Page of 179
Download Table of ContentsContents Print This PagePrint Bookmark
HP A5120 EI Switch Series
Layer 3 - IP Services
Abstract
This document describes the software features for the HP A Series products and guides you through the
software configuration procedures. These configuration guides also provide configuration examples to
help you apply software features to different network scenarios.
This documentation is intended for network planners, field technical support and servicing engineers, and
network administrators working with the HP A Series products.
Part number: 5998-1795
Software version: Release 2208
Document version: 5W100-20110530

Advertising

   Related Manuals for HP A5120 EI Series

   Summary of Contents for HP A5120 EI Series

  • Page 1: Configuration Guide

    Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...

  • Page 3: Table Of Contents

    Contents ARP configuration ···························································································································································· 1 ARP overview ····································································································································································· 1 ARP function ······························································································································································ 1 ARP message format ················································································································································ 1 Operation of ARP ····················································································································································· 2 ARP table ··································································································································································· 3 Configuring ARP ································································································································································ 3 Configuring a static ARP entry ································································································································ 3 Configuring the maximum number of dynamic ARP entries for an interface ····················································· 4 Setting the age timer for dynamic ARP entries ······································································································...

  • Page 4: Table Of Contents

    Protocols and standards ················································································································································ 28 DHCP server configuration ··········································································································································· 30 Introduction to DHCP server ·········································································································································· 30 Application environment ······································································································································· 30 DHCP address pool··············································································································································· 30 IP address allocation sequence···························································································································· 31 DHCP server configuration task list ······························································································································ 31 Configuring an address pool for the DHCP server····································································································· 32 Configuration task list ···········································································································································...

  • Page 5: Table Of Contents

    Displaying and maintaining the DHCP relay agent ··································································································· 58 DHCP relay agent configuration examples ················································································································· 59 DHCP relay agent configuration example ·········································································································· 59 DHCP relay agent Option 82 support configuration example········································································· 60 Troubleshooting DHCP relay agent configuration ······································································································ 61 DHCP client configuration ············································································································································· 62 Introduction to DHCP client ···········································································································································...

  • Page 6: Table Of Contents

    IPv6 DNS configuration ················································································································································ 90 Introduction to IPv6 DNS ··············································································································································· 90 Configuring the IPv6 DNS client ·································································································································· 90 Configuring static domain name resolution········································································································ 90 Configuring dynamic domain name resolution ·································································································· 90 Displaying and maintaining IPv6 DNS ························································································································ 91 IPv6 DNS configuration examples ······························································································································· 91 Static domain name resolution configuration example ·····················································································...

  • Page 7: Table Of Contents

    Configuring parameters related to RA messages ···························································································· 126 Configuring the maximum number of attempts to send an NS message for DAD ······································· 128 Setting the age timer for ND entries ·················································································································· 129 Configuring ND snooping ·································································································································· 129 Enabling ND proxy ············································································································································· 130 Configuring PMTU discovery ······································································································································...

  • Page 8: Table Of Contents

    Displaying and maintaining DHCPv6 snooping ······································································································· 164 DHCPv6 snooping configuration example ················································································································ 164 Network requirements ········································································································································· 164 Configuration procedure ···································································································································· 165 Support and other resources ····································································································································· 166 Contacting HP ······························································································································································ 166 Subscription service ············································································································································ 166 Related information ······················································································································································ 166 Documents ···························································································································································· 166 Websites ······························································································································································ 166 Conventions ··································································································································································...

  • Page 9: Arp Configuration

    ARP configuration ARP overview ARP function The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC address, for example). In an Ethernet LAN, a switch uses ARP to resolve the IP address of the next hop to the corresponding MAC address.

  • Page 10: Operation Of Arp

    Operation of ARP If Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure Host A looks in its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

  • Page 11: Arp Table

    ARP table After obtaining a host’s MAC address, the switch adds the IP-to-MAC mapping to its own ARP table. This mapping is used for forwarding packets with the same destination in the future. An ARP table contains dynamic and static ARP entries. Dynamic ARP entry A dynamic entry is automatically created and maintained by ARP.

  • Page 12: Configuring The Maximum Number Of Dynamic Arp Entries For An Interface

    To do… Use the command… Remarks Required arp static ip-address mac-address Configure a long static vlan-id interface-type interface- No long static ARP entry is configured by ARP entry number default. Required Configure a short static arp static ip-address mac-address No short static ARP entry is configured by ARP entry default.

  • Page 13: Enabling Dynamic Arp Entry Check

    Enabling dynamic ARP entry check The dynamic ARP entry check function controls whether the switch supports dynamic ARP entries with multicast MAC addresses. When dynamic ARP entry check is enabled, the switch cannot learn dynamic ARP entries containing multicast MAC addresses. When dynamic ARP entry check is disabled, the switch can learn dynamic ARP entries containing multicast MAC addresses.

  • Page 14: Displaying And Maintaining Arp

    NOTE: HP recommends enabling ARP quick update in WLANs only. Displaying and maintaining ARP To do… Use the command… Remarks display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface Display ARP entries in the ARP...

  • Page 15

    Figure 4 Network diagram for configuring static ARP entries Router 192.168.1.1/24 00e0-fc01-0000 GE1/0/1 VLAN 10 Switch Configuration procedure Configure the switch # Create VLAN 10. <Switch> system-view [Switch] vlan 10 [Switch-vlan10] quit # Add interface GigabitEthernet 1/0/1 to VLAN 10. [Switch] interface GigabitEthernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type trunk [Switch-GigabitEthernet1/0/1] port trunk permit vlan 10...

  • Page 16: Gratuitous Arp Configuration

    Gratuitous ARP configuration Introduction to gratuitous ARP In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the switch issuing the packet, the sender MAC address is the MAC address of the switch, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.

  • Page 17

    To do… Use the command… Remarks Enter system view system-view — Optional Enable learning of gratuitous ARP gratuitous-arp-learning enable packets Enabled by default. Required Enable the switch to send By default, the switch does not gratuitous ARP packets upon gratuitous-arp-sending enable send gratuitous ARP packets upon receiving ARP requests from receiving ARP requests from...

  • Page 18: Proxy Arp Configuration

    Proxy ARP configuration Proxy ARP overview Proxy ARP includes common proxy ARP and local proxy ARP. Common proxy ARP allows communication when a sending host considers the receiving host to be  on the same subnet, but the receiving host actually resides on a different subnet. ...

  • Page 19: Local Proxy Arp

    Local Proxy ARP As shown in Figure 6, Host A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects to GigabitEthernet 1/0/3 while Host B connects to GigabitEthernet 1/0/1. Enable local proxy ARP on switch A to allow Layer 3 communication between the two hosts.

  • Page 20: Displaying And Maintaining Proxy Arp

    Displaying and maintaining proxy ARP To do… Use the command… Remarks display proxy-arp [ interface interface-type Display whether proxy ARP is interface-number ] [ | { begin | exclude | Available in any view enabled include } regular-expression ] display local-proxy-arp [ interface Display whether local proxy ARP interface-type interface-number ] [ | { Available in any view...

  • Page 21: Local Proxy Arp Configuration Example In Case Of Port Isolation

    # Specify the IP address of interface VLAN-interface 1. [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.10.99 255.255.255.0 # Enable proxy ARP on interface VLAN-interface 1. [Switch-Vlan-interface1] proxy-arp enable [Switch-Vlan-interface1] quit # Specify the IP address of interface VLAN-interface 2. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0 # Enable proxy ARP on interface VLAN-interface 2.

  • Page 22: Local Proxy Arp Configuration Example In Isolate-user-vlan

    [SwitchB-vlan2] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port-isolate enable [SwitchB-GigabitEthernet1/0/2] quit [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] port-isolate enable [SwitchB-GigabitEthernet1/0/3] quit Configure Switch A # Create VLAN 2, and add GigabitEthernet 1/0/2 to VLAN 2. <SwitchA> system-view [SwitchA] vlan 2 [SwitchA-vlan2] port GigabitEthernet 1/0/2 [SwitchA-vlan2] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0...

  • Page 23

    Figure 9 Network diagram for configuring local proxy ARP configuration in isolate-user-VLAN Switch A GE1/0/2 VLAN 5 Vlan-int5 192.168.10.100/16 Isolate-user-vlan 5 Secondary VLAN 2 and 3 GE1/0/2 VLAN 5 GE1/0/3 VLAN 2 GE1/0/1 VLAN 3 Host B Host A Switch B 192.168.10.99/16 192.168.10.200/16 Configuration procedure...

  • Page 24

    From Host A, ping Host B. The ping operation is successful after the configuration.

  • Page 25: Ip Addressing Configuration

    IP addressing configuration IP addressing overview IP address classes IP addressing uses a 32-bit address to identify each host on a network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, address 00001000000000010000000100000001 in binary is written as 10.1.1.1.

  • Page 26: Special Ip Addresses

    Class Address range Remarks 240.0.0.0 to Reserved for future use except for the broadcast address 255.255.255.255 255.255.255.255. Special IP addresses The following IP addresses are for special use, so they cannot be used as host IP addresses. IP address with an all-zero net ID: Identifies a host on the local network. For example, IP address ...

  • Page 27: Configuring Ip Addresses

    Configuring IP addresses An interface must have an IP address to communicate with other hosts. You can manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP or DHCP. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous one.

  • Page 28

    Set the primary IP address of VLAN-interface 1 as the gateway address of the hosts on subnet  172.16.1.0/24. Set the secondary IP address of VLAN-interface 1 as the gateway address of the hosts on subnet  172.16.2.0/24. Figure 12 Network diagram for IP addressing configuration 172.16.1.0/24 Switch Host B...

  • Page 29: Displaying And Maintaining Ip Addressing

    <Switch> ping 172.16.2.2 PING 172.16.2.2: 56 data bytes, press CTRL_C to break Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms --- 172.16.2.2 ping statistics --- 5 packet(s) transmitted...

  • Page 30: Dhcp Overview

    DHCP overview Introduction to DHCP The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. It uses the client/server model. A typical DHCP application, as shown in Figure 13, includes a DHCP server and multiple clients (PCs and laptops).

  • Page 31: Dynamic Ip Address Allocation Process

    Dynamic IP address allocation process Figure 14 Dynamic IP address allocation process DHCP client DHCP server (1) DHCP-DISCOVER (2) DHCP-OFFER (3) DHCP-REQUEST (4) DHCP-ACK The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters, such as an IP address, to the client in a DHCP- OFFER message.

  • Page 32: Dhcp Message Format

    DHCP message format Figure 15 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Despite the name ―option‖, some of the parameters in the Options field are required for basic DHCP functionality.

  • Page 33: Dhcp Options

    DHCP options Overview DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 16 shows the DHCP option format. Figure 16 DHCP option format Option type Option length Value (variable)

  • Page 34

    Vendor-specific option (Option 43) DHCP servers and clients use Option 43 to exchange vendor-specific configuration information. The client sends a request with Option 43, including a vendor string that identifies a vendor. Upon receiving the request, the DHCP server refers to the vendor-specific options table, and returns a response message with Option 43 to assign the appropriate vendor-specific information to the DHCP client.

  • Page 35

     Figure 19 shows the format of the value field of the PXE server address sub-option. The value of the PXE server type can only be 0. The server number field indicates the number of PXE servers contained in the sub-option. The server IP addresses field contains the IP addresses of the PXE servers.

  • Page 36: Protocols And Standards

    Figure 21 Sub-option 2 in normal padding format Sub-option type (0x02) Length (0x08) Remote ID type (0x00) Length (0x06) MAC Address Verbose padding format Sub-option 1: Padded with the user-specified access node identifier (ID of the switch that adds  Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client’s request.

  • Page 37

     RFC 2132, DHCP Options and BOOTP Vendor Extensions  RFC 1542, Clarifications and Extensions for the Bootstrap Protocol  RFC 3046, DHCP Relay Agent Information Option  RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4...

  • Page 38: Dhcp Server Configuration

    DHCP server configuration NOTE: The DHCP server configuration is supported only on VLAN interfaces, and loopback interfaces. The secondary IP address pool configuration is not supported on loopback interfaces. Introduction to DHCP server Application environment The DHCP server is well suited to networks where: ...

  • Page 39: Ip Address Allocation Sequence

    Principles for selecting an address pool The DHCP server observes the following principles to select an address pool when assigning an IP address to a client: If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client.

  • Page 40: Configuring An Address Pool For The Dhcp Server

    Task Remarks Configuring an address pool for the DHCP server Required Enabling DHCP Required Enabling the DHCP server on an interface Required Required by the extended address pool configuration Applying an extended address pool on an interface When configuring a common address pool, ignore this task.

  • Page 41: Configuring An Address Allocation Mode For A Common Address Pool

    To do… Use the command… Remarks Enter system view system-view — Required Create a DHCP address pool and dhcp server ip-pool pool-name No DHCP address pool is created by enter its view [ extended ] default. NOTE: A common address pool and an extended address pool are different in address allocation mode configuration.

  • Page 42

    To do… Use the command… Remarks Specify the MAC static-bind mac-address mac- Required to configure either of Specify the address address the two MAC address Neither is bound statically by static-bind client-identifier client- or client ID Specify the client ID default.

  • Page 43: Configuring Dynamic Address Allocation For An Extended Address Pool

    To do… Use the command… Remarks Optional Except IP addresses of the DHCP Exclude IP addresses from dhcp server forbidden-ip low-ip- server interfaces, all addresses in automatic allocation address [ high-ip-address ] the DHCP address pool are assignable by default. NOTE: ...

  • Page 44: Configuring A Domain Name Suffix For The Client

    NOTE: Excluded IP addresses specified with the forbidden-ip command in DHCP address pool view are not assignable in the current extended address pool, but are assignable in other address pools. Configuring a domain name suffix for the client You can specify a domain name suffix in each DHCP address pool on the DHCP server to provide the clients with the domain name suffix.

  • Page 45: Configuring Bims Server Information For The Client

     p (peer-to-peer)-node: The p-node client sends the destination name in a unicast message to the WINS server, and the WINS server returns the destination IP address. m (mixed)-node: A combination of broadcast first and peer-to-peer second. The m-node client first ...

  • Page 46: Configuring Option 184 Parameters For The Client With Voice Service

    To do… Use the command… Remarks dhcp server ip-pool pool-name [ Enter DHCP address pool view — extended ] Required Specify gateways gateway-list ip-address&<1-8> No gateway is specified by default. Configuring Option 184 parameters for the client with voice service To assign voice calling parameters along with an IP address to DHCP clients with voice service, you must configure Option 184 on the DHCP server.

  • Page 47: Configuring Self-defined Dhcp Options

    When a router starts up without loading any configuration file, the system sets an active interface (such as the interface of the default VLAN) as the DHCP client to request from the DHCP server for parameters, such as an IP address and name of a TFTP server, and the bootfile name. After getting related parameters, the DHCP client will send a TFTP request to obtain the configuration file from the specified TFTP server for system initialization.

  • Page 48: Enabling Dhcp

    Table 2 Description of common options Option Option name Corresponding command Command parameter Router Option gateway-list ip-address Domain Name Server Option dns-list ip-address Domain Name domain-name ascii NetBIOS over TCP/IP Name nbns-list ip-address Server Option NetBIOS over TCP/IP Node netbios-type Type Option TFTP server name tftp-server...

  • Page 49: Applying An Extended Address Pool On An Interface

    NOTE: If a DHCP relay agent exists between the DHCP server and client, the DHCP server, regardless of whether the subaddress keyword is used, will select an IP address from the address pool containing the primary IP address of the DHCP relay agent’s interface (connected to the client) for a requesting client. When the DHCP server and client are on the same subnet: ...

  • Page 50: Enabling Unauthorized Dhcp Server Detection

    Enabling unauthorized DHCP server detection Unauthorized DHCP servers on a network may assign wrong IP addresses to DHCP clients. With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request contains Option 54 (Server Identifier Option). If yes, the DHCP server records the IP address of each detected DHCP server that assigned an IP address to a requesting DHCP client.

  • Page 51: Specifying The Threshold For Sending Trap Messages

    Configuration prerequisites Before performing this configuration, complete the following configuration on the DHCP server:  Enable DHCP. Configure the DHCP address pool.  Enable Option 82 handling Follow these steps to enable the DHCP server to handle Option 82: To do… Use the command…...

  • Page 52: Displaying And Maintaining The Dhcp Server

    Displaying and maintaining the DHCP server To do… Use the command… Remarks display dhcp server conflict { all | ip ip- Display information about IP address } [ | { begin | exclude | include } Available in any view address conflicts regular-expression ] display dhcp server expired { all | ip ip-...

  • Page 53: Static Ip Address Assignment Configuration Example

    Static IP address assignment configuration example Network requirements As shown in Figure 23, Switch B (DHCP client) and Switch C (BOOTP client) obtain the static IP address, DNS server address, and gateway address from Switch A (DHCP server). The client ID of VLAN-interface 2 on Switch B is 3030-3066-2e65-3234-392e-3830-3530-2d56-6c61- 6e2d-696e-7465-7266-6163-6532.

  • Page 54: Dynamic Ip Address Assignment Configuration Example

    [SwitchA-dhcp-pool-1] static-bind mac-address 000f-e249-8050 [SwitchA-dhcp-pool-1] dns-list 10.1.1.2 [SwitchA-dhcp-pool-1] gateway-list 10.1.1.126 Verification Switch B can obtain IP address 10.1.1.5 and other network parameters, and Switch C can obtain IP address 10.1.1.6 and other network parameters from Switch A. You can use the display dhcp server ip-in- use command on the DHCP server to view the IP addresses assigned to the clients.

  • Page 55: Self-defined Option Configuration Example

    # Enable DHCP. <SwitchA> system-view [SwitchA] dhcp enable # Enable the DHCP server on VLAN-interface 1 and VLAN-interface 2. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] dhcp select server global-pool [SwitchA-Vlan-interface1] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] dhcp select server global-pool [SwitchA-Vlan-interface2] quit # Exclude IP addresses (addresses of the DNS server, WINS server and gateways).

  • Page 56: Troubleshooting Dhcp Server Configuration

    The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a self-defined option. The format of Option 43 and that of the PXE server address sub-option are shown in Figure 17 Figure 19, respectively. The value of Option 43 configured on the DHCP server in this example is 80 0B 00 00 02 01 02 03 04 02 02 02 02.

  • Page 57

    If a ping response is received, the IP address has been manually configured on the host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation. Enable the network adapter or connect the network cable. Release the IP address and obtain another one on the client.

  • Page 58: Dhcp Relay Agent Configuration

    DHCP relay agent configuration NOTE: The DHCP relay agent configuration is supported only on VLAN interfaces. Introduction to DHCP relay agent Application environment Via a relay agent, DHCP clients can communicate with a DHCP server on another subnet to obtain configuration parameters.

  • Page 59: Dhcp Relay Agent Support For Option 82

    Figure 27 DHCP relay agent work process DHCP client DHCP relay agent DHCP server DHCP-DISCOVER DHCP-DISCOVER (broadcast) (unicast) DHCP-OFFER (unicast) DHCP-OFFER DHCP-REQUEST DHCP-REQUEST (broadcast) (unicast) DHCP-ACK DHCP-ACK (unicast) After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.

  • Page 60: Dhcp Relay Agent Configuration Task List

    If a client’s Handling requesting Padding format The DHCP relay agent will… strategy message has… Forward the message after adding the — normal Option 82 padded in normal format. Forward the message after adding the no Option 82 — verbose Option 82 padded in verbose format.

  • Page 61: Correlating A Dhcp Server Group With A Relay Agent Interface

    To do… Use the command… Remarks interface interface-type interface- Enter interface view — number Required Enable the DHCP relay agent on dhcp select relay With DHCP enabled, interfaces the current interface work in the DHCP server mode. NOTE: The IP address pool containing the IP address of the DHCP relay agent enabled interface must be configured on the DHCP server.

  • Page 62: Configuring The Dhcp Relay Agent Security Functions

    Configuring the DHCP relay agent security functions Creating static bindings and enabling address check To avoid invalid IP address configuration, you can configure the DHCP relay agent to check whether a requesting client’s IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent. With this feature enabled, the DHCP relay agent can dynamically record clients’...

  • Page 63

     If the IP address is no longer in use, the server either returns a DHCP-ACK message or does not return any message within the specified interval, and the DHCP relay agent ages out the client entry. When receiving the DHCP-ACK message, the DHCP relay agent sends a DHCP-RELEASE message to release the IP address.

  • Page 64: Enabling Offline Detection

    address field of the frame. If they are the same, the DHCP relay agent decides this request as valid and forwards it to the DHCP server; if not, the DHCP request is discarded. Follow these steps to enable MAC address check: To do…...

  • Page 65: Configuring The Dhcp Relay Agent To Support Option 82

    Follow these steps to configure the DHCP relay agent to release an IP address: To do… Use the command… Remarks Enter system view system-view — Configure the DHCP relay agent to release an dhcp relay release ip client-ip Required IP address CAUTION: ...

  • Page 66: Displaying And Maintaining The Dhcp Relay Agent

    To do… Use the command… Remarks Optional By default, the code type depends on the padding format Configure the code dhcp relay information of Option 82. Each field has its type for the circuit circuit-id format-type { ascii | own code type. ID sub-option hex } The code type configuration...

  • Page 67: Dhcp Relay Agent Configuration Examples

    To do… Use the command… Remarks display dhcp relay security statistics [ | { Display statistics information about Available in any begin | exclude | include } regular- bindings of DHCP relay agents view expression ] Display information about the display dhcp relay security tracker [ | { Available in any refreshing interval for entries of...

  • Page 68: Dhcp Relay Agent Option 82 Support Configuration Example

    [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] dhcp select relay # Correlate VLAN-interface 1 to DHCP server group 1. [SwitchA-Vlan-interface1] dhcp relay server-select 1 Verification DHCP clients can obtain IP addresses and other network parameters through the DHCP relay agent from...

  • Page 69: Troubleshooting Dhcp Relay Agent Configuration

    # Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations. [SwitchA-Vlan-interface1] dhcp relay information enable [SwitchA-Vlan-interface1] dhcp relay information strategy replace [SwitchA-Vlan-interface1] dhcp relay information circuit-id string company001 [SwitchA-Vlan-interface1] dhcp relay information remote-id string device001 NOTE: Configurations on the DHCP server are also required to make the Option 82 configurations function normally.

  • Page 70: Dhcp Client Configuration

    DHCP client configuration NOTE:  The DHCP client configuration is supported only on VLAN interfaces.  When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003. Introduction to DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters, such as an IP address, from the DHCP server.

  • Page 71: Dhcp Client Configuration Example

    DHCP client configuration example Network requirements As shown in Figure 29, on a LAN, Switch B contacts the DHCP server via VLAN-interface 2 to obtain an IP address, DNS server address, and static route information. The IP address resides on network 10.1.1.0/24.

  • Page 72

    <SwitchB> system-view [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address dhcp-alloc Verification # Use the display dhcp client command to view the IP address and other network parameters assigned to Switch B. [SwitchB-Vlan-interface2] display dhcp client verbose Vlan-interface2 DHCP client information: Current machine state: BOUND Allocated IP: 10.1.1.3 255.255.255.0 Allocated lease: 864000 seconds, T1: 432000 seconds, T2: 756000 seconds...

  • Page 73: Dhcp Snooping Configuration

    DHCP snooping configuration NOTE: The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server. DHCP snooping overview Functions of DHCP snooping DHCP snooping is a security feature with the following uses:...

  • Page 74: Application Environment Of Trusted Ports

    Application environment of trusted ports Configuring a trusted port connected to a DHCP server Figure 30 Configure trusted and untrusted ports DHCP server Trusted DHCP snooping Untrusted Untrusted DHCP client Unauthorized DHCP server DHCP reply messages As shown in Figure 30, the trusted port forwards reply messages from the DHCP server to the client, but the untrusted port connected to the unauthorized DHCP server cannot forward any reply messages.

  • Page 75: Dhcp Snooping Support For Option 82

    Table 4 describes roles of the ports shown in Figure Table 4 Roles of ports Trusted port disabled from Trusted port enabled to Device Untrusted port recording binding entries record binding entries Switch A GigabitEthernet 1/0/1 GigabitEthernet 1/0/3 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3 and Switch B GigabitEthernet 1/0/1...

  • Page 76: Dhcp Snooping Configuration Task List

    NOTE: The handling strategy and padding format for Option 82 on the DHCP snooping switch are the same as those on the relay agent. DHCP snooping configuration task list Complete the following tasks to configure DHCP snooping: Task Remarks Configuring DHCP snooping basic functions Required Configuring DHCP snooping to support Option 82 Optional...

  • Page 77: Configuring Dhcp Snooping To Support Option 82

    NOTE:  You must specify the ports connected to the authorized DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. ...

  • Page 78: Configuring Dhcp Snooping Entries Backup

    To do… Use the command… Remarks Optional Configure the By default, the padding content dhcp-snooping information [ vlan vlan-id padding content for the circuit ID ] circuit-id string circuit-id depends on the sub-option padding format of Configure user- Option 82. defined Option Optional Configure the...

  • Page 79: Enabling Dhcp Starvation Attack Protection

    To do… Use the command… Remarks Required Not specified by default. DHCP snooping entries are stored Specify the name of the file for dhcp-snooping binding immediately after this command is storing DHCP snooping entries database filename filename used and then updated at the interval set by the dhcp-snooping binding database update interval command.

  • Page 80: Enabling Dhcp-request Message Attack Protection

    NOTE: You can enable MAC address check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. Enabling DHCP-REQUEST message attack protection Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses.

  • Page 81: Displaying And Maintaining Dhcp Snooping

    To do… Use the command… Remarks Configure the maximum Required rate of incoming DHCP dhcp-snooping rate-limit rate Not configured by default. packets NOTE:  You can configure DHCP packet rate limit only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. ...

  • Page 82: Dhcp Snooping Option 82 Support Configuration Example

    Figure 32 Network diagram for DHCP snooping configuration Switch A DHCP server GE1/0/1 Switch B DHCP snooping GE1/0/3 GE1/0/2 DHCP client DHCP client Configuration procedure # Enable DHCP snooping. <SwitchB> system-view [SwitchB] dhcp-snooping # Specify GigabitEthernet 1/0/1 as trusted. [SwitchB] interface GigabitEthernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/1] quit DHCP snooping Option 82 support configuration example...

  • Page 83

    [SwitchB-GigabitEthernet1/0/2] dhcp-snooping information circuit-id string company001 [SwitchB-GigabitEthernet1/0/2] dhcp-snooping information remote-id string device001 [SwitchB-GigabitEthernet1/0/2] quit # Configure GigabitEthernet 1/0/3 to support Option 82. [SwitchB] interface GigabitEthernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information enable [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information strategy replace [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information format verbose node-identifier sysname [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information circuit-id format-type ascii [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information remote-id format-type ascii...

  • Page 84: Bootp Client Configuration

    BOOTP client configuration NOTE:  BOOTP client configuration only applies to VLAN interfaces.  If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003. Introduction to BOOTP client BOOTP application After you specify an interface of switch as a BOOTP client, the interface can use BOOTP to get...

  • Page 85: Configuring An Interface To Dynamically Obtain An Ip Address Through Bootp

     RFC 1542, Clarifications and Extensions for the Bootstrap Protocol Configuring an interface to dynamically obtain an IP address through BOOTP Follow these steps to configure an interface to dynamically obtain an IP address: To do… Use the command… Remarks Enter system view system-view —...

  • Page 86: Ipv4 Dns Configuration

    IPv4 DNS configuration DNS overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static and dynamic.

  • Page 87: Dns Proxy

    Figure 33 shows the relationship between the user program, DNS client, and DNS server. The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store latest mappings between domain names and IP addresses in the dynamic domain name cache.

  • Page 88: Dns Spoofing

    Figure 34 DNS proxy networking application DNS client DNS proxy IP network DNS server DNS client DNS client Operation of a DNS proxy A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy.

  • Page 89: Configuring The Ipv4 Dns Client

     The device connects to the PSTN/ISDN network through a dial-up interface and triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface. The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up ...

  • Page 90: Configuring Dynamic Domain Name Resolution

    To do… Use the command… Remarks Enter system view system-view –– Required Configure a mapping between a host ip host hostname ip-address name and an IPv4 address Not configured by default. NOTE:  The IPv4 address you last assign to the host name overwrites the previous one, if there is any. ...

  • Page 91: Configuring The Dns Proxy

    Configuring the DNS proxy Follow these steps to configure the DNS proxy: To do… Use the command… Remarks Enter system view system-view — Required Enable DNS proxy dns proxy enable Disabled by default. System view dns server ip-address Required Configure the DNS server in at interface interface-type interface- Specify a DNS least one view.

  • Page 92: Ipv4 Dns Configuration Examples

    To do… Use the command… Remarks display dns server [ dynamic ] [ | { begin | Display IPv4 DNS server information Available in any view exclude | include } regular-expression ] display dns domain [ dynamic ] [ | { begin Display DNS suffixes Available in any view | exclude | include } regular-expression ]...

  • Page 93: Dynamic Domain Name Resolution Configuration Example

    0.00% packet loss round-trip min/avg/max = 1/2/4 ms Dynamic domain name resolution configuration example Network requirements As shown in Figure 37, the device wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution.

  • Page 94

    Figure 38 Create a zone # Create a mapping between host name and IP address. Figure 39 Add a host Figure 39, right click zone com, and then select New Host to bring up a dialog box as shown in Figure 40.

  • Page 95

    Figure 40 Add a mapping between domain name and IP address Configure the DNS client # Enable dynamic domain name resolution. <Sysname> system-view [Sysname] dns resolve # Specify the DNS server 2.1.1.2. [Sysname] dns server 2.1.1.2 # Configure com as the name suffix. [Sysname] dns domain com Configuration verification # Use the ping host command on the device to verify that the communication between the device and the...

  • Page 96: Dns Proxy Configuration Example

    DNS proxy configuration example Network requirements When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.

  • Page 97: Troubleshooting Ipv4 Dns Configuration

    <DeviceB> system-view [DeviceB] dns resolve # Specify the DNS server 2.1.1.2. [DeviceB] dns server 2.1.1.2 Configuration verification # Execute the ping host.com command on Device B to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1. [DeviceB] ping host.com Trying DNS resolve, press CTRL_C to break Trying DNS server (2.1.1.2)

  • Page 98: Ipv6 Dns Configuration

    IPv6 DNS configuration Introduction to IPv6 DNS IPv6 DNS is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS. For more information, see the chapter ―IPv4 DNS configuration.‖...

  • Page 99: Displaying And Maintaining Ipv6 Dns

    To do… Use the command… Remarks Required Not specified by default. dns server ipv6 ipv6-address [ If the IPv6 address of a DNS server is Specify a DNS server interface-type interface-number ] a link-local address, you need to specify the interface-type and interface-number arguments.

  • Page 100

    Figure 42 Network diagram for static domain name resolution 1::2/64 1::1/64 host.com Device Host Configuration procedure # Configure a mapping between host name host.com and IPv6 address 1::2. <Device> system-view [Device] ipv6 host host.com 1::2 # Enable IPv6 packet forwarding. [Device] ipv6 # Use the ping ipv6 host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.

  • Page 101: Configuration Procedure

    Figure 43 Network diagram of dynamic domain name resolution IP network 2::2/64 2::1/64 3::1/64 1::1/64 host.com Device DNS server Host DNS client Configuration procedure NOTE:  Before performing the following configuration, make sure that the device and the host are accessible to each other via available routes, and the IPv6 addresses of the interfaces are configured as shown Figure ...

  • Page 102

    Figure 45 Create a record Figure 45, select Other New Records to bring up a dialog box as shown in Figure 46. Select IPv6 Host (AAA) as the resource record type.

  • Page 103

    Figure 46 Select the resource record type As shown in Figure 47, type host name host and IPv6 address 1::1, and then click OK.

  • Page 104

    Figure 47 Add a mapping between domain name and IPv6 address Configure the DNS client # Enable dynamic domain name resolution. <Device> system-view [Device] dns resolve # Specify the DNS server 2::2. [Device] dns server ipv6 2::2 # Configure com as the DNS suffix. [Device] dns domain com Configuration verification # Use the ping ipv6 host command on the device to verify that the communication between the device...

  • Page 105

    Reply from 1::1 bytes=56 Sequence=3 hop limit=126 time = 1 ms Reply from 1::1 bytes=56 Sequence=4 hop limit=126 time = 1 ms Reply from 1::1 bytes=56 Sequence=5 hop limit=126 time = 1 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/2 ms...

  • Page 106: Ip Performance Optimization Configuration

    IP performance optimization configuration IP performance optimization overview Use the following configurations to optimize IP performance:  Enabling the switch to receive and forward directed broadcasts  Configuring the TCP send/receive buffer size  Configuring TCP timers  Enabling ICMP error packets sending Enabling reception and forwarding of directed broadcasts to a directly connected network Directed broadcast packets are broadcast on a specific network.

  • Page 107: Configuration Example

    To do… Use the command… Remarks interface interface-type interface- Enter interface view — number Required Enable the interface to forward ip forward-broadcast [ acl acl- directed broadcasts number ] Disabled by default. NOTE:  If an ACL is referenced in the ip forward-broadcast command, only packets permitted by the ACL can be forwarded.

  • Page 108: Configuring Tcp Attributes

    Configuring TCP attributes Configuring the TCP send/receive buffer size Follow these steps to configure the TCP send/receive buffer size: To do… Use the command… Remarks Enter system view system-view — Optional Configure the size of TCP tcp window window-size send/receive buffer 8 KB by default.

  • Page 109

    Advantages of sending ICMP error packets ICMP error packets include redirect, timeout, and destination unreachable packets. Sending ICMP redirect packets A host may have only a default route to the default gateway in its routing table after startup. If the following conditions are satisfied, the default gateway will send ICMP redirect packets to the source host, telling it to reselect a correct next hop to send the subsequent packets: The receiving and forwarding interfaces are the same.

  • Page 110: Configuration Procedure

    If a switch receives a lot of malicious packets that cause it to send ICMP error packets, its  performance is reduced. As the redirection function increases the routing table size of a host, the host’s performance is  reduced if its routing table becomes very large. If an attacker sends abnormal traffic that causes the switch to generate ICMP destination ...

  • Page 111

    To do… Use the command… Remarks display fib [ acl acl-number | ip-prefix ip- Display FIB information prefix-name ] [ | { begin | include | exclude Available in any view } regular-expression ] display fib ip-address [ mask | mask-length ] Display FIB information matching [ | { begin | exclude | include } regular- Available in any view...

  • Page 112: Irdp Configuration

    IRDP configuration IRDP overview As an extension of the Internet Control Message Protocol (ICMP), the ICMP Router Discovery Protocol (IRDP) enables hosts to discover the IP addresses of their neighboring routers and set their default routes. NOTE: The hosts in this document support IRDP. Background Before a host can send packets to another network, it must know the IP address of at least one router on the local subnet.

  • Page 113: Terminology

    This mechanism prevents the local link from being overloaded by a large number of RAs sent simultaneously from routers. HP recommends shortening the advertising interval on a link that suffers high packet loss rates. Destination address of RAs An RA uses either of the following destination IP addresses: Broadcast address 255.255.255.255...

  • Page 114: Irdp Configuration Example

    To do… Use the command… Remarks Required Enable IRDP on the interface ip irdp Disabled by default. Optional The preference defaults to 0. The specified preference applies to all Configure the preference of ip irdp preference advertised IP addresses, including the advertised IP addresses preference-value primary IP address and the manually...

  • Page 115

    Figure 49 Network diagram for IRDP configuration 192.168.1.0/24 Vlan-int100 Internal External 10.154.5.1/24 network network 1 Switch A Host A 192.168.2.0/24 Vlan-int100 External 10.154.5.2/24 network 2 Switch B Host B Configuration procedure Configure Switch A # Specify the IP address for Vlan-interface100. <SwitchA>...

  • Page 116

    After enabling IRDP on Host A and Host B, display the routing table for the hosts (Host A for example). [HostA@localhost ~]$ netstat -rne Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.154.5.0 0.0.0.0 255.255.255.0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0...

  • Page 117: Udp Helper Configuration

    UDP Helper configuration NOTE: UDP Helper can be configured on VLAN interfaces only. Introduction to UDP Helper UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server. This is helpful when a host cannot obtain network configuration information or request device names through broadcasting because the server or host to be requested is located on another broadcast domain.

  • Page 118: Displaying And Maintaining Udp Helper

    CAUTION:  A UDP Helper enabled device cannot forward DHCP broadcast packets. The UDP port number cannot be set to 67 or 68.  You can specify a port number or the corresponding parameter for a UDP port to forward packets. For example, udp-helper port 53 and udp-helper port dns specify the same UDP port number.

  • Page 119

    [SwitchA] ip forward-broadcast # Enable UDP Helper. [SwitchA] udp-helper enable # Enable the forwarding broadcast packets with the UDP destination port 55. [SwitchA] udp-helper port 55 # Specify the destination server 10.2.1.1 on VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.110.1.1 16 [SwitchA-Vlan-interface1] udp-helper server 10.2.1.1...

  • Page 120: Ipv6 Basics Configuration

    IPv6 basics configuration IPv6 overview Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits. IPv6 features Header format simplification IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length...

  • Page 121: Ipv6 Addresses

     Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server). Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and  other configuration information by using its link-layer address and the prefix information advertised by a router.

  • Page 122

    An IPv6 address consists of an address prefix and an interface ID, both of which are equivalent to the network ID and the host ID of an IPv4 address, respectively. An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the IPv6-address is represented in any of the formats previously mentioned and the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address comprises the address prefix.

  • Page 123

     A loopback address is 0:0:0:0:0:0:0:1 (or ::1). It cannot be assigned to any physical interface and can be used by a node to send an IPv6 packet to itself in the same way as the loopback address in IPv4. An unspecified address is 0:0:0:0:0:0:0:0 (or ::).

  • Page 124: Ipv6 Neighbor Discovery Protocol

    Figure 52 Convert a MAC address into an EUI-64 address-based interface identifier 0012-3400-ABCD MAC address: 0000000000010010 0011010000000000 1010101111001101 Represented in binary: 0000000000010010 0011010011111111 1111111000000000 1010101111001101 Insert FFFE: 0000001000010010 0011010011111111 1111111000000000 1010101111001101 Set U/L bit: EUI-64 address: 0212:34FF:FE00:ABCD  On an interface of another type The EUI-64 address-based interface identifier is generated randomly by the switch.

  • Page 125

    Figure 53 Address resolution Host A Host B ICMP type = 135 Src = A Dst = solicited-node multicast address of B ICMP type = 136 Src = B Dst = A The address resolution operates in the following steps. Host A multicasts an NS message.

  • Page 126: Ipv6 Pmtu Discovery

    If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6 address of Host B. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from Host B.

  • Page 127: Ipv6 Transition Technologies

    Figure 55 PMTU discovery process MTU = 1500 MTU = 1500 MTU = 1350 MTU = 1400 Source Destination Packet with MTU = 1500 ICMP error: packet too big; use MTU = 1350 Packet with MTU = 1350 Packet received The PMTU discovery works in the following steps.

  • Page 128

    Protocols and standards Protocols and standards related to IPv6 include: RFC 1881, IPv6 Address Allocation Management  RFC 1887, An Architecture for IPv6 Unicast Address Allocation  RFC 1981, Path MTU Discovery for IP version 6  RFC 2375, IPv6 Multicast Address Assignments ...

  • Page 129: Configuring Basic Ipv6 Functions

    Task Remarks Enabling replying to multicast echo requests Optional Enabling sending of ICMPv6 time exceeded messages Optional Enabling sending of ICMPv6 destination unreachable Optional messages Configuring basic IPv6 functions Enabling IPv6 Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface cannot forward IPv6 packets even if it has an IPv6 address configured.

  • Page 130

    To do… Use the command… Remarks Required Configure the interface to ipv6 address ipv6-address/prefix- By default, no IPv6 global unicast generate an EUI-64 IPv6 length eui-64 address is configured on an address interface. Manual configuration Follow these steps to specify an IPv6 address manually for an interface: To do...

  • Page 131: Configuring An Ipv6 Link-local Address

     Temporary IPv6 address: Comprises an address prefix provided by the RA message, and a random interface ID generated through MD5. Before sending a packet, the system preferably uses the temporary IPv6 address of the sending interface as the source address of the packet to be sent. When this temporary IPv6 address expires, the system removes it and generates a new one.

  • Page 132: Configure An Ipv6 Anycast Address

    Follow these steps to configure automatic generation of an IPv6 link-local address for an interface: To do... Use the command... Remarks Enter system view system-view — interface interface-type interface- Enter interface view — number Optional By default, no link-local address is Configure the interface to configured on an interface.

  • Page 133: Configuring Ipv6 Nd

    To do... Use the command... Remarks Optional Configure an IPv6 anycast ipv6 address ipv6-address/prefix- By default, no IPv6 anycast address length anycast address is configured on an interface. Configuring IPv6 ND Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry.

  • Page 134: Configuring Parameters Related To Ra Messages

    To do… Use the command… Remarks Enter system view system-view — interface interface-type interface- Enter interface view — number Configure the maximum number Optional ipv6 neighbors max-learning-num of neighbors dynamically learned number 512 by default. by an interface Configuring parameters related to RA messages You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages.

  • Page 135

    To do… Use the command… Remarks Enter system view system-view — interface interface-type interface- Enter interface view — number Required Disable RA message undo ipv6 nd ra halt suppression By default, RA messages are suppressed. Optional By default, the maximum interval for sending RA messages is 600 seconds, and the Configure the maximum minimum interval is 200 seconds.

  • Page 136: Configuring The Maximum Number Of Attempts To Send An Ns Message For Dad

    To do… Use the command… Remarks Optional Configure the router lifetime in ipv6 nd ra router-lifetime value RA messages 1800 seconds by default. Optional By default, the local interface sends NS messages at 1000 millisecond intervals, and the value of the Retrans Set the NS retransmission timer ipv6 nd ns retrans-timer value Timer field in RA messages sent by the...

  • Page 137: Setting The Age Timer For Nd Entries

    Setting the age timer for ND entries ND entries have an age timer. If an ND entry is not refreshed within a certain time after aging out, the switch sends an NS message for detection. If no response is received, it removes the ND entry. You can set the age timer as needed.

  • Page 138: Enabling Nd Proxy

    source VLAN are consistent with those of the existing entry) is received, the switch stops sending DAD NS messages and updates the receiving port and aging time of the existing entry if the receiving ports are different, or only the aging time of the entry if the receiving ports are the same. If no corresponding NA message is received within five seconds after the first DAD NS message is sent, the switch starts to check the validity of the received ND packet.

  • Page 139: Configuring Pmtu Discovery

    NOTE: ND proxy supports the NS and NA messages only. Introduction If a host sends an NS message requesting the hardware address of another host that is isolated from the sending host at Layer 2, the switch in between must be able to forward the NS message to allow Layer 3 communication between the two hosts.

  • Page 140: Configuring The Aging Time For Dynamic Pmtus

    Follow these steps to configure a static PMTU for a specified IPv6 address: To do… Use the command… Remarks Enter system view system-view — Required Configure a static PMTU for a ipv6 pathmtu ipv6-address [ value By default, no static PMTU is specified IPv6 address configured.

  • Page 141: Configuring Icmpv6 Packet Sending

    Configuring ICMPv6 packet sending Configuring the maximum ICMPv6 error packets sent in an interval If too many ICMPv6 error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of ICMPv6 error packets sent within a specified time by adopting the token bucket algorithm.

  • Page 142: Enabling Sending Of Icmpv6 Destination Unreachable Messages

     Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the switch starts a timer. If the timer expires before all the fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source. If large amounts of malicious packets are received, the performance of the switch degrades greatly because it has to send back ICMP Time Exceeded messages.

  • Page 143: Displaying And Maintaining Ipv6 Basics Configuration

    Displaying and maintaining IPv6 basics configuration To do… Use the command… Remarks display ipv6 fib [ slot slot-number ] [ ipv6-address Available in any Display the IPv6 FIB entries ] [ | { begin | exclude | include } regular- view expression ] display ipv6 interface [ interface-type [ interface-...

  • Page 144: Ipv6 Configuration Example

    To do… Use the command… Remarks Clear the statistics of all IPv6 Available in user reset udp ipv6 statistics UDP packets view reset ipv6 nd snooping [ ipv6-address | vlan vlan- Available in user Clear ND snooping entries id ] view IPv6 configuration example Network requirements...

  • Page 145

    # Enable IPv6. <SwitchB> system-view [SwitchB] ipv6 # Configure a global unicast address for VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ipv6 address 3001::2/64 [SwitchB-Vlan-interface2] quit # Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1. [SwitchB] ipv6 route-static 2001:: 64 3001::1 Configure Host # Enable IPv6 for Host to automatically obtain an IPv6 address through IPv6 ND.

  • Page 146

    InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA] display ipv6 interface vlan-interface 1 verbose Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es):...

  • Page 147

    InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. All the IPv6 global unicast addresses configured on the interface are displayed. [SwitchB] display ipv6 interface vlan-interface 2 verbose Vlan-interface2 current state :UP Line protocol current state :UP...

  • Page 148

    ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on Host, and ping Switch A and Host on Switch B to verify that they are connected.

  • Page 149: Troubleshooting Ipv6 Basics Configuration

    Troubleshooting IPv6 basics configuration Symptom The peer IPv6 address cannot be pinged. Solution Use the display current-configuration command in any view or the display this command in system  view to verify that IPv6 is enabled. Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface ...

  • Page 150: Dhcpv6 Overview

    DHCPv6 overview Introduction to DHCPv6 The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) was designed based on IPv6 addressing scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. Compared with other IPv6 address allocation methods (such as manual configuration and stateless address autoconfiguration), DHCPv6 can: ...

  • Page 151: Address/prefix Lease Renewal

    Figure 59 Assignment involving four messages DHCPv6 client DHCPv6 server (1) Solicit (2) Advertise (3) Request (4) Reply The assignment involving four messages operates in the following steps. The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.

  • Page 152: Stateless Dhcpv6 Configuration

    Figure 61 Using the Rebind message for address/prefix lease renewal DHCPv6 client DHCPv6 server (1) Renew … … (2) Rebind (3) Reply As shown in Figure 61, if the DHCPv6 client receives no response from the DHCPv6 server after sending out a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2 (that is, when 80% preferred lifetime expires).

  • Page 153: Operation

    Operation Figure 62 Operation of stateless DHCPv6 DHCPv6 client DHCPv6 server Information-request: includes an Option Request option Reply: includes the requested options As shown in Figure 62, stateless DHCPv6 operates in the following steps. The DHCPv6 client multicasts an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents.

  • Page 154: Dhcpv6 Server Configuration

    DHCPv6 server configuration Introduction to the DHCPv6 server Application environment Figure 63 Typical DHCPv6 server application Host A DHCPv6 client DHCPv6 server Host B Host C As shown in Figure 63, the DHCPv6 server assigns the DHCPv6 client an IPv6 prefix to facilitate IPv6 address management and network configuration.

  • Page 155: Prefix Selection Process

    Figure 64 Format of DUID-LL DUID type Hardware type Link layer address A DUID based on link-layer address (DUID-LL) defined in RFC 3315 is used to identify a DHCPv6 switch. Figure 64 shows the DUID-LL format, where:  DUID type: The switch supports DUID-LL as the DUID type with the value of 0x0003. ...

  • Page 156: Dhcpv6 Server Configuration Task List

    DHCPv6 server configuration task list Complete the following tasks to configure the DHCPv6 server: Task Remarks Enabling the DHCPv6 server Required Creating a prefix pool Required Configuring a DHCPv6 address pool Required Applying the address pool to an interface Required Configuration prerequisites Before you configure the DHCPv6 server, enable IPv6 by using the ipv6 command.

  • Page 157: Applying The Address Pool To An Interface

    To do… Use the command… Remarks Create a DHCPv6 address pool Required and enter DHCPv6 address pool ipv6 dhcp pool pool-number Not configured by default. view static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime Required Configure a static prefix preferred-lifetime valid-lifetime valid- Use either command.

  • Page 158: Displaying And Maintaining The Dhcpv6 Server

    NOTE:  An interface cannot serve as a DHCPv6 server and DHCPv6 relay agent at the same time.  It is not recommended that you enable DHCPv6 server and DHCPv6 client on the same interface.  Only one address pool can be applied to an interface. ...

  • Page 159

    2::2:3. The DHCPv6 clients reside in domain aaa.com. The SIP server address is 2:2::4, and the domain name of the SIP server is bbb.com. Configuration considerations Follow these steps to configure the DHCPv6 server. Enable IPv6 and DHCPv6 server.  Create a prefix pool containing prefix 2001:0410::/32 with the length of the assigned prefix being ...

  • Page 160

    [Switch-ipv6-dhcp-pool-1] dns-server 2:2::3 # Configure the domain name as aaa.com. [Switch-ipv6-dhcp-pool-1] domain-name aaa.com # Configure the SIP server address as 2:2::4, and the domain name of the SIP server as bbb.com. [Switch-ipv6-dhcp-pool-1] sip-server address 2:2::4 [Switch-ipv6-dhcp-pool-1] sip-server domain-name bbb.com [Switch-ipv6-dhcp-pool-1] quit # Apply address pool 1 to VLAN-interface 2, configure the address pool to support the desired prefix assignment and rapid prefix assignment, and set the precedence to the highest.

  • Page 161

    # After the client whose DUID is 00030001CA0006A40000 obtains an IPv6 prefix, display the PD information on the DHCPv6 server. [Switch-Vlan-interface2] display ipv6 dhcp server pd-in-use all Total number = 1 Prefix Type Pool Lease-expiration 2001:410:201::/48 Static(C) 1 Jul 10 2009 19:45:01 # After the other client obtains an IPv6 prefix, display the PD information on the DHCPv6 server.

  • Page 162: Dhcpv6 Relay Agent Configuration

    DHCPv6 relay agent configuration Introduction to the DHCPv6 relay agent Application environment Figure 66 Typical DHCPv6 relay agent application DHCPv6 client DHCPv6 client IPv6 network DHCPv6 relay agent DHCPv6 server DHCPv6 client DHCPv6 client A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters.

  • Page 163: Configuring The Dhcpv6 Relay Agent

    The DHCPv6 client sends a Solicit message containing the Rapid Commit option to the multicast address FF02::1:2 of all the DHCPv6 servers and relay agents. After receiving the Solicit message, the DHCPv6 relay agent encapsulates the message into the Relay Message option of a Relay-forward message, and sends the message to the DHCPv6 server. After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server selects an IPv6 address and other required parameters, and adds them to the reply which is encapsulated within the Relay Message option of a Relay-reply message.

  • Page 164: Displaying And Maintaining The Dhcpv6 Relay Agent

    An interface cannot serve as a DHCPv6 relay agent and DHCPv6 server at the same time.  HP does not recommend enabling the DHCPv6 relay agent and DHCPv6 client on the same interface. Displaying and maintaining the DHCPv6 relay agent To do…...

  • Page 165

    Figure 68 DHCPv6 relay agent configuration DHCPv6 client DHCPv6 client Vlan-int3 Vlan-int2 1::1/64 2::1/64 2::2/64 Switch A DHCPv6 server DHCPv6 relay agent DHCPv6 client DHCPv6 client Configuration procedure Configure Switch A as a DHCPv6 relay agent # Enable the IPv6 packet forwarding function. <SwitchA>...

  • Page 166

    REQUEST CONFIRM RENEW REBIND RELEASE DECLINE INFORMATION-REQUEST RELAY-FORWARD RELAY-REPLY Packets sent ADVERTISE RECONFIGURE REPLY RELAY-FORWARD RELAY-REPLY...

  • Page 167: Dhcpv6 Client Configuration

    For more information about the ipv6 address auto command, see the chapter ―IPv6 basics configuration commands.‖  HP does not recommend enabling the DHCPv6 client and DHCPv6 server, or the DHCPv6 client and DHCPv6 relay agent on the same interface at the same time. Displaying and maintaining the DHCPv6 client To do…...

  • Page 168: Stateless Dhcpv6 Configuration Example

    To do… Use the command… Remarks display ipv6 dhcp client statistics [ interface Display DHCPv6 client statistics interface-type interface-number ] [ | { begin | Available in any view exclude | include } regular-expression ] Display the DUID of the local display ipv6 dhcp duid [ | { begin | exclude | Available in any view device...

  • Page 169

    With this command executed, if VLAN-interface 2 has no IPv6 address configured, Switch A will automatically generate a link-local address, and send an RS message, requesting the gateway (Switch B) to reply with an RA message immediately. Verification After receiving an RA message with the M flag set to 0 and the O flag set to 1, Switch A automatically enables the stateless DHCPv6 function.

  • Page 170: Dhcpv6 Snooping Configuration

    DHCPv6 snooping configuration NOTE:  A DHCPv6 snooping switch does not work if it is between a DHCPv6 relay agent and a DHCPv6 server. The DHCPv6 snooping switch works when it is between a DHCPv6 client and a DHCPv6 relay agent or between a DHCPv6 client and a DHCPv6 server.

  • Page 171: Enabling Dhcpv6 Snooping

    they do not forward reply messages from unauthorized DHCPv6 servers. This ensures that the DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server only. As shown in Figure 70, configure the port that connects to the DHCPv6 server as a trusted port, and other ports as untrusted.

  • Page 172: Configuring The Maximum Number Of Dhcpv6 Snooping Entries An Interface Can Learn

    NOTE:  You must specify a port connected to an authorized DHCPv6 server as trusted to ensure that DHCPv6 clients can obtain valid IPv6 addresses. The trusted port and the ports connected to the DHCPv6 clients must be in the same VLAN.

  • Page 173

    Figure 71 Network diagram for DHCPv6 snooping configuration Switch A DHCPv6 server GE1/0/1 Switch B DHCPv6 snooping GE1/0/3 GE1/0/2 DHCPv6 client DHCP client or Unauthorized DHCPv6 server Configuration procedure # Enable DHCPv6 snooping globally. <SwitchB> system-view [SwitchB] ipv6 dhcp snooping enable # Add GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 2.

  • Page 174: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. ...

  • Page 175: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 176

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 177: Index

    Index A B C D E F I L N O P R S T W Configuring an address allocation mode for a common address pool,33 Allocation mechanisms,22 Configuring an IPv6 global unicast address,121 Application environment,50 Configuring an IPv6 link-local address,123 Application environment,30...

  • Page 178

    Creating static bindings and enabling address Introduction,144 check,54 Introduction to DHCP options,25 IP address allocation sequence,31 IP address classes,17 DHCP address pool,30 IP address lease extension,23 DHCP relay agent configuration example,59 IP addressing configuration example,19 DHCP relay agent Option 82 support configuration IPv6 addresses,1 13 example,60...

  • Page 179

    Static domain name resolution configuration example,91 Static domain name resolution configuration example,84 Static IP address assignment configuration example,45 Subnetting and masking,18 Terminology,105 Working mechanism,104...

Comments to this Manuals

Symbols: 0
Latest comments: