Download Print this page
   
1
2
Table of Contents
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517

Advertisement

HPE FlexNetwork MSR Router Series
Comware 7 Layer 3—IP Services Configuration Guide
Part number: 5998-8832
Software version: CMW710-R0305
Document version: 6PW106-20160308

Advertisement

Troubleshooting

   Also See for HP FlexNetwork MSR2003

   Summary of Contents for HP FlexNetwork MSR2003

  • Page 1

    HPE FlexNetwork MSR Router Series Comware 7 Layer 3—IP Services Configuration Guide Part number: 5998-8832 Software version: CMW710-R0305 Document version: 6PW106-20160308...

  • Page 2

    © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

  • Page 3: Table Of Contents

    Contents Configuring ARP ····························································································· 1 Overview ···························································································································································· 1 ARP message format ································································································································· 1 ARP operating mechanism ························································································································ 1 ARP table ··················································································································································· 2 Configuring a static ARP entry ··························································································································· 3 Setting the maximum number of dynamic ARP entries for a device ·································································· 4 Setting the maximum number of dynamic ARP entries for an interface ····························································...

  • Page 4: Table Of Contents

    Configuring ARP direct route advertisement ················································· 23 Overview ·························································································································································· 23 Configuration procedure ·································································································································· 23 Configuring IP addressing ············································································· 24 Overview ·························································································································································· 24 IP address classes ··································································································································· 24 Special IP addresses ······························································································································· 25 Subnetting and masking ··························································································································· 25 Assigning an IP address to an interface ·········································································································· 25 Configuration guidelines ···························································································································...

  • Page 5: Table Of Contents

    Configuring DHCP binding auto backup ·········································································································· 52 Configuring address pool usage alarming ······································································································· 53 Binding gateways to a common MAC address ································································································ 53 Advertising subnets assigned to clients ··········································································································· 54 Applying a DHCP address pool to a VPN instance ·························································································· 55 Enabling client offline detection on the DHCP server ······················································································...

  • Page 6: Table Of Contents

    Application of trusted and untrusted ports ································································································ 84 DHCP snooping support for Option 82 ····································································································· 85 Command and hardware compatibility ············································································································· 85 DHCP snooping configuration task list ············································································································· 85 Configuring basic DHCP snooping ·················································································································· 86 Configuring Option 82 ······································································································································ 86 Configuring DHCP snooping entry auto backup ······························································································...

  • Page 7: Table Of Contents

    Configuring DDNS ······················································································ 116 Overview ························································································································································ 116 DDNS application ··································································································································· 116 DDNS client configuration task list ················································································································· 117 Configuring a DDNS policy ···························································································································· 117 Configuration prerequisites ···················································································································· 118 Configuration procedure ························································································································· 118 Applying the DDNS policy to an interface ······································································································ 119 Setting the DSCP value for outgoing DDNS packets ·····················································································...

  • Page 8: Table Of Contents

    Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example ······························································································································································· 153 NAT hairpin in C/S mode configuration example ··················································································· 156 NAT hairpin in P2P mode configuration example ·················································································· 159 Twice NAT configuration example ········································································································· 162 Load sharing NAT Server configuration example ·················································································· 165 NAT with DNS mapping configuration example ·····················································································...

  • Page 9: Table Of Contents

    Configuring UDP helper ·············································································· 196 Overview ························································································································································ 196 Feature and hardware compatibility ··············································································································· 196 Configuration restrictions and guidelines ······································································································· 196 Configuring UDP helper to convert broadcast to unicast ··············································································· 196 Configuring UDP helper to convert broadcast to multicast ············································································ 197 Configuring UDP helper to convert multicast to broadcast or unicast ····························································...

  • Page 10: Table Of Contents

    Symptom ················································································································································ 235 Solution ·················································································································································· 235 DHCPv6 overview ······················································································· 236 Feature and hardware compatibility ··············································································································· 236 DHCPv6 address/prefix assignment ·············································································································· 236 Rapid assignment involving two messages ··························································································· 236 Assignment involving four messages ····································································································· 236 Address/prefix lease renewal ························································································································· 237 Stateless DHCPv6 ········································································································································· 238 Protocols and standards ································································································································...

  • Page 11: Table Of Contents

    Configuring IPv6 prefix acquisition ················································································································· 265 Configuring IPv6 address and prefix acquisition ···························································································· 265 Configuring stateless DHCPv6 ······················································································································ 265 Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client ····················································· 265 Displaying and maintaining DHCPv6 client ···································································································· 266 DHCPv6 client configuration examples ··········································································································...

  • Page 12: Table Of Contents

    Configuration example ··························································································································· 309 Configuring a DS-Lite tunnel ·························································································································· 311 Configuration example ··························································································································· 312 Configuring an IPv6 over IPv6 tunnel ············································································································ 314 Configuration example ··························································································································· 315 Displaying and maintaining tunneling configuration ······················································································· 316 Troubleshooting tunneling configuration ········································································································ 317 Symptom ················································································································································ 317 Analysis ··················································································································································...

  • Page 13: Table Of Contents

    Displaying and maintaining ADVPN ··············································································································· 347 ADVPN configuration examples ····················································································································· 349 IPv4 full-mesh ADVPN configuration example ······················································································· 349 IPv6 full-mesh ADVPN configuration example ······················································································· 356 IPv4 hub-spoke ADVPN configuration example ····················································································· 364 IPv6 hub-spoke ADVPN configuration example ····················································································· 372 IPv4 multi-hub-group ADVPN configuration example ············································································ 379 IPv6 multi-hub-group ADVPN configuration example ············································································...

  • Page 14: Table Of Contents

    Document conventions and icons ······························································· 451 Conventions ··················································································································································· 451 Network topology icons ·································································································································· 452 Support and other resources ······································································ 453 Accessing Hewlett Packard Enterprise Support ···························································································· 453 Accessing updates ········································································································································· 453 Websites ················································································································································ 454 Customer self repair ······························································································································· 454 Remote support ······································································································································ 454 Documentation feedback ·······················································································································...

  • Page 15: Configuring Arp, Arp Message Format

    Configuring ARP Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths. Figure 1 ARP message format •...

  • Page 16: Arp Table

    All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows: a.

  • Page 17: Configuring A Static Arp Entry

    • Long static ARP entry—It contains the IP address, MAC address, VLAN, and output interface. It is directly used for forwarding packets. • Short static ARP entry—It contains only the IP address and MAC address. If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward packets.

  • Page 18: Setting The Maximum Number Of Dynamic Arp Entries For A Device

    Step Command Remarks • Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance Configure a static ARP By default, no static ARP entry is vpn-instance-name ] entry. configured. • Configure a short static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ] Setting the maximum number of dynamic ARP...

  • Page 19: Setting The Aging Timer For Dynamic Arp Entries

    Setting the aging timer for dynamic ARP entries Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. A dynamic ARP entry that is not updated before its aging timer expires is deleted from the ARP table.

  • Page 20: Displaying And Maintaining Arp

    To enable the ARP logging function: Step Command Remarks Enter system view. system-view Enable the ARP logging arp check log enable By default, ARP logging is disabled. function. Displaying and maintaining ARP IMPORTANT: Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to be cleared do not affect current communications.

  • Page 21: Configuration Examples

    Configuration examples Long static ARP entry configuration example Network requirements As shown in Figure 3, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/1 in VLAN 10. To ensure secure communications between Router A and Router B, configure a long static ARP entry for Router A on Router B.

  • Page 22: Short Static Arp Entry Configuration Example

    192.168.1.1 00e0-fc01-0000 GE2/0/1 Short static ARP entry configuration example Network requirements As shown in Figure 4, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/2. To ensure secure communications between Router A and Router B, configure a short static ARP entry for Router A on Router B.

  • Page 23: Configuring Gratuitous Arp

    Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: • Determine whether its IP address is already used by another device.

  • Page 24: Configuration Procedure

    • Update MAC entries of devices in the VLANs having ambiguous Dot1q or QinQ termination configured. In VRRP configuration, if ambiguous Dot1q or QinQ termination is configured for multiple VLANs and VRRP groups, interfaces configured with VLAN termination must be disabled from transmitting broadcast/multicast packets.

  • Page 25

    You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conflict confirmation. To enable IP conflict notification: Step Command Remarks Enter system view. system-view Enable IP conflict By default, IP conflict notification is arp ip-conflict log prompt notification.

  • Page 26: Configuring Proxy Arp

    Configuring proxy ARP Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain. Proxy ARP includes common proxy ARP and local proxy ARP.

  • Page 27: Displaying Proxy Arp

    Displaying proxy ARP Execute display commands in any view. Task Command Display common proxy ARP display proxy-arp [ interface interface-type interface-number ] status. Display local proxy ARP status. display local-proxy-arp [ interface interface-type interface-number ] Common proxy ARP configuration example Network requirements As shown in Figure...

  • Page 28: Verifying The Configuration

    [Router-GigabitEthernet2/0/1] ip address 192.168.20.99 255.255.255.0 # Enable common proxy ARP on interface GigabitEthernet 2/0/1. [Router-GigabitEthernet2/0/1] proxy-arp enable [Router-GigabitEthernet2/0/1] quit Verifying the configuration # Verify that Host A and Host D can ping each other.

  • Page 29: Configuring Arp Fast-reply

    Configuring ARP fast-reply Overview ARP fast-reply enables a device to directly answer ARP requests according to DHCP snooping entries. ARP fast-reply functions in a VLAN. For information about DHCP snooping, see "Configuring DHCP snooping." If the target IP address of a received ARP request is the IP address of the VLAN interface, the device delivers the request to the ARP module.

  • Page 30

    Figure 6 Network diagram Client 16 Client 1 VLAN 2 …… DHCP server Router …… Client 17 Client 32 VLAN 2 Configuration procedure # Enable ARP fast-reply for VLAN 2 on the router. [Router-vlan2] arp fast-reply enable [Router-vlan2] quit...

  • Page 31: Configuring Arp Pnp

    Configuring ARP PnP Overview The ARP plug and play (PnP) feature is typically configured on a gateway. This feature allows end users to access the gateway without changing their IP addresses on subnets different from the subnet where the gateway resides. After ARP PnP is enabled on an interface, it provides the following functions: •...

  • Page 32: Displaying And Maintaining Arp Pnp

    Step Command Remarks The following interface types are Enter interface view of the supported: interface interface-type interface that connects to the • interface-number Layer 3 Ethernet interfaces. internal network. • Layer 3 Ethernet subinterfaces. By default, the ARP PnP feature is Enable the ARP PnP feature.

  • Page 33

    [Router-nat-address-group-1] quit # Enable outbound PAT on interface GigabitEthernet 2/0/2 to translate the source address of outgoing packets matching ACL 2000 into the address in address group 1. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 1 Enable the ARP PnP feature on GigabitEthernet 2/0/1. [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] arp pnp [Router-GigabitEthernet2/0/1] quit...

  • Page 34: Configuring Arp Suppression

    Configuring ARP suppression Overview The ARP suppression feature enables a device to directly answer ARP requests by using ARP suppression entries. The device generates ARP suppression entries based on dynamic ARP entries that it learns. This feature is typically configured on the PEs connected to base stations in an MPLS L2VPN that provides access to an L3VPN network.

  • Page 35: Displaying And Maintaining Arp Suppression

    Step Command Remarks Return to cross-connect quit group view. Return to system view. quit (Optional.) Enable the ARP suppression push arp suppression push interval By default, the ARP suppression push function and set a push interval function is disabled. interval. Displaying and maintaining ARP suppression Execute display commands in any view and reset commands in user view.

  • Page 36

    Configuration procedure Configure IP addresses for the interfaces as shown in Figure 9. (Details not shown.) Configure ARP suppression on Router A: # Create a cross-connect group named vpna and create a cross-connect named svc in the group. <RouterA> system-view [RouterA] xconnect-group vpna [RouterA-xcg-vpna] connection svc # Enable ARP suppression for the cross-connect svc in cross-connect group vpna.

  • Page 37: Configuring Arp Direct Route Advertisement

    Configuring ARP direct route advertisement Overview The ARP direct route advertisement feature advertises host routes instead of advertising the network route. This feature is typically configured on PE-aggs to advertise host routes to the connected PEs in the L3VPN. Figure 10 shows a typical application scenario where the PE in the L3VPN has ECMP routes destined to a base station in the L2VPN.

  • Page 38: Configuring Ip Addressing, Ip Address Classes

    Configuring IP addressing The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified. This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.

  • Page 39: Subnetting And Masking, Assigning An Ip Address To An Interface

    Class Address range Remarks Reserved for future use, except for the broadcast 240.0.0.0 to 255.255.255.255 address 255.255.255.255. Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses: • IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.

  • Page 40: Configuration Guidelines

    An interface can have one primary address and multiple secondary addresses. Typically, you need to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

  • Page 41: Displaying And Maintaining Ip Addressing, Ip Address Configuration Example

    Configuration prerequisites Assign an IP address to the interface from which you want to borrow the IP address. Alternatively, you can configure the interface to obtain one through BOOTP, DHCP, or PPP address negotiation. Configuration procedure To configure IP unnumbered on an interface: Step Command Remarks...

  • Page 42

    Figure 13 Network diagram Configuration procedure # Assign a primary IP address and a secondary IP address to GigabitEthernet 2/0/1. <Router> system-view [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] ip address 172.16.1.1 255.255.255.0 [Router-GigabitEthernet2/0/1] ip address 172.16.2.1 255.255.255.0 sub # Set the gateway address to 172.16.1.1 on the PCs attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to subnet 172.16.2.0/24.

  • Page 43: Ip Unnumbered Configuration Example

    --- Ping statistics for 172.16.2.2 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms # Verify the connectivity between a host on subnet 172.16.1.0/24 and a host on subnet 172.16.2.0/24. The ping operation succeeds. IP unnumbered configuration example Network requirements As shown in...

  • Page 44

    # Configure interface Serial 2/1/1 to borrow an IP address from GigabitEthernet 2/0/1. [RouterB] interface serial 2/1/1 [RouterB-Serial2/1/1] ip address unnumbered interface gigabitethernet 2/0/1 [RouterB-Serial2/1/1] quit # Configure a static route to the subnet attached to Router A, specifying Serial 2/1/1 as the outgoing interface.

  • Page 45: Dhcp Overview, Dhcp Address Allocation, Allocation Mechanisms

    DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 15 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.

  • Page 46: Ip Address Lease Extension

    IP address allocation process Figure 16 IP address allocation process As shown in Figure 16, a DHCP server assigns an IP address to a DHCP client in the following process: The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message.

  • Page 47: Dhcp Message Format

    If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast. DHCP message format Figure 17 shows the DHCP message format.

  • Page 48: Dhcp Options

    DHCP options DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients. Figure 18 DHCP option format Common DHCP options The following are common DHCP options: •...

  • Page 49

    • Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS for selecting vender-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide. • PXE server address, which is used to obtain the boot file or other control information from the PXE server.

  • Page 50: Protocols And Standards

    Relay agent option (Option 82) Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.

  • Page 51: Configuring The Dhcp Server, Dhcp Address Pool

    Configuring the DHCP server Overview The DHCP server is well suited to networks where: • Manual configuration and centralized management are difficult to implement. • IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically.

  • Page 52

    NOTE: All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range. • Method 2—Specify a primary subnet and multiple secondary subnets in an address pool. The DHCP server selects an IP address from the primary subnet first.

  • Page 53: Ip Address Allocation Sequence, Dhcp Server Configuration Task List

    NOTE: As a best practice, configure at least one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.

  • Page 54: Configuring An Address Pool On The Dhcp Server

    Tasks at a glance (Optional.) Configuring DHCP logging on the DHCP server Configuring an address pool on the DHCP server Configuration task list Tasks at a glance (Required.) Creating a DHCP address pool Perform at least one of the following tasks: •...

  • Page 55

    • If you use the network or address range command multiple times for the same address pool, the most recent configuration takes effect. • IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

  • Page 56

    Specifying a primary subnet and multiple secondary subnets for a DHCP address pool If an address pool has a primary subnet and multiple secondary subnets, the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses. Follow these guidelines when you specify a primary subnet and secondary subnets for a DHCP address pool: •...

  • Page 57: Specifying Gateways For Dhcp Clients

    Follow these guidelines when you configure a static binding: • One IP address can be bound to only one client MAC or client ID. You cannot modify bindings that have been created. To change the binding for a DHCP client, you must delete the existing binding first.

  • Page 58: Specifying A Domain Name Suffix For Dhcp Clients

    Step Command Remarks By default, no gateway is (Optional.) Specify gateways. gateway-list ip-address&<1-8> specified. Specifying a domain name suffix for DHCP clients You can specify a domain name suffix in a DHCP address pool on the DHCP server. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution.

  • Page 59: Specifying Bims Server For Dhcp Clients

    To configure WINS servers and NetBIOS node type in a DHCP address pool: Step Command Remarks Enter system view. system-view Create a DHCP address By default, no DHCP address pool dhcp server ip-pool pool-name pool and enter its view. exists. This step is optional for b-node.

  • Page 60: Specifying A Server For Dhcp Clients

    Step Command Remarks Create a DHCP address By default, no DHCP dhcp server ip-pool pool-name pool and enter its view. address pool exists. • Specify the IP address of the TFTP You can specify both the IP server: address and name of the Specify the IP address or tftp-server ip-address ip-address TFTP server.

  • Page 61: Customizing Dhcp Options

    Step Command Remarks By default, no primary network calling processor is specified. Specify the IP address of the voice-config ncp-ip primary network calling After you configure this command, ip-address processor. the other Option 184 parameters take effect. (Optional.) Specify the IP address voice-config as-ip By default, no backup network for the backup server.

  • Page 62: Configuring The Dhcp User Class Whitelist

    Step Command Remarks if-match rule rule-number { option option-code [ hex hex-string [ mask Configure a match rule for mask | offset offset length length ] ] By default, no match rule is the DHCP user class. | hardware-address configured for a DHCP user class. hardware-address mask hardware-address-mask } Return to system view.

  • Page 63: Enabling Dhcp

    Step Command Remarks Create a DHCP user class By default, no DHCP user class and enter DHCP user class dhcp class class-name exists. view. if-match rule rule-number { option option-code [ hex hex-string [ mask mask | offset Configure a match rule for By default, no match rule is offset length length ] ] | the DHCP user class.

  • Page 64: Configuring Ip Address Conflict Detection

    Upon receiving a DHCP request from the interface, the DHCP server performs address allocation in the following ways: • If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding. •...

  • Page 65: Configuring Dhcp Server Compatibility

    To enable the DHCP server to handle Option 82: Step Command Remarks Enter system view. system-view Enable the server to handle dhcp server relay information By default, handling of Option 82. enable Option 82 is enabled. Configuring DHCP server compatibility Perform this task to enable the DHCP server to support DHCP clients that are incompliant with RFC.

  • Page 66: The Dhcp Server

    Configuring the DHCP server to send BOOTP responses in RFC 1048 format Not all BOOTP clients can send requests that are compatible with RFC 1048. By default, the DHCP server does not process the Vend field of RFC 1048-incompliant requests but copies the Vend field into responses.

  • Page 67: Configuring Address Pool Usage Alarming

    Step Command Remarks By default, the DHCP server does not back up the DHCP dhcp server database filename bindings. Configure the DHCP server to { filename | url url [ username With this command executed, back up the bindings to a file. username [ password { cipher | the DHCP server backs up its simple } key ] ] }...

  • Page 68: Advertising Subnets Assigned To Clients

    Figure 22 Network diagram The gateway binding feature on the master device takes effect if the DHCP address pool is bound to a VSRP instance. If the address pool is applied to a VPN instance, the VPN instance must exist. To bind the gateways to a common MAC address: Step Command...

  • Page 69: Applying A Dhcp Address Pool To A Vpn Instance

    To configure the subnet advertisement function: Step Command Remarks Enter system view. system-view Create a DHCP address pool By default, no DHCP address dhcp server ip-pool pool-name and enter its view. pool exists. network network-address By default, the subnets Advertise subnets assigned to [ mask-length | mask mask ] assigned to DHCP clients are DHCP clients.

  • Page 70: Displaying And Maintaining The Dhcp Server

    Configuring DHCP logging on the DHCP server The DHCP logging feature enables the DHCP server to generate DHCP logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide. Disable this feature when the log generation affects the device performance or reduces the address allocation efficiency.

  • Page 71: Dhcp Server Configuration Examples

    DHCP server configuration examples DHCP networking includes the following types: • The DHCP server and clients reside on the same subnet. • The DHCP server and clients are not on the same subnet and communicate with each other through a DHCP relay agent. The DHCP server configuration for the two types is identical.

  • Page 72: Dynamic Ip Address Assignment Configuration Example

    [RouterA-dhcp-pool-0] static-bind ip-address 10.1.1.5 25 client-identifier 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574 # Configure a static binding for Router C. [RouterA-dhcp-pool-0] static-bind ip-address 10.1.1.6 25 hardware-address 000f-e200-01c0 # Specify the DNS server and gateway. [RouterA-dhcp-pool-0] dns-list 10.1.1.2 [RouterA-dhcp-pool-0] gateway-list 10.1.1.126 [RouterA-dhcp-pool-0] quit [RouterA] Verifying the configuration # Verify that Router B can obtain IP address 10.1.1.5 and all other network parameters from Router A.

  • Page 73

    Figure 25 Network diagram Configuration procedure Specify IP addresses for interfaces. (Details not shown.) Configure the DHCP server: # Enable DHCP. <RouterA> system-view [RouterA] dhcp enable # Enable the DHCP server on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] dhcp select server [RouterA-GigabitEthernet2/0/1] quit [RouterA] interface gigabitethernet 2/0/2...

  • Page 74: Dhcp User Class Configuration Example

    [RouterA-dhcp-pool-2] dns-list 10.1.1.2 [RouterA-dhcp-pool-2] gateway-list 10.1.1.254 Verifying the configuration # Verify that clients on subnets 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and all other network parameters from Router A. (Details not shown.) # On the DHCP server, display the IP addresses assigned to the clients. [RouterA] display dhcp server ip-in-use DHCP user class configuration example Network requirements...

  • Page 75: Dhcp User Class Whitelist Configuration Example

    [RouterB-GigabitEthernet2/0/1] quit # Create DHCP user class tt and configure a match rule to match DHCP requests that contain Option 82. [RouterB] dhcp class tt [RouterB-dhcp-class-tt] if-match rule 1 option 82 [RouterB-dhcp-class-tt] quit # Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb-aab.

  • Page 76: Primary And Secondary Subnets Configuration Example

    <RouterA> system-view [RouterA] dhcp enable # Enable DHCP server on interface GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] dhcp select server [RouterA-GigabitEthernet2/0/1] quit # Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.

  • Page 77: Dhcp Option Customization Configuration Example

    Figure 28 Network diagram Router A DHCP server GE2/0/1 10.1.1.1/24 10.1.2.1/24 sub DHCP client DHCP client DHCP client Gateway Configuration procedure # Enable DHCP. <RouterA> system-view [RouterA] dhcp enable # Configure the primary and secondary IP addresses of interface GigabitEthernet 2/0/1, and enable the DHCP server on GigabitEthernet 2/0/1.

  • Page 78

    Configure the address allocation scheme as follows: Assign PXE addresses To clients The hardware address in the request is six bytes long and 2.3.4.5 and 3.3.3.3 begins with aabb-aabb. 1.2.3.4 and 2.2.2.2. Other clients. The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a custom option.

  • Page 79: Troubleshooting Dhcp Server Configuration

    [RouterA-dhcp-pool-0] option 43 hex 800B0000020102030402020202 # Associate DHCP user class ss with option group 1. [RouterA-dhcp-pool-0] class ss option-group 1 Verifying the configuration # Verify that Router B can obtain an IP address on subnet 10.1.1.0/24 and the corresponding PXE server addresses from Router A.

  • Page 80: Configuring The Dhcp Relay Agent

    Configuring the DHCP relay agent Overview The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet to centralize management and reduce investment. Figure 30 shows a typical application of the DHCP relay agent.

  • Page 81: Dhcp Relay Agent Support For Option 82, Dhcp Relay Agent Configuration Task List

    Figure 31 DHCP relay agent operation DHCP relay agent support for Option 82 Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks: • Locate the DHCP client for security and accounting purposes. •...

  • Page 82: Enabling The Dhcp Relay Agent On An Interface

    Tasks at a glance (Optional.) Configuring the DHCP relay agent to release an IP address (Optional.) Configuring Option 82 (Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent (Optional.) Enabling DHCP server proxy on a DHCP relay agent (Optional.) Configuring a DHCP relay address pool (Optional.)

  • Page 83: Configuring The Dhcp Relay Agent Security Functions

    • The IP address of any specified DHCP server must not reside on the same subnet as the IP address of the relay interface. Otherwise, the clients might fail to obtain IP addresses. • You can specify a maximum of eight DHCP servers. To specify a DHCP server address on a relay agent: Step Command...

  • Page 84: Enabling Dhcp Starvation Attack Protection

    • If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address. •...

  • Page 85: Configuring The Dhcp Relay Agent To Release An Ip Address

    Step Command Remarks The default aging time is 30 seconds. Set the aging time for MAC dhcp relay check mac-address This command takes effect address check entries. aging-time time only after you execute the dhcp relay check mac-address command. interface interface-type Enter the interface view.

  • Page 86: Setting The Dscp Value For Dhcp Packets Sent By The Dhcp Relay Agent

    Step Command Remarks (Optional.) Configure the strategy dhcp relay information strategy By default, the handling for handling DHCP requests that { drop | keep | replace } strategy is replace. contain Option 82. dhcp relay information circuit-id { bas | string circuit-id | { normal | By default, the padding (Optional.) Configure the padding verbose [ node-identifier { mac |...

  • Page 87: Configuring A Dhcp Relay Address Pool

    Configuring a DHCP relay address pool This feature allows DHCP clients of the same type to obtain IP addresses and other configuration parameters from the DHCP servers specified in the matching relay address pool. It applies to scenarios where the DHCP relay agent connects to clients of the same access type but classified into different types by their locations.

  • Page 88: Specifying A Gateway Address For Dhcp Clients

    Specifying a gateway address for DHCP clients By default, the DHCP relay agent fills the giaddr field of DHCP DISCOVER and REQUEST packets with the primary IP address of the relay interface. You can specify a gateway address on the relay agent for DHCP clients.

  • Page 89: Dhcp Relay Agent Configuration Example

    If DHCP server proxy is enabled, you must configure the sub-option 72 in Option 82 to carry the index of the interface that processes the DHCP request. When receiving a DHCP response, the relay agent forwards the response according to the interface index in sub-option 72. To specify the source address and gateway address in DHCP requests: Step Command...

  • Page 90: Option 82 Configuration Example

    DHCP server configuration is also required to guarantee the client-server communication through the DHCP relay agent. For DHCP server configuration information, see "DHCP server configuration examples." Figure 32 Network diagram DHCP client DHCP client GE2/0/1 GE2/0/2 10.10.1.1/24 10.1.1.2/24 GE2/0/1 10.1.1.1/24 Router A Router B DHCP relay agent...

  • Page 91: Troubleshooting Dhcp Relay Agent Configuration

    # Enable DHCP. <RouterA> system-view [RouterA] dhcp enable # Enable the DHCP relay agent on GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] dhcp select relay # Specify the IP address of the DHCP server on the relay agent. [RouterA-GigabitEthernet2/0/1] dhcp relay server-address 10.1.1.1 # Enable the DHCP relay agent to handle Option 82, and perform Option 82 related configuration.

  • Page 92: Enabling The Dhcp Client On An Interface

    Configuring the DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. Enabling the DHCP client on an interface Follow these guidelines when you enable the DHCP client on an interface: •...

  • Page 93: Displaying And Maintaining The Dhcp Client

    Step Command Remarks DHCP client ID includes ID type and type value. Each ID type has a fixed type value. You can check the fields for the client ID to verify which type of client ID is used: • If an ASCII string is used as the client ID, display dhcp client the type value is 00.

  • Page 94: Dhcp Client Configuration Example

    Task Command display dhcp client [ verbose ] [ interface interface-type Display DHCP client information. interface-number ] DHCP client configuration example Network requirements As shown in Figure 34, Router B contacts the DHCP server through GigabitEthernet 2/0/1 to obtain an IP address, a DNS server address, and static route information. The DHCP client's IP address resides on subnet 10.1.1.0/24.

  • Page 95

    [RouterA] dhcp server forbidden-ip 10.1.1.2 # Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24. [RouterA] dhcp server ip-pool 0 [RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 [RouterA-dhcp-pool-0] expired day 10 [RouterA-dhcp-pool-0] dns-list 20.1.1.1 [RouterA-dhcp-pool-0] option 121 hex 181401010A010102 Configure Router B:...

  • Page 96

    127.0.0.1/32 Direct 0 127.0.0.1 InLoop0 127.255.255.255/32 Direct 0 127.0.0.1 InLoop0 224.0.0.0/4 Direct 0 0.0.0.0 NULL0 224.0.0.0/24 Direct 0 0.0.0.0 NULL0 255.255.255.255/32 Direct 0 127.0.0.1 InLoop0...

  • Page 97: Configuring Dhcp Snooping

    Configuring DHCP snooping This feature is supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW. HMIM-24GSW. HMIM-24GSWP. SIC-4GSW. SIC-4GSWP. • Fixed Layer 2 Ethernet ports on MSR2004-24/2004-48 routers. • Fixed Layer 2 Ethernet ports on MSR1002-4/1003-8S routers. Overview DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent.

  • Page 98: Application Of Trusted And Untrusted Ports

    Application of trusted and untrusted ports Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports. As shown in Figure 35, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client.

  • Page 99: Dhcp Snooping Support For Option, Dhcp Snooping Configuration Task List

    DHCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes. For more information about Option 82, see "Relay agent option (Option 82)."...

  • Page 100: Configuring Basic Dhcp Snooping

    Configuring basic DHCP snooping Follow these guidelines when you configure basic DHCP snooping: • Specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.

  • Page 101: Configuring Dhcp Snooping Entry Auto Backup

    DHCP snooping receives a DHCP packet with two VLAN tags. For example, if the outer VLAN tag is 10 and the inner VLAN tag is 20, the VLAN ID field is 000a.0014. The hexadecimal digit a represents the outer VLAN tag 10, and the hexadecimal digit 14 represents the inner VLAN tag 20.

  • Page 102

    Step Command Remarks By default, the DHCP snooping device does dhcp snooping not back up DHCP snooping entries. binding database Configure the DHCP filename { filename | With this command executed, the DHCP snooping device to back up url url [ username snooping device backs up DHCP snooping DHCP snooping entries to a entries immediately and runs auto backup.

  • Page 103: Enabling Dhcp-request Attack Protection

    Enabling DHCP-REQUEST attack protection DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the DHCP-REQUEST messages from attacking the DHCP server. Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses.

  • Page 104: Displaying And Maintaining Dhcp Snooping, Dhcp Snooping Configuration Examples

    Displaying and maintaining DHCP snooping Execute display commands in any view, and reset commands in user view. Task Command display dhcp snooping binding [ ip ip-address [ vlan Display DHCP snooping entries. vlan-id ] ] Display Option 82 configuration information on display dhcp snooping information { all | interface the DHCP snooping device.

  • Page 105

    Figure 37 Network diagram Configuration procedure # Enable DHCP snooping. <RouterB> system-view [RouterB] dhcp snooping enable # Configure GigabitEthernet 2/0/1 as a trusted port. [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] dhcp snooping trust [RouterB-GigabitEthernet2/0/1] quit # Enable DHCP snooping to record clients' IP-to-MAC bindings on GigabitEthernet 2/0/2. [RouterB] interface gigabitethernet 2/0/2 [RouterB-GigabitEthernet2/0/2] dhcp snooping binding record [RouterB-GigabitEthernet2/0/2] quit...

  • Page 106

    Figure 38 Network diagram Configuration procedure # Enable DHCP snooping. <RouterB> system-view [RouterB] dhcp snooping enable # Configure GigabitEthernet 2/0/1 as a trusted port. [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] dhcp snooping trust [RouterB-GigabitEthernet2/0/1] quit # Configure Option 82 on GigabitEthernet 2/0/2. [RouterB] interface gigabitethernet 2/0/2 [RouterB-GigabitEthernet2/0/2] dhcp snooping information enable [RouterB-GigabitEthernet2/0/2] dhcp snooping information strategy replace...

  • Page 107: Bootp Application, Obtaining An Ip Address Dynamically

    Configuring the BOOTP client BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces and VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003. BOOTP application An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.

  • Page 108: Bootp Client Configuration Example

    Step Command Remarks Configure an interface to use By default, an interface does not BOOTP for IP address ip address bootp-alloc use BOOTP for IP address acquisition. acquisition. Displaying and maintaining BOOTP client Execute display command in any view. Task Command display bootp client [ interface interface-type Display BOOTP client information.

  • Page 109: Configuring Dns, Static Domain Name Resolution, Dynamic Domain Name Resolution

    Configuring DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry. DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address.

  • Page 110: Dns Proxy

    Dynamic domain name resolution allows the DNS client to store latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires.

  • Page 111: Dns Spoofing

    A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request.

  • Page 112: Configuring Static Domain Name Resolution

    Dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism. Because the DNS entry ages out immediately upon creation, the host sends another DNS request to the device to resolve the HTTP server domain name. The device operates the same as a DNS proxy. For more information, see "DNS proxy."...

  • Page 113: Configuring Dynamic Domain Name Resolution

    Configuring dynamic domain name resolution To use dynamic domain name resolution, configure DNS servers so that DNS queries can be sent to a correct server for resolution. A DNS server manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence. A name query is first sent to the DNS server that has the highest priority.

  • Page 114

    Follow these guidelines when you configure static domain name resolution: • For the public network or a VPN, each host name maps to only one IPv6 address. The most recent configuration for a host name takes effect. • You can configure the following items: IPv6 DNS entries for the public network and up to 1024 VPNs.

  • Page 115: Configuring The Dns Proxy

    Step Command Remarks • Specify a DNS server IPv4 address: dns server ip-address [ vpn-instance By default, no DNS server is vpn-instance-name ] specified. • Specify a DNS server. Specify a DNS server IPv6 address: You can specify both the ipv6 dns server ipv6-address IPv4 and IPv6 addresses.

  • Page 116: Configuring Network Mode Tracking For An Output Interface

    To configure DNS spoofing: Step Command Remarks Enter system view. system-view Enable DNS proxy. dns proxy enable By default, DNS proxy is disabled. • Specify an IPv4 address: Enable DNS dns spoofing ip-address By default, no IP address is spoofing and [ vpn-instance vpn-instance-name ] specified for DNS spoofing.

  • Page 117: Configuring The Dns Trusted Interface

    Step Command Remarks Enter system view. system-view By default, no source interface for DNS packets is specified. dns source-interface Specify the source interface-type If you execute the command multiple times, the interface for DNS interface-number most recent configuration takes effect. packets.

  • Page 118: Ipv4 Dns Configuration Examples

    Task Command Display IPv4 DNS server display dns server [ dynamic ] [ vpn-instance vpn-instance-name ] information. Display IPv6 DNS server display ipv6 dns server [ dynamic ] [ vpn-instance information. vpn-instance-name ] display dns domain [ dynamic ] [ vpn-instance Display DNS suffixes.

  • Page 119: Dynamic Domain Name Resolution Configuration Example

    Dynamic domain name resolution configuration example Network requirements As shown in Figure 43, the DNS server at 2.1.1.2/16 has a com domain that stores the mapping between domain name host and IP address 3.1.1.1/16. Configure dynamic DNS and the DNS suffix com on the device that acts as a DNS client. The device can then use the domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/16.

  • Page 120

    Figure 45 Adding a host d. On the page that appears, enter host name host and IP address 3.1.1.1. e. Click Add Host. The mapping between the IP address and host name is created. Figure 46 Adding a mapping between domain name and IP address Configure the DNS client: # Specify the DNS server 2.1.1.2.

  • Page 121: Dns Proxy Configuration Example

    <Sysname> system-view [Sysname] dns server 2.1.1.2 # Specify com as the name suffix. [Sysname] dns domain com Verifying the configuration # Execute the ping host command on the device. [Sysname] ping host Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break 56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms 56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms 56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms...

  • Page 122: Ipv6 Dns Configuration Examples

    Configuration procedure Before performing the following configuration, make sure that: • Device A, the DNS server, and the host can reach each other. • The IPv6 addresses of the interfaces are configured as shown in Figure Configure the DNS server: The configuration might vary by DNS server.

  • Page 123

    Figure 48 Network diagram Configuration procedure # Configure a mapping between host name host.com and IPv6 address 1::2. <Device> system-view [Device] ipv6 host host.com 1::2 # Use the ping ipv6 host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.

  • Page 124

    Configure the DNS server: The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2003. Make sure that the DNS server supports the IPv6 DNS function, so it can process IPv6 DNS packets and its interfaces can forward IPv6 packets. a.

  • Page 125

    Figure 51 Creating a record d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.

  • Page 126

    Figure 52 Selecting the resource record type e. Type host name host and IPv6 address 1::1. f. Click OK. The mapping between the IPv6 address and host name is created.

  • Page 127

    Figure 53 Adding a mapping between domain name and IPv6 address Configure the DNS client: # Specify the DNS server 2::2. <Device> system-view [Device] ipv6 dns server 2::2 # Configure com as the DNS suffix. [Device] dns domain com Verifying the configuration # Execute the ping ipv6 host command on the device.

  • Page 128

    DNS proxy configuration example Network requirements When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.

  • Page 129: Troubleshooting Ipv4 Dns Configuration

    [DeviceB] ping host.com Ping6(56 data bytes) 2000::1 --> 3000::1, press CTRL_C to break 56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms 56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms 56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms 56 bytes from 3000::1, icmp_seq=3 hlim=128 time=1.000 ms 56 bytes from 3000::1, icmp_seq=4 hlim=128 time=0.000 ms --- Ping6 statistics for host.com --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss...

  • Page 130: Configuring Ddns

    Configuring DDNS Overview DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers.

  • Page 131: Ddns Client Configuration Task List

    By default, the URL address does not include a username or password. To configure the username and password, use the username command and the password command. HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols.

  • Page 132

    • gnudip://—The TCP-based GNUDIP server. • oray://—The TCP-based DDNS server. The domain names of DDNS servers are members.3322.org and phservice2.oray.net. The domain names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net, ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation. The port number in the URL address is optional.

  • Page 133: Applying The Ddns Policy To An Interface

    Step Command Remarks By default, no SSL client policy is associated with the DDNS policy. (Optional.) Associate an SSL ssl-client-policy This step is only effective and a must for client policy with the DDNS policy-name HTTP-based DDNS update requests. For policy.

  • Page 134: Displaying Ddns

    Step Command Remarks Enter system view. system-view Set the DSCP value for By default, the DSCP value for ddns dscp dscp-value outgoing DDNS packets. outgoing DDNS packets is 0. Displaying DDNS Execute display commands in any view. Task Command Display information about the DDNS policy. display ddns policy [ policy-name ] DDNS configuration examples DDNS configuration example with www.3322.org...

  • Page 135: Ddns Configuration Example With Peanuthull Server

    <Router> system-view [Router] ddns policy 3322.org # Specify for DDNS update requests the URL address with the login ID steven and plaintext password nevets. [Router-ddns-policy-3322.org] url http:// members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a> [Router-ddns-policy-3322.org] username steven [Router-ddns-policy-3322.org] password simple nevets # Set the interval for sending DDNS update requests to 15 minutes. [Router-ddns-policy-3322.org] interval 0 0 15 [Router-ddns-policy-3322.org] quit # Specify the IP address of the DNS server as 1.1.1.1.

  • Page 136

    • Add the domain name whatever.gicp.cn at http://www.oray.cn/. • Add the router's host name-to-IP address mapping to the DNS server. • Make sure the devices can reach each other. # Create a DDNS policy named oray.cn and enter its view. <Router>...

  • Page 137: Configuring Nat

    Configuring NAT Overview Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server. Figure 58 NAT operation Direction Before NAT...

  • Page 138: Nat Control, Static Nat, Dynamic Nat

    Bidirectional NAT NAT translates the source and destination IP addresses of incoming packets on the receiving interface and outgoing packets on the sending interface. Bidirectional NAT is applied when source and destination addresses overlap. Twice NAT Twice NAT translates the destination IP address on the receiving interface, and the source IP address on the sending interface.

  • Page 139: Nat Server

    NO-PAT NO-PAT translates a private address to a public address. The public address cannot be used by another internal host until it is released. NO-PAT supports all IP packets. PAT translates multiple private addresses to a single public address by mapping the private address and source port to the public address and a unique port.

  • Page 140: Nat Entries

    Figure 60 NAT Server operation Direction Before NAT After NAT Inbound 20.1.1.1:8080 192.168.1.3:8080 Dst : 192.168.1.3:8080 Dst : 20.1.1.1:8080 Server Host 192.168.1.1 20.1.1.1 Internet Intranet 20.1.1.2 192.168.1.3 Src : 20.1.1.1:8080 Src : 192.168.1.3:8080 Figure 60 displays how NAT Server works: Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server.

  • Page 141: Eim Entry

    The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide. EIM entry An EIM entry maps a private address/port to a public address/port. The same EIM entry applies to subsequent connections originating from the same source IP and port.

  • Page 142: Nat With Dns Mapping

    NAT with DNS mapping NAT with DNS mapping allows an internal host to access an internal server on the same private network by using the domain name of the internal server when the DNS server is on the public network. NAT with DNS mapping must operate with the NAT Server feature.

  • Page 143: Nat Configuration Task List

    NAT configuration task list Tasks at a glance Remarks If you perform all the tasks on an interface, IPv6 packets Perform at least one of the following tasks: are processed by DS-Lite NAT444, and IPv4 packets are • compared against the following NAT rules in order for a Configuring static NAT match: •...

  • Page 144: Configuring Outbound Net-to-net Static Nat

    Step Command Remarks global-ip [ vpn-instance NAT. processes only packets matching global-name ] [ acl { acl-number | the permit rule in the ACL. name acl-name } [ reversible ] ] Return to system view. quit interface interface-type Enter interface view. interface-number Enable static NAT on the nat static enable...

  • Page 145: Configuring Inbound Net-to-net Static Nat

    Step Command Remarks Enter system view. system-view nat static inbound global-ip By default, no mappings exist. Configure a one-to-one [ vpn-instance global-name ] If you specify an ACL, NAT mapping for inbound static local-ip [ vpn-instance processes only packets matching NAT.

  • Page 146: Configuration Restrictions And Guidelines

    Configuration restrictions and guidelines When you configure dynamic NAT, follow these restrictions and guidelines: • You can configure multiple inbound or outbound dynamic NAT rules. • A NAT rule with an ACL takes precedence over a rule without any ACL. •...

  • Page 147: Configuring Inbound Dynamic Nat

    Step Command Remarks name acl-name ] address-group You can configure multiple group-number [ vpn-instance outbound dynamic NAT rules on an vpn-instance-name ] no-pat interface. [ reversible ] • Configure PAT: nat outbound [ acl-number | name acl-name ] [ address-group group-number ] [ vpn-instance vpn-instance-name ] [ port-preserved ]...

  • Page 148: Configuring Nat Server

    Step Command Remarks interface-number nat inbound { acl-number | name By default, inbound dynamic NAT is acl-name } address-group not configured. Configure inbound group-number [ vpn-instance dynamic NAT. You can configure multiple inbound vpn-instance-name ] [ no-pat dynamic NAT rules on an interface. [ reversible ] [ add-route ] ] Configuring NAT Server To configure NAT Server, map a public IP address and port number to the private IP address and port...

  • Page 149: Configuring Load Sharing Nat Server

    Step Command Remarks • A single public address with a single or no public port: nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ] [ acl { acl-number | name acl-name } ] •...

  • Page 150: Configuring Acl-based Nat Server

    Step Command Remarks nat server protocol pro-type global By default, no load { { global-address | current-interface | sharing NAT Server interface interface-type interface-number } mapping exists. { global-port | global-port1 global-port2 } | Configure load sharing global-address1 global-address2 global-port } You can configure NAT Server.

  • Page 151: Configuring Nat With Dns Mapping

    Step Command Remarks parameters. block-size exists. [ extended-block-number The configuration takes effect only on extended-block-number ] PAT translation mode. Return to system view. quit interface interface-type Enter interface view. interface-number nat outbound ds-lite-b4 Configure DS-Lite { ipv6-acl-number | name By default, DS-Lite NAT444 is not NAT444.

  • Page 152: Displaying And Maintaining Nat

    Step Command Remarks interface interface-type Enter interface view. interface-number Enable NAT hairpin. nat hairpin enable By default, NAT hairpin is disabled. Configuring NAT with ALG Configure NAT with ALG for a protocol to translate the IP addresses and port numbers in the payloads for application layer packets.

  • Page 153

    Task Command Display all NAT configuration information. display nat all Display NAT address group information. display nat address-group [ group-number ] Display NAT with DNS mapping configuration. display nat dns-map Display information about NAT EIM entries display nat eim (centralized devices in standalone mode). Display information about NAT EIM entries (distributed devices in standalone display nat eim [ slot slot-number ]...

  • Page 154: Nat Configuration Examples

    Task Command devices in IRF mode). Display NAT444 mappings (distributed display nat port-block { dynamic [ ds-lite-b4 ] | static } devices in IRF mode). [ chassis chassis-number slot slot-number ] Clear NAT sessions (centralized devices in reset nat session standalone mode).

  • Page 155: Outbound Dynamic Nat Configuration Example (non-overlapping Addresses)

    Local flow-table status: Active Interfaces enabled with static NAT: Totally 1 interfaces enabled with static NAT. Interface: GigabitEthernet2/0/2 Config status: Active # Display NAT session information. [Router] display nat session verbose Initiator: Source IP/port: 10.110.10.8/42496 Destination IP/port: 202.38.1.111/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet2/0/1...

  • Page 156

    Figure 64 Network diagram Configuration procedure # Specify IP addresses for the interfaces on the router. (Details not shown.) # Configure address group 0, and add an address range from 202.38.1.2 to 202.38.1.3 to the group. <Router> system-view [Router] nat address-group 0 [Router-address-group-0] address 202.38.1.2 202.38.1.3 [Router-address-group-0] quit # Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass...

  • Page 157

    Config status: Active Global flow-table status: Active NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT mapping behavior: Mapping mode : Address and Port-Dependent : --- Config status: Active NAT ALG:...

  • Page 158: Outbound Bidirectional Nat Configuration Example

    Inbound interface: GigabitEthernet2/0/2 State: ICMP_REPLY Application: INVALID Start time: 2012-08-15 14:53:29 TTL: 12s Initiator->Responder: 1 packets 84 bytes Responder->Initiator: 1 packets 84 bytes Total sessions found: 1 Outbound bidirectional NAT configuration example Network requirements As shown in Figure 65, the private network where the Web server resides overlaps with the company private network 192.168.1.0/24.

  • Page 159

    # Create address group 1. [Router] nat address-group 1 # Add address 202.38.1.2 to the group. [Router-address-group-1] address 202.38.1.2 202.38.1.2 [Router-address-group-1] quit # Create address group 2. [Router] nat address-group 2 # Add address 202.38.1.3 to the group. [Router-address-group-2] address 202.38.1.3 202.38.1.3 [Router-address-group-2] quit # Enable inbound NO-PAT on interface GigabitEthernet 2/0/2 to translate the source IP address in the DNS reply payload into the address in address group 1, and allow reversible NAT.

  • Page 160

    NAT outbound information: Totally 1 NAT outbound rules. Interface: GigabitEthernet2/0/2 ACL: 2000 Address group: 2 Port-preserved: N NO-PAT: N Reversible: N Config status: Active Global flow-table status: Active NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign...

  • Page 161: Nat Server For External-to-internal Access Configuration Example

    Source IP/port: 192.168.1.10/8080 Destination IP/port: 202.38.1.3/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/0/2 State: TCP_ESTABLISHED Application: HTTP Start time: 2012-08-15 14:53:29 TTL: 3597s Initiator->Responder: 7 packets 308 bytes Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT Server for external-to-internal access configuration example...

  • Page 162

    [Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http # Configure NAT Server to allow external users to access the Web server 2 by using the address 202.38.1.1 and port 8080. [Router-GigabitEthernet2/0/2] nat server protocol tcp global 202.38.1.1 8080 inside 10.110.10.2 http # Configure NAT Server to allow external users to access the SMTP server by using the address 202.38.1.1 and port number defined by SMTP.

  • Page 163

    Local flow-table status: Active NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT mapping behavior: Mapping mode : Address and Port-Dependent : --- Config status: Active NAT ALG: : Enabled : Enabled...

  • Page 164: Nat Server For External-to-internal Access Through Domain Name Configuration Example

    State: TCP_ESTABLISHED Application: FTP Start time: 2012-08-15 14:53:29 TTL: 3597s Initiator->Responder: 7 packets 308 bytes Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT Server for external-to-internal access through domain name configuration example Network requirements As shown in Figure 67, Web server at 10.110.10.2/24 in the internal network provides services for external users.

  • Page 165

    # Create address group 1. [Router] nat address-group 1 # Add address 202.38.1.3 to the group. [Router-address-group-1] address 202.38.1.3 202.38.1.3 [Router-address-group-1] quit # Configure NAT Server on interface GigabitEthernet 2/0/2 to map the address 202.38.1.1 to 10.110.10.3. External users can access the internal DNS server. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 dns...

  • Page 166

    Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT mapping behavior: Mapping mode : Address and Port-Dependent : --- Config status: Active NAT ALG: : Enabled : Enabled H323 : Enabled ICMP-ERROR : Enabled : Enabled MGCP : Enabled...

  • Page 167

    Total sessions found: 1 Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example Network requirements As shown in Figure 68, an intranet uses the subnet 192.168.1.0/24. The Web server at 192.168.1.2/24 provides Web services for external users and the DNS server at 192.168.1.3/24 resolves the domain name of the Web server.

  • Page 168

    [Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Router-acl-ipv4-basic-2000] quit # Create address group 1. [Router] nat address-group 1 # Add address 202.38.1.2 to the address group. [Router-address-group-1] address 202.38.1.2 202.38.1.2 [Router-address-group-1] quit # Create address group 2. [Router] nat address-group 2 # Add address 202.38.1.3 to the address group.

  • Page 169

    Totally 1 NAT inbound rules. Interface: GigabitEthernet2/0/2 ACL: 2000 Address group: 2 Add route: N NO-PAT: N Reversible: N Config status: Active Global flow-table status: Active NAT outbound information: Totally 1 NAT outbound rules. Interface: GigabitEthernet2/0/2 ACL: 2000 Address group: 1 Port-preserved: N NO-PAT: Y Reversible: Y...

  • Page 170: Nat Hairpin In C/s Mode Configuration Example

    : Enabled RTSP : Enabled SCCP : Enabled : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Display NAT session information generated when Host accesses the Web server. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.2/1694 Destination IP/port: 202.38.1.2/8080 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/-...

  • Page 171

    Figure 69 Network diagram 192.168.1.2/24 Host A GE2/0/1 GE2/0/2 192.168.1.1/24 202.38.1.1/24 Internet Router FTP server Host B 192.168.1.4/24 192.168.1.3/24 Requirements analysis To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network. To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks: •...

  • Page 172

    # Display all NAT configuration and statistics. [Router]display nat all NAT outbound information: Totally 1 NAT outbound rules. Interface: GigabitEthernet2/0/2 ACL: 2000 Address group: --- Port-preserved: N NO-PAT: N Reversible: N Config status: Active Global flow-table status: Active NAT internal server information: Totally 1 internal servers.

  • Page 173: Nat Hairpin In P2p Mode Configuration Example

    : Enabled RTSP : Enabled SCCP : Enabled : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Display NAT session information generated when Host A accesses the FTP server. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.2/1694 Destination IP/port: 202.38.1.2/21 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/-...

  • Page 174

    Figure 70 Network diagram Requirements analysis To meet the network requirements, you must perform the following tasks: • Configure outbound dynamic PAT on the interface connected to the external network, so the internal clients can access the external server for registration. •...

  • Page 175

    [Router] display nat all NAT outbound information: Totally 1 NAT outbound rules. Interface: GigabitEthernet2/0/2 ACL: 2000 Address group: --- Port-preserved: N NO-PAT: N Reversible: N Config status: Active Global flow-table status: Active NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active...

  • Page 176: Twice Nat Configuration Example

    Destination IP/port: 202.38.1.3/1 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: UDP(17) Inbound interface: GigabitEthernet2/0/1 Responder: Source IP/port: 192.168.1.2/69 Destination IP/port: 202.38.1.3/1024 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: UDP(17) Inbound interface: GigabitEthernet2/0/1 State: UDP_READY Application: TFTP Start time: 2012-08-15 15:53:36 TTL: 46s...

  • Page 177

    [Router-GigabitEthernet2/0/2] quit # Enable static NAT on interface GigabitEthernet 2/0/1. [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] nat static enable [Router-GigabitEthernet2/0/1] quit Verifying the configuration # Verify that Host A and Host B can access each other. The public address for Host A is 172.16.1.2 and that for Host B is 172.16.2.2.

  • Page 178

    Mapping mode : Address and Port-Dependent : --- Config status: Active NAT ALG: : Enabled : Enabled H323 : Enabled ICMP-ERROR : Enabled : Enabled MGCP : Enabled : Enabled PPTP : Enabled : Enabled RTSP : Enabled SCCP : Enabled : Enabled SQLNET : Enabled...

  • Page 179: Load Sharing Nat Server Configuration Example

    Load sharing NAT Server configuration example Network requirements As shown in Figure 72, three FTP servers are in the intranet to provide FTP services for external users. Configure NAT so that these external users use the address 202.38.1.1/16 to access the servers and the three FTP servers implement load sharing.

  • Page 180

    Totally 1 internal servers. Interface: GigabitEthernet2/0/2 Protocol: 6(TCP) Global IP/port: 202.38.1.1/21 Local IP/port : server group 0 10.110.10.1/21 (Connections: 1) 10.110.10.2/21 (Connections: 2) 10.110.10.3/21 (Connections: 2) Config status : Active Global flow-table status: Active Local flow-table status: Active NAT logging: Log enable : Disabled Flow-begin...

  • Page 181: Nat With Dns Mapping Configuration Example

    VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/0/2 Responder: Source IP/port: 10.110.10.3/21 Destination IP/port: 202.38.1.25/53957 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/0/1 State: TCP_ESTABLISHED Application: FTP Start time: 2012-08-16 11:06:07 TTL: 26s Initiator->Responder: 1 packets 60 bytes...

  • Page 182

    Configuration procedure # Specify IP addresses for the interfaces on the router. (Details not shown.) # Enable NAT with ALG for DNS. <Router> system-view [Router] nat alg dns # Enter interface view of GigabitEthernet 2/0/2. [Router] interface gigabitethernet 2/0/2 # Configure NAT Server to allow external hosts to access the internal Web server by using the address 202.38.1.2.

  • Page 183

    Protocol: 6(TCP) Global IP/port: 202.38.1.2/80 Local IP/port : 10.110.10.1/80 Config status : Active Global flow-table status: Active Local flow-table status: Active NAT DNS mapping information: Totally 2 NAT DNS mappings. Domain name: ftp.server.com Global IP : 202.38.1.2 Global port: 21 Protocol : TCP(6) Config status: Active...

  • Page 184: Ds-lite Nat444 Configuration Example

    SQLNET : Enabled TFTP : Enabled XDMCP : Enabled DS-Lite NAT444 configuration example Network requirements As shown in Figure 74, configure DS-Lite tunneling and NAT to allow the DS-Lite host to access the IPv4 network over the IPv6 network. Figure 74 Network diagram Configuration procedure Before configuration, make sure the DS-Lite host and AFTR can reach each other through IPv6.

  • Page 185

    # Set the port block size to 300. [Router-address-group-0] port-block block-size 300 [Router-address-group-0] quit # Configure an IPv6 ACL to identify packets from subnet 1::/64. [Router] acl ipv6 basic 2100 [Router-acl-ipv6-basic-2100] rule permit source 1::/64 [Router-acl-ipv6-basic-2100] quit # Configure DS-Lite NAT444 on GigabitEthernet 2/0/1. [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] nat outbound ds-lite-b4 2100 address-group 0 [Router-GigabitEthernet2/0/1] quit...

  • Page 186

    # Verify that a NAT444 mapping has been created for the DS-Lite host. [Router] display nat port-block dynamic ds-lite-b4 Local VPN DS-Lite B4 addr Global IP Port block Connections 1::1 20.1.1.11 1024-1323 Total entries found: 1...

  • Page 187: Basic Ip Forwarding On The Device

    Basic IP forwarding on the device The device uses the destination IP address of a received packet to find a match from the forwarding information base (FIB) table. It then uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table.

  • Page 188: Displaying Fib Table Entries

    Displaying FIB table entries Execute display commands in any view. Task Command display fib [ topology topo-name |vpn-instance Display FIB entries. vpn-instance-name ] [ ip-address [ mask | mask-length ] ]...

  • Page 189: Configuring Load Sharing

    Configuring load sharing If a routing protocol finds multiple equal-cost best routes to the same destination, the device forwards packets over the equal-cost routes to implement load sharing. NOTE: The system allows a maximum of 32 load sharing routes. Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: •...

  • Page 190: Configuring Load Sharing Based On Bandwidth

    Configuring load sharing based on bandwidth This feature load shares flow traffic among multiple output interfaces based on their load percentages. The device calculates the load percentage for each output interface in terms of the interface expected bandwidth. Devices that run load sharing protocols, such as Locator/ID Separation Protocol (LISP), implement load sharing based on the ratios defined by these protocols.

  • Page 191: Configuring Fast Forwarding

    Configuring fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: source IP address, source port number, destination IP address, destination port number, and protocol number.

  • Page 192: Displaying And Maintaining Fast Forwarding

    Step Command Remarks Enter system view. system-view Enable fast forwarding load By default, fast forwarding load ip fast-forwarding load-sharing sharing. sharing is enabled. Displaying and maintaining fast forwarding Execute display commands in any view and reset commands in user view. Task Command Display fast forwarding entries (centralized devices...

  • Page 193: Configuring Flow Classification

    Configuring flow classification To implement differentiated services, flow classification categorizes packets to be forwarded by a multicore device according to one of the following flow classification policies: • Flow-based policy—Forwards packets of a flow to the same CPU. A data flow is defined by using the following fields: source IP address, destination IP address, source port number, destination port number, and protocol number.

  • Page 194: Displaying The Adjacency Table

    Displaying the adjacency table Overview The adjacency table stores information about directly connected neighbors for IP forwarding. The neighbor information in this chapter refers to non-Ethernet neighbor information. This table is not user configurable. The neighbor information is generated, updated, and deleted by link layer protocols through negotiation (such as PPP dynamic negotiation) or through manual configuration (such as ATM static configuration).

  • Page 195: Command And Hardware Compatibility

    Item Description Link head Link layer header for MPLS forwarding. information(MPLS) Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954(JH296A/JH297A/JH298A/JH299A) Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. Displaying commands To display adjacency table entries, use one of the following commands in any view: Task...

  • Page 196: Configuring Irdp, Basic Concepts

    Configuring IRDP The term "router" in this chapter refers to a routing-capable device. The term "host" in this chapter refers to the host that supports IRDP. For example, a host that runs the Linux operating system. Overview ICMP Router Discovery Protocol (IRDP), an extension of the ICMP, is independent of any routing protocol.

  • Page 197

    Advertising interval A router interface with IRDP enabled sends out RAs at a random interval between the minimum and maximum advertising intervals. This mechanism prevents the local link from being overloaded by a large number of RAs sent simultaneously from routers. As a best practice, shorten the advertising interval on a link that suffers high packet loss rates.

  • Page 198: Irdp Configuration Example

    Step Command Remarks multicast address 224.0.0.1 as address 255.255.255.255 as the the destination IP address of destination IP address. RAs. Repeat this step to specify multiple proxy-advertised IP addresses. (Optional.) Specify a By default, no IP address is ip irdp address ip-address proxy-advertised IP address specified.

  • Page 199

    [RouterA-GigabitEthernet2/0/1] ip irdp multicast # Specify the IP address 192.168.1.0 and preference 400 for GigabitEthernet 2/0/1 to proxy-advertise. [RouterA-GigabitEthernet2/0/1] ip irdp address 192.168.1.0 400 Configure Router B: # Specify an IP address for GigabitEthernet 2/0/1. <RouterB> system-view [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] ip address 10.154.5.2 24 # Enable IRDP on GigabitEthernet 2/0/1.

  • Page 200: Optimizing Ip Performance

    Optimizing IP performance A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation. Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S.

  • Page 201: Configuration Example

    Step Command Remarks Enable the interface to By default, an interface cannot receive and forward directed forward directed broadcasts ip forward-broadcast broadcasts destined for the destined for the directly connected directly connected network. network. Configuration example Network requirements As shown in Figure 76, the default gateway of the host is the IP address 1.1.1.2/24 of the interface GigabitEthernet 2/0/1 of Router A.

  • Page 202: Configuring Mtu For An Interface

    Configuring MTU for an interface When a packet exceeds the MTU of the output interface, the device processes it in one of the following ways: • If the packet disallows fragmentation, the device discards it. • If the packet allows fragmentation, the device fragments it and forwards the fragments. Fragmentation and reassembling consume system resources, so set an appropriate MTU for an interface based on the network environment to avoid fragmentation.

  • Page 203: Enabling Tcp Syn Cookie

    TCP path MTU discovery (in RFC 1191) discovers the path MTU between the source and destination ends of a TCP connection. It works as follows: A TCP source device sends a packet with the Don't Fragment (DF) bit set. A router discards the packet that exceeds the MTU of the outgoing interface and returns an ICMP error message.

  • Page 204: Configuring The Tcp Buffer Size

    SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.

  • Page 205

    The selected route is not created or modified by any ICMP redirect messages. The selected route is not destined for 0.0.0.0. There is no source route option in the received packet. ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing table.

  • Page 206: Configuring Rate Limit For Icmp Error Messages

    Step Command Remarks • Enable sending ICMP redirect messages: ip redirects enable • Enable sending ICMP time exceeded Enable sending ICMP messages: The default settings are error messages. ip ttl-expires enable disabled. • Enable sending ICMP destination unreachable messages: ip unreachables enable Sending ICMP error messages facilitates network management, but sending excessive ICMP messages increases network traffic.

  • Page 207: Enabling Ipv4 Local Fragment Reassembly

    Step Command Remarks ip icmp source By default, the device uses the IP Specify the source [ vpn-instance address of the sending interface as the address for outgoing vpn-instance-name ] source IP address for outgoing ICMP ICMP packets. ip-address packets. Enabling IPv4 local fragment reassembly Perform this task to enable the local reassembly feature for IPv4 fragments that are destined for the local device.

  • Page 208

    Task Command Display brief information about TCP connections (distributed display tcp [ chassis chassis-number slot devices in IRF mode). slot-number ] Display brief information about TCP proxy (centralized display tcp-proxy devices in standalone mode). Display brief information about TCP proxy (distributed devices display tcp-proxy slot slot-number in standalone mode/centralized devices in IRF mode).

  • Page 209

    Task Command Display ICMP statistics (centralized devices in standalone display icmp statistics mode). Display ICMP statistics (distributed devices in standalone display icmp statistics [ slot mode/centralized devices in IRF mode). slot-number ] display icmp statistics [ chassis Display ICMP statistics (distributed devices in IRF mode). chassis-number slot slot-number ] Clear IP packet statistics (centralized devices in standalone reset ip statistics...

  • Page 210: Configuring Udp Helper

    Configuring UDP helper Overview UDP helper can provide the following packet conversion for packets with specific UDP destination port numbers: • Convert broadcast to unicast, and forward the unicast packets to specific destinations. • Convert broadcast to multicast, and forward the multicast packets. •...

  • Page 211: Configuring Udp Helper To Convert Broadcast To Multicast

    • If a match is found, UDP helper duplicates the packet and modifies the destination IP address of the copy to the configured unicast address. Then UDP helper forwards the unicast packet to the unicast address. • If no match is found, UDP helper does not process the packet. To configure UDP helper to convert broadcast to unicast: Step Command...

  • Page 212: Configuring Udp Helper To Convert Multicast To Broadcast Or Unicast

    Step Command Remarks By default, no destination multicast address is specified for UDP helper. Specify a destination If you specify multiple multicast multicast address for udp-helper broadcast-map addresses, UDP helper UDP helper to convert multicast-address [ acl acl-number ] creates one copy for each broadcast to multicast.

  • Page 213: Displaying And Maintaining Udp Helper

    Displaying and maintaining UDP helper Execute display command in any view and reset commands in user view. Task Command Display information about broadcast to display udp-helper interface interface-type unicast conversion by UDP helper on an interface-number interface. Clear packet statistics for UDP helper. reset udp-helper statistics UDP helper configuration examples Configuring UDP helper to convert broadcast to unicast...

  • Page 214

    Interface Server VPN instance Server address Packets sent GigabitEthernet2/0/1 10.2.1.1 Configuring UDP helper to convert broadcast to multicast Network requirements As shown in Figure 78, Router B can receive multicast packets destined for 225.1.1.1. Configure UDP helper to convert broadcast to multicast on GigabitEthernet 2/0/1 of Router A. This feature enables Router A to forward broadcast packets with UDP destination port number 55 to the multicast group 225.1.1.1.

  • Page 215: Configuring Udp Helper To Convert Multicast To Broadcast

    # Configure GigabitEthernet 2/0/2 as a static member of the multicast group 225.1.1.1. [RouterA-GigabitEthernet2/0/2] igmp static-group 225.1.1.1 Verifying the configuration Verify that you can capture multicast packets from Router A on Router B. Configuring UDP helper to convert multicast to broadcast Network requirements As shown in Figure...

  • Page 216: Ipv6 Features

    Configuring basic IPv6 settings Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

  • Page 217: Ipv6 Addresses

    • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router. To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).

  • Page 218

    • Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Broadcast addresses are replaced by multicast addresses in IPv6. •...

  • Page 219: Ipv6 Nd Protocol

    duplicate addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.

  • Page 220

    ICMPv6 message Type Function Responds to an RS message. Router Advertisement (RA) Advertises information, such as the Prefix Information options and flag bits. Informs the source host of a better next hop on the path to a Redirect particular destination when certain conditions are met. Address resolution This function is similar to ARP in IPv4.

  • Page 221: Ipv6 Path Mtu Discovery

    Figure 83 Duplicate address detection Host A sends an NS message. The source address is the unspecified address and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message body contains the detected IPv6 address. If Host B uses this IPv6 address, Host B returns an NA message that contains its IPv6 address.

  • Page 222: Ipv6 Transition Technologies

    Figure 84 Path MTU discovery process The source host sends a packet no larger than its MTU to the destination host. If the MTU of a device's output interface is smaller than the packet, the device performs the following tasks: Discards the packet.

  • Page 223: Nat-pt

    NAT-PT Network Address Translation – Protocol Translation (NAT-PT) enables communication between IPv4 and IPv6 nodes by translating between IPv4 and IPv6 packets. It performs IP address translation, and according to different protocols, performs semantic translation for packets. This technology is only suitable for communication between a pure IPv4 node and a pure IPv6 node.

  • Page 224: Ipv6 Basics Configuration Task List

    Compatibility information Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954(JH296A/JH297A/JH298A/JH299A) Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. IPv6 basics configuration task list Tasks at a glance (Required.) Assigning IPv6 addresses to...

  • Page 225: Assigning Ipv6 Addresses To Interfaces

    Assigning IPv6 addresses to interfaces This section describes how to configure an IPv6 global unicast address, an IPv6 link-local address, and an IPv6 anycast address. Configuring an IPv6 global unicast address Use one of the following methods to configure an IPv6 global unicast address for an interface: •...

  • Page 226

    Step Command Remarks interface interface-type Enter interface view. interface-number By default, no IPv6 global unicast address is configured on an interface. Using the undo ipv6 address auto Enable stateless address ipv6 address auto command on an interface removes autoconfiguration. all IPv6 global unicast addresses and link-local addresses that are automatically generated on the interface.

  • Page 227: Configuring An Ipv6 Link-local Address

    To generate a temporary address, an interface must be enabled with stateless address autoconfiguration. Temporary IPv6 addresses do not overwrite public IPv6 addresses, so an interface can have multiple IPv6 addresses with the same address prefix but different interface IDs. If an interface fails to generate a public IPv6 address because of a prefix conflict or other reasons, it does not generate any temporary IPv6 address.

  • Page 228: Configuring A Static Neighbor Entry

    Step Command Remarks By default, no link-local address is configured on an interface. Manually specify an IPv6 ipv6 address ipv6-address link-local address for the After an IPv6 global unicast address is link-local interface. configured on the interface, a link-local address is generated automatically. After you configure an IPv6 global unicast address for an interface, the interface automatically generates a link-local address.

  • Page 229: Setting The Maximum Number Of Dynamic Neighbor Entries

    Do not specify a Reth interface as the outgoing interface in IPv6 static neighbor entries if its member interfaces contain subinterfaces. For more information about Reth interfaces, see High Availability Configuration Guide. To configure a static neighbor entry: Step Command Remarks Enter system view.

  • Page 230: Minimizing Link-local Nd Entries

    Minimizing link-local ND entries Perform this task to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries that contain link-local addresses. By default, the device assigns all ND entries to the driver. With this function enabled, the device does not add newly learned link-local ND entries whose link local addresses are not the next hop of any route into the driver.

  • Page 231

    Parameter Description Determines whether a host uses stateful autoconfiguration to obtain configuration information other than IPv6 address. O flag If the O flag is set to 1, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than IPv6 address. Otherwise, the host uses stateless autoconfiguration.

  • Page 232: Configuring The Maximum Number Of Attempts To Send An Ns Message For Dad

    Step Command Remarks [ no-autoconfig | off-link ] * information. If the IPv6 address is manually configured, the prefix uses a fixed valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days). If the IPv6 address is automatically obtained, the prefix uses the valid lifetime and preferred lifetime configured for the...

  • Page 233: Enabling Nd Proxy

    Step Command Remarks message for DAD. disabled. Enabling ND proxy About ND proxy ND proxy enables a device to answer an NS message requesting the hardware address of a host on another network. With ND proxy, hosts in different broadcast domains can communicate with each other as they would on the same network.

  • Page 234: Configuring Ipv6 Nd Suppression

    To solve this problem, enable local ND proxy on GigabitEthernet 2/0/2 of the router so that the router can forward messages between Host A and Host B. Local ND proxy implements Layer 3 communication for two hosts in the following cases: The two hosts connect to ports of the same device and the ports must be in different VLANs.

  • Page 235: Configuring Ipv6 Nd Direct Route Advertisement

    Figure 88 Typical application To configure the IPv6 ND suppression feature: Step Command Remarks Enter system view. system-view By default, no cross-connect group is configured on the device. Configure a cross-connect xconnect-group group-name For more information about the group and enter its view. command, see MPLS Command Reference.

  • Page 236: Configuring The Interface Mtu

    Figure 89 Typical application To configure ND direct route advertisement: Step Command Remarks Enter system view. system-view By default, no L3VE interface is configured on the device. Configure an L3VE interface interface ve-l3vpn For more information about the and enter its view. interface-number command, see MPLS Command Reference.

  • Page 237: Configuring A Static Path Mtu For An Ipv6 Address

    Configuring a static path MTU for an IPv6 address You can configure a static path MTU for an IPv6 address. Before sending a packet to the IPv6 address, the device compares the MTU of the output interface with the static path MTU. If the packet exceeds the smaller one of the two values, the device fragments the packet according to the smaller value.

  • Page 238: Enabling Replying To Multicast Echo Requests

    Step Command Remarks Enter system view. system-view By default, the bucket allows a maximum of 10 tokens. A token is Set the bucket size and the placed in the bucket at an interval of interval for tokens to arrive in ipv6 icmpv6 error-interval 100 milliseconds.

  • Page 239: Enabling Sending Icmpv6 Time Exceeded Messages

    Enabling sending ICMPv6 time exceeded messages The device sends the source ICMPv6 time exceeded messages as follows: • If a received packet is not destined for the device and its hop limit is 1, the device sends an ICMPv6 hop limit exceeded in transit message to the source. •...

  • Page 240: Enabling Ipv6 Local Fragment Reassembly

    Step Command Remarks Enter system view. system-view By default, the device uses the Specify an IPv6 address as ipv6 icmpv6 source IPv6 address of the sending the source address for [ vpn-instance interface as the source IPv6 outgoing ICMPv6 packets. vpn-instance-name ] ipv6-address address for outgoing ICMPv6 packets.

  • Page 241: Displaying And Maintaining Ipv6 Basics

    Displaying and maintaining IPv6 basics Execute display commands in any view and reset commands in user view. Task Command display ipv6 fib [ vpn-instance Display IPv6 FIB entries. vpn-instance-name ] [ ipv6-address [ prefix-length ] ] display ipv6 interface [ interface-type Display IPv6 information about the interface.

  • Page 242

    Task Command Display IPv6 and ICMPv6 statistics (distributed display ipv6 statistics [ chassis chassis-number devices in IRF mode). slot slot-number ] Display brief information about IPv6 RawIP connections (centralized devices in standalone display ipv6 rawip mode). Display brief information about IPv6 RawIP connections (distributed devices in standalone display ipv6 rawip [ slot slot-number ] mode/centralized devices in IRF mode).

  • Page 243

    Task Command Display detailed information about IPv6 UDP connections (centralized devices in standalone display ipv6 udp verbose [ pcb pcb-index ] mode). Display detailed information about IPv6 UDP display ipv6 udp verbose [ slot slot-number [ pcb connections (distributed devices in standalone pcb-index ] ] mode/centralized devices in IRF mode).

  • Page 244: Ipv6 Configuration Examples

    Task Command IRF mode). Clear IPv6 and ICMPv6 packet statistics (distributed reset ipv6 statistics [ chassis chassis-number slot devices in IRF mode). slot-number ] Clear IPv6 TCP traffic statistics. reset tcp statistics Clear IPv6 UDP traffic statistics. reset udp statistics IPv6 configuration examples Basic IPv6 configuration example Network requirements...

  • Page 245

    [RouterA] display ipv6 neighbors interface gigabitethernet 2/0/2 Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid IPv6 Address Link Layer Interface State T Age FE80::215:E9FF:FEA6:7D14 0015-e9a6-7d14 N/A GE2/0/2 STALE D 1238 2001::15B:E0EA:3524:E791 0015-e9a6-7d14 N/A GE2/0/2 STALE D 1248 The output shows that the IPv6 global unicast address that the host obtained is 2001::15B:E0EA:3524:E791.

  • Page 246

    InAddrErrors: InDiscards: OutDiscards: [RouterA] display ipv6 interface gigabitethernet 2/0/2 GigabitEthernet2/0/2 current state: UP Line protocol current state: UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FF00:1C0 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds...

  • Page 247

    OutDiscards: # Display IPv6 interface information on Router B. [RouterB] display ipv6 interface gigabitethernet 2/0/1 GigabitEthernet2/0/1 current state: UP Line protocol current state: UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234 Global unicast address(es): 3001::2, subnet is 3001::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:2...

  • Page 248: Ipv6 Nd Suppression Configuration Example

    To ping a link-local address, use the –i parameter to specify an interface for the link-local address. [RouterB] ping ipv6 -c 1 3001::1 Ping6(56 data bytes) 3001::2 --> 3001::1, press CTRL_C to break 56 bytes from 3001::1, icmp_seq=0 hlim=64 time=4.404 ms --- Ping6 statistics for 3001::1 --- 1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 4.404/4.404/4.404/0.000 ms...

  • Page 249: Troubleshooting Ipv6 Basics Configuration

    IPv6 address MAC address Xconnect-group Connection Aging 2001::1 00e0-fc04-582c vpna 2001::3 0023-89b7-0861 vpna Enable ND debugging on Router B to verify that Router B does not receive an ND request from the base station when the following conditions exist (details not shown): a.

  • Page 250: Dhcpv6 Overview

    DHCPv6 overview DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts. Feature and hardware compatibility Hardware DHCPv6 compatibility MSR954(JH296A/JH297A/JH298A/JH299A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 DHCPv6 address/prefix assignment An address/prefix assignment process involves two or four messages. Rapid assignment involving two messages As shown in Figure...

  • Page 251: Address/prefix Lease Renewal

    The Solicit message does not contain a Rapid Commit option. The DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option. The DHCPv6 client might receive multiple Advertise messages offered by different DHCPv6 servers.

  • Page 252: Stateless Dhcpv6

    • If the DHCPv6 client does not receive a response from the DHCPv6 server after sending a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2. Typically, the value of T2 is 0.8 times the preferred lifetime. •...

  • Page 253

    • RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6...

  • Page 254: Configuring The Dhcpv6 Server

    Configuring the DHCPv6 server Overview A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients. IPv6 address assignment As shown in Figure 97, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients include the following types: •...

  • Page 255: Concepts

    Concepts Multicast addresses used by DHCPv6 DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents. DUID A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).

  • Page 256: Ipv6 Address/prefix Allocation Sequence

    Address allocation mechanisms DHCPv6 supports the following address allocation mechanisms: • Static address allocation—To implement static address allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the DHCPv6 address pool.

  • Page 257: Configuration Task List

    Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client. Assignable IPv6 address/prefix in the address pool/prefix pool. IPv6 address/prefix that was a conflict or passed its lease duration. If no IPv6 address/prefix is assignable, the server does not respond. If a client moves to another subnet, the DHCPv6 server selects an IPv6 address/prefix from the address pool that matches the new subnet.

  • Page 258

    Configuration procedure To configure IPv6 prefix assignment: Step Command Remarks Enter system view. system-view By default, no IPv6 prefixes in the prefix pool are excluded from dynamic assignment. (Optional.) Specify the ipv6 dhcp server forbidden-prefix IPv6 prefixes excluded start-prefix/prefix-len If the excluded IPv6 prefix is in a from dynamic [ end-prefix/prefix-len ] [ vpn-instance static binding, the prefix still can...

  • Page 259

    Temporary address assignment—The server selects addresses from the temporary address range specified by the temporary address range command. If no temporary address range is specified in the address pool, the DHCPv6 server cannot assign temporary addresses to clients. Configuration guidelines •...

  • Page 260: Configuring Network Parameters Assignment

    Step Command Remarks temporary address range By default, no temporary IPv6 start-ipv6-address (Optional.) Specify a address range is specified, and end-ipv6-address temporary IPv6 address the DHCPv6 server cannot [ preferred-lifetime range. assign temporary IPv6 preferred-lifetime valid-lifetime addresses. valid-lifetime ] static-bind address By default, no static binding is ipv6-address/addr-prefix-length | configured.

  • Page 261: Configuring Network Parameters In A Dhcpv6 Option Group

    Configuring network parameters in a DHCPv6 option group A DHCPv6 option group can be created by using the following methods: • Create a static DHCPv6 option group by using the ipv6 dhcp option-group command. • When the device acts as a DHCPv6 client, it automatically creates a dynamic DHCPv6 option group for saving the obtained parameters.

  • Page 262

    • Only one address pool can be applied to an interface. If you use the ipv6 dhcp server apply pool command multiple times, the most recent configuration takes effect. Configuration procedure To configure the DHCPv6 server on an interface: Step Command Remarks Enter system view.

  • Page 263

    To configure DHCPv6 binding auto backup: Step Command Remarks Enter system view. system-view By default, the DHCPv6 server does not back up the DHCPv6 ipv6 dhcp server database bindings. Configure the DHCPv6 server filename { filename | url url to back up the bindings to a With this command executed, [ username username [ password file.

  • Page 264: Applying A Dhcpv6 Address Pool To A Vpn Instance

    Step Command Remarks Enter system view. system-view Create an address pool and By default, no DHCPv6 address ipv6 dhcp pool pool-name enter its view. pool exists. network prefix/prefix-length By default, the subnet assigned Advertise the subnet assigned [ preferred-lifetime to DHCPv6 clients are not to DHCPv6 clients.

  • Page 265: Displaying And Maintaining The Dhcpv6 Server

    Step Command Remarks By default, DHCPv6 logging is Enable DHCPv6 logging. dhcp log enable disabled. Displaying and maintaining the DHCPv6 server Execute display commands in any view and reset commands in user view. Task Command Display the DUID of the local device. display ipv6 dhcp duid Display information about a DHCPv6 display ipv6 dhcp option-group [ option-group-number ]...

  • Page 266: Dhcpv6 Server Configuration Examples

    DHCPv6 server configuration examples Dynamic IPv6 prefix assignment configuration example Network requirements As shown in Figure 101, the router acts as a DHCPv6 server to assign an IPv6 prefix, a DNS server address, a domain name, a SIP server address, and a SIP server name to each DHCPv6 client. router assigns prefix...

  • Page 267

    # Apply prefix pool 1 to address pool 1, and set the preferred lifetime to one day, and the valid lifetime to three days. [Router-dhcp6-pool-1] prefix-pool 1 preferred-lifetime 86400 valid-lifetime 259200 # In address pool 1, bind prefix 2001:0410:0201::/48 to the client DUID 00030001CA0006A40000, and set the preferred lifetime to one day, and the valid lifetime to three days.

  • Page 268: Dynamic Ipv6 Address Assignment Configuration Example

    # Display information about prefix pool 1. [Router-GigabitEthernet2/0/1] display ipv6 dhcp prefix-pool 1 Prefix: 2001:410::/32 Assigned length: 48 Total prefix number: 65536 Available: 65535 In-use: 0 Static: 1 # After the client with the DUID 00030001CA0006A40000 obtains an IPv6 prefix, display the binding information on the DHCPv6 server.

  • Page 269

    Configuration procedure Configure the interfaces on the DHCPv6 server: # Specify an IPv6 address for GigabitEthernet 2/0/1. <RouterA> system-view [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] ipv6 address 1::1:0:0:1/96 # Disable RA message suppression on GigabitEthernet 2/0/1. [RouterA-GigabitEthernet2/0/1] undo ipv6 nd ra halt # Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1.

  • Page 270

    [RouterA] ipv6 dhcp pool 2 [RouterA-dhcp6-pool-2] network 1::2:0:0:0/96 preferred-lifetime 432000 valid-lifetime 864000 [RouterA-dhcp6-pool-2] domain-name aabbcc.com [RouterA-dhcp6-pool-2] dns-server 1::2:0:0:2 [RouterA-dhcp6-pool-2] quit Verifying the configuration # Verify that clients on subnets 1::1:0:0:0/96 and 1::2:0:0:0/96 can obtain IPv6 addresses and all other configuration parameters from the DHCPv6 server (Router A). (Details not shown.) # On the DHCPv6 server, display IPv6 addresses assigned to the clients.

  • Page 271: Configuring The Dhcpv6 Relay Agent

    Configuring the DHCPv6 relay agent Overview A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 103, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server.

  • Page 272: Dhcpv6 Relay Agent Configuration Task List

    Figure 104 Operating process of a DHCPv6 relay agent DHCPv6 client DHCPv6 relay agent DHCPv6 server Solicit (contains a Rapid Commit option) (2) Relay-forward (3) Relay-reply (4) Reply DHCPv6 relay agent configuration task list Tasks at a glance (Required.) Enabling the DHCPv6 relay agent on an interface (Required.) Specifying DHCPv6 servers on the relay agent (Optional.)

  • Page 273: Setting The Dscp Value For Dhcpv6 Packets Sent By The Dhcpv6 Relay Agent

    Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no DHCPv6 server is specified. If a DHCPv6 server address is a ipv6 dhcp relay server-address link-local address or multicast Specify a DHCPv6 server. ipv6-address [ interface address, you must specify an interface-type interface-number ] outgoing interface by using the...

  • Page 274: Configuring A Dhcpv6 Relay Address Pool

    Configuring a DHCPv6 relay address pool This feature allows DHCPv6 clients of the same type to obtain IPv6 addresses and other configuration parameters from the DHCPv6 servers specified in the matching relay address pool. It applies to scenarios where the DHCPv6 relay agent connects to clients of the same access type but classified into different types by their locations.

  • Page 275: Displaying And Maintaining The Dhcpv6 Relay Agent

    Step Command Remarks By default, the DHCPv6 relay Specify a gateway address for ipv6 dhcp relay gateway agent uses the first IPv6 DHCPv6 clients. ipv6-address address of the relay interface as the clients' gateway address. Displaying and maintaining the DHCPv6 relay agent Execute display commands in any view and reset commands in user view.

  • Page 276

    Configuration procedure # Specify IPv6 addresses for GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2. <RouterA> system-view [RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ipv6 address 2::1 64 [RouterA-GigabitEthernet2/0/2] quit [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] ipv6 address 1::1 64 # Disable RA message suppression on GigabitEthernet 2/0/1. [RouterA-GigabitEthernet2/0/1] undo ipv6 nd ra halt # Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/0/1.

  • Page 277

    Relay-forward Relay-reply...

  • Page 278: Configuring The Dhcpv6 Client

    Configuring the DHCPv6 client Overview With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server. A DHCPv6 client can use DHCPv6 to complete the following functions: • Obtain an IPv6 address, an IPv6 prefix, or both, and obtain other configuration parameters. The client automatically creates a DHCPv6 option group for the obtained parameters.

  • Page 279: Configuring Ipv6 Prefix Acquisition

    Configuring IPv6 prefix acquisition Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Configure the interface to ipv6 dhcp client pd By default, the interface does not use DHCPv6 to obtain an prefix-number [ option-group use DHCPv6 for IPv6 prefix IPv6 prefix and other group-number | rapid-commit ] * acquisition.

  • Page 280: Displaying And Maintaining Dhcpv6 Client

    To set the DSCP value for DHCPv6 packets sent by the DHCPv6 client: Step Command Remarks Enter system view. system-view Set the DSCP value for ipv6 dhcp client dscp By default, the DSCP value in DHCPv6 DHCPv6 packets sent by the dscp-value packets sent by the DHCPv6 client is 56.

  • Page 281

    <Router> system-view [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] ipv6 address dhcp-alloc rapid-commit option-group 1 [Router-GigabitEthernet2/0/1] quit Verifying the configuration # Verify that the DHCPv6 client has obtained configuration parameters from the server. [Router] display ipv6 dhcp client GigabitEthernet2/0/1: Type: Stateful client requesting address State: OPEN Client DUID: 00030001d07e28db74fb Preferred server:...

  • Page 282: Ipv6 Prefix Acquisition Configuration Example

    *down: administratively down (s): spoofing Interface Physical Protocol IPv6 Address GigabitEthernet2/0/1 1:1::2 IPv6 prefix acquisition configuration example Network requirements As shown in Figure 107, configure GigabitEthernet 2/0/1 of the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

  • Page 283: Ipv6 Address And Prefix Acquisition Configuration Example

    IA_PD: IAID 0x00000a02, T1 50 sec, T2 80 sec Prefix: 12:34::/48 Preferred lifetime 100 sec, valid lifetime 200 sec Will expire on Feb 4 2014 at 15:37:20(80 seconds left) DNS server addresses: 2000::FF Domain name: example.com SIP server addresses: 2:2::4 SIP server domain names: bbb.com # Verify that the client has obtained an IPv6 prefix.

  • Page 284

    Figure 108 Network diagram Configuration procedure You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server." # Configure an IPv6 address for GigabitEthernet 2/0/1 that connects to the DHCPv6 server. <Router>...

  • Page 285: Stateless Dhcpv6 Configuration Example

    example.com SIP server addresses: 2:2::4 SIP server domain names: bbb.com # Display brief IPv6 information for all interfaces on the device. The output shows that the DHCPv6 client has obtained an IPv6 address. [Router] display ipv6 interface brief *down: administratively down (s): spoofing Interface Physical...

  • Page 286

    Figure 109 Network diagram Configuration procedure You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server." Configure the gateway Router B: # Configure an IPv6 address for GigabitEthernet 2/0/1. <RouterB>...

  • Page 287

    Domain name: abc.com # Display DHCPv6 client statistics. [RouterA-GigabitEthernet2/0/1] display ipv6 dhcp client statistics Interface GigabitEthernet2/0/1 Packets received Reply Advertise Reconfigure Invalid Packets sent Solicit Request Renew Rebind Information-request Release Decline...

  • Page 288: Configuring Dhcpv6 Snooping

    Configuring DHCPv6 snooping This feature is supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW. HMIM-24GSW. HMIM-24GSW-PoE. SIC-4GSW. SIC-4GSW-PoE. • Fixed Layer 2 Ethernet ports on MSR2004-24/2004-48 routers. • Fixed Layer 2 Ethernet ports on MSR1002-4/1003-8S routers. Overview DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent.

  • Page 289

    Figure 110 Trusted and untrusted ports Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954(JH296A/JH297A/JH298A/JH299A) Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. Implementation of Option 18 and Option 37 Option 18 for DHCPv6 snooping Option 18, also called the interface-ID option, is used by the DHCPv6 relay agent to determine the...

  • Page 290: Dhcpv6 Snooping Support For Option 37

    • Option code—Option code. • Option length—Size of the option data. • Port index—Port that receives the DHCPv6 request from the client. • VLAN ID—ID of the outer VLAN. • Second VLAN ID—ID of the inner VLAN. • DUID—DUID of the DHCPv6 client. NOTE: The Second VLAN ID field is optional.

  • Page 291: Configuring Basic Dhcpv6 Snooping

    Tasks at a glance (Optional.) Configuring Option 18 and Option 37 (Optional.) Configuring DHCPv6 snooping entry auto backup (Optional.) Setting the maximum number of DHCPv6 snooping entries (Optional.) Enabling DHCPv6-REQUEST check Configuring basic DHCPv6 snooping Follow these guidelines when you configure basic DHCPv6 snooping: •...

  • Page 292: Configuring Dhcpv6 Snooping Entry Auto Backup

    Step Command Remarks Enable support for Option ipv6 dhcp snooping option By default, Option 18 is not interface-id enable supported. ipv6 dhcp snooping option By default, the DHCPv6 snooping (Optional.) Specify the interface-id [ vlan vlan-id ] string device uses its DUID as the content as the interface ID.

  • Page 293: Setting The Maximum Number Of Dhcpv6 Snooping Entries

    Setting the maximum number of DHCPv6 snooping entries Perform this task to prevent the system resources from being overused. To set the maximum number of DHCPv6 snooping entries: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Set the maximum number By default, the number of DHCPv6...

  • Page 294: Displaying And Maintaining Dhcpv6 Snooping

    Displaying and maintaining DHCPv6 snooping Execute display commands in any view, and reset commands in user view. Task Command Display information about trusted ports. display ipv6 dhcp snooping trust display ipv6 dhcp snooping binding [ address Display DHCPv6 snooping entries. ipv6-address [ vlan vlan-id ] ] Display information about the file that stores DHCPv6 display ipv6 dhcp snooping binding database...

  • Page 295

    Configuration procedure # Enable DHCPv6 snooping. <RouterB> system-view [RouterB] ipv6 dhcp snooping enable # Specify GigabitEthernet 2/0/1 as a trusted port. [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] ipv6 dhcp snooping trust [RouterB-GigabitEthernet2/0/1] quit # Enable recording of client information in DHCPv6 snooping entries. [RouterB]interface gigabitethernet 2/0/2 [RouterB-GigabitEthernet2/0/2] ipv6 dhcp snooping binding record [RouterB-GigabitEthernet2/0/2] quit...

  • Page 296: Configuring Ipv6 Fast Forwarding

    Configuring IPv6 fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: • Source IPv6 address. • Destination IPv6 address. •...

  • Page 297: Configuring Ipv6 Fast Forwarding Load Sharing

    Configuring IPv6 fast forwarding load sharing IPv6 fast forwarding load sharing enables the device to load share packets of the same flow. This feature identifies a data flow by using the five-tuple (source IP, source port, destination IP, destination port, and protocol). If IPv6 fast forwarding load sharing is disabled, the device identifies a data flow by the five-tuple and the input interface.

  • Page 298: Configuring Tunneling, Ipv6 Over Ipv4 Tunneling

    Configuring tunneling Overview Tunneling encapsulates the packets of a network protocol within the packets of a second network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source and de-encapsulated at the tunnel destination.

  • Page 299

    In the IPv4 header, the source IPv4 address is the IPv4 address of the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination. Upon receiving the packet, Device B de-encapsulates the packet. If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol.

  • Page 300: Ipv4 Over Ipv4 Tunneling

    • IPv6 over IPv4 manual tunneling—A point-to-point link. This type of tunneling provides the following solutions: Connects isolated IPv6 networks over an IPv4 network. Connects an IPv6 network and an IPv4/IPv6 dual-stack host over an IPv4 network. • Automatic IPv4-compatible IPv6 tunneling—A point-to-multipoint link. Automatic IPv4-compatible IPv6 tunnels have limitations because IPv4-compatible IPv6 addresses must use globally unique IPv4 addresses.

  • Page 301: Ipv4 Over Ipv6 Tunneling

    Figure 117 IPv4 over IPv4 tunnel Figure 117 shows the encapsulation and de-encapsulation processes. • Encapsulation: a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. b. The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header.

  • Page 302

    Figure 118 IPv4 over IPv6 tunnel Figure 118 shows the encapsulation and de-encapsulation processes. • Encapsulation: a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack. b. The IPv4 protocol stack uses the destination address of the packet to determine the egress interface.

  • Page 303

    Figure 119 DS-Lite tunnel As shown in Figure 119, the DS-Lite feature contains the following components: Basic Bridging BroadBand (B4) element The B4 element is typically a CPE router that connects end hosts. IPv4 packets entering the B4 router are encapsulated into IPv6 packets and sent to the AFTR. IPv6 packets from the AFTR are de-encapsulated into IPv4 packets and sent to the subscriber's network.

  • Page 304

    Figure 120 Packet forwarding process in DS-Lite 10.0.0.1/24 30.1.1.1/24 10.0.0.2/24 1::1/64 2::1/64 20.1.1.1/24 Private IPv6 network IPv4 network IPv4 network DS-Lite tunnel IPv4 host IPv4 host AFTR IPv4 dst: 30.1.1.1 IPv4 src: 10.0.0.1 TCP dst: 80 IPv6 dst: 2::1 TCP src: 10000 IPv6 src: 1::1 IPv4 dst: 30.1.1.1 Adds an IPv6...

  • Page 305: Ipv6 Over Ipv6 Tunneling

    IPv6 over IPv6 tunneling IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other. Figure 121 Principle of IPv6 over IPv6 tunneling Figure 121 shows the encapsulation and de-encapsulation processes.

  • Page 306: Tunneling Configuration Task List

    Compatibility information Feature and hardware compatibility Hardware Tunneling compatibility MSR954(JH296A/JH297A/JH298A/JH299A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. Tunneling configuration task list Tasks at a glance (Required.)

  • Page 307

    When an active/standby switchover occurs or the standby card is removed on a distributed device, the tunnel interfaces configured on the active or standby card still exist. To delete a tunnel interface, use the undo interface tunnel command. To configure a tunnel interface: Step Command Remarks...

  • Page 308: Configuring An Ipv6 Over Ipv4 Manual Tunnel

    Step Command Remarks By default, the tunnel destination belongs to the public network. For a tunnel interface to come up, the tunnel source and 12. Specify the VPN instance to tunnel vpn-instance destination must belong to the which the tunnel destination vpn-instance-name same VPN.

  • Page 309

    Step Command Remarks By default, no destination address is configured for the tunnel interface. Configure a destination The tunnel destination address address for the tunnel destination ip-address must be the IP address of the interface. receiving interface on the tunnel peer.

  • Page 310

    [RouterA-Tunnel0] ipv6 address 3001::1/64 # Specify GigabitEthernet 2/0/2 as the source interface of the tunnel interface. [RouterA-Tunnel0] source gigabitethernet 2/0/2 # Specify the destination address for the tunnel interface as the IP address of GigabitEthernet 2/0/2 on Router B. [RouterA-Tunnel0] destination 192.168.50.1 [RouterA-Tunnel0] quit # Configure a static route destined for IPv6 network 2 through Tunnel 0.

  • Page 311: Configuring An Automatic Ipv4-compatible Ipv6 Tunnel

    Configuring an automatic IPv4-compatible IPv6 tunnel Follow these guidelines when you configure an automatic IPv4-compatible IPv6 tunnel: • You do not need to configure a destination address for an automatic IPv4-compatible IPv6 tunnel. The destination address of the tunnel is embedded in the destination IPv4-compatible IPv6 address.

  • Page 312: Configuring A 6to4 Tunnel

    [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] ip address 192.168.100.1 255.255.255.0 [RouterA-GigabitEthernet2/0/1] quit # Create an automatic IPv4-compatible IPv6 tunnel. [RouterA] interface tunnel 0 mode ipv6-ipv4 auto-tunnel # Specify an IPv4-compatible IPv6 address for the tunnel interface. [RouterA-Tunnel0] ipv6 address ::192.168.100.1/96 # Specify GigabitEthernet 2/0/1 as the source interface of the tunnel interface. [RouterA-Tunnel0] source gigabitethernet 2/0/1 •...

  • Page 313: To4 Tunnel Configuration Example

    • Automatic tunnels do not support dynamic routing. You must configure a static route destined for the destination IPv6 network if the destination IPv6 network is not in the same subnet as the IPv6 address of the tunnel interface. You can specify the local tunnel interface as the egress interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop of the route.

  • Page 314

    Requirements analysis To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 routers and hosts in the 6to4 networks. • The IPv4 address of GigabitEthernet 2/0/2 on Router A is 2.1.1.1/24, and the corresponding 6to4 prefix is 2002:0201:0101::/48. Host A must use this prefix. •...

  • Page 315: To4 Relay Configuration Example

    [RouterB] ipv6 route-static 2002:: 16 tunnel 0 Verifying the configuration # Verify that Host A and Host B can ping each other. D:\>ping6 -s 2002:201:101:1::2 2002:501:101:1::2 Pinging 2002:501:101:1::2 from 2002:201:101:1::2 with 32 bytes of data: Reply from 2002:501:101:1::2: bytes=32 time=13ms Reply from 2002:501:101:1::2: bytes=32 time=1ms Reply from 2002:501:101:1::2: bytes=32 time=1ms Reply from 2002:501:101:1::2: bytes=32 time<1ms...

  • Page 316

    <RouterA> system-view [RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ip address 2.1.1.1 255.255.255.0 [RouterA-GigabitEthernet2/0/2] quit # Specify a 6to4 address for GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] ipv6 address 2002:0201:0101:1::1/64 [RouterA-GigabitEthernet2/0/1] quit # Create the 6to4 tunnel interface Tunnel 0. [RouterA] interface tunnel 0 mode ipv6-ipv4 6to4 # Specify an IPv6 address for the tunnel interface.

  • Page 317: Configuring An Isatap Tunnel

    Reply from 2001::2: bytes=32 time=1ms Reply from 2001::2: bytes=32 time=1ms Reply from 2001::2: bytes=32 time<1ms Ping statistics for 2001::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 13ms, Average = 3ms Configuring an ISATAP tunnel Follow these guidelines when you configure an ISATAP tunnel: •...

  • Page 318

    Configuration example Network requirements As shown in Figure 126, configure an ISATAP tunnel between the router and the ISATAP host so the ISATAP host in the IPv4 network can access the IPv6 network. Figure 126 Network diagram Configuration procedure • Configure the router: # Specify an IPv6 address for GigabitEthernet 2/0/2.

  • Page 319

    does not use Router Discovery routing preference 1 EUI-64 embedded IPv4 address: 0.0.0.0 router link-layer address: 0.0.0.0 preferred link-local fe80::5efe:1.1.1.2, life infinite link MTU 1280 (true link MTU 65515) current hop limit 128 reachable time 42500ms (base 30000ms) retransmission interval 1000ms DAD transmits 0 default site prefix length 48 # Specify an IPv4 address for the ISATAP router.

  • Page 320: Configuring An Ipv4 Over Ipv4 Tunnel

    Reply from 3001::2: time=1ms Ping statistics for 3001::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms Configuring an IPv4 over IPv4 tunnel Follow these guidelines when you configure an IPv4 over IPv4 tunnel: •...

  • Page 321

    Step Command Remarks (Optional.) Set the DF bit for By default, the DF bit is not set for tunnel dfbit enable tunneled packets. tunneled packets. Configuration example Network requirements As shown in Figure 127, the two subnets IPv4 group 1 and IPv4 group 2 use private IPv4 addresses. Configure an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each other.

  • Page 322: Configuring An Ipv4 Over Ipv6 Manual Tunnel

    <RouterB> system-view [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] ip address 10.1.3.1 255.255.255.0 [RouterB-GigabitEthernet2/0/1] quit # Specify an IPv4 address for Serial 2/1/1, which is the physical interface of the tunnel. [RouterB] interface serial 2/1/1 [RouterB-Serial2/1/1] ip address 3.1.1.1 255.255.255.0 [RouterB-Serial2/1/1] quit # Create the IPv4 over IPv4 tunnel interface Tunnel 2.

  • Page 323

    Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop. Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose. For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

  • Page 324

    [RouterA-GigabitEthernet2/0/1] quit # Specify an IPv6 address for Serial 2/1/0, which is the physical interface of the tunnel. [RouterA] interface serial 2/1/0 [RouterA-Serial2/1/0] ipv6 address 2001::1:1 64 [RouterA-Serial2/1/0] quit # Create the IPv6 tunnel interface Tunnel 1. [RouterA] interface tunnel 1 mode ipv6 # Specify an IPv4 address for the tunnel interface.

  • Page 325: Configuring A Ds-lite Tunnel

    56 bytes from 30.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms 56 bytes from 30.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms 56 bytes from 30.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms 56 bytes from 30.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms --- Ping statistics for 30.1.3.1 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms Configuring a DS-Lite tunnel A B4 tunnel interface can establish a tunnel with only one AFTR tunnel interface, but an AFTR tunnel...

  • Page 326

    Step Command Remarks By default, no source address or interface is specified for the tunnel. If you specify a source address, it is used as Specify the source source { ipv6-address | the source address of the encapsulated IPv6 address or source interface-type packets.

  • Page 327

    # Create the IPv6 tunnel interface Tunnel 1. [RouterA] interface tunnel 1 mode ipv6 # Specify an IPv4 address for the tunnel interface. [RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0 # Specify the IP address of GigabitEthernet 2/0/2 as the source address for the tunnel interface. [RouterA-Tunnel1] source 1::1 # Specify IP address of GigabitEthernet 2/0/2 on Router B as the destination address for the tunnel interface.

  • Page 328: Configuring An Ipv6 Over Ipv6 Tunnel

    Reply from 20.1.1.2: bytes=32 time=44ms TTL=255 Reply from 20.1.1.2: bytes=32 time=1ms TTL=255 Reply from 20.1.1.2: bytes=32 time=1ms TTL=255 Ping statistics for 20.1.1.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 51ms, Average = 24ms Configuring an IPv6 over IPv6 tunnel Follow these guidelines when you configure an IPv6 over IPv6 tunnel:...

  • Page 329

    Step Command Remarks (Optional.) Enable dropping By default, IPv6 packets that use IPv6 packets that use tunnel discard IPv4-compatible IPv6 packets are not IPv4-compatible IPv6 ipv4-compatible-packet dropped. addresses. Configuration example Network requirements As shown in Figure 130, configure an IPv6 over IPv6 tunnel between Router A and Router B so the two IPv6 networks can reach each other without disclosing their IPv6 addresses.

  • Page 330: Displaying And Maintaining Tunneling Configuration

    # Specify an IPv6 address for GigabitEthernet 2/0/1. <RouterB> system-view [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] ipv6 address 2002:3::1 64 [RouterB-GigabitEthernet2/0/1] quit # Specify an IPv6 address for Serial 2/1/1, which is the physical interface of the tunnel. [RouterB] interface serial 2/1/1 [RouterB-Serial2/1/1] ipv6 address 2002::22:1 64 [RouterB-Serial2/1/1] quit # Create the IPv6 tunnel interface Tunnel 2.

  • Page 331: Troubleshooting Tunneling Configuration

    Task Command Display IPv6 information on tunnel interfaces. display ipv6 interface [ tunnel [ number ] ] [ brief ] Display information about the connected B4 display ds-lite b4 information routers on the AFTR. Clear statistics on tunnel interfaces. reset counters interface [ tunnel [ number ] ] For more information about the display ipv6 interface command, see Layer 3—IP Services Command Reference.

  • Page 332: Configuring Gre

    Configuring GRE Overview Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate any network layer protocol (such as IPv6) into a virtual point-to-point tunnel over an IP network (such as an IPv4 network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.

  • Page 333: Gre Security Mechanisms

    As shown in Figure 132, an IPv6 protocol packet traverses an IPv4 network through a GRE tunnel as follows: After receiving an IPv6 packet from the interface connected to IPv6 network 1, Device A processes the packet as follows: a. Looks up the routing table to identify the outgoing interface for the IPv6 packet. b.

  • Page 334

    Connecting networks running different protocols over a single backbone Figure 133 Network diagram IPv6 network 1 IPv6 network 2 Internet Device A Device B GRE tunnel IPv4 network 1 IPv4 network 2 As shown in Figure 133, IPv6 network 1 and IPv6 network 2 are IPv6 networks, and IPv4 network 1 and IPv4 network 2 are IPv4 networks.

  • Page 335

    Constructing VPN Figure 135 Network diagram As shown in Figure 135, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. Using a GRE tunnel can connect the two VPN sites across the WAN. Operating with IPsec Figure 136 Network diagram As shown in...

  • Page 336: Configuring A Gre/ipv4 Tunnel

    Configuring a GRE/IPv4 tunnel Perform this task to configure a GRE tunnel on an IPv4 network. Configuration guidelines Follow these guidelines when you configure a GRE/IPv4 tunnel: • You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.

  • Page 337: Configuring A Gre/ipv6 Tunnel

    Step Command Remarks By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a Configure a source tunnel interface, the tunnel interface address or source source { ip-address | uses the source address as the source interface for the tunnel interface-type interface-number } address of the encapsulated packets.

  • Page 338

    Configuration guidelines Follow these guidelines when you configure a GRE/IPv6 tunnel: • You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.

  • Page 339: Displaying And Maintaining Gre

    Step Command Remarks By default, no source IPv6 address or interface is configured for a tunnel interface. If you configure a source IPv6 address for a tunnel interface, the tunnel interface Configure a source IPv6 source { ipv6-address | uses the source IPv6 address as the address or source interface interface-type source IPv6 address of the encapsulated...

  • Page 340: Gre Configuration Examples

    GRE configuration examples Configuring an IPv4 over IPv4 GRE tunnel Network requirements Group 1 and Group 2 are two private IPv4 networks. The two networks both use private network addresses and belong to the same VPN. Establish a GRE tunnel between Router A and Router B to interconnect the two private IPv4 networks Group 1 and Group 2.

  • Page 341

    [RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0 Verifying the configuration # Display tunnel interface information on Router A. [RouterA] display interface tunnel 0 Tunnel0 Current state: UP Line protocol state: UP Description: Tunnel0 Interface Bandwidth: 64kbps Maximum Transmit Unit: 1476 Internet Address is 10.1.2.1/24 Primary Tunnel source 1.1.1.1, destination 2.2.2.2 Tunnel keepalive disabled...

  • Page 342: Configuring An Ipv4 Over Ipv6 Gre Tunnel

    # From Router B, ping the IP address of GigabitEthernet 2/0/1 on Router A. [RouterB] ping -a 10.1.3.1 10.1.1.1 Ping 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes, press CTRL_C to break 56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=11.000 ms 56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms 56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms 56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms 56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms...

  • Page 343

    <RouterB> system-view [RouterB] interface tunnel 0 mode gre ipv6 # Configure an IP address for the tunnel interface. [RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0 # Configure the source address of the tunnel interface as the IP address of interface GigabitEthernet 2/0/2 on Router B. [RouterB-Tunnel0] source 2001::2:1 # Configure the destination address of the tunnel interface as the IP address of interface GigabitEthernet 2/0/2 on Router A.

  • Page 344: Troubleshooting Gre

    GRE key disabled Checksumming of GRE packets disabled Output queue - Urgent queuing: Size/Length/Discards 0/100/0 Output queue - Protocol queuing: Size/Length/Discards 0/500/0 Output queue - FIFO queuing: Size/Length/Discards 0/75/0 Last clearing of counters: Never Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec Input: 0 packets, 0 bytes, 0 drops Output: 0 packets, 0 bytes, 0 drops...

  • Page 345: Solution

    Solution Execute the display ip routing-table command on Device A and Device C to view whether Device A has a route over tunnel 0 to 10.2.0.0/16 and whether Device C has a route over tunnel 0 to 10.1.0.0/16. If such a route does not exist, execute the ip route-static command in system view to add the route.

  • Page 346: Configuring Advpn

    Configuring ADVPN Overview Auto Discovery Virtual Private Network (ADVPN) enables enterprise branches that use dynamic public addresses to establish a VPN network. ADVPN uses the VPN Address Management (VAM) protocol to collect, maintain, and distribute dynamic public addresses. VAM uses the client/server model. All VAM clients register their public addresses on the VAM server. A VAM client obtains the public addresses of other clients from the server to establish ADVPN tunnels.

  • Page 347

    • Hub-spoke—In a hub-spoke ADVPN, spokes communicate with each other through the hub. The hub acts as both the route exchange center and data forwarding center. As shown in Figure 141, each spoke establishes a permanent tunnel to the hub. Spokes communicate with each other through the hub.

  • Page 348: How Advpn Operates

    Figure 142 Hub-group ADVPN Tunnel 2 Hub3 Group 0 Hub1 Tunnel 2 Tunnel 2 Hub2 VAM server Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Spoke1 Group 1 Spoke2 Group 2 Spoke4 Spoke3 Site 1 Site 5 Site 6 Site 2...

  • Page 349

    The server and the client exchange negotiation acknowledgment packets protected by using the keys. The server and the client use the keys to protect subsequent packets if they can restore the protected negotiation acknowledgment packets. If they cannot restore the packets, the negotiation fails. Figure 143 Connection initialization process Registration Figure 144...

  • Page 350

    To establish a hub-hub tunnel: The hub checks whether a tunnel to each peer hub exists. If not, the hub sends a tunnel establishment request to the peer hub. To establish a spoke-spoke tunnel: In a full-mesh network, when a spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server.

  • Page 351: Nat Traversal, Configuring Aaa, Configuring The Vam Server

    the destination address. If the route to the remote private network is learned by using both methods, the route with a lower preference is used. NAT traversal An ADVPN tunnel can traverse a NAT gateway. • If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established through the NAT gateway.

  • Page 352: Enabling The Vam Server

    Task (Optional.) Configuring keepalive parameters (Optional.) Configuring the retry timer Creating an ADVPN domain Specify a unique ID for an ADVPN domain. To create an ADVPN domain: Step Command Remarks Enter system view. system-view Create an ADVPN domain vam server advpn-domain By default, no ADVPN domain and enter ADVPN domain domain-name [ id domain-id ]...

  • Page 353: Configuring Hub Groups

    Configuring hub groups Hub groups apply to large ADVPN networks. You can classify spokes to different hub groups, and specify one or more hubs for each group. When a VAM client registers with the VAM server, the VAM server selects a hub group for the client as follows: The server matches the private address of the client against the private addresses of hubs in different hub groups in lexicographic order.

  • Page 354: Configuring The Port Number Of The Vam Server

    To configure a spoke private address range in a hub group: Step Command Remarks Enter system view. system-view vam server advpn-domain domain-name [ id Enter ADVPN domain view. domain-id ] Enter hub group view. hub-group group-name • Configure a spoke private IPv4 address range: spoke private-address { network ip-address { mask-length | mask } | range...

  • Page 355: Configuring Keepalive Parameters

    Specifying authentication and encryption algorithms for the VAM server The VAM server uses the specified algorithms to negotiate with the VAM client. The VAM server and client use SHA-1 and AES-CBC-128 during connection initialization, and use the negotiated algorithms after connection initialization. The algorithm specified earlier in a command line has a higher priority.

  • Page 356: Configuring The Vam Client

    A client sends keepalives to the server at the specified interval. If a client does not receive any responses from the server after the maximum keepalive attempts (keepalive retries + 1), the client stops sending keepalives. If the VAM server does not receive any keepalives from a client before the timeout timer expires, the server removes information about the client and logs off the client.

  • Page 357: Creating A Vam Client

    Creating a VAM client Step Command Remarks Enter system view. system-view Create a VAM client and vam client name client-name By default, no client is created. enter its view. Enabling VAM clients Step Command Remarks Enter system view. system-view • Enable one or all VAM clients: vam client enable [ name Use either method.

  • Page 358: Configuring A Pre-shared Key For A Vam Client

    Step Command Remarks Enter VAM client view. vam client name client-name Specify an ADVPN domain By default, no ADVPN domain is advpn-domain domain-name for the VAM client. specified for a VAM client. Configuring a pre-shared key for a VAM client The pre-shared key is used to generate initial encryption and authentication keys during connection initialization.

  • Page 359: Configuring A Username And Password For A Vam Client

    Step Command Remarks Enter VAM client view. vam client name client-name By default, the dumb timer is 120 Set the dumb timer. dumb-time time-interval seconds. Configuring a username and password for a VAM client The VAM client uses the configured username and password for authentication on the server. To configure a username and password for a VAM client: Step Command...

  • Page 360

    Step Command Remarks By default, no source address or source interface is configured for a tunnel interface. The specified source address or the IP address of the specified source interface is used as the Specify a source address or source address of sent ADVPN source { ip-address | source interface for the packets.

  • Page 361: Configuring Routing

    Step Command Remarks By default, the idle timeout time is 600 seconds. 10. (Optional.) Set the idle advpn session idle-time The new idle timeout setting timeout time for the time-interval applies to both existing and spoke-spoke tunnel. subsequently established spoke-spoke tunnels. By default, the dumb time is 120 seconds.

  • Page 362

    Task Command Display IPv4 private-to-public address display vam server address-map [ advpn-domain mapping information for VAM clients domain-name [ private-address private-ip-address ] ] [ verbose ] registered with the VAM server. Display IPv6 private-to-public address display vam server ipv6 address-map [ advpn-domain mapping information for VAM clients domain-name [ private-address private-ipv6-address ] ] registered with the VAM server.

  • Page 363: Advpn Configuration Examples

    ADVPN configuration examples IPv4 full-mesh ADVPN configuration example Network requirements As shown in Figure 146, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.

  • Page 364

    <PrimaryServer> system-view [PrimaryServer] radius scheme abc [PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812 [PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813 [PrimaryServer-radius-abc] key authentication simple 123 [PrimaryServer-radius-abc] key accounting simple 123 [PrimaryServer-radius-abc] user-name-format without-domain [PrimaryServer-radius-abc] quit [PrimaryServer] radius session-control enable # Configure AAA methods for ISP domain abc. [PrimaryServer] domain abc [PrimaryServer-isp-abc] authentication advpn radius-scheme abc [PrimaryServer-isp-abc] accounting advpn radius-scheme abc...

  • Page 365

    [Hub1-vam-client-Hub1] pre-shared-key simple 123456 # Set both the username and password to hub1. [Hub1-vam-client-Hub1] user hub1 password simple hub1 # Specify the primary and secondary VAM servers. [Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11 [Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Hub1-vam-client-Hub1] client enable [Hub1-vam-client-Hub1] quit Configure an IPsec profile:...

  • Page 366

    [Hub2] vam client name Hub2 # Specify ADVPN domain abc for the VAM client. [Hub2-vam-client-Hub2] advpn-domain abc # Set the pre-shared key to 123456. [Hub2-vam-client-Hub2] pre-shared-key simple 123456 # Set both the username and password to hub2. [Hub2-vam-client-Hub2] user hub2 password simple hub2 # Specify the primary and secondary VAM servers.

  • Page 367

    Configuring Spoke 1 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke1. <Spoke1> system-view [Spoke1] vam client name Spoke1 # Specify ADVPN domain abc for the VAM client. [Spoke1-vam-client-Spoke1] advpn-domain abc # Set the pre-shared key to 123456.

  • Page 368

    [Spoke1-Tunnel1] vam client Spoke1 [Spoke1-Tunnel1] ospf network-type broadcast [Spoke1-Tunnel1] ospf dr-priority 0 [Spoke1-Tunnel1] source gigabitethernet 2/0/1 [Spoke1-Tunnel1] tunnel protection ipsec profile abc [Spoke1-Tunnel1] undo shutdown [Spoke1-Tunnel1] quit Configuring Spoke 2 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke2.

  • Page 369

    [Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255 [Spoke2-ospf-1-area-0.0.0.0] quit [Spoke2-ospf-1] quit Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election. [Spoke2] interface tunnel1 mode advpn gre [Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0 [Spoke2-Tunnel1] vam client Spoke2 [Spoke2-Tunnel1] ospf network-type broadcast [Spoke2-Tunnel1] ospf dr-priority 0...

  • Page 370: Ipv6 Full-mesh Advpn Configuration Example

    [Spoke1] display advpn session Interface : Tunnel1 Number of sessions: 2 Private address Public address Port Type State Holding time 192.168.0.1 1.0.0.1 Success 0H 46M 192.168.0.2 1.0.0.2 Success 0H 46M The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2. # Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2.

  • Page 371

    Figure 147 Network diagram Hub1 Hub2 GE2/0/1 GE2/0/1 Tunnel1 AAA server Tunnel1 GE2/0/1 IP network Primary server Tunnel1 Tunnel1 GE2/0/1 GE2/0/1 GE2/0/1 Spoke2 Spoke1 GE2/0/2 GE2/0/2 Secondary server Hub-to-Hub static tunnel Hub-to-Spoke static tunnel Site 1 Site 2 Spoke-to-Spoke dynamic tunnel Table 13 Interface and IP address assignment Device Interface...

  • Page 372

    [PrimaryServer-isp-abc] accounting advpn radius-scheme abc [PrimaryServer-isp-abc] quit [PrimaryServer] domain default enable abc Configure the VAM server: # Create ADVPN domain abc. [PrimaryServer] vam server advpn-domain abc id 1 # Create hub group 0. [PrimaryServer-vam-server-domain-abc] hub-group 0 # Specify hub private IPv6 addresses. [PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1 [PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address...

  • Page 373

    [Hub1] ike keychain abc [Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Hub1-ike-keychain-abc] quit [Hub1] ike profile abc [Hub1-ike-profile-abc] keychain abc [Hub1-ike-profile-abc] quit # Configure the IPsec profile. [Hub1] ipsec transform-set abc [Hub1-ipsec-transform-set-abc] encapsulation-mode transport [Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Hub1-ipsec-transform-set-abc] quit [Hub1] ipsec profile abc isakmp...

  • Page 374

    [Hub2-vam-client-Hub2] server secondary ipv6-address 1::12 # Enable the VAM client. [Hub2-vam-client-Hub2] client enable [Hub2-vam-client-Hub2] quit Configure an IPsec profile: # Configure IKE. [Hub2] ike keychain abc [Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Hub2-ike-keychain-abc] quit [Hub2] ike profile abc [Hub2-ike-profile-abc] keychain abc [Hub2-ike-profile-abc] quit # Configure the IPsec profile.

  • Page 375

    # Set the pre-shared key to 123456. [Spoke1-vam-client-Spoke1] pre-shared-key simple 123456 # Set both the username and password to spoke1. [Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1 # Specify the primary and secondary VAM servers. [Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11 [Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12 # Enable the VAM client.

  • Page 376

    Configuring Spoke 2 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke2. <Spoke2> system-view [Spoke2] vam client name Spoke2 # Specify ADVPN domain abc for the VAM client. [Spoke2-vam-client-Spoke2] advpn-domain abc # Set the pre-shared key to 123456.

  • Page 377

    [Spoke2-Tunnel1] vam ipv6 client Spoke2 [Spoke2-Tunnel1] ospfv3 1 area 0 [Spoke2-Tunnel1] ospfv3 network-type broadcast [Spoke2-Tunnel1] ospfv3 dr-priority 0 [Spoke2-Tunnel1] source gigabitethernet 2/0/1 [Spoke2-Tunnel1] tunnel protection ipsec profile abc [Spoke2-Tunnel1] undo shutdown [Spoke2-Tunnel1] quit Verifying the configuration # Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.

  • Page 378: Ipv4 Hub-spoke Advpn Configuration Example

    The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2. # Verify that Spoke 1 can ping the private address 192:168::4 of Spoke 2. [Spoke1] ping ipv6 192:168::4 Ping6(56 data bytes) 192:168::4 --> 192:168::4, press CTRL_C to break 56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms 56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms 56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms...

  • Page 379

    Figure 148 Network diagram Hub1 Hub2 GE2/0/1 GE2/0/1 Tunnel1 AAA server Tunnel1 GE2/0/1 IP network Primary server Tunnel1 Tunnel1 GE2/0/1 GE2/0/1 GE2/0/1 Spoke2 Spoke1 GE2/0/2 GE2/0/2 Secondary server Hub-to-Hub static tunnel Site 1 Site 2 Hub-to-Spoke static tunnel Table 14 Interface and IP address assignment Device Interface IP address...

  • Page 380

    [PrimaryServer-isp-abc] quit [PrimaryServer] domain default enable abc Configure the VAM server: # Create ADVPN domain abc. [PrimaryServer] vam server advpn-domain abc id 1 # Create hub group 0. [PrimaryServer-vam-server-domain-abc] hub-group 0 # Specify hub private IPv4 addresses. [PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1 [PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2 # Specify a spoke private IPv4 network.

  • Page 381

    [Hub1-ike-keychain-abc] quit [Hub1] ike profile abc [Hub1-ike-profile-abc] keychain abc [Hub1-ike-profile-abc] quit # Configure the IPsec profile. [Hub1] ipsec transform-set abc [Hub1-ipsec-transform-set-abc] encapsulation-mode transport [Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Hub1-ipsec-transform-set-abc] quit [Hub1] ipsec profile abc isakmp [Hub1-ipsec-profile-isakmp-abc] transform-set abc [Hub1-ipsec-profile-isakmp-abc] ike-profile abc [Hub1-ipsec-profile-isakmp-abc] quit Configure OSPF to advertise the private network.

  • Page 382

    Configure an IPsec profile: # Configure IKE. [Hub2] ike keychain abc [Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456 [Hub2-ike-keychain-abc] quit [Hub2] ike profile abc [Hub2-ike-profile-abc] keychain abc [Hub2-ike-profile-abc] quit # Configure the IPsec profile. [Hub2] ipsec transform-set abc [Hub2-ipsec-transform-set-abc] encapsulation-mode transport [Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Hub2-ipsec-transform-set-abc] quit...

  • Page 383

    [Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Spoke1-vam-client-Spoke1] client enable [Spoke1-vam-client-Spoke1] quit Configure an IPsec profile: # Configure IKE. [Spoke1] ike keychain abc [Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456 [Spoke1-ike-keychain-abc] quit [Spoke1] ike profile abc [Spoke1-ike-profile-abc] keychain abc [Spoke1-ike-profile-abc] quit # Configure the IPsec profile.

  • Page 384

    [Spoke2-vam-client-Spoke2] pre-shared-key simple 123456 # Set both the username and password to spoke2. [Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2 # Specify the primary and secondary VAM servers. [Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11 [Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Spoke2-vam-client-Spoke2] client enable [Spoke2-vam-client-Spoke2] quit Configure an IPsec profile:...

  • Page 385

    ADVPN domain name: 1 Total private address mappings: 4 Group Private address Public address Type Holding time 192.168.0.1 1.0.0.1 0H 52M 192.168.0.2 1.0.0.2 0H 47M 31S 192.168.0.3 1.0.0.3 Spoke 0H 28M 25S 192.168.0.4 1.0.0.4 Spoke 0H 19M 15S # Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

  • Page 386: Ipv6 Hub-spoke Advpn Configuration Example

    round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms IPv6 hub-spoke ADVPN configuration example Network requirements As shown in Figure 149, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.

  • Page 387

    [PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813 [PrimaryServer-radius-abc] key authentication simple 123 [PrimaryServer-radius-abc] key accounting simple 123 [PrimaryServer-radius-abc] user-name-format without-domain [PrimaryServer-radius-abc] quit [PrimaryServer] radius session-control enable # Configure AAA methods for ISP domain abc. [PrimaryServer] domain abc [PrimaryServer-isp-abc] authentication advpn radius-scheme abc [PrimaryServer-isp-abc] accounting advpn radius-scheme abc [PrimaryServer-isp-abc] quit [PrimaryServer] domain default enable abc...

  • Page 388

    # Set the username and password to hub1. [Hub1-vam-client-Hub1] user hub1 password simple hub1 # Specify the primary and secondary VAM servers. [Hub1-vam-client-Hub1] server primary ipv6-address 1::11 [Hub1-vam-client-Hub1] server secondary ipv6-address 1::12 # Enable the VAM client. [Hub1-vam-client-Hub1] client enable [Hub1-vam-client-Hub1] quit Configure an IPsec profile: # Configure IKE.

  • Page 389

    <Hub2> system-view [Hub2] vam client name Hub2 # Specify ADVPN domain abc for the VAM client. [Hub2-vam-client-Hub2] advpn-domain abc # Set the pre-shared key to 123456. [Hub2-vam-client-Hub2] pre-shared-key simple 123456 # Set both the username and password to hub2. [Hub2-vam-client-Hub2] user hub2 password simple hub2 # Specify the primary and secondary VAM servers.

  • Page 390

    [Hub2-Tunnel1] undo shutdown [Hub2-Tunnel1] quit Configuring Spoke 1 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke1. <Spoke1> system-view [Spoke1] vam client name Spoke1 # Specify ADVPN domain abc for the VAM client. [Spoke1-vam-client-Spoke1] advpn-domain abc # Set the pre-shared key to 123456.

  • Page 391

    [Spoke1-Tunnel1] ipv6 address fe80::3 link-local [Spoke1-Tunnel1] vam ipv6 client Spoke1 [Spoke1-Tunnel1] ospfv3 1 area 0 [Spoke1-Tunnel1] ospfv3 network-type p2mp [Spoke1-Tunnel1] source gigabitethernet 2/0/1 [Spoke1-Tunnel1] tunnel protection ipsec profile abc [Spoke1-Tunnel1] undo shutdown [Spoke1-Tunnel1] quit Configuring Spoke 2 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke2.

  • Page 392

    [Spoke2-ospfv3-1] area 0 [Spoke2-ospfv3-1-area-0.0.0.0] quit [Spoke2-ospfv3-1] quit Configure GRE-mode IPv6 ADVPN tunnel interface tunnel1. [Spoke2] interface tunnel1 mode advpn gre ipv6 [Spoke2-Tunnel1] ipv6 address 192:168::4 64 [Spoke2-Tunnel1] ipv6 address fe80::4 link-local [Spoke2-Tunnel1] vam ipv6 client Spoke2 [Spoke2-Tunnel1] ospfv3 1 area 0 [Spoke2-Tunnel1] ospfv3 network-type p2mp [Spoke2-Tunnel1] source gigabitethernet 2/0/1 [Spoke2-Tunnel1] tunnel protection ipsec profile abc...

  • Page 393: Ipv4 Multi-hub-group Advpn Configuration Example

    [Spoke1] display advpn ipv6 session Interface : Tunnel1 Number of sessions: 2 Private address Public address Port Type State Holding time 192:168::1 1::1 Success 0H 46M 192:168::2 1::2 Success 0H 46M The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2. # Verify that Spoke 1 can ping the private address 192:168::4 of Spoke 2.

  • Page 394

    Figure 150 Network diagram Tunnel 2 Hub3 Hub1 Tunnel 2 Tunnel 2 Group 0 Hub2 GE2/0/1 GE2/0/1 GE2/0/1 Tunnel 1 Tunnel 1 Tunnel 1 AAA server GE2/0/1 Primary server GE2/0/1 Tunnel 1 GE2/0/1 Tunnel 1 Tunnel 1 Tunnel 1 Spoke1 GE2/0/1 Secondary server GE2/0/1...

  • Page 395

    # Configure RADIUS scheme abc. <PrimaryServer> system-view [PrimaryServer] radius scheme abc [PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812 [PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813 [PrimaryServer-radius-abc] key authentication simple 123 [PrimaryServer-radius-abc] key accounting simple 123 [PrimaryServer-radius-abc] user-name-format without-domain [PrimaryServer-radius-abc] quit [PrimaryServer] radius session-control enable # Configure AAA methods for ISP domain abc.

  • Page 396

    # Set the pre-shared key to 123456. [PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456 # Set the authentication mode to CHAP. [PrimaryServer-vam-server-domain-abc] authentication-method chap # Enable the VAM server for the ADVPN domain. [PrimaryServer-vam-server-domain-abc] server enable [PrimaryServer-vam-server-domain-abc] quit Configuring the secondary VAM server # Configure the secondary VAM server in the same way that the primary server is configured.

  • Page 397

    [Hub1-ike-keychain-abc] quit [Hub1] ike profile abc [Hub1-ike-profile-abc] keychain abc [Hub1-ike-profile-abc] quit # Configure the IPsec profile. [Hub1] ipsec transform-set abc [Hub1-ipsec-transform-set-abc] encapsulation-mode transport [Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Hub1-ipsec-transform-set-abc] quit [Hub1] ipsec profile abc isakmp [Hub1-ipsec-profile-isakmp-abc] transform-set abc [Hub1-ipsec-profile-isakmp-abc] ike-profile abc [Hub1-ipsec-profile-isakmp-abc] quit Configure OSPF to advertise private networks.

  • Page 398

    [Hub2] vam client name Hub2Group0 # Specify ADVPN domain abc for the VAM client. [Hub2-vam-client-Hub2Group0] advpn-domain abc # Set the pre-shared key to 123456. [Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456 # Set both the username and password to hub2. [Hub2-vam-client-Hub2Group0] user hub2 password simple hub2 # Specify the primary and secondary VAM servers.

  • Page 399

    [Hub2-ospf-1] area 0 [Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Hub2-ospf-1-area-0.0.0.0] quit [Hub2-ospf-1] area 1 [Hub2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 [Hub2-ospf-1-area-0.0.0.1] quit [Hub2-ospf-1] quit Configure ADVPN tunnels: # Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. [Hub2] interface tunnel 1 mode advpn gre [Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0 [Hub2-Tunnel1] vam client Hub2 [Hub2-Tunnel1] ospf network-type broadcast [Hub2-Tunnel1] source gigabitethernet 2/0/1...

  • Page 400

    [Hub3-vam-client-Hub3Group1] advpn-domain abc # Set the pre-shared key to 123456. [Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456 # Set both the username and password to hub3. [Hub3-vam-client-Hub3Group1] user hub3 password simple hub3 # Specify the primary and secondary VAM servers. [Hub3-vam-client-Hub3Group1] server primary ip-address 1.0.0.11 [Hub3-vam-client-Hub3Group1] server secondary ip-address 1.0.0.12 # Enable the VAM client.

  • Page 401

    [Hub3-Tunnel1] quit # Configure UDP-mode IPv4 ADVPN tunnel interface tunnel2. [Hub3] interface tunnel2 mode advpn udp [Hub3-Tunnel2] ip address 192.168.0.3 255.255.255.0 [Hub3-Tunnel2] vam client Hub3Group0 [Hub3-Tunnel2] ospf network-type broadcast [Hub3-Tunnel2] source gigabitethernet 2/0/1 [Hub3-Tunnel2] tunnel protection ipsec profile abc [Hub3-Tunnel2] undo shutdown [Hub3-Tunnel2] quit Configuring Spoke 1 Configure IP addresses for the interfaces.

  • Page 402

    [Spoke1] ospf 1 [Spoke1-ospf-1] area 1 [Spoke1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 [Spoke1-ospf-1-area-0.0.0.1] network 192.168.10.0 0.0.0.255 [Spoke1-ospf-1-area-0.0.0.1] quit [Spoke1-ospf-1] quit Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 1 will not participate in DR/BDR election. [Spoke1] interface tunnel1 mode advpn udp [Spoke1-Tunnel1] ip address 192.168.1.3 255.255.255.0 [Spoke1-Tunnel1] vam client Spoke1...

  • Page 403

    [Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Spoke2-ipsec-transform-set-abc] quit [Spoke2] ipsec profile abc isakmp [Spoke2-ipsec-profile-isakmp-abc] transform-set abc [Spoke2-ipsec-profile-isakmp-abc] ike-profile abc [Spoke2-ipsec-profile-isakmp-abc] quit Configure OSPF to advertise private networks. [Spoke2] ospf 1 [Spoke2-ospf-1] area 1 [Spoke2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 [Spoke2-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255 [Spoke2-ospf-1-area-0.0.0.1] network 192.168.30.0 0.0.0.255 [Spoke2-ospf-1-area-0.0.0.1] quit [Spoke2-ospf-1] quit...

  • Page 404

    # Configure IKE. [Spoke3] ike keychain abc [Spoke3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456 [Spoke3-ike-keychain-abc] quit [Spoke3] ike profile abc [Spoke3-ike-profile-abc] keychain abc [Spoke3-ike-profile-abc] quit # Configure the IPsec profile. [Spoke3] ipsec transform-set abc [Spoke3-ipsec-transform-set-abc] encapsulation-mode transport [Spoke3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Spoke3-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Spoke3-ipsec-transform-set-abc] quit [Spoke3] ipsec profile abc isakmp...

  • Page 405

    [Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4 # Specify the primary and secondary VAM servers. [Spoke4-vam-client-Spoke4] server primary ip-address 1.0.0.11 [Spoke4-vam-client-Spoke4] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Spoke4-vam-client-Spoke4] client enable [Spoke4-vam-client-Spoke4] quit Configure an IPsec profile: # Configure IKE. [Spoke4] ike keychain abc [Spoke4-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456 [Spoke4-ike-keychain-abc] quit...

  • Page 406

    Verifying the configuration # Display IPv4 address mapping information for all VAM clients registered with the primary VAM server. [PrimaryServer] display vam server address-map ADVPN domain name: 1 Total private address mappings: 10 Group Private address Public address Type Holding time 192.168.0.1 1.0.0.1 0H 52M...

  • Page 407: Ipv6 Multi-hub-group Advpn Configuration Example

    192.168.0.3 1.0.0.3 18001 H-H Success 0H 27M 27S The output shows that Hub 1 has established a permanent tunnel to Hub 2, Hub3, Spoke 1, and Spoke 2. # Display IPv4 ADVPN tunnel information on Spoke 1 and Spoke 2. This example uses Spoke 1. [Spoke1] display advpn session Interface : Tunnel1...

  • Page 408

    Figure 151 Network diagram Tunnel 2 Hub3 Hub1 Tunnel 2 Tunnel 2 Group 0 Hub2 GE2/0/1 GE2/0/1 GE2/0/1 Tunnel 1 Tunnel 1 Tunnel 1 AAA server GE2/0/1 Primary server GE2/0/1 Tunnel 1 GE2/0/1 Tunnel 1 Tunnel 1 Tunnel 1 Spoke1 GE2/0/1 Secondary server GE2/0/1...

  • Page 409

    # Configure RADIUS scheme abc. <PrimaryServer> system-view [PrimaryServer] radius scheme abc [PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812 [PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813 [PrimaryServer-radius-abc] key authentication simple 123 [PrimaryServer-radius-abc] key accounting simple 123 [PrimaryServer-radius-abc] user-name-format without-domain [PrimaryServer-radius-abc] quit [PrimaryServer] radius session-control enable # Configure AAA methods for ISP domain abc.

  • Page 410

    [PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64 [PrimaryServer-vam-server-domain-abc-hub-group-2] quit # Set the pre-shared key to 123456. [PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456 # Set the authentication mode to CHAP. [PrimaryServer-vam-server-domain-abc] authentication-method chap # Enable the VAM server for the ADVPN domain. [PrimaryServer-vam-server-domain-abc] server enable [PrimaryServer-vam-server-domain-abc] quit Configuring the secondary VAM server # Configure the secondary VAM server in the same way that the primary server is configured.

  • Page 411

    # Configure IKE. [Hub1] ike keychain abc [Hub1-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456 [Hub1-ike-keychain-abc] quit [Hub1] ike profile abc [Hub1-ike-profile-abc] keychain abc [Hub1-ike-profile-abc] quit # Configure the IPsec profile. [Hub1] ipsec transform-set abc [Hub1-ipsec-transform-set-abc] encapsulation-mode transport [Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Hub1-ipsec-transform-set-abc] quit [Hub1] ipsec profile abc isakmp...

  • Page 412

    Configuring Hub 2 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Hub2Group0. <Hub2> system-view [Hub2] vam client name Hub2Group0 # Specify ADVPN domain abc for the VAM client. [Hub2-vam-client-Hub2Group0] advpn-domain abc # Set the pre-shared key to 123456.

  • Page 413

    [Hub2] ipsec profile abc isakmp [Hub2-ipsec-profile-isakmp-abc] transform-set abc [Hub2-ipsec-profile-isakmp-abc] ike-profile abc [Hub2-ipsec-profile-isakmp-abc] quit Configure OSPFv3. [Hub2] ospf 1 [Hub2-ospf-1] area 0 [Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Hub2-ospf-1-area-0.0.0.0] quit [Hub2-ospf-1] area 1 [Hub2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 [Hub2-ospf-1-area-0.0.0.1] quit [Hub2-ospf-1] quit Configure ADVPN tunnels: # Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1.

  • Page 414

    [Hub3-vam-client-Hub3Group0] user hub3 password simple hub3 # Specify the primary and secondary VAM servers. [Hub3-vam-client-Hub3Group0] server primary ipv6-address 1::11 [Hub3-vam-client-Hub3Group0] server secondary ipv6-address 1::12 # Enable the VAM client. [Hub2-vam-client-Hub2Group0] client enable [Hub2-vam-client-Hub2Group0] quit # Create VAM client Hub3Group1. [Hub3] vam client name Hub3Group1 # Specify ADVPN domain abc for the VAM client.

  • Page 415

    Configure ADVPN tunnels: # Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. [Hub3] interface tunnel1 mode advpn udp [Hub3-Tunnel1] ipv6 address 192:168:2::1 64 [Hub3-Tunnel1] ipv6 address fe80::2:1 link-local [Hub3-Tunnel1] vam ipv6 client Hub3Group1 [Hub3-Tunnel1] ospfv3 1 area 2 [Hub3-Tunnel1] ospfv3 network-type broadcast [Hub3-Tunnel1] source gigabitethernet 2/0/1 [Hub3-Tunnel1] tunnel protection ipsec profile abc [Hub3-Tunnel1] undo shutdown...

  • Page 416

    [Spoke1-ike-profile-abc] keychain abc [Spoke1-ike-profile-abc] quit # Configure the IPsec profile. [Spoke1] ipsec transform-set abc [Spoke1-ipsec-transform-set-abc] encapsulation-mode transport [Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Spoke1-ipsec-transform-set-abc] quit [Spoke1] ipsec profile abc isakmp [Spoke1-ipsec-profile-isakmp-abc] transform-set abc [Spoke1-ipsec-profile-isakmp-abc] ike-profile abc [Spoke1-ipsec-profile-isakmp-abc] quit Configure OSPFv3.

  • Page 417

    # Set both the username and password to spoke2. [Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2 # Specify the primary and secondary VAM servers. [Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11 [Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12 # Enable the VAM client. [Spoke2-vam-client-Spoke2] client enable [Spoke2-vam-client-Spoke2] quit Configure an IPsec profile: # Configure IKE.

  • Page 418

    [Spoke2-Tunnel1] ospf dr-priority 0 [Spoke2-Tunnel1] advpn ipv6 network 192:168:20::0 64 [Spoke2-Tunnel1] advpn ipv6 network 192:168:30::0 64 [Spoke2-Tunnel1] source gigabitethernet 2/0/1 [Spoke2-Tunnel1] tunnel protection ipsec profile abc [Spoke2-Tunnel1] undo shutdown [Spoke2-Tunnel1] quit Configuring Spoke 3 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke3.

  • Page 419

    [Spoke3-ospfv3-1-area-0.0.0.0] quit [Spoke3-ospfv3-1] area 2 [Spoke3-ospfv3-1-area-0.0.0.2] quit [Spoke3-ospfv3-1] quit [Spoke3] interface gigabitethernet 2/0/2 [Spoke3-GigabitEthernet2/0/2] ospfv3 1 area 2 [Spoke3-GigabitEthernet2/0/2] quit Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 3 will not participate in DR/BDR election. [Spoke3] interface tunnel1 mode advpn udp [Spoke3-Tunnel1] ipv6 address 192:168:2::2 64 [Spoke3-Tunnel1] ipv6 address fe80::2:2 link-local...

  • Page 420

    # Configure the IPsec profile. [Spoke4] ipsec transform-set abc [Spoke4-ipsec-transform-set-abc] encapsulation-mode transport [Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Spoke4-ipsec-transform-set-abc] quit [Spoke4] ipsec profile abc isakmp [Spoke4-ipsec-profile-isakmp-abc] transform-set abc [Spoke4-ipsec-profile-isakmp-abc] ike-profile abc [Spoke4-ipsec-profile-isakmp-abc] quit Configure OSPFv3. [Spoke4] ospfv3 1 [Spoke4-ospfv3-1] router-id 0.0.0.7 [Spoke4-ospfv3-1] area 0 [Spoke4-ospfv3-1-area-0.0.0.0] quit...

  • Page 421

    192:168::3 1::3 0H 28M 25S 192:168:1::1 1::1 0H 52M 192:168:1::2 1::2 0H 47M 31S 192:168:1::3 1::4 Spoke 0H 18M 26S 192:168:1::4 1::5 Spoke 0H 28M 25S 192:168:2::1 1::3 0H 28M 25S 192:168:2::2 1::6 Spoke 0H 25M 40S 192:168:2::3 1::7 Spoke 0H 25M 31S # Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.

  • Page 422: Ipv4 Full-mesh Nat Traversal Advpn Configuration Example

    192:168:1::2 1::2 18001 S-H Success 0H 46M The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2. # Display IPv6 ADVPN tunnel information on Spoke 3 and Spoke 4. This example uses Spoke 4. [Spoke3] display advpn ipv6 session Interface : Tunnel1...

  • Page 423

    Table 18 Interface and IP address assignment Device Interface IP address Device Interface IP address Hub 1 GE2/0/1 10.0.0.2/24 Spoke 1 GE2/0/1 10.0.0.2/24 Tunnel1 192.168.0.1/24 GE2/0/2 192.168.1.1/24 Hub 2 GE2/0/1 10.0.0.3/24 Tunnel1 192.168.0.3/24 Tunnel1 192.168.0.2/24 Spoke 2 GE2/0/1 10.0.0.2/24 NAT1 GE2/0/1 1.0.0.1/24 GE2/0/2...

  • Page 424

    [PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1 public-address 1.0.0.1 advpn-port 4001 [PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2 public-address 1.0.0.1 advpn-port 4002 # Specify a spoke private IPv4 network. [PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0 [PrimaryServer-vam-server-domain-abc-hub-group-0] quit # Set the pre-shared key to 123456. [PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456 # Set the authentication mode to CHAP.

  • Page 425

    [Hub1-ospf-1] quit # Configure a default route. [Hub1] ip route-static 0.0.0.0 0 10.0.0.1 Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. [Hub1] interface tunnel 1 mode advpn udp [Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0 [Hub1-Tunnel1] vam client Hub1 [Hub1-Tunnel1] ospf network-type broadcast [Hub1-Tunnel1] source gigabitethernet 2/0/1 [Hub1-Tunnel1] undo shutdown [Hub1-Tunnel1] quit...

  • Page 426

    Configuring Spoke 1 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke1. <Spoke1> system-view [Spoke1] vam client name Spoke1 # Specify ADVPN domain abc for the VAM client. [Spoke1-vam-client-Spoke1] advpn-domain abc # Set the pre-shared key to 123456.

  • Page 427

    [Spoke2-vam-client-Spoke2] pre-shared-key simple 123456 # Set both the username and password to spoke2. [Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2 # Specify the primary and secondary VAM servers. [Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.4 port 4001 [Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.4 port 4002 # Enable the VAM client.

  • Page 428

    [NAT1-GigabitEthernet2/0/1] quit # Enable NAT hairpin on GigabitEthernet 2/0/2. [NAT1] interface gigabitethernet 2/0/2 [NAT1-GigabitEthernet2/0/2] nat hairpin enable [NAT1-GigabitEthernet2/0/2] quit Configuring NAT 2 Configure IP addresses for the interfaces. (Details not shown.) Configure NAT internal servers: # Configure ACL 2000 to permit packets sourced from 10.0.0.0/24. <NAT2>...

  • Page 429

    ADVPN domain name: 1 Total private address mappings: 4 Group Private address Public address Type Holding time 192.168.0.1 1.0.0.1 0H 52M 192.168.0.2 1.0.0.1 0H 47M 31S 192.168.0.3 1.0.0.2 Spoke 0H 28M 25S 192.168.0.4 1.0.0.3 Spoke 0H 19M 15S # Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

  • Page 430

    round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms # Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1. [Spoke1] display advpn session Interface : Tunnel1 Number of sessions: 3 Private address Public address Port Type State Holding time 192.168.0.1 1.0.0.1 4001 Success 0H 46M...

  • Page 431: Configuring Waas

    Configuring WAAS Overview The Wide Area Application Services (WAAS) feature is a set of services that can optimize WAN traffic. WAAS solves WAN issues such as high delay and low bandwidth by using optimization services. WAAS provides the following optimization services: •...

  • Page 432: Lz Compression

    Selective acknowledgement (SACK) allows the receiver to inform the sender of all segments that have arrived successfully. The sender needs to retransmit only the segments that have been lost. DRE reduces the size of data transmitted by replacing repeated data blocks with shorter indexes. A WAAS device synchronizes its data dictionary to its peer devices.

  • Page 433

    Compared with DRE, LZ compression has a lower compression ratio. LZ compression does not require synchronization of compression dictionaries between the local and peer devices, which reduces memory consumption. Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: •...

  • Page 434: Configuring A Waas Policy

    Step Command Remarks match [ match-id ] tcp { any | destination | source } [ ip-address ip-address By default, no match criterion is Configure a match criterion. [ mask-length | mask ] | configured. ipv6-address ipv6-address [ prefix-length ] ] [ port port-list ] Configuring a WAAS policy To configure a WAAS policy, perform the following tasks: Create a WAAS policy.

  • Page 435: Configuring Tfo Parameters

    To apply a WAAS policy to an interface: Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number Apply a WAAS policy to By default, no WAAS policy waas apply policy [ policy-name ] the interface. is applied to an interface. Configuring TFO parameters The congestion window size changes with the congestion status and transmission speed.

  • Page 436: Deleting All Waas Settings

    Step Command Remarks disabled. Set the aging time for waas tfo auto-discovery blacklist The default setting is 5 blacklist entries. hold-time minutes minutes. Deleting all WAAS settings This feature allows you to delete all configuration data and running data for WAAS and to exit the WAAS process.

  • Page 437: Waas Configuration Examples

    Task Command devices in standalone mode). Display DRE statistics (distributed display waas statistics dre [ peer-id peer-id ] [ slot devices in standalone mode/centralized slot-number ] devices in IRF mode). Display DRE statistics (distributed display waas statistics dre [ peer-id peer-id ] [ chassis chassis-number slot slot-number ] devices in IRF mode).

  • Page 438

    Figure 153 Network diagram Configuration procedure Configure IP addresses for interfaces. (Details not shown.) Configure routing protocols to ensure connectivity. Apply the predefined WAAS policy to interface GigabitEthernet 2/0/1 on Router A. <RouterA> system-view [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] waas apply policy [RouterA-GigabitEthernet2/0/1] quit [RouterA] quit Apply the predefined WAAS policy to interface GigabitEthernet 2/0/1 on Router B.

  • Page 439: User-defined Waas Policy Configuration Example

    Bytes Matched: 0 bytes Space saving: -11% Average latency: 0 usec Decode Statistics Dre msgs: 57050 Bytes in: 14038391 bytes Bytes out: 14079375 bytes Bypass bytes: 0 bytes Space saved: 0% Average latency: 0 usec # After the second download, display the DRE statistics on Router A. <RouterA>...

  • Page 440

    Figure 154 Network diagram Configuration procedure Configure IP addresses for interfaces. (Details not shown.) Configure routing protocols to ensure connectivity. Configure WAAS classes: # Create WAAS class c1 on Router A, and configure the WAAS class to match any TCP packets.

  • Page 441

    <RouterA> system-view [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] waas apply policy [RouterA-GigabitEthernet2/0/1] quit [RouterA] quit # Apply WAAS policy p1 to interface GigabitEthernet 2/0/1 on Router B. [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] waas apply policy p1 [RouterB-GigabitEthernet2/0/1] quit [RouterB] quit Download a test file of 14 MB from the server to the host. Clear the DRE statistics on Router A.

  • Page 442

    Active connections: 0 Encode Statistics Dre msgs: 2 Bytes in: 286 bytes Bytes out: 60 bytes Bypass bytes: 0 bytes Bytes Matched: 256 bytes Space saving: 79% Average latency: 0 usec Decode Statistics Dre msgs: 62687 Bytes in: 2592183 bytes Bytes out: 13972208 bytes Bypass bytes: 0 bytes Space saved: 81%...

  • Page 443: Configuring Aft

    Configuring AFT Overview Address Family Translation (AFT) is a technology that translates an IP address of one address family into an IP address of the other address family. It enables IPv4 network and IPv6 network to communicate with each other. As shown in Figure 155, AFT performs address translation between the IPv4 network and the IPv6...

  • Page 444: Prefix Translation

    NO-PAT NO-PAT translates an IPv6 address to an IPv4 address. The IPv4 address cannot be used by another IPv6 host until it is released. NO-PAT supports all IP packets. PAT translates multiple IPv6 addresses to a single IPv4 address by mapping the IPv6 address and source port to the IPv4 address and a unique port.

  • Page 445: Aft Internal Server

    AFT uses an IVI prefix for IPv6-to-IPv4 source address translation. If a source IPv6 address matches the IVI prefix, AFT translates it to the embedded IPv4 address. AFT internal server AFT internal server creates a mapping between an IPv4 address and port number to the IPv6 address and port number of an IPv6 internal server.

  • Page 446: For Ipv4-initiated Communication

    Figure 158 AFT process for IPv6-imitated communication NAT64 prefix: 2000::/32 IVI prefix: 3000::/32 IPv6 addr: 3000:0:ff02:202:200::/48 IPv4 addr: 1.1.1.1/8 Embedded IPv4 addr: 2.2.2.2/8 Translated IPv6 addr: 2000:0:101:101::/40 IPv6 host IPv4 host Dst: 2000:0:101:101:: Src: 3000:0:ff02:202:200:: Translates addresses based on the NAT64 prefix, IVI prefix, or v6tov4 AFT policy Dst: 1.1.1.1 Src: 2.2.2.2...

  • Page 447: Aft With Alg

    Figure 159 AFT process for IPv4-imitated communication AFT with ALG AFT with ALG translates address or port information in the application layer payloads to ensure connection establishment. For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depends on the payload information of the control connection.

  • Page 448

    For IPv4-initiated communication Task at a glance (Required.) Enabling AFT (Required.) Configuring an IPv4-to-IPv6 destination address translation policy (Required.) Configuring an IPv4-to-IPv6 source address translation policy (Optional.) Configuring AFT logging (Optional.) Setting the Traffic Class field to 0 for translated IPv6 packets Enabling AFT To implement address translation between IPv4 and IPv6 networks, you must enable AFT on interfaces connected to the IPv4 network and interfaces connected the IPv6 network.

  • Page 449: Configuring An Ipv6-to-ipv4 Source Address Translation Policy

    Configuring an IPv6-to-IPv4 source address translation policy AFT compares an IPv6 packet with IPv6-to-IPv4 source address translation policies in the following order: IPv6-to-IPv4 source address static mappings. IVI prefixes. IPv6-to-IPv4 source address dynamic translation policies. To configure an IPv6-to-IPv4 source address translation policy: Step Command Remarks...

  • Page 450: Configuring An Ipv4-to-ipv6 Destination Address Translation Policy

    Configuring an IPv4-to-IPv6 destination address translation policy AFT compares an IPv4 packet with IPv4-to-IPv6 destination address translation policies in the following order: AFT mappings for IPv6 internal servers. IPv6-to-IPv4 source address static mappings. IPv4-to-IPv6 destination address dynamic translation policies. To configure an IPv4-to-IPv6 destination address translation policy: Step Command Remarks...

  • Page 451: Configuring Aft Logging

    Step Command Remarks • Configure an IPv4-to-IPv6 source address dynamic translation policy: aft v4tov6 source acl { number acl-number | name acl-name } prefix-nat64 prefix-nat64 prefix-length [ vpn-instance vpn-instance-name6 ] } • Configure a NAT64 prefix: aft prefix-nat64 prefix-nat64 prefix-length Configuring AFT logging For security auditing, you can configure AFT logging to record AFT session information.

  • Page 452

    Task Command Display AFT configuration. display aft configuration Display AFT address group information. display aft address-group [ group-number ] Display AFT mappings (centralized devices in display aft address-mapping standalone mode). Display AFT mappings (distributed devices in standalone mode/centralized devices in IRF display aft address-mapping [ slot slot-number ] mode).

  • Page 453: Aft Configuration Examples

    Task Command Display AFT statistics (centralized devices in display aft statistics standalone mode). Display AFT statistics (distributed devices in standalone mode/centralized devices in IRF display aft statistics [ slot slot-number ] mode). Display AFT statistics (distributed devices in IRF display aft statistics [ chassis chassis-number slot mode).

  • Page 454: Configuration Process

    Figure 160 Network diagram Configuration process # Specify IP addresses for the interfaces on the router. (Details not shown.) # Create AFT address group 0, and add the address range from 10.1.1.1 to 10.1.1.3 to the group. <Router> system-view [Router] aft address-group 0 [Router-aft-address-group-0] address 10.1.1.1 10.1.1.3 [Router-aft-address-group-0] quit # Configure IPv6 ACL 2000 to permit IPv6 packets only from subnet 2013::/96 to pass through.

  • Page 455

    # Display detailed information about IPv6 AFT sessions on the router. [Router] display aft session ipv6 verbose Initiator: Source IP/port: 2013::100/0 Destination IP/port: 2012::1401:0101/32768 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: IPV6-ICMP(58) Inbound interface: GigabitEthernet2/0/1 Responder: Source IP/port: 2012::1401:0101/0 Destination IP/port: 2013::100/33024 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: IPV6-ICMP(58) Inbound interface: GigabitEthernet2/0/2...

  • Page 456: Providing Ftp Service From An Ipv6 Network To The Ipv4 Internet

    Providing FTP service from an IPv6 network to the IPv4 Internet Network requirements As shown in Figure 161, a company upgrades the network to IPv6, and it has an IPv4 address 10.1.1.1. To allow the IPv6 FTP server to provide FTP services to IPv4 hosts, configure the following AFT policies on the router: •...

  • Page 457: Allowing Mutual Access Between Ipv4 And Ipv6 Networks

    VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/0/1 Responder: Source IP/port: 10.1.1.1/21 Destination IP/port: 20.1.1.1/11025 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/0/2 State: TCP_ESTABLISHED Application: FTP Start time: 2014-03-13 09:07:30 TTL: 3577s Initiator->Responder: 3 packets 124 bytes...

  • Page 458

    • Configure a NAT64 prefix to translate source IPv4 addresses of packets initiated by the IPv4 network to IPv6 addresses. Figure 162 Network diagram Configuration procedure # Specify IP addresses for the interfaces on the router. The IPv6 addresses for IPv6 hosts are calculated by the IVI prefix 2013::/32 and IPv4 addresses in the range of 20.1.1.0/24.

  • Page 459: Allowing Ipv6 Internet Access From An Ipv4 Network

    Initiator: Source IP/port: 2013:0:FF14:0101:0100::/0 Destination IP/port: 2012::0a01:0101/32768 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: IPV6-ICMP(58) Inbound interface: GigabitEthernet2/0/2 Responder: Source IP/port: 2012::0a01:0101/0 Destination IP/port: 2013:0:FF14:0101:0100::/33024 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: IPV6-ICMP(58) Inbound interface: GigabitEthernet2/0/1 State: ICMPV6_REPLY Application: OTHER Start time: 2014-03-13 08:52:59 TTL: 23s Initiator->Responder: 4 packets...

  • Page 460

    To allow IPv4 hosts to access the IPv6 server in the IPv6 Internet, configure the following AFT policies on the router: • Configure an IPv4-to-IPv6 source address dynamic translation policy. • Configure an IPv6-to-IPv4 source address static mapping for the IPv6 server. Figure 163 Network diagram Configuration procedure # Specify IP addresses for the interfaces on the router.

  • Page 461

    [Router] display aft session ipv4 verbose Initiator: Source IP/port: 10.1.1.1/1025 Destination IP/port: 20.1.1.1/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet2/0/1 Responder: Source IP/port: 20.1.1.1/1025 Destination IP/port: 10.1.1.1/0 DS-Lite tunnel peer: - VPN instance/VLAN ID/VLL ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet2/0/2 State: ICMP_REPLY...

  • Page 462: Providing Ftp Service From An Ipv4 Network To The Ipv6 Internet

    Providing FTP service from an IPv4 network to the IPv6 Internet Network requirements As shown in Figure 164, a company deploys an IPv4 network, and it has an IPv6 address 2012::1. The Internet migrates to IPv6. To allow the IPv4 FTP server to provide FTP services to IPv6 hosts, configure the following AFT policies on the router: •...

  • Page 463

    # Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv4 network. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] aft enable [Router-GigabitEthernet2/0/2] quit Verifying the configuration # Verify the connectivity between the IPv6 hosts and the IPv4 FTP server. For example, ping the IPv4 FTP server from IPv6 host A.

  • Page 464

    Protocol: TCP(6) Inbound interface: GigabitEthernet2/0/2 State: TCP_ESTABLISHED Application: FTP Start time: 2014-03-13 09:07:30 TTL: 3577s Initiator->Responder: 3 packets 124 bytes Responder->Initiator: 2 packets 108 bytes Total sessions found: 1...

  • Page 465: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.

  • Page 466: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 467: Support And Other Resources

    Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.

  • Page 468: Documentation Feedback

    Websites Website Link Networking websites Hewlett Packard Enterprise Information Library for www.hpe.com/networking/resourcefinder Networking Hewlett Packard Enterprise Networking website www.hpe.com/info/networking Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty General websites Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs Hewlett Packard Enterprise Support Center...

  • Page 469

    part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.

  • Page 470: Index

    Index DHCP gateway bind to common MAC address, Numerics DHCP IP address allocation sequence, DHCP IP address conflict detection, 1NAT configuration (static outbound 1\1), DHCP IP address lease extension, technology, DHCP relay address pool, DHCP server address pool, 6to4 relay, DHCP server address pool creation, relay configuration, DHCP server address pool IP address range,...

  • Page 471

    IPv6-to-IPv4 source address translation policy advertising configuration, ARP direct route advertisement configuration, NAT configuration, 123, 129, IP services IRDP proxy-advertised IP address, NAT configuration IP services IRDP router advertisement (RA), (bidirectional/external-internal access/domain ADVPN name), AAA configuration, NAT configuration (dynamic inbound), configuration, 332, 337, NAT configuration (dynamic outbound), connection initialization,...

  • Page 472

    VAM server configuration, alarm DHCP address pool usage alarm, VAM server enable, IP addressing DHCP address pool usage alarm, VAM server encryption algorithm, VAM server keepalive parameters AFT support, configuration, NAT support, VAM server port number, NAT+ALG configuration, VAM server pre-shared key, VAM server retry timer configuration, algorithm ADVPN VAM server authentication algorithm...

  • Page 473

    gratuitous ARP IP conflict notification, ADVPN VAM server authentication algorithm, gratuitous ARP packet learning, ADVPN VAM server authentication method, gratuitous ARP periodic packet send, ADVPN VAM server configuration, local proxy ARP enable, auto automatic IPv4-compatible IPv6 tunnel, 297, logging enable, DHCP automatic address allocation, long static entry configuration, DHCP binding auto backup,...

  • Page 474

    DHCP snooping Option 82 support, broadcast DHCP server response broadcast, DHCP voice client Option 184 parameters, UDP helper broadcast to multicast DHCPv6 address pool, conversion, 197, DHCPv6 client packet DSCP value, UDP helper broadcast to unicast DHCPv6 configuration, 264, 264, conversion, 196, DHCPv6 IA, UDP helper configuration, 196,...

  • Page 475

    DHCPv6 snooping command and hardware AFT logging, compatibility, ARP, 1, IPv6 basics, ARP direct route advertisement, NAT command and hardware ARP dynamic entry aging timer, compatibility, ARP fast-reply, 15, tunneling command and hardware ARP long static entry, compatibility, 292, ARP PnP, 17, tunneling feature and hardware ARP short static entry, compatibility, 292,...

  • Page 476

    DHCP snooping basics, 86, gratuitous ARP, 9, DHCP snooping Option 82, GRE, 318, DHCP snooping Option 82 configuration, GRE/IPv4 tunnel, DHCP user class whitelist, GRE/IPv6 tunnel, DHCP voice client Option 184 parameters, IP addressing, 24, 27, DHCPv6 binding auto backup, IP addressing IP unnumbered, 26, DHCPv6 client, 264, 264, IP forwarding load sharing,...

  • Page 477

    IPv6 global unicast address, NAT server (external-internal access/domain name), IPv6 ICMPv6 error message rate limit, NAT server (load sharing), 135, IPv6 interface link-local address automatic generation, NAT session logging, IPv6 interface MTU, NAT+ALG, IPv6 link-local address, NAT+DNS mapping, 137, IPv6 load sharing (bandwidth-based), NAT444 (DS-Lite), 136, IPv6 max number NS message sent per-packet or per-flow load sharing,...

  • Page 478

    configuration, 116, DNS proxy, configuration (PeanutHull server), DNS proxy configuration, configuration (www.3322.org), DNS spoofing, display, DNS spoofing configuration, outgoing packet DSCP value, DNS trusted interface, server, IP addressing configuration, 27, IP addressing IP unnumbered configuration, deleting all WAAS settings, IP forwarding, destination address IP forwarding load sharing, IPv4-to-IPv6 destination address translation...

  • Page 479

    BOOTP client configuration, 93, Option 82 (relay agent);Option 082 (relay agent), 34, BOOTP client display, option customization, BOOTP client dynamic IP address acquisition, options (common), BOOTP protocols and standards, options (custom), client auto-configuration file, overview, client BIMS server information, protocols and standards, client configuration, 78, relay agent client gateway address, client display,...

  • Page 480

    snooping. See client stateless DHCPv6, DHCP snooping troubleshoot relay agent configuration, client stateless DHCPv6 configuration, troubleshoot server configuration, client subnet advertisement, user class whitelist configuration, concepts, voice client Option 184 parameters, DHCPv6 binding auto backup, DHCPv6 feature and hardware compatibility, DHCP snooping basic configuration, DUID,...

  • Page 481

    DHCPv6-REQUEST check, configuration, 95, display, DDNS configuration, 116, maintain, DDNS configuration (PeanutHull server), Option 18 configuration;Option 018 DDNS configuration (www.3322.org), configuration, DDNS outgoing packet DSCP value, Option 18;Option 018, DHCP client domain name suffix, Option 37 configuration;Option 037 DHCP client server, configuration, dynamic domain name resolution, Option 37;Option 037,...

  • Page 482

    ADVPN VAM server configuration, DHCPv6 server dynamic IPv6 address assignment, DHCP client domain name suffix, DHCPv6 server dynamic IPv6 prefix name system. Use assignment, DNS domain name resolution, compression process, IPv4 DNS client dynamic domain name decompression process, resolution, 99, WAAS policy configuration, IPv6 DNS client dynamic domain name DSCP...

  • Page 483

    gratuitous ARP IP conflict notification, DHCP server user class, IPPO directed broadcast receive/forward, DHCP server user class whitelist, IPPO ICMP error message send, DHCP snooping basic configuration, IPPO IPv4 local fragment reassembly, DHCPv6 client configuration, 264, IPPO TCP SYN cookie, DHCPv6 client IPv6 address acquisition configuration, IPv6 ICMPv6 destination unreachable...

  • Page 484

    IP forwarding, DHCP relay agent source/gateway address, IP forwarding load sharing, DHCPv6 client gateway address, IP forwarding table entries, DS-Lite NAT444, IP routing table, NAT configuration, 123, 129, per-packet or per-flow load sharing, NAT configuration (bidirectional/external-internal access/domain name), FIN wait timer, NAT configuration (dynamic inbound), flow classification configuration,...

  • Page 485

    troubleshoot hosts cannot ping each other, IPPO ICMP error message rate limit, tunnel operation, IPPO ICMP error message send, IPPO ICMP packet source address group ADVPN hub group configuration, specification, IRDP configuration, 182, Router Discovery Protocol. Use IRDP hairpin ICMPv6 NAT hairpin C/S, IP services destination unreachable message, NAT hairpin configuration,...

  • Page 486

    AFT configuration (between IPv4 network and DHCP address pool, IPv6 network), DHCP address pool usage alarm, AFT configuration (IPv4 Internet to IPv6 DHCP address pool VPN application, server), DHCP binding auto backup, AFT configuration (IPv4 network to IPv6 DHCP BOOTP client configuration, 93, Internet), DHCP BOOTP client dynamic IP address AFT configuration (IPv6 Internet to IPv4...

  • Page 487

    DHCPv6 server network parameters (address IPv6 ICMPv6 redirect message, pool), IPv6 ICMPv6 time exceeded message, DHCPv6 server network parameters (option IPv6 interface address assignment, group), IPv6 interface MTU, DHCPv6 server network parameters IPv6 link-local address configuration, assignment, IPv6 max number NS message sent attempts, DHCPv6 snooping IPv6 multicast echo request reply, configuration, 274, 276,...

  • Page 488

    NAT configuration (dynamic), IP routing bandwidth load sharing, NAT configuration (outbound bidirectional), IP forwarding load sharing, NAT configuration (static inbound 1\1), per-packet or per-flow load sharing, NAT configuration (static inbound IP service net-to-net), AFT process, NAT configuration (static outbound AFT process from IPv4 to IPv6, 1\1), 129, AFT process from IPv6 to IPv4, NAT configuration (static outbound...

  • Page 489

    AFT configuration, 429, 433, DHCP address pool, AFT configuration (between IPv4 network and DHCP address pool application on interface, IPv6 network), DHCP address pool usage alarm, AFT configuration (IPv4 Internet to IPv6 DHCP address pool VPN application, server), DHCP binding auto backup, AFT configuration (IPv4 network to IPv6 DHCP BOOTP application, Internet),...

  • Page 490

    DHCP server address pool, 40, DHCPv6 client maintain, DHCP server address pool IP address range, DHCPv6 client stateless, DHCP server client offline detection, DHCPv6 client subnet advertisement, DHCP server compatibility configuration, DHCPv6 concepts, DHCP server configuration, 37, 39, DHCPv6 configuration, DHCP server display, DHCPv6 IPv6 address assignment, DHCP server enable on interface,...

  • Page 491

    DNS trusted interface, IPv6 fast forwarding aging time configuration, DS-Lite tunnel configuration, 311, IPv6 fast forwarding configuration, dynamic NAT configuration restrictions, IPv6 fast forwarding load sharing configuration, enable IPv6 direct route advertisement, IPv6 features, fast forwarding aging time configuration, IPv6 ICMPv6 destination unreachable fast forwarding configuration, message, fast forwarding load sharing configuration,...

  • Page 492

    maintaining fast forwarding, proxy ARP display, maintaining IPv6 basics, special IP addresses, maintaining IPv6 fast forwarding, stateless DHCPv6, NAT configuration, 123, 129, troubleshooting DHCP relay agent configuration, NAT configuration (bidirectional/external-internal access/domain troubleshooting DHCP server configuration, name), troubleshooting GRE, NAT configuration (dynamic inbound), troubleshooting GRE hosts cannot ping each NAT configuration (dynamic outbound), other,...

  • Page 493

    TCP buffer size, IPv6/IPv4 manual tunnel configuration, 294, TCP path MTU discovery, IPv6/IPv4 tunnel types, TCP SYN cookie, IPv6/IPv4 tunneling implementation, TCP timer, ISATAP tunnel configuration, 303, ISATAP tunneling, IPsec ADVPN tunnel IPsec configuration, special IP addresses, GRE application, tunneling configuration, 284, IP-to-MAC IPv4 address DHCP snooping configuration, 83, 85,...

  • Page 494

    features, ND neighbor reachability detection, global unicast address configuration, ND protocol, GRE application, ND protocol address resolution, GRE encapsulation format, ND proxy enable, GRE/IPv6 tunnel configuration, ND redirection, ICMPv6 destination unreachable message, ND router/prefix discovery, ICMPv6 error message rate limit, ND stale state entry aging timer, ICMPv6 message send, ND stateless address autoconfiguration,...

  • Page 495

    AFT configuration, DHCP snooping basic configuration, DHCPv6 client configuration, 264, 264, IPv6 packet AFT Traffic Class field setting, DHCPv6 client IPv6 address acquisition configuration, IRDP basic concepts, DHCPv6 client IPv6 address+prefix acquisition configuration, configuration, 182, 183, DHCPv6 client IPv6 prefix acquisition operation, configuration, protocols and standards,...

  • Page 496

    ARP configuration, 1, NAT444 configuration (DS-Lite), 136, ARP direct route advertisement configuration, masking IP addressing, ARP dynamic entry check enable, ARP fast-reply configuration, 15, maximum segment size. Use message ARP long static entry configuration, ARP configuration, 1, ARP short static entry configuration, ARP direct route advertisement configuration, ARP suppression configuration, 20, ARP fast-reply configuration, 15,...

  • Page 497

    IPv6 address, ALG configuration, IPv6 address type, ALG support, IPv6 multicast echo request reply, bidirectional NAT, UDP helper broadcast to multicast configuration, 123, 129, conversion, configuration (bidirectional/external-internal UDP helper configuration, access/domain name), UDP helper multicast to broadcast/unicast configuration (dynamic inbound), conversion, configuration (dynamic outbound), multi-hub-group...

  • Page 498

    server configuration (external-internal ADVPN configuration (IPv4 full-mesh NAT access/domain name), traversal), server configuration (load sharing), 135, ADVPN configuration (IPv4 full-mesh), session entry, ADVPN configuration (IPv4 hub-spoke), session logging configuration, ADVPN configuration (IPv4 multi-hub-group), static NAT, ADVPN configuration (IPv6 full-mesh), ADVPN configuration (IPv6 hub-spoke), terminology, traditional NAT, ADVPN configuration (IPv6 multi-hub-group),...

  • Page 499

    DHCP client packet DSCP value, DHCPv6 IPv6 address/prefix allocation sequence, DHCP client server specification, DHCPv6 IPv6 prefix assignment, DHCP relay address pool, DHCPv6 packet DSCP value, DHCP relay agent client gateway address, DHCPv6 prefix allocation, DHCP relay agent enable on interface, DHCPv6 relay address pool configuration, DHCP relay agent packet DSCP value, DHCPv6 relay agent enable on interface,...

  • Page 500

    GRE application scenarios, IPv6 DNS client static domain name resolution, GRE/IPv4 tunnel configuration, IPv6 DNS proxy configuration, GRE/IPv6 tunnel configuration, IPv6 dual stack technology, IP address classes, IPv6 dynamic path MTU aging timer, IP addressing configuration, IPv6 global unicast address, IP addressing interface address, IPv6 ICMPv6 destination unreachable message,...

  • Page 501

    ISATAP tunnel configuration, 303, Network Address Translation-Protocol Translation. NAT-PT Layer 3 virtual tunnel interface, network management NAT configuration adjacency table display, (bidirectional/external-internal access/domain adjacency table displaying commands, name), ADVPN configuration, 332, 337, NAT configuration (dynamic inbound), ADVPN structure, NAT configuration (dynamic outbound), AFT configuration, 429, 433, NAT configuration (dynamic ARP configuration, 1,...

  • Page 502

    IPv6 DNS configuration, DHCP field, IPv6 fast forwarding aging time DHCP option customization, configuration, DHCP server option customization, IPv6 fast forwarding configuration, DHCPv6 relay agent Interface-ID option IPv6 fast forwarding load sharing padding, configuration, Option 121 (DHCP), IPv6 ND suppression configuration, Option 150 (DHCP), NAT configuration, 123, 129, Option 18;Option 018...

  • Page 503

    DDNS outgoing packet DSCP value, IPv6 max number NS message sent attempts, DHCP client packet DSCP value, IPv6 multicast echo request reply, DHCP server packet DSCP value, IPv6 NAT-PT technology, DHCPv6 client packet DSCP value, IPv6 ND configuration, DHCPv6 packet DSCP value, IPv6 ND duplicate address detection, DNS packet source interface, IPv6 ND dynamic neighbor entries max...

  • Page 504

    NAT server configuration (external-internal ADVPN VAM server port number, access/domain name), DHCP snooping trusted port, NAT server configuration (load sharing), DHCP snooping untrusted port, NAT translation control, DHCPv6 snooping basic configuration, NAT+ALG configuration, DHCPv6 snooping configuration, 274, 276, NAT+DNS mapping configuration, DHCPv6 snooping Option 18 configuration, NAT444 configuration (DS-Lite), DHCPv6 snooping Option 37 configuration,...

  • Page 505

    binding DHCP gateways to common MAC configuring ARP dynamic entry aging timer, address, configuring ARP fast-reply, configuring 6to4 relay, configuring ARP long static entry, configuring 6to4 tunnel, 298, configuring ARP PnP, configuring ADVPN, configuring ARP short static entry, configuring ADVPN (IPv4 full-mesh NAT configuring ARP static entry, traversal), configuring ARP suppression,...

  • Page 506

    configuring DHCP snooping entry auto configuring DS-Lite tunnel, 311, backup, configuring gratuitous ARP, configuring DHCP snooping Option 82, 86, configuring GRE/IPv4 tunnel, configuring DHCP user class whitelist, configuring GRE/IPv6 tunnel, configuring DHCP voice client Option 184 configuring IP addressing, parameters, configuring IP addressing IP unnumbered, 26, configuring DHCPv6 binding auto backup, configuring IP services IRDP, 183,...

  • Page 507

    configuring IPv6 interface link-local address configuring NAT hairpin, automatic generation, configuring NAT hairpin (C/S mode), configuring IPv6 interface MTU, configuring NAT hairpin (P2P mode), configuring IPv6 link-local address, configuring NAT server, configuring IPv6 load sharing configuring NAT server (ACL-based), (bandwidth-based), configuring NAT server (common), configuring IPv6 max number NS message sent configuring NAT server (external-internal...

  • Page 508

    displaying DHCP snooping, enabling DHCP-REQUEST message attack protection, displaying DHCPv6 client, enabling DHCPv6 relay agent on interface, displaying DHCPv6 server, enabling DHCPv6-REQUEST check, displaying GRE, enabling direct route advertisement, displaying IP addressing, enabling gratuitous ARP IP conflict notification, displaying IP forwarding FIB table entries, enabling IPPO directed broadcast displaying IP services DHCPv6 relay agent, receive/forward,...

  • Page 509

    setting ADVPN VAM client retry specifying DHCPv6 relay agent Interface-ID option timer/times, padding mode, setting ADVPN VAM client specifying DHCPv6 relay agent server, username+password, specifying DNS packet source interface, setting ARP dynamic entry max (device), specifying flow classification policy, setting ARP dynamic entry max (interface), specifying IPPO ICMP packet source address, setting DDNS outgoing packet DSCP value, specifying IPv6 ICMPv6 packet source address,...

  • Page 510

    DNS proxy configuration, DHCP relay agent configuration, DNS spoofing, DHCP relay agent Option 82, DNS spoofing configuration, DHCP relay agent packet DSCP value, IP services IRDP proxy-advertised IP DHCP relay agent source/gateway address, address, DHCP relay entry periodic refresh, IPv4 DNS proxy configuration, DHCP relay entry recording, IPv6 DNS proxy configuration, DHCP security functions,...

  • Page 511

    IP addressing IP unnumbered, restrictions DHCPv6 client configuration, IP addressing IP unnumbered configuration, dynamic NAT configuration, IP addressing masking, UDP helper configuration, IP addressing subnetting, IP forwarding, retry ADVPN VAM client retry timer/times, IP forwarding optimal route selection, ADVPN VAM server retry timer IP services fast forwarding aging time configuration, configuration,...

  • Page 512

    DHCP relay agent relay entry recording, DHCP server IP address dynamic assignment, DHCP relay agent security functions, DHCP server IP address static assignment, DHCP relay agent starvation attack DHCP server option customization, protection, DHCP server packet DSCP value, DHCP snooping basic configuration, DHCP server response broadcast, DHCP snooping configuration, 83, 85, DHCP server subnet,...

  • Page 513

    DNS outgoing packet DSCP value, DHCPv6 relay agent server, IPv6 ND dynamic neighbor entries max DNS packet source interface, number, flow classification policy, IPv6 ND hop limit, IPPO ICMP packet source address, IPv6 ND stale state entry aging timer, IPv6 ICMPv6 packet source address, snooping IPv6 interface link-local address manually, DHCP snooping configuration, 83, 85,...

  • Page 514

    configuring blacklist autodiscovery, suffix DHCP client domain name suffix, congestion algorithm optimization, DNS client, increased buffering, DNS trusted interface, selective acknowledgement, slow start optimization, suppressing ARP suppression configuration, WAAS policy configuration, switch time IPv6 ND suppression configuration, IP services ICMPv6 time exceeded message, timer IPPO TCP SYN cookie enable, ADVPN VAM client dumb timer, 344,...

  • Page 515

    ADVPN configuration, 332, 337, type bidirectional NAT, ADVPN configuration (IPv4 full-mesh NAT traversal), NAT Easy IP, ADVPN configuration (IPv4 full-mesh), NAT EIM entry, ADVPN configuration (IPv4 hub-spoke), NAT NO-PAT entry, ADVPN configuration (IPv4 NAT session entry, multi-hub-group), traditional NAT, ADVPN configuration (IPv6 full-mesh), twice NAT, ADVPN configuration (IPv6 hub-spoke), ADVPN configuration (IPv6...

  • Page 516

    ADVPN configuration (IPv4 hub-spoke), DHCPv6 client IPv6 address+prefix acquisition configuration, ADVPN configuration (IPv4 multi-hub-group), DHCPv6 client IPv6 prefix acquisition configuration, ADVPN configuration (IPv6 full-mesh), DHCPv6 client stateless DHCPv6 configuration, ADVPN configuration (IPv6 hub-spoke), DHCPv6 relay agent configuration, ADVPN configuration (IPv6 multi-hub-group), DHCPv6 snooping configuration, 274, 276, ADVPN domain creation,...

  • Page 517

    protocols and standards, restoring all WAAS settings, TFO, TFO blacklist autodiscovery configuration, TFO congestion algorithm optimization, TFO increased buffering, TFO parameter configuration, TFO selective acknowledgement, TFO slow start optimization, user-defined WAAS policy configuration, WAAS class configuring, WAAS policy configuring, predefined WAAS policy configuration, TFO congestion algorithm optimization, TFO increased buffering, TFO selective acknowledgement,...

Comments to this Manuals

Symbols: 0
Latest comments: