HPE 5820X Series Configuration Manual

HPE 5820X & 5800 Switch Series
Layer 3 - IP Services

Configuration Guide

Part number: 5998-7391R
Software version: Release 1810
Document version: 6W100-20160129


Summary of Contents for HPE 5820X Series

  • Page 1: Configuration Guide

    HPE 5820X & 5800 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-7391R Software version: Release 1810 Document version: 6W100-20160129...
  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Configuring ARP; Overview; ARP message format; ARP operation; ARP table; Configuring a static ARP entry; Configuring a multiport ARP entry; Configuring the maximum number of dynamic ARP entries for an interface; Setting the aging timer for dynamic ARP entries...
  • Page 4 Configuring IP unnumbered; Configuration guidelines; Configuration prerequisites; Configuration procedure; Displaying and maintaining IP addressing; DHCP overview; DHCP address allocation; Dynamic IP address allocation process; IP address lease extension...
  • Page 5 DHCP relay agent support for Option 82; DHCP relay agent configuration task list; Enabling DHCP; Enabling the DHCP relay agent on an interface; Correlating a DHCP server group with a relay agent interface; Configuration guidelines...
  • Page 6 BOOTP application; Obtaining an IP address dynamically; Protocols and standards; Configuration restrictions; Configuring an interface to dynamically obtain an IP address through BOOTP; Displaying and maintaining BOOTP client configuration; BOOTP client configuration example...
  • Page 7 Configuration procedure; Enabling support for ICMP extensions; ICMP extensions for MPLS; Handling ICMP messages; Configuration procedure; Displaying and maintaining IP performance optimization; Configuring UDP helper; Configuration restrictions and guidelines; Configuration procedure...
  • Page 8 IAID; Binding; PD; DHCPv6 address/prefix assignment; Rapid assignment involving two messages; Assignment involving four messages; Address/prefix lease renewal; Stateless DHCPv6 configuration; About stateless DHCPv6; Operation...
  • Page 9 Configuration restrictions; Enabling DHCPv6 snooping; Configuring a DHCPv6 snooping trusted port; Configuring the maximum number of DHCPv6 snooping entries an interface can learn; Configuring DHCPv6 snooping to support Option 18 and Option 37; Configuring DHCPv6 snooping entry backup...
  • Page 10 Configuration procedure; Configuration example; Displaying and maintaining tunneling configuration; Troubleshooting tunneling configuration; Configuring GRE; Overview; GRE encapsulation format; GRE encapsulation and de-encapsulation processes; Protocols and standards; Configuring a GRE over IPv4 tunnel...
  • Page 11: Configuring ARP

    Configuring ARP This chapter describes how to configure the Address Resolution Protocol (ARP). Overview ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet. NOTE: You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
  • Page 12: ARP Table

    Host A looks through its ARP table for an ARP entry for Host B. If an entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
  • Page 13: Configuring A Static ARP Entry

    Static ARP entry A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry. Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry. Static ARP entries can be classified into long and short ARP entries.
  • Page 14: Configuring A Multiport ARP Entry

    Configuring a multiport ARP entry For a multiport ARP entry, the multicast or multiport unicast MAC address entry specifies the VLAN ID and outbound ports, and the short static ARP entry specifies the VPN and the IP address. A multiport ARP entry is never overwritten by a dynamic, short static, or long static ARP entry. The multiport ARP entry does not take effect if the specified VLAN interface is not created, is down, or does not match the specified VPN.
  • Page 15: Setting The Aging Timer For Dynamic ARP Entries

    Step: Set the maximum number of dynamic ARP entries that the interface can learn; Command: arp max-learning-num number; Remarks: ...learn a maximum of 16384 dynamic ARP entries. For HPE 5820X series switches, a Layer 3 interface can learn a maximum of 8192 dynamic ARP entries.
  • Page 16: Configuring ARP Quick Update

    Configuring ARP quick update Hewlett Packard Enterprise recommends enabling ARP quick update in WLANs only. As shown in Figure 3, the laptop frequently roams between AP 1 and AP 2. This affects the mapping between its MAC address and outbound interface on the switch. If the switch does not update its ARP table immediately after the outbound interface changes, it may fail to communicate with the laptop.
  • Page 17: Displaying And Maintaining ARP

    • Internet Group Management Protocol (IGMP) multicast mode—The switch sends packets only out of the ports that connect to the cluster members rather than all ports. NOTE: Multicast ARP is applicable to only multicast-mode NLB. To configure multicast ARP: Step Command Remarks Disable the ARP entry...
  • Page 18: ARP Configuration Examples

    ARP configuration examples Static ARP entry configuration example Network requirements As shown in Figure 4, hosts are connected to the switch, which is connected to the router through interface GigabitEthernet 1/0/1 in VLAN 10. The IP and MAC addresses of the router are 192.168.1.1/24 and 00e0-fc01-0000 respectively.
  • Page 19: Multicast ARP Configuration Example

    IP Address MAC Address VLAN ID Interface Aging Type 192.168.1.1 00e0-fc01-0000 GE1/0/1 Multicast ARP configuration example Network requirements As shown in Figure 5, a small data center uses Microsoft multicast-mode NLB. To enable the switches to cooperate with NLB, perform the following configurations: •...
  • Page 20

    [Switch-Vlan-interface1] ip address 16.1.1.30 255.255.255.0
    [Switch-Vlan-interface1] quit
    # Disable the ARP entry check function.
    [Switch] undo arp check enable
    # Configure a static multicast MAC address entry.
    [Switch] mac-address multicast 03bf-1001-0164 interface GigabitEthernet 1/0/2 GigabitEthernet 1/0/3 vlan 1
    Verifying the configuration •...
  • Page 21: Configuring Gratuitous ARP

    Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: • Determine whether its IP address is already used by another device.
  • Page 22: Configuration Procedure

    For more information about VRRP, see High Availability Configuration Guide. Configuration procedure Follow these guidelines when you configure gratuitous ARP: • You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces. • Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.
  • Page 23: Configuring Proxy ARP

    Configuring proxy ARP Overview Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network. Proxy ARP includes common proxy ARP and local proxy ARP.
  • Page 24: Enabling Common Proxy ARP

    Figure 7 Application environment of local proxy ARP Enable local proxy ARP in one of the following cases: • Hosts connecting to different isolated Layer 2 ports in the same VLAN must communicate at Layer 3. • If a super VLAN is configured, hosts in different sub VLANs of the super VLAN must communicate at Layer 3.
  • Page 25: Displaying And Maintaining Proxy ARP

    Step Command Remarks: ...[ ip-range startIP to endIP ] Displaying and maintaining proxy ARP Task: Display whether proxy ARP is enabled; Command: display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view. Task: Display whether local proxy ARP...; Command: display local-proxy-arp [ interface...
  • Page 26: Local Proxy ARP Configuration Example In Case Of Port Isolation

    <Switch> system-view
    [Switch] vlan 2
    [Switch-vlan2] quit
    # Specify the IP address of interface VLAN-interface 1.
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.10.99 255.255.255.0
    # Enable proxy ARP on interface VLAN-interface 1.
    [Switch-Vlan-interface1] proxy-arp enable
    [Switch-Vlan-interface1] quit
    # Specify the IP address of interface VLAN-interface 2.
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
    # Enable proxy ARP on interface VLAN-interface 2.
  • Page 27: Configuration Procedure

    Figure 9 Network diagram (image not reproduced; labels: Switch A, Vlan-int2 192.168.10.100/16, VLAN 2, port-isolate group, GE1/0/1, GE1/0/2, GE1/0/3, Switch B, Host A, Host B, 192.168.10.200/16, 192.168.10.99/16) Configuration procedure Add GigabitEthernet 1/0/3, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on Switch B to VLAN 2.
  • Page 28: Local Proxy ARP Configuration Example In Super VLAN

    Local proxy ARP configuration example in super VLAN Network requirements Figure 10 shows a super VLAN, VLAN 10, with the interface IP address 192.168.10.100/16 and sub-VLANs (VLAN 2 and VLAN 3). GigabitEthernet 1/0/2 belongs to VLAN 2 and GigabitEthernet 1/0/1 belongs to VLAN 3. Host A belongs to VLAN 2 and connects to GigabitEthernet 1/0/2 of the switch.
  • Page 29: Local Proxy ARP Configuration Example In Isolate-User-VLAN

    The ping operation from Host A to Host B is successful after the configuration. Local proxy ARP configuration example in isolate-user-VLAN Network requirements As shown in Figure 11, Switch B is attached to Switch A. VLAN 5 on Switch B is an isolate-user-VLAN, which includes uplink port GigabitEthernet 1/0/2 and two secondary VLANs, VLAN 2 and VLAN 3.
  • Page 30

    [SwitchB] interface GigabitEthernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] port isolate-user-vlan 5 promiscuous
    [SwitchB-GigabitEthernet1/0/2] quit
    [SwitchB] interface GigabitEthernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] port isolate-user-vlan host
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface GigabitEthernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] port isolate-user-vlan host
    [SwitchB-GigabitEthernet1/0/3] quit
    [SwitchB] isolate-user-vlan 5 secondary 2 3
    Configure Switch A:
    # Create VLAN 5 and add GigabitEthernet 1/0/2 to it.
  • Page 31: Configuring ARP Snooping

    Configuring ARP snooping Overview ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. The ARP snooping entries can be used by manual-mode MFF (MAC-Forced Forwarding). For more information about MFF, see Security Configuration Guide. If ARP snooping is enabled on a VLAN, ARP packets received by the interfaces of the VLAN are redirected to the CPU.
  • Page 32: Configuring IP Addressing

    Configuring IP addressing This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) is beyond the scope of this chapter. NOTE: The term "interface" in this chapter collectively refers to Layer-3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
  • Page 33: Special IP Addresses

    Class Address range Remarks: 224.0.0.0 to 239.255.255.255: Multicast addresses. 240.0.0.0 to 255.255.255.255: Reserved for future use except for the broadcast address 255.255.255.255. Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses. •...
  • Page 34: Assigning An IP Address To An Interface

    Assigning an IP address to an interface You can assign an interface one primary address and multiple secondary addresses. Generally, you only need to assign the primary address to an interface. In some cases, you must assign secondary IP addresses to the interface. For example, if the interface connects to two subnets, to enable the device to communicate with all hosts on the LAN, assign a primary IP address and a secondary IP address to the interface.
  • Page 35

    Figure 14 Network diagram (image not reproduced; labels: 172.16.1.0/24, Switch, Host B, Vlan-int1 172.16.1.1/24, 172.16.1.2/24, 172.16.2.1/24 sub, 172.16.2.2/24, Host A, 172.16.2.0/24)
    Configuration procedure
    # Assign a primary IP address and a secondary IP address to VLAN-interface 1.
    <Switch> system-view
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
    [Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
    # Set the gateway address to 172.16.1.1 on the hosts attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the hosts attached to subnet 172.16.2.0/24.
  • Page 36: Configuring IP Unnumbered

    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
    --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms
    The output shows that the switch can communicate with the hosts on subnet 172.16.2.0/24.
    # Ping a host on subnet 172.16.1.0/24 from a host on subnet 172.16.2.0/24 to verify the connectivity.
  • Page 37: Displaying And Maintaining IP Addressing

    Displaying and maintaining IP addressing Task: Display IP configuration information for a specific Layer 3 interface or all Layer 3 interfaces; Command: display ip interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view.
  • Page 38: DHCP Overview

    DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 15 Typical DHCP application A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
  • Page 39: IP Address Lease Extension

    The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
  • Page 40: DHCP Options

    • op—Message type defined in option field. 1 = REQUEST, 2 = REPLY. • htype, hlen—Hardware address type and length of the DHCP client. • hops—Number of relay agents a request message traveled. • xid—Transaction ID, a random number chosen by the client to identify an IP address allocation. •...
  • Page 41: Custom DHCP Options

    • Option 60—Vendor class identifier option. It is used by a DHCP client to identify its vendor, and by a DHCP server to distinguish DHCP clients by vendor class and assign specific IP addresses for the DHCP clients. • Option 66—TFTP server name option. This option specifies a TFTP server to be assigned to the client.
  • Page 42 ACS parameter sub-option value field—Contains variable ACS URL, username, and password separated by spaces (0x20) as shown in Figure Figure 20 ACS parameter sub-option value field URL of ACS (variable) User name of ACS (variable) Password of ACS (variable) Service provider identifier sub-option value field—Contains the service provider identifier. PXE server address sub-option value field—Contains the PXE server type that can only be 0, the server number that indicates the number of PXE servers contained in the sub-option, and server IP addresses, as shown in...
  • Page 43 Figure 22 Sub-option 1 in normal padding format Sub-option 2—Contains the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. The value of the sub-option type is 2, and that of the remote ID type is 0. Figure 23 Sub-option 2 in normal padding format •...
  • Page 44: Protocols And Standards

    Sub-option 9—Contains the Sysname and the primary IP address of the Loopback0 interface. The value of the sub-option type is 9. Figure 27 Sub-option 9 in private padding format • Standard padding format Sub-option 1—Contains the VLAN ID of the interface that received the client's request, module (subcard number of the receiving port) and port (number of the receiving port).
  • Page 45 • RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4...
  • Page 46: Configuring The DHCP Server

    Configuring the DHCP server This chapter shows how to configure DHCP servers. Overview The DHCP server is well suited to networks where: • Manual configuration and centralized management are difficult to implement. • IP addresses are limited. For example, an ISP limits the number of concurrent online users, and most users must acquire IP addresses dynamically.
  • Page 47: IP Address Allocation Sequence

    If the receiving interface has an extended address pool referenced, the DHCP server assigns an IP address from this address pool. If no IP address is available in the address pool, the DHCP server fails to assign an address to the client. For more information, see "Configuring dynamic address allocation for an extended address pool."...
  • Page 48: Configuring An Address Pool On The DHCP Server

    Task Remarks Specifying a server's IP address for the DHCP client Optional. Specifying the threshold for sending trap messages Optional. Setting the DSCP value for DHCP packets Optional. Configuring an address pool on the DHCP server Configuration task list Task Remarks Creating a DHCP address pool Required.
  • Page 49: Configuring Address Allocation Mode For A Common Address Pool

    Configuring address allocation mode for a common address pool CAUTION: You can configure either a static binding or dynamic address allocation for a common address pool, but not both. You must specify a subnet for dynamic address allocation. A static binding is a special address pool containing only one IP address.
  • Page 50 Step Command Remarks: ...client-identifier. Step: Specify the lease duration for the IP address; Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }; Remarks: Optional. By default, the lease duration of the IP address is unlimited.
  • Page 51: Configuring Dynamic Address Allocation For An Extended Address Pool

    Configuring dynamic address allocation for an extended address pool Extended address pools support dynamic address allocation only. When you configure an extended address pool, specify: • Assignable IP address range • Mask After the assignable IP address range and the mask are specified, the address pool becomes valid. To configure dynamic address allocation for an extended address pool: Step Command...
  • Page 52: Configuring DNS Servers For The Client

    Configuring DNS servers for the client To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool. To configure DNS servers in a DHCP address pool: Step Command Remarks...
  • Page 53: Configuring Gateways For The Client

    To configure the BIMS server IP address, port number, and shared key in the DHCP address pool: Step: Enter system view; Command: system-view. Step: Enter DHCP address pool view; Command: dhcp server ip-pool pool-name [ extended ]. Step: Specify the BIMS server IP address, port number, and...; Command: bims-server ip ip-address [ port...; Remarks: No BIMS server information is...
  • Page 54: Configuring The TFTP Server And Bootfile Name For The Client

    Step Command Remarks string is specified by default. Configuring the TFTP server and bootfile name for the client For the DHCP server to support client auto-configuration, specify the IP address or name of a TFTP server and the bootfile name in the DHCP address pool. You do not need to perform any configuration on the DHCP client.
  • Page 55: Configuring Self-Defined DHCP Options

    Configuring self-defined DHCP options CAUTION: Be careful when configuring self-defined DHCP options because such configuration may affect DHCP operation. By configuring self-defined DHCP options, you can: • Define new DHCP options—New configuration options come out with DHCP development. To support these new options, you can add them into the attribute list of the DHCP server. •...
  • Page 56: Enabling The DHCP Server On An Interface

    Step: Enter system view; Command: system-view. Step: Enable DHCP; Command: dhcp enable; Remarks: Disabled by default. Enabling the DHCP server on an interface Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns an IP address and other configuration parameters from the DHCP address pool to the DHCP client.
  • Page 57: Configuring The DHCP Server Security Functions

    this address pool, address allocation fails, and the DHCP server does not assign the client any IP address from other address pools. Only an extended address pool can be applied on the interface. The address pool to be applied must already exist.
  • Page 58: Enabling Client Offline Detection

    • If it receives no response, the server continues to ping the IP address until a specific number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. (The DHCP client probes the IP address by sending gratuitous ARP packets.) To configure IP address conflict detection: Step Command...
  • Page 59: Configuration Procedure

    Configuration procedure To enable the DHCP server to handle Option 82: Step: Enter system view; Command: system-view. Step: Enable the server to handle Option 82; Command: dhcp server relay information enable; Remarks: Optional. Enabled by default. Specifying the threshold for sending trap messages Configuration prerequisites Before performing the configuration, use the snmp-agent target-host command to specify the...
  • Page 60: Displaying And Maintaining The DHCP Server

    Displaying and maintaining the DHCP server IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again. Task Command Remarks...
  • Page 61: Dynamic IP Address Assignment Configuration Example

    The client ID of VLAN-interface 2 on Switch B is: 3030-3066-2e65-3234-392e-3830-3530-2d56-6c61-6e2d-696e-7465-7266-6163-6532.
    Figure 29 Network diagram
    Configuration procedure
    Configure the IP address of VLAN-interface 2 on Switch A:
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 10.1.1.1 25
    [SwitchA-Vlan-interface2] quit
    Configure the DHCP server:
    # Enable DHCP.
  • Page 62 • The IP addresses of VLAN-interfaces 1 and 2 on Switch A are 10.1.1.1/25 and 10.1.1.129/25 respectively. • In address pool 10.1.1.0/25, configure the address lease duration as 10 days and 12 hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, gateway 10.1.1.126/25, and WINS server 10.1.1.4/25.
  • Page 63: Self-Defined Option Configuration Example

    [SwitchA-dhcp-pool-0] quit
    # Configure DHCP address pool 1 (subnet, gateway, lease duration, and WINS server).
    [SwitchA] dhcp server ip-pool 1
    [SwitchA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128
    [SwitchA-dhcp-pool-1] gateway-list 10.1.1.126
    [SwitchA-dhcp-pool-1] expired day 10 hour 12
    [SwitchA-dhcp-pool-1] nbns-list 10.1.1.4
    [SwitchA-dhcp-pool-1] quit
    # Configure DHCP address pool 2 (subnet, gateway, and lease duration).
    [SwitchA] dhcp server ip-pool 2
    [SwitchA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
    [SwitchA-dhcp-pool-2] expired day 5...
  • Page 64: Troubleshooting Dhcp Server Configuration

    # Configure DHCP address pool 0.
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    [SwitchA-dhcp-pool-0] option 43 hex 80 0B 00 00 02 01 02 03 04 02 02 02 02
    Verifying the configuration
    After the preceding configuration is complete, Switch B can obtain its IP address on 10.1.1.0/24 and the PXE server addresses from Switch A.
  • Page 65: Configuring The Dhcp Relay Agent

    Configuring the DHCP relay agent Overview The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, centralizes management, and reduces investment. An MCE device serving as the DHCP relay agent can forward DHCP packets not only between a DHCP server and clients on a public network, but also between a DHCP server and clients on a private network.
  • Page 66: Dhcp Relay Agent Support For Option 82

    Figure 33 DHCP relay agent work process As shown in Figure 33, after receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response to the relay agent, and the relay agent conveys it to the client.
  • Page 67: Dhcp Relay Agent Configuration Task List

    If a DHCP request has… | Handling strategy | Padding format | The DHCP relay agent…
     | | Verbose | Forwards the message after adding the Option 82 padded in verbose format.
     | | User-defined | Forwards the message after adding the user-defined Option 82.
    DHCP relay agent configuration task list
    Task | Remarks
    Enabling DHCP...
  • Page 68: Correlating A Dhcp Server Group With A Relay Agent Interface

    Step | Command | Remarks
    Enable the DHCP relay agent on the current interface. | dhcp select relay | With DHCP enabled, an interface operates in the DHCP server mode.
    Correlating a DHCP server group with a relay agent interface
    To improve availability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
  • Page 69: Configuring The Dhcp Relay Agent Security Functions

    Configuring the DHCP relay agent security functions Configuring address check Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks by using fixed IP addresses.
  • Page 70: Enabling Unauthorized Dhcp Server Detection

    • If the server returns a DHCP-NAK message, the relay agent keeps the entry.
    To configure periodic refresh of dynamic client entries:
    Step | Command | Remarks
    Enter system view. | system-view |
    Enable periodic refresh of dynamic client entries. | dhcp relay security refresh enable | Optional. Enabled by default.
  • Page 71: Enabling Client Offline Detection

    Step | Command | Remarks
    Enter interface view. | interface interface-type interface-number |
    Enable address check. | dhcp relay check mac-address | The default setting is disabled.
    A DHCP relay agent changes the source MAC addresses of DHCP packets before forwarding them out. Therefore, enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients.
  • Page 72: Configuring The Dhcp Relay Agent To Handle Option 82

    Configuring the DHCP relay agent to handle Option 82 Configuration prerequisites Before performing this configuration, complete the following tasks: Enable DHCP. Enable the DHCP relay agent on the specified interface. Correlate a DHCP server group with relay agent interfaces. To support Option 82, perform related configurations on both the DHCP server and relay agent. For more information about DHCP server configuration, see "Configuring the DHCP server"...
  • Page 73: Setting The Dscp Value For Dhcp Packets

    Step Command Remarks • Configure the padding content for the circuit ID sub-option: dhcp relay information circuit-id Optional. Configure string circuit-id By default, the padding content user-defined Option • Configure the padding content for depends on the padding format of the remote ID sub-option: Option 82.
  • Page 74: Dhcp Relay Agent Configuration Examples

    DHCP relay agent configuration examples DHCP relay agent configuration example Network requirements As shown in Figure 34, the DHCP relay agent forwards messages between DHCP clients and the DHCP server. Figure 34 Network diagram DHCP client DHCP client Vlan-int1 Vlan-int2 10.10.1.1/24 10.1.1.2/24 Vlan-int2...
  • Page 75: Dhcp Relay Agent Option 82 Support Configuration Example

    DHCP relay agent Option 82 support configuration example Network requirements As shown in Figure 34, the DHCP relay agent (Switch A) replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Switch B). • The circuit ID sub-option is company001. •...
  • Page 76: Configuring Dhcp Client

    Configuring DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP address from the DHCP server. Configuration restrictions • The DHCP client configuration is supported only on Layer 3 Ethernet interfaces, VLAN interfaces, and Layer 3 aggregate interfaces.
  • Page 77: Displaying And Maintaining The Dhcp Client

    Displaying and maintaining the DHCP client Task Command Remarks display dhcp client [ verbose ] [ interface Display specified interface-type interface-number ] [ | { begin | Available in any view. configuration information. exclude | include } regular-expression ] DHCP client configuration example Network requirements On a LAN, Switch B contacts the DHCP server through VLAN-interface 2 to obtain an IP address, DNS server address, and static route information, as shown in...
  • Page 78: Verifying The Configuration

    # Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    [SwitchA-dhcp-pool-0] expired day 10
    [SwitchA-dhcp-pool-0] dns-list 20.1.1.1
    [SwitchA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
    Configure Switch B:
    # Enable the DHCP client on VLAN-interface 2.
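The Option 121 hex string in the pool configuration above is entered by hand, so it is worth decoding and checking before it is committed. The following is an added Python example, not code from the HPE manual; it assumes the RFC 3442 classless static route encoding, and the function names are hypothetical.

```python
"""Decode and check a DHCP Option 121 payload (classless static routes, RFC 3442).

Added example; function names are hypothetical and not part of any HPE tool.
"""
import ipaddress


def parse_option_121(hex_text):
    """Return [(IPv4Network, IPv4Address next hop), ...] from a hex payload string."""
    data = bytes.fromhex("".join(hex_text.split()))
    routes, i = [], 0
    while i < len(data):
        width = data[i]                      # prefix length in bits
        i += 1
        if width > 32:
            raise ValueError(f"prefix length {width} exceeds 32")
        n = (width + 7) // 8                 # only the significant octets are sent
        if i + n + 4 > len(data):
            raise ValueError("payload truncated inside a route descriptor")
        dest = data[i:i + n] + bytes(4 - n)  # pad the destination back to 4 octets
        i += n
        # strict=True rejects host bits set beyond the prefix
        # (a strictness choice made by this example).
        network = ipaddress.IPv4Network((int.from_bytes(dest, "big"), width), strict=True)
        next_hop = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        routes.append((network, next_hop))
    return routes


def encode_option_121(routes):
    """Build the hex string for 'option 121 hex ...' from (network, next hop) pairs."""
    out = bytearray()
    for network, next_hop in routes:
        network = ipaddress.IPv4Network(network)
        out.append(network.prefixlen)
        out += network.network_address.packed[:(network.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(next_hop).packed
    return " ".join(f"{b:02X}" for b in out)


def next_hops_outside(routes, served_subnet):
    """Return the routes whose next hop is not inside the subnet the pool serves."""
    subnet = ipaddress.IPv4Network(served_subnet)
    return [(net, hop) for net, hop in routes if hop not in subnet]


if __name__ == "__main__":
    payload = "18 14 01 01 0A 01 01 02"      # value taken from the configuration above
    pool = "10.1.1.0/24"                     # 'network 10.1.1.0 mask 255.255.255.0'
    routes = parse_option_121(payload)
    for net, hop in routes:
        print(f"route {net} via {hop}")
    for net, hop in next_hops_outside(routes, pool):
        print(f"WARNING: next hop {hop} for {net} is not in {pool}")
```

A client cannot reach a next hop that lies outside its own subnet, so a non-empty result from `next_hops_outside` points to a mistyped payload.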
  • Page 79: Configuring Dhcp Snooping

    Configuring DHCP snooping A DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server. DHCP snooping functions DHCP snooping can: Make sure that DHCP clients obtain IP addresses from authorized DHCP servers.
  • Page 80: Application Environment Of Trusted Ports

    Application environment of trusted ports Configuring a trusted port connected to a DHCP server Figure 36 Configuring trusted and untrusted ports As shown in Figure 36, the DHCP snooping device port that is connected to an authorized DHCP server should be configured as a trusted port. The trusted port forwards response messages from the authorized DHCP server to the client, but the untrusted port does not forward response messages from the unauthorized DHCP server.
  • Page 81: Dhcp Snooping Support For Option 82

    Figure 37 Configuring trusted ports in a cascaded network Table 4 Roles of ports Trusted port disabled from Trusted port enabled to Device Untrusted port recording binding entries record binding entries Switch A GigabitEthernet 1/0/1 GigabitEthernet 1/0/3 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3 and Switch B GigabitEthernet 1/0/1 GigabitEthernet 1/0/2...
  • Page 82: Dhcp Snooping Configuration Task List

    If a DHCP request has… | Handling strategy | Padding format | The DHCP snooping device…
     | | verbose | Forwards the message after replacing the original Option 82 with the Option 82 padded in verbose format.
     | | user-defined | Forwards the message after replacing the original Option 82 with the user-defined Option 82.
  • Page 83: Configuring Dhcp Snooping Basic Functions

    Configuring DHCP snooping basic functions Configuration guidelines Follow these guidelines to configure DHCP snooping basic functions: • Specify the ports connected to authorized DHCP servers as trusted to make sure DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.
  • Page 84: Configuring Dhcp Snooping To Support Option 82

    Configuring DHCP snooping to support Option 82 Configuration guidelines Follow these guidelines to configure DHCP snooping to support Option 82: • You can only configure DHCP snooping to support Option 82 on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. •...
  • Page 85: Configuring Dhcp Snooping Entries Backup

    Step Command Remarks Optional. By default: • • The padding format for Option Configure the padding format 82 is normal. for Option 82: • dhcp-snooping information The code type for the circuit ID format { normal | private sub-option depends on the private | standard |verbose padding format of Option 82.
  • Page 86: Enabling Dhcp Starvation Attack Protection

    To configure DHCP snooping entries backup:
    Step | Command | Remarks
    Enter system view. | system-view |
    Specify the name of the file for storing DHCP snooping entries. | dhcp-snooping binding database filename | Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the...
  • Page 87: Enabling Dhcp-Request Message Attack Protection

    Step | Command | Remarks
    Enter system view. | system-view |
    Enter interface view. | interface interface-type interface-number |
    Enable MAC address check. | dhcp-snooping check mac-address | Disabled by default.
    Enabling DHCP-REQUEST message attack protection
    Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses.
  • Page 88: Enabling Dhcp Snooping To Record Option 55 And Option 60

    To configure DHCP packet rate limit:
    Step | Command | Remarks
    Enter system view. | system-view |
    Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number |
    Configure the maximum rate of incoming DHCP packets. | dhcp-snooping rate-limit rate | Not configured by default.
    Enabling DHCP snooping to record Option 55 and Option 60
    The DHCP snooping device reads DHCP-REQUEST messages to record the clients' Option 55 and...
  • Page 89: Displaying And Maintaining Dhcp Snooping

    Displaying and maintaining DHCP snooping Task Command Remarks display dhcp-snooping [ ip ip-address ] [ verbose ] [ | { begin | Display DHCP snooping entries. Available in any view. exclude | include } regular-expression ] display dhcp-snooping information Display Option 82 configuration { all | interface interface-type information on the DHCP snooping Available in any view.
  • Page 90: Dhcp Snooping Option 82 Support Configuration Example

    Figure 38 Network diagram
    Configuration procedure
    # Enable DHCP snooping.
    <SwitchB> system-view
    [SwitchB] dhcp-snooping
    # Specify GigabitEthernet 1/0/1 as trusted.
    [SwitchB] interface GigabitEthernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
    [SwitchB-GigabitEthernet1/0/1] quit
    DHCP snooping Option 82 support configuration example
    Network requirements
    As shown in Figure 38, Switch B replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Switch A).
  • Page 91
    # Configure GigabitEthernet 1/0/3 to support Option 82.
    [SwitchB] interface GigabitEthernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information enable
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information strategy replace
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information format verbose node-identifier sysname
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information circuit-id format-type ascii
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping information remote-id format-type ascii...
  • Page 92: Configuring Bootp Client

    Configuring BOOTP client Overview BOOTP application After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get information (such as IP address) from the BOOTP server. To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server.
  • Page 93: Configuring An Interface To Dynamically Obtain An Ip Address Through Bootp

    Configuring an interface to dynamically obtain an IP address through BOOTP To configure an interface to dynamically obtain an IP address: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Configure interface By default, an interface does not dynamically obtain an IP address ip address bootp-alloc use BOOTP to obtain an IP...
  • Page 94: Configuring Ipv4 Dns

    Configuring IPv4 DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic.
  • Page 95: Dns Proxy

    Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query next time. The aged mappings are removed from the cache after some time, and latest entries are required from the DNS server.
  • Page 96: Dns Spoofing

    The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client. If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.
  • Page 97: Configuring The Ipv4 Dns Client

    When forwarding the HTTP request through the dial-up interface, the device establishes a dial-up connection with the network and dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms. When the DNS reply ages out, the host sends a DNS request to the device again. Then the device operates the same as a DNS proxy.
  • Page 98: Configuring The Dns Proxy

    Step Command Remarks system-view Enter system view. Enable dynamic domain dns resolve Disabled by default. name resolution. • (Approach 1) In system view: dns server ip-address • Use at least one approach. (Approach 2) In interface view: Specify a DNS server. a.
  • Page 99: Setting The Dscp Value For Dns Packets

    Step | Command | Remarks
    Enter system view. | system-view |
    Enable DNS spoofing and specify the translated IP address. | dns spoofing ip-address | Disabled by default.
    Setting the DSCP value for DNS packets
    Step | Command | Remarks
    Enter system view. | system-view |
    Set the DSCP value for DNS packets. | dns dscp dscp-value | Optional. By default, the DSCP value is 0.
  • Page 100: Ipv4 Dns Configuration Examples

    Task Command Remarks regular-expression ] display dns host ip [ | { begin | Display the information of the exclude | include } dynamic IPv4 domain name Available in any view. cache. regular-expression ] Clear the information of the reset dns host ip dynamic IPv4 domain name Available in user view.
  • Page 101: Dynamic Domain Name Resolution Configuration Example

    Dynamic domain name resolution configuration example Network requirements As shown in Figure 43, the device wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution.
  • Page 102 c. On the DNS server configuration page, right-click zone com, and select New Host. Figure 45 Adding a host d. On the page that appears, enter host name host and IP address 3.1.1.1. e. Click Add Host. The mapping between the IP address and host name is created. Figure 46 Adding a mapping between domain name and IP address...
  • Page 103: Dns Proxy Configuration Example

    Configure the DNS client:
    # Enable dynamic domain name resolution.
    <Sysname> system-view
    [Sysname] dns resolve
    # Specify the DNS server 2.1.1.2.
    [Sysname] dns server 2.1.1.2
    # Configure com as the name suffix.
    [Sysname] dns domain com
    Verifying the configuration
    # Use the ping host command on the device to verify that the communication between the device and the host is normal, and that the corresponding destination IP address is 3.1.1.1.
  • Page 104 Figure 47 Network diagram Configuration procedure Before performing the following configuration, assume that Device A, the DNS server, and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure Configure the DNS server: This configuration may vary with DNS servers.
  • Page 105: Troubleshooting Ipv4 Dns Configuration

    Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
    --- host.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/3 ms
    Troubleshooting IPv4 DNS configuration
    Symptom
    After enabling dynamic domain name resolution, the user cannot get the correct IP address.
    Solution
    Use the display dns host ip command to verify that the specified domain name is in the cache.
  • Page 106: Configuring Ip Forwarding Basics

    Configuring IP forwarding basics Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table.
  • Page 107 Task Command Remarks display fib [ vpn-instance Display FIB information vpn-instance-name ] ip-address [ mask | matching the specified Available in any view. mask-length ] [ | { begin | exclude | include } destination IP address. regular-expression ]...
  • Page 108: Configuring Irdp

    Configuring IRDP Overview As an extension of the Internet Control Message Protocol (ICMP), the ICMP Router Discovery Protocol (IRDP) enables hosts to discover the IP addresses of their neighboring routers and set their default routes. NOTE: The hosts in this chapter support IRDP. Background Before a host can send packets to another network, it must know the IP address of at least one router on the local subnet.
  • Page 109: Concepts

    Concepts The following concepts apply to IRDP. Preference of an IP address Every IP address advertised in RAs has a preference value. The IP address with the highest preference is selected as the default router address. You can configure the preference for IP addresses advertised on a router interface. The larger the preference value, the higher the preference.
  • Page 110: Irdp Configuration Example

    Step | Command | Remarks
    Enable IRDP on the interface. | ip irdp | Disabled by default.
    Configure the preference of advertised IP addresses. | ip irdp preference preference-value | Optional. The preference defaults to 0. The specified preference applies to all advertised IP addresses, including the primary IP address and the manually configured secondary IP addresses of the interface.
  • Page 111: Configuration Procedure

    Figure 48 Network diagram
    Configuration procedure
    Configure Switch A:
    # Specify the IP address for VLAN-interface 100.
    <SwitchA> system-view
    [SwitchA] interface Vlan-interface 100
    [SwitchA-Vlan-interface100] ip address 10.154.5.1 24
    # Enable IRDP on VLAN-interface 100.
    [SwitchA-Vlan-interface100] ip irdp
    # Specify preference 1000 for the IP address of VLAN-interface 100.
    [SwitchA-Vlan-interface100] ip irdp preference 1000
    # Configure the multicast address 224.0.0.1 as the destination IP address for RAs sent by VLAN-interface 100.
  • Page 112: Verifying The Configuration

    Verifying the configuration
    After enabling IRDP on Host A and Host B, display the routing table for the hosts (Host A for example).
    [HostA@localhost ~]$ netstat -rne
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.154.5.0 0.0.0.0 255.255.255.0 0 eth1...
  • Page 113: Configuring Ip Performance Optimization

    Configuring IP performance optimization This chapter describes multiple features for IP performance optimization. The term "interface" in the IP performance optimization features collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
  • Page 114: Configuration Example

    Configuration example Network requirements As shown in Figure 49, the default gateway of the host is the IP address 1.1.1.2/24 of VLAN-interface 3 of Switch A. Configure receiving and forwarding of directed broadcasts on the switch so that the server can receive directed broadcasts from the host to IP address 2.2.2.255.
  • Page 115: Configuring The Tcp Send/Receive Buffer Size

    NOTE: • If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device fragments packets. • An ICMP error message received from a router that does not support RFC 1191 has the MTU of the outgoing interface set to 0.
  • Page 116: Configuring Icmp To Send Error Packets

    If a non-FIN packet is received, the system restarts the timer upon receiving the last non-FIN packet. The connection is broken after the timer expires.
    The actual length of the finwait timer is determined by the following formula:
    Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer
    To configure TCP timers:
    Step...
  • Page 117: Disadvantages Of Sending Icmp Error Packets

    Conditions for sending an ICMP destination unreachable packet: If neither a route nor the default route for forwarding a packet is available, the device sends a "network unreachable" ICMP error packet. If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the device sends a "protocol unreachable"...
  • Page 118: Icmp Extensions For Mpls

    ICMP extensions for MPLS In MPLS networks, when a packet's TTL expires, MPLS strips the MPLS header, encapsulates the remaining datagram into an ICMP time exceeded message, and sends the message to the egress router of the MPLS tunnel. Then the egress router sends the message back to the ingress router of the tunnel.
  • Page 119: Displaying And Maintaining Ip Performance Optimization

    Step | Command | Remarks
    Enter system view. | system-view |
    Enable support for ICMP extensions in compliant mode. | ip icmp-extensions compliant | Optional. Disabled by default.
    Enable support for ICMP extensions in non-compliant mode. | ip icmp-extensions non-compliant | Optional. Disabled by default.
    After support for ICMP extensions is disabled, no ICMP message sent by the device contains extension information.
  • Page 120: Configuring Udp Helper

    Configuring UDP helper UDP helper enables a device to convert received UDP broadcast packets into unicast packets and forward them to a specific server. UDP helper is suitable for the scenario where hosts cannot obtain configuration information or device names by broadcasting packets because the target server or host resides on another broadcast domain.
  • Page 121: Displaying And Maintaining Udp Helper

    Step Command Remarks udp-helper server [ vpn-instance No destination server is Specify a destination server. specified by default. vpn-instance-name ] ip-address Displaying and maintaining UDP helper Task Command Remarks display udp-helper server [ interface interface-type interface-number ] [ | Display information about packets Available in any view.
  • Page 122
    [SwitchA-Vlan-interface1] ip address 10.110.1.1 16
    [SwitchA-Vlan-interface1] udp-helper server 10.2.1.1...
  • Page 123: Configuring Ipv6 Basics

    Configuring IPv6 basics Overview Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
  • Page 124: Ipv6 Addresses

    • Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server). • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
  • Page 125 IPv6 address types IPv6 addresses fall into the following types: • Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address. •...
  • Page 126
    Table 8 Reserved IPv6 multicast addresses
    Address | Application
    FF01::1 | Node-local scope all-nodes multicast address
    FF02::1 | Link-local scope all-nodes multicast address
    FF01::2 | Node-local scope all-routers multicast address
    FF02::2 | Link-local scope all-routers multicast address
    FF05::2 | Site-local scope all-routers multicast address
    Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate addresses.
  • Page 127: Ipv6 Neighbor Discovery Protocol

    IPv6 neighbor discovery protocol The IPv6 Neighbor Discovery (ND) protocol uses the following types of ICMPv6 messages to implement the following functions: • Address resolution • Neighbor reachability detection • Duplicate address detection • Router/prefix discovery and address autoconfiguration • Redirection Table 9 lists the types and functions of ICMPv6 messages used by the ND protocol.
  • Page 128 After receiving the NS message, Host B determines whether the destination address of the packet is its solicited-node multicast address. If it is, Host B learns the link-layer address of Host A, and then unicasts an NA message containing its link-layer address. Host A acquires the link-layer address of Host B from the NA message.
  • Page 129: Ipv6 Path Mtu Discovery

    In addition to an address prefix, the Prefix Information option also contains the preferred lifetime and valid lifetime of the address prefix. Nodes update the preferred lifetime and valid lifetime accordingly through periodic RA messages. An automatically generated address is applicable within the valid lifetime and is removed when the valid lifetime expires.
  • Page 130: Protocols And Standards

    Dual stack Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can forward both IPv4 and IPv6 packets. For an upper layer application that supports both IPv4 and IPv6, either TCP or UDP can be selected at the transport layer, whereas the IPv6 stack is preferred at the network layer.
  • Page 131: Configuring Basic Ipv6 Functions

    Task Remarks Configuring the maximum number of attempts to Optional. send an NS message for DAD Configuring ND snooping Optional. Enabling ND proxy Optional. Configuring a static path MTU for a specified IPv6 Optional. address Configuring path MTU discovery Configuring the aging time for dynamic path MTUs Optional.
  • Page 132 • If a global unicast address has been automatically generated on an interface when you manually configure another one with the same address prefix, the latter overwrites the previous. The overwritten automatic global unicast address is not restored even if the manual one is removed.
  • Page 133: Configuring An Ipv6 Link-Local Address

    function configured on an IEEE 802 interface, the system can generate two addresses, public IPv6 address and temporary IPv6 address. • Public IPv6 address—Comprises an address prefix provided by the RA message, and a fixed interface ID generated based on the MAC address of the interface. •...
  • Page 134: Configure An Ipv6 Anycast Address

    • If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one. • If you first use manual assignment and then automatic generation, the automatically generated link-local address does not take effect and the link-local address is still the manually assigned one.
  • Page 135: Configuring Ipv6 Nd

    Step | Command | Remarks
    Enter system view. | system-view |
    Enter interface view. | interface interface-type interface-number |
    Configure an IPv6 anycast address. | ipv6 address ipv6-address/prefix-length anycast | Optional. By default, no IPv6 anycast address is configured on an interface.
    Configuring IPv6 ND
    The following topics apply to configuring IPv6 ND.
    Configuring a static neighbor entry
    The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry.
  • Page 136: Setting The Age Timer For Nd Entries In Stale State

    Optional. By default, a Layer 2 interface does not limit the number of neighbors dynamically learned. Configure the maximum For HPE 5800 series switches, a number of neighbors ipv6 neighbors Layer 3 interface can dynamically dynamically learned by an max-learning-num number learn a maximum of 8192 interface.
  • Page 137 Parameters Description stateless autoconfiguration to acquire IPv6 addresses and generate IPv6 addresses according to their own link-layer addresses and the obtained prefix information. Determines whether hosts use stateful autoconfiguration to acquire other configuration information. O flag If the O flag is set to 1, hosts use stateful autoconfiguration (for example, through a DHCP server) to acquire other configuration information.
  • Page 138: Configuring The Maximum Number Of Attempts To Send An Ns Message For Dad

    Step Command Remarks seconds (30 days) and preferred lifetime 604,800 seconds (7 days). Optional. Turn off the MTU option in ipv6 nd ra no-advlinkmtu By default, RA messages contain the RA messages. MTU option. Optional. ipv6 nd autoconfig By default, the M flag bit is set to 0 and Set the M flag bit to 1.
  • Page 139: Configuring Nd Snooping

    Step | Command | Remarks
    Enter system view. | system-view |
    Enter interface view. | interface interface-type interface-number |
    Configure the number of attempts to send an NS message for DAD. | ipv6 nd dad attempts value | Optional. The default is 1. When the value argument is set to 0, DAD is...
  • Page 140 To check the validity of the received ND packet (packet A for example), the device sends out a DAD NS message including the source IPv6 address of packet A. If a corresponding NA message (whose source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of packet A) is received, the device updates the aging time of the entry.
  • Page 141: Enabling Nd Proxy

    Enabling ND proxy ND proxy supports the NS and NA messages only. About ND proxy If a host sends an NS message requesting the hardware address of another host that is isolated from the sending host at Layer 2, the device in between must be able to forward the NS message to allow Layer 3 communication between the two hosts.
  • Page 142: Configuring Path Mtu Discovery

    To solve this problem, enable local ND proxy on VLAN-interface 2 of Switch A so that Switch A can forward messages between Host A and Host B. Local ND proxy implements Layer 3 communication for two hosts in the following cases: The two hosts must connect to different isolated Layer 2 ports of a VLAN.
  • Page 143: Configuring The Aging Time For Dynamic Path Mtus

    Configuring the aging time for dynamic path MTUs After the path MTU from a source host to a destination host is dynamically determined (see "IPv6 path MTU discovery"), the source host sends subsequent packets to the destination host based on this MTU.
  • Page 144: Configuring The Maximum Icmpv6 Error Packets Sent In An Interval

    Configuring the maximum ICMPv6 error packets sent in an interval If too many ICMPv6 error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of ICMPv6 error packets sent within a specified time by adopting the token bucket algorithm.
  • Page 145: Enabling Sending Icmpv6 Destination Unreachable Messages

    • Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the device starts a timer. If the timer expires before all the fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source. If large quantities of malicious packets are received, the performance of a device degrades greatly because it must send back ICMP Time Exceeded messages.
  • Page 146: Enabling A Device To Discard Ipv6 Packets That Contain Extension Headers

    device from such attacks, you can use the undo form of the following command to disable sending ICMPv6 redirect packets. To enable sending ICMPv6 redirect messages:
    Step: 1. Enter system view
    Command: system-view
    Step: 2. Enable sending ICMPv6 redirect messages
    Command: ipv6 redirects enable
    Remarks: Optional. By default, this function is disabled.
  • Page 147: Ipv6 Basics Configuration Example

    Task: Display the total number of neighbor entries satisfying the...
    Command: display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count [ | { begin...
    Remarks: Available in any view.
  • Page 148: Configuration Procedure

    Figure 58 Network diagram
    The VLAN interfaces have been created on the switch.
    Configuration procedure
    Configure Switch A:
    # Enable IPv6.
    <SwitchA> system-view
    [SwitchA] ipv6
    # Specify a global unicast address for VLAN-interface 2.
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ipv6 address 3001::1/64
    [SwitchA-Vlan-interface2] quit
    # Specify a global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).
  • Page 149: Verifying The Configuration

    bytes=56 Sequence=3 hop limit=64 time = 3 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 9 ms
    --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/9 ms
    # Display the neighbor information of GigabitEthernet 1/0/2 on Switch A.
    [SwitchA] display ipv6 neighbors interface GigabitEthernet 1/0/2
    Type: S-Static D-Dynamic...
  • Page 150 InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA] display ipv6 interface vlan-interface 1 Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es): FF02::1:FF00:0...
  • Page 151 InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. All IPv6 global unicast addresses configured on the interface are displayed. [SwitchB] display ipv6 interface vlan-interface 2 Vlan-interface2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234...
  • Page 152: Troubleshooting Ipv6 Basics Configuration

    InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on the host, and ping Switch A and the host on Switch B to verify that they are connected. CAUTION: When you ping a link-local address, use the -i parameter to specify an interface for the link-local address.
  • Page 153: Solution

    Solution • Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled. • Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.
  • Page 154: Dhcpv6 Overview

    DHCPv6 overview The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts. Compared with other IPv6 address allocation methods (such as manual configuration and stateless address autoconfiguration), DHCPv6 can: •...
  • Page 155: Iaid

    interfaces, to manage the addresses, prefixes, and other configuration parameters obtained by the interfaces. IAID An IAID uniquely identifies an IA. It is chosen by the client and must be unique among the IAIDs on the client. Binding The DHCPv6 server uses bindings to record the configuration information assigned to DHCPv6 clients, including the IPv6 address/prefix, client DUID, IAID, valid lifetime, preferred lifetime, and lease expiration time.
  • Page 156: Address/Prefix Lease Renewal

    Figure 61 Assignment involving four messages The assignment involving four messages operates as follows: The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters. If the Solicit message does not contain a Rapid Commit option, or if the DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option, the DHCPv6 server responds with an Advertise message, informing the DHCPv6 client of the assignable address/prefix and other configuration parameters.
  • Page 157: Stateless Dhcpv6 Configuration

    Figure 63 Using the Rebind message for address/prefix lease renewal If the DHCPv6 client receives no response from the DHCPv6 servers, the client stops using the address/prefix when the valid lifetime expires. For more information about the valid lifetime and the preferred lifetime, see "Configuring IPv6 basics."...
  • Page 158: Protocols And Standards

    Figure 64 Stateless DHCPv6 operation Protocols and standards • RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6 • RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6) • RFC 2462, IPv6 Stateless Address Autoconfiguration • RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6...
  • Page 159: Configuring Dhcpv6 Server

    Configuring DHCPv6 server This chapter shows how to configure DHCPv6 server. Overview To simplify IPv6 address management and network configuration, you can configure a DHCPv6 server to assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients. As shown in Figure 65, the DHCPv6 client obtains an IPv6 prefix from the server, and sends an RA message containing the prefix information to the subnet where it resides, so that hosts on the subnet...
  • Page 160: Prefix Selection Process

    Prefix selection process To configure a DHCPv6 server to assign IPv6 prefixes to DHCPv6 clients, you must apply an address pool on the receiving interface of the DHCPv6 server. Upon receiving a request, the DHCPv6 server searches all the address pools for a static IPv6 prefix bound to the client. •...
  • Page 161: Configuring The Dhcpv6 Server To Assign Ipv6 Prefixes To Dhcpv6 Clients

    Step: Enter system view.
    Command: system-view
    Step: Enable the DHCPv6 server function.
    Command: ipv6 dhcp server enable
    Remarks: Disabled by default.
    Configuring the DHCPv6 server to assign IPv6 prefixes to DHCPv6 clients
    Use one of the following methods to configure the DHCPv6 server to assign an IPv6 prefix to a DHCPv6 client: •...
  • Page 162: Configuring The Dhcpv6 Server To Assign Ipv6 Addresses To Dhcpv6 Clients

    Step Command Remarks • Configure a static prefix binding: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] Use at least one command. Configure the DHCPv6 • server. Apply a prefix pool to the address Not configured by default.
  • Page 163: Configuring Network Parameters In A Dhcpv6 Address Pool

    Step Command Description • Configure a static IPv6 address binding: static-bind address ipv6-address/addr-prefix-length duid duid [ iaid iaid ] [ preferred-lifetime Use at least one preferred-lifetime valid-lifetime command. Configure the DHCPv6 valid-lifetime ] server. Not configured by • Specify a subnet in the DHCPv6 address default.
  • Page 164: Setting The Dscp Value For Dhcpv6 Packets

    • A nonexistent address pool can be applied to an interface, but the server cannot assign any prefix, address, or other configuration information from the address pool until the address pool is created. • You cannot modify the address pool applied to an interface or parameters such as the server priority by using the ipv6 dhcp server command.
  • Page 165: Configuration Examples

    Task: Display information about IPv6 prefix bindings.
    Command: display ipv6 dhcp server pd-in-use { all | pool pool-number | prefix prefix/prefix-len | prefix-pool prefix-pool-number } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
    Task: Display packet statistics on...
    Command: display ipv6 dhcp server statistics [ | { begin |...
    Remarks: Available in any view.
  • Page 166 Figure 66 Network diagram
    Configuration procedure
    # Enable IPv6 and DHCPv6 server.
    <Switch> system-view
    [Switch] ipv6
    [Switch] ipv6 dhcp server enable
    # Configure the IPv6 address of VLAN-interface 2.
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ipv6 address 1::1/64
    # Disable RA message suppression.
    [Switch-Vlan-interface2] undo ipv6 nd ra halt
    # Set the M flag in the RA message to 1.
  • Page 167 [Switch-dhcp6-pool-1] quit
    # Enable the DHCPv6 server on VLAN-interface 2, apply address pool 1 to the interface, configure the address pool to support desired prefix assignment and rapid prefix assignment, and set the precedence to the highest.
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
    Verifying the configuration...
  • Page 168: Static Ipv6 Address Assignment Configuration Example

    # After the other client obtains an IPv6 prefix, display the binding information on the DHCPv6 server.
    [Switch-Vlan-interface2] display ipv6 dhcp server pd-in-use all
    Total number = 2
    Prefix Type Pool Expiration time
    2001:410:201::/48 Static(C) 1 Jul 10 2011 19:45:01
    2001:410::/48 Auto(C) Jul 10 2011 20:44:05...
  • Page 169 # In address pool 1, bind IPv6 address 1::A/124 with the client whose DUID is FF00010006498D3322000102030405, and bind 1::B/124 with the client whose DUID is 00030001CA0006A40000. Set their preferred lifetime to one day and valid lifetime to three days.
    [Switch-dhcp6-pool-1] static-bind address 1::A/124 duid FF00010006498D3322000102030405 preferred-lifetime 86400 valid-lifetime 259200
    [Switch-dhcp6-pool-1] static-bind address 1::B/124 duid 00030001CA0006A40000 preferred-lifetime 86400 valid-lifetime 259200...
  • Page 170: Dynamic Ipv6 Address Assignment Configurations Example

    DUID: 00030001CA0006A40000
    IAID: 0x1
    Address: 1::B
    Preferred lifetime 604800, valid lifetime 2592000
    Expires at Dec 23 2010 13:47:52 (2588194 seconds left)
    Dynamic IPv6 address assignment configurations example
    Network requirements
    As shown in Figure 68, the switch serves as the DHCPv6 server. It assigns IPv6 addresses on subnet 1:2::/32 to clients Host A and Host B, and assigns IPv6 addresses on subnet 1:3::/32 to clients Host C and Host D.
  • Page 171 [Switch-Vlan-interface2] ipv6 nd autoconfig managed-address-flag
    [Switch-Vlan-interface2] quit
    # Configure an IPv6 address for interface VLAN-interface 3.
    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] ipv6 address 1:3::1/32
    # Disable RA message suppression.
    [Switch-Vlan-interface3] undo ipv6 nd ra halt
    # Set the M flag in the RA message to 1.
    [Switch-Vlan-interface3] ipv6 nd autoconfig managed-address-flag
    [Switch-Vlan-interface3] quit
    # Create address pool 1, specify subnet 1:2::/32 in the address pool, and set the subnet preferred...
  • Page 172 [Switch] display ipv6 dhcp pool 2
    Pool: 2
    Network: 1:3::/32
    Preferred lifetime 86400, valid lifetime 259200
    # After Host A and Host B have obtained IPv6 addresses, display the IPv6 address binding information on the DHCPv6 server.
    [Switch] display ipv6 dhcp server ip-in-use
    Total number = 2
    Address Type...
  • Page 173: Configuring Dhcpv6 Relay Agent

    Configuring DHCPv6 relay agent A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 69, if the DHCPv6 server resides on another subnet, the DHCPv6 client can contact the server through a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.
  • Page 174: Configuration Prerequisites

    After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server selects an IPv6 address and other required parameters, and adds them to the reply which is encapsulated within the Relay Message option of a Relay-reply message. The DHCPv6 server then sends the Relay-reply message to the DHCPv6 relay agent.
  • Page 175: Configuring Route Addition For Assigned Ipv6 Prefixes On The Dhcpv6 Relay Agent

    Step Command Remarks DHCPv6 relay agent. DHCPv6 packets is 56. Configuring route addition for assigned IPv6 prefixes on the DHCPv6 relay agent The route addition feature enables the DHCPv6 relay agent to automatically add a route to the client's network. The DHCPv6 relay agent learns the client's network from the IPv6 prefix information in the PD option of the received legal DHCPv6 reply message.
  • Page 176: Dhcpv6 Relay Agent Configuration Example

    DHCPv6 relay agent configuration example Network requirements As shown in Figure 71, the network address prefix of DHCPv6 clients is 1::/64, and the IPv6 address of the DHCPv6 server is 2::2/64. The DHCPv6 client and server must communicate through a DHCPv6 relay agent (Switch A).
  • Page 177 Server address(es) Output Interface 2::2 # Display packet statistics on the DHCPv6 relay agent. [SwitchA-Vlan-interface3] display ipv6 dhcp relay statistics Packets dropped Error Excess of rate limit Packets received SOLICIT REQUEST CONFIRM RENEW REBIND RELEASE DECLINE INFORMATION-REQUEST RELAY-FORWARD RELAY-REPLY Packets sent ADVERTISE RECONFIGURE REPLY...
  • Page 178: Configuring Dhcpv6 Client

    Configuring DHCPv6 client Serving as a DHCPv6 client, the device supports only stateless DHCPv6 configuration. That is, the device can obtain only network configuration parameters other than the IPv6 address and prefix from the DHCPv6 server. With an IPv6 address obtained through stateless address autoconfiguration, the device automatically enables the stateless DHCPv6 function after it receives an RA message with the M flag set to 0 and the O flag set to 1.
  • Page 179: Stateless Dhcpv6 Configuration Example

    Command: ...exclude | include } regular-expression ]
    Task: Display DHCPv6 client statistics.
    Command: display ipv6 dhcp client statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
    Task: Display the DUID of the local...
    Command: display ipv6 dhcp duid [ | { begin | exclude |...
    Remarks: Available in any view.
  • Page 180: Verifying The Configuration

    # Enable stateless IPv6 address autoconfiguration on VLAN-interface 2.
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ipv6 address auto
    With this command executed, if VLAN-interface 2 has no IPv6 address configured, Switch A automatically generates a link-local address, and sends an RS message, requesting the gateway (Switch B) to reply with an RA message immediately.
  • Page 181: Configuring Dhcpv6 Snooping

    Configuring DHCPv6 snooping Overview DHCPv6 snooping is a security feature with the following functions: • Guaranteeing that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers • Recording IP-to-MAC mappings of DHCPv6 clients Guaranteeing that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers If DHCPv6 clients obtain invalid IPv6 addresses and network configuration parameters from an unauthorized DHCPv6 server, they are unable to communicate with other network devices.
  • Page 182: Configuration Restrictions

    snooping user-binding command to view the IPv6 address obtained by each client, so you can manage and monitor the clients' IPv6 addresses. Configuration restrictions A DHCPv6 snooping device does not work if it is between a DHCPv6 relay agent and a DHCPv6 server.
  • Page 183: Configuring The Maximum Number Of Dhcpv6 Snooping Entries An Interface Can Learn

    Step Command Remarks enabled are untrusted. Configuring the maximum number of DHCPv6 snooping entries an interface can learn Perform this optional task to prevent an interface from learning too many DHCPv6 snooping entries and to save system resources. To configure the maximum number of DHCPv6 snooping entries an interface can learn: Step Command Remarks...
  • Page 184: Configuring Dhcpv6 Snooping Entry Backup

    Figure 75 Option 37 format The Second Vlan field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 18 or Option 37 also does not contain it. To configure DHCPv6 Snooping to support Option 18 and Option 37: Step Command Remarks...
  • Page 185: Displaying And Maintaining Dhcpv6 Snooping

    To configure DHCPv6 snooping entry backup:
    Step: Enter system view.
    Command: system-view
    Step: Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file.
    Command: ipv6 dhcp snooping binding database filename filename
    Remarks: By default, the DHCPv6 snooping device does not back up the DHCPv6 snooping entries. With this command executed, the DHCPv6...
  • Page 186: Configuration Procedure

    Figure 76 Network diagram
    Configuration procedure
    # Enable DHCPv6 snooping globally.
    <Switch> system-view
    [Switch] ipv6 dhcp snooping enable
    # Add GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 2.
    [Switch] vlan 2
    [Switch-vlan2] port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3
    # Enable DHCPv6 snooping for VLAN 2.
  • Page 187: Configuring Ipv6 Dns

    Configuring IPv6 DNS IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS.
  • Page 188: Setting The Dscp Value For Ipv6 Dns Packets

    Command: ...interface-number ]
    Remarks: ...interface-type and interface-number arguments.
    Step: Configure a DNS suffix.
    Command: dns domain domain-name
    Remarks: Optional. Not configured by default. Only the provided domain name is resolved.
    For more information about the dns resolve and dns domain commands, see Layer 3—IP Services Command Reference.
  • Page 189: Dynamic Domain Name Resolution Configuration Example

    Figure 77 Network diagram
    Configuration procedure
    # Configure a mapping between host name host.com and IPv6 address 1::2.
    <Device> system-view
    [Device] ipv6 host host.com 1::2
    # Enable IPv6 packet forwarding.
    [Device] ipv6
    # Use the ping ipv6 host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.
  • Page 190 Figure 78 Network diagram Configuration procedure Before performing the following configuration, make sure that the device and the host are accessible to each other through available routes, and the IPv6 addresses of the interfaces are configured as shown in the figure. This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2003.
  • Page 191 Figure 80 Creating a record a. On the page that appears, select IPv6 Host (AAAA) as the resource record type, and click Create Record.
  • Page 192 Figure 81 Selecting the resource record type e. On the page that appears, enter host name host and IPv6 address 1::1. f. Click OK. The mapping between the IP address and host name is created.
  • Page 193 Figure 82 Adding a mapping between domain name and IPv6 address
    Configure the DNS client:
    # Enable dynamic domain name resolution.
    <Device> system-view
    [Device] dns resolve
    # Specify the DNS server 2::2.
    [Device] dns server ipv6 2::2
    # Configure com as the DNS suffix.
    [Device] dns domain com
    Verifying the configuration
    # Use the ping ipv6 host command on the device to verify that the communication between the...
  • Page 194 bytes=56 Sequence=3 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=4 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=5 hop limit=126 time = 1 ms
    --- host.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms...
  • Page 195: Configuring Tunneling

    Configuring tunneling Overview Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end.
  • Page 196 Tunnel types IPv6 over IPv4 tunnels fall into manually configured tunnels and automatic tunnels, depending on how the IPv4 address of the tunnel destination is acquired. • Manually configured tunnel—The destination IPv4 address of the tunnel cannot be automatically acquired from the destination IPv6 address of an IPv6 packet at the tunnel source. It must be manually configured.
  • Page 197: Ipv4 Over Ipv4 Tunneling

    Figure 84 Principle of 6to4 tunneling ISATAP tunneling An ISATAP tunnel is a point-to-point automatic tunnel. It provides a solution to connect an IPv6 host to an IPv6 network over an IPv4 network. The destination addresses of IPv6 packets and the IPv6 addresses of tunnel interfaces are all ISATAP addresses.
  • Page 198: Ipv4 Over Ipv6 Tunneling

    b. The IP protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface. c.
  • Page 199: Ipv6 Over Ipv6 Tunneling

    d. The IPv4 protocol stack forwards the IPv4 packet. IPv6 over IPv6 tunneling IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other.
  • Page 200: Configuring A Tunnel Interface

    • On an IRF fabric comprising the HPE 5800 and HPE 5820X switches, only unused Layer 2 Ethernet interfaces on the HPE 5820X can be added to a service loopback group.
  • Page 201
    Step: Enter system view.
    Command: system-view
    Step: Create a tunnel interface and enter its view.
    Command: interface tunnel number
    Remarks: By default, no tunnel interface is created.
    Step: Configure a description for the interface.
    Command: description text
    Remarks: Optional. By default, the description of a tunnel interface is Tunnelnumber Interface.
  • Page 202: Configuring An Ipv6 Manual Tunnel

    Configuring an IPv6 manual tunnel Configuration prerequisites Configure an IP address for the interface (such as a VLAN interface or loopback interface) to be configured as the source interface of the tunnel interface. Configuration guidelines Follow these guidelines when you configure an IPv6 manual tunnel: •...
  • Page 203: Configuration Example

    Step: Configure a source address or interface for the tunnel.
    Command: source { ip-address | interface-type interface-number }
    Remarks: By default, no source address or interface is configured for the tunnel.
    Step: Configure a destination address for the tunnel...
    Command: destination ip-address
    Remarks: By default, no destination address is configured for the tunnel.
  • Page 204 # Assign GigabitEthernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the interface.
    [SwitchA] interface GigabitEthernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] undo stp enable
    [SwitchA-GigabitEthernet1/0/3] undo ndp enable
    [SwitchA-GigabitEthernet1/0/3] undo lldp enable
    [SwitchA-GigabitEthernet1/0/3] port service-loopback group 1
    [SwitchA-GigabitEthernet1/0/3] quit
    # Configure a manual IPv6 tunnel.
  • Page 205 [SwitchB-Tunnel0] service-loopback-group 1
    [SwitchB-Tunnel0] quit
    # Configure a static route to IPv6 Group 1 through Tunnel 0 on Switch B.
    [SwitchB] ipv6 route-static 3002:: 64 tunnel 0
    Verifying the configuration
    # Display the status of the tunnel interfaces on Switch A and Switch B, respectively.
    [SwitchA] display ipv6 interface tunnel 0
    Tunnel0 current state :UP
    Line protocol current state :UP...
  • Page 206: Configuring A 6To4 Tunnel

    bytes=56 Sequence=1 hop limit=64 time = 1 ms
    Reply from 3003::1
    bytes=56 Sequence=2 hop limit=64 time = 1 ms
    Reply from 3003::1
    bytes=56 Sequence=3 hop limit=64 time = 1 ms
    Reply from 3003::1
    bytes=56 Sequence=4 hop limit=64 time = 1 ms
    Reply from 3003::1
    bytes=56 Sequence=5 hop limit=64 time = 1 ms...
  • Page 207: Configuration Example

    Step Command Remarks • Configure an IPv6 global unicast address or a site-local address: ipv6 address { ipv6-address The IPv6 link-local address configuration is optional. prefix-length | By default: ipv6-address/prefix-length } • ipv6 address No IPv6 global unicast address or Configure an IPv6 site-local address is configured for address for the...
  • Page 208 Configuration considerations To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 switches and hosts in the 6to4 networks. • The IPv4 address of VLAN-interface 100 on Switch A is 2.1.1.1/24, and the corresponding 6to4 prefix is 2002:0201:0101::/48 after it is translated to an IPv6 address. Assign interface Tunnel 0 to subnet 2002:0201:0101::/64 and VLAN-interface 101 to subnet 2002:0201:0101:1::/64.
  • Page 209 <SwitchB> system-view
    [SwitchB] ipv6
    # Configure an IPv4 address for VLAN-interface 100.
    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ip address 5.1.1.1 24
    [SwitchB-Vlan-interface100] quit
    # Configure an IPv6 address for VLAN-interface 101.
    [SwitchB] interface vlan-interface 101
    [SwitchB-Vlan-interface101] ipv6 address 2002:0501:0101:1::1/64
    [SwitchB-Vlan-interface101] quit
    # Create service loopback group 1 and specify its service type as tunnel.
  • Page 210: Configuring An Isatap Tunnel

    Configuring an ISATAP tunnel Configuration prerequisites Configure an IP address for the interface (such as a VLAN interface or loopback interface) to be configured as the source interface of the tunnel interface. Configuration guidelines Follow these guidelines when you configure an ISATAP tunnel: •...
  • Page 211: Configuration Example

    Remarks: ...delivery will fail.
    Step: Configure a source address or interface for the tunnel.
    Command: source { ip-address | interface-type interface-number }
    Remarks: By default, no source address or interface is configured for the tunnel.
    Step: Return to system view.
    Command: quit
    Step: Enable dropping of IPv6...
    Remarks: Optional.
  • Page 212 [Switch-GigabitEthernet1/0/3] undo lldp enable
    [Switch-GigabitEthernet1/0/3] port service-loopback group 1
    [Switch-GigabitEthernet1/0/3] quit
    # Configure an ISATAP tunnel.
    [Switch] interface tunnel 0
    [Switch-Tunnel0] ipv6 address 2001::5efe:0101:0101 64
    [Switch-Tunnel0] source vlan-interface 101
    [Switch-Tunnel0] tunnel-protocol ipv6-ipv4 isatap
    # Disable RA suppression so that the ISATAP host can acquire information such as the address prefix from the RA message advertised by the ISATAP switch.
  • Page 213: Configuring An Ipv4 Over Ipv4 Tunnel

    uses Router Discovery
    routing preference 1
    EUI-64 embedded IPv4 address: 2.1.1.2
    router link-layer address: 1.1.1.1
    preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
    preferred link-local fe80::5efe:2.1.1.2, life infinite
    link MTU 1500 (true link MTU 65515)
    current hop limit 255
    reachable time 42500ms (base 30000ms)
    retransmission interval 1000ms
    DAD transmits 0
    default site prefix length 48...
  • Page 214: Configuration Procedure

    you can enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose. For the detailed configuration, see Layer 3—IP Routing Configuration Guide. • The IPv4 address of the local tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface.
  • Page 215 Figure 92 Network diagram
    Configuration procedure
    Make sure that Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other through IPv4.
    • Configure Switch A:
    # Configure an IPv4 address for VLAN-interface 100.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0
    [SwitchA-Vlan-interface100] quit...
  • Page 216 [SwitchA-Tunnel1] quit
    # Configure a static route destined for the IP network Group 2 through interface Tunnel 1.
    [SwitchA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
    • Configure Switch B:
    # Configure an IPv4 address for VLAN-interface 100.
    <SwitchB> system-view
    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ip address 10.1.3.1 255.255.255.0
    [SwitchB-Vlan-interface100] quit
    # Configure an IPv4 address for VLAN-interface 101 (the physical interface of the tunnel).
  • Page 217 Encapsulation is TUNNEL, service-loopback-group ID is 1.
    Tunnel source 2.1.1.1, destination 3.1.1.1
    Tunnel bandwidth 64 (kbps)
    Tunnel protocol/transport IP/IP
    Last clearing of counters: Never
    Last 300 seconds input: 0 bytes/sec, 0 packets/sec
    Last 300 seconds output: 2 bytes/sec, 0 packets/sec
    4 packets input, 256 bytes
    0 input error...
  • Page 218: Configuring An Ipv4 Over Ipv6 Tunnel

    Configuring an IPv4 over IPv6 tunnel Configuration prerequisites Configure an IPv6 address for the interface (such as a VLAN interface or loopback interface) to be configured as the source interface of the tunnel interface. Configuration guidelines Follow these guidelines when you configure an IPv4 over IPv6 tunnel: •...
  • Page 219: Configuration Example

    Configuration example Network requirements As shown in Figure 93, configure an IPv4 over IPv6 tunnel between Switch A and Switch B so the two IPv4 networks can reach each other over the IPv6 network. Figure 93 Network diagram Switch A Switch B Vlan-int101 Vlan-int101...
  • Page 220 # Configure the destination address of interface Tunnel 1 (IP address of VLAN-interface 101 of Switch B).
    [SwitchA-Tunnel1] destination 2002::2:1
    # Apply service loopback group 1 on the tunnel.
    [SwitchA-Tunnel1] service-loopback-group 1
    [SwitchA-Tunnel1] quit
    # Configure a static route destined for the IPv4 network Group 2 through interface Tunnel 1.
    [SwitchA] ip route-static 30.1.3.0 255.255.255.0 tunnel 1
    •...
  • Page 221 Verifying the configuration
    After the configuration, display the status of the tunnel interfaces on Switch A and Switch B, respectively.
    [SwitchA] display interface tunnel 1
    Tunnel1 current state: UP
    Line protocol current state: UP
    Description: Tunnel1 Interface
    The Maximum Transmit Unit is 1460
    Internet Address is 30.1.2.1/24 Primary
    Encapsulation is TUNNEL, service-loopback-group ID is 1.
  • Page 222: Configuring An Ipv6 Over Ipv6 Tunnel

    5 packet(s) received 0.00% packet loss round-trip min/avg/max = 15/21/46 ms Configuring an IPv6 over IPv6 tunnel Configuration prerequisites Configure an IPv6 address for the interface (such as a VLAN interface or loopback interface) to be configured as the source interface of the tunnel interface. Configuration guidelines Follow these guidelines when you configure an IPv6 over IPv6 tunnel: •...
  • Page 223: Configuration Example

    Step Command Remarks • (Approach 1) Configure an IPv6 global unicast address or site-local address: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } Use either approach. ipv6 address Configure an IPv6 address By default, no IPv6 address for the tunnel interface. ipv6-address/prefix-length is configured for the tunnel eui-64...
  • Page 224 Configuration procedure Make sure that Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other through IPv6. • Configure Switch A: # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Configure an IPv6 address for VLAN-interface 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ipv6 address 2002:1::1 64 [SwitchA-Vlan-interface100] quit...
  • Page 225 [SwitchB-Vlan-interface100] ipv6 address 2002:3::1 64 [SwitchB-Vlan-interface100] quit # Configure an IPv6 address for VLAN-interface 101 (the physical interface of the tunnel). [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ipv6 address 2002::22:1 64 [SwitchB-Vlan-interface101] quit # Create service loopback group 1 and specify its service type as tunnel. [SwitchB] service-loopback group 1 type tunnel # Assign GigabitEthernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the interface.
  • Page 226: Displaying And Maintaining Tunneling Configuration

    ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: [SwitchB] display ipv6 interface tunnel 2 Tunnel2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::2024:1 Global unicast address(es): 3001::1:2, subnet is 3001::/64 Joined group address(es):...
  • Page 227: Troubleshooting Tunneling Configuration

    Task Command Remarks display interface [ tunnel ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ] Display information about tunnel Available in any view. interfaces. display interface tunnel number [ brief ] [ | { begin | exclude | include } regular-expression ] display ipv6 interface tunnel [ number ] [ brief ] Display IPv6 information on...
  • Page 228: Configuring Gre

    Configuring GRE This chapter describes how to configure GRE. Overview Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). The path that transfers the encapsulated packets is referred to as a GRE tunnel. A GRE tunnel is a virtual point-to-point (P2P) connection.
  • Page 229: Gre Encapsulation And De-Encapsulation Processes

    • GRE over IPv6—The transport protocol is IPv6, and the passenger protocol is any network layer protocol. GRE encapsulation and de-encapsulation processes The following encapsulation process and de-encapsulation process use Figure 97 to describe how an X protocol packet traverses the IP network through a GRE tunnel. Figure 97 X protocol networks interconnected through a GRE tunnel Encapsulation process After receiving an X protocol packet through the interface connected to Group 1, Device A...
  • Page 230: Configuring A Gre Over Ipv4 Tunnel

    Configuring a GRE over IPv4 tunnel Configuration restrictions and guidelines • The source address or interface and the destination address that are specified for the tunnel interface must be a public address or interface. • The source address and destination address of a tunnel uniquely identify a path. They must be configured at both ends of the tunnel and the source address at one end must be the destination address at the other end and vice versa.
  • Page 231: Configuring A Gre Over Ipv6 Tunnel

    Step Command Remarks Configure the source By default, no source address or source { ip-address | address or interface for the interface is configured for a tunnel interface-type interface-number } tunnel interface. interface. Configure the destination By default, no destination address address for the tunnel destination ip-address is configured for a tunnel...
  • Page 232: Configuration Prerequisites

    Configuration prerequisites • On each of the peer devices, configure an IP address for the interface to be used as the source interface of the tunnel interface (for example, a VLAN interface or loopback interface), and make sure this interface can normally communicate with the interface used as the source interface of the tunnel interface on the peer device.
  • Page 233: Gre Over Ipv4 Tunnel Configuration Example

    Task Command Remarks display interface [ tunnel ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ] Display information about a Available in any view. specific or all tunnel interfaces. display interface tunnel number [ brief ] [ | { begin | exclude | include } regular-expression ] display ipv6 interface tunnel...
  • Page 234 [SwitchA-Vlan-interface101] ip address 1.1.1.1 255.255.255.0 [SwitchA-Vlan-interface101] quit # Create service loopback group 1, and configure the service type as tunnel. [SwitchA] service-loopback group 1 type tunnel # Add port GigabitEthernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the port.
  • Page 235 # Add port GigabitEthernet 1/0/3 to service loopback group 1, and disable STP, NDP, and LLDP on the port. [SwitchB] interface GigabitEthernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] undo stp enable [SwitchB-GigabitEthernet1/0/3] undo ndp enable [SwitchB-GigabitEthernet1/0/3] undo lldp enable [SwitchB-GigabitEthernet1/0/3] port service-loopback group 1 [SwitchB-GigabitEthernet1/0/3] quit # Create a tunnel interface Tunnel1.
  • Page 236: Gre Over Ipv6 Tunnel Configuration Example

    Tunnel1 current state: UP Line protocol current state: UP Description: Tunnel1 Interface The Maximum Transmit Unit is 1476 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUNNEL, service-loopback-group ID is 1. Tunnel source 2.2.2.2, destination 1.1.1.1 Tunnel bandwidth 64 (kbps) Tunnel keepalive disabled Tunnel protocol/transport GRE/IP GRE key disabled Checksumming of GRE packets disabled...
  • Page 237 Figure 99 Network diagram Configuration procedure Before the configuration, make sure Switch A and Switch B can reach each other. Configure Switch A: <SwitchA> system-view # Enable IPv6. [SwitchA] ipv6 # Configure interface VLAN-interface 100. [SwitchA] vlan 100 [SwitchA-vlan100] port GigabitEthernet 1/0/1 [SwitchA-vlan100] quit [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0...
  • Page 238 # Configure the source address of the tunnel interface Tunnel0 as the IP address of the interface VLAN-interface 101. [SwitchA-Tunnel0] source 2002::1:1 # Configure the destination address of the tunnel interface Tunnel0 as the IP address of the interface VLAN-interface 101 on Switch B. [SwitchA-Tunnel0] destination 2001::2:1 # Apply service loopback group 1 to the tunnel in tunnel interface view.
  • Page 239: Verify The Configuration

    # Configure the destination address of the tunnel interface Tunnel0 to be the IP address of interface VLAN-interface 101 on Switch A. [SwitchB-Tunnel0] destination 2002::1:1 # Apply service loopback group 1 to the tunnel in tunnel interface view. [SwitchB-Tunnel0] service-loopback-group 1 [SwitchB-Tunnel0] quit # Configure a static route from Switch B through the tunnel interface Tunnel0 to Group 1.
  • Page 240: Troubleshooting Gre

    # From Switch B, ping the IP address of VLAN-interface 100 on Switch A. [SwitchB] ping 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms...
  • Page 241: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 242: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 243: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 244: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 245 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 246: Index

    Index A B C D E F G I L N O P S T U Configuring an ISATAP tunnel,200 Configuring ARP quick update,6 Accessing Hewlett Packard Enterprise Support,233 Configuring basic IPv6 functions,121 Accessing updates,233 Configuring DHCP packet rate limit,77 Address/prefix lease renewal,146 Configuring DHCP snooping basic...
  • Page 247 DHCP address allocation,28 Enabling DHCP snooping to record Option 55 and Option 60,78 DHCP client configuration example,67 Enabling DHCP starvation attack protection,76 DHCP message format,29 Enabling DHCP-REQUEST message attack DHCP options,30 protection,77 DHCP relay agent configuration examples,64 Enabling DHCPv6 snooping,172 DHCP relay agent configuration task list,57 Enabling dynamic ARP entry...
  • Page 248 Overview,11 Setting the DSCP value for IPv6 DNS packets,178 Overview,113 Specifying the source interface for DNS packets,89 Overview,55 Specifying the threshold for sending trap messages,49 Overview,1 Stateless DHCPv6 configuration,147 Overview,218 Stateless DHCPv6 configuration example,169 Protocols and standards,148 Troubleshooting DHCP relay agent configuration,65 Protocols and standards,34...

This manual is also suitable for:

5800 series
