Page of 246
Download Table of ContentsContents Print This PagePrint Bookmark
HP 3600 v2 Switch Series
Layer 3 - IP Services
Part number: 5998-2351
Software version: Release 2108P01
Document version: 6W100-20131130

Advertising

   Related Manuals for HP 3600 v2 Series

   Summary of Contents for HP 3600 v2 Series

  • Page 1: Configuration Guide

    HP 3600 v2 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2351 Software version: Release 2108P01 Document version: 6W100-20131130...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    Contents Configuring ARP ··························································································································································· 1   Overview ············································································································································································ 1   ARP message format ················································································································································ 1   ARP operation ··························································································································································· 2   ARP table ··································································································································································· 3   Configuring a static ARP entry ········································································································································· 3   Configuring the maximum number of dynamic ARP entries for an interface ······························································ 4  ...

  • Page 4: Table Of Contents

    Configuring IP unnumbered ·········································································································································· 27   Overview ································································································································································ 27   Configuration guidelines ······································································································································ 27   Configuration prerequisites ·································································································································· 27   Configuration procedure ······································································································································ 28   Displaying and maintaining IP addressing ················································································································· 28   DHCP overview ·························································································································································· 29   DHCP address allocation ·············································································································································· 29  ...

  • Page 5: Table Of Contents

    Static IP address assignment configuration example························································································· 53   Dynamic IP address assignment configuration example ··················································································· 55   Self-defined option configuration example ········································································································· 56   Troubleshooting DHCP server configuration ··············································································································· 57   Symptom ································································································································································· 57   Analysis ·································································································································································· 57   Solution ··································································································································································· 57  ...

  • Page 6: Table Of Contents

    DHCP snooping support for Option 82 ······················································································································· 76   DHCP snooping configuration task list ························································································································ 77   Configuring DHCP snooping basic functions ·············································································································· 77   Configuring DHCP snooping to support Option 82 ··································································································· 78   Configuring DHCP snooping entries backup ·············································································································· 80  ...

  • Page 7: Table Of Contents

    Working mechanism ··········································································································································· 100   Concepts······························································································································································· 101   Protocols and standards ····································································································································· 101   Configuration procedure ············································································································································· 101   IRDP configuration example ········································································································································ 102   Network requirements ········································································································································· 102   Configuration procedure ···································································································································· 103   Verifying the configuration ································································································································· 104  ...

  • Page 8: Table Of Contents

    Configuring a static path MTU for a specific IPv6 address ············································································ 135   Configuring the aging time for dynamic path MTUs ······················································································· 135   Configuring IPv6 TCP properties ································································································································ 135   Configuring ICMPv6 packet sending ························································································································· 136   Configuring the maximum ICMPv6 error packets sent in an interval ···························································· 136  ...

  • Page 9: Table Of Contents

    Network requirements ········································································································································· 160   Configuration procedure ···································································································································· 161   Verifying the configuration ································································································································· 161   Configuring DHCPv6 client ···································································································································· 163   Overview ······································································································································································· 163   Configuring the DHCPv6 client··································································································································· 163   Configuration prerequisites ································································································································ 163   Configuration guidelines ···································································································································· 163  ...

  • Page 10: Table Of Contents

    Configuration procedure ···································································································································· 187   Configuring an IPv6 manual tunnel ···························································································································· 188   Configuration prerequisites ································································································································ 188   Configuration guidelines ···································································································································· 188   Configuration procedure ···································································································································· 189   Configuration example ······································································································································· 189   Configuring a 6to4 tunnel ··········································································································································· 193   Configuration prerequisites ································································································································...

  • Page 11: Table Of Contents

    Support and other resources ·································································································································· 230   Contacting HP ······························································································································································ 230   Subscription service ············································································································································ 230   Related information ······················································································································································ 230   Documents ···························································································································································· 230   Websites ······························································································································································· 230   Conventions ·································································································································································· 231   Index ········································································································································································ 233  ...

  • Page 12: Configuring Arp

    Configuring ARP You can use the port link-mode command to set an Ethernet port to operate in bridge (Layer 2) or route mode (Layer 3) (see Layer 2—LAN Switching Configuration Guide). Overview The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC address, for example).

  • Page 13: Arp Operation

    ARP operation If Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 2, the resolution process is: Host A looks in its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.

  • Page 14: Arp Table

    ARP table An ARP table stores dynamic and static ARP entries. Dynamic ARP entry ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry. Static ARP entry A static ARP entry is manually configured and maintained.

  • Page 15: Configuring The Maximum Number Of Dynamic Arp Entries For An Interface

    Optional. By default, a Layer 2 interface does not limit the number of dynamic ARP entries. A Layer 3 interface on the HP 3600 v2 EI switch series can learn up to 8192 Set the maximum number of arp max-learning-num dynamic ARP entries.

  • Page 16: Enabling Dynamic Arp Entry Check

    Enabled by default. Configuring ARP quick update HP recommends you enable ARP quick update in WLAN networks only. As shown in Figure 3, the laptop frequently roams between AP 1 and AP 2. This affects the mapping between its MAC address and output interface on the switch.

  • Page 17: Configuring Multicast Arp

    To enable ARP quick update: Step Command Remarks Enter system view. system-view Optional. Enable ARP quick mac-address station-move update. quick-notify enable Disabled by default. Configuring multicast ARP Microsoft Network Load Balancing (NLB) is a load balancing technology for server clustering developed on Windows Server.

  • Page 18: Displaying And Maintaining Arp

    Displaying and maintaining ARP CAUTION: Clearing ARP entries from the ARP table might cause communication failures. Task Command Remarks display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface Display ARP entries in the ARP interface-type interface-number ] [ count | Available in any view table.

  • Page 19: Multicast Arp Configuration Example

    Figure 4 Network diagram Configuration procedure Configure the switch: # Create VLAN 10. <Switch> system-view [Switch] vlan 10 [Switch-vlan10] quit # Add interface Ethernet 1/0/1 to VLAN 10. [Switch] interface Ethernet 1/0/1 [Switch-Ethernet1/0/1] port link-type trunk [Switch-Ethernet1/0/1] port trunk permit vlan 10 [Switch-Ethernet1/0/1] quit # Create interface VLAN-interface 10 and configure its IP address.

  • Page 20

    Add Ethernet 1/0/2 and Ethernet 1/0/3 into VLAN 1, and specify IP address 16.1.1.30/24 for • VLAN-interface 1. Add Ethernet 1/0/1 and Ethernet 1/0/4 into VLAN 2, and specify IP address 17.1.1.1/24 for • VLAN-interface 2. • Specify 17.1.1.1/24 as the default gateway of Host A and Host B. Specify 16.1.1.30/24 as the default gateway of Server A and Server B.

  • Page 21

    Verifying the configuration NLB load sharing—Enables the FTP server function of Server A and Server B. Host A and Host B • send requests to the virtual IP address and each of them logs in to a different server. NLB redundancy—Disables the network interface card of Server A. Host A and Host B send •...

  • Page 22: Configuring Gratuitous Arp

    Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: Determine whether its IP address is already used by another device. If the IP address is already used, •...

  • Page 23: Configuration Guidelines

    If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet takes the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet takes the MAC address of the interface on the master router in the VRRP group.

  • Page 24

    You can use this command to enable the device to display error message without sending any gratuitous ARP request for conflict confirmation. The receiving device displays the message every 30 seconds until the conflict is resolved. To enable IP conflict notification: Step Command Remarks...

  • Page 25: Configuring Proxy Arp

    Configuring proxy ARP Overview Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network.

  • Page 26: Enabling Common Proxy Arp

    Figure 7 Application environment of local proxy ARP Enable local proxy ARP in one of the following cases: Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at • Layer 3. If a super VLAN is configured, hosts in different sub VLANs of the super VLAN need to communicate •...

  • Page 27: Displaying And Maintaining Proxy Arp

    Displaying and maintaining proxy ARP Task Command Remarks display proxy-arp [ interface interface-type Display whether common proxy interface-number ] [ | { begin | exclude | Available in any view ARP is enabled. include } regular-expression ] display local-proxy-arp [ interface Display whether local proxy ARP is interface-type interface-number ] [ | { begin Available in any view...

  • Page 28: Local Proxy Arp Configuration Example In Case Of Port Isolation

    # Specify the IP address of interface VLAN-interface 1. [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.10.99 255.255.255.0 # Enable proxy ARP on interface VLAN-interface 1. [Switch-Vlan-interface1] proxy-arp enable [Switch-Vlan-interface1] quit # Specify the IP address of interface VLAN-interface 2. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0 # Enable proxy ARP on interface VLAN-interface 2.

  • Page 29: Local Proxy Arp Configuration Example In Super Vlan

    [SwitchB-vlan2] port Ethernet 1/0/2 [SwitchB-vlan2] quit [SwitchB] interface Ethernet 1/0/3 [SwitchB-Ethernet1/0/3] port-isolate enable [SwitchB-Ethernet1/0/3] quit [SwitchB] interface Ethernet 1/0/1 [SwitchB-Ethernet1/0/1] port-isolate enable [SwitchB-Ethernet1/0/1] quit Configure Switch A: # Create VLAN 2, and add Ethernet 1/0/2 to VLAN 2. <SwitchA> system-view [SwitchA] vlan 2 [SwitchA-vlan2] port Ethernet 1/0/2 [SwitchA-vlan2] quit...

  • Page 30: Local Proxy Arp Configuration Example In Isolate-user-vlan

    Configuration procedure # Create the super VLAN and the sub-VLANs. Add Ethernet 1/0/2 to VLAN 2 and Ethernet 1/0/1 to VLAN 3. Configure the IP address 192.168.10.100/16 for the interface of VLAN 10. <Switch> system-view [Switch] vlan 2 [Switch-vlan2] port Ethernet 1/0/2 [Switch-vlan2] quit [Switch] vlan 3 [Switch-vlan3] port Ethernet 1/0/1...

  • Page 31

    Figure 11 Network diagram Switch A Eth1/0/2 VLAN 5 Vlan-int5 192.168.10.100/16 Isolate-user-vlan 5 Secondary VLAN 2 and 3 Eth1/0/2 VLAN 5 Eth1/0/3 VLAN 2 Eth1/0/1 VLAN 3 Host B Host A Switch B 192.168.10.99/16 192.168.10.200/16 Configuration procedure Configure Switch B: # Create VLAN 2, VLAN 3, and VLAN 5 on Switch B.

  • Page 32

    [SwitchA-vlan5] port Ethernet 1/0/2 [SwitchA-vlan5] quit [SwitchA] interface vlan-interface 5 [SwitchA-Vlan-interface5] ip address 192.168.10.100 255.255.0.0 From Host A, ping Host B. The ping operation is unsuccessful because they are isolated at Layer 2. # Configure local proxy ARP to implement Layer 3 communication between Host A and Host B. [SwitchA-Vlan-interface5] local-proxy-arp enable From Host A, ping Host B.

  • Page 33: Configuring Arp Snooping

    Configuring ARP snooping Overview The ARP snooping feature is used in Layer 2 switching networks. It creates ARP snooping entries using ARP packets, and the entries can be used by manual-mode MFF to answer ARP requests from a gateway. For more information about MFF, see Security Configuration Guide. If ARP snooping is enabled on a VLAN of a device, ARP packets received by the interfaces of the VLAN are redirected to the CPU.

  • Page 34: Configuring Ip Addressing

    Configuring IP addressing This chapter describes IP addressing basic and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) are beyond the scope of this chapter. The term "interface" in this chapter collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide).

  • Page 35: Special Ip Addresses

    Class Address range Remarks 128.0.0.0 to 191.255.255.255 192.0.0.0 to 223.255.255.255 224.0.0.0 to Multicast addresses. 239.255.255.255 240.0.0.0 to Reserved for future use except for the broadcast address 255.255.255.255 255.255.255.255. Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses. IP address with an all-zero net ID—Identifies a host on the local network.

  • Page 36: Assigning An Ip Address To An Interface

    Without subnetting—65,534 hosts (2 – 2). (The two deducted addresses are the broadcast • address, which has an all-one host ID, and the network address, which has an all-zero host ID.) With subnetting—Using the first 9 bits of the host-id for subnetting provides 512 (2 ) subnets.

  • Page 37

    To enable the hosts on the two subnets to communicate with the external network through the switch, and to enable the hosts on the two subnets to communicate with each other: Assign a primary IP address and a secondary IP address to VLAN-interface 1 on the switch. •...

  • Page 38: Configuring Ip Unnumbered

    The output shows that the switch can communicate with the hosts on subnet 172.16.1.0/24. # From the switch, ping a host on subnet 172.16.2.0/24 to verify the connectivity. <Switch> ping 172.16.2.2 PING 172.16.2.2: 56 data bytes, press CTRL_C to break Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms...

  • Page 39: Configuration Procedure

    Configuration procedure To configure IP unnumbered on an interface: Step Command Remarks Enter system view. system-view Enter tunnel interface view. interface tunnel number Specify the current interface to The interface does not borrow IP ip address unnumbered interface borrow the IP address of the addresses from other interfaces by interface-type interface-number specified interface.

  • Page 40: Dhcp Overview

    DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client/server model. Figure 15 A typical DHCP application A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet via a DHCP relay agent.

  • Page 41: Dynamic Ip Address Allocation Process

    Dynamic IP address allocation process Figure 16 Dynamic IP address allocation process The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client, in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.

  • Page 42: Dhcp Message Format

    DHCP message format Figure 17 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Figure 17 DHCP message format •...

  • Page 43: Dhcp Options

    DHCP options DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 18 DHCP option format Common DHCP options The following are common DHCP options: Option 3—Router option.

  • Page 44

    Service provider identifier, which is acquired by the Customer Premises Equipment (CPE) from the • DHCP server and sent to the ACS for selecting vender-specific configurations and parameters. Preboot Execution Environment (PXE) server address, which is used to obtain the bootfile or other •...

  • Page 45

    Figure 21 PXE server address sub-option value field Relay agent option (Option 82) Option 82 is the relay agent option in the option field of the DHCP message. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server.

  • Page 46

    Figure 23 Sub-option 2 in normal padding format Verbose padding format • Sub-option 1—Contains the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client's request.

  • Page 47: Protocols And Standards

    Figure 27 Sub-option 9 in private padding format Standard padding format • Sub-option 1—Contains the VLAN ID of the interface that received the client's request, module (subcard number of the receiving port) and port (port number of the receiving port). The value of the sub-option type is 1, and the value of the circuit ID type is 0.

  • Page 48

    RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) • version 4...

  • Page 49: Configuring Dhcp Server

    Configuring DHCP server The term "interface" in the DHCP features collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide).

  • Page 50: Ip Address Allocation Sequence

    Principles for selecting an address pool The DHCP server observes the following principles to select an address pool when assigning an IP address to a client: If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client.

  • Page 51: Configuring An Address Pool For The Dhcp Server

    Task Remarks Enabling DHCP Required. Enabling the DHCP server on an interface Required. Required by the extended address pool configuration. Applying an extended address pool on an interface When configuring a common address pool, ignore this task. Configuring the DHCP server security functions Optional.

  • Page 52: Configuring Address Allocation Mode For A Common Address Pool

    A common address pool and an extended address pool are different in address allocation mode configuration. Configurations of other parameters (such as the domain name suffix and DNS server address) for them are the same. To create a DHCP address pool: Step Command Remarks...

  • Page 53

    If the interfaces on a DHCP client share the same MAC address, you must specify the client ID, • rather than MAC address, in a static binding to identify the requesting interface. Otherwise, the client may fail to obtain an IP address. To configure a static binding in a common address pool: Step Command...

  • Page 54: Configuring Dynamic Address Allocation For An Extended Address Pool

    Step Command Remarks Specify the IP address range Optional. network ip range min-address on the subnet for dynamic max-address Not specified by default. allocation. expired { day day [ hour hour Optional. Specify the address lease [ minute minute ] [ second duration.

  • Page 55: Configuring A Domain Name Suffix For The Client

    Configuring a domain name suffix for the client You can specify a domain name suffix in each DHCP address pool on the DHCP server to provide the clients with the domain name suffix. With this suffix assigned, the client only needs to input part of a domain name, and the system will add the domain name suffix for name resolution.

  • Page 56: Configuring Bims Server Information For The Client

    To configure WINS servers and NetBIOS node type in the DHCP address pool: Step Command Remarks Enter system view. system-view Enter DHCP address pool dhcp server ip-pool pool-name view. [ extended ] Optional for b-node. Specify WINS server IP nbns-list ip-address&<1-8> addresses.

  • Page 57: Configuring Option 184 Parameters For The Client With Voice Service

    Configuring Option 184 parameters for the client with voice service To assign voice calling parameters along with an IP address to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "DHCP overview."...

  • Page 58: Specifying A Server's Ip Address For The Dhcp Client

    Step Command Remarks Enter DHCP address pool dhcp server ip-pool pool-name [ extended ] view. • Specify the TFTP server: tftp-server ip-address ip-address Use either command. Specify the IP address or name of the TFTP server. • Specify the name of the TFTP server: Not specified by default.

  • Page 59: Enabling Dhcp

    Step Command Remarks option code { ascii ascii-string | Configure a self-defined No DHCP option is configured by hex hex-string&<1-16> | DHCP option. default. ip-address ip-address&<1-8> } Table 2 Description of common options Option Option name Corresponding command Command parameter Router Option gateway-list ip-address...

  • Page 60

    interface (connecting to the client). If the address pool contains no assignable IP address, the server assigns an IP address from an address pool that resides on the same subnet as the secondary IP addresses of the server interface. If the interface has multiple secondary IP addresses, each address pool is tried in turn for address allocation.

  • Page 61: Configuring The Dhcp Server Security Functions

    Configuring the DHCP server security functions Configuration prerequisites Before you configure the DHCP server security functions, complete the following tasks on the DHCP server: Enable DHCP. Configure the DHCP address pool. Enabling unauthorized DHCP server detection Unauthorized DHCP servers on a network may assign wrong IP addresses to DHCP clients. With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request contains Option 54 (Server Identifier Option).

  • Page 62: Enabling Client Offline Detection

    Step Command Remarks Optional. Configure a timeout waiting dhcp server ping timeout 500 ms by default. for ping responses. milliseconds The value 0 indicates that no ping operation is performed. Enabling client offline detection With this feature enabled, the DHCP server considers a DHCP client goes offline when the ARP entry for the client ages out.

  • Page 63: Specifying The Threshold For Sending Trap Messages

    Specifying the threshold for sending trap messages Configuration prerequisites Before you perform the configuration, use the snmp-agent target-host command to specify the destination address of the trap messages. For more information about the command, see Network Management and Monitoring Command Reference. Configuration procedure A DHCP server sends trap messages to the network management server when one of the following items reaches the specified threshold:...

  • Page 64: Dhcp Server Configuration Examples

    Task Command Remarks display dhcp server conflict { all | ip Display information about IP address ip-address } [ | { begin | exclude | include } Available in any view conflicts. regular-expression ] display dhcp server expired { all | ip Display information about lease ip-address | pool [ pool-name ] } [ | { begin | Available in any view...

  • Page 65

    Figure 29 Network diagram Gateway 10.1.1.126/25 Vlan-int2 10.1.1.1/25 10.1.1.2/25 Vlan-int2 Vlan-int2 Switch A Switch B Switch C DHCP server DHCP Client BOOTP Client DNS server Configuration procedure Configure the IP address of VLAN-interface 2 on Switch A. <SwitchA> system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 10.1.1.1 25 [SwitchA-Vlan-interface2] quit Configure the DHCP server:...

  • Page 66: Dynamic Ip Address Assignment Configuration Example

    Dynamic IP address assignment configuration example Network requirements As shown in Figure 30, the DHCP server (Switch A) assigns IP addresses to clients in subnet • 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of VLAN-interfaces 1 and 2 on Switch A are 10.1.1.1/25 and 10.1.1.129/25 •...

  • Page 67: Self-defined Option Configuration Example

    [SwitchA] dhcp server forbidden-ip 10.1.1.126 [SwitchA] dhcp server forbidden-ip 10.1.1.254 # Configure DHCP address pool 0 (subnet, client domain name suffix, and DNS server address). [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 [SwitchA-dhcp-pool-0] domain-name aabbcc.com [SwitchA-dhcp-pool-0] dns-list 10.1.1.2 [SwitchA-dhcp-pool-0] quit # Configure DHCP address pool 1 (subnet, gateway, lease duration, and WINS server).

  • Page 68: Troubleshooting Dhcp Server Configuration

    Configuration procedure Specify IP addresses for the interfaces. (Details not shown.) Configure the DHCP server: # Enable DHCP. <SwitchA> system-view [SwitchA] dhcp enable # Enable the DHCP server on VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] dhcp select server global-pool [SwitchA-Vlan-interface2] quit # Configure DHCP address pool 0.

  • Page 69: Configuring Dhcp Relay Agent

    Configuring DHCP relay agent The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces, Layer 3 aggregate interfaces, and VLAN interfaces. Overview Via a relay agent, DHCP clients can communicate with a DHCP server on another subnet to obtain configuration parameters.

  • Page 70: Dhcp Relay Agent Support For Option 82

    Figure 33 DHCP relay agent work process After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters to the relay agent, and the relay agent conveys them to the client.

  • Page 71: Dhcp Relay Agent Configuration Task List

    If a client's Handling requesting Padding format The DHCP relay agent will… strategy message has… Forward the message after adding the verbose Option 82 padded in verbose format. Forward the message after adding the user-defined user-defined Option 82. DHCP relay agent configuration task list Task Remarks Enabling DHCP...

  • Page 72: Correlating A Dhcp Server Group With A Relay Agent Interface

    Step Command Remarks interface interface-type Enter interface view. interface-number Enable the DHCP relay agent With DHCP enabled, interfaces dhcp select relay on the current interface. operate in the DHCP server mode. Correlating a DHCP server group with a relay agent interface To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.

  • Page 73: Configuring The Dhcp Relay Agent Security Functions

    Configuring the DHCP relay agent security functions Configuring address check Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. This feature also supports static bindings. You can also configure static IP-to-MAC bindings on the DHCP relay agent, so users can access external networks using fixed IP addresses.

  • Page 74: Enabling Unauthorized Dhcp Server Detection

    When this feature is enabled, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to send a DHCP-REQUEST message to the DHCP server at specified intervals. If the server returns a DHCP-ACK message or does not return any message within a specific interval, •...

  • Page 75: Enabling Offline Detection

    To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source • MAC address, enable MAC address check on the DHCP relay agent. With this function enabled, the DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address field of the frame.

  • Page 76: Configuring The Dhcp Relay Agent To Support Option 82

    To configure the DHCP relay agent to send DHCP-RELEASE messages: Step Command Remarks Enter system view. system-view Configure the DHCP relay agent to The IP address must be in a dhcp relay release ip client-ip release an IP address. dynamic client entry. Configuring the DHCP relay agent to support Option 82 Configuration prerequisites...

  • Page 77: Setting The Dscp Value For Dhcp Packets

    Step Command Remarks Optional. • Configure the padding format for By default: Option 82: dhcp relay information format • The padding format for Option 82 { normal | verbose [ node-identifier is normal. { mac | sysname | user-defined • The code type for the circuit ID node-identifier } ] } sub-option depends on the padding...

  • Page 78: Dhcp Relay Agent Configuration Examples

    Task Command Remarks display dhcp relay information { all | Display Option 82 configuration interface interface-type interface-number } [ | information on the DHCP relay Available in any view { begin | exclude | include } agent. regular-expression ] display dhcp relay security [ ip-address | Display information about bindings dynamic | static ] [ | { begin | exclude | Available in any view...

  • Page 79: Dhcp Relay Agent Option 82 Support Configuration Example

    Figure 34 Network diagram DHCP client DHCP client Vlan-int1 Vlan-int2 10.10.1.1/24 10.1.1.2/24 Vlan-int2 10.1.1.1/24 Switch A Switch B DHCP relay agent DHCP server DHCP client DHCP client Configuration procedure The DHCP relay agent and server are on different subnets, so configure a static route or dynamic routing protocol to make them reachable to each other.

  • Page 80: Troubleshooting Dhcp Relay Agent Configuration

    Configuration procedure Configurations on the DHCP server are also required to make the Option 82 configurations function normally. # Specify IP addresses for the interfaces. (Details not shown.) # Enable DHCP. <SwitchA> system-view [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1.

  • Page 81: Configuring Dhcp Client

    Configuring DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP address from the DHCP server. Configuration restrictions The DHCP client configuration is supported only on Layer 3 Ethernet interfaces, Layer 3 aggregate •...

  • Page 82: Displaying And Maintaining The Dhcp Client

    Step Command Remarks Enter system view. system-view Set the DSCP value for DHCP Optional. packets sent by the DHCP dhcp client dscp dscp-value By default, the DSCP value is 56. client. Displaying and maintaining the DHCP client Task Command Remarks display dhcp client [ verbose ] [ interface Display specified interface-type interface-number ] [ | { begin |...

  • Page 83: Verifying The Configuration

    [SwitchA-Vlan-interface2] ip address 10.1.1.1 24 [SwitchA-Vlan-interface2] quit # Enable the DHCP service. [SwitchA] dhcp enable # Exclude an IP address from automatic allocation. [SwitchA] dhcp server forbidden-ip 10.1.1.2 # Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.

  • Page 84

    10.1.1.3/32 Direct 0 127.0.0.1 InLoop0 20.1.1.0/24 Static 70 10.1.1.2 Vlan2 127.0.0.0/8 Direct 0 127.0.0.1 InLoop0 127.0.0.1/32 Direct 0 127.0.0.1 InLoop0...

  • Page 85: Configuring Dhcp Snooping

    Configuring DHCP snooping The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server. DHCP snooping functions DHCP snooping can: Ensure that DHCP clients obtain IP addresses from authorized DHCP servers.

  • Page 86: Application Environment Of Trusted Ports

    including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For more information, see Layer 2—LAN Switching Configuration Guide. Application environment of trusted ports Configuring a trusted port connected to a DHCP server As shown in Figure 36, the DHCP snooping device port that is connected to an authorized DHCP server should be configured as a trusted port.

  • Page 87: Dhcp Snooping Support For Option 82

    Figure 37 Configuring trusted ports in a cascaded network DHCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security control and accounting purposes. For more information, see "Configuring DHCP relay agent."...

  • Page 88: Dhcp Snooping Configuration Task List

    If a client's Handling requesting message Padding format The DHCP snooping device… strategy has… Forwards the message without changing normal Option 82. Forwards the message without changing verbose Option 82. Forwards the message after adding sub-option Append private 9 to option 82 or adding content to sub-option 9 that option 82 contains.

  • Page 89: Configuring Dhcp Snooping To Support Option 82

    You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports. For • more information about aggregate interfaces, see Layer 2—LAN Switching Configuration Guide. If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration •...

  • Page 90

    to specify the device name. For more information about this command, see Fundamentals Command Reference. If DHCP snooping and QinQ work together or the DHCP snooping device receives a DHCP packet • with two VLAN tags, and the normal or verbose padding format is adopted for Option 82, DHCP snooping fills the VLAN ID field of sub-option 1 with outer VLAN tag.inter VLAN tag.

  • Page 91: Configuring Dhcp Snooping Entries Backup

    Step Command Remarks • Configure the padding content for the circuit ID sub-option: dhcp-snooping information [ vlan Optional. vlan-id ] circuit-id string circuit-id By default: • Configure the padding content for the • The padding content for the circuit remote ID sub-option: Configure ID sub-option depends on the dhcp-snooping information [ vlan...

  • Page 92: Enabling Dhcp Starvation Attack Protection

    Enabling DHCP starvation attack protection A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources.

  • Page 93: Displaying And Maintaining Dhcp Snooping

    Step Command Remarks Enable DHCP-REQUEST message dhcp-snooping check request-message Disabled by default check. Displaying and maintaining DHCP snooping Task Command Remarks display dhcp-snooping [ ip ip-address ] Display DHCP snooping entries. [ | { begin | exclude | include } Available in any view regular-expression ] display dhcp-snooping information { all |...

  • Page 94: Dhcp Snooping Option 82 Support Configuration Example

    Figure 38 Network diagram Configuration procedure # Enable DHCP snooping. <SwitchB> system-view [SwitchB] dhcp-snooping # Specify Ethernet 1/0/1 as trusted. [SwitchB] interface Ethernet 1/0/1 [SwitchB-Ethernet1/0/1] dhcp-snooping trust [SwitchB-Ethernet1/0/1] quit DHCP snooping Option 82 support configuration example Network requirements As shown in Figure 38, enable DHCP snooping and Option 82 support on Switch B.

  • Page 95

    [SwitchB-Ethernet1/0/2] dhcp-snooping information circuit-id string company001 [SwitchB-Ethernet1/0/2] dhcp-snooping information remote-id string device001 [SwitchB-Ethernet1/0/2] quit # Configure Ethernet 1/0/3 to support Option 82. [SwitchB] interface Ethernet 1/0/3 [SwitchB-Ethernet1/0/3] dhcp-snooping information enable [SwitchB-Ethernet1/0/3] dhcp-snooping information strategy replace [SwitchB-Ethernet1/0/3] dhcp-snooping information format verbose node-identifier sysname [SwitchB-Ethernet1/0/3] dhcp-snooping information circuit-id format-type ascii [SwitchB-Ethernet1/0/3] dhcp-snooping information remote-id format-type ascii...

  • Page 96: Configuring Bootp Client

    Configuring BOOTP client Overview BOOTP application After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get information (such as IP address) from the BOOTP server. To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server.

  • Page 97: Configuring An Interface To Dynamically Obtain An Ip Address Through Bootp

    Configuring an interface to dynamically obtain an IP address through BOOTP Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Configure an interface to By default, an interface does not use dynamically obtain an IP address ip address bootp-alloc BOOTP to obtain an IP address.

  • Page 98: Configuring Ipv4 Dns

    Configuring IPv4 DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic.

  • Page 99: Dns Proxy

    Dynamic domain name resolution allows the DNS client to store latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query next time. The aged mappings are removed from the cache after some time, and latest entries are required from the DNS server.

  • Page 100: Dns Spoofing

    A DNS proxy operates as follows: A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request.

  • Page 101: Configuring The Ipv4 Dns Client

    The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address. Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. If no match is found and the device does know the DNS server address, the device spoofs the host by replying a configured IP address.

  • Page 102: Configuring The Dns Proxy

    Configuration restrictions and guidelines You can configure up to six DNS servers, including those with IPv6 addresses, in system view, and • up to six DNS servers on all interfaces of a device. A DNS server configured in system view has a higher priority than one configured in interface view. •...

  • Page 103: Configuring Dns Spoofing

    Step Command Remarks • (Method 1) In system view: dns server ip-address Use at least one method. • (Method 2) In interface view: Specify a DNS server. No DNS server is specified by interface interface-type default. interface-number dns server ip-address Configuring DNS spoofing DNS spoofing is effective only when: •...

  • Page 104: Displaying And Maintaining Ipv4 Dns

    Step Command Remarks Enter system view. system-view By default, no source interface for DNS packets is specified. The Set the DSCP value for DNS dns source-interface device uses the primary IP packets. interface-type interface-number address of the output interface of the matching route as the source IP address of a DNS request.

  • Page 105

    Configuration procedure # Configure a mapping between host name host.com and IP address 10.1.1.2. <Sysname> system-view [Sysname] ip host host.com 10.1.1.2 # Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2. [Sysname] ping host.com PING host.com (10.1.1.2): data bytes, press CTRL_C to break...

  • Page 106

    Configuration procedure Before performing the following configuration, make sure the device and the host are accessible to each other via available routes, and that the IP addresses of the interfaces are configured as shown Figure This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.

  • Page 107

    Figure 45 Adding a host On the page that appears, enter host name host and IP address 3.1.1.1. Click Add Host. The mapping between the IP address and host name is created. Figure 46 Adding a mapping between domain name and IP address Configure the DNS client:...

  • Page 108

    # Enable dynamic domain name resolution. <Sysname> system-view [Sysname] dns resolve # Specify the DNS server 2.1.1.2. [Sysname] dns server 2.1.1.2 # Configure com as the name suffix. [Sysname] dns domain com Verifying the configuration # Use the ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1.

  • Page 109

    Figure 47 Network diagram Configuration procedure Before performing the following configuration, make sure Device A, the DNS server, and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure Configure the DNS server: This configuration may vary with different DNS servers.

  • Page 110: Troubleshooting Ipv4 Dns Configuration

    Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received...

  • Page 111: Configuring Irdp

    Configuring IRDP Overview As an extension of the Internet Control Message Protocol (ICMP), the ICMP Router Discovery Protocol (IRDP) enables hosts to discover the IP addresses of their neighboring routers and set their default routes. NOTE: The hosts in this chapter support IRDP. Background Before a host can send packets to another network, it must know the IP address of at least one router on the local subnet.

  • Page 112: Concepts

    This mechanism prevents the local link from being overloaded by a large number of RAs sent simultaneously from routers. HP recommends shortening the advertising interval on a link that suffers high packet loss rates. Destination address of RAs An RA uses either of the two destination IP addresses: broadcast address 255.255.255.255.

  • Page 113: Irdp Configuration Example

    Step Command Remarks interface interface-type The interface can be a Layer 3 Ethernet Enter interface view. interface-number port or VLAN interface. Enable IRDP on the ip irdp Disabled by default. interface. Optional. The preference defaults to 0. The specified preference applies to all Configure the preference of ip irdp preference advertised IP addresses, including the...

  • Page 114

    Figure 48 Network diagram Configuration procedure Configure Switch A: # Specify the IP address for VLAN-interface 100. <SwitchA> system-view [SwitchA] interface Vlan-interface 100 [SwitchA-Vlan-interface100] ip address 10.154.5.1 24 # Enable IRDP on VLAN-interface 100. [SwitchA-Vlan-interface100] ip irdp # Specify preference 1000 for the IP address of VLAN-interface 100. [SwitchA-Vlan-interface100] ip irdp preference 1000 # Configure the multicast address 224.0.0.1 as the destination IP address for RAs sent by VLAN-interface 100.

  • Page 115

    Verifying the configuration After enabling IRDP on Host A and Host B, display the routing table for the hosts (Host A for example). [HostA@localhost ~]$ netstat -rne Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.154.5.0 0.0.0.0 255.255.255.0 0 eth1...

  • Page 116: Optimizing Ip Performance

    Optimizing IP performance The term "interface" in this chapter collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide) —...

  • Page 117: Configuration Example

    Step Command Remarks Enter interface view. interface interface-type interface-number Enable the interface to forward ip forward-broadcast [ acl acl-number ] Disabled by default directed broadcasts. Configuration example Network requirements As shown in Figure 49, the host's interface and VLAN-interface 3 of the switch are on the same network segment (1.1.1.0/24).

  • Page 118: Configuring The Tcp Send/receive Buffer Size

    A router that fails to forward the packet because it exceeds the MTU on the outgoing interface discards the packet and returns an ICMP error message, which contains the MTU of the outgoing interface. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.

  • Page 119: Configuring Icmp To Send Error Packets

    synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is • received within the synwait timer interval, the TCP connection cannot be created. finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is •...

  • Page 120: Disadvantages Of Sending Icmp Error Packets

    If the device finds that the destination of a packet is not itself and the TTL field of the packet is 1, it will send a "TTL timeout" ICMP error message. When the device receives the first fragment of an IP datagram whose destination is the device itself, it starts a timer.

  • Page 121: Displaying And Maintaining Ip Performance Optimization

    Step Command Remarks • Enable sending ICMP redirect packets: ip redirects enable • Enable sending ICMP timeout packets: Enable sending ICMP error ip ttl-expires enable Disabled by default packets. • Enable sending ICMP destination unreachable packets: ip unreachables enable Displaying and maintaining IP performance optimization Task Command...

  • Page 122: Configuring Udp Helper

    Configuring UDP helper The term "interface" in this chapter collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide).

  • Page 123: Displaying And Maintaining Udp Helper

    Step Command Remarks Enable the forwarding of udp-helper port { port-number | dns | packets with the specified No UDP port number is specified netbios-ds | netbios-ns | tacacs | tftp UDP destination port by default. | time } numbers. interface interface-type Enter interface view.

  • Page 124

    [SwitchA] ip forward-broadcast # Enable UDP helper. [SwitchA] udp-helper enable # Enable the forwarding broadcast packets with the UDP destination port 55. [SwitchA] udp-helper port 55 # Specify the destination server 10.2.1.1 on VLAN-interface 1 in public network. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.110.1.1 16 [SwitchA-Vlan-interface1] udp-helper server 10.2.1.1...

  • Page 125: Configuring Ipv6 Basics

    Configuring IPv6 basics The term "interface" in this chapter collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide).

  • Page 126: Ipv6 Addresses

    Address autoconfiguration To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration. Stateful address autoconfiguration enables a host to acquire an IPv6 address and other • configuration information from a server (for example, a DHCP server). • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.

  • Page 127

    An IPv6 address consists of an address prefix and an interface ID, both of which are equivalent to the network ID and the host ID of an IPv4 address, respectively. An IPv6 address prefix is written in IPv6-address/prefix-length notation where the IPv6-address is represented in any of the formats previously mentioned and the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address comprises the address prefix.

  • Page 128

    A loopback address is 0:0:0:0:0:0:0:1 (or ::1). It cannot be assigned to any physical interface and • can be used by a node to send an IPv6 packet to itself in the same way as the loopback address in IPv4. An unspecified address is 0:0:0:0:0:0:0:0 (or ::).

  • Page 129: Ipv6 Neighbor Discovery Protocol

    Figure 52 Converting a MAC address into an EUI-64 address-based interface identifier On a tunnel interface • The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros.

  • Page 130

    Address resolution This function is similar to the ARP function in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA message exchanges. Figure 53 shows how Host A acquires the link-layer address of Host B on a single link. Figure 53 Address resolution The address resolution operates in the following steps: Host A multicasts an NS message.

  • Page 131: Ipv6 Path Mtu Discovery

    Host A sends an NS message whose source address is the unspecified address and whose destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the IPv6 address. If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6 address of Host B.

  • Page 132: Ipv6 Transition Technologies

    Figure 55 Path MTU discovery process The source host compares its MTU with the packet to be sent, performs necessary fragmentation, and sends the resulting packet to the destination host. If the MTU supported by a forwarding interface is smaller than the packet, the device discards the packet and returns an ICMPv6 error packet containing the interface MTU to the source host.

  • Page 133: Ipv6 Basics Configuration Task List

    RFC 2460, Internet Protocol, Version 6 (IPv6) Specification • RFC 2464, Transmission of IPv6 Packets over Ethernet Networks • • RFC 2526, Reserved IPv6 Subnet Anycast Addresses RFC 2894, Router Renumbering for IPv6 • RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses •...

  • Page 134: Configuring Basic Ipv6 Functions

    Configuring basic IPv6 functions Enabling IPv6 Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface cannot forward IPv6 packets even if it has an IPv6 address configured. To enable IPv6: Step Command Remarks Enter system view. system-view Enable IPv6.

  • Page 135

    Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number ipv6 address { ipv6-address Configure an IPv6 address By default, no IPv6 global unicast prefix-length | manually. address is configured on an interface. ipv6-address/prefix-length } Stateless address autoconfiguration To configure an interface to generate an IPv6 address by using stateless address autoconfiguration: Step Command...

  • Page 136: Configuring An Ipv6 Link-local Address

    The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (which is a random number ranging 0 to 600, in seconds). The valid lifetime of a temporary IPv6 address takes the value of the smaller of the following values: • The valid lifetime of the address prefix.

  • Page 137: Configure An Ipv6 Anycast Address

    Step Command Remarks Optional. By default, no link-local address is Configure the interface to configured on an interface. automatically generate an ipv6 address auto link-local After an IPv6 global unicast address is IPv6 link-local address. configured on the interface, a link-local address is generated automatically.

  • Page 138: Configuring Ipv6 Nd

    Step Command Remarks Optional. Configure an IPv6 anycast ipv6 address By default, no IPv6 anycast address. ipv6-address/prefix-length anycast address is configured on an interface. Configuring IPv6 ND Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry.

  • Page 139: Setting The Age Timer For Nd Entries In Stale State

    Configure the maximum dynamically learned. A Layer 3 number of neighbors ipv6 neighbors max-learning-num interface on the HP 3600 v2 EI dynamically learned by an number switch series can learn up to 4096 interface.

  • Page 140

    Parameters Description Prefix Information After receiving the prefix information, the hosts on the same link can perform options stateless autoconfiguration. Make sure that all nodes on a link use the same MTU value. Determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses.

  • Page 141

    Step Command Remarks Optional. Configure the hop limit. ipv6 nd hop-limit value 64 by default. interface interface-type Enter interface view. interface-number Optional. By default, no prefix information is ipv6 nd ra prefix { ipv6-prefix configured for RA messages, and the Configure the prefix prefix-length | IPv6 address of the interface sending RA...

  • Page 142: Configuring The Maximum Number Of Attempts To Send An Ns Message For Dad

    Configuring the maximum number of attempts to send an NS message for DAD An interface sends an NS message for DAD after acquiring an IPv6 address. If the interface does not receive a response within a specific time (determined by the ipv6 nd ns retrans-timer command), it continues to send an NS message.

  • Page 143

    If neither of them matches the entry and the received packet is a DAD NS message, the message is ignored. If neither of them matches the entry and the received packet is not a DAD NS message, the device performs active acknowledgement. The active acknowledgement is performed in the following steps.

  • Page 144: Enabling Nd Proxy

    Step Command Remarks Enter Layer 2 Ethernet port view/Layer 2 aggregate interface interface-type interface-number interface view. Optional. Configure the maximum By default, the number of number of ND snooping ipv6 nd snooping max-learning-num number ND snooping entries an entries the interface can interface can learn is learn.

  • Page 145

    Figure 57 Application environment of local ND proxy Switch A Vlan-int2 4:3::100/16 VLAN 2 port-isolate group Eth1/0/2 Eth1/0/3 Eth1/0/1 Switch B Host B Host A 4:2::100/16 4:1::100/16 Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address.

  • Page 146: Configuring Path Mtu Discovery

    Configuring path MTU discovery Configuring a static path MTU for a specific IPv6 address You can configure a static path MTU for a specific destination IPv6 address. When a source host sends a packet through an interface, it compares the interface MTU with the static path MTU of the specified destination IPv6 address.

  • Page 147: Configuring Icmpv6 Packet Sending

    Step Command Remarks Enter system view. system-view Optional. tcp ipv6 timer syn-timeout Set the synwait timer. wait-time 75 seconds by default. Optional. Set the finwait timer. tcp ipv6 timer fin-timeout wait-time 675 seconds by default. Optional. Set the size of the IPv6 TCP tcp ipv6 window size sending/receiving buffer.

  • Page 148: Enabling Sending Icmpv6 Time Exceeded Messages

    To enable replying to multicast echo requests: Step Command Remarks Enter system view. system-view Enable replying to multicast ipv6 icmpv6 multicast-echo-reply Not enabled by default echo requests. enable Enabling sending ICMPv6 time exceeded messages A device sends out an ICMPv6 Time Exceeded message in the following situations: If a received IPv6 packet's destination IP address is not a local address and its hop limit is 1, the •...

  • Page 149: Displaying And Maintaining Ipv6 Basics Configuration

    If an attacker sends abnormal traffic that causes the device to generate ICMPv6 destination unreachable messages, end users may be affected. To prevent such attacks, you can disable the device from sending ICMPv6 destination unreachable messages. To enable sending ICMPv6 destination unreachable messages: Step Command Remarks...

  • Page 150: Ipv6 Basics Configuration Example

    Task Command Remarks Display the statistics of IPv6 display ipv6 statistics [ slot slot-number ] [ | { begin Available in any view packets and ICMPv6 packets. | exclude | include } regular-expression ] Display the IPv6 TCP connection display tcp ipv6 statistics [ | { begin | exclude | Available in any view statistics.

  • Page 151

    The VLAN interfaces have been created on the switch. Configuration procedure Configure Switch A: # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Specify a global unicast address for VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ipv6 address 3001::1/64 [SwitchA-Vlan-interface2] quit # Specify a global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).

  • Page 152

    5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/3/9 ms # Display neighbor information about Ethernet 1/0/2 on Switch A. [SwitchA] display ipv6 neighbors interface Ethernet 1/0/2 Type: S-Static D-Dynamic IPv6 Address Link-layer Interface State T Age FE80::215:E9FF:FEA6:7D14 0015-e9a6-7d14 Eth1/0/1...

  • Page 153

    OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA] display ipv6 interface vlan-interface 1 Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es): FF02::1:FF00:0 FF02::1:FF00:1...

  • Page 154

    OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. All the IPv6 global unicast addresses configured on the interface are displayed. [SwitchB] display ipv6 interface vlan-interface 2 Vlan-interface2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234...

  • Page 155: Troubleshooting Ipv6 Basics Configuration

    InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on the host, and ping Switch A and the host on Switch B to verify that they are connected. IMPORTANT: When you ping a link-local address, you should use the -i parameter to specify an interface for the link-local address.

  • Page 156: Solution

    Solution Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled. Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.

  • Page 157: Dhcpv6 Overview

    DHCPv6 overview Hardware compatibility Introduction to DHCPv6 The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) was designed based on IPv6 addressing scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. Compared with other IPv6 address allocation methods (such as manual configuration and stateless address autoconfiguration), DHCPv6 can: •...

  • Page 158: Address/prefix Lease Renewal

    Figure 60 Assignment involving four messages The assignment involving four messages operates in the following steps: The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters. If the Solicit message does not contain a Rapid Commit option, or if the DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option, the DHCPv6 server responds with an Advertise message, informing the DHCPv6 client of the assignable address/prefix and other configuration parameters.

  • Page 159: Configuring Stateless Dhcpv6

    If the DHCPv6 client receives no response from the DHCPv6 servers, the client stops using the address/prefix when the valid lifetime expires. For more information about the valid lifetime and the preferred lifetime, see "Configuring IPv6 basics." Figure 62 Using the Rebind message for address/prefix lease renewal Configuring stateless DHCPv6 After obtaining an IPv6 address/prefix, a device can use stateless DHCPv6 to obtain other configuration parameters from a DHCPv6 server.

  • Page 160

    parameters. If not, the client ignores the configuration parameters. If multiple replies are received, the first received reply will be used. Protocols and standards RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6 • RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6) •...

  • Page 161: Configuring Dhcpv6 Server

    Configuring DHCPv6 server Overview As shown in Figure 64, the DHCPv6 server assigns the DHCPv6 client an IPv6 prefix to facilitate IPv6 address management and network configuration. After obtaining the IPv6 prefix, the DHCPv6 client sends an RA message containing the prefix information to the subnet where it resides, so that hosts on the subnet can automatically configure their IPv6 addresses by using the prefix.

  • Page 162: Prefix Selection Process

    A DUID based on link-layer address (DUID-LL) defined in RFC 3315 is used to identify a DHCPv6 device. Figure 65 shows the DUID-LL format, where: DUID type—The device supports DUID-LL as the DUID type with the value of 0x0003. • •...

  • Page 163: Enabling The Dhcpv6 Server

    Enabling the DHCPv6 server Step Command Remarks Enter system view. system-view Enable the DHCPv6 server ipv6 dhcp server enable Disabled by default function. Creating a prefix pool A prefix pool specifies a range of prefixes. To create a prefix pool: Step Command Remarks...

  • Page 164: Applying The Address Pool To An Interface

    Step Command Remarks • Configure a static prefix: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime Use either command. valid-lifetime valid-lifetime ] Configure a DHCPv6 address No prefix is specified by pool. • Apply a prefix pool to the address default.

  • Page 165: Setting The Dscp Value For Dhcpv6 Packets

    Setting the DSCP value for DHCPv6 packets An IPv6 packet header contains an 8-bit Traffic class field. This field identifies the service type of IPv6 packets. As defined in RFC 2474, the first six bits set the Differentiated Services Code Point (DSCP) value, and the last two bits are reserved.

  • Page 166: Dhcpv6 Server Configuration Example

    DHCPv6 server configuration example Network requirements As shown in Figure 66, the switch serves as a DHCPv6 server, and assigns the IPv6 prefix, DNS server address, domain name, SIP server address, and SIP server domain name to the DHCPv6 clients. The IPv6 address of the switch is 1::1/64.

  • Page 167

    [Switch-Vlan-interface2] quit # Create and configure prefix pool 1. [Switch] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48 # Create address pool 1. [Switch] ipv6 dhcp pool 1 # Apply prefix pool 1 to address pool 1, and set the preferred lifetime to one day, the valid lifetime to three days.

  • Page 168

    Domain name: aaa.com SIP server address: 2:2::4 SIP server domain name: bbb.com # Display information about prefix pool 1. [Switch-Vlan-interface2] display ipv6 dhcp prefix-pool 1 Prefix: 2001:410::/32 Assigned length: 48 Total prefix number: 65536 Available: 65535 In-use: 0 Static: 1 # After the client whose DUID is 00030001CA0006A40000 obtains an IPv6 prefix, display the PD information on the DHCPv6 server.

  • Page 169: Configuring Dhcpv6 Relay Agent

    Configuring DHCPv6 relay agent Overview A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 67, if the DHCPv6 server resides on another subnet, the DHCPv6 client can contact the server via a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.

  • Page 170: Configuring The Dhcpv6 Relay Agent

    DHCPv6 relay agent is disabled on the interface. An interface cannot serve as a DHCPv6 relay agent and DHCPv6 server at the same time. • HP does not recommend enabling the DHCPv6 relay agent and DHCPv6 client on the same • interface...

  • Page 171

    Step Command Remarks By default, DHCPv6 relay Enable DHCPv6 relay agent ipv6 dhcp relay server-address agent is disabled and no on the interface and specify a ipv6-address [ interface interface-type DHCPv6 server is specified on DHCPv6 server. interface-number ] the interface. Setting the DSCP value for DHCPv6 packets An IPv6 packet header contains an 8-bit Traffic class field.

  • Page 172

    Switch A acts as the gateway of network 1::/64. It sends RA messages to notify the hosts to obtain IPv6 addresses and other configuration parameters through DHCPv6. Figure 69 Network diagram Configuration procedure Configure Switch A as a DHCPv6 relay agent: # Enable the IPv6 packet forwarding function.

  • Page 173

    Error Excess of rate limit Packets received SOLICIT REQUEST CONFIRM RENEW REBIND RELEASE DECLINE INFORMATION-REQUEST RELAY-FORWARD RELAY-REPLY Packets sent ADVERTISE RECONFIGURE REPLY RELAY-FORWARD RELAY-REPLY...

  • Page 174: Configuring Dhcpv6 Client

    For more information about the ipv6 address auto command, see the Layer 3—IP Services Command Reference. HP does not recommend enabling the DHCPv6 client and DHCPv6 server, or the DHCPv6 client • and DHCPv6 relay agent on the same interface at the same time.

  • Page 175: Displaying And Maintaining The Dhcpv6 Client

    Step Command Remarks Enter system view. system-view Optional. Set the DSCP value for the DHCPv6 ipv6 dhcp client dscp By default, the DSCP value in packets sent by the DHCPv6 client. dscp-value DHCPv6 packets is 56. Displaying and maintaining the DHCPv6 client Task Command Remarks...

  • Page 176

    [SwitchB] ipv6 # Configure the IPv6 address of VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ipv6 address 1::1 64 # Set the O flag in the RA messages to 1. [SwitchB-Vlan-interface2] ipv6 nd autoconfig other-flag # Enable Switch B to send RA messages. [SwitchB-Vlan-interface2] undo ipv6 nd ra halt Configure Switch A: # Enable the IPv6 packet forwarding function.

  • Page 177

    Confirm Renew Rebind Information-request Release Decline...

  • Page 178: Configuring Dhcpv6 Snooping

    Configuring DHCPv6 snooping A DHCPv6 snooping device does not work if it is between a DHCPv6 relay agent and a DHCPv6 server. The DHCPv6 snooping device works when it is between a DHCPv6 client and a DHCPv6 relay agent or between a DHCPv6 client and a DHCPv6 server.

  • Page 179: Recording Ip-to-mac Mappings Of Dhcpv6 Clients

    that they do not forward reply messages from any DHCPv6 servers. This ensures that the DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server only. As shown in Figure 71, configure the port that connects to the DHCPv6 server as a trusted port, and other ports as untrusted.

  • Page 180: Configuring The Maximum Number Of Dhcpv6 Snooping Entries An Interface Can Learn

    Step Command Remarks interface interface-type Enter interface view. interface-number By default, all ports of the device Configure the port as trusted. with DHCPv6 snooping globally ipv6 dhcp snooping trust enabled are untrusted. Configuring the maximum number of DHCPv6 snooping entries an interface can learn Perform this optional task to prevent an interface from learning too many DHCPv6 snooping entries and to save system resources.

  • Page 181: Displaying And Maintaining Dhcpv6 Snooping

    Figure 73 Option 37 format The Second Vlan field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 18 or Option 37 also does not contain it. To configure DHCPv6 Snooping to support Option 18 and Option 37: Step Command Remarks...

  • Page 182: Dhcpv6 Snooping Configuration Example

    Task Command Remarks Clear DHCPv6 snooping reset ipv6 dhcp snooping user-binding Available in user view entries. { ipv6-address | dynamic } DHCPv6 snooping configuration example Network requirements As shown in Figure 74, Switch is connected to a DHCPv6 server through Ethernet 1/0/1, and is connected to DHCPv6 clients through Ethernet 1/0/2 and Ethernet 1/0/3.

  • Page 183

    Verifying the configuration Connect Ethernet 1/0/2 to a DHCPv6 client, Ethernet 1/0/1 to a DHCPv6 server, and Ethernet 1/0/3 to an unauthorized DHCPv6 server. The DHCPv6 client obtains an IPv6 address from DHCPv6 server, but cannot obtain any IPv6 address from the unauthorized DHCPv6 server. You can use the display ipv6 dhcp snooping user-binding command to view the DHCPv6 snooping entries on Switch.

  • Page 184: Configuring Ipv6 Dns

    Configuring IPv6 DNS Overview IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS.

  • Page 185: Setting The Dscp Value For Ipv6 Dns Packets

    Step Command Remarks Enter system view. system-view Enable dynamic domain name dns resolve Disabled by default. resolution. Not specified by default. If the IPv6 address of a DNS server is a dns server ipv6 ipv6-address Specify a DNS server. link-local address, you must specify the [ interface-type interface-number ] interface-type and interface-number arguments.

  • Page 186: Static Domain Name Resolution Configuration Example

    Static domain name resolution configuration example Network requirements As shown in Figure 75, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the device so that the device can use the domain name host.com to access the host whose IPv6 address is 1::2.

  • Page 187: Dynamic Domain Name Resolution Configuration Example

    Dynamic domain name resolution configuration example Network requirements As shown in Figure 76, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. The IPv6 address of the DNS server is 2::2/64 and the server has a com domain, which stores the mapping between domain name host and IPv6 address 1::1/64.

  • Page 188

    Figure 77 Creating a zone On the DNS server configuration page, right-click zone com and select Other New Records. Figure 78 Creating a record On the page that appears, select IPv6 Host (AAAA) as the resource record type, and click Create Record.

  • Page 189

    Figure 79 Selecting the resource record type On the page that appears, enter host name host and IPv6 address 1::1. Click OK. The mapping between the IP address and host name is created.

  • Page 190

    Figure 80 Adding a mapping between domain name and IPv6 address Configure the DNS client: # Enable dynamic domain name resolution. <Device> system-view [Device] dns resolve # Specify the DNS server 2::2. [Device] dns server ipv6 2::2 # Configure com as the DNS suffix. [Device] dns domain com Verifying the configuration # Use the ping ipv6 host command on the device to verify that the communication between the device...

  • Page 191

    bytes=56 Sequence=2 hop limit=126 time = 1 ms Reply from 1::1 bytes=56 Sequence=3 hop limit=126 time = 1 ms Reply from 1::1 bytes=56 Sequence=4 hop limit=126 time = 1 ms Reply from 1::1 bytes=56 Sequence=5 hop limit=126 time = 1 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received...

  • Page 192: Configuring Tunneling

    Configuring tunneling Overview Tunneling is an encapsulation technology: one network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated and de-encapsulated at both ends of a tunnel. Tunneling refers to the whole process from data encapsulation to data transfer to data de-encapsulation.

  • Page 193

    After determining from the routing table that the packet needs to be forwarded through the tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel. Upon receiving the packet, Device B de-encapsulates the packet. Device B forwards the packet according to the destination address in the de-encapsulated IPv6 packet.

  • Page 194: Ipv4 Over Ipv4 Tunneling

    notation. For example, 1.1.1.1 can be represented by 0101:0101. The part that follows 2002:abcd:efgh uniquely identifies a host in a 6to4 network. The tunnel destination is automatically determined by the embedded IPv4 address, which makes it easy to create a 6to4 tunnel.

  • Page 195: Ipv4 Over Ipv6 Tunneling

    Figure 84 Principle of IPv4 over IPv4 tunneling Packets traveling through a tunnel undergo encapsulation and de-encapsulation processes, as shown Figure Encapsulation • The encapsulation follows these steps. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. The IP protocol stack determines how to forward the packet according to the destination address in the IP header.

  • Page 196: Ipv6 Over Ipv6 Tunneling

    Figure 85 Principle of IPv4 over IPv6 tunneling The encapsulation and de-encapsulation processes illustrated in Figure 85 are described as follows: Encapsulation • Upon receiving a packet from the attached IPv4 network, Device A examines the destination address of the packet and determines the outgoing interface. If the packet is destined for the IPv4 network attached to Device B, Device A delivers the packet to the tunnel interface pointed to Device B.

  • Page 197

    Figure 86 shows the encapsulation and de-encapsulation processes. Encapsulation • After receiving the IPv6 packet, the interface of Device A connecting private network A submits it to the IPv6 module for processing. The IPv6 module then determines how to forward the packet.

  • Page 198: Configuring A Tunnel Interface

    Configuring a tunnel interface Configure a Layer 3 virtual tunnel interface on each device on a tunnel so that devices at both ends can send, identify, and process packets from the tunnel. Configuration guidelines Follow these guidelines when you configure a tunnel interface: •...

  • Page 199: Configuring An Ipv6 Manual Tunnel

    Step Command Remarks Optional. The default MTU of the tunnel interface depends on the status of the interface. • If the tunnel interface is down, the default MTU is 64000 bytes. • If the tunnel interface is up, the default MTU is automatically generated.

  • Page 200

    Configuration procedure To configure an IPv6 manual tunnel: Step Command Remarks Enter system view. system-view By default, the IPv6 packet Enable IPv6. ipv6 forwarding function is disabled. Enter tunnel interface interface tunnel number view. • Configure a global unicast IPv6 The link-local IPv6 address address or a site-local address: configuration is optional.

  • Page 201

    Figure 87 Network diagram Configuration procedure Before configuring an IPv6 manual tunnel, make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach to each other. Configure Switch A: • # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Specify an IPv4 address for VLAN-interface 100.

  • Page 202

    Configure Switch B • # Enable IPv6. <SwitchB> system-view [SwitchB] ipv6 # Specify an IPv4 address for VLAN-interface 100. [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ip address 192.168.50.1 255.255.255.0 [SwitchB-Vlan-interface100] quit # Specify an IPv6 address for VLAN-interface 101. [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ipv6 address 3003::1 64 [SwitchB-Vlan-interface101] quit # Create service loopback group 1 to support the tunnel service.

  • Page 203

    MTU is 1480 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: [SwitchB] display ipv6 interface tunnel 0 Tunnel0 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::C0A8:3201 Global unicast address(es): 3001::2, subnet is 3001::/64...

  • Page 204: Configuring A 6to4 Tunnel

    Configuring a 6to4 tunnel Configuration prerequisites Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) on the device to ensure normal communication. One of the interfaces will be used as the source interface of the tunnel. Configuration guidelines Follow these guidelines when you configure a 6to4 tunnel: Specify a public address or interface as the source address or interface for the tunnel.

  • Page 205

    Step Command Remarks GRE over IPv4 tunnel by default. Specify the 6to4 tunnel The same tunnel mode should be tunnel-protocol ipv6-ipv4 6to4 mode. configured at both ends of the tunnel. Otherwise, packet delivery will fail. Configure a source source { ip-address | interface-type By default, no source address or address or interface for interface-number }...

  • Page 206

    Configure Switch A: • # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Specify an IPv4 address for VLAN-interface 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ip address 2.1.1.1 24 [SwitchA-Vlan-interface100] quit # Specify an IPv6 address for VLAN-interface 101. [SwitchA] interface vlan-interface 101 [SwitchA-Vlan-interface101] ipv6 address 2002:0201:0101:1::1/64 [SwitchA-Vlan-interface101] quit # Create service loopback group 1 to support the tunnel service.

  • Page 207: Configuring An Isatap Tunnel

    [SwitchB] service-loopback group 1 type tunnel # Assign Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the interface. [SwitchB] interface Ethernet 1/0/3 [SwitchB-Ethernet1/0/3] undo stp enable [SwitchB-Ethernet1/0/3] undo ndp enable [SwitchB-Ethernet1/0/3] undo lldp enable [SwitchB-Ethernet1/0/3] port service-loopback group 1 [SwitchB-Ethernet1/0/3] quit # Configure the 6to4 tunnel.

  • Page 208

    Configuration guidelines Follow these guidelines when you configure an ISATAP tunnel: Specify a public address or interface as the source address or interface for the tunnel. • No destination address needs to be configured for an ISATAP tunnel. The destination address of the •...

  • Page 209

    Step Command Remarks Enable dropping of IPv6 Optional. packets using tunnel discard IPv4-compatible IPv6 ipv4-compatible-packet Disabled by default. addresses. Configuration example Network requirements As shown in Figure 89, an IPv6 network is connected to an IPv4 network through an ISATAP switch. IPv6 hosts reside in the IPv4 network.

  • Page 210

    [Switch-Ethernet1/0/3] port service-loopback group 1 [Switch-Ethernet1/0/3] quit # Configure an ISATAP tunnel. [Switch] interface tunnel 0 [Switch-Tunnel0] ipv6 address 2001::5efe:0101:0101 64 [Switch-Tunnel0] source vlan-interface 101 [Switch-Tunnel0] tunnel-protocol ipv6-ipv4 isatap # Disable the RA suppression so that hosts can acquire information such as the address prefix from the RA message released by the ISATAP switch.

  • Page 211: Configuring An Ipv4 Over Ipv4 Tunnel

    uses Router Discovery routing preference 1 EUI-64 embedded IPv4 address: 2.1.1.2 router link-layer address: 1.1.1.1 preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public) preferred link-local fe80::5efe:2.1.1.2, life infinite link MTU 1500 (true link MTU 65515) current hop limit 255 reachable time 42500ms (base 30000ms) retransmission interval 1000ms DAD transmits 0 default site prefix length 48...

  • Page 212

    destination IPv4 address, specify this tunnel interface as the outbound interface, or the peer tunnel interface address as the next hop. A similar configuration is required at the other tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing protocol on both tunnel interfaces.

  • Page 213

    Figure 90 Network diagram Configuration procedure Before configuring an IPv4 over IPv4 tunnel, make sure Switch A and Switch B have the corresponding VLAN interfaces created and are reachable to each other. Configure Switch A: • # Specify an IPv4 address for VLAN-interface 100. <SwitchA>...

  • Page 214

    [SwitchA-Tunnel1] service-loopback-group 1 [SwitchA-Tunnel1] quit # Configure a static route from Switch through interface Tunnel 1 to Group 2. [SwitchA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1 • Configure Switch B: # Specify an IPv4 address for VLAN-interface 100. <SwitchB> system-view [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ip address 10.1.3.1 255.255.255.0 [SwitchB-Vlan-interface100] quit...

  • Page 215

    Description: Tunnel1 Interface The Maximum Transmit Unit is 1480 Internet Address is 10.1.2.1/24 Primary Encapsulation is TUNNEL, service-loopback-group ID is 1. Tunnel source 2.1.1.1(Vlan-interface101), destination 3.1.1.1 Tunnel bandwidth 64 (kbps) Tunnel protocol/transport IP/IP Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0 Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0...

  • Page 216: Configuring An Ipv4 Over Ipv6 Tunnel

    5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 15/15/16 ms Configuring an IPv4 over IPv6 tunnel Configuration prerequisites Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) on the device to ensure normal communication. One of the interfaces will be used as the source interface of the tunnel. Configuration guidelines Follow these guidelines when you configure an IPv4 over IPv6 tunnel: Specify public addresses or interfaces as the source end destination addresses or interfaces.

  • Page 217

    Step Command Remarks Configure the source source { ipv6-address | By default, no source address or interface address or interface for interface-type interface-number } is configured for the tunnel. the tunnel interface. Configure the By default, no destination address is destination address for destination ipv6-address configured for the tunnel.

  • Page 218

    [SwitchA-Ethernet1/0/3] undo lldp enable [SwitchA-Ethernet1/0/3] port service-loopback group 1 [SwitchA-Ethernet1/0/3] quit # Create interface Tunnel 1. [SwitchA] interface tunnel 1 # Specify an IPv4 address for interface Tunnel 1. [SwitchA-Tunnel1] ip address 30.1.2.1 255.255.255.0 # Configure the tunnel encapsulation mode. [SwitchA-Tunnel1] tunnel-protocol ipv4-ipv6 # Specify the IP address of VLAN-interface 101 as the source address for interface Tunnel 1.

  • Page 219: Interface Tunnel

    # Configure the tunnel encapsulation mode. [SwitchB-Tunnel2] tunnel-protocol ipv4-ipv6 # Specify the IP address of VLAN-interface 101 as the source address for interface Tunnel 2. [SwitchB-Tunnel2] source 2002::2:1 # Specify the IP address of VLAN-interface 101 on Switch A as the destination address for interface Tunnel 2.

  • Page 220: Configuring An Ipv6 Over Ipv6 Tunnel

    Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0 Last clearing of counters: Never Last 300 seconds input: 1 bytes/sec, 0 packets/sec Last 300 seconds output: 1 bytes/sec, 0 packets/sec 167 packets input, 10688 bytes 0 input error 170 packets output, 10880 bytes 0 output error # Ping the IPv4 address of the peer interface VLAN-interface 100 from Switch A.

  • Page 221

    If you specify a source interface instead of a source address for the tunnel, the source address of the • tunnel is the primary IP address of the source interface. Configuration procedure To configure an IPv6 over IPv6 tunnel: Step Command Remarks Enter system view.

  • Page 222

    Configuration example Network requirements As shown in Figure 92, the two subnets Group 1 and Group 2 running IPv6 are connected through an IPv6 network. Configure an IPv6 over IPv6 tunnel between Switch A and Switch B to make the two subnets reachable to each other without disclosing their IPv6 addresses to the IPv6 network.

  • Page 223

    # Configure the tunnel encapsulation mode. [SwitchA-Tunnel1] tunnel-protocol ipv6-ipv6 # Specify the IP address of VLAN-interface 101 as the source address for interface Tunnel 1. [SwitchA-Tunnel1] source 2001::11:1 # Specify the IP address of VLAN-interface 101 on Switch B as the destination address for interface Tunnel 1.

  • Page 224

    # Reference service loopback group 1 on the tunnel. [SwitchB-Tunnel2] service-loopback-group 1 [SwitchB-Tunnel2] quit # Configure a static route from Switch B through interface Tunnel 2 to Group 1. [SwitchB] ipv6 route-static 2002:1:: 64 tunnel 2 Verifying the configuration Display the status of the tunnel interfaces on Switch A and Switch B. [SwitchA] display ipv6 interface tunnel 1 Tunnel1 current state :UP Line protocol current state :UP...

  • Page 225: Displaying And Maintaining Tunneling Configuration

    bytes=56 Sequence=1 hop limit=64 time = 31 ms Reply from 2002:3::1 bytes=56 Sequence=2 hop limit=64 time = 1 ms Reply from 2002:3::1 bytes=56 Sequence=3 hop limit=64 time = 16 ms Reply from 2002:3::1 bytes=56 Sequence=4 hop limit=64 time = 16 ms Reply from 2002:3::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms...

  • Page 226

    reachable. If no routing entry is available for tunnel communication in the routing table, configure related routes.

  • Page 227: Configuring Gre

    Configuring GRE Overview Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). The path that transfers the encapsulated packets is referred to as a GRE tunnel. A GER tunnel is a virtual point-to-point (P2P) connection.

  • Page 228: Gre Encapsulation And De-encapsulation Processes

    GRE over IPv4—The transport protocol is IPv4, and the passenger protocol is any network layer • protocol. GRE over IPv6—The transport protocol is IPv6, and the passenger protocol is any network layer • protocol. GRE encapsulation and de-encapsulation processes Figure 95 X protocol networks interconnected through a GRE tunnel The following sections uses Figure 95 to describe how an X protocol packet traverses the IP network...

  • Page 229

    Protocols and standards RFC 1701, Generic Routing Encapsulation (GRE) • • RFC 1702, Generic Routing Encapsulation over IPv4 networks RFC 2784, Generic Routing Encapsulation (GRE) • Configuring a GRE over IPv4 tunnel Configuration prerequisites On each of the peer devices, configure an IP address for the interface to be used as the source •...

  • Page 230: Configuring A Gre Over Ipv6 Tunnel

    Step Command Remarks Configure an IPv4 address for ip address ip-address { mask | By default, a tunnel interface has the tunnel interface. mask-length } no IPv4 address. Optional. By default, the tunnel is a GRE over IPv4 tunnel. Set the tunnel mode to GRE tunnel-protocol gre You must configure the same tunnel over IPv4.

  • Page 231

    The source address and destination address of a tunnel uniquely identify a path. They must be • configured at both ends of the tunnel and the source address at one end must be the destination address at the other end and vice versa. The source address or interface and the destination address that are specified for the tunnel •...

  • Page 232: Displaying And Maintaining Gre

    Step Command Remarks Configure a route for packet Each end of the tunnel must have a See Layer 3—IP Routing forwarding through the route (static or dynamic) through Configuration Guide. tunnel. the tunnel to the other end. For information about commands interface tunnel, tunnel-protocol, source, destination, and tunnel discard ipv4-compatible-packet, see Layer 3—IP Services Command Reference.

  • Page 233

    # Configure an IPv4 address for interface Ethernet 1/0/1. <SwitchA> system-view [SwitchA] vlan 100 [SwitchA-vlan100] port Ethernet 1/0/1 [SwitchA-vlan100] quit [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0 [SwitchA-Vlan-interface100] quit # Configure an IPv4 address for interface Ethernet 1/0/2, the physical interface of the tunnel. [SwitchA] vlan 101 [SwitchA-vlan101] port Ethernet 1/0/2 [SwitchA-vlan101] quit...

  • Page 234

    [SwitchB-vlan100] port Ethernet 1/0/1 [SwitchB-vlan100] quit [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ip address 10.1.3.1 255.255.255.0 [SwitchB-Vlan-interface100] quit # Configure an IPv4 address for interface Ethernet 1/0/2, the physical interface of the tunnel. [SwitchB] vlan 101 [SwitchB-vlan101] port Ethernet 1/0/2 [SwitchB-vlan101] quit [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface101] quit...

  • Page 235

    Internet Address is 10.1.2.1/24 Primary Encapsulation is TUNNEL, service-loopback-group ID is 1. Tunnel source 1.1.1.1, destination 2.2.2.2 Tunnel bandwidth 64 (kbps) Tunnel protocol/transport GRE/IP GRE key disabled Checksumming of GRE packets disabled Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0 Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0 Output queue : (FIFO queuing : Size/Length/Discards)

  • Page 236: Gre Over Ipv6 Tunnel Configuration Example

    --- 10.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/2/2 ms GRE over IPv6 tunnel configuration example Network requirements Two IPv4 subnets Group 1 and Group 2 are connected to an IPv6 network. Create a GRE over IPv6 tunnel between Switch A and Switch B, so that the two IPv4 subnets can communicate with each other through the GRE tunnel over the IPv6 network.

  • Page 237

    # Add port Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the port. [SwitchA] interface Ethernet 1/0/3 [SwitchA-Ethernet1/0/3] undo stp enable [SwitchA-Ethernet1/0/3] undo ndp enable [SwitchA-Ethernet1/0/3] undo lldp enable [SwitchA-Ethernet1/0/3] port service-loopback group 1 [SwitchA-Ethernet1/0/3] quit # Create a tunnel interface Tunnel0.

  • Page 238

    # Add port Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the port. [SwitchB] interface Ethernet 1/0/3 [SwitchB-Ethernet1/0/3] undo stp enable [SwitchB-Ethernet1/0/3] undo ndp enable [SwitchB-Ethernet1/0/3] undo lldp enable [SwitchB-Ethernet1/0/3] port service-loopback group 1 [SwitchB-Ethernet1/0/3] quit # Create a tunnel interface Tunnel0.

  • Page 239: Troubleshooting Gre

    10 packets output, 840 bytes 0 output error [SwitchB] display interface Tunnel 0 Tunnel0 current state: UP Line protocol current state: UP Description: Tunnel0 Interface The Maximum Transmit Unit is 1456 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUNNEL, service-loopback-group ID is 1. Tunnel source 2001::2:1, destination 2002::1:1 Tunnel bandwidth 64 (kbps) Tunnel protocol/transport GRE/IPv6...

  • Page 240

    Figure 98 Network diagram Symptom The interfaces at both ends of the tunnel are configured correctly and can ping each other, but Host A and Host B cannot ping each other. Solution Execute the display ip routing-table command on Device A and Device C to view whether Device A has a route over tunnel 0 to 10.2.0.0/16 and whether Device C has a route over tunnel 0 to 10.1.0.0/16.

  • Page 241: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...

  • Page 242: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 243

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 244: Index

    Index A B C D E G H I O P S T U Configuring DHCP snooping entries backup,80 Configuring DHCP snooping to support Option 82,78 Address/prefix lease renewal,147 Configuring DHCPv6 snooping to support Option 18 Application environment of trusted ports,75 and Option 37,169...

  • Page 245

    DHCP relay agent configuration examples,67 Enabling common proxy ARP,15 DHCP relay agent configuration task list,60 Enabling DHCP,48 DHCP server configuration examples,53 Enabling DHCP,60 DHCP server configuration task list,39 Enabling DHCP starvation attack protection,81 DHCP snooping configuration examples,82 Enabling DHCP-REQUEST message attack protection,81 DHCP snooping configuration task list,77...

  • Page 246

    Overview,216 Setting the DSCP value for IPv6 DNS packets,174 Overview,1 1 Specifying the source interface for DNS packets,92 Overview,22 Specifying the threshold for sending trap messages,52 Overview,23 Stateless DHCPv6 configuration example,164 Overview,173 Static domain name resolution configuration example,93 Static domain name resolution configuration Protocols and standards,36 example,175...

Comments to this Manuals

Symbols: 0
Latest comments: