv6 basic 2100

[Router-acl-ipv6-basic-2100] rule permit source 1::/64

[Router-acl-ipv6-basic-2100] quit

# Configure DS-Lite NAT444 on GigabitEthernet 2/0/1.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] nat outbound ds-lite-b4 2100 address-group 0

[Router-GigabitEthernet2/0/1] quit

2. Configure the DS-Lite host:

# Configure the IPv4 and IPv6 addresses of the DS-Lite host as 10.0.0.1 and 1::1/64. (Details not shown.)

# Configure a static route to the destination IPv4 network. (Details not shown.)

Verifying the configuration

# Use the display tunnel interface command to verify that the tunnel interface is up on the AFTR. (Details not shown.)

# Verify that the DS-Lite host can ping the IPv4 application server.

C:\> ping 20.1.1.2

Pinging 20.1.1.2 with 32 bytes of data:

Reply from 20.1.1.2: bytes=32 time=51ms TTL=255

Reply from 20.1.1.2: bytes=32 time=44ms TTL=255

Reply from 20.1.1.2: bytes=32 time=1ms TTL=255

Reply from 20.1.1.2: bytes=32 time=1ms TTL=255

Ping statistics for 20.1.1.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 51ms, Average = 24ms

# Verify that the DS-Lite NAT444 configuration is correct.

[Router] display nat outbound

NAT outbound information:

Totally 1 NAT outbound rules.

Interface: GigabitEthernet2/0/1

DS-Lite B4 ACL: 2100 Address group: 0 Port-preserved: N

NO-PAT: N Reversible: N

Config status: Active

# Verify that the DS-Lite NAT444 configuration takes effect by checking the port block assignment.

[Router] display nat statistics

Total session entries: 0

Total EIM entries: 0

Total inbound NO-PAT entries: 0

Total outbound NO-PAT entries: 0

Total static port block entries: 0

Total dynamic port block entries: 430

Active static port block entries: 0

Active dynamic port block entries: 1

# Verify that a NAT444 mapping has been created for the DS-Lite host.

[Router] display nat port-block dynamic ds-lite-b4

Local VPN DS-Lite B4 addr Global IP Port block Connections

--- 1::1 20.1.1.11 1024-1323 1

Total entries found: 1
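The following added example (not part of the HPE guide) works through the port block arithmetic of this configuration and uses the port block table to attribute an observed public address and port to a DS-Lite B4 address. It assumes blocks are cut contiguously from the start of the port range with the remainder unused, which is consistent with the 430 entries and the 1024-1323 block shown above; the function names are hypothetical.

```python
import ipaddress
import re

# Values from the AFTR configuration above.
GROUP = ("20.1.1.11", "20.1.1.12")
PORT_RANGE = (1024, 65535)
BLOCK_SIZE = 300

# Output of "display nat port-block dynamic ds-lite-b4" as shown above.
PORT_BLOCK_OUTPUT = """\
Local VPN DS-Lite B4 addr Global IP Port block Connections
--- 1::1 20.1.1.11 1024-1323 1
Total entries found: 1
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)-(\d+)\s+(\d+)$")


def block_layout(first_ip, last_ip, port_lo, port_hi, block_size):
    """List every whole (global_ip, first_port, last_port) block in the address group."""
    blocks = []
    ip = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    while ip <= last:
        lo = port_lo
        while lo + block_size - 1 <= port_hi:
            blocks.append((str(ip), lo, lo + block_size - 1))
            lo += block_size
        ip += 1
    return blocks


def parse_port_blocks(text):
    """Parse the data rows of the port block table; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            vpn, b4, global_ip, lo, hi, conns = match.groups()
            rows.append({
                "vpn": vpn,
                "b4": str(ipaddress.IPv6Address(b4)),
                "global_ip": global_ip,
                "lo": int(lo),
                "hi": int(hi),
                "connections": int(conns),
            })
    return rows


def attribute(rows, global_ip, port):
    """Return the B4 address holding the block that contains global_ip:port, or None."""
    for row in rows:
        if row["global_ip"] == global_ip and row["lo"] <= port <= row["hi"]:
            return row["b4"]
    return None


def rows_outside_layout(rows, layout):
    """Rows whose block is not one the configured group can produce (configuration drift)."""
    valid = set(layout)
    return [r for r in rows if (r["global_ip"], r["lo"], r["hi"]) not in valid]


if __name__ == "__main__":
    layout = block_layout(*GROUP, *PORT_RANGE, BLOCK_SIZE)
    rows = parse_port_blocks(PORT_BLOCK_OUTPUT)
    print("blocks available:", len(layout))
    print("20.1.1.11:1200 belongs to", attribute(rows, "20.1.1.11", 1200))
    print("unexpected rows:", rows_outside_layout(rows, layout))
```

The table is a snapshot: attributing traffic after a block has been withdrawn requires the port-block-assign and port-block-withdraw log events, which the NAT logging section of the earlier outputs shows as disabled by default.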

Basic IP forwarding on the device

The device uses the destination IP address of a received packet to find a match from the forwarding information base (FIB) table. It then uses the matching entry to forward the packet.

FIB table

A device selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next hop IP address and output interface for packets destined for a specific subnet or host.

For more information about the routing table, see Layer 3—IP Routing Configuration Guide.

Use the display fib command to display FIB table entries. The following example displays the entire FIB table.

<Sysname> display fib

Destination count: 4 FIB entry count: 4

Flag:

U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static

R:Relay F:FRR

Destination/Mask Nexthop Flag OutInterface/Token Label

10.2.0.0/16 10.2.1.1 U GE2/0/1 Null

10.2.1.1/32 127.0.0.1 UH InLoop0 Null

127.0.0.0/8 127.0.0.1 U InLoop0 Null

127.0.0.1/32 127.0.0.1 UH InLoop0 Null

A FIB entry includes the following items:

• Destination—Destination IP address.

• Mask—Network mask. The mask and the destination address identify the destination network. A logical AND operation between the destination address and the network mask yields the address of the destination network. For example, if the destination address is 192.168.1.40 and the mask 255.255.255.0, the address of the destination network is 192.168.1.0. A network mask includes a certain number of consecutive 1s. It can be expressed in dotted decimal format or by the number of the 1s.

• Nexthop—IP address of the next hop.

• Flag—Route flag.

• OutInterface—Output interface.

• Token—MPLS Label Switched Path index number.

• Label—Inner label.
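The following added example (not part of the HPE guide) applies the mask operation described above to the four entries of the sample `display fib` output. Choosing the entry with the longest mask when several match is standard IP forwarding behavior rather than something this section states, and the function names are hypothetical.

```python
import ipaddress

# Entry lines from the "display fib" example above.
FIB_OUTPUT = """\
Destination/Mask Nexthop Flag OutInterface/Token Label
10.2.0.0/16 10.2.1.1 U GE2/0/1 Null
10.2.1.1/32 127.0.0.1 UH InLoop0 Null
127.0.0.0/8 127.0.0.1 U InLoop0 Null
127.0.0.1/32 127.0.0.1 UH InLoop0 Null
"""


def parse_fib(text):
    """Turn each entry line into a dict with the destination and mask as integers."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or "/" not in cols[0] or cols[0].startswith("Destination"):
            continue
        dest, length = cols[0].split("/")
        length = int(length)
        entries.append({
            "prefix": cols[0],
            "dest": int(ipaddress.IPv4Address(dest)),
            # A mask of N consecutive 1s followed by 32-N zeros.
            "mask": (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF,
            "length": length,
            "nexthop": cols[1],
            "flags": cols[2],
            "out": cols[3],
        })
    return entries


def network_of(address, mask):
    """Logical AND of a dotted-decimal address and mask, as described in the Mask item."""
    value = int(ipaddress.IPv4Address(address)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(value))


def lookup(entries, address):
    """Return the matching entry with the longest mask, or None when nothing matches."""
    addr = int(ipaddress.IPv4Address(address))
    best = None
    for entry in entries:
        if (addr & entry["mask"]) == entry["dest"]:
            if best is None or entry["length"] > best["length"]:
                best = entry
    return best


if __name__ == "__main__":
    fib = parse_fib(FIB_OUTPUT)
    print(network_of("192.168.1.40", "255.255.255.0"))
    for target in ("10.2.1.1", "10.2.9.9", "192.168.1.40"):
        hit = lookup(fib, target)
        print(target, "->", (hit["prefix"], hit["nexthop"], hit["out"]) if hit else "no FIB entry")
```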

Displaying FIB table entries

Execute display commands in any view.

Task: Display FIB entries.
Command: display fib [ topology topo-name | vpn-instance vpn-instance-name ] [ ip-address [ mask | mask-length ] ]

Configuring load sharing

If a routing protocol finds multiple equal-cost best routes to the same destination, the device forwards packets over the equal-cost routes to implement load sharing.

NOTE: The system allows a maximum of 32 load sharing routes.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:

• MSR1002-4/1003-8S.

• MSR2003.

• MSR2004-24/2004-48.

• MSR3012/3024/3044/3064.

• MSR954(JH296A/JH297A/JH298A/JH299A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Configuring per-packet or per-flow load sharing

Per-flow load sharing allows the device to forward flows over equal-cost routes. Packets of one flow travel along the same routes. You can configure the device to identify a flow based on the following criteria: source IP address, destination IP address, source port number, destination port number, and IP protocol number.

In a complex network, when these criteria cannot distinguish flows, you can use the algorithm keyword to specify an algorithm to identify flows for load sharing.

To configure per-flow load sharing:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Configure load sharing.
Command:
• Centralized devices in standalone mode: ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ]
• Distributed devices in standalone mode/centralized devices in IRF mode: ip load-sharing mode { per-flow [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet } [ slot slot-number ]
• Distributed devices in IRF mode: ip load-sharing mode { per-flow | [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet } [ chassis chassis-number slot slot-number ]
Remarks: By default, load sharing is disabled.

Configuring load sharing based on bandwidth

This feature load shares flow traffic among multiple output interfaces based on their load percentages. The device calculates the load percentage for each output interface in terms of the interface expected bandwidth.

Devices that run load sharing protocols, such as Locator/ID Separation Protocol (LISP), implement load sharing based on the ratios defined by these protocols.

To configure load sharing based on bandwidth:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable IPv4 load sharing based on bandwidth.
Command: bandwidth-based-sharing
Remarks: By default, the IPv4 load sharing based on bandwidth is disabled.

Step 3. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step 4. Configure the expected bandwidth of the interface.
Command: bandwidth bandwidth
Remarks: By default, the expected bandwidth is the physical bandwidth of the interface.

Configuring fast forwarding

Overview

Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: source IP address, source port number, destination IP address, destination port number, and protocol number. After a flow's first packet is forwarded through the routing table, fast forwarding creates an entry and uses the entry to forward subsequent packets of the flow.

Fast forwarding can process fragmented IP packets, but it does not fragment IP packets.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:

• MSR1002-4/1003-8S.

• MSR2003.

• MSR2004-24/2004-48.

• MSR3012/3024/3044/3064.

• MSR954(JH296A/JH297A/JH298A/JH299A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Configuring the aging time for fast forwarding entries

The fast forwarding table uses an aging timer for each forwarding entry. If an entry is not updated before the timer expires, the device deletes the entry. If an entry has a hit within the aging time, the aging timer restarts.

To configure the aging time for fast forwarding entries:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Configure the aging time for fast forwarding entries.
Command: ip fast-forwarding aging-time aging-time
Remarks: By default, the aging time is 30 seconds.

Configuring fast forwarding load sharing

Fast forwarding load sharing enables the device to load share packets of the same flow. This feature identifies a data flow by using the five-tuple (source IP, source port, destination IP, destination port, and protocol).

If fast forwarding load sharing is disabled, the device identifies a data flow by the five-tuple and the input interface. No load sharing is implemented.

To configure fast forwarding load sharing:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable fast forwarding load sharing.
Command: ip fast-forwarding load-sharing
Remarks: By default, fast forwarding load sharing is enabled.

Displaying and maintaining fast forwarding

Execute display commands in any view and reset commands in user view.

Task: Display fast forwarding entries (centralized devices in standalone mode).
Command: display ip fast-forwarding cache [ ip-address ]

Task: Display fast forwarding entries (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display ip fast-forwarding cache [ ip-address ] [ slot slot-number ]

Task: Display fast forwarding entries (distributed devices in IRF mode).
Command: display ip fast-forwarding cache [ ip-address ] [ chassis chassis-number slot slot-number ]

Task: Display fast forwarding entries about fragmented packets (centralized devices in standalone mode).
Command: display ip fast-forwarding fragcache [ ip-address ]

Task: Display fast forwarding entries about fragmented packets (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display ip fast-forwarding fragcache [ ip-address ] [ slot slot-number ]

Task: Display fast forwarding entries for fragmented packets (distributed devices in IRF mode).
Command: display ip fast-forwarding fragcache [ ip-address ] [ chassis chassis-number slot slot-number ]

Task: Display the aging time of fast forwarding entries.
Command: display ip fast-forwarding aging-time

Task: Clear the fast forwarding table (centralized devices in standalone mode).
Command: reset ip fast-forwarding cache

Task: Clear the fast forwarding table (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset ip fast-forwarding cache [ slot slot-number ]

Task: Clear the fast forwarding table (distributed devices in IRF mode).
Command: reset ip fast-forwarding cache [ chassis chassis-number slot slot-number ]

Configuring flow classification

To implement differentiated services, flow classification categorizes packets to be forwarded by a multicore device according to one of the following flow classification policies:

• Flow-based policy—Forwards packets of a flow to the same CPU. A data flow is defined by using the following fields: source IP address, destination IP address, source port number, destination port number, and protocol number. This policy takes the first-in first-out rule.

• Packet-based policy—Forwards packets in sequence to different CPUs, even if they belong to the same flow. This policy does not ensure packet order.

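Feature and hardware compatibility

Hardware: MSR954(JH296A/JH297A/JH298A/JH299A)
Flow classification compatibility: No

Hardware: MSR1002-4/1003-8S
Flow classification compatibility: No

Hardware: MSR2003
Flow classification compatibility: No

Hardware: MSR2004-24/2004-48
Flow classification compatibility: No

Hardware: MSR3012/3024/3044/3064
Flow classification compatibility: Yes

Hardware: MSR4060/4080
Flow classification compatibility: Yes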

Specifying a flow classification policy

IMPORTANT:

If a service requires packets of a flow to be received by the same CPU, you must use the flow-based policy.

To specify a flow classification policy:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Specify a flow classification policy.
Command: forwarding policy { per-flow | per-packet }
Remarks: By default, flow-based policy is used.

Displaying the adjacency table

Overview

The adjacency table stores information about directly connected neighbors for IP forwarding. The neighbor information in this chapter refers to non-Ethernet neighbor information.

This table is not user configurable. The neighbor information is generated, updated, and deleted by link layer protocols through negotiation (such as PPP dynamic negotiation) or through manual configuration (such as ATM static configuration). An adjacency entry includes the following information:

• Neighbor network layer address (next hop).

• Output interface.

• Link layer protocol type.

• Link layer address. This field displays PVC for ATM, and it is not available for PPP.

When forwarding an IP packet, the device performs the following tasks:

• Searches the FIB to find the output interface and next hop.

• Uses the output interface and next hop address to search the adjacency table for link layer forwarding information.

NOTE: Ethernet and non-Ethernet neighbor information are stored and managed together.

The following table shows the items in an adjacency table output:

Item: IP address
Description: IP address of the next hop in FIB table. This address is used for adjacency table lookup.

Item: IPv6 address
Description: IPv6 address of the next hop in FIB table. This address is used for adjacency table lookup.

Item: Routing interface
Description: Output interface in the matching route entry. This interface is used for adjacency table lookup, and it can be logical or physical.

Item: Physical interface
Description: Output physical interface that sends matching packets.
• If the routing interface is physical, the routing interface and physical interface are the same.
• If the routing interface is logical, the routing interface and physical interface are different.

Item: Logical interface
Description: Logical interface for sending packets, such as a virtual-Ethernet interface for ATM, or a Virtual-Template interface for MP.

Item: Service type
Description: Link layer protocol type, such as PPP or HDLC.

Item: Action type
Description: Action to be taken on the matching packet: Forwarding or Drop.

Item: Link media type
Description: Related to the link layer protocol used by the routing interface.
• P2P—Point-to-point link.
• NBMA—Non-broadcast multi-access link.

Item: Link head information(IP)
Description: Link layer header for IP forwarding.

Item: Link head information(IPv6)
Description: Link layer header for IPv6 forwarding.

Item: Link head information(MPLS)
Description: Link layer header for MPLS forwarding.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Displaying commands

To display adjacency table entries, use one of the following commands in any view:

Task: Display IPv4 adjacency table information (centralized devices in standalone mode).
Command: display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number } [ count | verbose ]

Task: Display IPv4 adjacency table information (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | slot slot-number } [ count | verbose ]

Task: Display IPv4 adjacency table information (distributed devices in IRF mode).
Command: display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | chassis chassis-number slot slot-number } [ count | verbose ]

Task: Display IPv6 adjacency table information (centralized devices in standalone mode).
Command: display ipv6 adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number } [ count | verbose ]

Task: Display IPv6 adjacency table information (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display ipv6 adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | slot slot-number } [ count | verbose ]

Task: Display IPv6 adjacency table information (distributed devices in IRF mode).
Command: display ipv6 adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | chassis chassis-number slot slot-number } [ count | verbose ]

Configuring IRDP

The term "router" in this chapter refers to a routing-capable device.

The term "host" in this chapter refers to the host that supports IRDP. For example, a host that runs the Linux operating system.

Overview

ICMP Router Discovery Protocol (IRDP), an extension of ICMP, is independent of any routing protocol. It allows hosts to discover the IP addresses of neighboring routers that can act as default gateways to reach devices on other IP networks.

IRDP enables hosts to track dynamic changes in router availability and requires a minimal amount of manual configuration.

IRDP operation

IRDP uses the following types of ICMP messages:
• Router advertisement (RA)—Sent by a router to advertise IP addresses (including the primary and secondary IP addresses) and preference.
• Router solicitation (RS)—Sent by a host to request the IP addresses of routers on the subnet.

An interface with IRDP enabled periodically broadcasts or multicasts an RA message to advertise its IP addresses. A receiving host adds the IP addresses to its routing table, and selects the IP address with the highest preference as the default gateway.

When a host attached to the subnet starts up, the host multicasts an RS message to request immediate advertisements. If the host does not receive any advertisements, it retransmits the RS several times. If the host does not discover the IP addresses of neighboring routers because of network problems, the host can still discover them from periodic RAs.

IRDP allows hosts to discover neighboring routers, but it does not suggest the best route to a destination. If a host sends a packet to a router that is not the best next hop, the host will receive an ICMP redirect message from the router.

Basic concepts

Preference of an IP address

Every IP address advertised in RAs has a preference value. A larger preference value represents a higher preference. The IP address with the highest preference is selected as the default gateway address.

You can specify the preference for IP addresses to be advertised on a router interface.

An address with the minimum preference value (-2147483648) will not be used as a default gateway address.

Lifetime of an IP address

An RA contains a lifetime field that specifies the lifetime of advertised IP addresses. If the host does not receive a new RA for an IP address within the address lifetime, the host removes the route entry.

All the IP addresses advertised by an interface have the same lifetime.

Advertising interval

A router interface with IRDP enabled sends out RAs at a random interval between the minimum and maximum advertising intervals. This mechanism prevents the local link from being overloaded by a large number of RAs sent simultaneously from routers.

As a best practice, shorten the advertising interval on a link that suffers high packet loss rates.

Destination address of RAs

An RA uses either of the following destination IP addresses:
• Broadcast address 255.255.255.255.
• Multicast address 224.0.0.1, which identifies all hosts on the local link.

By default, the destination IP address of an RA is the broadcast address. If all listening hosts in a local area network support IP multicast, specify 224.0.0.1 as the destination IP address.

Proxy-advertised IP addresses

By default, an interface advertises its primary and secondary IP addresses. You can specify IP addresses of other gateways for an interface to proxy-advertise.

Protocols and standards

RFC 1256: ICMP Router Discovery Messages

Configuration procedure

To configure IRDP:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enter interface view.
Command: interface interface-type interface-number
Remarks: The interface can be a Layer 3 Ethernet interface or VLAN interface.

3. Enable IRDP on the interface.
Command: ip irdp
Remarks: By default, IRDP is disabled. After IRDP is enabled on an interface, the IRDP configuration takes effect, and the device sends RA messages out of the interface.

4. (Optional.) Specify the preference of advertised primary and secondary IP addresses on the interface.
Command: ip irdp preference preference-value
Remarks: The default preference is 0.

5. (Optional.) Set the lifetime of IP addresses to be advertised.
Command: ip irdp lifetime lifetime-value
Remarks: The default lifetime is 1800 seconds. The lifetime applies to all advertised IP addresses, including proxy-advertised IP addresses on the interface. The lifetime cannot be shorter than the maximum advertising interval.

6. (Optional.) Set the maximum and minimum advertising intervals.
Command: ip irdp interval max-interval-value [ min-interval-value ]
Remarks: By default, the maximum interval is 600 seconds, and the minimum interval is 3/4 of the maximum interval.

7. (Optional.) Specify the multicast address 224.0.0.1 as the destination IP address of RAs.
Command: ip irdp multicast
Remarks: By default, RAs use the broadcast address 255.255.255.255 as the destination IP address.

8. (Optional.) Specify a proxy-advertised IP address and its preference.
Command: ip irdp address ip-address preference-value
Remarks: Repeat this step to specify multiple proxy-advertised IP addresses. By default, no IP address is specified. You can specify a maximum of four proxy-advertised IP addresses on an interface.

IRDP configuration example

Network requirements

As shown in Figure 75, Host A and Host B run Linux, support IRDP, and are in the internal network. Router A and Router B act as the egress routers and connect to external networks 192.168.1.0/24 and 192.168.2.0/24, respectively.

Configure Router A as the default gateway for the hosts, and make sure packets to the external networks can be correctly routed.

Figure 75 Network diagram

Configuration procedure

1. Configure Router A:

# Specify an IP address for GigabitEthernet 2/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 10.154.5.1 24

# Enable IRDP on GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] ip irdp

# Specify preference 1000 for advertised IP addresses on GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] ip irdp preference 1000

# Specify the multicast address 224.0.0.1 as the destination IP address for RAs sent by GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] ip irdp multicast

# Specify the IP address 192.168.1.0 and preference 400 for GigabitEthernet 2/0/1 to proxy-advertise.
[RouterA-GigabitEthernet2/0/1] ip irdp address 192.168.1.0 400

2. Configure Router B:

# Specify an IP address for GigabitEthernet 2/0/1.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ip address 10.154.5.2 24

# Enable IRDP on GigabitEthernet 2/0/1.
[RouterB-GigabitEthernet2/0/1] ip irdp

# Specify preference 500 for advertised IP addresses on GigabitEthernet 2/0/1.
[RouterB-GigabitEthernet2/0/1] ip irdp preference 500

# Specify the multicast address 224.0.0.1 as the destination IP address for RAs sent by GigabitEthernet 2/0/1.
[RouterB-GigabitEthernet2/0/1] ip irdp multicast

# Specify the IP address 192.168.2.0 and preference 400 for GigabitEthernet 2/0/1 to proxy-advertise.
[RouterB-GigabitEthernet2/0/1] ip irdp address 192.168.2.0 400

Verifying the configuration

# Display the routing table for Host A.
[HostA@localhost ~]$ netstat -rne

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

10.154.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

0.0.0.0 10.154.5.1 0.0.0.0 UG 0 0 0 eth1

The output shows that the default route on Host A points to IP address 10.154.5.1, and Host A has routes to 192.168.1.0/24 and 192.168.2.0/24.

# Display the routing table for Host B.
[HostB@localhost ~]$ netstat -rne

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

10.154.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

0.0.0.0 10.154.5.1 0.0.0.0 UG 0 0 0 eth1

The output shows that the default route on Host B points to IP address 10.154.5.1, and Host B has routes to 192.168.1.0/24 and 192.168.2.0/24.
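The hosts' choice of 10.154.5.1 follows from the RA contents and the preference and lifetime rules under Basic concepts. The sketch below is an added example, not code from this guide or from Comware: it builds and parses RFC 1256 router advertisements (ICMP type 9) carrying the addresses and preferences configured above, then applies the selection rule. The RouterList class and helper names are hypothetical, and the host model is a generic IRDP host, not the Linux implementation.

```python
import ipaddress
import struct

MIN_PREFERENCE = -2147483648  # per the text: never used as a default gateway


def inet_checksum(data: bytes) -> int:
    """Internet checksum: one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(entries, lifetime=1800):
    """Build a router advertisement: ICMP type 9, code 0, 2-word entries."""
    body = b"".join(
        ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
        for addr, pref in entries
    )
    header = struct.pack("!BBHBBH", 9, 0, 0, len(entries), 2, lifetime)
    csum = inet_checksum(header + body)
    return struct.pack("!BBHBBH", 9, 0, csum, len(entries), 2, lifetime) + body


def parse_ra(msg: bytes):
    """Validate an RA and return (lifetime, [(address, preference), ...])."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, count, words, lifetime = struct.unpack("!BBHBBH", msg[:8])
    if icmp_type != 9 or code != 0:
        raise ValueError("not a router advertisement")
    if inet_checksum(msg) != 0:
        raise ValueError("bad checksum")
    if count < 1 or words < 2:
        raise ValueError("invalid address count or entry size")
    if len(msg) < 8 + count * words * 4:
        raise ValueError("truncated address list")
    entries = []
    for i in range(count):
        off = 8 + i * words * 4
        addr = ipaddress.IPv4Address(msg[off:off + 4])
        (pref,) = struct.unpack("!i", msg[off + 4:off + 8])  # signed 32-bit
        entries.append((str(addr), pref))
    return lifetime, entries


class RouterList:
    """Host-side state: advertised address -> (preference, expiry time)."""

    def __init__(self):
        self.routers = {}

    def on_ra(self, msg, now):
        lifetime, entries = parse_ra(msg)
        for addr, pref in entries:
            # A new RA refreshes the entry; without one it ages out.
            self.routers[addr] = (pref, now + lifetime)

    def default_gateway(self, now):
        live = [
            (pref, addr)
            for addr, (pref, expiry) in self.routers.items()
            if expiry > now and pref != MIN_PREFERENCE
        ]
        return max(live)[1] if live else None


if __name__ == "__main__":
    # Constructed RAs matching the Router A and Router B configuration above.
    ra_a = build_ra([("10.154.5.1", 1000), ("192.168.1.0", 400)])
    ra_b = build_ra([("10.154.5.2", 500), ("192.168.2.0", 400)])
    host = RouterList()
    host.on_ra(ra_a, now=0)
    host.on_ra(ra_b, now=0)
    print("default gateway:", host.default_gateway(now=1))
```

RAs carry no authentication, so the checksum and length checks reject only malformed messages, not advertisements from an unexpected sender.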

Optimizing IP performance

A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Enabling an interface to receive and forward directed broadcasts destined for the directly connected network

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

If an interface is allowed to forward directed broadcasts destined for the directly connected network, attackers can abuse this behavior to attack the target network, because one packet sent to the directed broadcast address reaches every host on that network. In some scenarios, however, an interface must receive and send such directed broadcast packets to support UDP helper and Wake on LAN.

This task enables an interface to accept directed broadcast packets that are destined for and received from the directly connected network to support UDP helper. UDP helper converts the directed broadcasts to unicasts and forwards them to a specific server.

The task also enables the interface to forward directed broadcast packets that are destined for the directly connected network and are received from another subnet to support Wake on LAN. Wake on LAN sends the directed broadcasts to wake up the hosts on the target network.

Configuration procedure

To enable an interface to receive and forward directed broadcasts destined for the directly connected network:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

3. Enable the interface to receive and forward directed broadcasts destined for the directly connected network.
Command: ip forward-broadcast
Remarks: By default, an interface cannot forward directed broadcasts destined for the directly connected network.

Configuration example

Network requirements

As shown in Figure 76, the default gateway of the host is the IP address 1.1.1.2/24 of the interface GigabitEthernet 2/0/1 of Router A. Configure a static route destined for the host on Router B. Router B can receive directed broadcasts from the host to IP address 2.2.2.255.

Figure 76 Network diagram

Configuration procedure

1. Configure Router A:

# Specify IP addresses for GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 1.1.1.2 24
[RouterA-GigabitEthernet2/0/1] quit
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ip address 2.2.2.2 24

# Enable GigabitEthernet 2/0/2 to forward directed broadcasts destined for the directly connected network.
[RouterA-GigabitEthernet2/0/2] ip forward-broadcast

2. Configure Router B:

# Configure a static route to the host.
<RouterB> system-view
[RouterB] ip route-static 1.1.1.1 24 2.2.2.2

# Specify an IP address for GigabitEthernet 2/0/2.
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 2.2.2.1 24

# Enable GigabitEthernet 2/0/2 to receive directed broadcasts destined for the directly connected network.
[RouterB-GigabitEthernet2/0/2] ip forward-broadcast

After the configurations are completed, if you ping the subnet-directed broadcast address 2.2.2.255 on the host, the interface GigabitEthernet 2/0/2 of Router B can receive the ping packets. If you remove the ip forward-broadcast configuration on any router, the interface GigabitEthernet 2/0/2 of Router B cannot receive the ping packets.
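Because ip forward-broadcast is off by default, every interface where it appears is a deliberate exception worth tracking. The following added example (not part of this guide) lists those interfaces and the directed broadcast addresses they expose. The sample configuration is constructed and assumes the interface-block layout of display current-configuration output, and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample in the assumed layout of "display current-configuration".
SAMPLE_CONFIG = """\
#
interface GigabitEthernet2/0/1
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
 ip address 2.2.2.2 255.255.255.0
 ip forward-broadcast
#
interface GigabitEthernet2/0/3
 ip address 10.154.5.1 24
 ip address 10.154.6.1 24 sub
 ip forward-broadcast
#
"""


def audit_forward_broadcast(config_text):
    """Return interfaces that forward directed broadcasts and the
    directed broadcast address of each directly connected network."""
    findings = []
    iface, networks, enabled = None, [], False

    def flush():
        # Record the interface block just finished, if it has the setting.
        if iface and enabled:
            targets = sorted(
                str(net.broadcast_address)
                for net in networks
                if net.prefixlen < 31  # /31 and /32 have no broadcast address
            )
            findings.append({"interface": iface, "directed_broadcasts": targets})

    for line in config_text.splitlines():
        if line.startswith("interface "):
            flush()
            iface, networks, enabled = line.split(None, 1)[1].strip(), [], False
        elif line.startswith("#") or (line and not line[0].isspace()):
            # Section separator or another top-level command ends the block.
            flush()
            iface, networks, enabled = None, [], False
        elif iface:
            command = line.strip()
            match = re.match(r"ip address (\S+) (\S+)", command)
            if match:
                # Accepts both a mask length (24) and a dotted mask.
                try:
                    ip_if = ipaddress.ip_interface(f"{match.group(1)}/{match.group(2)}")
                except ValueError:
                    continue  # not an address/mask pair
                networks.append(ip_if.network)
            elif command == "ip forward-broadcast":
                enabled = True
    flush()
    return findings


if __name__ == "__main__":
    for finding in audit_forward_broadcast(SAMPLE_CONFIG):
        print(finding["interface"], "->", ", ".join(finding["directed_broadcasts"]))
```

Each reported interface can then be checked against a documented UDP helper or Wake on LAN requirement.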

Configuring MTU for an interface

When a packet exceeds the MTU of the output interface, the device processes it in one of the following ways:
• If the packet disallows fragmentation, the device discards it.
• If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU for an interface based on the network environment to avoid fragmentation.

To configure an MTU for an interface:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

3. Configure an MTU for the interface.
Command: ip mtu mtu-size
Remarks: By default, no MTU is configured.

Configuring TCP MSS for an interface

The maximum segment size (MSS) option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, it fragments the segment according to the receiver's MSS.

If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

This configuration takes effect only for TCP connections established after the configuration rather than the TCP connections that already exist.

This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not configure the TCP MSS on the interface.

To configure a TCP MSS for the interface:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

3. Configure a TCP MSS for the interface.
Command: tcp mss value
Remarks: By default, no TCP MSS is configured.

Configuring TCP path MTU discovery

IMPORTANT:

All devices on a TCP connection must be enabled to send ICMP error messages by using the ip unreachables enable command.

TCP path MTU discovery (in RFC 1191) discovers the path MTU between the source and destination ends of a TCP connection. It works as follows:
1. A TCP source device sends a packet with the Don't Fragment (DF) bit set.
2. A router discards the packet that exceeds the MTU of the outgoing interface and returns an ICMP error message. The error message contains the MTU of the outgoing interface.
3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.
4. The TCP source device sends subsequent TCP segments that each are smaller than the MSS (MSS = path MTU – IP header length – TCP header length).

If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device will fragment packets.

An ICMP error message received from a router that does not support RFC 1191 has the MTU of the outgoing interface set to 0. Upon receiving the ICMP message, the TCP source device selects the path MTU smaller than the current path MTU from the MTU table as described in RFC 1191. Based on the selected path MTU, the TCP source device calculates the TCP MSS. The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, and 65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU is 72 bytes.

After you enable TCP path MTU discovery, all new TCP connections will detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

The path MTU uses the following aging mechanism to make sure the source device can increase the path MTU when the minimum link MTU on the path increases:
• When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an aging timer for the path MTU.
• After the aging timer expires, the source device uses a larger MSS in the MTU table, as described in RFC 1191.
• If no ICMP error message is received within two minutes, the source device increases the MSS again until the MSS negotiated during TCP three-way handshake is reached.

To enable TCP path MTU discovery:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enable TCP path MTU discovery.
Command: tcp path-mtu-discovery [ aging age-time | no-aging ]
Remarks: The default setting is disabled.
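The path MTU and MSS arithmetic described in this section, as an added example that is not Comware code. It applies the MTU table and the 32-byte MSS floor from the text and assumes 20-byte IP and TCP headers; ignoring a reported MTU that is not smaller than the current estimate follows RFC 1191 rather than anything stated here, and the function names are hypothetical.

```python
# MTU table quoted in the text (RFC 1191 plateau values), in bytes.
MTU_TABLE = [68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, 65535]
IP_HEADER = 20    # assumption: no IP options
TCP_HEADER = 20   # assumption: no TCP options
MIN_MSS = 32      # system minimum stated in the text
MIN_PATH_MTU = MIN_MSS + IP_HEADER + TCP_HEADER  # 72 bytes


def mss_for(path_mtu):
    """MSS = path MTU - IP header length - TCP header length."""
    return path_mtu - IP_HEADER - TCP_HEADER


def on_icmp_frag_needed(path_mtu, reported_mtu):
    """Return the new path MTU after a 'fragmentation needed and DF set' error."""
    if reported_mtu == 0:
        # Router without RFC 1191 support: step down to the next table entry.
        lower = [m for m in MTU_TABLE if m < path_mtu]
        candidate = lower[-1] if lower else MIN_PATH_MTU
    elif reported_mtu >= path_mtu:
        # An ICMP error must never raise the estimate (RFC 1191).
        return path_mtu
    else:
        candidate = reported_mtu
    # A forged or bogus tiny MTU cannot push the MSS below the 32-byte floor.
    return max(candidate, MIN_PATH_MTU)


def on_aging_timer(path_mtu, negotiated_mss):
    """Probe upward: next larger table entry, capped by the handshake MSS."""
    ceiling = negotiated_mss + IP_HEADER + TCP_HEADER
    higher = [m for m in MTU_TABLE if m > path_mtu]
    return min(higher[0], ceiling) if higher else min(path_mtu, ceiling)


def replay(events, negotiated_mss=1460):
    """Apply ('icmp', mtu) and ('aging',) events; return the MSS after each."""
    path_mtu = negotiated_mss + IP_HEADER + TCP_HEADER
    history = []
    for event in events:
        if event[0] == "icmp":
            path_mtu = on_icmp_frag_needed(path_mtu, event[1])
        else:
            path_mtu = on_aging_timer(path_mtu, negotiated_mss)
        history.append(mss_for(path_mtu))
    return history


if __name__ == "__main__":
    # Constructed event sequence for one connection with a negotiated MSS of 1460.
    events = [("icmp", 1400), ("icmp", 0), ("icmp", 9000), ("aging",), ("aging",)]
    print(replay(events))
```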

Enabling TCP SYN Cookie

A TCP connection is established through a three-way handshake:
1. The sender sends a SYN packet to the server.
2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.
3. The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is established.

An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and can no longer handle normal services.

SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.

To enable TCP SYN Cookie:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enable SYN Cookie.
Command: tcp syn-cookie enable
Remarks: The default setting is disabled.
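How a server can answer a SYN without keeping a semi-connection, as an added example that is not Comware's implementation. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash carried in the SYN ACK sequence number) is an assumption modeled on the commonly documented SYN cookie design, and the MSS table, addresses, secret and class name are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

COUNTER_SECONDS = 64  # assumed granularity of the time counter
MSS_TABLE = [64, 512, 536, 1024, 1280, 1400, 1440, 1460]  # illustrative values


def mac24(secret, src, sport, dst, dport, client_isn, counter, mss_idx):
    """24-bit keyed hash over the connection 4-tuple, client ISN, time and MSS index."""
    msg = struct.pack(
        "!4sH4sHIIB",
        ipaddress.IPv4Address(src).packed, sport,
        ipaddress.IPv4Address(dst).packed, dport,
        client_isn, counter, mss_idx,
    )
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, client_isn, client_mss, now):
    """Encode everything the server needs later into the SYN ACK sequence number."""
    counter = int(now) // COUNTER_SECONDS
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = mac24(secret, src, sport, dst, dport, client_isn, counter, idx)
    return ((counter & 0x1F) << 27) | (idx << 24) | mac


def check_ack(secret, src, sport, dst, dport, seq, ack, now):
    """Return the MSS if the ACK carries a valid, fresh cookie, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    idx = (cookie >> 24) & 0x7
    current = int(now) // COUNTER_SECONDS
    for counter in (current, current - 1):  # accept this and the previous period
        if counter < 0 or (counter & 0x1F) != cookie >> 27:
            continue
        expected = mac24(secret, src, sport, dst, dport, client_isn, counter, idx)
        received = cookie & 0xFFFFFF
        if hmac.compare_digest(expected.to_bytes(3, "big"), received.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


class CookieListener:
    """Server side of the handshake with SYN Cookie enabled."""

    def __init__(self, secret, addr, port):
        self.secret, self.addr, self.port = secret, addr, port
        self.half_open = {}    # stays empty: nothing is stored when a SYN arrives
        self.established = {}  # (client address, client port) -> MSS

    def on_syn(self, src, sport, client_isn, client_mss, now):
        """Return the SYN ACK sequence number; no per-connection state is kept."""
        return make_cookie(self.secret, src, sport, self.addr, self.port,
                           client_isn, client_mss, now)

    def on_ack(self, src, sport, seq, ack, now):
        """Create the connection only when the ACK proves a completed handshake."""
        mss = check_ack(self.secret, src, sport, self.addr, self.port, seq, ack, now)
        if mss is not None:
            self.established[(src, sport)] = mss
        return mss is not None


if __name__ == "__main__":
    server = CookieListener(b"constructed-secret", "2.2.2.1", 80)
    for i in range(1000):  # constructed SYNs that are never acknowledged
        server.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, i, 1460, now=1000)
    cookie = server.on_syn("1.1.1.1", 40000, 5000, 1460, now=1000)
    ok = server.on_ack("1.1.1.1", 40000, 5001, (cookie + 1) & 0xFFFFFFFF, now=1001)
    print(len(server.half_open), len(server.established), ok)
```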

Configuring the TCP buffer size

1. Enter system view.
Command: system-view
Remarks: N/A

2. Configure the size of TCP receive/send buffer.
Command: tcp window window-size
Remarks: The default buffer size is 64 KB.

Configuring TCP timers

You can configure the following TCP timers:
• SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response is received within the SYN wait timer interval, or the upper limit on TCP connection tries is reached, TCP fails to establish the connection.
• FIN wait timer—TCP starts the FIN wait timer when the state changes to FIN_WAIT_2. If no FIN packet is received within the timer interval, TCP terminates the connection. If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer, and tears down the connection when the timer expires.

To configure TCP timers:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Configure TCP timers.
Command:
• Configure the TCP SYN wait timer: tcp timer syn-timeout time-value
• Configure the TCP FIN wait timer: tcp timer fin-timeout time-value
Remarks: By default:
• The TCP SYN wait timer is 75 seconds.
• The TCP FIN wait timer is 675 seconds.

Enabling sending ICMP error messages

Perform this task to enable sending ICMP error messages, including redirect, time exceeded, and destination unreachable messages.

• ICMP redirect messages

A host that has only one default route sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop by following these rules:

The receiving and sending interfaces are the same.

The selected route is not created or modified by any ICMP redirect messages.

The selected route is not destined for 0.0.0.0.

There is no source route option in the received packet.

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing table.

• ICMP time exceeded messages

A device sends ICMP time exceeded messages by following these rules:

The device sends the source an ICMP TTL exceeded in transit message when the following conditions are met:
− The received packet is not destined for the device.
− The TTL field of the packet is 1.

When the device receives the first fragment of an IP datagram destined for it, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

• ICMP destination unreachable messages

A device sends ICMP destination unreachable messages by following these rules:

The device sends the source an ICMP network unreachable message when the following conditions are met:
− The packet does not match any route.
− No default route exists in the routing table.

The device sends the source an ICMP protocol unreachable message when the following conditions are met:
− The packet is destined for the device.
− The transport layer protocol of the packet is not supported by the device.

NOTE: If a DHCP enabled device receives an ICMP echo reply without sending any ICMP echo requests, the device does not send any ICMP protocol unreachable messages to the source. For more information about DHCP, see Layer 3—IP Services Configuration Guide.

The device sends the source an ICMP port unreachable message when the following conditions are met:
− The UDP packet is destined for the device.
− The packet's port number does not match the corresponding process.

The device sends the source an ICMP source route failed message when the following conditions are met:
− The source uses Strict Source Routing to send packets.
− The intermediate device finds that the next hop specified by the source is not directly connected.

The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:
− The MTU of the sending interface is smaller than the packet.
− The packet has DF set.

To enable sending ICMP error messages:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enable sending ICMP error messages.
Command:
• Enable sending ICMP redirect messages: ip redirects enable
• Enable sending ICMP time exceeded messages: ip ttl-expires enable
• Enable sending ICMP destination unreachable messages: ip unreachables enable
Remarks: The default settings are disabled.

Sending ICMP error messages facilitates network management, but sending excessive ICMP messages increases network traffic. The device performance degrades if it receives a lot of malicious ICMP messages that cause it to respond with ICMP error messages.

To prevent such problems, you can disable the device from sending ICMP error messages. A device that is disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages. However, it can still send ICMP fragment reassembly time exceeded messages.

Configuring rate limit for ICMP error messages

To avoid sending excessive ICMP error messages within a short period that might cause network congestion, you can limit the rate at which ICMP error messages are sent. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.

To configure rate limit for ICMP error messages:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Set the bucket size and the interval for tokens to arrive in the bucket for ICMP error messages.
Command: ip icmp error-interval milliseconds [ bucketsize ]
Remarks: By default, the bucket allows a maximum of 10 tokens. A token is placed in the bucket at an interval of 100 milliseconds. To disable the ICMP rate limit, set the interval to 0 milliseconds.
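The token bucket with the default values of 100 milliseconds and 10 tokens, as an added example rather than device code. It assumes the bucket starts full and uses a hypothetical class name; it shows how many ICMP error messages leave the device when triggering packets arrive far faster than tokens do.

```python
class IcmpErrorLimiter:
    """Token bucket: one token is one ICMP error message."""

    def __init__(self, interval_ms=100, bucket_size=10):
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size  # assumption: the bucket starts full
        self.last_refill_ms = 0

    def allow(self, now_ms):
        """Return True if an ICMP error message may be sent at now_ms."""
        if self.interval_ms == 0:
            return True  # an interval of 0 disables the rate limit
        arrived = (now_ms - self.last_refill_ms) // self.interval_ms
        if arrived > 0:
            # Tokens arrive one per interval, up to the bucket size.
            self.tokens = min(self.bucket_size, self.tokens + arrived)
            self.last_refill_ms += arrived * self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False  # bucket empty: the error message is not sent


def simulate(limiter, trigger_times_ms):
    """Count the ICMP error messages sent for packets arriving at the given times."""
    return sum(1 for t in trigger_times_ms if limiter.allow(t))


if __name__ == "__main__":
    # Constructed load: one triggering packet per millisecond for one second.
    flood = range(1000)
    print("default limit:", simulate(IcmpErrorLimiter(), flood))
    print("limit disabled:", simulate(IcmpErrorLimiter(interval_ms=0), flood))
    # A burst, a long idle period, then another burst of 20 packets.
    bursts = list(range(10)) + list(range(5000, 5020))
    print("two bursts:", simulate(IcmpErrorLimiter(), bursts))
```

With the defaults, a sustained flood yields the initial 10 messages and then one per 100 milliseconds, and idle time never banks more than the bucket size.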

Specifying the source address for ICMP packets

Perform this task to specify the source IP address for outgoing ping echo request and ICMP error messages. As a best practice, specify the IP address of the loopback interface as the source IP address. This feature helps users to locate the sending device easily.

If you specify an IP address in the ping command, ping echo requests use the specified address as the source IP address rather than the IP address specified by the ip icmp source command.

To specify the source IP address for ICMP packets:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Specify the source address for outgoing ICMP packets.
Command: ip icmp source [ vpn-instance vpn-instance-name ] ip-address
Remarks: By default, the device uses the IP address of the sending interface as the source IP address for outgoing ICMP packets.

Enabling IPv4 local fragment reassembly

Perform this task to enable the local reassembly feature for IPv4 fragments that are destined for the local device. This feature enables the receiving LPU to reassemble the IPv4 fragments instead of delivering them to the active MPU for reassembly. It improves the fragment reassembly performance.

To enable IPv4 local fragment reassembly:

1. Enter system view.
Command: system-view
Remarks: N/A

2. Enable IPv4 local fragment reassembly.
Command: ip reassemble local enable
Remarks: By default, IPv4 local fragment reassembly is disabled. This feature applies only to fragments received by the same LPU.

Displaying and maintaining IP performance optimization

Execute display commands in any view and reset commands in user view.

Task Command Display brief information about RawIP connections (centralized devices in standalone mode). display rawip

Display brief information about RawIP connections (distributed devices in standalone mode/centralized devices in IRF mode).

display rawip [ slot slot-number ]

Display brief information about RawIP connections (distributed devices in IRF mode).

display rawip [ chassis chassis-number slot slot-number ]

Display detailed information about RawIP connections (centralized devices in standalone mode). display rawip verbose [ pcb pcb-index ]

Display detailed information about RawIP connections (distributed devices in standalone mode/centralized devices in IRF mode).

display rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Display detailed information about RawIP connections (distributed devices in IRF mode).

display rawip verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Display brief information about TCP connections (centralized devices in standalone mode). display tcp

Display brief information about TCP connections (distributed devices in standalone mode/centralized devices in IRF mode). display tcp [ slot slot-number ]

Page 208: HPE FlexNetwork MSR Router Series - …h20628. FlexNetwork MSR Router Series ... Configuring Option 184 parameters for DHCP ... 186 Command and hardware ...

194

Task Command Display brief information about TCP connections (distributed devices in IRF mode).

display tcp [ chassis chassis-number slot slot-number ]

Display brief information about TCP proxy (centralized devices in standalone mode). display tcp-proxy

Display brief information about TCP proxy (distributed devices in standalone mode/centralized devices in IRF mode). display tcp-proxy slot slot-number

Display brief information about TCP proxy (distributed devices in IRF mode).

display tcp-proxy chassis chassis-number slot slot-number

Display detailed information about TCP connections (centralized devices in standalone mode). display tcp verbose [ pcb pcb-index ]

Display detailed information about TCP connections (distributed devices in standalone mode/centralized devices in IRF mode).

display tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Display detailed information about TCP connections (distributed devices in IRF mode).

display tcp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Display brief information about UDP connections (centralized devices in standalone mode). display udp

Display brief information about UDP connections (distributed devices in standalone mode/centralized devices in IRF mode). display udp [ slot slot-number ]

Display brief information about UDP connections (distributed devices in IRF mode).

display udp [ chassis chassis-number slot slot-number ]

Display detailed information about UDP connections (centralized devices in standalone mode). display udp verbose [ pcb pcb-index ]

Display detailed information about UDP connections (distributed devices in standalone mode/centralized devices in IRF mode).

display udp verbose [ slot slot-number [ pcb pcb-index ] ]

Display detailed information about UDP connections (distributed devices in IRF mode).

display udp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Display IP packet statistics (centralized devices in standalone mode). display ip statistics

Display IP packet statistics (distributed devices in standalone mode/centralized devices in IRF mode). display ip statistics [ slot slot-number ]

Display IP packet statistics (distributed devices in IRF mode). display ip statistics [ chassis chassis-number slot slot-number ]

Display TCP traffic statistics (centralized devices in standalone mode). display tcp statistics

Display TCP traffic statistics (distributed devices in standalone mode/centralized devices in IRF mode). display tcp statistics [ slot slot-number ]

Display TCP traffic statistics (distributed devices in IRF mode).

display tcp statistics [ chassis chassis-number slot slot-number ]

Display UDP traffic statistics (centralized devices in standalone mode). display udp statistics

Display UDP traffic statistics (distributed devices in standalone mode/centralized devices in IRF mode). display udp statistics [ slot slot-number ]

Display UDP traffic statistics (distributed devices in IRF mode).

display udp statistics [ chassis chassis-number slot slot-number ]

Display ICMP statistics (centralized devices in standalone mode). display icmp statistics

Display ICMP statistics (distributed devices in standalone mode/centralized devices in IRF mode).

display icmp statistics [ slot slot-number ]

Display ICMP statistics (distributed devices in IRF mode). display icmp statistics [ chassis chassis-number slot slot-number ]

Clear IP packet statistics (centralized devices in standalone mode). reset ip statistics

Clear IP packet statistics (distributed devices in standalone mode/centralized devices in IRF mode). reset ip statistics [ slot slot-number ]

Clear IP packet statistics (distributed devices in IRF mode). reset ip statistics [ chassis chassis-number slot slot-number ]

Clear TCP traffic statistics. reset tcp statistics

Clear UDP traffic statistics. reset udp statistics


Configuring UDP helper

Overview

UDP helper can provide the following packet conversions for packets with specific UDP destination port numbers:
• Convert broadcast to unicast, and forward the unicast packets to specific destinations.
• Convert broadcast to multicast, and forward the multicast packets.
• Convert multicast to broadcast or unicast, and forward the broadcast or unicast packets.

Feature and hardware compatibility

Hardware                               UDP helper compatibility
MSR954(JH296A/JH297A/JH298A/JH299A)    No
MSR1002-4/1003-8S                      Yes
MSR2003                                Yes
MSR2004-24/2004-48                     Yes
MSR3012/3024/3044/3064                 Yes
MSR4060/4080                           Yes

Configuration restrictions and guidelines

When you configure UDP helper, follow these restrictions and guidelines:
• By default, an interface on the device does not receive directed broadcasts destined for the directly connected network. To use UDP helper, execute the ip forward-broadcast command. For more information about receiving directed broadcasts destined for the directly connected network, see "Optimizing IP performance."
• Do not set UDP ports 67 and 68 for UDP helper, because UDP helper cannot forward DHCP broadcast packets.
• You can specify a maximum of 256 UDP ports for UDP helper.
• You can specify a maximum of 20 unicast and multicast addresses for UDP helper to convert broadcast packets on an interface.
• You can map one multicast address to a maximum of 16 broadcast and unicast addresses for UDP helper to convert multicast packets on an interface.

Configuring UDP helper to convert broadcast to unicast

You can configure UDP helper to convert broadcast packets with specific UDP port numbers to unicast packets.

Upon receiving a UDP broadcast packet, UDP helper uses the configured UDP ports to match the UDP destination port number of the packet.
• If a match is found, UDP helper duplicates the packet and modifies the destination IP address of the copy to the configured unicast address. Then UDP helper forwards the unicast packet to the unicast address.
• If no match is found, UDP helper does not process the packet.

To configure UDP helper to convert broadcast to unicast:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable UDP helper.
   Command: udp-helper enable
   Remarks: By default, UDP helper is disabled.

3. Specify a UDP port.
   Command: udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }
   Remarks: By default, no UDP port is specified.

4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

5. Specify a destination server for UDP helper to convert broadcast to unicast.
   Command: udp-helper server ip-address [ global | vpn-instance vpn-instance-name ]
   Remarks: By default, no destination server is specified. If you specify multiple destination servers, UDP helper creates one copy for each server. Use this command on the interface that receives broadcast packets.

Configuring UDP helper to convert broadcast to multicast

You can configure UDP helper to convert broadcast packets with specific UDP port numbers to multicast packets.

Upon receiving a UDP broadcast packet, UDP helper uses the configured UDP ports to match the UDP destination port number of the packet.
• If a match is found, UDP helper duplicates the packet and modifies the destination IP address of the copy to the configured multicast address. Then UDP helper forwards the packet to the multicast group.
• If no match is found, UDP helper does not process the packet.

To configure UDP helper to convert broadcast to multicast:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable UDP helper.
   Command: udp-helper enable
   Remarks: By default, UDP helper is disabled.

3. Specify a UDP port.
   Command: udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }
   Remarks: By default, no UDP port is specified.

4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

5. Specify a destination multicast address for UDP helper to convert broadcast to multicast.
   Command: udp-helper broadcast-map multicast-address [ acl acl-number ]
   Remarks: By default, no destination multicast address is specified for UDP helper. If you specify multiple multicast addresses, UDP helper creates one copy for each address. Use this command on the interface that receives broadcast packets.

Configuring UDP helper to convert multicast to broadcast or unicast

You can configure UDP helper to convert multicast packets with specific UDP port numbers and multicast addresses to broadcast or unicast packets.

Upon receiving a UDP multicast packet, UDP helper uses the configured UDP ports to match the UDP destination port number of the packet.
• If a match is found, UDP helper searches the configured mappings based on the packet's destination multicast address.
   • UDP helper duplicates the packet and modifies the copy's destination IP address to the broadcast or unicast address in the matched mapping. Then UDP helper forwards the packet to its destination.
   • If no match is found, UDP helper does not process the packet.
• If the packet's destination port number does not match the configured UDP ports, UDP helper does not process the packet.

To configure UDP helper to convert multicast to broadcast or unicast:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable UDP helper.
   Command: udp-helper enable
   Remarks: By default, UDP helper is disabled.

3. Specify a UDP port.
   Command: udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }
   Remarks: By default, no UDP port is specified.

4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

5. Map a multicast address to a directed broadcast or a unicast address for UDP helper.
   Command: udp-helper multicast-map multicast-address ip-address [ global | vpn-instance vpn-instance-name ] [ acl acl-number ]
   Remarks: By default, no address mapping is specified for UDP helper. If you specify multiple multicast and unicast addresses, UDP helper creates one copy for each address. For multicast to broadcast conversion, do not specify a limited broadcast address for the ip-address argument. Use this command on the interface that receives multicast packets.
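The restrictions and remarks in this chapter can be checked against a saved configuration before it is deployed. The following is an added example, not HPE code: it assumes the configuration is plain text with interface commands indented under an unindented "interface" line, and that ip forward-broadcast appears under the interface. The sample configuration is constructed.

```python
import re
from collections import defaultdict

# Constructed configuration text for illustration, not taken from a real device.
# Assumption: interface commands are indented under an unindented "interface" line.
SAMPLE_CONFIG = """\
udp-helper enable
udp-helper port 55
udp-helper port 67
udp-helper port dns
#
interface GigabitEthernet2/0/1
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 10.2.1.1
 udp-helper multicast-map 225.1.1.1 255.255.255.255
#
interface GigabitEthernet2/0/2
 ip address 10.3.1.1 255.255.0.0
 ip forward-broadcast
 udp-helper broadcast-map 225.1.1.1
#
"""

MAX_PORTS = 256              # UDP ports that can be specified for UDP helper
MAX_BROADCAST_TARGETS = 20   # unicast and multicast addresses per interface
MAX_TARGETS_PER_GROUP = 16   # addresses mapped to one multicast address
DHCP_PORTS = {"67", "68"}
LIMITED_BROADCAST = "255.255.255.255"


def audit_udp_helper(config):
    """Return a list of findings for the UDP helper commands in config."""
    enabled = False
    ports = set()
    bcast_targets = defaultdict(set)                       # iface -> servers, broadcast-map groups
    group_targets = defaultdict(lambda: defaultdict(set))  # iface -> group -> mapped addresses
    fwd_broadcast = set()
    iface = None

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented line: a new section starts
            m = re.match(r"interface\s+(\S+)", line)
            iface = m.group(1) if m else None
        if line == "udp-helper enable":
            enabled = True
        elif m := re.match(r"udp-helper port (\S+)", line):
            ports.add(m.group(1))
        elif iface and line.startswith("ip forward-broadcast"):
            fwd_broadcast.add(iface)
        elif iface and (m := re.match(r"udp-helper (?:server|broadcast-map) (\S+)", line)):
            bcast_targets[iface].add(m.group(1))
        elif iface and (m := re.match(r"udp-helper multicast-map (\S+) (\S+)", line)):
            group_targets[iface][m.group(1)].add(m.group(2))

    findings = []
    if (ports or bcast_targets or group_targets) and not enabled:
        findings.append("global: UDP helper is configured but 'udp-helper enable' is missing")
    for port in sorted(ports & DHCP_PORTS):
        findings.append(f"global: UDP port {port} is set, but UDP helper cannot forward DHCP broadcasts")
    if len(ports) > MAX_PORTS:
        findings.append(f"global: {len(ports)} UDP ports exceed the maximum of {MAX_PORTS}")

    for name in sorted(set(bcast_targets) | set(group_targets)):
        if name not in fwd_broadcast:
            findings.append(f"{name}: UDP helper is used without 'ip forward-broadcast'")
        count = len(bcast_targets.get(name, ()))
        if count > MAX_BROADCAST_TARGETS:
            findings.append(f"{name}: {count} broadcast targets exceed the maximum of {MAX_BROADCAST_TARGETS}")
        for group, targets in sorted(group_targets.get(name, {}).items()):
            if len(targets) > MAX_TARGETS_PER_GROUP:
                findings.append(f"{name}: {group} maps to more than {MAX_TARGETS_PER_GROUP} addresses")
            if LIMITED_BROADCAST in targets:
                findings.append(f"{name}: multicast-map {group} uses the limited broadcast address {LIMITED_BROADCAST}")
    return findings


if __name__ == "__main__":
    for finding in audit_udp_helper(SAMPLE_CONFIG):
        print(finding)
```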

Displaying and maintaining UDP helper

Execute display commands in any view and reset commands in user view.

Task: Display information about broadcast to unicast conversion by UDP helper on an interface.
Command: display udp-helper interface interface-type interface-number

Task: Clear packet statistics for UDP helper.
Command: reset udp-helper statistics

UDP helper configuration examples

Configuring UDP helper to convert broadcast to unicast

Network requirements

As shown in Figure 77, configure UDP helper to convert broadcast to unicast on GigabitEthernet 2/0/1 of Router A. This feature enables Router A to forward broadcast packets with UDP destination port 55 to the destination server 10.2.1.1/16.

Figure 77 Network diagram

Configuration procedure

Make sure Router A can reach the subnet 10.2.0.0/16.

# Enable UDP helper.
<RouterA> system-view
[RouterA] udp-helper enable

# Enable UDP helper to forward broadcast packets with the UDP destination port 55.
[RouterA] udp-helper port 55

# Specify the destination server 10.2.1.1 on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 10.110.1.1 16
[RouterA-GigabitEthernet2/0/1] udp-helper server 10.2.1.1

Verifying the configuration

# Display information about broadcast to unicast conversion by UDP helper on GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] display udp-helper interface gigabitethernet 2/0/1
Interface               Server VPN instance   Server address   Packets sent
GigabitEthernet2/0/1    N/A                   10.2.1.1         5

Configuring UDP helper to convert broadcast to multicast

Network requirements

As shown in Figure 78, Router B can receive multicast packets destined for 225.1.1.1.

Configure UDP helper to convert broadcast to multicast on GigabitEthernet 2/0/1 of Router A. This feature enables Router A to forward broadcast packets with UDP destination port number 55 to the multicast group 225.1.1.1.

Figure 78 Network diagram

Configuration procedure

Make sure Router A can reach the subnet 10.2.0.0/16.

# Enable UDP helper.
<RouterA> system-view
[RouterA] udp-helper enable

# Enable UDP helper to forward broadcast packets with the UDP destination port 55.
[RouterA] udp-helper port 55

# Configure UDP helper to convert broadcast packets to multicast packets destined for 225.1.1.1 on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 10.110.1.1 16
[RouterA-GigabitEthernet2/0/1] udp-helper broadcast-map 225.1.1.1
[RouterA-GigabitEthernet2/0/1] quit

# Enable IP multicast routing globally.
[RouterA] multicast routing
[RouterA-mrib] quit

# Enable PIM-DM and IGMP on GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] pim dm
[RouterA-GigabitEthernet2/0/1] igmp enable

# Configure GigabitEthernet 2/0/1 as a static member of the multicast group 225.1.1.1.
[RouterA-GigabitEthernet2/0/1] igmp static-group 225.1.1.1
[RouterA-GigabitEthernet2/0/1] quit

# Enable PIM-DM and IGMP on GigabitEthernet 2/0/2.
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] pim dm
[RouterA-GigabitEthernet2/0/2] igmp enable

# Configure GigabitEthernet 2/0/2 as a static member of the multicast group 225.1.1.1.
[RouterA-GigabitEthernet2/0/2] igmp static-group 225.1.1.1

Verifying the configuration

Verify that you can capture multicast packets from Router A on Router B.

Configuring UDP helper to convert multicast to broadcast

Network requirements

As shown in Figure 79, GigabitEthernet 2/0/1 of Router B is a member of the multicast group 225.1.1.1.

Configure UDP helper to convert multicast to broadcast on GigabitEthernet 2/0/1 of Router A. This feature enables Router A to forward multicast packets from Router B to all hosts on 10.110.0.0/16. The multicast packets have the following details:
• UDP destination port number 55.
• Destination IP address 225.1.1.1.

Figure 79 Network diagram

Configuration procedure

Make sure Router A can reach the subnet 10.2.0.0/16.

# Enable UDP helper.
<RouterA> system-view
[RouterA] udp-helper enable

# Enable UDP helper to forward multicast packets with the UDP destination port 55.
[RouterA] udp-helper port 55

# Configure UDP helper to convert multicast packets from 225.1.1.1 to broadcast packets destined for 10.110.255.255.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] udp-helper multicast-map 225.1.1.1 10.110.255.255

Verifying the configuration

Verify that you can capture broadcast packets on all hosts on the network segment 10.110.0.0/16. The broadcast packets are from Router A.

Configuring basic IPv6 settings

Overview

IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

IPv6 features

Simplified header format

IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header. The basic IPv6 packet header has a fixed length of 40 bytes to simplify IPv6 packet handling and improve forwarding efficiency. Although the IPv6 address size is four times the IPv4 address size, the basic IPv6 packet header size is only twice the size of the option-less IPv4 packet header.

Figure 80 IPv4 packet header format and basic IPv6 packet header format

Larger address space

IPv6 can provide 3.4 x 10^38 addresses to meet the requirements of hierarchical address assignment for both public and private networks.

Hierarchical address structure

IPv6 uses a hierarchical address structure to speed up route lookup and reduce the IPv6 routing table size through route aggregation.

Address autoconfiguration

To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring the DHCPv6 server."
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.

To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).

Built-in security

IPv6 defines extension headers to support IPsec. IPsec provides end-to-end security and enhances interoperability among different IPv6 applications.

QoS support

The Flow Label field in the IPv6 header allows the device to label the packets of a specific flow for special handling.

Enhanced neighbor discovery mechanism

The IPv6 neighbor discovery protocol uses a group of ICMPv6 messages to manage information exchange among neighboring nodes on the same link. The group of ICMPv6 messages replaces ARP messages, ICMPv4 router discovery messages, and ICMPv4 redirect messages and provides a series of other functions.

Flexible extension headers

IPv6 eliminates the Options field in the header and introduces optional extension headers to provide scalability and improve efficiency. The Options field in the IPv4 packet header contains a maximum of 40 bytes, whereas the IPv6 extension headers are restricted to the maximum size of IPv6 packets.

IPv6 addresses

IPv6 address formats

An IPv6 address is represented as a set of 16-bit hexadecimals separated by colons (:). An IPv6 address is divided into eight groups, and each 16-bit group is represented by four hexadecimal numbers, for example, 2001:0000:130F:0000:0000:09C0:876A:130B.

To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the following methods:
• The leading zeros in each group can be removed. For example, the above address can be represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.
• If an IPv6 address contains one or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, the above address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.

IMPORTANT: A double colon can appear once or not at all in an IPv6 address. This limit allows the device to determine how many zeros the double colon represents and correctly convert it to zeros to restore a 128-bit IPv6 address.

An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address.

An IPv6 address prefix is written in IPv6-address/prefix-length notation. The prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address are in the address prefix.

IPv6 address types

IPv6 addresses include the following types:
• Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.

• Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Broadcast addresses are replaced by multicast addresses in IPv6.

• Anycast address—An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the nearest interface among the interfaces identified by that address. The nearest interface is chosen according to the routing protocol's measure of distance.

The type of an IPv6 address is designated by the first several bits, called the format prefix.

Table 7 Mappings between address types and format prefixes

Type                                      Format prefix (binary)   IPv6 prefix ID
Unicast address: Unspecified address      00...0 (128 bits)        ::/128
Unicast address: Loopback address         00...1 (128 bits)        ::1/128
Unicast address: Link-local address       1111111010               FE80::/10
Unicast address: Global unicast address   Other forms              N/A
Multicast address                         11111111                 FF00::/8
Anycast address                           Anycast addresses use the unicast address space and have the identical structure of unicast addresses.

Unicast addresses

Unicast addresses include global unicast addresses, link-local unicast addresses, the loopback address, and the unspecified address.
• Global unicast addresses—Equivalent to public IPv4 addresses, global unicast addresses are provided for Internet service providers. This type of address allows for prefix aggregation to restrict the number of global routing entries.

• Link-local addresses—Used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.

• A loopback address—0:0:0:0:0:0:0:1 (or ::1). It has the same function as the loopback address in IPv4. It cannot be assigned to any physical interface. A node uses this address to send an IPv6 packet to itself.

• An unspecified address—0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.

Multicast addresses

IPv6 multicast addresses listed in Table 8 are reserved for special purposes.

Table 8 Reserved IPv6 multicast addresses

Address    Application
FF01::1    Node-local scope all-nodes multicast address.
FF02::1    Link-local scope all-nodes multicast address.
FF01::2    Node-local scope all-routers multicast address.
FF02::2    Link-local scope all-routers multicast address.

Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.

EUI-64 address-based interface identifiers

An interface identifier is 64 bits long and uniquely identifies an interface on a link. Interfaces generate EUI-64 address-based interface identifiers differently.
• On an IEEE 802 interface (such as an Ethernet interface and a VLAN interface)—The interface identifier is derived from the link-layer address (typically a MAC address) of the interface. The MAC address is 48 bits long. To obtain an EUI-64 address-based interface identifier, follow these steps:
   a. Insert the 16-bit binary number 1111111111111110 (hexadecimal value of FFFE) behind the 24th high-order bit of the MAC address.
   b. Invert the universal/local (U/L) bit (the seventh high-order bit). This operation makes the interface identifier have the same local or global significance as the MAC address.

Figure 81 Converting a MAC address into an EUI-64 address-based interface identifier

• On a tunnel interface—The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For more information about tunnels, see "Configuring tunneling."

• On an interface of another type (such as a serial interface)—The EUI-64 address-based interface identifier is generated randomly by the device.
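The EUI-64 steps above and the solicited-node format described under "Multicast addresses" can be worked through in code, including the reverse mapping that lets an inventory or forensic tool recover a MAC address from an EUI-64 based IPv6 address. This is an added example, not part of the HPE guide; the MAC address 00:12:34:00:AB:CD and the prefix 2001:db8:1::/64 are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac):
    """64-bit interface identifier derived from a 48-bit MAC address, as an int."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits long")
    # Step a: insert FFFE behind the 24th high-order bit.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Step b: invert the U/L bit, the seventh high-order bit (mask 0x02).
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def tunnel_interface_id(ipv4, isatap=False):
    """Tunnel interface identifier: lower 32 bits are the tunnel source IPv4 address."""
    high = 0x00005EFE if isatap else 0  # 0000:5EFE for ISATAP, all zeros otherwise
    return (high << 32) | int(ipaddress.IPv4Address(ipv4))


def address_from(prefix, interface_id):
    """Combine an address prefix (at most 64 bits) with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("the prefix leaves no room for a 64-bit interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def solicited_node(address):
    """FF02:0:0:0:0:1:FFXX:XXXX, where XX:XXXX is the last 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_address(address):
    """Recover the MAC address from an EUI-64 based address, or None if it is not one."""
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # tunnel, random, or manually configured interface identifier
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the U/L bit inversion
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    iid = eui64_interface_id("00:12:34:00:AB:CD")
    link_local = address_from("fe80::/10", iid)
    print(link_local, solicited_node(link_local), mac_from_address(link_local))
    print(address_from("fe80::/10", tunnel_interface_id("10.2.1.1", isatap=True)))
```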

IPv6 ND protocol

The IPv6 Neighbor Discovery (ND) protocol uses the following ICMPv6 messages:

Table 9 ICMPv6 messages used by ND

ICMPv6 message (Type): Function

Neighbor Solicitation (NS) (135):
• Acquires the link-layer address of a neighbor.
• Verifies whether a neighbor is reachable.
• Detects duplicate addresses.

Neighbor Advertisement (NA) (136):
• Responds to an NS message.
• Notifies the neighboring nodes of link layer changes.

Router Solicitation (RS) (133):
• Requests an address prefix and other configuration information for autoconfiguration after startup.

Router Advertisement (RA) (134):
• Responds to an RS message.
• Advertises information, such as the Prefix Information options and flag bits.

Redirect (137):
• Informs the source host of a better next hop on the path to a particular destination when certain conditions are met.

Address resolution

This function is similar to ARP in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA messages. Figure 82 shows how Host A acquires the link-layer address of Host B on the same link.

Figure 82 Address resolution

The address resolution procedure is as follows:
1. Host A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of Host A. The destination address is the solicited-node multicast address of Host B. The NS message body contains the link-layer address of Host A and the target IPv6 address.
2. After receiving the NS message, Host B determines whether the target address of the packet is its IPv6 address. If it is, Host B learns the link-layer address of Host A, and then unicasts an NA message containing its link-layer address.
3. Host A acquires the link-layer address of Host B from the NA message.

Neighbor reachability detection

After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages to test reachability of Host B as follows:
1. Host A sends an NS message whose destination address is the IPv6 address of Host B.
2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable.

Duplicate address detection

After Host A acquires an IPv6 address, it performs Duplicate Address Detection (DAD) to check whether the address is being used by any other node. This is similar to gratuitous ARP in IPv4. DAD is accomplished through NS and NA messages.

Figure 83 Duplicate address detection

1. Host A sends an NS message. The source address is the unspecified address and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message body contains the detected IPv6 address.
2. If Host B uses this IPv6 address, Host B returns an NA message that contains its IPv6 address.
3. Host A knows that the IPv6 address is being used by Host B after receiving the NA message from Host B. If it receives no NA message, Host A decides that the IPv6 address is not in use and uses this address.
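The three uses of NS messages described above (address resolution, reachability detection, and DAD) differ only in their source and destination addresses, which a monitoring tool can use to label captured ND traffic and to report DAD probes that were answered by an NA. This is an added example, not part of the HPE guide; the capture is constructed with documentation addresses, and the NS/NA layout (8 header bytes followed by the 16-byte target) follows RFC 4861.

```python
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(address):
    """FF02::1:FFXX:XXXX built from the last 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def parse_nd(src, dst, icmpv6):
    """Decode one ICMPv6 message; return None when it is not an ND message."""
    if len(icmpv6) < 8:
        raise ValueError("truncated ICMPv6 message")
    name = ND_TYPES.get(icmpv6[0])
    if name is None:
        return None
    msg = {"type": name, "src": ipaddress.IPv6Address(src),
           "dst": ipaddress.IPv6Address(dst), "target": None}
    if name in ("NS", "NA"):
        # 4 bytes of type/code/checksum, 4 reserved or flag bytes, then the target.
        if len(icmpv6) < 24:
            raise ValueError("NS/NA message without a complete target address")
        msg["target"] = ipaddress.IPv6Address(icmpv6[8:24])
    return msg


def classify(msg):
    """Label an ND message by the role the guide describes for it."""
    if msg["type"] != "NS":
        return msg["type"]
    if msg["dst"] == solicited_node(msg["target"]):
        return "DAD" if msg["src"] == UNSPECIFIED else "address resolution"
    if msg["dst"] == msg["target"]:
        return "reachability detection"
    return "NS (unclassified)"


def analyze(capture):
    """Return (labels, conflicts): a label per ND message and DAD targets answered by an NA."""
    labels, conflicts, probing = [], [], set()
    for src, dst, payload in capture:
        msg = parse_nd(src, dst, payload)
        if msg is None:
            continue
        label = classify(msg)
        labels.append(label)
        if label == "DAD":
            probing.add(msg["target"])
        elif label == "NA" and msg["target"] in probing:
            conflicts.append(str(msg["target"]))  # the probed address is already in use
            probing.discard(msg["target"])
    return labels, conflicts


def build(msg_type, target=None):
    """Constructed sample bytes; the checksum is left as zero and options are omitted."""
    head = struct.pack("!BBHI", msg_type, 0, 0, 0)
    return head + (ipaddress.IPv6Address(target).packed if target else b"")


HOST_A, HOST_B, TENTATIVE = "2001:db8::a", "2001:db8::b", "2001:db8::1:abcd"
# Constructed capture: (source, destination, ICMPv6 bytes).
SAMPLE_CAPTURE = [
    ("::", str(solicited_node(TENTATIVE)), build(135, TENTATIVE)),  # DAD probe
    (TENTATIVE, "ff02::1", build(136, TENTATIVE)),                  # current owner answers
    (HOST_A, str(solicited_node(HOST_B)), build(135, HOST_B)),      # address resolution
    (HOST_B, HOST_A, build(136, HOST_B)),
    (HOST_A, HOST_B, build(135, HOST_B)),                           # reachability check
    (HOST_B, HOST_A, build(136, HOST_B)),
    ("fe80::1", "ff02::2", build(133)),                             # router solicitation
    (HOST_A, HOST_B, build(128)),                                   # not an ND message
]

if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE))
```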

Router/prefix discovery and stateless address autoconfiguration

A node performs router/prefix discovery and stateless address autoconfiguration as follows:
1. At startup, a node sends an RS message to request configuration information from a router.
2. The router returns an RA message containing the Prefix Information option and other configuration information. (The router also periodically sends an RA message.)
3. The node automatically generates an IPv6 address and other configuration parameters according to the configuration information in the RA message.

The Prefix Information option contains an address prefix and the preferred lifetime and valid lifetime of the address prefix. A node updates the preferred lifetime and valid lifetime upon receiving a periodic RA message.

The generated IPv6 address is valid within the valid lifetime and becomes invalid when the valid lifetime expires.

After the preferred lifetime expires, the node cannot use the generated IPv6 address to establish new connections, but can receive packets destined for the IPv6 address. The preferred lifetime cannot be greater than the valid lifetime.

Redirection

Upon receiving a packet from a host, the gateway sends an ICMPv6 redirect message to inform the host of a better next hop when the following conditions are met:
• The interface receiving the packet is the same as the interface forwarding the packet.
• The selected route is not created or modified by an ICMPv6 redirect message.
• The selected route is not a default route on the device.
• The forwarded IPv6 packet does not contain the routing extension header.

IPv6 path MTU discovery

The links that a packet passes from a source to a destination can have different MTUs, among which the minimum MTU is the path MTU. If a packet exceeds the path MTU, the source end fragments the packet to reduce the processing pressure on intermediate devices and to use network resources effectively.

A source end uses path MTU discovery to find the path MTU to a destination, as shown in Figure 84.

Figure 84 Path MTU discovery process

1. The source host sends a packet no larger than its MTU to the destination host.
2. If the MTU of a device's output interface is smaller than the packet, the device performs the following tasks:
   a. Discards the packet.
   b. Returns an ICMPv6 error message containing the interface MTU to the source host.
3. Upon receiving the ICMPv6 error message, the source host performs the following tasks:
   a. Uses the returned MTU to limit the packet size.
   b. Performs fragmentation.
   c. Sends the fragments to the destination host.
4. Step 2 and step 3 are repeated until the destination host receives the packet. In this way, the source host finds the minimum MTU of all links in the path to the destination host.

IPv6 transition technologies

IPv6 transition technologies enable communication between IPv4 and IPv6 networks. The following IPv6 transition technologies can be used for different applications:
• Dual stack (RFC 2893)
• Tunneling (RFC 2893)
• NAT-PT (RFC 2766)
• IPv6 on the provider edge routers (6PE)

Dual stack

Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is a dual-stack node. A dual-stack node configured with an IPv4 address and an IPv6 address can forward both IPv4 and IPv6 packets. An application that supports both IPv4 and IPv6 prefers IPv6 at the network layer.

Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual-stack node must have a globally unique IPv4 address.

Tunneling

Tunneling uses one network protocol to encapsulate the packets of another network protocol and transfers them over the network. For more information about tunneling, see "Configuring tunneling."

NAT-PT

Network Address Translation – Protocol Translation (NAT-PT) enables communication between IPv4 and IPv6 nodes by translating between IPv4 and IPv6 packets. It performs IP address translation, and according to different protocols, performs semantic translation for packets. This technology is only suitable for communication between a pure IPv4 node and a pure IPv6 node. For more information about NAT-PT, see "Configuring NAT-PT."

6PE

6PE enables communication between isolated IPv6 networks over an IPv4 backbone network.

6PE adds labels to the IPv6 routing information about customer networks and advertises the information into the IPv4 backbone network over internal Border Gateway Protocol (IBGP) sessions. IPv6 packets are labeled and forwarded over tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS LSPs.

Figure 85 Network diagram

6PE is a highly efficient solution. When an ISP wants to utilize the existing IPv4/MPLS network to provide IPv6 traffic switching, it only needs to upgrade the PE routers. In addition, the operation risk of 6PE is very low. For more information about 6PE, see Layer 3—IP Routing Configuration Guide.

Protocols and standards

Protocols and standards related to IPv6 include:
• RFC 1881, IPv6 Address Allocation Management
• RFC 1887, An Architecture for IPv6 Unicast Address Allocation
• RFC 1981, Path MTU Discovery for IP version 6
• RFC 2375, IPv6 Multicast Address Assignments
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses
• RFC 4191, Default Router Preferences and More-Specific Routes
• RFC 4291, IP Version 6 Addressing Architecture
• RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 4861, Neighbor Discovery for IP Version 6 (IPv6)
• RFC 4862, IPv6 Stateless Address Autoconfiguration


Compatibility information

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A)

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

IPv6 basics configuration task list

Tasks at a glance

(Required.) Assigning IPv6 addresses to interfaces:
• Configuring an IPv6 global unicast address
• Configuring an IPv6 link-local address
• Configuring an IPv6 anycast address

(Optional.) Configuring IPv6 ND:
• Configuring a static neighbor entry
• Setting the maximum number of dynamic neighbor entries
• Setting the aging timer for ND entries in stale state
• Minimizing link-local ND entries
• Setting the hop limit
• Configuring parameters for RA messages
• Configuring the maximum number of attempts to send an NS message for DAD
• Enabling ND proxy
• Configuring IPv6 ND suppression
• Configuring IPv6 ND direct route advertisement

(Optional.) Configuring path MTU discovery:
• Configuring the interface MTU
• Configuring a static path MTU for an IPv6 address
• Configuring the aging time for dynamic path MTUs

(Optional.) Controlling sending ICMPv6 messages:
• Configuring the rate limit for ICMPv6 error messages
• Enabling replying to multicast echo requests
• Enabling sending ICMPv6 destination unreachable messages
• Enabling sending ICMPv6 time exceeded messages
• Enabling sending ICMPv6 redirect messages
• Specifying the source address for ICMPv6 packets

(Optional.) Enabling IPv6 local fragment reassembly

(Optional.) Configuring IPv6 load sharing based on bandwidth


Assigning IPv6 addresses to interfaces

This section describes how to configure an IPv6 global unicast address, an IPv6 link-local address, and an IPv6 anycast address.

Configuring an IPv6 global unicast address

Use one of the following methods to configure an IPv6 global unicast address for an interface:
• EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface ID is generated automatically by the interface.
• Manual configuration—The IPv6 global unicast address is manually configured.
• Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.

You can configure multiple IPv6 global unicast addresses on an interface.

Manually configured global unicast addresses (including EUI-64 IPv6 addresses) take precedence over automatically generated ones. If you manually configure a global unicast address with the same address prefix as an existing global unicast address on an interface, the manually configured one takes effect. However, it does not overwrite the automatically generated address. If you remove the manually configured global unicast address, the device uses the automatically generated one.

EUI-64 IPv6 address

To configure an interface to generate an EUI-64 IPv6 address:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the interface to generate an EUI-64 IPv6 address.
   Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
   Remarks: By default, no EUI-64 IPv6 address is configured on an interface.

Manual configuration

To configure an IPv6 global unicast address for an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure an IPv6 global unicast address for the interface.
   Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
   Remarks: By default, no IPv6 global unicast address is configured on an interface.

Stateless address autoconfiguration

To configure an interface to generate an IPv6 address through stateless address autoconfiguration:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable stateless address autoconfiguration.
   Command: ipv6 address auto
   Remarks: By default, no IPv6 global unicast address is configured on an interface. Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses and link-local addresses that are automatically generated on the interface.

After this configuration is completed, the interface automatically generates an IPv6 global unicast address by using the address prefix in the received RA message and the interface ID. On an IEEE 802 interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated based on the interface's MAC address and is globally unique. An attacker can exploit this rule to identify the sending device easily.

To fix the vulnerability, you can configure the temporary address function. With this function, an IEEE 802 interface generates the following addresses:
• Public IPv6 address—Includes the address prefix in the RA message and a fixed interface ID generated based on the MAC address of the interface.
• Temporary IPv6 address—Includes the address prefix in the RA message and a random interface ID generated through MD5.

You can also configure the interface to preferentially use the temporary IPv6 address as the source address of sent packets. When the valid lifetime of the temporary IPv6 address expires, the interface removes the address and generates a new one. This function enables the system to send packets with different source addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD conflict, the public IPv6 address is used.

The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:
• The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:
   • The preferred lifetime of the address prefix in the RA message.
   • The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number ranging from 0 to 600 seconds).
• The valid lifetime of a temporary IPv6 address takes the smaller of the following values:
   • The valid lifetime of the address prefix.
   • The valid lifetime configured for temporary IPv6 addresses.

To configure the temporary address function:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the temporary IPv6 address function.
   Command: ipv6 temporary-address [ valid-lifetime preferred-lifetime ]
   Remarks: By default, the temporary IPv6 address function is disabled.
3. Enable the system to preferentially use the temporary IPv6 address as the source address of the packet.
   Command: ipv6 prefer temporary-address
   Remarks: By default, the system does not preferentially use the temporary IPv6 address as the source address of the packet.


To generate a temporary address, an interface must be enabled with stateless address autoconfiguration. Temporary IPv6 addresses do not overwrite public IPv6 addresses, so an interface can have multiple IPv6 addresses with the same address prefix but different interface IDs.

If an interface fails to generate a public IPv6 address because of a prefix conflict or other reasons, it does not generate any temporary IPv6 address.

Configuring a static IPv6 prefix

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a static IPv6 prefix.
   Command: ipv6 prefix prefix-number ipv6-prefix/prefix-length
   Remarks: By default, the device has no static IPv6 prefix.

Configuring an IPv6 link-local address

Configure IPv6 link-local addresses using one of the following methods:
• Automatic generation—The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.
• Manual assignment—Manually configure an IPv6 link-local address for an interface.

An interface can have only one link-local address. To avoid link-local address conflicts, use the automatic generation method.

Manual assignment takes precedence over automatic generation.
• If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.
• If you first use manual assignment and then automatic generation, both of the following occur:
   • The automatically generated link-local address does not take effect.
   • The link-local address is still the manually assigned one.

If you delete the manually assigned address, the automatically generated link-local address takes effect.

Configuring automatic generation of an IPv6 link-local address for an interface

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the interface to automatically generate an IPv6 link-local address.
   Command: ipv6 address auto link-local
   Remarks: By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.

Manually specifying an IPv6 link-local address for an interface

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Manually specify an IPv6 link-local address for the interface.
   Command: ipv6 address ipv6-address link-local
   Remarks: By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.

After you configure an IPv6 global unicast address for an interface, the interface automatically generates a link-local address. The automatically generated link-local address is the same as the one generated by using the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface, this manual link-local address takes effect. If the manually assigned link-local address is removed, the automatically generated link-local address takes effect.

Using the undo ipv6 address auto link-local command on an interface only removes the link-local address generated by the ipv6 address auto link-local command. If the interface has an IPv6 global unicast address, it still has a link-local address. If the interface has no IPv6 global unicast address, it has no link-local address.

Configuring an IPv6 anycast address

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure an IPv6 anycast address.
   Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast
   Remarks: By default, no IPv6 anycast address is configured on an interface.

Configuring IPv6 ND

This section describes how to configure IPv6 ND.

Configuring a static neighbor entry

A neighbor entry stores information about a link-local node. The entry can be created dynamically through NS and NA messages, or configured statically.

The device uniquely identifies a static neighbor entry by the IPv6 address and the local Layer 3 interface number of the neighbor. You can configure a static neighbor entry by using one of the following methods:
• Method 1—Associate a neighbor's IPv6 address and link-layer address with the local Layer 3 interface. If you use Method 1, the device automatically finds the Layer 2 port connected to the neighbor.
• Method 2—Associate a neighbor's IPv6 address and link-layer address with a Layer 2 port in a VLAN. If you use Method 2, make sure the Layer 2 port belongs to the specified VLAN and the corresponding VLAN interface already exists. The device associates the VLAN interface with the neighbor IPv6 address to identify the static neighbor entry.


Do not specify a Reth interface as the outgoing interface in IPv6 static neighbor entries if its member interfaces contain subinterfaces. For more information about Reth interfaces, see High Availability Configuration Guide.

To configure a static neighbor entry:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a static neighbor entry.
   Command: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } [ vpn-instance vpn-instance-name ]
   Remarks: By default, no static neighbor entry exists on the device.

Setting the maximum number of dynamic neighbor entries

The device can dynamically acquire the link-layer address of a neighboring node through NS and NA messages and add it into the neighbor table. When the number of dynamic neighbor entries reaches the threshold, the interface stops learning neighbor information. To prevent an interface from occupying too many neighbor table resources, you can set the maximum number of dynamic neighbors that an interface can learn.

To set the maximum number of dynamic neighbor entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Set the maximum number of dynamic neighbor entries that the interface can learn.
   Command: ipv6 neighbors max-learning-num number
   Remarks: The default setting for different device models is as follows:
   • MSR1002-4/1003-8S: 2048.
   • MSR2003: 2048.
   • MSR2004-24/2004-48: 2048.
   • MSR3012/3024/3044/3064: 4096.
   • MSR4060/4080.

Setting the aging timer for ND entries in stale state

ND entries in stale state have an aging timer. If an ND entry in stale state is not refreshed before the timer expires, the ND entry changes to the delay state. If it is still not refreshed in 5 seconds, the ND entry changes to the probe state, and the device sends an NS message three times. If no response is received, the device removes the ND entry.

To set the aging timer for ND entries in stale state:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the aging timer for ND entries in stale state.
   Command: ipv6 neighbor stale-aging aging-time
   Remarks: The default setting is 240 minutes.


Minimizing link-local ND entries

Perform this task to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries that contain link-local addresses.

By default, the device assigns all ND entries to the driver. With this function enabled, the device does not add newly learned link-local ND entries whose link-local addresses are not the next hop of any route into the driver. This saves driver resources.

This function takes effect only on newly learned link-local ND entries.

To minimize link-local ND entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Minimize link-local ND entries.
   Command: ipv6 neighbor link-local minimize
   Remarks: By default, the device assigns all ND entries to the driver.

Setting the hop limit

The device advertises the hop limit in RA messages. All RA message receivers use the advertised value to fill in the Hop Limit field for IPv6 packets to be sent. To disable the device from advertising the hop limit, use the ipv6 nd ra hop-limit unspecified command.

To set the hop limit:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the Hop Limit field in the IP header.
   Command: ipv6 hop-limit value
   Remarks: The default setting is 64.

Configuring parameters for RA messages

You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 10 describes the configurable parameters in an RA message.

Table 10 Parameters in an RA message and their descriptions

Parameter | Description
Hop Limit | Maximum number of hops in RA messages. A host receiving the RA message fills the value in the Hop Limit field of sent IPv6 packets.
Prefix information | After receiving the prefix information, the hosts on the same link can perform stateless autoconfiguration.
MTU | Guarantees that all nodes on the link use the same MTU.
M flag | Determines whether a host uses stateful autoconfiguration to obtain an IPv6 address. If the M flag is set to 1, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain an IPv6 address. Otherwise, the host uses stateless autoconfiguration to generate an IPv6 address according to its link-layer address and the prefix information in the RA message.
O flag | Determines whether a host uses stateful autoconfiguration to obtain configuration information other than IPv6 address. If the O flag is set to 1, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than IPv6 address. Otherwise, the host uses stateless autoconfiguration.
Router Lifetime | Tells the receiving hosts how long the advertising router can live. If the lifetime of a router is 0, the router cannot be used as the default gateway.
Retrans Timer | If the device does not receive a response message within the specified time after sending an NS message, it retransmits the NS message.
Reachable Time | If the neighbor reachability detection shows that a neighbor is reachable, the device considers the neighbor reachable within the specified reachable time. If the device needs to send a packet to the neighbor after the specified reachable time expires, the device reconfirms whether the neighbor is reachable.
Router Preference | Specifies the router preference in an RA message. A host selects a router as the default gateway according to the router preference. If router preferences are the same, the host selects the router from which the first RA message is received.

The maximum interval for sending RA messages should be less than (or equal to) the router lifetime in RA messages. In this way, the router can be updated by an RA message before expiration.

The values of the NS retransmission timer and the reachable time configured for an interface are sent in RA messages to hosts. This interface sends NS messages at the interval of the NS retransmission timer and considers a neighbor reachable within the reachable time.
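To see where the Table 10 parameters sit on the wire, the following Python sketch decodes an ICMPv6 Router Advertisement and checks the two interval recommendations stated in this section. It is an added example, not HPE code: the function names are hypothetical, the sample RA is constructed from the default values quoted in this section (checksum left at 0 and not verified), and the field layout follows RFC 4861 with the preference bits from RFC 4191.

```python
import ipaddress
import struct

# Encoding of the two router preference bits (RFC 4191).
PREFERENCE = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "reserved"}


def build_sample_ra(flags=0x00, router_lifetime=1800):
    """Constructed RA: hop limit 64, one /64 prefix option, MTU option 1500."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, router_lifetime, 0, 0)
    # Prefix Information option: type 3, length 4 (x8 octets), L and A flags set.
    prefix = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    prefix += ipaddress.IPv6Address("2001:db8:1:2::").packed
    # MTU option: type 5, length 1 (x8 octets).
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    return header + prefix + mtu


def parse_ra(msg):
    """Decode the Table 10 fields from an ICMPv6 RA (type 134)."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop, flags, lifetime, reachable, retrans = struct.unpack(
        "!BBHBBHII", msg[:16])
    ra = {
        "hop_limit": hop,                      # 0 means unspecified
        "managed": bool(flags & 0x80),         # M flag
        "other": bool(flags & 0x40),           # O flag
        "preference": PREFERENCE[(flags >> 3) & 0x3],
        "router_lifetime": lifetime,           # seconds; 0 = not a default gateway
        "reachable_time": reachable,           # milliseconds
        "retrans_timer": retrans,              # milliseconds
        "mtu": None,
        "prefixes": [],
    }
    offset = 16
    while offset < len(msg):
        if offset + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[offset], msg[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(msg):
            raise ValueError("malformed option length")
        body = msg[offset + 2:offset + opt_len]
        if opt_type == 3 and opt_len == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80),     # cleared by off-link
                "autoconfig": bool(pflags & 0x40),  # cleared by no-autoconfig
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        elif opt_type == 5 and opt_len == 8:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        offset += opt_len  # unknown options are skipped
    return ra


def check_ra_timers(max_interval, min_interval, router_lifetime):
    """Return the interval recommendations from this section that are violated."""
    problems = []
    if max_interval > router_lifetime:
        problems.append("maximum RA interval exceeds the router lifetime")
    if min_interval > 0.75 * max_interval:
        problems.append("minimum RA interval exceeds 0.75 times the maximum")
    return problems


if __name__ == "__main__":
    for key, value in parse_ra(build_sample_ra()).items():
        print(f"{key}: {value}")
    print(check_ra_timers(600, 200, 1800) or "timers consistent")
```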

Enabling sending of RA messages

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable sending of RA messages.
   Command: undo ipv6 nd ra halt
   Remarks: The default setting is disabled.
4. Configure the maximum and minimum intervals for sending RA messages.
   Command: ipv6 nd ra interval max-interval-value min-interval-value
   Remarks: By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds. The device sends RA messages at random intervals between the maximum interval and the minimum interval. The minimum interval should be less than or equal to 0.75 times the maximum interval.

Configuring parameters for RA messages

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the prefix information in RA messages.
   Command: ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *
   Remarks: By default, no prefix information is configured for RA messages, and the IPv6 address of the interface sending RA messages is used as the prefix information. If the IPv6 address is manually configured, the prefix uses a fixed valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days). If the IPv6 address is automatically obtained, the prefix uses the valid lifetime and preferred lifetime configured for the IPv6 address.
4. Turn off the MTU option in RA messages.
   Command: ipv6 nd ra no-advlinkmtu
   Remarks: By default, RA messages contain the MTU option.
5. Specify unlimited hops in RA messages.
   Command: ipv6 nd ra hop-limit unspecified
   Remarks: By default, the maximum number of hops in RA messages is 64.
6. Set the M flag bit to 1.
   Command: ipv6 nd autoconfig managed-address-flag
   Remarks: By default, the M flag bit is set to 0 in RA advertisements. Hosts receiving the advertisements will obtain IPv6 addresses through stateless autoconfiguration.
7. Set the O flag bit to 1.
   Command: ipv6 nd autoconfig other-flag
   Remarks: By default, the O flag bit is set to 0 in RA advertisements. Hosts receiving the advertisements will acquire other configuration information through stateless autoconfiguration.
8. Configure the router lifetime in RA messages.
   Command: ipv6 nd ra router-lifetime value
   Remarks: By default, the router lifetime is 1800 seconds.
9. Set the NS retransmission timer.
   Command: ipv6 nd ns retrans-timer value
   Remarks: By default, an interface sends NS messages every 1000 milliseconds, and the value of the Retrans Timer field in RA messages is 0.
10. Set the router preference in RA messages.
   Command: ipv6 nd router-preference { high | low | medium }
   Remarks: By default, the router preference is medium.
11. Set the reachable time.
   Command: ipv6 nd nud reachable-time value
   Remarks: By default, the neighbor reachable time is 30000 milliseconds, and the value of the Reachable Time field in sent RA messages is 0.

Configuring the maximum number of attempts to send an NS message for DAD

An interface sends an NS message for DAD for an obtained IPv6 address. The interface resends the NS message if it does not receive a response within the time specified by the ipv6 nd ns retrans-timer command. If the interface receives no response after making the maximum attempts specified by the ipv6 nd dad attempts command, the interface uses the IPv6 address.

To configure the attempts to send an NS message for DAD:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the number of attempts to send an NS message for DAD.
   Command: ipv6 nd dad attempts value
   Remarks: The default setting is 1. When the value argument is set to 0, DAD is disabled.

Enabling ND proxy

About ND proxy

ND proxy enables a device to answer an NS message requesting the hardware address of a host on another network. With ND proxy, hosts in different broadcast domains can communicate with each other as they would on the same network.

ND proxy includes common ND proxy and local ND proxy.

• Common ND proxy.

As shown in Figure 86, GigabitEthernet 2/0/1 with IPv6 address 4:1::99/64 and GigabitEthernet 2/0/2 with IPv6 address 4:2::99/64 belong to different subnets. Host A and Host B reside on the same network but in different broadcast domains.

Figure 86 Application environment of ND proxy

Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they belong to different broadcast domains. To solve this problem, enable common ND proxy on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 of the router. The router replies to the NS message from Host A, and forwards packets from other hosts to Host B.

• Local ND proxy.

As shown in Figure 87, Host A belongs to VLAN 2 and Host B belongs to VLAN 3. Host A and Host B connect to GigabitEthernet 2/0/1 and GigabitEthernet 2/0/3, respectively.

Figure 87 Application environment of local ND proxy

Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they belong to different VLANs.


To solve this problem, enable local ND proxy on GigabitEthernet 2/0/2 of the router so that the router can forward messages between Host A and Host B. Local ND proxy implements Layer 3 communication for two hosts in the following cases:

• The two hosts connect to ports of the same device and the ports must be in different VLANs.
• The two hosts connect to isolated Layer 2 ports in the same isolation group of a VLAN.
• If super VLAN is used, the two hosts must belong to different sub VLANs.
• If Private VLAN is used, the two hosts must belong to different secondary VLANs.

Configuration procedure

You can enable common ND proxy and local ND proxy in VLAN interface view, Layer 3 Ethernet interface view, or Layer 3 Ethernet subinterface view.

To enable common ND proxy:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable common ND proxy.
   Command: proxy-nd enable
   Remarks: By default, common ND proxy is disabled.

To enable local ND proxy:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable local ND proxy.
   Command: local-proxy-nd enable
   Remarks: By default, local ND proxy is disabled.

Configuring IPv6 ND suppression

The ND suppression feature enables a device to directly answer ND requests by using ND suppression entries. The device generates ND suppression entries based on dynamic ND entries that it learns. This feature is typically configured on the PEs connected to base stations in an L2VPN that provides access to an L3VPN network.

You can also configure the ND suppression push function to push ND suppression entries at intervals by advertising NA messages.

Figure 88 shows a typical application scenario. ND suppression is enabled on the PE that connects to the base station. The PE generates ND suppression entries for the base station, PE-agg 1, and PE-agg 2, and it directly replies to subsequent ND requests for these devices.


Figure 88 Typical application

To configure the IPv6 ND suppression feature:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a cross-connect group and enter its view.
   Command: xconnect-group group-name
   Remarks: By default, no cross-connect group is configured on the device. For more information about the command, see MPLS Command Reference.
3. Configure a cross-connect and enter its view.
   Command: connection connection-name
   Remarks: By default, no cross-connect is configured on the device. For more information about the command, see MPLS Command Reference.
4. Enable IPv6 ND suppression.
   Command: ipv6 nd suppression enable
   Remarks: By default, the IPv6 ND suppression function is disabled.
5. Quit cross-connect view.
   Command: quit
   Remarks: N/A
6. Quit cross-connect group view.
   Command: quit
   Remarks: N/A
7. Enable the suppression push function and set a push interval.
   Command: ipv6 nd suppression push interval interval
   Remarks: By default, the ND suppression push function is disabled.

Configuring IPv6 ND direct route advertisement

The ND direct route advertisement feature advertises host routes instead of advertising the network route. This feature is typically configured on PE-aggs to advertise host routes to PEs in the L3VPN.

Figure 89 shows a typical application scenario where the PE in the L3VPN has ECMP routes destined to a base station in the L2VPN. Traffic from the PE in the L3VPN to the base station can be load shared by PE-agg 1 and PE-agg 2. If PE-agg 1 fails, the PE uses the host route through PE-agg 2 to forward traffic.


Figure 89 Typical application

To configure ND direct route advertisement:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an L3VE interface and enter its view.
   Command: interface ve-l3vpn interface-number
   Remarks: By default, no L3VE interface is configured on the device. For more information about the command, see MPLS Command Reference.
3. Enable ND direct route advertisement.
   Command: ipv6 nd route-direct advertise
   Remarks: Optional. By default, ND direct route advertisement is disabled.

Configuring path MTU discovery

Configuring the interface MTU

IPv6 routers do not support packet fragmentation. If the size of a packet exceeds the MTU of the output interface, the router discards the packet and sends a packet too big message to the source host. The source host fragments the packet according to the MTU. To avoid this situation, configure a proper interface MTU.

To configure the interface MTU:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the interface MTU.
   Command: ipv6 mtu mtu-size
   Remarks: By default, no interface MTU is configured.


Configuring a static path MTU for an IPv6 address

You can configure a static path MTU for an IPv6 address. Before sending a packet to the IPv6 address, the device compares the MTU of the output interface with the static path MTU. If the packet exceeds the smaller one of the two values, the device fragments the packet according to the smaller value. After sending the fragmented packets, the device dynamically finds the path MTU to a destination host (see "IPv6 path MTU discovery").

To configure a static path MTU for a destination IPv6 address:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure a static path MTU for a destination IPv6 address. | ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address value | By default, no path MTU is configured for any IPv6 address.

Configuring the aging time for dynamic path MTUs

After the device dynamically finds the path MTU to a destination host (see "IPv6 path MTU discovery"), it performs the following tasks:
• Sends packets to the destination host based on the path MTU.
• Starts the aging timer.

When the aging timer expires, the device removes the dynamic path MTU and finds the path MTU again.

To configure the aging time for dynamic path MTUs:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure the aging time for dynamic path MTUs. | ipv6 pathmtu age age-time | The default setting is 10 minutes. The aging time is invalid for a static path MTU.

Controlling sending ICMPv6 messages

This section describes how to configure ICMPv6 message sending.

Configuring the rate limit for ICMPv6 error messages

To avoid sending excessive ICMPv6 error messages within a short period that might cause network congestion, you can limit the rate at which ICMPv6 error messages are sent. A token bucket algorithm is used with one token representing one ICMPv6 error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMPv6 error message is sent. When the bucket is empty, ICMPv6 error messages are not sent until a new token is placed in the bucket.

To configure the rate limit for ICMPv6 error messages:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the bucket size and the interval for tokens to arrive in the bucket for ICMPv6 error messages. | ipv6 icmpv6 error-interval milliseconds [ bucketsize ] | By default, the bucket allows a maximum of 10 tokens. A token is placed in the bucket at an interval of 100 milliseconds. To disable the ICMPv6 rate limit, set the interval to 0 milliseconds.
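The token bucket described above, modelled in Python as an added example (it is not HPE's implementation). It shows how many ICMPv6 error messages leave the device when every incoming packet would trigger one; the class and function names are hypothetical, and a bucket that starts full is an assumption.

```python
"""Token-bucket model of the ICMPv6 error-message rate limit (added example)."""


class Icmpv6ErrorLimiter:
    def __init__(self, interval_ms=100, bucket_size=10):
        # Defaults mirror the documented defaults: 10 tokens, one new token per 100 ms.
        if interval_ms < 0 or bucket_size < 1:
            raise ValueError("interval must be >= 0 and bucket size >= 1")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size   # assumption: the bucket starts full
        self.last_refill_ms = 0     # time at which the last token was added

    def _refill(self, now_ms):
        # One token per elapsed interval, never more than the bucket can hold.
        earned = (now_ms - self.last_refill_ms) // self.interval_ms
        if earned > 0:
            self.tokens = min(self.bucket_size, self.tokens + earned)
            self.last_refill_ms += earned * self.interval_ms

    def allow(self, now_ms):
        """Return True if an ICMPv6 error message may be sent at now_ms."""
        if self.interval_ms == 0:   # interval 0 disables the rate limit
            return True
        self._refill(now_ms)
        if self.tokens == 0:
            return False            # bucket empty: the error message is not sent
        self.tokens -= 1
        return True


def simulate(limiter, trigger_times_ms):
    """Return (sent, suppressed) for a list of times at which an error is due."""
    sent = sum(1 for t in trigger_times_ms if limiter.allow(t))
    return sent, len(trigger_times_ms) - sent


# Constructed input: one error-triggering packet per millisecond for one second.
FLOOD = list(range(1000))

if __name__ == "__main__":
    print("default 100 ms / 10 tokens:", simulate(Icmpv6ErrorLimiter(), FLOOD))
    print("interval 0 (limit disabled):", simulate(Icmpv6ErrorLimiter(0), FLOOD))
    print("1000 ms / 5 tokens:", simulate(Icmpv6ErrorLimiter(1000, 5), FLOOD))
```

With the defaults, the bucket size bounds the initial burst and the interval bounds the sustained rate, so the same flood produces 19 replies instead of 1000.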

Enabling replying to multicast echo requests

The device does not respond to multicast echo requests by default. In some scenarios, you must enable the device to answer multicast echo requests so the source host can obtain needed information.

To enable the device to answer multicast echo requests:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable replying to multicast echo requests. | ipv6 icmpv6 multicast-echo-reply enable | By default, this function is disabled.

Enabling sending ICMPv6 destination unreachable messages

The device sends the source the following ICMPv6 destination unreachable messages:
• ICMPv6 No Route to Destination message—A packet to be forwarded does not match any route.
• ICMPv6 Communication with Destination Administratively Prohibited message—An administrative prohibition is preventing successful communication with the destination. This is typically caused by a firewall or an ACL on the device.
• ICMPv6 Beyond Scope of Source Address message—The destination is beyond the scope of the source IPv6 address. For example, a packet's source IPv6 address is a link-local address, and its destination IPv6 address is a global unicast address.
• ICMPv6 Address Unreachable message—The device fails to resolve the link layer address for the destination IPv6 address of a packet.
• ICMPv6 Port Unreachable message—No port process on the destination device exists for a received UDP packet.

If a device is generating ICMPv6 destination unreachable messages incorrectly, disable the sending of ICMPv6 destination unreachable messages to prevent attack risks.

To enable sending ICMPv6 destination unreachable messages:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable sending ICMPv6 destination unreachable messages. | ipv6 unreachables enable | By default, this function is disabled.

Enabling sending ICMPv6 time exceeded messages

The device sends the source ICMPv6 time exceeded messages as follows:
• If a received packet is not destined for the device and its hop limit is 1, the device sends an ICMPv6 hop limit exceeded in transit message to the source.
• Upon receiving the first fragment of an IPv6 datagram destined for the device, the device starts a timer. If the timer expires before all the fragments arrive, the device sends an ICMPv6 fragment reassembly time exceeded message to the source.

If the device receives large numbers of malicious packets, its performance degrades greatly because it must send back ICMPv6 time exceeded messages. To prevent such attacks, disable sending ICMPv6 time exceeded messages.

To enable sending ICMPv6 time exceeded messages:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable sending ICMPv6 time exceeded messages. | ipv6 hoplimit-expires enable | The default setting is disabled.

Enabling sending ICMPv6 redirect messages

Upon receiving a packet from a host, the device sends an ICMPv6 redirect message to inform the host of a better next hop when the following conditions are met:
• The interface receiving the packet is the interface forwarding the packet.
• The selected route is not created or modified by any ICMPv6 redirect messages.
• The selected route is not a default route.
• The forwarded packet does not contain the routing extension header.

The ICMPv6 redirect function simplifies host management by enabling hosts that hold few routes to optimize their routing table gradually. However, to avoid adding too many routes on hosts, this function is disabled by default.

To enable sending ICMPv6 redirect messages:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable sending ICMPv6 redirect messages. | ipv6 redirects enable | By default, sending ICMPv6 redirect messages is disabled.

Specifying the source address for ICMPv6 packets

Perform this task to specify the source IPv6 address for outgoing ping echo requests and ICMPv6 error messages. It is a good practice to specify the IPv6 address of the loopback interface as the source IPv6 address. This function helps users to easily locate the sending device.

If you specify an IPv6 address in the ping command, ping echo requests use the specified address as the source IPv6 address. Otherwise, ping echo requests use the IPv6 address specified by the ipv6 icmpv6 source command.

To specify the source IPv6 address for ICMPv6 packets:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Specify an IPv6 address as the source address for outgoing ICMPv6 packets. | ipv6 icmpv6 source [ vpn-instance vpn-instance-name ] ipv6-address | By default, the device uses the IPv6 address of the sending interface as the source IPv6 address for outgoing ICMPv6 packets.

Enabling IPv6 local fragment reassembly

Perform this task to enable the local reassembly function for IPv6 fragments that are destined for the local device. This function enables the receiving LPU to reassemble the IPv6 fragments instead of delivering them to the active MPU for reassembly. It improves the fragment reassembly performance.

To enable IPv6 local fragment reassembly:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable IPv6 local fragment reassembly. | ipv6 reassemble local enable | By default, IPv6 local fragment reassembly is disabled. This function applies only to fragments received by the same LPU.

Configuring IPv6 load sharing based on bandwidth

This feature shares IPv6 traffic among multiple output interfaces based on their expected load percentages. The device calculates the load percentage for each output interface in terms of the interface expected bandwidth.

Devices that run load sharing protocols such as Locator/ID Separation Protocol (LISP) implement load sharing based on the ratios defined by these protocols.

To configure IPv6 load sharing based on bandwidth:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable IPv6 load sharing based on bandwidth. | ipv6 bandwidth-based-sharing | By default, IPv6 bandwidth-based load sharing is disabled.
3. Enter interface view. | interface interface-type interface-number | N/A
4. Configure the expected bandwidth of an interface. | bandwidth bandwidth | By default, the expected bandwidth of an interface equals the absolute bandwidth of the link.

Displaying and maintaining IPv6 basics

Execute display commands in any view and reset commands in user view.

Task
    Command

Display IPv6 FIB entries.
    display ipv6 fib [ vpn-instance vpn-instance-name ] [ ipv6-address [ prefix-length ] ]

Display IPv6 information about the interface.
    display ipv6 interface [ interface-type [ interface-number ] ] [ brief ]

Display IPv6 prefix information about the interface.
    display ipv6 interface interface-type interface-number prefix

Display ND suppression entries (centralized devices in standalone mode).
    display ipv6 nd suppression xconnect-group [ name group-name ] [ count ]

Display ND suppression entries (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 nd suppression xconnect-group [ name group-name ] [ slot slot-number ] [ count ]

Display ND suppression entries (distributed devices in IRF mode).
    display ipv6 nd suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ] [ count ]

Display neighbor information (centralized devices in standalone mode).
    display ipv6 neighbors { ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id } [ verbose ]

Display neighbor information (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]

Display neighbor information (distributed devices in IRF mode).
    display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ chassis chassis-number slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]

Display the total number of neighbor entries (centralized devices in standalone mode).
    display ipv6 neighbors { all | dynamic | interface interface-type interface-number | static | vlan vlan-id } count

Display the total number of neighbor entries (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count

Display the total number of neighbor entries (distributed devices in IRF mode).
    display ipv6 neighbors { { all | dynamic | static } [ chassis chassis-number slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count

Display neighbor information for a VPN.
    display ipv6 neighbors vpn-instance vpn-instance-name [ count ]

Display the IPv6 path MTU information.
    display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | { all | dynamic | static } [ count ] }

Display the IPv6 prefix information.
    display ipv6 prefix [ prefix-number ]

Display IPv6 and ICMPv6 packet statistics (centralized devices in standalone mode).
    display ipv6 statistics

Display IPv6 and ICMPv6 statistics (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 statistics [ slot slot-number ]

Display IPv6 and ICMPv6 statistics (distributed devices in IRF mode).
    display ipv6 statistics [ chassis chassis-number slot slot-number ]

Display brief information about IPv6 RawIP connections (centralized devices in standalone mode).
    display ipv6 rawip

Display brief information about IPv6 RawIP connections (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 rawip [ slot slot-number ]

Display brief information about IPv6 RawIP connections (distributed devices in IRF mode).
    display ipv6 rawip [ chassis chassis-number slot slot-number ]

Display detailed information about IPv6 RawIP connections (centralized devices in standalone mode).
    display ipv6 rawip verbose [ pcb pcb-index ]

Display detailed information about IPv6 RawIP connections (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Display detailed information about IPv6 RawIP connections (distributed devices in IRF mode).
    display ipv6 rawip verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Display brief information about IPv6 TCP connections (centralized devices in standalone mode).
    display ipv6 tcp

Display brief information about IPv6 TCP connections (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 tcp [ slot slot-number ]

Display brief information about IPv6 TCP connections (distributed devices in IRF mode).
    display ipv6 tcp [ chassis chassis-number slot slot-number ]

Display brief information about IPv6 TCP proxy (centralized devices in standalone mode).
    display ipv6 tcp-proxy

Display brief information about IPv6 TCP proxy (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 tcp-proxy slot slot-number

Display brief information about IPv6 TCP proxy (distributed devices in IRF mode).
    display ipv6 tcp-proxy chassis chassis-number slot slot-number

Display detailed information about IPv6 TCP connections (centralized devices in standalone mode).
    display ipv6 tcp verbose [ pcb pcb-index ]

Display detailed information about IPv6 TCP connections (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Display detailed information about IPv6 TCP connections (distributed devices in IRF mode).
    display ipv6 tcp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Display brief information about IPv6 UDP connections (centralized devices in standalone mode).
    display ipv6 udp

Display brief information about IPv6 UDP connections (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 udp [ slot slot-number ]

Display brief information about IPv6 UDP connections (distributed devices in IRF mode).
    display ipv6 udp [ chassis chassis-number slot slot-number ]

Display detailed information about IPv6 UDP connections (centralized devices in standalone mode).
    display ipv6 udp verbose [ pcb pcb-index ]

Display detailed information about IPv6 UDP connections (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 udp verbose [ slot slot-number [ pcb pcb-index ] ]

Display detailed information about IPv6 UDP connections (distributed devices in IRF mode).
    display ipv6 udp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

Display ICMPv6 traffic statistics (centralized devices in standalone mode).
    display ipv6 icmp statistics

Display ICMPv6 traffic statistics (distributed devices in standalone mode/centralized devices in IRF mode).
    display ipv6 icmp statistics [ slot slot-number ]

Display ICMPv6 traffic statistics (distributed devices in IRF mode).
    display ipv6 icmp statistics [ chassis chassis-number slot slot-number ]

Display IPv6 TCP traffic statistics (centralized devices in standalone mode).
    display tcp statistics

Display IPv6 TCP traffic statistics (distributed devices in standalone mode/centralized devices in IRF mode).
    display tcp statistics [ slot slot-number ]

Display IPv6 TCP traffic statistics (distributed devices in IRF mode).
    display tcp statistics [ chassis chassis-number slot slot-number ]

Display IPv6 UDP traffic statistics (centralized devices in standalone mode).
    display udp statistics

Display IPv6 UDP traffic statistics (distributed devices in standalone mode/centralized devices in IRF mode).
    display udp statistics [ slot slot-number ]

Display IPv6 UDP traffic statistics (distributed devices in IRF mode).
    display udp statistics [ chassis chassis-number slot slot-number ]

Clear ND suppression entries (centralized devices in standalone mode).
    reset ipv6 nd suppression xconnect-group [ name group-name ]

Clear ND suppression entries (distributed devices in standalone mode/centralized devices in IRF mode).
    reset ipv6 nd suppression xconnect-group [ name group-name ] [ slot slot-number ]

Clear ND suppression entries (distributed devices in IRF mode).
    reset ipv6 nd suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ]

Clear IPv6 neighbor information (centralized devices in standalone mode).
    reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | static }

Clear IPv6 neighbor information (distributed devices in standalone mode/centralized devices in IRF mode).
    reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | slot slot-number | static }

Clear IPv6 neighbor information (distributed devices in IRF mode).
    reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | chassis chassis-number slot slot-number | static }

Clear path MTUs.
    reset ipv6 pathmtu { all | dynamic | static }

Clear IPv6 and ICMPv6 packet statistics (centralized devices in standalone mode).
    reset ipv6 statistics

Clear IPv6 and ICMPv6 packet statistics (distributed devices in standalone mode/centralized devices in IRF mode).
    reset ipv6 statistics [ slot slot-number ]

Clear IPv6 and ICMPv6 packet statistics (distributed devices in IRF mode).
    reset ipv6 statistics [ chassis chassis-number slot slot-number ]

Clear IPv6 TCP traffic statistics.
    reset tcp statistics

Clear IPv6 UDP traffic statistics.
    reset udp statistics

IPv6 configuration examples

Basic IPv6 configuration example

Network requirements

As shown in Figure 90, configure IPv6 addresses for the routers and verify that they can reach each other. Configure a route to the host on Router B. Enable IPv6 for the host to automatically obtain an IPv6 address through IPv6 ND. The host has a route to Router B.

Figure 90 Network diagram

Configuration procedure

1. Configure Router A:

# Configure a global unicast address for interface GigabitEthernet 2/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address 3001::1/64
[RouterA-GigabitEthernet2/0/1] quit

# Configure a global unicast address for interface GigabitEthernet 2/0/2 and enable it to advertise RA messages (an interface does not advertise RA messages by default).
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ipv6 address 2001::1/64
[RouterA-GigabitEthernet2/0/2] undo ipv6 nd ra halt
[RouterA-GigabitEthernet2/0/2] quit

2. Configure Router B:

# Configure a global unicast address for interface GigabitEthernet 2/0/1.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ipv6 address 3001::2/64
[RouterB-GigabitEthernet2/0/1] quit

# Configure an IPv6 static route to the host.
[RouterB] ipv6 route-static 2001:: 64 3001::1

3. Configure the host:

Enable IPv6 on the host to automatically obtain an IPv6 address through IPv6 ND.

# Display neighbor information for GigabitEthernet 2/0/2 on Router A.

[RouterA] display ipv6 neighbors interface gigabitethernet 2/0/2
Type: S-Static    D-Dynamic    O-Openflow    R-Rule    I-Invalid
IPv6 Address                Link Layer      VID  Interface  State  T  Age
FE80::215:E9FF:FEA6:7D14    0015-e9a6-7d14  N/A  GE2/0/2    STALE  D  1238
2001::15B:E0EA:3524:E791    0015-e9a6-7d14  N/A  GE2/0/2    STALE  D  1248

The output shows that the IPv6 global unicast address that the host obtained is 2001::15B:E0EA:3524:E791.

Verifying the configuration

# Display IPv6 interface information on Router A.

[RouterA] display ipv6 interface gigabitethernet 2/0/1

GigabitEthernet2/0/1 current state: UP

Line protocol current state: UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2

Global unicast address(es):

3001::1, subnet is 3001::/64

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF00:1

FF02::1:FF00:2

MTU is 1500 bytes

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND retransmit interval is 1000 milliseconds

Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

InReceives: 25829

InTooShorts: 0

InTruncatedPkts: 0

InHopLimitExceeds: 0

InBadHeaders: 0

InBadOptions: 0

ReasmReqds: 0

ReasmOKs: 0

InFragDrops: 0

InFragTimeouts: 0

OutFragFails: 0

InUnknownProtos: 0

InDelivers: 47

OutRequests: 89

OutForwDatagrams: 48

InNoRoutes: 0

InTooBigErrors: 0

OutFragOKs: 0

OutFragCreates: 0

InMcastPkts: 6

InMcastNotMembers: 25747

OutMcastPkts: 48

InAddrErrors: 0

InDiscards: 0

OutDiscards: 0

[RouterA] display ipv6 interface gigabitethernet 2/0/2

GigabitEthernet2/0/2 current state: UP

Line protocol current state: UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0

Global unicast address(es):

2001::1, subnet is 2001::/64

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF00:1

FF02::1:FF00:1C0

MTU is 1500 bytes

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND retransmit interval is 1000 milliseconds

ND advertised reachable time is 0 milliseconds

ND advertised retransmit interval is 0 milliseconds

ND router advertisements are sent every 600 seconds

ND router advertisements live for 1800 seconds

Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

InReceives: 272

InTooShorts: 0

InTruncatedPkts: 0

InHopLimitExceeds: 0

InBadHeaders: 0

InBadOptions: 0

ReasmReqds: 0

ReasmOKs: 0

InFragDrops: 0

InFragTimeouts: 0

OutFragFails: 0

InUnknownProtos: 0

InDelivers: 159

OutRequests: 1012

OutForwDatagrams: 35

InNoRoutes: 0

InTooBigErrors: 0

OutFragOKs: 0

OutFragCreates: 0

InMcastPkts: 79

InMcastNotMembers: 65

OutMcastPkts: 938

InAddrErrors: 0

InDiscards: 0

OutDiscards: 0

# Display IPv6 interface information on Router B.

[RouterB] display ipv6 interface gigabitethernet 2/0/1

GigabitEthernet2/0/1 current state: UP

Line protocol current state: UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234

Global unicast address(es):

3001::2, subnet is 3001::/64

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF00:2

FF02::1:FF00:1234

MTU is 1500 bytes

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND retransmit interval is 1000 milliseconds

Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

InReceives: 117

InTooShorts: 0

InTruncatedPkts: 0

InHopLimitExceeds: 0

InBadHeaders: 0

InBadOptions: 0

ReasmReqds: 0

ReasmOKs: 0

InFragDrops: 0

InFragTimeouts: 0

OutFragFails: 0

InUnknownProtos: 0

InDelivers: 117

OutRequests: 83

OutForwDatagrams: 0

InNoRoutes: 0

InTooBigErrors: 0

OutFragOKs: 0

OutFragCreates: 0

InMcastPkts: 28

InMcastNotMembers: 0

OutMcastPkts: 7

InAddrErrors: 0

InDiscards: 0

OutDiscards: 0

# Ping Router A and Router B from the host, and ping Router A and the host from Router B to verify that they can reach each other.

NOTE: To ping a link-local address, use the -i parameter to specify an interface for the link-local address.

[RouterB] ping ipv6 -c 1 3001::1

Ping6(56 data bytes) 3001::2 --> 3001::1, press CTRL_C to break

56 bytes from 3001::1, icmp_seq=0 hlim=64 time=4.404 ms

--- Ping6 statistics for 3001::1 ---

1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 4.404/4.404/4.404/0.000 ms

[RouterB] ping ipv6 -c 1 2001::15B:E0EA:3524:E791

Ping6(56 data bytes) 3001::2 --> 2001::15B:E0EA:3524:E791, press CTRL_C to break

56 bytes from 2001::15B:E0EA:3524:E791, icmp_seq=0 hlim=64 time=5.404 ms

--- Ping6 statistics for 2001::15B:E0EA:3524:E791 ---

1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 5.404/5.404/5.404/0.000 ms

The output shows that Router B can ping Router A and the host. The host can also ping Router B and Router A (output not shown).

IPv6 ND suppression configuration example

Network requirements

As shown in Figure 91, the base station, Router A, and Router B are in an MPLS L2VPN. The base station can reach the L3VE interface L3VE1 of Router B.

Enable IPv6 ND suppression on Router A to directly answer ND packets for Router B.

Figure 91 Network diagram (labels recovered from the figure: Base station, Router A, Router B; L3VE1 2001::3/64; GE2/0/1 2001::1/64; GE2/0/1 2001::2/64; GE2/0/2 1::1/64; GE2/0/2 1::2/64)

Configuration procedure

1. Configure IPv6 addresses for the interfaces as shown in Figure 91. Make sure the base station can reach the L3VE interface of Router B. (Details not shown.)

2. Configure IPv6 ND suppression:

# Create a cross-connect group named vpna.
<RouterA> system-view
[RouterA] xconnect-group vpna

# Create a cross-connect named svc.
[RouterA-xcg-vpna] connection svc

# Enable IPv6 ND suppression for the cross-connect svc in cross-connect group vpna.
[RouterA-xcg-vpna-svc] ipv6 nd suppression enable

Verifying the configuration

1. On the base station, clear the ND suppression entries, and ping the L3VE interface VE-L3VPN 1 of Router B. (Details not shown.)

2. Verify that Router A has ND suppression entries for the base station and Router B.

[RouterA-xcg-vpna-svc] display ipv6 nd suppression xconnect-group
IPv6 address    MAC address     Xconnect-group  Connection  Aging
2001::1         00e0-fc04-582c  vpna            svc         25
2001::3         0023-89b7-0861  vpna            svc         25

3. Enable ND debugging on Router B to verify that Router B does not receive an ND request from the base station when the following conditions exist (details not shown):
a. Clear ND suppression entries on the base station.
b. Ping L3VE interface VE-L3VPN 1 of Router B from the base station.

Troubleshooting IPv6 basics configuration

Symptom

An IPv6 address cannot be pinged.

Solution

1. Use the display ipv6 interface command in any view to verify that the IPv6 address of the output interface is correct and the interface is up.
2. Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to locate the fault.

DHCPv6 overview

DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.

Feature and hardware compatibility

Hardware | DHCPv6 compatibility
MSR954(JH296A/JH297A/JH298A/JH299A) | No
MSR1002-4/1003-8S | Yes
MSR2003 | Yes
MSR2004-24/2004-48 | Yes
MSR3012/3024/3044/3064 | Yes
MSR4060/4080 | Yes

DHCPv6 address/prefix assignment

An address/prefix assignment process involves two or four messages.

Rapid assignment involving two messages

As shown in Figure 92, rapid assignment operates in the following steps:
1. The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
2. If the DHCPv6 server supports rapid assignment, it responds with a Reply message containing the assigned IPv6 address/prefix and other configuration parameters. If the DHCPv6 server does not support rapid assignment, Assignment involving four messages is performed.

Figure 92 Rapid assignment involving two messages

Assignment involving four messages

As shown in Figure 93, four-message assignment operates using the following steps:
1. The DHCPv6 client sends a Solicit message to request an IPv6 address/prefix and other configuration parameters.
2. The DHCPv6 server responds with an Advertise message that contains the assignable address/prefix and other configuration parameters if either of the following conditions exists:
   • The Solicit message does not contain a Rapid Commit option.
   • The DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option.
3. The DHCPv6 client might receive multiple Advertise messages offered by different DHCPv6 servers. It selects an offer according to the receiving sequence and server priority, and sends a Request message to the selected server for confirmation.
4. The DHCPv6 server sends a Reply message to the client, confirming that the address/prefix and other configuration parameters are assigned to the client.

Figure 93 Assignment involving four messages
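The two- and four-message exchanges above, modelled in Python as an added example (not HPE's code), with both the server's choice of response and the client's choice of offer. Message types and option codes are those of RFC 3315; mapping "server priority" to the Preference option, the constructed DUIDs, and the omission of address/prefix options are assumptions, and all function names are hypothetical.

```python
import struct

# Message types and option codes from RFC 3315.
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_PREFERENCE, OPT_RAPID_COMMIT = 1, 2, 7, 14


def build(msg_type, xid, options):
    """Encode a message: type (1 byte), transaction ID (3 bytes), then options."""
    out = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


def parse(packet):
    """Decode into (type, xid, {option code: data}); reject truncated input."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte DHCPv6 header")
    msg_type, xid = packet[0], int.from_bytes(packet[1:4], "big")
    options, pos = {}, 4
    while pos < len(packet):
        if pos + 4 > len(packet):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", packet, pos)
        pos += 4
        if pos + length > len(packet):
            raise ValueError("option %d overruns the packet" % code)
        options[code] = packet[pos:pos + length]  # last instance wins (enough here)
        pos += length
    return msg_type, xid, options


def server_respond(solicit, server_duid, supports_rapid_commit, preference=0):
    """Server side: Reply (two-message) or Advertise (four-message) for a Solicit.

    Address/prefix options are omitted to keep the example short.
    """
    msg_type, xid, opts = parse(solicit)
    if msg_type != SOLICIT or OPT_CLIENTID not in opts:
        return None  # not a usable Solicit
    ids = [(OPT_CLIENTID, opts[OPT_CLIENTID]), (OPT_SERVERID, server_duid)]
    if OPT_RAPID_COMMIT in opts and supports_rapid_commit:
        return build(REPLY, xid, ids + [(OPT_RAPID_COMMIT, b"")])
    return build(ADVERTISE, xid, ids + [(OPT_PREFERENCE, bytes([preference]))])


def client_next_step(solicit, responses):
    """Client side: responses are given in arrival order.

    Returns ("done", reply), ("request", request_packet) or ("retry", None).
    """
    _, xid, sent = parse(solicit)
    best = None
    for raw in responses:
        try:
            msg_type, rxid, opts = parse(raw)
        except ValueError:
            continue  # malformed response: drop it
        if rxid != xid or opts.get(OPT_CLIENTID) != sent[OPT_CLIENTID]:
            continue  # belongs to another exchange or another client
        if msg_type == REPLY and OPT_RAPID_COMMIT in opts and OPT_RAPID_COMMIT in sent:
            return "done", raw  # rapid assignment finished in two messages
        if msg_type == ADVERTISE and OPT_SERVERID in opts:
            pref = (opts.get(OPT_PREFERENCE) or b"\x00")[0]
            if best is None or pref > best[0]:  # '>' keeps the earlier offer on a tie
                best = (pref, opts[OPT_SERVERID])
    if best is None:
        return "retry", None
    # Simplification: real clients pick a fresh random transaction ID.
    new_xid = (xid + 1) & 0xFFFFFF
    return "request", build(REQUEST, new_xid, [(OPT_CLIENTID, sent[OPT_CLIENTID]),
                                               (OPT_SERVERID, best[1])])


# Constructed sample data (DUID-LL values with made-up MAC addresses).
CLIENT_DUID = bytes.fromhex("00030001020000000001")
SERVER_A = bytes.fromhex("000300010200000000aa")
SERVER_B = bytes.fromhex("000300010200000000bb")
SOLICIT_RC = build(SOLICIT, 0x1A2B3C, [(OPT_CLIENTID, CLIENT_DUID), (OPT_RAPID_COMMIT, b"")])

if __name__ == "__main__":
    reply = server_respond(SOLICIT_RC, SERVER_A, supports_rapid_commit=True)
    print("rapid:", client_next_step(SOLICIT_RC, [reply])[0])
    offers = [server_respond(SOLICIT_RC, SERVER_A, False, 10),
              server_respond(SOLICIT_RC, SERVER_B, False, 200)]
    step, request = client_next_step(SOLICIT_RC, offers)
    print("four-message:", step, "to server", parse(request)[2][OPT_SERVERID].hex())
```

The client accepts a Reply as final only when it asked for Rapid Commit itself, so an unsolicited Reply does not short-circuit the four-message exchange.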

Address/prefix lease renewal

An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.

Figure 94 Using the Renew message for address/prefix lease renewal

As shown in Figure 94, at T1, the DHCPv6 client sends a Renew message to the DHCPv6 server. The recommended value of T1 is half the preferred lifetime. The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.

Figure 95 Using the Rebind message for address/prefix lease renewal

As shown in Figure 95:

• If the DHCPv6 client does not receive a response from the DHCPv6 server after sending a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2. Typically, the value of T2 is 0.8 times the preferred lifetime.

• The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.

• If the DHCPv6 client does not receive a response from any DHCPv6 server before the valid lifetime expires, the client stops using the address/prefix.

For more information about the valid lifetime and the preferred lifetime, see "Configuring basic IPv6 settings."

Stateless DHCPv6

Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server.

The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration:
• The managed address configuration flag (M flag) is set to 0.
• The other stateful configuration flag (O flag) is set to 1.

For more information about stateless address autoconfiguration, see "Configuring basic IPv6 settings."

Figure 96 Stateless DHCPv6 operation

As shown in Figure 96, stateless DHCPv6 operates in the following steps:

1. The DHCPv6 client sends an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents. The Information-request message contains an Option Request option that specifies the requested configuration parameters.

2. The DHCPv6 server returns to the client a Reply message containing the requested configuration parameters.

3. The client checks the Reply message. If the obtained configuration parameters match those requested in the Information-request message, the client uses these parameters to complete configuration. If not, the client ignores the configuration parameters. If the client receives multiple replies with configuration parameters matching those requested in the Information-request message, it uses the first received reply.

Protocols and standards

• RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
• RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
• RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6


Configuring the DHCPv6 server

Overview

A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.

IPv6 address assignment

As shown in Figure 97, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients.

The IPv6 addresses assigned to the clients include the following types:
• Temporary IPv6 addresses—Frequently changed without lease renewal.
• Non-temporary IPv6 addresses—Correctly used by DHCP clients, with lease renewal.

Figure 97 IPv6 address assignment

IPv6 prefix assignment

As shown in Figure 98, the DHCPv6 server assigns an IPv6 prefix to the DHCPv6 client. The client advertises the prefix information in a multicast RA message so that hosts on the subnet can automatically configure their IPv6 addresses by using the prefix.

Figure 98 IPv6 prefix assignment


Concepts

Multicast addresses used by DHCPv6

DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.

DUID

A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent). A DHCPv6 device adds its DUID in a sent packet.

Figure 99 DUID-LL format

The device supports the DUID format based on link-layer address (DUID-LL) defined in RFC 3315. Figure 99 shows the DUID-LL format, which includes the following fields:
• DUID type—The device supports the DUID type of DUID-LL with the value of 0x0003.
• Hardware type—The device supports the hardware type of Ethernet with the value of 0x0001.
• Link layer address—Takes the value of the bridge MAC address of the device.
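As an added illustration (not part of the HPE guide), the following Python sketch parses and validates a DUID-LL using the field values listed above and rebuilds one from a MAC address, which helps when checking the DUID in a static binding against an inventory record. The function names and the tolerance for '-' and ':' separators are assumptions of this example; the sample DUID is the one used in this guide's prefix assignment example.

```python
import re

DUID_TYPE_LL = 0x0003       # DUID-LL type value given in the guide
HW_TYPE_ETHERNET = 0x0001   # Ethernet hardware type value given in the guide
HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")


class DuidError(ValueError):
    """Raised when a string is not a well-formed Ethernet DUID-LL."""


def parse_duid_ll(duid_hex):
    """Split a DUID-LL hex string into its fields, rejecting anything malformed."""
    # Tolerating '-' and ':' separators is an assumption made for this example.
    text = duid_hex.strip().replace("-", "").replace(":", "")
    if not HEX_ONLY.fullmatch(text) or len(text) % 2:
        raise DuidError("DUID must be an even number of hex digits")
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise DuidError("DUID is too short to carry a type and a hardware type")
    duid_type = int.from_bytes(raw[0:2], "big")
    hw_type = int.from_bytes(raw[2:4], "big")
    link_addr = raw[4:]
    if duid_type != DUID_TYPE_LL:
        raise DuidError("DUID type 0x%04x is not DUID-LL" % duid_type)
    if hw_type != HW_TYPE_ETHERNET:
        raise DuidError("hardware type 0x%04x is not Ethernet" % hw_type)
    if len(link_addr) != 6:
        raise DuidError("Ethernet link-layer address must be 6 bytes")
    return {
        "duid_type": duid_type,
        "hw_type": hw_type,
        "mac": ":".join("%02x" % b for b in link_addr),
    }


def build_duid_ll(mac):
    """Return the DUID-LL hex string that corresponds to an Ethernet MAC address."""
    digits = re.sub(r"[-:.]", "", mac)
    if not HEX_ONLY.fullmatch(digits) or len(digits) != 12:
        raise DuidError("MAC address must be 12 hex digits")
    return "%04X%04X%s" % (DUID_TYPE_LL, HW_TYPE_ETHERNET, digits.upper())


def binding_matches_inventory(bound_duid, inventory_mac):
    """True when a statically bound DUID embeds the MAC recorded for that device."""
    expected = parse_duid_ll(build_duid_ll(inventory_mac))["mac"]
    return parse_duid_ll(bound_duid)["mac"] == expected


if __name__ == "__main__":
    # DUID taken from the guide's prefix assignment example.
    print(parse_duid_ll("00030001CA0006A40000"))
```
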

IA

Identified by an IAID, an identity association (IA) provides a construct through which a client manages the obtained addresses, prefixes, and other configuration parameters. A client can have multiple IAs, for example, one for each of its interfaces.

IAID

An IAID uniquely identifies an IA. It is chosen by the client and must be unique on the client.

PD

The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the following details:
• IPv6 prefix.
• Client DUID.
• IAID.
• Valid lifetime.
• Preferred lifetime.
• Lease expiration time.
• IPv6 address of the requesting client.

DHCPv6 address pool

The DHCP server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCP clients.


Address allocation mechanisms

DHCPv6 supports the following address allocation mechanisms:

• Static address allocation—To implement static address allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the DHCPv6 address pool. When the client requests an IPv6 address, the DHCPv6 server assigns the IPv6 address in the static binding to the client.

• Dynamic address allocation—To implement dynamic address allocation for clients, create a DHCPv6 address pool, specify a subnet for the pool, and divide the subnet into temporary and non-temporary IPv6 address ranges. Upon receiving a DHCP request, the DHCPv6 server selects an IPv6 address from the temporary or non-temporary IPv6 address range based on the address type in the client request.

Prefix allocation mechanisms

DHCPv6 supports the following prefix allocation mechanisms:

• Static prefix allocation—To implement static prefix allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 prefix in the DHCPv6 address pool. When the client requests an IPv6 prefix, the DHCPv6 server assigns the IPv6 prefix in the static binding to the client.

• Dynamic prefix allocation—To implement dynamic prefix allocation for clients, create a DHCPv6 address pool and a prefix pool, specify a subnet for the address pool, and apply the prefix pool to the address pool. Upon receiving a DHCP request, the DHCPv6 server dynamically selects an IPv6 prefix from the prefix pool in the address pool.

Address pool selection

The DHCPv6 server observes the following principles when selecting an IPv6 address or prefix for a client:

1. If there is an address pool where an IPv6 address is statically bound to the DUID or IAID of the client, the DHCPv6 server selects this address pool. It assigns the statically bound IPv6 address or prefix and other configuration parameters to the client.

2. If the receiving interface has an address pool applied, the DHCP server selects an IPv6 address or prefix and other configuration parameters from this address pool.

3. If no static address pool is configured and no address pool is applied to the receiving interface, the DHCPv6 server selects an address pool depending on the client location.

   • Client on the same subnet as the server—The DHCPv6 server compares the IPv6 address of the receiving interface with the subnets of all address pools. It selects the address pool with the longest-matching subnet.

   • Client on a different subnet than the server—The DHCPv6 server compares the IPv6 address of the DHCPv6 relay agent interface closest to the client with the subnets of all address pools. It also selects the address pool with the longest-matching subnet.

To make sure IPv6 address allocation functions correctly, keep the subnet used for dynamic assignment consistent with the subnet where the interface of the DHCPv6 server or DHCPv6 relay agent resides.
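The selection principles above, modeled as an added Python example (not the device's implementation and not from the HPE guide). Pool names, the 2001:db8:: subnets, and the function names are constructed for illustration; treating a static binding as a match on DUID, plus IAID when the binding carries one, is an assumption taken from the static binding rules in this guide.

```python
import ipaddress

# Constructed sample data: pool names and 2001:db8:: subnets are made up;
# the DUID is the one used in the guide's configuration example.
POOLS = [
    {"name": "site", "network": "2001:db8::/32", "static": []},
    {"name": "floor1", "network": "2001:db8:1::/64", "static": []},
    {"name": "voice", "network": "2001:db8:2::/64",
     "static": [{"duid": "00030001CA0006A40000", "iaid": None}]},
]


def has_static_binding(pool, duid, iaid):
    """A binding matches on DUID, and on IAID too when the binding carries one."""
    for bind in pool["static"]:
        if bind["duid"].upper() != duid.upper():
            continue
        if bind["iaid"] is None or bind["iaid"] == iaid:
            return True
    return False


def select_pool(pools, duid, iaid, iface_addr, iface_pool=None, relay_addr=None):
    """Return (pool name or None, deciding rule), following the three principles."""
    # 1. A pool that holds a static binding for this client wins outright.
    for pool in pools:
        if has_static_binding(pool, duid, iaid):
            return pool["name"], "static binding"
    # 2. Otherwise the pool applied to the receiving interface is used.
    if iface_pool is not None:
        return iface_pool, "applied to interface"
    # 3. Otherwise longest match against the relay agent address for a relayed
    #    client, or against the receiving interface address for a local client.
    reference = ipaddress.ip_address(relay_addr if relay_addr else iface_addr)
    best = None
    for pool in pools:
        subnet = ipaddress.ip_network(pool["network"])
        if reference in subnet and (best is None or subnet.prefixlen > best[1].prefixlen):
            best = (pool["name"], subnet)
    if best is None:
        return None, "no pool matches"
    return best[0], "longest match on %s" % best[1]


if __name__ == "__main__":
    other = "000300010011223344AA"  # constructed DUID with no static binding
    print(select_pool(POOLS, "00030001CA0006A40000", 1, "2001:db8:1::1"))
    print(select_pool(POOLS, other, 1, "2001:db8:1::1", iface_pool="site"))
    print(select_pool(POOLS, other, 1, "2001:db8:1::1"))
    print(select_pool(POOLS, other, 1, "2001:db8:1::1", relay_addr="2001:db8:2::1"))
```

The third call shows why overlapping pool subnets matter: the /64 pool is chosen over the /32 pool for the same interface address.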

IPv6 address/prefix allocation sequence

The DHCPv6 server selects an IPv6 address/prefix for a client in the following sequence:
1. IPv6 address/prefix statically bound to the client's DUID and IAID and expected by the client.
2. IPv6 address/prefix statically bound to the client's DUID and IAID.
3. IPv6 address/prefix statically bound to the client's DUID and expected by the client.
4. IPv6 address/prefix statically bound to the client's DUID.
5. IPv6 address/prefix that was ever assigned to the client.
6. Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client.
7. Assignable IPv6 address/prefix in the address pool/prefix pool.
8. IPv6 address/prefix that was a conflict or passed its lease duration. If no IPv6 address/prefix is assignable, the server does not respond.

If a client moves to another subnet, the DHCPv6 server selects an IPv6 address/prefix from the address pool that matches the new subnet.

Conflicted IPv6 addresses can be assigned to other DHCPv6 clients only after the addresses are in conflict for one hour.

Configuration task list

Tasks at a glance

(Optional.) Perform the following tasks:
• Configuring IPv6 prefix assignment
• Configuring IPv6 address assignment
• Configuring network parameters assignment

(Required.) Configuring the DHCPv6 server on an interface

(Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server

(Optional.) Configuring DHCPv6 binding auto backup

(Optional.) Advertising subnets assigned to clients

(Optional.) Applying a DHCPv6 address pool to a VPN instance

(Optional.) Configuring DHCPv6 logging on the DHCPv6 server

Configuring IPv6 prefix assignment

Use the following methods to configure IPv6 prefix assignment:

• Configure a static IPv6 prefix binding in an address pool—If you bind a DUID and an IAID to an IPv6 prefix, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client. If you only bind a DUID to an IPv6 prefix, the DUID in the request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client.

• Apply a prefix pool to an address pool—The DHCPv6 server dynamically assigns an IPv6 prefix from the prefix pool in the address pool to a DHCPv6 client.

Configuration guidelines

• An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.

• Only one prefix pool can be applied to an address pool. You cannot modify prefix pools that have been applied. To change the prefix pool for an address pool, you must remove the prefix pool application first.

• You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.


Configuration procedure

To configure IPv6 prefix assignment:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. (Optional.) Specify the IPv6 prefixes excluded from dynamic assignment.
   Command: ipv6 dhcp server forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ] [ vpn-instance vpn-instance-name ]
   Remarks: By default, no IPv6 prefixes in the prefix pool are excluded from dynamic assignment. If the excluded IPv6 prefix is in a static binding, the prefix still can be assigned to the client. To exclude multiple IPv6 prefix ranges, repeat this step.

3. Create a prefix pool.
   Command: ipv6 dhcp prefix-pool prefix-pool-number prefix prefix/prefix-len assign-len assign-len [ vpn-instance vpn-instance-name ]
   Remarks: This step is required for dynamic prefix assignment. By default, no prefix pool is configured.

4. Create a DHCPv6 address pool and enter its view.
   Command: ipv6 dhcp pool pool-name
   Remarks: By default, no DHCPv6 address pool is configured.

5. Specify an IPv6 subnet for dynamic assignment.
   Command: network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   Remarks: By default, no IPv6 subnet is specified for dynamic assignment.

6. Configure static prefix assignment, dynamic prefix assignment, or both.
   Command:
   • Configure a static prefix binding: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   • Apply the prefix pool to the address pool: prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   Remarks: By default, static or dynamic prefix assignment is not configured for an address pool. To add multiple static IPv6 prefix bindings, use the static-bind prefix command multiple times.

Configuring IPv6 address assignment

Use one of the following methods to configure IPv6 address assignment:

• Configure a static IPv6 address binding in an address pool.
   If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client. If you only bind a DUID to an IPv6 address, the DUID in a request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.

• Specify a subnet and address ranges in an address pool.
   • Non-temporary address assignment—The server selects addresses from the non-temporary address range specified by the address range command. If no non-temporary address range is specified, the server selects addresses on the subnet specified by the network command.
   • Temporary address assignment—The server selects addresses from the temporary address range specified by the temporary address range command. If no temporary address range is specified in the address pool, the DHCPv6 server cannot assign temporary addresses to clients.

Configuration guidelines

• You can specify only one non-temporary address range and one temporary address range in an address pool.

• The address ranges specified by the address range and temporary address range commands must be on the subnet specified by the network command. Otherwise, the addresses are unassignable.

• Only one prefix pool can be applied to an address pool. You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.

• An IPv6 address can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.

• Only one subnet can be specified in an address pool. If you use the network command multiple times in a DHCPv6 address pool, the most recent configuration takes effect. If you use this command to specify only new lifetimes, the settings do not affect existing leases. The IPv6 addresses assigned after the modification will use the new lifetimes.
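An added Python example, not from the HPE guide, that checks a pool configuration against two rules in this chapter: address ranges must lie on the subnet set by the network command, and the same subnet cannot be configured in different address pools. The sample configuration is constructed, and the parser assumes the indented layout of a saved configuration; the function names are this example's own.

```python
import ipaddress

# Constructed configuration in the style of a saved Comware configuration
# (sub-view commands indented, '#' between sections); addresses are made up.
SAMPLE_CONFIG = """\
ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48
#
ipv6 dhcp pool 1
 network 1::/64 preferred-lifetime 86400 valid-lifetime 259200
 address range 1::10 1::ff
 temporary address range 1:0:0:1::1 1:0:0:1::ff
#
ipv6 dhcp pool 2
 network 1::/64
 address range 1::100 1::1ff
"""


def parse_pools(config_text):
    """Collect the subnet and address ranges configured in each address pool view."""
    pools = {}
    current = None
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0] == "#":
            continue
        if not line[0].isspace():
            # A top-level command ends the previous view; only 'ipv6 dhcp pool' opens one.
            current = None
            if words[:3] == ["ipv6", "dhcp", "pool"] and len(words) == 4:
                current = pools.setdefault(words[3], {"network": None, "ranges": []})
        elif current is None:
            continue
        elif words[0] == "network" and len(words) >= 2:
            # Repeating 'network' replaces the subnet: the most recent one takes effect.
            current["network"] = ipaddress.ip_network(words[1], strict=False)
        elif words[:2] == ["address", "range"] and len(words) >= 4:
            current["ranges"].append(("address range", words[2], words[3]))
        elif words[:3] == ["temporary", "address", "range"] and len(words) >= 5:
            current["ranges"].append(("temporary address range", words[3], words[4]))
    return pools


def lint_pools(config_text):
    """Return (pool, rule, detail) findings for the subnet and range guidelines."""
    findings = []
    subnet_owner = {}
    for name, pool in parse_pools(config_text).items():
        subnet = pool["network"]
        if subnet is not None:
            if subnet in subnet_owner:
                findings.append((name, "duplicate-subnet",
                                 "%s is already used by pool %s" % (subnet, subnet_owner[subnet])))
            else:
                subnet_owner[subnet] = name
        for kind, start, end in pool["ranges"]:
            ends = [ipaddress.ip_address(start), ipaddress.ip_address(end)]
            # A range that is not entirely on the pool subnet is unassignable.
            if subnet is None or any(addr not in subnet for addr in ends):
                findings.append((name, "range-outside-subnet", "%s %s %s" % (kind, start, end)))
    return findings


if __name__ == "__main__":
    for finding in lint_pools(SAMPLE_CONFIG):
        print(finding)
```
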

Configuration procedure

To configure IPv6 address assignment:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. (Optional.) Specify the IPv6 addresses excluded from dynamic assignment.
   Command: ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]
   Remarks: By default, all IPv6 addresses except for the DHCPv6 server's IP address in a DHCPv6 address pool are assignable. If the excluded IPv6 address is in a static binding, the address still can be assigned to the client. To exclude multiple IPv6 prefix ranges, repeat this step.

3. Create a DHCPv6 address pool and enter its view.
   Command: ipv6 dhcp pool pool-name
   Remarks: By default, no DHCPv6 address pool is configured.

4. Specify an IPv6 subnet for dynamic assignment.
   Command: network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   Remarks: By default, no IPv6 address subnet is specified. You cannot use this command to configure the same subnet in different address pools.

5. (Optional.) Specify a non-temporary IPv6 address range.
   Command: address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   Remarks: By default, no non-temporary IPv6 address range is specified, and all unicast addresses on the subnet are assignable.

6. (Optional.) Specify a temporary IPv6 address range.
   Command: temporary address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   Remarks: By default, no temporary IPv6 address range is specified, and the DHCPv6 server cannot assign temporary IPv6 addresses.

7. (Optional.) Create a static binding.
   Command: static-bind address ipv6-address/addr-prefix-length | duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   Remarks: By default, no static binding is configured. To add more static bindings, repeat this step.

Configuring network parameters assignment

In addition to IPv6 prefixes and IPv6 addresses, you can configure up to eight DNS server addresses, one domain name suffix, eight SIP server addresses, and eight SIP server domain names in an address pool.

You can configure network parameters on a DHCPv6 server by using one of the following methods:
• Configure network parameters in a DHCPv6 address pool.
• Configure network parameters in a DHCPv6 option group, and reference the option group in a DHCPv6 address pool.

Network parameters configured in a DHCPv6 address pool take precedence over those configured in a DHCPv6 option group.

Configuring network parameters in a DHCPv6 address pool

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCPv6 address pool and enter its view.
   Command: ipv6 dhcp pool pool-name
   Remarks: By default, no DHCPv6 address pool exists on the DHCPv6 server.

3. Specify an IPv6 subnet for dynamic assignment.
   Command: network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
   Remarks: By default, no IPv6 subnet is specified.

4. (Optional.) Specify a DNS server address.
   Command: dns-server ipv6-address
   Remarks: By default, no DNS server address is specified.

5. (Optional.) Specify a domain name suffix.
   Command: domain-name domain-name
   Remarks: By default, no domain name suffix is specified.

6. (Optional.) Specify a SIP server address or domain name.
   Command: sip-server { address ipv6-address | domain-name domain-name }
   Remarks: By default, no SIP server address or domain name is specified.

7. (Optional.) Configure a self-defined DHCPv6 option.
   Command: option code hex hex-string
   Remarks: By default, no self-defined DHCPv6 option is configured.


Configuring network parameters in a DHCPv6 option group

A DHCPv6 option group can be created by using the following methods:
• Create a static DHCPv6 option group by using the ipv6 dhcp option-group command.
• When the device acts as a DHCPv6 client, it automatically creates a dynamic DHCPv6 option group for saving the obtained parameters. For more information about creating a dynamic DHCPv6 option group, see "Configuring the DHCPv6 client."

To create a static DHCPv6 option group:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a static DHCPv6 option group and enter its view.
   Command: ipv6 dhcp option-group option-group-number
   Remarks: By default, no static DHCPv6 option group exists on the DHCPv6 server.

3. (Optional.) Specify a DNS server address.
   Command: dns-server ipv6-address
   Remarks: By default, no DNS server address is specified.

4. (Optional.) Specify a domain name suffix.
   Command: domain-name domain-name
   Remarks: By default, no domain name suffix is specified.

5. (Optional.) Specify a SIP server address or domain name.
   Command: sip-server { address ipv6-address | domain-name domain-name }
   Remarks: By default, no SIP server address or domain name is specified.

6. (Optional.) Configure a self-defined DHCPv6 option.
   Command: option code hex hex-string
   Remarks: By default, no self-defined DHCPv6 option is configured.

Configuring the DHCPv6 server on an interface

Enable the DHCP server and configure one of the following address/prefix assignment methods on an interface:

• Apply an address pool on the interface—The DHCPv6 server selects an IPv6 address/prefix from the applied address pool for a requesting client. If there is no assignable IPv6 address/prefix in the address pool, the DHCPv6 server cannot assign an IPv6 address/prefix to a client.

• Configure global address assignment on the interface—The DHCPv6 server selects an IPv6 address/prefix in the global DHCPv6 address pool that matches the server interface address or the DHCPv6 relay agent address for a requesting client.

If you configure both methods on an interface, the DHCPv6 server uses the specified address pool for address assignment without performing global address assignment.

Configuration guidelines

• An interface cannot act as a DHCPv6 server and DHCPv6 relay agent at the same time.
• Do not enable DHCPv6 server and DHCPv6 client on the same interface.
• If you use the ipv6 dhcp server command multiple times, the most recent configuration takes effect.
• You can apply an address pool that has not been created to an interface. The setting takes effect after the address pool is created.
• Only one address pool can be applied to an interface. If you use the ipv6 dhcp server apply pool command multiple times, the most recent configuration takes effect.

Configuration procedure

To configure the DHCPv6 server on an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable the DHCPv6 server on the interface.
   Command: ipv6 dhcp select server
   Remarks: By default, the interface discards DHCPv6 packets from DHCPv6 clients.

4. Configure an address/prefix assignment method.
   Command:
   • Configure global address assignment: ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *
   • Apply a DHCPv6 address pool to the interface: ipv6 dhcp server apply pool pool-name [ allow-hint | preference preference-value | rapid-commit ] *
   Remarks: By default, desired address/prefix assignment and rapid assignment are disabled, and the default preference is 0.

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the DSCP value for DHCPv6 packets sent by the DHCPv6 server.
   Command: ipv6 dhcp dscp dscp-value
   Remarks: By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 server is 56.

Configuring DHCPv6 binding auto backup

The auto backup function saves DHCPv6 bindings to a backup file, and allows the DHCPv6 server to download the bindings from the backup file at the server reboot. The bindings include the lease bindings and conflicted IPv6 addresses. They cannot survive a reboot on the DHCPv6 server.

The DHCPv6 server does not provide services during the download process. If a connection error occurs during the process and cannot be repaired in a short amount of time, you can terminate the download operation. Manual interruption allows the DHCPv6 server to provide services without waiting for the connection to be repaired.


To configure DHCPv6 binding auto backup:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure the DHCPv6 server to back up the bindings to a file.
   Command: ipv6 dhcp server database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }
   Remarks: By default, the DHCPv6 server does not back up the DHCPv6 bindings. With this command executed, the DHCPv6 server backs up its bindings immediately and runs auto backup.

3. (Optional.) Manually save the DHCPv6 bindings to the backup file.
   Command: ipv6 dhcp server database update now
   Remarks: N/A

4. (Optional.) Set the waiting time after a DHCPv6 binding change for the DHCPv6 server to update the backup file.
   Command: ipv6 dhcp server database update interval seconds
   Remarks: The default waiting time is 300 seconds. If no DHCPv6 binding changes, the backup file is not updated.

5. (Optional.) Terminate the download of DHCPv6 bindings from the backup file.
   Command: ipv6 dhcp server database update stop
   Remarks: N/A

Advertising subnets assigned to clients

This feature enables the route management module to advertise subnets assigned to DHCPv6 clients. This feature achieves symmetric routing for traffic of the same host.

As shown in Figure 100, Router A and Router B act as both the DHCPv6 server and the BRAS device. The BRAS devices send accounting packets to the RADIUS server. To enable the BRAS devices to collect correct accounting information for each RADIUS user, configure the DHCPv6 server to advertise subnets assigned to clients. The upstream and downstream traffic of a RADIUS user will pass through the same BRAS device.

Figure 100 Network diagram

The subnet advertising on the master device of a VSRP instance takes effect. If the address pool is applied to a VPN instance, the VPN instance must exist.

To configure the subnet advertisement function:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an address pool and enter its view.
   Command: ipv6 dhcp pool pool-name
   Remarks: By default, no DHCPv6 address pool exists.

3. Advertise the subnet assigned to DHCPv6 clients.
   Command: network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] export-route
   Remarks: By default, the subnet assigned to DHCPv6 clients is not advertised.

Applying a DHCPv6 address pool to a VPN instance

If a DHCPv6 address pool is applied to a VPN instance, the DHCPv6 server assigns IPv6 addresses in this address pool to clients in the VPN instance. Addresses in this address pool will not be assigned to clients on the public network.

The DHCPv6 server can obtain the VPN instance to which a DHCPv6 client belongs from the following information:
• The client's VPN information stored in authentication modules, such as IPoE.
• The VPN information of the DHCPv6 server's interface that receives DHCPv6 packets from the client.

The VPN information from authentication modules takes priority over the VPN information of the receiving interface.

To apply a DHCPv6 address pool to a VPN instance:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an address pool and enter its view.
   Command: ipv6 dhcp pool pool-name
   Remarks: By default, no DHCPv6 address pool exists.

3. Apply the address pool to a VPN instance.
   Command: vpn-instance vpn-instance-name
   Remarks: By default, the address pool is not applied to any VPN instance.

Configuring DHCPv6 logging on the DHCPv6 server

The DHCPv6 logging feature enables the DHCPv6 server to generate DHCPv6 logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Disable this feature when the log generation affects the device performance or reduces the address and prefix allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

To configure DHCPv6 logging on the DHCPv6 server:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable DHCPv6 logging.
   Command: dhcp log enable
   Remarks: By default, DHCPv6 logging is disabled.

Displaying and maintaining the DHCPv6 server

Execute display commands in any view and reset commands in user view.

Display the DUID of the local device.
   Command: display ipv6 dhcp duid

Display information about a DHCPv6 option group.
   Command: display ipv6 dhcp option-group [ option-group-number ]

Display DHCPv6 address pool information.
   Command: display ipv6 dhcp pool [ pool-name | vpn-instance vpn-instance-name ]

Display prefix pool information.
   Command: display ipv6 dhcp prefix-pool [ prefix-pool-number ] [ vpn-instance vpn-instance-name ]

Display DHCPv6 server information on an interface.
   Command: display ipv6 dhcp server [ interface interface-type interface-number ]

Display information about IPv6 address conflicts.
   Command: display ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]

Display information about DHCPv6 binding auto backup.
   Command: display ipv6 dhcp server database

Display information about expired IPv6 addresses.
   Command: display ipv6 dhcp server expired [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Display information about IPv6 address bindings.
   Command: display ipv6 dhcp server ip-in-use [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Display information about IPv6 prefix bindings.
   Command: display ipv6 dhcp server pd-in-use [ pool pool-name | [ prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] ]

Display packet statistics on the DHCPv6 server.
   Command: display ipv6 dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]

Clear information about IPv6 address conflicts.
   Command: reset ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]

Clear information about expired IPv6 address bindings.
   Command: reset ipv6 dhcp server expired [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Clear information about IPv6 address bindings.
   Command: reset ipv6 dhcp server ip-in-use [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Clear information about IPv6 prefix bindings.
   Command: reset ipv6 dhcp server pd-in-use [ pool pool-name | [ prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] ]

Clear packet statistics on the DHCPv6 server.
   Command: reset ipv6 dhcp server statistics [ vpn-instance vpn-instance-name ]


DHCPv6 server configuration examples

Dynamic IPv6 prefix assignment configuration example

Network requirements

As shown in Figure 101, the router acts as a DHCPv6 server to assign an IPv6 prefix, a DNS server address, a domain name, a SIP server address, and a SIP server name to each DHCPv6 client.

The router assigns prefix 2001:0410:0201::/48 to the client whose DUID is 00030001CA0006A40000, and assigns prefixes in the range of 2001:0410::/48 to 2001:0410:FFFF::/48 (excluding 2001:0410:0201::/48) to other clients. The DNS server address is 2::2:3. The DHCPv6 clients reside in domain aaa.com. The SIP server address is 2:2::4, and the SIP server name is bbb.com.

Figure 101 Network diagram

Configuration procedure

# Specify an IPv6 address for GigabitEthernet 2/0/1.
<Router> system-view
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ipv6 address 1::1/64

# Disable RA message suppression on GigabitEthernet 2/0/1.
[Router-GigabitEthernet2/0/1] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
[Router-GigabitEthernet2/0/1] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1. Hosts that receive the advertisements will obtain information other than IPv6 address through DHCPv6.
[Router-GigabitEthernet2/0/1] ipv6 nd autoconfig other-flag
[Router-GigabitEthernet2/0/1] quit

# Create prefix pool 1, and specify the prefix 2001:0410::/32 with assigned prefix length 48.
[Router] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48

# Create address pool 1.
[Router] ipv6 dhcp pool 1

# In address pool 1, specify subnet 1::/64 where the server interface resides.
[Router-dhcp6-pool-1] network 1::/64


# Apply prefix pool 1 to address pool 1, and set the preferred lifetime to one day, and the valid lifetime to three days.
[Router-dhcp6-pool-1] prefix-pool 1 preferred-lifetime 86400 valid-lifetime 259200

# In address pool 1, bind prefix 2001:0410:0201::/48 to the client DUID 00030001CA0006A40000, and set the preferred lifetime to one day, and the valid lifetime to three days.
[Router-dhcp6-pool-1] static-bind prefix 2001:0410:0201::/48 duid 00030001CA0006A40000 preferred-lifetime 86400 valid-lifetime 259200

# Configure the DNS server address as 2:2::3.
[Router-dhcp6-pool-1] dns-server 2:2::3

# Configure the domain name as aaa.com.
[Router-dhcp6-pool-1] domain-name aaa.com

# Configure the SIP server address as 2:2::4, and the SIP server name as bbb.com.
[Router-dhcp6-pool-1] sip-server address 2:2::4
[Router-dhcp6-pool-1] sip-server domain-name bbb.com
[Router-dhcp6-pool-1] quit

# Enable the DHCPv6 server on interface GigabitEthernet 2/0/1, enable desired prefix assignment and rapid prefix assignment, and set the preference to the highest.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ipv6 dhcp select server
[Router-GigabitEthernet2/0/1] ipv6 dhcp server allow-hint preference 255 rapid-commit

Verifying the configuration

# Display the DHCPv6 server configuration on GigabitEthernet 2/0/1.
[Router-GigabitEthernet2/0/1] display ipv6 dhcp server interface gigabitethernet 2/0/1

Using pool: global

Preference value: 255

Allow-hint: Enabled

Rapid-commit: Enabled

# Display information about address pool 1.
[Router-GigabitEthernet2/0/1] display ipv6 dhcp pool 1

DHCPv6 pool: 1

Network: 1::/64

Preferred lifetime 604800, valid lifetime 2592000

Prefix pool: 1

Preferred lifetime 86400, valid lifetime 259200

Static bindings:

DUID: 00030001ca0006a4

IAID: Not configured

Prefix: 2001:410:201::/48

Preferred lifetime 86400, valid lifetime 259200

DNS server addresses:

2:2::3

Domain name:

aaa.com

SIP server addresses:

2:2::4

SIP server domain names:

bbb.com


# Display information about prefix pool 1.
[Router-GigabitEthernet2/0/1] display ipv6 dhcp prefix-pool 1

Prefix: 2001:410::/32

Assigned length: 48

Total prefix number: 65536

Available: 65535

In-use: 0

Static: 1

# After the client with the DUID 00030001CA0006A40000 obtains an IPv6 prefix, display the binding information on the DHCPv6 server.
[Router-GigabitEthernet2/0/1] display ipv6 dhcp server pd-in-use

Pool: 1

IPv6 prefix Type Lease expiration

2001:410:201::/48 Static(C) Jul 10 19:45:01 2009

# After the other client obtains an IPv6 prefix, display the binding information on the DHCPv6 server.
[Router-GigabitEthernet2/0/1] display ipv6 dhcp server pd-in-use

Pool: 1

IPv6 prefix Type Lease expiration

2001:410:201::/48 Static(C) Jul 10 19:45:01 2009

2001:410::/48 Auto(C) Jul 10 20:44:05 2009

Dynamic IPv6 address assignment configuration example

Network requirements

As shown in Figure 102, Router A acts as a DHCPv6 server to assign IPv6 addresses to the clients on subnets 1::1:0:0:0/96 and 1::2:0:0:0/96.

On Router A, configure the IPv6 address 1::1:0:0:1/96 for GigabitEthernet 2/0/1 and 1::2:0:0:1/96 for GigabitEthernet 2/0/2. The lease duration of the addresses on subnet 1::1:0:0:0/96 is 172800 seconds (two days), the valid time is 345600 seconds (four days), the domain name is aabbcc.com, and the DNS server address is 1::1:0:0:2/96. The lease duration of the addresses on subnet 1::2:0:0:0/96 is 432000 seconds (five days), the valid time is 864000 seconds (ten days), the domain name is aabbcc.com, and the DNS server address is 1::2:0:0:2/96.

Figure 102 Network diagram


Configuration procedure

1. Configure the interfaces on the DHCPv6 server:

# Specify an IPv6 address for GigabitEthernet 2/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address 1::1:0:0:1/96

# Disable RA message suppression on GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
[RouterA-GigabitEthernet2/0/1] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1. Hosts that receive the advertisements will obtain information other than IPv6 address through DHCPv6.
[RouterA-GigabitEthernet2/0/1] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet2/0/1] quit

# Specify an IPv6 address for GigabitEthernet 2/0/2.
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ipv6 address 1::2:0:0:1/96

# Disable RA message suppression on GigabitEthernet 2/0/2.
[RouterA-GigabitEthernet2/0/2] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/2. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
[RouterA-GigabitEthernet2/0/2] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/2. Hosts that receive the advertisements will obtain information other than IPv6 address through DHCPv6.
[RouterA-GigabitEthernet2/0/2] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet2/0/2] quit

2. Configure DHCPv6:

# Enable the DHCPv6 server on the interfaces GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 dhcp select server
[RouterA-GigabitEthernet2/0/1] quit
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ipv6 dhcp select server
[RouterA-GigabitEthernet2/0/2] quit

# Exclude the DNS server address from dynamic assignment.
[RouterA] ipv6 dhcp server forbidden-address 1::1:0:0:2
[RouterA] ipv6 dhcp server forbidden-address 1::2:0:0:2

# Create DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::1:0:0:0/96.
[RouterA] ipv6 dhcp pool 1
[RouterA-dhcp6-pool-1] network 1::1:0:0:0/96 preferred-lifetime 172800 valid-lifetime 345600
[RouterA-dhcp6-pool-1] domain-name aabbcc.com
[RouterA-dhcp6-pool-1] dns-server 1::1:0:0:2
[RouterA-dhcp6-pool-1] quit

# Create DHCPv6 address pool 2 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::2:0:0:0/96.


[RouterA] ipv6 dhcp pool 2

[RouterA-dhcp6-pool-2] network 1::2:0:0:0/96 preferred-lifetime 432000 valid-lifetime 864000

[RouterA-dhcp6-pool-2] domain-name aabbcc.com

[RouterA-dhcp6-pool-2] dns-server 1::2:0:0:2

[RouterA-dhcp6-pool-2] quit

Verifying the configuration

# Verify that clients on subnets 1::1:0:0:0/96 and 1::2:0:0:0/96 can obtain IPv6 addresses and all other configuration parameters from the DHCPv6 server (Router A). (Details not shown.)

# On the DHCPv6 server, display IPv6 addresses assigned to the clients.
[RouterA] display ipv6 dhcp server ip-in-use


Configuring the DHCPv6 relay agent

Overview

A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 103, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server. The relay agent feature avoids deploying a DHCP server on each subnet.

Figure 103 Typical DHCPv6 relay agent application

As shown in Figure 104, a DHCPv6 client obtains an IPv6 address and other network configuration parameters from a DHCPv6 server through a DHCPv6 relay agent. The following example uses rapid assignment to describe the process:

• The DHCPv6 client sends a Solicit message containing the Rapid Commit option to the multicast address FF02::1:2 of all the DHCPv6 servers and relay agents.

• After receiving the Solicit message, the DHCPv6 relay agent encapsulates the message into the Relay Message option of a Relay-forward message, and sends the message to the DHCPv6 server.

• After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server performs the following tasks:
  - Selects an IPv6 address and other required parameters.
  - Adds them to a reply that is encapsulated within the Relay Message option of a Relay-reply message.
  - Sends the Relay-reply message to the DHCPv6 relay agent.

• The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the DHCPv6 client.

• The DHCPv6 client uses the IPv6 address and other network parameters assigned by the DHCPv6 server to complete network configuration.
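The exchange above at the byte level, as an added example that is not part of the HPE guide or Comware code: a Solicit is wrapped in the Relay Message option of a Relay-forward, the server picks a pool from the link-address field, and the Reply comes back inside a Relay-reply. Message and option codes follow RFC 8415; the relay address 1::1, network 1::/64 and client DUID are taken from this guide's examples, while pool "2", the client link-local address, the transaction ID and the Interface-ID value are constructed.

```python
import ipaddress
import struct

# Message types and option codes defined in RFC 8415.
SOLICIT, REPLY, RELAY_FORW, RELAY_REPL = 1, 7, 12, 13
OPT_CLIENTID, OPT_RELAY_MSG, OPT_RAPID_COMMIT, OPT_INTERFACE_ID = 1, 9, 14, 18
RELAY_HEADER_LEN = 34  # msg-type + hop-count + link-address + peer-address


def pack_option(code, data=b""):
    """Encode one option: 2-byte code, 2-byte length, then the data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode an options area, rejecting options that overrun the buffer."""
    opts, offset = {}, 0
    while offset < len(buf):
        if len(buf) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        if offset + length > len(buf):
            raise ValueError("option %d overruns the message" % code)
        opts[code] = buf[offset:offset + length]
        offset += length
    return opts


def build_solicit(xid, duid):
    """Client: Solicit carrying Client Identifier and Rapid Commit options."""
    header = bytes([SOLICIT]) + xid.to_bytes(3, "big")
    return header + pack_option(OPT_CLIENTID, duid) + pack_option(OPT_RAPID_COMMIT)


def build_relay(msg_type, inner, link_address, peer_address, interface_id=None):
    """Wrap `inner` in a Relay-forward (agent) or Relay-reply (server)."""
    header = (bytes([msg_type, 0]) + ipaddress.IPv6Address(link_address).packed
              + ipaddress.IPv6Address(peer_address).packed)
    options = pack_option(OPT_RELAY_MSG, inner)
    if interface_id is not None:
        options = pack_option(OPT_INTERFACE_ID, interface_id) + options
    return header + options


def parse_relay(msg):
    """Split a relay message into header fields and the wrapped message."""
    if len(msg) < RELAY_HEADER_LEN or msg[0] not in (RELAY_FORW, RELAY_REPL):
        raise ValueError("not a well-formed relay message")
    opts = parse_options(msg[RELAY_HEADER_LEN:])
    if OPT_RELAY_MSG not in opts:
        raise ValueError("Relay Message option missing")
    return {
        "msg_type": msg[0],
        "link_address": ipaddress.IPv6Address(msg[2:18]),
        "peer_address": ipaddress.IPv6Address(msg[18:34]),
        "interface_id": opts.get(OPT_INTERFACE_ID),
        "inner": opts[OPT_RELAY_MSG],
    }


def select_pool(link_address, pools):
    """Server: name of the pool whose network contains link-address."""
    return next((name for name, net in pools.items()
                 if link_address in ipaddress.IPv6Network(net)), None)


def server_answer(relay_forward, pools):
    """Server: unwrap the Solicit, pick a pool, answer in a Relay-reply."""
    fwd = parse_relay(relay_forward)
    solicit = fwd["inner"]
    if len(solicit) < 4 or solicit[0] != SOLICIT:
        raise ValueError("wrapped message is not a Solicit")
    client_opts = parse_options(solicit[4:])
    if OPT_CLIENTID not in client_opts or OPT_RAPID_COMMIT not in client_opts:
        raise ValueError("expected Client Identifier and Rapid Commit")
    pool = select_pool(fwd["link_address"], pools)
    if pool is None:
        raise LookupError("no pool for link-address %s" % fwd["link_address"])
    # Reply echoes the transaction ID and DUID; address options are omitted.
    reply = (bytes([REPLY]) + solicit[1:4] + pack_option(OPT_RAPID_COMMIT)
             + pack_option(OPT_CLIENTID, client_opts[OPT_CLIENTID]))
    relay_reply = build_relay(RELAY_REPL, reply, fwd["link_address"],
                              fwd["peer_address"], fwd["interface_id"])
    return pool, relay_reply


# From the page: relay interface address 1::1, pool network 1::/64, client DUID.
# Constructed: pool "2", the client link-local address, XID and Interface-ID.
CLIENT_DUID = bytes.fromhex("00030001CA0006A40000")
POOLS = {"1": "1::/64", "2": "3::/64"}


def demo():
    solicit = build_solicit(0x1A2B3C, CLIENT_DUID)
    forward = build_relay(RELAY_FORW, solicit, "1::1", "fe80::1", b"GE2/0/1")
    pool, relay_reply = server_answer(forward, POOLS)
    unwrapped = parse_relay(relay_reply)  # what the relay agent does next
    return pool, str(unwrapped["peer_address"]), unwrapped["inner"]
```

Calling `demo()` returns the selected pool, the peer address the relay agent forwards the Reply to, and the Reply bytes. A link-address outside every pool network raises `LookupError`, which is why the gateway address the relay fills in has to match a pool on the server.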


Figure 104 Operating process of a DHCPv6 relay agent

DHCPv6 relay agent configuration task list

Tasks at a glance

(Required.) Enabling the DHCPv6 relay agent on an interface

(Required.) Specifying DHCPv6 servers on the relay agent

(Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent

(Optional.) Specifying a padding mode for the Interface-ID option

(Optional.) Configuring a DHCPv6 relay address pool

(Optional.) Specifying a gateway address for DHCPv6 clients

Enabling the DHCPv6 relay agent on an interface

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Enable DHCPv6 relay agent on the interface. | ipv6 dhcp select relay | By default, the DHCPv6 relay agent is disabled on the interface. Do not enable the DHCPv6 relay agent and DHCPv6 client on the same interface.

Specifying DHCPv6 servers on the relay agent

You can use the ipv6 dhcp relay server-address command to specify a maximum of eight DHCPv6 servers on the DHCP relay agent interface. The DHCPv6 relay agent forwards DHCP requests to all the specified DHCPv6 servers.

To specify a DHCPv6 server on a relay agent:


Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Specify a DHCPv6 server. | ipv6 dhcp relay server-address ipv6-address [ interface interface-type interface-number ] | By default, no DHCPv6 server is specified. If a DHCPv6 server address is a link-local address or multicast address, you must specify an outgoing interface by using the interface keyword in this command. Otherwise, DHCPv6 packets might fail to reach the DHCPv6 server.

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent. | ipv6 dhcp dscp dscp-value | The default DSCP value is 56.

Specifying a padding mode for the Interface-ID option

This function enables the relay agent to fill the Interface-ID option in the specified mode. When receiving a DHCPv6 packet from a client, the relay agent fills the Interface-ID option in the mode and then forwards the packet to the DHCPv6 server.

To specify a padding mode for the Interface-ID option:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Specify a padding mode for the Interface-ID option. | ipv6 dhcp relay interface-id { bas | interface } | By default, the relay agent fills the Interface-ID option with the interface index of the interface.


Configuring a DHCPv6 relay address pool

This feature allows DHCPv6 clients of the same type to obtain IPv6 addresses and other configuration parameters from the DHCPv6 servers specified in the matching relay address pool.

It applies to scenarios where the DHCPv6 relay agent connects to clients of the same access type but classified into different types by their locations. In this case, the relay interface typically has no IPv6 address configured. You can use the gateway-list command to specify the gateway address for clients matching the same relay address pool.

Upon receiving a DHCPv6 Solicit or Request from a client that matches a relay address pool, the relay agent processes the packet as follows:

• Fills the link-address field of the packet with the specified gateway address.

• Forwards the packet to all DHCPv6 servers in the matching relay address pool.

The DHCPv6 servers select an address pool according to the gateway address.

To configure a DHCPv6 relay address pool:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create a DHCPv6 relay address pool and enter its view. | ipv6 dhcp pool pool-name | By default, no DHCPv6 relay address pool exists. This command is the same for creating DHCPv6 address pools on a DHCPv6 server. However, the relay address pool name is not necessarily the same as the server address pool name.
3. Specify gateway addresses for the clients matching the relay address pool. | gateway-list ipv6-address&<1-8> | By default, no gateway address is specified. You can specify a maximum of eight gateway addresses, but only the first one takes effect.
4. Specify DHCPv6 servers for the relay address pool. | remote-server ipv6-address [ interface interface-type interface-number ] | By default, no DHCPv6 server is specified for the relay address pool. You can specify a maximum of eight DHCPv6 servers for one relay address pool for high availability. The relay agent forwards DHCPv6 Solicit and Request packets to all DHCPv6 servers in the relay address pool.

Specifying a gateway address for DHCPv6 clients

By default, the DHCPv6 relay agent fills the link-address field of DHCPv6 Solicit and Request packets with the first IPv6 address of the relay interface. You can specify a gateway address on the relay agent for DHCPv6 clients. The DHCPv6 relay agent uses the specified gateway address to fill the link-address field of DHCPv6 Solicit and Request packets.

To specify a gateway address for DHCPv6 clients:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Specify a gateway address for DHCPv6 clients. | ipv6 dhcp relay gateway ipv6-address | By default, the DHCPv6 relay agent uses the first IPv6 address of the relay interface as the clients' gateway address.

Displaying and maintaining the DHCPv6 relay agent

Execute display commands in any view and reset commands in user view.

Task | Command
Display the DUID of the local device. | display ipv6 dhcp duid
Display DHCPv6 server addresses specified on the DHCPv6 relay agent. | display ipv6 dhcp relay server-address [ interface interface-type interface-number ]
Display packet statistics on the DHCPv6 relay agent. | display ipv6 dhcp relay statistics [ interface interface-type interface-number ]
Clear packet statistics on the DHCPv6 relay agent. | reset ipv6 dhcp relay statistics [ interface interface-type interface-number ]

DHCPv6 relay agent configuration example

Network requirements

As shown in Figure 105, configure the DHCPv6 relay agent on Router A to relay DHCP packets between DHCPv6 clients and the DHCPv6 server.

Router A acts as the gateway of network 1::/64. It sends RA messages to notify the hosts to obtain IPv6 addresses and other configuration parameters through DHCPv6. For more information about RA messages, see "Configuring basic IPv6 settings."

Figure 105 Network diagram


Configuration procedure

# Specify IPv6 addresses for GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ipv6 address 2::1 64
[RouterA-GigabitEthernet2/0/2] quit
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address 1::1 64

# Disable RA message suppression on GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1. Hosts that receive the RA messages will obtain IPv6 addresses through DHCPv6.
[RouterA-GigabitEthernet2/0/1] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1. Hosts that receive the RA messages will obtain information other than IPv6 address through DHCPv6.
[RouterA-GigabitEthernet2/0/1] ipv6 nd autoconfig other-flag

# Enable the DHCPv6 relay agent on GigabitEthernet 2/0/1 and specify the DHCPv6 server on the relay agent.
[RouterA-GigabitEthernet2/0/1] ipv6 dhcp select relay
[RouterA-GigabitEthernet2/0/1] ipv6 dhcp relay server-address 2::2

Verifying the configuration

# Display DHCPv6 server address information on Router A.
[RouterA-GigabitEthernet2/0/1] display ipv6 dhcp relay server-address

Interface: GigabitEthernet2/0/1

Server address Outgoing Interface

2::2

# Display packet statistics on the DHCPv6 relay agent.
[RouterA-GigabitEthernet2/0/1] display ipv6 dhcp relay statistics

Packets dropped : 0

Packets received : 14

Solicit : 0

Request : 0

Confirm : 0

Renew : 0

Rebind : 0

Release : 0

Decline : 0

Information-request : 7

Relay-forward : 0

Relay-reply : 7

Packets sent : 14

Advertise : 0

Reconfigure : 0

Reply : 7


Relay-forward : 7

Relay-reply : 0


Configuring the DHCPv6 client

Overview

With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server.

A DHCPv6 client can use DHCPv6 to complete the following functions:

• Obtain an IPv6 address, an IPv6 prefix, or both, and obtain other configuration parameters. The client automatically creates a DHCPv6 option group for the obtained parameters. With the obtained IPv6 prefix, the client can generate its global unicast address.

• Support stateless DHCPv6 to obtain configuration parameters except IPv6 address and IPv6 prefix. The client obtains an IPv6 address through stateless IPv6 address autoconfiguration. If the client receives an RA message with the M flag set to 0 and the O flag set to 1 during address acquisition, stateless DHCPv6 starts.

Configuration restrictions and guidelines

When you configure DHCPv6 client, follow these restrictions and guidelines:

• The DHCPv6 client configuration is supported only on Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, and VLAN interfaces.

• Do not configure the DHCPv6 client on the same interface as the DHCPv6 server or the DHCPv6 relay agent.
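A configuration check for the interface restrictions stated in this guide, as an added example that is not HPE tooling: it flags an interface that combines the DHCPv6 client with the relay agent or server, a relay server address that is link-local or multicast without the interface keyword, and more than eight relay servers. The saved-configuration layout (an `interface` line followed by commands indented by one space, with `#` separators) is an assumption, and the sample configuration and finding names are constructed.

```python
import ipaddress
import re

MAX_RELAY_SERVERS = 8  # limit the guide states for relay server-address
CLIENT_PREFIXES = (
    "ipv6 address dhcp-alloc",
    "ipv6 dhcp client pd",
    "ipv6 dhcp client stateful",
    "ipv6 dhcp client stateless enable",
)
SERVER_ADDR = re.compile(
    r"^ipv6 dhcp relay server-address (\S+)(?: interface (\S.*))?$")


def interface_blocks(config):
    """Map each interface name to the commands configured under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "#" separator or another top-level line
    return blocks


def audit_interface(commands):
    """Return the names of the rules an interface's commands violate."""
    findings = []
    relay = "ipv6 dhcp select relay" in commands
    server = "ipv6 dhcp select server" in commands
    client = any(c.startswith(CLIENT_PREFIXES) for c in commands)
    if client and relay:
        findings.append("client-and-relay-on-same-interface")
    if client and server:
        findings.append("client-and-server-on-same-interface")
    targets = [m for m in map(SERVER_ADDR.match, commands) if m]
    if len(targets) > MAX_RELAY_SERVERS:
        findings.append("more-than-eight-relay-servers")
    for match in targets:
        try:
            address = ipaddress.IPv6Address(match.group(1))
        except ValueError:
            findings.append("unparsable-server-address")
            continue
        needs_interface = address.is_link_local or address.is_multicast
        if needs_interface and match.group(2) is None:
            findings.append("server-address-needs-outgoing-interface")
    return findings


def audit(config):
    """Audit every interface block; keep only interfaces with findings."""
    report = {}
    for name, commands in interface_blocks(config).items():
        findings = audit_interface(commands)
        if findings:
            report[name] = findings
    return report


# Constructed sample in the assumed saved-configuration layout.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet2/0/1
 ipv6 address 1::1/64
 ipv6 dhcp select relay
 ipv6 dhcp relay server-address 2::2
#
interface GigabitEthernet2/0/2
 ipv6 dhcp select relay
 ipv6 dhcp relay server-address FE80::2
 ipv6 address dhcp-alloc rapid-commit option-group 1
#
interface GigabitEthernet2/0/3
 ipv6 dhcp select relay
 ipv6 dhcp relay server-address FE80::2 interface GigabitEthernet2/0/1
#
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings)
```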

DHCPv6 client configuration task list

Tasks at a glance

(Required.) Perform one of the following tasks:
• Configuring IPv6 address acquisition
• Configuring IPv6 prefix acquisition
• Configuring IPv6 address and prefix acquisition
• Configuring stateless DHCPv6

(Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client

Configuring IPv6 address acquisition

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure the interface to use DHCPv6 to obtain an IPv6 address and other configuration parameters. | ipv6 address dhcp-alloc [ option-group group-number | rapid-commit ] * | By default, the interface does not use DHCPv6 for IPv6 address acquisition.


Configuring IPv6 prefix acquisition

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure the interface to use DHCPv6 to obtain an IPv6 prefix and other configuration parameters. | ipv6 dhcp client pd prefix-number [ option-group group-number | rapid-commit ] * | By default, the interface does not use DHCPv6 for IPv6 prefix acquisition.

Configuring IPv6 address and prefix acquisition

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure the interface to use DHCPv6 to obtain an IPv6 address, an IPv6 prefix, and other configuration parameters. | ipv6 dhcp client stateful prefix prefix-number [ option-group option-group-number | rapid-commit ] * | By default, the interface does not use DHCPv6 for IPv6 address and prefix acquisition.

Configuring stateless DHCPv6

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure the interface to support stateless DHCPv6. | • Enable stateless IPv6 address autoconfiguration: ipv6 address auto • Enable stateless DHCPv6: ipv6 dhcp client stateless enable | By default, the interface does not support stateless DHCPv6. You can perform both tasks. If you use only the ipv6 address auto command, make sure the M flag is set to 0 and the O flag is set to 1 in the RA message. Otherwise, stateless DHCPv6 cannot be triggered.

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.


To set the DSCP value for DHCPv6 packets sent by the DHCPv6 client:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the DSCP value for DHCPv6 packets sent by the DHCPv6 client. | ipv6 dhcp client dscp dscp-value | By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 client is 56.

Displaying and maintaining DHCPv6 client

Execute the display commands in any view, and execute the reset command in user view.

Task | Command
Display the DHCPv6 client information. | display ipv6 dhcp client [ interface interface-type interface-number ]
Display the DHCPv6 client statistics. | display ipv6 dhcp client statistics [ interface interface-type interface-number ]
Clear the DHCPv6 client statistics. | reset ipv6 dhcp client statistics [ interface interface-type interface-number ]

DHCPv6 client configuration examples

IPv6 address acquisition configuration example

Network requirements

As shown in Figure 106, configure GigabitEthernet 2/0/1 of the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

Figure 106 Network diagram

Configuration procedure

You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

# Configure GigabitEthernet 2/0/1 to support DHCPv6 rapid address assignment. Enable the DHCPv6 client to create dynamic DHCPv6 option group 1 for saving configuration parameters.


<Router> system-view

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] ipv6 address dhcp-alloc rapid-commit option-group 1

[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that the DHCPv6 client has obtained configuration parameters from the server.
[Router] display ipv6 dhcp client

GigabitEthernet2/0/1:

Type: Stateful client requesting address

State: OPEN

Client DUID: 00030001d07e28db74fb

Preferred server:

Reachable via address: FE80::2E0:1FF:FE00:19

Server DUID: 00030001000fe20a0a00

IA_NA: IAID 0x00000a02, T1 50 sec, T2 80 sec

Address: 1:2::2/128

Preferred lifetime 100 sec, valid lifetime 200 sec

Will expire on Mar 27 2014 at 15:35:55 (196 seconds left)

DNS server addresses:

2000::FF

Domain name:

example.com

SIP server addresses:

2:2::4

SIP server domain names:

bbb.com

# Verify that the client has created a dynamic DHCPv6 option group for saving configuration parameters.
[Router-GigabitEthernet2/0/1] display ipv6 dhcp option-group 1

DHCPv6 option group: 1

DNS server addresses:

Type: Dynamic (DHCPv6 address allocation)

Interface: GigabitEthernet2/0/1

2000::FF

Domain name:

Type: Dynamic (DHCPv6 address allocation)

Interface: GigabitEthernet2/0/1

example.com

SIP server addresses:

Type: Dynamic (DHCPv6 address allocation)

Interface: GigabitEthernet2/0/1

2:2::4

SIP server domain names:

Type: Dynamic (DHCPv6 address allocation)

Interface: GigabitEthernet2/0/1

bbb.com

# Verify that the DHCPv6 client has obtained an IPv6 address.
[Router] display ipv6 interface brief

*down: administratively down

(s): spoofing

Interface Physical Protocol IPv6 Address

GigabitEthernet2/0/1 up up 1:1::2

IPv6 prefix acquisition configuration example

Network requirements

As shown in Figure 107, configure GigabitEthernet 2/0/1 of the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

Figure 107 Network requirements

Configuration procedure

You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

# Configure an IPv6 address for GigabitEthernet 2/0/1 that connects to the DHCPv6 server.
<Router> system-view
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ipv6 address 1::2/48

# Configure GigabitEthernet 2/0/1 to support DHCPv6 rapid prefix assignment. Enable the DHCPv6 client to assign an ID to the obtained IPv6 prefix and create a dynamic DHCPv6 option group for saving configuration parameters.
[Router-GigabitEthernet2/0/1] ipv6 dhcp client pd 1 rapid-commit option-group 1
[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that the DHCPv6 client has obtained an IPv6 prefix and other configuration parameters from the DHCPv6 server.
[Router] display ipv6 dhcp client

GigabitEthernet2/0/1:

Type: Stateful client requesting prefix

State: OPEN

Client DUID: 00030001d07e28db74fb

Preferred server:

Reachable via address: FE80::2E0:1FF:FE00:19

Server DUID: 0003000100e001000000


IA_PD: IAID 0x00000a02, T1 50 sec, T2 80 sec

Prefix: 12:34::/48

Preferred lifetime 100 sec, valid lifetime 200 sec

Will expire on Feb 4 2014 at 15:37:20(80 seconds left)

DNS server addresses:

2000::FF

Domain name:

example.com

SIP server addresses:

2:2::4

SIP server domain names:

bbb.com

# Verify that the client has obtained an IPv6 prefix.
[Router] display ipv6 prefix 1

Number: 1

Type : Dynamic

Prefix: 12:34::/48

Preferred lifetime 100 sec, valid lifetime 200 sec

# Verify that the client has created a dynamic DHCPv6 option group for saving configuration parameters.
[Router] display ipv6 dhcp option-group 1

DHCPv6 option group: 1

DNS server addresses

Type: Dynamic (DHCPv6 prefix allocation)

Interface: GigabitEthernet2/0/1

2000::FF

Domain name:

Type: Dynamic (DHCPv6 prefix allocation)

Interface: GigabitEthernet2/0/1

example.com

SIP server addresses:

Type: Dynamic (DHCPv6 prefix allocation)

Interface: GigabitEthernet2/0/1

2:2::4

SIP server domain names:

Type: Dynamic (DHCPv6 prefix allocation)

Interface: GigabitEthernet2/0/1

bbb.com

IPv6 address and prefix acquisition configuration example

Network requirements

As shown in Figure 108, configure GigabitEthernet 2/0/1 of the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.


Figure 108 Network diagram

Configuration procedure

You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

# Configure an IPv6 address for GigabitEthernet 2/0/1 that connects to the DHCPv6 server.
<Router> system-view
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ipv6 address 1::2/48

# Configure GigabitEthernet 2/0/1 to use DHCPv6 for IPv6 address and prefix acquisition. Specify IDs for the dynamic IPv6 prefix and dynamic DHCPv6 option group, and configure the client to support rapid address and prefix assignment.
[Router-GigabitEthernet2/0/1] ipv6 dhcp client stateful prefix 1 rapid-commit option-group 1
[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Display DHCPv6 client information. The output shows that the DHCPv6 client has obtained an IPv6 address, an IPv6 prefix, and other configuration parameters from the DHCPv6 server.
[Router] display ipv6 dhcp client
GigabitEthernet2/0/1:
  Type: Stateful client requesting address and prefix
  State: OPEN
  Client DUID: 00030001d07e28db74fb
  Preferred server:
    Reachable via address: FE80::2E0:1FF:FE00:19
    Server DUID: 0003000100e001000000
  IA_NA: IAID 0x00000a02, T1 50 sec, T2 80 sec
    Address: 1:1::2/128
      Preferred lifetime 100 sec, valid lifetime 200 sec
      Will expire on Mar 27 2014 at 15:29:34 (198 seconds left)
  IA_PD: IAID 0x00000a02, T1 50 sec, T2 80 sec
    Prefix: 12:34::/48
      Preferred lifetime 100 sec, valid lifetime 200 sec
      Will expire on Mar 27 2014 at 15:29:34 (198 seconds left)
  DNS server addresses:
    2000::FF
  Domain name:
    example.com
  SIP server addresses:
    2:2::4
  SIP server domain names:
    bbb.com

# Display brief IPv6 information for all interfaces on the device. The output shows that the DHCPv6 client has obtained an IPv6 address.
[Router] display ipv6 interface brief
*down: administratively down
(s): spoofing
Interface                Physical Protocol IPv6 Address
GigabitEthernet2/0/1     up       up       1:1::2

# Display information about the dynamic IPv6 prefix. The output shows that the client has obtained an IPv6 prefix.
[Router] display ipv6 prefix 1
Number: 1
Type : Dynamic
Prefix: 12:34::/48
  Preferred lifetime 100 sec, valid lifetime 200 sec

# Display information about the dynamic DHCPv6 option group. The output shows that the client has created a dynamic DHCPv6 option group for saving configuration parameters.
[Router] display ipv6 dhcp option-group 1
DHCPv6 option group: 1
  DNS server addresses:
    Type: Dynamic (DHCPv6 address and prefix allocation)
    Interface: GigabitEthernet2/0/1
      2000::FF
  Domain name:
    Type: Dynamic (DHCPv6 address and prefix allocation)
    Interface: GigabitEthernet2/0/1
      example.com
  SIP server addresses:
    Type: Dynamic (DHCPv6 address and prefix allocation)
    Interface: GigabitEthernet2/0/1
      2:2::4
  SIP server domain names:
    Type: Dynamic (DHCPv6 address and prefix allocation)
    Interface: GigabitEthernet2/0/1
      bbb.com

Stateless DHCPv6 configuration example

Network requirements

As shown in Figure 109, configure GigabitEthernet 2/0/1 on Router A to use stateless DHCPv6 to obtain configuration parameters except IPv6 address and IPv6 prefix. Router B acts as the gateway and advertises RA messages periodically.

Figure 109 Network diagram

Configuration procedure

You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

1. Configure the gateway Router B:

# Configure an IPv6 address for GigabitEthernet 2/0/1.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ipv6 address 1::1 64

# Set the O flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1. Hosts that receive the RA advertisements will obtain information other than IPv6 address through DHCPv6.
[RouterB-GigabitEthernet2/0/1] ipv6 nd autoconfig other-flag

# Disable RA message suppression on GigabitEthernet 2/0/1.
[RouterB-GigabitEthernet2/0/1] undo ipv6 nd ra halt

2. Configure the DHCPv6 client on Router A:

# Enable stateless IPv6 address autoconfiguration on GigabitEthernet 2/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address auto

With stateless IPv6 address autoconfiguration enabled but no IPv6 address configured for GigabitEthernet 2/0/1, Router A generates a link-local address. It sends an RS message to Router B to request configuration information for IPv6 address generation. Upon receiving the RS message, Router B sends back an RA message. After receiving an RA message with the M flag set to 0 and the O flag set to 1, Router A performs stateless DHCPv6 to get other configuration parameters.

Verifying the configuration

# Display DHCPv6 client information for GigabitEthernet 2/0/1.
[RouterA-GigabitEthernet2/0/1] display ipv6 dhcp client interface gigabitethernet 2/0/1
GigabitEthernet2/0/1:
  Type: Stateless client
  State: OPEN
  IAID: 0xf0019
  Client DUID: 00030001000fe2ff0000
  Preferred server:
    Reachable via address: FE80::213:7FFF:FEF6:C818
    Server DUID: 0003000100137ff6c818
  DNS server addresses:
    1:2:4::5
    1:2:4::7
  Domain name:
    abc.com

# Display DHCPv6 client statistics.
[RouterA-GigabitEthernet2/0/1] display ipv6 dhcp client statistics
Interface : GigabitEthernet2/0/1
Packets received : 1
  Reply : 1
  Advertise : 0
  Reconfigure : 0
  Invalid : 0
Packets sent : 5
  Solicit : 0
  Request : 0
  Renew : 0
  Rebind : 0
  Information-request : 5
  Release : 0
  Decline : 0

Configuring DHCPv6 snooping

This feature is supported only on the following ports:
• Layer 2 Ethernet ports on the following modules:
  • HMIM-8GSW.
  • HMIM-24GSW.
  • HMIM-24GSW-PoE.
  • SIC-4GSW.
  • SIC-4GSW-PoE.
• Fixed Layer 2 Ethernet ports on MSR2004-24/2004-48 routers.
• Fixed Layer 2 Ethernet ports on MSR1002-4/1003-8S routers.

Overview

DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent. It guarantees that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers. Also, it records IP-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping entries) for security purposes.

DHCPv6 snooping does not work between the DHCPv6 server and DHCPv6 relay agent.

DHCPv6 snooping defines trusted and untrusted ports to make sure that clients obtain IPv6 addresses only from authorized DHCPv6 servers.
• Trusted—A trusted port can forward DHCPv6 messages correctly to make sure the clients get IPv6 addresses from authorized DHCPv6 servers.
• Untrusted—An untrusted port discards received messages sent by DHCPv6 servers to prevent unauthorized servers from assigning IPv6 addresses.

DHCPv6 snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCPv6 snooping entries. A DHCPv6 snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCPv6 client, and the VLAN. You can use the display ipv6 dhcp snooping binding command to display the IP addresses of users for management.

Application of trusted and untrusted ports

Configure ports facing the DHCPv6 server as trusted ports, and configure other ports as untrusted ports.

As shown in Figure 110, configure the DHCPv6 snooping device's port that is connected to the DHCPv6 server as a trusted port. The trusted port forwards response messages from the DHCPv6 server to the client. The untrusted port connected to the unauthorized DHCPv6 server discards incoming DHCPv6 response messages.

Figure 110 Trusted and untrusted ports

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A)

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Implementation of Option 18 and Option 37

Option 18 for DHCPv6 snooping

Option 18, also called the interface-ID option, is used by the DHCPv6 relay agent to determine the interface to use to forward the RELAY-REPLY message.

The DHCPv6 snooping device adds Option 18 to the received DHCPv6 request message before forwarding it to the DHCPv6 server. The server then assigns an IP address to the client based on the client information in Option 18.

Figure 111 Option 18 format

Figure 111 shows the Option 18 format, which includes the following fields:

• Option code—Option code.
• Option length—Size of the option data.
• Port index—Port that receives the DHCPv6 request from the client.
• VLAN ID—ID of the outer VLAN.
• Second VLAN ID—ID of the inner VLAN.
• DUID—DUID of the DHCPv6 client.

NOTE: The Second VLAN ID field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 18 also does not contain it.

DHCPv6 snooping support for Option 37

Option 37, also called the remote-ID option, is used to identify the client.

The DHCPv6 snooping device adds Option 37 to the received DHCPv6 request message before forwarding it to the DHCPv6 server. This option provides client information about address allocation.

Figure 112 Option 37 format

Figure 112 shows the Option 37 format, which includes the following fields:
• Option code—Option code.
• Option length—Size of the option data.
• Enterprise number—Enterprise number.
• Port index—Port that receives the DHCPv6 request from the client.
• VLAN ID—ID of the outer VLAN.
• Second VLAN ID—ID of the inner VLAN.
• DUID—DUID of the DHCPv6 client.

NOTE: The Second VLAN ID field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 37 also does not contain it.

DHCPv6 snooping configuration task list

Tasks at a glance
• (Required.) Configuring basic DHCPv6 snooping
• (Optional.) Configuring Option 18 and Option 37
• (Optional.) Configuring DHCPv6 snooping entry auto backup
• (Optional.) Setting the maximum number of DHCPv6 snooping entries
• (Optional.) Enabling DHCPv6-REQUEST check

Configuring basic DHCPv6 snooping

Follow these guidelines when you configure basic DHCPv6 snooping:
• To make sure DHCPv6 clients can obtain valid IPv6 addresses, specify the ports connected to authorized DHCPv6 servers as trusted ports. The trusted ports and the ports connected to DHCPv6 clients must be in the same VLAN.
• If you configure DHCPv6 snooping settings on a Layer 2 Ethernet interface that is a member port of a Layer 2 aggregate interface, the settings do not take effect unless the interface is removed from the aggregation group.

To configure basic DHCPv6 snooping:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCPv6 snooping.
   Command: ipv6 dhcp snooping enable
   Remarks: By default, DHCPv6 snooping is disabled.
3. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: This interface must connect to the DHCPv6 server.
4. Specify the port as a trusted port.
   Command: ipv6 dhcp snooping trust
   Remarks: By default, all ports are untrusted ports after DHCPv6 snooping is enabled.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: This interface must connect to the DHCPv6 client.
7. (Optional.) Enable recording of client information in DHCPv6 snooping entries.
   Command: ipv6 dhcp snooping binding record
   Remarks: By default, DHCPv6 snooping does not record client information.

Configuring Option 18 and Option 37

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   Remarks: N/A
3. Enable support for Option 18.
   Command: ipv6 dhcp snooping option interface-id enable
   Remarks: By default, Option 18 is not supported.
4. (Optional.) Specify the content as the interface ID.
   Command: ipv6 dhcp snooping option interface-id [ vlan vlan-id ] string interface-id
   Remarks: By default, the DHCPv6 snooping device uses its DUID as the content for Option 18.
5. Enable support for Option 37.
   Command: ipv6 dhcp snooping option remote-id enable
   Remarks: By default, Option 37 is not supported.
6. (Optional.) Specify the content as the remote ID.
   Command: ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id
   Remarks: By default, the DHCPv6 snooping device uses its DUID as the content for Option 37.

Configuring DHCPv6 snooping entry auto backup

DHCPv6 snooping entries on the DHCPv6 snooping device cannot survive a reboot. The auto backup function saves DHCPv6 snooping entries to a backup file, and allows the DHCPv6 snooping device to download the entries from the backup file at reboot. Auto backup helps security features that must use DHCPv6 snooping entries for user authentication (such as IP source guard) to provide services.

IMPORTANT: If you disable DHCPv6 snooping with the undo ipv6 dhcp snooping enable command, the device deletes all DHCPv6 snooping entries, including those stored in the backup file.

To configure DHCPv6 snooping entry auto backup:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.
   Command: ipv6 dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }
   Remarks: By default, the DHCPv6 snooping device does not back up the DHCPv6 snooping entries. With this command executed, the DHCPv6 snooping device backs up DHCPv6 snooping entries immediately and runs auto backup. This command automatically creates the file if you specify a non-existent file.
3. (Optional.) Manually save DHCPv6 snooping entries to the backup file.
   Command: ipv6 dhcp snooping binding database update now
   Remarks: N/A
4. (Optional.) Set the waiting time after a DHCPv6 snooping entry change for the DHCPv6 snooping device to update the backup file.
   Command: ipv6 dhcp snooping binding database update interval seconds
   Remarks: The default waiting time is 300 seconds. The waiting period starts when a DHCPv6 snooping entry is learned, updated, or removed. The DHCPv6 snooping device updates the backup file when the specified waiting period is reached. All changed entries during the period will be saved to the backup file. If no DHCPv6 snooping entry changes, the backup file is not updated.

Setting the maximum number of DHCPv6 snooping entries

Perform this task to prevent the system resources from being overused.

To set the maximum number of DHCPv6 snooping entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Set the maximum number of DHCPv6 snooping entries for the interface to learn.
   Command: ipv6 dhcp snooping max-learning-num number
   Remarks: By default, the number of DHCPv6 snooping entries for an interface to learn is not limited.

Enabling DHCPv6-REQUEST check

Perform this task to use the DHCPv6-REQUEST check function to protect the DHCPv6 server against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages prevent the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses.

The DHCPv6-REQUEST check function enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.
• If any criterion in an entry is matched, the device compares the entry with the message information. If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server. If they are different, the device considers the message forged and discards it.
• If no matching entry is found, the device forwards the message to the DHCPv6 server.
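
The check described above, modeled in Python as an added example (it is not HPE code and not part of the original guide). The entry fields follow this guide; treating the leased address and the client MAC as the matching criteria, the class and function names, and all sample values are assumptions made for illustration.

```python
"""Model of the DHCPv6-REQUEST check decision (added example, not HPE code)."""
from dataclasses import dataclass
from ipaddress import IPv6Address

# Message types the guide says are checked against DHCPv6 snooping entries.
CHECKED_TYPES = {"RENEW", "DECLINE", "RELEASE"}


def norm_mac(mac: str) -> str:
    """Reduce 0001-0203-0405 or 00:01:02:03:04:05 to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass(frozen=True)
class SnoopingEntry:
    """Fields the guide lists for a DHCPv6 snooping entry."""
    address: IPv6Address
    mac: str
    port: str
    vlan: int


@dataclass(frozen=True)
class ClientMessage:
    msg_type: str
    address: IPv6Address  # address the message renews, declines, or releases
    src_mac: str          # source MAC of the frame carrying the message
    in_port: str          # port on which the snooping device received it
    vlan: int


def check_request(msg, entries):
    """Return (verdict, reason); verdict is "forward" or "drop"."""
    if msg.msg_type not in CHECKED_TYPES:
        return "forward", "message type is not subject to the check"
    mac = norm_mac(msg.src_mac)
    # Assumption: an entry "matches a criterion" when it shares the leased
    # address or the client MAC with the message.
    candidates = [e for e in entries
                  if e.address == msg.address or norm_mac(e.mac) == mac]
    if not candidates:
        return "forward", "no matching entry"
    for e in candidates:
        if (e.address == msg.address and norm_mac(e.mac) == mac
                and e.port == msg.in_port and e.vlan == msg.vlan):
            return "forward", "consistent with entry"
    return "drop", "conflicts with entry"


# Constructed sample data: one recorded client and five received messages.
CLIENT = IPv6Address("2001:db8::10")
ENTRIES = [SnoopingEntry(CLIENT, "0001-0203-0405", "GigabitEthernet2/0/2", 1)]
SAMPLES = {
    "legit_renew": ClientMessage(
        "RENEW", CLIENT, "00:01:02:03:04:05", "GigabitEthernet2/0/2", 1),
    "forged_release": ClientMessage(
        "RELEASE", CLIENT, "00:aa:bb:cc:dd:ee", "GigabitEthernet2/0/3", 1),
    "same_mac_wrong_port": ClientMessage(
        "RENEW", CLIENT, "00:01:02:03:04:05", "GigabitEthernet2/0/3", 1),
    "unrecorded_release": ClientMessage(
        "RELEASE", IPv6Address("2001:db8::99"), "00:aa:bb:cc:dd:ee",
        "GigabitEthernet2/0/3", 1),
    "solicit": ClientMessage(
        "SOLICIT", CLIENT, "00:aa:bb:cc:dd:ee", "GigabitEthernet2/0/3", 1),
}


def run_samples():
    """Map each constructed sample name to the verdict it receives."""
    return {name: check_request(m, ENTRIES)[0] for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(f"{name:20s}", *check_request(message, ENTRIES))
```

The unrecorded_release case is forwarded because no entry exists for it, so the check covers only clients whose bindings were recorded with ipv6 dhcp snooping binding record.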

To enable DHCPv6-REQUEST check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable DHCPv6-REQUEST check.
   Command: ipv6 dhcp snooping check request-message
   Remarks: By default, DHCPv6-REQUEST check is disabled. You can enable the function only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

Displaying and maintaining DHCPv6 snooping

Execute display commands in any view, and reset commands in user view.

Task: Display information about trusted ports.
  Command: display ipv6 dhcp snooping trust
Task: Display DHCPv6 snooping entries.
  Command: display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]
Task: Display information about the file that stores DHCPv6 snooping entries.
  Command: display ipv6 dhcp snooping binding database
Task: Display DHCPv6 packet statistics for DHCPv6 snooping (centralized devices in standalone mode).
  Command: display ipv6 dhcp snooping packet statistics
Task: Display DHCPv6 packet statistics for DHCPv6 snooping (distributed devices in standalone mode/centralized devices in IRF mode).
  Command: display ipv6 dhcp snooping packet statistics [ slot slot-number ]
Task: Display DHCPv6 packet statistics for DHCPv6 snooping (distributed devices in IRF mode).
  Command: display ipv6 dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]
Task: Clear DHCPv6 snooping entries.
  Command: reset ipv6 dhcp snooping binding { all | address ipv6-address [ vlan vlan-id ] }
Task: Clear DHCPv6 packet statistics for DHCPv6 snooping (centralized devices in standalone mode).
  Command: reset ipv6 dhcp snooping packet statistics
Task: Clear DHCPv6 packet statistics for DHCPv6 snooping (distributed devices in standalone mode/centralized devices in IRF mode).
  Command: reset ipv6 dhcp snooping packet statistics [ slot slot-number ]
Task: Clear DHCPv6 packet statistics for DHCPv6 snooping (distributed devices in IRF mode).
  Command: reset ipv6 dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

DHCPv6 snooping configuration example

Network requirements

As shown in Figure 113, configure GigabitEthernet 2/0/1 connecting to the DHCPv6 server as a trusted port. Enable DHCPv6 snooping to record client information in DHCPv6 snooping entries.

Figure 113 Network diagram

Configuration procedure

# Enable DHCPv6 snooping.
<RouterB> system-view
[RouterB] ipv6 dhcp snooping enable

# Specify GigabitEthernet 2/0/1 as a trusted port.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ipv6 dhcp snooping trust
[RouterB-GigabitEthernet2/0/1] quit

# Enable recording of client information in DHCPv6 snooping entries.
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ipv6 dhcp snooping binding record
[RouterB-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that the DHCPv6 client obtains an IPv6 address and all other configuration parameters only from the authorized DHCPv6 server. (Details not shown.)

# Display DHCPv6 snooping entries on the DHCPv6 snooping device.
[RouterB] display ipv6 dhcp snooping binding

Configuring IPv6 fast forwarding

Overview

Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields:
• Source IPv6 address.
• Destination IPv6 address.
• Source port number.
• Destination port number.
• Protocol number.
• VPN instance name.

After a flow's first packet is forwarded through the routing table, fast forwarding creates an entry and uses the entry to forward subsequent packets of the flow.

Compatibility information

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A)

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Configuring the aging time for IPv6 fast forwarding entries

The IPv6 fast forwarding table uses an aging timer for each forwarding entry. If an entry is not updated before the timer expires, the device deletes the entry. If an entry has a hit within the aging time, the aging timer restarts.

To configure the aging time for IPv6 fast forwarding entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the aging time for IPv6 fast forwarding entries.
   Command: ipv6 fast-forwarding aging-time aging-time
   Remarks: By default, the aging time is 30 seconds.

Configuring IPv6 fast forwarding load sharing

IPv6 fast forwarding load sharing enables the device to load share packets of the same flow. This feature identifies a data flow by using the five-tuple (source IP, source port, destination IP, destination port, and protocol).

If IPv6 fast forwarding load sharing is disabled, the device identifies a data flow by the five-tuple and the input interface. No load sharing is implemented.

To configure IPv6 fast forwarding load sharing:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable IPv6 fast forwarding load sharing.
   Command: ipv6 fast-forwarding load-sharing
   Remarks: By default, IPv6 fast forwarding load sharing is enabled.

Displaying and maintaining IPv6 fast forwarding

Execute display commands in any view and reset commands in user view.

Task: Display IPv6 fast forwarding entries (centralized devices in standalone mode).
  Command: display ipv6 fast-forwarding cache [ ipv6-address ]
Task: Display IPv6 fast forwarding entries (distributed devices in standalone mode/centralized devices in IRF mode).
  Command: display ipv6 fast-forwarding cache [ ipv6-address ] [ slot slot-number ]
Task: Display IPv6 fast forwarding entries (distributed devices in IRF mode).
  Command: display ipv6 fast-forwarding cache [ ipv6-address ] [ chassis chassis-number slot slot-number ]
Task: Display the aging time of the IPv6 fast forwarding entries.
  Command: display ipv6 fast-forwarding aging-time
Task: Clear the IPv6 fast forwarding table (centralized devices in standalone mode).
  Command: reset ipv6 fast-forwarding cache
Task: Clear IPv6 fast forwarding table information (distributed devices in standalone mode/centralized devices in IRF mode).
  Command: reset ipv6 fast-forwarding cache [ slot slot-number ]
Task: Clear the IPv6 fast forwarding table (distributed devices in IRF mode).
  Command: reset ipv6 fast-forwarding cache [ chassis chassis-number slot slot-number ]

Configuring tunneling

Overview

Tunneling encapsulates the packets of a network protocol within the packets of a second network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source and de-encapsulated at the tunnel destination.

Tunneling supports the following technologies:
• Transition techniques, such as IPv6 over IPv4 tunneling, to interconnect IPv4 and IPv6 networks.
• VPN, such as IPv4 over IPv4 tunneling, IPv4/IPv6 over IPv6 tunneling, GRE, ADVPN, and IPsec tunneling.
• Traffic engineering, such as MPLS TE, to prevent network congestion.

Unless otherwise specified, the term "tunnel" in this document refers to IPv6 over IPv4, IPv4 over IPv4, IPv4 over IPv6, and IPv6 over IPv6 tunnels.

IPv6 over IPv4 tunneling

Implementation

IPv6 over IPv4 tunneling enables isolated IPv6 networks to communicate, as shown in Figure 114.

NOTE: The devices at both ends of an IPv6 over IPv4 tunnel must support the IPv4/IPv6 dual stack.

Figure 114 IPv6 over IPv4 tunnel

The IPv6 over IPv4 tunnel processes packets by using the following steps:
1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.
2. After Device A receives the IPv6 packet, it processes the packet as follows:
   a. Searches the routing table to identify the outgoing interface for the IPv6 packet. The outgoing interface is the tunnel interface, so Device A knows that the packet needs to be forwarded through the tunnel.
   b. Adds an IPv4 header to the IPv6 packet and forwards the packet through the physical interface of the tunnel. In the IPv4 header, the source IPv4 address is the IPv4 address of the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination.
3. Upon receiving the packet, Device B de-encapsulates the packet.
4. If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol. If it is not, Device B forwards it according to the routing table.

Tunnel modes

IPv6 over IPv4 tunnels include manually configured tunnels and automatic tunnels, depending on how the IPv4 address of the tunnel destination is obtained.
• Manually configured tunnel—The destination IPv4 address of the tunnel cannot be automatically obtained from the destination IPv6 address of an IPv6 packet at the tunnel source. It must be manually configured.
• Automatic tunnel—The destination IPv4 address of the tunnel can be automatically obtained from the destination IPv6 address (with an IPv4 address embedded) of an IPv6 packet at the tunnel source.

The source IPv4 addresses for all IPv6 over IPv4 tunnels are manually configured.

According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are divided into the modes shown in the following table:

Table 11 IPv6 over IPv4 tunnel modes and key parameters

Tunnel type: Manually configured tunnel
• Tunnel mode: IPv6 over IPv4 manual tunneling
  Destination IPv6 address format: Ordinary IPv6 address.

Tunnel type: Automatic tunnel
• Tunnel mode: Automatic IPv4-compatible IPv6 tunneling
  Destination IPv6 address format: IPv4-compatible IPv6 address. The address format is 0:0:0:0:0:0:a.b.c.d/96, where a.b.c.d is the IPv4 address of the tunnel destination.
  NOTE: The tunnel source also uses an IPv4-compatible IPv6 address.
• Tunnel mode: 6to4 tunneling
  Destination IPv6 address format: 6to4 address. The address format is 2002:abcd:efgh:subnet number::interface ID/48.
    • 2002 is the fixed IPv6 address prefix.
    • abcd:efgh represents a 32-bit globally unique IPv4 address in hexadecimal notation. For example, 1.1.1.1 can be represented by 0101:0101. The IPv4 address identifies a 6to4 network (an IPv6 network where all hosts use 6to4 addresses). The border router of a 6to4 network must have the IPv4 address abcd:efgh configured on the interface connected to the IPv4 network.
    • The subnet number identifies a subnet in the 6to4 network.
    • The subnet number::interface ID uniquely identifies a host in the 6to4 network.
  NOTE: The destination IPv4 address of a 6to4 tunnel is embedded in the destination 6to4 address. This mechanism enables the device to automatically obtain the tunnel destination address.
• Tunnel mode: ISATAP tunneling
  Destination IPv6 address format: ISATAP address. The address format is prefix:0:5EFE:abcd:efgh/64.
    • The 64-bit prefix is a valid IPv6 unicast address prefix.
    • The abcd:efgh/64 segments represent a 32-bit IPv4 address, which identifies the tunnel destination but does not require global uniqueness.
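
The address formats in Table 11 determine how an automatic tunnel recovers its destination IPv4 address. The following Python sketch is an added example (not HPE code) that covers all three automatic modes and rejects a non-global embedded address for the two modes the table says need a globally unique IPv4 address. The function names and every sample address other than 1.1.1.1 are assumptions made for illustration.

```python
"""Recover the tunnel destination IPv4 address from the Table 11 address
formats (added example, not HPE code)."""
from ipaddress import IPv4Address, IPv6Address

# Modes whose embedded IPv4 address the guide requires to be globally unique.
REQUIRES_GLOBAL_IPV4 = {"ipv4-compatible", "6to4"}


def embedded_ipv4(dst: str, mode: str):
    """Return the IPv4 address embedded in dst for the given tunnel mode,
    or None when dst does not have that mode's address format."""
    addr = IPv6Address(dst)
    raw = addr.packed  # 16 bytes in network order
    if mode == "ipv4-compatible":  # 0:0:0:0:0:0:a.b.c.d
        # :: and ::1 also begin with 96 zero bits but carry no IPv4 address.
        if raw[:12] != bytes(12) or addr.is_unspecified or addr.is_loopback:
            return None
        return IPv4Address(raw[12:])
    if mode == "6to4":  # 2002:abcd:efgh:subnet number::interface ID
        if raw[:2] != b"\x20\x02":
            return None
        return IPv4Address(raw[2:6])
    if mode == "isatap":  # prefix:0:5EFE:abcd:efgh
        if raw[8:12] != b"\x00\x00\x5e\xfe":
            return None
        return IPv4Address(raw[12:])
    raise ValueError(f"unknown tunnel mode: {mode}")


def tunnel_destination(dst: str, mode: str):
    """Return the tunnel destination IPv4 address, or None when dst is not a
    usable destination for the mode. Returning None for a non-global embedded
    address is this example's way of applying the table's uniqueness rule."""
    v4 = embedded_ipv4(dst, mode)
    if v4 is None:
        return None
    if mode in REQUIRES_GLOBAL_IPV4 and not v4.is_global:
        return None
    return v4


def to_6to4_prefix(ipv4: str) -> str:
    """Build the 2002:abcd:efgh::/48 prefix of the 6to4 network that the
    given IPv4 address identifies."""
    b = IPv4Address(ipv4).packed
    return f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48"


# Constructed sample destinations (1.1.1.1 is the guide's own example).
SAMPLES = [
    ("::1.1.1.1", "ipv4-compatible"),
    ("2002:0101:0101:1::1", "6to4"),
    ("2002:0a01:0101::1", "6to4"),             # embeds private 10.1.1.1
    ("2001:db8:1:2:0:5efe:a01:101", "isatap"),  # private IPv4 is acceptable
    ("2001:db8::1", "6to4"),                    # not a 6to4 address
]

if __name__ == "__main__":
    print(to_6to4_prefix("1.1.1.1"))
    for dst, mode in SAMPLES:
        print(f"{mode:16s} {dst:30s} -> {tunnel_destination(dst, mode)}")
```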

• IPv6 over IPv4 manual tunneling—A point-to-point link. This type of tunneling provides the following solutions:
  • Connects isolated IPv6 networks over an IPv4 network.
  • Connects an IPv6 network and an IPv4/IPv6 dual-stack host over an IPv4 network.

• Automatic IPv4-compatible IPv6 tunneling—A point-to-multipoint link. Automatic IPv4-compatible IPv6 tunnels have limitations because IPv4-compatible IPv6 addresses must use globally unique IPv4 addresses.

• 6to4 tunneling
  • Ordinary 6to4 tunneling—A point-to-multipoint automatic tunnel. It is used to connect multiple isolated IPv6 networks over an IPv4 network. 6to4 tunneling uses an IPv4 address to identify a 6to4 network. This method overcomes the limitations of automatic IPv4-compatible IPv6 tunneling.
  • 6to4 relay—Connects a 6to4 network and an IPv6 network that uses an IP prefix other than 2002::/16. A 6to4 relay router is a gateway that forwards packets from a 6to4 network to an IPv6 network. As shown in Figure 115, 6to4 network Site 1 communicates with IPv6 network Site 3 over a 6to4 tunnel. Configure a static route on the border router (Device A) in the 6to4 network. The next hop address must be the 6to4 address of the 6to4 relay router (Device C). Device A forwards all packets destined for the IPv6 network over the 6to4 tunnel, and Device C then forwards them to the IPv6 network.

Figure 115 Principle of 6to4 tunneling and 6to4 relay

• ISATAP tunneling—A point-to-multipoint automatic tunnel. It provides a solution to connect an IPv6 host and an IPv6 network over an IPv4 network. ISATAP tunnels are mainly used for communication between IPv6 routers or between an IPv6 host and an IPv6 router over an IPv4 network.

Figure 116 Principle of ISATAP tunneling

IPv4 over IPv4 tunneling

IPv4 over IPv4 tunneling (RFC 1853) enables isolated IPv4 networks to communicate. For example, an IPv4 over IPv4 tunnel can connect isolated private IPv4 networks over a public IPv4 network.

Figure 117 IPv4 over IPv4 tunnel

Figure 117 shows the encapsulation and de-encapsulation processes.
• Encapsulation:
  a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack.
  b. The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface.
  c. The tunnel interface adds a new IPv4 header to the IPv4 packet and submits it to the IP protocol stack. In the new header, the source IP address specifies the tunnel source, and the destination IP address specifies the tunnel destination.
  d. The IP protocol stack uses the destination IP address of the new IP header to look up the routing table, and then sends the packet out.
• De-encapsulation:
  a. After receiving the packet, Device B delivers it to the IP protocol stack.
  b. If the protocol number is 4 (indicating an IPv4 packet is encapsulated within the packet), the IP protocol stack delivers the packet to the tunnel module for de-encapsulation.
  c. The tunnel module de-encapsulates the IP packet and sends it back to the IP protocol stack.
  d. The protocol stack forwards the de-encapsulated packet.

IPv4 over IPv6 tunneling

Implementation

IPv4 over IPv6 tunneling adds an IPv6 header to IPv4 packets so that the IPv4 packets can pass an IPv6 network through a tunnel to realize interworking between isolated IPv4 networks.


Figure 118 IPv4 over IPv6 tunnel

Figure 118 shows the encapsulation and de-encapsulation processes.

• Encapsulation:
   a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack.
   b. The IPv4 protocol stack uses the destination address of the packet to determine the egress interface. If the egress interface is the tunnel interface, the IPv4 protocol stack delivers the packet to the tunnel interface.
   c. The tunnel interface adds an IPv6 header to the original IPv4 packet and delivers the packet to the IPv6 protocol stack.
   d. The IPv6 protocol stack uses the destination IPv6 address of the packet to look up the routing table, and then sends it out.
• De-encapsulation:
   a. Upon receiving the IPv6 packet from the attached IPv6 network, Device B delivers the packet to the IPv6 protocol stack to examine the protocol type encapsulated in the data portion of the packet.
   b. If the protocol type is IPv4, the IPv6 protocol stack delivers the packet to the tunneling module.
   c. The tunneling module removes the IPv6 header and delivers the remaining IPv4 packet to the IPv4 protocol stack.
   d. The IPv4 protocol stack forwards the IPv4 packet.

Tunnel modes

• IPv4 over IPv6 manual tunnel
   A point-to-point link and its source and destination IPv6 addresses are manually configured. You can establish an IPv4 over IPv6 manual tunnel to connect isolated IPv4 networks over an IPv6 network.
• DS-Lite tunnel
   Dual Stack Lite (DS-Lite) is a combination of the tunneling and NAT technologies. NAT translates the private IPv4 addresses of the IPv4 hosts before the hosts reach the IPv4 public network. DS-Lite tunnel supports only an IPv4 host in a private network initiating communication with an IPv4 host on the Internet. It does not support an IPv4 host on the Internet initiating communication with an IPv4 host in a private network.


Figure 119 DS-Lite tunnel

As shown in Figure 119, the DS-Lite feature contains the following components:

Basic Bridging BroadBand (B4) element
   The B4 element is typically a CPE router that connects end hosts. IPv4 packets entering the B4 router are encapsulated into IPv6 packets and sent to the AFTR. IPv6 packets from the AFTR are de-encapsulated into IPv4 packets and sent to the subscriber's network. Hosts that can act as the B4 router are referred to as DS-Lite hosts.

Address Family Transition Router (AFTR)
   An AFTR resides in the ISP network and terminates the tunnel from the B4 router. NAT is also implemented on the interface that connects the public IPv4 network. An AFTR de-encapsulates the tunneled packet, translates the network address, and routes the packet to the destination IPv4 network. For IPv4 packets coming from the public IPv4 network, the AFTR performs reverse address translation and sends them to the B4 router by using the DS-Lite tunnel.


Figure 120 Packet forwarding process in DS-Lite

As shown in Figure 120, the packet forwarding process in DS-Lite is as follows:
   a. Upon receiving a packet from the private IPv4 network, the B4 router adds an IPv6 header to the packet and sends the IPv6 packet to the AFTR through the tunnel.
   b. The AFTR performs the following operations:
      − Removes the IPv6 header from the tunneled packet.
      − Assigns a tunnel ID for the B4 router.
      − Records the mapping between the IPv6 address of the B4 router (the source IPv6 address of the packet), and the tunnel ID.
   c. After de-encapsulation, the AFTR translates the source private IPv4 address of the packet into a public IPv4 address and sends the packet to the destination IPv4 host. The AFTR also maps the NAT entries to the tunnel ID so that IPv4 networks connected to different B4 routers can use the same address space.
   d. Upon receiving the response packet from the public network, the AFTR translates the destination public IPv4 address into the private IPv4 address. The AFTR performs the following operations:
      − Looks up the IPv6 address-tunnel ID mapping to obtain the IP address of the B4 router.
      − Uses the address as the destination address of the encapsulated IPv6 packet.
      − Forwards the packet to the B4 router.

Figure 120 shows an example of PAT translation for dynamic NAT. Typically, dynamic NAT is used. When you use static NAT for DS-Lite tunneling, make sure the IP addresses of private IPv4 networks connected to different B4 routers do not overlap. For more information about NAT, see "Configuring NAT."

[Figure 120 labels]
Topology: IPv4 hosts 10.0.0.1/24 and 10.0.0.2/24 in the private IPv4 network; B4 (1::1/64); DS-Lite tunnel across the IPv6 network; AFTR (2::1/64 and 20.1.1.1/24); IPv4 host 30.1.1.1/24 in the IPv4 network.
Outbound: the host sends IPv4 src 10.0.0.1, dst 30.1.1.1, TCP src 10000, dst 80. The B4 adds an IPv6 header (IPv6 src 1::1, dst 2::1). The AFTR removes the IPv6 header and performs NAT (IPv4 src 20.1.1.1, dst 30.1.1.1, TCP src 5000, dst 80).
Return: the reply arrives as IPv4 src 30.1.1.1, dst 20.1.1.1, TCP src 80, dst 5000. The AFTR performs NAT and adds an IPv6 header (IPv6 src 2::1, dst 1::1, IPv4 src 30.1.1.1, dst 10.0.0.1, TCP src 80, dst 10000). The B4 removes the IPv6 header.
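The AFTR state described in steps b through d, as an added Python model (not HPE code) that uses the addresses and ports from Figure 120. The second B4 at 3::1, the sequential port allocation starting at 5000, and all class and function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Aftr:
    public_ip: str                  # NAT address on the interface facing the IPv4 network
    aftr_ipv6: str                  # tunnel endpoint address of the AFTR
    first_port: int = 5000          # assumption: PAT ports are handed out sequentially
    tunnel_ids: dict = field(default_factory=dict)    # B4 IPv6 address -> tunnel ID
    b4_by_tunnel: dict = field(default_factory=dict)  # tunnel ID -> B4 IPv6 address
    nat_out: dict = field(default_factory=dict)       # (tunnel ID, private IP, port) -> public port
    nat_in: dict = field(default_factory=dict)        # public port -> (tunnel ID, private IP, port)

    def _tunnel_id(self, b4_ipv6):
        key = str(ipaddress.IPv6Address(b4_ipv6))
        if key not in self.tunnel_ids:
            tid = len(self.tunnel_ids) + 1
            self.tunnel_ids[key] = tid
            self.b4_by_tunnel[tid] = key
        return self.tunnel_ids[key]

    def outbound(self, outer_src, outer_dst, inner: Flow) -> Flow:
        """Steps b and c: strip the IPv6 header, bind the B4 to a tunnel ID, apply PAT."""
        if ipaddress.IPv6Address(outer_dst) != ipaddress.IPv6Address(self.aftr_ipv6):
            raise ValueError("packet is not addressed to this AFTR")
        tid = self._tunnel_id(outer_src)
        key = (tid, inner.src_ip, inner.src_port)   # tunnel ID is part of the NAT key
        if key not in self.nat_out:
            port = self.first_port + len(self.nat_out)
            self.nat_out[key] = port
            self.nat_in[port] = key
        return Flow(self.public_ip, self.nat_out[key], inner.dst_ip, inner.dst_port)

    def inbound(self, reply: Flow):
        """Step d: reverse NAT, then choose the B4 from the tunnel ID. None means drop."""
        if reply.dst_ip != self.public_ip or reply.dst_port not in self.nat_in:
            return None   # nothing on the private side opened this session
        tid, private_ip, private_port = self.nat_in[reply.dst_port]
        inner = Flow(reply.src_ip, reply.src_port, private_ip, private_port)
        return self.b4_by_tunnel[tid], inner


def demo():
    aftr = Aftr(public_ip="20.1.1.1", aftr_ipv6="2::1")
    host = Flow("10.0.0.1", 10000, "30.1.1.1", 80)
    via_b4_a = aftr.outbound("1::1", "2::1", host)   # B4 from Figure 120
    via_b4_b = aftr.outbound("3::1", "2::1", host)   # constructed second B4, same private address
    back_a = aftr.inbound(Flow("30.1.1.1", 80, "20.1.1.1", via_b4_a.src_port))
    back_b = aftr.inbound(Flow("30.1.1.1", 80, "20.1.1.1", via_b4_b.src_port))
    unsolicited = aftr.inbound(Flow("30.1.1.1", 80, "20.1.1.1", 6000))
    return via_b4_a, via_b4_b, back_a, back_b, unsolicited


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the tunnel ID is part of the NAT key, the two B4 routers can both use 10.0.0.1 without colliding, and a packet from the IPv4 network that matches no entry is dropped, which is why only the private side can initiate communication.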


IPv6 over IPv6 tunneling

IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other.

Figure 121 Principle of IPv6 over IPv6 tunneling

Figure 121 shows the encapsulation and de-encapsulation processes.

• Encapsulation:
   a. After receiving an IPv6 packet, Device A submits it to the IPv6 protocol stack.
   b. The IPv6 protocol stack uses the destination IPv6 address of the packet to find the egress interface. If the egress interface is the tunnel interface, the stack delivers it to the tunnel interface.
   c. After receiving the packet, the tunnel interface adds an IPv6 header to it and submits it to the IPv6 protocol stack.
   d. The IPv6 protocol stack forwards the packet according to its destination IPv6 address.
• De-encapsulation:
   a. Upon receiving the IPv6 packet, Device B delivers it to the IPv6 protocol stack.
   b. The IPv6 protocol stack checks the protocol type of the data portion encapsulated in the IPv6 packet. If the encapsulation protocol is IPv6, the stack delivers the packet to the tunnel module.
   c. The tunnel module de-encapsulates the packet and sends it back to the IPv6 protocol stack.
   d. The IPv6 protocol stack forwards the IPv6 packet.

Protocols and standards

• RFC 1853, IP in IP Tunneling
• RFC 2473, Generic Packet Tunneling in IPv6 Specification
• RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
• RFC 3056, Connection of IPv6 Domains via IPv4 Clouds
• RFC 4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
• RFC 6333, Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion


Compatibility information

Feature and hardware compatibility

Hardware                                 Tunneling compatibility
MSR954(JH296A/JH297A/JH298A/JH299A)      No
MSR1002-4/1003-8S                        Yes
MSR2003                                  Yes
MSR2004-24/2004-48                       Yes
MSR3012/3024/3044/3064                   Yes
MSR4060/4080                             Yes

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Tunneling configuration task list

Tasks at a glance

(Required.) Configuring a tunnel interface

Perform one of the following tasks:
• Configuring an IPv6 over IPv4 tunnel:
   − Configuring an IPv6 over IPv4 manual tunnel
   − Configuring an automatic IPv4-compatible IPv6 tunnel
   − Configuring a 6to4 tunnel
   − Configuring an ISATAP tunnel
• Configuring an IPv4 over IPv4 tunnel
• Configuring an IPv4 over IPv6 tunnel:
   − Configuring an IPv4 over IPv6 manual tunnel
   − Configuring a DS-Lite tunnel
• Configuring an IPv6 over IPv6 tunnel

Configuring a tunnel interface

Configure a Layer 3 virtual tunnel interface on each device on a tunnel so that devices at both ends can send, identify, and process packets from the tunnel.


When an active/standby switchover occurs or the standby card is removed on a distributed device, the tunnel interfaces configured on the active or standby card still exist. To delete a tunnel interface, use the undo interface tunnel command.

To configure a tunnel interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a tunnel interface, specify the tunnel mode, and enter tunnel interface view.
   Command: interface tunnel number mode { advpn { gre | udp } [ ipv6 ] | ds-lite-aftr | evi | gre [ ipv6 ] | ipv4-ipv4 | ipv6 | ipv6-ipv4 [ 6to4 | auto-tunnel | isatap ] | mpls-te | nve }
   Remarks: By default, no tunnel interface is created. When you create a new tunnel interface, you must specify the tunnel mode. When you enter the view of an existing tunnel interface, you do not need to specify the tunnel mode. For packet tunneling to succeed, the two ends of a tunnel must use the same tunnel mode.

3. (Optional.) Configure a description for the interface.
   Command: description text
   Remarks: By default, the description for a tunnel interface is Tunnel number Interface.

4. (Optional.) Specify a primary traffic processing unit for the tunnel interface (distributed devices in standalone mode/centralized devices in IRF mode).
   Command: service slot slot-number
   Remarks: By default, no primary traffic processing unit is specified.

5. (Optional.) Specify a primary traffic processing unit for the tunnel interface (distributed devices in IRF mode).
   Command: service chassis chassis-number slot slot-number
   Remarks: By default, no primary traffic processing unit is specified.

6. (Optional.) Specify a backup traffic processing unit for the tunnel interface (distributed devices in standalone mode/centralized devices in IRF mode).
   Command: service standby slot slot-number
   Remarks: By default, no backup traffic processing unit is specified.

7. (Optional.) Specify a backup traffic processing unit for the tunnel interface (distributed devices in IRF mode).
   Command: service standby chassis chassis-number slot slot-number
   Remarks: By default, no backup traffic processing unit is specified.

8. Set the MTU of the tunnel interface.
   Command: mtu size
   Remarks: By default, the MTU is 64000 bytes.

9. Set the expected bandwidth for the tunnel interface.
   Command: bandwidth bandwidth-value
   Remarks: The default expected bandwidth (in kbps) is the interface maximum rate divided by 1000. The expected bandwidth for the tunnel interface affects the link cost value. For more information, see Layer 3—IP Routing Configuration Guide.

10. Set the ToS for tunneled packets.
   Command: tunnel tos tos-value
   Remarks: The default setting is the same as the ToS of the original packet.

11. Set the TTL for tunneled packets.
   Command: tunnel ttl ttl-value
   Remarks: The default TTL for tunneled packets is 255.

12. Specify the VPN instance to which the tunnel destination belongs.
   Command: tunnel vpn-instance vpn-instance-name
   Remarks: By default, the tunnel destination belongs to the public network. For a tunnel interface to come up, the tunnel source and destination must belong to the same VPN. To specify a VPN instance for the tunnel source, use the ip binding vpn-instance command on the tunnel source interface.

13. (Optional.) Restore the default settings of the tunnel interface.
   Command: default
   Remarks: N/A

14. (Optional.) Shut down the tunnel interface.
   Command: shutdown
   Remarks: By default, the tunnel interface is up.

Configuring an IPv6 over IPv4 manual tunnel

Follow these guidelines when you configure an IPv6 over IPv4 manual tunnel:
• The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.
• Do not specify the same tunnel source and destination addresses for the tunnel interfaces in the same mode on a device.
• To ensure correct packet forwarding, identify whether the destination IPv6 network and the IPv6 address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination IPv6 network through the tunnel interface. You can configure the route by using one of the following methods:
   − Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop.
   − Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose.
   For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

To configure an IPv6 over IPv4 manual tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter IPv6 over IPv4 manual tunnel interface view.
   Command: interface tunnel number [ mode ipv6-ipv4 ]
   Remarks: N/A

3. Specify an IPv6 address for the tunnel interface.
   Command: See "Configuring basic IPv6 settings."
   Remarks: By default, no IPv6 address is configured for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified source interface is used as the source IP address of tunneled packets.

5. Configure a destination address for the tunnel interface.
   Command: destination ip-address
   Remarks: By default, no destination address is configured for the tunnel interface. The tunnel destination address must be the IP address of the receiving interface on the tunnel peer. It is used as the destination IP address of tunneled packets.

6. (Optional.) Set the DF bit for tunneled packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for tunneled packets.

7. Return to system view.
   Command: quit
   Remarks: N/A

8. (Optional.) Enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.
   Command: tunnel discard ipv4-compatible-packet
   Remarks: By default, IPv6 packets that use IPv4-compatible IPv6 addresses are not dropped.

Configuration example

Network requirements

As shown in Figure 122, configure an IPv6 over IPv4 tunnel between Router A and Router B so the two IPv6 networks can reach each other over the IPv4 network. Because the tunnel destination IPv4 address cannot be automatically obtained from the destination IPv6 addresses, configure an IPv6 over IPv4 manual tunnel.

Figure 122 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv4.

• Configure Router A:

# Specify an IPv4 address for GigabitEthernet 2/0/2.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ip address 192.168.100.1 255.255.255.0
[RouterA-GigabitEthernet2/0/2] quit

# Specify an IPv6 address for GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address 3002::1 64
[RouterA-GigabitEthernet2/0/1] quit

# Create the IPv6 over IPv4 manual tunnel interface Tunnel 0.
[RouterA] interface tunnel 0 mode ipv6-ipv4

# Specify an IPv6 address for the tunnel interface.
[RouterA-Tunnel0] ipv6 address 3001::1/64

# Specify GigabitEthernet 2/0/2 as the source interface of the tunnel interface.
[RouterA-Tunnel0] source gigabitethernet 2/0/2

# Specify the destination address for the tunnel interface as the IP address of GigabitEthernet 2/0/2 on Router B.
[RouterA-Tunnel0] destination 192.168.50.1
[RouterA-Tunnel0] quit

# Configure a static route destined for IPv6 network 2 through Tunnel 0.
[RouterA] ipv6 route-static 3003:: 64 tunnel 0

• Configure Router B:

# Specify an IPv4 address for GigabitEthernet 2/0/2.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet2/0/2] quit

# Specify an IPv6 address for GigabitEthernet 2/0/1.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ipv6 address 3003::1 64
[RouterB-GigabitEthernet2/0/1] quit

# Create the IPv6 over IPv4 manual tunnel interface Tunnel 0.
[RouterB] interface tunnel 0 mode ipv6-ipv4

# Specify an IPv6 address for the tunnel interface.
[RouterB-Tunnel0] ipv6 address 3001::2/64

# Specify GigabitEthernet 2/0/2 as the source interface of the tunnel interface.
[RouterB-Tunnel0] source gigabitethernet 2/0/2

# Specify the destination address for the tunnel interface as the IP address of GigabitEthernet 2/0/2 on Router A.
[RouterB-Tunnel0] destination 192.168.100.1
[RouterB-Tunnel0] quit

# Configure a static route destined for IPv6 network 1 through Tunnel 0.
[RouterB] ipv6 route-static 3002:: 64 tunnel 0

Verifying the configuration

# Use the display ipv6 interface command to display tunnel interface status on Router A and Router B. Verify that the interface tunnel 0 is up. (Details not shown.)

# Verify that Router B and Router A can ping the IPv6 address of GigabitEthernet 2/0/1 of each other. The following shows the output on Router A.
[RouterA] ping ipv6 3003::1
Ping6(56 data bytes) 3001::1 --> 3003::1, press CTRL_C to break
56 bytes from 3003::1, icmp_seq=0 hlim=64 time=45.000 ms
56 bytes from 3003::1, icmp_seq=1 hlim=64 time=10.000 ms
56 bytes from 3003::1, icmp_seq=2 hlim=64 time=4.000 ms
56 bytes from 3003::1, icmp_seq=3 hlim=64 time=10.000 ms
56 bytes from 3003::1, icmp_seq=4 hlim=64 time=11.000 ms

--- Ping6 statistics for 3003::1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.000/16.000/45.000/14.711 ms
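A pre-deployment check for the manual tunnel guidelines above (both ends use the same tunnel mode, and the destination on each device equals the tunnel source on its peer), as an added Python example that is not HPE code. It reads CLI transcripts in the format used in this section; the transcripts embedded below are constructed from the example, one of them with a deliberately wrong destination, and the function names are assumptions.

```python
import re

PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")   # <RouterA> or [RouterA-Tunnel0]


def parse(transcript):
    """Return ({interface: IPv4 address}, {tunnel number: settings}) from CLI lines."""
    addrs, tunnels, view = {}, {}, None
    for raw in transcript.splitlines():
        words = PROMPT.sub("", raw).strip().lower().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "interface" and len(words) >= 3:
            if words[1] == "tunnel":
                view = ("tunnel", words[2])
                settings = tunnels.setdefault(words[2], {})
                if "mode" in words:
                    settings["mode"] = " ".join(words[words.index("mode") + 1:])
            else:
                view = ("port", "".join(words[1:]))
        elif words[0] == "quit":
            view = None
        elif view and view[0] == "port" and words[:2] == ["ip", "address"] and len(words) >= 3:
            addrs[view[1]] = words[2]
        elif view and view[0] == "tunnel" and words[0] in ("source", "destination"):
            tunnels[view[1]][words[0]] = "".join(words[1:])
    return addrs, tunnels


def endpoints(transcript, tunnel="0"):
    addrs, tunnels = parse(transcript)
    settings = tunnels.get(tunnel, {})
    source = settings.get("source")
    return {
        "mode": settings.get("mode"),
        "source": addrs.get(source, source),   # a source interface resolves to its address
        "destination": settings.get("destination"),
    }


def audit_pair(config_a, config_b, tunnel="0"):
    """Return a list of findings; an empty list means the two ends agree."""
    a, b = endpoints(config_a, tunnel), endpoints(config_b, tunnel)
    findings = []
    if a["mode"] != b["mode"]:
        findings.append(f"tunnel mode differs: A={a['mode']} B={b['mode']}")
    for name, local, peer_name, peer in (("A", a, "B", b), ("B", b, "A", a)):
        if local["source"] is None or local["destination"] is None:
            findings.append(f"{name}: tunnel source or destination is not configured")
        elif local["destination"] != peer["source"]:
            findings.append(f"{name}: destination {local['destination']} != "
                            f"{peer_name} tunnel source {peer['source']}")
    return findings


# Constructed transcripts, shortened from the configuration example above.
ROUTER_A = """\
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ip address 192.168.100.1 255.255.255.0
[RouterA-GigabitEthernet2/0/2] quit
[RouterA] interface tunnel 0 mode ipv6-ipv4
[RouterA-Tunnel0] source gigabitethernet 2/0/2
[RouterA-Tunnel0] destination 192.168.50.1
[RouterA-Tunnel0] quit
"""
ROUTER_B_OK = """\
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet2/0/2] quit
[RouterB] interface tunnel 0 mode ipv6-ipv4
[RouterB-Tunnel0] source gigabitethernet 2/0/2
[RouterB-Tunnel0] destination 192.168.100.1
[RouterB-Tunnel0] quit
"""
# Constructed fault: Router B points the tunnel at its own address.
ROUTER_B_BAD = ROUTER_B_OK.replace("destination 192.168.100.1", "destination 192.168.50.1")

if __name__ == "__main__":
    print(audit_pair(ROUTER_A, ROUTER_B_OK))
    print(audit_pair(ROUTER_A, ROUTER_B_BAD))
```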


Configuring an automatic IPv4-compatible IPv6 tunnel

Follow these guidelines when you configure an automatic IPv4-compatible IPv6 tunnel:
• You do not need to configure a destination address for an automatic IPv4-compatible IPv6 tunnel. The destination address of the tunnel is embedded in the destination IPv4-compatible IPv6 address.
• Do not specify the same source addresses for local tunnel interfaces in the same tunnel mode.

To configure an automatic IPv4-compatible IPv6 tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter automatic IPv4-compatible IPv6 tunnel interface view.
   Command: interface tunnel number [ mode ipv6-ipv4 auto-tunnel ]
   Remarks: N/A

3. Specify an IPv6 address for the tunnel interface.
   Command: See "Configuring basic IPv6 settings."
   Remarks: By default, no IPv6 address is configured for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified source interface is used as the source IP address of tunneled packets.

5. (Optional.) Set the DF bit for tunneled packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for tunneled packets.

6. Return to system view.
   Command: quit
   Remarks: N/A

Configuration example

Network requirements

As shown in Figure 123, dual-stack routers Router A and Router B communicate over an IPv4 network. Configure an automatic IPv4-compatible IPv6 tunnel between the two routers to enable IPv6 communications over the IPv4 network.

Figure 123 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv4.

• Configure Router A:

# Specify an IPv4 address for GigabitEthernet 2/0/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 192.168.100.1 255.255.255.0
[RouterA-GigabitEthernet2/0/1] quit

# Create an automatic IPv4-compatible IPv6 tunnel.
[RouterA] interface tunnel 0 mode ipv6-ipv4 auto-tunnel

# Specify an IPv4-compatible IPv6 address for the tunnel interface.
[RouterA-Tunnel0] ipv6 address ::192.168.100.1/96

# Specify GigabitEthernet 2/0/1 as the source interface of the tunnel interface.
[RouterA-Tunnel0] source gigabitethernet 2/0/1

• Configure Router B:

# Specify an IPv4 address for GigabitEthernet 2/0/1.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet2/0/1] quit

# Create an automatic IPv4-compatible IPv6 tunnel.
[RouterB] interface tunnel 0 mode ipv6-ipv4 auto-tunnel

# Specify an IPv4-compatible IPv6 address for the tunnel interface.
[RouterB-Tunnel0] ipv6 address ::192.168.50.1/96

# Specify GigabitEthernet 2/0/1 as the source interface of the tunnel interface.
[RouterB-Tunnel0] source gigabitethernet 2/0/1

Verifying the configuration

# Use the display ipv6 interface command to display tunnel interface status on Router A and Router B. Verify that the interface tunnel 0 is up. (Details not shown.)

# Verify that Router B and Router A can ping the IPv4-compatible IPv6 address of each other. The following shows the output on Router A.
[RouterA-Tunnel0] ping ipv6 ::192.168.50.1
Ping6(56 data bytes) ::192.168.100.1 --> ::192.168.50.1, press CTRL_C to break
56 bytes from ::192.168.50.1, icmp_seq=0 hlim=64 time=17.000 ms
56 bytes from ::192.168.50.1, icmp_seq=1 hlim=64 time=9.000 ms
56 bytes from ::192.168.50.1, icmp_seq=2 hlim=64 time=11.000 ms
56 bytes from ::192.168.50.1, icmp_seq=3 hlim=64 time=9.000 ms
56 bytes from ::192.168.50.1, icmp_seq=4 hlim=64 time=11.000 ms

--- Ping6 statistics for ::192.168.50.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 9.000/11.400/17.000/2.939 ms

Configuring a 6to4 tunnel

Follow these guidelines when you configure a 6to4 tunnel:
• You do not need to configure a destination address for a 6to4 tunnel, because the destination IPv4 address is embedded in the 6to4 IPv6 address.
• Do not specify the same source addresses for local tunnel interfaces in the same tunnel mode.
• Automatic tunnels do not support dynamic routing. You must configure a static route destined for the destination IPv6 network if the destination IPv6 network is not in the same subnet as the IPv6 address of the tunnel interface. You can specify the local tunnel interface as the egress interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop of the route. For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

To configure a 6to4 tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter 6to4 tunnel interface view.
   Command: interface tunnel number [ mode ipv6-ipv4 6to4 ]
   Remarks: N/A

3. Specify an IPv6 address for the tunnel interface.
   Command: See "Configuring basic IPv6 settings."
   Remarks: By default, no IPv6 address is configured for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified source interface is used as the source IP address of tunneled packets.

5. (Optional.) Set the DF bit for tunneled packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for tunneled packets.

6. Return to system view.
   Command: quit
   Remarks: N/A

7. (Optional.) Enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.
   Command: tunnel discard ipv4-compatible-packet
   Remarks: By default, IPv6 packets that use IPv4-compatible IPv6 addresses are not dropped.

6to4 tunnel configuration example

Network requirements

As shown in Figure 124, configure a 6to4 tunnel between 6to4 routers Router A and Router B so Host A and Host B can reach each other over the IPv4 network.

Figure 124 Network diagram


Requirements analysis

To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 routers and hosts in the 6to4 networks.
• The IPv4 address of GigabitEthernet 2/0/2 on Router A is 2.1.1.1/24, and the corresponding 6to4 prefix is 2002:0201:0101::/48. Host A must use this prefix.
• The IPv4 address of GigabitEthernet 2/0/2 on Router B is 5.1.1.1/24, and the corresponding 6to4 prefix is 2002:0501:0101::/48. Host B must use this prefix.

Configuration procedure

Make sure Router A and Router B can reach each other through IPv4.

• Configure Router A:

# Specify an IPv4 address for GigabitEthernet 2/0/2.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ip address 2.1.1.1 24
[RouterA-GigabitEthernet2/0/2] quit

# Specify a 6to4 address for GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/1] quit

# Create the 6to4 tunnel interface Tunnel 0.
[RouterA] interface tunnel 0 mode ipv6-ipv4 6to4

# Specify an IPv6 address for the tunnel interface.
[RouterA-Tunnel0] ipv6 address 3001::1/64

# Specify the source interface as GigabitEthernet 2/0/2 for the tunnel interface.
[RouterA-Tunnel0] source gigabitethernet 2/0/2
[RouterA-Tunnel0] quit

# Configure a static route destined for 2002::/16 through the tunnel interface.
[RouterA] ipv6 route-static 2002:: 16 tunnel 0

• Configure Router B:

# Specify an IPv4 address for GigabitEthernet 2/0/2.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 5.1.1.1 24
[RouterB-GigabitEthernet2/0/2] quit

# Specify a 6to4 address for GigabitEthernet 2/0/1.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ipv6 address 2002:0501:0101:1::1/64
[RouterB-GigabitEthernet2/0/1] quit

# Create the 6to4 tunnel interface Tunnel 0.
[RouterB] interface tunnel 0 mode ipv6-ipv4 6to4

# Specify an IPv6 address for the tunnel interface.
[RouterB-Tunnel0] ipv6 address 3002::1/64

# Specify the source interface as GigabitEthernet 2/0/2 for the tunnel interface.
[RouterB-Tunnel0] source gigabitethernet 2/0/2
[RouterB-Tunnel0] quit

# Configure a static route destined for 2002::/16 through the tunnel interface.
[RouterB] ipv6 route-static 2002:: 16 tunnel 0

Verifying the configuration

# Verify that Host A and Host B can ping each other.
D:\>ping6 -s 2002:201:101:1::2 2002:501:101:1::2

Pinging 2002:501:101:1::2
from 2002:201:101:1::2 with 32 bytes of data:

Reply from 2002:501:101:1::2: bytes=32 time=13ms
Reply from 2002:501:101:1::2: bytes=32 time=1ms
Reply from 2002:501:101:1::2: bytes=32 time=1ms
Reply from 2002:501:101:1::2: bytes=32 time<1ms

Ping statistics for 2002:501:101:1::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 13ms, Average = 3ms

6to4 relay configuration example

Network requirements

As shown in Figure 125, Router A is a 6to4 router, and 6to4 addresses are used on the connected IPv6 network. Router B acts as a 6to4 relay router and is connected to an IPv6 network (2001::/16). Configure a 6to4 tunnel between Router A and Router B to make Host A and Host B reachable to each other.

The configuration on a 6to4 relay router is similar to that on a 6to4 router. However, to enable communication between the 6to4 network and the IPv6 network, you must configure a route to the IPv6 network on the 6to4 router. The IPv4 address of GigabitEthernet 2/0/2 on the relay router is 6.1.1.1/24 and its corresponding 6to4 prefix is 2002:0601:0101::/48. The next hop of the static route must be an address using this prefix.

Figure 125 Network diagram
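How the addresses in the two 6to4 examples fit together, as an added Python example (not HPE code): it derives the /48 prefix from a router's IPv4 address as in the requirements analysis of the 6to4 tunnel example, lists site addresses that fall outside that prefix, and works out which IPv4 address ends up as the outer destination, including the relay case where the next hop of a static route must be a 6to4 address. The function names and the route list, a plain longest-prefix match over (prefix, next hop) pairs, are assumptions of this example.

```python
import ipaddress


def prefix_6to4(ipv4):
    """6to4 /48 prefix for an IPv4 address: 2002:<32-bit IPv4 address>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def outside_prefix(router_ipv4, addresses):
    """Addresses that do NOT belong to the 6to4 prefix of the given router."""
    site = prefix_6to4(router_ipv4)
    return [a for a in addresses if ipaddress.IPv6Address(a) not in site]


def outer_destination(dst, static_routes=()):
    """IPv4 address the 6to4 tunnel uses as the outer destination for dst.

    A 6to4 destination carries its own tunnel endpoint. Any other destination
    needs a static route whose next hop is a 6to4 address (the relay router).
    static_routes: iterable of (prefix, next_hop) strings.
    """
    addr = ipaddress.IPv6Address(dst)
    if addr.sixtofour is not None:
        return addr.sixtofour
    best = None
    for prefix, next_hop in static_routes:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.IPv6Address(next_hop))
    if best is None:
        raise LookupError(f"no route to {dst}")
    relay = best[1].sixtofour
    if relay is None:
        raise ValueError(f"next hop {best[1]} is not a 6to4 address")
    return relay


if __name__ == "__main__":
    print(prefix_6to4("2.1.1.1"))                       # Router A in both examples
    print(outer_destination("2002:501:101:1::2"))       # Host B in the 6to4 tunnel example
    print(outer_destination("2001::2", [("::/0", "2002:0601:0101::1")]))  # relay example
```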

Configuration procedure Make sure Router A and Router B can reach each other through IPv4. • Configure Router A:

# Specify an IPv4 address for GigabitEthernet 2/0/2.

Page 316: HPE FlexNetwork MSR Router Series - …h20628. FlexNetwork MSR Router Series ... Configuring Option 184 parameters for DHCP ... 186 Command and hardware ...

302

<RouterA> system-view

[RouterA] interface gigabitethernet 2/0/2

[RouterA-GigabitEthernet2/0/2] ip address 2.1.1.1 255.255.255.0

[RouterA-GigabitEthernet2/0/2] quit

# Specify a 6to4 address for GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] ipv6 address 2002:0201:0101:1::1/64

[RouterA-GigabitEthernet2/0/1] quit

# Create the 6to4 tunnel interface Tunnel 0. [RouterA] interface tunnel 0 mode ipv6-ipv4 6to4

# Specify an IPv6 address for the tunnel interface. [RouterA-Tunnel0] ipv6 address 2002::1/64

# Specify GigabitEthernet 2/0/2 as the source interface of the tunnel interface. [RouterA-Tunnel0] source gigabitethernet 2/0/2

[RouterA-Tunnel0] quit

# Configure a static route to the 6to4 relay router. [RouterA] ipv6 route-static 2002:0601:0101:: 64 tunnel 0

# Configure a default route to reach the IPv6 network, which specifies the next hop as the 6to4 address of the relay router. [RouterA] ipv6 route-static :: 0 2002:0601:0101::1

• Configure Router B: # Specify an IPv4 address for GigabitEthernet 2/0/2. <RouterB> system-view

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] ip address 6.1.1.1 255.255.255.0

[RouterB-GigabitEthernet2/0/2] quit

# Specify an IPv6 address for GigabitEthernet 2/0/1. [RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ipv6 address 2001::1/16

[RouterB-GigabitEthernet2/0/1] quit

# Create the 6to4 tunnel interface Tunnel 0. [RouterB] interface tunnel 0 mode ipv6-ipv4 6to4

# Specify an IPv6 address for the tunnel interface. [RouterB-Tunnel0] ipv6 address 2003::1/64

# Specify GigabitEthernet 2/0/2 as the source interface of the tunnel interface. [RouterB-Tunnel0] source gigabitethernet 2/0/2

[RouterB-Tunnel0] quit

# Configure a static route destined for 2002::/16 through the tunnel interface.

[RouterB] ipv6 route-static 2002:: 16 tunnel 0

Verifying the configuration

# Verify that Host A and Host B can ping each other.

D:\>ping6 -s 2002:201:101:1::2 2001::2

Pinging 2001::2

from 2002:201:101:1::2 with 32 bytes of data:

Reply from 2001::2: bytes=32 time=13ms

Reply from 2001::2: bytes=32 time=1ms

Reply from 2001::2: bytes=32 time=1ms

Reply from 2001::2: bytes=32 time<1ms

Ping statistics for 2001::2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 13ms, Average = 3ms

Configuring an ISATAP tunnel

Follow these guidelines when you configure an ISATAP tunnel:

• You do not need to configure a destination address for an ISATAP tunnel, because the destination IPv4 address is embedded in the ISATAP address.

• Do not specify the same source addresses for local tunnel interfaces in the same tunnel mode.

• Because automatic tunnels do not support dynamic routing, configure a static route destined for the destination IPv6 network at each tunnel end. You can specify the local tunnel interface as the egress interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop of the route. For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

To configure an ISATAP tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ISATAP tunnel interface view.
   Command: interface tunnel number [ mode ipv6-ipv4 isatap ]
   Remarks: N/A

3. Specify an IPv6 address for the tunnel interface.
   Command: See "Configuring basic IPv6 settings."
   Remarks: By default, no IPv6 address is configured for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified source interface is used as the source IP address of tunneled packets.

5. (Optional.) Set the DF bit for tunneled packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for tunneled packets.

6. Return to system view.
   Command: quit
   Remarks: N/A

7. (Optional.) Enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.
   Command: tunnel discard ipv4-compatible-packet
   Remarks: By default, IPv6 packets that use IPv4-compatible IPv6 addresses are not dropped.

Configuration example

Network requirements

As shown in Figure 126, configure an ISATAP tunnel between the router and the ISATAP host so the ISATAP host in the IPv4 network can access the IPv6 network.

Figure 126 Network diagram

Configuration procedure

• Configure the router:

# Specify an IPv6 address for GigabitEthernet 2/0/2.

<Router> system-view

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] ipv6 address 3001::1/64

[Router-GigabitEthernet2/0/2] quit

# Specify an IPv4 address for GigabitEthernet 2/0/1.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] ip address 1.1.1.1 255.0.0.0

[Router-GigabitEthernet2/0/1] quit

# Create the ISATAP tunnel interface Tunnel 0.

[Router] interface tunnel 0 mode ipv6-ipv4 isatap

# Specify an EUI-64 IPv6 address for the tunnel interface.

[Router-Tunnel0] ipv6 address 2001:: 64 eui-64

# Specify GigabitEthernet 2/0/1 as the source interface of the tunnel interface.

[Router-Tunnel0] source gigabitethernet 2/0/1

# Disable RA suppression so that the ISATAP host can acquire information such as the address prefix from the RA message advertised by the ISATAP router.

[Router-Tunnel0] undo ipv6 nd ra halt

[Router-Tunnel0] quit

• Configure the ISATAP host:

Configurations on the ISATAP host vary by operating system. The following configuration is performed on Windows XP.

# Install IPv6.

C:\>ipv6 install

# On a host running Windows XP, the ISATAP interface is typically interface 2. Display information about the ISATAP interface.

C:\>ipv6 if 2

Interface 2: Automatic Tunneling Pseudo-Interface

Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}

does not use Neighbor Discovery

does not use Router Discovery

routing preference 1

EUI-64 embedded IPv4 address: 0.0.0.0

router link-layer address: 0.0.0.0

preferred link-local fe80::5efe:1.1.1.2, life infinite

link MTU 1280 (true link MTU 65515)

current hop limit 128

reachable time 42500ms (base 30000ms)

retransmission interval 1000ms

DAD transmits 0

default site prefix length 48

# Specify an IPv4 address for the ISATAP router.

C:\>netsh interface ipv6 isatap set router 1.1.1.1

# Display information about the ISATAP interface.

C:\>ipv6 if 2

Interface 2: Automatic Tunneling Pseudo-Interface

Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}

does not use Neighbor Discovery

uses Router Discovery

routing preference 1

EUI-64 embedded IPv4 address: 1.1.1.2

router link-layer address: 1.1.1.1

preferred global 2001::5efe:1.1.1.2, life 29d23h59m46s/6d23h59m46s (public)

preferred link-local fe80::5efe:1.1.1.2, life infinite

link MTU 1500 (true link MTU 65515)

current hop limit 255

reachable time 42500ms (base 30000ms)

retransmission interval 1000ms

DAD transmits 0

default site prefix length 48

The host has obtained the prefix 2001::/64 and has automatically generated the global unicast address 2001::5efe:1.1.1.2. The message "uses Router Discovery" indicates that the router discovery function is enabled on the host.

# Display information about IPv6 routes on the host.

C:\>ipv6 rt

2001::/64 -> 2 pref 1if+8=9 life 29d23h59m43s (autoconf)

::/0 -> 2/fe80::5efe:1.1.1.1 pref 1if+256=257 life 29m43s (autoconf)

• On the IPv6 host, configure a route to the border router.

C:\>netsh interface ipv6 set route 2001::/64 5 3001::1

Verifying the configuration

# Verify that the ISATAP host can ping the IPv6 host.

C:\>ping 3001::2

Pinging 3001::2 with 32 bytes of data:

Reply from 3001::2: time=1ms

Reply from 3001::2: time=1ms

Reply from 3001::2: time=1ms

Reply from 3001::2: time=1ms

Ping statistics for 3001::2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms
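The 6to4 and ISATAP examples above both rely on an IPv4 address being embedded in the IPv6 address (2.1.1.1 inside 2002:0201:0101::/48, 1.1.1.2 inside 2001::5efe:1.1.1.2). The following Python sketch is an added example, not part of the HPE guide: it derives those addresses and recovers the implied IPv4 tunnel endpoint from any IPv6 address, which is the property that filters such as tunnel discard ipv4-compatible-packet and log reviews key on. The function names are hypothetical, and the ::10.1.1.1 sample is constructed.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# Upper half of the ISATAP interface identifier: 0000:5efe, or 0200:5efe with the u bit set.
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)


def to_6to4_prefix(ipv4):
    """Return the 2002:<IPv4>::/48 prefix a 6to4 site derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix64, ipv4):
    """Return <prefix64>:0:5efe:<IPv4>, the address an ISATAP host forms from an advertised /64."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4)


def classify(address):
    """Return (kind, embedded IPv4 as text or None) for one IPv6 address.

    Only the bit pattern is examined, so any address that falls in 2002::/16
    is reported as 6to4 even if it was assigned by hand.
    """
    addr = ipaddress.IPv6Address(address)
    n = int(addr)
    low32 = str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    if addr in SIX_TO_FOUR:
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IID_HIGH:
        return "isatap", low32
    if n >> 32 == 0 and n > 1:  # ::a.b.c.d, excluding :: and ::1
        return "ipv4-compatible", low32
    return "native", None


def tunnel_endpoints(addresses):
    """Map each transition address to (kind, IPv4 endpoint); native addresses are skipped."""
    found = {}
    for address in addresses:
        kind, v4 = classify(address)
        if v4 is not None:
            found[address] = (kind, v4)
    return found


# Addresses from the examples on this page, plus one constructed
# IPv4-compatible address (::10.1.1.1) that the page does not use.
SAMPLE = [
    "2002:201:101:1::2",    # Host A behind the 6to4 router
    "2002:0601:0101::1",    # next hop used for the 6to4 relay
    "2001::5efe:1.1.1.2",   # ISATAP host, global address
    "fe80::5efe:1.1.1.1",   # ISATAP router, link-local address
    "3001::2",              # native IPv6 host
    "::10.1.1.1",           # constructed IPv4-compatible address
]

if __name__ == "__main__":
    print(to_6to4_prefix("2.1.1.1"))
    print(isatap_address("2001::/64", "1.1.1.2"))
    for address, (kind, v4) in tunnel_endpoints(SAMPLE).items():
        print(f"{address:22} {kind:16} IPv4 endpoint {v4}")
```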

Configuring an IPv4 over IPv4 tunnel

Follow these guidelines when you configure an IPv4 over IPv4 tunnel:

• The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.

• Do not specify the same source and destination addresses for local tunnel interfaces in the same tunnel mode.

• The IPv4 address of the local tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface.

• To ensure correct packet forwarding, identify whether the destination IPv4 network and the IPv4 address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination IPv4 network through the tunnel interface. You can configure the route by using one of the following methods:

  ○ Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv4 address of the peer tunnel interface as the next hop.

  ○ Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose.

  For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

• The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface.

To configure an IPv4 over IPv4 tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter IPv4 over IPv4 tunnel interface view.
   Command: interface tunnel number [ mode ipv4-ipv4 ]
   Remarks: N/A

3. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the IPv6 address of the specified source interface is used as the source IP address of tunneled packets.

5. Configure a destination address for the tunnel interface.
   Command: destination ip-address
   Remarks: By default, no destination address is configured for the tunnel interface. The tunnel destination address must be the IP address of the receiving interface on the tunnel peer. It is used as the destination IP address of tunneled packets.

6. (Optional.) Set the DF bit for tunneled packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for tunneled packets.

Configuration example

Network requirements

As shown in Figure 127, the two subnets IPv4 group 1 and IPv4 group 2 use private IPv4 addresses. Configure an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each other.

Figure 127 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv4.

• Configure Router A:

# Specify an IPv4 address for GigabitEthernet 2/0/1.

<RouterA> system-view

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] ip address 10.1.1.1 255.255.255.0

[RouterA-GigabitEthernet2/0/1] quit

# Specify an IPv4 address for Serial 2/1/0, which is the physical interface of the tunnel.

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] ip address 2.1.1.1 255.255.255.0

[RouterA-Serial2/1/0] quit

# Create the IPv4 over IPv4 tunnel interface Tunnel 1.

[RouterA] interface tunnel 1 mode ipv4-ipv4

# Specify an IPv4 address for the tunnel interface.

[RouterA-Tunnel1] ip address 10.1.2.1 255.255.255.0

# Specify the IP address of Serial 2/1/0 as the source address for the tunnel interface.

[RouterA-Tunnel1] source 2.1.1.1

# Specify the IP address of Serial 2/1/1 on Router B as the destination address for the tunnel interface.

[RouterA-Tunnel1] destination 3.1.1.1

[RouterA-Tunnel1] quit

# Configure a static route destined for IPv4 group 2 through the tunnel interface.

[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1

• Configure Router B:

# Specify an IPv4 address for GigabitEthernet 2/0/1.

<RouterB> system-view

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ip address 10.1.3.1 255.255.255.0

[RouterB-GigabitEthernet2/0/1] quit

# Specify an IPv4 address for Serial 2/1/1, which is the physical interface of the tunnel.

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] ip address 3.1.1.1 255.255.255.0

[RouterB-Serial2/1/1] quit

# Create the IPv4 over IPv4 tunnel interface Tunnel 2.

[RouterB] interface tunnel 2 mode ipv4-ipv4

# Specify an IPv4 address for the tunnel interface.

[RouterB-Tunnel2] ip address 10.1.2.2 255.255.255.0

# Specify the IP address of Serial 2/1/1 as the source address for the tunnel interface.

[RouterB-Tunnel2] source 3.1.1.1

# Specify the IP address of Serial 2/1/0 on Router A as a destination address for the tunnel interface.

[RouterB-Tunnel2] destination 2.1.1.1

[RouterB-Tunnel2] quit

# Configure a static route destined for IPv4 group 1 through the tunnel interface.

[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2

Verifying the configuration

# Use the display interface tunnel command to display the status of the tunnel interfaces on Router A and Router B. Verify that the tunnel interfaces are up. (Details not shown.)

# Verify that Router A and Router B can ping the IPv4 address of the peer interface GigabitEthernet 2/0/1. The following shows the output on Router A.

[RouterA] ping -a 10.1.1.1 10.1.3.1

Ping 10.1.3.1 (10.1.3.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.3.1: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 10.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 10.1.3.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/2.000/0.632 ms
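The guidelines for the IPv4 over IPv4 tunnel can be checked mechanically before a change is applied. The following Python sketch is an added example, not part of the HPE guide: it parses the Router A and Router B commands shown above (LAN interface lines omitted) and reports violations of three of the guidelines. The function names are hypothetical, and "on the same subnet as the destination address" is interpreted here as "the tunnel destination address falls inside that subnet or route prefix".

```python
import ipaddress
import re

PROMPT = re.compile(r"^[<\[][^\]>]*[\]>]\s*")  # "<RouterA> " or "[RouterA-Tunnel1] "

# Commands copied from the configuration example on this page.
ROUTER_A = """\
<RouterA> system-view
[RouterA] interface serial 2/1/0
[RouterA-Serial2/1/0] ip address 2.1.1.1 255.255.255.0
[RouterA-Serial2/1/0] quit
[RouterA] interface tunnel 1 mode ipv4-ipv4
[RouterA-Tunnel1] ip address 10.1.2.1 255.255.255.0
[RouterA-Tunnel1] source 2.1.1.1
[RouterA-Tunnel1] destination 3.1.1.1
[RouterA-Tunnel1] quit
[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
"""
ROUTER_B = """\
<RouterB> system-view
[RouterB] interface serial 2/1/1
[RouterB-Serial2/1/1] ip address 3.1.1.1 255.255.255.0
[RouterB-Serial2/1/1] quit
[RouterB] interface tunnel 2 mode ipv4-ipv4
[RouterB-Tunnel2] ip address 10.1.2.2 255.255.255.0
[RouterB-Tunnel2] source 3.1.1.1
[RouterB-Tunnel2] destination 2.1.1.1
[RouterB-Tunnel2] quit
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2
"""


def parse(session):
    """Turn a CLI transcript into interface addresses, tunnel settings and static routes."""
    cfg = {"addr": {}, "tunnels": {}, "routes": []}
    view = None  # interface view currently entered, e.g. "tunnel1"
    for raw in session.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "interface" and len(words) >= 3:
            view = (words[1] + words[2]).lower()
            if words[1].lower() == "tunnel":
                cfg["tunnels"].setdefault(view, {})
        elif words[0] == "quit":
            view = None
        elif words[:2] == ["ip", "address"] and view and len(words) >= 4:
            cfg["addr"][view] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[0] in ("source", "destination") and view in cfg["tunnels"]:
            cfg["tunnels"][view][words[0]] = "".join(words[1:]).lower()
        elif words[:2] == ["ip", "route-static"] and len(words) >= 5:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            cfg["routes"].append((net, "".join(words[4:]).lower()))
    return cfg


def resolve(cfg, value):
    """Return the address behind a source value: a literal address or an interface name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        iface = cfg["addr"].get(value)
        return iface.ip if iface else None


def check_pair(local, peer):
    """Check the local router's tunnels against the guidelines; return a list of findings."""
    findings = []
    peer_sources = {resolve(peer, t["source"])
                    for t in peer["tunnels"].values() if "source" in t}
    for name, tunnel in local["tunnels"].items():
        if "destination" not in tunnel:
            findings.append(f"{name}: no destination configured")
            continue
        dst = ipaddress.ip_address(tunnel["destination"])
        if dst not in peer_sources:
            findings.append(f"{name}: destination {dst} is not a tunnel source on the peer")
        if name in local["addr"] and dst in local["addr"][name].network:
            findings.append(f"{name}: destination {dst} is inside the tunnel interface "
                            f"subnet {local['addr'][name].network}")
        for net, egress in local["routes"]:
            if egress == name and dst in net:
                findings.append(f"{name}: route {net} through the tunnel covers "
                                f"the tunnel destination {dst}")
    return findings


if __name__ == "__main__":
    a, b = parse(ROUTER_A), parse(ROUTER_B)
    for finding in check_pair(a, b) + check_pair(b, a):
        print(finding)
```

With the configuration from this page both directions return no findings; pointing the destination at the peer's tunnel interface address (10.1.2.2) instead of its physical address triggers the first two checks.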

Configuring an IPv4 over IPv6 manual tunnel

Follow these guidelines when you configure an IPv4 over IPv6 manual tunnel:

• The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.

• Do not specify the same source and destination addresses for local tunnel interfaces in the same tunnel mode.

• To ensure correct packet forwarding, identify whether the destination IPv4 network and the IPv4 address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination IPv4 network through the tunnel interface. You can configure the route by using one of the following methods:

  ○ Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop.

  ○ Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose.

  For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

To configure an IPv4 over IPv6 manual tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter IPv6 tunnel interface view.
   Command: interface tunnel number [ mode ipv6 ]
   Remarks: N/A

3. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.

4. Configure the source address or interface for the tunnel interface.
   Command: source { ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel. The specified source address or the primary IPv6 address of the specified source interface is used as the source IPv6 address of tunneled packets.

5. Configure the destination address for the tunnel interface.
   Command: destination ipv6-address
   Remarks: By default, no destination address is configured for the tunnel. The tunnel destination address must be the IPv6 address of the receiving interface on the tunnel peer. It is used as the destination IPv6 address of tunneled packets.

Configuration example

Network requirements

As shown in Figure 128, configure an IPv4 over IPv6 manual tunnel between Router A and Router B so the two IPv4 networks can reach each other over the IPv6 network.

Figure 128 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv6.

• Configure Router A:

# Specify an IPv4 address for GigabitEthernet 2/0/1.

<RouterA> system-view

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] ip address 30.1.1.1 255.255.255.0

[RouterA-GigabitEthernet2/0/1] quit

# Specify an IPv6 address for Serial 2/1/0, which is the physical interface of the tunnel.

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] ipv6 address 2001::1:1 64

[RouterA-Serial2/1/0] quit

# Create the IPv6 tunnel interface Tunnel 1.

[RouterA] interface tunnel 1 mode ipv6

# Specify an IPv4 address for the tunnel interface.

[RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0

# Specify the IP address of Serial 2/1/0 as the source address for the tunnel interface.

[RouterA-Tunnel1] source 2001::1:1

# Specify the IP address of Serial 2/1/1 on Router B as the destination address for the tunnel interface.

[RouterA-Tunnel1] destination 2002::2:1

[RouterA-Tunnel1] quit

# Configure a static route destined for IPv4 network 2 through the tunnel interface.

[RouterA] ip route-static 30.1.3.0 255.255.255.0 tunnel 1

• Configure Router B:

# Specify an IPv4 address for GigabitEthernet 2/0/1.

<RouterB> system-view

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ip address 30.1.3.1 255.255.255.0

[RouterB-GigabitEthernet2/0/1] quit

# Specify an IPv6 address for Serial 2/1/1, which is the physical interface of the tunnel.

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] ipv6 address 2002::2:1 64

[RouterB-Serial2/1/1] quit

# Create the IPv6 tunnel interface Tunnel 2.

[RouterB] interface tunnel 2 mode ipv6

# Specify an IPv4 address for the tunnel interface.

[RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0

# Specify the IP address of Serial 2/1/1 as the source address for the tunnel interface.

[RouterB-Tunnel2] source 2002::2:1

# Specify the IP address of Serial 2/1/0 on Router A as the destination address for the tunnel interface.

[RouterB-Tunnel2] destination 2001::1:1

[RouterB-Tunnel2] quit

# Configure a static route destined for IPv4 network 1 through the tunnel interface.

[RouterB] ip route-static 30.1.1.0 255.255.255.0 tunnel 2

Verifying the configuration

# Use the display interface tunnel command to display the status of the tunnel interfaces on Router A and Router B. Verify that the tunnel interfaces are up. (Details not shown.)

# Verify that Router A and Router B can ping the IPv4 address of the peer interface GigabitEthernet 2/0/1. The following shows the output on Router A.

[RouterA] ping -a 30.1.1.1 30.1.3.1

Ping 30.1.3.1 (30.1.3.1) from 30.1.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 30.1.3.1: icmp_seq=0 ttl=255 time=3.000 ms

56 bytes from 30.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 30.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 30.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 30.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 30.1.3.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms

Configuring a DS-Lite tunnel

A B4 tunnel interface can establish a tunnel with only one AFTR tunnel interface, but an AFTR tunnel interface can establish tunnels with multiple B4 tunnel interfaces.

Follow these guidelines when you configure the B4 router of a DS-Lite tunnel:

• Do not specify the same source addresses for local tunnel interfaces in the same tunnel mode.

• The destination address specified for the tunnel interface on the B4 router must be the source address specified for the tunnel interface on the AFTR.

• To ensure correct packet forwarding, identify whether the destination IPv4 network and the IPv4 address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination IPv4 network through the tunnel interface. You can configure the route by using one of the following methods:

  ○ Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop.

  ○ Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose.

  For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

Follow these guidelines when you configure the AFTR of a DS-Lite tunnel:

• Do not specify the same source addresses for local tunnel interfaces in the same tunnel mode.

• Enable NAT on the interface that connects to the public IPv4 interface.

• The tunnel destination cannot be configured on the AFTR. The AFTR uses the address of the B4 router as the IPv6 address of the tunnel destination.

• It is not necessary to configure a route to the destination IPv4 address for forwarding packets through the tunnel interface.

This section describes only the AFTR configuration. For information about B4 router configuration, see "Configuring an IPv4 over IPv6 manual tunnel."

To configure the AFTR of a DS-Lite tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter the view of the tunnel interface on the AFTR.
   Command: interface tunnel number [ mode ds-lite-aftr ]
   Remarks: N/A

3. Specify an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is specified for the tunnel interface.

4. Specify the source address or source interface for the tunnel.
   Command: source { ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or interface is specified for the tunnel. If you specify a source address, it is used as the source address of the encapsulated IPv6 packets. If you specify a source interface, the address of this interface is used as the source address of the encapsulated IPv6 packets.

5. Return to system view.
   Command: quit
   Remarks: N/A

6. Enter the view of the interface that connects the IPv4 public network.
   Command: interface interface-type interface-number
   Remarks: N/A

7. Enable DS-Lite tunneling on the interface.
   Command: ds-lite enable
   Remarks: By default, DS-Lite tunneling is disabled. The AFTR can tunnel IPv4 packets from the public IPv4 network to the B4 router only after you use this command.

Configuration example

Network requirements

As shown in Figure 129, configure a DS-Lite tunnel between Router A and Router B, and configure NAT on GigabitEthernet 2/0/1 on the AFTR, so hosts in the private IPv4 network can access the public IPv4 network.

Figure 129 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv6.

• Configure Router A:

# Specify an IPv4 address for GigabitEthernet 2/0/1.

<RouterA> system-view

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] ip address 10.0.0.2 255.255.255.0

[RouterA-GigabitEthernet2/0/1] quit

# Specify an IPv6 address for GigabitEthernet 2/0/2, which is the physical interface of the tunnel.

[RouterA] interface gigabitethernet 2/0/2

[RouterA-GigabitEthernet2/0/2] ipv6 address 1::1 64

[RouterA-GigabitEthernet2/0/2] quit

# Create the IPv6 tunnel interface Tunnel 1.

[RouterA] interface tunnel 1 mode ipv6

# Specify an IPv4 address for the tunnel interface.

[RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0

# Specify the IP address of GigabitEthernet 2/0/2 as the source address for the tunnel interface.

[RouterA-Tunnel1] source 1::1

# Specify the IP address of GigabitEthernet 2/0/2 on Router B as the destination address for the tunnel interface.

[RouterA-Tunnel1] destination 2::2

[RouterA-Tunnel1] quit

# Configure a static route to the public IPv4 network through the tunnel interface.

[RouterA] ip route-static 20.1.1.0 255.255.255.0 tunnel 1

• Configure Router B:

# Specify an IPv4 address for GigabitEthernet 2/0/1.

<RouterB> system-view

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ip address 20.1.1.1 24

[RouterB-GigabitEthernet2/0/1] quit

# Specify an IPv6 address for GigabitEthernet 2/0/2, which is the physical interface of the tunnel.

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] ipv6 address 2::2 64

[RouterB-GigabitEthernet2/0/2] quit

# Create the DS-Lite tunnel interface Tunnel 2.

[RouterB] interface tunnel 2 mode ds-lite-aftr

# Configure an IPv4 address for the tunnel interface.

[RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0

# Specify GigabitEthernet 2/0/2 as the source interface of the tunnel interface.

[RouterB-Tunnel2] source gigabitethernet 2/0/2

[RouterB-Tunnel2] quit

# Enable DS-Lite tunneling on GigabitEthernet 2/0/1.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ds-lite enable

# Enable NAT on GigabitEthernet 2/0/1 and use the IP address of GigabitEthernet 2/0/1 as the translated address.

[RouterB-GigabitEthernet2/0/1] nat outbound

[RouterB-GigabitEthernet2/0/1] quit

• On host A, specify the IP address for the host as 10.0.0.1 and configure a static route to 20.1.1.0/24 with next hop 10.0.0.2. (Details not shown.)

• On host B, specify the IP address for the host as 20.1.1.2. (Details not shown.)

Verifying the configuration

# Use the display interface tunnel command to display the status of the tunnel interfaces on Router A and Router B. Verify that the tunnel interfaces are up. (Details not shown.)

# Verify that host A can ping host B.

C:\> ping 20.1.1.2

Pinging 20.1.1.2 with 32 bytes of data:

Reply from 20.1.1.2: bytes=32 time=51ms TTL=255

Reply from 20.1.1.2: bytes=32 time=44ms TTL=255

Reply from 20.1.1.2: bytes=32 time=1ms TTL=255

Reply from 20.1.1.2: bytes=32 time=1ms TTL=255

Ping statistics for 20.1.1.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 51ms, Average = 24ms

Configuring an IPv6 over IPv6 tunnel

Follow these guidelines when you configure an IPv6 over IPv6 tunnel:

• The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.

• Do not specify the same source and destination addresses for local tunnel interfaces in the same tunnel mode.

• The IPv6 address of the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface.

• To ensure correct packet forwarding, identify whether the destination IPv6 network and the IPv6 address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination IPv6 network through the tunnel interface. You can configure the route by using one of the following methods:

  ○ Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop.

  ○ Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose.

  For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

• The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface.

To configure an IPv6 over IPv6 tunnel:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter IPv6 tunnel interface view.
   Command: interface tunnel number [ mode ipv6 ]
   Remarks: N/A

3. Configure an IPv6 address for the tunnel interface.
   Command: See "Configuring basic IPv6 settings."
   Remarks: By default, no IPv6 address is configured for the tunnel interface.

4. Configure the source address or source interface for the tunnel interface.
   Command: source { ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel. The specified source address or the IPv6 address of the specified source interface is used as the source IPv6 address of tunneled packets.

5. Configure the destination address for the tunnel interface.
   Command: destination ipv6-address
   Remarks: By default, no destination address is configured for the tunnel. The tunnel destination address must be the IPv6 address of the receiving interface on the tunnel peer. It is used as the destination IPv6 address of tunneled packets.

6. Return to system view.
   Command: quit
   Remarks: N/A

7. (Optional.) Enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.
   Command: tunnel discard ipv4-compatible-packet
   Remarks: By default, IPv6 packets that use IPv4-compatible IPv6 addresses are not dropped.

Configuration example

Network requirements

As shown in Figure 130, configure an IPv6 over IPv6 tunnel between Router A and Router B so the two IPv6 networks can reach each other without disclosing their IPv6 addresses.

Figure 130 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv6.

• Configure Router A:

# Specify an IPv6 address for GigabitEthernet 2/0/1.

<RouterA> system-view

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] ipv6 address 2002:1::1 64

[RouterA-GigabitEthernet2/0/1] quit

# Specify an IPv6 address for Serial 2/1/0, which is the physical interface of the tunnel.

[RouterA] interface serial 2/1/0

[RouterA-Serial2/1/0] ipv6 address 2001::11:1 64

[RouterA-Serial2/1/0] quit

# Create the IPv6 tunnel interface Tunnel 1.

[RouterA] interface tunnel 1 mode ipv6

# Specify an IPv6 address for the tunnel interface.

[RouterA-Tunnel1] ipv6 address 3001::1:1 64

# Specify the IP address of Serial 2/1/0 as the source address for the tunnel interface.

[RouterA-Tunnel1] source 2001::11:1

# Specify the IP address of Serial 2/1/1 on Router B as the destination address for the tunnel interface.

[RouterA-Tunnel1] destination 2002::22:1

[RouterA-Tunnel1] quit

# Configure a static route destined for the IPv6 network group 2 through the tunnel interface.

[RouterA] ipv6 route-static 2002:3:: 64 tunnel 1

• Configure Router B:

# Specify an IPv6 address for GigabitEthernet 2/0/1.

<RouterB> system-view

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ipv6 address 2002:3::1 64

[RouterB-GigabitEthernet2/0/1] quit

# Specify an IPv6 address for Serial 2/1/1, which is the physical interface of the tunnel.

[RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] ipv6 address 2002::22:1 64

[RouterB-Serial2/1/1] quit

# Create the IPv6 tunnel interface Tunnel 2.

[RouterB] interface tunnel 2 mode ipv6

# Specify an IPv6 address for the tunnel interface.

[RouterB-Tunnel2] ipv6 address 3001::1:2 64

# Specify the IP address of Serial 2/1/1 as the source address for the tunnel interface.

[RouterB-Tunnel2] source 2002::22:1

# Specify the IP address of Serial 2/1/0 on Router A as the destination address for the tunnel interface.

[RouterB-Tunnel2] destination 2001::11:1

[RouterB-Tunnel2] quit

# Configure a static route destined for the IPv6 network group 1 through the tunnel interface.

[RouterB] ipv6 route-static 2002:1:: 64 tunnel 2

Verifying the configuration

# Use the display ipv6 interface command to display the status of the tunnel interfaces on Router A and Router B. Verify that the tunnel interfaces are up. (Details not shown.)

# Verify that Router A and Router B can ping the IPv6 address of the peer interface GigabitEthernet 2/0/1. The following shows the output on Router A.

[RouterA] ping ipv6 -a 2002:1::1 2002:3::1

Ping6(56 data bytes) 2002:1::1 --> 2002:3::1, press CTRL_C to break

56 bytes from 2002:3::1, icmp_seq=0 hlim=64 time=9.000 ms

56 bytes from 2002:3::1, icmp_seq=1 hlim=64 time=1.000 ms

56 bytes from 2002:3::1, icmp_seq=2 hlim=64 time=0.000 ms

56 bytes from 2002:3::1, icmp_seq=3 hlim=64 time=0.000 ms

56 bytes from 2002:3::1, icmp_seq=4 hlim=64 time=0.000 ms

--- Ping6 statistics for 2002:3::1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.000/9.000/3.521 ms

Displaying and maintaining tunneling configuration

Execute display commands in any view and reset commands in user view.

Task: Display information about tunnel interfaces.
Command: display interface [ tunnel [ number ] ] [ brief [ description | down ] ]

Task: Display IPv6 information on tunnel interfaces.
Command: display ipv6 interface [ tunnel [ number ] ] [ brief ]

Task: Display information about the connected B4 routers on the AFTR.
Command: display ds-lite b4 information

Task: Clear statistics on tunnel interfaces.
Command: reset counters interface [ tunnel [ number ] ]

For more information about the display ipv6 interface command, see Layer 3—IP Services Command Reference.

Troubleshooting tunneling configuration

Symptom

A tunnel interface configured with related parameters such as tunnel source address, tunnel destination address, and tunnel mode cannot come up.

Analysis

The physical interface of the tunnel does not come up, or the tunnel destination is unreachable.

Solution

1. To resolve the problem:
   • Use the display interface or display ipv6 interface command to verify that the physical interface of the tunnel is up. If the physical interface is down, check the network connection.
   • Use the display ipv6 routing-table or display ip routing-table command to verify that the tunnel destination is reachable. If the route is not available, configure a route to reach the tunnel destination.

2. If the problem persists, contact Hewlett Packard Enterprise Support.


Configuring GRE

Overview

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate any network layer protocol (such as IPv6) into a virtual point-to-point tunnel over an IP network (such as an IPv4 network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.

GRE encapsulation format

Figure 131 GRE encapsulation format

As shown in Figure 131, a GRE-tunneled packet includes the following parts:
• Payload packet—Original packet. The protocol type of the payload packet is called the passenger protocol. The passenger protocol can be any network layer protocol.
• GRE header—Header that is added to the payload packet to change the payload packet to a GRE packet. A GRE header includes the number of encapsulations, version, passenger protocol type, checksum, and key. GRE is called the encapsulation protocol.
• Delivery header—Header that is added to the GRE packet to deliver it to the tunnel end. The transport protocol (or delivery protocol) is the network layer protocol that transfers GRE packets.

The device supports GRE tunnels with IPv4 and IPv6 as the transport protocols. When the transport protocol is IPv4, the GRE tunnel mode is GRE over IPv4 (GRE/IPv4). When the transport protocol is IPv6, the GRE tunnel mode is GRE over IPv6 (GRE/IPv6).

GRE tunnel operating principle

Figure 132 IPv6 networks interconnected through a GRE tunnel

As shown in Figure 132, an IPv6 protocol packet traverses an IPv4 network through a GRE tunnel as follows:

1. After receiving an IPv6 packet from the interface connected to IPv6 network 1, Device A processes the packet as follows:
   a. Looks up the routing table to identify the outgoing interface for the IPv6 packet.
   b. Submits the IPv6 packet to the outgoing interface—the GRE tunnel interface Tunnel 0.

2. Upon receiving the packet, the tunnel interface encapsulates the packet with GRE and then with IPv4. In the IPv4 header:
   • The source address is the tunnel's source address (the IP address of interface GigabitEthernet 2/0/1 of Device A).
   • The destination address is the tunnel's destination address (the IP address of interface GigabitEthernet 2/0/1 of Device B).

3. Device A looks up the routing table according to the destination address in the IPv4 header, and forwards the IPv4 packet out of the physical interface (GigabitEthernet 2/0/1) of the GRE tunnel.

4. When the IPv4 packet arrives at the GRE tunnel destination Device B, Device B checks the destination address. Because the destination is Device B itself and the protocol number in the IP header is 47 (the protocol number for GRE), Device B submits the packet to GRE for de-encapsulation.

5. GRE first removes the IPv4 header, and then checks the GRE key, checksum, and packet sequence number. After GRE finishes the checking, it removes the GRE header, and submits the payload to the IPv6 protocol for forwarding.

NOTE: GRE encapsulation and de-encapsulation can decrease the forwarding efficiency of tunnel-end devices.

GRE security mechanisms

GRE supports the following security mechanisms:
• GRE key—Ensures packet validity. The sender adds a GRE key into a packet. The receiver compares the GRE key with its own GRE key. If the two keys are the same, the receiver accepts the packet. Otherwise, it drops the packet.
• GRE checksum—Ensures packet integrity. The sender calculates a checksum for the GRE header and payload and sends the packet containing the checksum to the tunnel peer. The receiver calculates a checksum for the received packet and compares it with that carried in the packet. If the checksums are the same, the receiver considers the packet intact and continues to process the packet. Otherwise, the receiver discards the packet.
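The sender and receiver checks described above, as an added Python example that is not part of the HPE guide or of Comware. The header layout follows RFC 2784 and RFC 2890; the function names (gre_encap, gre_decap) and the sample payload are constructed for illustration. Building the header by hand also shows that the key is a 32-bit value carried in cleartext and the checksum is the unkeyed Internet checksum, so neither gives cryptographic protection.

```python
import struct

# Flag bits in the first 16-bit word of the GRE header (RFC 2784 / RFC 2890).
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000
PROTO_IPV4, PROTO_IPV6 = 0x0800, 0x86DD   # passenger protocol type (EtherType)


class GreDrop(Exception):
    """Raised when the receiver must discard the packet."""


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encap(payload: bytes, proto: int, key=None, checksum=False, seq=None) -> bytes:
    """Sender side: prepend a GRE header with the optional fields requested."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0) \
        | (GRE_S if seq is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += b"\x00" * 4                  # checksum (filled in below) + reserved
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = bytearray(header + payload)
    if checksum:                               # computed over GRE header and payload
        struct.pack_into("!H", packet, 4, inet_checksum(bytes(packet)))
    return bytes(packet)


def gre_decap(packet: bytes, local_key=None):
    """Receiver side: check key, then checksum, then strip the GRE header."""
    if len(packet) < 4:
        raise GreDrop("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if flags & 0x0007:
        raise GreDrop("unsupported GRE version")
    offset = 4 + (4 if flags & GRE_C else 0)
    key = seq = None
    try:
        if flags & GRE_K:
            (key,) = struct.unpack_from("!I", packet, offset)
            offset += 4
        if flags & GRE_S:
            (seq,) = struct.unpack_from("!I", packet, offset)
            offset += 4
    except struct.error:
        raise GreDrop("truncated GRE header") from None
    if len(packet) < offset:
        raise GreDrop("truncated GRE header")
    # Both ends must hold the same key, or both must have none.
    if key != local_key:
        raise GreDrop("GRE key mismatch")
    # A checksum carried in the packet is always verified, whether or not the
    # local end sends checksums itself. A valid packet sums to zero.
    if flags & GRE_C and inet_checksum(packet) != 0:
        raise GreDrop("GRE checksum mismatch")
    return proto, key, seq, packet[offset:]


if __name__ == "__main__":
    # Constructed payload: a 40-byte IPv6 header stub plus data, not captured traffic.
    payload = b"\x60" + b"\x00" * 39 + b"constructed data"
    pkt = gre_encap(payload, PROTO_IPV6, key=1234, checksum=True)
    print("GRE header:", pkt[:12].hex())
    print("accepted:", gre_decap(pkt, local_key=1234)[:3])
    flipped = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    for label, candidate, local in (("wrong key", pkt, 5678), ("bit flip", flipped, 1234)):
        try:
            gre_decap(candidate, local_key=local)
        except GreDrop as exc:
            print(label, "->", exc)
```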

GRE application scenarios

The following shows typical GRE application scenarios:


Connecting networks running different protocols over a single backbone

Figure 133 Network diagram

As shown in Figure 133, IPv6 network 1 and IPv6 network 2 are IPv6 networks, and IPv4 network 1 and IPv4 network 2 are IPv4 networks. Through the GRE tunnel between Device A and Device B, IPv6 network 1 can communicate with IPv6 network 2 and IPv4 network 1 can communicate with IPv4 network 2, without affecting each other.

Enlarging network scope

Figure 134 Network diagram

In an IP network, the maximum TTL value of a packet is 255. If two devices have more than 255 hops in between, they cannot communicate with each other. By using a GRE tunnel, you can hide some hops to enlarge the network scope. As shown in Figure 134, only the tunnel-end devices (Device A and Device D) of the GRE tunnel are counted in hop count calculation. Therefore, there are only three hops between Host A and Host B.


Constructing VPN

Figure 135 Network diagram

As shown in Figure 135, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. A GRE tunnel can connect the two VPN sites across the WAN.

Operating with IPsec

Figure 136 Network diagram

As shown in Figure 136, GRE can be used together with IPsec to form a GRE over IPsec tunnel. Packets (for example, routing protocol packets, voice data, and video data) are first encapsulated with GRE and then with IPsec. GRE over IPsec delivers the following benefits:
• Improves transmission security.
• Allows IPsec to protect not only unicast packets. GRE supports encapsulating multicast, broadcast, and non-IP packets. After GRE encapsulation, these packets become common unicast packets, which can be protected by IPsec.
• Simplifies IPsec configuration. Packets are first encapsulated by GRE. You can define the packets to be protected by IPsec according to the GRE tunnel's source and destination addresses, without considering the source and destination addresses of the original packets.

GRE and IPsec can also form IPsec over GRE tunnels. As a best practice, use GRE over IPsec tunnels instead of IPsec over GRE tunnels.

For more information about IPsec, see Security Configuration Guide.

Protocols and standards

• RFC 1701, Generic Routing Encapsulation (GRE)
• RFC 1702, Generic Routing Encapsulation over IPv4 networks
• RFC 2784, Generic Routing Encapsulation (GRE)
• RFC 2890, Key and Sequence Number Extensions to GRE


Configuring a GRE/IPv4 tunnel

Perform this task to configure a GRE tunnel on an IPv4 network.

Configuration guidelines

Follow these guidelines when you configure a GRE/IPv4 tunnel:
• You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
• As a best practice, do not configure the same tunnel source and destination addresses for local tunnel interfaces that use the same tunnel mode.
• You can enable or disable GRE checksum at each end of a tunnel. If GRE checksum is enabled at a tunnel end, the tunnel end sends packets carrying the checksum to the peer end. A tunnel end checks the GRE checksum of a received packet if the packet carries a GRE checksum, whether or not the tunnel end is enabled with GRE checksum.
• To ensure correct packet forwarding, identify whether the destination network of packets and the IP address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination network through the tunnel interface. You can configure the route by using one of the following methods:
   • Configure a static route, using the local tunnel interface as the outgoing interface of the route.
   • Enable a dynamic routing protocol on both the tunnel interface and the interface connecting the private network. This allows the dynamic routing protocol to establish a routing entry with the tunnel interface as the outgoing interface.
• The IP address of the tunnel interface and the tunnel destination address configured on the tunnel interface must be in different subnets.

For information about tunnel interfaces, and the interface tunnel, source, destination, tunnel dfbit enable, and tunnel discard ipv4-compatible-packet commands, see "Configuring tunneling."

Configuration procedure

To configure a GRE/IPv4 tunnel:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a GRE tunnel interface, and specify the tunnel mode as GRE/IPv4.
Command: interface tunnel interface-number mode gre
Remarks: By default, the device has no tunnel interface. You must configure the same tunnel mode on both ends of a tunnel. Otherwise, packet delivery might fail.

Step 3. Configure an IPv4 or IPv6 address for the tunnel interface.
Command: For information about how to assign an IPv4 address to an interface, see "Configuring IP addressing." For information about how to assign an IPv6 address to an interface, see "Configuring basic IPv6 settings."
Remarks: By default, no IPv4 or IPv6 address is configured for a tunnel interface. When the passenger protocol is IPv4, configure an IPv4 address for the tunnel interface. When the passenger protocol is IPv6, configure an IPv6 address for the tunnel interface.

Step 4. Configure a source address or source interface for the tunnel interface.
Command: source { ip-address | interface-type interface-number }
Remarks: By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a tunnel interface, the tunnel interface uses the source address as the source address of the encapsulated packets. If you configure a source interface for a tunnel interface, the tunnel interface uses the primary IP address of the source interface as the source address of the encapsulated packets.

Step 5. Configure a destination address for the tunnel interface.
Command: destination ip-address
Remarks: By default, no destination address is configured for a tunnel interface. The destination address is the address of the physical interface that the tunnel remote end uses to receive packets from the GRE tunnel. The tunnel local end uses this address as the destination address of the encapsulated packets.

Step 6. (Optional.) Enable GRE keepalive, and set the keepalive interval and keepalive number.
Command: keepalive [ interval [ times ] ]
Remarks: By default, GRE keepalive is disabled.

Step 7. (Optional.) Enable GRE checksum.
Command: gre checksum
Remarks: By default, GRE checksum is disabled.

Step 8. (Optional.) Configure a GRE key for the GRE tunnel interface.
Command: gre key key-number
Remarks: By default, no GRE key is configured for a GRE tunnel interface. The two ends of a GRE tunnel must have the same key or both have no key.

Step 9. (Optional.) Set the DF bit for encapsulated packets.
Command: tunnel dfbit enable
Remarks: By default, the DF bit is not set, allowing encapsulated packets to be fragmented.

Step 10. Return to system view.
Command: quit
Remarks: N/A

Step 11. (Optional.) Configure the device to discard IPv6 packets with IPv4-compatible IPv6 addresses.
Command: tunnel discard ipv4-compatible-packet
Remarks: By default, the device does not discard such IPv6 packets.

Configuring a GRE/IPv6 tunnel

Perform this task to configure a GRE tunnel on an IPv6 network.

Configuration guidelines

Follow these guidelines when you configure a GRE/IPv6 tunnel:
• You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
• As a best practice, do not configure the same tunnel source and destination addresses for local tunnel interfaces that use the same tunnel mode.
• You can enable or disable GRE checksum at each end of a tunnel. If GRE checksum is enabled at a tunnel end, the tunnel end sends packets carrying the checksum to the peer end. A tunnel end checks the GRE checksum of a received packet if the packet carries a GRE checksum, whether or not the tunnel end is enabled with GRE checksum.
• To ensure correct packet forwarding, identify whether the destination network of packets and the IP address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination network through the tunnel interface. You can configure the route by using the following methods:
   • Configure a static route, using the local tunnel interface as the outgoing interface of the route.
   • Enable a dynamic routing protocol on both the tunnel interface and the interface connecting the private network. This allows the dynamic routing protocol to establish a routing entry with the tunnel interface as the outgoing interface.
• The IP address of the tunnel interface and the tunnel destination address configured on the tunnel interface must be in different subnets.

For information about tunnel interfaces, the interface tunnel, source, destination, and tunnel discard ipv4-compatible-packet commands, and additional configuration commands on a tunnel interface, see "Configuring tunneling."

Configuration procedure

To configure a GRE/IPv6 tunnel:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a GRE tunnel interface, and specify the tunnel mode as GRE/IPv6.
Command: interface tunnel interface-number mode gre ipv6
Remarks: By default, the device has no tunnel interface. You must configure the same tunnel mode on both ends of a tunnel. Otherwise, packet delivery might fail.

Step 3. Configure an IPv4 or IPv6 address for the tunnel interface.
Command: For information about how to assign an IPv4 address to an interface, see "Configuring IP addressing." For information about how to assign an IPv6 address to an interface, see "Configuring basic IPv6 settings."
Remarks: By default, no IPv4 or IPv6 address is configured for a tunnel interface. When the passenger protocol is IPv4, configure an IPv4 address for the tunnel interface. When the passenger protocol is IPv6, configure an IPv6 address for the tunnel interface.

Step 4. Configure a source IPv6 address or source interface for the tunnel interface.
Command: source { ipv6-address | interface-type interface-number }
Remarks: By default, no source IPv6 address or interface is configured for a tunnel interface. If you configure a source IPv6 address for a tunnel interface, the tunnel interface uses the source IPv6 address as the source IPv6 address of the encapsulated packets. If you configure a source interface for a tunnel interface, the tunnel interface uses the IPv6 address of the source interface as the source IPv6 address of the encapsulated packets.

Step 5. Configure a destination IPv6 address for the tunnel interface.
Command: destination ipv6-address
Remarks: By default, no destination IPv6 address is configured for a tunnel interface. The destination IPv6 address is the IPv6 address of the physical interface that the tunnel remote end uses to receive packets from the GRE tunnel. The tunnel local end uses this address as the destination IPv6 address of the encapsulated packets.

Step 6. (Optional.) Enable GRE checksum.
Command: gre checksum
Remarks: By default, GRE checksum is disabled.

Step 7. (Optional.) Configure a GRE key for the tunnel interface.
Command: gre key key-number
Remarks: By default, no GRE key is configured for a GRE tunnel interface. The two ends of a GRE tunnel must have the same key or both have no key.

Step 8. Return to system view.
Command: quit
Remarks: N/A

Step 9. (Optional.) Configure the device to discard IPv6 packets with IPv4-compatible IPv6 addresses.
Command: tunnel discard ipv4-compatible-packet
Remarks: By default, the device does not discard such IPv6 packets.
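The configuration guidelines for GRE/IPv4 and GRE/IPv6 tunnels above can be checked mechanically before a change is applied. The following Python sketch is an added example, not HPE tooling: parse_tunnel and check_pair are hypothetical helper names, the first two inputs reuse the commands of this guide's IPv4 over IPv4 example, and the faulty peer is constructed.

```python
import ipaddress
import re

# Strips a pasted CLI prompt such as "[RouterA-Tunnel0] " or "<RouterA> ".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")

def as_ip(value):
    """Return an address object, or None for a missing value or an interface name."""
    try:
        return ipaddress.ip_address(value) if value else None
    except ValueError:
        return None

def parse_tunnel(text):
    """Collect the settings entered in the tunnel interface view of one device."""
    cfg = {"mode": None, "addr": None, "source": None,
           "destination": None, "key": None, "checksum": False}
    in_tunnel = False
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).lower().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "interface":
            in_tunnel = words[1:2] == ["tunnel"]
            if in_tunnel and "mode" in words:
                cfg["mode"] = " ".join(words[words.index("mode") + 1:])
        elif words[0] == "quit":
            in_tunnel = False
        elif not in_tunnel:
            continue
        elif words[0] in ("ip", "ipv6") and words[1:2] == ["address"] and len(words) > 2:
            spec = words[2] if "/" in words[2] else "/".join(words[2:4])
            try:
                cfg["addr"] = ipaddress.ip_interface(spec)
            except ValueError:
                pass  # not a literal address; leave the subnet check out
        elif words[0] == "source" and len(words) > 1:
            cfg["source"] = " ".join(words[1:])
        elif words[0] == "destination" and len(words) > 1:
            cfg["destination"] = words[1]
        elif words[:2] == ["gre", "key"] and len(words) > 2:
            cfg["key"] = int(words[2])
        elif words[:2] == ["gre", "checksum"]:
            cfg["checksum"] = True
    return cfg

def check_pair(a, b):
    """Apply the guide's GRE guidelines to both tunnel ends and return findings."""
    findings = []
    if a["mode"] != b["mode"]:
        findings.append(f"tunnel mode differs: {a['mode']!r} vs {b['mode']!r}")
    if a["key"] != b["key"]:
        findings.append("GRE key differs (both ends need the same key, or none)")
    # GRE checksum may legitimately differ per end, so it is not compared.
    for name, local, peer in (("A", a, b), ("B", b, a)):
        src, dst = as_ip(local["source"]), as_ip(local["destination"])
        if dst is None:
            findings.append(f"{name}: no tunnel destination address configured")
        if src is None:
            findings.append(f"{name}: source {local['source']!r} is not an address; "
                            "look up the source interface address and re-check")
        elif src != as_ip(peer["destination"]):
            findings.append(f"{name}: source {src} is not the peer's destination")
        addr = local["addr"]
        if addr is not None and dst is not None and dst in addr.network:
            findings.append(f"{name}: tunnel interface address {addr} and tunnel "
                            f"destination {dst} are in the same subnet")
    return findings

# Taken from the guide's IPv4 over IPv4 example, prompts left as pasted.
ROUTER_A = """\
[RouterA] interface tunnel 0 mode gre
[RouterA-Tunnel0] ip address 10.1.2.1 255.255.255.0
[RouterA-Tunnel0] source 1.1.1.1
[RouterA-Tunnel0] destination 2.2.2.2
"""
ROUTER_B = """\
[RouterB] interface tunnel 0 mode gre
[RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0
[RouterB-Tunnel0] source 2.2.2.2
[RouterB-Tunnel0] destination 1.1.1.1
"""
# Constructed faulty peer: mistyped destination and a key on one end only.
ROUTER_B_BAD = """\
interface tunnel 0 mode gre
ip address 10.1.2.2 255.255.255.0
source 2.2.2.2
destination 1.1.1.11
gre key 100
"""

if __name__ == "__main__":
    for finding in check_pair(parse_tunnel(ROUTER_A), parse_tunnel(ROUTER_B_BAD)):
        print(finding)
```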

Displaying and maintaining GRE

Execute display commands in any view and reset commands in user view.

Task: Display information about tunnel interfaces.
Command: display interface [ tunnel [ number ] ] [ brief [ description | down ] ]
Remarks: For more information about the commands, see Layer 3—IP Services Command Reference.

Task: Display IPv6 information about tunnel interface.
Command: display ipv6 interface [ tunnel [ number ] ] [ brief ]
Remarks: For more information about this command, see Layer 3—IP Services Command Reference.

Task: Clear tunnel interface statistics.
Command: reset counters interface [ tunnel [ number ] ]
Remarks: For more information about this command, see Layer 3—IP Services Command Reference.


GRE configuration examples

Configuring an IPv4 over IPv4 GRE tunnel

Network requirements

Group 1 and Group 2 are two private IPv4 networks. The two networks both use private network addresses and belong to the same VPN. Establish a GRE tunnel between Router A and Router B to interconnect the two private IPv4 networks Group 1 and Group 2.

Figure 137 Network diagram (figure not reproduced; labels: Router A with GE2/0/1 10.1.1.1/24 facing IPv4 Group 1, GE2/0/2 1.1.1.1/24, and Tunnel0 10.1.2.1/24; Router B with GE2/0/1 10.1.3.1/24 facing IPv4 Group 2, GE2/0/2 2.2.2.2/24, and Tunnel0 10.1.2.2/24; GRE tunnel between Router A and Router B across the Internet)

Configuration procedure

Before performing the following configuration, configure an IP address for each interface, and make sure Router A and Router B can reach each other.

1. Configure Router A:

# Create a tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv4.
<RouterA> system-view

[RouterA] interface tunnel 0 mode gre

# Configure an IP address for the tunnel interface.
[RouterA-Tunnel0] ip address 10.1.2.1 255.255.255.0

# Configure the source address of the tunnel interface as the IP address of GigabitEthernet 2/0/2 on Router A.
[RouterA-Tunnel0] source 1.1.1.1

# Configure the destination address of the tunnel interface as the IP address of GigabitEthernet 2/0/2 on Router B.
[RouterA-Tunnel0] destination 2.2.2.2

[RouterA-Tunnel0] quit

# Configure a static route from Router A through the tunnel interface to Group 2.
[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 0

2. Configure Router B:

# Create tunnel interface Tunnel 0 and specify the tunnel mode as GRE/IPv4.
<RouterB> system-view

[RouterB] interface tunnel 0 mode gre

# Configure an IP address for the tunnel interface.
[RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0

# Configure the source address of the tunnel interface as the IP address of interface GigabitEthernet 2/0/2 on Router B.
[RouterB-Tunnel0] source 2.2.2.2

# Configure the destination address of the tunnel interface as the IP address of the interface GigabitEthernet 2/0/2 on Router A.
[RouterB-Tunnel0] destination 1.1.1.1

[RouterB-Tunnel0] quit

# Configure a static route from Router B through the tunnel interface to Group 1.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0

Verifying the configuration

# Display tunnel interface information on Router A.
[RouterA] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1476

Internet Address is 10.1.2.1/24 Primary

Tunnel source 1.1.1.1, destination 2.2.2.2

Tunnel keepalive disabled

Tunnel TTL 255

Tunnel protocol/transport GRE/IP

GRE key disabled

Checksumming of GRE packets disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display tunnel interface information on Router B.
[RouterB] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1476

Internet Address is 10.1.2.2/24 Primary

Tunnel source 2.2.2.2, destination 1.1.1.1

Tunnel keepalive disabled

Tunnel TTL 255

Tunnel protocol/transport GRE/IP

GRE key disabled

Checksumming of GRE packets disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops


# From Router B, ping the IP address of GigabitEthernet 2/0/1 on Router A.
[RouterB] ping -a 10.1.3.1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=11.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.400/11.000/4.317 ms

The output shows that Router B can successfully ping Router A.

Configuring an IPv4 over IPv6 GRE tunnel

Network requirements

Two IPv4 subnets Group 1 and Group 2 are connected to an IPv6 network. Create a GRE/IPv6 tunnel between Router A and Router B, so the two IPv4 subnets can communicate with each other through the GRE tunnel over the IPv6 network.

Figure 138 Network diagram

Configuration procedure

Before performing the following configuration, configure an IP address for each interface, and make sure Router A and Router B can reach each other.

1. Configure Router A:

# Create a tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv6.
<RouterA> system-view

[RouterA] interface tunnel 0 mode gre ipv6

# Configure an IP address for the tunnel interface.
[RouterA-Tunnel0] ip address 10.1.2.1 255.255.255.0

# Configure the source address of the tunnel interface as the IP address of interface GigabitEthernet 2/0/2 on Router A.
[RouterA-Tunnel0] source 2002::1:1

# Configure the destination address of the tunnel interface as the IP address of interface GigabitEthernet 2/0/2 on Router B.
[RouterA-Tunnel0] destination 2001::2:1

[RouterA-Tunnel0] quit

# Configure a static route from Router A through the tunnel interface to Group 2.
[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 0

2. Configure Router B:

# Create a tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv6.
<RouterB> system-view

[RouterB] interface tunnel 0 mode gre ipv6

# Configure an IP address for the tunnel interface.
[RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0

# Configure the source address of the tunnel interface as the IP address of interface GigabitEthernet 2/0/2 on Router B.
[RouterB-Tunnel0] source 2001::2:1

# Configure the destination address of the tunnel interface as the IP address of interface GigabitEthernet 2/0/2 on Router A.
[RouterB-Tunnel0] destination 2002::1:1

[RouterB-Tunnel0] quit

# Configure a static route from Router B through the tunnel interface to Group 1.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0

Verifying the configuration

# Display tunnel interface information on Router A.
[RouterA] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1456

Internet Address is 10.1.2.1/24 Primary

Tunnel source 2002::1:1, destination 2001::2:1

Tunnel TTL 255

Tunnel protocol/transport GRE/IPv6

GRE key disabled

Checksumming of GRE packets disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display tunnel interface information on Router B.
[RouterB] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1456

Internet Address is 10.1.2.2/24 Primary

Tunnel source 2002::2:1, destination 2001::1:1

Tunnel TTL 255

Tunnel protocol/transport GRE/IPv6


GRE key disabled

Checksumming of GRE packets disabled

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# From Router B, ping the IP address of interface GigabitEthernet 2/0/1 on Router A.
[RouterB] ping -a 10.1.3.1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/2.000/0.632 ms

The output shows that Router B can successfully ping Router A.

Troubleshooting GRE

The key to configuring GRE is to keep the configuration consistent. Most faults can be located by using the debugging gre or debugging tunnel command. This section analyzes one type of fault for illustration, with the scenario shown in Figure 139.

Figure 139 Network diagram

Symptom

The interfaces at both ends of the tunnel are configured correctly and can ping each other, but Host A and Host B cannot ping each other.

Analysis

Device A or Device C might have no route to reach the peer network.

Solution

1. Execute the display ip routing-table command on Device A and Device C to check whether Device A has a route over tunnel 0 to 10.2.0.0/16 and whether Device C has a route over tunnel 0 to 10.1.0.0/16.

2. If such a route does not exist, execute the ip route-static command in system view to add the route. Take Device A as an example:
[DeviceA] ip route-static 10.2.0.0 255.255.0.0 tunnel 0


Configuring ADVPN

Overview

Auto Discovery Virtual Private Network (ADVPN) enables enterprise branches that use dynamic public addresses to establish a VPN network. ADVPN uses the VPN Address Management (VAM) protocol to collect, maintain, and distribute dynamic public addresses.

VAM uses the client/server model. All VAM clients register their public addresses on the VAM server. A VAM client obtains the public addresses of other clients from the server to establish ADVPN tunnels.

ADVPN structures

ADVPN uses domains to identify VPNs. VAM clients in a VPN must be assigned to the same ADVPN domain. A VAM client can belong to only one ADVPN domain. A VAM server can serve multiple ADVPN domains and manage their clients.

VAM clients include hubs and spokes:
• Hub—A hub is the exchange center of routing information. A hub in a hub-spoke network is also a data forwarding center.
• Spoke—A spoke is the gateway of a branch. It does not forward data received from other ADVPN nodes.

ADVPN supports the following structures:
• Full-mesh—In a full-mesh ADVPN, spokes can directly communicate with each other. The hub acts as the route exchange center. As shown in Figure 140, the spokes register with the VAM server and get hub information in the ADVPN domain. Then, they establish permanent tunnels to the hub. Any two spokes can establish a dynamic tunnel to directly exchange data. The tunnel is deleted if no data exists during the idle timeout time.

Figure 140 Full-mesh ADVPN


• Hub-spoke—In a hub-spoke ADVPN, spokes communicate with each other through the hub. The hub acts as both the route exchange center and data forwarding center. As shown in Figure 141, each spoke establishes a permanent tunnel to the hub. Spokes communicate with each other through the hub.

Figure 141 Hub-spoke ADVPN

• Hub-group—A hub-group ADVPN can accommodate more ADVPN clients. This allows one hub to manage all clients. As shown in Figure 142, a hub-group ADVPN contains multiple hub groups. Each hub group has one or multiple hubs and spokes. Follow these guidelines to classify hub groups:

  ◦ All hubs must belong to the backbone hub group. This hub group forms the full-mesh backbone area. All hubs obtain information about other hubs from the VAM server and establish permanent ADVPN tunnels to each other.

  ◦ Spokes must belong to non-backbone hub groups. Each non-backbone hub group includes at least one hub and uses either the full-mesh or hub-spoke structure. Spokes obtain hub information in the ADVPN domain from the VAM server, and establish permanent tunnels to the hub. Spokes can establish tunnels only to the hubs in the hub group.

Tunnel establishment and data forwarding in a hub group depend on the network structure. Inter-group communications between spokes need to pass the hubs of the groups. To reduce the pressure on hubs during inter-group communications, you can allow spokes in different hub groups to establish a dynamic tunnel. The dynamic tunnel is deleted if no data exists during the idle timeout time.


Figure 142 Hub-group ADVPN

How ADVPN operates

The VAM server must have a static public address. VAM clients have both a public address and a private address. The public address is the address of the interface connected to the public network. It can be manually configured or dynamically assigned. The private address is the address of the ADVPN tunnel interface. It must be manually configured. All the private addresses of clients in an ADVPN domain must belong to the same network segment.

ADVPN includes the following phases:
• Connection initialization.
• Registration.
• Tunnel establishment.
• Route learning and packet forwarding.

Connection initialization

As shown in Figure 143, a client and a server perform the following operations to initialize a connection:

1. The client sends encryption and authentication algorithms to the server in a connection request.

2. The server compares the algorithm list of the client to its own algorithm list in priority order.

3. The server sends the matching algorithms to the client. If no match is found, the negotiation fails.

4. The server and the client generate encryption and authentication keys based on the pre-shared key. If authentication and encryption are not needed, they do not generate keys.


5. The server and the client exchange negotiation acknowledgment packets protected by using the keys.

6. The server and the client use the keys to protect subsequent packets if they can restore the protected negotiation acknowledgment packets. If they cannot restore the packets, the negotiation fails.

Figure 143 Connection initialization process

Registration

Figure 144 shows the following registration process:

1. The client sends the server a registration request that includes its public address, private address, and the connected private network.

2. The server sends the client an identity authentication request that specifies the authentication algorithm. If authentication is not required, the server directly registers the client and sends the client a registration acknowledgement. VAM supports both PAP and CHAP authentication.

3. The client submits its identity information to the server.

4. The server performs authentication and accounting for the client through the AAA server.

5. The server sends the client a registration acknowledgement that includes hub information.

Figure 144 Registration process

Tunnel establishment

A spoke can establish permanent tunnels to any number of hubs. Hubs in an ADVPN domain must establish permanent tunnels.

Figure 145 shows the tunnel establishment process:

1. The initiator originates a tunnel establishment request.

  ◦ To establish a hub-spoke tunnel: The spoke checks whether a tunnel to each hub exists. If not, the spoke sends a tunnel establishment request to the hub.


  ◦ To establish a hub-hub tunnel: The hub checks whether a tunnel to each peer hub exists. If not, the hub sends a tunnel establishment request to the peer hub.

  ◦ To establish a spoke-spoke tunnel: In a full-mesh network, when a spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server. After receiving the resolved address, the spoke sends a tunnel establishment request to the peer spoke.

2. The receiver saves tunnel information in the request and sends a response to the sender.

Figure 145 Tunnel establishment process

Route learning and packet forwarding

ADVPN nodes use the following methods to learn private routes:

• Static or dynamic routing—It must be configured for private networks and ADVPN tunnel interfaces to ensure connectivity among private networks. A dynamic routing protocol discovers neighbors, updates routes, and establishes a routing table over ADVPN tunnels. From the perspective of private networks, ADVPN tunnels are links that connect different private networks. The routing protocol exchanges routes between hub and hub, and between hub and spoke. It does not directly exchange routes between spoke and spoke.
  When a spoke receives a packet destined to a remote private network, it performs the following operations to forward the packet:
  a. Locates the private next hop from the routing table.
  b. Uses the private next hop to obtain the corresponding public address from the VAM server.
  c. Sends the packet to the public address over the ADVPN tunnel.
  Full-mesh and hub-spoke structures are determined by routing. If the next hop is a spoke, the structure is full-mesh. If the next hop is a hub, the structure is hub-spoke.

• Registration and query from the VAM server—VAM clients register information about the connected private networks on the VAM server. When a spoke receives a packet destined to a remote private network, it performs the following operations to forward the packet:
  a. Sends the destination address of the packet to the VAM server.
  b. Queries the VAM server for information about the ADVPN node (public and private addresses of the node) connected to the remote private network.
  c. Generates a route to the remote private network through the ADVPN node.
  d. Sends the packet to the public address of the ADVPN node over the ADVPN tunnel.

If both methods are used, the spoke sends both the private next hop and the destination address of the packet to the VAM server. The VAM server preferentially obtains the private network according to the destination address. If the route to the remote private network is learned by using both methods, the route with a lower preference is used.

NAT traversal

An ADVPN tunnel can traverse a NAT gateway.
• If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established through the NAT gateway.
• If the tunnel receiver resides behind a NAT gateway, packets must be forwarded by a hub before the receiver originates a tunnel establishment request. If the NAT gateway uses Endpoint-Independent Mapping, a spoke-spoke tunnel can be established through the NAT gateway.
• If both ends reside behind a NAT gateway, no tunnel can be established and packets between them must be forwarded by a hub.

ADVPN configuration task list

Configure ADVPN in the order of VAM servers, hubs, and spokes.

Perform the following tasks to configure ADVPN:

Tasks at a glance
(Optional.) Configuring AAA
(Required.) Configuring the VAM server
(Required.) Configuring the VAM client
(Required.) Configuring an ADVPN tunnel interface
(Required.) Configuring routing
(Optional.) Configuring IPsec for ADVPN tunnels

Configuring AAA

The VAM server can use AAA to authenticate clients. Clients passing AAA authentication can access the ADVPN domain. For information about AAA configuration, see Security Configuration Guide.

Configuring the VAM server

Task
(Required.) Creating an ADVPN domain
(Required.) Enabling the VAM server
(Required.) Configuring a pre-shared key for the VAM server
(Required.) Configuring hub groups
(Optional.) Configuring the port number of the VAM server
(Optional.) Specifying authentication and encryption algorithms for the VAM server
(Optional.) Configuring an authentication method
(Optional.) Configuring keepalive parameters
(Optional.) Configuring the retry timer

Creating an ADVPN domain

Specify a unique ID for an ADVPN domain.

To create an ADVPN domain:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an ADVPN domain and enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: By default, no ADVPN domain exists.

Enabling the VAM server

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the VAM server.
   Command:
   • Enable the VAM server for one or all ADVPN domains:
     vam server enable [ advpn-domain domain-name ]
   • Enable the VAM server for an ADVPN domain:
     a. vam server advpn-domain domain-name [ id domain-id ]
     b. server enable
   Remarks: Use either command. By default, the VAM server is disabled.

Configuring a pre-shared key for the VAM server

The pre-shared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.

The VAM server must have the same pre-shared key as the clients in the same ADVPN domain. If they have different pre-shared keys, decryption and authentication will fail, and they cannot establish a connection.

To configure a pre-shared key for the VAM server:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Configure a pre-shared key for the VAM server.
   Command: pre-shared-key { cipher cipher-string | simple simple-string }
   Remarks: By default, no pre-shared key is configured.


Configuring hub groups

Hub groups apply to large ADVPN networks. You can classify spokes into different hub groups, and specify one or more hubs for each group.

When a VAM client registers with the VAM server, the VAM server selects a hub group for the client as follows:

1. The server matches the private address of the client against the private addresses of hubs in different hub groups in lexicographic order.

2. If a match is found, the server assigns the client to the hub group as a hub.

3. If no match is found, the server matches the client's private address against the private addresses of spokes in different hub groups in lexicographic order.

4. If a match is found, the server assigns the client to the hub group as a spoke.

5. If no match is found, the registration fails.

The VAM server only assigns hub information in the matching hub group to the client. The client only establishes permanent ADVPN tunnels to the hubs in the matching hub group.
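
The selection procedure above can be modelled as follows. This is an added example, not code from the guide or from HPE: the group names and addresses are constructed, and it assumes that "lexicographic order" means hub groups sorted by name. It also reports overlapping spoke ranges, because only the first matching group is ever used.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class HubGroup:
    """One hub group on the VAM server; all values below are constructed."""
    name: str
    hubs: list = field(default_factory=list)            # hub private addresses
    spoke_networks: list = field(default_factory=list)  # "spoke private-address network"
    spoke_ranges: list = field(default_factory=list)    # "spoke private-address range"

    def spans(self):
        """Spoke address space as (ip_version, low, high) integer triples."""
        out = []
        for net in self.spoke_networks:
            n = ipaddress.ip_network(net, strict=False)
            out.append((n.version, int(n.network_address), int(n.broadcast_address)))
        for start, end in self.spoke_ranges:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            out.append((lo.version, int(lo), int(hi)))
        return out

    def has_hub(self, addr):
        return any(addr == ipaddress.ip_address(h) for h in self.hubs)

    def has_spoke(self, addr):
        return any(v == addr.version and lo <= int(addr) <= hi
                   for v, lo, hi in self.spans())


def select_hub_group(groups, private_address):
    """Return (group name, role) for a registering client, or None on failure."""
    addr = ipaddress.ip_address(private_address)
    ordered = sorted(groups, key=lambda g: g.name)  # assumed: order by group name
    for group in ordered:          # steps 1-2: hub addresses are checked first
        if group.has_hub(addr):
            return group.name, "hub"
    for group in ordered:          # steps 3-4: then the spoke ranges
        if group.has_spoke(addr):
            return group.name, "spoke"
    return None                    # step 5: registration fails


def overlapping_spoke_ranges(groups):
    """Pairs of groups whose spoke ranges overlap; only the first one ever matches."""
    pairs = []
    for a, b in combinations(sorted(groups, key=lambda g: g.name), 2):
        if any(va == vb and lo_a <= hi_b and lo_b <= hi_a
               for va, lo_a, hi_a in a.spans()
               for vb, lo_b, hi_b in b.spans()):
            pairs.append((a.name, b.name))
    return pairs


# Constructed sample: a backbone group and two branch groups.
GROUPS = [
    HubGroup("group2", hubs=["192.168.2.1"],
             spoke_ranges=[("192.168.2.10", "192.168.2.50")],
             spoke_networks=["192.168.1.128/25"]),   # overlaps group1 by mistake
    HubGroup("group0", hubs=["192.168.0.1", "192.168.0.2"]),
    HubGroup("group1", hubs=["192.168.1.1"], spoke_networks=["192.168.1.0/24"]),
]

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.200", "192.168.2.20", "10.9.9.9"):
        print(ip, "->", select_hub_group(GROUPS, ip))
    print("overlaps:", overlapping_spoke_ranges(GROUPS))
```

An address that is both a configured hub address and inside a spoke range registers as a hub, because the hub comparison runs over every group before any spoke range is consulted.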

Creating a hub group

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Create a hub group and enter hub group view.
   Command: hub-group group-name
   Remarks: By default, no hub group exists.

Configuring hub private addresses in a hub group

A hub group must have at least one hub private address.

To configure hub private addresses in the hub group:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Enter hub group view.
   Command: hub-group group-name
   Remarks: N/A

4. Configure a hub private address.
   Command:
   • Configure a hub private IPv4 address:
     hub private-address private-ip-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ]
   • Configure a hub private IPv6 address:
     hub ipv6 private-address private-ipv6-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ]
   Remarks: Use either command. By default, no hub private address is configured.

Configuring a spoke private address range in a hub group

You can configure multiple spoke private address ranges in a hub group. The ranges are listed from low to high.


To configure a spoke private address range in a hub group:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Enter hub group view.
   Command: hub-group group-name
   Remarks: N/A

4. Configure a spoke private address range.
   Command:
   • Configure a spoke private IPv4 address range:
     spoke private-address { network ip-address { mask-length | mask } | range start-address end-address }
   • Configure a spoke private IPv6 address range:
     spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address }
   Remarks: Use either command. By default, no spoke private address range is configured.

Specifying an ACL to control establishing spoke-to-spoke tunnels

The VAM server assigns the specified ACL to an online hub. The hub uses the ACL to match received packets. If a match is found, the hub sends a redirect packet to the spoke that sent the packet. Then, the spoke sends the VAM server the destination address of the packet, obtains the remote spoke information, and establishes a direct tunnel to the remote spoke.

To specify an ACL to control establishing spoke-to-spoke tunnels:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Enter hub group view.
   Command: hub-group group-name
   Remarks: N/A

4. Specify an ACL to control establishing spoke-to-spoke tunnels.
   Command:
   • Specify an ACL to control establishing IPv4 spoke-to-spoke tunnels:
     shortcut interest { acl { acl-number | name acl-name } all }
   • Specify an ACL to control establishing IPv6 spoke-to-spoke tunnels:
     shortcut ipv6 interest { acl { ipv6-acl-number | name ipv6-acl-name } all }
   Remarks: Use either command. By default, spokes are not allowed to establish direct tunnels.

Configuring the port number of the VAM server

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the port number of the VAM server.
   Command: vam server listen-port port-number
   Remarks: The default port number is 18000. The port number of the VAM server must be the same as that configured on the VAM clients.


Specifying authentication and encryption algorithms for the VAM server

The VAM server uses the specified algorithms to negotiate with the VAM client.

The VAM server and client use SHA-1 and AES-CBC-128 during connection initialization, and use the negotiated algorithms after connection initialization.

The algorithm specified earlier in a command line has a higher priority. The configuration of the commands that specify authentication and encryption algorithms does not affect registered VAM clients. It applies to subsequently registered VAM clients.

To specify authentication and encryption algorithms for the VAM server:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Specify authentication algorithms.
   Command: authentication-algorithm { aes-xcbc-mac | md5 | none | sha-1 | sha-256 } *
   Remarks: The default authentication algorithm is SHA-1.

4. Specify encryption algorithms.
   Command: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } *
   Remarks: The default encryption algorithms are AES-CBC-256, AES-CBC-192, AES-CBC-128, AES-CTR-256, AES-CTR-192, AES-CTR-128, 3DES-CBC, and DES-CBC in descending order of priority.
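
The algorithm negotiation from the connection initialization phase, driven by the priority lists configured here, can be modelled as follows. This is an added example, not code from the guide or from HPE: it assumes the server's list order decides the match, the domain name abc and ID 1 are placeholders, and the UNWANTED set is this example's own policy rather than a statement from the guide.

```python
# Defaults and keyword sets as listed in the guide for ADVPN domain view.
DEFAULTS = {
    "encryption": ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128",
                   "aes-ctr-256", "aes-ctr-192", "aes-ctr-128",
                   "3des-cbc", "des-cbc"],
    "authentication": ["sha-1"],
}
KEYWORDS = {
    "encryption": set(DEFAULTS["encryption"]) | {"none"},
    "authentication": {"aes-xcbc-mac", "md5", "none", "sha-1", "sha-256"},
}
# Assumption of this example, not a statement from the guide: algorithms the
# operator does not want any VAM session to settle on.
UNWANTED = {"des-cbc", "3des-cbc", "md5", "none"}


def server_lists(config_text):
    """Extract the server's priority lists from ADVPN domain view commands."""
    lists = {kind: list(default) for kind, default in DEFAULTS.items()}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        for kind in lists:
            if words[0] == f"{kind}-algorithm":
                unknown = [w for w in words[1:] if w not in KEYWORDS[kind]]
                if unknown or len(words) == 1:
                    raise ValueError(f"bad {kind}-algorithm line: {raw.strip()!r}")
                lists[kind] = words[1:]      # earlier keyword = higher priority
    return lists


def pick(server_list, client_offer):
    """First algorithm in the server's order that the client also offered."""
    offered = set(client_offer)
    return next((alg for alg in server_list if alg in offered), None)


def negotiate(config_text, client_encryption, client_authentication):
    """Return (encryption, authentication), or None when negotiation fails."""
    lists = server_lists(config_text)
    enc = pick(lists["encryption"], client_encryption)
    auth = pick(lists["authentication"], client_authentication)
    if enc is None or auth is None:
        return None
    return enc, auth


def unwanted_entries(config_text):
    """Entries a client can still obtain by offering nothing stronger."""
    return {kind: [a for a in algs if a in UNWANTED]
            for kind, algs in server_lists(config_text).items()}


# Constructed configurations (domain name and ID are placeholders).
DEFAULT_CONFIG = """\
vam server advpn-domain abc id 1
 server enable
"""
RESTRICTED_CONFIG = """\
vam server advpn-domain abc id 1
 authentication-algorithm sha-256 sha-1
 encryption-algorithm aes-cbc-256 aes-ctr-256
 server enable
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(name, "legacy client ->", negotiate(cfg, ["des-cbc"], ["sha-1"]))
        print(name, "unwanted entries ->", unwanted_entries(cfg))
```

With the default lists, a client that offers only des-cbc still negotiates successfully; listing only the algorithms you accept makes that negotiation fail instead.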

Configuring an authentication method

The VAM server uses the specified method to authenticate clients in the ADVPN domain. The VAM server supports PAP and CHAP authentication.

If the specified ISP domain does not exist, the authentication will fail. A newly configured authentication method does not affect registered VAM clients. It applies to subsequently registered VAM clients.

To configure an authentication method:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Specify an authentication method.
   Command: authentication-method { none | { chap | pap } [ domain isp-name ] }
   Remarks: By default, the authentication method is CHAP, and the default domain is used.

Configuring keepalive parameters

Keepalive parameters include a keepalive interval and a maximum number of keepalive retries. The VAM server assigns the configured keepalive parameters to clients in the ADVPN domain.


A client sends keepalives to the server at the specified interval. If a client does not receive any responses from the server after the maximum keepalive attempts (keepalive retries + 1), the client stops sending keepalives. If the VAM server does not receive any keepalives from a client before the timeout timer expires, the server removes information about the client and logs off the client. The timeout time is the product of the keepalive interval and keepalive attempts.

Newly configured keepalive parameters do not affect registered VAM clients. They apply to subsequently registered clients.

If a device configured with dynamic NAT exists between the VAM server and VAM clients, configure the keepalive interval to be shorter than the aging time of NAT entries.

To configure keepalive parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Configure keepalive parameters.
   Command: keepalive interval time-interval retry retry-times
   Remarks: By default, the keepalive interval is 180 seconds, and the maximum number of keepalive retries is 3.

Configuring the retry timer

The VAM server starts the retry timer after it sends a request to a client. If the server does not receive a response from the client before the retry timer expires, the server resends the request. The server stops sending the request after receiving a response from the client or after the timeout timer (product of the keepalive interval and keepalive attempts) expires.

To configure the retry timer:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ADVPN domain view.
   Command: vam server advpn-domain domain-name [ id domain-id ]
   Remarks: N/A

3. Set the retry timer.
   Command: retry interval time-interval
   Remarks: By default, the retry timer is 5 seconds.

Configuring the VAM client

Tasks at a glance
(Required.) Creating a VAM client
(Required.) Enabling VAM clients
(Required.) Specifying VAM servers
(Required.) Specifying an ADVPN domain for a VAM client
(Required.) Configuring a pre-shared key for a VAM client
(Optional.) Setting the retry timer and retry times for a VAM client
(Optional.) Setting the dumb timer for a VAM client
(Optional.) Configuring a username and password for a VAM client


Creating a VAM client

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a VAM client and enter its view.
   Command: vam client name client-name
   Remarks: By default, no client is created.

Enabling VAM clients

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable VAM clients.
   Command:
   • Enable one or all VAM clients:
     vam client enable [ name client-name ]
   • Enable a VAM client:
     a. vam client name client-name
     b. client enable
   Remarks: Use either method. By default, no VAM client is enabled.

Specifying VAM servers

You can specify a primary VAM server and a secondary VAM server for a VAM client. The client registers with both servers, and accepts settings from the server that first registers the client. When the server fails, the client uses the settings from the other server.

If the specified primary and secondary VAM servers have the same address or name, only the primary VAM server takes effect.

The port number of a VAM server must be the same as that configured on the VAM server.

To specify VAM servers for a client:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VAM client view.
   Command: vam client name client-name
   Remarks: N/A

3. Specify the primary VAM server.
   Command: server primary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ]
   Remarks: By default, no VAM server is specified.

4. (Optional.) Specify the secondary VAM server.
   Command: server secondary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ]
   Remarks: By default, no VAM server is specified.

Specifying an ADVPN domain for a VAM client

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VAM client view.
   Command: vam client name client-name
   Remarks: N/A

3. Specify an ADVPN domain for the VAM client.
   Command: advpn-domain domain-name
   Remarks: By default, no ADVPN domain is specified for a VAM client.

Configuring a pre-shared key for a VAM client

The pre-shared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.

All VAM clients and the VAM server in an ADVPN domain must have the same pre-shared key. If they have different pre-shared keys, the decryption and authentication will fail, and they cannot establish any connection.

To configure a pre-shared key for a VAM client:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VAM client view.
   Command: vam client name client-name
   Remarks: N/A

3. Configure a pre-shared key for the VAM client.
   Command: pre-shared-key { cipher cipher-string | simple simple-string }
   Remarks: By default, no pre-shared key is configured for a VAM client.

Setting the retry timer and retry times for a VAM client

A VAM client starts a retry timer after sending a request to the server. If the client does not receive a response before the retry timer expires, it resends the request. If the client receives no response after the maximum number of attempts (retry times), it considers the server unreachable.

The retry-times setting does not apply to register and update requests. The client sends those requests at the retry interval until it goes offline.

To set the retry timer and retry times for a VAM client:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VAM client view.
   Command: vam client name client-name
   Remarks: N/A

3. Set the retry timer and retry times.
   Command: retry interval time-interval count retry-times
   Remarks: By default, the retry timer is 5 seconds, and the retry times are 3.

Setting the dumb timer for a VAM client

A VAM client starts the dumb timer after the timeout timer expires. The client does not process any packets during the dumb time. When the dumb timer expires, the client sends a new connection request to the VAM server.

To set the dumb timer for a VAM client:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VAM client view.
   Command: vam client name client-name
   Remarks: N/A

3. Set the dumb timer.
   Command: dumb-time time-interval
   Remarks: By default, the dumb timer is 120 seconds.

Configuring a username and password for a VAM client

The VAM client uses the configured username and password for authentication on the server.

To configure a username and password for a VAM client:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VAM client view.
   Command: vam client name client-name
   Remarks: N/A

3. Configure a username and password for the client.
   Command: user username password { cipher cipher-string | simple simple-string }
   Remarks: By default, no username and password is configured for the client.

Configuring an ADVPN tunnel interface

ADVPN establishes tunnels over ADVPN tunnel interfaces.

To configure an ADVPN tunnel interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an ADVPN tunnel interface and enter its view.
   Command: interface tunnel number [ mode advpn { gre | udp } [ ipv6 ] ]
   Remarks: By default, no tunnel interface is created. The two ends of an ADVPN tunnel must use the same tunnel mode.

3. Configure a private IPv4 or IPv6 address for the tunnel interface.
   Command:
   • Configure a private IPv4 address:
     ip address ip-address { mask | mask-length } [ sub ]
   • Configure a private IPv6 address:
     ipv6 address ipv6-address prefix-length
   Remarks: By default, no private address is configured for the tunnel interface. All tunnel interfaces in a hub group must reside in the same private network.


4. Specify a source address or source interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for a tunnel interface. The specified source address or the IP address of the specified source interface is used as the source address of sent ADVPN packets. If multiple GRE ADVPN tunnel interfaces have the same source address or source interface, you must configure different GRE keys for the interfaces. For information about GRE keys, see Layer 3—IP Services Configuration Guide.

5. (Optional.) Set the DF bit for ADVPN packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for ADVPN packets.

6. (Optional.) Set the source UDP port number of ADVPN packets.
   Command: advpn source-port port-number
   Remarks: By default, the source UDP port number of ADVPN packets is 18001. This command is available when the tunnel mode is UDP. If the vam client command configured on the tunnel interface has the compatible keyword, the tunnel interface must have a different source UDP port number from other tunnel interfaces.

7. Bind a VAM client to the tunnel interface.
   Command:
   • Bind an IPv4 VAM client to the tunnel interface:
     vam client client-name [ compatible advpn0 ]
   • Bind an IPv6 VAM client to the tunnel interface:
     vam ipv6 client client-name
   Remarks: By default, no VAM client is bound to an ADVPN tunnel interface. A VAM client can be bound to only one IPv4 or IPv6 ADVPN tunnel interface.

8. (Optional.) Configure a private network for the tunnel interface.
   Command:
   • Configure a private IPv4 network for the tunnel interface:
     advpn network ip-address { mask-length | mask } [ preference preference-value ]
   • Configure a private IPv6 network for the tunnel interface:
     advpn ipv6 network prefix prefix-length [ preference preference-value ]
   Remarks: By default, no private network is configured for the tunnel interface. Set the preference of the private network route to be higher than other dynamic routing protocols, and lower than static routing.

9. (Optional.) Set the keepalive interval and the maximum number of keepalive attempts for the tunnel interface.
   Command: keepalive interval time-interval retry retry-times
   Remarks: By default, the keepalive interval is 180 seconds, and the maximum number of keepalive attempts is 3. The keepalive interval and the maximum number of keepalive attempts must be the same on the tunnel interfaces in an ADVPN domain.


10. (Optional.) Set the idle timeout time for the spoke-spoke tunnel.
    Command: advpn session idle-time time-interval
    Remarks: By default, the idle timeout time is 600 seconds. The new idle timeout setting applies to both existing and subsequently established spoke-spoke tunnels.

11. (Optional.) Set the dumb time for the tunnel interface.
    Command: advpn session dumb-time time-interval
    Remarks: By default, the dumb time is 120 seconds. The new dumb time setting only applies to subsequently established tunnels.

For more information about tunnel interface configurations and commands, see Layer 3—IP Services Configuration Guide and Layer 3—IP Services Command Reference.

Configuring routing

ADVPN supports OSPF, RIP, and BGP for IPv4:
• When OSPF is used, set the network type of an OSPF interface to broadcast in a full-mesh network or to P2MP in a hub-spoke network.
• When RIP is used, you can use RIP-1 or RIP-2 broadcast in a full-mesh network, or use RIP-2 multicast and disable split horizon in a hub-spoke network.
• When BGP is used, configure a routing policy to make sure the next hop of a route destined for a remote private network is the IP address of the peer spoke in a full-mesh network (EBGP does not support full-mesh), or is the IP address of the hub in a hub-spoke network.

ADVPN supports OSPFv3, RIPng, and IPv6 BGP for IPv6: • When OSPFv3 is used, set the network type of an OSPFv3 interface to broadcast in a full-mesh

network or to P2MP in a hub-spoke network. • When RIPng is used, only the full-mesh network is supported. • When IPv6 BGP is used, configure a routing policy to make sure the next hop of a route

destined for a remote private network is the IP address of the peer spoke in a full-mesh network (EBGP does not support full-mesh), or is the IP address of the hub in a hub-spoke network.

For more information about routing protocols and policies, see Layer 3—IP Routing Configuration Guide.

Configuring IPsec for ADVPN tunnels

You can configure an IPsec profile to secure ADVPN tunnels:
1. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.
2. Configure an IKE-mode IPsec profile that references the IPsec transform sets.
3. Apply the IPsec profile to an ADVPN tunnel interface.

For more information about IPsec configuration, see Security Configuration Guide.
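A check for the three-step chain above (transform set, IKE-mode profile, profile applied to the tunnel interface), as an added example that is not part of the HPE guide. It reads a command transcript in the prompt format this guide uses and reports ADVPN tunnel interfaces whose chain is incomplete or whose transform set uses an ESP encryption algorithm on a local deny list; the function names, finding labels and deny list are assumptions of the example.

```python
import re

# Constructed sample: the Hub 1 IPsec commands from this guide's IPv4 example,
# plus a constructed second tunnel interface with no IPsec profile applied.
SAMPLE = """\
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
[Hub1] interface tunnel1 mode advpn gre
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
[Hub1] interface tunnel 2 mode advpn gre
[Hub1-Tunnel2] source gigabitethernet 2/0/1
[Hub1-Tunnel2] quit
"""

# Assumption of this example: a local policy choice, not a list from the guide.
WEAK_ESP_ENCRYPTION = {"des-cbc", "3des-cbc"}

PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")
TUNNEL = re.compile(r"^interface tunnel\s*(\d+) mode advpn\b", re.IGNORECASE)


def parse(transcript):
    """Collect transform sets, IPsec profiles and ADVPN tunnel interfaces."""
    sets, profiles, tunnels = {}, {}, {}
    view = None  # (kind, name) of the view entered by the last view command
    for raw in transcript.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        words = cmd.split()
        if not words or words[0].startswith("#"):
            continue
        tunnel = TUNNEL.match(cmd)
        if words == ["quit"]:
            view = None
        elif tunnel:
            view = ("tunnel", "Tunnel" + tunnel.group(1))
            tunnels.setdefault(view[1], None)
        elif words[:2] == ["ipsec", "transform-set"] and len(words) == 3:
            view = ("set", words[2])
            sets.setdefault(words[2], [])
        elif words[:2] == ["ipsec", "profile"] and len(words) >= 3:
            view = ("profile", words[2])
            prof = profiles.setdefault(words[2], {"mode": None, "sets": []})
            if len(words) > 3:
                prof["mode"] = words[3]
        elif view and view[0] == "set" and words[:2] == ["esp", "encryption-algorithm"]:
            sets[view[1]] = words[2:]
        elif view and view[0] == "profile" and words[0] == "transform-set":
            profiles[view[1]]["sets"] += words[1:]
        elif (view and view[0] == "tunnel" and len(words) > 4
              and words[:4] == ["tunnel", "protection", "ipsec", "profile"]):
            tunnels[view[1]] = words[4]
    return sets, profiles, tunnels


def audit(transcript):
    """Return (interface, finding) pairs for broken or weak IPsec chains."""
    sets, profiles, tunnels = parse(transcript)
    findings = []
    for name, profile in sorted(tunnels.items()):
        if profile is None:                       # step 3 missing
            findings.append((name, "no-ipsec-profile"))
            continue
        prof = profiles.get(profile)
        if prof is None:                          # step 2 missing
            findings.append((name, "undefined-profile:" + profile))
            continue
        if prof["mode"] != "isakmp":              # guide requires an IKE-mode profile
            findings.append((name, "profile-not-ike-mode:" + profile))
        if not prof["sets"]:
            findings.append((name, "profile-without-transform-set:" + profile))
        for ts in prof["sets"]:
            if ts not in sets:                    # step 1 missing
                findings.append((name, "undefined-transform-set:" + ts))
                continue
            for alg in sets[ts]:
                if alg in WEAK_ESP_ENCRYPTION:
                    findings.append((name, "weak-esp-encryption:" + alg))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE):
        print(interface, finding)
```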

Displaying and maintaining ADVPN

Execute display commands in any view and reset commands in user view.

Task | Command
--- | ---
Display IPv4 private-to-public address mapping information for VAM clients registered with the VAM server. | display vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] [ verbose ]
Display IPv6 private-to-public address mapping information for VAM clients registered with the VAM server. | display vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ] [ verbose ]
Display IPv4 private networks for VAM clients registered with the VAM server. | display vam server private-network [ advpn-domain domain-name [ private-address private-ip-address ] ]
Display IPv6 private networks for VAM clients registered with the VAM server. | display vam server ipv6 private-network [ advpn-domain domain-name [ private-address private-ipv6-address ] ]
Display ADVPN domain statistics on the VAM server. | display vam server statistics [ advpn-domain domain-name ]
Display FSM information for VAM clients. | display vam client fsm [ name client-name ]
Display statistics for VAM clients. | display vam client statistics [ name client-name ]
Display IPv4 spoke-to-spoke tunnel establishment rules for VAM clients. | display vam client shortcut interest [ name client-name ]
Display IPv6 spoke-to-spoke tunnel establishment rules for VAM clients. | display vam client shortcut ipv6 interest [ name client-name ]
Display IPv4 ADVPN tunnel information. | display advpn session [ interface tunnel number [ private-address private-ip-address ] ] [ verbose ]
Display IPv6 ADVPN tunnel information. | display advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ] [ verbose ]
Clear IPv4 private-to-public address mapping information for VAM clients registered with the VAM server. | reset vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ]
Clear IPv6 private-to-public address mapping information for VAM clients registered with the VAM server. | reset vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ]
Clear ADVPN domain statistics on the VAM server. | reset vam server statistics [ advpn-domain domain-name ]
Reset the FSM for VAM clients. | reset vam client [ ipv6 ] fsm [ name client-name ]
Clear statistics for VAM clients. | reset vam client statistics [ name client-name ]
Delete IPv4 ADVPN tunnels. | reset advpn session [ interface tunnel number [ private-address private-ip-address ] ]
Delete IPv6 ADVPN tunnels. | reset advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ]
Clear statistics for IPv4 ADVPN tunnels. | reset advpn session statistics [ interface tunnel number [ private-address private-ip-address ] ]
Clear statistics for IPv6 ADVPN tunnels. | reset advpn ipv6 session statistics [ interface tunnel number [ private-address private-ipv6-address ] ]


ADVPN configuration examples

IPv4 full-mesh ADVPN configuration example

Network requirements

As shown in Figure 146, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.
• Establish a permanent ADVPN tunnel between each spoke and each hub.
• Establish a temporary ADVPN tunnel dynamically between the two spokes in the same ADVPN domain.

Figure 146 Network diagram

Table 12 Interface and IP address assignment

Device | Interface | IP address
--- | --- | ---
Hub 1 | GE2/0/1 | 1.0.0.1/24
Hub 1 | Tunnel1 | 192.168.0.1/24
Hub 2 | GE2/0/1 | 1.0.0.2/24
Hub 2 | Tunnel1 | 192.168.0.2/24
Spoke 1 | GE2/0/1 | 1.0.0.3/24
Spoke 1 | GE2/0/2 | 192.168.1.1/24
Spoke 1 | Tunnel1 | 192.168.0.3/24
Spoke 2 | GE2/0/1 | 1.0.0.4/24
Spoke 2 | GE2/0/2 | 192.168.2.1/24
Spoke 2 | Tunnel1 | 192.168.0.4/24
AAA server | - | 1.0.0.10/24
Primary server | GE2/0/1 | 1.0.0.11/24
Secondary server | GE2/0/1 | 1.0.0.12/24

Configuring the primary VAM server

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:

# Configure RADIUS scheme abc.
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812
[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc

3. Configure the VAM server:

# Create ADVPN domain abc.
[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.
[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv4 addresses.
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify a spoke private IPv4 network.
[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key to 123456.
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.
[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:

# Create VAM client Hub1.
<Hub1> system-view
[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.
[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.
[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11
[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12

# Enable the VAM client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit

3. Configure an IPsec profile:

# Configure IKE.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise the private network.

[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub1] interface tunnel1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 2/0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] undo shutdown
[Hub1-Tunnel1] quit

Configuring Hub 2

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:

# Create VAM client Hub2.
<Hub2> system-view
[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.
[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.
[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12

# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit

3. Configure an IPsec profile:

# Configure IKE.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise the private network.

[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 2/0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] undo shutdown
[Hub2-Tunnel1] quit


Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:

# Create VAM client Spoke1.
<Spoke1> system-view
[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.
[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit

3. Configure an IPsec profile:

# Configure IKE.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 1 will not participate in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 2/0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] undo shutdown
[Spoke1-Tunnel1] quit

Configuring Spoke 2

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:

# Create VAM client Spoke2.
<Spoke2> system-view
[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11
[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit

3. Configure an IPsec profile:

# Configure IKE.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source gigabitethernet 2/0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] undo shutdown
[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.
[PrimaryServer] display vam server address-map
ADVPN domain name: 1
Total private address mappings: 4
Group  Private address  Public address  Type   NAT  Holding time
0      192.168.0.1      1.0.0.1         Hub    No   0H 52M 7S
0      192.168.0.2      1.0.0.2         Hub    No   0H 47M 31S
0      192.168.0.3      1.0.0.3         Spoke  No   0H 28M 25S
0      192.168.0.4      1.0.0.4         Spoke  No   0H 19M 15S

# Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.
[SecondaryServer] display vam server address-map
ADVPN domain name: 1
Total private address mappings: 4
Group  Private address  Public address  Type   NAT  Holding time
0      192.168.0.1      1.0.0.1         Hub    No   0H 52M 7S
0      192.168.0.2      1.0.0.2         Hub    No   0H 47M 31S
0      192.168.0.3      1.0.0.3         Spoke  No   0H 28M 25S
0      192.168.0.4      1.0.0.4         Spoke  No   0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 all have registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1.
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address  Public address  Port  Type  State    Holding time
192.168.0.2      1.0.0.2         --    H-H   Success  0H 46M 8S
192.168.0.3      1.0.0.3         --    H-S   Success  0H 27M 27S
192.168.0.4      1.0.0.4         --    H-S   Success  0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address  Public address  Port  Type  State    Holding time
192.168.0.1      1.0.0.1         --    S-H   Success  0H 46M 8S
192.168.0.2      1.0.0.2         --    S-H   Success  0H 46M 8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2.
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms
56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.0.4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address  Public address  Port  Type  State    Holding time
192.168.0.1      1.0.0.1         --    S-H   Success  0H 46M 8S
192.168.0.2      1.0.0.2         --    S-H   Success  0H 46M 8S
192.168.0.4      1.0.0.4         --    S-S   Success  0H 0M 1S

The output shows the following information:
• Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.
• Spoke 1 has established a temporary spoke-spoke tunnel to Spoke 2.
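The verification above can be scripted for monitoring. The following is an added example, not part of the HPE guide: it parses display advpn session output in the layout shown above, checks that every expected hub has a session in state Success, and lists the on-demand S-S peers. The function names and the finding strings are assumptions of the example; addresses are normalized with the ipaddress module, so the IPv6 form of the output parses the same way.

```python
import ipaddress
import re

# Output copied from the Spoke 1 verification step above (taken after the ping).
SAMPLE = """\
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.0.0.1 -- S-H Success 0H 46M 8S
192.168.0.2 1.0.0.2 -- S-H Success 0H 46M 8S
192.168.0.4 1.0.0.4 -- S-S Success 0H 0M 1S
"""

IFACE = re.compile(r"^Interface\s*:\s*(\S+)")
COUNT = re.compile(r"^Number of sessions:\s*(\d+)")
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s+(\d+)H\s+(\d+)M\s+(\d+)S$"
)


def parse_sessions(text):
    """Return {interface: {"declared": n, "rows": [session dict, ...]}}."""
    result, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := IFACE.match(line):
            current = result.setdefault(m.group(1), {"declared": None, "rows": []})
        elif (m := COUNT.match(line)) and current is not None:
            current["declared"] = int(m.group(1))
        elif (m := ROW.match(line)) and current is not None:
            private, public, _port, kind, state, hours, minutes, seconds = m.groups()
            current["rows"].append({
                "private": ipaddress.ip_address(private),
                "public": ipaddress.ip_address(public),
                "type": kind,    # H-H, H-S, S-H or S-S
                "state": state,  # the guide's examples show only "Success"
                "held_s": int(hours) * 3600 + int(minutes) * 60 + int(seconds),
            })
    return result


def check(text, expected_hubs):
    """Report count mismatches, hubs without an established tunnel, and
    sessions in any state other than Success."""
    findings = []
    hubs = {ipaddress.ip_address(h) for h in expected_hubs}
    for iface, data in parse_sessions(text).items():
        rows = data["rows"]
        if data["declared"] != len(rows):
            findings.append(
                f"{iface}: header declares {data['declared']} sessions, parsed {len(rows)}"
            )
        established = {r["private"] for r in rows if r["state"] == "Success"}
        for hub in sorted(hubs - established, key=str):
            findings.append(f"{iface}: no established tunnel to hub {hub}")
        for r in rows:
            if r["state"] != "Success":
                findings.append(
                    f"{iface}: session to {r['private']} is in state {r['state']}"
                )
    return findings


def dynamic_peers(text):
    """Private addresses of spoke-spoke (S-S) tunnels, which are set up on demand."""
    return [
        str(r["private"])
        for data in parse_sessions(text).values()
        for r in data["rows"]
        if r["type"] == "S-S"
    ]


if __name__ == "__main__":
    print(check(SAMPLE, ["192.168.0.1", "192.168.0.2"]))
    print(dynamic_peers(SAMPLE))
```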

IPv6 full-mesh ADVPN configuration example

Network requirements

As shown in Figure 147, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.
• Establish a permanent ADVPN tunnel between each spoke and each hub.
• Establish a temporary ADVPN tunnel dynamically between the two spokes in the same ADVPN domain.

Figure 147 Network diagram

Table 13 Interface and IP address assignment

Device | Interface | IP address
--- | --- | ---
Hub 1 | GE2/0/1 | 1::1/64
Hub 1 | Tunnel1 | 192:168::1/64
Hub 2 | GE2/0/1 | 1::2/64
Hub 2 | Tunnel1 | 192:168::2/64
Spoke 1 | GE2/0/1 | 1::3/64
Spoke 1 | GE2/0/2 | 192:168:1::1/64
Spoke 1 | Tunnel1 | 192:168::3/64
Spoke 2 | GE2/0/1 | 1::4/64
Spoke 2 | GE2/0/2 | 192:168:2::1/64
Spoke 2 | Tunnel1 | 192:168::4/64
AAA server | - | 1::10/64
Primary server | GE2/0/1 | 1::11/64
Secondary server | GE2/0/1 | 1::12/64

Configuring the primary VAM server

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:

# Configure RADIUS scheme abc.
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812
[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc

3. Configure the VAM server:

# Create ADVPN domain abc.
[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.
[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv6 addresses.
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

# Specify a spoke private IPv6 network.
[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key to 123456.
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.
[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:

# Create VAM client Hub1.
<Hub1> system-view
[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.
[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.
[Hub1-vam-client-Hub1] server primary ipv6-address 1::11
[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12

# Enable the VAM client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit

3. Configure an IPsec profile:

# Configure IKE.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Hub1] ospfv3 1
[Hub1-ospfv3-1] router-id 0.0.0.1
[Hub1-ospfv3-1] area 0
[Hub1-ospfv3-1-area-0.0.0.0] quit
[Hub1-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1.

[Hub1] interface tunnel1 mode advpn gre ipv6
[Hub1-Tunnel1] ipv6 address 192:168::1 64
[Hub1-Tunnel1] ipv6 address fe80::1 link-local
[Hub1-Tunnel1] vam ipv6 client Hub1
[Hub1-Tunnel1] ospfv3 1 area 0
[Hub1-Tunnel1] ospfv3 network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 2/0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] undo shutdown
[Hub1-Tunnel1] quit

Configuring Hub 2

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:

# Create VAM client Hub2.
<Hub2> system-view
[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.
[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.
[Hub2-vam-client-Hub2] server primary ipv6-address 1::11
[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12

# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit

3. Configure an IPsec profile:

# Configure IKE.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Hub2] ospfv3 1
[Hub2-ospfv3-1] router-id 0.0.0.2
[Hub2-ospfv3-1] area 0
[Hub2-ospfv3-1-area-0.0.0.0] quit
[Hub2-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1.

[Hub2] interface tunnel1 mode advpn gre ipv6
[Hub2-Tunnel1] ipv6 address 192:168::2 64
[Hub2-Tunnel1] ipv6 address fe80::2 link-local
[Hub2-Tunnel1] vam ipv6 client Hub2
[Hub2-Tunnel1] ospfv3 1 area 0
[Hub2-Tunnel1] ospfv3 network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 2/0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] undo shutdown
[Hub2-Tunnel1] quit

Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:

# Create VAM client Spoke1.
<Spoke1> system-view
[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.
[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11
[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit

3. Configure an IPsec profile:

# Configure IKE.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke1] ospfv3 1
[Spoke1-ospfv3-1] router-id 0.0.0.3
[Spoke1-ospfv3-1] area 0
[Spoke1-ospfv3-1-area-0.0.0.0] quit
[Spoke1-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 1 will not participate in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn gre ipv6
[Spoke1-Tunnel1] ipv6 address 192:168::3 64
[Spoke1-Tunnel1] ipv6 address fe80::3 link-local
[Spoke1-Tunnel1] vam ipv6 client Spoke1
[Spoke1-Tunnel1] ospfv3 1 area 0
[Spoke1-Tunnel1] ospfv3 network-type broadcast
[Spoke1-Tunnel1] ospfv3 dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 2/0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] undo shutdown
[Spoke1-Tunnel1] quit


Configuring Spoke 2 1. Configure IP addresses for the interfaces. (Details not shown.) 2. Configure the VAM client:

# Create VAM client Spoke2. <Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.4

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn gre ipv6

[Spoke2-Tunnel1] ipv6 address 192:168::4 64

[Spoke2-Tunnel1] ipv6 address fe80::4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] ospfv3 1 area 0

[Spoke2-Tunnel1] ospfv3 network-type broadcast

[Spoke2-Tunnel1] ospfv3 dr-priority 0

[Spoke2-Tunnel1] source gigabitethernet 2/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] undo shutdown

[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192:168::1 1::1 Hub No 0H 52M 7S

0 192:168::2 1::2 Hub No 0H 47M 31S

0 192:168::3 1::3 Spoke No 0H 28M 25S

0 192:168::4 1::4 Spoke No 0H 19M 15S

# Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192:168::1 1::1 Hub No 0H 52M 7S

0 192:168::2 1::2 Hub No 0H 47M 31S

0 192:168::3 1::3 Spoke No 0H 28M 25S

0 192:168::4 1::4 Spoke No 0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.

# Display IPv6 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192:168::2 1::2 -- H-H Success 0H 46M 8S

192:168::3 1::3 -- H-S Success 0H 27M 27S

192:168::4 1::4 -- H-S Success 0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv6 ADVPN tunnel information on Spoke 1.

[Spoke1] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 2

Private address Public address Port Type State Holding time

192:168::1 1::1 -- S-H Success 0H 46M 8S

192:168::2 1::2 -- S-H Success 0H 46M 8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192:168::4 of Spoke 2.

[Spoke1] ping ipv6 192:168::4

Ping6(56 data bytes) 192:168::4 --> 192:168::4, press CTRL_C to break

56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms

56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms

--- Ping6 statistics for 192:168::4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms

# Display IPv6 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192:168::1 1::1 -- S-H Success 0H 46M 8S

192:168::2 1::2 -- S-H Success 0H 46M 8S

192:168::4 1::4 -- S-S Success 0H 0M 1S

The output shows the following information:

• Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

• Spoke 1 has established a temporary spoke-spoke tunnel to Spoke 2.

IPv4 hub-spoke ADVPN configuration example

Network requirements

As shown in Figure 148, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.

Establish a permanent ADVPN tunnel between each spoke and each hub.

Figure 148 Network diagram

Table 14 Interface and IP address assignment

Device            Interface  IP address
Hub 1             GE2/0/1    1.0.0.1/24
Hub 1             Tunnel1    192.168.0.1/24
Hub 2             GE2/0/1    1.0.0.2/24
Hub 2             Tunnel1    192.168.0.2/24
Spoke 1           GE2/0/1    1.0.0.3/24
Spoke 1           GE2/0/2    192.168.1.1/24
Spoke 1           Tunnel1    192.168.0.3/24
Spoke 2           GE2/0/1    1.0.0.4/24
Spoke 2           GE2/0/2    192.168.2.1/24
Spoke 2           Tunnel1    192.168.0.4/24
AAA server        --         1.0.0.10/24
Primary server    GE2/0/1    1.0.0.11/24
Secondary server  GE2/0/1    1.0.0.12/24

Configuring the primary VAM server

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3. Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv4 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise the private network.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub1] interface tunnel1 mode advpn gre

[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] ospf network-type p2mp

[Hub1-Tunnel1] source gigabitethernet 2/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] undo shutdown

[Hub1-Tunnel1] quit

Configuring Hub 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise the private network.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub2] interface tunnel1 mode advpn gre

[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] ospf network-type p2mp

[Hub2-Tunnel1] source gigabitethernet 2/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] undo shutdown

[Hub2-Tunnel1] quit

Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 0

[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.0] quit

[Spoke1-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1.

[Spoke1] interface tunnel1 mode advpn gre

[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type p2mp

[Spoke1-Tunnel1] source gigabitethernet 2/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] undo shutdown

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke2] ospf 1

[Spoke2-ospf-1] area 0

[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.0] quit

[Spoke2-ospf-1] quit

5. Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1.

[Spoke2] interface tunnel1 mode advpn gre

[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type p2mp

[Spoke2-Tunnel1] source gigabitethernet 2/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] undo shutdown

[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server address-map

ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S

0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S

0 192.168.0.3 1.0.0.3 Spoke No 0H 28M 25S

0 192.168.0.4 1.0.0.4 Spoke No 0H 19M 15S

# Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S

0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S

0 192.168.0.3 1.0.0.3 Spoke No 0H 28M 25S

0 192.168.0.4 1.0.0.4 Spoke No 0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192.168.0.2 1.0.0.2 -- H-H Success 0H 46M 8S

192.168.0.3 1.0.0.3 -- H-S Success 0H 27M 27S

192.168.0.4 1.0.0.4 -- H-S Success 0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn session

Interface : Tunnel1

Number of sessions: 2

Private address Public address Port Type State Holding time

192.168.0.1 1.0.0.1 -- S-H Success 0H 46M 8S

192.168.0.2 1.0.0.2 -- S-H Success 0H 46M 8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2.

[Spoke1] ping 192.168.0.4

Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 192.168.0.4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms
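
The configuration examples in this chapter use short sample values: `simple` keys such as 123456, usernames reused as passwords, the DES-CBC ESP transform with SHA-1 authentication, and an IKE keychain that matches every peer address. The following Python check is an added example, not part of the HPE guide: it scans Comware-style command lines, one command per line, for those settings before a lab configuration is reused in production. The rule names, the 16-character minimum, and the sample input are assumptions made for this example.

```python
"""Flag the sample-grade security settings used in the ADVPN examples (added example)."""
import re
from dataclasses import dataclass

# Constructed input: command lines in the form shown for Spoke 1 in this guide.
SAMPLE_CONFIG = """\
[Spoke1] vam client name Spoke1
[Spoke1-vam-client-Spoke1] advpn-domain abc
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
"""

# Leading CLI prompt such as "[Spoke1-Tunnel1]" or "<Spoke1>".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")

MIN_SECRET_LEN = 16  # assumption: local policy threshold, not an HPE value
WEAK_ESP_CIPHERS = {"des-cbc", "3des-cbc"}
LEGACY_ESP_AUTH = {"md5", "sha1"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str      # hypothetical rule name defined by this example
    command: str


def strip_prompt(line: str) -> str:
    """Return the command text without its view prompt."""
    return PROMPT.sub("", line).strip()


def audit(config_text: str) -> list:
    """Return a Finding for every rule that a command line triggers."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        cmd = strip_prompt(raw)
        if not cmd or cmd.startswith("#"):
            continue  # blank line or "# ..." description line
        tok = cmd.split()
        rules = []

        # ESP transforms: DES-family ciphers and MD5/SHA-1 authentication.
        if tok[:2] == ["esp", "encryption-algorithm"] and WEAK_ESP_CIPHERS & set(tok[2:]):
            rules.append("WEAK_ESP_CIPHER")
        if tok[:2] == ["esp", "authentication-algorithm"] and LEGACY_ESP_AUTH & set(tok[2:]):
            rules.append("LEGACY_ESP_AUTH")

        # IKE keychain entry that applies one key to every peer address.
        if tok[:2] == ["pre-shared-key", "address"]:
            if tok[2:4] == ["0.0.0.0", "0.0.0.0"] or tok[2:5] == ["ipv6", "::", "0"]:
                rules.append("WILDCARD_IKE_PSK")

        # In the commands shown in this guide the secret is the last token,
        # directly after the keyword "simple".
        if len(tok) >= 2 and tok[-2] == "simple":
            secret = tok[-1]
            if len(secret) < MIN_SECRET_LEN or secret.isdigit():
                rules.append("WEAK_SECRET")
            if tok[0] == "user" and secret == tok[1]:
                rules.append("PASSWORD_EQUALS_USERNAME")

        findings.extend(Finding(line_no, rule, cmd) for rule in rules)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.command}")
```

Run the check against each device's command list; a WILDCARD_IKE_PSK finding on an ADVPN member means every hub and spoke shares one IKE key, so that key needs the same protection as the whole domain.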

IPv6 hub-spoke ADVPN configuration example

Network requirements

As shown in Figure 149, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.

Establish a permanent ADVPN tunnel between each spoke and each hub.

Figure 149 Network diagram

Table 15 Interface and IP address assignment

Device            Interface  IP address
Hub 1             GE2/0/1    1::1/64
Hub 1             Tunnel1    192:168::1/64
Hub 2             GE2/0/1    1::2/64
Hub 2             Tunnel1    192:168::2/64
Spoke 1           GE2/0/1    1::3/64
Spoke 1           GE2/0/2    192:168:1::1/64
Spoke 1           Tunnel1    192:168::3/64
Spoke 2           GE2/0/1    1::4/64
Spoke 2           GE2/0/2    192:168:2::1/64
Spoke 2           Tunnel1    192:168::4/64
AAA server        --         1::10/64
Primary server    GE2/0/1    1::11/64
Secondary server  GE2/0/1    1::12/64

Configuring the primary VAM server

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3. Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv6 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

# Specify a spoke private IPv6 network.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the username and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1.

[Hub1] interface tunnel1 mode advpn gre ipv6

[Hub1-Tunnel1] ipv6 address 192:168::1 64

[Hub1-Tunnel1] ipv6 address fe80::1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1

[Hub1-Tunnel1] ospfv3 1 area 0

[Hub1-Tunnel1] ospfv3 network-type p2mp

[Hub1-Tunnel1] source gigabitethernet 2/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] undo shutdown

[Hub1-Tunnel1] quit

Configuring Hub 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1.

[Hub2] interface tunnel1 mode advpn gre ipv6

[Hub2-Tunnel1] ipv6 address 192:168::2 64

[Hub2-Tunnel1] ipv6 address fe80::2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2

[Hub2-Tunnel1] ospfv3 1 area 0

[Hub2-Tunnel1] ospfv3 network-type p2mp

[Hub2-Tunnel1] source gigabitethernet 2/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] undo shutdown

[Hub2-Tunnel1] quit

Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.3

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1.

[Spoke1] interface tunnel1 mode advpn gre ipv6

[Spoke1-Tunnel1] ipv6 address 192:168::3 64

[Spoke1-Tunnel1] ipv6 address fe80::3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] ospfv3 1 area 0

[Spoke1-Tunnel1] ospfv3 network-type p2mp

[Spoke1-Tunnel1] source gigabitethernet 2/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] undo shutdown

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.4

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] quit

5. Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1.

[Spoke2] interface tunnel1 mode advpn gre ipv6

[Spoke2-Tunnel1] ipv6 address 192:168::4 64

[Spoke2-Tunnel1] ipv6 address fe80::4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] ospfv3 1 area 0

[Spoke2-Tunnel1] ospfv3 network-type p2mp

[Spoke2-Tunnel1] source gigabitethernet 2/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] undo shutdown

[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192:168::1 1::1 Hub No 0H 52M 7S

0 192:168::2 1::2 Hub No 0H 47M 31S

0 192:168::3 1::3 Spoke No 0H 28M 25S

0 192:168::4 1::4 Spoke No 0H 19M 15S

# Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192:168::1 1::1 Hub No 0H 52M 7S

0 192:168::2 1::2 Hub No 0H 47M 31S

0 192:168::3 1::3 Spoke No 0H 28M 25S

0 192:168::4 1::4 Spoke No 0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.

# Display IPv6 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192:168::2 1::2 -- H-H Success 0H 46M 8S

192:168::3 1::3 -- H-S Success 0H 27M 27S

192:168::4 1::4 -- H-S Success 0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv6 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 2

Private address Public address Port Type State Holding time

192:168::1 1::1 -- S-H Success 0H 46M 8S

192:168::2 1::2 -- S-H Success 0H 46M 8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192:168::4 of Spoke 2.

[Spoke1] ping ipv6 192:168::4

Ping6(56 data bytes) 192:168::4 --> 192:168::4, press CTRL_C to break

56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms

56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms

--- Ping6 statistics for 192:168::4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms

IPv4 multi-hub-group ADVPN configuration example

Network requirements

As shown in Figure 150, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.

• Configure three hub groups to accommodate all ADVPN nodes:

  ○ Hub group 0 contains Hub 1, Hub 2, and Hub 3.

  ○ Hub group 1 contains Hub 1, Hub 2, Spoke 1, and Spoke 2. Hub 1 and Hub 2 back up each other.

  ○ Hub group 2 contains Hub 3, Spoke 3, and Spoke 4. Hub groups 1 and 2 use full-mesh networking.

• Allow any two spokes to establish a direct spoke-spoke tunnel.

Figure 150 Network diagram

Table 16 Interface and IP address assignment

Device            Interface   IP address
Hub 1             GE2/0/1     1.0.0.1/24
Hub 1             Tunnel1     192.168.1.1/24
Hub 1             Tunnel2     192.168.0.1/24
Hub 2             GE2/0/1     1.0.0.2/24
Hub 2             Tunnel1     192.168.1.2/24
Hub 2             Tunnel2     192.168.0.2/24
Hub 3             GE2/0/1     1.0.0.3/24
Hub 3             Tunnel1     192.168.2.1/24
Hub 3             Tunnel2     192.168.0.3/24
AAA server        -           1.0.0.10/24
Primary server    GE2/0/1     1.0.0.11/24
Secondary server  GE2/0/1     1.0.0.12/24
Spoke 1           GE2/0/1     1.0.0.4/24
Spoke 1           GE2/0/2     192.168.10.1/24
Spoke 1           Tunnel1     192.168.1.3/24
Spoke 2           GE2/0/1     1.0.0.5/24
Spoke 2           GE2/0/2     192.168.20.1/24
Spoke 2           GE2/0/3     192.168.30.1/24
Spoke 2           Tunnel1     192.168.1.4/24
Spoke 3           GE2/0/1     1.0.0.6/24
Spoke 3           GE2/0/2     192.168.40.1/24
Spoke 3           Tunnel1     192.168.2.2/24
Spoke 4           GE2/0/1     1.0.0.7/24
Spoke 4           GE2/0/2     192.168.50.1/24
Spoke 4           GE2/0/3     192.168.60.1/24
Spoke 4           Tunnel1     192.168.2.3/24

Configuring the primary VAM server

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3. Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv4 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Create hub group 1.

[PrimaryServer-vam-server-domain-abc] hub-group 1

# Specify hub private IPv4 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.1

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.2

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke private-address network 192.168.1.0 255.255.255.0

# Allow establishing direct spoke-spoke tunnels.

[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut interest all

[PrimaryServer-vam-server-domain-abc-hub-group-1] quit

# Create hub group 2.

[PrimaryServer-vam-server-domain-abc] hub-group 2

# Specify the hub private IPv4 address.

[PrimaryServer-vam-server-domain-abc-hub-group-2] hub private-address 192.168.2.1

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke private-address network 192.168.2.0 255.255.255.0

# Allow establishing direct spoke-spoke tunnels.

[PrimaryServer-vam-server-domain-abc-hub-group-2] shortcut interest all

[PrimaryServer-vam-server-domain-abc-hub-group-2] quit

# Set the pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub1Group0.

<Hub1> system-view

[Hub1] vam client name Hub1Group0

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group0] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group0] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1Group0] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group0] client enable

[Hub1-vam-client-Hub1Group0] quit

# Create VAM client Hub1Group1.

[Hub1] vam client name Hub1Group1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456

# Set the username and password to hub1.

[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group1] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1Group1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group1] client enable

[Hub1-vam-client-Hub1Group1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] area 1

[Hub1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.1] quit

[Hub1-ospf-1] quit

5. Configure ADVPN tunnels:

# Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub1] interface tunnel1 mode advpn udp

[Hub1-Tunnel1] ip address 192.168.1.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1Group1

[Hub1-Tunnel1] ospf network-type broadcast

[Hub1-Tunnel1] source gigabitethernet 2/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] undo shutdown

[Hub1-Tunnel1] quit

# Configure UDP-mode IPv4 ADVPN tunnel interface tunnel2.

[Hub1] interface tunnel2 mode advpn udp

[Hub1-Tunnel2] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel2] vam client Hub1Group0

[Hub1-Tunnel2] ospf network-type broadcast

[Hub1-Tunnel2] source gigabitethernet 2/0/1

[Hub1-Tunnel2] tunnel protection ipsec profile abc

[Hub1-Tunnel2] undo shutdown

[Hub1-Tunnel2] quit

Configuring Hub 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub2Group0.

<Hub2> system-view

[Hub2] vam client name Hub2Group0

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group0] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group0] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2Group0] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group0] client enable

[Hub2-vam-client-Hub2Group0] quit

# Create VAM client Hub2Group1.

[Hub2] vam client name Hub2Group1

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group1] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group1] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2Group1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group1] client enable

[Hub2-vam-client-Hub2Group1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] area 1

[Hub2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.1] quit

[Hub2-ospf-1] quit

5. Configure ADVPN tunnels:

# Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub2] interface tunnel 1 mode advpn udp

[Hub2-Tunnel1] ip address 192.168.1.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2Group1

[Hub2-Tunnel1] ospf network-type broadcast

[Hub2-Tunnel1] source gigabitethernet 2/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] undo shutdown

[Hub2-Tunnel1] quit

# Configure UDP-mode IPv4 ADVPN tunnel interface tunnel2.

[Hub2] interface tunnel2 mode advpn udp

[Hub2-Tunnel2] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel2] vam client Hub2Group0

[Hub2-Tunnel2] ospf network-type broadcast

[Hub2-Tunnel2] source gigabitethernet 2/0/1

[Hub2-Tunnel2] tunnel protection ipsec profile abc

[Hub2-Tunnel2] undo shutdown

[Hub2-Tunnel2] quit

Configuring Hub 3

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub3Group0.

<Hub3> system-view

[Hub3] vam client name Hub3Group0

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group0] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group0] server primary ip-address 1.0.0.11

[Hub3-vam-client-Hub3Group0] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group0] client enable

[Hub3-vam-client-Hub3Group0] quit

# Create VAM client Hub3Group1.

[Hub3] vam client name Hub3Group1

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group1] server primary ip-address 1.0.0.11

[Hub3-vam-client-Hub3Group1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group1] client enable

[Hub3-vam-client-Hub3Group1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub3] ike keychain abc

[Hub3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub3-ike-keychain-abc] quit

[Hub3] ike profile abc

[Hub3-ike-profile-abc] keychain abc

[Hub3-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub3] ipsec transform-set abc

[Hub3-ipsec-transform-set-abc] encapsulation-mode transport

[Hub3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub3-ipsec-transform-set-abc] quit

[Hub3] ipsec profile abc isakmp

[Hub3-ipsec-profile-isakmp-abc] transform-set abc

[Hub3-ipsec-profile-isakmp-abc] ike-profile abc

[Hub3-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Hub3] ospf 1

[Hub3-ospf-1] area 0

[Hub3-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub3-ospf-1-area-0.0.0.0] quit

[Hub3-ospf-1] area 2

[Hub3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255

[Hub3-ospf-1-area-0.0.0.2] quit

[Hub3-ospf-1] quit

5. Configure ADVPN tunnels:

# Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub3] interface tunnel1 mode advpn udp

[Hub3-Tunnel1] ip address 192.168.2.1 255.255.255.0

[Hub3-Tunnel1] vam client Hub3Group1

[Hub3-Tunnel1] ospf network-type broadcast

[Hub3-Tunnel1] source gigabitethernet 2/0/1

[Hub3-Tunnel1] tunnel protection ipsec profile abc

[Hub3-Tunnel1] undo shutdown

[Hub3-Tunnel1] quit

# Configure UDP-mode IPv4 ADVPN tunnel interface tunnel2.

[Hub3] interface tunnel2 mode advpn udp

[Hub3-Tunnel2] ip address 192.168.0.3 255.255.255.0

[Hub3-Tunnel2] vam client Hub3Group0

[Hub3-Tunnel2] ospf network-type broadcast

[Hub3-Tunnel2] source gigabitethernet 2/0/1

[Hub3-Tunnel2] tunnel protection ipsec profile abc

[Hub3-Tunnel2] undo shutdown

[Hub3-Tunnel2] quit

Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 1

[Spoke1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.1] network 192.168.10.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.1] quit

[Spoke1-ospf-1] quit

5. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 1 will not participate in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn udp

[Spoke1-Tunnel1] ip address 192.168.1.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type broadcast

[Spoke1-Tunnel1] ospf dr-priority 0

[Spoke1-Tunnel1] advpn network 192.168.10.0 255.255.255.0

[Spoke1-Tunnel1] source gigabitethernet 2/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] undo shutdown

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke2] ospf 1

[Spoke2-ospf-1] area 1

[Spoke2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.1] network 192.168.30.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.1] quit

[Spoke2-ospf-1] quit

5. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp

[Spoke2-Tunnel1] ip address 192.168.1.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type broadcast

[Spoke2-Tunnel1] ospf dr-priority 0

[Spoke2-Tunnel1] advpn network 192.168.20.0 255.255.255.0

[Spoke2-Tunnel1] advpn network 192.168.30.0 255.255.255.0

[Spoke2-Tunnel1] source gigabitethernet 2/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] undo shutdown

[Spoke2-Tunnel1] quit

Configuring Spoke 3

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke3.

<Spoke3> system-view

[Spoke3] vam client name Spoke3

# Specify ADVPN domain abc for the VAM client.

[Spoke3-vam-client-Spoke3] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456

# Set both the username and password to spoke3.

[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3

# Specify the primary and secondary VAM servers.

[Spoke3-vam-client-Spoke3] server primary ip-address 1.0.0.11

[Spoke3-vam-client-Spoke3] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke3-vam-client-Spoke3] client enable

[Spoke3-vam-client-Spoke3] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke3] ike keychain abc

[Spoke3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke3-ike-keychain-abc] quit

[Spoke3] ike profile abc

[Spoke3-ike-profile-abc] keychain abc

[Spoke3-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke3] ipsec transform-set abc

[Spoke3-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke3-ipsec-transform-set-abc] quit

[Spoke3] ipsec profile abc isakmp

[Spoke3-ipsec-profile-isakmp-abc] transform-set abc

[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke3-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke3] ospf 1

[Spoke3-ospf-1] area 2

[Spoke3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255

[Spoke3-ospf-1-area-0.0.0.2] network 192.168.40.0 0.0.0.255

[Spoke3-ospf-1-area-0.0.0.2] quit

[Spoke3-ospf-1] quit

5. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 3 will not participate in DR/BDR election.

[Spoke3] interface tunnel 1 mode advpn udp

[Spoke3-Tunnel1] ip address 192.168.2.2 255.255.255.0

[Spoke3-Tunnel1] vam client Spoke3

[Spoke3-Tunnel1] ospf network-type broadcast

[Spoke3-Tunnel1] ospf dr-priority 0

[Spoke3-Tunnel1] advpn network 192.168.40.0 255.255.255.0

[Spoke3-Tunnel1] source gigabitethernet 2/0/1

[Spoke3-Tunnel1] tunnel protection ipsec profile abc

[Spoke3-Tunnel1] undo shutdown

[Spoke3-Tunnel1] quit

Configuring Spoke 4

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke4.

<Spoke4> system-view

[Spoke4] vam client name Spoke4

# Specify ADVPN domain abc for the VAM client.

[Spoke4-vam-client-Spoke4] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456

# Set both the username and password to spoke4.

[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4

# Specify the primary and secondary VAM servers.

[Spoke4-vam-client-Spoke4] server primary ip-address 1.0.0.11

[Spoke4-vam-client-Spoke4] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke4-vam-client-Spoke4] client enable

[Spoke4-vam-client-Spoke4] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke4] ike keychain abc

[Spoke4-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke4-ike-keychain-abc] quit

[Spoke4] ike profile abc

[Spoke4-ike-profile-abc] keychain abc

[Spoke4-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke4] ipsec transform-set abc

[Spoke4-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke4-ipsec-transform-set-abc] quit

[Spoke4] ipsec profile abc isakmp

[Spoke4-ipsec-profile-isakmp-abc] transform-set abc

[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke4-ipsec-profile-isakmp-abc] quit

4. Configure OSPF to advertise private networks.

[Spoke4] ospf 1

[Spoke4-ospf-1] area 2

[Spoke4-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255

[Spoke4-ospf-1-area-0.0.0.2] network 192.168.50.0 0.0.0.255

[Spoke4-ospf-1-area-0.0.0.2] network 192.168.60.0 0.0.0.255

[Spoke4-ospf-1-area-0.0.0.2] quit

[Spoke4-ospf-1] quit

5. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 4 will not participate in DR/BDR election.

[Spoke4] interface tunnel1 mode advpn udp

[Spoke4-Tunnel1] ip address 192.168.2.3 255.255.255.0

[Spoke4-Tunnel1] vam client Spoke4

[Spoke4-Tunnel1] ospf network-type broadcast

[Spoke4-Tunnel1] ospf dr-priority 0

[Spoke4-Tunnel1] advpn network 192.168.50.0 255.255.255.0

[Spoke4-Tunnel1] advpn network 192.168.60.0 255.255.255.0

[Spoke4-Tunnel1] source gigabitethernet 2/0/1

[Spoke4-Tunnel1] tunnel protection ipsec profile abc

[Spoke4-Tunnel1] undo shutdown

[Spoke4-Tunnel1] quit

Verifying the configuration

# Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server address-map

ADVPN domain name: 1

Total private address mappings: 10

Group Private address Public address Type NAT Holding time

0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S

0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S

0 192.168.0.3 1.0.0.3 Hub No 0H 28M 25S

1 192.168.1.1 1.0.0.1 Hub No 0H 52M 7S

1 192.168.1.2 1.0.0.2 Hub No 0H 47M 31S

1 192.168.1.3 1.0.0.4 Spoke No 0H 18M 26S

1 192.168.1.4 1.0.0.5 Spoke No 0H 28M 25S

2 192.168.2.1 1.0.0.3 Hub No 0H 28M 25S

2 192.168.2.2 1.0.0.6 Spoke No 0H 25M 40S

2 192.168.2.3 1.0.0.7 Spoke No 0H 25M 31S

# Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: 1

Total private address mappings: 10

Group Private address Public address Type NAT Holding time

0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S

0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S

0 192.168.0.3 1.0.0.3 Hub No 0H 28M 25S

1 192.168.1.1 1.0.0.1 Hub No 0H 52M 7S

1 192.168.1.2 1.0.0.2 Hub No 0H 47M 31S

1 192.168.1.3 1.0.0.4 Spoke No 0H 18M 26S

1 192.168.1.4 1.0.0.5 Spoke No 0H 28M 25S

2 192.168.2.1 1.0.0.3 Hub No 0H 28M 25S

2 192.168.2.2 1.0.0.6 Spoke No 0H 25M 40S

2 192.168.2.3 1.0.0.7 Spoke No 0H 25M 31S

The output shows that Hub 1, Hub 2, Hub 3, Spoke 1, Spoke 2, Spoke 3, and Spoke 4 have all registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192.168.1.2 1.0.0.2 18001 H-H Success 0H 46M 8S

192.168.1.3 1.0.0.3 18001 H-S Success 0H 27M 27S

192.168.1.4 1.0.0.4 18001 H-S Success 0H 18M 18S

Interface : Tunnel2

Number of sessions: 2

Private address Public address Port Type State Holding time

192.168.0.2 1.0.0.2 18001 H-H Success 0H 46M 8S


192.168.0.3 1.0.0.3 18001 H-H Success 0H 27M 27S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Hub 3, Spoke 1, and Spoke 2.

# Display IPv4 ADVPN tunnel information on Spoke 1 and Spoke 2. This example uses Spoke 1.

[Spoke1] display advpn session

Interface : Tunnel1

Number of sessions: 2

Private address Public address Port Type State Holding time

192.168.1.1 1.0.0.1 18001 S-H Success 0H 46M 8S

192.168.1.2 1.0.0.2 18001 S-H Success 0H 46M 8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Display IPv4 ADVPN tunnel information on Spoke 3 and Spoke 4. This example uses Spoke 3.

[Spoke3] display advpn session

Interface : Tunnel1

Number of sessions: 1

Private address Public address Port Type State Holding time

192.168.2.1 1.0.0.3 18001 S-H Success 0H 46M 8S

The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3.

IPv6 multi-hub-group ADVPN configuration example

Network requirements

As shown in Figure 151, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.

• Configure three hub groups to accommodate all ADVPN nodes:

  - Hub group 0 contains Hub1, Hub2, and Hub3.

  - Hub group 1 contains Hub1, Hub2, Spoke1, and Spoke2. Hub 1 and Hub 2 back up each other.

  - Hub group 2 contains Hub3, Spoke3, and Spoke4.

  - Hub groups 1 and 2 use full-mesh networking.

• Allow any two spokes to establish a direct spoke-spoke tunnel.


Figure 151 Network diagram

Table 17 Interface and IP address assignment

Device            Interface   IP address
Hub 1             GE2/0/1     1::1/64
Hub 1             Tunnel1     192:168:1::1/64
Hub 1             Tunnel2     192:168::1/64
Hub 2             GE2/0/1     1::2/64
Hub 2             Tunnel1     192:168:1::2/64
Hub 2             Tunnel2     192:168::2/64
Hub 3             GE2/0/1     1::3/64
Hub 3             Tunnel1     192:168:2::1/64
Hub 3             Tunnel2     192:168::3/64
AAA server        -           1::10/64
Primary server    GE2/0/1     1::11/64
Secondary server  GE2/0/1     1::12/64
Spoke 1           GE2/0/1     1::4/64
Spoke 1           GE2/0/2     192:168:10::1/64
Spoke 1           Tunnel1     192:168:1::3/64
Spoke 2           GE2/0/1     1::5/64
Spoke 2           GE2/0/2     192:168:20::1/64
Spoke 2           GE2/0/3     192:168:30::1/64
Spoke 2           Tunnel1     192:168:1::4/64
Spoke 3           GE2/0/1     1::6/64
Spoke 3           GE2/0/2     192:168:40::1/64
Spoke 3           Tunnel1     192:168:2::2/64
Spoke 4           GE2/0/1     1::7/64
Spoke 4           GE2/0/2     192:168:50::1/64
Spoke 4           GE2/0/3     192:168:60::1/64
Spoke 4           Tunnel1     192:168:2::3/64

Configuring the primary VAM server

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure AAA:


# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3. Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv6 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::3

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Create hub group 1.

[PrimaryServer-vam-server-domain-abc] hub-group 1

# Specify hub private IPv6 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::1

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::2

# Specify a spoke private IPv6 network.

[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke ipv6 private-address network 192:168:1::0 64

# Allow establishing spoke-spoke tunnels.

[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut ipv6 interest all

[PrimaryServer-vam-server-domain-abc-hub-group-1] quit

# Create hub group 2.

[PrimaryServer-vam-server-domain-abc] hub-group 2

# Specify the hub private IPv6 address.

[PrimaryServer-vam-server-domain-abc-hub-group-2] hub ipv6 private-address 192:168:2::1

# Specify a spoke private IPv6 network.

[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64

[PrimaryServer-vam-server-domain-abc-hub-group-2] quit

# Set the pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub1Group0.

<Hub1> system-view

[Hub1] vam client name Hub1Group0

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group0] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group0] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group0] client enable

[Hub1-vam-client-Hub1Group0] quit

# Create VAM client Hub1Group1.

[Hub1] vam client name Hub1Group1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group1] client enable

[Hub1-vam-client-Hub1Group1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] area 1

[Hub1-ospfv3-1-area-0.0.0.1] quit

[Hub1-ospfv3-1] quit

5. Configure ADVPN tunnels:

# Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1.

[Hub1] interface tunnel1 mode advpn udp

[Hub1-Tunnel1] ipv6 address 192:168:1::1 64

[Hub1-Tunnel1] ipv6 address fe80::1:1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1Group1

[Hub1-Tunnel1] ospfv3 1 area 1

[Hub1-Tunnel1] ospfv3 network-type broadcast

[Hub1-Tunnel1] source gigabitethernet 2/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] undo shutdown

[Hub1-Tunnel1] quit

# Configure UDP-mode IPv6 ADVPN tunnel interface tunnel2.

[Hub1] interface tunnel2 mode advpn udp

[Hub1-Tunnel2] ipv6 address 192:168::1 64

[Hub1-Tunnel2] ipv6 address fe80::1 link-local

[Hub1-Tunnel2] vam ipv6 client Hub1Group0

[Hub1-Tunnel2] ospfv3 1 area 0

[Hub1-Tunnel2] ospfv3 network-type broadcast

[Hub1-Tunnel2] source gigabitethernet 2/0/1

[Hub1-Tunnel2] tunnel protection ipsec profile abc

[Hub1-Tunnel2] undo shutdown

[Hub1-Tunnel2] quit


Configuring Hub 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub2Group0.

<Hub2> system-view

[Hub2] vam client name Hub2Group0

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group0] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group0] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group0] client enable

[Hub2-vam-client-Hub2Group0] quit

# Create VAM client Hub2Group1.

[Hub2] vam client name Hub2Group1

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group1] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group1] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group1] client enable

[Hub2-vam-client-Hub2Group1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit


[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

# Configure OSPFv3 process 1 with router ID 0.0.0.2, in line with the router IDs of the other devices in this example.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] area 1

[Hub2-ospfv3-1-area-0.0.0.1] quit

[Hub2-ospfv3-1] quit

5. Configure ADVPN tunnels:

# Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1.

[Hub2] interface tunnel1 mode advpn udp

[Hub2-Tunnel1] ipv6 address 192:168:1::2 64

[Hub2-Tunnel1] ipv6 address fe80::1:2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2Group1

[Hub2-Tunnel1] ospfv3 1 area 1

[Hub2-Tunnel1] ospfv3 network-type broadcast

[Hub2-Tunnel1] source gigabitethernet 2/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] undo shutdown

[Hub2-Tunnel1] quit

# Configure UDP-mode IPv6 ADVPN tunnel interface tunnel2.

[Hub2] interface tunnel2 mode advpn udp

[Hub2-Tunnel2] ipv6 address 192:168::2 64

[Hub2-Tunnel2] ipv6 address fe80::2 link-local

[Hub2-Tunnel2] vam ipv6 client Hub2Group0

[Hub2-Tunnel2] ospfv3 1 area 0

[Hub2-Tunnel2] ospfv3 network-type broadcast

[Hub2-Tunnel2] source gigabitethernet 2/0/1

[Hub2-Tunnel2] tunnel protection ipsec profile abc

[Hub2-Tunnel2] undo shutdown

[Hub2-Tunnel2] quit

Configuring Hub 3

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub3Group0.

<Hub3> system-view

[Hub3] vam client name Hub3Group0

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group0] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group0] server primary ipv6-address 1::11

[Hub3-vam-client-Hub3Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group0] client enable

[Hub3-vam-client-Hub3Group0] quit

# Create VAM client Hub3Group1.

[Hub3] vam client name Hub3Group1

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group1] server primary ipv6-address 1::11

[Hub3-vam-client-Hub3Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group1] client enable

[Hub3-vam-client-Hub3Group1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Hub3] ike keychain abc

[Hub3-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456

[Hub3-ike-keychain-abc] quit

[Hub3] ike profile abc

[Hub3-ike-profile-abc] keychain abc

[Hub3-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub3] ipsec transform-set abc

[Hub3-ipsec-transform-set-abc] encapsulation-mode transport

[Hub3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub3-ipsec-transform-set-abc] quit

[Hub3] ipsec profile abc isakmp

[Hub3-ipsec-profile-isakmp-abc] transform-set abc

[Hub3-ipsec-profile-isakmp-abc] ike-profile abc

[Hub3-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Hub3] ospfv3 1

[Hub3-ospfv3-1] router-id 0.0.0.3

[Hub3-ospfv3-1] area 0

[Hub3-ospfv3-1-area-0.0.0.0] quit

[Hub3-ospfv3-1] area 2

[Hub3-ospfv3-1-area-0.0.0.2] quit

[Hub3-ospfv3-1] quit


5. Configure ADVPN tunnels:

# Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1.

[Hub3] interface tunnel1 mode advpn udp

[Hub3-Tunnel1] ipv6 address 192:168:2::1 64

[Hub3-Tunnel1] ipv6 address fe80::2:1 link-local

[Hub3-Tunnel1] vam ipv6 client Hub3Group1

[Hub3-Tunnel1] ospfv3 1 area 2

[Hub3-Tunnel1] ospfv3 network-type broadcast

[Hub3-Tunnel1] source gigabitethernet 2/0/1

[Hub3-Tunnel1] tunnel protection ipsec profile abc

[Hub3-Tunnel1] undo shutdown

[Hub3-Tunnel1] quit

# Configure UDP-mode IPv6 ADVPN tunnel interface tunnel2.

[Hub3] interface tunnel2 mode advpn udp

[Hub3-Tunnel2] ipv6 address 192:168::3 64

[Hub3-Tunnel2] ipv6 address fe80::3 link-local

[Hub3-Tunnel2] vam ipv6 client Hub3Group0

[Hub3-Tunnel2] ospfv3 1 area 0

[Hub3-Tunnel2] ospfv3 network-type broadcast

[Hub3-Tunnel2] source gigabitethernet 2/0/1

[Hub3-Tunnel2] tunnel protection ipsec profile abc

[Hub3-Tunnel2] undo shutdown

[Hub3-Tunnel2] quit

Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc


[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.4

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] area 1

[Spoke1-ospfv3-1-area-0.0.0.1] quit

[Spoke1-ospfv3-1] quit

[Spoke1] interface gigabitethernet 2/0/2

[Spoke1-GigabitEthernet2/0/2] ospfv3 1 area 1

[Spoke1-GigabitEthernet2/0/2] quit

5. Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 1 will not participate in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn udp

[Spoke1-Tunnel1] ipv6 address 192:168:1::3 64

[Spoke1-Tunnel1] ipv6 address fe80::1:3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] ospfv3 1 area 1

[Spoke1-Tunnel1] ospfv3 network-type broadcast

[Spoke1-Tunnel1] ospfv3 dr-priority 0

[Spoke1-Tunnel1] advpn ipv6 network 192:168:10::0 64

[Spoke1-Tunnel1] source gigabitethernet 2/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] undo shutdown

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.5

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] area 1

[Spoke2-ospfv3-1-area-0.0.0.1] quit

[Spoke2-ospfv3-1] quit

[Spoke2] interface gigabitethernet 2/0/2

[Spoke2-GigabitEthernet2/0/2] ospfv3 1 area 1

[Spoke2-GigabitEthernet2/0/2] quit

[Spoke2] interface gigabitethernet 2/0/3

[Spoke2-GigabitEthernet2/0/3] ospfv3 1 area 1

[Spoke2-GigabitEthernet2/0/3] quit

5. Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp

[Spoke2-Tunnel1] ipv6 address 192:168:1::4 64

[Spoke2-Tunnel1] ipv6 address fe80::1:4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] ospfv3 1 area 1

[Spoke2-Tunnel1] ospfv3 network-type broadcast


[Spoke2-Tunnel1] ospfv3 dr-priority 0

[Spoke2-Tunnel1] advpn ipv6 network 192:168:20::0 64

[Spoke2-Tunnel1] advpn ipv6 network 192:168:30::0 64

[Spoke2-Tunnel1] source gigabitethernet 2/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] undo shutdown

[Spoke2-Tunnel1] quit

Configuring Spoke 3

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke3.

<Spoke3> system-view

[Spoke3] vam client name Spoke3

# Specify ADVPN domain abc for the VAM client.

[Spoke3-vam-client-Spoke3] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456

# Set both the username and password to spoke3.

[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3

# Specify the primary and secondary VAM servers.

[Spoke3-vam-client-Spoke3] server primary ipv6-address 1::11

[Spoke3-vam-client-Spoke3] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke3-vam-client-Spoke3] client enable

[Spoke3-vam-client-Spoke3] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke3] ike keychain abc

[Spoke3-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456

[Spoke3-ike-keychain-abc] quit

[Spoke3] ike profile abc

[Spoke3-ike-profile-abc] keychain abc

[Spoke3-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke3] ipsec transform-set abc

[Spoke3-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke3-ipsec-transform-set-abc] quit

[Spoke3] ipsec profile abc isakmp

[Spoke3-ipsec-profile-isakmp-abc] transform-set abc

[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke3-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke3] ospfv3 1

[Spoke3-ospfv3-1] router-id 0.0.0.6

[Spoke3-ospfv3-1] area 0


[Spoke3-ospfv3-1-area-0.0.0.0] quit

[Spoke3-ospfv3-1] area 2

[Spoke3-ospfv3-1-area-0.0.0.2] quit

[Spoke3-ospfv3-1] quit

[Spoke3] interface gigabitethernet 2/0/2

[Spoke3-GigabitEthernet2/0/2] ospfv3 1 area 2

[Spoke3-GigabitEthernet2/0/2] quit

5. Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 3 will not participate in DR/BDR election.

[Spoke3] interface tunnel1 mode advpn udp

[Spoke3-Tunnel1] ipv6 address 192:168:2::2 64

[Spoke3-Tunnel1] ipv6 address fe80::2:2 link-local

[Spoke3-Tunnel1] vam ipv6 client Spoke3

[Spoke3-Tunnel1] ospfv3 1 area 2

[Spoke3-Tunnel1] ospfv3 network-type broadcast

[Spoke3-Tunnel1] ospfv3 dr-priority 0

[Spoke3-Tunnel1] advpn ipv6 network 192:168:40::0 64

[Spoke3-Tunnel1] source gigabitethernet 2/0/1

[Spoke3-Tunnel1] tunnel protection ipsec profile abc

[Spoke3-Tunnel1] undo shutdown

[Spoke3-Tunnel1] quit

Configuring Spoke 4

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke4.

<Spoke4> system-view

[Spoke4] vam client name Spoke4

# Specify ADVPN domain abc for the VAM client.

[Spoke4-vam-client-Spoke4] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456

# Set both the username and password to spoke4.

[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4

# Specify the primary and secondary VAM servers.

[Spoke4-vam-client-Spoke4] server primary ipv6-address 1::11

[Spoke4-vam-client-Spoke4] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke4-vam-client-Spoke4] client enable

[Spoke4-vam-client-Spoke4] quit

3. Configure an IPsec profile:

# Configure IKE.

[Spoke4] ike keychain abc

[Spoke4-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456

[Spoke4-ike-keychain-abc] quit

[Spoke4] ike profile abc

[Spoke4-ike-profile-abc] keychain abc

[Spoke4-ike-profile-abc] quit


# Configure the IPsec profile.

[Spoke4] ipsec transform-set abc

[Spoke4-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke4-ipsec-transform-set-abc] quit

[Spoke4] ipsec profile abc isakmp

[Spoke4-ipsec-profile-isakmp-abc] transform-set abc

[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke4-ipsec-profile-isakmp-abc] quit

4. Configure OSPFv3.

[Spoke4] ospfv3 1

[Spoke4-ospfv3-1] router-id 0.0.0.7

[Spoke4-ospfv3-1] area 0

[Spoke4-ospfv3-1-area-0.0.0.0] quit

[Spoke4-ospfv3-1] area 2

[Spoke4-ospfv3-1-area-0.0.0.2] quit

[Spoke4-ospfv3-1] quit

[Spoke4] interface gigabitethernet 2/0/2

[Spoke4-GigabitEthernet2/0/2] ospfv3 1 area 2

[Spoke4-GigabitEthernet2/0/2] quit

[Spoke4] interface gigabitethernet 2/0/3

[Spoke4-GigabitEthernet2/0/3] ospfv3 1 area 2

[Spoke4-GigabitEthernet2/0/3] quit

5. Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 4 will not participate in DR/BDR election.

[Spoke4] interface tunnel1 mode advpn udp

[Spoke4-Tunnel1] ipv6 address 192:168:2::3 64

[Spoke4-Tunnel1] ipv6 address fe80::2:3 link-local

[Spoke4-Tunnel1] vam ipv6 client Spoke4

[Spoke4-Tunnel1] ospfv3 1 area 2

[Spoke4-Tunnel1] ospfv3 network-type broadcast

[Spoke4-Tunnel1] ospfv3 dr-priority 0

[Spoke4-Tunnel1] advpn ipv6 network 192:168:50::0 64

[Spoke4-Tunnel1] advpn ipv6 network 192:168:60::0 64

[Spoke4-Tunnel1] source gigabitethernet 2/0/1

[Spoke4-Tunnel1] tunnel protection ipsec profile abc

[Spoke4-Tunnel1] undo shutdown

[Spoke4-Tunnel1] quit

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: 1

Total private address mappings: 10

Group Private address Public address Type NAT Holding time

0 192:168::1 1::1 Hub No 0H 52M 7S

0 192:168::2 1::2 Hub No 0H 47M 31S


0 192:168::3 1::3 Hub No 0H 28M 25S

1 192:168:1::1 1::1 Hub No 0H 52M 7S

1 192:168:1::2 1::2 Hub No 0H 47M 31S

1 192:168:1::3 1::4 Spoke No 0H 18M 26S

1 192:168:1::4 1::5 Spoke No 0H 28M 25S

2 192:168:2::1 1::3 Hub No 0H 28M 25S

2 192:168:2::2 1::6 Spoke No 0H 25M 40S

2 192:168:2::3 1::7 Spoke No 0H 25M 31S

# Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: 1

Total private address mappings: 10

Group Private address Public address Type NAT Holding time

0 192:168::1 1::1 Hub No 0H 52M 7S

0 192:168::2 1::2 Hub No 0H 47M 31S

0 192:168::3 1::3 Hub No 0H 28M 25S

1 192:168:1::1 1::1 Hub No 0H 52M 7S

1 192:168:1::2 1::2 Hub No 0H 47M 31S

1 192:168:1::3 1::4 Spoke No 0H 18M 26S

1 192:168:1::4 1::5 Spoke No 0H 28M 25S

2 192:168:2::1 1::3 Hub No 0H 28M 25S

2 192:168:2::2 1::6 Spoke No 0H 25M 40S

2 192:168:2::3 1::7 Spoke No 0H 25M 31S

The output shows that Hub 1, Hub 2, Hub 3, Spoke 1, Spoke 2, Spoke 3, and Spoke 4 have all registered their address mapping information with the VAM servers.

# Display IPv6 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192:168:1::2 1::2 18001 H-H Success 0H 46M 8S

192:168:1::3 1::3 18001 H-S Success 0H 27M 27S

192:168:1::4 1::4 18001 H-S Success 0H 18M 18S

Interface : Tunnel2

Number of sessions: 2

Private address Public address Port Type State Holding time

192:168::2 1::2 18001 H-H Success 0H 46M 8S

192:168::3 1::3 18001 H-H Success 0H 27M 27S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Hub 3, Spoke 1, and Spoke 2.

# Display IPv6 ADVPN tunnel information on Spoke 1 and Spoke 2. This example uses Spoke 1.

[Spoke1] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 2

Private address Public address Port Type State Holding time

192:168:1::1 1::1 18001 S-H Success 0H 46M 8S


192:168:1::2 1::2 18001 S-H Success 0H 46M 8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Display IPv6 ADVPN tunnel information on Spoke 3 and Spoke 4. This example uses Spoke 4.

[Spoke3] display advpn ipv6 session

Interface : Tunnel1

Number of sessions: 1

Private address Public address Port Type State Holding time

192:168:2::1 1::3 18001 S-H Success 0H 46M 8S

The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3.

IPv4 full-mesh NAT traversal ADVPN configuration example

Network requirements

As shown in Figure 152, all the VAM servers and VAM clients reside behind a NAT gateway. The primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.

• Establish a permanent ADVPN tunnel between each spoke and each hub.

• Establish a temporary ADVPN tunnel dynamically between the two spokes in the same ADVPN domain.

Figure 152 Network diagram


Table 18 Interface and IP address assignment

Device            Interface  IP address
Hub 1             GE2/0/1    10.0.0.2/24
Hub 1             Tunnel1    192.168.0.1/24
Hub 2             GE2/0/1    10.0.0.3/24
Hub 2             Tunnel1    192.168.0.2/24
NAT1              GE2/0/1    1.0.0.1/24
NAT1              GE2/0/2    10.0.0.1/24
NAT2              GE2/0/1    1.0.0.2/24
NAT2              GE2/0/2    10.0.0.1/24
NAT3              GE2/0/1    1.0.0.3/24
NAT3              GE2/0/2    10.0.0.1/24
Spoke 1           GE2/0/1    10.0.0.2/24
Spoke 1           GE2/0/2    192.168.1.1/24
Spoke 1           Tunnel1    192.168.0.3/24
Spoke 2           GE2/0/1    10.0.0.2/24
Spoke 2           GE2/0/2    192.168.2.1/24
Spoke 2           Tunnel1    192.168.0.4/24
NAT4              GE2/0/1    1.0.0.4/24
NAT4              GE2/0/2    10.0.0.1/24
AAA server        -          10.0.0.2/24
Primary server    GE2/0/1    10.0.0.3/24
Secondary server  GE2/0/1    10.0.0.4/24

Configuring the primary VAM server

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3. Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Configure hubs in hub group 0:

Hub1—The private address is 192.168.0.1, the public address is 1.0.0.1 (after NAT), and the source port number of ADVPN packets is 4001 (after NAT).

Hub2—The private address is 192.168.0.2, the public address is 1.0.0.1 (after NAT), and the source port number of ADVPN packets is 4002 (after NAT).


[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1 public-address 1.0.0.1 advpn-port 4001

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2 public-address 1.0.0.1 advpn-port 4002

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

# Configure a default route.

[PrimaryServer] ip route-static 0.0.0.0 0 10.0.0.1

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary VAM server IP address as 1.0.0.4 (after NAT) and the port number as 4001 (after NAT).

[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.4 port 4001

# Specify the secondary VAM server IP address as 1.0.0.4 (after NAT) and the port number as 4002 (after NAT).

[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

3. Configure OSPF:

# Configure OSPF to advertise the private network.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.0] quit


[Hub1-ospf-1] quit

# Configure a default route.

[Hub1] ip route-static 0.0.0.0 0 10.0.0.1

4. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub1] interface tunnel 1 mode advpn udp

[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] ospf network-type broadcast

[Hub1-Tunnel1] source gigabitethernet 2/0/1

[Hub1-Tunnel1] undo shutdown

[Hub1-Tunnel1] quit

Configuring Hub 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.4 port 4001

[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

3. Configure OSPF:

# Configure OSPF to advertise the private network.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] quit

# Configure a default route.

[Hub2] ip route-static 0.0.0.0 0 10.0.0.1

4. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1.

[Hub2] interface tunnel1 mode advpn udp

[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] ospf network-type broadcast

[Hub2-Tunnel1] source gigabitethernet 2/0/1

[Hub2-Tunnel1] undo shutdown

[Hub2-Tunnel1] quit


Configuring Spoke 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.4 port 4001

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3. Configure OSPF:

# Configure OSPF to advertise the private network.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 0

[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.0] quit

[Spoke1-ospf-1] quit

# Configure a default route.

[Spoke1] ip route-static 0.0.0.0 0 10.0.0.1

4. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 1 will not participate in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn udp

[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type broadcast

[Spoke1-Tunnel1] ospf dr-priority 0

[Spoke1-Tunnel1] source gigabitethernet 2/0/1

[Spoke1-Tunnel1] undo shutdown

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key to 123456.


[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.4 port 4001

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3. Configure OSPF:

# Configure OSPF to advertise the private network.

[Spoke2] ospf 1

[Spoke2-ospf-1] area 0

[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.0] quit

[Spoke2-ospf-1] quit

# Configure a default route.

[Spoke2] ip route-static 0.0.0.0 0 10.0.0.1

4. Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp

[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type broadcast

[Spoke2-Tunnel1] ospf dr-priority 0

[Spoke2-Tunnel1] source gigabitethernet 2/0/1

[Spoke2-Tunnel1] undo shutdown

[Spoke2-Tunnel1] quit

Configuring NAT 1

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure NAT internal servers:

# Configure ACL 2000 to permit packets sourced from 10.0.0.0/24.

<NAT1> system-view

[NAT1] acl number 2000

[NAT1-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255

[NAT1-acl-basic-2000] quit

# Configure NAT internal servers on GigabitEthernet 2/0/1:

Allow external ADVPN nodes to access Hub 1 and Hub 2 by using the public address 1.0.0.1.

Specify the source UDP port number as 18001 for both Hub 1 and Hub 2.

Specify the UDP port number after NAT as 4001 for Hub 1, and as 4002 for Hub 2.

[NAT1] interface gigabitethernet 2/0/1

[NAT1-GigabitEthernet2/0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.2 18001

[NAT1-GigabitEthernet2/0/1] nat server protocol udp global current-interface 4002 inside 10.0.0.3 18001

[NAT1-GigabitEthernet2/0/1] nat outbound 2000


[NAT1-GigabitEthernet2/0/1] quit

# Enable NAT hairpin on GigabitEthernet 2/0/2.

[NAT1] interface gigabitethernet 2/0/2

[NAT1-GigabitEthernet2/0/2] nat hairpin enable

[NAT1-GigabitEthernet2/0/2] quit

Configuring NAT 2

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure NAT internal servers:

# Configure ACL 2000 to permit packets sourced from 10.0.0.0/24.

<NAT2> system-view

[NAT2] acl number 2000

[NAT2-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255

[NAT2-acl-basic-2000] quit

# Create address group 1.

[NAT2] nat address-group 1

# Add address 1.0.0.2 into the group.

[NAT2-nat-address-group-1] address 1.0.0.2 1.0.0.2

[NAT2-nat-address-group-1] quit

# Configure NAT on GigabitEthernet 2/0/1.

[NAT2] interface gigabitethernet 2/0/1

[NAT2-GigabitEthernet2/0/1] nat outbound 2000 address-group 1

[NAT2-GigabitEthernet2/0/1] quit

# Configure EIM for PAT to translate the source address and source port of packets matching ACL 2000 from the same address and port to the same source public address and port.

[NAT2] nat mapping-behavior endpoint-independent acl 2000

Configuring NAT 3

# Configure NAT 3 in the same way that NAT 2 is configured. (Details not shown.)

Configuring NAT 4

1. Configure IP addresses for the interfaces. (Details not shown.)

2. Configure NAT internal servers on GigabitEthernet 2/0/1:

Allow external VAM clients to access VAM and AAA servers by using the public address 1.0.0.4.

Specify the source UDP port number as 18000 for both the primary and secondary VAM servers.

Specify the UDP port number after NAT as 4001 for the primary server, and as 4002 for the secondary server.

<NAT4> system-view

[NAT4] interface gigabitethernet 2/0/1

[NAT4-GigabitEthernet2/0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.3 18000

[NAT4-GigabitEthernet2/0/1] nat server protocol udp global current-interface 4002 inside 10.0.0.4 18000

Verifying the configuration

# Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server address-map


ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192.168.0.1 1.0.0.1 Hub Yes 0H 52M 7S

0 192.168.0.2 1.0.0.1 Hub Yes 0H 47M 31S

0 192.168.0.3 1.0.0.2 Spoke Yes 0H 28M 25S

0 192.168.0.4 1.0.0.3 Spoke Yes 0H 19M 15S

# Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: 1

Total private address mappings: 4

Group Private address Public address Type NAT Holding time

0 192.168.0.1 1.0.0.1 Hub Yes 0H 52M 7S

0 192.168.0.2 1.0.0.1 Hub Yes 0H 47M 31S

0 192.168.0.3 1.0.0.2 Spoke Yes 0H 28M 25S

0 192.168.0.4 1.0.0.3 Spoke Yes 0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192.168.0.2 1.0.0.1 4002 H-H Success 0H 46M 8S

192.168.0.3 1.0.0.2 2001 H-S Success 0H 27M 27S

192.168.0.4 1.0.0.3 2001 H-S Success 0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn session

Interface : Tunnel1

Number of sessions: 2

Private address Public address Port Type State Holding time

192.168.0.1 1.0.0.1 4001 S-H Success 0H 46M 8S

192.168.0.2 1.0.0.1 4002 S-H Success 0H 46M 8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2.

[Spoke1] ping 192.168.0.4

Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 192.168.0.4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss


round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn session

Interface : Tunnel1

Number of sessions: 3

Private address Public address Port Type State Holding time

192.168.0.1 1.0.0.1 4001 S-H Success 0H 46M 8S

192.168.0.2 1.0.0.1 4002 S-H Success 0H 46M 8S

192.168.0.4 1.0.0.3 2001 S-S Success 0H 0M 1S

The output shows the following information:

• Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

• Spoke 1 has established a temporary spoke-spoke tunnel to Spoke 2.
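The secrets in this example are placeholders (RADIUS key 123, pre-shared key 123456, passwords equal to usernames), and a configuration derived from it can be checked for them before deployment. The following Python check is an added example, not HPE code; MIN_LENGTH, the finding labels, and the Finding record are assumptions, and only the command forms shown in this example are recognized.

```python
import re
from dataclasses import dataclass

# Commands copied from the configuration example above, plus two lines
# that carry no secret.
SAMPLE_CONFIG = """\
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
[PrimaryServer-vam-server-domain-abc] authentication-method chap
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
[Hub1-vam-client-Hub1] user hub1 password simple hub1
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
[Spoke1-Tunnel1] ospf dr-priority 0
"""

MIN_LENGTH = 16  # assumption: local policy threshold, not a Comware limit

# "[view] command" or "<view> command", as the guide prints its sessions.
PROMPT = re.compile(r"^[\[<](?P<view>[^\]>]+)[\]>]\s+(?P<cmd>.+)$")

# Only the secret-bearing command forms used in this example.
SECRET_COMMANDS = [
    ("radius-key",
     re.compile(r"^key (?:authentication|accounting) simple (?P<secret>\S+)$")),
    ("vam-psk",
     re.compile(r"^pre-shared-key simple (?P<secret>\S+)$")),
    ("vam-user",
     re.compile(r"^user (?P<user>\S+) password simple (?P<secret>\S+)$")),
]


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based line number in the audited text
    view: str       # CLI view taken from the prompt
    kind: str       # which secret-bearing command matched
    reasons: tuple  # why the value was flagged; the value itself is not kept


def weaknesses(secret, user=None):
    """Return the reasons a secret is considered weak (empty tuple if none)."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("short")
    if secret.isdigit():
        reasons.append("digits-only")
    if user is not None and secret.lower() == user.lower():
        reasons.append("matches-username")
    return tuple(reasons)


def audit(config_text):
    """Scan prompt-prefixed command lines and report weak secrets."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        prompt = PROMPT.match(raw.strip())
        if not prompt:
            continue
        for kind, pattern in SECRET_COMMANDS:
            match = pattern.match(prompt["cmd"])
            if not match:
                continue
            reasons = weaknesses(match["secret"], match.groupdict().get("user"))
            if reasons:
                findings.append(Finding(line_no, prompt["view"], kind, reasons))
            break
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.view}] {f.kind}: {', '.join(f.reasons)}")
```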


Configuring WAAS

Overview

The Wide Area Application Services (WAAS) feature is a set of services that can optimize WAN traffic. WAAS solves WAN issues such as high delay and low bandwidth by using optimization services. WAAS provides the following optimization services:

• Transport Flow Optimization (TFO).

• Data Redundancy Elimination (DRE).

• Lempel-Ziv compression (LZ compression).

TFO

TFO optimizes TCP traffic without modifying packet header information. TFO includes the following optimization methods:

• Slow start optimization.

• Increased buffering.

• Congestion algorithm optimization.

• Selective acknowledgement.

Slow start optimization

The initial congestion window size for TCP slow start is one TCP segment. During slow start, TCP doubles the congestion window size for each received ACK that acknowledges new data. In this manner, the congestion window will reach an appropriate value by examining the congestion status. In a WAN environment, the congestion window takes a long time to reach an appropriate size because of high delay.

Slow start optimization shortens the slow start process by increasing the initial congestion window size.

Increased buffering

TCP has a maximum buffer size of 64 KB. After the sender sends 64 KB data, it must wait for an ACK from the receiver before continuing to send data. This mechanism wastes bandwidth on the WAN link.

Increased buffering increases the TCP buffer size to a maximum of 16384 KB, improving link efficiency.

Congestion algorithm optimization

TCP uses the congestion window to control congestion. The window size indicates the size of data that can be sent out before an ACK is received. The window size changes with the congestion status. The greater the window size, the faster the data rate, which more likely causes congestion. The smaller the window size, the lower the data rate, which causes low link efficiency.

Congestion algorithm optimization achieves a trade-off between the data rate and congestion by selecting the optimum window size.

Selective acknowledgement

TCP uses a cumulative acknowledgement scheme. This scheme forces the sender to either wait a round-trip time to learn of each lost packet, or to unnecessarily retransmit segments that have been correctly received. When multiple nonconsecutive segments are lost, this scheme reduces overall TCP throughput.


Selective acknowledgement (SACK) allows the receiver to inform the sender of all segments that have arrived successfully. The sender needs to retransmit only the segments that have been lost.

DRE

DRE reduces the size of data transmitted by replacing repeated data blocks with shorter indexes. A WAAS device synchronizes its data dictionary to its peer devices. A data dictionary stores mappings between repeated data blocks and indexes.

Replacing repeated data blocks with indexes is called DRE compression. Replacing indexes with repeated data blocks is called DRE decompression.

DRE compression process

DRE compresses data in the following process:

1. The sending WAAS device caches TCP data and sends a large data block to the DRE module.

2. The DRE module divides the large data block into non-overlapping data blocks.

For a repeated data block, the DRE module performs the following operations:

− Replaces it with its index and creates an MD5 digest for the data block.

− Sends the index and MD5 digest to the peer.

For a non-repeated data block, the DRE module performs the following operations:

− Creates an index for the data block and adds them to the local data dictionary.

− Creates an MD5 digest for the data block and sends the data block, index, and MD5 digest to the peer.

WAAS uses the sliding window technology to segment data and detect data redundancy. This technology has the following advantages:

• High calculation speed.

• Effective repeated data block detection—It uses a fixed-size window to compare the original data with data blocks in the dictionary byte by byte.

DRE decompression process

DRE decompresses data in the following process:

1. The receiving WAAS device reconstructs the original data.

For an index, the device replaces the index with its data block after querying the data dictionary. If the query fails, the decompression fails, and the receiving WAAS device waits for the peer to retransmit the data.

For an index and a data block, the device creates an entry for them and adds the entry to the local data dictionary.

2. The receiving WAAS device calculates an MD5 digest for the original data and compares the calculated MD5 digest with the MD5 digest in the packet.

If the two MD5 digests are the same, the decompression succeeds.

If the two MD5 digests are different, the decompression fails, and the receiving WAAS device waits for the peer to retransmit the data.
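The compression and decompression steps above, modeled in Python as an added example (not HPE's implementation). Assumptions: fixed 64-byte blocks stand in for the sliding-window segmentation, indexes are sequential integers of 4 bytes on the wire, and the record tuples are an illustrative format.

```python
import hashlib

BLOCK_SIZE = 64    # assumption: the guide does not state a block size
INDEX_BYTES = 4    # assumption: size of an index on the wire
DIGEST_BYTES = 16  # length of an MD5 digest


class DreError(Exception):
    """Decompression failed; the receiver waits for the peer to retransmit."""


def md5(block):
    return hashlib.md5(block).digest()


class DreSender:
    def __init__(self):
        self.index_of = {}  # local data dictionary: data block -> index

    def compress(self, data):
        records = []
        for off in range(0, len(data), BLOCK_SIZE):
            block = data[off:off + BLOCK_SIZE]
            if block in self.index_of:
                # Repeated block: send only the index and the digest.
                records.append(("ref", self.index_of[block], md5(block)))
            else:
                # New block: create an index, store it, send block + index + digest.
                index = len(self.index_of)
                self.index_of[block] = index
                records.append(("new", index, md5(block), block))
        return records


class DreReceiver:
    def __init__(self):
        self.block_of = {}  # local data dictionary: index -> data block

    def decompress(self, records):
        out = bytearray()
        for kind, index, digest, *rest in records:
            if kind == "new":
                block = rest[0]
            elif index in self.block_of:
                block = self.block_of[index]
            else:
                raise DreError(f"index {index} is not in the data dictionary")
            if md5(block) != digest:
                raise DreError(f"MD5 mismatch for index {index}")
            # This example stores a block only after its digest verifies,
            # so a corrupted block never enters the dictionary.
            self.block_of[index] = block
            out += block
        return bytes(out)


def wire_size(records):
    """Bytes sent for a record list under the size assumptions above."""
    return sum(INDEX_BYTES + DIGEST_BYTES + (len(r[3]) if r[0] == "new" else 0)
               for r in records)


def demo():
    # Constructed sample data: four blocks, the third repeats the first.
    a, b, c = (bytes([v]) * BLOCK_SIZE for v in (0x41, 0x42, 0x43))
    payload = a + b + a + c
    sender, receiver = DreSender(), DreReceiver()
    first = sender.compress(payload)
    first_ok = receiver.decompress(first) == payload
    second = sender.compress(payload)
    second_ok = receiver.decompress(second) == payload
    # A receiver whose dictionary is empty while the sender's is not.
    try:
        DreReceiver().decompress(second)
        desync = "accepted"
    except DreError as exc:
        desync = str(exc)
    return {
        "first_kinds": [r[0] for r in first],
        "second_kinds": [r[0] for r in second],
        "first_bytes": wire_size(first),
        "second_bytes": wire_size(second),
        "round_trips_ok": first_ok and second_ok,
        "desync": desync,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The MD5 comparison catches dictionary desynchronization and corruption in transit; MD5 is not collision resistant, so it is not a safeguard against deliberately crafted blocks.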

LZ compression

LZ compression is a lossless compression algorithm that uses a compression dictionary to replace repeated data in the same message. The compression dictionary is carried in the compression result. The sending device uses the sliding window technology to detect repeated data.


Compared with DRE, LZ compression has a lower compression ratio. LZ compression does not require synchronization of compression dictionaries between the local and peer devices, which reduces memory consumption.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:

• MSR1002-4/1003-8S.

• MSR2003.

• MSR2004-24/2004-48.

• MSR3012/3024/3044/3064.

• MSR954(JH296A/JH297A/JH298A/JH299A)

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Protocols and standards

• RFC 1323, TCP Extensions for High Performance

• RFC 3390, Increasing TCP's Initial Window

• RFC 2581, TCP Congestion Control

• RFC 2018, TCP Selective Acknowledgment Options

• RFC 3042, Enhancing TCP's Loss Recovery Using Limited Transmit

• RFC 2582, The NewReno Modification to TCP's Fast Recovery Algorithm

WAAS configuration task list

Tasks at a glance

(Required.) Configuring a WAAS class

(Required.) Configuring a WAAS policy

(Required.) Applying a WAAS policy to an interface

(Optional.) Configuring TFO parameters

(Optional.) Configuring the TFO blacklist autodiscovery feature

(Optional.) Deleting all WAAS settings

(Optional.) Restoring predefined WAAS settings

Configuring a WAAS class

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a WAAS class and enter WAAS class view.
Command: waas class class-name
Remarks: By default, only predefined WAAS classes exist.

Step 3. Configure a match criterion.
Command: match [ match-id ] tcp { any | destination | source } [ ip-address ip-address [ mask-length | mask ] | ipv6-address ipv6-address [ prefix-length ] ] [ port port-list ]
Remarks: By default, no match criterion is configured.

Configuring a WAAS policy

To configure a WAAS policy, perform the following tasks:

1. Create a WAAS policy.

2. Use a WAAS class in the WAAS policy.

3. Configure actions for the WAAS class.

4. Enable optimization features.

You can configure the following actions for a WAAS class:

• Optimization actions—Optimize matching TCP traffic and include TFO, DRE, and LZ compression. TFO is required. DRE and LZ compression are optional.

• Passthrough action—Allows matching TCP traffic to pass through unoptimized.

To configure a WAAS policy:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a WAAS policy and enter WAAS policy view.
Command: waas policy policy-name
Remarks: By default, only the predefined WAAS policy exists. As a best practice, configure a WAAS policy by modifying the predefined WAAS policy.

Step 3. Specify a WAAS class and enter WAAS policy class view.
Command: class class-name [ insert-before existing_class ]
Remarks: By default, no WAAS class is specified.

Step 4. Configure optimization actions or the passthrough action.
Command (use one):
• optimize tfo [ dre | lz ] *
• passthrough
Remarks: By default, no action is configured. An optimization action takes effect only when the corresponding feature is enabled.

Step 5. Return to system view.
Command: quit
Remarks: N/A

Step 6. Enable DRE.
Command: waas tfo optimize dre
Remarks: By default, DRE is enabled.

Step 7. Enable LZ compression.
Command: waas tfo optimize lz
Remarks: By default, LZ compression is enabled.

Applying a WAAS policy to an interface

Apply a WAAS policy to the interface that connects to the WAN. The device optimizes or passes through the traffic entering and leaving the WAN according to the configured policy. If traffic enters and leaves the device on interfaces that are both connected to the WAN, the traffic is not optimized.

A WAAS policy can be applied to multiple interfaces. Only one WAAS policy can be applied to an interface.


To apply a WAAS policy to an interface:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step 3. Apply a WAAS policy to the interface.
Command: waas apply policy [ policy-name ]
Remarks: By default, no WAAS policy is applied to an interface.

Configuring TFO parameters

The congestion window size changes with the congestion status and transmission speed. An appropriate initial congestion window size can quickly restore the network to its full transmission capacity after congestion occurs.

After you enable TFO keepalives, the system starts the 2-hour TCP keepalive timer. If the local device does not send or receive any data when the timer expires, it sends a keepalive to the peer to maintain the connection.

The receiving buffer size specifies the size of data that can be received. It affects network throughput.

To configure TFO parameters:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Set the initial congestion window size.
Command: waas tfo base-congestion-window segments
Remarks: The default setting is two segments.

Step 3. Enable TFO keepalives.
Command: waas tfo keepalive
Remarks: By default, TFO keepalives are disabled.

Step 4. Set the receiving buffer size.
Command: waas tfo receive-buffer buffer-size
Remarks: The default setting is 64 KB.

Configuring the TFO blacklist autodiscovery feature

This feature automatically discovers servers that cannot receive TCP packets with options and adds the server IP addresses and port numbers to a blacklist. The system automatically removes blacklist entries after a user-configured aging time.

During the 3-way handshake, the local device considers the TCP connection attempt failed if either of the following situations occurs:

• The peer device does not respond within the specified time period.

• The peer device closes the TCP connection.

To configure the TFO blacklist autodiscovery feature:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable the TFO blacklist autodiscovery feature.
Command: waas tfo auto-discovery blacklist enable
Remarks: By default, the TFO blacklist autodiscovery feature is disabled.

Step 3. Set the aging time for blacklist entries.
Command: waas tfo auto-discovery blacklist hold-time minutes
Remarks: The default setting is 5 minutes.

Deleting all WAAS settings

This feature allows you to delete all configuration data and running data for WAAS and to exit the WAAS process.

To delete all WAAS settings:

Step 1. Enter system view.
Command: system-view

Step 2. Delete all WAAS settings.
Command: waas config remove-all

Restoring predefined WAAS settings

This feature allows you to restore the predefined WAAS policy and WAAS classes to their configurations when the WAAS process starts for the first time.

To restore predefined WAAS settings:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Restore predefined WAAS settings.
Command: waas config restore-default
Remarks: To successfully restore predefined WAAS settings, make sure none of the interfaces has a WAAS policy applied.

Displaying and maintaining WAAS

Execute display commands in any view and reset commands in user view.

Task: Display WAAS class configuration.
Command: display waas class [ class-name ]

Task: Display WAAS policy configuration.
Command: display waas policy [ policy-name ]

Task: Display WAAS session information (centralized devices in standalone mode).
Command: display waas session { ipv4 | ipv6 } [ client-ip client-ip ] [ client-port client-port ] [ server-ip server-ip ] [ server-port server-port ] [ peer-id peer-id ] [ verbose ]

Task: Display WAAS session information (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display waas session { ipv4 | ipv6 } [ client-ip client-ip ] [ client-port client-port ] [ server-ip server-ip ] [ server-port server-port ] [ peer-id peer-id ] [ verbose ] [ slot slot-number ]

Task: Display WAAS session information (distributed devices in IRF mode).
Command: display waas session { ipv4 | ipv6 } [ client-ip client-ip ] [ client-port client-port ] [ server-ip server-ip ] [ server-port server-port ] [ peer-id peer-id ] [ verbose ] [ chassis chassis-number slot slot-number ]

Task: Display DRE statistics (centralized devices in standalone mode).
Command: display waas statistics dre [ peer-id peer-id ]

Task: Display DRE statistics (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display waas statistics dre [ peer-id peer-id ] [ slot slot-number ]

Task: Display DRE statistics (distributed devices in IRF mode).
Command: display waas statistics dre [ peer-id peer-id ] [ chassis chassis-number slot slot-number ]

Task: Display the global WAAS status.
Command: display waas status

Task: Display autodiscovered blacklist information (centralized devices in standalone mode).
Command: display waas tfo auto-discovery blacklist { ipv4 | ipv6 }

Task: Display autodiscovered blacklist information (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display waas tfo auto-discovery blacklist { ipv4 | ipv6 } [ slot slot-number ]

Task: Display autodiscovered blacklist information (distributed devices in IRF mode).
Command: display waas tfo auto-discovery blacklist { ipv4 | ipv6 } [ chassis chassis-number slot slot-number ]

Task: Clear the DRE data dictionary.
Command: reset waas cache dre [ peer-id peer-id ]

Task: Clear DRE statistics.
Command: reset waas statistics dre [ peer-id peer-id ]

Task: Clear all blacklist entries.
Command: reset waas tfo auto-discovery blacklist

WAAS configuration examples

Predefined WAAS policy configuration example

Network requirements

As shown in Figure 153, apply the predefined WAAS policy on Router A and Router B.

The host downloads data from the server. Examine the optimization effect by comparing DRE statistics for the first download and second download.
• For the first download, both WAAS devices need to create data dictionary entries and Router A sends both indexes and metadata.
• For the second download, Router A replaces repeated data with indexes.


Figure 153 Network diagram

Configuration procedure

1. Configure IP addresses for interfaces. (Details not shown.)

2. Configure routing protocols to ensure connectivity.

3. Apply the predefined WAAS policy to interface GigabitEthernet 2/0/1 on Router A.

<RouterA> system-view

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] waas apply policy

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] quit

4. Apply the predefined WAAS policy to interface GigabitEthernet 2/0/1 on Router B.

<RouterB> system-view

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] waas apply policy

5. Download a test file of 14 MB from the server to the host.

6. Clear the DRE statistics on Router A.

<RouterA> reset waas statistic dre

7. Download the same file from the server to the host.

Verifying the configuration

# After the first download, display the DRE statistics on Router A.

<RouterA> display waas statistic dre

Peer-ID: cc3e-5fd8-5158

Peer version: 1.0

Cache in storage: 12710912 bytes

Index number: 49652

Age: 00 weeks, 00 days, 00 hours, 00 minutes, 35 seconds

Total connections: 1

Active connections: 0

Encode Statistics

Dre msgs: 2

Bytes in: 286 bytes

Bytes out: 318 bytes

Bypass bytes: 0 bytes


Bytes Matched: 0 bytes

Space saving: -11%

Average latency: 0 usec

Decode Statistics

Dre msgs: 57050

Bytes in: 14038391 bytes

Bytes out: 14079375 bytes

Bypass bytes: 0 bytes

Space saved: 0%

Average latency: 0 usec

# After the second download, display the DRE statistics on Router A.

<RouterA> display waas statistic dre

Peer-ID: cc3e-5fd8-5158

Peer version: 1.0

Cache in storage: 12851200 bytes

Index number: 50200

Age: 00 weeks, 00 days, 00 hours, 2 minutes, 56 seconds

Total connections: 1

Active connections: 0

Encode Statistics

Dre msgs: 2

Bytes in: 286 bytes

Bytes out: 60 bytes

Bypass bytes: 0 bytes

Bytes Matched: 256 bytes

Space saving: 79%

Average latency: 0 usec

Decode Statistics

Dre msgs: 62791

Bytes in: 2618457 bytes

Bytes out: 13972208 bytes

Bypass bytes: 0 bytes

Space saved: 81%

Average latency: 0 usec

In the second download, the number of bytes received for decompression is much smaller, and the download speed is much faster.

User-defined WAAS policy configuration example

Network requirements

As shown in Figure 154, configure and apply a user-defined WAAS policy on Router A and Router B.

The host downloads data from the server. Examine the optimization effect by comparing DRE statistics for the first download and second download.
• For the first download, both WAAS devices need to create data dictionary entries and Router A sends both indexes and metadata.
• For the second download, Router A replaces repeated data with indexes.


Figure 154 Network diagram

Configuration procedure

1. Configure IP addresses for interfaces. (Details not shown.)

2. Configure routing protocols to ensure connectivity.

3. Configure WAAS classes:

# Create WAAS class c1 on Router A, and configure the WAAS class to match any TCP packets.

<RouterA> system-view

[RouterA] waas class c1

[RouterA-waasclass-c1] match 1 tcp any

[RouterA-waasclass-c1] quit

# Create WAAS class c1 on Router B, and configure the WAAS class to match any TCP packets.

<RouterB> system-view

[RouterB] waas class c1

[RouterB-waasclass-c1] match tcp any

[RouterB-waasclass-c1] quit

4. Configure WAAS policies:

# Create WAAS policy p1 on Router A, use WAAS class c1, and configure TFO, DRE, and LZ optimization actions in the WAAS class.

[RouterA] waas policy p1

[RouterA-waaspolicy-p1] class c1

[RouterA-waaspolicy-p1-c1] optimize tfo dre lz

[RouterA-waaspolicy-p1-c1] quit

[RouterA-waaspolicy-p1] quit

# Create WAAS policy p1 on Router B, use WAAS class c1, and configure TFO, DRE, and LZ optimization actions in the WAAS class.

[RouterB] waas policy p1

[RouterB-waaspolicy-p1] class c1

[RouterB-waaspolicy-p1-c1] optimize tfo dre lz

[RouterB-waaspolicy-p1-c1] quit

[RouterB-waaspolicy-p1] quit

5. Apply WAAS policies:

# Apply WAAS policy p1 to interface GigabitEthernet 2/0/1 on Router A.

<RouterA> system-view

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] waas apply policy p1

[RouterA-GigabitEthernet2/0/1] quit

[RouterA] quit

# Apply WAAS policy p1 to interface GigabitEthernet 2/0/1 on Router B.

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] waas apply policy p1

[RouterB-GigabitEthernet2/0/1] quit

[RouterB] quit

6. Download a test file of 14 MB from the server to the host.

7. Clear the DRE statistics on Router A.

<RouterA> reset waas statistic dre

8. Download the same file from the server to the host.

Verifying the configuration

# After the first download, display the DRE statistics on Router A.

<RouterA> display waas statistic dre

Peer-ID: cc3e-5fd8-5158

Peer version: 1.0

Cache in storage: 12718592 bytes

Index number: 49682

Age: 00 weeks, 00 days, 00 hours, 00 minutes, 35 seconds

Total connections: 1

Active connections: 0

Encode Statistics

Dre msgs: 2

Bytes in: 286 bytes

Bytes out: 318 bytes

Bypass bytes: 0 bytes

Bytes Matched: 0 bytes

Space saving: -11%

Average latency: 0 usec

Decode Statistics

Dre msgs: 56959

Bytes in: 13999244 bytes

Bytes out: 14055291 bytes

Bypass bytes: 0 bytes

Space saved: 0%

Average latency: 0 usec

# After the second download, display the DRE statistics on Router A.

<RouterA> display waas statistic dre

Peer-ID: cc3e-5fd8-5158

Peer version: 1.0

Cache in storage: 12857856 bytes

Index number: 50226

Age: 00 weeks, 00 days, 00 hours, 2 minutes, 02 seconds

Total connections: 1


Active connections: 0

Encode Statistics

Dre msgs: 2

Bytes in: 286 bytes

Bytes out: 60 bytes

Bypass bytes: 0 bytes

Bytes Matched: 256 bytes

Space saving: 79%

Average latency: 0 usec

Decode Statistics

Dre msgs: 62687

Bytes in: 2592183 bytes

Bytes out: 13972208 bytes

Bypass bytes: 0 bytes

Space saved: 81%

Average latency: 0 usec

In the second download, the number of bytes received for decompression is much smaller, and the download speed is much faster.


Configuring AFT

Overview

Address Family Translation (AFT) is a technology that translates an IP address of one address family into an IP address of the other address family. It enables an IPv4 network and an IPv6 network to communicate with each other.

As shown in Figure 155, AFT performs address translation between the IPv4 network and the IPv6 network. The IPv4 host and the IPv6 host can communicate with each other without changing the existing configuration.

Figure 155 AFT application scenario

Compatibility information

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

AFT implementations

Static AFT

Static AFT creates a fixed mapping between an IPv4 address and an IPv6 address.

Dynamic AFT

Dynamic AFT creates a dynamic mapping between an IPv4 address and an IPv6 address.

When dynamic AFT performs IPv6-to-IPv4 source address translation, two modes are available: Not Port Address Translation (NO-PAT) and Port Address Translation (PAT).


NO-PAT

NO-PAT translates an IPv6 address to an IPv4 address. The IPv4 address cannot be used by another IPv6 host until it is released.

NO-PAT supports all IP packets.

PAT

PAT translates multiple IPv6 addresses to a single IPv4 address by mapping the IPv6 address and source port to the IPv4 address and a unique port. PAT supports the following packet types:
• TCP packets.
• UDP packets.
• ICMPv6 echo request and echo reply messages.

Prefix translation

NAT64 prefix translation

A NAT64 prefix is an IPv6 address prefix used to construct an IPv6 address representing an IPv4 node in an IPv6 network. No IPv6 host uses a constructed IPv6 address as its real IP address. The length of a NAT64 prefix can be 32, 40, 48, 56, 64, or 96 bits.

As shown in Figure 156, the construction methods vary depending on the NAT64 prefix length.
• If the prefix length is 32, 64, or 96 bits, the IPv4 address is embedded as a whole.
• If the prefix length is 40, 48, or 56 bits, the IPv4 address is split into two parts by bits 64 through 71 of the IPv6 address.

Figure 156 IPv6 address construction with NAT64 prefix and IPv4 address

AFT uses a NAT64 prefix to perform the following translations:
• IPv4-to-IPv6 source address translation. AFT translates a source IPv4 address to an IPv6 address constructed by using the NAT64 prefix and the IPv4 address.
• IPv6-to-IPv4 destination address translation. AFT uses the NAT64 prefix to match destination IPv6 addresses and extracts the embedded IPv4 address from matching IPv6 addresses.

IVI prefix translation

An IVI prefix is a 32-bit IPv6 address prefix. An IVI address is the IPv6 address that an IPv6 node actually uses. As shown in Figure 157, the IVI address includes an IVI prefix and an IPv4 address.

Figure 157 IVI address format


AFT uses an IVI prefix for IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, AFT translates it to the embedded IPv4 address.
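The NAT64 and IVI address layouts described above, worked through in Python as an added example (not code from the guide or from Comware). It covers all six NAT64 prefix lengths the guide lists. The 0xFF octet checked in ivi_extract is an assumption taken from RFC 6219; it is consistent with the address 3000:0:ff02:202:200:: that the guide shows for 2.2.2.2. All function names are hypothetical.

```python
import ipaddress

# Prefix lengths the guide lists for NAT64 prefixes.
NAT64_LENGTHS = (32, 40, 48, 56, 64, 96)


def _v4_byte_positions(prefix_len):
    """Byte offsets (0-15) that carry the four IPv4 octets for a prefix length."""
    if prefix_len not in NAT64_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length: {prefix_len}")
    positions, pos = [], prefix_len // 8
    while len(positions) < 4:
        if pos != 8:              # byte 8 is bits 64 through 71: always skipped
            positions.append(pos)
        pos += 1
    return positions


def nat64_embed(prefix, ipv4):
    """IPv4-to-IPv6: build the IPv6 address that represents an IPv4 node."""
    net = ipaddress.IPv6Network(prefix)   # raises if host bits are set in the prefix
    raw = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_v4_byte_positions(net.prefixlen), octets):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def nat64_extract(prefix, ipv6):
    """IPv6-to-IPv4: return the embedded IPv4 address, or None when the
    address does not match the NAT64 prefix (AFT leaves such packets alone)."""
    net = ipaddress.IPv6Network(prefix)
    positions = _v4_byte_positions(net.prefixlen)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in positions))


def ivi_extract(ivi_prefix, ipv6):
    """Return the IPv4 address embedded in an IVI address, or None on no match.
    Assumed layout (RFC 6219): 32-bit prefix, 0xFF octet, IPv4 address, zeros."""
    net = ipaddress.IPv6Network(ivi_prefix)
    if net.prefixlen != 32:
        raise ValueError("an IVI prefix is 32 bits long")
    addr = ipaddress.IPv6Address(ipv6)
    raw = addr.packed
    if addr not in net or raw[4] != 0xFF:
        return None
    return ipaddress.IPv4Address(raw[5:9])


if __name__ == "__main__":
    # Values that appear in the guide's examples and figure labels.
    print(nat64_embed("2012::/96", "20.1.1.1"))
    print(nat64_embed("2000::/32", "1.1.1.1"))
    print(ivi_extract("3000::/32", "3000:0:ff02:202:200::"))
```

When auditing an AFT deployment, nat64_extract returning None for a destination marks traffic the translator will not touch, which is the boundary an ACL or firewall rule has to account for.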

AFT internal server

AFT internal server creates a mapping between an IPv4 address and port number and the IPv6 address and port number of an IPv6 internal server. It allows the IPv6 internal server to provide services to IPv4 hosts.

AFT translation process

The address translation differs for IPv6-initiated communication and IPv4-initiated communication.

For IPv6-initiated communication

As shown in Figure 158, when the IPv6 host initiates the access to the IPv4 host, AFT operates as follows:

1. Upon receiving a packet from the IPv6 host, AFT compares the packet with IPv6-to-IPv4 destination address translation policies.
   • If a matching policy is found, AFT translates the destination IPv6 address according to the policy.
   • If no matching policy is found, AFT does not process the packet.

2. AFT performs the pre-lookup to determine the output interface for the translated packet. PBR is not used for the pre-lookup.
   • If a matching route is found, the process goes to step 3.
   • If no matching route is found, AFT discards the packet.

3. AFT compares the source IPv6 address of the packet with IPv6-to-IPv4 source address translation policies.
   • If a matching policy is found, AFT translates the source IPv6 address according to the policy.
   • If no matching policy is found, AFT discards the packet.

4. AFT forwards the translated packet and records the mappings between IPv6 addresses and IPv4 addresses.

5. AFT translates the IPv4 addresses in the response packet header to IPv6 addresses based on the address mappings before packet forwarding.

For more information about IPv6-to-IPv4 destination address translation policies, see "Configuring an IPv6-to-IPv4 destination address translation policy".

For more information about IPv6-to-IPv4 source address translation policies, see "Configuring an IPv6-to-IPv4 source address translation policy".


Figure 158 AFT process for IPv6-initiated communication

For IPv4-initiated communication

As shown in Figure 159, when the IPv4 host initiates the access to the IPv6 host, AFT operates as follows:

1. Upon receiving a packet from the IPv4 host, AFT compares the packet with IPv4-to-IPv6 destination address translation policies.
   • If a matching policy is found, AFT translates the destination IPv4 address according to the policy.
   • If no matching policy is found, AFT does not perform address translation.

2. AFT performs the pre-lookup to determine the output interface for the translated packet. PBR is not used for the pre-lookup.
   • If a matching route is found, the process goes to step 3.
   • If no matching route is found, the router discards the packet.

3. AFT compares the source IPv4 address with IPv4-to-IPv6 source address translation policies.
   • If a matching policy is found, AFT translates the source IPv4 address according to the policy.
   • If no matching policy is found, AFT discards the packet.

4. AFT forwards the translated packet and records the mapping between IPv4 addresses and IPv6 addresses.

5. AFT translates the IPv6 addresses in the response packet header to IPv4 addresses based on the address mappings before packet forwarding.

For more information about IPv4-to-IPv6 destination address translation policies, see "Configuring an IPv4-to-IPv6 destination address translation policy".

For more information about IPv4-to-IPv6 source address translation policies, see "Configuring an IPv4-to-IPv6 source address translation policy".

[Diagram labels: IPv6 host (IPv6 addr: 3000:0:ff02:202:200::/48, embedded IPv4 addr: 2.2.2.2/8); AFT (NAT64 prefix: 2000::/32, IVI prefix: 3000::/32); IPv4 host (IPv4 addr: 1.1.1.1/8, translated IPv6 addr: 2000:0:101:101::/40). Request: Dst 2000:0:101:101::, Src 3000:0:ff02:202:200:: is translated to Dst 1.1.1.1, Src 2.2.2.2 based on the NAT64 prefix, IVI prefix, or v6tov4 AFT policy. Response: Dst 2.2.2.2, Src 1.1.1.1 is translated to Dst 3000:0:ff02:202:200::, Src 2000:0:101:101:: based on the recorded mappings.]


Figure 159 AFT process for IPv4-initiated communication
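The five steps for IPv6-initiated communication, modelled in Python as an added example (not Comware code); the IPv4-initiated steps have the same shape with the address families swapped. The model uses the NAT64 prefix 2012::/96, the permitted source subnet 2013::/96, and the address group 10.1.1.1 to 10.1.1.3 from the guide's "Allowing IPv4 Internet access from an IPv6 network" example. The IPv4 route 20.0.0.0/8, the starting port 1025, the verdict strings, and all class and method names are assumptions made for the model.

```python
import ipaddress
import itertools


class AftV6ToV4Model:
    """Toy model of AFT for IPv6-initiated traffic with a dynamic PAT policy."""

    def __init__(self, nat64_prefix, acl_permit, pool_first, pool_last, ipv4_routes):
        self.prefix = ipaddress.IPv6Network(nat64_prefix)   # aft prefix-nat64
        if self.prefix.prefixlen != 96:
            raise ValueError("this model handles /96 NAT64 prefixes only")
        self.acl = ipaddress.IPv6Network(acl_permit)        # IPv6 ACL permit rule
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        pool = [ipaddress.IPv4Address(a) for a in range(first, last + 1)]
        # PAT: each IPv6 address/port gets a unique IPv4 address/port pair.
        self.free_pairs = itertools.product(pool, range(1025, 65536))
        self.routes = [ipaddress.IPv4Network(r) for r in ipv4_routes]
        self.by_v6 = {}   # (src6, sport) -> (src4, port4)
        self.by_v4 = {}   # (src4, port4) -> (src6, sport)

    def outbound(self, src6, sport, dst6):
        """Return (verdict, translation) for a packet from the IPv6 side."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        # Step 1: destination policy. No match means AFT does not process it.
        if dst6 not in self.prefix:
            return "not-processed", None
        dst4 = ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)
        # Step 2: route pre-lookup on the translated destination.
        if not any(dst4 in net for net in self.routes):
            return "discard-no-route", None
        # Step 3: source policy. No match means the packet is discarded.
        if src6 not in self.acl:
            return "discard-no-source-policy", None
        key = (src6, sport)
        if key not in self.by_v6:
            pair = next(self.free_pairs, None)
            if pair is None:
                return "discard-pool-exhausted", None
            # Step 4: record the mapping in both directions.
            self.by_v6[key] = pair
            self.by_v4[pair] = key
        src4, port4 = self.by_v6[key]
        return "translated", (src4, port4, dst4)

    def response(self, src4, dst4, dport):
        """Step 5: translate a response by using the recorded mapping only."""
        key = (ipaddress.IPv4Address(dst4), dport)
        if key not in self.by_v4:
            return None   # no recorded mapping for this address and port
        dst6, port6 = self.by_v4[key]
        base = int(self.prefix.network_address)
        src6 = ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(src4)))
        return src6, dst6, port6


def build_example_model():
    """Model loaded with the guide's example values plus a constructed route."""
    return AftV6ToV4Model("2012::/96", "2013::/96", "10.1.1.1", "10.1.1.3",
                          ["20.0.0.0/8"])


if __name__ == "__main__":
    aft = build_example_model()
    print(aft.outbound("2013::100", 40000, "2012::1401:101"))   # translated
    print(aft.outbound("2014::1", 40000, "2012::1401:101"))     # outside the ACL
    print(aft.response("20.1.1.1", "10.1.1.1", 1025))           # mapped response
```

The three verdicts are the audit-relevant outcomes: a destination outside the prefix bypasses AFT, while a missing route or a source outside the ACL causes a drop.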

AFT with ALG

AFT with ALG translates address or port information in the application layer payloads to ensure connection establishment.

For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depends on the payload information of the control connection. This requires AFT with ALG to translate the address and port information for data connection establishment.

AFT with ALG supports the following protocol packets: FTP packets, DNS packets, and ICMP error messages.

AFT configuration task list

For IPv6-initiated communication

Task at a glance

(Required.) Enabling AFT

(Required.) Configuring an IPv6-to-IPv4 destination address translation policy

(Required.) Configuring an IPv6-to-IPv4 source address translation policy

(Optional.) Configuring AFT logging

(Optional.) Setting the ToS field to 0 for translated IPv4 packets


For IPv4-initiated communication

Task at a glance

(Required.) Enabling AFT

(Required.) Configuring an IPv4-to-IPv6 destination address translation policy

(Required.) Configuring an IPv4-to-IPv6 source address translation policy

(Optional.) Configuring AFT logging

(Optional.) Setting the Traffic Class field to 0 for translated IPv6 packets

Enabling AFT

To implement address translation between IPv4 and IPv6 networks, you must enable AFT on interfaces connected to the IPv4 network and interfaces connected to the IPv6 network.

To enable AFT:

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Enable AFT.
Command: aft enable
Remarks: By default, AFT is disabled.

Configuring an IPv6-to-IPv4 destination address translation policy

AFT compares an IPv6 packet with IPv6-to-IPv4 destination address translation policies in the following order:
1. IPv4-to-IPv6 source address static mappings.
2. NAT64 prefixes.

To configure an IPv6-to-IPv4 destination address translation policy:

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Configure an IPv6-to-IPv4 destination address translation policy.
Command:
• Configure an IPv4-to-IPv6 source address static mapping: aft v4tov6 source ipv4-address [ vpn-instance vpn-instance-name4 ] ipv6-address [ vpn-instance vpn-instance-name6 ]
• Configure a NAT64 prefix: aft prefix-nat64 prefix-nat64 prefix-length
Remarks: By default, no IPv6-to-IPv4 destination address translation policy exists.


Configuring an IPv6-to-IPv4 source address translation policy

AFT compares an IPv6 packet with IPv6-to-IPv4 source address translation policies in the following order:
1. IPv6-to-IPv4 source address static mappings.
2. IVI prefixes.
3. IPv6-to-IPv4 source address dynamic translation policies.

To configure an IPv6-to-IPv4 source address translation policy:

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Create an AFT address group and enter AFT address group view.
Command: aft address-group group-number
Remarks: By default, no AFT address group exists. This step is required if you decide to use an address group in an IPv6-to-IPv4 source address dynamic translation policy.

Step: 3. Add an address range to the address group.
Command: address start-address end-address
Remarks: By default, no address range exists. You can add multiple address ranges to an address group. The address ranges must not overlap.

Step: 4. Return to system view.
Command: quit
Remarks: N/A

Step: 5. Configure an IPv6-to-IPv4 source address translation policy.
Command:
• Configure an IPv6-to-IPv4 source address static mapping: aft v6tov4 source ipv6-address [ vpn-instance vpn-instance-name6 ] ipv4-address [ vpn-instance vpn-instance-name4 ]
• Configure an IPv6-to-IPv4 source address dynamic translation policy: aft v6tov4 source { acl ipv6 { number acl6-number | name acl6-name } | prefix-nat64 prefix-nat64 prefix-length [ vpn-instance vpn-instance-name6 ] } { address-group group-number [ no-pat | port-block-size blocksize ] | interface interface-type interface-number } [ vpn-instance vpn-instance-name4 ]
• Configure an IVI prefix: aft prefix-ivi prefix-ivi
Remarks: By default, no IPv6-to-IPv4 source address translation policy exists.


Configuring an IPv4-to-IPv6 destination address translation policy

AFT compares an IPv4 packet with IPv4-to-IPv6 destination address translation policies in the following order:
1. AFT mappings for IPv6 internal servers.
2. IPv6-to-IPv4 source address static mappings.
3. IPv4-to-IPv6 destination address dynamic translation policies.

To configure an IPv4-to-IPv6 destination address translation policy:

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Configure an IPv4-to-IPv6 destination address translation policy.
Command:
• Configure an AFT mapping for an IPv6 internal server: aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance vpn-instance-name4 ] ipv6-destination-address ipv6-port-number [ vpn-instance vpn-instance-name6 ]
• Configure an IPv6-to-IPv4 source address static mapping: aft v6tov4 source ipv6-address [ vpn-instance vpn-instance-name6 ] ipv4-address [ vpn-instance vpn-instance-name4 ]
• Configure an IPv4-to-IPv6 destination address dynamic translation policy: aft v4tov6 destination acl { number acl-number | name acl-name } prefix-ivi prefix-ivi [ vpn-instance vpn-instance-name6 ]
Remarks: By default, no IPv4-to-IPv6 destination address translation policy exists.

Configuring an IPv4-to-IPv6 source address translation policy

AFT compares an IPv4 packet with IPv4-to-IPv6 source address translation policies in the following order:
1. IPv4-to-IPv6 source address static mappings.
2. IPv4-to-IPv6 source address dynamic translation policies.
3. NAT64 prefixes.

For a packet that does not match a mapping or policy, AFT uses the first NAT64 prefix to translate the source IPv4 address.

To configure an IPv4-to-IPv6 source address translation policy:

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Configure an IPv4-to-IPv6 source address translation policy.
Command:
• Configure an IPv4-to-IPv6 source address static mapping: aft v4tov6 source ipv4-address [ vpn-instance vpn-instance-name4 ] ipv6-address [ vpn-instance vpn-instance-name6 ]
• Configure an IPv4-to-IPv6 source address dynamic translation policy: aft v4tov6 source acl { number acl-number | name acl-name } prefix-nat64 prefix-nat64 prefix-length [ vpn-instance vpn-instance-name6 ]
• Configure a NAT64 prefix: aft prefix-nat64 prefix-nat64 prefix-length
Remarks: By default, no IPv4-to-IPv6 source address translation policy exists.

Configuring AFT logging

For security auditing, you can configure AFT logging to record AFT session information. AFT sessions refer to sessions whose source and destination addresses have been translated by AFT.

To configure AFT logging:

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enable AFT logging.
Command: aft log enable
Remarks: By default, AFT logging is disabled.

Setting the ToS field to 0 for translated IPv4 packets

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.
Command: aft turn-off tos
Remarks: By default, the ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets.

Setting the Traffic Class field to 0 for translated IPv6 packets

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Set the Traffic Class field to 0 for IPv6 packets translated from IPv4 packets.
Command: aft turn-off traffic-class
Remarks: By default, the Traffic Class field value of translated IPv6 packets is the same as the ToS field value of original IPv4 packets.

Displaying and maintaining AFT

Execute display commands in any view and reset commands in user view.


Task: Display AFT configuration.
Command: display aft configuration

Task: Display AFT address group information.
Command: display aft address-group [ group-number ]

Task: Display AFT mappings (centralized devices in standalone mode).
Command: display aft address-mapping

Task: Display AFT mappings (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display aft address-mapping [ slot slot-number ]

Task: Display AFT mappings (distributed devices in IRF mode).
Command: display aft address-mapping [ chassis chassis-number slot slot-number ]

Task: Display information about AFT NO-PAT entries (centralized devices in standalone mode).
Command: display aft no-pat

Task: Display information about AFT NO-PAT entries (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display aft no-pat [ slot slot-number ]

Task: Display information about AFT NO-PAT entries (distributed devices in IRF mode).
Command: display aft no-pat [ chassis chassis-number slot slot-number ]

Task: Display AFT port block mappings (centralized devices in standalone mode).
Command: display aft port-block

Task: Display AFT port block mappings (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display aft port-block [ slot slot-number ]

Task: Display AFT port block mappings (distributed devices in IRF mode).
Command: display aft port-block [ chassis chassis-number slot slot-number ]

Task: Display information about AFT sessions (centralized devices in standalone mode).
Command:
display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance vpn-instance-name4 ] ] [ verbose ]
display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance vpn-instance-name6 ] ] [ verbose ]

Task: Display information about AFT sessions (distributed devices in standalone mode/centralized devices in IRF mode).
Command:
display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance vpn-instance-name4 ] ] [ slot slot-number ] [ verbose ]
display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance vpn-instance-name6 ] ] [ slot slot-number ] [ verbose ]

Task: Display information about AFT sessions (distributed devices in IRF mode).
Command:
display aft session ipv4 [ { source-ip source-ip-address | destination-ip destination-ip-address } * [ vpn-instance vpn-instance-name4 ] ] [ chassis chassis-number slot slot-number ] [ verbose ]
display aft session ipv6 [ { source-ip source-ipv6-address | destination-ip destination-ipv6-address } * [ vpn-instance vpn-instance-name6 ] ] [ chassis chassis-number slot slot-number ] [ verbose ]


Task: Display AFT statistics (centralized devices in standalone mode).
Command: display aft statistics

Task: Display AFT statistics (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display aft statistics [ slot slot-number ]

Task: Display AFT statistics (distributed devices in IRF mode).
Command: display aft statistics [ chassis chassis-number slot slot-number ]

Task: Clear AFT sessions (centralized devices in standalone mode).
Command: reset aft session

Task: Clear AFT sessions (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset aft session [ slot slot-number ]

Task: Clear AFT sessions (distributed devices in IRF mode).
Command: reset aft session [ chassis chassis-number slot slot-number ]

Task: Clear AFT statistics (centralized devices in standalone mode).
Command: reset aft statistics

Task: Clear AFT statistics (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset aft statistics [ slot slot-number ]

Task: Clear AFT statistics (distributed devices in IRF mode).
Command: reset aft statistics [ chassis chassis-number slot slot-number ]

AFT configuration examples

Allowing IPv4 Internet access from an IPv6 network

Network requirements

As shown in Figure 160, a company upgrades the network to IPv6 and has IPv4 addresses from 10.1.1.1 to 10.1.1.3.

To allow IPv6 hosts on subnet 2013::/96 to access the IPv4 Internet, configure the following AFT policies on the router:
• Configure a NAT64 prefix to translate IPv4 addresses of IPv4 servers to IPv6 addresses.
• Configure an IPv6-to-IPv4 source address dynamic translation policy to translate source IPv6 addresses of IPv6-initiated packets to IPv4 addresses in the range of 10.1.1.1 to 10.1.1.3.


Figure 160 Network diagram

Configuration process

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Create AFT address group 0, and add the address range from 10.1.1.1 to 10.1.1.3 to the group.

<Router> system-view

[Router] aft address-group 0

[Router-aft-address-group-0] address 10.1.1.1 10.1.1.3

[Router-aft-address-group-0] quit

# Configure IPv6 ACL 2000 to permit IPv6 packets only from subnet 2013::/96 to pass through.

[Router] acl ipv6 basic 2000

[Router-acl6-basic-2000] rule permit source 2013:: 96

[Router-acl6-basic-2000] rule deny

[Router-acl6-basic-2000] quit

# Configure the router to translate source IPv6 addresses of packets permitted by IPv6 ACL 2000 to IPv4 addresses in address group 0.

[Router] aft v6tov4 source acl ipv6 number 2000 address-group 0

# Configure the router to use NAT64 prefix 2012::/96 to translate destination IPv6 addresses of IPv6 packets.

[Router] aft prefix-nat64 2012:: 96

# Enable AFT on GigabitEthernet 2/0/1, which is connected to the IPv6 network.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] aft enable

[Router-GigabitEthernet2/0/1] quit

# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv4 Internet.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] aft enable

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify the connectivity between IPv6 hosts and IPv4 servers. This example pings IPv4 server A from IPv6 host A.

D:\>ping 2012::20.1.1.1

Pinging 2012::20.1.1.1 with 32 bytes of data:

Reply from 2012::20.1.1.1: time=3ms

Reply from 2012::20.1.1.1: time=3ms

Reply from 2012::20.1.1.1: time=3ms

Reply from 2012::20.1.1.1: time=3ms


# Display detailed information about IPv6 AFT sessions on the router.

[Router] display aft session ipv6 verbose

Initiator:

Source IP/port: 2013::100/0

Destination IP/port: 2012::1401:0101/32768

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: IPV6-ICMP(58)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 2012::1401:0101/0

Destination IP/port: 2013::100/33024

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: IPV6-ICMP(58)

Inbound interface: GigabitEthernet2/0/2

State: ICMPV6_REPLY

Application: OTHER

Start time: 2014-03-13 08:52:59 TTL: 23s

Initiator->Responder: 4 packets 320 bytes

Responder->Initiator: 4 packets 320 bytes

Total sessions found: 1

# Display detailed information about IPv4 AFT sessions on the router.

[Router] display aft session ipv4 verbose

Initiator:

Source IP/port: 10.1.1.1/1025

Destination IP/port: 20.1.1.1/2048

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 20.1.1.1/1025

Destination IP/port: 10.1.1.1/0

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/2

State: ICMP_REPLY

Application: OTHER

Start time: 2014-03-13 08:52:59 TTL: 27s

Initiator->Responder: 4 packets 240 bytes

Responder->Initiator: 4 packets 240 bytes

Total sessions found: 1


Providing FTP service from an IPv6 network to the IPv4 Internet

Network requirements

As shown in Figure 161, a company upgrades the network to IPv6, and it has an IPv4 address 10.1.1.1.

To allow the IPv6 FTP server to provide FTP services to IPv4 hosts, configure the following AFT policies on the router:

• Map the IPv6 address and TCP port number of the IPv6 FTP server to the company's IPv4 address and TCP port number.

• Configure a NAT64 prefix to translate source IPv4 addresses of IPv4 packets to source IPv6 addresses.

Figure 161 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Map IPv4 address 10.1.1.1 with TCP port 21 to IPv6 address 2013::102 with TCP port 21 for the IPv6 internal FTP server.

<Router> system-view

[Router] aft v6server protocol tcp 10.1.1.1 21 2013::102 21

# Configure the router to use NAT64 prefix 2012:: 96 to translate source addresses of IPv4 packets.

[Router] aft prefix-nat64 2012:: 96

# Enable AFT on GigabitEthernet 2/0/1, which is connected to the IPv4 Internet.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] aft enable

[Router-GigabitEthernet2/0/1] quit

# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv6 FTP server.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] aft enable

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify that IPv4 hosts can use FTP to access the IPv6 FTP server. (Details not shown.)

# Display detailed information about IPv4 AFT sessions on the router.

[Router] display aft session ipv4 verbose

Initiator:

Source IP/port: 20.1.1.1/11025

Destination IP/port: 10.1.1.1/21

DS-Lite tunnel peer: -


VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 10.1.1.1/21

Destination IP/port: 20.1.1.1/11025

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

State: TCP_ESTABLISHED

Application: FTP

Start time: 2014-03-13 09:07:30 TTL: 3577s

Initiator->Responder: 3 packets 124 bytes

Responder->Initiator: 2 packets 108 bytes

Total sessions found: 1

# Display detailed information about IPv6 AFT sessions on the router.

[Router] display aft session ipv6 verbose

Initiator:

Source IP/port: 2012::1401:0101/1029

Destination IP/port: 2013::102/21

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 2013::102/21

Destination IP/port: 2012::1401:0101/1029

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

State: TCP_ESTABLISHED

Application: FTP

Start time: 2014-03-13 09:07:30 TTL: 3582s

Initiator->Responder: 3 packets 184 bytes

Responder->Initiator: 2 packets 148 bytes

Total sessions found: 1
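The two session displays in this FTP example describe one flow as seen from each address family. The following Python is an added example (not HPE code) that parses the verbose output into records and pairs the IPv4 and IPv6 views, which is useful when auditing translated flows. The sample text is copied from this example with indentation assumed, the function names are illustrative, and pairing on start time plus the NAT64-embedded address is a heuristic based on this sample.

```python
import ipaddress
import re

# Text from the FTP example on this page (indentation assumed).
IPV4_VIEW = """\
Initiator:
  Source IP/port: 20.1.1.1/11025
  Destination IP/port: 10.1.1.1/21
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/1
Responder:
  Source IP/port: 10.1.1.1/21
  Destination IP/port: 20.1.1.1/11025
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/2
State: TCP_ESTABLISHED
Application: FTP
Start time: 2014-03-13 09:07:30 TTL: 3577s
Initiator->Responder: 3 packets 124 bytes
Responder->Initiator: 2 packets 108 bytes
Total sessions found: 1
"""
IPV6_VIEW = """\
Initiator:
  Source IP/port: 2012::1401:0101/1029
  Destination IP/port: 2013::102/21
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/1
Responder:
  Source IP/port: 2013::102/21
  Destination IP/port: 2012::1401:0101/1029
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet2/0/2
State: TCP_ESTABLISHED
Application: FTP
Start time: 2014-03-13 09:07:30 TTL: 3582s
Initiator->Responder: 3 packets 184 bytes
Responder->Initiator: 2 packets 148 bytes
Total sessions found: 1
"""

def split_endpoint(value):
    """'2012::1401:0101/1029' -> (IPv6Address('2012::1401:101'), 1029)."""
    addr, port = value.rsplit("/", 1)
    return ipaddress.ip_address(addr), int(port)

def parse_aft_sessions(text):
    """Parse 'display aft session ipv4|ipv6 verbose' output into dicts."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":
            cur = {"initiator": {}, "responder": {}}
            sessions.append(cur)
            side = "initiator"
        elif line == "Responder:":
            side = "responder"
        elif cur is None or ": " not in line or line.startswith("Total sessions"):
            continue  # blank line, CLI prompt, or summary line
        else:
            key, value = line.split(": ", 1)
            if key == "State":
                side = None  # fields from here on describe the whole session
            ttl = re.match(r"(.+?)\s+TTL:\s*(\d+)s$", value)
            if key == "Start time" and ttl:
                cur["Start time"], cur["TTL"] = ttl.group(1), int(ttl.group(2))
            elif key.endswith("IP/port") and side:
                cur[side][key] = split_endpoint(value)
            else:
                (cur[side] if side else cur)[key] = value
    return sessions

def correlate(v4_sessions, v6_sessions, nat64_prefix="2012::/96"):
    """Pair IPv4 and IPv6 views of one flow via the NAT64-embedded address."""
    net = ipaddress.IPv6Network(nat64_prefix)
    pairs = []
    for s4 in v4_sessions:
        for s6 in v6_sessions:
            if s4.get("Start time") != s6.get("Start time"):
                continue
            for field in ("Source IP/port", "Destination IP/port"):
                a4 = s4["initiator"][field][0]
                a6 = s6["initiator"][field][0]
                # Low 32 bits of a /96 NAT64 address carry the IPv4 address.
                if a6 in net and int(a6) & 0xFFFFFFFF == int(a4):
                    pairs.append((s4, s6, field))
                    break
    return pairs
```
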

Allowing mutual access between IPv4 and IPv6 networks

Network requirements

As shown in Figure 162, a company deploys both an IPv4 network and an IPv6 network.

To allow mutual access between the IPv4 network and the IPv6 network, configure the following AFT policies on the router:

• Assign an IVI prefix and an IPv4 subnet to the IPv6 network. Each IPv6 host uses an IPv6 address formed from the IVI prefix and an IPv4 address on the IPv4 subnet.

• Configure a NAT64 prefix to translate source IPv4 addresses of packets initiated by the IPv4 network to IPv6 addresses.

Figure 162 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. The IPv6 addresses for IPv6 hosts are calculated from the IVI prefix 2013::/32 and IPv4 addresses in the range of 20.1.1.0/24. (Details not shown.)

# Configure IPv4 ACL 2000 to permit all IPv4 packets to pass through.

<Router> system-view

[Router] acl basic 2000

[Router-acl-basic-2000] rule permit

[Router-acl-basic-2000] quit

# Configure the router to use NAT64 prefix 2012:: 96 to translate source addresses of IPv4 packets. The router also uses the prefix to translate destination addresses of IPv6 packets.

[Router] aft prefix-nat64 2012:: 96

# Configure the router to use IVI prefix 2013:: to translate source addresses of IPv6 packets.

[Router] aft prefix-ivi 2013::

# Configure the router to use IVI prefix 2013:: to translate destination addresses of packets permitted by IPv4 ACL 2000.

[Router] aft v4tov6 destination acl number 2000 prefix-ivi 2013::

# Enable AFT on GigabitEthernet 2/0/1, which is connected to the IPv4 network.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] aft enable

[Router-GigabitEthernet2/0/1] quit

# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv6 network.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] aft enable

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify the connectivity between IPv6 hosts and IPv4 hosts. This example pings IPv4 host A from IPv6 host A.

D:\>ping 2012::a01:0101

Pinging 2012::a01:0101 with 32 bytes of data:

Reply from 2012::a01:0101: time=3ms

Reply from 2012::a01:0101: time=3ms

Reply from 2012::a01:0101: time=3ms

Reply from 2012::a01:0101: time=3ms

# Display information about IPv6 AFT sessions on the router.

[Router] display aft session ipv6 verbose

Initiator:

Source IP/port: 2013:0:FF14:0101:0100::/0

Destination IP/port: 2012::0a01:0101/32768

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: IPV6-ICMP(58)

Inbound interface: GigabitEthernet2/0/2

Responder:

Source IP/port: 2012::0a01:0101/0

Destination IP/port: 2013:0:FF14:0101:0100::/33024

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: IPV6-ICMP(58)

Inbound interface: GigabitEthernet2/0/1

State: ICMPV6_REPLY

Application: OTHER

Start time: 2014-03-13 08:52:59 TTL: 23s

Initiator->Responder: 4 packets 320 bytes

Responder->Initiator: 4 packets 320 bytes

Total sessions found: 1

# Display information about IPv4 AFT sessions on the router.

[Router] display aft session ipv4 verbose

Initiator:

Source IP/port: 20.1.1.1/1025

Destination IP/port: 10.1.1.1/2048

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/2

Responder:

Source IP/port: 10.1.1.1/1025

Destination IP/port: 20.1.1.1/0

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/1

State: ICMP_REPLY

Application: OTHER

Start time: 2014-03-13 08:52:59 TTL: 27s

Initiator->Responder: 4 packets 240 bytes

Responder->Initiator: 4 packets 240 bytes

Total sessions found: 1
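The NAT64 and IVI addresses in the session displays above follow directly from the configured prefixes. The Python below is an added example (not from the HPE guide) that embeds and recovers the IPv4 address for both forms, which helps when mapping IPv6-side log entries back to IPv4 hosts. The IVI bit layout (32-bit prefix, FF, IPv4 address, zero suffix) is inferred from the page's sample address 2013:0:FF14:0101:0100:: and matches RFC 6219; the function names are illustrative.

```python
import ipaddress

def nat64_embed(prefix, ipv4):
    """Place the IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | v4)

def nat64_extract(prefix, ipv6):
    """Return the embedded IPv4Address, or None if ipv6 is outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen != 96 or addr not in net:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def ivi_embed(prefix, ipv4):
    """Build prefix(32 bits) | FF (bits 32-39) | IPv4 (bits 40-71) | zeros."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 32:
        raise ValueError("only /32 IVI prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0xFF << 88) | (v4 << 56))

def ivi_extract(prefix, ipv6):
    """Return the embedded IPv4Address, or None if ipv6 is not IVI-formatted."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    value = int(addr)
    if net.prefixlen != 32 or addr not in net:
        return None
    # Reject addresses that share the prefix but lack the FF marker or have
    # a non-zero suffix, such as an ordinary host address like 2013::102.
    if (value >> 88) & 0xFF != 0xFF or value & ((1 << 56) - 1):
        return None
    return ipaddress.IPv4Address((value >> 56) & 0xFFFFFFFF)

def map_back(ipv6, nat64_prefix="2012::/96", ivi_prefix="2013::/32"):
    """Classify an IPv6 address from a session log and recover its IPv4 form.

    Returns ("nat64", "a.b.c.d"), ("ivi", "a.b.c.d"), or None.
    The default prefixes are the ones configured in this example.
    """
    v4 = nat64_extract(nat64_prefix, ipv6)
    if v4 is not None:
        return ("nat64", str(v4))
    v4 = ivi_extract(ivi_prefix, ipv6)
    if v4 is not None:
        return ("ivi", str(v4))
    return None
```
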

Allowing IPv6 Internet access from an IPv4 network

Network requirements

As shown in Figure 163, a company deploys an IPv4 network, and the Internet migrates to IPv6.


To allow IPv4 hosts to access the IPv6 server in the IPv6 Internet, configure the following AFT policies on the router:

• Configure an IPv4-to-IPv6 source address dynamic translation policy.

• Configure an IPv6-to-IPv4 source address static mapping for the IPv6 server.

Figure 163 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure IPv4 ACL 2000 to permit IPv4 packets only from subnet 10.1.1.0/24 to pass through.

<Router> system-view

[Router] acl number 2000

[Router-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255

[Router-acl-basic-2000] rule deny

[Router-acl-basic-2000] quit

# Configure NAT64 prefix 2012:: 96.

[Router] aft prefix-nat64 2012:: 96

# Configure the router to use NAT64 prefix 2012:: 96 to translate source addresses of packets permitted by IPv4 ACL 2000.

[Router] aft v4tov6 source acl number 2000 prefix-nat64 2012:: 96

# Map source IPv6 address 2013:0:ff14:0101:100:: to source IPv4 address 20.1.1.1.

[Router] aft v6tov4 source 2013:0:ff14:0101:100:: 20.1.1.1

# Enable AFT on GigabitEthernet 2/0/1, which is connected to the IPv4 network.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] aft enable

[Router-GigabitEthernet2/0/1] quit

# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv6 Internet.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] aft enable

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify the connectivity between the IPv4 hosts and the IPv6 server. This example uses the ping utility on an IPv4 host.

D:\>ping 20.1.1.1

Pinging 20.1.1.1 with 32 bytes of data:

Reply from 20.1.1.1: bytes=32 time=14ms TTL=63

Reply from 20.1.1.1: bytes=32 time=1ms TTL=63

Reply from 20.1.1.1: bytes=32 time=1ms TTL=63

Reply from 20.1.1.1: bytes=32 time=1ms TTL=63

# Display detailed information about IPv4 AFT sessions on the router.

[Router] display aft session ipv4 verbose

Initiator:

Source IP/port: 10.1.1.1/1025

Destination IP/port: 20.1.1.1/2048

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 20.1.1.1/1025

Destination IP/port: 10.1.1.1/0

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: ICMP(1)

Inbound interface: GigabitEthernet2/0/2

State: ICMP_REPLY

Application: OTHER

Start time: 2014-03-13 08:52:59 TTL: 27s

Initiator->Responder: 4 packets 240 bytes

Responder->Initiator: 4 packets 240 bytes

Total sessions found: 1

# Display detailed information about IPv6 AFT sessions on the router.

[Router] display aft session ipv6 verbose

Initiator:

Source IP/port: 2012::0A01:0101/0

Destination IP/port: 2013:0:FF14:0101:0100::/32768

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: IPV6-ICMP(58)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 2013:0:FF14:0101:0100::/0

Destination IP/port: 2012::0A01:0101/33024

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: IPV6-ICMP(58)

Inbound interface: GigabitEthernet2/0/2

State: ICMPV6_REPLY

Application: OTHER

Start time: 2014-03-13 08:52:59 TTL: 23s

Initiator->Responder: 4 packets 320 bytes

Responder->Initiator: 4 packets 320 bytes

Total sessions found: 1


Providing FTP service from an IPv4 network to the IPv6 Internet

Network requirements

As shown in Figure 164, a company deploys an IPv4 network, and it has an IPv6 address 2012::1. The Internet migrates to IPv6.

To allow the IPv4 FTP server to provide FTP services to IPv6 hosts, configure the following AFT policies on the router:

• Configure an IPv4-to-IPv6 source address static mapping for the IPv4 FTP server. The router uses the mapping to translate the destination IPv6 address of IPv6-initiated packets to the IPv4 address.

• Configure an IPv6-to-IPv4 source address dynamic translation policy. The router translates source IPv6 addresses of IPv6-initiated packets to source IPv4 addresses 30.1.1.1 and 30.1.1.2.

Figure 164 Network diagram

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Map source IPv4 address 20.1.1.1 to source IPv6 address 2012::1.

<Router> system-view

[Router] aft v4tov6 source 20.1.1.1 2012::1

# Configure address group 0, and add the address range from 30.1.1.1 to 30.1.1.2 to the group.

[Router] aft address-group 0

[Router-aft-address-group-0] address 30.1.1.1 30.1.1.2

[Router-aft-address-group-0] quit

# Configure IPv6 ACL 2000 to permit all IPv6 packets to pass through.

[Router] acl ipv6 basic 2000

[Router-acl6-basic-2000] rule permit

[Router-acl6-basic-2000] quit

# Configure the router to translate source addresses of IPv6 packets permitted by IPv6 ACL 2000 to IPv4 addresses in address group 0.

[Router] aft v6tov4 source acl ipv6 number 2000 address-group 0

# Enable AFT on GigabitEthernet 2/0/1, which is connected to the IPv6 Internet.

[Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] aft enable

[Router-GigabitEthernet2/0/1] quit


# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv4 network.

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] aft enable

[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify the connectivity between the IPv6 hosts and the IPv4 FTP server. For example, ping the IPv4 FTP server from IPv6 host A.

D:\>ping 2012::1

Pinging 2012::1 with 32 bytes of data:

Reply from 2012::1: time=3ms

Reply from 2012::1: time=3ms

Reply from 2012::1: time=3ms

Reply from 2012::1: time=3ms

# Display detailed information about IPv6 AFT sessions on the router.

[Router] display aft session ipv6 verbose

Initiator:

Source IP/port: 2013:0:FF0A:0101:0100::/1029

Destination IP/port: 2012::1/21

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 2012::1/21

Destination IP/port: 2013:0:FF0A:0101:0100::/1029

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

State: TCP_ESTABLISHED

Application: FTP

Start time: 2014-03-13 09:07:30 TTL: 3582s

Initiator->Responder: 3 packets 184 bytes

Responder->Initiator: 2 packets 148 bytes

Total sessions found: 1

# Display detailed information about IPv4 AFT sessions on the router.

[Router] display aft session ipv4 verbose

Initiator:

Source IP/port: 30.1.1.1/11025

Destination IP/port: 20.1.1.1/21

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/1

Responder:

Source IP/port: 20.1.1.1/21

Destination IP/port: 30.1.1.1/11025

DS-Lite tunnel peer: -

VPN instance/VLAN ID/VLL ID: -/-/-


Protocol: TCP(6)

Inbound interface: GigabitEthernet2/0/2

State: TCP_ESTABLISHED

Application: FTP

Start time: 2014-03-13 09:07:30 TTL: 3577s

Initiator->Responder: 3 packets 124 bytes

Responder->Initiator: 2 packets 108 bytes

Total sessions found: 1


Document conventions and icons

Conventions

This section describes the conventions used in the documentation.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

Command conventions

Convention Description

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.

{ x | y | ... } * Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.

&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.

# A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention Description

Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description

WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury.

CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.


Network topology icons

Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.

Represents an access point.

Represents a wireless terminator unit.

Represents a wireless terminator.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.

Represents a security card, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG card.


Support and other resources

Accessing Hewlett Packard Enterprise Support

• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance

• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect

• Technical support registration number (if applicable)

• Product name, model or version, and serial number

• Operating system name and version

• Firmware version

• Error messages

• Product-specific reports and logs

• Add-on products or components

• Third-party products or components

Accessing updates

• Some software products provide a mechanism for accessing software updates through the product interface. Review your product documentation to identify the recommended software update method.

• To download product updates, go to either of the following:

Hewlett Packard Enterprise Support Center Get connected with updates page: www.hpe.com/support/e-updates

Software Depot website: www.hpe.com/support/softwaredepot

• To view and update your entitlements, and to link your contracts, Care Packs, and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials

IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.

Websites

Website Link

Networking websites

Hewlett Packard Enterprise Information Library for Networking www.hpe.com/networking/resourcefinder

Hewlett Packard Enterprise Networking website www.hpe.com/info/networking

Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support

Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking

Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty

General websites

Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs

Hewlett Packard Enterprise Support Center www.hpe.com/support/hpesc

Hewlett Packard Enterprise Support Services Central ssc.hpe.com/portal/site/ssc/

Contact Hewlett Packard Enterprise Worldwide www.hpe.com/assistance

Subscription Service/Support Alerts www.hpe.com/support/e-updates

Software Depot www.hpe.com/support/softwaredepot

Customer Self Repair (not applicable to all devices) www.hpe.com/support/selfrepair

Insight Remote Support (not applicable to all devices) www.hpe.com/info/insightremotesupport/docs

Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR.

For more information about CSR, contact your local service provider or go to the CSR website:

www.hpe.com/support/selfrepair

Remote support

Remote support is available with supported devices as part of your warranty, Care Pack Service, or contractual support agreement. It provides intelligent event diagnosis, and automatic, secure submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast and accurate resolution based on your product’s service level. Hewlett Packard Enterprise strongly recommends that you register your device for remote support.

For more information and device support details, go to the following website:

www.hpe.com/info/insightremotesupport/docs

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.


Index

Numerics

1\ 1NAT configuration (static outbound 1\1), 140

6PE technology, 209

6to4 relay, 285 relay configuration, 301 tunnel, 285 tunnel configuration, 298, 299

A

AAA ADVPN AAA configuration, 337

ACL NAT translation control, 124

address ADVPN hub group hub private address, 339 ADVPN hub group spoke private address range, 339 AFT configuration, 429, 433, 439 AFT configuration (between IPv4 network and IPv6 network), 443 AFT configuration (IPv4 Internet to IPv6 server), 442 AFT configuration (IPv4 network to IPv6 Internet), 445 AFT configuration (IPv6 Internet to IPv4 server), 448 AFT configuration (IPv6 network to IPv4 Internet), 439 AFT enabling, 434 DHCP address assignment, 37 DHCP address pool, 37 DHCP address pool application on interface, 49 DHCP address pool selection, 38 DHCP address pool usage alarm, 53 DHCP address pool VPN application, 55 DHCP allocation, 31 DHCP binding auto backup, 52 DHCP BOOTP client address acquisition, 93 DHCP client duplicated address detection, 79 DHCP client subnet advertisement, 54

DHCP gateway bind to common MAC address, 53 DHCP IP address allocation sequence, 39 DHCP IP address conflict detection, 50 DHCP IP address lease extension, 32 DHCP relay address pool, 73 DHCP server address pool, 40 DHCP server address pool creation, 40 DHCP server address pool IP address range, 40 DHCPv6 address allocation, 242 DHCPv6 address pool, 241 DHCPv6 address pool selection, 242 DHCPv6 address pool VPN application, 250 DHCPv6 address/prefix assignment, 236 DHCPv6 address/prefix lease renewal, 237 DHCPv6 binding auto backup, 248 DHCPv6 client IPv6 address acquisition, 264 DHCPv6 client IPv6 address+prefix acquisition, 265 DHCPv6 client subnet advertisement, 249 DHCPv6 IA, 241 DHCPv6 IAID, 241 DHCPv6 IPv6 address assignment, 240 DHCPv6 IPv6 address/prefix allocation sequence, 242 DHCPv6 multicast, 241 DHCPv6 overview, 236 DHCPv6 server dynamic IPv6 address assignment, 254 DHCPv6 server IPv6 address assignment, 244 IP address classes, 24 IP addressing configuration, 24, 27, 27 IP addressing interface address, 25 IP addressing IP unnumbered configuration, 29 IPPO ICMP packet source address, 192 IPv4-to-IPv6 destination address translation policy configuration, 436 IPv4-to-IPv6 source address translation policy configuration, 436 IPv6 addresses, 203 IPv6 ICMPv6 packet source address, 225 IPv6-to-IPv4 destination address translation policy configuration, 434


IPv6-to-IPv4 source address translation policy configuration, 435 NAT configuration, 123, 129, 140 NAT configuration (bidirectional/external-internal access/domain name), 153 NAT configuration (dynamic inbound), 133 NAT configuration (dynamic outbound), 132 NAT configuration (dynamic outbound/non-overlapping addresses), 141 NAT configuration (dynamic), 131 NAT configuration (outbound bidirectional), 144 NAT configuration (static inbound 1\1), 130 NAT configuration (static inbound net-to-net), 131 NAT configuration (static outbound 1\1), 129, 140 NAT configuration (static outbound net-to-net), 130 NAT configuration (static), 129 NAT hairpin, 137 NAT hairpin configuration (C/S mode), 156 NAT hairpin configuration (P2P mode), 159 NAT server configuration (external-internal access), 147 NAT server configuration (external-internal access/domain name), 150 NAT server configuration (load sharing), 165 NAT translation control, 124 NAT+DNS mapping configuration, 167 NAT444 configuration (DS-Lite), 170 special IP addresses, 25 stateless DHCPv6, 238 twice NAT configuration, 162

address family AFT configuration, 429 AFT enabling, 434 AFT prefix translation, 430

address prefix translation AFT prefix, 430

Address Resolution Protocol. Use ARP adjacency table

adjacency table command and hardware compatibility, 181 display, 180 displaying commands, 181

advertising ARP direct route advertisement configuration, 23 IP services IRDP proxy-advertised IP address, 182 IP services IRDP router advertisement (RA), 182

ADVPN AAA configuration, 337 configuration, 332, 337, 349 connection initialization, 334 display, 347 domain creation, 338 hub group configuration, 339 hub group creation, 339 hub group hub private address, 339 hub group spoke private address range, 339 IPv4 full-mesh configuration, 349 IPv4 full-mesh NAT traversal configuration, 408 IPv4 hub-spoke configuration, 364 IPv4 multi-hub-group configuration, 379 IPv6 full-mesh configuration, 356 IPv6 hub-spoke configuration, 372 IPv6 multi-hub-group configuration, 393 maintain, 347 NAT traversal, 337 operation, 334 packet forwarding, 336 registration, 335 route learning, 336 routing configuration, 347 specifying ACL to control establishing spoke-to-spoke tunnel, 340 structure, 332 tunnel establishment, 335 tunnel interface configuration, 345 tunnel IPsec configuration, 347 VAM client configuration, 342 VAM client creation, 343 VAM client domain, 343 VAM client dumb timer, 344 VAM client enable, 343 VAM client pre-shared key, 344 VAM client retry timer/times, 344 VAM client server configuration, 343 VAM client username+password, 345 VAM server authentication algorithm, 341 VAM server authentication method, 341


VAM server configuration, 337 VAM server enable, 338 VAM server encryption algorithm, 341 VAM server keepalive parameters configuration, 341 VAM server port number, 340 VAM server pre-shared key, 338 VAM server retry timer configuration, 342

AFT AFT command and hardware compatibility, 429 AFT compatibility information, 429 ALG support, 433 between IPv4 network and IPv6 network, 443 configuration, 429, 433, 439 display, 437 dynamic AFT, 429 implementations, 429 IPv4 Internet to IPv6 server, 442 IPv4 network to IPv6 Internet, 445 IPv4-to-IPv6 destination address translation policy configuration, 436 IPv4-to-IPv6 source address translation policy configuration, 436 IPv6 Internet to IPv4 server, 448 IPv6 network to IPv4 Internet, 439 IPv6-to-IPv4 destination address translation policy configuration, 434 IPv6-to-IPv4 source address translation policy configuration, 435 logging configuration, 437 maintain, 437 NAT64 prefix, 430 NO-PAT, 430 PAT, 430 prefix translation, 430 server, 431 static AFT, 429 ToS field setting, 437 Traffic Class field setting, 437

AFT prefix IVI prefix, 430

AFT process, 431 IPv4 to IPv6, 432 IPv6 to IPv4, 431

AFT session AFT logging enabling, 437

alarm DHCP address pool usage alarm, 53 IP addressing DHCP address pool usage alarm, 53

ALG AFT support, 433 NAT support, 128 NAT+ALG configuration, 138

algorithm ADVPN VAM server authentication algorithm configuration, 341 ADVPN VAM server encryption algorithm configuration, 341

allocating DHCP address allocation, 37 DHCP addresses allocation, 31 DHCP IP address allocation sequence, 39 DHCPv6 address/prefix allocation sequence, 242 DHCPv6 dynamic address allocation, 242 DHCPv6 dynamic prefix allocation, 242 DHCPv6 static address allocation, 242 DHCPv6 static prefix allocation, 242

Anycast IPv6 address type, 203 IPv6 anycast address configuration, 214

application scenario GRE, 319

applying DDNS client policy to interface, 119 DHCP address pool on interface, 49 DHCPv6 address pool to a VPN instance, 250 DHCPv6 snooping trusted port, 274 DHCPv6 snooping untrusted port, 274 WAAS policy to interface, 420

ARP common proxy ARP configuration, 13 common proxy ARP enable, 12 configuration, 1, 7 direct route advertisement configuration, 23 display, 6 dynamic entry aging timer configuration, 5 dynamic entry check enable, 5 dynamic entry max (device), 4 dynamic entry max (interface), 4 dynamic table entry, 2 fast-reply configuration, 15, 15 gratuitous ARP configuration, 9, 10


gratuitous ARP IP conflict notification, 10 gratuitous ARP packet learning, 9 gratuitous ARP periodic packet send, 9 local proxy ARP enable, 12 logging enable, 5 long static entry configuration, 7 maintain, 6 message format, 1 OpenFlow table entry, 3 operation, 1 PnP configuration, 17, 18 PnP display, 18 proxy ARP configuration, 12 Rule entry, 3 short static entry configuration, 8 static entry configuration, 3 static table entry, 2 suppression configuration, 20, 21 suppression display, 21 suppression maintain, 21 table, 2

assembling IPv6 local fragment reassembly, 226

assigning DHCP address, 37 DHCPv6 address/prefix, 236 DHCPv6 assignment (4 messages), 236 DHCPv6 IPv6 address, 240 DHCPv6 IPv6 prefix, 240 DHCPv6 rapid assignment (2 messages), 236 DHCPv6 server dynamic IPv6 address assignment, 254 DHCPv6 server dynamic IPv6 prefix assignment, 252 DHCPv6 server IPv6 address assignment, 244 DHCPv6 server IPv6 prefix assignment, 243 DHCPv6 server network parameters (address pool), 246 DHCPv6 server network parameters (option group), 247 DHCPv6 server network parameters assignment, 246 IP addressing interface address, 25 IPv6 interface addresses, 211

authenticating ADVPN AAA configuration, 337

ADVPN VAM server authentication algorithm, 341 ADVPN VAM server authentication method, 341 ADVPN VAM server configuration, 337

auto automatic IPv4-compatible IPv6 tunnel, 297, 297 DHCP automatic address allocation, 31 DHCP binding auto backup, 52 DHCP client auto-configuration file, 45 DHCP snooping entry auto backup, 87 DHCPv6 binding auto backup, 248 DHCPv6 snooping entry auto backup, 278 IPv6 interface link-local address automatic generation, 213 IPv6 link-local address automatic generation, 213 IPv6 ND stateless address autoconfiguration, 207 IPv6 stateless address autoconfiguration, 211 IPv6/IPv4 automatic tunnel type, 285

Auto Discovery Virtual Private Network. Use ADVPN

B

backing up DHCP binding auto backup, 52 DHCP snooping entries, 87 DHCPv6 binding auto backup, 248 DHCPv6 snooping entry auto backup, 278

between IPv4 network and IPv6 network AFT configuration, 443

BGP ADVPN routing configuration, 347

bidirectional NAT, 124 NAT configuration (bidirectional/external-internal access/domain name), 153 NAT configuration (outbound bidirectional), 144

BIMS server information (DHCP client), 45

binding DHCP gateway to common MAC address, 53

BOOTP client configuration, 93, 94 client display, 94 client dynamic IP address acquisition, 93 DHCP application, 93 DHCP client address acquisition, 93 DHCP server BOOTP request ignore, 51 DHCP server BOOTP response format, 52 protocols and standards, 93

Bootstrap Protocol. Use BOOTP

broadcast DHCP server response broadcast, 51 UDP helper broadcast to multicast conversion, 197, 200 UDP helper broadcast to unicast conversion, 196, 199 UDP helper configuration, 196, 199 UDP helper multicast to broadcast conversion, 201 UDP helper multicast to broadcast/unicast conversion, 198

buffer IPPO TCP buffer size, 190

C

CHAP ADVPN VAM server authentication method, 341

checksum security feature (GRE), 319

class DHCP user class whitelist, 48 IP address class, 24

client ADVPN VAM client configuration, 342 ADVPN VAM client creation, 343 ADVPN VAM client domain, 343 ADVPN VAM client dumb timer, 344 ADVPN VAM client enable, 343 ADVPN VAM client pre-shared key, 344 ADVPN VAM client retry timer/times, 344 ADVPN VAM client server, 343 ADVPN VAM client username+password, 345 DHCP BOOTP configuration, 93, 94 DHCP client auto-configuration file, 45 DHCP client BIMS server information, 45 DHCP client configuration, 78, 80 DHCP client display, 79 DHCP client DNS server, 44 DHCP client domain name suffix, 44 DHCP client duplicated address detection, 79 DHCP client enable (interface), 78 DHCP client gateway, 43 DHCP client ID configuration (interface), 78 DHCP client NetBIOS node type, 44 DHCP client packet DSCP value, 79 DHCP client WINS server, 44 DHCP server specification, 46

DHCP snooping Option 82 support, 85 DHCP voice client Option 184 parameters, 46 DHCPv6 address pool, 241 DHCPv6 client packet DSCP value, 265 DHCPv6 configuration, 264, 264, 266 DHCPv6 IA, 241 DHCPv6 IAID, 241 DHCPv6 IPv6 address acquisition, 264 DHCPv6 IPv6 address acquisition configuration, 266 DHCPv6 IPv6 address+prefix acquisition, 265 DHCPv6 IPv6 address+prefix acquisition configuration, 269 DHCPv6 IPv6 prefix acquisition, 265 DHCPv6 IPv6 prefix acquisition configuration, 268 DHCPv6 IPv6 prefix assignment, 240 DHCPv6 relay agent configuration, 257, 261 DHCPv6 stateless, 265 DHCPv6 stateless DHCPv6 configuration, 271

command adjacency table command and hardware compatibility, 181 AFT command and hardware compatibility, 429 DHCP snooping command and hardware compatibility, 85 DHCPv6 snooping command and hardware compatibility, 275 NAT command and hardware compatibility, 124 tunneling command and hardware compatibility, 292

command and hardware compatibility fast forwarding, 177 IP forwarding load sharing, 175 IPv6 fast forwarding, 282 WAAS, 419

common DHCP options, 34

compatibility adjacency table command and hardware compatibility, 181 AFT command and hardware compatibility, 429 AFT compatibility information, 429 DHCP snooping command and hardware compatibility, 85 DHCPv6 feature and hardware compatibility, 236

DHCPv6 snooping command and hardware compatibility, 275 IPv6 basics, 210 NAT command and hardware compatibility, 124 tunneling command and hardware compatibility, 292, 292 tunneling feature and hardware compatibility, 292, 292 tunneling information, 292

compatibility information IPv6 fast forwarding, 282

configuring 6to4 relay, 301 6to4 tunnel, 298, 299 ADVPN, 332, 337, 349 ADVPN (IPv4 full-mesh NAT traversal), 408 ADVPN (IPv4 full-mesh), 349 ADVPN (IPv4 hub-spoke), 364 ADVPN (IPv4 multi-hub-group), 379 ADVPN (IPv6 full-mesh), 356 ADVPN (IPv6 hub-spoke), 372 ADVPN (IPv6 multi-hub-group), 393 ADVPN AAA, 337 ADVPN hub group, 339 ADVPN hub group hub private address, 339 ADVPN hub group spoke private address range, 339 ADVPN routing, 347 ADVPN tunnel interface configuration, 345 ADVPN tunnel IPsec, 347 ADVPN VAM client, 342 ADVPN VAM client username+password, 345 ADVPN VAM server, 337 ADVPN VAM server authentication method, 341 ADVPN VAM server keepalive parameters, 341 ADVPN VAM server port number, 340 ADVPN VAM server pre-shared key, 338 ADVPN VAM server retry timer, 342 AFT, 429, 433, 439 AFT (between IPv4 network and IPv6 network), 443 AFT (IPv4 Internet to IPv6 server), 442 AFT (IPv4 network to IPv6 Internet), 445 AFT (IPv6 Internet to IPv4 server), 448 AFT (IPv6 network to IPv4 Internet), 439

AFT logging, 437 ARP, 1, 7 ARP direct route advertisement, 23 ARP dynamic entry aging timer, 5 ARP fast-reply, 15, 15 ARP long static entry, 7 ARP PnP, 17, 18 ARP short static entry, 8 ARP static entry, 3 ARP suppression, 20, 21 automatic IPv4-compatible IPv6 tunnel, 297, 297 bandwidth load sharing, 176 common proxy ARP, 13 DDNS, 116, 120 DDNS (PeanutHull server), 121 DDNS (www.3322.org), 120 DDNS client, 117 DDNS client policy, 117 DHCP address pool usage alarm, 53 DHCP address pool VPN application, 55 DHCP binding auto backup, 52 DHCP BOOTP client, 93, 94 DHCP BOOTP client address acquisition, 93 DHCP client, 78, 80 DHCP client ID (interface), 78 DHCP client subnet advertisement, 54 DHCP IP address conflict detection, 50 DHCP relay address pool, 73 DHCP relay agent, 66, 67, 75 DHCP relay agent IP address release, 71 DHCP relay agent Option 82, 71, 76 DHCP relay agent security functions, 69 DHCP server, 37, 39, 57 DHCP server address pool, 40 DHCP server BOOTP request ignore, 51 DHCP server BOOTP response format, 52 DHCP server compatibility, 51 DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server option customization, 63 DHCP server response broadcast, 51 DHCP server subnet, 62 DHCP server user class, 60 DHCP server user class whitelist, 61 DHCP snooping, 83, 85, 90

DHCP snooping basics, 86, 90 DHCP snooping Option 82, 91 DHCP snooping Option 82 configuration, 86 DHCP user class whitelist, 48 DHCP voice client Option 184 parameters, 46 DHCPv6 binding auto backup, 248 DHCPv6 client, 264, 264, 266 DHCPv6 client IPv6 address acquisition, 264, 266 DHCPv6 client IPv6 address+prefix acquisition, 265, 269 DHCPv6 client IPv6 prefix acquisition, 265, 268 DHCPv6 client stateless, 265 DHCPv6 client stateless DHCPv6, 271 DHCPv6 client subnet advertisement, 249 DHCPv6 relay address pool, 260 DHCPv6 relay agent, 257, 258, 261 DHCPv6 server, 240, 243, 252 DHCPv6 server dynamic IPv6 address assignment, 254 DHCPv6 server dynamic IPv6 prefix assignment, 252 DHCPv6 server IPv6 address assignment, 244 DHCPv6 server IPv6 prefix assignment, 243 DHCPv6 server logging, 250 DHCPv6 server network parameters (address pool), 246 DHCPv6 server network parameters (option group), 247 DHCPv6 server network parameters assignment, 246 DHCPv6 server on interface, 247 DHCPv6 snooping, 274, 276, 280 DHCPv6 snooping basics, 277 DHCPv6 snooping entry auto backup, 278 DHCPv6 snooping Option 18, 277 DHCPv6 snooping Option 37, 277 DNS, 95, 98 DNS network mode tracking, 102 DNS proxy, 101 DNS spoofing, 101 DNS trusted interface, 103 DS-Lite tunnel, 311, 312 fast forwarding entry aging time, 177 fast forwarding load sharing, 177 flow classification, 179

gratuitous ARP, 9, 10 GRE, 318, 326 GRE/IPv4 tunnel, 322 GRE/IPv6 tunnel, 323 IP addressing, 24, 27, 27 IP addressing IP unnumbered, 26, 29 IP forwarding load sharing, 175 IP services fast forwarding, 177 IP services IRDP, 182, 183, 184 IPPO directed broadcast receive/forward, 187 IPPO ICMP error message rate limit, 192 IPPO interface MTU, 188 IPPO interface TCP MSS, 188 IPPO TCP buffer size, 190 IPPO TCP path MTU discovery, 188 IPPO TCP timers, 190 IPv4 DNS, 104 IPv4 DNS client, 98 IPv4 DNS client dynamic domain name resolution, 99, 105 IPv4 DNS client static domain name resolution, 98, 104 IPv4 DNS proxy, 107 IPv4/IPv4 GRE tunnel, 326 IPv4/IPv4 tunnel, 306, 307 IPv4/IPv6 GRE tunnel, 328 IPv4/IPv6 manual tunnel, 308, 309 IPv4-to-IPv6 destination address translation policy, 436 IPv4-to-IPv6 source address translation policy, 436 IPv6 anycast address, 214 IPv6 basic settings, 202, 210, 230 IPv6 basics, 230 IPv6 DNS, 108 IPv6 DNS client, 99 IPv6 DNS client dynamic domain name resolution, 100, 109 IPv6 DNS client static domain name resolution, 99, 108 IPv6 DNS proxy, 114 IPv6 dynamic path MTU aging timer, 223 IPv6 EUI-64 address, 211 IPv6 fast forwarding, 282 IPv6 fast forwarding entry aging time, 282 IPv6 fast forwarding load sharing, 283

IPv6 global unicast address, 211 IPv6 ICMPv6 error message rate limit, 223 IPv6 interface link-local address automatic generation, 213 IPv6 interface MTU, 222 IPv6 link-local address, 213 IPv6 load sharing (bandwidth-based), 226 IPv6 max number NS message sent attempts, 218 IPv6 ND, 214 IPv6 ND static neighbor entry, 214 IPv6 ND suppression, 220, 234 IPv6 path MTU discovery, 222 IPv6 RA message parameter, 216, 217 IPv6 stateless address autoconfiguration, 211 IPv6 static path MTU, 223 IPv6 static prefix, 213 IPv6/IPv4 manual tunnel, 294, 295 IPv6/IPv6 tunnel, 314, 315 IPv6-to-IPv4 destination address translation policy, 434 IPv6-to-IPv4 source address translation policy, 435 ISATAP tunnel, 303, 304 Layer 3 virtual tunnel interface, 292 NAT, 123, 129, 140 NAT (bidirectional/external-internal access/domain name), 153 NAT (dynamic inbound), 133 NAT (dynamic outbound), 132 NAT (dynamic outbound/non-overlapping addresses), 141 NAT (dynamic), 131 NAT (outbound bidirectional), 144 NAT (static inbound 1\1), 130 NAT (static inbound net-to-net), 131 NAT (static outbound 1\1), 129, 140 NAT (static outbound net-to-net), 130 NAT (static), 129 NAT hairpin, 137 NAT hairpin (C/S mode), 156 NAT hairpin (P2P mode), 159 NAT server, 134 NAT server (ACL-based), 136 NAT server (common), 134 NAT server (external-internal access), 147

NAT server (external-internal access/domain name), 150 NAT server (load sharing), 135, 165 NAT session logging, 138 NAT+ALG, 138 NAT+DNS mapping, 137, 167 NAT444 (DS-Lite), 136, 170 per-packet or per-flow load sharing, 175 predefined WAAS policy, 423 proxy ARP, 12 TFO blacklist autodiscovery, 421 TFO parameters, 421 tunneling, 284, 292 twice NAT, 162 UDP helper, 196, 199 UDP helper broadcast to multicast conversion, 197, 200 UDP helper broadcast to unicast conversion, 196, 199 UDP helper multicast to broadcast conversion, 201 UDP helper multicast to broadcast/unicast conversion, 198 user-defined WAAS policy, 425 WAAS, 417, 423 WAAS class, 419 WAAS policy, 420

controlling IPv6 ICMPv6 message send, 223

cookie (TCP SYN), 189

creating ADVPN domain, 338 ADVPN hub group, 339 ADVPN VAM client, 343 DHCP server address pool, 40

customizing DHCP options, 34, 47 DHCP server option customization, 63

D

Data Redundancy Elimination. Use DRE

DDNS, 116, See also DNS application, 116 client, 116 client configuration, 117 client policy application, 119 client policy configuration, 117

configuration, 116, 120 configuration (PeanutHull server), 121 configuration (www.3322.org), 120 display, 120 outgoing packet DSCP value, 119 server, 116

deleting all WAAS settings, 422

destination address IPv4-to-IPv6 destination address translation policy configuration, 436 IPv6-to-IPv4 destination address translation policy configuration, 434

destination unreachable message (ICMPv6), 224

detecting DHCP client duplicated address detection, 79 DHCP client offline detection, 55 DHCP IP address conflict detection, 50 DHCP relay agent client offline detection, 74 IPv6 ND duplicate address detection, 206 IPv6 ND neighbor reachability detection, 206 IPv6 ND redirection, 207 IPv6 ND router/prefix discovery, 207

device ARP dynamic entry max (device), 4 ARP dynamic entry max (interface), 4 ARP suppression configuration, 21 bandwidth load sharing, 176 common proxy ARP configuration, 13 DDNS client policy application, 119 DDNS outgoing packet DSCP value, 119 DHCP client packet DSCP value, 79 DHCP overview, 31 DHCP relay agent packet DSCP value, 72 DHCP server configuration, 37, 39 DHCP server packet DSCP value, 52 DHCP snooping entry max, 89 DHCPv6 client packet DSCP value, 265 DHCPv6 DUID, 241 DHCPv6 IA, 241 DHCPv6 IAID, 241 DHCPv6 packet DSCP value, 248 DHCPv6 PD, 241 DHCPv6 server configuration, 240, 243 DNS outgoing packet DSCP value, 103 DNS packet source interface, 102

DNS proxy, 96 DNS proxy configuration, 101 DNS spoofing, 97 DNS spoofing configuration, 101 DNS trusted interface, 103 IP addressing configuration, 27, 27 IP addressing IP unnumbered configuration, 29 IP forwarding, 173 IP forwarding load sharing, 175 IPPO directed broadcast receive/forward configuration, 187 IPPO ICMP error message send, 190 IPPO interface MTU configuration, 188 IPPO interface TCP MSS configuration, 188 IPPO TCP buffer size, 190 IPPO TCP path MTU discovery, 188 IPPO TCP SYN cookie, 189 IPPO TCP timer, 190 IPv4 DNS client configuration, 98 IPv4 DNS proxy configuration, 107 IPv6 basics configuration, 230 IPv6 DNS client configuration, 99 IPv6 DNS proxy configuration, 114 IPv6 ND suppression configuration, 234 NAT server (ACL-based), 136 NAT server (common), 134 NAT server (load sharing), 135 NAT server configuration, 134 per-packet or per-flow load sharing, 175 stateless DHCPv6, 238 UDP helper broadcast to multicast conversion, 200 UDP helper broadcast to unicast conversion, 199 UDP helper configuration, 199 UDP helper multicast to broadcast conversion, 201

DHCP address allocation, 31 address assignment, 37 address pool, 37 address pool application on interface, 49 address pool selection, 38 address pool usage alarm, 53 address pool VPN application, 55 binding auto backup, 52 BOOTP application, 93 BOOTP client address acquisition, 93

BOOTP client configuration, 93, 94 BOOTP client display, 94 BOOTP client dynamic IP address acquisition, 93 BOOTP protocols and standards, 93 client auto-configuration file, 45 client BIMS server information, 45 client configuration, 78, 80 client display, 79 client DNS server specification, 44 client domain name suffix specification, 44 client duplicated address detection, 79 client enable (interface), 78 client gateway specification, 43 client ID configuration (interface), 78 client NetBIOS node type, 44 client packet DSCP value, 79 client server specification, 46 client subnet advertisement, 54 client WINS server specification, 44 DHCPv6. See DHCPv6 enable, 49 enabling Option 82 handling, 50 gateway bind to common MAC address, 53 IP address allocation, 32 IP address allocation sequence, 39 IP address conflict detection, 50 IP address lease extension, 32 message format, 33 Option #, 34, See also Option # Option 121, 34 Option 150, 34 Option 184 (reserved), 34, 36 Option 3;Option 003, 34 Option 33;Option 033, 34 Option 43 (vendor-specific);Option 043 (vendor-specific), 34, 34 Option 51;Option 051, 34 Option 53;Option 053, 34 Option 55;Option 055, 34 Option 6;Option 006, 34 Option 60;Option 060, 34 Option 66;Option 066, 34 Option 67;Option 067, 34

Option 82 (relay agent);Option 082 (relay agent), 34, 36 option customization, 47 options (common), 34 options (custom), 34 overview, 31 protocols and standards, 36 relay agent client gateway address, 74 relay agent client offline detection, 74 relay agent configuration, 66, 67, 75 relay agent display, 75 relay agent enable on interface, 68 relay agent entry periodic refresh, 69 relay agent IP address release, 71 relay agent maintain, 75 relay agent operation, 66 relay agent Option 82 configuration, 71, 76 relay agent Option 82 support, 67 relay agent packet DSCP value, 72 relay agent relay entry recording, 69 relay agent security functions, 69 relay agent server, 68 relay agent server proxy, 72 relay agent source/gateway address, 74 relay agent starvation attack protection, 70 server address pool configuration, 40 server address pool creation, 40 server address pool IP address range, 40 server BOOTP request ignore, 51 server BOOTP response format, 52 server client offline detection, 55 server compatibility configuration, 51 server configuration, 37, 39, 57 server display, 56 server enable on interface, 49 server IP address dynamic assignment, 58 server IP address static assignment, 57 server logging, 56 server maintain, 56 server option customization configuration, 63 server packet DSCP value, 52 server response broadcast, 51 server subnet configuration, 62 server user class configuration, 60 server user class whitelist configuration, 61

snooping. See DHCP snooping troubleshoot relay agent configuration, 77 troubleshoot server configuration, 65 user class whitelist configuration, 48 voice client Option 184 parameters, 46

DHCP snooping basic configuration, 86 basics configuration, 90 configuration, 83, 85, 90 DHCP snooping command and hardware compatibility, 85 DHCP-REQUEST message attack protection, 89 display, 90 entry auto backup, 87 entry max, 89 maintain, 90 Option 82 configuration, 86 Option 82 support, 85 Option 82 support configuration, 91 starvation attack protection, 88 trusted port, 84 untrusted port, 84

DHCP-REQUEST message attack protection, 89

DHCPv6 address allocation, 242 address pool, 241 address pool selection, 242 address pool VPN application, 250 address/prefix assignment, 236 address/prefix lease renewal, 237 assignment (4 messages), 236 client configuration, 264, 264, 266 client configuration restrictions, 264 client display, 266 client gateway address, 260 client IPv6 address acquisition, 264 client IPv6 address acquisition configuration, 266 client IPv6 address+prefix acquisition, 265 client IPv6 address+prefix acquisition configuration, 269 client IPv6 prefix acquisition, 265 client IPv6 prefix acquisition configuration, 268 client maintain, 266 client packet DSCP value, 265

client stateless DHCPv6, 265 client stateless DHCPv6 configuration, 271 client subnet advertisement, 249 concepts, 241 DHCPv6 binding auto backup, 248 DHCPv6 feature and hardware compatibility, 236 DUID, 241 IA, 241 IAID, 241 IPv6 address assignment, 240 IPv6 address/prefix allocation sequence, 242 IPv6 prefix assignment, 240 multicast address, 241 overview, 236 PD, 241 prefix allocation, 242 protocols and standards, 238 rapid assignment (2 messages), 236 relay address pool configuration, 260 relay agent configuration, 257, 258, 261 relay agent display, 261 relay agent enable on interface, 258 relay agent Interface-ID option padding mode, 259 relay agent maintain, 261 relay agent packet DSCP value, 259 relay agent server, 258 server configuration, 240, 243, 252 server configuration on interface, 247 server display, 251 server dynamic IPv6 address assignment, 254 server dynamic IPv6 prefix assignment, 252 server IPv6 address assignment, 244 server IPv6 prefix assignment, 243 server logging, 250 server maintain, 251 server network parameters (address pool), 246 server network parameters (option group), 247 server network parameters assignment, 246 snooping. See DHCPv6 snooping stateless DHCPv6, 238

DHCPv6 snooping basic configuration, 277 configuration, 274, 276, 280 DHCPv6 snooping command and hardware compatibility, 275

DHCPv6-REQUEST check, 279 display, 280 maintain, 280 Option 18 configuration;Option 018 configuration, 277 Option 18;Option 018, 275 Option 37 configuration;Option 037 configuration, 277 Option 37;Option 037, 275 snooping entry auto backup, 278 snooping entry max, 279

DHCPv6-REQUEST check, 279

direct route advertisement (ARP), 23

displaying adjacency table, 180 adjacency table commands, 181 ADVPN, 347 AFT, 437 ARP, 6 ARP PnP, 18 ARP suppression, 21 DDNS, 120 DHCP BOOTP client, 94 DHCP client, 79 DHCP relay agent, 75 DHCP server, 56 DHCP snooping, 90 DHCPv6 client, 266 DHCPv6 relay agent, 261 DHCPv6 server, 251 DHCPv6 snooping, 280 GRE, 325 IP addressing, 27 IP forwarding FIB table entries, 174 IP services fast forwarding, 178 IPPO, 193 IPv4 DNS, 103 IPv6 basics, 227 IPv6 fast forwarding, 283 NAT, 138 proxy ARP, 13 tunneling configuration, 316 UDP helper, 199 WAAS, 422

DNS, 116, See also DDNS

configuration, 95, 98 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DDNS outgoing packet DSCP value, 119 DHCP client domain name suffix, 44 DHCP client server, 44 dynamic domain name resolution, 95 IPv4 client configuration, 98 IPv4 client dynamic domain name resolution, 99, 105 IPv4 client static domain name resolution, 98, 104 IPv4 configuration, 104 IPv4 DNS display, 103 IPv4 DNS maintain, 103 IPv4 proxy configuration, 107 IPv6 client configuration, 99 IPv6 client dynamic domain name resolution, 100, 109 IPv6 client static domain name resolution, 99, 108 IPv6 configuration, 108 IPv6 proxy configuration, 114 NAT DNS mapping support, 128 NAT server configuration (external-internal access/domain name), 150 NAT+DNS mapping configuration, 137, 167 network mode tracking configuration, 102 outgoing packet DSCP value, 103 packet source interface, 102 proxy, 96 proxy configuration, 101 spoofing, 97 spoofing configuration, 101 static domain name resolution, 95 suffixes, 96 troubleshoot IPv4 DNS configuration, 115 troubleshoot IPv4 DNS incorrect IP address, 115 troubleshoot IPv6 DNS configuration, 115 troubleshoot IPv6 DNS incorrect IP address, 115 trusted interface configuration, 103

domain ADVPN AAA configuration, 337 ADVPN domain creation, 338 ADVPN VAM client configuration, 342 ADVPN VAM client domain, 343

ADVPN VAM server configuration, 337 DHCP client domain name suffix, 44 name system. Use DNS

DRE compression process, 418 decompression process, 418 WAAS policy configuration, 420

DSCP DDNS outgoing packet DSCP value, 119 DHCP client packet DSCP value, 79 DHCP relay agent packet DSCP value, 72 DHCP server packet DSCP value, 52 DHCPv6 client packet DSCP value, 265 DHCPv6 packet value, 248 DHCPv6 relay agent packet DSCP value, 259 DNS outgoing packet DSCP value, 103

DS-Lite NAT444, 126 NAT444 configuration, 136 NAT444 configuration (DS-Lite), 170

DS-Lite tunnel configuration, 311, 312 IPv4 tunneling, 288

dual stack technology, 208

DUID (DHCPv6), 241

dumb ADVPN VAM client dumb timer, 344

duplicated address detection (DHCP), 79

dynamic AFT (dynamic), 429 ARP dynamic entry aging timer, 5 ARP dynamic entry check enable, 5 ARP dynamic entry max (device), 4 ARP dynamic entry max (interface), 4 ARP table entry, 2 DDNS client configuration, 117 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DHCP address allocation, 31, 37 DHCP relay agent entry periodic refresh, 69 DHCP server IP address assignment, 58 DHCP server user class, 60 DHCP server user class whitelist, 61 DHCPv6 dynamic address allocation, 242 DHCPv6 dynamic prefix allocation, 242

DHCPv6 server dynamic IPv6 address assignment, 254 DHCPv6 server dynamic IPv6 prefix assignment, 252 DNS domain name resolution, 95 IPv4 DNS client dynamic domain name resolution, 99, 105 IPv6 DNS client dynamic domain name resolution, 100, 109 IPv6 dynamic path MTU aging timer, 223 NAT (dynamic), 124 NAT configuration, 131 NAT configuration (dynamic inbound), 133 NAT configuration (dynamic outbound), 132 NAT444 configuration (DS-Lite), 136, 170

Dynamic Domain Name System. Use DDNS

Dynamic Host Configuration Protocol. Use DHCP

E

Easy IP (NAT), 123

enable IPv6 ND direct route advertisement, 221

enabling ADVPN VAM client, 343 ADVPN VAM server, 338 AFT, 434 ARP dynamic entry check, 5 ARP logging, 5 common proxy ARP, 12 DHCP, 49 DHCP client (interface), 78 DHCP client duplicated address detection, 79 DHCP Option 82 handling, 50 DHCP relay agent client offline detection, 74 DHCP relay agent entry periodic refresh, 69 DHCP relay agent on interface, 68 DHCP relay agent relay entry recording, 69 DHCP relay agent server proxy, 72 DHCP relay agent starvation attack protection, 70 DHCP server client offline detection, 55 DHCP server logging, 56 DHCP server on interface, 49 DHCP snooping starvation attack protection, 88 DHCP-REQUEST message attack protection, 89 DHCPv6 relay agent on interface, 258 DHCPv6-REQUEST check, 279

gratuitous ARP IP conflict notification, 10 IPPO directed broadcast receive/forward, 186 IPPO ICMP error message send, 190 IPPO IPv4 local fragment reassembly, 193 IPPO TCP SYN cookie, 189 IPv6 ICMPv6 destination unreachable message, 224 IPv6 ICMPv6 redirect message, 225 IPv6 ICMPv6 time exceeded message, 225 IPv6 local fragment reassembly, 226 IPv6 multicast echo request reply, 224 IPv6 ND proxy, 219 IPv6 RA message send, 217 local proxy ARP, 12

encapsulating GRE configuration, 318, 326 GRE encapsulation format, 318 IPv4/IPv4 GRE tunnel, 326 IPv4/IPv6 GRE tunnel, 328 tunneling configuration, 284, 292

encrypting ADVPN VAM server configuration, 337 ADVPN VAM server encryption algorithm, 341

error IPPO ICMP error message sending, 190

establishing ADVPN tunnel, 335

Ethernet adjacency table display, 180 adjacency table displaying commands, 181 ARP configuration, 1, 7 ARP direct route advertisement configuration, 23 ARP fast-reply configuration, 15, 15 ARP long static entry configuration, 7 ARP PnP configuration, 17, 18 ARP short static entry configuration, 8 ARP suppression configuration, 20, 21 common proxy ARP configuration, 13 DHCP BOOTP client configuration, 93, 94 DHCP client configuration, 78, 80 DHCP server configuration, 37, 39, 57 DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server option customization, 63 DHCP server subnet, 62

DHCP server user class, 60 DHCP server user class whitelist, 61 DHCP snooping basic configuration, 90 DHCPv6 client configuration, 264, 266 DHCPv6 client IPv6 address acquisition configuration, 266 DHCPv6 client IPv6 address+prefix acquisition configuration, 269 DHCPv6 client IPv6 prefix acquisition configuration, 268 DHCPv6 client stateless DHCPv6 configuration, 271 DHCPv6 snooping configuration, 274, 276, 280 gratuitous ARP configuration, 9 proxy ARP configuration, 12 UDP helper broadcast to multicast conversion, 197 UDP helper broadcast to unicast conversion, 196 UDP helper configuration, 196, 199 UDP helper multicast to broadcast/unicast conversion, 198

EUI-64 address IP services address-based interface identifiers, 205 IP services configuration, 211

extending DHCP IP address lease extension, 32

F

fast forwarding command and hardware compatibility, 177 configuration, 177 displaying, 178 IPv6 configuration, 282 maintaining, 178

fast forwarding aging time configuration, 177

fast forwarding load sharing configuration, 177

fast-reply (ARP), 15, 15

feature DHCPv6 feature and hardware compatibility, 236 tunneling feature and hardware compatibility, 292

feature and hardware compatibility flow classification, 179 UDP helper, 196

FIB adjacency table display, 180 adjacency table displaying commands, 181 bandwidth load sharing, 176

IP forwarding, 173 IP forwarding load sharing, 175 IP forwarding table entries, 174 IP routing table, 173 per-packet or per-flow load sharing, 175

FIN wait timer, 190

flow classification configuration, 179 feature and hardware compatibility, 179 policy (flow-based), 179 policy (packet-based), 179 policy specification, 179

format ARP message format, 1 DHCP message, 33 DHCP server BOOTP response format, 52 GRE encapsulation format, 318 IPv6 addresses, 203

forwarding ADVPN packet forwarding, 336 IP services fast forwarding aging time configuration, 177 IP services fast forwarding configuration, 177 IP services fast forwarding load sharing configuration, 177 IPPO directed broadcast receive/forward, 186 IPv6 fast forwarding aging time configuration, 282 IPv6 fast forwarding configuration, 282 IPv6 fast forwarding load sharing configuration, 283

fragment IPv6 local fragment reassembly, 226

full-mesh ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN configuration (IPv4 full-mesh), 349 ADVPN configuration (IPv6 full-mesh), 356 ADVPN structure, 332

G

gateway AFT configuration, 433, 439 DHCP client gateway specification, 43 DHCP gateway bind to common MAC address, 53 DHCP relay agent client gateway address, 74

DHCP relay agent source/gateway address, 74 DHCPv6 client gateway address, 260 DS-Lite NAT444, 126 NAT configuration, 123, 129, 140 NAT configuration (bidirectional/external-internal access/domain name), 153 NAT configuration (dynamic inbound), 133 NAT configuration (dynamic outbound), 132 NAT configuration (dynamic outbound/non-overlapping addresses), 141 NAT configuration (dynamic), 131 NAT configuration (outbound bidirectional), 144 NAT configuration (static inbound 1\1), 130 NAT configuration (static inbound net-to-net), 131 NAT configuration (static outbound 1\1), 129, 140 NAT configuration (static outbound net-to-net), 130 NAT configuration (static), 129 NAT hairpin configuration (C/S mode), 156 NAT hairpin configuration (P2P mode), 159 NAT server configuration (external-internal access), 147 NAT server configuration (external-internal access/domain name), 150 NAT server configuration (load sharing), 165 NAT+DNS mapping configuration, 167 NAT444 configuration (DS-Lite), 170 twice NAT configuration, 162

Generic Routing Encapsulation. Use GRE

gratuitous ARP configuration, 9, 10 IP conflict notification, 10 packet learning, 9 periodic packet send, 9

GRE, 284, See also tunneling application scenarios, 319 configuration, 318, 326 display, 325 encapsulation format, 318 GRE/IPv4 tunnel configuration, 322 GRE/IPv6 tunnel configuration, 323 IPv4/IPv4 GRE tunnel configuration, 326 IPv4/IPv6 GRE tunnel configuration, 328 maintain, 325 protocols and standards, 321 security features, 319 troubleshoot, 330


troubleshoot hosts cannot ping each other, 330 tunnel operation, 318

group ADVPN hub group configuration, 339

H

hairpin NAT hairpin C/S, 124 NAT hairpin configuration, 137 NAT hairpin configuration (C/S mode), 156 NAT hairpin configuration (P2P mode), 159 NAT hairpin P2P, 124

hardware adjacency table command and hardware compatibility, 181 AFT command and hardware compatibility, 429 DHCP snooping command and hardware compatibility, 85 DHCPv6 feature and hardware compatibility, 236 DHCPv6 snooping command and hardware compatibility, 275 NAT command and hardware compatibility, 124 tunneling command and hardware compatibility, 292 tunneling feature and hardware compatibility, 292

hardware compatibility IP performance optimization, 186

hub ADVPN hub group configuration, 339 ADVPN hub group creation, 339 ADVPN hub group hub private address, 339 ADVPN hub group spoke private address range, 339

hub-group ADVPN structure, 332

hub-spoke ADVPN configuration (IPv4 hub-spoke), 364 ADVPN configuration (IPv6 hub-spoke), 372 ADVPN structure, 332

I

IA (DHCPv6), 241

IAID (DHCPv6), 241

ICMP IP services IRDP configuration, 184 IPPO ICMP error message rate limit, 192 IPPO ICMP error message send, 190 IPPO ICMP packet source address specification, 192 IRDP configuration, 182, 183 Router Discovery Protocol. Use IRDP

ICMPv6 IP services destination unreachable message, 224 IP services error message rate limit, 223 IP services packet source address, 225 IP services redirect message, 225 IP services time exceeded message, 225 IPv6 message send control, 223 IPv6 ND duplicate address detection, 206 IPv6 ND neighbor reachability detection, 206 IPv6 ND protocol, 205 IPv6 ND protocol address resolution, 206 IPv6 ND redirection, 207 IPv6 ND router/prefix discovery, 207 IPv6 ND stateless address autoconfiguration, 207

ID DHCPv6 relay agent Interface-ID option padding mode, 259 IP address class Host ID, 24 IP address class Net ID, 24

identity association. See IA association ID. See IAID

ignoring DHCP server BOOTP requests, 51

implementing IPv4/IPv4 tunneling, 286 IPv4/IPv6 tunneling, 287 IPv6/IPv4 tunneling, 284 IPv6/IPv6 tunneling, 291

initializing ADVPN connection, 334

interval ADVPN VAM server keepalive parameters configuration, 341

IP addressing 6to4 relay configuration, 301 6to4 tunnel configuration, 298, 299 address classes, 24 AFT configuration, 429, 433, 439


AFT configuration (between IPv4 network and IPv6 network), 443 AFT configuration (IPv4 Internet to IPv6 server), 442 AFT configuration (IPv4 network to IPv6 Internet), 445 AFT configuration (IPv6 Internet to IPv4 server), 448 AFT configuration (IPv6 network to IPv4 Internet), 439 AFT logging, 437, 437 AFT ToS field setting, 437 AFT Traffic Class field setting, 437 ARP configuration, 1, 7 ARP direct route advertisement configuration, 23 ARP dynamic entry aging timer, 5 ARP dynamic entry check enable, 5 ARP dynamic entry max (device), 4 ARP dynamic entry max (interface), 4 ARP dynamic table entry, 2 ARP fast-reply configuration, 15, 15 ARP long static entry configuration, 7 ARP message format, 1 ARP OpenFlow table entry, 3 ARP operation, 1 ARP PnP configuration, 17, 18 ARP Rule entry, 3 ARP short static entry configuration, 8 ARP static entry, 3 ARP static table entry, 2 ARP suppression configuration, 20, 21 ARP table, 2 automatic IPv4-compatible IPv6 tunnel, 297, 297 common proxy ARP configuration, 13 configuration, 24, 27, 27 DDNS client configuration, 117 DDNS client policy, 117 DDNS client policy application, 119 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DHCP address allocation, 31, 32 DHCP address allocation sequence, 39 DHCP address assignment, 37 DHCP address conflict detection, 50

DHCP address pool, 37 DHCP address pool usage alarm, 53 DHCP address pool VPN application, 55 DHCP binding auto backup, 52 DHCP BOOTP client configuration, 93, 94 DHCP BOOTP client dynamic IP address acquisition, 93 DHCP client configuration, 78, 80 DHCP client subnet advertisement, 54 DHCP gateway bind to common MAC address, 53 DHCP lease extension, 32 DHCP message format, 33 DHCP relay agent IP address release, 71 DHCP server address pool IP address range, 40 DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server option customization, 63 DHCP server subnet, 62 DHCP server user class, 60 DHCP server user class whitelist, 61 DHCP snooping basic configuration, 86 DHCP snooping configuration, 83, 85, 90 DHCP user class whitelist, 48 DHCPv6 client configuration, 264, 266 DHCPv6 client IPv6 address acquisition, 264 DHCPv6 client IPv6 address acquisition configuration, 266 DHCPv6 client IPv6 address+prefix acquisition, 265 DHCPv6 client IPv6 address+prefix acquisition configuration, 269 DHCPv6 client IPv6 prefix acquisition, 265 DHCPv6 client IPv6 prefix acquisition configuration, 268 DHCPv6 client stateless, 265 DHCPv6 client stateless DHCPv6 configuration, 271 DHCPv6 configuration, 240 DHCPv6 overview, 236 DHCPv6 server configuration, 243, 252 DHCPv6 server configuration on interface, 247 DHCPv6 server dynamic IPv6 address assignment, 254 DHCPv6 server dynamic IPv6 prefix assignment, 252 DHCPv6 server IPv6 address assignment, 244 DHCPv6 server IPv6 prefix assignment, 243


DHCPv6 server network parameters (address pool), 246 DHCPv6 server network parameters (option group), 247 DHCPv6 server network parameters assignment, 246 DHCPv6 snooping configuration, 274, 276, 280 display, 27 DNS configuration, 95, 98 DNS dynamic domain name resolution, 95 DNS packet source interface, 102 DNS spoofing, 97 DNS spoofing configuration, 101 DNS static domain name resolution, 95 DNS trusted interface, 103 DS-Lite tunnel configuration, 311, 312 gratuitous ARP configuration, 9, 10 gratuitous ARP IP conflict notification, 10 gratuitous ARP packet learning, 9 gratuitous ARP periodic packet send, 9 interface IP address assignment, 25 IP services Pv6 ND protocol address resolution, 206 IP unnumbered configuration, 26, 29 IPv4/IPv4 tunnel configuration, 306, 307 IPv4/IPv6 manual tunnel configuration, 308, 309 IPv4-to-IPv6 destination address translation policy configuration, 436 IPv4-to-IPv6 source address translation policy configuration, 436 IPv6 6PE technology, 209 IPv6 address formats, 203 IPv6 address type, 203 IPv6 addresses, 203 IPv6 anycast address configuration, 214 IPv6 basic settings configuration, 202, 210, 230 IPv6 basics configuration, 230 IPv6 dual stack technology, 208 IPv6 dynamic path MTU aging timer, 223 IPv6 global unicast address, 211 IPv6 ICMPv6 destination unreachable message, 224 IPv6 ICMPv6 error message rate limit, 223 IPv6 ICMPv6 message send, 223

IPv6 ICMPv6 redirect message, 225 IPv6 ICMPv6 time exceeded message, 225 IPv6 interface address assignment, 211 IPv6 interface MTU, 222 IPv6 link-local address configuration, 213 IPv6 max number NS message sent attempts, 218 IPv6 multicast echo request reply, 224 IPv6 NAT-PT technology, 209 IPv6 ND configuration, 214 IPv6 ND duplicate address detection, 206 IPv6 ND dynamic neighbor entries max number, 215 IPv6 ND hop limit, 216 IPv6 ND link-local entry minimization, 216 IPv6 ND neighbor reachability detection, 206 IPv6 ND protocol, 205 IPv6 ND proxy, 219 IPv6 ND redirection, 207 IPv6 ND router/prefix discovery, 207 IPv6 ND stale state entry aging timer, 215 IPv6 ND stateless address autoconfiguration, 207 IPv6 ND static neighbor entry, 214 IPv6 path MTU discovery, 207, 222 IPv6 RA message parameter, 216 IPv6 static path MTU, 223 IPv6 transition technologies, 208 IPv6 tunneling technology, 208 IPv6/IPv4 manual tunnel configuration, 294, 295 IPv6/IPv6 tunnel configuration, 314, 315 IPv6-to-IPv4 destination address translation policy configuration, 434 IPv6-to-IPv4 source address translation policy configuration, 435 IRDP configuration, 182, 183, 184 IRDP primary IP address, 182 IRDP proxy-advertised IP address, 182 ISATAP tunnel configuration, 303, 304 masking, 25 NAT configuration, 123, 129, 140 NAT configuration (bidirectional/external-internal access/domain name), 153 NAT configuration (dynamic inbound), 133 NAT configuration (dynamic outbound), 132 NAT configuration (dynamic outbound/non-overlapping addresses), 141


NAT configuration (dynamic), 131 NAT configuration (outbound bidirectional), 144 NAT configuration (static inbound 1\1), 130 NAT configuration (static inbound net-to-net), 131 NAT configuration (static outbound 1\1), 129, 140 NAT configuration (static outbound net-to-net), 130 NAT configuration (static), 129 NAT hairpin, 137 NAT hairpin configuration (C/S mode), 156 NAT hairpin configuration (P2P mode), 159 NAT server (ACL-based), 136 NAT server (common), 134 NAT server (load sharing), 135 NAT server configuration, 134 NAT server configuration (external-internal access), 147 NAT server configuration (external-internal access/domain name), 150 NAT server configuration (load sharing), 165 NAT session logging, 138 NAT translation control, 124 NAT+ALG configuration, 138 NAT+DNS mapping configuration, 137, 167 NAT444 configuration (DS-Lite), 136, 170 proxy ARP configuration, 12 special IP addresses, 25 subnetting, 25 twice NAT configuration, 162

IP addressing IRDP secondary IP address, 182

IP forwarding bandwidth load sharing, 176 device, 173 FIB table, 173 FIB table entries, 174 load sharing, 175 optimal route selection, 173 per-packet or per-flow load sharing, 175

IP forwarding load sharing command and hardware compatibility, 175

IP performance optimization. See IPPO hardware compatibility, 186

IP routing bandwidth load sharing, 176 IP forwarding load sharing, 175 per-packet or per-flow load sharing, 175

IP service AFT process, 431 AFT process from IPv4 to IPv6, 432 AFT process from IPv6 to IPv4, 431

IP services 6to4 relay configuration, 301 6to4 tunnel configuration, 298, 299 adjacency table display, 180 adjacency table displaying commands, 181 ADVPN AAA configuration, 337 ADVPN configuration, 332, 337, 349 ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN configuration (IPv4 full-mesh), 349 ADVPN configuration (IPv4 hub-spoke), 364 ADVPN configuration (IPv4 multi-hub-group), 379 ADVPN configuration (IPv6 full-mesh), 356 ADVPN configuration (IPv6 hub-spoke), 372 ADVPN configuration (IPv6 multi-hub-group), 393 ADVPN connection initialization, 334 ADVPN display, 347 ADVPN domain creation, 338 ADVPN hub group configuration, 339 ADVPN maintain, 347 ADVPN NAT traversal, 337 ADVPN operation, 334 ADVPN packet forwarding, 336 ADVPN registration, 335 ADVPN route learning, 336 ADVPN routing configuration, 347 ADVPN tunnel establishment, 335 ADVPN tunnel interface configuration, 345 ADVPN tunnel IPsec configuration, 347 ADVPN VAM client configuration, 342 ADVPN VAM server authentication algorithm, 341 ADVPN VAM server authentication method, 341 ADVPN VAM server configuration, 337 ADVPN VAM server enable, 338 ADVPN VAM server encryption algorithm, 341 ADVPN VAM server port number, 340 ADVPN VAM server pre-shared key, 338


AFT configuration, 429, 433, 439 AFT configuration (between IPv4 network and IPv6 network), 443 AFT configuration (IPv4 Internet to IPv6 server), 442 AFT configuration (IPv4 network to IPv6 Internet), 445 AFT configuration (IPv6 Internet to IPv4 server), 448 AFT configuration (IPv6 network to IPv4 Internet), 439 AFT display, 437 AFT enabling, 434 AFT implementations, 429 AFT logging, 437 AFT maintain, 437 AFT prefix, 430 AFT ToS field setting, 437 AFT Traffic Class field setting, 437 ARP configuration, 1 ARP direct route advertisement configuration, 23 ARP display, 6 ARP dynamic entry check enable, 5 ARP dynamic entry max (device), 4 ARP dynamic entry max (interface), 4 ARP fast-reply configuration, 15, 15 ARP logging enable, 5 ARP maintain, 6 ARP PnP configuration, 17, 18 ARP static entry, 3 ARP suppression configuration, 20 ARP suppression display, 21 ARP suppression maintain, 21 automatic IPv4-compatible IPv6 tunnel, 297, 297 common proxy ARP configuration, 13 DDNS client configuration, 117 DDNS client policy, 117 DDNS client policy application, 119 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DDNS display, 120 DDNS outgoing packet DSCP value, 119 DHCP address allocation, 31, 32 DHCP address allocation sequence, 39

DHCP address pool, 37 DHCP address pool application on interface, 49 DHCP address pool usage alarm, 53 DHCP address pool VPN application, 55 DHCP binding auto backup, 52 DHCP BOOTP application, 93 DHCP BOOTP client address acquisition, 93 DHCP BOOTP client dynamic IP address acquisition, 93 DHCP client BIMS server information, 45 DHCP client DNS server, 44 DHCP client domain name suffix, 44 DHCP client gateway, 43 DHCP client NetBIOS node type, 44 DHCP client server specification, 46 DHCP client subnet advertisement, 54 DHCP client WINS server, 44 DHCP enable, 49 DHCP gateway bind to common MAC address, 53 DHCP IP address conflict detection, 50 DHCP IP address lease extension, 32 DHCP message format, 33 DHCP Option 82 handling, 50 DHCP option customization, 47 DHCP options (common), 34 DHCP options (custom), 34 DHCP overview, 31 DHCP protocols and standards, 36 DHCP relay agent, 75 DHCP relay agent client gateway address, 74 DHCP relay agent client offline detection, 74 DHCP relay agent configuration, 66, 67 DHCP relay agent enable on interface, 68 DHCP relay agent entry periodic refresh, 69 DHCP relay agent IP address release, 71 DHCP relay agent operation, 66 DHCP relay agent Option 82, 76 DHCP relay agent Option 82 configuration, 71 DHCP relay agent Option 82 support, 67 DHCP relay agent relay entry recording, 69 DHCP relay agent security functions, 69 DHCP relay agent server, 68 DHCP relay agent server proxy, 72 DHCP relay agent source/gateway address, 74 DHCP relay agent starvation attack protection, 70


DHCP server address pool, 40, 40 DHCP server address pool IP address range, 40 DHCP server client offline detection, 55 DHCP server compatibility configuration, 51 DHCP server configuration, 37, 39, 57 DHCP server display, 56 DHCP server enable on interface, 49 DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server logging, 56 DHCP server maintain, 56 DHCP server option customization, 63 DHCP server subnet, 62 DHCP server user class, 60 DHCP server user class whitelist, 61 DHCP snooping basic configuration, 90 DHCP snooping configuration, 83 DHCP snooping display, 90 DHCP snooping entry auto backup, 87 DHCP snooping maintain, 90 DHCP snooping Option 82 configuration, 86 DHCP snooping Option 82 support, 85 DHCP snooping Option 82 support configuration, 91 DHCP snooping starvation attack protection, 88 DHCP snooping trusted port, 84 DHCP snooping untrusted port, 84 DHCP user class whitelist, 48 DHCP voice client Option 184 parameter, 46 DHCP-REQUEST message attack protection, 89 DHCPv6 address pool, 241 DHCPv6 address pool VPN application, 250 DHCPv6 address/prefix allocation sequence, 242 DHCPv6 address/prefix assignment, 236 DHCPv6 address/prefix lease renewal, 237 DHCPv6 binding auto backup, 248 DHCPv6 client configuration, 264, 264 DHCPv6 client display, 266 DHCPv6 client gateway address, 260 DHCPv6 client IPv6 address acquisition, 264 DHCPv6 client IPv6 address+prefix acquisition, 265 DHCPv6 client IPv6 prefix acquisition, 265

DHCPv6 client maintain, 266 DHCPv6 client stateless, 265 DHCPv6 client subnet advertisement, 249 DHCPv6 concepts, 241 DHCPv6 configuration, 240 DHCPv6 IPv6 address assignment, 240 DHCPv6 IPv6 prefix assignment, 240 DHCPv6 overview, 236 DHCPv6 protocols and standards, 238 DHCPv6 relay agent configuration, 257, 258, 261 DHCPv6 relay agent display, 261 DHCPv6 relay agent enable on interface, 258 DHCPv6 relay agent Interface-ID option padding mode, 259 DHCPv6 relay agent maintain, 261 DHCPv6 relay agent server, 258 DHCPv6 server configuration, 243, 252 DHCPv6 server display, 251 DHCPv6 server dynamic IPv6 address assignment, 254 DHCPv6 server dynamic IPv6 prefix assignment, 252 DHCPv6 server IPv6 address assignment, 244 DHCPv6 server IPv6 prefix assignment, 243 DHCPv6 server logging, 250 DHCPv6 server maintain, 251 DHCPv6 snooping basics, 277 DHCPv6 snooping configuration, 274, 276, 280 DHCPv6 snooping display, 280 DHCPv6 snooping entry auto backup, 278 DHCPv6 snooping entry max, 279 DHCPv6 snooping maintain, 280 DHCPv6 snooping Option 18 configuration, 277 DHCPv6 snooping Option 37 configuration, 277 DHCPv6-REQUEST check, 279 displaying fast forwarding, 178 displaying IPv6 basics, 227 displaying IPv6 fast forwarding, 283 DNS configuration, 95, 98 DNS outgoing packet DSCP value, 103 DNS packet source interface, 102 DNS proxy, 96 DNS proxy configuration, 101 DNS spoofing, 97 DNS spoofing configuration, 101


DNS trusted interface, 103 DS-Lite tunnel configuration, 311, 312 dynamic NAT configuration restrictions, 132 enable IPv6 direct route advertisement, 221 fast forwarding aging time configuration, 177 fast forwarding configuration, 177 fast forwarding load sharing configuration, 177 flow classification, 179 flow classification policy, 179 gratuitous ARP configuration, 9, 10 gratuitous ARP IP conflict notification, 10 GRE application, 319 GRE configuration, 318, 326 GRE display, 325 GRE encapsulation format, 318 GRE maintain, 325 GRE operation, 318 GRE protocols and standards, 321 GRE/IPv4 tunnel configuration, 322 GRE/IPv6 tunnel configuration, 323 ICMPv6 error message rate limit, 223 IP address classes, 24 IP addressing display, 27 IP addressing interface address, 25 IP addressing subnetting, 25 IP addressing configuration, 24 IP unnumbered configuration, 26 IPv4 DNS configuration, 104 IPv4/IPv4 GRE tunnel, 326 IPv4/IPv4 tunnel configuration, 306, 307 IPv4/IPv4 tunneling implementation, 286 IPv4/IPv6 GRE tunnel, 328 IPv4/IPv6 manual tunnel configuration, 308, 309 IPv4/IPv6 tunneling implementation, 287 IPv4-to-IPv6 destination address translation policy configuration, 436 IPv4-to-IPv6 source address translation policy configuration, 436 IPv6 addresses, 203 IPv6 anycast address configuration, 214 IPv6 basic settings configuration, 202, 210, 230 IPv6 basics configuration, 230 IPv6 DNS configuration, 108 IPv6 dynamic path MTU aging timer, 223

IPv6 fast forwarding aging time configuration, 282 IPv6 fast forwarding configuration, 282 IPv6 fast forwarding load sharing configuration, 283 IPv6 features, 202 IPv6 ICMPv6 destination unreachable message, 224 IPv6 ICMPv6 message send, 223 IPv6 ICMPv6 packet source address specification, 225 IPv6 ICMPv6 redirect message, 225 IPv6 ICMPv6 time exceeded message, 225 IPv6 interface address assignment, 211 IPv6 interface MTU, 222 IPv6 link-local address configuration, 213 IPv6 load sharing configuration (bandwidth-based), 226 IPv6 local fragment reassembly, 226 IPv6 max number NS message sent attempts, 218 IPv6 multicast echo request reply, 224 IPv6 ND configuration, 214 IPv6 ND dynamic neighbor entries max number, 215 IPv6 ND hop limit, 216 IPv6 ND link-local entry minimization, 216 IPv6 ND protocol, 205 IPv6 ND proxy enable, 219 IPv6 ND stale state entry aging timer, 215 IPv6 ND static neighbor entry, 214 IPv6 ND suppression configuration, 220, 234 IPv6 path MTU discovery, 207, 222 IPv6 protocols and standards, 209 IPv6 RA message parameter, 216 IPv6 static path MTU, 223 IPv6 transition technologies, 208 IPv6/IPv4 manual tunnel configuration, 294, 295 IPv6/IPv4 tunneling implementation, 284 IPv6/IPv6 tunnel configuration, 314, 315 IPv6/IPv6 tunneling implementation, 291 IPv6-to-IPv4 destination address translation policy configuration, 434 IPv6-to-IPv4 source address translation policy configuration, 435 IRDP configuration, 182, 183, 184 ISATAP tunnel configuration, 303, 304 Layer 3 virtual tunnel interface, 292


maintaining fast forwarding, 178 maintaining IPv6 basics, 227 maintaining IPv6 fast forwarding, 283 NAT configuration, 123, 129, 140 NAT configuration (bidirectional/external-internal access/domain name), 153 NAT configuration (dynamic inbound), 133 NAT configuration (dynamic outbound), 132 NAT configuration (dynamic outbound/non-overlapping addresses), 141 NAT configuration (dynamic), 131 NAT configuration (outbound bidirectional), 144 NAT configuration (static inbound 1\1), 130 NAT configuration (static inbound net-to-net), 131 NAT configuration (static outbound 1\1), 129, 140 NAT configuration (static outbound net-to-net), 130 NAT configuration (static), 129 NAT display, 138 NAT entry types, 126 NAT hairpin, 137 NAT hairpin configuration (C/S mode), 156 NAT hairpin configuration (P2P mode), 159 NAT implementations, 124 NAT maintain, 138 NAT server (ACL-based), 136 NAT server (common), 134 NAT server (load sharing), 135 NAT server configuration, 134 NAT server configuration (external-internal access), 147 NAT server configuration (external-internal/through domain name), 150 NAT server configuration (load sharing), 165 NAT session logging, 138 NAT terminology, 123 NAT translation control, 124 NAT types, 123 NAT+ALG configuration, 138 NAT+DNS mapping configuration, 137, 167 NAT444 configuration (DS-Lite), 136, 170 proxy ARP configuration, 12

proxy ARP display, 13 special IP addresses, 25 stateless DHCPv6, 238 troubleshooting DHCP relay agent configuration, 77 troubleshooting DHCP server configuration, 65 troubleshooting GRE, 330 troubleshooting GRE hosts cannot ping each other, 330 troubleshooting IPv4 DNS configuration, 115 troubleshooting IPv4 DNS incorrect IP address, 115 troubleshooting IPv6 address cannot be pinged, 235 troubleshooting IPv6 basics configuration, 235 troubleshooting IPv6 DNS configuration, 115 troubleshooting IPv6 DNS incorrect IP address, 115 troubleshooting tunneling configuration, 317 tunneling configuration, 284 tunneling configuration display, 316 tunneling configuration maintain, 316 tunneling protocols and standards, 291 twice NAT configuration, 162 UDP helper broadcast to multicast conversion, 197, 200 UDP helper broadcast to unicast conversion, 196, 199 UDP helper configuration, 196, 199 UDP helper display, 199 UDP helper maintain, 199 UDP helper multicast to broadcast conversion, 201 UDP helper multicast to broadcast/unicast conversion, 198

IPng, 202, See also IPv6

IPPO configuration, 186 directed broadcast receive/forward configuration, 187 directed broadcast receive/forward enable, 186 displaying, 193 ICMP error message rate limit, 192 ICMP error message send, 190 ICMP packet source address, 192 interface MTU configuration, 188 interface TCP MSS configuration, 188 IPv4 local fragment reassembly, 193 maintaining, 193


TCP buffer size, 190 TCP path MTU discovery, 188 TCP SYN cookie, 189 TCP timer, 190

IPsec ADVPN tunnel IPsec configuration, 347 GRE application, 319

IP-to-MAC DHCP snooping configuration, 83, 85, 90

IPv4 6to4 relay configuration, 301 6to4 tunnel configuration, 298, 299 ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN configuration (IPv4 full-mesh), 349 ADVPN configuration (IPv4 hub-spoke), 364 ADVPN configuration (IPv4 multi-hub-group), 379 automatic IPv4-compatible IPv6 tunnel, 297, 297 DNS client configuration, 98 DNS configuration, 104 DNS proxy configuration, 101, 107 DNS spoofing configuration, 101 DS-Lite tunnel configuration, 311, 312 DS-Lite tunneling, 288 GRE application, 319 GRE encapsulation format, 318 GRE/IPv4 tunnel configuration, 322 IP address classes, 24 IP addressing configuration, 24, 27, 27 IP addressing interface address, 25 IP addressing IP unnumbered, 26 IP addressing IP unnumbered configuration, 29 IP addressing masking, 25 IP addressing subnetting, 25 IP services 6PE technology, 209 IPv4/IPv4 GRE tunnel, 326 IPv4/IPv4 tunnel configuration, 306, 307 IPv4/IPv4 tunneling implementation, 286 IPv4/IPv6 GRE tunnel, 328 IPv4/IPv6 manual tunnel configuration, 308, 309 IPv4/IPv6 tunnel types, 288 IPv4/IPv6 tunneling implementation, 287

IPv6/IPv4 manual tunnel configuration, 294, 295 IPv6/IPv4 tunnel types, 285 IPv6/IPv4 tunneling implementation, 284 ISATAP tunnel configuration, 303, 304 ISATAP tunneling, 285 special IP addresses, 25 tunneling configuration, 284, 292

IPv4 address AFT configuration, 429 NAT64 prefix, 430

IPv4 fragment IPPO IPv4 local fragment reassembly, 193

IPv4 Internet to IPv6 server AFT configuration, 442

IPv4 network to IPv6 Internet AFT configuration, 445

IPv4 packet AFT ToS field setting, 437

IPv6, 202, See also IPng 6PE technology, 209 6to4 relay configuration, 301 6to4 tunnel configuration, 298, 299 address formats, 203 address type, 203 addresses, 203 ADVPN configuration (IPv6 full-mesh), 356 ADVPN configuration (IPv6 hub-spoke), 372 ADVPN configuration (IPv6 multi-hub-group), 393 anycast address configuration, 214 automatic IPv4-compatible IPv6 tunnel, 297, 297 basic configuration, 230 basic settings configuration, 202, 210, 230 DHCPv6. See DHCPv6 displaying basics, 227 displaying fast forwarding, 283 DNS client configuration, 99 DNS configuration, 108 DNS proxy configuration, 101, 114 DNS spoofing configuration, 101 dual stack technology, 208 dynamic path MTU aging timer, 223 enable ND direct route advertisement, 221 EUI-64 address configuration, 211 EUI-64 address-based interface identifiers, 205 fast forwarding configuration, 282


features, 202 global unicast address configuration, 211 GRE application, 319 GRE encapsulation format, 318 GRE/IPv6 tunnel configuration, 323 ICMPv6 destination unreachable message, 224 ICMPv6 error message rate limit, 223 ICMPv6 message send, 223 ICMPv6 packet source address specification, 225 ICMPv6 redirect message, 225 ICMPv6 time exceeded message, 225 interface address assignment, 211 interface link-local address automatic generation, 213 interface link-local address manual specification, 213 interface MTU configuration, 222 IPv4/IPv6 GRE tunnel, 328 IPv4/IPv6 manual tunnel configuration, 308, 309 IPv4/IPv6 tunnel types, 288 IPv4/IPv6 tunneling implementation, 287 IPv6/IPv4 manual tunnel configuration, 294, 295 IPv6/IPv4 tunnel types, 285 IPv6/IPv4 tunneling implementation, 284 IPv6/IPv6 tunnel configuration, 314, 315 IPv6/IPv6 tunneling implementation, 291 ISATAP tunnel configuration, 303, 304 ISATAP tunneling, 285 link-local address configuration, 213 load sharing configuration (bandwidth-based), 226 local fragment reassembly enable, 226 maintaining basics, 227 maintaining fast forwarding, 283 max number NS message sent attempts, 218 multicast address type, 204 multicast echo request reply, 224 NAT-PT technology, 209 ND configuration, 214 ND duplicate address detection, 206 ND dynamic neighbor entries max number, 215 ND hop limit, 216 ND link-local entry minimization, 216

ND neighbor reachability detection, 206 ND protocol, 205 ND protocol address resolution, 206 ND proxy enable, 219 ND redirection, 207 ND router/prefix discovery, 207 ND stale state entry aging timer, 215 ND stateless address autoconfiguration, 207 ND static neighbor entry configuration, 214 ND suppression configuration, 220, 234 path MTU discovery, 207 path MTU discovery configuration, 222 protocols and standards, 209 RA message parameter, 217 RA message parameter configuration, 216 RA message send enable, 217 stateless address autoconfiguration, 211 static path MTU configuration, 223 static prefix configuration, 213 transition technologies, 208 troubleshooting address cannot be pinged, 235 troubleshooting basics configuration, 235 tunneling configuration, 284, 292 tunneling technology, 208

IPv6 address AFT configuration, 429 IVI prefix, 430

IPv6 addressing DHCPv6 address pool VPN application, 250 DHCPv6 binding auto backup, 248 DHCPv6 client subnet advertisement, 249 DHCPv6 server logging, 250

IPv6 basics compatibility, 210

IPv6 BGP ADVPN routing configuration, 347

IPv6 fast forwarding command and hardware compatibility, 282 compatibility information, 282

IPv6 fast forwarding aging time configuration, 282

IPv6 fast forwarding load sharing configuration, 283

IPv6 Internet to IPv4 server AFT configuration, 448

IPv6 network to IPv4 Internet


AFT configuration, 439

IPv6 packet AFT Traffic Class field setting, 437

IRDP basic concepts, 182 configuration, 182, 183, 184 operation, 182 protocols and standards, 183 RA (router advertisement), 182 RS (router solicitation), 182

IRF DHCP overview, 31

ISATAP IPv6 tunneling, 285

ISATAP tunnel configuration, 303, 304

IVI prefix, 430

K

keepalive ADVPN VAM server keepalive parameters configuration, 341

key ADVPN VAM client configuration, 342 ADVPN VAM client pre-shared key, 344 ADVPN VAM server configuration, 337 ADVPN VAM server pre-shared key, 338 GRE key security feature, 319

L

LAN IPPO (IPPO), 186

Layer 3 DHCP BOOTP client configuration, 93, 94 DHCP client configuration, 78, 80 DHCP overview, 31 DHCP relay agent, 75 DHCP relay agent configuration, 66, 67 DHCP relay agent Option 82, 76 DHCP server configuration, 37, 39, 57 DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server option customization, 63 DHCP server subnet, 62 DHCP server user class, 60 DHCP server user class whitelist, 61

DHCP snooping basic configuration, 90 DHCPv6 client configuration, 264, 264, 266 DHCPv6 client IPv6 address acquisition configuration, 266 DHCPv6 client IPv6 address+prefix acquisition configuration, 269 DHCPv6 client IPv6 prefix acquisition configuration, 268 DHCPv6 client stateless DHCPv6 configuration, 271 DHCPv6 relay agent configuration, 258 DHCPv6 snooping configuration, 274, 276, 280 UDP helper broadcast to multicast conversion, 197, 200 UDP helper broadcast to unicast conversion, 196, 199 UDP helper configuration, 196, 199 UDP helper multicast to broadcast conversion, 201 UDP helper multicast to broadcast/unicast conversion, 198 virtual tunnel interface, 292

learning ADVPN route learning, 336 IPv6 ND dynamic neighbor entries max number, 215

lease DHCPv6 PD, 241

leasing DHCP IP address lease extension, 32 DHCPv6 address/prefix lease renewal, 237

limiting IPPO ICMP error message rate limit, 192 IPv6 ICMPv6 error message rate limit, 223

load sharing IPv6 load sharing configuration (bandwidth-based), 226 NAT server (load sharing), 135 NAT server configuration (load sharing), 165

logging AFT, 437 ARP logging enable, 5 DHCP server logging, 56 DHCPv6 server logging, 250

LZ compression WAAS policy configuration, 420

M

MAC addressing ARP configuration, 1, 7 ARP direct route advertisement configuration, 23 ARP dynamic entry check enable, 5 ARP fast-reply configuration, 15, 15 ARP long static entry configuration, 7 ARP short static entry configuration, 8 ARP suppression configuration, 20, 21 common proxy ARP configuration, 13 DHCP BOOTP client configuration, 93, 94 DHCP client configuration, 78, 80 DHCP gateway bind to common MAC address, 53 gratuitous ARP configuration, 9 gratuitous ARP packet learning, 9 gratuitous ARP periodic packet send, 9 IPv6 EUI-64 address-based interface identifiers, 205 proxy ARP configuration, 12

maintaining ADVPN, 347 AFT, 437 ARP, 6 ARP suppression, 21 DHCP relay agent, 75 DHCP server, 56 DHCP snooping, 90 DHCPv6 client, 266 DHCPv6 relay agent, 261 DHCPv6 server, 251 DHCPv6 snooping, 280 GRE, 325 IP services fast forwarding, 178 IPPO, 193 IPv4 DNS, 103 IPv6 basics, 227 IPv6 fast forwarding, 283 NAT, 138 tunneling configuration, 316 UDP helper, 199 WAAS, 422

manual IPv6/IPv4 manually configured tunnel type, 285

mapping NAT DNS mapping support, 128 NAT+DNS mapping configuration, 137, 167 NAT444 configuration (DS-Lite), 136, 170

masking IP addressing, 25

maximum segment size. Use MSS

message ARP configuration, 1, 7 ARP direct route advertisement configuration, 23 ARP fast-reply configuration, 15, 15 ARP long static entry configuration, 7 ARP message format, 1 ARP PnP configuration, 17, 18 ARP short static entry configuration, 8 ARP suppression configuration, 20, 21 common proxy ARP configuration, 13 DHCP format, 33 DHCP-REQUEST message attack protection, 89 DHCPv6 assignment (4 messages), 236 DHCPv6 rapid assignment (2 messages), 236 gratuitous ARP configuration, 9 gratuitous ARP packet learning, 9 gratuitous ARP periodic packet send, 9 IPPO ICMP error message rate limit, 192 IPPO ICMP error message sending, 190 IPv6 ICMPv6 error message rate limit, 223 IPv6 ICMPv6 message send, 223 IPv6 ND protocol, 205 proxy ARP configuration, 12

minimizing IPv6 ND link-local entries, 216

mode DHCPv6 relay agent Interface-ID option padding, 259 DNS network mode tracking, 102 NAT hairpin C/S, 124 NAT hairpin P2P, 124

MSS IPPO interface TCP MSS configuration, 188

MTU IPPO interface MTU configuration, 188 IPPO TCP path MTU discovery, 188 IPv6 dynamic path MTU aging timer, 223 IPv6 interface MTU configuration, 222 IPv6 path MTU discovery, 207 IPv6 path MTU discovery configuration, 222 IPv6 static path MTU configuration, 223

multicast DHCPv6 address, 241

IPv6 address, 204 IPv6 address type, 203 IPv6 multicast echo request reply, 224 UDP helper broadcast to multicast conversion, 197 UDP helper configuration, 199 UDP helper multicast to broadcast/unicast conversion, 198

multi-hub-group ADVPN configuration (IPv4 multi-hub-group), 379 ADVPN configuration (IPv6 multi-hub-group), 393

N

name DDNS client configuration, 117 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DNS configuration, 95, 98 DNS dynamic domain name resolution, 95 DNS proxy configuration, 101 DNS spoofing configuration, 101 DNS static domain name resolution, 95 IPv4 DNS client configuration, 98 IPv4 DNS client dynamic domain name resolution, 99 IPv4 DNS configuration, 104 IPv6 DNS client configuration, 99

naming DHCP client domain name suffix, 44 IPv4 DNS client dynamic domain name resolution, 105 IPv4 DNS client static domain name resolution, 98, 104 IPv4 DNS proxy configuration, 107 IPv6 DNS client dynamic domain name resolution, 100, 109 IPv6 DNS client static domain name resolution, 99, 108 IPv6 DNS configuration, 108 IPv6 DNS proxy configuration, 114

NAT ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN NAT traversal, 337

ALG configuration, 138 ALG support, 128 bidirectional NAT, 124 configuration, 123, 129, 140 configuration (bidirectional/external-internal access/domain name), 153 configuration (dynamic inbound), 133 configuration (dynamic outbound), 132 configuration (dynamic outbound/non-overlapping addresses), 141 configuration (dynamic), 131 configuration (outbound bidirectional), 144 configuration (static inbound 1\1), 130 configuration (static inbound net-to-net), 131 configuration (static outbound 1\1), 129, 140 configuration (static outbound net-to-net), 130 configuration (static), 129 configuration restrictions (dynamic), 132 display, 138 DNS mapping configuration, 137 DNS mapping support, 128 DS-Lite NAT444, 126 dynamic NAT, 124 Easy IP, 123 EIM entry, 127 enabling, 434 entry types, 126 feature support, 127 hairpin, 124 hairpin configuration, 137 hairpin configuration (C/S mode), 156 hairpin configuration (P2P mode), 159 implementations, 124 maintain, 138 NAT command and hardware compatibility, 124 NAT+DNS mapping configuration, 167 NAT444 configuration (DS-Lite), 136, 170 NO-PAT, 125 NO-PAT entry, 127 PAT, 125 server, 125 server configuration, 134 server configuration (ACL-based), 136 server configuration (common), 134 server configuration (external-internal access), 147

server configuration (external-internal access/domain name), 150 server configuration (load sharing), 135, 165 session entry, 126 session logging configuration, 138 static NAT, 124 terminology, 123 traditional NAT, 123 translation control, 124 twice NAT, 124 twice NAT configuration, 162 types, 123 VRF-aware, 127

NAT444 DS-Lite configuration, 136, 170 DS-Lite NAT444, 126

NAT64 prefix translation, 430

NAT-PT technology, 209

neighbor adjacency table display, 180 adjacency table displaying commands, 181

neighbor discovery enable IPv6 direct route advertisement, 221 IPv6 duplicate address detection, 206 IPv6 ND address resolution, 206 IPv6 ND configuration, 214 IPv6 ND dynamic neighbor entries max number, 215 IPv6 ND hop limit, 216 IPv6 ND link-local entry minimization, 216 IPv6 ND protocol, 205 IPv6 ND stale state entry aging timer, 215 IPv6 ND static neighbor entry, 214 IPv6 ND suppression configuration, 220 IPv6 neighbor reachability detection, 206 IPv6 redirection, 207 IPv6 router/prefix discovery, 207 IPv6 stateless address autoconfiguration, 207

NetBIOS DHCP client node type, 44

network 6to4 relay configuration, 301 6to4 tunnel configuration, 298, 299 Address Family Translation. Use AFT

ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN configuration (IPv4 full-mesh), 349 ADVPN configuration (IPv4 hub-spoke), 364 ADVPN configuration (IPv4 multi-hub-group), 379 ADVPN configuration (IPv6 full-mesh), 356 ADVPN configuration (IPv6 hub-spoke), 372 ADVPN configuration (IPv6 multi-hub-group), 393 ADVPN NAT traversal, 337 ADVPN operation, 334 ADVPN tunnel interface configuration, 345 AFT (between IPv4 network and IPv6 network), 443 AFT (IPv4 Internet to IPv6 server), 442 AFT (IPv4 network to IPv6 Internet), 445 AFT (IPv6 Internet to IPv4 server), 448 AFT (IPv6 network to IPv4 Internet), 439 AFT enabling, 434 ARP dynamic entry aging timer, 5 ARP dynamic entry check enable, 5 ARP dynamic entry max (device), 4 ARP dynamic entry max (interface), 4 ARP dynamic table entry, 2 ARP logging enable, 5 ARP long static entry configuration, 7 ARP message format, 1 ARP OpenFlow table entry, 3 ARP operation, 1 ARP Rule entry, 3 ARP short static entry configuration, 8 ARP static entry, 3 ARP static table entry, 2 ARP table, 2 automatic IPv4-compatible IPv6 tunnel, 297, 297 bandwidth load sharing, 176 DDNS client configuration, 117 DDNS client policy, 117 DDNS client policy application, 119 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DDNS outgoing packet DSCP value, 119 DHCP address pool, 37 DHCP BOOTP client address acquisition, 93 DHCP client DNS server, 44 DHCP client gateway, 43 DHCP client ID configuration (interface), 78

DHCP client packet DSCP value, 79 DHCP client server specification, 46 DHCP relay address pool, 73 DHCP relay agent client gateway address, 74 DHCP relay agent enable on interface, 68 DHCP relay agent packet DSCP value, 72 DHCP relay agent security functions, 69 DHCP relay agent server, 68, 72 DHCP relay agent source/gateway address, 74 DHCP server address pool, 40 DHCP server address pool IP address range, 40 DHCP server BOOTP request ignore, 51 DHCP server compatibility configuration, 51 DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server option customization, 63 DHCP server packet DSCP value, 52 DHCP server response broadcast, 51 DHCP server subnet, 62 DHCP server user class, 60 DHCP server user class whitelist, 61 DHCP snooping basic configuration, 86, 90 DHCP snooping Option 82 configuration, 91 DHCP snooping trusted port, 84 DHCP snooping untrusted port, 84 DHCPv6 address allocation, 242 DHCPv6 address pool, 241 DHCPv6 address pool selection, 242 DHCPv6 address/prefix assignment, 236 DHCPv6 client gateway address, 260 DHCPv6 client IPv6 address acquisition, 264 DHCPv6 client IPv6 address acquisition configuration, 266 DHCPv6 client IPv6 address+prefix acquisition, 265 DHCPv6 client IPv6 address+prefix acquisition configuration, 269 DHCPv6 client IPv6 prefix acquisition, 265 DHCPv6 client IPv6 prefix acquisition configuration, 268 DHCPv6 client packet DSCP value, 265 DHCPv6 client stateless, 265 DHCPv6 client stateless DHCPv6 configuration, 271 DHCPv6 IPv6 address assignment, 240

DHCPv6 IPv6 address/prefix allocation sequence, 242 DHCPv6 IPv6 prefix assignment, 240 DHCPv6 packet DSCP value, 248 DHCPv6 prefix allocation, 242 DHCPv6 relay address pool configuration, 260 DHCPv6 relay agent enable on interface, 258 DHCPv6 relay agent Interface-ID option padding mode, 259 DHCPv6 relay agent packet DSCP value, 259 DHCPv6 relay agent server, 258 DHCPv6 server configuration on interface, 247 DHCPv6 server dynamic IPv6 address assignment, 254 DHCPv6 server dynamic IPv6 prefix assignment, 252 DHCPv6 server IPv6 address assignment, 244 DHCPv6 server IPv6 prefix assignment, 243 DHCPv6 server network parameters (address pool), 246 DHCPv6 server network parameters (option group), 247 DHCPv6 server network parameters assignment, 246 DHCPv6 snooping basic configuration, 277 DHCPv6 snooping entry auto backup, 278 DHCPv6 snooping entry max, 279 DHCPv6 snooping Option 18 configuration, 277 DHCPv6 snooping Option 37 configuration, 277 DHCPv6-REQUEST check, 279 DNS network mode tracking configuration, 102 DNS outgoing packet DSCP value, 103 DNS packet source interface, 102 DNS proxy, 96 DNS proxy configuration, 101 DNS spoofing, 97 DNS spoofing configuration, 101 DNS suffixes, 96 DNS trusted interface, 103 DS-Lite tunnel configuration, 311, 312 enable IPv6 direct route advertisement, 221 flow classification policy, 179 gratuitous ARP configuration, 10 gratuitous ARP IP conflict notification, 10 gratuitous ARP packet learning, 9 gratuitous ARP periodic packet send, 9

GRE application scenarios, 319 GRE/IPv4 tunnel configuration, 322 GRE/IPv6 tunnel configuration, 323 IP address classes, 24 IP addressing configuration, 27 IP addressing interface address, 25 IP addressing IP unnumbered, 26 IP addressing IP unnumbered configuration, 29 IP addressing masking, 25 IP addressing subnetting, 25 IP forwarding load sharing, 175 IPPO directed broadcast receive/forward, 186 IPPO directed broadcast receive/forward configuration, 187 IPPO ICMP error message rate limit, 192 IPPO ICMP error message send, 190 IPPO interface MTU configuration, 188 IPPO interface TCP MSS configuration, 188 IPPO IPv4 local fragment reassembly, 193 IPPO TCP buffer size, 190 IPPO TCP path MTU discovery, 188 IPPO TCP SYN cookie, 189 IPPO TCP timer, 190 IPv4 DNS client configuration, 98 IPv4 DNS client dynamic domain name resolution, 105 IPv4 DNS client static domain name resolution, 104 IPv4 DNS proxy configuration, 107 IPv4/IPv4 GRE tunnel, 326 IPv4/IPv4 tunnel configuration, 306, 307 IPv4/IPv4 tunneling implementation, 286 IPv4/IPv6 GRE tunnel, 328 IPv4/IPv6 manual tunnel configuration, 308, 309 IPv4/IPv6 tunneling, 287 IPv4-to-IPv6 destination address translation policy configuration, 436 IPv4-to-IPv6 source address translation policy configuration, 436 IPv6 6PE technology, 209 IPv6 addresses, 203 IPv6 anycast address configuration, 214 IPv6 DNS client configuration, 99 IPv6 DNS client dynamic domain name resolution, 109

IPv6 DNS client static domain name resolution, 108 IPv6 DNS proxy configuration, 114 IPv6 dual stack technology, 208 IPv6 dynamic path MTU aging timer, 223 IPv6 global unicast address, 211 IPv6 ICMPv6 destination unreachable message, 224 IPv6 ICMPv6 error message rate limit, 223 IPv6 ICMPv6 message send, 223 IPv6 ICMPv6 redirect message, 225 IPv6 ICMPv6 time exceeded message, 225 IPv6 interface address assignment, 211 IPv6 interface MTU, 222 IPv6 link-local address configuration, 213 IPv6 max number NS message sent attempts, 218 IPv6 multicast echo request reply, 224 IPv6 NAT-PT technology, 209 IPv6 ND configuration, 214 IPv6 ND duplicate address detection, 206 IPv6 ND dynamic neighbor entries max number, 215 IPv6 ND hop limit, 216 IPv6 ND link-local entry minimization, 216 IPv6 ND neighbor reachability detection, 206 IPv6 ND protocol, 205 IPv6 ND protocol address resolution, 206 IPv6 ND redirection, 207 IPv6 ND router/prefix discovery, 207 IPv6 ND stale state entry aging timer, 215 IPv6 ND stateless address autoconfiguration, 207 IPv6 ND static neighbor entry, 214 IPv6 ND suppression configuration, 220 IPv6 path MTU discovery, 207, 222 IPv6 RA message parameter, 216 IPv6 static path MTU, 223 IPv6 transition technologies, 208 IPv6 tunneling technology, 208 IPv6/IPv4 manual tunnel configuration, 294, 295 IPv6/IPv4 tunneling implementation, 284 IPv6/IPv6 tunnel configuration, 314, 315 IPv6/IPv6 tunneling implementation, 291 IPv6-to-IPv4 destination address translation policy configuration, 434 IPv6-to-IPv4 source address translation policy configuration, 435

ISATAP tunnel configuration, 303, 304 Layer 3 virtual tunnel interface, 292 NAT configuration (bidirectional/external-internal access/domain name), 153 NAT configuration (dynamic inbound), 133 NAT configuration (dynamic outbound), 132 NAT configuration (dynamic outbound/non-overlapping addresses), 141 NAT configuration (dynamic), 131 NAT configuration (outbound bidirectional), 144 NAT configuration (static inbound 1\1), 130 NAT configuration (static inbound net-to-net), 131 NAT configuration (static outbound 1\1), 129, 140 NAT configuration (static outbound net-to-net), 130 NAT configuration (static), 129 NAT hairpin, 137 NAT hairpin configuration (C/S mode), 156 NAT hairpin configuration (P2P mode), 159 NAT server (ACL-based), 136 NAT server (common), 134 NAT server (load sharing), 135 NAT server configuration, 134 NAT server configuration (external-internal access), 147 NAT server configuration (external-internal access/domain name), 150 NAT server configuration (load sharing), 165 NAT+DNS mapping configuration, 167 NAT444 configuration (DS-Lite), 136, 170 Network Address Translation. Use NAT per-packet or per-flow load sharing, 175 special IP addresses, 25 twice NAT configuration, 162 UDP helper broadcast to multicast conversion, 197, 200 UDP helper broadcast to unicast conversion, 196, 199 UDP helper multicast to broadcast conversion, 201 UDP helper multicast to broadcast/unicast conversion, 198

Network Address Translation-Protocol Translation. Use NAT-PT

network management adjacency table display, 180 adjacency table displaying commands, 181 ADVPN configuration, 332, 337, 349 ADVPN structure, 332 AFT configuration, 429, 433, 439 ARP configuration, 1, 7 ARP direct route advertisement configuration, 23 ARP fast-reply configuration, 15, 15 ARP PnP configuration, 17, 18 ARP suppression configuration, 20, 21 common proxy ARP configuration, 13 DDNS configuration, 116, 120 DHCP BOOTP client configuration, 93, 94 DHCP client configuration, 78, 80 DHCP overview, 31 DHCP relay agent, 75 DHCP relay agent configuration, 66, 67 DHCP relay agent Option 82, 76 DHCP server configuration, 37, 39, 57 DHCP snooping configuration, 83, 85, 90 DHCPv6 client configuration, 264, 264, 266 DHCPv6 concepts, 241 DHCPv6 overview, 236 DHCPv6 relay agent configuration, 257, 258, 261 DHCPv6 server configuration, 240, 243, 252 DHCPv6 snooping configuration, 274, 276, 280 DNS configuration, 95, 98 flow classification, 179 gratuitous ARP configuration, 9 GRE configuration, 318, 326 IP addressing configuration, 24, 27 IP forwarding, 173 IP services fast forwarding aging time configuration, 177 IP services fast forwarding configuration, 177 IP services fast forwarding load sharing configuration, 177 IP services IRDP configuration, 182, 183, 184 IPPO (IPPO), 186 IPv4 DNS configuration, 104 IPv6 basic settings configuration, 202, 210, 230 IPv6 basics configuration, 230

IPv6 DNS configuration, 108 IPv6 fast forwarding aging time configuration, 282 IPv6 fast forwarding configuration, 282 IPv6 fast forwarding load sharing configuration, 283 IPv6 ND suppression configuration, 234 NAT configuration, 123, 129, 140 proxy ARP configuration, 12 tunneling configuration, 284, 292 UDP helper configuration, 196, 199

node DHCP client NetBIOS node b (broadcast) type, 44 DHCP client NetBIOS node h (hybrid) type, 44 DHCP client NetBIOS node m (mixed) type, 44 DHCP client NetBIOS node p (peer-to-peer) type, 44

non-temporary DHCPv6 non-temporary address assignment, 244 DHCPv6 non-temporary IPv6 address, 240

NO-PAT (AFT), 430 NO-PAT (NAT), 125

O

offline DHCP client offline detection, 55 DHCP relay agent client offline detection, 74

OpenFlow ARP OpenFlow table entry, 3

operation IP services IRDP, 182

optimal IP forwarding optimal route selection, 173

optimizing IP performance, 186 IPPO directed broadcasts, 186 IPPO ICMP error message rate limit, 192 IPPO ICMP error messages, 190 IPPO interface MTU, 188 IPPO interface TCP MSS, 188 IPPO IPv4 local fragment reassembly, 193 IPPO TCP path MTU discovery, 188 IPPO TCP SYN cookie, 189 IPPO TCP timers, 190

option DHCP field, 34 DHCP option customization, 47 DHCP server option customization, 63 DHCPv6 relay agent Interface-ID option padding, 259

Option 121 (DHCP), 34 Option 150 (DHCP), 34

Option 18;Option 018 DHCPv6 snooping, 275, 275

Option 184 (DHCP) reserved option, 34, 36 voice client parameters, 46

Option 3 (DHCP);Option 003 (DHCP), 34 Option 33 (DHCP);Option 033 (DHCP), 34

Option 37;Option 037 DHCPv6 snooping, 275, 276

Option 43 (DHCP);Option 043 (DHCP), 34, 34 Option 51 (DHCP);Option 051 (DHCP), 34 Option 53 (DHCP);Option 053 (DHCP), 34 Option 55 (DHCP);Option 055 (DHCP), 34 Option 6 (DHCP);Option 006 (DHCP), 34 Option 60 (DHCP);Option 060 (DHCP), 34 Option 66 (DHCP);Option 066 (DHCP), 34 Option 67 (DHCP);Option 067 (DHCP), 34

Option 82 (DHCP);Option 082 (DHCP) handling enable, 50 relay agent, 34, 36, 76 relay agent configuration, 71 relay agent support, 67 snooping configuration, 86, 91 snooping support, 85

OSPF ADVPN routing configuration, 347

OSPFv3 ADVPN routing configuration, 347

P

packet AFT configuration, 429, 433, 439 AFT configuration (between IPv4 network and IPv6 network), 443 AFT configuration (IPv4 Internet to IPv6 server), 442 AFT configuration (IPv4 network to IPv6 Internet), 445 AFT configuration (IPv6 Internet to IPv4 server), 448 AFT configuration (IPv6 network to IPv4 Internet), 439 AFT enabling, 434

DDNS outgoing packet DSCP value, 119 DHCP client packet DSCP value, 79 DHCP server packet DSCP value, 52 DHCPv6 client packet DSCP value, 265 DHCPv6 packet DSCP value, 248 DNS packet source interface, 102 enable IPv6 direct route advertisement, 221 flow classification, 179 flow classification packet-based policy, 179 flow classification policy, 179 gratuitous ARP packet learning, 9 gratuitous ARP periodic packet send, 9 GRE checksum security feature, 319 GRE encapsulation format, 318 GRE key security feature, 319 GRE tunnel operation, 318 IP addressing configuration, 24, 27, 27 IP addressing IP unnumbered configuration, 29 IP forwarding, 173 IP performance optimization, 186 IPPO ICMP error message rate limit, 192 IPPO ICMP packet source address, 192 IPv4/IPv4 tunneling implementation, 286 IPv4/IPv6 tunneling, 287 IPv4-to-IPv6 destination address translation policy configuration, 436 IPv4-to-IPv6 source address translation policy, 436 IPv6 6PE technology, 209 IPv6 addresses, 203 IPv6 anycast address configuration, 214 IPv6 basic settings configuration, 202, 210, 230 IPv6 basics configuration, 230 IPv6 dual stack technology, 208 IPv6 dynamic path MTU aging timer, 223 IPv6 global unicast address, 211 IPv6 ICMPv6 destination unreachable message, 224 IPv6 ICMPv6 error message rate limit, 223 IPv6 ICMPv6 packet source address, 225 IPv6 ICMPv6 redirect message, 225 IPv6 ICMPv6 time exceeded message, 225 IPv6 interface address assignment, 211 IPv6 interface MTU, 222 IPv6 link-local address configuration, 213

IPv6 max number NS message sent attempts, 218 IPv6 multicast echo request reply, 224 IPv6 NAT-PT technology, 209 IPv6 ND configuration, 214 IPv6 ND duplicate address detection, 206 IPv6 ND dynamic neighbor entries max number, 215 IPv6 ND hop limit, 216 IPv6 ND link-local entry minimization, 216 IPv6 ND neighbor reachability detection, 206 IPv6 ND protocol address resolution, 206 IPv6 ND redirection, 207 IPv6 ND router/prefix discovery, 207 IPv6 ND stale state entry aging timer, 215 IPv6 ND stateless address autoconfiguration, 207 IPv6 ND static neighbor entry, 214 IPv6 ND suppression configuration, 220, 234 IPv6 path MTU discovery, 207, 222 IPv6 RA message parameter, 216 IPv6 static path MTU, 223 IPv6 transition technologies, 208 IPv6 tunneling technology, 208 IPv6/IPv4 tunneling implementation, 284 IPv6/IPv6 tunneling implementation, 291 IPv6-to-IPv4 destination address translation policy configuration, 434 IPv6-to-IPv4 source address translation policy, 435 NAT configuration, 123, 129, 140 NAT configuration (bidirectional/external-internal access/domain name), 153 NAT configuration (dynamic inbound), 133 NAT configuration (dynamic outbound), 132 NAT configuration (dynamic outbound/non-overlapping addresses), 141 NAT configuration (dynamic), 131 NAT configuration (outbound bidirectional), 144 NAT configuration (static inbound 1\1), 130 NAT configuration (static inbound net-to-net), 131 NAT configuration (static outbound 1\1), 129, 140 NAT configuration (static outbound net-to-net), 130 NAT configuration (static), 129 NAT hairpin configuration (C/S mode), 156 NAT hairpin configuration (P2P mode), 159 NAT server configuration (external-internal access), 147

NAT server configuration (external-internal access/domain name), 150 NAT server configuration (load sharing), 165 NAT translation control, 124 NAT+ALG configuration, 138 NAT+DNS mapping configuration, 167 NAT444 configuration (DS-Lite), 170 tunneling configuration, 284, 292 twice NAT configuration, 162 UDP helper broadcast to multicast conversion, 197 UDP helper broadcast to unicast conversion, 196 UDP helper configuration, 196 UDP helper multicast to broadcast/unicast conversion, 198

PAP ADVPN VAM server authentication method, 341

parameter DHCPv6 server network parameters (address pool), 246 DHCPv6 server network parameters (option group), 247 DHCPv6 server network parameters assignment, 246 IPv6 RA message parameter, 216, 217 stateless DHCPv6, 238

password ADVPN VAM client username+password, 345

PAT (AFT), 430 PAT (NAT), 125 PD (DHCPv6), 241 periodic gratuitous ARP packet send, 9 plug and play. See PnP

PnP ARP configuration, 17, 18

policy DDNS client, 117 DDNS client application, 119 flow classification flow-based, 179 flow classification packet-based, 179

pool DHCP relay address pool, 73 DHCPv6 address pool, 241 DHCPv6 address pool selection, 242 DHCPv6 relay address pool configuration, 260

port ADVPN VAM server port number, 340 DHCP snooping trusted port, 84 DHCP snooping untrusted port, 84 DHCPv6 snooping basic configuration, 277 DHCPv6 snooping configuration, 274, 276, 280 DHCPv6 snooping Option 18 configuration, 277 DHCPv6 snooping Option 37 configuration, 277 DHCPv6 snooping trusted port, 274 DHCPv6 snooping untrusted port, 274 DS-Lite NAT444, 126 NAT server (ACL-based), 136 NAT server (common), 134 NAT server (load sharing), 135 NAT server configuration, 134 NAT444 configuration (DS-Lite), 136

prefix delegation. See PD DHCPv6 address/prefix assignment, 236 DHCPv6 address/prefix lease renewal, 237 DHCPv6 client IPv6 address+prefix acquisition, 265 DHCPv6 client IPv6 prefix acquisition, 265 DHCPv6 dynamic prefix allocation, 242 DHCPv6 IPv6 address assignment, 240 DHCPv6 IPv6 address/prefix allocation sequence, 242 DHCPv6 IPv6 prefix assignment, 240 DHCPv6 server dynamic IPv6 prefix assignment, 252 DHCPv6 server IPv6 prefix assignment, 243 DHCPv6 static prefix allocation, 242 IPv6 static prefix configuration, 213 stateless DHCPv6, 238

procedure advertising DHCP client subnets assignment, 54 advertising DHCPv6 client subnets, 249 AFT ToS field setting, 437 AFT Traffic Class field setting, 437 applying DDNS client policy to interface, 119 applying DHCP address pool on interface, 49 applying DHCP address pool to VPN instance, 55 applying DHCPv6 address pool to a VPN instance, 250 applying WAAS policy to interface, 420 assigning IP addressing interface address, 25 assigning IPv6 interface addresses, 211

binding DHCP gateways to common MAC address, 53 configuring 6to4 relay, 301 configuring 6to4 tunnel, 298, 299 configuring ADVPN, 337 configuring ADVPN (IPv4 full-mesh NAT traversal), 408 configuring ADVPN (IPv4 full-mesh), 349 configuring ADVPN (IPv4 hub-spoke), 364 configuring ADVPN (IPv4 multi-hub-group), 379 configuring ADVPN (IPv6 full-mesh), 356 configuring ADVPN (IPv6 hub-spoke), 372 configuring ADVPN (IPv6 multi-hub-group), 393 configuring ADVPN AAA, 337 configuring ADVPN domain, 338 configuring ADVPN hub group, 339 configuring ADVPN hub group hub private address, 339 configuring ADVPN hub group spoke private address range, 339 configuring ADVPN routing, 347 configuring ADVPN tunnel interface, 345 configuring ADVPN tunnel IPsec, 347 configuring ADVPN VAM client, 342 configuring ADVPN VAM server, 337 configuring ADVPN VAM server authentication method, 341 configuring ADVPN VAM server keepalive parameters, 341 configuring ADVPN VAM server port number, 340 configuring ADVPN VAM server pre-shared key, 338 configuring ADVPN VAM server retry timer, 342 configuring AFT, 433 configuring AFT (between IPv4 network and IPv6 network), 443 configuring AFT (IPv4 Internet to IPv6 server), 442 configuring AFT (IPv4 network to IPv6 Internet), 445 configuring AFT (IPv6 Internet to IPv4 server), 448 configuring AFT (IPv6 network to IPv4 Internet), 439 configuring AFT logging, 437

configuring ARP dynamic entry aging timer, 5 configuring ARP fast-reply, 15 configuring ARP long static entry, 7 configuring ARP PnP, 18 configuring ARP short static entry, 8 configuring ARP static entry, 3 configuring ARP suppression, 21 configuring automatic IPv4-compatible IPv6 tunnel, 297, 297 configuring common proxy ARP, 13 configuring DDNS (PeanutHull server), 121 configuring DDNS (www.3322.org), 120 configuring DDNS client, 117 configuring DDNS client policy, 117 configuring DHCP address pool usage alarm, 53 configuring DHCP binding auto backup, 52 configuring DHCP BOOTP client, 94 configuring DHCP BOOTP client address acquisition, 93 configuring DHCP client, 80 configuring DHCP client ID (interface), 78 configuring DHCP IP address conflict detection, 50 configuring DHCP relay address pool, 73 configuring DHCP relay agent, 67, 75 configuring DHCP relay agent IP address release, 71 configuring DHCP relay agent Option 82, 71, 76 configuring DHCP relay agent security functions, 69 configuring DHCP server, 39, 57 configuring DHCP server address pool, 40 configuring DHCP server BOOTP response format, 52 configuring DHCP server compatibility, 51 configuring DHCP server IP address dynamic assignment, 58 configuring DHCP server IP address static assignment, 57 configuring DHCP server option customization, 63 configuring DHCP server response broadcast, 51 configuring DHCP server subnet, 62 configuring DHCP server to ignore BOOTP requests, 51 configuring DHCP server user class, 60 configuring DHCP server user class whitelist, 61 configuring DHCP snooping, 85, 90 configuring DHCP snooping basics, 86, 90

configuring DHCP snooping entry auto backup, 87 configuring DHCP snooping Option 82, 86, 91 configuring DHCP user class whitelist, 48 configuring DHCP voice client Option 184 parameters, 46 configuring DHCPv6 binding auto backup, 248 configuring DHCPv6 client, 264, 266 configuring DHCPv6 client IPv6 address acquisition, 264, 266 configuring DHCPv6 client IPv6 address+prefix acquisition, 265, 269 configuring DHCPv6 client IPv6 prefix acquisition, 265, 268 configuring DHCPv6 client stateless, 265 configuring DHCPv6 client stateless DHCPv6, 271 configuring DHCPv6 relay address pool, 260 configuring DHCPv6 relay agent, 258, 261 configuring DHCPv6 server, 243 configuring DHCPv6 server dynamic IPv6 address assignment, 254 configuring DHCPv6 server dynamic IPv6 prefix assignment, 252 configuring DHCPv6 server IPv6 address assignment, 244 configuring DHCPv6 server IPv6 prefix assignment, 243 configuring DHCPv6 server logging, 250 configuring DHCPv6 server network parameters (address pool), 246 configuring DHCPv6 server network parameters (option group), 247 configuring DHCPv6 server network parameters assignment, 246 configuring DHCPv6 server on interface, 247 configuring DHCPv6 snooping, 276, 280 configuring DHCPv6 snooping basics, 277 configuring DHCPv6 snooping entry auto backup, 278 configuring DHCPv6 snooping Option 18, 277 configuring DHCPv6 snooping Option 37, 277 configuring DNS, 98 configuring DNS network mode tracking, 102 configuring DNS proxy, 101 configuring DNS spoofing, 101 configuring DNS trusted interface, 103

configuring DS-Lite tunnel, 311, 312 configuring gratuitous ARP, 10 configuring GRE/IPv4 tunnel, 322 configuring GRE/IPv6 tunnel, 323 configuring IP addressing, 27 configuring IP addressing IP unnumbered, 26, 29 configuring IP services IRDP, 183, 184 configuring IPPO directed broadcast receive/forward, 187 configuring IPPO ICMP error message rate limit, 192 configuring IPPO interface MTU, 188 configuring IPPO interface TCP MSS, 188 configuring IPPO TCP buffer size, 190 configuring IPPO TCP path MTU discovery, 188 configuring IPPO TCP timer, 190 configuring IPv4 DNS client, 98 configuring IPv4 DNS client dynamic domain name resolution, 99, 105 configuring IPv4 DNS client static domain name resolution, 98, 104 configuring IPv4 DNS proxy, 107 configuring IPv4/IPv4 GRE tunnel, 326 configuring IPv4/IPv4 tunnel, 306, 307 configuring IPv4/IPv6 GRE tunnel, 328 configuring IPv4/IPv6 manual tunnel, 308, 309 configuring IPv4-to-IPv6 destination address translation policy, 436 configuring IPv4-to-IPv6 source address translation policy, 436 configuring IPv6 anycast address, 214 configuring IPv6 basic settings, 210 configuring IPv6 basics, 230 configuring IPv6 DNS client, 99 configuring IPv6 DNS client dynamic domain name resolution, 100, 109 configuring IPv6 DNS client static domain name resolution, 99, 108 configuring IPv6 DNS proxy, 114 configuring IPv6 dynamic path MTU aging timer, 223 configuring IPv6 EUI-64 address, 211 configuring IPv6 global unicast address, 211 configuring IPv6 ICMPv6 error message rate limit, 223


configuring IPv6 interface link-local address automatic generation, 213 configuring IPv6 interface MTU, 222 configuring IPv6 link-local address, 213 configuring IPv6 load sharing (bandwidth-based), 226 configuring IPv6 max number NS message sent attempts, 218 configuring IPv6 ND, 214 configuring IPv6 ND dynamic neighbor entries max number, 215 configuring IPv6 ND stale state entry aging timer, 215 configuring IPv6 ND static neighbor entry, 214 configuring IPv6 ND suppression, 220, 234 configuring IPv6 path MTU discovery, 222 configuring IPv6 RA message parameters, 216, 217 configuring IPv6 stateless address with autoconfiguration, 211 configuring IPv6 static path MTU, 223 configuring IPv6 static prefix, 213 configuring IPv6/IPv4 manual tunnel, 294, 295 configuring IPv6/IPv6 tunnel, 314, 315 configuring IPv6-to-IPv4 destination address translation policy, 434 configuring IPv6-to-IPv4 source address translation policy, 435 configuring ISATAP tunnel, 303, 304 configuring Layer 3 virtual tunnel interface, 292 configuring NAT, 129 configuring NAT (bidirectional/external-internal access/domain name), 153 configuring NAT (dynamic inbound), 133 configuring NAT (dynamic outbound), 132 configuring NAT (dynamic outbound/non-overlapping addresses), 141 configuring NAT (dynamic), 131 configuring NAT (outbound bidirectional), 144 configuring NAT (static inbound 1\1), 130 configuring NAT (static inbound net-to-net), 131 configuring NAT (static outbound 1\1), 129, 140 configuring NAT (static outbound net-to-net), 130 configuring NAT (static), 129

configuring NAT hairpin, 137 configuring NAT hairpin (C/S mode), 156 configuring NAT hairpin (P2P mode), 159 configuring NAT server, 134 configuring NAT server (ACL-based), 136 configuring NAT server (common), 134 configuring NAT server (external-internal access), 147 configuring NAT server (external-internal access/domain name), 150 configuring NAT server (load sharing), 135, 165 configuring NAT session logging, 138 configuring NAT+ALG, 138 configuring NAT+DNS mapping, 137, 167 configuring NAT444 (DS-Lite), 136, 170 configuring TFO blacklist autodiscovery, 421 configuring TFO parameters, 421 configuring tunneling, 292 configuring twice NAT, 162 configuring UDP helper, 199 configuring UDP helper broadcast to multicast conversion, 197, 200 configuring UDP helper broadcast to unicast conversion, 196, 199 configuring UDP helper multicast to broadcast conversion, 201 configuring UDP helper multicast to broadcast/unicast conversion, 198 configuring WAAS class, 419 configuring WAAS policy, 420 controlling IPv6 ICMPv6 message send, 223 creating ADVPN hub group, 339 creating ADVPN VAM client, 343 creating DHCP server address pool, 40 customizing DHCP options, 47 deleting all WAAS settings, 422 displaying ADVPN, 347 displaying AFT, 437 displaying ARP, 6 displaying ARP PnP, 18 displaying ARP suppression, 21 displaying DDNS, 120 displaying DHCP BOOTP client, 94 displaying DHCP client, 79 displaying DHCP relay agent, 75 displaying DHCP server, 56


displaying DHCP snooping, 90 displaying DHCPv6 client, 266 displaying DHCPv6 server, 251 displaying GRE, 325 displaying IP addressing, 27 displaying IP forwarding FIB table entries, 174 displaying IP services DHCPv6 relay agent, 261 displaying IP services DHCPv6 snooping, 280 displaying IP services fast forwarding, 178 displaying IPPO, 193 displaying IPv4 DNS, 103 displaying IPv6 basics, 227 displaying IPv6 fast forwarding, 283 displaying NAT, 138 displaying proxy ARP, 13 displaying tunneling configuration, 316 displaying UDP helper, 199 displaying WAAS, 422 enabling ADVPN VAM client, 343 enabling ADVPN VAM server, 338 enabling AFT, 434 enabling ARP dynamic entry check, 5 enabling ARP logging, 5 enabling common proxy ARP, 12 enabling DHCP, 49 enabling DHCP client (interface), 78 enabling DHCP client duplicated address detection, 79 enabling DHCP Option 82 handling, 50 enabling DHCP relay agent client offline detection, 74 enabling DHCP relay agent entry periodic refresh, 69 enabling DHCP relay agent on interface, 68 enabling DHCP relay agent relay entry recording, 69 enabling DHCP relay agent server proxy, 72 enabling DHCP relay agent starvation attack protection, 70 enabling DHCP server client offline detection, 55 enabling DHCP server logging, 56 enabling DHCP server on interface, 49 enabling DHCP snooping starvation attack protection, 88

enabling DHCP-REQUEST message attack protection, 89 enabling DHCPv6 relay agent on interface, 258 enabling DHCPv6-REQUEST check, 279 enabling direct route advertisement, 221 enabling gratuitous ARP IP conflict notification, 10 enabling IPPO directed broadcast receive/forward, 186 enabling IPPO ICMP error message send, 190 enabling IPPO IPv4 local fragment reassembly, 193 enabling IPPO TCP SYN cookie, 189 enabling IPv6 ICMPv6 destination unreachable message send, 224 enabling IPv6 ICMPv6 redirect message send, 225 enabling IPv6 ICMPv6 time exceeded message send, 225 enabling IPv6 local fragment reassembly, 226 enabling IPv6 multicast echo request reply, 224 enabling IPv6 ND proxy, 219 enabling IPv6 RA message send, 217 enabling local proxy ARP, 12 maintaining ADVPN, 347 maintaining AFT, 437 maintaining ARP, 6 maintaining ARP suppression, 21 maintaining DHCP relay agent, 75 maintaining DHCP server, 56 maintaining DHCP snooping, 90 maintaining DHCPv6 client, 266 maintaining DHCPv6 server, 251 maintaining DHCPv6 snooping, 280 maintaining GRE, 325 maintaining IP services DHCPv6 relay agent, 261 maintaining IP services fast forwarding, 178 maintaining IPPO, 193 maintaining IPv4 DNS, 103 maintaining IPv6 basics, 227 maintaining IPv6 fast forwarding, 283 maintaining NAT, 138 maintaining tunneling configuration, 316 maintaining UDP helper, 199 maintaining WAAS, 422 minimizing IPv6 ND link-local entry, 216 restoring all WAAS settings, 422 setting ADVPN VAM client dumb timer, 344


setting ADVPN VAM client retry timer/times, 344 setting ADVPN VAM client username+password, 345 setting ARP dynamic entry max (device), 4 setting ARP dynamic entry max (interface), 4 setting DDNS outgoing packet DSCP value, 119 setting DHCP client packet DSCP value, 79 setting DHCP relay agent packet DSCP value, 72 setting DHCP server packet DSCP value, 52 setting DHCP snooping entry max, 89 setting DHCPv6 client packet DSCP value, 265 setting DHCPv6 packet DSCP value, 248 setting DHCPv6 relay agent packet DSCP value, 259 setting DHCPv6 snooping entry max, 279 setting DNS outgoing packet DSCP value, 103 setting IPv6 ND hop limit, 216 specifying ADVPN ACL to control establishing spoke-to-spoke tunnel, 340 specifying ADVPN VAM client domain, 343 specifying ADVPN VAM client pre-shared key, 344 specifying ADVPN VAM client server, 343 specifying ADVPN VAM server authentication algorithm, 341 specifying ADVPN VAM server encryption algorithm, 341 specifying DHCP client auto-configuration file, 45 specifying DHCP client BIMS server information, 45 specifying DHCP client DNS server, 44 specifying DHCP client domain name suffix, 44 specifying DHCP client gateway, 43 specifying DHCP client server, 46 specifying DHCP client WINS server, 44 specifying DHCP relay agent client gateway address, 74 specifying DHCP relay agent server, 68 specifying DHCP relay agent source/gateway address, 74 specifying DHCP server address pool IP address range, 40 specifying DHCPv6 client gateway address, 260

specifying DHCPv6 relay agent Interface-ID option padding mode, 259 specifying DHCPv6 relay agent server, 258 specifying DNS packet source interface, 102 specifying flow classification policy, 179 specifying IPPO ICMP packet source address, 192 specifying IPv6 ICMPv6 packet source address, 225 specifying IPv6 interface link-local address manually, 213 specifying DHCP client NetBIOS node type, 44 troubleshooting DHCP address conflict, 65 troubleshooting GRE hosts cannot ping each other, 330 troubleshooting IPv4 DNS incorrect IP address, 115 troubleshooting IPv6 address cannot be pinged, 235 troubleshooting IPv6 DNS incorrect IP address, 115 troubleshooting tunnel cannot come up, 317

process AFT, 431 AFT from IPv4 to IPv6, 432 AFT from IPv6 to IPv4, 431

protecting DHCP relay agent starvation attack protection, 70 DHCP snooping starvation attack protection, 88 DHCP-REQUEST message attack protection, 89

protocols and standards BOOTP, 93 DHCP, 36 DHCP overview, 31 DHCPv6, 238 GRE, 321 IP services IRDP, 183 IPv6, 209 IRDP configuration, 182, 183 tunneling, 291 WAAS, 419

proxy ARP common proxy ARP configuration, 13 common proxy ARP enable, 12 configuration, 12 displaying, 13 local proxy ARP enable, 12

proxying DHCP relay agent server, 72 DNS proxy, 96


DNS proxy configuration, 101 DNS spoofing, 97 DNS spoofing configuration, 101 IP services IRDP proxy-advertised IP address, 182 IPv4 DNS proxy configuration, 107 IPv6 DNS proxy configuration, 114 IPv6 ND proxy enable, 219

PSK ADVPN VAM client configuration, 342 ADVPN VAM client pre-shared key, 344 ADVPN VAM server configuration, 337 ADVPN VAM server pre-shared key, 338

Q

QoS AFT ToS field setting, 437 AFT Traffic Class field setting, 437

R

rapid assignment (2 messages), 236

rate limit IPPO ICMP error message rate limit, 192

rate limiting IPv6 ICMPv6 error message rate limit, 223

reassembling IPPO IPv4 local fragment reassembly, 193 IPv6 local fragment reassembly, 226

receiving IPPO directed broadcast receive/forward, 186

redirecting IPv6 ND, 207

registrating ADVPN registration, 335

relay agent DHCP configuration, 66, 67 DHCP enable, 68 DHCP enable on interface, 68 DHCP IP address release, 71 DHCP operation, 66 DHCP Option 82, 34, 36 DHCP Option 82 configuration, 71 DHCP Option 82 support, 67 DHCP overview, 31 DHCP relay address pool configuration, 73 DHCP relay agent client gateway address, 74 DHCP relay agent client offline detection, 74

DHCP relay agent configuration, 75 DHCP relay agent Option 82, 76 DHCP relay agent packet DSCP value, 72 DHCP relay agent source/gateway address, 74 DHCP relay entry periodic refresh, 69 DHCP relay entry recording, 69 DHCP security functions, 69 DHCP server proxy, 72 DHCP server specification on relay agent, 68 DHCP snooping configuration, 83, 85, 90 DHCP starvation attack protection, 70 DHCPv6 client gateway address, 260 DHCPv6 configuration, 257, 258, 261 DHCPv6 DUID, 241 DHCPv6 enable on interface, 258 DHCPv6 Interface-ID option padding mode, 259 DHCPv6 relay address pool configuration, 260 DHCPv6 relay agent packet DSCP value, 259 DHCPv6 relay agent server, 258 DHCPv6 snooping Option 18, 275 display, 75, 261 maintain, 75, 261 troubleshooting DHCP configuration, 77

releasing DHCP relay agent IP address release, 71

reserved DHCP Option 184, 34, 36

resolving DDNS client configuration, 117 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DNS configuration, 95, 98 DNS dynamic domain name resolution, 95 DNS static domain name resolution, 95 IPv4 DNS client dynamic domain name resolution, 99, 105 IPv4 DNS client static domain name resolution, 98, 104 IPv4 DNS configuration, 104 IPv6 DNS client dynamic domain name resolution, 100, 109 IPv6 DNS client static domain name resolution, 99, 108 IPv6 DNS configuration, 108

restoring all WAAS settings, 422


restrictions DHCPv6 client configuration, 264 dynamic NAT configuration, 132 UDP helper configuration, 196

retry ADVPN VAM client retry timer/times, 344 ADVPN VAM server retry timer configuration, 342

RIP ADVPN routing configuration, 347

RIPng ADVPN routing configuration, 347

route IP forwarding optimal route selection, 173

router IPPO directed broadcast receive/forward configuration, 187 IPv6 basics configuration, 230 IPv6 ND router/prefix discovery, 207

routing ADVPN routing configuration, 347 DDNS client configuration, 117 DDNS client policy, 117 DDNS client policy application, 119 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DDNS outgoing packet DSCP value, 119 DHCP snooping configuration, 83 DHCP snooping trusted port, 84 DHCP snooping untrusted port, 84 DHCPv6 snooping configuration, 274, 280 DHCPv6 snooping configuration, 276 DNS configuration, 95, 98 DNS outgoing packet DSCP value, 103 DNS packet source interface, 102 DNS proxy, 96 DNS proxy configuration, 101 DNS spoofing configuration, 101 DNS trusted interface, 103 GRE configuration, 318, 326 GRE/IPv4 tunnel configuration, 322 GRE/IPv6 tunnel configuration, 323 IP address classes, 24 IP addressing configuration, 24, 27, 27 IP addressing interface address, 25

IP addressing IP unnumbered, 26 IP addressing IP unnumbered configuration, 29 IP addressing masking, 25 IP addressing subnetting, 25 IP forwarding, 173 IP forwarding optimal route selection, 173 IP services fast forwarding aging time configuration, 177 IP services fast forwarding configuration, 177 IP services fast forwarding load sharing configuration, 177 IP services IRDP configuration, 182, 183, 184 IPPO (IPPO), 186 IPPO directed broadcast receive/forward, 186 IPPO directed broadcast receive/forward configuration, 187 IPPO ICMP error message send, 190 IPPO interface MTU configuration, 188 IPPO interface TCP MSS configuration, 188 IPPO TCP buffer size, 190 IPPO TCP path MTU discovery, 188 IPPO TCP SYN cookie, 189 IPPO TCP timer, 190 IPv4 DNS client configuration, 98 IPv4 DNS configuration, 104 IPv4 DNS proxy configuration, 107 IPv4/IPv4 GRE tunnel, 326 IPv4/IPv6 GRE tunnel, 328 IPv6 DNS client configuration, 99 IPv6 DNS configuration, 108 IPv6 DNS proxy configuration, 114 IPv6 fast forwarding aging time configuration, 282 IPv6 fast forwarding load sharing configuration, 283 special IP addresses, 25

rule NAT translation control, 124

Rule ARP Rule entry, 3

S

security ADVPN tunnel IPsec configuration, 347 ADVPN VAM client username+password, 345 DHCP relay agent entry periodic refresh, 69 DHCP relay agent IP address release, 71


DHCP relay agent relay entry recording, 69 DHCP relay agent security functions, 69 DHCP relay agent starvation attack protection, 70 DHCP snooping basic configuration, 86 DHCP snooping configuration, 83, 85, 90 DHCP snooping entry auto backup, 87 DHCP snooping starvation attack protection, 88 DHCP-REQUEST message attack protection, 89 DHCPv6 snooping basic configuration, 277 DHCPv6 snooping configuration, 274, 276, 280 DHCPv6 snooping entry auto backup, 278 DHCPv6 snooping entry max, 279 DHCPv6 snooping Option 18 configuration, 277 DHCPv6 snooping Option 37 configuration, 277 DHCPv6-REQUEST check, 279 GRE checksum feature, 319 GRE key feature, 319

selecting DHCP address pool, 38 DHCPv6 address pool selection, 242 IP forwarding optimal route selection, 173

sending DHCP server BOOTP response format, 52

server ADVPN VAM client server, 343 AFT server, 431 DHCP address pool, 40 DHCP address pool creation, 40 DHCP address pool IP address range, 40 DHCP client auto-configuration file, 45 DHCP client BIMS server information, 45 DHCP client gateway specification, 43 DHCP client NetBIOS node type, 44 DHCP client offline detection, 55 DHCP client server specification, 46 DHCP client WINS server, 44 DHCP compatibility configuration, 51 DHCP configuration, 37, 39, 57 DHCP logging, 56 DHCP relay agent server, 68, 72 DHCP server BOOTP request ignore, 51 DHCP server BOOTP response format, 52

DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server option customization, 63 DHCP server packet DSCP value, 52 DHCP server response broadcast, 51 DHCP server subnet, 62 DHCP server user class, 60 DHCP server user class whitelist, 61 DHCP voice client Option 184 parameters, 46 DHCPv6 address pool, 241 DHCPv6 configuration, 240, 243, 252 DHCPv6 configuration on interface, 247 DHCPv6 DUID, 241 DHCPv6 dynamic IPv6 address assignment, 254 DHCPv6 dynamic IPv6 prefix assignment, 252 DHCPv6 IPv6 address assignment, 244 DHCPv6 IPv6 prefix assignment, 243 DHCPv6 network parameters (address pool), 246 DHCPv6 network parameters (option group), 247 DHCPv6 network parameters assignment, 246 DHCPv6 packet DSCP value, 248 DHCPv6 PD, 241 DHCPv6 relay agent server, 258 NAT server, 125 VAM server enable, 338

services DHCP snooping entry max, 89

session NAT session logging, 138

setting ADVPN VAM client dumb timer, 344 ADVPN VAM client retry timer/times, 344 AFT ToS field, 437 AFT Traffic Class field, 437 ARP dynamic entry max (device), 4 ARP dynamic entry max (interface), 4 DDNS packet DSCP value, 119 DHCP client packet DSCP value, 79 DHCP relay agent packet DSCP value, 72 DHCP server packet DSCP value, 52 DHCP snooping entry max, 89 DHCPv6 client packet DSCP value, 265 DHCPv6 packet DSCP value, 248 DHCPv6 relay agent packet DSCP value, 259 DHCPv6 snooping entry max, 279


DNS outgoing packet DSCP value, 103 IPv6 ND dynamic neighbor entries max number, 215 IPv6 ND hop limit, 216 IPv6 ND stale state entry aging timer, 215

snooping DHCP snooping configuration, 83, 85, 90 DHCP snooping Option 82 configuration, 91 DHCP snooping Option 82 support, 85 DHCPv6 snooping configuration, 274, 280 DHCPv6 snooping configuration, 276

soliciting IP services IRDP router solicitation (RS), 182

source IPPO ICMP packet source address, 192 IPv6 ICMPv6 packet source address, 225

source address IPv4-to-IPv6 source address translation policy configuration, 436 IPv6-to-IPv4 source address translation policy configuration, 435

special IP addresses, 25

specifying ADVPN ACL to control establishing spoke-to-spoke tunnel, 340 ADVPN VAM client domain, 343 ADVPN VAM client pre-shared key, 344 ADVPN VAM client server, 343 ADVPN VAM server authentication algorithm, 341 ADVPN VAM server encryption algorithm, 341 DHCP client auto-configuration file, 45 DHCP client BIMS server information, 45 DHCP client DNS server, 44 DHCP client domain name suffix, 44 DHCP client gateway, 43 DHCP client NetBIOS node type, 44 DHCP client server, 46 DHCP client WINS server, 44 DHCP relay agent client gateway address, 74 DHCP relay agent server, 68 DHCP relay agent source/gateway address, 74 DHCP server address pool IP address range, 40 DHCPv6 client gateway address, 260 DHCPv6 relay agent Interface-ID option padding mode, 259

DHCPv6 relay agent server, 258 DNS packet source interface, 102 flow classification policy, 179 IPPO ICMP packet source address, 192 IPv6 ICMPv6 packet source address, 225 IPv6 interface link-local address manually, 213

spoke ADVPN hub group spoke private address range, 339 ADVPN specifying ACL to control establishing spoke-to-spoke tunnel, 340

spoofing DNS, 97 DNS spoofing configuration, 101

starvation attack DHCP relay agent protection, 70 DHCP snooping protection, 88

stateless DHCPv6, 238 DHCPv6 client, 265

static AFT (static), 429 ARP table entry, 2 DHCP address allocation, 31, 37 DHCP server IP address assignment, 57 DHCPv6 static address allocation, 242 DHCPv6 static prefix allocation, 242 DNS domain name resolution, 95 IPv4 DNS client static domain name resolution, 98, 104 IPv6 DNS client static domain name resolution, 99, 108 IPv6 ND static neighbor entry, 214 IPv6 static path MTU, 223 NAT (static), 124 NAT configuration, 129 NAT configuration (static inbound 1\1), 130 NAT configuration (static inbound net-to-net), 131 NAT configuration (static outbound 1\1), 129 NAT configuration (static outbound net-to-net), 130

subnetting DHCP address pool VPN application, 55 DHCP client subnet advertisement, 54 DHCP server subnet, 62 DHCPv6 client subnet advertisement, 249 DHCPv6 relay agent configuration, 257, 261 IP addressing, 25


suffix DHCP client domain name suffix, 44 DNS client, 96 DNS trusted interface, 103

suppressing ARP suppression configuration, 20

switch IPv6 ND suppression configuration, 234

SYN IPPO TCP SYN cookie enable, 189 IPPO wait timer, 190

T

table ARP static entry, 3 IP forwarding FIB table entries, 174

TCP DRE compression process, 418 DRE decompression process, 418 IPPO buffer size, 190 IPPO interface TCP MSS configuration, 188 IPPO TCP path MTU discovery, 188 IPPO TCP SYN cookie, 189 IPPO TCP timer configuration, 190 TFO congestion algorithm optimization, 417 TFO increased buffering, 417 TFO selective acknowledgement, 417 TFO slow start optimization, 417 WAAS DRE, 418 WAAS TFO, 417

TCP/IP DDNS client configuration, 117 DDNS configuration, 116, 120 DDNS configuration (PeanutHull server), 121 DDNS configuration (www.3322.org), 120 DNS configuration, 95, 98 IPv4 DNS configuration, 104 IPv6 DNS configuration, 108

temporary DHCPv6 temporary address assignment, 244 DHCPv6 temporary IPv6 address, 240

terminology NAT device, 123 NAT entry, 123 NAT interface, 123

TFO configuring blacklist autodiscovery, 421 congestion algorithm optimization, 417 increased buffering, 417 selective acknowledgement, 417 slow start optimization, 417 WAAS policy configuration, 420

time IP services ICMPv6 time exceeded message, 225

timer ADVPN VAM client dumb timer, 344, 344 ADVPN VAM client retry timer/times, 344, 344 ADVPN VAM server retry timer configuration, 342 ARP dynamic entry aging timer, 5 IPPO TCP FIN wait timer, 190 IPPO TCP SYN wait timer, 190 IPv6 dynamic path MTU aging timer, 223 IPv6 ND stale state entry aging timer, 215

tracking DNS network mode tracking, 102

traditional NAT, 123

traffic Layer 3 virtual tunnel interface, 292

traffic engineering tunneling configuration, 284, 292

transition technologies, 208

Transport Flow Optimization. Use TFO

troubleshooting DHCP relay agent configuration, 77 DHCP server configuration, 65 GRE, 330 GRE hosts cannot ping each other, 330 IPv4 DNS configuration, 115 IPv4 DNS incorrect IP address, 115 IPv6 address cannot be pinged, 235 IPv6 basics configuration, 235 IPv6 DNS configuration, 115 IPv6 DNS incorrect IP address, 115 tunneling configuration, 317

trusted DHCP snooping trusted port, 84 DHCPv6 snooping trusted port, 274

tunneling, 284, See also GRE 6to4 relay configuration, 301 6to4 tunnel configuration, 298, 299 ADVPN ACL to control establishing spoke-to-spoke tunnel, 340


ADVPN configuration, 332, 337, 349 ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN configuration (IPv4 full-mesh), 349 ADVPN configuration (IPv4 hub-spoke), 364 ADVPN configuration (IPv4 multi-hub-group), 379 ADVPN configuration (IPv6 full-mesh), 356 ADVPN configuration (IPv6 hub-spoke), 372 ADVPN configuration (IPv6 multi-hub-group), 393 ADVPN tunnel interface configuration, 345 ADVPN tunnel IPsec configuration, 347 automatic IPv4-compatible IPv6 tunnel, 297, 297 command and hardware compatibility, 292 compatibility information, 292 configuration, 284, 292 display, 316 DS-Lite tunnel configuration, 311, 312 feature and hardware compatibility, 292 GRE configuration, 318, 326 GRE encapsulation format, 318 GRE operation, 318 GRE/IPv4 tunnel configuration, 322 GRE/IPv6 tunnel configuration, 323 IPv4/IPv4 GRE tunnel, 326 IPv4/IPv4 tunnel configuration, 306, 307 IPv4/IPv4 tunneling implementation, 286 IPv4/IPv6 GRE tunnel, 328 IPv4/IPv6 manual tunnel configuration, 308, 309 IPv4/IPv6 tunneling implementation, 287 IPv6 tunneling technology, 208 IPv6/IPv4 manual tunnel configuration, 294, 295 IPv6/IPv4 tunneling implementation, 284 IPv6/IPv6 tunnel configuration, 314, 315 IPv6/IPv6 tunneling implementation, 291 ISATAP tunnel configuration, 303, 304 Layer 3 virtual tunnel interface, 292 maintain, 316 protocols and standards, 291 troubleshoot configuration, 317 tunnel types, 285, 288

twice NAT, 124

type bidirectional NAT, 124 NAT Easy IP, 123 NAT EIM entry, 127 NAT NO-PAT entry, 127 NAT session entry, 126 traditional NAT, 123 twice NAT, 124

U

UDP helper broadcast to multicast conversion, 197, 200 broadcast to unicast conversion, 196, 199 configuration, 196, 199 configuration restrictions, 196 display, 199 feature and hardware compatibility, 196 IPPO (IPPO), 186 maintain, 199 multicast to broadcast conversion, 201 multicast to broadcast/unicast conversion, 198

unicast IPv6 address (global), 204 IPv6 address (link-local), 204 IPv6 address (loopback), 204 IPv6 address (unspecified), 204 IPv6 address global unicast configuration, 211 IPv6 address type, 203 UDP helper broadcast to unicast conversion, 196 UDP helper multicast to broadcast/unicast conversion, 198

unnumbered IP addressing IP unnumbered configuration, 26, 29

untrusted DHCP snooping untrusted port, 84

untrusted port DHCPv6 snooping untrusted port, 274

User Datagram Protocol. Use UDP

username ADVPN VAM client username+password, 345

V

VAM ADVPN configuration, 332, 337, 349 ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN configuration (IPv4 full-mesh), 349


ADVPN configuration (IPv4 hub-spoke), 364 ADVPN configuration (IPv4 multi-hub-group), 379 ADVPN configuration (IPv6 full-mesh), 356 ADVPN configuration (IPv6 hub-spoke), 372 ADVPN configuration (IPv6 multi-hub-group), 393 ADVPN domain creation, 338 client configuration, 342 client creation, 343 client domain configuration, 343 client dumb timer, 344 client enable, 343 client pre-shared key, 344 client retry timer/times, 344 client server configuration, 343 client username+password, 345 server authentication algorithm configuration, 341 server authentication method configuration, 341 server configuration, 337 server enable, 338 server encryption algorithm configuration, 341 server keepalive parameters configuration, 341 server port number configuration, 340 server retry timer configuration, 342

VAM server pre-shared key configuration, 338

vendor DHCP Option 43 vendor-specific, 34, 34

VLAN DHCP BOOTP client configuration, 93, 94 DHCP client configuration, 78, 80 DHCP relay agent, 75 DHCP relay agent configuration, 66, 67 DHCP relay agent Option 82, 76 DHCP server configuration, 37, 39, 57 DHCP server IP address dynamic assignment, 58 DHCP server IP address static assignment, 57 DHCP server option customization, 63 DHCP server user class, 60 DHCP snooping basic configuration, 90 DHCPv6 client configuration, 264, 264, 266 DHCPv6 client IPv6 address acquisition configuration, 266

DHCPv6 client IPv6 address+prefix acquisition configuration, 269 DHCPv6 client IPv6 prefix acquisition configuration, 268 DHCPv6 client stateless DHCPv6 configuration, 271 DHCPv6 relay agent configuration, 258 DHCPv6 snooping configuration, 274, 276, 280 UDP helper broadcast to multicast conversion, 197, 200 UDP helper broadcast to unicast conversion, 196, 199 UDP helper configuration, 196, 199 UDP helper multicast to broadcast conversion, 201 UDP helper multicast to broadcast/unicast conversion, 198

VPN ADVPN configuration, 332, 337, 349 ADVPN configuration (IPv4 full-mesh NAT traversal), 408 ADVPN configuration (IPv4 full-mesh), 349 ADVPN configuration (IPv4 hub-spoke), 364 ADVPN configuration (IPv4 multi-hub-group), 379 ADVPN configuration (IPv6 full-mesh), 356 ADVPN configuration (IPv6 hub-spoke), 372 ADVPN configuration (IPv6 multi-hub-group), 393 ADVPN structure, 332 DHCP address pool VPN application, 55 DHCPv6 address pool VPN application, 250 GRE application, 319 tunneling configuration, 284, 292 VRF-aware NAT, 127

VRF NAT, 127

W

WAAS class configuration, 419 command and hardware compatibility, 419 configuration, 417, 423 deleting all WAAS settings, 422 display, 422 DRE, 418 maintain, 422 policy application to interface, 420 policy configuration, 420 predefined WAAS policy configuration, 423


protocols and standards, 419 restoring all WAAS settings, 422 TFO, 417 TFO blacklist autodiscovery configuration, 421 TFO congestion algorithm optimization, 417 TFO increased buffering, 417 TFO parameter configuration, 421 TFO selective acknowledgement, 417 TFO slow start optimization, 417 user-defined WAAS policy configuration, 425

WAAS class configuring, 419

WAAS policy configuring, 420

WAN predefined WAAS policy configuration, 423 TFO congestion algorithm optimization, 417 TFO increased buffering, 417 TFO selective acknowledgement, 417 TFO slow start optimization, 417 user-defined WAAS policy configuration, 425 WAAS configuration, 417, 423 WAAS policy application to interface, 420

whitelist DHCP server user class whitelist, 61 DHCP user class whitelist, 48

Wide Area Application Services. Use WAAS

Windows DHCP BOOTP client configuration, 93, 94 DHCP client configuration, 78, 80 DHCP client WINS server, 44 Internet Naming Service. Use WINS