HP 6125XLG Blade Switch Layer 3—IP Services Configuration Guide Part number: 5998-3718 Software version: Release 2306 Document version: 6W100-20130912...
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents (excerpt)
DHCP relay agent support for Option 82 (page 51)
DHCP relay agent configuration task list (page 51)
Enabling DHCP (page 52)
Enabling the DHCP relay agent on an interface (page 52)
Specifying DHCP servers on a relay agent (page 52)
...
Configuring DNS (page 76)
Overview (page 76)
Static domain name resolution (page 76)
Dynamic domain name resolution (page 76)
DNS proxy (page 77)
DNS spoofing (page 78)
DNS configuration task list (page 79)
Configuring the IPv4 DNS client ...
Configuring TCP MSS for an interface (page 108)
Configuring TCP path MTU discovery (page 109)
Enabling TCP SYN Cookie (page 110)
Configuring the TCP buffer size (page 110)
Configuring TCP timers (page 111)
Enabling sending ICMP error packets (page 111)
...
Configuring ARP

This chapter describes how to configure the Address Resolution Protocol (ARP).

Overview

ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format

ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages.
If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information:
• Sender IP address and sender MAC address—Host A's IP address and MAC address
• Target IP address—Host B's IP address
• Target MAC address—An all-zero MAC address
All hosts on this subnet can receive the broadcast request, but only the requested host (Host B)
Static ARP entry A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry. Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry. Static ARP entries include long, short, and multiport ARP entries.
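As an added example (not code from this guide), the following Python builds and parses the Ethernet/IPv4 ARP request and reply described above and models an ARP table in which a dynamic entry never overwrites a static one. The RFC 826 field layout, the 28-byte payload and the learn/lookup helper names are this example's assumptions.

```python
"""ARP request/reply encoding plus a small ARP table model.

Added example, not code from the HP 6125XLG guide. It assumes RFC 826 ARP
over Ethernet/IPv4 (hardware type 1, protocol type 0x0800) and models the
guide's rule that a dynamic ARP entry never overwrites a static one.
"""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
# htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
_ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac: str) -> bytes:
    """Accept both aa:bb:cc:dd:ee:ff and the guide's aabb-ccdd-eeff notation."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_ip: str,
              target_mac: str = ZERO_MAC) -> bytes:
    """Build the 28-byte ARP payload. A request carries an all-zero target MAC."""
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP payload, rejecting anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        _ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha), "target_ip": str(IPv4Address(tpa))}


class ArpTable:
    """IP -> (MAC, is_static) mapping with the guide's static-entry protection."""

    def __init__(self):
        self._entries = {}

    def add_static(self, ip: str, mac: str) -> None:
        """Static entries are configured by hand, never age out and are never
        replaced by a mapping learned from a received ARP message."""
        self._entries[ip] = (mac_to_bytes(mac) and bytes_to_mac(mac_to_bytes(mac)), True)

    def learn(self, payload: bytes) -> bool:
        """Learn a dynamic entry from the sender fields of a received message.

        Returns True when the table now maps sender IP -> sender MAC, and
        False when the message conflicted with a static entry and was ignored.
        """
        msg = parse_arp(payload)
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        current = self._entries.get(ip)
        if current is not None and current[1]:
            return current[0] == mac      # static entry wins over the message
        self._entries[ip] = (mac, False)  # install or refresh a dynamic entry
        return True

    def lookup(self, ip: str):
        entry = self._entries.get(ip)
        return entry[0] if entry else None
```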
To configure a static ARP entry:
Step: Configure a static ARP entry. Use either command.
  • Configure a long static ARP entry:
    arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
  • Configure a short static ARP entry.
  Remarks: By default, no static ARP entry is configured.
The Layer-2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.
To set the maximum number of dynamic ARP entries that an interface can learn:
Step: Enter system view.
Step: Enable dynamic ARP entry check.
  Command: arp check enable
  Remarks: By default, dynamic ARP entry check is enabled.

Configuring ARP fast update

ARP fast update for MAC move allows the device to update an ARP entry immediately after the output interface for a MAC address changes.
Task: Display the ARP entry for a specific IP address.
  Command: display arp ip-address [ slot slot-number ] [ verbose ]
Task: Display the ARP entries for a specific VPN instance.
  Command: display arp vpn-instance vpn-instance-name [ count ]
Task: Display the aging timer for dynamic ARP entries.
  Command: display arp timer aging
# Create VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10
[Switch-vlan-interface10] ip address 192.168.1.2 8
[Switch-vlan-interface10] quit
# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface Ten-GigabitEthernet 1/1/5 in VLAN 10.
[Switch] arp static 192.168.1.1 00e0-fc01-0000 10 Ten-GigabitEthernet 1/1/5
# Display information about static ARP entries.
# Add Ten-GigabitEthernet 1/1/5, Ten-GigabitEthernet 1/1/6, and Ten-GigabitEthernet 1/1/7 to VLAN 10.
[Switch] interface Ten-GigabitEthernet 1/1/5
[Switch-Ten-GigabitEthernet1/1/5] port access vlan 10
[Switch-Ten-GigabitEthernet1/1/5] quit
[Switch] interface Ten-GigabitEthernet 1/1/6
[Switch-Ten-GigabitEthernet1/1/6] port access vlan 10
[Switch-Ten-GigabitEthernet1/1/6] quit
[Switch] interface Ten-GigabitEthernet 1/1/7
[Switch-Ten-GigabitEthernet1/1/7] port access vlan 10
[Switch-Ten-GigabitEthernet1/1/7] quit
# Create VLAN-interface 10 and specify its IP address.
Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, ...
• ...
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.
Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain. Proxy ARP includes common proxy ARP and local proxy ARP.
Common proxy ARP configuration example

Network requirements

As shown in Figure 6, Host A and Host D have the same IP prefix and mask, but they are located on different subnets separated by the switch (Host A belongs to VLAN 1, and Host D belongs to VLAN 2). No default gateway is configured on Host A and Host D.
After the configuration, Host A and Host D can ping each other.
Configuring ARP snooping

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. If you enable ARP snooping on a VLAN, ARP packets received by any interface in the VLAN are redirected to the CPU.
Configuring IP addressing

The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified. This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.
Class C: 192.0.0.0 to 223.255.255.255.
Class D: 224.0.0.0 to 239.255.255.255. Multicast addresses.
Class E: 240.0.0.0 to 255.255.255.255. Reserved for future use, except for the broadcast address 255.255.255.255.

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network.
Assigning an IP address to an interface

An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP or DHCP. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous address.
Configuration guidelines

Follow these guidelines when you configure IP unnumbered:
• An interface cannot borrow an IP address from an unnumbered interface.
• Multiple interfaces can use the same unnumbered IP address.
• If an interface has multiple manually configured IP addresses, only the manually configured primary ...
IP address configuration example

Network requirements

As shown in Figure 9, a port in VLAN 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through the switch, and to enable the hosts on the LAN to communicate with each other:
• Assign a primary IP address and a secondary IP address to VLAN-interface 1 on the switch.
Ping 172.16.1.2 (172.16.1.2): 56 data bytes, press CTRL_C to break
56 bytes from 172.16.1.2: icmp_seq=0 ttl=254 time=7.000 ms
56 bytes from 172.16.1.2: icmp_seq=1 ttl=254 time=0.000 ms
56 bytes from 172.16.1.2: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 172.16.1.2: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 172.16.1.2: icmp_seq=4 ttl=254 time=2.000 ms

--- Ping statistics for 172.16.1.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
...
DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 10 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
Dynamic IP address allocation process

Figure 11 Dynamic IP address allocation process

1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
DHCP message format

Figure 12 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 12 DHCP message format

• op—Message type defined in options field. 1 = REQUEST, 2 = REPLY
• htype, hlen—Hardware address type and length of the DHCP client.
DHCP options

DHCP uses the same message format as BOOTP, but DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information to clients.

Figure 13 DHCP option format

Common DHCP options

The following are common DHCP options:
• Option 3—Router option.
The DHCP client can obtain the following information through Option 43:
• ACS parameters, including the ACS URL, username, and password.
• PXE server address, which is used to obtain the boot file or other control information from the PXE server.
Relay agent option (Option 82)

Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server.
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4
...
Configuring the DHCP server

Overview

The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users ...
If the matching user class has no assignable addresses, the DHCP server matches the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command.
IP address allocation sequence

The DHCP server selects an IP address for a client in the following sequence:
1. IP address statically bound to the client's MAC address or ID.
2. IP address that was ever assigned to the client.
3. IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client. Option 50 is the Requested IP Address option.
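The allocation sequence above, as an added Python example rather than the switch's own implementation. The pool model (a static-binding table, a lease history, an excluded-address set standing in for dhcp server forbidden-ip, a conflict set) and the final fallback of "first free address in the pool's range" are this example's assumptions; the sequence itself follows the steps listed above.

```python
"""DHCP server address selection in the order the guide lists.

Added example, not the HP 6125XLG implementation. One address pool holds a
static binding table (client MAC/ID -> IP), a lease history and a dynamic
range, and select() applies the guide's order:
1. IP address statically bound to the client's MAC address or ID.
2. IP address that was previously assigned to the client.
3. IP address requested in Option 50 (Requested IP Address).
4. Otherwise the first free address in the range (this example's assumption).
The 'forbidden' set stands in for the guide's dhcp server forbidden-ip
command and 'conflicts' for addresses the server has detected in use.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


class DhcpPool:
    def __init__(self, network: str, range_start: str, range_end: str,
                 forbidden=(), static_bindings=None):
        self.network = IPv4Network(network)
        self.range_start = IPv4Address(range_start)
        self.range_end = IPv4Address(range_end)
        self.forbidden = {IPv4Address(a) for a in forbidden}
        self.static = {k: IPv4Address(v) for k, v in (static_bindings or {}).items()}
        self.leases = {}        # client id -> IPv4Address ever assigned to it
        self.conflicts = set()  # addresses found in use by some other host

    def record_conflict(self, ip: str) -> None:
        self.conflicts.add(IPv4Address(ip))

    def _assignable(self, ip: IPv4Address, client: str) -> bool:
        """In the subnet, not excluded, not statically bound to someone,
        not a known conflict, and not leased to a different client."""
        if ip not in self.network or ip in self.forbidden or ip in self.conflicts:
            return False
        if ip in (self.network.network_address, self.network.broadcast_address):
            return False
        if ip in self.static.values():
            return False
        owner = next((c for c, a in self.leases.items() if a == ip), None)
        return owner in (None, client)

    def select(self, client: str, requested_ip: Optional[str] = None):
        """Return the address to offer, or None when nothing is assignable."""
        # 1. Static binding by MAC address or client ID.
        if client in self.static:
            return self.static[client]
        # 2. Address ever assigned to this client.
        prev = self.leases.get(client)
        if prev is not None and self._assignable(prev, client):
            return prev
        # 3. Option 50 Requested IP Address, if it lies in the range and is free.
        if requested_ip:
            wanted = IPv4Address(requested_ip)
            if self.range_start <= wanted <= self.range_end and self._assignable(wanted, client):
                return wanted
        # 4. First free address in the dynamic range (assumption of this example).
        ip = self.range_start
        while ip <= self.range_end:
            if self._assignable(ip, client):
                return ip
            ip += 1
        return None

    def offer(self, client: str, requested_ip: Optional[str] = None) -> Optional[str]:
        """Select an address and record it as the client's lease."""
        ip = self.select(client, requested_ip)
        if ip is None:
            return None
        self.leases[client] = ip
        return str(ip)
```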
Tasks at a glance

Perform at least one of the following tasks:
• Specifying IP address ranges for a DHCP address pool
• Specifying gateways for the client
• Specifying a domain name suffix for the client
• Specifying DNS servers for the client
• ...
Step: Enter system view.
  Command: system-view
Step: Create a DHCP user class and enter DHCP user class view.
  Command: dhcp class class-name
  Remarks: Required for client classification. By default, no DHCP user class exists.
Step: Configure the match rule for the ...
  Command: if-match option option-code [ hex hex-string [ offset offset length length ...
  Remarks: Required for client classification. By default, no match rule is ...
request, the DHCP server selects an address from the primary subnet. If no assignable address is found, the server selects an address from the secondary subnets in the order they are configured. In scenarios where the DHCP server and the DHCP clients reside on different subnets and the DHCP clients obtain IP addresses through a DHCP relay agent, the DHCP server needs to use the same address pool to assign IP addresses to clients in different subnets.
Step: (Optional.) Exclude the specified IP addresses from dynamic allocation globally.
  Command: dhcp server forbidden-ip start-ip-address [ end-ip-address ]
  Remarks: Except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable by default. To exclude multiple address ranges globally, repeat this step.
The gateway-list command issued in DHCP address pool view specifies gateway addresses for all DHCP clients that obtain IP addresses from this address pool. To specify gateways for clients that obtain IP addresses from a secondary subnet, use the gateway-list command in secondary subnet view. If you specify gateways in both address pool view and secondary subnet view, DHCP preferentially assigns the gateway addresses specified in the secondary subnet view to the clients on the secondary subnet.
Specifying WINS servers and NetBIOS node type for the client

A Microsoft DHCP client using the NetBIOS protocol must contact a WINS server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool. In addition, you must specify a NetBIOS node type, which determines how the clients perform name resolution.
Specifying the TFTP server and boot file name for the client

To implement client auto-configuration, you must specify the IP address or name of a TFTP server and the boot file name for the clients; no configuration is needed on the DHCP clients themselves. A DHCP client obtains these parameters from the DHCP server, and uses them to contact the TFTP server to get the configuration file used for system initialization.
Configuring Option 184 parameters for the client

To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184."
To configure Option 184 parameters in a DHCP address pool:
...
Step: Enable the DHCP server on the interface.
  Command: dhcp select server
  Remarks: By default, the DHCP server on the interface is enabled.

Applying an address pool on an interface

Perform this task to apply a DHCP address pool on an interface. Upon receiving a DHCP request from the interface, the DHCP server assigns configuration parameters from the address pool to the client.
Enabling handling of Option 82

Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request with Option 82, the DHCP server adds Option 82 into the DHCP response. If you disable Option 82 handling on the DHCP server, it does not add Option 82 into the response message. You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure normal operation of Option 82.
To configure the DHCP server to ignore BOOTP requests:
Step: Enter system view.
  Command: system-view
Step: Configure the DHCP server to ignore BOOTP requests.
  Command: dhcp server bootp ignore
  Remarks: By default, the DHCP server processes BOOTP requests.

Configuring the DHCP server to send BOOTP responses in RFC 1048 format

Not all BOOTP clients can send requests compatible with RFC 1048.
Task: Display information about DHCP address pools.
  Command: display dhcp server pool [ pool-name ]
Task: Clear information about IP address conflicts.
  Command: reset dhcp server conflict [ ip ip-address ]
Task: Clear information about lease-expired IP addresses.
  Command: reset dhcp server expired [ ip ip-address | pool pool-name ]
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 25
[SwitchA-Vlan-interface2] quit
Configure the DHCP server:
# Enable DHCP.
[SwitchA] dhcp enable
# Enable the DHCP server on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] dhcp select server
[SwitchA-Vlan-interface2] quit
# Create DHCP address pool 0.
Figure 18 Network diagram

Configuration procedure

Configure the IP addresses of the VLAN interfaces. (Details not shown.)
Configure the DHCP server:
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Enable the DHCP server on VLAN-interface 10 and VLAN-interface 20.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] dhcp select server
[SwitchA-Vlan-interface10] quit
...
[SwitchA-dhcp-pool-2] domain-name aabbcc.com
[SwitchA-dhcp-pool-2] dns-list 10.1.1.2
[SwitchA-dhcp-pool-2] gateway-list 10.1.1.254

Verifying the configuration

After the preceding configuration is complete, clients on networks 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and other network parameters from Switch A. You can use the display dhcp server ip-in-use command on the DHCP server to view the IP addresses assigned to the clients.
[SwitchB-dhcp-class-tt] if-match option 82
[SwitchB-dhcp-class-tt] quit
# Create DHCP address pool aa, specify the address range for the address pool and the address range for user class tt. Specify gateway and DNS server address.
[SwitchB] dhcp server ip-pool aa
[SwitchB-dhcp-pool-aa] network 10.10.1.0 mask 255.255.255.0
[SwitchB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100
[SwitchB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10
[SwitchB-dhcp-pool-aa] gateway-list 10.10.1.254
...
# Configure DHCP address pool 0.
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[SwitchA-dhcp-pool-0] option 43 hex 800B0000020102030402020202

Verifying the configuration

After the preceding configuration is complete, Switch B can obtain its IP address on 10.1.1.0/24 and the PXE server addresses from Switch A.
Configuring the DHCP relay agent

Overview

The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server on each subnet, which centralizes management and reduces investment. Figure 21 shows a typical application of the DHCP relay agent.
Figure 22 DHCP relay agent operation

DHCP relay agent support for Option 82

Option 82 records the location information about the DHCP client. It enables the administrator to locate the DHCP client for security and accounting purposes, and to assign IP addresses in a specific range to clients.
Tasks at a glance
(Optional.) Configuring the DHCP relay agent to release an IP address
(Optional.) Configuring Option 82

Enabling DHCP

You must enable DHCP to validate other DHCP relay agent settings.
To enable DHCP:
Step: Enter system view.
  Command: system-view
Step: Enable DHCP.
To specify a DHCP server address on a relay agent:
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Specify a DHCP server address on the relay agent.
  Command: dhcp relay server-address
  Remarks: By default, no DHCP server address is specified on the relay agent.
Step: Enable periodic refresh of dynamic relay entries.
  Command: dhcp relay client-information refresh enable
  Remarks: By default, periodic refresh of dynamic relay entries is enabled.
Step: Configure the refresh interval.
  Command: dhcp relay client-information refresh ...
  Remarks: By default, the refresh interval is auto, which is calculated based ...
Configuring the DHCP relay agent to release an IP address Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and meanwhile deletes the relay entry. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.
Displaying and maintaining the DHCP relay agent

Execute display commands in any view and reset commands in user view.
Task: Display information about DHCP servers specified on the DHCP relay agent interface.
  Command: display dhcp relay server-address [ interface interface-type interface-number ]
Task: Display Option 82 configuration information on the DHCP relay agent.
  Command: display dhcp relay information [ interface interface-type ...
Configuring the DHCP client

With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported on VLAN interfaces and management Ethernet interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
Configuring a DHCP client ID for an interface

A DHCP client ID is carried in DHCP Option 61. A DHCP server can assign IP addresses to specific clients based on the DHCP client ID. Make sure the IDs for different DHCP clients are unique.
To configure a DHCP client ID for an interface:
...
Displaying and maintaining the DHCP client

Execute display commands in any view.
Task: Display DHCP client information.
  Command: display dhcp client [ verbose ] [ interface interface-type interface-number ]

DHCP client configuration example

Network requirements

As shown in Figure 25, on a LAN, Switch B contacts the DHCP server through VLAN-interface 2 to obtain an IP address, DNS server address, and static route information.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 24
[SwitchA-Vlan-interface2] quit
# Enable the DHCP service.
[SwitchA] dhcp enable
# Exclude an IP address from dynamic allocation.
[SwitchA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
Destination/Mask    Proto   Cost  NextHop     Interface
0.0.0.0/32          Direct  0     127.0.0.1   InLoop0
10.1.1.0/24         Direct  0     10.1.1.3    Vlan2
10.1.1.0/32         Direct  0     10.1.1.3    Vlan2
10.1.1.3/32         Direct  0     127.0.0.1   InLoop0
10.1.1.255/32       Direct  0     10.1.1.3    Vlan2
20.1.1.0/24         Static  70    10.1.1.2    Vlan2
127.0.0.0/8         Direct  0     127.0.0.1   InLoop0
127.0.0.0/32        Direct  0     127.0.0.1   ...
Configuring DHCP snooping

DHCP snooping works between the DHCP client and server, or between the DHCP client and relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent.
Figure 26 Trusted and untrusted ports

In a cascaded network as shown in Figure 27, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries.

Figure 27 Trusted and untrusted ports in a cascaded network

DHCP snooping support for Option 82

Option 82 records the location information about the DHCP client so the administrator can locate the ...
Table 4 Handling strategies

If a DHCP request has Option 82, DHCP snooping applies the configured handling strategy:
• Drop: Drops the message.
• Keep: Forwards the message without changing Option 82.
• Replace: Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
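The three strategies in Table 4, as an added Python example that is not the switch's code. It operates on the DHCP options field (the bytes after the magic cookie) and uses the RFC 3046 Option 82 layout (sub-option 1 = circuit ID, sub-option 2 = remote ID); the sample requests and the circuit_id/remote_id strings are constructed for the example and stand in for the guide's string padding settings.

```python
"""DHCP snooping Option 82 handling: drop, keep or replace.

Added example, not the switch's code. It works on the DHCP options field
only (bytes after the 0x63825363 magic cookie) and uses the RFC 3046
layout of Option 82: sub-option 1 = circuit ID, sub-option 2 = remote ID.
The circuit_id/remote_id strings stand in for the guide's
'dhcp snooping information circuit-id string ...' and 'remote-id string ...'
settings. The sample requests below are constructed for this example.
"""
OPTION_PAD, OPTION_END = 0, 255
OPTION_MESSAGE_TYPE, OPTION_CLIENT_ID, OPTION_RELAY_AGENT = 53, 61, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(options: bytes):
    """Yield (code, value) pairs from a DHCP options field, stopping at END."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            return
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        yield code, value
        i += 2 + length


def encode_option(code: int, value: bytes) -> bytes:
    if len(value) > 255:
        raise ValueError("option value too long")
    return bytes([code, len(value)]) + value


def build_option82(circuit_id: str, remote_id: str) -> bytes:
    """Option 82 carrying a circuit ID and a remote ID sub-option."""
    sub = (encode_option(SUB_CIRCUIT_ID, circuit_id.encode())
           + encode_option(SUB_REMOTE_ID, remote_id.encode()))
    return encode_option(OPTION_RELAY_AGENT, sub)


def apply_option82_strategy(options: bytes, strategy: str,
                            circuit_id: str, remote_id: str):
    """Return the options field to forward, or None when the request is dropped.

    Follows Table 4: a request that already carries Option 82 is dropped,
    forwarded unchanged (keep), or has its Option 82 replaced. A request
    without Option 82 gets one inserted regardless of the strategy.
    """
    parsed = list(parse_options(options))
    has_82 = any(code == OPTION_RELAY_AGENT for code, _ in parsed)
    if has_82:
        if strategy == "drop":
            return None
        if strategy == "keep":
            return options
        if strategy != "replace":
            raise ValueError("unknown strategy %r" % strategy)
    kept = b"".join(encode_option(c, v) for c, v in parsed if c != OPTION_RELAY_AGENT)
    return kept + build_option82(circuit_id, remote_id) + bytes([OPTION_END])


def option82_fields(options: bytes):
    """Extract (circuit_id, remote_id) from a request, or None if absent."""
    for code, value in parse_options(options):
        if code == OPTION_RELAY_AGENT:
            subs = dict(parse_options(value + bytes([OPTION_END])))
            return (subs.get(SUB_CIRCUIT_ID, b"").decode(errors="replace"),
                    subs.get(SUB_REMOTE_ID, b"").decode(errors="replace"))
    return None


# Constructed samples: a DHCPDISCOVER (option 53 = 1) with a client ID, once
# without Option 82 and once with an Option 82 some upstream device inserted.
SAMPLE_NO_82 = (encode_option(OPTION_MESSAGE_TYPE, b"\x01")
                + encode_option(OPTION_CLIENT_ID, bytes.fromhex("0100e0fc010000"))
                + bytes([OPTION_END]))
SAMPLE_WITH_82 = (encode_option(OPTION_MESSAGE_TYPE, b"\x01")
                  + build_option82("upstream", "other-id")
                  + bytes([OPTION_END]))
```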
Step: Enter system view.
  Command: system-view
Step: Enable DHCP snooping.
  Command: dhcp snooping enable
  Remarks: By default, DHCP snooping is disabled.
Step: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: This interface is connected to the DHCP server.
Step: Specify the port as a trusted port.
  Command: dhcp snooping trust
  Remarks: By default, all ports are untrusted ports after DHCP snooping is enabled.
Step: (Optional.) Configure a handling strategy for DHCP requests containing Option 82.
  Command: dhcp snooping information strategy { drop | keep | replace }
  Remarks: By default, the handling strategy is replace.
Step: (Optional.) Configure the padding content and code type ...
  Command: dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | ...
  Remarks: By default, the padding format is normal and the ...
Step: (Optional.) Set the amount of time to wait after a DHCP snooping entry changes before updating the database file.
  Command: dhcp snooping binding database update interval seconds
  Remarks: The default interval is 300 seconds.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server.
compares the entry with the message information. If they are consistent, the message is considered as valid and forwarded to the DHCP server. If they are different, the message is considered as a forged message and is discarded. If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
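The consistency check just described, as an added Python example rather than the switch's implementation. It parses the fixed DHCP header fields from the "DHCP message format" section and yields the three outcomes above; keying the snooping entry on the client hardware address (chaddr) and comparing the client IP, VLAN and receiving port are this example's assumptions, and the sample entry and messages are constructed.

```python
"""DHCP snooping check of a client message against recorded bindings.

Added example, not the switch's implementation. It parses the fixed DHCP
header (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
giaddr, chaddr) and applies the guide's outcomes: consistent entry ->
forward, conflicting entry -> discard as forged, no entry -> forward.
Keying on chaddr and comparing ciaddr, VLAN and port is an assumption.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

_HDR = "!BBBBIHH4s4s4s4s16s"  # 44 bytes, up to and including chaddr
BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass(frozen=True)
class SnoopingEntry:
    mac: str
    ip: str
    vlan: int
    port: str


def parse_dhcp_header(msg: bytes) -> dict:
    """Decode the fixed header; chaddr is trimmed to hlen bytes."""
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = struct.unpack(_HDR, msg[:44])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
        "secs": secs, "broadcast": bool(flags & 0x8000),
        "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
    }


def build_dhcp_request(chaddr: str, ciaddr: str, xid: int = 0x1234) -> bytes:
    """Constructed client message: BOOTREQUEST over Ethernet with a 6-byte MAC."""
    mac = bytes.fromhex(chaddr.replace(":", "").replace("-", ""))
    zero = b"\0" * 4
    return struct.pack(_HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0,
                       IPv4Address(ciaddr).packed, zero, zero, zero,
                       mac.ljust(16, b"\0"))


class SnoopingTable:
    """DHCP snooping entries indexed by client MAC address."""

    def __init__(self, entries=()):
        self._by_mac = {e.mac.lower(): e for e in entries}

    def check(self, msg: bytes, vlan: int, port: str) -> str:
        """Decide 'forward' or 'discard' for a message seen on an untrusted port."""
        hdr = parse_dhcp_header(msg)
        if hdr["op"] != BOOTREQUEST:
            return "discard"   # a server reply from a client-facing port
        entry = self._by_mac.get(hdr["chaddr"])
        if entry is None:
            return "forward"   # no matching entry: treated as valid
        # ciaddr is 0.0.0.0 in DISCOVER, so only a non-zero ciaddr is compared.
        ip_ok = hdr["ciaddr"] in ("0.0.0.0", entry.ip)
        if ip_ok and vlan == entry.vlan and port == entry.port:
            return "forward"   # consistent with the recorded binding
        return "discard"       # conflicts with the binding: forged
```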
Task: Display Option 82 configuration information on the DHCP snooping device.
  Command: display dhcp snooping information { all | interface interface-type interface-number }
  Remarks: Available in any view.
Task: Display DHCP packet statistics on the DHCP snooping device.
  Command: display dhcp snooping packet statistics
  Remarks: Available in any view.
[SwitchB-Ten-GigabitEthernet1/1/5] dhcp snooping trust
[SwitchB-Ten-GigabitEthernet1/1/5] quit
# Enable DHCP snooping to record clients' IP-MAC bindings on Ten-GigabitEthernet 1/1/6.
[SwitchB] interface Ten-GigabitEthernet 1/1/6
[SwitchB-Ten-GigabitEthernet1/1/6] dhcp snooping binding record
[SwitchB-Ten-GigabitEthernet1/1/6] quit

Verifying the configuration

After the preceding configuration is complete, the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server.
[SwitchB-Ten-GigabitEthernet1/1/6] dhcp snooping information strategy replace
[SwitchB-Ten-GigabitEthernet1/1/6] dhcp snooping information circuit-id string company001
[SwitchB-Ten-GigabitEthernet1/1/6] dhcp snooping information remote-id string device001
[SwitchB-Ten-GigabitEthernet1/1/6] quit
# Configure Option 82 on Ten-GigabitEthernet 1/1/7.
[SwitchB] interface Ten-GigabitEthernet 1/1/7
[SwitchB-Ten-GigabitEthernet1/1/7] dhcp snooping information enable
[SwitchB-Ten-GigabitEthernet1/1/7] dhcp snooping information strategy replace
[SwitchB-Ten-GigabitEthernet1/1/7] dhcp snooping information circuit-id verbose node-identifier sysname format ascii
[SwitchB-Ten-GigabitEthernet1/1/7] dhcp snooping information remote-id string device001
...
Configuring the BOOTP client

BOOTP client configuration applies to VLAN interfaces and management Ethernet interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.

BOOTP application

An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.
Configuring an interface to use BOOTP for IP address acquisition

Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Configure an interface to use BOOTP for IP address acquisition.
  Command: ip address bootp-alloc
  Remarks: By default, an interface does not use BOOTP for IP address acquisition.
Configuring DNS

Overview

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. The domain name-to-IP address mapping is called a DNS entry.
Figure 30 shows the relationship between the user program, DNS client, and DNS server. The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest DNS entries in the dynamic domain name cache.
Figure 31 DNS proxy application

A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request.
Figure 32 DNS spoofing application

DNS spoofing enables the DNS proxy to send a spoofed reply with a configured IP address even if it cannot reach the DNS server. Without DNS spoofing, the proxy does not answer or forward a DNS request if it cannot find a matching DNS entry and it cannot reach the DNS server.
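The proxy behaviour from the two sections above (static table, then dynamic cache, then the DNS server, and a spoofed reply only when the server is unreachable and spoofing is configured), as an added Python model rather than the switch's DNS proxy code. The upstream callable, the ServerUnreachable exception, the injectable clock and the cache TTL are this example's assumptions.

```python
"""DNS proxy resolution order with optional DNS spoofing.

Added example, not the switch's DNS proxy code. 'upstream' is a callable
standing in for the real DNS server: it returns an IP string or raises
ServerUnreachable when no reply arrives. The cache TTL and the injectable
clock are assumptions; the order (static table, dynamic cache, DNS server,
then a spoofed reply only when the server is unreachable and a spoof
address is configured) follows the guide.
"""
import time
from typing import Callable, Dict, Optional, Tuple


class ServerUnreachable(Exception):
    """Raised by the upstream stand-in when the DNS server does not answer."""


class DnsProxy:
    def __init__(self, upstream: Callable[[str], str], spoof_ip: Optional[str] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.static: Dict[str, str] = {}               # static resolution table
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (ip, expiry time)
        self.upstream = upstream
        self.spoof_ip = spoof_ip    # None means DNS spoofing is disabled
        self.clock = clock

    @staticmethod
    def _key(name: str) -> str:
        return name.lower().rstrip(".")

    def add_static(self, name: str, ip: str) -> None:
        self.static[self._key(name)] = ip

    def resolve(self, name: str, ttl: float = 300.0) -> Tuple[Optional[str], str]:
        """Return (ip, source). ip is None when the proxy sends no reply at all."""
        key = self._key(name)
        if key in self.static:
            return self.static[key], "static"
        hit = self.cache.get(key)
        if hit is not None and hit[1] > self.clock():
            return hit[0], "cache"
        try:
            ip = self.upstream(key)
        except ServerUnreachable:
            if self.spoof_ip is not None:
                return self.spoof_ip, "spoofed"   # DNS spoofing configured
            return None, "no-reply"              # no answer and no forward
        self.cache[key] = (ip, self.clock() + ttl)
        return ip, "server"
```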
Tasks at a glance
(Optional.) Configuring the DNS trusted interface

Configuring the IPv4 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses. Follow these guidelines when you configure static domain name resolution:
• On the public network or a VPN, each host name maps to only one IPv4 address.
• An IPv4 name query is first sent to the DNS server IPv4 addresses. If no reply is received, it is sent to the DNS server IPv6 addresses.
• You can specify domain name suffixes for the public network and up to 1024 VPNs, and specify a ...
Configuring dynamic domain name resolution To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure DNS servers. A DNS server manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence. A name query is first sent to the DNS server that has the highest priority.
A DNS proxy forwards an IPv4 name query first to IPv4 DNS servers, and if no reply is received, it forwards the request to IPv6 DNS servers. The DNS proxy forwards an IPv6 name query first to IPv6 DNS servers, and if no reply is received, it forwards the request to IPv4 DNS servers. To configure the DNS proxy: Step Command...
DNS servers. In some scenarios, the DNS server only responds to DNS requests sourced from a specific IP address. In such cases, you must specify the source interface for the DNS packets so that the device always uses the primary IP address of the specified source interface as the source IP address of DNS packets.
Task: Display the domain name resolution table. Command: display dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]
Task: Display IPv4 DNS server information. Command: display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]
Task: Display IPv6 DNS server information. Command: display ipv6 dns server [ dynamic ] [ vpn-instance vpn-instance-name ]
Task: Display DNS suffixes.
Dynamic domain name resolution configuration example Network requirements As shown in Figure 34, the device wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution.
Figure 35 Creating a zone On the DNS server configuration page, right-click zone com, and select New Host. Figure 36 Adding a host On the page that appears, enter host name host and IP address 3.1.1.1. Click Add Host. The mapping between the IP address and host name is created.
Figure 37 Adding a mapping between domain name and IP address
Configure the DNS client:
# Specify the DNS server 2.1.1.2.
<Sysname> system-view
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 3.1.1.1.
As shown in Figure
• Specify Device A as the DNS server of Device B (the DNS client). Device A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.
• Configure the IP address of the DNS proxy on Device B. DNS requests of Device B are forwarded ...
56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms
--- Ping statistics for host.com ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms
IPv6 DNS configuration examples
Static domain name resolution configuration example
Network requirements...
Dynamic domain name resolution configuration example Network requirements As shown in Figure 40, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. The IPv6 address of the DNS server is 2::2/64, and the server has a com domain, which stores the mapping between domain name host and IPv6 address 1::1/64.
Figure 41 Creating a zone On the DNS server configuration page, right-click zone com, and select Other New Records. Figure 42 Creating a record On the page that appears, select IPv6 Host (AAAA) as the resource record type.
Figure 43 Selecting the resource record type Type host name host and IPv6 address 1::1. Click OK. The mapping between the IPv6 address and host name is created.
Figure 44 Adding a mapping between domain name and IPv6 address
Configure the DNS client:
# Specify the DNS server 2::2.
<Device> system-view
[Device] ipv6 dns server 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
Verifying the configuration
# Use the ping ipv6 host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 1::1.
DNS proxy configuration example Network requirements When the IPv6 address of the DNS server changes, you must configure the new IPv6 address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.
Verifying the configuration
# Use the ping host.com command on Device B to verify that the connection between the device and the host is normal and that the translated destination IP address is 3000::1.
[DeviceB] ping host.com
Ping6(56 data bytes) 2000::1 --> 3000::1, press CTRL_C to break
56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms
56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms
56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms...
Configuring DDNS Overview DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers to direct you to the latest IP address mapping to a domain name.
NOTE: The DDNS update process does not have a unified standard but depends on the DDNS server that the DDNS client contacts. DDNS client configuration task list Tasks at a glance (Required.) Configuring a DDNS policy (Required.) Applying the DDNS policy to an interface Configuring a DDNS policy A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, associated SSL client policy, and update time interval.
HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols. The URL address for an update request can start with:
• http://—The HTTP-based DDNS server.
• ...
Step: (Optional.) Specify the parameter transmission method for sending DDNS update requests to an HTTP/HTTPS-based DDNS server. Command: method { http-get | http-post }. Remarks: By default, http-get is used. Use the method http-post command to specify the POST method for DDNS update with a DHS server.
Displaying DDNS
Execute display commands in any view.
Task: Display information about the DDNS policy. Command: display ddns policy [ policy-name ]
DDNS configuration examples
DDNS configuration example with www.3322.org
Network requirements
As shown in Figure 47, Switch is a Web server with the domain name whatever.3322.org. Switch acquires the IP address through DHCP.
[Switch-ddns-policy-3322.org] password simple nevets
# Set the interval for sending DDNS update requests to 15 minutes.
[Switch-ddns-policy-3322.org] interval 0 0 15
[Switch-ddns-policy-3322.org] quit
# Specify the IP address of the DNS server as 1.1.1.1.
[Switch] dns server 1.1.1.1
# Apply DDNS policy 3322.org to VLAN-interface 2 to enable DDNS update and dynamically update the mapping between domain name whatever.3322.org and the primary IP address of VLAN-interface
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ddns apply policy 3322.org fqdn whatever.3322.org...
# Specify for DDNS update requests the URL address with the login ID steven and plaintext password nevets.
[Switch-ddns-policy-oray.cn] url oray://phservice2.oray.net
[Switch-ddns-policy-oray.cn] username steven
[Switch-ddns-policy-oray.cn] password simple nevets
# Set the DDNS update request interval to 12 minutes.
[Switch-ddns-policy-oray.cn] interval 0 0 12
[Switch-ddns-policy-oray.cn] quit
# Specify the IP address of the DNS server as 1.1.1.1.
Basic IP forwarding on the device Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and then uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table.
Optimizing IP performance A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation. Enabling an interface to receive and forward directed broadcasts destined for the directly connected network A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
Figure 49 Network diagram
Configuration procedure
# Specify an IP address for VLAN-interface 3.
<Switch> system-view
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 1.1.1.2 24
[Switch-Vlan-interface3] quit
# Specify an IP address for VLAN-interface 2, and enable VLAN-interface 2 to forward directed broadcasts destined for the directly connected network.
is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, it fragments the segment according to the receiver's MSS. If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.
• When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an age timer for the path MTU.
• After the age timer expires, the source device uses a larger MSS in the MTU table as described in ...
Configuring TCP timers
You can configure the following TCP timers:
• SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response packet is received within the SYN wait timer interval, TCP fails to establish the connection.
• FIN wait timer—TCP starts the FIN wait timer when the state changes to FIN_WAIT_2.
If a packet does not match any route and there is no default route in the routing table, the device sends a Network Unreachable ICMP error packet to the source. If a packet is destined for the device but the transport layer protocol of the packet is not supported by the device, the device sends a Protocol Unreachable ICMP error packet to the source.
Displaying and maintaining IP performance optimization
Execute display commands in any view and reset commands in user view.
Task: Display brief information about RawIP connections. Command: display rawip [ slot slot-number ]
Task: Display detailed information about RawIP connections. Command: display rawip verbose [ slot slot-number [ pcb ...
Configuring UDP helper Overview UDP helper enables a device to convert received UDP broadcast packets into unicast packets and forward them to a specific server. UDP helper is suitable for the scenario where hosts cannot obtain configuration information or device names by broadcasting packets because the target server or host resides on another broadcast domain.
Step: Specify a destination server. Command: udp-helper server ip-address. Remarks: By default, no destination server is specified.
Displaying and maintaining UDP helper
Execute display command in any view and reset command in user view.
Task: Display information about packets forwarded by UDP helper. Command: display udp-helper interface interface-type interface-number
[SwitchA-Vlan-interface1] ip address 10.110.1.1 16
[SwitchA-Vlan-interface1] udp-helper server 10.2.1.1
# Enable the interface to receive directed broadcasts destined for the directly connected network.
[SwitchA-Vlan-interface1] ip forward-broadcast
Verifying the configuration
# Display information about packets forwarded by UDP helper on VLAN-interface 1.
[SwitchA-Vlan-interface1] display udp-helper interface vlan-interface 1
Interface Server address...
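The UDP helper described above turns a UDP broadcast into a unicast to the configured server. What that rewrite has to touch is worth seeing in bytes, because the UDP checksum covers an IPv4 pseudo-header that includes the destination address, so changing the destination without recomputing both checksums produces a packet the server drops. The following Python model is an added example, not code from the HP guide or the switch; the packet, the interface address 10.110.1.1/16 and the server 10.2.1.1 are taken from the configuration example, and the ports and payload are constructed. It forwards only the limited broadcast and the receiving interface's own directed broadcast, and leaves a unicast or another subnet's broadcast alone.

```python
import ipaddress
import struct

UDP_PROTO = 17


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp_segment: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP_PROTO, len(udp_segment))
    csum = ones_complement_checksum(pseudo + udp_segment)
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def build_udp_packet(src_ip, dst_ip, sport, dport, payload, ttl=64) -> bytes:
    """Constructed IPv4/UDP packet with valid checksums (sample input for the model)."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, UDP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + udp


def checksums_valid(packet: bytes) -> bool:
    """A receiver's check: both checksums verify to zero over the data they cover."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    return (ones_complement_checksum(packet[:ihl]) == 0
            and ones_complement_checksum(pseudo + udp) == 0)


def udp_helper_forward(packet: bytes, iface_addr: str, server_ip: str):
    """Model of the UDP helper: rewrite a UDP broadcast received on the interface
    whose address is iface_addr (e.g. '10.110.1.1/16') into a unicast to server_ip.
    Returns the rewritten packet, or None when the packet is not a UDP broadcast."""
    if packet[0] >> 4 != 4 or packet[9] != UDP_PROTO:
        return None
    ihl = (packet[0] & 0x0F) * 4
    net = ipaddress.IPv4Interface(iface_addr).network
    dst = ipaddress.IPv4Address(packet[16:20])
    # Only the limited broadcast and the directed broadcast of the receiving
    # interface's own network qualify; unicast and other subnets' broadcasts do not.
    if dst != ipaddress.IPv4Address("255.255.255.255") and dst != net.broadcast_address:
        return None
    new_dst = ipaddress.IPv4Address(server_ip).packed
    ip = bytearray(packet[:ihl])
    ip[16:20] = new_dst
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_checksum(bytes(ip)))
    udp = bytearray(packet[ihl:])
    # The UDP checksum covers the pseudo-header, so the new destination forces a
    # recompute. A zero checksum means "no checksum" and is left as it is.
    if udp[6:8] != b"\x00\x00":
        udp[6:8] = b"\x00\x00"
        udp[6:8] = struct.pack("!H", udp_checksum(bytes(ip[12:16]), new_dst, bytes(udp)))
    return bytes(ip) + bytes(udp)


if __name__ == "__main__":
    # Constructed broadcast from a host on the 10.110.0.0/16 segment of the example.
    pkt = build_udp_packet("10.110.1.5", "255.255.255.255", 40000, 10000, b"constructed broadcast payload")
    fwd = udp_helper_forward(pkt, "10.110.1.1/16", "10.2.1.1")
    print(ipaddress.IPv4Address(fwd[16:20]), checksums_valid(fwd))
```

The source address is left untouched, as the guide describes only a change of destination, which is also why the server can reply to the original host directly.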
Configuring basic IPv6 settings Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring the DHCPv6 server."
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and ...
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address. An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address comprise the address prefix.
IPv6 ND protocol
The IPv6 Neighbor Discovery (ND) protocol uses the following ICMPv6 messages:
Table 8 ICMPv6 messages used by ND
ICMPv6 message: Neighbor Solicitation (NS). Function: Acquires the link-layer address of a neighbor. Verifies whether a neighbor is reachable. Detects duplicate addresses.
Neighbor reachability detection After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages to test reachability of Host B as follows: Host A sends an NS message whose destination address is the IPv6 address of Host B. If Host A receives an NA message from Host B, Host A decides that Host B is reachable.
Figure 55 Path MTU discovery process The source host sends a packet no larger than its MTU to the destination host. If the MTU of a device's output interface is smaller than the packet, the device discards the packet and returns an ICMPv6 error packet containing the interface MTU to the source host. After receiving the ICMPv6 error packet, the source host uses the returned MTU to limit the packet size, performs fragmentation, and sends the packets to the destination host.
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
• RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• ...
Configuring an IPv6 global unicast address
Use one of the following methods to configure an IPv6 global unicast address for an interface:
• EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface identifier is generated automatically by the interface.
• Manual configuration—The IPv6 global unicast address is manually configured.
one. If you delete the manually assigned address, the automatically generated link-local address becomes effective.
Configuring automatic generation of an IPv6 link-local address for an interface
Step: Enter system view. Command: system-view
Step: Enter interface view. Command: interface interface-type interface-number
Remarks: By default, no link-local address is configured on an interface.
Configuring IPv6 ND This section describes how to configure IPv6 ND. Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry by the IPv6 address and the local Layer 3 interface number of the neighbor.
Setting the aging timer for ND entries in stale state ND entries in stale state have an aging timer. If an ND entry in stale state is not refreshed before the timer expires, the ND entry changes to the delay state. If it is still not refreshed in 5 seconds, the ND entry changes to the probe state, and the device sends an NS message three times.
Configuring parameters for RA messages You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 9 describes the configurable parameters in an RA message.
Step: Enter interface view. Command: interface interface-type interface-number
Step: Enable sending of RA messages. Command: undo ipv6 nd ra halt. Remarks: The default setting is disabled.
By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds.
Step: Set the NS retransmission timer. Command: ipv6 nd ns retrans-timer value. Remarks: By default, an interface sends NS messages every 1000 milliseconds, and the value of the Retrans Timer field in RA messages is 0.
Step: Set the router preference in RA messages. Command: ipv6 nd router-preference { high ... Remarks: By default, the router preference is ...
Step: Configure the interface MTU. Command: ipv6 mtu mtu-size. Remarks: By default, no interface MTU is configured. This command does not take effect on an IPv6 multicast packet, for a switch does not check the packet size of an IPv6 multicast packet.
Configuring a static path MTU for a specific IPv6 address
You can configure a static path MTU for an IPv6 address.
Enabling replying to multicast echo requests The device does not respond to multicast echo requests by default. In some scenarios, however, you must enable the device to answer multicast echo requests so the source host can obtain needed information. To enable the device to answer multicast echo requests: Step Command Remarks...
• Upon receiving the first fragment of an IPv6 datagram destined for the device, the device starts a timer. If the timer expires before all the fragments arrive, the device sends an ICMPv6 Fragment Reassembly Timeout message to the source. If the device receives large numbers of malicious packets, its performance degrades greatly because it must send back ICMP Time Exceeded messages.
IPv6 basics configuration example Network requirements As shown in Figure 56, a host, Switch A, and Switch B are connected through Ethernet ports. Add the Ethernet ports into corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify that they are connected. Switch B can reach the host. Enable IPv6 on the host to automatically obtain an IPv6 address through IPv6 ND.
FE80::215:E9FF:FEA6:7D14 0015-e9a6-7d14 XGE1/1/5 STALE D 1238
2001::15B:E0EA:3524:E791 0015-e9a6-7d14 XGE1/1/5 STALE D 1248
The output shows that the IPv6 global unicast address that Host obtained is 2001::15B:E0EA:3524:E791.
Verifying the configuration
# Display the IPv6 interface settings on Switch A. All IPv6 global unicast addresses configured on the interface are displayed.
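The ND table above shows the two ways a host derives an interface identifier: the link-local address FE80::215:E9FF:FEA6:7D14 is the modified EUI-64 form of the MAC address 0015-e9a6-7d14 (the guide's "EUI-64 IPv6 address" method), while the global address 2001::15B:E0EA:3524:E791 carries an identifier with no FF:FE marker and so cannot be matched to the MAC by inspection. The following Python is an added example, not code from the HP guide: it builds an EUI-64 address from a /64 prefix and a MAC in Comware's hhhh-hhhh-hhhh notation, and recovers the MAC from an address when, and only when, the address was formed that way. This is a useful check when correlating ND entries with switch port or DHCP records.

```python
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept Comware's hhhh-hhhh-hhhh form as well as colon- or dash-separated octets."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in the middle, insert FF:FE,
    and invert the universal/local bit (bit 0x02 of the first octet)."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (link-local or global) with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_eui64(addr: str):
    """Recover the MAC (Comware notation) from an EUI-64 interface ID, or None when
    the FF:FE marker is absent, as for a randomly generated identifier."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[11:13] != b"\xff\xfe":
        return None
    octets = bytearray(packed[8:11] + packed[13:16])
    octets[0] ^= 0x02  # undo the universal/local bit flip
    hexstr = octets.hex()
    return "-".join(hexstr[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    # Values from the ND table shown by Switch A.
    print(eui64_address("fe80::/64", "0015-e9a6-7d14"))
    print(mac_from_eui64("FE80::215:E9FF:FEA6:7D14"))
    print(mac_from_eui64("2001::15B:E0EA:3524:E791"))
```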
InAddrErrors:
InDiscards:
OutDiscards:
[SwitchA] display ipv6 interface vlan-interface 1
Vlan-interface1 current state: UP
Line protocol current state: UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF00:1C0
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds...
InDiscards:
OutDiscards:
# Display the IPv6 interface settings on Switch B. All IPv6 global unicast addresses configured on the interface are displayed.
[SwitchB] display ipv6 interface vlan-interface 2
Vlan-interface2 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234
Global unicast address(es):
3001::2, subnet is 3001::/64
Joined group address(es):...
# Ping Switch A and Switch B on the host, and ping Switch A and the host on Switch B to verify that they are connected.
NOTE: When you ping a link-local address, use the -i parameter to specify an interface for the link-local address.
[SwitchB] ping ipv6 -c 1 3001::1
PING6(104=40+8+56 bytes) 3001::2 -->...
DHCPv6 overview DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts. DHCPv6 address/prefix assignment An address/prefix assignment process involves two or four messages. Rapid assignment involving two messages As shown in Figure 57, rapid assignment operates in the following steps: The DHCPv6 client sends a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
Figure 58 Assignment involving four messages Address/prefix lease renewal An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
Stateless DHCPv6 Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device decides whether to perform stateless DHCP according to the managed address configuration flag (M flag) and the other stateful configuration flag (O flag) in the RA message received from the router during stateless address autoconfiguration.
Configuring the DHCPv6 server Overview A DHCPv6 server can assign IPv6 addresses or IPv6 prefixes to DHCPv6 clients. IPv6 address assignment As shown in Figure 62, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients fall into the following types: •...
Figure 63 IPv6 prefix assignment Concepts Multicast addresses used by DHCPv6 DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers, and uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents. DUID A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).
The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the IPv6 prefix, client DUID, IAID, valid lifetime, preferred lifetime, lease expiration time, and IPv6 address of the requesting client. DHCPv6 address pool The DHCP server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCP clients.
client against the subnets of all address pools, and selects the address pool with the longest-matching subnet. To avoid wrong address allocation, keep the subnet used for dynamic assignment consistent with the subnet where the interface of the DHCPv6 server or DHCPv6 relay agent resides. IPv6 address/prefix allocation sequence The DHCPv6 server selects an IPv6 address/prefix for a client in the following sequence: IPv6 address/prefix statically bound to the client's DUID and IAID and expected by the client.
Configuration guidelines
• An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.
• Only one prefix pool can be applied to an address pool. You cannot modify prefix pools that have been applied.
Configuring IPv6 address assignment Use one of the following methods to configure IPv6 address assignment: • Configure a static IPv6 address binding in an address pool: If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.
Step: (Optional.) Specify the IPv6 addresses excluded from dynamic assignment. Command: ipv6 dhcp server forbidden-address start-ipv6-address ... Remarks: By default, all IPv6 addresses except for the DHCPv6 server's IP address in a DHCPv6 address pool are assignable. If the excluded IPv6 address is in ...
Step: Specify an IPv6 subnet for dynamic assignment. Command: network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]. Remarks: By default, no IPv6 subnet is specified.
Step: (Optional.) Specify a DNS server address. Command: dns-server ipv6-address. Remarks: By default, no DNS server address is specified.
Step: (Optional.) Specify a domain name. Command: domain-name domain-name. Remarks: By default, no domain name ...
Step: Enable the DHCPv6 server on the interface. Command: ipv6 dhcp select server. Remarks: By default, the interface discards DHCPv6 packets from DHCPv6 clients.
Use one of the commands:
• Configure global address assignment: ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *
• Configure an ... Remarks: By default, desired...
DHCPv6 server configuration examples
Dynamic IPv6 prefix assignment configuration example
Network requirements
As shown in Figure 65, Switch serves as a DHCPv6 server to assign the IPv6 prefix, DNS server address, domain name, SIP server address, and SIP server name to each DHCPv6 client. Switch assigns prefix...
# Configure the DNS server address 2:2::3.
[Switch-dhcp6-pool-1] dns-server 2:2::3
# Configure the domain name as aaa.com.
[Switch-dhcp6-pool-1] domain-name aaa.com
# Configure the SIP server address as 2:2::4, and the SIP server name as bbb.com.
[Switch-dhcp6-pool-1] sip-server address 2:2::4
[Switch-dhcp6-pool-1] sip-server domain-name bbb.com
[Switch-dhcp6-pool-1] quit
# Enable the DHCPv6 server on VLAN-interface 2, enable desired prefix assignment and rapid prefix assignment, and set the preference to the highest.
In-use: 0
Static: 1
# After the client with the DUID 00030001CA0006A40000 obtains an IPv6 prefix, display the binding information on the DHCPv6 server.
[Switch-Vlan-interface2] display ipv6 dhcp server pd-in-use
Pool: 1
IPv6 prefix Type Lease expiration
2001:410:201::/48 Static(C) Jul 10 19:45:01 2009
# After the other client obtains an IPv6 prefix, display binding information on the DHCPv6 server.
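The static binding above keys on the client's DUID, 00030001CA0006A40000, and the Concepts section explains only that a DUID uniquely identifies a DHCPv6 device. Since an operator has to read these strings to write or audit a static binding, the following Python is an added example (not code from the HP guide) that decodes the three DUID formats defined in RFC 3315: DUID-LLT (type 1, hardware type, time, link-layer address), DUID-EN (type 2, enterprise number, identifier) and DUID-LL (type 3, hardware type, link-layer address). The DUID from the configuration example decodes as DUID-LL with hardware type 1 (Ethernet) and MAC ca00-06a4-0000; the DUID-LLT and DUID-EN inputs in the test are constructed.

```python
import struct

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1  # IANA hardware type for Ethernet


def _comware_mac(raw: bytes) -> str:
    """Render a link-layer address in the switch's hhhh-hhhh-hhhh notation."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_duid(duid_hex: str) -> dict:
    """Decode a DUID from the hex string shown in display output or typed into a binding."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    if dtype == DUID_LLT:
        if len(raw) < 8:
            raise ValueError("DUID-LLT too short")
        hw, t = struct.unpack("!HI", raw[2:8])  # time is seconds since 2000-01-01, mod 2**32
        return {"type": "DUID-LLT", "hardware_type": hw, "time": t,
                "link_layer_address": _comware_mac(raw[8:])}
    if dtype == DUID_EN:
        if len(raw) < 6:
            raise ValueError("DUID-EN too short")
        (enterprise,) = struct.unpack("!I", raw[2:6])
        return {"type": "DUID-EN", "enterprise_number": enterprise,
                "identifier": raw[6:].hex()}
    if dtype == DUID_LL:
        if len(raw) < 4:
            raise ValueError("DUID-LL too short")
        (hw,) = struct.unpack("!H", raw[2:4])
        return {"type": "DUID-LL", "hardware_type": hw,
                "link_layer_address": _comware_mac(raw[4:])}
    raise ValueError(f"unknown DUID type {dtype}")


def is_valid_duid(duid_hex: str) -> bool:
    """True when the string decodes as one of the three known DUID formats."""
    try:
        parse_duid(duid_hex)
        return True
    except ValueError:
        return False


def build_duid_ll(mac: str) -> str:
    """The DUID-LL a client with this Ethernet MAC presents, as the uppercase hex
    string one would type into a static binding."""
    raw = struct.pack("!HH", DUID_LL, HW_ETHERNET) + bytes.fromhex(mac.replace("-", "").replace(":", ""))
    return raw.hex().upper()


if __name__ == "__main__":
    print(parse_duid("00030001CA0006A40000"))  # DUID from the configuration example
    print(build_duid_ll("ca00-06a4-0000"))
```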
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface20
[SwitchA-Vlan-interface20] ipv6 dhcp select server
[SwitchA-Vlan-interface20] quit
# Exclude the DNS server address from dynamic assignment.
[SwitchA] ipv6 dhcp server forbidden-address 1::1:0:0:2
[SwitchA] ipv6 dhcp server forbidden-address 1::2:0:0:2
# Configure the DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients in subnet 1::1:0:0:0/96.
Configuring tunneling Overview Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end.
If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol. If not, Device B forwards it according to the routing table. Tunnel modes IPv6 over IPv4 tunnels include manually configured tunnels and automatic tunnels, depending on how the IPv4 address of the tunnel destination is acquired.
border router of a 6to4 network must have the IPv4 address abcd:efgh configured on the interface connected to the IPv4 network. The subnet number identifies a subnet in the 6to4 network. The subnet number::interface ID uniquely identifies a host in the 6to4 network. 6to4 tunneling uses an IPv4 address to identify a 6to4 network.
Encapsulation: • Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface.
De-encapsulation: • Upon receiving the IPv6 packet from the attached IPv6 network, Device B delivers the packet to the IPv6 protocol stack to examine the protocol type encapsulated in the data portion of the packet. If the protocol type is IPv4, the IPv6 protocol stack delivers the packet to the tunneling module. The tunneling module removes the IPv6 header and delivers the remaining IPv4 packet to the IPv4 protocol stack.
Step: Create a tunnel interface, specify the tunnel mode, and enter tunnel interface view. Command: interface tunnel number mode { gre [ ipv6 ] | ipv4-ipv4 | ipv6 | ipv6-ipv4 [ 6to4 | ... Remarks: By default, no tunnel interface is created. When you create a new tunnel interface, you must specify the tunnel mode. When you enter the view of an existing tunnel interface, ...
• The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.
• The tunnels in the same mode on a device must not use the same tunnel source and destination ...
cannot be automatically obtained from the destination IPv6 addresses of packets, configure an IPv6 over IPv4 manual tunnel. Figure 73 Network diagram Configuration procedure Make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other through IPv4.
[SwitchB-Vlan-interface100] quit
# Specify an IPv6 address for VLAN-interface 101.
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ipv6 address 3003::1 64
[SwitchB-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
[SwitchB] service-loopback group 1 type tunnel
# Add Ten-GigabitEthernet 1/1/5 to service loopback group 1.
as the IPv6 address of the tunnel interface. You can specify the local tunnel interface as the egress interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop of the route. For the detailed configuration, see Layer 3—IP Routing Configuration Guide. •...
Figure 74 Network diagram
Configuration considerations
To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 switches and hosts in the 6to4 networks.
• The IPv4 address of VLAN-interface 100 on Switch A is 2.1.1.1/24, and the prefix is 2002:0201:0101::/48 after it is translated to a 6to4 address.
[SwitchA-Tunnel0] source vlan-interface 100
[SwitchA-Tunnel0] quit
# Configure a static route destined for 2002::/16 through the tunnel interface.
[SwitchA] ipv6 route-static 2002:: 16 tunnel 0
• Configure Switch B:
# Specify an IPv4 address for VLAN-interface 100.
<SwitchB> system-view
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address 5.1.1.1 24
[SwitchB-Vlan-interface100] quit
# Specify a 6to4 address for VLAN-interface 101.
Configuring an ISATAP tunnel
Follow these guidelines when you configure an ISATAP tunnel:
• You do not need to configure a destination address for an ISATAP tunnel, because the destination IPv4 address is embedded in the ISATAP address.
• Because automatic tunnels do not support dynamic routing, configure a static route destined for the ...
Figure 75 Network diagram Configuration procedure Make sure the corresponding VLAN interfaces have been created on the switch. Make sure VLAN-interface 101 on the ISATAP switch and the ISATAP host can reach each other through IPv4. Configure the switch: • # Specify an IPv6 address for VLAN-interface 100.
# Install IPv6.
C:\>ipv6 install
# On a host running Windows XP, the ISATAP interface is usually interface 2. Configure the IPv4 address of the ISATAP router on the interface to complete the configuration on the host. Before doing that, view the ISATAP interface information:
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}...
C:\>ping 2001::5efe:1.1.1.1
Pinging 2001::5efe:1.1.1.1 with 32 bytes of data:
Reply from 2001::5efe:1.1.1.1: time=1ms
Reply from 2001::5efe:1.1.1.1: time=1ms
Reply from 2001::5efe:1.1.1.1: time=1ms
Reply from 2001::5efe:1.1.1.1: time=1ms
Ping statistics for 2001::5efe:1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Configuring an IPv4 over IPv4 tunnel...
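Both automatic tunnel types above embed the IPv4 tunnel endpoint in the IPv6 address, which is why the guide says no destination address is configured for them: a 6to4 address carries the IPv4 address of the 6to4 border router in its prefix (2.1.1.1 becomes 2002:0201:0101::/48 in the 6to4 example), and an ISATAP address carries the IPv4 address of the ISATAP router in its interface ID (2001::5efe:1.1.1.1 in the ping above). The following Python is an added example, not code from the HP guide, covering both derivations and the reverse step a tunnel endpoint performs, picking the IPv4 destination out of the IPv6 destination. The page writes the ISATAP identifier as ::0:5efe:a.b.c.d; the ipv4_is_global flag produces the ::200:5efe:a.b.c.d form that RFC 5214 specifies when the embedded IPv4 address is globally unique. Being able to compute the embedded endpoint is also what lets a filter on the IPv4 side confirm that tunneled traffic is going to an expected router.

```python
import ipaddress

SIXTO4_PREFIX = b"\x20\x02"   # 2002::/16, the 6to4 well-known prefix
ISATAP_MARKER = b"\x5e\xfe"   # the 5EFE in an ISATAP interface identifier


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:abcd:efgh::/48 from IPv4 a.b.c.d (2.1.1.1 -> 2002:0201:0101::/48)."""
    v4 = ipaddress.IPv4Address(ipv4).packed
    addr = ipaddress.IPv6Address(SIXTO4_PREFIX + v4 + bytes(10))
    return ipaddress.IPv6Network(f"{addr}/48")


def isatap_address(prefix: str, ipv4: str, ipv4_is_global: bool = False) -> ipaddress.IPv6Address:
    """prefix::0:5efe:a.b.c.d as in the guide's example; with ipv4_is_global the
    RFC 5214 form prefix::200:5efe:a.b.c.d (universal/local bit set)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses need a 64-bit prefix")
    ug = b"\x02\x00" if ipv4_is_global else b"\x00\x00"
    iid = ug + ISATAP_MARKER + ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def automatic_tunnel_destination(ipv6_dst: str):
    """The IPv4 endpoint an automatic tunnel derives from the IPv6 destination:
    bytes 2-5 of a 6to4 address, the last four bytes of an ISATAP address,
    None for any other address (which would need a manually configured tunnel)."""
    packed = ipaddress.IPv6Address(ipv6_dst).packed
    if packed[:2] == SIXTO4_PREFIX:
        return ipaddress.IPv4Address(packed[2:6])
    if packed[8:10] in (b"\x00\x00", b"\x02\x00") and packed[10:12] == ISATAP_MARKER:
        return ipaddress.IPv4Address(packed[12:16])
    return None


if __name__ == "__main__":
    # Addresses from the 6to4 and ISATAP examples in this guide.
    print(sixto4_prefix("2.1.1.1"), sixto4_prefix("5.1.1.1"))
    print(isatap_address("2001::/64", "1.1.1.1"))
    print(automatic_tunnel_destination("2002:0501:0101::1"))
    print(automatic_tunnel_destination("2001::5efe:1.1.1.1"))
```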
Step: Configure a destination address for the tunnel interface. Command: destination ip-address. Remarks: By default, no destination address is configured for the tunnel interface. The tunnel destination address must be the IP address of the receiving interface on the tunnel peer. It is used as the destination IP address of tunneled packets.
Page 183
# Create an IPv4 over IPv4 tunnel interface tunnel 1.
[SwitchA] interface tunnel 1 mode ipv4-ipv4
# Specify an IPv4 address for the tunnel interface.
[SwitchA-Tunnel1] ip address 10.1.2.1 255.255.255.0
# Specify the IP address of VLAN-interface 101 as the source address for the tunnel interface.
[SwitchA-Tunnel1] source 2.1.1.1
# Specify the IP address of VLAN-interface 101 on Switch B as the destination address for the tunnel interface.
# Ping the IPv4 address of the peer interface VLAN-interface 100 from each switch. The following shows the output on Switch A.
[SwitchA] ping -a 10.1.1.1 10.1.3.1
Ping 10.1.3.1 (10.1.3.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.3.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 10.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms...
Step: Configure the destination address for the tunnel interface.
Command: destination ipv6-address
Remarks: By default, no destination address is configured for the tunnel. The tunnel destination address must be the IPv6 address of the receiving interface on the tunnel peer. It is used as the destination IPv6 address of tunneled packets.
Page 186
# Specify an IPv4 address for the tunnel interface.
[SwitchA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Specify the IP address of VLAN-interface 101 as the source address for the tunnel interface.
[SwitchA-Tunnel1] source 2001::1:1
# Specify the IP address of VLAN-interface 101 on Switch B as the destination address for the tunnel interface.
Ping 30.1.3.1 (30.1.3.1) from 30.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 30.1.3.1: icmp_seq=0 ttl=255 time=3.000 ms
56 bytes from 30.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 30.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 30.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 30.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 30.1.3.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss...
Step: Configure the destination address for the tunnel interface.
Command: destination ipv6-address
Remarks: By default, no destination address is configured for the tunnel. The tunnel destination address must be the IPv6 address of the receiving interface on the tunnel peer. It is used as the destination IPv6 address of tunneled packets.
Page 189
# Assign Ten-GigabitEthernet 1/1/5 to service loopback group 1.
[SwitchA] interface Ten-GigabitEthernet 1/1/5
[SwitchA-Ten-GigabitEthernet1/1/5] port service-loopback group 1
[SwitchA-Ten-GigabitEthernet1/1/5] quit
# Create an IPv6 tunnel interface tunnel 1.
[SwitchA] interface tunnel 1 mode ipv6
# Specify an IPv6 address for the tunnel interface.
[SwitchA-Tunnel1] ipv6 address 3001::1:1 64
# Specify the IP address of VLAN-interface 101 as the source address for the tunnel interface.
Verifying the configuration
# Use the display ipv6 interface command to display the status of the tunnel interfaces on Switch A and Switch B. The output shows that the tunnel interfaces are up. (Details not shown.)
# Ping the IPv6 address of the peer interface from each switch. The following shows the output on Switch A.
[SwitchA] ping ipv6 -a 2002:1::1 2002:3::1
Ping6(56 data bytes) 2002:1::1 -->...
Page 191
Use the display ipv6 routing-table or display ip routing-table command to check whether the tunnel destination is reachable. If the route is not available, configure a route to reach the tunnel destination.
Configuring GRE
Overview
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate multiple network layer protocols into virtual point-to-point tunnels over an IP network. Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end.
GRE encapsulation format
Figure 79 GRE encapsulation format
As shown in...
GRE encapsulation and de-encapsulation
Figure 81 X protocol networks interconnected through a GRE tunnel
The following takes the network shown in Figure 81 as an example to describe how an X protocol packet traverses an IP network through a GRE tunnel:
Encapsulation process
After receiving an X protocol packet from the interface connected to Group 1, Device A submits it to the X protocol for processing.
• You must configure the tunnel source address and destination address at both ends of a tunnel, and the tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
• Local tunnel interfaces using the same encapsulation protocol must not have the same tunnel source and destination addresses.
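The encapsulation and de-encapsulation steps from the overview, together with the mirrored-address guideline just above, as an added Python example that is not part of the HP guide and not the switch's implementation. It prepends an RFC 2784 GRE header (flags, protocol type, optional checksum) and an outer IPv4 header to an X-protocol packet, and the receiving side accepts the packet only if the outer source equals its own configured tunnel destination and the outer destination equals its own tunnel source, which is the practical effect of the guideline. The header layout follows RFC 2784 rather than the guide's Figure 79, which is not reproduced on this page; the endpoints 1.1.1.1 and 2.1.1.1, the payload bytes and all function names are constructed for the example.

```python
"""GRE over IPv4 encapsulation and de-encapsulation (RFC 2784 base header,
IP protocol 47). Added example, not part of the HP configuration guide."""
import ipaddress
import struct
from typing import Tuple

GRE_IP_PROTO = 47
GRE_FLAG_CHECKSUM = 0x8000      # C bit; any other flag/version bit is rejected here
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(payload: bytes, proto_type: int, tunnel_src: str, tunnel_dst: str,
                    checksum: bool = False) -> bytes:
    """Encapsulation: a GRE header (flags, protocol type, optional checksum) is
    prepended to the X-protocol packet, then an outer IPv4 header whose
    addresses are the local tunnel source and destination."""
    flags = GRE_FLAG_CHECKSUM if checksum else 0
    gre = struct.pack("!HH", flags, proto_type)
    if checksum:
        gre += struct.pack("!HH", 0, 0)              # checksum placeholder + Reserved1
        csum = internet_checksum(gre + payload)      # over GRE header and payload
        gre = gre[:4] + struct.pack("!H", csum) + gre[6:]
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTO, len(gre) + len(payload))
    return outer + gre + payload


def gre_decapsulate(packet: bytes, tunnel_src: str, tunnel_dst: str) -> Tuple[int, bytes]:
    """De-encapsulation on the receiving tunnel interface. The outer source must
    equal this end's configured destination and the outer destination this end's
    source (the mirrored-address guideline); anything else is rejected.
    Returns (protocol_type, payload)."""
    if len(packet) < 24:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != GRE_IP_PROTO or ihl < 20 or total_len > len(packet):
        raise ValueError("not a well-formed GRE over IPv4 packet")
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    outer_src, outer_dst = str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))
    if (outer_src, outer_dst) != (tunnel_dst, tunnel_src):
        raise ValueError(f"outer {outer_src}->{outer_dst} does not match tunnel {tunnel_src}<->{tunnel_dst}")
    body = packet[ihl:total_len]
    if len(body) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", body[:4])
    if flags & ~GRE_FLAG_CHECKSUM:
        raise ValueError("unsupported GRE flags or version")
    hdr_len = 4
    if flags & GRE_FLAG_CHECKSUM:
        hdr_len = 8
        if len(body) < 8 or internet_checksum(body) != 0:
            raise ValueError("bad GRE checksum")
    return proto_type, body[hdr_len:]


# Constructed sample: Switch A (tunnel source 1.1.1.1, destination 2.1.1.1)
# sends an X-protocol packet to Switch B, whose tunnel mirrors those addresses.
SAMPLE_PAYLOAD = b"X protocol packet for Group 2 (constructed)"
SAMPLE_PACKET = gre_encapsulate(SAMPLE_PAYLOAD, ETHERTYPE_IPV4, "1.1.1.1", "2.1.1.1", checksum=True)

if __name__ == "__main__":
    print(gre_decapsulate(SAMPLE_PACKET, tunnel_src="2.1.1.1", tunnel_dst="1.1.1.1"))
```

The endpoint check is deliberately strict: a packet whose outer addresses do not match the configured pair is dropped before the GRE header is even parsed, which is the same order of checks a tunnel interface needs so that stray or misrouted GRE traffic cannot reach the inner protocol stack.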
Page 195
Step: Configure a source address or source interface for the tunnel interface.
Command: source { ip-address | interface-type interface-number }
Remarks: By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a tunnel interface, the tunnel interface uses the source address as the source address of the ...
Configuring a GRE over IPv6 tunnel
Follow these guidelines when you configure a GRE over IPv6 tunnel:
• You must configure the tunnel source address and destination address at both ends of a tunnel, and the tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
Step: Configure a source IPv6 address or source interface for the tunnel interface.
Command: source { ipv6-address | ...
Remarks: By default, no source IPv6 address or interface is configured for a tunnel interface. If you configure a source IPv6 address for a tunnel interface, the tunnel interface uses the source IPv6 address as the source IPv6 address of the encapsulated...
Task: Display information about tunnel interfaces.
Command: display interface [ tunnel [ number ] ] [ brief ]
Remarks: For more information about this command, see Layer 3—IP Services Command Reference.
Task: Display IPv6 information about tunnel interface.
Command: display ipv6 interface [ tunnel
Remarks: For more information about this command, see Layer 3—IP Services Command Reference.
Page 199
# Create service loopback group 1, and configure the service type as tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Add port Ten-GigabitEthernet 1/1/5 to service loopback group 1.
[SwitchA] interface Ten-GigabitEthernet 1/1/5
[SwitchA-Ten-GigabitEthernet1/1/5] port service-loopback group 1
[SwitchA-Ten-GigabitEthernet1/1/5] quit
# Create a tunnel interface Tunnel1, and specify the tunnel mode as GRE over IPv4.
Page 200
# Configure the source address of the tunnel interface as the IP address of VLAN-interface 101 on Switch B.
[SwitchB-Tunnel1] source vlan-interface 101
# Configure the destination address of the tunnel interface as the IP address of VLAN-interface 101 on Switch A.
[SwitchB-Tunnel1] destination 1.1.1.1
[SwitchB-Tunnel1] quit
# Configure a static route from Switch B through the tunnel interface to Group 1.
# From Switch B, ping the IP address of VLAN-interface 100 on Switch A.
[SwitchB] ping -a 10.1.3.1 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes
56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=11.000 ms
56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms...
Page 202
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ipv6 address 2002::1:1 64
[SwitchA-Vlan-interface101] quit
# Create service loopback group 1, and configure the service type as tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Add port Ten-GigabitEthernet 1/1/5 to service loopback group 1.
[SwitchA] interface Ten-GigabitEthernet 1/1/5
[SwitchA-Ten-GigabitEthernet1/1/5] port service-loopback group 1
[SwitchA-Ten-GigabitEthernet1/1/5] quit...
Page 203
# Configure an IP address for the tunnel interface.
[SwitchB-Tunnel0] ip address 10.1.2.2 255.255.255.0
# Configure the source address of the tunnel interface as the IPv6 address of VLAN-interface 101 on Switch B.
[SwitchB-Tunnel0] source 2001::2:1
# Configure the destination address of the tunnel interface as the IPv6 address of VLAN-interface 101 on Switch A.
# From Switch B, ping the IP address of VLAN-interface 100 on Switch A.
[SwitchB] ping -a 10.1.3.1 10.1.1.1
Ping 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes, press CTRL_C to break
56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=11.000 ms
56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms...
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
...
• HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention / Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
Square brackets enclose syntax choices (keywords or arguments) that are optional.
Page 207
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Index Numerics DHCPv6 server dynamic IPv6 address assignment, 6to4 DHCPv6 server IPv6 address assignment, tunnel configuration, IP address classes, 6to4 tunnel IP addressing configuration, 16, IPv6/IPv4 tunneling, IP addressing interface IP address, IPv6 addresses, 1 18 address special IP addresses, BOOTP client address acquisition (on stateless DHCPv6, interface),...
Page 209
maintaining, DHCP server BOOTP response format, maintaining snooping, displaying client, max number dynamic entry configuration, maintaining client, message format, broadcast multiport entry configuration, DHCP server response broadcast, operation, UDP helper configuration, 1 15 proxy ARP configuration, buffer snooping configuration, TCP buffer size, 1 10 static configuration, static entry configuration,...
Page 210
common proxy ARP, directed broadcast forward, DDNS, DNS, 76, DDNS (DDNS server), DNS proxy, DDNS (DNS server), DNS spoofing, DDNS client, gratuitous ARP, 10, DDNS policy, GRE, 184, 190, DHCP address pool static binding, GRE over IPv4, DHCP client, 59, GRE over IPv4 tunnel (dynamic routing protocol), DHCP client ID for interface,...
Page 212
TCP SYN cookie, 1 10 message format, TCP timer, 1 1 1 Option #, 25, See also Option # DHCP Option 121, address assignment, Option 150, address pool, Option 184 (reserved), 25, address pool application on interface, Option 3;Option 003, address pool selection, Option 33;Option 033, address pool static binding,...
Page 213
server IP address dynamic assignment, server configuration on interface, server IP address static assignment, server dynamic IPv6 address assignment, server response broadcast, server dynamic IPv6 prefix assignment, server self-defined option configuration, server IPv6 address assignment, server specification on relay agent, server IPv6 prefix assignment, server user class configuration, server network parameters assignment,...
Page 214
IPv6 client static domain name IPv6 DNS client dynamic domain name resolution, 81, resolution, 82, IPv6 configuration, IPv6 dynamic path MTU aging timer, IPv6 proxy configuration, Dynamic Domain Name System. Use DDNS maintaining IPv4 DNS, Dynamic Host Configuration Protocol. See DHCP packet source interface, proxy,...
Page 215
common proxy ARP configuration, encapsulation format, DHCP client configuration, 59, IPv6 tunneling, DHCP server configuration, 29, 31, protocols, DHCP server IP address dynamic standards, assignment, troubleshooting, DHCP server IP address static assignment, tunnel configuration, DHCP server self-defined option configuration, header DHCP server user class configuration, GRE encapsulation, DHCP snooping basic configuration,...
Page 216
ARP dynamic table entry, DHCPv6 server configuration, 147, ARP message format, DHCPv6 server configuration on interface, ARP multiport entry configuration, DHCPv6 server dynamic IPv6 address assignment, ARP operation, DHCPv6 server dynamic IPv6 prefix ARP snooping configuration, assignment, ARP static configuration, DHCPv6 server IPv6 address assignment, ARP static entry configuration, DHCPv6 server IPv6 prefix assignment,...
Page 217
IPv6 ND link-local entry minimization, TCP timer, 1 1 1 IPv6 ND max number dynamic neighbor IP services entries, DHCP address allocation, IPv6 ND neighbor reachability detection, DHCP address pool, IPv6 ND protocol, DHCP address pool application on interface, IPv6 ND protocol address resolution, DHCP client BIMS server information, 37, IPv6 ND redirection, DHCP client DNS server,...
Page 218
DHCP-REQUEST message attack protection, automatic IPv4-compatible tunneling, DHCPv6 configuration, basic settings configuration, 17, 124, DHCPv6 overview, DHCPv6. See DHCPv6 DHCPv6 server configuration, 147, displaying basics, DHCPv6 server dynamic IPv6 address DNS client configuration, assignment, DNS configuration, DHCPv6 server dynamic IPv6 prefix DNS proxy configuration, 82, assignment, DNS spoofing configuration,...
Page 219
ND neighbor reachability detection, UDP helper configuration, 1 15 ND protocol, learning ND protocol address resolution, IPv6 ND max number dynamic neighbor entries, ND redirection, lease ND stale state entry aging timer configuration, DHCP IP address lease extension, ND static neighbor entry configuration, DHCPv6 address/prefix lease renewal, path MTU discovery, DHCPv6 PD,...
Page 220
ARP snooping configuration, IPv4 DNS configuration, ARP static configuration, IPv4 DNS proxy configuration, common proxy ARP configuration, IPv6 DNS client configuration, DHCP format, IPv6 DNS client dynamic domain name resolution, 82, DHCP-REQUEST message attack protection, IPv6 DNS client static domain name DHCPv6 assignment (4 messages), resolution, 81, DHCPv6 rapid assignment (2 messages),...
Page 221
DHCP client DNS server, IP addressing IP unnumbered, DHCP client gateway, IP addressing masking, DHCP client ID configuration for interface, IP addressing subnetting, DHCP client server specification, IP services ARP fast update configuration, DHCP relay agent enable on interface, IPv4 DNS client configuration, DHCP relay agent security functions, IPv4 DNS proxy configuration, DHCP server address pool configuration,...
Page 222
IPv6/IPv4 tunneling, DNS spoofing, IPv6/IPv6 tunnel configuration, gratuitous ARP configuration, IPv6/IPv6 tunneling, IP addressing configuration, 16, ISATAP tunnel configuration, IP forwarding, max number ARP dynamic entry IP performance optimization, configuration, IPv4 DNS configuration, special IP addresses, IPv6 basic settings configuration, 17, 124, TCP buffer size, 1 10...