HPE 3100 48 v2 Switch
Layer 3—IP Services

Configuration Guide

Part number: 5998-7643R
Software version: Release 2111
Document version: 6W100-20160122


Summary of Contents for HPE 3100

  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Configuring ARP (p. 1); Overview (p. 1); ARP message format (p. 1); ARP operation (p. 1); ARP table (p. 2); Configuring a static ARP entry (p. 3); Configuring the maximum number of dynamic ARP entries for an interface (p. 3); ...
  • Page 4 DHCP overview (p. 25); DHCP address allocation (p. 25); Dynamic IP address allocation process (p. 25); IP address lease extension (p. 26); DHCP message format (p. 26); DHCP options (p. 27); Common DHCP options (p. 28); ...
  • Page 5 Enabling DHCP (p. 55); Enabling the DHCP relay agent on an interface (p. 55); Correlating a DHCP server group with a relay agent interface (p. 55); Configuration guidelines (p. 55); Configuration procedure (p. 56); Configuring the DHCP relay agent security functions ...
  • Page 6 Configuration restrictions (p. 79); Configuring an interface to dynamically obtain an IP address through BOOTP (p. 79); Displaying and maintaining BOOTP client configuration (p. 80); BOOTP client configuration example (p. 80); Network requirements (p. 80); ...
  • Page 7 Enabling forwarding of directed broadcasts to a directly connected network (p. 102); Configuration example (p. 103); Configuring TCP attributes (p. 103); Configuring TCP path MTU discovery (p. 103); Configuring the TCP send/receive buffer size (p. 104); ...
  • Page 8 Solution (p. 141); DHCPv6 overview (p. 142); Hardware compatibility (p. 142); Introduction to DHCPv6 (p. 142); DHCPv6 address/prefix assignment (p. 142); Rapid assignment involving two messages (p. 142); Assignment involving four messages (p. 142); ...
  • Page 9 Configuring a DHCPv6 snooping trusted port (p. 164); Configuring the maximum number of DHCPv6 snooping entries an interface can learn (p. 165); Configuring DHCPv6 snooping to support Option 18 and Option 37 (p. 165); Displaying and maintaining DHCPv6 snooping (p. 166); ...
  • Page 10 Configuration guidelines (p. 203); Configuration procedure (p. 203); Configuration example (p. 204); Displaying and maintaining tunneling configuration (p. 207); Troubleshooting tunneling configuration (p. 208); Symptom (p. 208); Solution (p. 208); Configuring GRE (p. 209); ...
  • Page 11: Configuring Arp

    Configuring ARP Overview The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC address, for example). In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address.
  • Page 12: ARP Table

    If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request using the following information:
    • Source IP address and source MAC address—Host A’s own IP address and the MAC address
    • Target IP address—Host B’s IP address
    • Target MAC address—An all-zero MAC address
    All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.
  • Page 13: Configuring A Static ARP Entry

    Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry. Static ARP entries can be classified into long and short ARP entries. • To configure a long static ARP entry, specify the IP address, MAC address, VLAN, and output interface.
  • Page 14: Setting The Aging Timer For Dynamic ARP Entries

    Step: Set the maximum number of dynamic ARP entries that the interface can learn.
    Command: arp max-learning-num number
    Remarks: A Layer 3 interface on the HPE 3100 48 v2 Switch can learn up to 2048 dynamic ARP entries. If the value of the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.
  • Page 15: Configuring Arp Quick Update

    Configuring ARP quick update Hewlett Packard Enterprise recommends you enable ARP quick update in WLAN networks only. As shown in Figure 3, the laptop frequently roams between AP 1 and AP 2. This affects the mapping between its MAC address and output interface on the switch. If the switch does not update its ARP table immediately after the output interface changes, it might fail to communicate with the laptop.
  • Page 16: Displaying And Maintaining ARP

    NOTE: Multicast ARP is applicable to only multicast-mode NLB.
    To configure multicast ARP:
    Step: Disable the ARP entry check function.
    Command: undo arp check enable
    Step: Configure a static ARP entry.
    Command: arp static ip-address mac-address vlan-id interface-type interface-number
    Remarks: Optional.
    Step: Configure a static multicast ...
    Command: mac-address multicast mac-address interface interface-list...
    Remarks: See IP Multicast Command ...
  • Page 17: Multicast ARP Configuration Example

    Figure 4 Network diagram
    Configuration procedure
    Configure the switch:
    # Create VLAN 10.
    <Switch> system-view
    [Switch] vlan 10
    [Switch-vlan10] quit
    # Add interface Ethernet 1/0/1 to VLAN 10.
    [Switch] interface Ethernet 1/0/1
    [Switch-Ethernet1/0/1] port link-type trunk
    [Switch-Ethernet1/0/1] port trunk permit vlan 10
    [Switch-Ethernet1/0/1] quit
    # Create interface VLAN-interface 10 and configure its IP address.
  • Page 18 • Add Ethernet 1/0/1 and Ethernet 1/0/4 into VLAN 2, and specify IP address 17.1.1.1/24 for VLAN-interface 2. • Specify 17.1.1.1/24 as the default gateway of Host A and Host B. • Specify 16.1.1.30/24 as the default gateway of Server A and Server B. •...
  • Page 19 • NLB redundancy—Disables the network interface card of Server A. Host A and Host B send requests to the virtual IP address and both log in to the FTP server on Server B.
  • Page 20: Configuring Gratuitous Arp

    Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: • Determine whether its IP address is already used by another device.
  • Page 21: Configuration Procedure

    • If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval. • The frequency of sending gratuitous ARP packets might be much lower than is expected if this function is enabled on multiple interfaces, if each interface is configured with multiple secondary IP addresses, or if a small sending interval is configured in such cases.
  • Page 22: Configuring Proxy Arp

    Configuring proxy ARP Overview Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network. Proxy ARP includes common proxy ARP and local proxy ARP.
  • Page 23: Enabling Common Proxy Arp

    Figure 7 Application environment of local proxy ARP Enable local proxy ARP in one of the following cases: • Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3. • If an isolate-user-VLAN is configured, hosts in different secondary VLANs of the isolate-user-VLAN need to communicate at Layer 3.
  • Page 24: Proxy ARP Configuration Examples

    Task: Display whether common proxy ARP is enabled.
    Command: display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
    Task: Display whether local proxy ARP is enabled.
    Command: display local-proxy-arp [ interface interface-type interface-number ] [ | { begin ...
    Remarks: Available in any view
  • Page 25: Local Proxy ARP Configuration Example In Case Of Port Isolation

    [Switch-Vlan-interface1] proxy-arp enable
    [Switch-Vlan-interface1] quit
    # Specify the IP address of interface VLAN-interface 2.
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
    # Enable proxy ARP on interface VLAN-interface 2.
    [Switch-Vlan-interface2] proxy-arp enable
    After completing the preceding configurations, use the ping command to verify the connectivity between Host A and Host D.
  • Page 26: Local Proxy ARP Configuration Example In Isolate-User-VLAN

    [SwitchB] interface Ethernet 1/0/1
    [SwitchB-Ethernet1/0/1] port-isolate enable
    [SwitchB-Ethernet1/0/1] quit
    Configure Switch A:
    # Create VLAN 2, and add Ethernet 1/0/2 to VLAN 2.
    <SwitchA> system-view
    [SwitchA] vlan 2
    [SwitchA-vlan2] port Ethernet 1/0/2
    [SwitchA-vlan2] quit
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0
    From Host A, ping Host B.
  • Page 27 and VLAN 2 and VLAN 3 as secondary VLANs. Configure the mappings between isolate-user-VLAN and the secondary VLANs.
    <SwitchB> system-view
    [SwitchB] vlan 2
    [SwitchB-vlan2] port Ethernet 1/0/3
    [SwitchB-vlan2] quit
    [SwitchB] vlan 3
    [SwitchB-vlan3] port Ethernet 1/0/1
    [SwitchB-vlan3] quit
    [SwitchB] vlan 5
    [SwitchB-vlan5] port Ethernet 1/0/2
    [SwitchB-vlan5] isolate-user-vlan enable
    [SwitchB-vlan5] quit...
  • Page 28: Configuring Arp Snooping

    Configuring ARP snooping Overview The ARP snooping feature is used in Layer 2 switching networks. It creates ARP snooping entries using ARP packets, and the entries can be used by manual-mode MFF to answer ARP requests from a gateway. For more information about MFF, see Security Configuration Guide. If ARP snooping is enabled on a VLAN of a device, ARP packets received by the interfaces of the VLAN are redirected to the CPU.
  • Page 29: Configuring IP Addressing

    Configuring IP addressing
    This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) is beyond the scope of this chapter. The term "interface" in this chapter collectively refers to VLAN interfaces.
    Overview
    This section describes the IP addressing basics.
  • Page 30: Special Ip Addresses

    Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses. • IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network. •...
  • Page 31: Configuration Guidelines

    Configuration guidelines Follow these guidelines when you assign an IP address to an interface: • Each interface has only one primary IP address. A newly configured primary IP address overwrites the previous one. • You cannot assign secondary IP addresses to an interface that obtains an IP address through BOOTP or DHCP.
  • Page 32 Figure 13 Network diagram (labels: Switch Vlan-int1 172.16.1.1/24, 172.16.2.1/24 sub; Host A; Host B; host addresses 172.16.1.2/24 and 172.16.2.2/24; subnets 172.16.1.0/24 and 172.16.2.0/24)
    Configuration procedure
    # Assign a primary IP address and a secondary IP address to VLAN-interface 1.
    <Switch> system-view
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
    [Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
    # Set the gateway address to 172.16.1.1 on the hosts attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the hosts attached to subnet 172.16.2.0/24.
  • Page 33: Configuring IP Unnumbered

    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
    --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms
    The output shows that the switch can communicate with the hosts on subnet 172.16.2.0/24.
    # From a host on subnet 172.16.2.0/24, ping a host on subnet 172.16.1.0/24 to verify the connectivity.
  • Page 34: Displaying And Maintaining IP Addressing

    Step Command Remarks the specified interface. by default.
    Displaying and maintaining IP addressing
    Task: Display IP configuration information for a specified Layer 3 interface or all Layer 3 interfaces.
    Command: display ip interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
  • Page 35: Dhcp Overview

    DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client/server model. Figure 14 A typical DHCP application A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet via a DHCP relay agent.
  • Page 36: Ip Address Lease Extension

    The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client, in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
  • Page 37: Dhcp Options

    Figure 16 DHCP message format • op—Message type defined in option field. 1 = REQUEST, 2 = REPLY • htype, hlen—Hardware address type and length of a DHCP client. • hops—Number of relay agents a request message traveled. • xid—Transaction ID, a random number chosen by the client to identify an IP address allocation. •...
  • Page 38: Common Dhcp Options

    Figure 17 DHCP option format Common DHCP options The following are common DHCP options: • Option 3—Router option. It specifies the gateway address. • Option 6—DNS server option. It specifies the DNS server's IP address. • Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table.
  • Page 39 Format of Option 43 Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 18. Figure 18 Option 43 format • Sub-option type—Type of a sub-option. The field value can be 0x01 (an ACS parameter sub-option), 0x02 (a service provider identifier sub-option), or 0x80 (a PXE server address sub-option). • Sub-option length—Length of a sub-option excluding the sub-option type and sub-option length fields.
  • Page 40 Option 82 can contain up to 255 sub-options and must have one sub-option at least. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID). DHCP snooping device supports three sub-options: sub-option 1 (Circuit ID), sub-option 2 (Remote ID), and sub-option 9.
  • Page 41 • Private padding format Sub-option 1—Contains the VLAN ID of the interface that received the client's request, module (subcard number of the receiving port) and port (port number of the receiving port). The value of the sub-option type is 1. Figure 24 Sub-option 1 in private padding format Sub-option 2—Contains the MAC address of the DHCP snooping device that received the client's request.
  • Page 42: Protocols And Standards

    • Sub-option 2—IP address of the backup network calling processor. DHCP clients contact the backup when the primary is unreachable. • Sub-option 3—Voice VLAN ID and the result whether or not DHCP clients take this ID as the voice VLAN. •...
  • Page 43: Configuring Dhcp Server

    Configuring DHCP server The term "interface" in the DHCP features collectively refers to VLAN interfaces. Overview The DHCP server is well suited to networks where: • Manual configuration and centralized management are difficult to implement. • Many hosts need to acquire IP addresses dynamically. This may be because the number of hosts exceeds the number of assignable IP addresses, so it is impossible to assign a fixed IP address to each host.
  • Page 44: Ip Address Allocation Sequence

    Otherwise, the DHCP server will select the smallest common address pool that contains the IP address of the receiving interface (if the client and the server reside on the same subnet), or the smallest common address pool that contains the IP address specified in the giaddr field of the client's request (if a DHCP relay agent is in-between).
  • Page 45: Configuring An Address Pool For The Dhcp Server

    Task Remarks messages
    Task: Setting the DSCP value for DHCP packets. Remarks: Optional.
    Configuring an address pool for the DHCP server
    Configuration task list
    Task: Creating a DHCP address pool. Remarks: Required.
    Task: Configuring address allocation mode for a common address ... (Configuring static address allocation; Configuring dynamic address allocation...). Remarks: Required to configure either of the two for the common ...
  • Page 46: Configuring Address Allocation Mode For A Common Address Pool

    Configuring address allocation mode for a common address pool IMPORTANT: You can configure either a static binding or dynamic address allocation for a common address pool, but not both. You need to specify a subnet for dynamic address allocation. A static binding is a special address pool containing only one IP address.
  • Page 47
    Step: Specify the MAC address or client ID.
    Command: • Specify the MAC address: static-bind mac-address mac-address • Specify the client ID: static-bind client-identifier client-identifier
    Remarks: Use at least one command. Neither is bound statically by default.
    Command: expired { day day [ hour hour ...
    Remarks: Optional.
  • Page 48: Configuring Dynamic Address Allocation For An Extended Address Pool

    Configuring dynamic address allocation for an extended address pool After the assignable IP address range and the mask are specified, the address pool becomes valid. Extended address pools support dynamic address allocation only. Excluded IP addresses specified with the forbidden-ip command in DHCP address pool view are not assignable in the current extended address pool, but are assignable in other address pools.
  • Page 49: Configuring Dns Servers For The Client

    Configuring DNS servers for the client A DHCP client contacts a Domain Name System (DNS) server to resolve names. You can specify up to eight DNS servers in the DHCP address pool. To configure DNS servers in the DHCP address pool: Step Command Remarks...
  • Page 50: Configuring Gateways For The Client

    clients to perform regular software update and backup by using configuration files obtained from a BIMS server.
    To configure the BIMS server IP address, port number, and shared key in the DHCP address pool:
    Step: Enter system view.
    Command: system-view
    Step: Enter DHCP address pool ...
    Command: dhcp server ip-pool pool-name [ extended ]...
  • Page 51: Configuring The Tftp Server And Bootfile Name For The Client

    Step: Specify the failover IP address and dialer string.
    Command: voice-config fail-over ip-address dialer-string
    Remarks: Optional. No failover IP address or dialer string is specified by default.
    Configuring the TFTP server and bootfile name for the client
    For the DHCP server to support client auto-configuration, you must specify the IP address or name of a TFTP server and the bootfile name in the DHCP address pool.
  • Page 52: Configuring Self-Defined Dhcp Options

    Configuring self-defined DHCP options CAUTION: Be cautious when configuring self-defined DHCP options because such configuration may affect the DHCP operation process. By configuring self-defined DHCP options, you can • Define new DHCP options. New configuration options will come out with DHCP development. To support these new options, you can add them into the attribute list of the DHCP server.
  • Page 53: Enabling The Dhcp Server On An Interface

    Step: Enter system view.
    Command: system-view
    Step: Enable DHCP.
    Command: dhcp enable
    Remarks: Disabled by default
    Enabling the DHCP server on an interface
    With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server will assign an IP address from its address pool to the DHCP client.
    Configuration guidelines
    Follow these guidelines when you enable the DHCP server on an interface: •...
  • Page 54: Configuring The Dhcp Server Security Functions

    this address pool, address allocation fails, and the DHCP server will not assign the client any IP address from other address pools. Only an extended address pool can be applied on the interface. The address pool to be referenced must already exist. To apply an extended address pool on an interface: Step Command...
  • Page 55: Enabling Client Offline Detection

    and pings another IP address. If it receives no response, the server continues to ping the IP address until the specified number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. (The DHCP client probes the IP address by sending gratuitous ARP packets.) To configure IP address conflict detection: Step...
  • Page 56: Enabling Option 82 Handling

    Enabling Option 82 handling
    Step: Enter system view.
    Command: system-view
    Step: Enable the server to handle Option 82.
    Command: dhcp server relay information enable
    Remarks: Optional. Enabled by default.
    Specifying the threshold for sending trap messages
    Configuration prerequisites
    Before you perform the configuration, use the snmp-agent target-host command to specify the destination address of the trap messages.
  • Page 57: Displaying And Maintaining The Dhcp Server

    Step: Enter system view.
    Command: system-view
    Step: Set the DSCP value for DHCP packets sent by the DHCP server.
    Command: dhcp dscp dscp-value
    Remarks: Optional. By default, the DSCP value is ...
    Displaying and maintaining the DHCP server
    IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information.
  • Page 58: Static Ip Address Assignment Configuration Example

    • The DHCP server and client are not on the same subnet and they communicate with each other via a DHCP relay agent. The DHCP server configuration for the two types is the same. Static IP address assignment configuration example Network requirements As shown in Figure...
  • Page 59: Dynamic IP Address Assignment Configuration Example

    # Create DHCP address pool 1, configure a static binding, DNS server and gateway in it.
    [SwitchA] dhcp server ip-pool 1
    [SwitchA-dhcp-pool-1] static-bind ip-address 10.1.1.6 25
    [SwitchA-dhcp-pool-1] static-bind mac-address 000f-e249-8050
    [SwitchA-dhcp-pool-1] dns-list 10.1.1.2
    [SwitchA-dhcp-pool-1] gateway-list 10.1.1.126
    Verifying the configuration
    After the preceding configuration is complete, Switch B can obtain IP address 10.1.1.5 and other network parameters, and Switch C can obtain IP address 10.1.1.6 and other network parameters from Switch A.
  • Page 60: Self-Defined Option Configuration Example

    # Enable the DHCP server on VLAN-interface 1 and VLAN-interface 2.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] dhcp select server global-pool
    [SwitchA-Vlan-interface1] quit
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] dhcp select server global-pool
    [SwitchA-Vlan-interface2] quit
    # Exclude IP addresses (addresses of the DNS server, WINS server and gateways).
    [SwitchA] dhcp server forbidden-ip 10.1.1.2
    [SwitchA] dhcp server forbidden-ip 10.1.1.4
    [SwitchA] dhcp server forbidden-ip 10.1.1.126...
  • Page 61: Troubleshooting Dhcp Server Configuration

    PXE server type. The number 02 indicates the number of servers. The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server addresses are 1.2.3.4 and 2.2.2.2. Figure 30 Network diagram Configuration procedure Specify IP addresses for the interfaces. (Details not shown.) Configure the DHCP server: # Enable DHCP.
  • Page 62 Enable the network adapter or connect the network cable. Release the IP address and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client: a. In a Windows environment, select Start > Run. Enter cmd in the dialog box, and click OK to enter the command line interface.
  • Page 63: Configuring Dhcp Relay Agent

    Configuring DHCP relay agent The DHCP relay agent configuration is supported only on VLAN interfaces. Overview Via a relay agent, DHCP clients can communicate with a DHCP server on another subnet to obtain configuration parameters. DHCP clients on different subnets can contact the same DHCP server rather than having a DHCP server on each subnet.
  • Page 64: Dhcp Relay Agent Support For Option 82

    After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters to the relay agent, and the relay agent conveys them to the client.
  • Page 65: Enabling Dhcp

    Task Remarks Enabling offline detection Optional Configuring the DHCP relay agent to release an IP address Optional Configuring the DHCP relay agent to support Option 82 Optional Setting the DSCP value for DHCP packets Optional Enabling DHCP Enable DHCP before performing other configurations related to the DHCP relay agent. To enable DHCP: Step Command...
  • Page 66: Configuration Procedure

    • You can specify up to twenty DHCP server groups on the relay agent. • By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP server addresses for each DHCP server group. • The IP addresses of DHCP servers and those of relay agent's interfaces that connect DHCP clients cannot be on the same subnet.
  • Page 67: Configuring Periodic Refresh Of Dynamic Client Entries

    • Before enabling address check on an interface, you must enable the DHCP service, and enable the DHCP relay agent on the interface. Otherwise, the address check configuration is ineffective. • The dhcp relay address-check enable command only checks IP and MAC addresses but not ...
  • Page 68: Enabling Dhcp Starvation Attack Protection

    With unauthorized DHCP servers detection enabled, the DHCP relay agent checks whether a request contains Option 54 (Server Identifier Option). If yes, the DHCP relay agent records the IP address of each detected DHCP server that assigned an IP address to a requesting DHCP client in the option, and records the receiving interface.
  • Page 69: Configuring The Dhcp Relay Agent To Release An Ip Address

    address of the client. Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding manually. To enable offline detection: Step Command Remarks system-view...
  • Page 70: Configuration Procedure

    • If sub-option 1 (node identifier) of Option 82 is padded with the device name (sysname) of a node, the device name must contain no spaces. Otherwise, the DHCP relay agent will drop the message. Configuration procedure To configure the DHCP relay agent to support Option 82: Step Command Remarks...
  • Page 71: Displaying And Maintaining The Dhcp Relay Agent

    To set the DSCP value for DHCP packets:
    Step: Enter system view.
    Command: system-view
    Step: Set the DSCP value for DHCP packets sent by the DHCP relay agent.
    Command: dhcp dscp dscp-value
    Remarks: Optional. By default, the DSCP value is 56.
    Displaying and maintaining the DHCP relay agent
    Task Command Remarks...
  • Page 72: Dhcp Relay Agent Option 82 Support Configuration Example

    reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.2/24. Figure 33 Network diagram (figure not reproduced; labels: DHCP clients, Switch A as DHCP relay agent, Switch B as DHCP server, Vlan-int1 10.10.1.1/24, Vlan-int2 10.1.1.2/24, Vlan-int2 10.1.1.1/24). Configuration procedure...
  • Page 73: Troubleshooting Dhcp Relay Agent Configuration

    • Switch A forwards DHCP requests to the DHCP server (Switch B) after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses. Configuration procedure Configurations on the DHCP server are also required to make the Option 82 configurations function normally.
  • Page 74: Configuring Dhcp Client

    Configuring DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP address from the DHCP server. Configuration restrictions • The DHCP client configuration is supported only on VLAN interfaces. • When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
  • Page 75: Displaying And Maintaining The Dhcp Client

    Step Command Remarks system-view Enter system view. Optional. Set the DSCP value for DHCP packets sent by the DHCP dhcp client dscp dscp-value By default, the DSCP value is client. Displaying and maintaining the DHCP client Task Command Remarks display dhcp client [ verbose ] [ interface Display specified interface-type interface-number ] [ | { begin | Available in any view...
  • Page 76: Verifying The Configuration

    [SwitchA-Vlan-interface2] ip address 10.1.1.1 24
    [SwitchA-Vlan-interface2] quit
    # Enable the DHCP service.
    [SwitchA] dhcp enable
    # Exclude an IP address from automatic allocation.
    [SwitchA] dhcp server forbidden-ip 10.1.1.2
    # Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
  • Page 77 20.1.1.0/24 Static 70 10.1.1.2 Vlan2 127.0.0.0/8 Direct 0 127.0.0.1 InLoop0 127.0.0.1/32 Direct 0 127.0.0.1 InLoop0...
  • Page 78: Configuring Dhcp Snooping

    Configuring DHCP snooping The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server. DHCP snooping functions DHCP snooping can: Ensure that DHCP clients obtain IP addresses from authorized DHCP servers.
  • Page 79: Application Environment Of Trusted Ports

    Application environment of trusted ports Configuring a trusted port connected to a DHCP server As shown in Figure 35, the DHCP snooping device port that is connected to an authorized DHCP server should be configured as a trusted port. The trusted port forwards reply messages from the authorized DHCP server to the client, but the untrusted port does not forward reply messages from the unauthorized DHCP server.
  • Page 80: Dhcp Snooping Support For Option 82

    Figure 36 Configuring trusted ports in a cascaded network DHCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security control and accounting purposes. For more information, see "Configuring DHCP relay agent."...
  • Page 81: Dhcp Snooping Configuration Task List

    If a client's Handling Padding requesting The DHCP snooping device… strategy format message has… Option 82. Forwards the message after adding private sub-option 9 to option 82 or adding content to sub-option 9 that option 82 contains. Forwards the message without changing standard Option 82.
  • Page 82: Configuring Dhcp Snooping To Support Option 82

    • If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration of the interface will not take effect. After the interface quits the aggregation group, the configuration will be effective. • DHCP snooping can work with basic QinQ or flexible QinQ. When receiving a packet without any VLAN tag from the DHCP client to the DHCP server, the DHCP snooping device adds a VLAN tag to the packet.
  • Page 83 DHCP snooping fills the VLAN ID field of sub-option 1 with outer VLAN tag.inner VLAN tag. For example, if the outer VLAN tag is 10 (a in hexadecimal) and the inner VLAN tag is 20 (14 in hexadecimal), the VLAN ID is 000a.0014. To configure DHCP snooping to support Option 82: Step Command...
  • Page 84: Configuring Dhcp Snooping Entries Backup

    Step Command Remarks • Configure the padding content for the circuit ID sub-option: Optional. dhcp-snooping information [ vlan vlan-id ] circuit-id string circuit-id By default: • • The padding content for the Configure the padding content for the circuit ID sub-option depends remote ID sub-option: Configure on the padding format of...
  • Page 85: Enabling Dhcp Starvation Attack Protection

    Enabling DHCP starvation attack protection A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources.
  • Page 86: Enabling Mac And Port Check

    Step: Enable DHCP-REQUEST message check; Command: dhcp-snooping check request-message; Remarks: Disabled by default
    Enabling MAC and port check This feature enables the DHCP snooping device to check the client's MAC address and receiving port of the received DHCP REQUEST against DHCP snooping entries. This feature ensures that only one snooping entry exists for the same client's MAC address in each VLAN on the DHCP snooping device.
  • Page 87: Dhcp Snooping Configuration Examples

    Task Command Remarks regular-expression ]
    Task: Display Option 82 configuration information on the DHCP snooping device; Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view
    Task: Display DHCP packet statistics on the...; Command: display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin |...
  • Page 88: Dhcp Snooping Option 82 Support Configuration Example

    [SwitchB] dhcp-snooping
    # Specify Ethernet 1/0/1 as trusted.
    [SwitchB] interface Ethernet 1/0/1
    [SwitchB-Ethernet1/0/1] dhcp-snooping trust
    [SwitchB-Ethernet1/0/1] quit
    DHCP snooping Option 82 support configuration example Network requirements As shown in Figure 37, enable DHCP snooping and Option 82 support on Switch B. Configure the handling strategy for DHCP requests containing Option 82 as replace.
  • Page 89: Configuring Bootp Client

    Configuring BOOTP client Overview BOOTP application After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get information (such as IP address) from the BOOTP server. To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server.
  • Page 90: Displaying And Maintaining Bootp Client Configuration

    Step: Enter system view; Command: system-view
    Step: Enter interface view; Command: interface interface-type interface-number
    Step: Configure an interface to dynamically obtain an IP address through BOOTP; Command: ip address bootp-alloc; Remarks: By default, an interface does not use BOOTP to obtain an IP address.
    Displaying and maintaining BOOTP client configuration Task...
  • Page 91: Static Domain Name Resolution

    Configuring IPv4 DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic.
  • Page 92: Dns Proxy

    a request to the DNS server for a repeated query next time. The aged mappings are removed from the cache after some time, and latest entries are required from the DNS server. The DNS server decides how long a mapping is valid, and the DNS client gets the aging information from DNS messages.
  • Page 93: Dns Spoofing

    The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client. If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.
  • Page 94: Configuring The Ipv4 Dns Client

    When forwarding the HTTP request through the dial-up interface, the device establishes a dial-up connection with the network and dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms. When the DNS reply ages out, the host sends a DNS request to the device again. Then the device operates the same as a DNS proxy.
  • Page 95: Configuring The Dns Proxy

    Step: Enter system view; Command: system-view
    Step: Enable dynamic domain name resolution; Command: dns resolve; Remarks: Disabled by default.
    Step: Specify a DNS server; Remarks: Use at least one approach; Command: • (Approach 1) In system view: dns server ip-address • (Approach 2) In interface view: a. ...
  • Page 96: Displaying And Maintaining Ipv4 Dns

    Step: Enable DNS spoofing and specify the translated IP address; Command: dns spoofing ip-address; Remarks: Disabled by default
    Setting the DSCP value for DNS packets An IPv4 packet header contains an 8-bit Type of Service (ToS) field. As defined in RFC 2474, the first six bits set the Differentiated Services Code Point (DSCP) value, and the last two bits are reserved.
  • Page 97: Static Domain Name Resolution Configuration Example

    Task: Display DNS suffixes; Command: display dns domain [ dynamic ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view
    Task: Display information about the dynamic IPv4 domain name...; Command: display dns host ip [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view
  • Page 98: Dynamic Domain Name Resolution Configuration Example

    round-trip min/avg/max = 1/2/4 ms Dynamic domain name resolution configuration example Network requirements As shown in Figure 42, the device wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution.
  • Page 99 Figure 43 Creating a zone c. On the DNS server configuration page, right-click zone com, and select New Host. Figure 44 Adding a host d. On the page that appears, enter host name host and IP address 3.1.1.1. e. Click Add Host. The mapping between the IP address and host name is created.
  • Page 100: Verifying The Configuration

    Figure 45 Adding a mapping between domain name and IP address
    Configure the DNS client:
    # Enable dynamic domain name resolution.
    <Sysname> system-view
    [Sysname] dns resolve
    # Specify the DNS server 2.1.1.2.
    [Sysname] dns server 2.1.1.2
    # Configure com as the name suffix.
    [Sysname] dns domain com
    Verifying the configuration
    # Use the ping host command on the device to verify that the communication between the device...
  • Page 101: Dns Proxy Configuration Example

    DNS proxy configuration example Network requirements When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.
  • Page 102: Troubleshooting Ipv4 Dns Configuration

    # Specify the DNS server 2.1.1.2.
    [DeviceB] dns server 2.1.1.2
    Verifying the configuration
    # Execute the ping host.com command on Device B to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
    [DeviceB] ping host.com
    Trying DNS resolve, press CTRL_C to break
    Trying DNS server (2.1.1.2)
  • Page 103: Basic Ip Forwarding On The Device

    Basic IP forwarding on the device Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and then uses the matching entry to forward the packet.
  • Page 104 Task: Display FIB information matching the specified destination IP address; Command: display fib ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view...
  • Page 105: Configuring Load Sharing

    Configuring load sharing If a routing protocol finds multiple equal-cost best routes to the same destination, the device forwards packets over the equal-cost routes to implement load sharing. Configuration procedure Per-flow load sharing allows the device to forward flows over equal-cost routes. Packets of one flow travel along the same routes.
  • Page 106
    [SwitchA-vlan20] port Ethernet 1/0/6
    [SwitchA-vlan20] quit
    # On Switch A, configure IP addresses for VLAN-interface 10 and VLAN-interface 20.
    [SwitchA] interface vlan-interface 10
    [SwitchA-Vlan-interface10] ip address 10.1.1.1 24
    [SwitchA-Vlan-interface10] quit
    [SwitchA] interface vlan-interface 20
    [SwitchA-Vlan-interface20] ip address 20.1.1.1 24
    [SwitchA-Vlan-interface20] quit
    # On Switch B, assign Ethernet 1/0/5 to VLAN 10, and Ethernet 1/0/6 to VLAN 20.
  • Page 107: Verifying The Configuration

    Verifying the configuration # On Switch A, display outbound traffic statistics. [SwitchA] display counters outbound interface Ethernet Interface Total (pkts) Broadcast (pkts) Multicast (pkts) Err (pkts) Eth1/0/1 Eth1/0/2 Eth1/0/3 Eth1/0/4 Eth1/0/5 1045 Eth1/0/6 1044 The output shows that Ethernet 1/0/5 and Ethernet 1/0/6 receive almost the same number of packets. Load sharing is implemented.
  • Page 108: Configuring Irdp

    Configuring IRDP Overview As an extension of the Internet Control Message Protocol (ICMP), the ICMP Router Discovery Protocol (IRDP) enables hosts to discover the IP addresses of their neighboring routers and set their default routes. NOTE: The hosts in this chapter support IRDP. Background Before a host can send packets to another network, it must know the IP address of at least one router on the local subnet.
  • Page 109: Concepts

    Concepts Preference of an IP address Every IP address advertised in RAs has a preference value. The IP address with the highest preference is selected as the default router address. You can configure the preference for IP addresses advertised on a router interface. The bigger the preference value, the higher the preference.
  • Page 110: Irdp Configuration Example

    Step: Configure the preference of advertised IP addresses; Command: ip irdp preference preference-value; Remarks: Optional. The preference defaults to 0. The specified preference applies to all advertised IP addresses, including the primary IP address and the manually configured secondary IP addresses of the interface.
  • Page 111: Configuration Procedure

    Configuration procedure
    Configure Switch A:
    # Specify the IP address for VLAN-interface 100.
    <SwitchA> system-view
    [SwitchA] interface Vlan-interface 100
    [SwitchA-Vlan-interface100] ip address 10.154.5.1 24
    # Enable IRDP on VLAN-interface 100.
    [SwitchA-Vlan-interface100] ip irdp
    # Specify preference 1000 for the IP address of VLAN-interface 100.
    [SwitchA-Vlan-interface100] ip irdp preference 1000
    # Configure the multicast address 224.0.0.1 as the destination IP address for RAs sent by VLAN-interface 100.
  • Page 112: Enabling Forwarding Of Directed Broadcasts To A Directly Connected Network

    Optimizing IP performance The term "interface" in this chapter collectively refers to VLAN interfaces. Enabling receiving and forwarding of directed broadcasts to a directly connected network Directed broadcast packets are broadcast on a specific network. In the destination IP address of a directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
  • Page 113: Configuring Tcp Attributes

    Configuration example Network requirements As shown in Figure 49, the host's interface and VLAN-interface 3 of the switch are on the same network segment (1.1.1.0/24). VLAN-interface 2 of Switch and the server are on another network segment (2.2.2.0/24). The default gateway of the host is VLAN-interface 3 (IP address 1.1.1.2/24) of Switch.
  • Page 114: Configuring The Tcp Send/Receive Buffer Size

    If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device will fragment packets. An ICMP error message received from a router that does not support RFC 1191 has the MTU of the outgoing interface set to 0.
  • Page 115: Configuring Icmp To Send Error Packets

    Step: Enter system view; Command: system-view
    Step: Configure TCP timers; Command: • Configure the TCP synwait timer: tcp timer syn-timeout time-value • Configure the TCP finwait timer: tcp timer fin-timeout time-value; Remarks: Optional. By default: • The synwait timer is 75 seconds. •...
  • Page 116: Displaying And Maintaining Ip Performance Optimization

    When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet's port number does not match the running process, the device will send the source a "port unreachable" ICMP error packet. If the source uses "strict source routing" to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device will send the source a "source routing failure"...
  • Page 117 Task Command Remarks include } regular-expression ]
    Task: Display statistics of IP packets; Command: display ip statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view
    Task: Display ICMP statistics; Command: display icmp statistics [ slot slot-number ] [ |...
  • Page 118: Configuring Udp Helper

    Configuring UDP helper The term "interface" in this chapter collectively refers to VLAN interfaces. Overview UDP helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server. This is helpful when a host cannot obtain network configuration information or request device names through broadcasting because the server or host to be requested is located on another broadcast domain.
  • Page 119: Displaying And Maintaining Udp Helper

    Step Command Remarks interface-number
    Step: Specify the destination server to which UDP packets are to be forwarded; Command: udp-helper server ip-address; Remarks: No destination server is specified by default.
    Displaying and maintaining UDP helper
    Task: Displays information about forwarded UDP packets; Remarks: Available in any view; Command: display udp-helper server [ interface interface-type interface-number ] [ |...
  • Page 120
    [SwitchA] udp-helper port 55
    # Specify the destination server 10.2.1.1 on VLAN-interface 1 in public network.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 10.110.1.1 16
    [SwitchA-Vlan-interface1] udp-helper server 10.2.1.1...
  • Page 121: Ipv6 Features

    Configuring IPv6 basics Overview Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
  • Page 122: Ipv6 Addresses

    • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router. To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).
  • Page 123 • Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. • Anycast address—An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the nearest one of the interfaces identified by that address.
  • Page 124: Ipv6 Neighbor Discovery Protocol

    Address Application FF02::1 Link-local scope all-nodes multicast address FF01::2 Node-local scope all-routers multicast address FF02::2 Link-local scope all-routers multicast address Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate addresses.
  • Page 125 • Neighbor reachability detection • Duplicate address detection • Router/prefix discovery and address autoconfiguration • Redirection
    Table 7 ICMPv6 messages used by ND (columns: ICMPv6 message, Type, Function)
    Neighbor Solicitation (NS) message: Acquires the link-layer address of a neighbor. Verifies whether a neighbor is reachable. Detects duplicate addresses...
  • Page 126 Host A sends an NS message whose destination address is the IPv6 address of Host B. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable. Duplicate address detection After Host A acquires an IPv6 address, it performs Duplicate Address Detection (DAD) to check whether the address is being used by any other node (similar to the gratuitous ARP function in IPv4).
  • Page 127: Ipv6 Path Mtu Discovery

    • The receiving interface is the forwarding interface. • The selected route itself is not created or modified by an ICMPv6 Redirect message. • The selected route is not the default route. IPv6 path MTU discovery The links that a packet passes from a source to a destination may have different MTUs. In IPv6, when the packet size exceeds the path MTU of a link, the packet is fragmented at the source end of the link to reduce the processing pressure on intermediate devices and to use network resources effectively.
  • Page 128: Ipv6 Basics Configuration Task List

    Tunneling Tunneling is an encapsulation technology that utilizes one network protocol to encapsulate packets of another network protocol and transfer them over the network. For more information about tunneling, see "Configuring tunneling." Protocols and standards Protocols and standards related to IPv6 include: •...
  • Page 129: Configuring Basic Ipv6 Functions

    Task Remarks
    Configuring path MTU discovery: Configuring a static path MTU for a specific IPv6 address (Optional); Configuring the aging time for dynamic path MTUs (Optional)
    Configuring IPv6 TCP properties (Optional)
    Configuring the maximum ICMPv6 error packets sent in an interval (Optional)
    Enabling replying to multicast echo requests (Optional)
    Configuring ICMPv6 packet sending...
  • Page 130 EUI-64 IPv6 addressing To configure an interface to generate an EUI-64 IPv6 address: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Configure the interface to ipv6 address By default, no IPv6 global unicast generate an EUI-64 IPv6 ipv6-address/prefix-length address is configured on an address.
  • Page 131: Configuring An Ipv6 Link-Local Address

    • Temporary IPv6 address—Comprises an address prefix provided by the RA message, and a random interface ID generated through MD5. Before sending a packet, the system preferably uses the temporary IPv6 address of the sending interface as the source address of the packet to be sent. When this temporary IPv6 address expires, the system removes it and generates a new one.
  • Page 132: Configure An Ipv6 Anycast Address

    To configure automatic generation of an IPv6 link-local address for an interface: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Optional. By default, no link-local address is Configure the interface to configured on an interface. automatically generate an ipv6 address auto link-local After an IPv6 global unicast address is...
  • Page 133: Configuring The Maximum Number Of Neighbors Dynamically Learned

    Step: Configure an IPv6 anycast address; Command: ipv6 address ipv6-address/prefix-length anycast; Remarks: Optional. By default, no IPv6 anycast address is configured on an interface.
    Configuring IPv6 ND Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry.
  • Page 134: Configuring Parameters Related To Ra Messages

    Step: Enter interface view; Command: interface interface-type interface-number
    Step: Configure the maximum number of neighbors dynamically learned by an interface; Command: ipv6 neighbors max-learning-num number; Remarks: Optional. By default, a Layer 2 interface does not limit the number of neighbors dynamically learned. The maximum number of...
  • Page 135 Parameters Description addresses according to their own link-layer addresses and the obtained prefix information. O flag: Determines whether hosts use stateful autoconfiguration to acquire other configuration information. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, through a DHCP server) to acquire other configuration information...
  • Page 136: Configuring The Maximum Number Of Attempts To Send An Ns Message For Dad

    Step: Turn off the MTU option in RA messages; Command: ipv6 nd ra no-advlinkmtu; Remarks: Optional. By default, RA messages contain the MTU option.
    Step: Set the M flag bit to 1; Command: ipv6 nd autoconfig managed-address-flag; Remarks: Optional. By default, the M flag bit is set to 0 and hosts acquire IPv6 addresses through stateless autoconfiguration...
  • Page 137: Configuring Nd Snooping

    Configuring ND snooping Introduction The ND snooping feature is used in Layer 2 switching networks. It creates ND snooping entries using DAD NS messages. ND snooping entries are used to do the following: • Cooperate with the ND detection function. For more information about ND detection, see Security Configuration Guide.
  • Page 138: Enabling Nd Proxy

    If a corresponding NA message is received (the source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of the existing entry), the device updates the aging time of the existing entry. If no corresponding NA message is received within one second after the DAD NS message is sent out, the device removes the entry when the timer expires.
  • Page 139 As shown in Figure 56, VLAN-interface 1 with IPv6 address 4:1::99/64 and VLAN-interface 2 with IPv6 address 4:2::99/64 belong to different subnets. Host A and Host B reside on the same network but in different broadcast domains. Figure 56 Application environment of common ND proxy Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address.
  • Page 140: Configuring Path Mtu Discovery

    Step: Enter system view; Command: system-view
    Step: Enter interface view; Command: interface interface-type interface-number
    Step: Enable common ND proxy; Command: proxy-nd enable; Remarks: Disabled by default
    To enable local ND proxy:
    Step: Enter system view; Command: system-view
    Step: Enter interface view; Command: interface interface-type interface-number
    Optional...
  • Page 141: Configuring Ipv6 Tcp Properties

    Configuring IPv6 TCP properties You can configure the following IPv6 TCP properties: • synwait timer—When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
  • Page 142: Enabling Replying To Multicast Echo Requests

    Step Command Remarks The update interval "0" indicates that the number of ICMPv6 error packets sent is not restricted. Enabling replying to multicast echo requests If hosts are configured to answer multicast echo requests, an attacker can use this mechanism to attack a host.
  • Page 143: Enabling Sending Icmpv6 Redirect Messages

    • If the device fails to forward the packet because of an administrative prohibition (such as a firewall filter or an ACL), the device sends the source a "destination network administratively prohibited" ICMPv6 error message. • If the device fails to deliver the packet because the destination is beyond the scope of the source IPv6 address (for example, the source IPv6 address of the packet is a link-local address whereas the destination IPv6 address of the packet is a global unicast address), the device sends the source a "beyond scope of source address"...
  • Page 144: Displaying And Maintaining Ipv6 Basics Configuration

    Step: Enable the device to discard IPv6 packets that contain extension headers; Command: ipv6 option drop enable; Remarks: By default, the device does not discard IPv6 packets that contain extension headers.
    Configuring multicast ND NLB is a clustering technology developed by Microsoft, and it load balances traffic across a set of servers.
  • Page 145: Ipv6 Basics Configuration Example

    Task: Display the total number of neighbor entries satisfying the specified conditions; Command: display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view
    display ipv6 pathmtu { ipv6-address | all |...
  • Page 146: Configuration Procedure

    • IPv6 is enabled for the host to automatically obtain an IPv6 address through IPv6 ND, and a route to Switch B is available. Figure 58 Network diagram The VLAN interfaces have been created on the switch. Configuration procedure Configure Switch A: # Enable IPv6.
  • Page 147: Verifying The Configuration

    Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 3 ms Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 9 ms --- 3001::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/3/9 ms # Display neighbor information about Ethernet 1/0/2 on Switch A.
  • Page 148 InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA] display ipv6 interface vlan-interface 1 Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es):...
  • Page 149 InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. All the IPv6 global unicast addresses configured on the interface are displayed. [SwitchB] display ipv6 interface vlan-interface 2 Vlan-interface2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234...
  • Page 150 OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on the host, and ping Switch A and the host on Switch B to verify that they are connected. IMPORTANT: When you ping a link-local address, you should use the -i parameter to specify an interface for the link-local address.
  • Page 151: Troubleshooting Ipv6 Basics Configuration

    Troubleshooting IPv6 basics configuration Symptom The peer IPv6 address cannot be pinged. Solution Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled. Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.
  • Page 152: Dhcpv6 Overview

    DHCPv6 overview Hardware compatibility Introduction to DHCPv6 The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) was designed based on the IPv6 addressing scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. Compared with other IPv6 address allocation methods (such as manual configuration and stateless address autoconfiguration), DHCPv6 can: •...
  • Page 153: Address/Prefix Lease Renewal

    Figure 60 Assignment involving four messages The assignment involving four messages operates in the following steps: The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters. If the Solicit message does not contain a Rapid Commit option, or if the DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option, the DHCPv6 server responds with an Advertise message, informing the DHCPv6 client of the assignable address/prefix and other configuration parameters.
  • Page 154: Configuring Stateless Dhcpv6

    Figure 62 Using the Rebind message for address/prefix lease renewal Configuring stateless DHCPv6 After obtaining an IPv6 address/prefix, a device can use stateless DHCPv6 to obtain other configuration parameters from a DHCPv6 server. This application is called stateless DHCPv6 configuration. With an IPv6 address obtained through stateless address autoconfiguration, a device automatically enables the stateless DHCPv6 function after it receives an RA message with the managed address configuration flag (M flag) set to 0 and with the other stateful configuration flag (O flag) set to 1.
  • Page 155: Protocols And Standards

    Protocols and standards • RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6 • RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6) • RFC 2462, IPv6 Stateless Address Autoconfiguration • RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6...
  • Page 156: Configuring Dhcpv6 Server

    Configuring DHCPv6 server Overview As shown in Figure 64, the DHCPv6 server assigns the DHCPv6 client an IPv6 prefix to facilitate IPv6 address management and network configuration. After obtaining the IPv6 prefix, the DHCPv6 client sends an RA message containing the prefix information to the subnet where it resides, so that hosts on the subnet can automatically configure their IPv6 addresses by using the prefix.
  • Page 157: Prefix Selection Process

    • Link layer address—Its value is the bridge MAC address of the device. Identified by an IAID, an Identity Association (IA) provides a construct through which the obtained addresses, prefixes, and other configuration parameters assigned from a server to a client are managed.
  • Page 158: Creating A Prefix Pool

    Step Command Remarks Enable the DHCPv6 server function. ipv6 dhcp server enable Disabled by default. Creating a prefix pool A prefix pool specifies a range of prefixes. To create a prefix pool: Step Command Remarks Enter system view. system-view ipv6 dhcp prefix-pool prefix-pool-number prefix Create a prefix pool.
  • Page 159: Applying The Address Pool To An Interface

    Step Command Remarks • Configure a static prefix: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime Use either command. valid-lifetime ] Configure a DHCPv6 No prefix is specified by • address pool. Apply a prefix pool to the address default.
  • Page 160: Setting The Dscp Value For Dhcpv6 Packets

    Setting the DSCP value for DHCPv6 packets An IPv6 packet header contains an 8-bit Traffic class field. This field identifies the service type of IPv6 packets. As defined in RFC 2474, the first six bits set the Differentiated Services Code Point (DSCP) value, and the last two bits are reserved.
  • Page 161: Configuration Considerations

    The switch assigns prefix 2001:0410:0201::/48 to the client whose DUID is 00030001CA0006A40000, and assigns prefixes ranging from 2001:0410::/48 to 2001:0410:FFFF::/48 (excluding 2001:0410:0201::/48) to other clients. The DNS server address is 2::2:3. The DHCPv6 clients reside in domain aaa.com. The SIP server address is 2:2::4, and the domain name of the SIP server is bbb.com.
  • Page 162: Verifying The Configuration

    # Configure static prefix 2001:0410:0201::/48 in address pool 1, and set the client DUID as 00030001CA0006A40000, the preferred lifetime to one day, and the valid lifetime to three days. [Switch-ipv6-dhcp-pool-1] static-bind prefix 2001:0410:0201::/48 duid 00030001CA0006A40000 preferred-lifetime 86400 valid-lifetime 259200 # Configure the DNS server address as 2:2::3. [Switch-ipv6-dhcp-pool-1] dns-server 2:2::3 # Configure the domain name as aaa.com.
  • Page 163 Available: 65535 In-use: 0 Static: 1 # After the client whose DUID is 00030001CA0006A40000 obtains an IPv6 prefix, display the PD information on the DHCPv6 server. [Switch-Vlan-interface2] display ipv6 dhcp server pd-in-use all Total number = 1 Prefix Type Pool Lease-expiration 2001:410:201::/48 Static(C) 1 Jul 10 2009 19:45:01...
  • Page 164: Configuring Dhcpv6 Relay Agent

    Configuring DHCPv6 relay agent Overview A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 67, if the DHCPv6 server resides on another subnet, the DHCPv6 client can contact the server via a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.
  • Page 165: Configuring The Dhcpv6 Relay Agent

    After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server selects an IPv6 address and other required parameters, and adds them to the reply which is encapsulated within the Relay Message option of a Relay-reply message. The DHCPv6 server then sends the Relay-reply message to the DHCPv6 relay agent.
  • Page 166: Dhcpv6 Relay Agent Configuration Example

    Setting the DSCP value for DHCPv6 packets An IPv6 packet header contains an 8-bit Traffic class field. This field identifies the service type of IPv6 packets. As defined in RFC 2474, the first six bits set the Differentiated Services Code Point (DSCP) value, and the last two bits are reserved.
  • Page 167: Configuration Procedure

    Figure 69 Network diagram Configuration procedure Configure Switch A as a DHCPv6 relay agent: # Enable the IPv6 packet forwarding function. <SwitchA> system-view [SwitchA] ipv6 # Configure the IPv6 addresses of VLAN-interface 2 and VLAN-interface 3, respectively. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ipv6 address 2::1 64 [SwitchA-Vlan-interface2] quit [SwitchA] interface vlan-interface 3...
  • Page 168 SOLICIT REQUEST CONFIRM RENEW REBIND RELEASE DECLINE INFORMATION-REQUEST RELAY-FORWARD RELAY-REPLY Packets sent ADVERTISE RECONFIGURE REPLY RELAY-FORWARD RELAY-REPLY...
  • Page 169: Configuring Dhcpv6 Client

    Configuring DHCPv6 client Overview With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server. A DHCPv6 client can use DHCPv6 to complete the following functions: • Obtain an IPv6 address and configuration parameters. • Obtain an IPv6 prefix and configuration parameters. •...
  • Page 170: Setting The Dscp Value For Dhcpv6 Packets

    Step Command Remarks autoconfiguration. For more information about the command, see — Layer 3 IP Services Command Reference. Setting the DSCP value for DHCPv6 packets An IPv6 packet header contains an 8-bit Traffic class field. This field identifies the service type of IPv6 packets.
  • Page 171: Configuration Procedure

    Figure 70 Network diagram Configuration procedure Configure Switch B: # Enable the IPv6 packet forwarding function. <SwitchB> system-view [SwitchB] ipv6 # Configure the IPv6 address of VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ipv6 address 1::1 64 # Set the O flag in the RA messages to 1. [SwitchB-Vlan-interface2] ipv6 nd autoconfig other-flag # Enable Switch B to send RA messages.
  • Page 172 DNS servers 1:2:3::5 1:2:4::7 Domain names abc.com Sysname.com # Use the display ipv6 dhcp client statistics command to view the current client statistics. [SwitchA-Vlan-interface2] display ipv6 dhcp client statistics Interface Vlan-interface2 Packets Received Reply Advertise Reconfigure Invalid Packets Sent Solicit Request Confirm Renew...
  • Page 173: Configuring Dhcpv6 Snooping

    Configuring DHCPv6 snooping A DHCPv6 snooping device does not work if it is between a DHCPv6 relay agent and a DHCPv6 server. The DHCPv6 snooping device works when it is between a DHCPv6 client and a DHCPv6 relay agent or between a DHCPv6 client and a DHCPv6 server. You can configure only Layer 2 Ethernet ports or Layer 2 aggregate interfaces as DHCPv6 snooping trusted ports.
  • Page 174: Recording Ip-To-Mac Mappings Of Dhcpv6 Clients

    As shown in Figure 71, configure the port that connects to the DHCPv6 server as a trusted port, and other ports as untrusted. Recording IP-to-MAC mappings of DHCPv6 clients DHCPv6 snooping reads DHCPv6 messages to create and update DHCPv6 snooping entries, including MAC addresses of clients, IPv6 addresses obtained by the clients, ports that connect to DHCPv6 clients, and VLANs to which the ports belong.
  • Page 175: Configuring The Maximum Number Of Dhcpv6 Snooping Entries An Interface Can Learn

    Configuring the maximum number of DHCPv6 snooping entries an interface can learn Perform this optional task to prevent an interface from learning too many DHCPv6 snooping entries and to save system resources. To configure the maximum number of DHCPv6 snooping entries an interface can learn: Step Command Remarks...
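The snooping behaviour described above (trusted and untrusted ports, recorded client entries, and a per-interface entry limit) can be followed in a small model. This is an added example, not HPE code: the class and function names are hypothetical, the trace is constructed, and it assumes that Advertise, Reply and Reconfigure count as server messages and that a port at its limit stops learning but keeps forwarding.

```python
from dataclasses import dataclass

# DHCPv6 message type codes from RFC 3315.
SOLICIT, ADVERTISE, REQUEST, REPLY, RECONFIGURE = 1, 2, 3, 7, 10
# Assumption: these are the messages only a server should originate.
SERVER_TYPES = {ADVERTISE, REPLY, RECONFIGURE}


@dataclass(frozen=True)
class Binding:
    """One snooping entry: client MAC, leased address, client port, VLAN."""
    mac: str
    ipv6: str
    port: str
    vlan: int


class SnoopingModel:
    """Simplified model of a DHCPv6 snooping device (hypothetical)."""

    def __init__(self, trusted_ports, max_entries_per_port):
        self.trusted = set(trusted_ports)
        self.max_entries = max_entries_per_port
        self.pending = {}   # transaction id -> (mac, port, vlan) of the client
        self.entries = []   # learned Binding records
        self.dropped = []   # (port, msg_type) for every discarded message

    def handle(self, port, vlan, msg_type, xid, mac=None, assigned=None):
        """Return 'forward' or 'drop' for one message received on `port`."""
        if msg_type in SERVER_TYPES:
            if port not in self.trusted:
                # Server message on an untrusted port: discard and record it.
                self.dropped.append((port, msg_type))
                return "drop"
            if msg_type == REPLY and assigned and xid in self.pending:
                c_mac, c_port, c_vlan = self.pending.pop(xid)
                learned = sum(1 for e in self.entries if e.port == c_port)
                if learned < self.max_entries:
                    self.entries.append(
                        Binding(c_mac, assigned, c_port, c_vlan))
            return "forward"
        # Client message: remember who asked so the Reply can be matched.
        if msg_type in (SOLICIT, REQUEST):
            self.pending[xid] = (mac, port, vlan)
        return "forward"


# Constructed trace. Port names follow the page's VLAN 2 example; treating
# Ethernet1/0/1 as the server-facing trusted port is an assumption.
SAMPLE_TRACE = [
    dict(port="Ethernet1/0/2", vlan=2, msg_type=SOLICIT, xid=1,
         mac="0011-2233-4455"),
    dict(port="Ethernet1/0/3", vlan=2, msg_type=ADVERTISE, xid=1),  # rogue
    dict(port="Ethernet1/0/1", vlan=2, msg_type=ADVERTISE, xid=1),
    dict(port="Ethernet1/0/2", vlan=2, msg_type=REQUEST, xid=2,
         mac="0011-2233-4455"),
    dict(port="Ethernet1/0/1", vlan=2, msg_type=REPLY, xid=2,
         assigned="2001:db8::10"),
    dict(port="Ethernet1/0/2", vlan=2, msg_type=REQUEST, xid=3,
         mac="0011-2233-4466"),
    dict(port="Ethernet1/0/1", vlan=2, msg_type=REPLY, xid=3,
         assigned="2001:db8::11"),  # exceeds the limit of 1 on Ethernet1/0/2
]


def replay_sample():
    """Replay SAMPLE_TRACE with one trusted port and a limit of 1 entry."""
    model = SnoopingModel(trusted_ports=["Ethernet1/0/1"],
                          max_entries_per_port=1)
    verdicts = [model.handle(**msg) for msg in SAMPLE_TRACE]
    return verdicts, model


if __name__ == "__main__":
    verdicts, model = replay_sample()
    for msg, verdict in zip(SAMPLE_TRACE, verdicts):
        print(msg["port"], msg["msg_type"], verdict)
    print(model.entries)
```

The `dropped` list is the part worth monitoring: a server message arriving on an untrusted port indicates a misconfigured or unauthorized DHCPv6 server on an access port.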
  • Page 176: Dhcpv6 Snooping Configuration Example

    The Second Vlan field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 18 or Option 37 also does not contain it. To configure DHCPv6 Snooping to support Option 18 and Option 37: Step Command Remarks Enter system view.
  • Page 177: Configuration Procedure

    Figure 74 Network diagram Configuration procedure # Enable DHCPv6 snooping globally. <Switch> system-view [Switch] ipv6 dhcp snooping enable # Add Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 to VLAN 2. [Switch] vlan 2 [Switch-vlan2] port Ethernet 1/0/1 Ethernet 1/0/2 Ethernet 1/0/3 # Enable DHCPv6 snooping for VLAN 2.
  • Page 178: Configuring Ipv6 Dns

    Configuring IPv6 DNS Overview IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS.
  • Page 179: Displaying And Maintaining Ipv6 Dns

    Step Command Remarks Not specified by default. dns server ipv6 ipv6-address If the IPv6 address of a DNS server is a Specify a DNS server. [ interface-type link-local address, you must specify the interface-number ] interface-type and interface-number arguments. Optional. Configure a DNS dns domain domain-name Not configured by default.
  • Page 180: Static Domain Name Resolution Configuration Example

    Static domain name resolution configuration example Network requirements As shown in Figure 75, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the device so that the device can use the domain name host.com to access the host whose IPv6 address is 1::2.
  • Page 181: Dynamic Domain Name Resolution Configuration Example

    Dynamic domain name resolution configuration example Network requirements As shown in Figure 76, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. The IPv6 address of the DNS server is 2::2/64 and the server has a com domain, which stores the mapping between domain name host and IPv6 address 1::1/64.
  • Page 182 Figure 77 Creating a zone c. On the DNS server configuration page, right-click zone com and select Other New Records. Figure 78 Creating a record d. On the page that appears, select IPv6 Host (AAAA) as the resource record type, and click Create Record.
  • Page 183 Figure 79 Selecting the resource record type e. On the page that appears, enter host name host and IPv6 address 1::1. f. Click OK. The mapping between the IP address and host name is created.
  • Page 184: Verifying The Configuration

    Figure 80 Adding a mapping between domain name and IPv6 address Configure the DNS client: # Enable dynamic domain name resolution. <Device> system-view [Device] dns resolve # Specify the DNS server 2::2. [Device] dns server ipv6 2::2 # Configure com as the DNS suffix. [Device] dns domain com Verifying the configuration # Use the ping ipv6 host command on the device to verify that the communication between the...
  • Page 185 Reply from 1::1 bytes=56 Sequence=3 hop limit=126 time = 1 ms Reply from 1::1 bytes=56 Sequence=4 hop limit=126 time = 1 ms Reply from 1::1 bytes=56 Sequence=5 hop limit=126 time = 1 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/2 ms...
  • Page 186: Configuring Tunneling

    Configuring tunneling Overview Tunneling is an encapsulation technology: one network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated and de-encapsulated at both ends of a tunnel. Tunneling refers to the whole process from data encapsulation to data transfer to data de-encapsulation.
  • Page 187 Device B forwards the packet according to the destination address in the de-encapsulated IPv6 packet. If the destination address is the device itself, Device B forwards the IPv6 packet to the upper-layer protocol for processing. Tunnel types Depending on how the IPv4 address of the tunnel destination is acquired, IPv6 over IPv4 tunnels are divided into the following types: •...
  • Page 188: Ipv4 Over Ipv4 Tunneling

    Figure 82 6to4 tunnel • ISATAP tunneling An ISATAP tunnel is a point-to-multipoint automatic tunnel. The destination of a tunnel can automatically be acquired from the embedded IPv4 address in the destination address of an IPv6 packet.
  • Page 189: Ipv4 Over Ipv6 Tunneling

    a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. b. The IP protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface.
  • Page 190: Ipv6 Over Ipv6 Tunneling

    IPv6 over IPv6 tunneling IPv6 over IPv6 tunneling (specified in RFC 2473) is developed for IPv6 data packet encapsulation so that encapsulated packets can be transmitted over an IPv6 network. The encapsulated packets are IPv6 tunnel packets. Figure 86 Principle of IPv6 over IPv6 tunneling Figure 86 shows the encapsulation and de-encapsulation processes.
  • Page 191: Tunneling Configuration Task List

    Tunneling configuration task list Task Remarks Configuring a tunnel interface Required. Configuring an IPv6 manual tunnel Optional. Configuring an IPv6 over IPv4 tunnel Configuring a 6to4 tunnel Use one as needed. Configuring an ISATAP tunnel Configuring an IPv4 over IPv4 tunnel Optional.
  • Page 192: Configuring An Ipv6 Manual Tunnel

    Step Command Remarks Optional. Configure the description text description for the By default, the description of a tunnel interface. interface is Tunnelnumber Interface. Reference a service By default, the tunnel does not service-loopback-group number loopback group. reference any service loopback group. Optional.
  • Page 193: Configuration Procedure

    tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing protocol on both tunnel interfaces. For the detailed configuration, see Layer 3—IP Routing Configuration Guide. Configuration procedure To configure an IPv6 manual tunnel: Step Command Remarks system-view Enter system view.
  • Page 194 other. If the destination IPv4 address cannot be automatically obtained from the destination IPv6 addresses of packets, configure an IPv6 manual tunnel. Figure 87 Network diagram Configuration procedure Before configuring an IPv6 manual tunnel, make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other.
  • Page 195 • Configure Switch B # Enable IPv6. <SwitchB> system-view [SwitchB] ipv6 # Specify an IPv4 address for VLAN-interface 100. [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ip address 192.168.50.1 255.255.255.0 [SwitchB-Vlan-interface100] quit # Specify an IPv6 address for VLAN-interface 101. [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ipv6 address 3003::1 64 [SwitchB-Vlan-interface101] quit # Create service loopback group 1 to support the tunnel service.
  • Page 196 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: [SwitchB] display ipv6 interface tunnel 0 Tunnel0 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::C0A8:3201 Global unicast address(es): 3001::2, subnet is 3001::/64 Joined group address(es):...
  • Page 197: Configuring A 6To4 Tunnel

    Configuring a 6to4 tunnel Configuration prerequisites Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) on the device to ensure normal communication. One of the interfaces will be used as the source interface of the tunnel. Configuration guidelines Follow these guidelines when you configure a 6to4 tunnel: •...
  • Page 198: Configuration Example

    Step Command Remarks GRE over IPv4 tunnel by default. Specify the 6to4 The same tunnel mode should be tunnel-protocol ipv6-ipv4 6to4 tunnel mode. configured at both ends of the tunnel. Otherwise, packet delivery will fail. Configure a source source { ip-address | interface-type By default, no source address or address or interface interface is configured for the tunnel.
  • Page 199 # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Specify an IPv4 address for VLAN-interface 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ip address 2.1.1.1 24 [SwitchA-Vlan-interface100] quit # Specify an IPv6 address for VLAN-interface 101. [SwitchA] interface vlan-interface 101 [SwitchA-Vlan-interface101] ipv6 address 2002:0201:0101:1::1/64 [SwitchA-Vlan-interface101] quit # Create service loopback group 1 to support the tunnel service.
  • Page 200: Configuring An Isatap Tunnel

    [SwitchB] interface Ethernet 1/0/3 [SwitchB-Ethernet1/0/3] undo stp enable [SwitchB-Ethernet1/0/3] undo ndp enable [SwitchB-Ethernet1/0/3] undo lldp enable [SwitchB-Ethernet1/0/3] port service-loopback group 1 [SwitchB-Ethernet1/0/3] quit # Configure the 6to4 tunnel. [SwitchB] interface tunnel 0 [SwitchB-Tunnel0] ipv6 address 2002:0501:0101::1/64 [SwitchB-Tunnel0] source vlan-interface 100 [SwitchB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4 # Reference service loopback group 1 on the tunnel.
  • Page 201: Configuration Procedure

    • No destination address needs to be configured for an ISATAP tunnel. The destination address of the tunnel can be automatically obtained through the IPv4 address embedded in the ISATAP address. • To encapsulate and forward IPv6 packets whose destination address does not belong to the subnet where the receiving tunnel interface resides, configure a static route to reach the destination IPv6 address through this tunnel interface on the device.
  • Page 202: Configuration Example

    Configuration example Network requirements As shown in Figure 89, an IPv6 network is connected to an IPv4 network through an ISATAP switch. IPv6 hosts reside in the IPv4 network. Configure the IPv6 hosts to access the IPv6 network through the ISATAP tunnel. Figure 89 Network diagram Configuration procedure Before configuring an ISATAP tunnel, make sure the corresponding VLAN interfaces have been...
  • Page 203 # Disable the RA suppression so that hosts can acquire information such as the address prefix from the RA message released by the ISATAP switch. [Switch-Tunnel0] undo ipv6 nd ra halt # Reference service loopback group 1 on the tunnel. [Switch-Tunnel0] service-loopback-group 1 [Switch-Tunnel0] quit # Configure a static route to the ISATAP host.
  • Page 204: Configuring An Ipv4 Over Ipv4 Tunnel

    retransmission interval 1000ms DAD transmits 0 default site prefix length 48 # A comparison shows that the host has acquired the address prefix 2001::/64 and automatically generated the address 2001::5efe:2.1.1.2. Meanwhile, "uses Router Discovery" is displayed, indicating that the router discovery function is enabled on the host. At this time, ping the IPv6 address of the tunnel interface of the switch.
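Because 6to4 and ISATAP tunnels take their destination from an IPv4 address embedded in the IPv6 address, the endpoint a packet will be tunnelled to can be read straight from the address. The following added example (not from the HPE manual; function names are hypothetical) extracts that endpoint and lists addresses whose endpoint is not on an expected list, using addresses from the configuration examples on this page.

```python
import ipaddress

# 6to4 addresses are 2002:<IPv4 in hex>::/48.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# ISATAP interface identifiers are 0000:5EFE or 0200:5EFE followed by
# the 32-bit IPv4 address.
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def embedded_endpoint(address):
    """Return (kind, ipv4) where kind is '6to4', 'isatap' or 'none'.

    ipv4 is the embedded tunnel endpoint as a dotted-quad string, or None
    when the address carries no automatic-tunnel endpoint.
    """
    ip = ipaddress.IPv6Address(address)
    value = int(ip)
    if ip in SIX_TO_FOUR:
        # Bits 16..47 (counting from the top) hold the IPv4 address.
        v4 = (value >> 80) & 0xFFFFFFFF
        return "6to4", str(ipaddress.IPv4Address(v4))
    if (value >> 32) & 0xFFFFFFFF in ISATAP_IID_PREFIXES:
        # The low 32 bits of the interface identifier hold the IPv4 address.
        return "isatap", str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    return "none", None


def unexpected_endpoints(addresses, allowed_ipv4):
    """List (address, kind, ipv4) for endpoints outside allowed_ipv4."""
    allowed = {str(ipaddress.IPv4Address(a)) for a in allowed_ipv4}
    findings = []
    for address in addresses:
        kind, v4 = embedded_endpoint(address)
        if v4 is not None and v4 not in allowed:
            findings.append((address, kind, v4))
    return findings


# Addresses that appear in the configuration examples on this page.
PAGE_ADDRESSES = [
    "2002:0201:0101:1::1",   # 6to4 site address on Switch A
    "2002:0501:0101::1",     # 6to4 tunnel address on Switch B
    "2001::5efe:2.1.1.2",    # ISATAP host address
    "FE80::C0A8:3201",       # manual-tunnel link-local: no 5EFE marker
    "3001::2",               # ordinary global unicast address
]

if __name__ == "__main__":
    for a in PAGE_ADDRESSES:
        print(a, embedded_endpoint(a))
    # The allowed list here is a constructed sample.
    print(unexpected_endpoints(PAGE_ADDRESSES, ["2.1.1.1", "2.1.1.2"]))
```

The manual-tunnel link-local address FE80::C0A8:3201 also ends in an IPv4 address, but it is classified as `none` because a manual tunnel takes its destination from configuration, not from the address.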
  • Page 205: Configuration Procedure

    • If you specify a source interface instead of a source address for the tunnel, the source address of the tunnel is the primary IP address of the source interface. Configuration procedure To configure an IPv4 over IPv4 tunnel: Step Command Remarks system-view...
  • Page 206 [SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0 [SwitchA-Vlan-interface100] quit # Specify an IPv4 address for VLAN-interface 101, the physical interface of the tunnel. [SwitchA] interface vlan-interface 101 [SwitchA-Vlan-interface101] ip address 2.1.1.1 255.255.255.0 [SwitchA-Vlan-interface101] quit # Create service loopback group 1 to support the tunnel service. [SwitchA] service-loopback group 1 type tunnel # Assign Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the interface.
  • Page 207: Interface Tunnel

    [SwitchB] interface Ethernet 1/0/3 [SwitchB-Ethernet1/0/3] undo stp enable [SwitchB-Ethernet1/0/3] undo ndp enable [SwitchB-Ethernet1/0/3] undo lldp enable [SwitchB-Ethernet1/0/3] port service-loopback group 1 [SwitchB-Ethernet1/0/3] quit # Create interface Tunnel 2. [SwitchB] interface tunnel 2 # Specify an IPv4 address for interface Tunnel 2. [SwitchB-Tunnel2] ip address 10.1.2.2 255.255.255.0 # Configure the tunnel encapsulation mode.
  • Page 208: Configuring An Ipv4 Over Ipv6 Tunnel

    Line protocol current state: UP Description: Tunnel2 Interface The Maximum Transmit Unit is 1480 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUNNEL, service-loopback-group ID is 1. Tunnel source 3.1.1.1(Vlan-interface101), destination 2.1.1.1 Tunnel bandwidth 64 (kbps) Tunnel protocol/transport IP/IP Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0 Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0...
  • Page 209: Configuration Procedure

    destination IPv4 address, specify this tunnel interface as the outbound interface, or the peer tunnel interface address as the next hop. A similar configuration is required at the other tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing protocol on both tunnel interfaces.
  • Page 210 Configuration procedure Before configuring an IPv4 over IPv6 tunnel, make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other. • Configure Switch A: # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Specify an IPv4 address for VLAN-interface 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ip address 30.1.1.1 255.255.255.0 [SwitchA-Vlan-interface100] quit...
  • Page 211 [SwitchB-Vlan-interface100] quit # Specify an IPv6 address for VLAN-interface 101, the physical interface of the tunnel. [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ipv6 address 2002::2:1 64 [SwitchB-Vlan-interface101] quit # Create service loopback group 1 to support the tunnel service. [SwitchB] service-loopback group 1 type tunnel # Assign Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the interface.
  • Page 212 Last 300 seconds input: 0 bytes/sec, 0 packets/sec Last 300 seconds output: 0 bytes/sec, 0 packets/sec 152 packets input, 9728 bytes 0 input error 168 packets output, 10752 bytes 0 output error [SwitchB] display interface tunnel 2 Tunnel2 current state: UP Line protocol current state: UP Description: Tunnel2 Interface The Maximum Transmit Unit is 1460...
  • Page 213: Configuring An Ipv6 Over Ipv6 Tunnel

    Configuring an IPv6 over IPv6 tunnel Configuration prerequisites Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) on the device to ensure normal communication. One of the interfaces will be used as the source interface of the tunnel.
  • Page 214: Configuration Example

    Step Command Remarks • (Method 1) Configure an IPv6 global unicast address or site-local address: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length Use either method. Configure an IPv6 ipv6 address address for the tunnel By default, no IPv6 address is ipv6-address/prefix-length interface.
  • Page 215 Configuration procedure Before configuring an IPv6 over IPv6 tunnel, make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other. • Configure Switch A: # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Specify an IPv6 address for VLAN-interface 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ipv6 address 2002:1::1 64 [SwitchA-Vlan-interface100] quit...
  • Page 216 [SwitchB-Vlan-interface100] ipv6 address 2002:3::1 64 [SwitchB-Vlan-interface100] quit # Specify an IPv6 address for VLAN-interface 101, the physical interface of the tunnel. [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ipv6 address 2002::22:1 64 [SwitchB-Vlan-interface101] quit # Create service loopback group 1 to support the tunnel service. [SwitchB] service-loopback group 1 type tunnel # Assign Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the interface.
  • Page 217: Displaying And Maintaining Tunneling Configuration

    ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: [SwitchB] display ipv6 interface tunnel 2 Tunnel2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::2024:1 Global unicast address(es): 3001::1:2, subnet is 3001::/64 Joined group address(es):...
  • Page 218: Troubleshooting Tunneling Configuration

    Task Command Remarks display interface [ tunnel ] [ brief [ description | down ] ] [ | { begin | exclude | include } regular-expression ] Display information about tunnel Available in any view interfaces. display interface tunnel number [ brief [ description ] ] [ | { begin | exclude | include } regular-expression ] display ipv6 interface tunnel [ number ]...
  • Page 219: Configuring Gre

    Configuring GRE Overview Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). The path that transfers the encapsulated packets is referred to as a GRE tunnel. A GRE tunnel is a virtual point-to-point (P2P) connection.
  • Page 220: Gre Encapsulation And De-Encapsulation Processes

    GRE encapsulation and de-encapsulation processes Figure 95 X protocol networks interconnected through a GRE tunnel The following sections use Figure 95 to describe how an X protocol packet traverses the IP network through a GRE tunnel. Encapsulation process After receiving an X protocol packet through the interface connected to Group 1, Device A submits it to the X protocol for processing.
  • Page 221: Configuring A Gre Over Ipv4 Tunnel

    Configuring a GRE over IPv4 tunnel Configuration prerequisites • On each of the peer devices, configure an IP address for the interface to be used as the source interface of the tunnel interface (for example, a VLAN interface or a loopback interface), and make sure this interface can normally communicate with the interface used as the source interface of the tunnel interface on the peer device.
  • Page 222: Configuring A Gre Over Ipv6 Tunnel

    Step Command Remarks will fail. Configure the source By default, no source address or source { ip-address | address or interface for the interface is configured for a tunnel interface-type interface-number } tunnel interface. interface. Configure the destination By default, no destination address destination ip-address address for the tunnel is configured for a tunnel...
  • Page 223: Displaying And Maintaining Gre

    Configure a static route, using the address of the network segment the original packet is destined for as its destination address and the address of the peer tunnel interface as its next hop. Enable a dynamic routing protocol on both the tunnel interface and the router interface connecting the private network, so that the dynamic routing protocol can establish a routing entry that allows the tunnel to forward packets through the tunnel.
  • Page 224: Gre Over Ipv4 Tunnel Configuration Example

    Task Command Remarks [ down ] ] [ | { begin | exclude | specified or all tunnel interfaces. include } regular-expression ] display interface tunnel number [ brief ] [ | { begin | exclude | include } regular-expression ] display ipv6 interface tunnel [ number ] [ brief ] [ | { begin | Display IPv6 information about a...
  • Page 225 [SwitchA-Vlan-interface101] quit # Create service loopback group 1, and configure the service type as tunnel. [SwitchA] service-loopback group 1 type tunnel # Add port Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the port. [SwitchA] interface Ethernet 1/0/3 [SwitchA-Ethernet1/0/3] undo stp enable [SwitchA-Ethernet1/0/3] undo ndp enable...
  • Page 226 # Add port Ethernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the port. [SwitchB] interface Ethernet 1/0/3 [SwitchB-Ethernet1/0/3] undo stp enable [SwitchB-Ethernet1/0/3] undo ndp enable [SwitchB-Ethernet1/0/3] undo lldp enable [SwitchB-Ethernet1/0/3] port service-loopback group 1 [SwitchB-Ethernet1/0/3] quit # Create a tunnel interface Tunnel1.
  • Page 227: Gre Over Ipv6 Tunnel Configuration Example

    0 output error [SwitchB] display interface tunnel 1 Tunnel1 current state: UP Line protocol current state: UP Description: Tunnel1 Interface The Maximum Transmit Unit is 1476 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUNNEL, service-loopback-group ID is 1. Tunnel source 2.2.2.2, destination 1.1.1.1 Tunnel bandwidth 64 (kbps) Tunnel protocol/transport GRE/IP GRE key disabled...
  • Page 228 Figure 97 Network diagram Configuration procedure Before the configuration, make sure that Switch A and Switch B can reach each other. Configure Switch A: <SwitchA> system-view # Enable IPv6. [SwitchA] ipv6 # Configure interface VLAN-interface 100. [SwitchA] vlan 100 [SwitchA-vlan100] port Ethernet 1/0/1 [SwitchA-vlan100] quit [SwitchA] interface vlan-interface 100...
  • Page 229 # Configure the source address of the tunnel interface Tunnel0 as the IP address of interface VLAN-interface 101. [SwitchA-Tunnel0] source 2002::1:1 # Configure the destination address of the tunnel interface Tunnel0 as the IP address of interface VLAN-interface 101 on Switch B. [SwitchA-Tunnel0] destination 2001::2:1 # Apply service loopback group 1 to the tunnel in tunnel interface view.
  • Page 230: Verify The Configuration

    # Configure the destination address of the tunnel interface Tunnel0 as the IP address of interface VLAN-interface 101 on Switch A. [SwitchB-Tunnel0] destination 2002::1:1 # Apply service loopback group 1 to the tunnel in tunnel interface view. [SwitchB-Tunnel0] service-loopback-group 1 [SwitchB-Tunnel0] quit # Configure a static route from Switch B through the tunnel interface Tunnel0 to Group 1.
  • Page 231: Troubleshooting GRE

    Last 300 seconds input: 0 bytes/sec, 0 packets/sec Last 300 seconds output: 0 bytes/sec, 0 packets/sec 10 packets input, 840 bytes 0 input error 10 packets output, 840 bytes 0 output error # From Switch B, ping the IP address of VLAN-interface 100 on Switch A. [SwitchB] ping 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break...
  • Page 232: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 233: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 234: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 235: Customer Self Repair

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 236 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 237: Index

    Index A B C D E F G H I L N O P S T U Configuring DHCPv6 snooping to support Option 18 and Option 37,165 Accessing Hewlett Packard Enterprise Support,224 Configuring DNS spoofing,85 Accessing updates,224 Configuring ICMP to send error packets,105 Address/prefix lease renewal,143...
  • Page 238 Enabling IP conflict notification,11 DHCP snooping functions,68 Enabling local proxy ARP,13 DHCP snooping support for Option 82,70 Enabling MAC and port check,76 DHCPv6 address/prefix assignment,142 DHCPv6 relay agent configuration example,156 Enabling offline detection,58 DHCPv6 server configuration example,150 Enabling receiving and forwarding of directed broadcasts to a directly connected network,102 DHCPv6 server configuration task...
  • Page 239 Stateless DHCPv6 configuration example,160 Static domain name resolution configuration Protocols and standards,145 example,170 Protocols and standards,32 Static domain name resolution configuration Proxy ARP configuration examples,14 example,87 Setting the aging timer for dynamic ARP entries,4 Troubleshooting DHCP relay agent configuration,63 Setting the DSCP value for DHCP packets,64 Troubleshooting DHCP server configuration,51...
