HP 5920 & 5900 Switch Series Layer 3 - IP Services Configuration Guide
Part number: 5998-2894
Software version: Release2207
Document version: 6W100-20121130...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Configuration procedure
Verifying the configuration
DHCP overview
DHCP address allocation
  Allocation mechanisms
  Dynamic IP address allocation process
  IP address lease extension
DHCP message format...
DHCP relay agent configuration task list
Enabling DHCP
Enabling the DHCP relay agent on an interface
Specifying DHCP servers on a relay agent
Configuring the DHCP relay agent security functions
...
Configuring DNS
Overview
  Static domain name resolution
  Dynamic domain name resolution
  DNS proxy
  DNS spoofing
DNS configuration task list
Configuring the IPv4 DNS client...
Configuring TCP MSS for an interface
Configuring TCP path MTU discovery
Enabling TCP SYN Cookie
Configuring the TCP buffer size
Configuring TCP timers
Enabling sending ICMP error packets
...
GRE over IPv6 configuration example
Troubleshooting GRE
Support and other resources
Contacting HP
  Subscription service
Related information
  Documents
...
Configuring ARP
This chapter describes how to configure the Address Resolution Protocol (ARP).
Overview
ARP resolves IP addresses into MAC addresses on Ethernet networks.
ARP message format
ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages.
If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information:
• Sender IP address and sender MAC address—Host A's IP address and MAC address
• Target IP address—Host B's IP address
• Target MAC address—An all-zero MAC address
All hosts on this subnet can receive the broadcast request, but only the requested host (Host B)
Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry. Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry. Static ARP entries include long, short, and multiport ARP entries.
Step: Configure a static ARP entry.
Command:
• Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
• Configure a short static ARP entry:
Remarks: Use either command. By default, no static ARP entry is configured.
The Layer-2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.
To set the maximum number of dynamic ARP entries that an interface can learn:
Step: Enter system view.
Displaying and maintaining ARP
IMPORTANT: Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to be cleared do not affect current communications.
Execute display commands in any view and reset commands in user view.
Task / Command:
display arp [ [ all | dynamic | multiport | static ] [ slot...
Configure a multiport ARP entry to send IP packets with destination IP address 192.168.1.1 to the three servers.
Figure 4 Network diagram: the Switch connects to three servers through XGE1/0/1, XGE1/0/2, and XGE1/0/3; the server group uses IP address 192.168.1.1/24 and MAC address 00e0-fc01-0000.
Configuration procedure
# Create VLAN 10.
<Switch>...
# Display ARP information.
[Switch] display arp
Type: S-Static D-Dynamic M-Multiport I-Invalid
IP Address      MAC Address     VLAN   Interface   Aging   Type
192.168.1.1     00e0-fc01-0000...
Configuring gratuitous ARP
Overview
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device.
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.
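The ARP message format (Figure 1), the request payload described above, gratuitous ARP, and the rule that a static entry cannot be overwritten can all be exercised in code. This is an added example, not from this guide: it builds and parses Ethernet/IPv4 ARP payloads, flags gratuitous packets, and applies a simplified learning model in which static entries win over any received mapping. The function names, the tables, and the sample addresses (based on Figure 4's server group) are my own constructions.

```python
import struct
from ipaddress import IPv4Address

# Figure 1 layout for Ethernet/IPv4 ARP: hardware type, protocol type, hardware and
# protocol address lengths, operation, sender MAC/IP, target MAC/IP (28 bytes).
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "0000-0000-0000"          # target MAC carried in an ARP request


def mac_to_bytes(mac):
    """Accept the 'xxxx-xxxx-xxxx' notation used in this guide (or the colon form)."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return raw


def bytes_to_mac(raw):
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build the 28-byte ARP payload (the Ethernet header is not included)."""
    return ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                        mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
                        mac_to_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(payload):
    """Parse an ARP payload and flag gratuitous packets (sender IP == target IP)."""
    if len(payload) < ARP_HDR.size:
        raise ValueError("ARP payload shorter than %d bytes" % ARP_HDR.size)
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP_HDR.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError("unknown ARP operation %d" % op)
    info = {
        "op": "request" if op == OP_REQUEST else "reply",
        "sender_mac": bytes_to_mac(smac), "sender_ip": str(IPv4Address(sip)),
        "target_mac": bytes_to_mac(tmac), "target_ip": str(IPv4Address(tip)),
    }
    info["gratuitous"] = info["sender_ip"] == info["target_ip"]
    return info


def update_arp_table(payload, static_entries, dynamic_entries):
    """Simplified learning model (my own, not the switch's exact algorithm): a static
    entry is never overwritten by the mapping in a received packet; dynamic entries are
    learned or updated. Both tables map IP address -> MAC. Returns (parsed, action)."""
    info = parse_arp(payload)
    ip, mac = info["sender_ip"], info["sender_mac"]
    if ip in static_entries:
        action = "static-kept" if static_entries[ip] == mac else "static-conflict-ignored"
    elif dynamic_entries.get(ip) == mac:
        action = "dynamic-refreshed"
    else:
        action = "dynamic-updated" if ip in dynamic_entries else "dynamic-learned"
        dynamic_entries[ip] = mac
    return info, action


if __name__ == "__main__":
    # Constructed sample: the server group of Figure 4 is protected by a static entry.
    static = {"192.168.1.1": "00e0-fc01-0000"}
    dynamic = {}
    request = build_arp(OP_REQUEST, "00e0-fc00-0001", "192.168.1.10", ZERO_MAC, "192.168.1.1")
    print(update_arp_table(request, static, dynamic))
    # A reply claiming 192.168.1.1 with another MAC cannot displace the static entry.
    conflict = build_arp(OP_REPLY, "00e0-fc99-9999", "192.168.1.1", "00e0-fc00-0001", "192.168.1.10")
    print(update_arp_table(conflict, static, dynamic))
```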
Configuring proxy ARP
Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain. Proxy ARP includes common proxy ARP and local proxy ARP.
Common proxy ARP configuration example
Network requirements
As shown in Figure 5, Host A and Host D have the same IP prefix and mask, but they are located on different subnets separated by the switch (Host A belongs to VLAN 1, and Host D belongs to VLAN 2). No default gateway is configured on Host A and Host D.
Configuring ARP snooping
ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. If you enable ARP snooping on a VLAN, ARP packets received by any interface in the VLAN are redirected to the CPU.
Configuring IP addressing
The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified. This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.
Address range: 192.0.0.0 to 223.255.255.255
Address range: 224.0.0.0 to 239.255.255.255. Remarks: Multicast addresses.
Address range: 240.0.0.0 to 255.255.255.255. Remarks: Reserved for future use, except for the broadcast address 255.255.255.255.
Special IP addresses
The following IP addresses are for special use and cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network.
Assigning an IP address to an interface
An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP or DHCP. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous address.
Configuration prerequisites
Assign an IP address to the interface from which you want to borrow the IP address. Alternatively, you can configure the interface to obtain one through BOOTP or DHCP.
Configuration procedure
To configure IP unnumbered on an interface:
Step Command Remarks...
Figure 8 Network diagram: VLAN-interface 1 on the Switch carries primary address 172.16.1.1/24 and secondary address 172.16.2.1/24 (sub); Host A and Host B sit on subnets 172.16.1.0/24 (host 172.16.1.2/24) and 172.16.2.0/24 (host 172.16.2.2/24).
Configuration procedure
# Assign a primary IP address and a secondary IP address to VLAN-interface 1.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the PCs attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to subnet 172.16.2.0/24.
56 bytes from 172.16.2.2: icmp_seq=1 ttl=255 time=7.000 ms
56 bytes from 172.16.2.2: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 172.16.2.2: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 172.16.2.2: icmp_seq=4 ttl=255 time=1.000 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.000/2.600/7.000/2.245 ms
The output shows that the switch can communicate with the hosts on subnet 172.16.2.0/24.
DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 9 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
Dynamic IP address allocation process
Figure 10 Dynamic IP address allocation process
The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
DHCP message format
Figure 11 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.
Figure 11 DHCP message format
• op—Message type defined in options field. 1 = REQUEST, 2 = REPLY
•...
DHCP options
DHCP uses the same message format as BOOTP, but DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information to clients.
Figure 12 DHCP option format
Common DHCP options
The following are common DHCP options:
• Option 3—Router option.
• ACS parameters, including the ACS URL, username, and password.
• PXE server address, which is used to obtain the boot file or other control information from the PXE server.
Format of Option 43:
Figure 13 Option 43 format
Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 13.
• Sub-option type—The field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).
The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients. Option 82 can contain up to 255 sub-options and must have at least one sub-option. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).
Configuring the DHCP server
Overview
The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users...
If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or it is not configured, the address allocation fails.
NOTE: All address ranges must belong to the primary subnet.
• IP address that was ever assigned to the client.
• IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client. Option 50 is the Requested IP Address option. The client uses this option to specify the wanted IP address in a DHCP-DISCOVER message.
Creating a DHCP address pool
Step: Enter system view. Command: system-view
Step: Create a DHCP address pool and enter its view. Command: dhcp server ip-pool pool-name. Remarks: By default, no DHCP address pool is created.
Specifying IP address ranges for a DHCP address pool
You can configure both static and dynamic address allocation mechanisms in a DHCP address pool.
Step: Enter address pool view. Command: dhcp server ip-pool pool-name
Step: Specify the primary subnet for the address pool. Command: network network-address [ mask-length | mask mask ]. Remarks: By default, no primary subnet is specified.
Step: (Optional.) Specify the common address range. Command: address range start-address. Remarks: By default, no IP address range
• You can specify a maximum of 32 secondary subnets in each address pool.
• IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools.
• IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.
• The IP address of a static binding cannot be the address of the DHCP server interface. Otherwise, an IP address conflict occurs and the bound client cannot obtain an IP address correctly.
• To configure a static binding for a DHCP client whose interfaces use the same MAC address, you...
Configuring a domain name suffix for the client
You can specify a domain name suffix in a DHCP address pool on the DHCP server. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution.
Step: Enter system view. Command: system-view
Step: Enter DHCP address pool view. Command: dhcp server ip-pool pool-name
Step: Specify WINS servers. Command: nbns-list ip-address&<1-8>. Remarks: This step is optional for b-node. By default, no WINS server is specified.
Step: Specify the NetBIOS node type. Command: netbios-type { b-node | h-node | ... Remarks: By default, no NetBIOS node type is
Step: Specify the IP address or the name of a TFTP server.
Command:
• Specify the IP address of the TFTP server: tftp-server ip-address ip-address
• Specify the name of the TFTP server:
Remarks: Use either command. By default, no TFTP server is specified.
Step: (Optional.) Configure the voice VLAN. Command: voice-config voice-vlan vlan-id { disable | enable }. Remarks: By default, no voice VLAN is configured.
Step: (Optional.) Specify the failover IP address and dialer string. Command: voice-config fail-over ip-address. Remarks: By default, no failover IP address or dialer string is
Option name / Corresponding command / Recommended command parameters
TFTP server name / tftp-server / ascii
Boot file name / bootfile-name / ascii
Vendor Specific Information /
Enabling DHCP
You must enable DHCP to validate other DHCP configurations.
To enable DHCP:
Step: Enter system view. Command: system-view
Step: Enable DHCP.
Step: Apply an address pool on the interface. Command: dhcp server apply ip-pool pool-name. Remarks: By default, no address pool is applied on an interface. If the applied address pool does not exist, the DHCP server fails to perform address allocation.
Configuring IP address conflict detection
Before assigning an IP address, the DHCP server pings that IP address.
Configuring DHCP server compatibility
Perform this task to enable the DHCP server to support DHCP clients that are not RFC compliant.
Configuring the DHCP server to broadcast all responses
Typically, the DHCP server broadcasts a response only when the broadcast flag in the DHCP request is set to 1.
Step: Enable the DHCP server to send BOOTP responses in RFC 1048 format. Command: dhcp server bootp reply-rfc-1048. Remarks: By default, sending BOOTP responses in RFC 1048 format by the DHCP server is disabled. This configuration takes effect only on the BOOTP clients that request a statically bound address.
Static IP address assignment configuration example
Network requirements
As shown in Figure 16, Switch B (DHCP client) and Switch C (BOOTP client) obtain the static IP address, DNS server address, and gateway address from Switch A (DHCP server).
The client ID of VLAN-interface 2 on Switch B is: 0030-3030-662e-6532-3439-2e38-3035-302d-566c-616e-2d69-6e74-6572-6661-6365-32.
[SwitchA-dhcp-pool-0] gateway-list 10.1.1.126
[SwitchA-dhcp-pool-0] quit
Verifying the configuration
After the preceding configuration is complete, Switch B can obtain IP address 10.1.1.5 and other network parameters, and Switch C can obtain IP address 10.1.1.6 and other network parameters from Switch A. You can use the display dhcp server ip-in-use command on the DHCP server to view the IP addresses assigned to the clients.
[SwitchA-Vlan-interface20] quit
# Exclude IP addresses (addresses of the DNS server, WINS server and gateways).
[SwitchA] dhcp server forbidden-ip 10.1.1.2
[SwitchA] dhcp server forbidden-ip 10.1.1.4
[SwitchA] dhcp server forbidden-ip 10.1.1.126
[SwitchA] dhcp server forbidden-ip 10.1.1.254
# Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients in subnet 10.1.1.0/25.
Figure 18 Network diagram
Configuration procedure
Specify IP addresses for interfaces on the DHCP server and DHCP relay agent. (Details not shown.)
Configure DHCP services:
# Enable DHCP and configure the DHCP server to handle Option 82.
<SwitchB> system-view
[SwitchB] dhcp enable
[SwitchB] dhcp server relay information enable
# Enable DHCP server on VLAN-interface10.
Self-defined option configuration example
Network requirements
As shown in Figure 19, the DHCP client (Switch B) obtains an IP address and PXE server addresses from the DHCP server (Switch A). The IP address belongs to subnet 10.1.1.0/24. The PXE server addresses are 1.2.3.4 and 2.2.2.2.
Analysis
Another host on the subnet might have the same IP address.
Solution
Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address. If a ping response is received, the IP address has been manually configured on a host.
Configuring the DHCP relay agent
Overview
The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, centralizing management and reducing investment. Figure 20 shows a typical application of the DHCP relay agent.
Figure 21 DHCP relay agent operation
DHCP relay agent support for Option 82
Option 82 records the location information about the DHCP client. It enables the administrator to locate the DHCP client for security and accounting purposes, and to assign IP addresses in a specific range to clients.
Tasks at a glance
(Optional.) Configuring the DHCP relay agent to release an IP address
(Optional.) Configuring Option 82
Enabling DHCP
You must enable DHCP to validate other DHCP relay agent settings.
To enable DHCP:
Step: Enter system view. Command: system-view
Step: Enable DHCP.
Step: Enter interface view. Command: interface interface-type interface-number
Step: Specify a DHCP server address on the relay agent. Command: dhcp relay server-address ip-address. Remarks: By default, no DHCP server address is specified on the relay agent.
Configuring the DHCP relay agent security functions
Enabling the DHCP relay agent to record relay entries
Perform this task to enable the DHCP relay agent to automatically record clients' IP-to-MAC bindings...
Step: Configure the refresh interval. Command: dhcp relay client-information refresh [ auto | interval interval ]. Remarks: By default, the refresh interval is auto, which is calculated based on the number of total relay entries.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server.
Step: Enter system view. Command: system-view
Step: Configure the DHCP relay agent to release an IP address. Command: dhcp relay release ip client-ip [ vpn-instance vpn-instance-name ]. Remarks: This command can release only the IP addresses in the recorded relay entries.
Configuring Option 82
Follow these guidelines when you configure Option 82:
• To support Option 82, you must perform related configuration on both the DHCP server and relay...
[SwitchA-Vlan-interface10] dhcp select relay
# Specify the IP address of the DHCP server on the relay agent.
[SwitchA-Vlan-interface10] dhcp relay server-address 10.1.1.1
After the preceding configuration is complete, DHCP clients can obtain IP addresses and other network parameters from the DHCP server through the DHCP relay agent. You can use the display dhcp relay statistics command to view the statistics of DHCP packets forwarded by the DHCP relay agent.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information. Check that:
• DHCP is enabled on the DHCP server and relay agent.
• The DHCP server has an address pool on the same subnet as the DHCP clients.
• ...
Configuring the DHCP client
With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported only on VLAN interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
The DHCP client detects IP address conflicts through ARP packets. An attacker can act as the IP address owner and send an ARP reply, making the client unable to use the IP address assigned by the server. HP recommends that you disable duplicate address detection when ARP attacks exist on the network.
is 20.1.1.0. The value of the next hop address field is 0A 01 01 02. It is a hexadecimal number indicating that the next hop is 10.1.1.2.
Figure 23 Option 121 format
Figure 24 Network diagram
Configuration procedure
Configure Switch A:
# Specify the IP address of VLAN-interface 2.
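The Option 121 encoding above (a prefix length, only the significant octets of the destination, then the four-octet next hop) is worth seeing decoded and re-encoded. This is an added example, not from this guide; it follows the RFC 3442 classless static route encoding that Option 121 carries, reproduces the page's 20.1.1.0 / 0A 01 01 02 case, and also handles a default route and malformed values. The function names and the default-route sample are my own.

```python
from ipaddress import IPv4Address, IPv4Network


def decode_option121(value):
    """Decode the classless static routes in a DHCP Option 121 value.

    Each route is: 1 byte prefix length, ceil(prefix/8) destination octets, 4 next-hop octets.
    Returns a list of (destination CIDR, next hop) strings; raises ValueError on bad data.
    """
    routes, i = [], 0
    while i < len(value):
        prefix_len = value[i]
        if prefix_len > 32:
            raise ValueError("invalid prefix length %d at offset %d" % (prefix_len, i))
        n = (prefix_len + 7) // 8            # only the significant destination octets are sent
        dest = value[i + 1:i + 1 + n]
        router = value[i + 1 + n:i + 5 + n]
        if len(dest) != n or len(router) != 4:
            raise ValueError("Option 121 value truncated at offset %d" % i)
        dest = bytes(dest) + b"\x00" * (4 - n)   # pad the omitted low-order octets with zeros
        network = IPv4Network("%s/%d" % (IPv4Address(dest), prefix_len), strict=False)
        routes.append((str(network), str(IPv4Address(bytes(router)))))
        i += 1 + n + 4
    return routes


def encode_option121(routes):
    """Inverse of decode_option121: routes are (destination CIDR, next hop) pairs."""
    out = b""
    for dest, router in routes:
        network = IPv4Network(dest)
        n = (network.prefixlen + 7) // 8
        out += bytes([network.prefixlen]) + network.network_address.packed[:n]
        out += IPv4Address(router).packed
    return out


if __name__ == "__main__":
    # Constructed sample: the page's route (destination 20.1.1.0/24 via next hop 0A 01 01 02)
    # followed by a default route via 10.1.1.1 (the default route is my own addition).
    sample = bytes.fromhex("18 14 01 01 0a 01 01 02" "00 0a 01 01 01")
    for destination, next_hop in decode_option121(sample):
        print(destination, "via", next_hop)
```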
Verifying the configuration
# Use the display dhcp client command to display the IP address and other network parameters assigned to Switch B.
[SwitchB] display dhcp client verbose
Vlan-interface2 DHCP client information:
Current state: BOUND
Allocated IP: 10.1.1.3 255.255.255.0
Allocated lease: 864000 seconds, T1: 331858 seconds, T2: 756000 seconds
Lease from May 21 19:00:29 2012 May 31 19:00:29 2012
DHCP server: 10.1.1.1...
Configuring DHCP snooping
DHCP snooping works between the DHCP client and server, or between the DHCP client and relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent.
Figure 25 Trusted and untrusted ports
In a cascaded network as shown in Figure 26, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries.
Figure 26 Trusted and untrusted ports in a cascaded network
DHCP snooping support for Option 82
Option 82 records the location information about the DHCP client so the administrator can locate the...
Table 4 Handling strategies
If a DHCP request has Option 82, DHCP snooping handles it according to the configured handling strategy:
• Drop: Drops the message.
• Keep: Forwards the message without changing Option 82.
• Replace: Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
To configure basic DHCP snooping:
Step: Enter system view. Command: system-view
Step: Enable DHCP snooping. Command: dhcp snooping enable. Remarks: By default, DHCP snooping is disabled.
Step: Enter interface view. Command: interface interface-type interface-number. Remarks: This interface is connected to the DHCP server.
Step: Specify the port as a trusted port. Command: dhcp snooping trust. Remarks: By default, all ports are untrusted ports after DHCP snooping is...
Step: (Optional.) Configure a handling strategy for DHCP requests containing Option 82. Command: dhcp snooping information strategy { drop | keep | replace }. Remarks: By default, the handling strategy is replace.
Step: (Optional.) Configure the padding content and code type. Command: dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | ... Remarks: By default, the padding format is normal and the...
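The three strategies of Table 4 (drop, keep, replace) act on the Option 82 TLV inside the DHCP options field. This is an added example, not from this guide: it parses the options field (Figure 12 layout), extracts Option 82's Circuit ID and Remote ID sub-options, and applies the configured strategy to a constructed DHCP-DISCOVER. The local Circuit ID string is a hypothetical value; the Remote ID reuses the "device001" string from the configuration example later in this chapter. Because Table 4 only covers requests that already carry Option 82, the handling of a request without it (append the local Option 82) is an assumption of mine.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # starts the DHCP options field (RFC 2132)
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

# Values the snooping device pads into Option 82 (circuit ID is a constructed sample).
LOCAL_CIRCUIT_ID = b"SwitchB:Ten-GigabitEthernet1/0/3"
LOCAL_REMOTE_ID = b"device001"


def parse_tlv(data):
    """Split an options field into [(code, value)], honouring PAD (0) and END (255)."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("option %d truncated" % code)
        length = data[i + 1]
        out.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def encode_tlv(options):
    body = b""
    for code, value in options:
        if len(value) > 255:
            raise ValueError("option %d value too long" % code)
        body += bytes([code, len(value)]) + value
    return body + bytes([OPT_END])


def build_option82(circuit_id=None, remote_id=None):
    """Option 82 value with sub-option 1 (Circuit ID) and/or 2 (Remote ID); one is required."""
    subs = [(c, v) for c, v in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)) if v]
    if not subs:
        raise ValueError("Option 82 must carry at least one sub-option")
    return b"".join(bytes([c, len(v)]) + v for c, v in subs)   # sub-options have no END byte


def parse_option82(value):
    """Return {sub-option code: bytes} for an Option 82 value."""
    subs, i = {}, 0
    while i < len(value):
        if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("Option 82 sub-option truncated")
        length = value[i + 1]
        subs[value[i]] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def snoop_request(options_field, strategy, circuit_id=LOCAL_CIRCUIT_ID, remote_id=LOCAL_REMOTE_ID):
    """Apply the Table 4 strategy to a DHCP request received on an untrusted port.
    Returns the options field to forward, or None when the request is dropped."""
    if not options_field.startswith(MAGIC_COOKIE):
        raise ValueError("options field does not start with the DHCP magic cookie")
    opts = parse_tlv(options_field[len(MAGIC_COOKIE):])
    local82 = build_option82(circuit_id, remote_id)
    if not any(code == OPT_RELAY_AGENT for code, _ in opts):
        # Assumption (not covered by Table 4): a request without Option 82 gets ours appended.
        opts.append((OPT_RELAY_AGENT, local82))
    elif strategy == "drop":
        return None
    elif strategy == "replace":
        opts = [(c, local82 if c == OPT_RELAY_AGENT else v) for c, v in opts]
    elif strategy != "keep":
        raise ValueError("strategy must be drop, keep or replace")
    return MAGIC_COOKIE + encode_tlv(opts)


def relay_agent_option(options_field):
    """Return the Option 82 sub-options of an options field, or None if it carries none."""
    for code, value in parse_tlv(options_field[len(MAGIC_COOKIE):]):
        if code == OPT_RELAY_AGENT:
            return parse_option82(value)
    return None


# Constructed DHCP-DISCOVER options (message type 1). The first copy already carries an
# Option 82 inserted by an untrusted device downstream of the snooping switch.
FOREIGN_82 = build_option82(b"untrusted-circuit", b"untrusted-remote")
SAMPLE_WITH_82 = MAGIC_COOKIE + encode_tlv([(OPT_MSG_TYPE, b"\x01"), (OPT_RELAY_AGENT, FOREIGN_82)])
SAMPLE_WITHOUT_82 = MAGIC_COOKIE + encode_tlv([(OPT_MSG_TYPE, b"\x01")])
```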
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources.
Step: Enter system view. Command: system-view
Step: Enter interface view. Command: interface interface-type interface-number
Step: Enable DHCP-REQUEST check. Command: dhcp snooping check request-message. Remarks: By default, DHCP-REQUEST check is disabled. You can enable DHCP-REQUEST check only on Ethernet interfaces, S-channel interfaces, VSIs, and aggregate interfaces.
Configuring DHCP packet rate limit
Perform this task to configure the maximum rate at which an interface can receive DHCP packets.
Task: Display information about trusted ports. Command: display dhcp snooping trust. Remarks: Available in any view.
Task: Display information about the file that stores DHCP snooping entries. Command: display dhcp snooping binding database. Remarks: Available in any view.
Task: Clear DHCP snooping entries. Command: reset dhcp snooping binding { all | ip... Remarks: Available in user
[SwitchB-Ten-GigabitEthernet1/0/2] dhcp snooping binding record
[SwitchB-Ten-GigabitEthernet1/0/2] quit
Verifying the configuration
After the preceding configuration is complete, the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. You can view the DHCP snooping entry recorded for the client with the display dhcp snooping binding command.
[SwitchB-Ten-GigabitEthernet1/0/2] quit
# Configure Option 82 on Ten-GigabitEthernet 1/0/3.
[SwitchB] interface Ten-GigabitEthernet 1/0/3
[SwitchB-Ten-GigabitEthernet1/0/3] dhcp snooping information enable
[SwitchB-Ten-GigabitEthernet1/0/3] dhcp snooping information strategy replace
[SwitchB-Ten-GigabitEthernet1/0/3] dhcp snooping information circuit-id verbose node-identifier sysname format ascii
[SwitchB-Ten-GigabitEthernet1/0/3] dhcp snooping information remote-id string device001
Verifying the configuration
Use the display dhcp snooping information command to display Option 82 configuration information on Ten-GigabitEthernet 1/0/2 and Ten-GigabitEthernet 1/0/3 on the DHCP snooping device.
Configuring the BOOTP client
BOOTP client configuration only applies to VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.
BOOTP application
An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.
Step: Enter system view. Command: system-view
Step: Enter interface view. Command: interface interface-type interface-number
Step: Configure an interface to use BOOTP for IP address acquisition. Command: ip address bootp-alloc. Remarks: By default, an interface does not use BOOTP for IP address acquisition.
Displaying and maintaining BOOTP client
Execute display commands in any view.
Configuring DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic.
The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store latest mappings between domain names and IP addresses in the dynamic domain name cache.
A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request.
The IP address configured with DNS spoofing is not the actual IP address of the requested domain name, so the TTL of the DNS reply is set to 0 to prevent the DNS client from generating incorrect domain name-to-IP address mappings. Upon receiving the reply, the host sends an HTTP request to the replied IP address.
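The lookup order (static table, then dynamic cache, then the real DNS server) and the TTL of 0 on a spoofed reply are the two points worth seeing on the wire. The following Python is an added example, not code from this guide or from HP: it builds and parses RFC 1035 A queries and answers, and a small proxy class applies that order, answering with the spoofed address and TTL 0 only when no server is reachable, so the client does not cache the bogus mapping. The static TTL, the upstream stub and the example names are assumptions; 10.1.1.2 and 3.1.1.1 are reused from the page's examples.

```python
"""DNS proxy lookup order with DNS spoofing (RFC 1035 wire format).

Added example; not part of the HP configuration guide. It models the order the
text describes: static table, then dynamic cache, then the real DNS server;
when no server is reachable and spoofing is enabled, the reply carries the
spoofed address with TTL 0 so the client does not cache it. Names, addresses
and the upstream stub are constructed.
"""
import socket
import struct

STATIC_TTL = 3600   # assumed TTL for static entries; the page does not state one


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard A query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_question(msg: bytes):
    """Return (txid, qname, offset just past the question section)."""
    txid = struct.unpack("!H", msg[:2])[0]
    i, labels = 12, []
    while msg[i]:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode())
        i += 1 + n
    return txid, ".".join(labels), i + 1 + 4


def build_answer(query: bytes, ip: str, ttl: int, rcode: int = 0) -> bytes:
    """Response echoing the question; one A record unless rcode != 0."""
    txid, _, qend = parse_question(query)
    ancount = 0 if rcode else 1
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    msg = header + query[12:qend]
    if ancount:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return msg


def parse_answer(msg: bytes):
    """Return (rcode, ip, ttl) of the first A record; ip and ttl are None on error."""
    rcode = struct.unpack("!H", msg[2:4])[0] & 0x0F
    _, _, off = parse_question(msg)
    if rcode or struct.unpack("!H", msg[6:8])[0] == 0:
        return rcode, None, None
    # RR layout after the question: name pointer(2) type(2) class(2) ttl(4) rdlength(2) rdata
    ttl, rdlen = struct.unpack("!IH", msg[off + 6:off + 12])
    return rcode, socket.inet_ntoa(msg[off + 12:off + 12 + rdlen]), ttl


class DnsProxy:
    def __init__(self, static, spoof_ip=None, upstream=None):
        self.static = static        # host name -> IP: the static resolution table
        self.cache = {}             # host name -> (IP, TTL): the dynamic cache
        self.spoof_ip = spoof_ip    # 'dns spoofing' address, or None
        self.upstream = upstream    # callable(name) -> (IP, TTL), or None if unreachable

    def handle(self, query: bytes) -> bytes:
        _, name, _ = parse_question(query)
        if name in self.static:
            return build_answer(query, self.static[name], STATIC_TTL)
        if name in self.cache:
            return build_answer(query, *self.cache[name])
        if self.upstream is not None:
            result = self.upstream(name)
            if result is not None:
                self.cache[name] = result
                return build_answer(query, *result)
        if self.spoof_ip is not None:
            return build_answer(query, self.spoof_ip, 0)    # TTL 0: client must not cache
        return build_answer(query, "0.0.0.0", 0, rcode=2)   # SERVFAIL


if __name__ == "__main__":
    proxy = DnsProxy({"host.com": "10.1.1.2"}, spoof_ip="3.1.1.1", upstream=None)
    print(parse_answer(proxy.handle(build_query("www.example.test"))))
```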
Configuring dynamic domain name resolution
To use dynamic domain name resolution, configure DNS servers so that DNS queries can be sent to a correct server for resolution. A DNS server manually configured takes precedence over one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence over one configured later. A name query is first sent to the DNS server that has the highest priority.
Follow these guidelines when you configure static domain name resolution:
• For the public network or a VPN, each host name maps to only one IPv6 address. The last configuration for a host name takes effect.
• You can configure host name-to-IPv6 address mappings for the public network and up to 1024 ...
Step: Specify a DNS server IP address.
  Command: Use at least one command.
    • Specify a DNS server IPv4 address: dns server ip-address [ vpn-instance vpn-instance-name ]
    • Specify a DNS server IPv6 address: ...
  Remarks: By default, no DNS server IP ...
Step: Enter system view.
  Command: system-view
Step: Enable DNS proxy.
  Command: dns proxy enable
  Remarks: By default, DNS proxy is disabled.
Step: Enable DNS spoofing and specify the translated IP address.
  Command: Use at least one command.
    • Specify a translated IPv4 address: dns spoofing ip-address [ vpn-instance vpn-instance-name ]
    • ...
  Remarks: By default, no translated IP ...
To configure the DNS trusted interface:
Step: Enter system view.
  Command: system-view
Step: Specify the DNS trusted interface.
  Command: dns trust-interface interface-type interface-number
  Remarks: By default, no DNS trusted interface is specified. You can configure up to 128 DNS trusted interfaces.
Displaying and maintaining IPv4 DNS
Execute display commands in any view and reset commands in user view.
# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
PING host.com (10.1.1.2): 56 data bytes
56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.1.2: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.1.1.2: icmp_seq=3 ttl=255 time=1.000 ms...
Figure 34 Creating a zone
On the DNS server configuration page, right-click zone com, and select New Host.
Figure 35 Adding a host
On the page that appears, enter host name host and IP address 3.1.1.1. Click Add Host. The mapping between the IP address and host name is created.
Figure 36 Adding a mapping between domain name and IP address
Configure the DNS client:
# Specify the DNS server 2.1.1.2.
<Sysname> system-view
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 3.1.1.1.
As shown in Figure
• Specify Device A as the DNS server of Device B (the DNS client). Device A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.
• Configure the IP address of the DNS proxy on Device B. DNS requests of Device B are forwarded ...
56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms
--- host.com ping statistics ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.000/1.200/2.000/0.400 ms
IPv6 DNS configuration examples
Static domain name resolution configuration example
Network requirements...
Configure dynamic domain name resolution and the domain name suffix com on the device that serves as a DNS client so that the device can use domain name host to access the host with the domain name host.com and the IPv6 address 1::1/64.
Figure 39 Network diagram
Configuration procedure
Before performing the following configuration, make sure that the device and the host can reach each...
Figure 41 Creating a record
On the page that appears, select IPv6 Host (AAAA) as the resource record type.
Figure 42 Selecting the resource record type
Type host name host and IPv6 address 1::1. Click OK. The mapping between the IPv6 address and host name is created.
Figure 43 Adding a mapping between domain name and IPv6 address
Configure the DNS client:
# Specify the DNS server 2::2.
<Device> system-view
[Device] ipv6 dns server 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
Verifying the configuration
# Use the ping ipv6 host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 1::1.
DNS proxy configuration example
Network requirements
When the IPv6 address of the DNS server changes, you must configure the new IPv6 address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.
Verifying the configuration
# Use the ping host.com command on Device B to verify that the connection between the device and the host is normal and that the translated destination IP address is 3000::1.
[DeviceB] ping host.com
PING6(104=40+8+56 bytes) 2000::1 --> 3000::1
56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms
56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms
56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms...
Configuring DDNS
Overview
DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers to direct you to the latest IP address mapping to a domain name.
NOTE:
The DDNS update process does not have a unified standard but depends on the DDNS server that the DDNS client contacts.
DDNS client configuration task list
Tasks at a glance
(Required.) Configuring a DDNS policy
(Required.) Applying the DDNS policy to an interface
Configuring a DDNS policy
A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, associated SSL client policy, and update time interval.
Replace the parameters username and password in the URL with your actual login ID and password registered at the DDNS service provider's website. HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols.
Step: (Optional.) Specify the parameter transmission method for sending DDNS update requests to HTTP/HTTPS-based DDNS servers.
  Command: method { http-get | http-post }
  Remarks: By default, http-get is used. Use the method http-post command to specify the POST method for DDNS update with a DHS server.
Displaying DDNS
Execute display commands in any view.
Task: Display information about the DDNS policy.
  Command: display ddns policy [ policy-name ]
DDNS configuration examples
DDNS configuration example 1
Network requirements
As shown in Figure 46, Switch is a Web server with the domain name whatever.3322.org. Switch acquires the IP address through DHCP.
[Switch-ddns-policy-3322.org] interval 0 0 15
[Switch-ddns-policy-3322.org] quit
# Specify the IP address of the DNS server as 1.1.1.1.
[Switch] dns server 1.1.1.1
# Apply DDNS policy 3322.org to VLAN-interface 2 to enable DDNS update and dynamically update the mapping between domain name whatever.3322.org and the primary IP address of VLAN-interface 2.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ddns apply policy 3322.org fqdn whatever.3322.org
After the preceding configuration is completed, Switch notifies the DNS server of its new domain...
# Set the DDNS update request interval to 12 minutes.
[Switch-ddns-policy-oray.cn] interval 0 0 12
[Switch-ddns-policy-oray.cn] quit
# Specify the IP address of the DNS server as 1.1.1.1.
[Switch] dns server 1.1.1.1
# Apply the DDNS policy oray.cn to VLAN-interface 2 to enable DDNS update and to dynamically update the mapping between whatever.gicp.cn and the primary IP address of VLAN-interface 2.
Basic IP forwarding on the device
Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and then uses the matching entry to forward the packet.
FIB table
A device selects optimal routes from the routing table, and puts them into the FIB table.
Optimizing IP performance
A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation.
Enabling an interface to receive and forward directed broadcasts destined for the directly connected network
A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
This configuration takes effect only for TCP connections established after the configuration, not for TCP connections that already exist. This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not configure the TCP MSS on the interface.
To configure the TCP MSS of an interface:
Step Command...
• After the age timer expires, the source device uses a larger MSS in the MTU table as described in RFC 1191.
• If no ICMP error message is received within 2 minutes, the source device increases the MSS again ...
• SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response packet is received within the SYN wait timer interval, TCP fails to establish the connection.
• FIN wait timer—TCP starts the FIN wait timer when the state changes to FIN_WAIT_2. If no FIN ...
If a packet does not match any route and there is no default route in the routing table, the device sends a Network Unreachable ICMP error packet to the source. If a packet is destined for the device but the transport layer protocol of the packet is not supported by the device, the device sends a Protocol Unreachable ICMP error packet to the source.
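The forwarding decisions described in the FIB section above and in the two ICMP cases here (network unreachable, protocol unreachable), together with the directed-broadcast check from the "Optimizing IP performance" section, fit in one small model. The following Python is an added example, not code from this guide or from HP: it does a longest-prefix FIB lookup with an optional 0.0.0.0/0 default route, treats an all-ones host ID on a connected network as a directed broadcast that is dropped unless forwarding of directed broadcasts is enabled (the reason that setting is off by default is that forwarded directed broadcasts turn a subnet into an amplifier), and returns the ICMP error the text names when no route matches or the transport protocol is unsupported. All prefixes, next hops and addresses are constructed.

```python
"""Packet forwarding decision: directed-broadcast check, longest-prefix FIB
lookup, default route, and the ICMP errors the text describes.

Added example; not part of the HP configuration guide. FIB entries, connected
networks and addresses are constructed.
"""
import ipaddress


class Forwarder:
    def __init__(self, routes, connected, local_addrs=(),
                 supported_protos=("icmp", "tcp", "udp"), forward_broadcast=False):
        # routes: iterable of (prefix, next hop); a 0.0.0.0/0 entry is the default route
        self.fib = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.local = {ipaddress.ip_address(a) for a in local_addrs}
        self.supported = set(supported_protos)
        # models 'ip forward-broadcast' on the ingress interface (off by default)
        self.forward_broadcast = forward_broadcast

    def lookup(self, dst):
        """Longest-prefix match over the FIB; returns (network, next hop) or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.fib:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def directed_broadcast_for(self, dst):
        """Return the connected network whose all-ones host ID dst is, else None."""
        dst = ipaddress.ip_address(dst)
        for net in self.connected:
            # /31 and /32 have no broadcast address
            if net.prefixlen <= 30 and dst == net.broadcast_address:
                return net
        return None

    def forward(self, dst, proto="udp"):
        """Decide what happens to a packet for dst carrying transport protocol proto."""
        d = ipaddress.ip_address(dst)
        if d in self.local:
            if proto in self.supported:
                return ("deliver", proto)
            return ("icmp", "protocol unreachable")
        net = self.directed_broadcast_for(d)
        if net is not None:
            if self.forward_broadcast:
                return ("broadcast", str(net))
            return ("drop", "directed broadcast not forwarded")
        match = self.lookup(d)
        if match is None:
            return ("icmp", "network unreachable")
        return ("forward", match[1])


if __name__ == "__main__":
    fwd = Forwarder(routes=[("10.1.0.0/16", "10.0.0.1"), ("10.1.2.0/24", "10.0.0.2")],
                    connected=["192.168.1.0/24"], local_addrs=["192.168.1.1"])
    for target in ("10.1.2.5", "10.1.9.9", "172.16.0.1", "192.168.1.255"):
        print(target, fwd.forward(target))
```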
Disabling forwarding ICMP fragments
Disabling forwarding ICMP fragments can protect your device from ICMP fragment attacks.
To disable forwarding ICMP fragments:
Step: Enter system view.
  Command: system-view
Step: Disable forwarding ICMP fragments.
  Command: ip icmp fragment discarding
  Remarks: By default, forwarding ICMP fragments is enabled.
Configuring UDP helper
Overview
UDP helper enables a device to convert received UDP broadcast packets into unicast packets and forward them to a specific server. UDP helper is suitable for the scenario where hosts cannot obtain configuration information or device names by broadcasting packets because the target server or host resides on another broadcast domain.
Step: Specify a destination server.
  Command: udp-helper server ip-address
  Remarks: By default, no destination server is specified.
Displaying and maintaining UDP helper
Execute display command in any view and reset command in user view.
Task: Display information about packets forwarded by UDP helper.
  Command: display udp-helper interface interface-type interface-number
[SwitchA-Vlan-interface1] udp-helper server 10.2.1.1
# Enable the interface to receive directed broadcasts destined for the directly connected network.
[SwitchA-Vlan-interface1] ip forward-broadcast
Verifying the configuration
# Display information about packets forwarded by UDP helper on VLAN-interface 1.
[SwitchA-Vlan-interface1] display udp-helper interface vlan-interface 1
Interface Server address Packets sent...
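What the UDP helper does to a packet is easy to state but worth seeing byte by byte: only UDP broadcasts to a relayed port are touched, the destination address is rewritten to each configured server, and the IP header checksum is recomputed. The following Python is an added example, not code from this guide or from HP: it builds a constructed IPv4/UDP packet, applies those rules, and verifies the rewritten header. The server address 10.2.1.1 follows the configuration above; the client subnet, the relayed port list and the payload are constructed (the set of ports a real helper relays is whatever you configured, not this list).

```python
"""UDP helper: turn a UDP broadcast into unicast copies to configured servers.

Added example; not part of the HP configuration guide. Server 10.2.1.1 follows
the configuration above; the relayed ports, client subnet and payload are
constructed.
"""
import ipaddress
import socket
import struct


def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over the IPv4 header (RFC 791)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + UDP packet; UDP checksum 0 means 'none' in IPv4."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


class UdpHelper:
    def __init__(self, servers, ports, connected_net):
        self.servers = list(servers)                          # 'udp-helper server' entries
        self.ports = set(ports)                               # UDP ports that are relayed
        self.connected = ipaddress.ip_network(connected_net)  # ingress interface subnet

    def relay(self, pkt: bytes):
        """Return the unicast copies to send, or [] if the packet is not relayed."""
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != 17:                                       # protocol field: not UDP
            return []
        dst = ipaddress.ip_address(pkt[16:20])
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        limited = dst == ipaddress.ip_address("255.255.255.255")
        directed = dst == self.connected.broadcast_address
        if not (limited or directed) or dport not in self.ports:
            return []
        copies = []
        for server in self.servers:
            new = bytearray(pkt)
            new[16:20] = socket.inet_aton(server)              # rewrite destination
            new[10:12] = b"\x00\x00"                           # zero, then recompute checksum
            new[10:12] = struct.pack("!H", ip_checksum(bytes(new[:ihl])))
            copies.append(bytes(new))
        return copies


def header_ok(pkt: bytes) -> bool:
    """An IPv4 header whose checksum field is valid sums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return ip_checksum(pkt[:ihl]) == 0


def dst_of(pkt: bytes) -> str:
    return str(ipaddress.ip_address(pkt[16:20]))


if __name__ == "__main__":
    helper = UdpHelper(["10.2.1.1"], ports=[69, 53, 137], connected_net="10.1.1.0/24")
    pkt = build_ipv4_udp("10.1.1.5", "255.255.255.255", 2000, 69, b"\x00\x01boot.img\x00octet\x00")
    for copy in helper.relay(pkt):
        print(dst_of(copy), header_ok(copy))
```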
Configuring basic IPv6 settings
Overview
IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring the DHCPv6 server."
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and ...
An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address comprise the address prefix.
IPv6 address types
IPv6 addresses fall into the following types:
• Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet ...
Table 8 ICMPv6 messages used by ND
ICMPv6 message: Neighbor Solicitation (NS)
  Function: Acquires the link-layer address of a neighbor. Verifies whether a neighbor is reachable. Detects duplicate addresses.
ICMPv6 message: Neighbor Advertisement (NA)
  Function: Responds to an NS message. Notifies the neighboring nodes of link layer changes.
ICMPv6 message: Router Solicitation (RS)
  Function: Requests an address prefix and other configuration information for autoconfiguration after startup.
If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable. Duplicate address detection After Host A acquires an IPv6 address, it performs Duplicate Address Detection (DAD) to check whether the address is being used by any other node (similar to gratuitous ARP in IPv4).
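Both checks in Table 8 and this section rest on the solicited-node multicast group: the NS goes to FF02::1:FFxx:xxxx, formed from the low 24 bits of the target address, and only a node holding that address answers with an NA. That is also why the display output later in this chapter lists one FF02::1:FF00:x group per address on the interface. The following Python is an added example, not code from this guide or from HP: it derives the solicited-node group for an address and models DAD (NS from the unspecified address; any NA means the address is in use) and the reachability check (NS from the node's own address, NA exp
ected back). The link and node names are constructed; the addresses are taken from the example later in this chapter.

```python
"""Solicited-node multicast and Duplicate Address Detection (DAD).

Added example; not part of the HP configuration guide. The solicited-node
derivation is RFC 4291; the toy link and its nodes are constructed.
"""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr: str) -> str:
    """FF02::1:FF00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


class Link:
    """A toy link: each node listens on the solicited-node groups of its addresses."""

    def __init__(self):
        self.owners = {}   # IPv6Address -> node name; tentative addresses are not listed

    def groups_of(self, node: str):
        """Solicited-node groups a node has joined (one per assigned address)."""
        return sorted({solicited_node(str(a)) for a, n in self.owners.items() if n == node})

    def send_ns(self, target: str, source: str = "::"):
        """Deliver an NS to the target's solicited-node group.

        Returns the NA the owner sends back, or None if nobody holds the target.
        """
        tgt = ipaddress.IPv6Address(target)
        group = solicited_node(target)
        for addr, node in self.owners.items():
            # a node only processes the NS if it joined that group and owns the target
            if solicited_node(str(addr)) == group and addr == tgt:
                return {"type": "NA", "target": str(tgt), "from": node, "to": source}
        return None


def dad(link: Link, node: str, addr: str, attempts: int = 1) -> bool:
    """Run DAD for addr: True if it is unique and is now assigned to node."""
    for _ in range(attempts):
        if link.send_ns(addr, source="::") is not None:   # an NA came back: duplicate
            return False
    link.owners[ipaddress.IPv6Address(addr)] = node
    return True


def reachable(link: Link, neighbor: str, source: str) -> bool:
    """Neighbor reachability check: NS from our own address, expect an NA."""
    return link.send_ns(neighbor, source=source) is not None


if __name__ == "__main__":
    link = Link()
    print(dad(link, "SwitchA", "3001::1"), link.groups_of("SwitchA"))
    print(dad(link, "Host", "3001::1"))   # second node, same address: duplicate
```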
Figure 54 Path MTU discovery process The source host sends a packet no larger than its MTU to the destination host. If the MTU of a device's output interface is smaller than the packet, the device discards the packet and returns an ICMPv6 error packet containing the interface MTU to the source host. After receiving the ICMPv6 error packet, the source host uses the returned MTU to limit the packet size, performs fragmentation, and sends the packets to the destination host.
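The IPv6 process here and the TCP MSS behaviour described earlier in "Optimizing IP performance" (fall back to a smaller MSS from the RFC 1191 MTU table, then try a larger one after the age timer) are the same state machine seen from two sides. The following Python is an added example, not code from this guide or from HP, that carries both: an ICMPv6 Packet Too Big always reports the next-hop MTU, so that value is taken directly; an IPv4 Fragmentation Needed from an old router may carry none, in which case the next lower RFC 1191 plateau is used; and when the age timer expires the path MTU steps up to the next plateau so later traffic re-probes the path. The plateau table and the IPv6 minimum MTU of 1280 are from the RFCs; the 120-second age timer and the packet sizes are constructed, and applying the plateau table to IPv6 is a generalization beyond what this page states.

```python
"""Path MTU state for one destination: ICMP 'fragmentation needed' and
ICMPv6 'Packet Too Big' handling, RFC 1191 plateau fallback, and the age
timer that probes for a larger MTU again.

Added example; not part of the HP configuration guide. The plateau table is
RFC 1191's; the timer value and packet sizes are constructed.
"""

# RFC 1191 section 7.1 plateau table (common link MTUs), ascending.
PLATEAUS = [68, 296, 508, 1006, 1492, 2002, 4352, 8166, 17914, 32000, 65535]
IPV6_MIN_MTU = 1280   # every IPv6 link must carry 1280-octet packets


class PathMtu:
    def __init__(self, link_mtu, ipv6=False, age_timer=120):
        self.link_mtu = link_mtu
        self.ipv6 = ipv6
        self.min_mtu = IPV6_MIN_MTU if ipv6 else PLATEAUS[0]
        self.age_timer = age_timer     # seconds before a larger MTU is tried again (constructed)
        self.pmtu = link_mtu           # start optimistic: the local link MTU
        self.since_change = 0

    def on_too_big(self, reported_mtu=None):
        """An ICMP/ICMPv6 error arrived. reported_mtu is the next-hop MTU it carries
        (always present in ICMPv6 Packet Too Big; may be absent in old IPv4 routers)."""
        if reported_mtu and reported_mtu < self.pmtu:
            new = reported_mtu
        else:
            lower = [p for p in PLATEAUS if p < self.pmtu]
            new = lower[-1] if lower else PLATEAUS[0]
        self.pmtu = max(new, self.min_mtu)   # never go below the protocol minimum
        self.since_change = 0

    def tick(self, seconds):
        """Advance the age timer; on expiry step up to the next plateau (capped at the
        link MTU) so the next packets re-probe the path."""
        self.since_change += seconds
        if self.since_change >= self.age_timer and self.pmtu < self.link_mtu:
            higher = [p for p in PLATEAUS if p > self.pmtu]
            self.pmtu = min(higher[0], self.link_mtu) if higher else self.link_mtu
            self.since_change = 0

    def tcp_mss(self):
        """MSS derived from the path MTU: minimum IP header plus 20-byte TCP header."""
        return self.pmtu - (60 if self.ipv6 else 40)

    def fragment(self, payload_len):
        """Source fragmentation: chunk sizes no larger than the current path MTU
        (header overhead ignored to keep the arithmetic visible)."""
        return [min(payload_len - off, self.pmtu) for off in range(0, payload_len, self.pmtu)]


if __name__ == "__main__":
    p = PathMtu(1500)
    p.on_too_big(1400)      # router reported MTU 1400
    p.on_too_big(None)      # old router, no MTU in the message: next plateau down
    print(p.pmtu, p.tcp_mss())
```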
• RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses
• ...
Configuring an IPv6 global unicast address
Use one of the following methods to configure an IPv6 global unicast address for an interface:
• EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface identifier is generated automatically by the interface.
• ...
Configuring automatic generation of an IPv6 link-local address for an interface
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Configure the interface to automatically generate an IPv6 link-local address.
  Command: ipv6 address auto link-local
  Remarks: By default, no link-local address is configured on an interface. After an IPv6 global unicast address is ...
Configuring IPv6 ND This section describes how to configure IPv6 ND. Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry by the IPv6 address and the local Layer 3 interface number of the neighbor.
Setting the aging timer for ND entries in stale state ND entries in stale state have an aging timer. If an ND entry in stale state is not refreshed before the timer expires, the ND entry changes to the delay state. If it is still not refreshed in 5 seconds, the ND entry changes to the probe state, and the device sends an NS message three times.
Configuring parameters for RA messages You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 9 describes the configurable parameters in an RA message.
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Enable sending of RA messages.
  Command: undo ipv6 nd ra halt
  Remarks: The default setting is disabled.
By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds.
Step: Set the NS retransmission timer.
  Command: ipv6 nd ns retrans-timer value
  Remarks: By default, an interface sends NS messages every 1000 milliseconds, and the value of the Retrans Timer field in RA messages is 0.
Step: Set the router preference in RA messages.
  Command: ipv6 nd router-preference { high ...
  Remarks: By default, the router preference is ...
Step: Configure the interface MTU.
  Command: ipv6 mtu mtu-size
  Remarks: By default, no interface MTU is configured. This command does not take effect on IPv6 multicast packets, because a switch does not check the packet size of an IPv6 multicast packet.
Configuring a static path MTU for a specific IPv6 address
You can configure a static path MTU for an IPv6 address.
Step: Enter system view.
  Command: system-view
Step: Enable replying to multicast echo requests.
  Command: ipv6 icmpv6 multicast-echo-reply enable
  Remarks: By default, this function is not enabled.
Enabling sending ICMPv6 destination unreachable messages
The device sends ICMPv6 destination unreachable messages as follows:
• If a packet does not match any route, the device sends a No Route to Destination ICMPv6 error message to the source.
Step: Enter system view.
  Command: system-view
Step: Enable sending ICMPv6 time exceeded messages.
  Command: ipv6 hoplimit-expires enable
  Remarks: The default setting is disabled.
Enabling sending ICMPv6 redirect messages
Upon receiving a packet from a host, the device sends an ICMPv6 redirect message to inform the host of a better next hop when the following conditions are satisfied:
• ...
Figure 55 Network diagram
Configuration procedure
This example assumes that the VLAN interfaces have been created on the switches.
Configure Switch A:
# Specify a global unicast address for VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ipv6 address 3001::1/64
[SwitchA-Vlan-interface2] quit
# Specify a global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).
Vlan-interface2 current state: UP
Line protocol current state: UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2
  Global unicast address(es):
    3001::1, subnet is 3001::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF00:2
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses...
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF00:1C0
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 600 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses...
    3001::2, subnet is 3001::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF00:1234
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
  InReceives:
  InTooShorts:...
1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.404/4.404/4.404/0.000 ms
[SwitchB] ping ipv6 -c 1 2001::15B:E0EA:3524:E791
PING6(104=40+8+56 bytes) 3001::2 --> 2001::15B:E0EA:3524:E791
56 bytes from 2001::15B:E0EA:3524:E791, icmp_seq=0 hlim=64 time=5.404 ms
--- 2001::15B:E0EA:3524:E791 ping6 statistics ---
1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.404/5.404/5.404/0.000 ms
The output shows that Switch B can ping Switch A and the host.
DHCPv6 overview
DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
DHCPv6 address/prefix assignment
An address/prefix assignment process involves two or four messages.
Rapid assignment involving two messages
As shown in Figure 56, rapid assignment operates in the following steps:
1. The DHCPv6 client sends a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
Figure 57 Assignment involving four messages
Address/prefix lease renewal
An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
Stateless DHCPv6
Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device decides whether to perform stateless DHCP according to the managed address configuration flag (M flag) and the other stateful configuration flag (O flag) in the RA message received from the router during stateless address autoconfiguration.
Configuring the DHCPv6 server
Overview
A DHCPv6 server can assign IPv6 addresses or IPv6 prefixes to DHCPv6 clients.
IPv6 address assignment
As shown in Figure 61, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients fall into the following types:
• Temporary IPv6 addresses—Internally used and frequently changed without lease renewal.
Figure 62 IPv6 prefix assignment
Concepts
Multicast addresses used by DHCPv6
DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers, and uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.
DUID
A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).
The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the IPv6 prefix, client DUID, IAID, valid lifetime, preferred lifetime, lease expiration time, and IPv6 address of the requesting client.
DHCPv6 address pool
The DHCP server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCP clients.
client against the subnets of all address pools, and selects the address pool with the longest-matching subnet. To avoid wrong address allocation, keep the subnet used for dynamic assignment consistent with the subnet where the interface of the DHCPv6 server or DHCPv6 relay agent resides. IPv6 address/prefix allocation sequence The DHCPv6 server selects an IPv6 address/prefix for a client in the following sequence: IPv6 address/prefix statically bound to the client's DUID and IAID and expected by the client.
• Only one prefix pool can be applied to an address pool. You cannot modify prefix pools that have been applied. To change the prefix pool for an address pool, you must remove the prefix pool application first.
• You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.
If you only bind a DUID to an IPv6 address, the DUID in a request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.
Specify a subnet and address ranges in an address pool:
• ...
Step: Specify an IPv6 subnet for dynamic assignment.
  Command: network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
  Remarks: By default, no IPv6 address subnet is specified. You cannot use this command to configure the same subnet in different address pools.
Step: (Optional.) Specify a ...
  Command: address range start-ipv6-address ...
  Remarks: By default, no non-temporary IPv6 ...
Configuring the DHCPv6 server on an interface
Enable the DHCP server and configure one of the following address/prefix assignment methods on an interface:
• Apply an address pool on the interface—The DHCPv6 server selects an IPv6 address/prefix from the applied address pool for a requesting client. If there is no assignable IPv6 address/prefix in the address pool, the DHCPv6 server cannot assign an IPv6 address/prefix to a client.
Task: Display the DUID of the local device.
  Command: display ipv6 dhcp duid
Task: Display DHCPv6 address pool information.
  Command: display ipv6 dhcp pool [ pool-name ]
Task: Display prefix pool information.
  Command: display ipv6 dhcp prefix-pool [ prefix-pool-number ]
Task: Display DHCPv6 server information on an interface.
  Command: display ipv6 dhcp server [ interface interface-type ...
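The pool-selection rule (longest-matching subnet for the requesting link), the allocation sequence that starts with the static DUID and IAID binding, the DUID-only binding, and the prefix pool that carves /48 delegations out of a /32 are the parts of this chapter a practitioner most often has to reason about when a client gets an unexpected address. The following Python is an added example, not code from this guide or from HP, that models them together. The allocation order after the static bindings (client's expected address if free, otherwise the first free address, skipping forbidden and statically reserved ones) is a simplification of the sequence the page lists, and the lifetimes, DUIDs and pool names are constructed; the subnets 1::1:0:0:0/96, 1::2:0:0:0/96, the forbidden address 1::2:0:0:2 and the prefix pool 2001:0410::/32 with assigned length 48 are the values used in the configuration examples that follow.

```python
"""DHCPv6 address pool selection, allocation order, and prefix delegation.

Added example; not part of the HP configuration guide. Pool contents, DUIDs
and lifetimes are constructed; the subnets and prefix pool follow the
configuration examples in this chapter.
"""
import ipaddress


class Pool:
    def __init__(self, name, network, preferred=604800, valid=2592000):
        self.name = name
        self.network = ipaddress.IPv6Network(network)
        self.preferred, self.valid = preferred, valid   # lifetimes in seconds (constructed)
        self.static = {}         # (duid, iaid) or (duid, None) -> IPv6Address
        self.in_use = {}         # IPv6Address -> (duid, iaid)
        self.prefix_pool = None  # (IPv6Network, assigned prefix length)
        self.pd_in_use = {}      # delegated IPv6Network -> (duid, iaid)


class Dhcpv6Server:
    def __init__(self):
        self.pools = {}
        self.forbidden = set()   # 'ipv6 dhcp server forbidden-address' entries

    def add_pool(self, name, network):
        net = ipaddress.IPv6Network(network)
        if any(p.network == net for p in self.pools.values()):
            raise ValueError("the same subnet cannot be configured in different address pools")
        self.pools[name] = Pool(name, network)

    def forbid(self, addr):
        self.forbidden.add(ipaddress.IPv6Address(addr))

    def bind_static(self, pool_name, duid, addr, iaid=None):
        """iaid=None models a binding on the DUID only."""
        self.pools[pool_name].static[(duid, iaid)] = ipaddress.IPv6Address(addr)

    def set_prefix_pool(self, pool_name, prefix, assign_len):
        self.pools[pool_name].prefix_pool = (ipaddress.IPv6Network(prefix), assign_len)

    def select_pool(self, link_addr):
        """Pool whose subnet is the longest match for the requesting link's address."""
        a = ipaddress.IPv6Address(link_addr)
        matches = [p for p in self.pools.values() if a in p.network]
        return max(matches, key=lambda p: p.network.prefixlen) if matches else None

    def _free(self, pool, addr):
        return (addr in pool.network
                and addr != pool.network.network_address      # subnet-router anycast
                and addr not in self.forbidden
                and addr not in pool.in_use
                and addr not in pool.static.values())         # reserved for someone else

    def allocate(self, link_addr, duid, iaid, hint=None):
        """Return (pool, address, preferred, valid) or None when nothing can be assigned."""
        pool = self.select_pool(link_addr)
        if pool is None:
            return None
        for key in ((duid, iaid), (duid, None)):            # static DUID+IAID, then DUID only
            addr = pool.static.get(key)
            if addr is not None:
                pool.in_use[addr] = (duid, iaid)
                return (pool.name, str(addr), pool.preferred, pool.valid)
        if hint is not None and self._free(pool, ipaddress.IPv6Address(hint)):
            addr = ipaddress.IPv6Address(hint)                # the address the client asked for
        else:
            addr = next((a for a in self._scan(pool) if self._free(pool, a)), None)
            if addr is None:
                return None                                   # pool exhausted
        pool.in_use[addr] = (duid, iaid)
        return (pool.name, str(addr), pool.preferred, pool.valid)

    @staticmethod
    def _scan(pool):
        first = int(pool.network.network_address) + 1
        last = int(pool.network.broadcast_address)
        for i in range(first, last + 1):
            yield ipaddress.IPv6Address(i)

    def delegate(self, pool_name, duid, iaid):
        """Hand out the next unused prefix of the configured length from the prefix pool."""
        pool = self.pools[pool_name]
        if pool.prefix_pool is None:
            return None
        base, length = pool.prefix_pool
        for sub in base.subnets(new_prefix=length):
            if sub not in pool.pd_in_use:
                pool.pd_in_use[sub] = (duid, iaid)
                return str(sub)
        return None


if __name__ == "__main__":
    srv = Dhcpv6Server()
    srv.add_pool("1", "1::1:0:0:0/96")
    srv.set_prefix_pool("1", "2001:0410::/32", 48)
    print(srv.allocate("1::1:0:0:1", "00030001aabb", 1, hint="1::1:0:0:10"))
    print(srv.delegate("1", "00030001aabb", 1), srv.delegate("1", "00030001ccdd", 1))
```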
To assign prefixes in the range of 2001:0410::/48 to 2001:0410:FFFF::/48, specify a prefix 2001:0410::/32 and specify the assigned prefix length as 48 in the pool.
• Create an address pool. Specify a subnet where the IPv6 address of the server interface connecting the clients resides.
• Configure a static prefix binding, apply the prefix pool, and configure other configuration ...
[Switch-dhcp6-pool-1] sip-server address 2:2::4
[Switch-dhcp6-pool-1] sip-server domain-name bbb.com
[Switch-dhcp6-pool-1] quit
# Enable the DHCPv6 server on VLAN-interface 2, enable desired prefix assignment and rapid prefix assignment, and set the preference to the highest.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ipv6 dhcp select server
[Switch-Vlan-interface2] ipv6 dhcp server allow-hint preference 255 rapid-commit
Verifying the configuration
# Display DHCPv6 server configuration on VLAN-interface 2.
Pool: 1
  IPv6 prefix           Type        Lease expiration
  2001:410:201::/48     Static(C)   Jul 10 19:45:01 2009
# After the other client obtains an IPv6 prefix, display binding information on the DHCPv6 server.
[Switch-Vlan-interface2] display ipv6 dhcp server pd-in-use
Pool: 1
  IPv6 prefix           Type        Lease expiration
  2001:410:201::/48     Static(C)   Jul 10 19:45:01 2009...
[SwitchA] ipv6 dhcp server forbidden-address 1::2:0:0:2
# Configure the DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients in subnet 1::1:0:0:0/96.
[SwitchA] ipv6 dhcp pool 1
[SwitchA-dhcp6-pool-1] network 1::1:0:0:0/96 preferred-lifetime 172800 valid-lifetime 345600
[SwitchA-dhcp6-pool-1] domain-name aabbcc.com
[SwitchA-dhcp6-pool-1] dns-server 1::1:0:0:2
[SwitchA-dhcp6-pool-1] quit
# Configure the DHCPv6 address pool 2 to assign IPv6 addresses and other configuration...
Configuring tunneling
Overview
Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end.
If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol. If not, Device B forwards it according to the routing table.
Tunnel types
IPv6 over IPv4 tunnels fall into manually configured tunnels and automatic tunnels, depending on how the IPv4 address of the tunnel destination is acquired.
address identifies a 6to4 network (an IPv6 network where all hosts use 6to4 addresses). The border router of a 6to4 network must have the IPv4 address abcd:efgh configured on the interface connected to the IPv4 network. The subnet number identifies a subnet in the 6to4 network. The subnet number::interface ID uniquely identifies a host in the 6to4 network.
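Because a 6to4 address carries the border router's IPv4 address in its second and third 16-bit groups, the address used in the later configuration example (2002:0201:0101:1::1 for the IPv4 address 2.1.1.1) can be derived and, just as usefully, checked. The following Python is an added example, not code from this guide or from HP: it builds the 6to4 prefix and host address from an IPv4 address, builds an ISATAP address (interface ID 0000:5EFE:w.x.y.z, the form in the ISATAP example later in this chapter), recovers the embedded IPv4 address from either, and applies the check RFC 3964 recommends for automatic tunnels: the IPv4 address embedded in the inner IPv6 source must equal the outer IPv4 source, otherwise the encapsulated packet is spoofed and should be dropped. The subnet number, the ISATAP prefix and the mismatched outer source are constructed.

```python
"""6to4 and ISATAP addresses: derive them from an IPv4 address and recover
the embedded IPv4 address to check tunnel packets.

Added example; not part of the HP configuration guide. 2.1.1.1 and
2002:0201:0101:1::1 follow the configuration example; the ISATAP interface
ID form is from RFC 5214; the other values are constructed.
"""
import ipaddress
import socket

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> str:
    """2002:abcd:efgh::/48 where abcd:efgh is the hex form of the IPv4 address."""
    b = socket.inet_aton(ipv4)
    return str(ipaddress.IPv6Network(f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48"))


def six_to_four_address(ipv4: str, subnet: int, interface_id: str) -> str:
    """Host address 2002:abcd:efgh:<subnet number>:<interface ID>."""
    prefix = ipaddress.IPv6Network(six_to_four_prefix(ipv4))
    host = (subnet << 64) | int(ipaddress.IPv6Address("::" + interface_id))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | host))


def isatap_address(prefix64: str, ipv4: str) -> str:
    """ISATAP interface ID 0000:5efe:w.x.y.z appended to a /64 prefix."""
    net = ipaddress.IPv6Network(prefix64)
    iid = (0x5EFE << 32) | int.from_bytes(socket.inet_aton(ipv4), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_ipv4(ipv6: str):
    """IPv4 address embedded in a 6to4 or ISATAP address, or None for other addresses."""
    a = ipaddress.IPv6Address(ipv6)
    packed = a.packed
    if a in SIX_TO_FOUR:
        return socket.inet_ntoa(packed[2:6])
    # ISATAP interface ID: 00-00-5e-fe (or 02-00-5e-fe with the u/l bit set) + IPv4
    if packed[8] in (0x00, 0x02) and packed[9] == 0x00 and packed[10:12] == b"\x5e\xfe":
        return socket.inet_ntoa(packed[12:16])
    return None


def tunnel_source_consistent(outer_ipv4_src: str, inner_ipv6_src: str) -> bool:
    """Accept a decapsulated packet only if the inner source embeds the outer source
    (RFC 3964 check for 6to4; the same test applies to ISATAP addresses)."""
    return embedded_ipv4(inner_ipv6_src) == outer_ipv4_src


if __name__ == "__main__":
    print(six_to_four_prefix("2.1.1.1"), six_to_four_address("2.1.1.1", 1, "1"))
    print(embedded_ipv4("2002:0201:0101:1::1"), embedded_ipv4("fe80::5efe:2.1.1.2"))
    print(tunnel_source_consistent("2.1.1.1", "2002:201:101:1::1"),
          tunnel_source_consistent("9.9.9.9", "2002:201:101:1::1"))   # constructed spoof
```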
Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure
• Encapsulation: Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header.
The IPv6 protocol stack uses the destination IPv6 address of the packet to look up the routing table, and then sends it out.
• De-encapsulation: Upon receiving the IPv6 packet from the attached IPv6 network, Device B delivers the packet to the IPv6 protocol stack to examine the protocol type encapsulated in the data portion of the packet.
Step: (Optional.) Configure a description for the interface.
  Command: description text
  Remarks: By default, the description of a tunnel interface is Tunnel number Interface.
Step: Set the MTU of the tunnel interface.
  Command: mtu mtu-size
  Remarks: By default, the MTU is 64000 bytes.
The default setting is 64 kbps.
Step: Configure a source address or source interface for the tunnel interface.
  Command: source { ip-address | interface-type interface-number }
  Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified ...
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 192.168.100.1 255.255.255.0
[SwitchA-Vlan-interface100] quit
# Configure an IPv6 address for VLAN-interface 101.
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ipv6 address 3002::1 64
[SwitchA-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Add Ten-GigabitEthernet 1/0/3 to service loopback group 1.
[SwitchB-Tunnel0] destination 192.168.100.1
[SwitchB-Tunnel0] quit
# Configure a static route destined for IPv6 network 1 through tunnel 0 on Switch B.
[SwitchB] ipv6 route-static 3002:: 64 tunnel 0
Verifying the configuration
# Use the display ipv6 interface command to view tunnel interface status on Switch A and Switch B. The output shows that the interface tunnel 0 is up.
Step: Configure a source address or source interface for the tunnel interface.
  Command: source { ip-address | interface-type interface-number }
  Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified ...
• Configure Switch A:
# Configure an IPv4 address for VLAN-interface 100.
<SwitchA> system-view
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 2.1.1.1 24
[SwitchA-Vlan-interface100] quit
# Configure a 6to4 address for VLAN-interface 101.
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ipv6 address 2002:0201:0101:1::1/64
[SwitchA-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
# Specify the source interface as VLAN-interface 100 for the tunnel interface.
[SwitchB-Tunnel0] source vlan-interface 100
[SwitchB-Tunnel0] quit
# Configure a static route destined for 2002::/16 through the tunnel interface.
[SwitchB] ipv6 route-static 2002:: 16 tunnel 0
Verifying the configuration
# Ping Host B from Host A or ping Host A from Host B.
Step: Configure a source address or source interface for the tunnel interface.
  Command: source { ip-address | interface-type interface-number }
  Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified source interface is used as the source IP address of...
[Switch-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
[Switch] service-loopback group 1 type tunnel
# Assign Ten-GigabitEthernet 1/0/3 to service loopback group 1.
[Switch] interface Ten-GigabitEthernet 1/0/3
[Switch-Ten-GigabitEthernet1/0/3] port service-loopback group 1
[Switch-Ten-GigabitEthernet1/0/3] quit
# Configure an ISATAP tunnel interface tunnel 0.
# Display information about the ISATAP interface.
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
  Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
  does not use Neighbor Discovery
  uses Router Discovery
  routing preference 1
  EUI-64 embedded IPv4 address: 2.1.1.2
  router link-layer address: 1.1.1.1
    preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
    preferred link-local fe80::5efe:2.1.1.2, life infinite
  link MTU 1500 (true link MTU 65515)
  current hop limit 255...
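Both the 6to4 address configured on Switch A earlier (2002:0201:0101:1::1 on a tunnel whose IPv4 source is 2.1.1.1) and the ISATAP addresses in the host output above (2001::5efe:2.1.1.2 and fe80::5efe:2.1.1.2 for a host at 2.1.1.2) embed the IPv4 tunnel endpoint inside the IPv6 address. The following Python is an added example, not part of the HP guide, that derives those addresses from the IPv4 endpoints and recovers the endpoint again, which is what you want when checking that an automatic tunnel's IPv6 addressing matches its IPv4 underlay. The ISATAP form uses the 0000:5efe interface-identifier prefix exactly as the output above shows it; the function names are this example's own.

```python
import ipaddress


def sixto4_prefix(ipv4: str) -> str:
    """Return the 6to4 prefix 2002:WWXX:YYZZ::/48 derived from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        # 6to4 only works when the embedded IPv4 address is reachable across the IPv4 network
        raise ValueError(f"{ipv4} is not a globally routable IPv4 address")
    # 2002 in the top 16 bits, the 32-bit IPv4 address in bits 16..47
    prefix = (0x2002 << 112) | (int(v4) << 80)
    return str(ipaddress.IPv6Network((prefix, 48)))


def sixto4_address(ipv4: str, subnet_id: int, interface_id: int) -> str:
    """Build a host address inside the 6to4 prefix: 2002:WWXX:YYZZ:<subnet>::<iid>."""
    if not (0 <= subnet_id < 1 << 16) or not (0 <= interface_id < 1 << 64):
        raise ValueError("subnet id must fit in 16 bits, interface id in 64 bits")
    base = int(ipaddress.IPv6Network(sixto4_prefix(ipv4)).network_address)
    return str(ipaddress.IPv6Address(base | (subnet_id << 64) | interface_id))


def isatap_address(prefix: str, ipv4: str) -> str:
    """Build an ISATAP address <prefix>:0000:5efe:<IPv4> from a /64 prefix and an IPv4 endpoint."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    # interface identifier = 0000:5efe followed by the 32-bit IPv4 address
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_ipv4(addr: str):
    """Recover the IPv4 tunnel endpoint from a 6to4 or ISATAP address; None for any other address."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 112 == 0x2002:                          # 6to4: IPv4 sits in bits 16..47
        return str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if (n >> 32) & 0xFFFFFFFF == 0x00005EFE:        # ISATAP: 0000:5efe:<IPv4> in the low 64 bits
        return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    return None


if __name__ == "__main__":
    # Values from the configuration examples above
    print(sixto4_prefix("2.1.1.1"))                  # 2002:201:101::/48
    print(sixto4_address("2.1.1.1", 1, 1))           # 2002:201:101:1::1
    print(isatap_address("2001::/64", "2.1.1.2"))     # 2001::5efe:201:102 (2001::5efe:2.1.1.2)
    print(embedded_ipv4("fe80::5efe:2.1.1.2"))        # 2.1.1.2
```

Python prints the ISATAP address in plain hextet form (2001::5efe:201:102); it is the same address the Windows output writes as 2001::5efe:2.1.1.2, and the parser accepts either spelling.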
• If the destination IPv4 network is not on the same subnet as the IPv4 address of the local tunnel interface, you must configure a route destined for the destination IPv4 network through the tunnel interface. You can configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv4 address of the peer tunnel interface as the next hop.
Figure 75 Network diagram
Configuration procedure
Make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other through IPv4.
• Configure Switch A:
# Configure an IPv4 address for VLAN-interface 100.
<SwitchA> system-view
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vlan-interface100] quit...
[SwitchB-Vlan-interface100] ip address 10.1.3.1 255.255.255.0
[SwitchB-Vlan-interface100] quit
# Configure an IPv4 address for VLAN-interface 101 (the physical interface of the tunnel).
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ip address 3.1.1.1 255.255.255.0
[SwitchB-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
[SwitchB] service-loopback group 1 type tunnel
# Assign Ten-GigabitEthernet 1/0/3 to service loopback group 1.
• The destination address specified for the local tunnel interface must be the source address specified for the peer tunnel interface, and vice versa.
• Two or more local tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
• If the destination IPv4 network is not on the same subnet as the IPv4 address of the local tunnel...
Figure 76 Network diagram
Configuration procedure
Make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other through IPv6.
• Configure Switch A:
# Configure an IPv4 address for VLAN-interface 100.
<SwitchA> system-view
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 30.1.1.1 255.255.255.0
[SwitchA-Vlan-interface100] quit...
[SwitchB-Vlan-interface100] ip address 30.1.3.1 255.255.255.0
[SwitchB-Vlan-interface100] quit
# Configure an IPv6 address for VLAN-interface 101 (the physical interface of the tunnel).
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ipv6 address 2002::2:1 64
[SwitchB-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
[SwitchB] service-loopback group 1 type tunnel
# Assign Ten-GigabitEthernet 1/0/3 to service loopback group 1.
• The destination address specified for the local tunnel interface must be the source address specified for the peer tunnel interface, and vice versa.
• Two or more local tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
• The IPv6 address of the tunnel interface must not be on the same subnet as the destination address...
Configuration example
Network requirements
As shown in Figure 77, configure an IPv6 over IPv6 tunnel between Switch A and Switch B so the two IP networks can reach each other without disclosing their IPv6 addresses.
Figure 77 Network diagram (Switch A and Switch B, each with Vlan-int101 as the tunnel's physical interface)...
[SwitchA] ipv6 route-static 2002:3:: 64 tunnel 1
• Configure Switch B:
# Configure an IPv6 address for VLAN-interface 100.
<SwitchB> system-view
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ipv6 address 2002:3::1 64
[SwitchB-Vlan-interface100] quit
# Configure an IPv6 address for VLAN-interface 101 (the physical interface of the tunnel).
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ipv6 address 2002::22:1 64
[SwitchB-Vlan-interface101] quit...
Displaying and maintaining tunneling configuration
Execute display commands in any view and reset commands in user view.
Task: Display information about tunnel interfaces.
Command: display interface [ tunnel [ number ] ] [ brief [ description ] ]
Task: Display IPv6 information on tunnel interfaces.
Command: display ipv6 interface [ tunnel [ number ] ] [ brief ]
Task: Clear statistics on tunnel interfaces.
Configuring GRE
Overview
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate multiple network layer protocols into virtual point-to-point tunnels over an IP network. Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end.
GRE encapsulation format
Figure 78 GRE encapsulation format
As shown in...
GRE encapsulation and de-encapsulation
Figure 80 X protocol networks interconnected through a GRE tunnel
The following takes the network shown in Figure 80 as an example to describe how an X protocol packet traverses an IP network through a GRE tunnel:
Encapsulation process
After receiving an X protocol packet from the interface connected to Group 1, Device A submits it to the X protocol for processing.
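The encapsulation format in Figure 78 and the encapsulation and de-encapsulation process described here can be made concrete in a few dozen lines. The following Python is an added example, not code from the HP guide or from the switch software: it wraps a passenger packet in the 4-byte GRE header and an outer IPv4 delivery header (the GRE over IPv4 case), then reverses the process the way a receiving tunnel endpoint does, rejecting a delivery header whose protocol is not GRE, a bad header checksum, or an unsupported GRE version. The payload and addresses are constructed for the example; 1.1.1.1 and 2.1.1.1 stand in for the two tunnel endpoints.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer (delivery) IPv4 header
GRE_TYPE_IPV4 = 0x0800    # GRE protocol type values are EtherTypes: IPv4 passenger packet
GRE_TYPE_IPV6 = 0x86DD    # IPv6 passenger packet
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encapsulate(payload: bytes, proto_type: int, src: str, dst: str, ttl: int = 255) -> bytes:
    """Delivery IPv4 header + 4-byte GRE header (no C/K/S options) + passenger packet."""
    gre = struct.pack("!HH", 0x0000, proto_type)          # flags and version all zero (RFC 2784)
    total_len = 20 + len(gre) + len(payload)
    fields = [0x45, 0, total_len, 0, 0x4000, ttl, GRE_PROTO, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))   # checksum computed with field = 0
    return struct.pack(IPV4_HDR, *fields) + gre + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the delivery and GRE headers; raise ValueError for anything a tunnel endpoint should drop."""
    if len(packet) < 24:
        raise ValueError("shorter than an IPv4 header plus a GRE header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet) or ihl + 4 > total_len:
        raise ValueError("malformed delivery header")
    if proto != GRE_PROTO:
        raise ValueError(f"delivery protocol {proto} is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    if flags & 0x8000:          # C bit: 2-byte checksum + 2 reserved bytes follow
        offset += 4
    if flags & 0x2000:          # K bit: 4-byte key (RFC 2890)
        offset += 4
    if flags & 0x1000:          # S bit: 4-byte sequence number (RFC 2890)
        offset += 4
    if offset > total_len:
        raise ValueError("GRE optional fields overrun the packet")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto_type": proto_type,
        "payload": packet[offset:total_len],   # the original passenger packet, trailer ignored
    }


if __name__ == "__main__":
    passenger = b"constructed X protocol packet"   # stands in for the packet from Group 1
    frame = gre_encapsulate(passenger, GRE_TYPE_IPV4, "1.1.1.1", "2.1.1.1")
    print(frame.hex())
    print(gre_decapsulate(frame))
```

Because the delivery header is plain IPv4 with protocol 47, anything on the path between the two switches can read the passenger packet; GRE hides nothing. Where the inner traffic needs confidentiality, the GRE tunnel has to be carried over an encrypted transport, and on the receiving side a check like the one in gre_decapsulate is the minimum filtering a tunnel endpoint should do on the outer header before trusting the inner packet.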
• Local tunnel interfaces using the same encapsulation protocol must not have the same tunnel source and destination addresses.
• You can use the following methods to configure a route to a destination over the GRE tunnel:
  Configure a static route, using the destination address of the original packet as the destination address of the route and the address of the peer tunnel interface as the next hop.
Step: Configure a source address or source interface for the tunnel interface.
Command: source { ip-address | interface-type interface-number }
Remarks: By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a tunnel interface, the tunnel interface uses the source address as the source address of the...
Configuring a GRE over IPv6 tunnel
Follow these guidelines when you configure a GRE over IPv6 tunnel:
• You must configure the tunnel source address and destination address at both ends of a tunnel, and the tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
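The tunnel guidelines repeated for each tunnel type (the local destination must be the peer's source and vice versa; two local tunnel interfaces using the same encapsulation protocol must not share a source and destination pair; source and destination must belong to the address family the tunnel encapsulates in) are easy to get wrong across several switches and cheap to check mechanically. The following Python is an added example, not part of the HP guide: it audits a list of tunnel definitions collected from several devices and reports each violation. The mode labels (gre-over-ipv4, ipv6-over-ipv4, and so on) are this example's own and are not the switch CLI keywords; the device names, interface names and addresses in SAMPLE are constructed, and the mismatches in it are deliberate.

```python
from dataclasses import dataclass
import ipaddress

# Which IP family the delivery (outer) header of each tunnel mode uses.
# Labels are this example's own, not the switch CLI keywords.
OUTER_FAMILY = {"gre-over-ipv4": 4, "gre-over-ipv6": 6,
                "ipv6-over-ipv4": 4, "ipv4-over-ipv4": 4, "ipv6-over-ipv6": 6}


@dataclass(frozen=True)
class Tunnel:
    device: str
    name: str
    mode: str
    source: str       # tunnel source address (the primary address of the source interface)
    destination: str  # tunnel destination address


@dataclass(frozen=True)
class Finding:
    kind: str
    device: str
    name: str
    detail: str


def audit(tunnels: list) -> list:
    """Check every tunnel against the guide's consistency rules; return a list of Findings."""
    findings = []
    seen = {}
    for t in tunnels:
        family = OUTER_FAMILY.get(t.mode)
        if family is None:
            findings.append(Finding("unknown-mode", t.device, t.name, t.mode))
            continue
        # Rule 1: both endpoints must be valid addresses of the family the mode encapsulates in.
        try:
            versions = {ipaddress.ip_address(t.source).version,
                        ipaddress.ip_address(t.destination).version}
        except ValueError as exc:
            findings.append(Finding("bad-address", t.device, t.name, str(exc)))
            continue
        if versions != {family}:
            findings.append(Finding("family-mismatch", t.device, t.name,
                                    f"{t.mode} needs IPv{family} source and destination"))
            continue
        # Rule 2: on one device, tunnels of the same encapsulation protocol need distinct pairs.
        key = (t.device, t.mode, t.source, t.destination)
        if key in seen:
            findings.append(Finding("duplicate-endpoints", t.device, t.name,
                                    f"same source/destination as {seen[key]}"))
        else:
            seen[key] = t.name
        # Rule 3: the local destination must be the peer's source, and the peer must point back.
        peers = [p for p in tunnels
                 if p.device != t.device and p.mode == t.mode and p.source == t.destination]
        if not peers:
            findings.append(Finding("no-peer", t.device, t.name,
                                    f"no {t.mode} tunnel on another device uses {t.destination} as source"))
        for p in peers:
            if p.destination != t.source:
                findings.append(Finding("peer-mismatch", t.device, t.name,
                                        f"{p.device} {p.name} points to {p.destination}, not {t.source}"))
    return findings


# Constructed sample: one correct pair plus deliberate errors.
SAMPLE = [
    Tunnel("SwitchA", "Tunnel1", "gre-over-ipv4", "1.1.1.1", "2.2.2.2"),
    Tunnel("SwitchB", "Tunnel1", "gre-over-ipv4", "2.2.2.2", "1.1.1.1"),      # correct peer of the above
    Tunnel("SwitchA", "Tunnel2", "gre-over-ipv4", "1.1.1.1", "2.2.2.2"),      # duplicates Tunnel1
    Tunnel("SwitchA", "Tunnel3", "ipv6-over-ipv4", "1.1.1.1", "3.3.3.3"),
    Tunnel("SwitchC", "Tunnel0", "ipv6-over-ipv4", "3.3.3.3", "1.1.1.9"),     # points back to the wrong address
    Tunnel("SwitchC", "Tunnel1", "gre-over-ipv6", "2001:db8::1", "4.4.4.4"),  # IPv4 destination on an IPv6 tunnel
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.kind:20} {f.device} {f.name}: {f.detail}")
```

Running the block reports four findings for SAMPLE (a duplicate pair on Switch A, a peer mismatch, a tunnel with no peer, and an address-family mismatch) and nothing for the first two entries alone. The rule about the tunnel interface's own IPv6 address and subnet, which is cut off in the guidelines above, is not modelled here.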
Step: Configure a source IPv6 address or source interface for...
Command: source { ipv6-address | ...
Remarks: By default, no source IPv6 address or interface is configured for a tunnel interface. If you configure a source IPv6 address for a tunnel interface, the tunnel interface uses the source IPv6 address as the source IPv6 address of the encapsulated...
Task: Display information about tunnel interfaces.
Command: display interface [ tunnel [ number ] ] [ brief ]
Remarks: For more information about this command, see Layer 3—IP Services Command Reference.
Task: Display IPv6 information about tunnel interface.
Command: display ipv6 interface [ tunnel...
Remarks: For more information about this command, see Layer 3—IP Services...
# Create service loopback group 1, and configure the service type as tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Add port Ten-GigabitEthernet 1/0/3 to service loopback group 1.
[SwitchA] interface Ten-GigabitEthernet 1/0/3
[SwitchA-Ten-GigabitEthernet1/0/3] port service-loopback group 1
[SwitchA-Ten-GigabitEthernet1/0/3] quit
# Create a tunnel interface Tunnel1, and specify the tunnel mode as GRE over IPv4.
# Configure the source address of the tunnel interface as the IP address of VLAN-interface 101 on Switch B.
[SwitchB-Tunnel1] source vlan-interface 101
# Configure the destination address of the tunnel interface as the IP address of VLAN-interface 101 on Switch A.
[SwitchB-Tunnel1] destination 1.1.1.1
[SwitchB-Tunnel1] quit
# Configure a static route from Switch B through the tunnel interface to Group 1.
# From Switch B, ping the IP address of VLAN-interface 100 on Switch A.
[SwitchB] ping -a 10.1.3.1 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes
56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=11.000 ms
56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms...
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ipv6 address 2002::1:1 64
[SwitchA-Vlan-interface101] quit
# Create service loopback group 1, and configure the service type as tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Add port Ten-GigabitEthernet 1/0/3 to service loopback group 1.
[SwitchA] interface Ten-GigabitEthernet 1/0/3
[SwitchA-Ten-GigabitEthernet1/0/3] port service-loopback group 1
[SwitchA-Ten-GigabitEthernet1/0/3] quit...
# Configure an IP address for the tunnel interface.
[SwitchB-Tunnel0] ip address 10.1.2.2 255.255.255.0
# Configure the source address of the tunnel interface as the IPv6 address of VLAN-interface 101 on Switch B.
[SwitchB-Tunnel0] source 2001::2:1
# Configure the destination address of the tunnel interface as the IPv6 address of VLAN-interface 101 on Switch A.
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes, 0 drops
# From Switch B, ping the IP address of VLAN-interface 100 on Switch A.
[SwitchB] ping -a 10.1.3.1 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes
56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms...
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
For related documentation, navigate to the Networking section, and select a networking category.
• ...
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic. Description: Italic text represents arguments that you replace with actual values.
Convention: Square brackets. Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ... Description: Braces enclose a set of required syntax choices separated by vertical bars, from which...
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.