Configuring ARP

Overview

ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format

ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

•...
All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows: a.
• Long static ARP entry—It contains the IP address, MAC address, and one of the following combinations:
  • VLAN and output interface.
  • Receiving and output interfaces.
  A long static ARP entry is directly used for forwarding packets.
• Short static ARP entry—It contains only the IP address and MAC address. If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward packets.
Long static ARP entries can be effective or ineffective. Ineffective long static ARP entries cannot be used for packet forwarding. A long static ARP entry is ineffective when any of the following conditions exists:
• The corresponding VLAN interface or output interface is down.
•...
Setting the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.
To enable dynamic ARP entry check:

Step: Enter system view.
Command: system-view

Step: Enable dynamic ARP entry check.
Command: arp check enable
Remarks: By default, dynamic ARP entry check is enabled.

Enabling ARP logging

This feature enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:
•...
Configuration procedure

# Create VLAN 10.
<RouterB> system-view
[RouterB] vlan 10
[RouterB-vlan10] quit

# Add interface GigabitEthernet 2/0/1 to VLAN 10.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] port access vlan 10
[RouterB-GigabitEthernet2/0/1] quit

# Create VLAN-interface 10 and configure its IP address.
[RouterB] interface vlan-interface 10
[RouterB-vlan-interface10] ip address 192.168.1.2 8
[RouterB-vlan-interface10] quit...
Configuration procedure

# Configure an IP address for GigabitEthernet 2/0/2.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 192.168.1.2 24
[RouterB-GigabitEthernet2/0/2] quit

# Configure a short static ARP entry that has IP address 192.168.1.1 and MAC address 00e0-fc01-001f.
[RouterB] arp static 192.168.1.1 00e0-fc01-001f

Verifying the configuration

# Verify that Router B has a short static ARP entry for Router A.
Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device....
• Update MAC entries of devices in the VLANs having ambiguous Dot1q or QinQ termination configured. In VRRP configuration, if ambiguous Dot1q or QinQ termination is configured for multiple VLANs and VRRP groups, interfaces configured with VLAN termination must be disabled from transmitting broadcast/multicast packets.
Enabling IP conflict notification

By default, if the sender IP address of an ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request. It also displays an error message after it receives an ARP reply about the conflict. You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conflict confirmation....
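The gratuitous ARP rule (sender IP equals target IP) and the IP conflict condition (another device using the receiver's own IP address as the sender IP) can be checked over captured ARP bodies. The following Python sketch is an added example, not code from the manual; the function names, finding labels, and all sample addresses are constructed for illustration, and the field layout is the standard Ethernet/IPv4 ARP body from RFC 826.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # Gratuitous ARP: sender IP and target IP are both the sender's address.
        return self.sender_ip == self.target_ip


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse the 28-byte Ethernet/IPv4 ARP body (RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if opcode not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("unexpected ARP opcode")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpPacket(opcode, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an ARP body; used only to construct the sample input below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(part) for part in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


def audit(payloads, local_ip, local_mac):
    """Return (kind, detail, mac) findings for a sequence of ARP bodies."""
    bindings = {local_ip: local_mac}      # IP -> MAC learned so far
    findings = []
    for raw in payloads:
        try:
            pkt = parse_arp(raw)
        except ValueError as exc:
            findings.append(("malformed", str(exc), ""))
            continue
        if pkt.sender_ip == "0.0.0.0":    # address probe, carries no binding
            continue
        if pkt.sender_ip == local_ip and pkt.sender_mac != local_mac:
            # Another station is using the receiving device's own IP address.
            findings.append(("local-ip-conflict", pkt.sender_ip, pkt.sender_mac))
            continue
        known = bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            kind = "gratuitous-rebind" if pkt.gratuitous else "rebind"
            findings.append((kind, pkt.sender_ip, pkt.sender_mac))
        bindings[pkt.sender_ip] = pkt.sender_mac
    return findings


# Constructed sample traffic (not taken from the manual).
LOCAL_IP, LOCAL_MAC = "10.0.0.1", "02:00:00:00:00:01"
ZERO, BCAST = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build_arp(ARP_REQUEST, "02:00:00:00:00:0a", "10.0.0.10", ZERO, "10.0.0.10"),
    build_arp(ARP_REQUEST, "02:00:00:00:00:14", "10.0.0.20", ZERO, "10.0.0.1"),
    build_arp(ARP_REPLY, "02:00:00:00:00:63", "10.0.0.10", BCAST, "10.0.0.10"),
    build_arp(ARP_REQUEST, "02:00:00:00:00:63", "10.0.0.1", ZERO, "10.0.0.20"),
    b"\x00\x01\x08\x00",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, LOCAL_IP, LOCAL_MAC):
        print(finding)
```

A rebind learned from a gratuitous packet is reported separately because such a packet updates caches without any request having been sent for that address.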
Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain. Proxy ARP includes common proxy ARP and local proxy ARP....
Task: Display common proxy ARP status.
Command: display proxy-arp [ interface interface-type interface-number ]

Task: Display local proxy ARP status.
Command: display local-proxy-arp [ interface interface-type interface-number ]

Common proxy ARP configuration example

Network requirements

As shown in Figure 5, Host A and Host D have the same prefix and mask, but they are located on different subnets....
Configuring ARP snooping

This feature is supported only on the following ports:
• Layer 2 Ethernet ports on Ethernet switching modules.
• Fixed Layer 2 Ethernet ports of MSR2004-24 and MSR2004-48 routers.

Overview

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets....
Configuring ARP fast-reply

Overview

ARP fast-reply enables a device to directly answer ARP requests according to DHCP snooping entries or ARP snooping entries. ARP fast-reply functions in a VLAN. For information about DHCP snooping, see "Configuring DHCP snooping."

If the target IP address of a received ARP request is the IP address of the VLAN interface, the device delivers the request to the ARP module....
Configuring ARP PnP

Overview

The ARP plug and play (PnP) feature is typically configured on a gateway. This feature allows end users to access the gateway without changing their IP addresses on subnets different from the subnet where the gateway resides. After ARP PnP is enabled on an interface, it provides the following functions:
•...
Step Command Remarks

Step: interface that connects to the internal network.
Command: interface-number
Remarks: supported:
• Layer 3 Ethernet interfaces.
• Layer 3 Ethernet subinterfaces.

Step: Enable the ARP PnP feature.
Command: arp pnp
Remarks: By default, the ARP PnP feature is disabled.

Displaying and maintaining ARP PnP

Execute display commands in any view....
[Router] nat address-group 1
[Router-nat-address-group-1] address 202.38.1.100 202.38.1.100
[Router-nat-address-group-1] quit

# Enable outbound PAT on interface GigabitEthernet 1/0/2 to translate the source address of outgoing packets matching ACL 2000 into the address in address group 1.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat outbound 2000 address-group 1

Enable the ARP PnP feature on GigabitEthernet 1/0/1....
Configuring ARP suppression

Overview

The ARP suppression feature enables a device to directly answer ARP requests by using ARP suppression entries. The device generates ARP suppression entries based on dynamic ARP entries that it learns. This feature is typically configured on the PEs connected to base stations in an MPLS L2VPN that provides access to an L3VPN network....
Step Command Remarks

group view.

Step: Return to system view.
Command: quit

Step: (Optional.) Enable the ARP suppression push feature and set a push interval.
Command: arp suppression push interval interval
Remarks: By default, the ARP suppression push feature is disabled.

Displaying and maintaining ARP suppression

Execute display commands in any view and reset commands in user view....
Configuration procedure

Configure IP addresses for the interfaces, and make sure the base station can reach the L3VE interface VE-L3VPN 1 of Router B. (Details not shown.)

Configure ARP suppression on Router A:

# Create a cross-connect group named vpna and create a cross-connect named svc in the group....
Configuring ARP direct route advertisement

Overview

The ARP direct route advertisement feature advertises host routes instead of advertising the network route. This feature is typically configured on PE-aggs to advertise host routes to the connected PEs in the L3VPN. Figure 10 shows a typical application scenario where the PE in the L3VPN has ECMP routes destined to a base station in the L2VPN....
Configuring IP addressing

The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified. This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter....
Class Address range Remarks

address 255.255.255.255.

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network....
Typically, you need to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

Configuration guidelines

Follow these guidelines when you assign an IP address to an interface:
•...
Configuration prerequisites

Assign an IP address to the interface from which you want to borrow the IP address. Alternatively, you can configure the interface to obtain one through BOOTP, DHCP, or PPP address negotiation.

Configuration procedure

To configure IP unnumbered on an interface:

Step Command Remarks...
Figure 13 Network diagram

Configuration procedure

# Assign a primary IP address and a secondary IP address to GigabitEthernet 1/0/1.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 172.16.1.1 255.255.255.0
[Router-GigabitEthernet1/0/1] ip address 172.16.2.1 255.255.255.0 sub

# Set the gateway address to 172.16.1.1 on the PCs attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to subnet 172.16.2.0/24....
--- Ping statistics for 172.16.2.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms

# Verify the connectivity between a host on subnet 172.16.1.0/24 and a host on subnet 172.16.2.0/24. The ping operation succeeds.

IP unnumbered configuration example

Network requirements

As shown in...
# Configure interface Serial 2/1/1 to borrow an IP address from GigabitEthernet 1/0/1.
[RouterB] interface serial 2/1/1
[RouterB-Serial2/1/1] ip address unnumbered interface gigabitethernet 1/0/1
[RouterB-Serial2/1/1] quit

# Configure a static route to the subnet attached to Router A, specifying Serial 2/1/1 as the outgoing interface....
DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 15 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent....
IP address allocation process

Figure 16 IP address allocation process

As shown in Figure 16, a DHCP server assigns an IP address to a DHCP client in the following process:

The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.

Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message....
If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast.

DHCP message format

Figure 17 shows the DHCP message format....
DHCP options

DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients.

Figure 18 DHCP option format

Common DHCP options

The following are common DHCP options:
•...
• Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.
• PXE server address, which is used to obtain the boot file or other control information from the PXE server....
Relay agent option (Option 82)

Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server....
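The options field and Option 82 described above can be decoded with a small type-length-value parser. This Python sketch is an added example, not code from the manual; it assumes the standard encodings from RFC 2132 (one-byte code, one-byte length, Pad 0, End 255) and RFC 3046 (Option 82 sub-options 1 Circuit ID and 2 Remote ID), and the function names and sample byte strings are constructed for illustration.

```python
PAD, END, MSG_TYPE, RELAY_AGENT_INFO = 0, 255, 53, 82
CIRCUIT_ID, REMOTE_ID = 1, 2          # Option 82 sub-options (RFC 3046)


def read_tlv(data: bytes, pos: int):
    """Read one code/length/value triple at pos; return (code, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError(f"option header truncated at offset {pos}")
    code, length = data[pos], data[pos + 1]
    end = pos + 2 + length
    if end > len(data):
        raise ValueError(f"option {code} overruns the field by {end - len(data)} byte(s)")
    return code, data[pos + 2:end], end


def parse_options(field: bytes) -> dict:
    """Decode a DHCP options field (after the magic cookie) into {code: value}."""
    options = {}
    pos = 0
    while pos < len(field):
        if field[pos] == PAD:          # Pad has no length byte
            pos += 1
            continue
        if field[pos] == END:          # End terminates the field
            return options
        code, value, pos = read_tlv(field, pos)
        # A repeated option code is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
    raise ValueError("options field has no End option (255)")


def parse_option82(value: bytes) -> dict:
    """Decode the sub-options carried inside Option 82."""
    subs = {}
    pos = 0
    while pos < len(value):
        code, sub, pos = read_tlv(value, pos)
        subs[code] = sub
    return subs


def relay_info(field: bytes):
    """Return Option 82 sub-options, or None when the message has no Option 82."""
    options = parse_options(field)
    if RELAY_AGENT_INFO not in options:
        return None
    return parse_option82(options[RELAY_AGENT_INFO])


# Constructed samples (not taken from the manual).
# DISCOVER with a pad byte and Option 82 added by a relay agent.
WITH_82 = bytes([53, 1, 1, 0,
                 82, 14,
                 1, 4, 0, 10, 0, 1,
                 2, 6, 0x02, 0, 0, 0, 0, 1,
                 255])
# REQUEST sent without a relay agent in the path.
WITHOUT_82 = bytes([53, 1, 3, 55, 2, 1, 3, 255])
# Option 82 whose Circuit ID claims 9 bytes but only 4 are present.
BAD_82 = bytes([53, 1, 1, 82, 6, 1, 9, 0, 10, 0, 1, 255])

if __name__ == "__main__":
    print(relay_info(WITH_82))
    print(relay_info(WITHOUT_82))
    try:
        relay_info(BAD_82)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting a sub-option whose length runs past the enclosing option keeps a malformed relay field from being read as location data.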
Configuring the DHCP server

Overview

The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically....
NOTE: All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range.

• Method 2—Specify a primary subnet and multiple secondary subnets in an address pool. The DHCP server selects an IP address from the primary subnet first....
NOTE: As a best practice, configure a minimum of one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.
Tasks at a glance
(Optional.) Enabling client offline detection on the DHCP server
(Optional.) Enabling DHCP logging on the DHCP server

Configuring an address pool on the DHCP server

Configuration task list

Tasks at a glance
(Required.) Creating a DHCP address pool
Perform one or more of the following tasks:
•...
Follow these guidelines when you specify a primary subnet and multiple address ranges for a DHCP address pool:
• If you use the network or address range command multiple times for the same address pool, the most recent configuration takes effect.
•...
Step Command Remarks

Step: automatic allocation globally.
Command: [ vpn-instance vpn-instance-name ]
Remarks: interface, all IP addresses in address pools are assignable. To exclude multiple IP address ranges, repeat this step.

Specifying a primary subnet and multiple secondary subnets for a DHCP address pool

If an address pool has a primary subnet and multiple secondary subnets, the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses....
Step Command Remarks

step.

Configuring a static binding in a DHCP address pool

Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool....
Step Command Remarks

Step: Enter system view.
Command: system-view

Step: Create a DHCP address pool and enter its view.
Command: dhcp server ip-pool pool-name
Remarks: By default, no DHCP address pool exists.

Step: Specify gateways.
Command: gateway-list ip-address&<1-64>
Remarks: By default, no gateway is specified.

Step: (Optional.) Enter secondary subnet view
Command: network network-address [ mask-length | mask mask ] secondary...
In addition, you must specify a NetBIOS node type for the clients to approach name resolution. There are four NetBIOS node types:
• b (broadcast)-node—A b-node client sends the destination name in a broadcast message. The destination returns its IP address to the client after receiving the message.
•...
• If the configuration file is on a TFTP server, specify the IP address or name of the TFTP server, and the configuration file name.
• If the configuration file is on an HTTP server, specify the configuration file URL.

The DHCP client uses the obtained parameters to contact the TFTP server or the HTTP server to get the configuration file....
Configuring Option 184 parameters for DHCP clients

To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184."

To configure option 184 parameters in a DHCP address pool:

Step Command Remarks...
Step Command Remarks

Step: option.
Command: hex-string | ip-address ip-address&<1-8> }
Remarks: customized in a DHCP address pool.

DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

To customize a DHCP option in a DHCP option group:

Step Command Remarks...
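Columns: Option, Option name, Corresponding command, Recommended option command parameters

Option name: TFTP server name
Corresponding command: tftp-server
Recommended option command parameters: ascii

Option name: Boot file name
Corresponding command: bootfile-name
Recommended option command parameters: ascii

Option name: Vendor Specific Information

Configuring the DHCP user class whitelist

The DHCP user class whitelist allows the DHCP server to process requests only from clients on the DHCP user class whitelist....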
Enabling the DHCP server on an interface

Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool....
• If no match is found, the server assigns an IP address and other parameters from the default DHCP address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.

For successful address assignment, make sure the applied DHCP policy and the bound address pools exist....
Step Command Remarks

conflict detection.

Step: (Optional.) Set the ping timeout time.
Command: dhcp server ping timeout milliseconds
Remarks: The default setting is 500 ms. The value 0 disables IP address conflict detection.

Enabling handling of Option 82

Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response....
Configure the DHCP server to ignore BOOTP requests

The lease duration of the IP addresses obtained by the BOOTP clients is unlimited. For some scenarios that do not allow unlimited leases, you can configure the DHCP server to ignore BOOTP requests....
Configuring DHCP binding auto backup

The auto backup feature saves bindings to a backup file and allows the DHCP server to download the bindings from the backup file at the server reboot. The bindings include the lease bindings and conflicted IP addresses. They cannot survive a reboot on the DHCP server. The DHCP server does not provide services during the download process....
Binding gateways to a common MAC address

This feature enables DHCP clients of different types to obtain different gateway IP addresses but the same MAC address. In addition to assigning gateway IP addresses to the clients, the DHCP server adds the gateway IP addresses and server's MAC address to the address management module. The ARP module can use the entries to reply to ARP requests from the clients.
Figure 23 Network diagram (figure not reproduced; its labels are Router A and Router B, each marked DHCP server and BRAS, Host A, Host B, Host C, a Layer 2 switch, a RADIUS server, the IP network, interfaces GE1/0/1 and GE1/0/2 with addresses 2.2.2.2/24 and 2.2.2.3/24, and upstream and downstream traffic)

The subnet advertising on the master device takes effect if the DHCP address pool is bound to a VSRP instance....
• The VPN information of the DHCP server's interface that receives DHCP packets from the client.

The VPN information from authentication modules takes priority over the VPN information of the receiving interface.

To apply a DHCP address pool to a VPN instance:

Step Command Remarks...
Displaying and maintaining the DHCP server

IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.

Execute display commands in any view and reset commands in user view....
The client ID of the interface GigabitEthernet 1/0/1 on Router B is: 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574.

The MAC address of the interface GigabitEthernet 1/0/1 on Router C is 000f-e200-01c0.

Figure 24 Network diagram

Configuration procedure

Specify an IP address for GigabitEthernet 1/0/1 on Router A:
<RouterA>...
# Verify that Router C can obtain IP address 10.1.1.6 and all other network parameters from Router A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.
[RouterA] display dhcp server ip-in-use
IP address       Client identifier/    Lease expiration      Type...
# Enable the DHCP server on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] dhcp select server
[RouterA-GigabitEthernet1/0/1] quit
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] dhcp select server
[RouterA-GigabitEthernet1/0/2] quit

# Exclude addresses of the DNS server, WINS server, and gateways from dynamic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
[RouterA] dhcp server forbidden-ip 10.1.1.4
[RouterA] dhcp server forbidden-ip 10.1.1.126...
                 7052-0201-2013-1e02
                 0201-9068-23
10.1.1.132       2020-1220-1102-3021-  Jan 9 10:45:11 2015   Auto(C)
                 7e52-0211-2025-3402
                 0201-9068-9a
10.1.1.133       2021-d012-0202-4221-  Jan 9 10:45:11 2015   Auto(C)
                 8852-0203-2022-55e0
                 3921-0104-31

DHCP user class configuration example

Network requirements

As shown in Figure 26, the DHCP relay agent (Router A) forwards DHCP packets between DHCP clients and the DHCP server (Router B)....
[RouterB-GigabitEthernet1/0/1] quit

# Create DHCP user class tt and configure a match rule to match DHCP requests that contain Option 82.
[RouterB] dhcp class tt
[RouterB-dhcp-class-tt] if-match rule 1 option 82
[RouterB-dhcp-class-tt] quit

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb-aab....
Figure 27 Network diagram
Configuration procedure
Specify IP addresses for the interfaces on the DHCP server. (Details not shown.)
Configure DHCP:
# Enable DHCP.
<RouterB> system-view
[RouterB] dhcp enable
# Enable DHCP server on interface GigabitEthernet 1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] dhcp select server
[RouterB-GigabitEthernet1/0/1] quit
# Create DHCP user class ss and configure a match rule to match DHCP requests in which the...
Configure two subnets in the address pool on the DHCP server: 10.1.1.0/24 as the primary subnet and 10.1.2.0/24 as the secondary subnet. The DHCP server selects an IP address from the secondary subnet when the primary subnet has no assignable addresses. Router A assigns the following parameters: •...
IP address       Client identifier/    Lease expiration      Type
                 Hardware address
10.1.1.2         0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)
                 3363-2e30-3230-352d-
                 4745-302f-30
10.1.2.2         3030-3030-2e30-3030-  Jan 14 22:25:03 2015  Auto(C)
                 662e-3030-3033-2d45-
                 7568-6572-1e
DHCP option customization configuration example
Network requirements
As shown in Figure 29, DHCP clients obtain IP addresses and PXE server addresses from the DHCP server (Router A).
[RouterA-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
[RouterA-dhcp-class-ss] quit
# Create DHCP option group 1 and customize Option 43.
[RouterA] dhcp option-group 1
[RouterA-dhcp-option-group-1] option 43 hex 800B0000020203040503030303
# Enable the DHCP server on GigabitEthernet 1/0/1.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] dhcp select server
[RouterA-GigabitEthernet1/0/1] quit
# Create DHCP address pool 0.
Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client: a. In Windows environment, execute the cmd command to enter the DOS environment. b.
Configuring the DHCP relay agent
Overview
The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet to centralize management and reduce investment. Figure 30 shows a typical application of the DHCP relay agent.
Figure 31 DHCP relay agent operation
DHCP relay agent support for Option 82
Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks:
• Locate the DHCP client for security and accounting purposes.
•...
Tasks at a glance (Optional.) Configuring the DHCP relay agent security features (Optional.) Configuring the DHCP relay agent to release an IP address (Optional.) Configuring Option 82 (Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent (Optional.) Enabling DHCP server proxy on a DHCP relay agent (Optional.)
Follow these guidelines when you specify a DHCP server address on a relay agent: • The IP address of any specified DHCP server must not reside on the same subnet as the IP address of the relay interface. Otherwise, the clients might fail to obtain IP addresses. •...
To enable the DHCP relay agent to record relay entries:
Step | Command | Remarks
Enter system view. | system-view |
Enable the relay agent to record relay entries. | dhcp relay client-information record | By default, the relay agent does not record relay entries.
NOTE: The DHCP relay agent does not record IP-to-MAC bindings for DHCP clients running on synchronous/asynchronous serial interfaces.
Configure an interface that has learned the maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. After you enable this feature, the DHCP relay agent processes a DHCP request as follows:
  Directly forwards the DHCP request if the giaddr field is not zero.
Configuring Option 82 Follow these guidelines when you configure Option 82: • To support Option 82, you must perform related configuration on both the DHCP server and relay agent. For DHCP server Option 82 configuration, see "Enabling handling of Option 82."...
Enabling DHCP server proxy on a DHCP relay agent
The DHCP server proxy feature isolates DHCP servers from DHCP clients and protects DHCP servers against attacks. Upon receiving a response from the server, the DHCP server proxy replaces the server's IP address with the relay interface's IP address before sending out the response.
Step Command Remarks By default, no DHCP relay address pool exists. This command is the same for Create a DHCP relay creating DHCP address pools on a address pool and enter its dhcp server ip-pool pool-name DHCP server. However, the relay view.
Step Command Remarks record relay entries. client-information record record relay entries. Without relay entries, client offline detection cannot function correctly. interface interface-type Enter interface view. interface-number By default, when DHCP is enabled, Enable the DHCP relay agent. dhcp select relay an interface operates in the DHCP server mode.
Step Command Remarks interface interface-type Enter interface view. interface-number By default, an interface operates in Enable the DHCP relay agent. dhcp select relay the DHCP server mode when DHCP is enabled. Return to system view. quit By default, no DHCP relay address pool exists.
# Display the statistics of DHCP packets forwarded by the DHCP relay agent.
[RouterA] display dhcp relay statistics
# Display relay entries if you have enabled relay entry recording on the DHCP relay agent.
[RouterA] display dhcp relay client-information
Option 82 configuration example
Network requirements
As shown in Figure...
• The DHCP server has an address pool on the same subnet as the DHCP clients. • The DHCP server and DHCP relay agent can reach each other. • The DHCP server address specified on the DHCP relay interface connected to the DHCP clients is correct.
Configuring the DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. Enabling the DHCP client on an interface Follow these guidelines when you enable the DHCP client on an interface: •...
Step Command Remarks DHCP client ID includes ID type and type value. Each ID type has a fixed type value. You can check the fields for the client ID to verify which type of client ID is used: • If an ASCII string is used as the client display dhcp client ID, the type value is 00.
Task Command display dhcp client [ verbose ] [ interface interface-type Display DHCP client information. interface-number ] DHCP client configuration example Network requirements As shown in Figure 34, Router B contacts the DHCP server through GigabitEthernet 1/0/1 to obtain an IP address, a DNS server address, and static route information. The DHCP client's IP address resides on subnet 10.1.1.0/24.
# Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 181401010A010102
Configure Router B:
# Configure GigabitEthernet 1/0/1 to use DHCP for IP address acquisition.
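The `option 121 hex 181401010A010102` value above is an opaque hex string, so a typo silently pushes a wrong route to every client. The following added example (not part of the original manual or of HPE's software) decodes and encodes Option 121 payloads using the RFC 3442 classless static route layout; the function names are hypothetical.

```python
"""Decode/encode DHCP Option 121 (classless static routes, RFC 3442).

Added example; function names are hypothetical, not a vendor API.
"""
import ipaddress


def decode_option_121(hex_payload):
    """Return [(IPv4Network, IPv4Address next hop), ...] from a hex string."""
    data = bytes.fromhex(hex_payload)
    routes = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        # Only the significant octets of the destination are transmitted.
        n = (prefix_len + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated route descriptor")
        dest = ipaddress.IPv4Address(data[i:i + n] + bytes(4 - n))
        i += n
        next_hop = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False zeroes any stray host bits instead of raising.
        network = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((network, next_hop))
    return routes


def encode_option_121(routes):
    """Build the hex string for a list of (network, next_hop) pairs."""
    out = bytearray()
    for network, next_hop in routes:
        net = ipaddress.IPv4Network(network)
        hop = ipaddress.IPv4Address(next_hop)
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += hop.packed
    return out.hex().upper()


if __name__ == "__main__":
    # Value taken from the configuration example on this page.
    for net, hop in decode_option_121("181401010A010102"):
        print(f"{net} via {hop}")
```

Decoding the configured value before committing it confirms that the destination matches the 20.1.1.0/24 subnet named in the comment line.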
127.255.255.255/32 Direct 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 127.0.0.1 InLoop0...
Configuring DHCP snooping
Overview
DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.
Figure 35 Trusted and untrusted ports In a cascaded network as shown in Figure 36, configure the DHCP snooping devices' ports facing the DHCP server as trusted ports. To save system resources, you can enable only the untrusted ports directly connected to the DHCP clients to record DHCP snooping entries. Figure 36 Trusted and untrusted ports in a cascaded network DHCP client Host A...
Table 5 Handling strategies
If a DHCP request has… | Handling strategy | DHCP snooping…
Option 82 | Drop | Drops the message.
Option 82 | Keep | Forwards the message without changing Option 82.
Option 82 | Replace | Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
Configuring basic DHCP snooping The following matrix shows the feature and hardware compatibility: DHCP snooping entry recording Hardware compatibility MSR954(JH296A/JH297A/JH298A/JH299A/JH373A) MSR958(JH300A/JH301A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 Follow these guidelines when you configure basic DHCP snooping: • Specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses.
Configuring Option 82 The following matrix shows the feature and hardware compatibility: Hardware Option 82 compatibility MSR954(JH296A/JH297A/JH298A/JH299A/JH373A) MSR958(JH300A/JH301A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 Follow these guidelines when you configure Option 82: • The Option 82 configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.
Step Command Remarks dhcp snooping information circuit-id (Optional.) Configure the { [ vlan vlan-id ] string circuit-id | { normal By default, the padding padding mode and padding | verbose [ node-identifier { mac | mode is normal and the format for the Circuit ID sysname | user-defined padding format is hex for...
Step Command Remarks
If no DHCP snooping entry changes, the backup file is not updated.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses.
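The MAC address check described for the relay agent, applied to the starvation pattern described above, as an added example that is not HPE's implementation. The page's description of the zero-giaddr branch is cut off, so the example assumes that branch compares chaddr with the frame's source MAC and drops on mismatch; function names and sample frames are constructed.

```python
"""MAC address check against DHCP starvation (added, illustrative example)."""
import struct
from collections import defaultdict

GIADDR_OFF, CHADDR_OFF = 24, 28   # offsets in the BOOTP header (RFC 2131)
BOOTP_MIN = 236                   # fixed header length before options


def parse_mac(text):
    """'000f-e200-01c0' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def fmt_mac(raw):
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def build_request(chaddr, giaddr=bytes(4), xid=1):
    """Construct a minimal BOOTREQUEST header (sample data only)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0)
    hdr += bytes(12)                  # ciaddr, yiaddr, siaddr
    hdr += giaddr
    hdr += chaddr.ljust(16, b"\x00")
    hdr += bytes(64 + 128)            # sname, file
    return hdr


def mac_check(src_mac, bootp):
    """Return 'forward' or 'drop' for one request seen on an interface."""
    if len(bootp) < BOOTP_MIN:
        return "drop"                 # malformed: too short to inspect
    if bootp[GIADDR_OFF:GIADDR_OFF + 4] != bytes(4):
        return "forward"              # already relayed: forwarded directly
    hlen = bootp[2]
    if hlen != len(src_mac):
        return "drop"
    chaddr = bootp[CHADDR_OFF:CHADDR_OFF + hlen]
    # Assumed branch: chaddr must equal the frame's source MAC.
    return "forward" if chaddr == src_mac else "drop"


def summarize(frames):
    """frames: iterable of (src_mac, bootp). Count verdicts per source."""
    result = {"forwarded": 0, "dropped": 0}
    seen = defaultdict(set)
    for src_mac, bootp in frames:
        verdict = mac_check(src_mac, bootp)
        result["forwarded" if verdict == "forward" else "dropped"] += 1
        if len(bootp) >= BOOTP_MIN:
            seen[fmt_mac(src_mac)].add(bootp[CHADDR_OFF:CHADDR_OFF + 6])
    result["chaddrs_per_source"] = {k: len(v) for k, v in seen.items()}
    return result


# Constructed sample: one normal client, then one source MAC that sends
# five requests, each with a different forged chaddr.
CLIENT = parse_mac("000f-e200-01c0")
FORGER = parse_mac("0200-0000-00aa")
SAMPLE_FRAMES = [(CLIENT, build_request(CLIENT))] + [
    (FORGER, build_request(parse_mac(f"0200-0000-000{n}"), xid=n))
    for n in range(1, 6)
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

A high count of distinct chaddr values behind one source MAC is the signature this check catches. Requests whose frame source MAC also changes pass it and depend on the per-interface MAC learning limit mentioned on this page.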
DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents the unauthorized clients that forge the DHCP-REQUEST messages from attacking the DHCP server. Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses.
Configuring DHCP packet rate limit The following matrix shows the feature and hardware compatibility: Hardware DHCP packet rate limit compatibility MSR954(JH296A/JH297A/JH298A/JH299A/JH373A) MSR958(JH300A/JH301A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 Perform this task to set the maximum rate at which an interface can receive DHCP packets. This feature discards exceeding DHCP packets to prevent attacks that send large numbers of DHCP packets.
DHCP packet blocking port Hardware compatibility MSR3012/3024/3044/3064 MSR4060/4080 Perform this task to configure a port as a DHCP packet blocking port. This blocking port drops all incoming DHCP requests. To configure a DHCP packet blocking port: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view.
Task Command Remarks devices in standalone mode/centralized devices in IRF mode). Display DHCP packet statistics on the display dhcp snooping packet statistics Available in any DHCP snooping device (distributed [ chassis chassis-number slot view. devices in IRF mode). slot-number ] Display information about trusted Available in any display dhcp snooping trust...
Configuring the BOOTP client BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces and VLAN interfaces. BOOTP application An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.
Step Command Remarks acquisition. acquisition. Displaying and maintaining BOOTP client Execute display command in any view. Task Command display bootp client [ interface interface-type Display BOOTP client information. interface-number ] BOOTP client configuration example Network requirements As shown in Figure 25, GigabitEthernet 1/0/1 of Router B connects to the LAN to obtain an IP address from the DHCP server by using BOOTP.
Configuring DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry. DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address.
Dynamic domain name resolution allows the DNS client to store latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires.
A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request.
Dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism. Because the DNS entry ages out immediately upon creation, the host sends another DNS request to the device to resolve the HTTP server domain name. The device operates the same as a DNS proxy. For more information, see "DNS proxy."...
Configuring dynamic domain name resolution To use dynamic domain name resolution, a DNS server address is required so that DNS queries can be sent to a correct server for resolution. In addition, you can configure a DNS suffix that the system automatically adds to the incomplete domain name that a user enters.
Step Command Remarks IPv6 address. [ interface-type interface-number ] [ vpn-instance vpn-instance-name ] Configuring the IPv6 DNS client Configuring static domain name resolution Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv6 addresses. Follow these guidelines when you configure static domain name resolution: •...
obtained, for example, through DHCP. The device first sends a DNS query to the DNS server address of the highest priority. If the first query fails, it sends the DNS query to the DNS server address of the second highest priority, and so on. •...
Step Command Remarks Enter interface view: By default, no DNS server interface interface-type address is specified. Specify a DNS server interface-number IPv4 address in Specify a DNS server IPv4 address: interface view. dns server ip-address [ vpn-instance vpn-instance-name ] ipv6 dns server ipv6-address Specify a DNS server [ interface-type interface-number ] IPv6 address.
Step Command Remarks Enter system view. system-view Enable DNS proxy. dns proxy enable By default, DNS proxy is disabled. • Specify an IPv4 address: By default, DNS spoofing is dns spoofing ip-address disabled. [ vpn-instance Enable DNS spoofing and vpn-instance-name ] specify the IP address You can specify both an IPv4 •...
Step | Command | Remarks
Enter system view. | system-view |
Specify the DNS trusted interface. | dns trust-interface interface-type interface-number | By default, no DNS trusted interface is specified. You can configure up to 128 DNS trusted interfaces.
Setting the DSCP value for outgoing DNS packets
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
Figure 42 Network diagram
Configuration procedure
# Configure a mapping between the host name host.com and the IP address 10.1.1.2.
<Sysname> system-view
[Sysname] ip host host.com 10.1.1.2
# Verify that the device can use static domain name resolution to resolve the domain name host.com into the IP address 10.1.1.2.
The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2008 R2. a. Select Start > Programs > Administrative Tools > DNS. The DNS server configuration page appears, as shown in Figure b.
Figure 45 Adding a host d. On the page that appears, enter the host name host and the IP address 3.1.1.1. e. Click Add Host. The mapping between the IP address and host name is created. Figure 46 Adding a mapping between domain name and IP address Configure the DNS client: # Specify the DNS server 2.1.1.2.
<Sysname> system-view
[Sysname] dns server 2.1.1.2
# Specify com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Verify that the device can use the dynamic domain name resolution to resolve the domain name host.com into the IP address 3.1.1.1.
[Sysname] ping host
Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms...
The configuration might vary by DNS server. When a PC running Windows Server 2008 R2 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information. Configure the DNS proxy: # Specify the DNS server 4.1.1.1. <DeviceA>...
# Verify that the device can use static domain name resolution to resolve the domain name host.com into the IPv6 address 1::2.
[Sysname] ping ipv6 host.com
Ping6(56 data bytes) 1::1 --> 1::2, press CTRL_C to break
56 bytes from 1::2, icmp_seq=0 hlim=128 time=1.000 ms
56 bytes from 1::2, icmp_seq=1 hlim=128 time=0.000 ms
56 bytes from 1::2, icmp_seq=2 hlim=128 time=1.000 ms
56 bytes from 1::2, icmp_seq=3 hlim=128 time=1.000 ms...
Figure 50 Creating a zone c. On the DNS server configuration page, right-click zone com and select New Host. Figure 51 Adding a host d. On the page that appears, enter the host name host and the IPv6 address 1::1. e.
Figure 52 Adding a mapping between domain name and IPv6 address
Configure the DNS client:
# Specify the DNS server 2::2.
<Device> system-view
[Device] ipv6 dns server 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
Verifying the configuration
# Verify that the device can use the dynamic domain name resolution to resolve the domain name host.com into the IP address 1::1.
Figure 53 Network diagram
Configuration procedure
Before performing the following configuration, make sure that:
• Device A, the DNS server, and the host can reach each other.
• The IPv6 addresses of the interfaces are configured as shown in Figure
Configure the DNS server:
This configuration might vary by DNS server.
Troubleshooting IPv4 DNS configuration Symptom After enabling dynamic domain name resolution, the user cannot get the correct IP address. Solution Use the display dns host ip command to verify that the specified domain name is in the cache. If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.
Configuring DDNS Overview DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers.
DDNS client configuration task list Tasks at a glance (Required.) Configuring a DDNS policy (Required.) Applying the DDNS policy to an interface (Optional.) Setting the DSCP value for outgoing DDNS packets Configuring a DDNS policy A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, associated SSL client policy, and update time interval.
• gnudip://—The TCP-based GNUDIP server. • oray://—The TCP-based DDNS server. The domain names of DDNS servers are members.3322.org and phservice2.oray.net. The domain names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net, ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation. The port number in the URL address is optional.
Step Command Remarks DDNS servers. By default, no SSL client policy is associated with the DDNS policy. (Optional.) Associate an SSL ssl-client-policy This step is only effective and a must for client policy with the DDNS policy-name HTTP-based DDNS update requests. For policy.
Step | Command | Remarks
Enter system view. | system-view |
Set the DSCP value for outgoing DDNS packets. | ddns dscp dscp-value | By default, the DSCP value for outgoing DDNS packets is 0.
Displaying DDNS
Execute display commands in any view.
Task | Command
Display DDNS policy information. | display ddns policy [ policy-name ]
DDNS configuration examples
DDNS configuration example with www.3322.org...
• Make sure the devices can reach each other.
# Create a DDNS policy named 3322.org, and enter its view.
<Router> system-view
[Router] ddns policy 3322.org
# Specify the URL address, username, and password for DDNS update requests.
[Router-ddns-policy-3322.org] url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>...
Configuration procedure Before configuring DDNS on Router, perform the following tasks: • Register with username steven and password nevets at http://www.oray.cn/. • Configure a DDNS policy to update the mapping between the router's FQDN and IP address. • Make sure the devices can reach each other. # Create a DDNS policy named oray.cn and enter its view.
Configuring NAT Overview Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server. Figure 57 NAT operation Direction Before NAT...
Bidirectional NAT NAT translates the source and destination IP addresses of incoming packets on the receiving interface and outgoing packets on the sending interface. Bidirectional NAT is applied when source and destination addresses overlap. Twice NAT Twice NAT translates the destination IP address on the receiving interface, and the source IP address on the sending interface.
NO-PAT NO-PAT translates a private address to a public address. The public address cannot be used by another internal host until it is released. NO-PAT supports all IP packets. PAT translates multiple private addresses to a single public address by mapping the private address and source port to the public address and a unique port.
Figure 59 NAT Server operation
Direction | Before NAT | After NAT
Inbound | 20.1.1.1:8080 | 192.168.1.3:8080
Figure 59 displays how NAT Server works:
Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server.
Figure 60 NAT444 application diagram Static NAT444 The NAT444 gateway computes a static NAT444 mapping before address translation. The mapping is between a private IP address and a public IP address with a port block. The NAT444 gateway uses private IP addresses, public IP addresses, a port range, and a port block size to compute static mappings: Divides the port range by the port block size to get the number of available port blocks for each public IP address.
NAT444 gateway and BRAS device Hardware unification compatibility MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 NAT444 gateway and BRAS device unification is supported only for PPP users. To unify the NAT444 gateway and BRAS device, specify the user address type in the ISP domain. Supported user address types include private IPv4 address, private-DS address, and DS-Lite address.
IPv4 address and a port block to the IPv6 address of the B4 element. The DS-Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network. DS-Lite NAT444 supports user tracing for DS-Lite hosts based on the port block. Figure 62 DS-Lite NAT444 Log server DS-Lite host...
Using NAT with other features VRF-aware NAT VRF-aware NAT allows users from different VRF (VPN instances) to access external networks and to access each other. Upon receiving a request from a user in a VRF to an external network, NAT performs the following tasks: Translates the private source IP address and port number to a public IP address and port number.
The internal host receives the DNS response, and obtains the private IP address of the Web server. DNS mapping can also be used by DNS ALG. The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload. The NAT interface might have multiple internal servers configured with the same public IP address but different private IP addresses.
Configuring static NAT Static NAT includes one-to-one static NAT and net-to-net static NAT for outbound and inbound translation. Do not configure inbound static NAT alone. Typically, inbound static NAT functions with outbound dynamic NAT, NAT Server, or outbound static NAT to implement bidirectional NAT. Configuration prerequisites Perform the following tasks before configuring static NAT: •...
• When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range. To configure outbound net-to-net static NAT: Step Command Remarks Enter system view.
Step Command Remarks interface-number Enable static NAT on the nat static enable By default, static NAT is disabled. interface. Configuring inbound one-to-one static NAT For address translation from a public IP address to a private IP address, configure inbound one-to-one static NAT. •...
Configuration restrictions and guidelines When you configure dynamic NAT, follow these restrictions and guidelines: • You can configure multiple inbound or outbound dynamic NAT rules. • A NAT rule with an ACL takes precedence over a rule without any ACL. •...
Step Command Remarks By default, no private IP address ranges exist. Add a private IP address local-ip-address range to the port block You can add multiple private IP address start-address end-address group. ranges to one port block group, but they cannot overlap.
Step Command Remarks [ extended-block-number The configuration takes effect only on extended-block-number ] PAT translation mode. Return to system view. quit interface interface-type Enter interface view. interface-number nat outbound [ ipv4-acl-number | name By default, no outbound dynamic NAT ipv4-acl-name ] rules exist.
Step Command Remarks By default, no public IP address ranges exist. Add a public IP address address start-address range to the NAT You can add multiple public IP address end-address address group. ranges to an address group, but they cannot overlap. By default, the port range is 1 to 65535.
• In C/S mode, the destination IP address of the packet going to the internal server is translated by matching the NAT Server configuration. The source IP address is translated by matching the outbound dynamic or static NAT entries. NAT hairpin typically operates with NAT Server, outbound dynamic NAT, or outbound static NAT. They must be configured on interfaces of the same interface card.
Step Command Remarks withdrawal. Configuring NAT444 alarm logging If the public IP addresses, port blocks, or ports in selected port blocks (including extended ones) are all occupied, the NAT444 gateway cannot perform address translation and packets will be dropped. To monitor the usage of public IP addresses and port block resources, you can configure NAT444 alarm logging.
Displaying and maintaining NAT Execute display commands in any view and reset commands in user view. Task Command Display the NAT with ALG status for all display nat alg supported protocols. Display all NAT configuration information. display nat all Display NAT address group information. display nat address-group [ group-id ] Display NAT with DNS mapping configuration.
Outbound dynamic NAT configuration example (non-overlapping addresses) Network requirements As shown in Figure 65, a company has a private address 192.168.0.0/16 and two public IP addresses 202.38.1.2 and 202.38.1.3. Configure outbound dynamic NAT to allow only internal users on subnet 192.168.1.0/24 to access the Internet. Figure 65 Network diagram Configuration procedure # Specify IP addresses for the interfaces on the router.
Start address End address
202.38.1.2 202.38.1.3
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: GigabitEthernet2/0/2
ACL: 2000
Address group: 0
Port-preserved: N
NO-PAT: N
Reversible: N
Config status: Active
Global flow-table status: Active
Static NAT mappings:
Totally 1 outbound static NAT mappings.
IP-to-IP:
Local IP : 10.110.10.8...
Requirements analysis To meet the network requirements, you must perform the following tasks: • Configure inbound dynamic NAT with ALG to make sure the internal host reaches the Web server instead of another internal host. NAT with ALG can translate the Web server's IP address in the DNS reply payload to a dynamically assigned public address.
Address group 1:
Port range: 1-65535
Address information:
Start address End address
202.38.1.2 202.38.1.2
Address group 2:
Port range: 1-65535
Address information:
Start address End address
202.38.1.3 202.38.1.3
NAT inbound information:
Totally 1 NAT inbound rules.
Interface: GigabitEthernet2/0/2
ACL: 2000
Address group: 1
Add route: N
NO-PAT: Y...
PPTP : Enabled
RTSP : Enabled
: Disabled
SCCP : Disabled
: Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Static NAT load balancing: Disabled
# Display NAT session information generated when Host A accesses the Web server.
[Router] display nat session verbose
Slot 1:
Initiator:...
Figure 67 Network diagram
Configuration procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Enter interface view of GigabitEthernet 2/0/2.
<Router> system-view
[Router] interface gigabitethernet 2/0/2
# Configure NAT Server to allow external users to access the FTP server by using the address 202.38.1.1 and port 21.
Interface: GigabitEthernet2/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/25
Local IP/port : 10.110.10.4/25
Config status : Active
Interface: GigabitEthernet2/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/80
Local IP/port : 10.110.10.1/80
Config status : Active
Interface: GigabitEthernet2/0/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/8080
Local IP/port : 10.110.10.2/80
Config status : Active
NAT logging:
Log enable...
Figure 68 Network diagram Requirements analysis To meet the network requirements, you must perform the following tasks: • Configure NAT Server to map the private IP address and port of the DNS server to a public address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.
# Display all NAT configuration and statistics.
[Router] display nat all
NAT address group information:
Totally 1 NAT address groups.
Address group 1:
Port range: 1-65535
Address information:
Start address End address
202.38.1.3 202.38.1.3
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: GigabitEthernet2/0/2
ACL: 2000
Address group: 1...
Page 186
Figure 69 Network diagram
Requirements analysis
To meet the network requirements, you must perform the following tasks:
• Configure NAT Server to map the private IP address and port of the DNS server to a public IP address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.
Page 187
# Configure NAT Server on interface GigabitEthernet 2/0/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4.
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] nat server protocol udp global 202.38.1.4 inside 192.168.1.3 dns
# Enable outbound NO-PAT on interface GigabitEthernet 2/0/2 to translate IP address of the Web server in the DNS response payload into the address in address group 1, and allow reversible NAT.
Page 188
NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet2/0/2
    Protocol: 17(UDP)
    Global IP/port: 202.38.1.4/53
    Local IP/port : 200.1.1.3/53
    Config status : Active
NAT logging:
  Log enable : Disabled
  Flow-begin : Disabled
  Flow-end : Disabled
  Flow-active : Disabled
  Port-block-assign : Disabled
  Port-block-withdraw : Disabled
  Alarm : Disabled...
Page 190
Configuration procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated.
<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure NAT Server on interface GigabitEthernet 2/0/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.
Inbound interface: GigabitEthernet2/0/1
State: TCP_ESTABLISHED
Application: FTP
Start time: 2012-08-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
NAT hairpin in P2P mode configuration example
Network requirements
In the P2P application, internal clients must register their IP address to the external server and the server records the registered IP addresses and port numbers of the internal clients.
Page 193
[Router-acl-ipv4-basic-2000] quit
# Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 2/0/2. The IP address of GigabitEthernet 2/0/2 is used as the public address for the source address translation of the packets from internal to external.
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] nat outbound 2000
[Router-GigabitEthernet2/0/2] quit
# Configure the Endpoint-Independent Mapping mode for PAT.
Page 195
Figure 72 Network diagram
Requirements analysis
This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device.
Configuration procedure
# Specify VPN instances and IP addresses for the interfaces on the router.
Page 198
Configuration procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Enable NAT with ALG for DNS.
<Router> system-view
[Router] nat alg dns
# Enter interface view of GigabitEthernet 2/0/2.
[Router] interface gigabitethernet 2/0/2
# Configure NAT Server to allow external hosts to access the internal Web server by using the address 202.38.1.2.
Page 199
Config status : Active
NAT DNS mapping information:
  Totally 2 NAT DNS mappings.
  Domain name: ftp.server.com
  Global IP : 202.38.1.2
  Global port: 21
  Protocol : TCP(6)
  Config status: Active
  Domain name: www.server.com
  Global IP : 202.38.1.2
  Global port: 80
  Protocol : TCP(6)
  Config status: Active
NAT logging:...
Static NAT444 configuration example
Network requirements
As shown in Figure 74, configure static NAT444 to allow users at private IP addresses 10.110.10.1 to 10.110.10.10 to use public IP address 202.38.1.100 for accessing the Internet. Configure the port range as 10001 to 15000, and set the port block size to 500.
Figure 74 Network diagram
Configuration procedure
# Specify IP addresses for the interfaces on the router.
10.110.10.2     202.38.1.100    10501-11000
10.110.10.3     202.38.1.100    11001-11500
10.110.10.4     202.38.1.100    11501-12000
10.110.10.5     202.38.1.100    12001-12500
10.110.10.6     202.38.1.100    12501-13000
10.110.10.7     202.38.1.100    13001-13500
10.110.10.8     202.38.1.100    13501-14000
10.110.10.9     202.38.1.100    14001-14500
10.110.10.10    202.38.1.100    14501-15000
Dynamic NAT444 configuration example
Network requirements
As shown in Figure 75, a company uses private IP addresses on network 192.168.0.0/16 and public IP addresses 202.38.1.2 and 202.38.1.3.
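Because the static NAT444 example above (private addresses 10.110.10.1 to 10.110.10.10, public address 202.38.1.100, ports 10001 to 15000, block size 500) assigns port blocks deterministically, a public address and port recorded in an external log can be traced back to a single internal host without per-session NAT logs. The following Python code is an added example, not H3C code; the function names are illustrative, and the ascending one-block-per-host order is an assumption inferred from the mapping rows shown.

```python
import ipaddress


def build_port_blocks(first_private, last_private, public_ip,
                      port_low, port_high, block_size):
    """Return {private_ip: (public_ip, block_start, block_end)}.

    Assumption: blocks are handed out in ascending order, one block per
    private address, matching the mapping rows shown in the example.
    """
    first = ipaddress.IPv4Address(first_private)
    last = ipaddress.IPv4Address(last_private)
    if last < first:
        raise ValueError("private range is reversed")
    if block_size <= 0 or port_high < port_low:
        raise ValueError("invalid port range or block size")

    hosts = int(last) - int(first) + 1
    blocks_available = (port_high - port_low + 1) // block_size
    if hosts > blocks_available:
        # Not every private address can receive its own block.
        raise ValueError(
            f"{hosts} hosts but only {blocks_available} port blocks")

    table = {}
    for index in range(hosts):
        start = port_low + index * block_size
        table[str(first + index)] = (public_ip, start, start + block_size - 1)
    return table


def attribute(table, public_ip, public_port):
    """Map a public IP/port seen in a log back to the private host.

    Returns None when the port lies outside every assigned block, which
    means the flow was not produced by this static mapping.
    """
    for private_ip, (pub, start, end) in table.items():
        if pub == public_ip and start <= public_port <= end:
            return private_ip
    return None


# Values taken from the static NAT444 example on this page.
TABLE = build_port_blocks("10.110.10.1", "10.110.10.10",
                          "202.38.1.100", 10001, 15000, 500)

if __name__ == "__main__":
    for private_ip, (pub, start, end) in TABLE.items():
        print(f"{private_ip:<14}{pub:<16}{start}-{end}")
    # Constructed log observation: which host used 202.38.1.100:12345?
    print(attribute(TABLE, "202.38.1.100", 12345))
```
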
Page 203
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure outbound NAT444 on interface GigabitEthernet 2/0/2.
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 0
[Router-GigabitEthernet2/0/2] quit
Verifying the configuration
# Verify that Host A can access external servers, but Host B and Host C cannot. (Details not shown.)
# Display all NAT configuration and statistics.
Page 205
[Router-GigabitEthernet2/0/2] quit
# Create a tunnel interface on the AFTR.
[Router] interface tunnel 2 mode ds-lite-aftr
# Specify an IP address for the tunnel interface.
[Router-Tunnel2] ip address 30.1.2.2 255.255.255.0
# Specify GigabitEthernet 2/0/2 as the source interface for the tunnel.
[Router-Tunnel2] source gigabitethernet 2/0/2
[Router-Tunnel2] quit
# Enable DS-Lite tunneling on GigabitEthernet 2/0/1.
# Verify that the DS-Lite NAT444 configuration is correct.
[Router] display nat outbound
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet2/0/1
    DS-Lite B4 ACL: 2100
    Address group: 0
    Port-preserved: N
    NO-PAT: N
    Reversible: N
    Config status: Active
# Verify that the DS-Lite NAT444 configuration takes effect by checking the port block assignment.
[Router] display nat statistics
  Total session entries: 0
  Total EIM entries: 0...
Page 207
• The PPPoE server uses shared key expert for secure RADIUS communication, and sends usernames with domain names to the RADIUS server. • NAT444 cooperates with BRAS, and assigns a public IP address and a port block after the host passes authentication and obtains a private IP address.
Page 208
[Router-Virtual-Template1] ip address 10.210.0.1 24
[Router-Virtual-Template1] quit
# Enable PPPoE server on GigabitEthernet 2/0/1 and bind the interface to Virtual-Template 1.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] pppoe-server bind virtual-template 1
[Router-GigabitEthernet2/0/1] quit
# Configure ACL 2000 to identify packets from subnet 10.210.0.0/24.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule 0 permit source 10.210.0.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit...
Basic IP forwarding on the device
The device uses the destination IP address of a received packet to find a match from the forwarding information base (FIB) table. It then uses the matching entry to forward the packet.
FIB table
A device selects optimal routes from the routing table, and puts them into the FIB table.
Configuring load sharing
If a routing protocol finds multiple equal-cost best routes to the same destination, the device forwards packets over the equal-cost routes to implement load sharing.
Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
•...
Configuring load sharing based on bandwidth
This feature load shares flow traffic among multiple output interfaces based on their load percentages. The device calculates the load percentage for each output interface in terms of the interface expected bandwidth. Devices that run load sharing protocols, such as Locator/ID Separation Protocol (LISP), implement load sharing based on the ratios defined by these protocols.
Configuring fast forwarding
Overview
Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: source IP address, source port number, destination IP address, destination port number, and protocol number.
Step | Command | Remarks
Enter system view. | system-view |
Enable fast forwarding load sharing. | ip fast-forwarding load-sharing | By default, fast forwarding load sharing is enabled.
Displaying and maintaining fast forwarding
Execute display commands in any view and reset commands in user view.
Task Command Display fast forwarding entries (centralized devices...
Configuring flow classification
To implement differentiated services, flow classification categorizes packets to be forwarded by a multicore device according to one of the following flow classification policies:
• Flow-based policy—Forwards packets of a flow to the same CPU. A data flow is defined by using the following fields: source IP address, destination IP address, source port number, destination port number, and protocol number.
Displaying the adjacency table
Overview
The adjacency table stores information about directly connected neighbors for IP forwarding. The neighbor information in this chapter refers to non-Ethernet neighbor information. This table is not user configurable. The neighbor information is generated, updated, and deleted by link layer protocols through negotiation (such as PPP dynamic negotiation) or through manual configuration (such as ATM static configuration).
Item | Description
Link head information(MPLS) | Link layer header for MPLS forwarding.
Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A/JH373A).
• MSR958(JH300A/JH301A).
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
Displaying commands
To display adjacency table entries, use one of the following commands in any view:
Task...
Configuring IRDP
The term "router" in this chapter refers to a routing-capable device. The term "host" in this chapter refers to the host that supports IRDP. For example, a host that runs the Linux operating system.
Overview
ICMP Router Discovery Protocol (IRDP), an extension of the ICMP, is independent of any routing protocol.
Advertising interval
A router interface with IRDP enabled sends out RAs randomly between the minimum and maximum advertising intervals. This mechanism prevents the local link from being overloaded by a large number of RAs sent simultaneously from routers. As a best practice, shorten the advertising interval on a link that suffers high packet loss rates.
Destination address of RAs
An RA uses either of the following destination IP addresses:
•...
Step Command Remarks multicast address 224.0.0.1 as address 255.255.255.255 as the the destination IP address of destination IP address. RAs. Repeat this step to specify multiple proxy-advertised IP addresses. (Optional.) Specify a By default, no IP address is ip irdp address ip-address proxy-advertised IP address specified.
[RouterA-GigabitEthernet1/0/1] ip irdp multicast
# Specify the IP address 192.168.1.0 and preference 400 for GigabitEthernet 1/0/1 to proxy-advertise.
[RouterA-GigabitEthernet1/0/1] ip irdp address 192.168.1.0 400
Configure Router B:
# Specify an IP address for GigabitEthernet 1/0/1.
<RouterB> system-view
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ip address 10.154.5.2 24
# Enable IRDP on GigabitEthernet 1/0/1.
Optimizing IP performance
A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation.
Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
Step Command Remarks broadcasts destined for the forward directed broadcasts directly connected network. destined for the directly connected network.
Configuration example
Network requirements
As shown in Figure 79, the default gateway of the host is the IP address 1.1.1.2/24 of the interface GigabitEthernet 1/0/1 of Router A.
Setting MTU for an interface
When a packet exceeds the MTU of the output interface, the device processes it in one of the following ways:
• If the packet disallows fragmentation, the device discards it.
• If the packet allows fragmentation, the device fragments it and forwards the fragments.
Fragmentation and reassembling consume system resources, so set the appropriate MTU for an interface based on the network environment to avoid fragmentation.
A TCP source device sends a packet with the Don't Fragment (DF) bit set. A router discards the packet that exceeds the MTU of the outgoing interface and returns an ICMP error message. The error message contains the MTU of the outgoing interface. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.
establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.
To enable TCP SYN Cookie:
Step | Command | Remarks
Enter system view. | system-view |
Enable TCP SYN Cookie. | tcp syn-cookie enable | The default setting is disabled.
Setting the TCP buffer size
Step Command...
Page 227
The selected route is not created or modified by any ICMP redirect messages. The selected route is not destined for 0.0.0.0. There is no source route option in the received packet. ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing table.
Step Command Remarks Enter system view. system-view ip icmp source By default, the device uses the IP Specify the source [ vpn-instance address of the sending interface as the address for outgoing vpn-instance-name ] source IP address for outgoing ICMP ICMP packets.
Page 230
Task | Command
Display brief information about TCP connections (centralized devices in standalone mode). | display tcp
Display brief information about TCP connections (distributed devices in standalone mode/centralized devices in IRF mode). | display tcp [ slot slot-number ]
Display brief information about TCP connections (distributed devices in IRF mode). | display tcp [ chassis chassis-number slot
Configuring UDP helper
Overview
UDP helper can provide the following packet conversion for packets with specific UDP destination port numbers:
• Convert broadcast to unicast, and forward the unicast packets to specific destinations.
• Convert broadcast to multicast, and forward the multicast packets.
•...
Step Command Remarks time } Enter interface view. interface interface-type interface-number By default, no destination server is specified. If you specify multiple Specify a destination destination servers, UDP server for UDP helper to udp-helper server ip-address [ global | helper creates one copy for convert broadcast to vpn-instance vpn-instance-name ] each server.
Configuring UDP helper to convert multicast to broadcast or unicast
You can configure UDP helper to convert multicast packets with specific UDP port numbers and multicast addresses to broadcast or unicast packets. Upon receiving a UDP multicast packet, UDP helper uses the configured UDP ports to match the UDP destination port number of the packet.
UDP helper configuration examples
Configuring UDP helper to convert broadcast to unicast
Network requirements
As shown in Figure 80, configure UDP helper to convert broadcast to unicast on GigabitEthernet 1/0/1 of Router A. This feature enables Router A to forward broadcast packets with UDP destination port 55 to the destination server 10.2.1.1/16.
Page 236
Figure 81 Network diagram
Configuration procedure
Make sure Router A can reach the subnet 10.2.0.0/16.
# Enable UDP helper.
<RouterA> system-view
[RouterA] udp-helper enable
# Enable the UDP port 55 for UDP helper.
[RouterA] udp-helper port 55
# Configure UDP helper to convert broadcast packets to multicast packets destined for 225.1.1.1 on GigabitEthernet 1/0/1.
Configuring UDP helper to convert multicast to broadcast
Network requirements
As shown in Figure 82, GigabitEthernet 1/0/1 of Router B is a member of the multicast group 225.1.1.1. Configure UDP helper to convert multicast to broadcast on GigabitEthernet 1/0/1 of Router A. This feature enables Router A to forward multicast packets from Router B to all hosts on 10.110.0.0/16.
Configuring basic IPv6 settings
Overview
IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router. To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).
Page 240
• Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Broadcast addresses are replaced by multicast addresses in IPv6.
•...
duplicate addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.
Page 242
ICMPv6 message | Type | Function
Router Advertisement (RA) | | Responds to an RS message. Advertises information, such as the Prefix Information options and flag bits.
Redirect | | Informs the source host of a better next hop on the path to a particular destination when certain conditions are met.
Address resolution
This function is similar to ARP in IPv4.
Figure 86 Duplicate address detection
[Figure: Host A; Host B 2000::1. First message: ICMPv6 type = 135, Src = ::, Dst = FF02::1:FF00:1. Second message: ICMPv6 type = 136, Src = 2000::1, Dst = FF02::1.]
Host A sends an NS message. The source address is the unspecified address and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected.
Figure 87 Path MTU discovery process
The source host sends a packet no larger than its MTU to the destination host.
If the MTU of a device's output interface is smaller than the packet, the device performs the following operations:
Discards the packet.
NAT-PT
Network Address Translation – Protocol Translation (NAT-PT) enables communication between IPv4 and IPv6 nodes by translating between IPv4 and IPv6 packets. It performs IP address translation, and according to different protocols, performs semantic translation for packets. This technology is only suitable for communication between a pure IPv4 node and a pure IPv6 node.
Assigning IPv6 addresses to interfaces
This section describes how to configure an IPv6 global unicast address, an IPv6 link-local address, and an IPv6 anycast address.
Configuring an IPv6 global unicast address
Use one of the following methods to configure an IPv6 global unicast address for an interface:
•...
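The solicited-node address format and the DAD exchange described above can be checked mechanically when reviewing captured NS messages. The following Python code is an added example, not taken from the H3C manual; the function names and the sample messages are constructed, and the unicast-probe case follows RFC 4861 rather than anything stated on this page.

```python
import ipaddress

# FF02:0:0:0:0:1:FF00:0 is the fixed 104-bit part; the low 24 bits are filled in.
SN_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(addr):
    """Return the solicited-node multicast address for a unicast/anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SN_BASE | low24)


def classify_ns(src, dst, target):
    """Classify a Neighbor Solicitation by its source, destination and target.

    dad-probe          : Src is :: and Dst is the target's solicited-node address
    address-resolution : Src is a real address, Dst as above
    unicast-probe      : Dst is the target itself (RFC 4861 reachability check)
    mismatch           : Dst does not correspond to the target; worth a closer look
    """
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    target = ipaddress.IPv6Address(target)

    if target.is_multicast or target == UNSPECIFIED:
        return "invalid-target"
    if dst == solicited_node(target):
        return "dad-probe" if src == UNSPECIFIED else "address-resolution"
    if dst == target and src != UNSPECIFIED:
        return "unicast-probe"
    return "mismatch"


# Constructed sample messages: (source, destination, target address).
SAMPLE_NS = [
    ("::", "ff02::1:ff00:1", "2000::1"),        # the DAD probe from Figure 86
    ("3001::2", "ff02::1:ff00:1", "3001::1"),   # ordinary address resolution
    ("3001::2", "3001::1", "3001::1"),          # unicast probe
    ("::", "ff02::1", "2000::1"),               # DAD sent to all-nodes: wrong Dst
    ("3001::2", "ff02::1:ff00:2", "3001::1"),   # Dst belongs to another address
]


def triage(messages):
    """Classify every message in the list, preserving order."""
    return [classify_ns(*m) for m in messages]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_NS, triage(SAMPLE_NS)):
        print(message, "->", verdict)
```
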
Page 248
Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, the stateless address autoconfiguration feature is disabled Enable stateless address on an interface. autoconfiguration on an Using the undo ipv6 address auto interface, so that the ipv6 address auto command on an interface deletes all interface can automatically...
To generate a temporary address, an interface must be enabled with stateless address autoconfiguration. Temporary IPv6 addresses do not overwrite public IPv6 addresses, so an interface can have multiple IPv6 addresses with the same address prefix but different interface IDs. If an interface fails to generate a public IPv6 address because of a prefix conflict or other reasons, it does not generate any temporary IPv6 address.
Configuring automatic generation of an IPv6 link-local address for an interface Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no link-local address is configured on an interface. Configure the interface to automatically generate an ipv6 address auto link-local After an IPv6 global unicast address is IPv6 link-local address.
Configuring a static neighbor entry
A neighbor entry stores information about a link-local node. The entry can be created dynamically through NS and NA messages, or configured statically. The device uniquely identifies a static neighbor entry by the IPv6 address and the local Layer 3 interface number of the neighbor.
Step Command Remarks
• MSR3012/3024/3044/3064: 4096.
• MSR4060/4080: 4096.
Setting the aging timer for ND entries in stale state
ND entries in stale state have an aging timer. If an ND entry in stale state is not refreshed before the timer expires, the ND entry changes to the delay state.
Configuring parameters for RA messages
You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 10 describes the configurable parameters in an RA message.
Page 254
Step Command Remarks By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds. Set the maximum and ipv6 nd ra interval The device sends RA messages at minimum intervals for max-interval min-interval random intervals between the maximum sending RA messages.
Step Command Remarks time is 30000 milliseconds, and the value of the Reachable Time field in sent RA messages is 0.
Setting the maximum number of attempts to send an NS message for DAD
An interface sends an NS message for DAD for an obtained IPv6 address. The interface resends the NS message if it does not receive a response within the time specified by the ipv6 nd ns retrans-timer command.
Page 256
As shown in Figure 90, Host A belongs to VLAN 2 and Host B belongs to VLAN 3. Host A and Host B connect to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3, respectively.
Figure 90 Application environment of local ND proxy
Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address.
Configuring IPv6 ND suppression
The ND suppression feature enables a device to directly answer ND requests by using ND suppression entries. The device generates ND suppression entries based on dynamic ND entries that it learns. This feature is typically configured on the PEs connected to base stations in an L2VPN that provides access to an L3VPN network.
Step Command Remarks interval.
Configuring IPv6 ND direct route advertisement
The ND direct route advertisement feature advertises host routes instead of advertising the network route. This feature is typically configured on PE-aggs to advertise host routes to PEs in the L3VPN. Figure 92 shows a typical application scenario where the PE in the L3VPN has ECMP routes destined to a base station in the L2VPN.
host. The source host fragments the packet according to the MTU. To avoid this situation, set a proper interface MTU. To set the interface MTU: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no interface MTU is Set the interface MTU.
Configuring the rate limit for ICMPv6 error messages
To avoid sending excessive ICMPv6 error messages within a short period that might cause network congestion, you can limit the rate at which ICMPv6 error messages are sent. A token bucket algorithm is used with one token representing one ICMPv6 error message. A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.
• ICMPv6 Port Unreachable message—No port process on the destination device exists for a received UDP packet.
If a device is generating ICMPv6 destination unreachable messages incorrectly, disable the sending of ICMPv6 destination unreachable messages to prevent attack risks.
To enable sending ICMPv6 destination unreachable messages:
Step Command Remarks...
Specifying the source address for ICMPv6 packets
Perform this task to specify the source IPv6 address for outgoing ping echo requests and ICMPv6 error messages. It is a good practice to specify the IPv6 address of the loopback interface as the source IPv6 address.
Enabling IPv6 local fragment reassembly
Perform this task on a distributed device to improve IPv6 local fragment reassembly efficiency. This feature allows the receiving LPU to reassemble the fragments of an IPv6 packet if all fragments arrive at it. If this feature is disabled, all fragments are delivered to the active MPU for reassembly.
To enable IPv6 local fragment reassembly:
Step Command...
Step | Command | Remarks
Enable the device to discard IPv6 packets that contain extension headers. | ipv6 extension-header drop enable | By default, the device does not discard IPv6 packets that contain extension headers.
Displaying and maintaining IPv6 basics
Execute display commands in any view and reset commands in user view.
Task Command display ipv6 fib [ vpn-instance vpn-instance-name ]...
Page 265
Task | Command
Display the IPv6 prefix information. | display ipv6 prefix [ prefix-number ]
Display IPv6 and ICMPv6 packet statistics (centralized devices in standalone mode). | display ipv6 statistics
Display IPv6 and ICMPv6 statistics (distributed devices in standalone mode/centralized devices in IRF mode). | display ipv6 statistics [ slot slot-number ]
Page 266
Task | Command
devices in standalone mode).
Display the usage of non-well known ports for IPv6 TCP proxy (distributed devices in standalone mode/centralized devices in IRF mode). | display ipv6 tcp-proxy port-info slot slot-number
Display the usage of non-well known ports for IPv6 TCP proxy (distributed devices in IRF mode). | display ipv6 tcp-proxy port-info chassis chassis-number slot slot-number
IPv6 configuration examples
Basic IPv6 configuration example
Network requirements
As shown in Figure 94, configure IPv6 addresses for the routers and verify that they can reach each other. Configure a route to the host on Router B. Enable IPv6 for the host to automatically obtain an IPv6 address through IPv6 ND.
Page 269
Verifying the configuration
# Display IPv6 interface information on Router A.
[RouterA] display ipv6 interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state: UP
Line protocol current state: UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2
  Global unicast address(es):
    3001::1, subnet is 3001::/64
  Joined group address(es):
    FF02::1
    FF02::2...
Page 270
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF00:1C0
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 600 seconds
  ND router advertisements live for 1800 seconds...
Page 271
    3001::2, subnet is 3001::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF00:1234
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
  IPv6 Packet statistics:
    InReceives: InTooShorts:...
round-trip min/avg/max/std-dev = 4.404/4.404/4.404/0.000 ms
[RouterB] ping ipv6 -c 1 2001::15B:E0EA:3524:E791
Ping6(56 data bytes) 3001::2 --> 2001::15B:E0EA:3524:E791, press CTRL_C to break
56 bytes from 2001::15B:E0EA:3524:E791, icmp_seq=0 hlim=64 time=5.404 ms
--- Ping6 statistics for 2001::15B:E0EA:3524:E791 ---
1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.404/5.404/5.404/0.000 ms
The output shows that Router B can ping Router A and the host.
Troubleshooting IPv6 basics configuration
Symptom
An IPv6 address cannot be pinged.
Solution
Use the display ipv6 interface command in any view to verify that the IPv6 address of the output interface is correct and the interface is up.
Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to locate the fault.
DHCPv6 overview
DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
DHCPv6 address/prefix assignment
An address/prefix assignment process involves two or four messages.
Rapid assignment involving two messages
As shown in Figure 96, rapid assignment operates in the following steps:
The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
Figure 97 Assignment involving four messages
Address/prefix lease renewal
An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
Stateless DHCPv6
Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration:
•...
Configuring the DHCPv6 server
Overview
A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.
IPv6 address assignment
As shown in Figure 101, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients include the following types:
•...
Concepts
Multicast addresses used by DHCPv6
DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.
DUID
A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).
Address allocation mechanisms
DHCPv6 supports the following address allocation mechanisms:
• Static address allocation—To implement static address allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the DHCPv6 address pool.
Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client. Assignable IPv6 address/prefix in the address pool/prefix pool. IPv6 address/prefix that was a conflict or passed its lease duration. If no IPv6 address/prefix is assignable, the server does not respond. If a client moves to another subnet, the DHCPv6 server selects an IPv6 address/prefix from the address pool that matches the new subnet.
Configuration procedure To configure IPv6 prefix assignment: Step Command Remarks Enter system view. system-view By default, no IPv6 prefixes in the prefix pool are excluded from dynamic assignment. (Optional.) Specify the ipv6 dhcp server forbidden-prefix IPv6 prefixes excluded start-prefix/prefix-len If the excluded IPv6 prefix is in a from dynamic [ end-prefix/prefix-len ] [ vpn-instance static binding, the prefix still can...
If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client. If you only bind a DUID to an IPv6 address, the DUID in a request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.
Step Command Remarks preferred-lifetime valid-lifetime If you specify an IPv6 prefix by valid-lifetime ] its ID, make sure the IPv6 prefix is in effect. Otherwise, the configuration does not take effect. address range start-ipv6-address By default, no non-temporary (Optional.) Specify a end-ipv6-address IPv6 address range is specified, non-temporary IPv6 address...
Step Command Remarks take effect. (Optional.) Specify a DNS By default, no DNS server dns-server ipv6-address server address. address is specified. (Optional.) Specify a domain By default, no domain name domain-name domain-name name suffix. suffix is specified. (Optional.) Specify a SIP By default, no SIP server sip-server { address ipv6-address | server address or domain...
Configuring a DHCPv6 policy for IPv6 address and prefix assignment

In a DHCPv6 policy, each DHCPv6 user class has a bound DHCPv6 address pool. Clients matching different user classes obtain IPv6 addresses, IPv6 prefixes, and other parameters from different address pools. The DHCPv6 policy must be applied to the interface that acts as the DHCPv6 server. When receiving a DHCPv6 request, the DHCPv6 server compares the packet against the user classes in the order that they are configured.
Configuring the DHCPv6 server on an interface

Enable the DHCP server and configure one of the following address/prefix assignment methods on an interface:
• Apply an address pool on the interface—The DHCPv6 server selects an IPv6 address/prefix from the applied address pool for a requesting client. If there is no assignable IPv6 address/prefix in the address pool, the DHCPv6 server cannot assign an IPv6 address/prefix to a client.
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server: Step Command Remarks...
Advertising subnets assigned to clients

This feature enables the route management module to advertise subnets assigned to DHCPv6 clients. This feature achieves symmetric routing for traffic of the same host. As shown in Figure 104, Router A and Router B act as both the DHCPv6 server and the BRAS device.
The VPN information from authentication modules takes priority over the VPN information of the receiving interface. To apply a DHCPv6 address pool to a VPN instance: Step Command Remarks Enter system view. system-view Create an address pool and By default, no DHCPv6 address ipv6 dhcp pool pool-name enter its view.
Task Command addresses. [ vpn-instance vpn-instance-name ] | pool pool-name ] display ipv6 dhcp server ip-in-use [ [ address ipv6-address ] Display information about IPv6 address bindings. [ vpn-instance vpn-instance-name ] | pool pool-name ] Display information about IPv6 prefix display ipv6 dhcp server pd-in-use [ pool pool-name | bindings.
<Router> system-view [Router] interface gigabitethernet 1/0/1 [Router-GigabitEthernet1/0/1] ipv6 address 1::1/64 # Disable RA message suppression on GigabitEthernet 1/0/1. [Router-GigabitEthernet1/0/1] undo ipv6 nd ra halt # Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 1/0/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
and the DNS server address is 1::1:0:0:2/96. The lease duration of the addresses on subnet 1::2:0:0:0/96 is 432000 seconds (five days), the valid time is 864000 seconds (ten days), the domain name is aabbcc.com, and the DNS server address is 1::2:0:0:2/96. Figure 106 Network diagram Configuration procedure Configure the interfaces on the DHCPv6 server:...
[RouterA-GigabitEthernet1/0/1] quit
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] ipv6 dhcp select server
[RouterA-GigabitEthernet1/0/2] quit
# Exclude the DNS server address from dynamic assignment.
[RouterA] ipv6 dhcp server forbidden-address 1::1:0:0:2
[RouterA] ipv6 dhcp server forbidden-address 1::2:0:0:2
# Create DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::1:0:0:0/96.
Configuring the DHCPv6 relay agent

Overview

A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 107, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server.
Figure 108 Operating process of a DHCPv6 relay agent DHCPv6 client DHCPv6 relay agent DHCPv6 server Solicit (contains a Rapid Commit option) (2) Relay-forward (3) Relay-reply (4) Reply DHCPv6 relay agent configuration task list Tasks at a glance (Required.) Enabling the DHCPv6 relay agent on an interface (Required.) Specifying DHCPv6 servers on the relay agent (Optional.)
Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no DHCPv6 server is specified. If a DHCPv6 server address is a ipv6 dhcp relay server-address link-local address or multicast Specify a DHCPv6 server. ipv6-address [ interface address, you must specify an interface-type interface-number ] outgoing interface by using the...
Configuring a DHCPv6 relay address pool

This feature allows DHCPv6 clients of the same type to obtain IPv6 addresses and other configuration parameters from the DHCPv6 servers specified in the matching relay address pool. It applies to scenarios where the DHCPv6 relay agent connects to clients of the same access type but classified into different types by their locations.
Step Command Remarks interface interface-type Enter interface view. interface-number By default, the DHCPv6 relay Specify a gateway address for ipv6 dhcp relay gateway agent uses the first IPv6 DHCPv6 clients. ipv6-address address of the relay interface as the clients' gateway address. Displaying and maintaining the DHCPv6 relay agent Execute display commands in any view and reset commands in user view.
Configuration procedure

# Specify IPv6 addresses for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] ipv6 address 2::1 64
[RouterA-GigabitEthernet1/0/2] quit
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ipv6 address 1::1 64
# Disable RA message suppression on GigabitEthernet 1/0/1.
[RouterA-GigabitEthernet1/0/1] undo ipv6 nd ra halt
# Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 1/0/1.
Configuring the DHCPv6 client

Overview

With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server. A DHCPv6 client can use DHCPv6 to complete the following functions:
• Obtain an IPv6 address, an IPv6 prefix, or both, and obtain other configuration parameters. The client automatically creates a DHCPv6 option group for the obtained parameters.
Step Command Remarks Configure the interface to ipv6 address dhcp-alloc By default, the interface does not use DHCPv6 to obtain an [ option-group group-number | use DHCPv6 for IPv6 address IPv6 address and other rapid-commit ] * acquisition. configuration parameters. Configuring IPv6 prefix acquisition Step Command...
Step Command Remarks By default, the interface does not support stateless DHCPv6. • Enable stateless IPv6 address You can perform both tasks. autoconfiguration: ipv6 address auto Configure the interface to If you use only the ipv6 address • auto command, make sure the support stateless DHCPv6.
Displaying and maintaining DHCPv6 client Execute the display commands in any view, and execute the reset command in user view. Task Command display ipv6 dhcp client [ interface interface-type Display the DHCPv6 client information. interface-number ] display ipv6 dhcp client statistics [ interface Display the DHCPv6 client statistics.
GigabitEthernet1/0/1:
  Type: Stateful client requesting address
  State: OPEN
  Client DUID: 00030001d07e28db74fb
  Preferred server:
    Reachable via address: FE80::2E0:1FF:FE00:19
    Server DUID: 00030001000fe20a0a00
  IA_NA: IAID 0x00000a02, T1 50 sec, T2 80 sec
    Address: 1:2::2/128
      Preferred lifetime 100 sec, valid lifetime 200 sec
      Will expire on Mar 27 2014 at 15:35:55 (196 seconds left)
  DNS server addresses:
    2000::FF
  Domain name:...
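The DUIDs in the output above are structured values, and the static-binding rule described earlier (DUID plus IAID, or DUID only) is a plain comparison on them. The following is an added example, not code from this guide or the device: it decodes a DUID using the layouts in RFC 8415 and applies that matching rule. The function names and the binding list are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_duid(hex_string: str) -> dict:
    """Decode a DUID printed as hex digits (RFC 8415 layouts)."""
    raw = bytes.fromhex(hex_string)
    # A DUID is a 2-octet type code followed by 1 to 128 octets.
    if not 3 <= len(raw) <= 130:
        raise ValueError("DUID length out of range")
    code = int.from_bytes(raw[:2], "big")
    body = raw[2:]
    out = {"type": DUID_TYPES.get(code, f"unknown({code})"), "raw": raw}
    if code == 1:    # hardware type, timestamp, link-layer address
        if len(body) < 7:
            raise ValueError("truncated DUID-LLT")
        out["hw_type"] = int.from_bytes(body[:2], "big")
        out["time"] = int.from_bytes(body[2:6], "big")
        out["link_layer"] = _mac(body[6:])
    elif code == 2:  # enterprise number, opaque identifier
        if len(body) < 5:
            raise ValueError("truncated DUID-EN")
        out["enterprise"] = int.from_bytes(body[:4], "big")
        out["identifier"] = body[4:].hex()
    elif code == 3:  # hardware type, link-layer address
        if len(body) < 3:
            raise ValueError("truncated DUID-LL")
        out["hw_type"] = int.from_bytes(body[:2], "big")
        out["link_layer"] = _mac(body[2:])
    elif code == 4:  # 128-bit UUID
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry 16 octets")
        out["uuid"] = body.hex()
    return out


@dataclass(frozen=True)
class StaticBinding:
    address: str
    duid: bytes
    iaid: Optional[int] = None  # None models a DUID-only binding


def select_static_address(bindings, duid_hex: str, iaid: int) -> Optional[str]:
    """Return the bound address if the request matches a static binding."""
    duid = parse_duid(duid_hex)["raw"]
    for b in bindings:
        if b.duid != duid:
            continue
        # DUID+IAID bindings need both to match; DUID-only bindings ignore IAID.
        if b.iaid is None or b.iaid == iaid:
            return b.address
    return None


# DUIDs copied from the client output above.
CLIENT_DUID = "00030001d07e28db74fb"
SERVER_DUID = "00030001000fe20a0a00"
# Constructed binding for illustration; it is not a configuration from the guide.
BINDINGS = [StaticBinding("1:2::2", bytes.fromhex(CLIENT_DUID), 0x00000A02)]

if __name__ == "__main__":
    print(parse_duid(CLIENT_DUID))
    print(select_static_address(BINDINGS, CLIENT_DUID, 0x00000A02))
```

Both DUIDs decode as DUID-LL with hardware type 1 (Ethernet), so the identifier is the device's MAC address and changes when the interface hardware is replaced.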
IPv6 prefix acquisition configuration example Network requirements As shown in Figure 111, configure GigabitEthernet 1/0/1 of the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name. Figure 111 Network requirements Configuration procedure You must configure the DHCPv6 server before configuring the DHCPv6 client.
2000::FF
Domain name:
example.com
SIP server addresses:
2:2::4
SIP server domain names:
bbb.com
# Verify that the client has obtained an IPv6 prefix.
[Router] display ipv6 prefix 1
Number: 1
Type : Dynamic
Prefix: 12:34::/48
Preferred lifetime 100 sec, valid lifetime 200 sec
# Verify that the client has created a dynamic DHCPv6 option group for saving configuration parameters.
Figure 112 Network diagram Configuration procedure You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server." # Configure an IPv6 address for GigabitEthernet 1/0/1 that connects to the DHCPv6 server. <Router>...
example.com SIP server addresses: 2:2::4 SIP server domain names: bbb.com # Display brief IPv6 information for all interfaces on the device. The output shows that the DHCPv6 client has obtained an IPv6 address. [Router] display ipv6 interface brief *down: administratively down (s): spoofing Interface Physical...
Figure 113 Network diagram Configuration procedure You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server." Configure the gateway Router B: # Configure an IPv6 address for GigabitEthernet 1/0/1. <RouterB>...
Configuring DHCPv6 snooping

Overview

DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent. It guarantees that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers. Also, it records IP-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping entries) for security purposes.
Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH298A/JH299A/JH373A).
• MSR958(JH300A/JH301A).

Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

DHCPv6 snooping configuration task list

Tasks at a glance (Required.) Configuring basic DHCPv6 snooping...
Step Command Remarks Return to system view. quit interface interface-type This interface must connect to the Enter interface view. interface-number DHCPv6 client. (Optional.) Enable recording ipv6 dhcp snooping binding By default, DHCPv6 snooping of client information in record does not record client information. DHCPv6 snooping entries.
If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server. If they are different, the device considers the message forged and discards it. • If no matching entry is found, the device forwards the message to the DHCPv6 server. To enable DHCPv6-REQUEST check: Step Command...
Displaying and maintaining DHCPv6 snooping Execute display commands in any view, and reset commands in user view. Task Command Display information about trusted ports. display ipv6 dhcp snooping trust display ipv6 dhcp snooping binding [ address Display DHCPv6 snooping entries. ipv6-address [ vlan vlan-id ] ] Display information about the file that stores DHCPv6 display ipv6 dhcp snooping binding database...
Configuring IPv6 fast forwarding

Overview

Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields:
• Source IPv6 address.
• Destination IPv6 address.
•...
Configuring IPv6 fast forwarding load sharing

IPv6 fast forwarding load sharing enables the device to load share packets of the same flow. This feature identifies a data flow by using the five-tuple (source IP, source port, destination IP, destination port, and protocol). If IPv6 fast forwarding load sharing is disabled, the device identifies a data flow by the five-tuple and the input interface.
Configuring tunneling

Overview

Tunneling encapsulates the packets of a network protocol within the packets of a second network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source and de-encapsulated at the tunnel destination.
In the IPv4 header, the source IPv4 address is the IPv4 address of the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination. Upon receiving the packet, Device B de-encapsulates the packet. If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol.
• IPv6 over IPv4 manual tunneling—A point-to-point link. This type of tunneling provides the following solutions:
  Connects isolated IPv6 networks over an IPv4 network.
  Connects an IPv6 network and an IPv4/IPv6 dual-stack host over an IPv4 network.
• Automatic IPv4-compatible IPv6 tunneling—A point-to-multipoint link. Automatic IPv4-compatible IPv6 tunnels have limitations because IPv4-compatible IPv6 addresses must use globally unique IPv4 addresses.
Figure 119 IPv4 over IPv4 tunnel Figure 119 shows the encapsulation and de-encapsulation processes. • Encapsulation: a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. b. The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header.
Figure 120 IPv4 over IPv6 tunnel Figure 120 shows the encapsulation and de-encapsulation processes. • Encapsulation: a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack. b. The IPv4 protocol stack uses the destination address of the packet to determine the egress interface.
Figure 121 DS-Lite tunnel As shown in Figure 121, the DS-Lite feature contains the following components: Basic Bridging BroadBand (B4) element The B4 element is typically a CPE router that connects end hosts. IPv4 packets entering the B4 router are encapsulated into IPv6 packets and sent to the AFTR. IPv6 packets from the AFTR are de-encapsulated into IPv4 packets and sent to the subscriber's network.
IPv6 over IPv6 tunneling

IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other.

Figure 123 Principle of IPv6 over IPv6 tunneling

Figure 123 shows the encapsulation and de-encapsulation processes.
Configuring a tunnel interface

Configure a tunnel interface (Layer 3 virtual interface) at both ends of a tunnel. The devices use the tunnel interface to identify, process, and send packets for the tunnel. When an active/standby switchover occurs or the standby card is removed on a distributed device, the tunnel interfaces configured on the active or standby card still exist.
Step Command Remarks The default expected bandwidth (in kbps) is the interface maximum rate divided by 1000. Set the expected bandwidth The expected bandwidth for the bandwidth bandwidth-value for the tunnel interface. tunnel interface affects the link cost value. For more information, see Layer 3—IP Routing Configuration Guide.
Step Command Remarks Enter IPv6 over IPv4 manual interface tunnel number tunnel interface view. [ mode ipv6-ipv4 ] Specify an IPv6 address for See "Configuring basic IPv6 By default, no IPv6 address is the tunnel interface. settings." configured for the tunnel interface. By default, no source address or source interface is configured for the tunnel interface.
• Configure Router A:
# Specify an IPv4 address for GigabitEthernet 2/0/2.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ip address 192.168.100.1 255.255.255.0
[RouterA-GigabitEthernet2/0/2] quit
# Specify an IPv6 address for GigabitEthernet 2/0/1.
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ipv6 address 3002::1 64
[RouterA-GigabitEthernet2/0/1] quit
# Create the IPv6 over IPv4 manual tunnel interface Tunnel 0.
# Verify that Router B and Router A can ping the IPv6 address of GigabitEthernet 2/0/1 of each other. This example uses Router A.
[RouterA] ping ipv6 3003::1
Ping6(56 data bytes) 3001::1 --> 3003::1, press CTRL C to break
56 bytes from 3003::1, icmp_seq=0 hlim=64 time=45.000 ms
56 bytes from 3003::1, icmp_seq=1 hlim=64 time=10.000 ms
56 bytes from 3003::1, icmp_seq=2 hlim=64 time=4.000 ms
56 bytes from 3003::1, icmp_seq=3 hlim=64 time=10.000 ms...
Configuration example Network requirements As shown in Figure 125, dual-stack routers Router A and Router B communicate over an IPv4 network. Configure an automatic IPv4-compatible IPv6 tunnel between the two routers to enable IPv6 communications over the IPv4 network. Figure 125 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through IPv4.
56 bytes from ::192.168.50.1, icmp_seq=0 hlim=64 time=17.000 ms
56 bytes from ::192.168.50.1, icmp_seq=1 hlim=64 time=9.000 ms
56 bytes from ::192.168.50.1, icmp_seq=2 hlim=64 time=11.000 ms
56 bytes from ::192.168.50.1, icmp_seq=3 hlim=64 time=9.000 ms
56 bytes from ::192.168.50.1, icmp_seq=4 hlim=64 time=11.000 ms
--- Ping6 statistics for ::192.168.50.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 9.000/11.400/17.000/2.939 ms...
6to4 tunnel configuration example Network requirements As shown in Figure 126, configure a 6to4 tunnel between 6to4 routers Router A and Router B so the two hosts can reach each other over the IPv4 network. Figure 126 Network diagram 6to4 router 6to4 router GE2/0/2 GE2/0/2...
• Configure Router B:
# Specify an IPv4 address for GigabitEthernet 2/0/2.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 5.1.1.1 24
[RouterB-GigabitEthernet2/0/2] quit
# Specify a 6to4 address for GigabitEthernet 2/0/1.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ipv6 address 2002:0501:0101:1::1/64
[RouterB-GigabitEthernet2/0/1] quit
# Create the 6to4 tunnel interface Tunnel 0.
Figure 127 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through IPv4. • Configure Router A: # Specify an IPv4 address for GigabitEthernet 2/0/2. <RouterA> system-view [RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ip address 2.1.1.1 255.255.255.0 [RouterA-GigabitEthernet2/0/2] quit # Specify a 6to4 address for GigabitEthernet 2/0/1.
# Create the 6to4 tunnel interface Tunnel 0.
[RouterB] interface tunnel 0 mode ipv6-ipv4 6to4
# Specify an IPv6 address for the tunnel interface.
[RouterB-Tunnel0] ipv6 address 2003::1/64
# Specify GigabitEthernet 2/0/2 as the source interface of the tunnel interface.
[RouterB-Tunnel0] source gigabitethernet 2/0/2
[RouterB-Tunnel0] quit
# Configure a static route destined for 2002::/16 through the tunnel interface.
Step Command Remarks tunnel interface. interface-type interface-number } source interface is configured for the tunnel interface. If you specify a source address, it is used as the source IP address of tunneled packets. If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.
[Router-Tunnel0] source gigabitethernet 2/0/1
# Disable RA suppression so that the ISATAP host can acquire information such as the address prefix from the RA message advertised by the ISATAP router.
[Router-Tunnel0] undo ipv6 nd ra halt
[Router-Tunnel0] quit
• Configure the ISATAP host:
Configurations on the ISATAP host vary by operating system.
The host has obtained the prefix 2001::/64 and has automatically generated the global unicast address 2001::5efe:1.1.1.2. The message "uses Router Discovery" indicates that the router discovery feature is enabled on the host. # Display information about IPv6 routes on the host. C:\>ipv6 rt 2001::/64 ->...
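The automatic tunnel types in this guide all carry the tunnel endpoint's IPv4 address inside the IPv6 address: 2002:0501:0101:1::1 for the 6to4 router at 5.1.1.1, 2001::5efe:1.1.1.2 for the ISATAP host, and ::192.168.50.1 for the IPv4-compatible tunnel. The following is an added example, not code from this guide: it recovers the embedded IPv4 address for each type so a configured address can be checked against the tunnel source. The function names are assumptions made for illustration.

```python
import ipaddress
from typing import Optional, Tuple

ISATAP_MARKERS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def embedded_ipv4(addr: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (tunnel kind, embedded IPv4) or (None, None) for other addresses."""
    raw = ipaddress.IPv6Address(addr).packed
    # 6to4: 2002::/16 followed by the 32-bit IPv4 address of the 6to4 router.
    if raw[:2] == b"\x20\x02":
        return "6to4", str(ipaddress.IPv4Address(raw[2:6]))
    # ISATAP: interface identifier is 0000:5efe or 0200:5efe plus the IPv4 address.
    if raw[8:12] in ISATAP_MARKERS:
        return "isatap", str(ipaddress.IPv4Address(raw[12:]))
    # IPv4-compatible: ::a.b.c.d, excluding the unspecified (::) and loopback (::1).
    if raw[:12] == bytes(12) and raw[12:] not in (bytes(4), b"\x00\x00\x00\x01"):
        return "ipv4-compatible", str(ipaddress.IPv4Address(raw[12:]))
    return None, None


def sixto4_prefix(ipv4: str) -> str:
    """Derive the 2002:V4ADDR::/48 prefix that belongs to a 6to4 router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    net = ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))
    return str(net)


def matches_tunnel_source(ipv6: str, kind: str, source_ipv4: str) -> bool:
    """True if the IPv6 address is of the given kind and embeds the tunnel source."""
    found_kind, found_v4 = embedded_ipv4(ipv6)
    return found_kind == kind and found_v4 == str(ipaddress.IPv4Address(source_ipv4))


if __name__ == "__main__":
    # Addresses taken from the configuration examples in this guide.
    for sample in ("2002:0501:0101:1::1", "2001::5efe:1.1.1.2",
                   "::192.168.50.1", "3001::1"):
        print(sample, embedded_ipv4(sample))
    print(sixto4_prefix("5.1.1.1"))
```

A mismatch between the embedded address and the tunnel source interface is a common reason an automatic tunnel comes up but return traffic is dropped or sent to the wrong endpoint.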
Step Command Remarks Enter system view. system-view Enter IPv4 over IPv4 tunnel interface tunnel number [ mode interface view. ipv4-ipv4 ] Configure an IPv4 address ip address ip-address { mask | By default, no IPv4 address is for the tunnel interface. mask-length } [ sub ] configured for the tunnel interface.
[RouterA-GigabitEthernet2/0/1] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/1] quit
# Specify an IPv4 address for Serial 2/1/0, which is the physical interface of the tunnel.
[RouterA] interface serial 2/1/0
[RouterA-Serial2/1/0] ip address 2.1.1.1 255.255.255.0
[RouterA-Serial2/1/0] quit
# Create the IPv4 over IPv4 tunnel interface Tunnel 1.
[RouterA] interface tunnel 1 mode ipv4-ipv4
# Specify an IPv4 address for the tunnel interface.
56 bytes from 10.1.3.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 10.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 10.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 10.1.3.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.000/2.000/0.632 ms...
Step Command Remarks By default, no destination address is configured for the tunnel. Configure the destination The tunnel destination address address for the tunnel destination ipv6-address must be the IPv6 address of the interface. receiving interface on the tunnel peer. It is used as the destination IPv6 address of tunneled packets.
[RouterA-Tunnel1] quit
# Configure a static route destined for IPv4 network 2 through the tunnel interface.
[RouterA] ip route-static 30.1.3.0 255.255.255.0 tunnel 1
• Configure Router B:
# Specify an IPv4 address for GigabitEthernet 2/0/1.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ip address 30.1.3.1 255.255.255.0
[RouterB-GigabitEthernet2/0/1] quit
# Specify an IPv6 address for Serial 2/1/1, which is the physical interface of the tunnel.
• Do not specify the same source addresses for local tunnel interfaces in the same tunnel mode. • The destination address specified for the tunnel interface on the B4 router must be the source address specified for the tunnel interface on the AFTR. •...
Step Command Remarks Specify an IPv4 address ip address ip-address { mask | By default, no IPv4 address is for the tunnel interface. mask-length } [ sub ] specified for the tunnel interface. By default, no source address or interface is specified for the tunnel. Specify the source source { ipv6-address | The specified source address or the...
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ipv6 address 1::1 64
[RouterA-GigabitEthernet2/0/2] quit
# Create the IPv6 tunnel interface Tunnel 1.
[RouterA] interface tunnel 1 mode ipv6
# Specify an IPv4 address for the tunnel interface.
[RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Specify the IP address of GigabitEthernet 2/0/2 as the source address for the tunnel interface.
[RouterA-Tunnel1] source 1::1
# Specify the IP address of GigabitEthernet 2/0/2 on Router B as the destination address for the tunnel interface.
C:\> ping 20.1.1.2 Pinging 20.1.1.2 with 32 bytes of data: Reply from 20.1.1.2: bytes=32 time=51ms TTL=255 Reply from 20.1.1.2: bytes=32 time=44ms TTL=255 Reply from 20.1.1.2: bytes=32 time=1ms TTL=255 Reply from 20.1.1.2: bytes=32 time=1ms TTL=255 Ping statistics for 20.1.1.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 51ms, Average = 24ms Configuring an IPv6 over IPv6 tunnel...
Step Command Remarks address of tunneled packets. By default, no destination address is configured for the tunnel. The tunnel destination Configure the destination address must be the IPv6 address for the tunnel destination ipv6-address address of the receiving interface. interface on the tunnel peer.
[RouterA-Serial2/1/0] quit
# Create the IPv6 tunnel interface Tunnel 1.
[RouterA] interface tunnel 1 mode ipv6
# Specify an IPv6 address for the tunnel interface.
[RouterA-Tunnel1] ipv6 address 3001::1:1 64
# Specify the IP address of Serial 2/1/0 as the source address for the tunnel interface.
[RouterA-Tunnel1] source 2001::11:1
# Specify the IP address of Serial 2/1/1 on Router B as the destination address for the tunnel interface.
--- Ping6 statistics for 2002:3::1 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.000/2.000/9.000/3.521 ms Displaying and maintaining tunneling configuration Execute display commands in any view and reset commands in user view. Task Command display interface [ tunnel [ number ] ] [ brief [ description | Display information about tunnel interfaces.
Configuring GRE

Overview

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a protocol (such as IP, MPLS, or Ethernet) into a virtual point-to-point tunnel over a network (such as an IP network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.
As shown in Figure 134, an IPv6 protocol packet traverses an IPv4 network through a GRE tunnel as follows: After receiving an IPv6 packet from the interface connected to IPv6 network 1, Device A processes the packet as follows: a. Looks up the routing table to identify the outgoing interface for the IPv6 packet. b.
Connecting networks running different protocols over a single backbone Figure 135 Network diagram IPv6 network 1 IPv6 network 2 Internet Device A Device B GRE tunnel IPv4 network 1 IPv4 network 2 As shown in Figure 135, IPv6 network 1 and IPv6 network 2 are IPv6 networks, and IPv4 network 1 and IPv4 network 2 are IPv4 networks.
Constructing VPN Figure 137 Network diagram As shown in Figure 137, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. Using a GRE tunnel can connect the two VPN sites across the WAN. Operating with IPsec Figure 138 Network diagram As shown in...
Configuring a GRE/IPv4 tunnel Perform this task to configure a GRE tunnel on an IPv4 network. Configuration guidelines Follow these guidelines when you configure a GRE/IPv4 tunnel: • You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
Step Command Remarks tunnel interface. By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a tunnel interface, the tunnel interface uses the source address Configure a source address source { ip-address | as the source address of the or source interface for the interface-type interface-number }...
Configuring a GRE/IPv6 tunnel The following matrix shows the feature and hardware compatibility: Hardware GRE/IPv6 tunnel compatibility MSR954(JH296A/JH297A/JH298A/JH299A/JH373A) MSR958(JH300A/JH301A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 Perform this task to configure a GRE tunnel on an IPv6 network. Configuration guidelines Follow these guidelines when you configure a GRE/IPv6 tunnel: •...
Step Command Remarks Enter system view. system-view By default, no tunnel interfaces exist. Create a GRE tunnel interface tunnel You must configure the same interface, and specify the interface-number mode gre ipv6 tunnel mode on both ends of a tunnel mode as GRE/IPv6. tunnel.
Step Command Remarks (Optional.) Configure the device to discard IPv6 tunnel discard By default, the device does not packets with IPv4-compatible ipv4-compatible-packet discard such IPv6 packets. IPv6 addresses Displaying and maintaining GRE Execute display commands in any view and reset commands in user view. Task Command Remarks...
[RouterA-Tunnel0] ip address 10.1.2.1 255.255.255.0
# Configure the source address of the tunnel interface as the IP address of GigabitEthernet 1/0/2 on Router A.
[RouterA-Tunnel0] source 1.1.1.1
# Configure the destination address of the tunnel interface as the IP address of GigabitEthernet 1/0/2 on Router B.
Output: 0 packets, 0 bytes, 0 drops
# Display tunnel interface information on Router B.
[RouterB] display interface tunnel 0
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum Transmit Unit: 1476
Internet Address is 10.1.2.2/24 Primary
Tunnel source 2.2.2.2, destination 1.1.1.1
Tunnel keepalive disabled
Tunnel TTL 255...
Figure 140 Network diagram Configuration procedure Before performing the following configuration, configure an IP address for each interface, and make sure Router A and Router B can reach each other. Configure Router A: # Create a tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv6. <RouterA>...
Bandwidth: 64kbps
Maximum Transmit Unit: 1456
Internet Address is 10.1.2.1/24 Primary
Tunnel source 2002::1:1, destination 2001::2:1
Tunnel TTL 255
Tunnel protocol/transport GRE/IPv6
GRE key disabled
Checksumming of GRE packets disabled
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec...
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.000/2.000/0.632 ms

The output shows that Router B can successfully ping Router A.

Troubleshooting GRE

The key to configuring GRE is to keep the configuration consistent. Most faults can be located by using the debugging gre or debugging tunnel command.
Configuring ADVPN

Overview

Auto Discovery Virtual Private Network (ADVPN) enables enterprise branches that use dynamic public addresses to establish a VPN network. ADVPN uses the VPN Address Management (VAM) protocol to collect, maintain, and distribute dynamic public addresses. VAM uses the client/server model. All VAM clients register their public addresses on the VAM server. A VAM client obtains the public addresses of other clients from the server to establish ADVPN tunnels.
• Hub-spoke—In a hub-spoke ADVPN, spokes communicate with each other through the hub. The hub acts as both the route exchange center and data forwarding center. As shown in Figure 143, each spoke establishes a permanent tunnel to the hub. Spokes communicate with each other through the hub.
Figure 144 Hub-group ADVPN Tunnel 2 Hub3 Group 0 Hub1 Tunnel 2 Tunnel 2 Hub2 VAM server Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Spoke1 Group 1 Spoke2 Group 2 Spoke4 Spoke3 Site 1 Site 5 Site 6 Site 2...
The server and the client exchange negotiation acknowledgment packets protected by using the keys. The server and the client use the keys to protect subsequent packets if they can restore the protected negotiation acknowledgment packets. If they cannot restore the packets, the negotiation fails. Figure 145 Connection initialization process Registration Figure 146...
To establish a hub-hub tunnel: The hub checks whether a tunnel to each peer hub exists. If not, the hub sends a tunnel establishment request to the peer hub.

To establish a spoke-spoke tunnel: In a full-mesh network, when a spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server.
the destination address. If the route to the remote private network is learned by using both methods, the route with a lower preference is used.

NAT traversal

An ADVPN tunnel can traverse a NAT gateway.
• If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established through the NAT gateway.
Tasks at a glance
(Optional.) Configuring keepalive parameters
(Optional.) Setting the retry timer

Creating an ADVPN domain

Step: Enter system view.
Command: system-view

Step: Create an ADVPN domain and enter ADVPN domain view.
Command: vam server advpn-domain domain-name [ id domain-id ]
Remarks: By default, no ADVPN domains exist. Set a unique ID for an ADVPN
Configuring hub groups

Hub groups apply to large ADVPN networks. You can classify spokes to different hub groups, and specify one or more hubs for each group. When a VAM client registers with the VAM server, the VAM server selects a hub group for the client as follows: The server matches the private address of the client against the private addresses of hubs in different hub groups in lexicographic order.
Configuring a spoke private address range in a hub group

You can configure multiple spoke private address ranges in a hub group. The ranges are listed from low to high.

To configure a spoke private address range in a hub group:

Step Command Remarks...
Step: Set the port number of the VAM server.
Command: vam server listen-port port-number
Remarks: The default port number is 18000. The port number of the VAM server must be the same as that configured on the VAM clients.

Specifying authentication and encryption algorithms for the VAM server

The VAM server uses the specified algorithms to negotiate with the VAM client.
Configuring keepalive parameters

Keepalive parameters include a keepalive interval and a maximum number of keepalive retries. The VAM server assigns the configured keepalive parameters to clients in the ADVPN domain. A client sends keepalives to the server at the specified interval. If a client does not receive any responses from the server after the maximum keepalive attempts (keepalive retries + 1), the client stops sending keepalives.
Tasks at a glance
(Required.) Specifying an ADVPN domain for a VAM client
(Required.) Configuring a pre-shared key for a VAM client
(Optional.) Setting the retry interval and retry number for a VAM client
(Optional.) Setting the dumb timer for a VAM client
(Optional.) Configuring a username and password for a VAM client

Creating a VAM client...
Step: (Optional.) Specify the secondary VAM server.
Command: server secondary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ]
Remarks: By default, no VAM server is specified.

Specifying an ADVPN domain for a VAM client

Step Command Remarks...
Setting the dumb timer for a VAM client

A VAM client starts the dumb timer after the timeout timer expires. The client does not process any packets during the dumb time. When the dumb timer expires, the client sends a new connection request to the VAM server.
Step: Specify a source address or source
Command: source { ip-address |
Remarks: By default, no source address or source interface is configured for a tunnel interface. The specified source address or the IP address of the specified source interface is used as the source address of sent ADVPN packets.
Step: 10. (Optional.) Set the idle timeout time for the spoke-spoke tunnel.
Command: advpn session idle-time time-interval
Remarks: By default, the idle timeout time is 600 seconds. The new idle timeout setting applies to both existing and subsequently established spoke-spoke tunnels.

By default, the dumb time is 120 seconds.
For more information about IPsec configuration, see Security Configuration Guide.

Displaying and maintaining ADVPN

Execute display commands in any view and reset commands in user view.

Task: Display IPv4 private-to-public address mapping information for VAM clients registered with the VAM server.
Command: display vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] [ verbose ]
ADVPN configuration examples

IPv4 full-mesh ADVPN configuration example

Network requirements

As shown in Figure 148, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.
# Set the pre-shared key to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set both the username and password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Specify the primary and secondary VAM servers.
[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11
[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12
# Enable the VAM client.
[Hub2] vam client name Hub2
# Specify ADVPN domain abc for the VAM client.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set both the username and password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the primary and secondary VAM servers.
Configure the VAM client:
# Create VAM client Spoke1.
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# Specify ADVPN domain abc for the VAM client.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set both the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 2/0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit

Configuring Spoke 2

Configure IP addresses for the interfaces. (Details not shown.)
Configure the VAM client:
# Create VAM client Spoke2.
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election.
[Spoke2] interface tunnel1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source gigabitethernet 2/0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc...
192.168.0.1 1.0.0.1 Success 0H 46M
192.168.0.2 1.0.0.2 Success 0H 46M

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.
# Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2.
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms...
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
Configure an IPsec profile:
# Configure IKE.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke1-ike-keychain-abc] quit...
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set both the username and password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the primary and secondary VAM servers.
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.
[PrimaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address...
56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms
56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms
56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms
--- Ping6 statistics for 192:168::4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms
# Display IPv6 ADVPN tunnel information on Spokes.
Table 14 Interface and IP address assignment

Device      Interface  IP address       Device    Interface  IP address
Hub 1       GE2/0/1    1.0.0.1/24       Spoke 1   GE2/0/1    1.0.0.3/24
            Tunnel1    192.168.0.1/24             GE2/0/2    192.168.1.1/24
Hub 2       GE2/0/1    1.0.0.2/24                 Tunnel1    192.168.0.3/24
            Tunnel1    192.168.0.2/24   Spoke 2   GE2/0/1    1.0.0.4/24
AAA server             1.0.0.10/24                GE2/0/2    192.168.2.1/24...
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for the ADVPN domain.
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

Configure IP addresses for the interfaces.
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 1.0.0.2 Success 0H 46M
192.168.0.3 1.0.0.3 Success 0H 27M 27S
192.168.0.4 1.0.0.4 Success 0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.
# Display IPv4 ADVPN tunnel information on Spokes.
[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
Configure an IPsec profile:
# Configure IKE.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set both the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11
[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
Configure an IPsec profile:...
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set both the username and password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the primary and secondary VAM servers.
[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.
[PrimaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type Holding time
192:168::1...
56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms
56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms
--- Ping6 statistics for 192:168::4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms

IPv4 multi-hub-group ADVPN configuration example

Network requirements

As shown in Figure...
# Enable the VAM client.
[Hub1-vam-client-Hub1Group0] client enable
[Hub1-vam-client-Hub1Group0] quit
# Create VAM client Hub1Group1.
[Hub1] vam client name Hub1Group1
# Specify ADVPN domain abc for the VAM client.
[Hub1-vam-client-Hub1Group1] advpn-domain abc
# Set the pre-shared key to 123456.
[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456
# Set the username and password to hub1.
Configure the VAM client:
# Create VAM client Hub3Group0.
<Hub3> system-view
[Hub3] vam client name Hub3Group0
# Specify ADVPN domain abc for the VAM client.
[Hub3-vam-client-Hub3Group0] advpn-domain abc
# Set the pre-shared key to 123456.
[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456
# Set both the username and password to hub3.
[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3
# Specify the primary and secondary VAM servers.
# Specify the primary and secondary VAM servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11
[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12
# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
Configure an IPsec profile:
# Configure IKE.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc...
# Create VAM client Spoke3.
<Spoke3> system-view
[Spoke3] vam client name Spoke3
# Specify ADVPN domain abc for the VAM client.
[Spoke3-vam-client-Spoke3] advpn-domain abc
# Set the pre-shared key to 123456.
[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456
# Set both the username and password to spoke3.
[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3
# Specify the primary and secondary VAM servers.
[Spoke3-Tunnel1] source gigabitethernet 2/0/1
[Spoke3-Tunnel1] tunnel protection ipsec profile abc
[Spoke3-Tunnel1] quit

Configuring Spoke 4

Configure IP addresses for the interfaces. (Details not shown.)
Configure the VAM client:
# Create VAM client Spoke4.
<Spoke4> system-view
[Spoke4] vam client name Spoke4
# Specify ADVPN domain abc for the VAM client.
Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 4 will not participate in DR/BDR election.
[Spoke4] interface tunnel1 mode advpn udp
[Spoke4-Tunnel1] ip address 192.168.2.3 255.255.255.0
[Spoke4-Tunnel1] vam client Spoke4
[Spoke4-Tunnel1] ospf network-type broadcast
[Spoke4-Tunnel1] ospf dr-priority 0
[Spoke4-Tunnel1] advpn network 192.168.50.0 255.255.255.0
[Spoke4-Tunnel1] advpn network 192.168.60.0 255.255.255.0...
[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64
[PrimaryServer-vam-server-domain-abc-hub-group-2] quit
# Set the pre-shared key to 123456.
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# Set the authentication mode to CHAP.
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for the ADVPN domain.
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured.
Configuring Hub 2

Configure IP addresses for the interfaces. (Details not shown.)
Configure the VAM client:
# Create VAM client Hub2Group0.
<Hub2> system-view
[Hub2] vam client name Hub2Group0
# Specify ADVPN domain abc for the VAM client.
[Hub2-vam-client-Hub2Group0] advpn-domain abc
# Set the pre-shared key to 123456.
# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
Configure an IPsec profile:
# Configure IKE.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke2-Tunnel1] quit

Configuring Spoke 3

Configure IP addresses for the interfaces. (Details not shown.)
Configure the VAM client:
# Create VAM client Spoke3.
<Spoke3> system-view
[Spoke3] vam client name Spoke3
# Specify ADVPN domain abc for the VAM client.
[Spoke3-vam-client-Spoke3] advpn-domain abc
# Set the pre-shared key to 123456.
[Spoke3-GigabitEthernet2/0/2] quit
Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 3 will not participate in DR/BDR election.
[Spoke3] interface tunnel1 mode advpn udp ipv6
[Spoke3-Tunnel1] ipv6 address 192:168:2::2 64
[Spoke3-Tunnel1] ipv6 address fe80::2:2 link-local
[Spoke3-Tunnel1] vam ipv6 client Spoke3
[Spoke3-Tunnel1] ospfv3 1 area 2
[Spoke3-Tunnel1] ospfv3 network-type broadcast...
# Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.
[SecondaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 10
Group Private address Public address Type Holding time
192:168::1 1::1 0H 52M
192:168::2...
The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3.

IPv4 full-mesh NAT traversal ADVPN configuration example

Network requirements

As shown in Figure 154, all the VAM servers and VAM clients reside behind a NAT gateway. The primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes.
Device      Interface  IP address     Device            Interface  IP address
            GE2/0/2    10.0.0.1/24                      GE2/0/2    10.0.0.1/24
NAT3        GE2/0/1    1.0.0.3/24     AAA server                   10.0.0.2/24
            GE2/0/2    10.0.0.1/24    Primary server    GE2/0/1    10.0.0.3/24
                                      Secondary server  GE2/0/1    10.0.0.4/24

Configuring the primary VAM server

Configure IP addresses for the interfaces. (Details not shown.)
Configure AAA:
# Configure RADIUS scheme abc.
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# Set the keepalive interval to 10 seconds and the maximum number of keepalive retries to 3.
[PrimaryServer-vam-server-domain-abc] keepalive interval 10 retry 3
# Enable the VAM server for the ADVPN domain.
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
# Configure a default route.
[Hub1-Tunnel1] source gigabitethernet 2/0/1
[Hub1-Tunnel1] quit

Configuring Hub 2

Configure IP addresses for the interfaces. (Details not shown.)
Configure the VAM client:
# Create VAM client Hub2.
<Hub2> system-view
[Hub2] vam client name Hub2
# Specify ADVPN domain abc for the VAM client.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the pre-shared key to 123456.
# Set both the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.4 port 4001
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.4 port 4002
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
Configure OSPF:...
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
# Configure a default route.
[Spoke2] ip route-static 0.0.0.0 0 10.0.0.1
Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election.
[Spoke2] interface tunnel1 mode advpn udp
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2...
[NAT2-acl-basic-2000] quit
# Create address group 1.
[NAT2] nat address-group 1
# Add address 1.0.0.2 into the group.
[NAT2-nat-address-group-1] address 1.0.0.2 1.0.0.2
[NAT2-nat-address-group-1] quit
# Configure NAT on GigabitEthernet 2/0/1.
[NAT2] interface gigabitethernet 2/0/1
[NAT2-GigabitEthernet2/0/1] nat outbound 2000 address-group 1
[NAT2-GigabitEthernet2/0/1] quit
# Configure EIM for PAT to translate the source address and source port of packets matching ACL 2000 from the same address and port to the same source public address and port.
192.168.0.1 1.0.0.1 0H 52M
192.168.0.2 1.0.0.1 0H 47M 31S
192.168.0.3 1.0.0.2 Spoke 0H 28M 25S
192.168.0.4 1.0.0.3 Spoke 0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.
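The ADVPN examples above reuse the key 123456, set each VAM password equal to its username, enter secrets with the `simple` (plaintext) keyword, and bind the IKE pre-shared key to the wildcard peer addresses `0.0.0.0 0.0.0.0` and `:: 0`. The following check is an added example, not HPE code; `audit_config`, the rule names and the last sample line are hypothetical, and it flags those patterns in a configuration template before it is deployed.

```python
import re
from typing import List, Tuple

# Key value used throughout this manual's examples; extend with local samples.
SAMPLE_KEYS = {"123456"}

# Optional CLI prompt such as "[Spoke2-ike-keychain-abc]" or "<Spoke2>".
_PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)?\s*")
_IKE_PSK = re.compile(
    r"^pre-shared-key\s+address\s+(?:ipv6\s+)?(\S+)(?:\s+(\S+))?"
    r"\s+key\s+(simple|cipher)\s+(\S+)$")
_VAM_PSK = re.compile(r"^pre-shared-key\s+(simple|cipher)\s+(\S+)$")
_VAM_USER = re.compile(r"^user\s+(\S+)\s+password\s+(simple|cipher)\s+(\S+)$")

Finding = Tuple[int, str, str]  # (line number, rule, description)


def _is_wildcard(address: str, mask) -> bool:
    """True for the match-any peer forms used in the examples."""
    return address in ("0.0.0.0", "::") and mask in ("0", "0.0.0.0")


def _check_secret(out: List[Finding], lineno: int, form: str, secret: str) -> None:
    # Secrets are never echoed into the findings.
    if form == "simple":
        out.append((lineno, "plaintext-secret",
                    "secret is written in plaintext form"))
        if secret in SAMPLE_KEYS:
            out.append((lineno, "documentation-sample-key",
                        "secret equals a value published in the manual"))


def audit_config(text: str) -> List[Finding]:
    """Return findings for VAM and IKE credential lines in a config text."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _PROMPT.sub("", raw, count=1).strip()
        if not line or line.startswith("#"):
            continue
        m = _IKE_PSK.match(line)
        if m:
            address, mask, form, key = m.groups()
            if _is_wildcard(address, mask):
                findings.append((lineno, "wildcard-ike-peer",
                                 "pre-shared key applies to any peer address"))
            _check_secret(findings, lineno, form, key)
            continue
        m = _VAM_PSK.match(line)
        if m:
            _check_secret(findings, lineno, m.group(1), m.group(2))
            continue
        m = _VAM_USER.match(line)
        if m:
            user, form, password = m.groups()
            if form == "simple" and user == password:
                findings.append((lineno, "password-equals-username",
                                 "VAM password is identical to the username"))
            _check_secret(findings, lineno, form, password)
    return findings


# Lines 2-5 are copied from the examples on this page; line 7 is constructed.
SAMPLE = """\
# Copied from the configuration examples.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
# Constructed: peer-specific key in ciphertext form (placeholder value).
[Spoke2-ike-keychain-abc] pre-shared-key address 1.0.0.1 255.255.255.255 key cipher CIPHERTEXT_PLACEHOLDER
"""

if __name__ == "__main__":
    for lineno, rule, description in audit_config(SAMPLE):
        print(f"line {lineno}: {rule}: {description}")
```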
Configuring AFT

Overview

Address Family Translation (AFT) translates an IP address of one address family into an IP address of the other address family. It enables an IPv4 network and an IPv6 network to communicate with each other, as shown in Figure 155.
NO-PAT supports all IP packets. PAT translates multiple IPv6 addresses to a single IPv4 address by mapping each IPv6 address and port to the IPv4 address and a unique port. PAT supports the following packet types:
• TCP packets.
• UDP packets.
• IPv6-to-IPv4 destination address translation. AFT uses the NAT64 prefix to match destination IPv6 addresses and extracts the embedded IPv4 address from matching IPv6 addresses. A NAT64 prefix cannot be on the same subnet as any interface on the device.

IVI prefix translation

An IVI prefix is a 32-bit IPv6 address prefix.
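When reading AFT logs or session tables, it helps to recover the IPv4 address embedded in a translated IPv6 address. The following is an added example, not code from HPE: it implements the RFC 6052 layouts for NAT64 prefixes of every standard length (more than the /96 case this page configures) and assumes the RFC 6219 layout for IVI addresses; the function names are hypothetical, and pairing 2012::/96 and 2013::/32 with the two addresses from the session output later on this page is an assumption.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Bit offsets (from the top of the 128-bit address) of the four IPv4 octets
# for each NAT64 prefix length in RFC 6052. Bits 64-71 are reserved and zero.
RFC6052_OFFSETS = {
    32: (32, 40, 48, 56),
    40: (40, 48, 56, 72),
    48: (48, 56, 72, 80),
    56: (56, 72, 80, 88),
    64: (72, 80, 88, 96),
    96: (96, 104, 112, 120),
}
# Assumed IVI layout (RFC 6219): 32-bit prefix, 0xFF, IPv4 address, zeros.
IVI_OFFSETS = (40, 48, 56, 64)
IVI_MARK = 0xFF << 88  # 0xFF in bits 32-39


def _place(base: int, ipv4: str, offsets) -> ipaddress.IPv6Address:
    """OR the four IPv4 octets into base at the given bit offsets."""
    for octet, off in zip(ipaddress.IPv4Address(ipv4).packed, offsets):
        base |= octet << (120 - off)
    return ipaddress.IPv6Address(base)


def _pick(addr: ipaddress.IPv6Address, offsets) -> str:
    """Read the four IPv4 octets back from the given bit offsets."""
    value = int(addr)
    octets = bytes((value >> (120 - off)) & 0xFF for off in offsets)
    return str(ipaddress.IPv4Address(octets))


def _nat64_offsets(net: ipaddress.IPv6Network):
    if net.prefixlen not in RFC6052_OFFSETS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    return RFC6052_OFFSETS[net.prefixlen]


def nat64_embed(prefix: str, ipv4: str) -> str:
    net = ipaddress.IPv6Network(prefix)
    return str(_place(int(net.network_address), ipv4, _nat64_offsets(net)))


def nat64_extract(prefix: str, ipv6: str) -> Optional[str]:
    """IPv4 address embedded in ipv6, or None if it is not a clean match."""
    net = ipaddress.IPv6Network(prefix)
    offsets = _nat64_offsets(net)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    ipv4 = _pick(addr, offsets)
    # Round trip rejects stray bits in the reserved octet or the suffix.
    return ipv4 if _place(int(net.network_address), ipv4, offsets) == addr else None


def ivi_embed(prefix: str, ipv4: str) -> str:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 32:
        raise ValueError("an IVI prefix is 32 bits long")
    return str(_place(int(net.network_address) | IVI_MARK, ipv4, IVI_OFFSETS))


def ivi_extract(prefix: str, ipv6: str) -> Optional[str]:
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen != 32 or addr not in net:
        return None
    ipv4 = _pick(addr, IVI_OFFSETS)
    return ipv4 if ipaddress.IPv6Address(ivi_embed(prefix, ipv4)) == addr else None


def classify(ipv6: str, nat64_prefixes: Iterable[str],
             ivi_prefixes: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return ("nat64" | "ivi", ipv4) for a translated address, else None."""
    for prefix in nat64_prefixes:
        ipv4 = nat64_extract(prefix, ipv6)
        if ipv4:
            return ("nat64", ipv4)
    for prefix in ivi_prefixes:
        ipv4 = ivi_extract(prefix, ipv6)
        if ipv4:
            return ("ivi", ipv4)
    return None


if __name__ == "__main__":
    # Addresses as they appear in the AFT session output on this page.
    for address in ("2012::0A01:0101", "2013:0:FF14:0101:0100::"):
        print(address, "->", classify(address, ["2012::/96"], ["2013::/32"]))
```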
IPv6-initiated communication

As shown in Figure 159, when the IPv6 host initiates access to the IPv4 host, AFT operates as follows: Upon receiving a packet from the IPv6 host, AFT compares the packet with IPv6-to-IPv4 destination address translation policies. If a matching policy is found, AFT translates the destination IPv6 address according to the policy.
IPv4-initiated communication

As shown in Figure 160, when the IPv4 host initiates access to the IPv6 host, AFT operates as follows: Upon receiving a packet from the IPv4 host, AFT compares the packet with IPv4-to-IPv6 destination address translation policies. If a matching policy is found, AFT translates the destination IPv4 address according to the policy.
AFT configuration task list

IPv6-initiated communication

Task at a glance
(Required.) Enabling AFT
(Required.) Configuring an IPv6-to-IPv4 destination address translation policy
(Required.) Configuring an IPv6-to-IPv4 source address translation policy
(Optional.) Configuring AFT logging
(Optional.) Setting the ToS field to 0 for translated IPv4 packets

IPv4-initiated communication

Task at a glance
(Required.)
Setting the ToS field to 0 for translated IPv4 packets

Step: Enter system view.
Command: system-view

Step: Set the ToS field to 0 for IPv4 packets translated from IPv6 packets.
Command: aft turn-off tos
Remarks: By default, the ToS field value of translated IPv4 packets is the same as the Traffic Class field
Task: Clear AFT statistics (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset aft statistics [ slot slot-number ]

Task: Clear AFT statistics (distributed devices in IRF mode).
Command: reset aft statistics [ chassis chassis-number slot slot-number ]

AFT configuration examples

Allowing IPv4 Internet access from an IPv6 network

Network requirements

As shown in...
# Configure the router to use NAT64 prefix 2012::/96 to translate destination IPv6 addresses of IPv6 packets.
[Router] aft prefix-nat64 2012:: 96
# Enable AFT on GigabitEthernet 2/0/1, which is connected to the IPv6 network.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] aft enable
[Router-GigabitEthernet2/0/1] quit
# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv4 Internet.
# Enable AFT on GigabitEthernet 2/0/1, which is connected to the IPv4 Internet.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] aft enable
[Router-GigabitEthernet2/0/1] quit
# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv6 FTP server.
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] aft enable
[Router-GigabitEthernet2/0/2] quit

Verifying the configuration...
State: TCP_ESTABLISHED
Application: FTP
Start time: 2014-03-13 09:07:30 TTL: 3582s
Initiator->Responder: 3 packets 184 bytes
Responder->Initiator: 2 packets 148 bytes
Total sessions found: 1

Allowing mutual access between IPv4 and IPv6 networks

Network requirements

As shown in Figure 163, a company deploys both an IPv4 network and an IPv6 network. To allow mutual access between the IPv4 network and the IPv6 network, configure the following AFT policies on the router:
•...
[Router-GigabitEthernet2/0/1] quit
# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv6 network.
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] aft enable
[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify the connectivity between IPv6 hosts and IPv4 hosts. This example pings IPv4 host A from IPv6 host A.
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet2/0/1
State: ICMP_REPLY
Application: OTHER
Start time: 2014-03-13 08:52:59 TTL: 27s
Initiator->Responder: 4 packets 240 bytes
Responder->Initiator: 4 packets 240 bytes
Total sessions found: 1

Allowing IPv6 Internet access from an IPv4 network

Network requirements

As shown in Figure...
[Router-GigabitEthernet2/0/1] aft enable
[Router-GigabitEthernet2/0/1] quit
# Enable AFT on GigabitEthernet 2/0/2, which is connected to the IPv6 Internet.
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] aft enable
[Router-GigabitEthernet2/0/2] quit

Verifying the configuration

# Verify the connectivity between the IPv4 hosts and the IPv6 server. This example uses the ping utility on an IPv4 host.
Source IP/port: 2013:0:FF14:0101:0100::/0
Destination IP/port: 2012::0A01:0101/33024
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: IPV6-ICMP(58)
Inbound interface: GigabitEthernet2/0/2
State: ICMPV6_REPLY
Application: OTHER
Start time: 2014-03-13 08:52:59 TTL: 23s
Initiator->Responder: 4 packets 320 bytes
Responder->Initiator: 4 packets 320 bytes
Total sessions found: 1

Providing FTP service from an IPv4 network to the IPv6 Internet

Network requirements...
[Router-aft-address-group-0] quit
# Configure IPv6 ACL 2000 to permit all IPv6 packets to pass through.
[Router] acl ipv6 basic 2000
[Router-acl-ipv6-basic-2000] rule permit
[Router-acl-ipv6-basic-2000] quit
# Configure the router to translate source addresses of IPv6 packets permitted by IPv6 ACL 2000 to IPv4 addresses in address group 0.
Configuring WAAS

The Wide Area Application Services (WAAS) feature is a set of services that can optimize WAN traffic. WAAS solves WAN issues such as high delay and low bandwidth by using optimization services. WAAS provides the following optimization services:
•...
Selective acknowledgement

TCP uses a cumulative acknowledgement scheme. This scheme forces the sender to either wait a roundtrip time to know each lost packet, or to unnecessarily retransmit segments that have been correctly received. When multiple nonconsecutive segments are lost, this scheme reduces overall TCP throughput.
LZ compression

LZ compression is a lossless compression algorithm that uses a compression dictionary to replace repeated data in the same message. The compression dictionary is carried in the compression result. The sending device uses the sliding window technology to detect repeated data. Compared with DRE, LZ compression has a lower compression ratio.
Configuring a WAAS class

Step: Enter system view.
Command: system-view

Step: Create a WAAS class and enter WAAS class view.
Command: waas class class-name
Remarks: By default, only predefined WAAS classes exist.

Step: Configure a match criterion.
Command: match [ match-id ] tcp { any | destination | source } [ ip-address ipv4-address
Remarks: By default, no match criterion is
Applying a WAAS policy to an interface

Apply a WAAS policy to an interface that connects to the WAN. The device optimizes or passes through the traffic entering and leaving the WAN according to the configured policy. If the incoming and outgoing interfaces of the traffic are both connected to the WAN, the traffic is not optimized.
Configuring the TFO blacklist autodiscovery feature

This feature automatically discovers servers that cannot receive TCP packets with options and adds the server IP addresses and port numbers to a blacklist. The system automatically removes blacklist entries after a user-configured aging time. During the 3-way handshake, the local device determines that the TCP connection attempt fails if either of the following situations occurs:
•...
Displaying and maintaining WAAS

Execute display commands in any view and reset commands in user view.

Task: Display WAAS class configuration.
Command: display waas class [ class-name ]

Task: Display WAAS policy configuration.
Command: display waas policy [ policy-name ]

Task: Display WAAS session information (centralized devices in standalone
Command: display waas session { ipv4 | ipv6 } [ client-ip client-ip ] [ client-port client-port ] [ server-ip server-ip ] [ server-port...
• For the first download, both WAAS devices create data dictionary entries and Router A sends both indexes and metadata.
• For the second download, Router A replaces repeated data with indexes.

Figure 166 Network diagram

Configuration procedure

Configure IP addresses for interfaces. (Details not shown.)
Configure routing protocols to ensure connectivity.
Bytes in: 286 bytes
Bytes out: 318 bytes
Bypass bytes: 0 bytes
Bytes Matched: 0 bytes
Space saved: -11%
Average latency: 0 usec
Decode Statistics
Dre msgs: 57050
Bytes in: 14038391 bytes
Bytes out: 14079375 bytes
Bypass bytes: 0 bytes
Space saved: 0%
Average latency: 0 usec
# After the second download, display DRE statistics on Router A.
• For the second download, Router A replaces repeated data with indexes.

Figure 167 Network diagram

Configuration procedure

Configure IP addresses for interfaces. (Details not shown.)
Configure routing protocols to ensure connectivity. (Details not shown.)
Configure WAAS classes:
# Create a WAAS class named c1 on Router A, and configure the WAAS class to match any TCP packets.
# Apply the WAAS policy p1 to the interface GigabitEthernet 2/0/1 on Router A.
<RouterA> system-view
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] waas apply policy p1
[RouterA-GigabitEthernet2/0/1] quit
[RouterA] quit
# Apply the WAAS policy p1 to the interface GigabitEthernet 2/0/1 on Router B.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] waas apply policy p1
[RouterB-GigabitEthernet2/0/1] quit...
Total connections: 1
Active connections: 0
Encode Statistics
Dre msgs: 2
Bytes in: 286 bytes
Bytes out: 60 bytes
Bypass bytes: 0 bytes
Bytes Matched: 256 bytes
Space saved: 79%
Average latency: 0 usec
Decode Statistics
Dre msgs: 62687
Bytes in: 2592183 bytes
Bytes out: 13972208 bytes
Bypass bytes: 0 bytes
Space saved: 81%...
Document conventions and icons

Conventions

This section describes the conventions used in the documentation.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

Command conventions

Convention Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Page 495
AAA configuration, VAM server authentication algorithm, configuration, 357, 362, VAM server authentication method, connection initialization, VAM server configuration, display, VAM server enable, domain creation, VAM server encryption algorithm, hub group configuration, VAM server keepalive parameter, hub group creation, VAM server port number, hub group private address, VAM server pre-shared key, hub group spoke private address range,...
Page 496
translation process, GRE, translation process (IPv4-initiated applying communication), DDNS client policy to interface, translation process (IPv6-initiated DHCP address pool on interface, communication), DHCP address pool to VPN instance, aging DHCPv6 address pool to a VPN instance, ARP dynamic entry aging timer, DHCPv6 snooping trusted/untrusted port, IPv6 fast forwarding entry aging time, WAAS policy to interface,...
Page 497
suppression display, DHCP automatic address allocation, suppression maintain, DHCP binding auto backup, table, DHCP client auto-configuration file, ARP snooping DHCP snooping entry auto backup, feature and hardware compatibility, DHCPv6 binding auto backup, assembling DHCPv6 snooping entry auto backup, IPv6 interface link-local address automatic IPv6 local fragment reassembly, generation, assigning...
Page 506
server IP address dynamic assignment, address pool, server IP address static assignment, address pool selection, server logging enable, address pool VPN instance application, server maintain, address/prefix assignment, server option customization configuration, address/prefix lease renewal, server packet DSCP value, assignment (4 messages), server subnet configuration, binding auto backup, server user class configuration,...
Page 510
IPv6 multicast echo request reply, DHCP server IP address static assignment, IPv6 ND proxy, DHCP server option customization, IPv6 RA message send, DHCP server subnet configuration, IPv6 router renumbering, DHCP server user class configuration, local proxy ARP, DHCP server user class whitelist configuration, NAT sending ICMP error message, DHCP snooping basic configuration,...
Page 511
maintain, AFT IPv4 Internet FTP service (IPv6 network), feature and hardware compatibility AFT IPv6 Internet FTP service (IPv4 ARP snooping, network), flow classification, full-mesh ADVPN configuration (IPv4 full-mesh NAT adjacency table display, traversal), adjacency table displaying commands, ADVPN configuration (IPv4 full-mesh), IP forwarding basics (on device), ADVPN configuration (IPv6 full-mesh), IP forwarding load sharing (per-packet or...
Page 523
AFT translation process (IPv4-initiated IPv6, 224, See also IPng communication), 6PE technology, automatic IPv4-compatible IPv6 6to4 relay configuration, tunnel, 321, 6to4 tunnel configuration, 323, DNS client configuration, address formats, DNS configuration, address type, DNS outgoing packet DSCP value, addresses, DNS proxy configuration, 112, ADVPN configuration (IPv6 full-mesh), DNS spoofing configuration, ADVPN configuration (IPv6 hub-spoke),...
Page 524
fast forwarding configuration, maintaining basics, fast forwarding display, max number NS message sent attempts, fast forwarding entry aging time, multicast address type, fast forwarding load sharing configuration, multicast echo request reply, fast forwarding maintain, NAT-PT technology, features, ND configuration, global unicast address configuration, ND duplicate address detection, GRE application scenarios, ND dynamic neighbor entries max number,...
Page 525
IPv6 fast forwarding DHCP server user class whitelist configuration, command and hardware compatibility, DHCP snooping basic configuration, IRDP DHCPv6 client configuration, 288, 288, basic concepts, DHCPv6 client IPv6 address acquisition configuration, 204, 205, configuration, operation, DHCPv6 client IPv6 address+prefix acquisition protocols and standards, configuration, DHCPv6 client IPv6 prefix acquisition...
Page 531
DHCP server address pool IP address DHCPv6 IPv6 address/prefix allocation range, sequence, DHCP server BOOTP request ignore, DHCPv6 IPv6 prefix assignment, DHCP server broadcast response, DHCPv6 packet DSCP value, DHCP server compatibility configuration, DHCPv6 prefix allocation, DHCP server IP address dynamic DHCPv6 relay address pool configuration, assignment, DHCPv6 relay agent enable on interface,...
Page 532
DNS spoofing network mode tracking, IPPO TCP timer, DNS suffixes, IPv4 DNS client configuration, DNS trusted interface, IPv4 DNS client domain name resolution (dynamic), DS-Lite tunnel configuration, 335, IPv4 DNS client domain name resolution enable IPv6 direct route advertisement, (static), fast forwarding entry aging time, IPv4 DNS proxy configuration, fast forwarding load sharing,...
Page 544
providing AFT IPv4 Internet FTP service (IPv6 specifying ADVPN VAM server encryption network), algorithm, providing AFT IPv6 Internet FTP service (IPv4 specifying DHCP address pool primary network), subnet+multiple address range, restoring WAAS settings, specifying DHCP address pool primary subnet+multiple secondary subnets, setting ADVPN VAM client dumb timer, specifying DHCP client auto-configuration file, setting ADVPN VAM client retry...
Page 545
troubleshooting IPv4 DNS incorrect IP DNS proxy configuration, address, DNS spoofing, troubleshooting IPv6 address cannot be DNS spoofing configuration, pinged, DNS spoofing network mode tracking, troubleshooting IPv6 DNS incorrect IP IPv4 DNS proxy configuration, address, IPv6 DNS proxy configuration, troubleshooting tunnel cannot come up, IPv6 ND proxy enable, protecting IRDP proxy-advertised IP address,...
Page 546
DHCP overview, DDNS configuration (www.3322.org), DHCP relay address pool configuration, DNS configuration, 106, DHCP relay agent client gateway address, DNS dynamic domain name resolution, DHCP relay agent client offline detection, DNS static domain name resolution, DHCP relay agent configuration, IPv4 DNS client domain name resolution (dynamic), 110, DHCP relay agent Option 82 configuration, IPv4 DNS client domain name resolution...
Page 547
DDNS configuration (www.3322.org), IPPO TCP timer, DDNS outgoing packet DSCP value, IPv4 DNS client configuration, DHCP snooping configuration, IPv4 DNS configuration, DHCP snooping trusted port, IPv4 DNS proxy configuration, DHCP snooping untrusted port, IPv4/IPv4 GRE tunnel configuration, DHCPv6 snooping configuration, 299, IPv4/IPv6 GRE tunnel configuration, DHCPv6 snooping configuration, IPv6 DNS client configuration,...
Page 548
DHCPv6 snooping entry max, DHCP server option customization, DHCPv6 snooping logging, DHCP server packet DSCP value, DHCPv6 snooping Option 18 DHCP server subnet configuration, configuration, DHCP server user class configuration, DHCPv6 snooping Option 37 DHCP server user class whitelist configuration, configuration, DHCPv6 snooping packet blocking port, DHCP voice client Option 184 parameters,...