HPE FlexNetwork HSR6800 Configuration Manual

HPE FlexNetwork HSR6800 Routers
Comware 7 Layer 3—IP Services

Configuration Guide

Part number: 5200-3510
Software version: HSR6800-CMW710-R7607
Document version: 6W100-20170412

Summary of Contents for HPE FlexNetwork HSR6800

  • Page 1: Configuration Guide

    HPE FlexNetwork HSR6800 Routers Comware 7 Layer 3—IP Services Configuration Guide Part number: 5200-3510 Software version: HSR6800-CMW710-R7607 Document version: 6W100-20170412...
  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents
    Configuring ARP
      Overview
      ARP message format
      ARP operating mechanism
      ARP table
      Configuring a static ARP entry
      Setting the maximum number of dynamic ARP entries for a device
      ...
  • Page 4
      Configuration procedure
      Displaying and maintaining IP addressing
      Configuration examples
      IP address configuration example
      IP unnumbered configuration example
    DHCP overview
      DHCP address allocation
      ...
  • Page 5
      DHCP option customization configuration example
      Troubleshooting DHCP server configuration
      Symptom
      Analysis
      Solution
    Configuring the DHCP relay agent
      Overview
      Operation
      ...
  • Page 6
      Dynamic domain name resolution
      DNS proxy
      DNS spoofing
      DNS configuration task list
      Configuring the IPv4 DNS client
      Configuring static domain name resolution
      ...
  • Page 7
      Using NAT with other features
      VRF-aware NAT
      NAT with DNS mapping
      NAT with ALG
      NAT configuration task list
      NAT configuration restrictions and guidelines
      ...
  • Page 8
    Configuring load sharing
      Configuring per-packet or per-flow load sharing
      Configuring load sharing based on bandwidth
    Configuring fast forwarding
      Overview
      Configuring the aging time for fast forwarding entries
      ...
  • Page 9
      IPv6 path MTU discovery
      IPv6 transition technologies
      Dual stack
      Tunneling
      6PE
      Protocols and standards
      IPv6 basics configuration task list
      ...
  • Page 10
      Configuration procedure
      Configuring IPv6 address assignment
      Configuration guidelines
      Configuration procedure
      Configuring network parameters assignment
      Configuring network parameters in a DHCPv6 address pool
      ...
  • Page 11
      IPv4 over IPv4 tunneling
      IPv4 over IPv6 tunneling
      IPv6 over IPv6 tunneling
      Protocols and standards
      Tunneling configuration task list
      Configuring a tunnel interface
      ...
  • Page 12
      Enabling the VAM server
      Configuring a pre-shared key for the VAM server
      Configuring hub groups
      Setting the port number of the VAM server
      Specifying authentication and encryption algorithms for the VAM server
      ...
  • Page 13
      Slow start optimization
      Increased buffering
      Congestion algorithm optimization
      Selective acknowledgement
      DRE
      DRE compression process
      DRE decompression process
      LZ compression
      ...
  • Page 14: Configuring Arp

    Configuring ARP Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths. Figure 1 ARP message format •...
  • Page 15: Arp Table

    All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows: a.
  • Page 16: Configuring A Static Arp Entry

    • If the output interface is a Layer 3 Ethernet interface, the ARP entry can be directly used to forward packets. • If the output interface is a VLAN interface, the device sends an ARP request whose target IP address is the IP address in the entry. If the sender IP and MAC addresses in the received ARP reply match the static ARP entry, the device performs the following operations: Adds the interface that received the ARP reply to the static ARP entry.
  • Page 17: Setting The Maximum Number Of Dynamic Arp Entries For An Interface

    Step Command Remarks By default, the maximum • In standalone mode: number of dynamic ARP entries arp max-learning-number that a device can learn is the Set the maximum max-number slot slot-number upper limit of the allowed value number of dynamic •...
  • Page 18: Enabling Dynamic Arp Entry Check

    Enabling dynamic ARP entry check The dynamic ARP entry check feature disables the device from supporting dynamic ARP entries that contain multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses. You cannot manually add static ARP entries containing multicast MAC addresses.
  • Page 19: Static Arp Entry Configuration Example

    Execute display commands in any view and reset commands in user view.

    Task: Display ARP entries (in standalone mode).
    Command: display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count |
  • Page 20: Configuration Procedure

    Configuration procedure
    # Configure an IP address for GigabitEthernet 2/1/2.
    <RouterB> system-view
    [RouterB] interface gigabitethernet 2/1/2
    [RouterB-GigabitEthernet2/1/2] ip address 192.168.1.2 24
    [RouterB-GigabitEthernet2/1/2] quit
    # Configure a static ARP entry that has IP address 192.168.1.1 and MAC address 00e0-fc01-001f.
    [RouterB] arp static 192.168.1.1 00e0-fc01-001f
    Verifying the configuration
    # Verify that Router B has a static ARP entry for Router A.
  • Page 21: Configuring Gratuitous Arp

    Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: • Determine whether its IP address is already used by another device.
  • Page 22: Configuration Procedure

    • Update MAC entries of devices in the VLANs having ambiguous Dot1q or QinQ termination configured. In VRRP configuration, if ambiguous Dot1q or QinQ termination is configured for multiple VLANs and VRRP groups, interfaces configured with VLAN termination must be disabled from transmitting broadcast/multicast packets.
  • Page 23: Enabling Ip Conflict Notification

    Enabling IP conflict notification By default, if the sender IP address of an incoming ARP packet is the same as that of the device, the device sends a gratuitous ARP request. The device displays an error message only after it receives an ARP reply about the conflict.
  • Page 24: Configuring Proxy Arp

    Configuring proxy ARP Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain. Proxy ARP includes common proxy ARP and local proxy ARP.
  • Page 25: Common Proxy Arp Configuration Example

    Task: Display common proxy ARP status.
    Command: display proxy-arp [ interface interface-type interface-number ]

    Task: Display local proxy ARP status.
    Command: display local-proxy-arp [ interface interface-type interface-number ]

    Common proxy ARP configuration example
    Network requirements
    As shown in Figure 4, Host A and Host D have the same prefix and mask, but they are located on different subnets.
  • Page 26: Verifying The Configuration

    [Router-GigabitEthernet2/1/1] quit
    Verifying the configuration
    # Verify that Host A and Host D can ping each other.
  • Page 27: Configuring Arp Suppression

    Configuring ARP suppression Overview The ARP suppression feature enables a device to directly answer ARP requests by using ARP suppression entries. The device generates ARP suppression entries based on dynamic ARP entries that it learns. This feature is typically configured on the PEs connected to base stations in an MPLS L2VPN that provides access to an L3VPN network.
  • Page 28: Displaying And Maintaining Arp Suppression

    Step: Return to cross-connect group view.
    Command: quit

    Step: Return to system view.
    Command: quit

    Step: (Optional.) Enable the ARP suppression push feature and set a push interval.
    Command: arp suppression push interval interval
    Remarks: By default, the ARP suppression push feature is disabled.

    Displaying and maintaining ARP suppression
    Execute display commands in any view and reset commands in user view.
  • Page 29: Verifying The Configuration

    [RouterA-xcg-vpna] connection svc
    # Enable ARP suppression for the cross-connect svc in cross-connect group vpna.
    [RouterA-xcg-vpna-svc] arp suppression enable
    Verifying the configuration
    On the base station, clear ARP entries, and ping the L3VE interface VE-L3VPN 1 of Router B. (Details not shown.)
    Verify that Router A has ARP suppression entries for the base station and Router B.
  • Page 30: Configuring Arp Direct Route Advertisement

    Configuring ARP direct route advertisement Overview The ARP direct route advertisement feature advertises host routes instead of advertising the network route. This feature is typically configured on PE-aggs to advertise host routes to the connected PEs in the L3VPN. Figure 7 shows a typical application scenario where the PE in the L3VPN has ECMP routes destined to a base station in the L2VPN.
  • Page 31: Configuring Ip Addressing

    Configuring IP addressing The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified. This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.
  • Page 32: Special Ip Addresses

    Class Address range Remarks Reserved for future use, except for the broadcast 240.0.0.0 to 255.255.255.255 address 255.255.255.255. Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses: • IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.
  • Page 33: Configuration Guidelines

    An interface can have one primary address and multiple secondary addresses. Typically, you need to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.
  • Page 34: Configuration Prerequisites

    Configuration prerequisites Assign an IP address to the interface from which you want to borrow the IP address. Alternatively, you can configure the interface to obtain one through BOOTP, DHCP, or PPP address negotiation. Configuration procedure To configure IP unnumbered on an interface: Step Command Remarks...
  • Page 35
    Figure 10 Network diagram
    Configuration procedure
    # Assign a primary IP address and a secondary IP address to GigabitEthernet 2/1/1.
    <Router> system-view
    [Router] interface gigabitethernet 2/1/1
    [Router-GigabitEthernet2/1/1] ip address 172.16.1.1 255.255.255.0
    [Router-GigabitEthernet2/1/1] ip address 172.16.2.1 255.255.255.0 sub
    # Set the gateway address to 172.16.1.1 on the PCs attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to subnet 172.16.2.0/24.
  • Page 36: Ip Unnumbered Configuration Example

    --- Ping statistics for 172.16.2.2 ---
    5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms
    # Verify the connectivity between a host on subnet 172.16.1.0/24 and a host on subnet 172.16.2.0/24. The ping operation succeeds.
    IP unnumbered configuration example
    Network requirements
    As shown in...
  • Page 37
    # Configure interface Serial 3/1/1 to borrow an IP address from GigabitEthernet 2/1/1.
    [RouterB] interface serial 3/1/1
    [RouterB-Serial3/1/1] ip address unnumbered interface gigabitethernet 2/1/1
    [RouterB-Serial3/1/1] quit
    # Configure a static route to the subnet attached to Router A, specifying Serial 3/1/1 as the outgoing interface.
  • Page 38: Dhcp Overview

    DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 12 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
  • Page 39: Ip Address Allocation Process

    IP address allocation process Figure 13 IP address allocation process As shown in Figure 13, a DHCP server assigns an IP address to a DHCP client in the following process: The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message.
  • Page 40: Dhcp Message Format

    If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast. DHCP message format Figure 14 shows the DHCP message format.
  • Page 41: Dhcp Options

    DHCP options DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients. Figure 15 DHCP option format Common DHCP options The following are common DHCP options: •...
  • Page 42 • PXE server address, which is used to obtain the boot file or other control information from the PXE server. Format of Option 43: Figure 16 Option 43 format Network configuration parameters are carried in different sub-options of Option 43 as shown Figure Sub-option type—The field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).
  • Page 43: Protocols And Standards

    Option 82 can include a maximum of 255 sub-options and must include a minimum of one sub-option. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID). Option 82 has no standard definition. Its padding formats vary by vendor. •...
  • Page 44: Configuring The Dhcp Server

    Configuring the DHCP server Overview The DHCP server is well suited to networks where: • Manual configuration and centralized management are difficult to implement. • IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically.
  • Page 45 NOTE: All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range. • Method 2—Specify a primary subnet and multiple secondary subnets in an address pool. The DHCP server selects an IP address from the primary subnet first.
  • Page 46: Ip Address Allocation Sequence

    NOTE: As a best practice, configure a minimum of one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.
  • Page 47: Configuring An Address Pool On The Dhcp Server

    Tasks at a glance (Optional.) Enabling client offline detection on the DHCP server (Optional.) Enabling DHCP logging on the DHCP server Configuring an address pool on the DHCP server Configuration task list Tasks at a glance (Required.) Creating a DHCP address pool Perform one or more of the following tasks: •...
  • Page 48 Follow these guidelines when you specify a primary subnet and multiple address ranges for a DHCP address pool: • If you use the network or address range command multiple times for the same address pool, the most recent configuration takes effect. •...
  • Page 49
    Step: 10. (Optional.) Exclude the specified IP addresses in the address pool from dynamic allocation.
    Command: forbidden-ip ip-address&<1-8>
    Remarks: By default, all the IP addresses in the DHCP address pool are assignable. To exclude multiple address ranges from dynamic allocation, repeat this step.

    11.
  • Page 50: Specifying Gateways For Dhcp Clients

    Step Command Remarks Return to system view. quit Except for the IP address of the DHCP server interface, IP addresses in all address dhcp server forbidden-ip (Optional.) Exclude the specified pools are assignable by start-ip-address [ end-ip-address ] IP addresses from dynamic default.
  • Page 51: Specifying A Domain Name Suffix For Dhcp Clients

    • If gateways are specified in both address pool view and secondary subnet view, DHCP assigns those specified in the secondary subnet view. • If gateways are specified in address pool view but not in secondary subnet view, DHCP assigns those specified in address pool view.
  • Page 52: Specifying Wins Servers And Netbios Node Type For Dhcp Clients

    Specifying WINS servers and NetBIOS node type for DHCP clients A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool. In addition, you must specify a NetBIOS node type for the clients to approach name resolution.
  • Page 53: Specifying The Configuration File For Dhcp Client Auto-Configuration

    Specifying the configuration file for DHCP client auto-configuration Auto-configuration enables a device to obtain a set of configuration settings automatically from servers when the device starts up without a configuration file. It requires the cooperation of the DHCP server, HTTP server, DNS server, and TFTP server. For more information about auto-configuration, see Fundamentals Configuration Guide.
  • Page 54: Configuring Option 184 Parameters For Dhcp Clients

    Step: Enter system view.
    Command: system-view

    Step: Create a DHCP address pool and enter its view.
    Command: dhcp server ip-pool pool-name
    Remarks: By default, no DHCP address pool exists.

    Step: Specify the IP address of a server.
    Command: next-server ip-address
    Remarks: By default, no server is specified.

    ...
  • Page 55
    To customize a DHCP option in a DHCP address pool:

    Step: Enter system view.
    Command: system-view

    Step: Create a DHCP address pool and enter its view.
    Command: dhcp server ip-pool pool-name
    Remarks: By default, no DHCP address pool exists.

    By default, no DHCP option is customized in a DHCP address pool....
  • Page 56: Configuring The Dhcp User Class Whitelist

    Corresponding Recommended option Option Option name command command parameters Domain Name Server Option dns-list ip-address domain-name ascii Domain Name NetBIOS over TCP/IP Name nbns-list ip-address Server Option NetBIOS over TCP/IP Node netbios-type Type Option TFTP server name tftp-server ascii bootfile-name ascii Boot file name Vendor Specific Information...
  • Page 57: Enabling The Dhcp Server On An Interface

    Step: Enter system view.
    Command: system-view

    Step: Enable DHCP.
    Command: dhcp enable
    Remarks: By default, DHCP is disabled.

    Enabling the DHCP server on an interface
    Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.
  • Page 58: Configuring Ip Address Conflict Detection

    DHCP policy must be applied to the interface that acts as the DHCP server. When receiving a DHCP request, the DHCP server compares the packet against the user classes in the order that they are configured. • If a match is found and the bound address pool has assignable IP addresses, the server assigns an IP address and other parameters from the address pool.
  • Page 59: Enabling Handling Of Option 82

    Step: Enter system view.
    Command: system-view

    Step: (Optional.) Set the maximum number of ping packets to be sent for conflict detection.
    Command: dhcp server ping packets number
    Remarks: The default setting is one. The value 0 disables IP address conflict detection.

    The default setting is 500 ms. (Optional.) Set the ping dhcp server ping timeout The value 0 disables IP address...
  • Page 60: Configure The Dhcp Server To Ignore Bootp Requests

    Step: Enable the DHCP server to broadcast all responses.
    Command: dhcp server always-broadcast
    Remarks: By default, the DHCP server reads the broadcast flag to decide whether to broadcast or unicast a response.

    Configure the DHCP server to ignore BOOTP requests
    The lease duration of the IP addresses obtained by the BOOTP clients is unlimited.
  • Page 61: Setting The Dscp Value For Dhcp Packets Sent By The Dhcp Server

    Step: Enter system view.
    Command: system-view

    Step: Disable the DHCP server from encapsulating Option 60 in DHCP replies.
    Command: dhcp server reply-exclude-option60
    Remarks: By default, the DHCP server can encapsulate Option 60 in DHCP replies.

    Setting the DSCP value for DHCP packets sent by the DHCP server
    The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
  • Page 62: Configuring Address Pool Usage Alarming

    Step: (Optional.) Set the waiting time after a DHCP binding change for the DHCP server to update the backup file.
    Command: dhcp server database update interval interval
    Remarks: The default waiting time is 300 seconds. If no DHCP binding changes, the backup file is not updated.
  • Page 63: Advertising Subnets Assigned To Clients

    If the address pool is applied to a VPN instance, the VPN instance must exist.
    To bind the gateways to the DHCP server's MAC address:

    Step: Enter system view.
    Command: system-view

    Step: Create a DHCP address pool and enter its view.
    Command: dhcp server ip-pool pool-name
    Remarks: By default, no DHCP address...
  • Page 64: Applying A Dhcp Address Pool To A Vpn Instance

    Applying a DHCP address pool to a VPN instance If a DHCP address pool is applied to a VPN instance, the DHCP server assigns IP addresses in this address pool to clients in the VPN instance. Addresses in this address pool will not be assigned to clients on the public network.
  • Page 65: Displaying And Maintaining The Dhcp Server

    To enable DHCP logging on the DHCP server:

    Step: Enter system view.
    Command: system-view

    Step: Enable DHCP logging.
    Command: dhcp log enable
    Remarks: By default, DHCP logging is disabled.

    Displaying and maintaining the DHCP server
    IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information.
  • Page 66: Static Ip Address Assignment Configuration Example

    The DHCP server configuration for the two types is identical. Static IP address assignment configuration example Network requirements As shown in Figure 21, Router A (DHCP server) assigns a static IP address, a DNS server address, and a gateway address to Router B (DHCP client) and Router C (BOOTP client). The client ID of the interface GigabitEthernet 2/1/1 on Router B is: 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574.
  • Page 67: Dynamic Ip Address Assignment Configuration Example

    [RouterA-dhcp-pool-0] gateway-list 10.1.1.126
    [RouterA-dhcp-pool-0] quit
    [RouterA]
    Verifying the configuration
    # Verify that Router B can obtain IP address 10.1.1.5 and all other network parameters from Router A. (Details not shown.)
    # Verify that Router C can obtain IP address 10.1.1.6 and all other network parameters from Router A.
  • Page 68
    Configuration procedure
    Specify IP addresses for interfaces. (Details not shown.)
    Configure the DHCP server:
    # Enable DHCP.
    <RouterA> system-view
    [RouterA] dhcp enable
    # Enable the DHCP server on GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2.
    [RouterA] interface gigabitethernet 2/1/1
    [RouterA-GigabitEthernet2/1/1] dhcp select server
    [RouterA-GigabitEthernet2/1/1] quit
    [RouterA] interface gigabitethernet 2/1/2
    [RouterA-GigabitEthernet2/1/2] dhcp select server
    ...
  • Page 69: Dhcp User Class Configuration Example

    10.1.1.5         0031-fe65-4203-7e02-  Jan 14 22:25:03 2015  Auto(C)
                     3063-5b30-3230-4702-
                     620e-712f-5e
    10.1.1.130       3030-3030-2e30-3030-  Jan 9 10:45:11 2015   Auto(C)
                     662e-3030-3033-2d45-
                     7568-6572-1e
    10.1.1.131       3030-0020-fe02-3020-  Jan 9 10:45:11 2015   Auto(C)
                     7052-0201-2013-1e02
                     0201-9068-23
    10.1.1.132       2020-1220-1102-3021-  Jan 9 10:45:11 2015   Auto(C)
                     7e52-0211-2025-3402
                     0201-9068-9a
    10.1.1.133       2021-d012-0202-4221-  Jan 9 10:45:11 2015   Auto(C)
                     8852-0203-2022-55e0
                     3921-0104-31
    ...
  • Page 70

    # Enable DHCP and configure the DHCP server to handle Option 82.
    <RouterB> system-view
    [RouterB] dhcp enable
    [RouterB] dhcp server relay information enable
    # Enable the DHCP server on the interface GigabitEthernet2/1/1.
    [RouterB] interface gigabitethernet 2/1/1
    [RouterB-GigabitEthernet2/1/1] dhcp select server
    [RouterB-GigabitEthernet2/1/1] quit
    # Create DHCP user class tt and configure a match rule to match DHCP requests that contain Option 82.
  • Page 71: Dhcp User Class Whitelist Configuration Example

    DHCP user class whitelist configuration example Network requirements As shown in Figure 24, configure the DHCP user class whitelist to allow the DHCP server to assign IP addresses to clients whose hardware addresses are six bytes long and begin with aabb-aabb. Figure 24 Network diagram Configuration procedure Specify IP addresses for the interfaces on the DHCP server.
  • Page 72: Primary And Secondary Subnets Configuration Example

    Primary and secondary subnets configuration example Network requirements As shown in Figure 25, the DHCP server (Router A) assigns IP addresses to DHCP clients in the LAN. Configure two subnets in the address pool on the DHCP server: 10.1.1.0/24 as the primary subnet and 10.1.2.0/24 as the secondary subnet.
  • Page 73: Dhcp Option Customization Configuration Example

    Verifying the configuration # Verify that the DHCP server assigns clients IP addresses and gateway address from the secondary subnet when no assignable address is available from the primary subnet. (Details not shown.) # On the DHCP server, display IP addresses assigned to the clients. The following is part of the command output.
  • Page 74: Troubleshooting Dhcp Server Configuration

    # Enable DHCP.
    <RouterA> system-view
    [RouterA] dhcp enable
    # Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.
    [RouterA] dhcp class ss
    [RouterA-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
    [RouterA-dhcp-class-ss] quit...
  • Page 75: Solution

    Solution Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address. If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.
  • Page 76: Configuring The Dhcp Relay Agent

    Configuring the DHCP relay agent Overview The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature removes the need to deploy a DHCP server on each subnet, which centralizes management and reduces investment. Figure 27 shows a typical application of the DHCP relay agent.
  • Page 77: Dhcp Relay Agent Support For Option 82

    Figure 28 DHCP relay agent operation DHCP relay agent support for Option 82 Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks: • Locate the DHCP client for security and accounting purposes. •...
  • Page 78: Enabling Dhcp

    Tasks at a glance
    • (Optional.) Configuring the DHCP relay agent to release an IP address
    • (Optional.) Configuring Option 82
    • (Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent
    • (Optional.) Enabling DHCP server proxy on a DHCP relay agent
    • (Optional.) Configuring a DHCP relay address pool
    • (Optional.)
  • Page 79: Specifying Dhcp Servers On A Relay Agent

    Specifying DHCP servers on a relay agent To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers. Follow these guidelines when you specify a DHCP server address on a relay agent: •...
  • Page 80: Enabling Dhcp Starvation Attack Protection

    With this feature, the DHCP relay agent uses the following information to periodically send a DHCP-REQUEST message to the DHCP server: • The IP address of a relay entry. • The MAC address of the DHCP relay interface. The relay agent maintains the relay entries depending on what it receives from the DHCP server: •...
  • Page 81: Configuring The Dhcp Relay Agent To Release An Ip Address

    Step: Enter system view.
    Command: system-view
    Step: Set the aging time for MAC address check entries.
    Command: dhcp relay check mac-address aging-time time
    Remarks: The default aging time is 30 seconds. This command takes effect only after you execute the dhcp relay check mac-address command.
  • Page 82: Setting The Dscp Value For Dhcp Packets Sent By The Dhcp Relay Agent

    Step: (Optional.) Configure the strategy for handling DHCP requests that contain Option 82.
    Command: dhcp relay information strategy { drop | keep | replace }
    Remarks: By default, the handling strategy is replace.
    Step: (Optional.) Configure the padding...
    Command: dhcp relay information circuit-id { bas [ sub-interface-vlan ] | string circuit-id | { normal |...
    Remarks: By default, the padding...
  • Page 83: Configuring A Dhcp Relay Address Pool

    Configuring a DHCP relay address pool This feature allows DHCP clients of the same type to obtain IP addresses and other configuration parameters from the DHCP servers specified in the matching relay address pool. It applies to scenarios where the DHCP relay agent connects to clients of the same access type but classified into different types by their locations.
  • Page 84: Specifying A Gateway Address For Dhcp Clients

    Specifying a gateway address for DHCP clients By default, the DHCP relay agent fills the giaddr field of DHCP DISCOVER and REQUEST packets with the primary IP address of the relay interface. You can specify a gateway address on the relay agent for DHCP clients.
  • Page 85 DHCP server still does not respond, the next secondary IP address is used. After the secondary IP addresses are all tried and the DHCP server does not respond, the relay agent repeats the process by starting from the primary IP address. Without this feature, the relay agent only encapsulates the primary IP address to the giaddr field of all requests.
  • Page 86: Specifying The Source Ip Address For Relayed Dhcp Requests

    Step: Specify DHCP servers for the relay address pool.
    Command: remote-server ip-address&<1-8>
    Remarks: By default, the relay address pool does not have any DHCP server IP addresses. You can specify a maximum of eight DHCP servers for one relay address pool for high availability.
  • Page 87: Displaying And Maintaining The Dhcp Relay Agent

    information, but the secondary gateway cannot. The secondary gateway can only forward DHCP replies to all PWs. To enable the secondary gateway to forward a DHCP reply to only the intended PW, perform the following tasks: • Configure the dhcp relay information enable and dhcp relay information circuit-id (with sub-interface-vlan specified) commands on the primary gateway.
  • Page 88: Dhcp Relay Agent Configuration Examples

    Task: Display relay entries on the DHCP relay agent.
    Command: display dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]
    Task: Display packet statistics on the DHCP relay agent.
    Command: display dhcp relay statistics [ interface interface-type interface-number ]
    Task: Display MAC address check entries on the DHCP...
    Command: display dhcp relay check mac-address...
  • Page 89: Option 82 Configuration Example

    # Enable the DHCP relay agent on GigabitEthernet 2/1/1.
    [RouterA] interface gigabitethernet 2/1/1
    [RouterA-GigabitEthernet2/1/1] dhcp select relay
    # Specify the IP address of the DHCP server on the relay agent.
    [RouterA-GigabitEthernet2/1/1] dhcp relay server-address 10.1.1.1
    Verifying the configuration
    # Verify that DHCP clients can obtain IP addresses and all other network parameters from the DHCP server through the DHCP relay agent.
  • Page 90: Analysis

    Analysis Some problems might occur with the DHCP relay agent or server configuration. Solution To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information. Check that: •...
  • Page 91: Configuring The Dhcp Client

    Configuring the DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. Enabling the DHCP client on an interface Follow these guidelines when you enable the DHCP client on an interface: •...
  • Page 92: Enabling Duplicated Address Detection

    Command: display dhcp client...
    Remarks: DHCP client ID includes ID type and type value. Each ID type has a fixed type value. You can check the fields for the client ID to verify which type of client ID is used:
    • If an ASCII string is used as the client ID, the type value is 00.
  • Page 93: Dhcp Client Configuration Example

    Task: Display DHCP client information.
    Command: display dhcp client [ verbose ] [ interface interface-type interface-number ]
    DHCP client configuration example
    Network requirements
    As shown in Figure 31, Router B contacts the DHCP server through GigabitEthernet 2/1/1 to obtain an IP address, a DNS server address, and static route information. The DHCP client's IP address resides on subnet 10.1.1.0/24.
  • Page 94: Verifying The Configuration

    [RouterA] dhcp server forbidden-ip 10.1.1.2
    # Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
    [RouterA] dhcp server ip-pool 0
    [RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    [RouterA-dhcp-pool-0] expired day 10
    [RouterA-dhcp-pool-0] dns-list 20.1.1.1
    [RouterA-dhcp-pool-0] option 121 hex 181401010A010102
    Configure Router B:...
  • Page 95

    127.0.0.1/32 Direct 0 127.0.0.1 InLoop0
    127.255.255.255/32 Direct 0 127.0.0.1 InLoop0
    224.0.0.0/4 Direct 0 0.0.0.0 NULL0
    224.0.0.0/24 Direct 0 0.0.0.0 NULL0
    255.255.255.255/32 Direct 0 127.0.0.1 InLoop0...
  • Page 96: Configuring The Bootp Client

    Configuring the BOOTP client BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. BOOTP application An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.
  • Page 97: Displaying And Maintaining Bootp Client

    Step: Configure an interface to use BOOTP for IP address acquisition.
    Command: ip address bootp-alloc
    Remarks: By default, an interface does not use BOOTP for IP address acquisition.
    Displaying and maintaining BOOTP client
    Execute display command in any view.
    Task: Display BOOTP client information.
    Command: display bootp client [ interface interface-type...
  • Page 98: Configuring Dns

    Configuring DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry. DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address.
  • Page 99: Dns Proxy

    Dynamic domain name resolution allows the DNS client to store latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires.
  • Page 100: Dns Spoofing

    A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request.
  • Page 101: Dns Configuration Task List

    Dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism. Because the DNS entry ages out immediately upon creation, the host sends another DNS request to the device to resolve the HTTP server domain name. The device operates the same as a DNS proxy. For more information, see "DNS proxy."...
  • Page 102: Configuring Dynamic Domain Name Resolution

    Configuring dynamic domain name resolution To use dynamic domain name resolution, a DNS server address is required so that DNS queries can be sent to a correct server for resolution. In addition, you can configure a DNS suffix that the system automatically adds to the incomplete domain name that a user enters.
  • Page 103: Configuring The Ipv6 Dns Client

    Step: Specify a DNS server IPv6 address.
    Command: ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]
    Configuring the IPv6 DNS client
    Configuring static domain name resolution
    Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv6 addresses.
  • Page 104: Configuring The Dns Proxy

    server address manually specified takes priority over a DNS server address dynamically obtained, for example, through DHCP. The device first sends a DNS query to the DNS server address of the highest priority. If the first query fails, it sends the DNS query to the DNS server address of the second highest priority, and so on.
  • Page 105: Configuring Dns Spoofing

    Step: Specify a DNS server IPv4 address in interface view.
    Command:
    Enter interface view: interface interface-type interface-number
    Specify a DNS server IPv4 address: dns server ip-address [ vpn-instance vpn-instance-name ]
    Remarks: By default, no DNS server address is specified.
    Step: Specify a DNS server IPv6 address.
    Command: ipv6 dns server ipv6-address [ interface-type interface-number ]
  • Page 106: Specifying The Source Interface For Dns Packets

    Step: Enter system view.
    Command: system-view
    Step: Enable DNS proxy.
    Command: dns proxy enable
    Remarks: By default, DNS proxy is disabled.
    Step: Enable DNS spoofing and specify the IP address...
    Command:
    • Specify an IPv4 address: dns spoofing ip-address [ vpn-instance vpn-instance-name ]
    •...
    Remarks: By default, DNS spoofing is disabled. You can specify both an IPv4...
  • Page 107: Setting The Dscp Value For Outgoing Dns Packets

    Step: Specify the DNS trusted interface.
    Command: dns trust-interface interface-type interface-number
    Remarks: By default, no DNS trusted interface is specified. You can configure up to 128 DNS trusted interfaces.
    Setting the DSCP value for outgoing DNS packets
    The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
  • Page 108: Dynamic Domain Name Resolution Configuration Example

    Figure 35 Network diagram
    Configuration procedure
    # Configure a mapping between the host name host.com and the IP address 10.1.1.2.
    <Sysname> system-view
    [Sysname] ip host host.com 10.1.1.2
    # Verify that the device can use static domain name resolution to resolve the domain name host.com into the IP address 10.1.1.2.
  • Page 109 The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2008 R2. a. Select Start > Programs > Administrative Tools > DNS. The DNS server configuration page appears, as shown in Figure b.
  • Page 110 Figure 38 Adding a host d. On the page that appears, enter the host name host and the IP address 3.1.1.1. e. Click Add Host. The mapping between the IP address and host name is created. Figure 39 Adding a mapping between domain name and IP address Configure the DNS client: # Specify the DNS server 2.1.1.2.
  • Page 111: Dns Proxy Configuration Example

    <Sysname> system-view
    [Sysname] dns server 2.1.1.2
    # Specify com as the name suffix.
    [Sysname] dns domain com
    Verifying the configuration
    # Verify that the device can use the dynamic domain name resolution to resolve the domain name host.com into the IP address 3.1.1.1.
    [Sysname] ping host
    Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
    56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms...
  • Page 112: Ipv6 Dns Configuration Examples

    The configuration might vary by DNS server. When a PC running Windows Server 2008 R2 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information. Configure the DNS proxy: # Specify the DNS server 4.1.1.1. <DeviceA>...
  • Page 113: Dynamic Domain Name Resolution Configuration Example

    # Verify that the device can use static domain name resolution to resolve the domain name host.com into the IPv6 address 1::2.
    [Sysname] ping ipv6 host.com
    Ping6(56 data bytes) 1::1 --> 1::2, press CTRL_C to break
    56 bytes from 1::2, icmp_seq=0 hlim=128 time=1.000 ms
    56 bytes from 1::2, icmp_seq=1 hlim=128 time=0.000 ms
    56 bytes from 1::2, icmp_seq=2 hlim=128 time=1.000 ms
    56 bytes from 1::2, icmp_seq=3 hlim=128 time=1.000 ms...
  • Page 114 Figure 43 Creating a zone c. On the DNS server configuration page, right-click zone com and select New Host. Figure 44 Adding a host d. On the page that appears, enter the host name host and the IPv6 address 1::1. e.
  • Page 115: Dns Proxy Configuration Example

    Figure 45 Adding a mapping between domain name and IPv6 address
    Configure the DNS client:
    # Specify the DNS server 2::2.
    <Device> system-view
    [Device] ipv6 dns server 2::2
    # Configure com as the DNS suffix.
    [Device] dns domain com
    Verifying the configuration
    # Verify that the device can use the dynamic domain name resolution to resolve the domain name host.com into the IP address 1::1.
  • Page 116 Figure 46 Network diagram Configuration procedure Before performing the following configuration, make sure that: • Device A, the DNS server, and the host are reachable to each other. • The IPv6 addresses of the interfaces are configured as shown in Figure Configure the DNS server: This configuration might vary by DNS server.
  • Page 117: Troubleshooting Ipv4 Dns Configuration

    Troubleshooting IPv4 DNS configuration Symptom After enabling dynamic domain name resolution, the user cannot get the correct IP address. Solution Use the display dns host ip command to verify that the specified domain name is in the cache. If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.
  • Page 118: Configuring Ddns

    Configuring DDNS Overview DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers.
  • Page 119: Ddns Client Configuration Task List

    DDNS client configuration task list
    Tasks at a glance
    • (Required.) Configuring a DDNS policy
    • (Required.) Applying the DDNS policy to an interface
    • (Optional.) Setting the DSCP value for outgoing DDNS packets
    Configuring a DDNS policy
    A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, associated SSL client policy, and update time interval.
  • Page 120: Configuration Prerequisites

    • gnudip://—The TCP-based GNUDIP server. • oray://—The TCP-based DDNS server. The domain names of DDNS servers are members.3322.org and phservice2.oray.net. The domain names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net, ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation. The port number in the URL address is optional.
  • Page 121: Applying The Ddns Policy To An Interface

    Step: (Optional.) Associate an SSL client policy with the DDNS policy.
    Command: ssl-client-policy policy-name
    Remarks: By default, no SSL client policy is associated with the DDNS policy. This step is only effective and a must for HTTP-based DDNS update requests. For...
  • Page 122: Displaying Ddns

    Step: Enter system view.
    Command: system-view
    Step: Set the DSCP value for outgoing DDNS packets.
    Command: ddns dscp dscp-value
    Remarks: By default, the DSCP value for outgoing DDNS packets is 0.
    Displaying DDNS
    Execute display commands in any view.
    Task: Display DDNS policy information.
    Command: display ddns policy [ policy-name ]
    DDNS configuration examples
    DDNS configuration example with www.3322.org
  • Page 123: Ddns Configuration Example With Peanuthull Server

    • Make sure the devices can reach each other.
    # Create a DDNS policy named 3322.org, and enter its view.
    <Router> system-view
    [Router] ddns policy 3322.org
    # Specify the URL address, username, and password for DDNS update requests.
    [Router-ddns-policy-3322.org] url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>...
  • Page 124 Configuration procedure Before configuring DDNS on Router, perform the following tasks: • Register with username steven and password nevets at http://www.oray.cn/. • Configure a DDNS policy to update the mapping between the router's FQDN and IP address. • Make sure the devices can reach each other. # Create a DDNS policy named oray.cn and enter its view.
  • Page 125: Configuring Nat

    Configuring NAT Overview Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server. Figure 50 NAT operation Direction Before NAT...
  • Page 126: Nat Control

    Bidirectional NAT NAT translates the source and destination IP addresses of incoming packets on the receiving interface and outgoing packets on the sending interface. Bidirectional NAT is applied when source and destination addresses overlap. Twice NAT Twice NAT translates the destination IP address on the receiving interface, and the source IP address on the sending interface.
  • Page 127: Nat Server

    Figure 51 PAT operation As shown in Figure 51, PAT translates the source IP addresses of the three packets to the same public address and translates their port numbers to different port numbers. Upon receiving a response, PAT translates the destination address and port number of the response, and forwards it to the target host.
  • Page 128: Nat444

    Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server. Upon receiving a response from the server, NAT translates the private source IP address and port number to the public IP address and port number.
  • Page 129 This value is the base number for mapping. Sorts the port blocks in ascending order of the start port number in each block. Sorts the private IP addresses and the public IP addresses separately in ascending order. Maps the first base number of private IP addresses to the first public IP address and its port blocks in ascending order.
  • Page 130: Ds-Lite Nat444

    NOTE: If the NAT444 configuration changes, NAT444 mappings for online users also change. The change cannot be synchronized to the AAA server, affecting user tracing accuracy. As a best practice, log off the users immediately after you change the NAT444 configuration. When the users come online, NAT444 creates new mappings for them.
  • Page 131: No-Pat Entry

    NO-PAT entry A NO-PAT entry maps a private address to a public address. The same mapping applies to subsequent connections originating from the same source IP. A NO-PAT entry can also be created during the ALG process for NAT. For information about NAT with ALG, see "NAT with ALG."...
  • Page 132: Nat With Alg

    Figure 56 NAT with DNS mapping As shown in Figure 56, NAT with DNS mapping works as follows: The host sends a DNS request containing the domain name of the internal Web server. Upon receiving the DNS response, the NAT device performs a DNS mapping lookup by using the domain name in the response.
  • Page 133: Nat Configuration Task List

    NAT configuration task list Tasks at a glance Remarks If you perform all the tasks on an interface, the NAT rules are sorted in the following order: • NAT Server. • Static NAT. Perform one or more of the following tasks: •...
  • Page 134: Configuring Outbound One-To-One Static Nat

    transport layer protocol, and VPN instance. For more information about ACLs, see ACL and QoS Configuration Guide. • Manually add a route for inbound static NAT. Use local-ip or local-network as the destination address, and use global-ip, an address in global-network, or the next hop directly connected to the output interface as the next hop.
  • Page 135: Configuring Object Group-Based Outbound Static Nat

    Step: Configure a net-to-net mapping for outbound static NAT.
    Command: nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance...
    Remarks: By default, no mappings exist. If you specify the acl keyword, NAT processes only packets...
  • Page 136: Configuring Inbound One-To-One Static Nat

    Configuring inbound one-to-one static NAT For address translation from a public IP address to a private IP address, configure inbound one-to-one static NAT. • When the source IP address of a packet from the public network to the private network matches the global-ip, the source IP address is translated into the local-ip.
  • Page 137: Configuring Object Group-Based Inbound Static Nat

    Step: Enter interface view.
    Command: interface interface-type interface-number
    Step: Enable static NAT on the interface.
    Command: nat static enable
    Remarks: By default, static NAT is disabled.
    Configuring object group-based inbound static NAT
    Configure object group-based inbound static NAT to translate public IP addresses into private IP addresses.
  • Page 138: Configuration Prerequisites

    • A NAT rule with an ACL takes precedence over a rule without any ACL. • The priority for the ACL-based dynamic NAT rules depends on ACL number. A higher ACL number represents a higher priority. Configuration prerequisites Perform the following tasks before configuring dynamic NAT: •...
  • Page 139: Configuring Inbound Dynamic Nat

    Command:
    • Configure NO-PAT: nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group { group-id | name group-name } [ vpn-instance vpn-instance-name ] no-pat [ reversible ] [ disable ] [ description text ]
    Remarks: By default, no outbound dynamic NAT rules exist.
  • Page 140: Configuring Nat Server

    Step: Add an address range to the address group.
    Command: address start-address end-address
    Remarks: By default, no address ranges exist. You can add multiple address ranges to an address group. The address ranges must not overlap.
    Step: Return to system view.
    Command: quit
    Step: Enter interface view.
    Command: interface interface-type...
  • Page 141: Configuring Load Sharing Nat Server

    Step Command Remarks • A single public address with a single or no public port: nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ] [ disable ] [ description text ]...
  • Page 142: Configuring Acl-Based Nat Server

    Step: Configure a NAT Server group and enter its view.
    Command: nat server-group group-id
    Remarks: By default, no NAT Server groups exist.
    Step: Add an internal server into the group.
    Command: inside ip inside-ip port port-number [ weight...
    Remarks: By default, no internal servers exist. You can add multiple...
  • Page 143: Configuring Dynamic Nat444

    Step: Enter system view.
    Command: system-view
    Step: Create a NAT port block group, and enter its view.
    Command: nat port-block-group group-id
    Remarks: By default, no port block groups exist.
    Step: Add a private IP address range to the port block...
    Command: local-ip-address start-address end-address
    Remarks: By default, no private IP address ranges exist. You can add multiple private IP address...
  • Page 144: Enabling Global Mapping Sharing For Dynamic Nat444

    Step: Configure port block parameters.
    Command: port-block block-size block-size [ extended-block-number extended-block-number ]
    Remarks: By default, no port block parameters exist. The configuration takes effect only on PAT translation mode.
    Step: Return to system view.
    Command: quit
    Step: Enter interface view.
    Command: interface interface-type interface-number
    Command: nat outbound [ ipv4-acl-number | name...
  • Page 145: Configuring Nat With Dns Mapping

    Step: Add a public IP address range to the NAT address group.
    Command: address start-address end-address
    Remarks: By default, no public IP address ranges exist. You can add multiple public IP address ranges to an address group, but they cannot overlap.
    Remarks: By default, the port range is 1 to 65535.
  • Page 146: Configuring Nat With Alg

    • In C/S mode, the destination IP address of the packet going to the internal server is translated by matching the NAT Server configuration. The source IP address is translated by matching the outbound dynamic or static NAT entries. NAT hairpin typically operates with NAT Server, outbound dynamic NAT, or outbound static NAT. They must be configured on interfaces of the same interface card.
  • Page 147: Configuring Nat444 User Logging

    Step: Enter system view.
    Command: system-view
    Step: Enable NAT logging.
    Command: nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]
    Remarks: By default, NAT logging is disabled.
    Step: Enable NAT session...
    Command:
    • For NAT session establishment events: nat log flow-begin
    •...
    Remarks: By default, NAT session...
  • Page 148: Configuring Nat Alarm Logging

    Configuring NAT alarm logging Packets that need to be translated are dropped if the system lacks NAT resources. In No-PAT, the NAT resources refer to the public IP addresses. In EIM PAT, the NAT resources refer to public IP addresses and ports. In NAT444, the NAT resources refer to public IP addresses, port blocks, or ports in port blocks.
  • Page 149: Enabling Nat Reply Redirection

    Step: Enable sending ICMP error messages for NAT failures.
    Command: nat icmp-error reply
    Remarks: By default, no ICMP error messages are sent for NAT failures.
    Enabling NAT reply redirection
    In some network scenarios, the inbound dynamic NAT is configured with tunneling, and multiple tunnel interfaces use the same NAT address group.
  • Page 150: Displaying And Maintaining Nat

    Displaying and maintaining NAT
    Execute display commands in any view and reset commands in user view.
    Task: Display the NAT with ALG status for all supported protocols.
    Command: display nat alg
    Task: Display all NAT configuration information.
    Command: display nat all
    Task: Display NAT address group information.
    Command: display nat address-group [ group-id ]
    Task: Display NAT with DNS mapping configuration.
  • Page 151: Nat Configuration Examples

    Task: Display the port block usage for dynamic NAT444 address groups (in standalone mode).
    Command: display nat port-block-usage [ address-group group-id ] [ slot slot-number ]
    Task: Display the port block usage for dynamic NAT444 address groups (in IRF mode).
    Command: display nat port-block-usage [ address-group group-id ]...
  • Page 152: Outbound Dynamic Nat Configuration Example (Non-Overlapping Addresses)

    Interfaces enabled with static NAT:
      Totally 1 interfaces enabled with static NAT.
      Interface: GigabitEthernet2/1/2
      Config status: Active
    # Display NAT session information.
    [Router] display nat session verbose
    Initiator:
      Source IP/port: 10.110.10.8/42496
      Destination IP/port: 202.38.1.111/2048
      DS-Lite tunnel peer: -
      VPN instance/VLAN ID/Inline ID: -/-/-
      Protocol: ICMP(1)
      Inbound interface: GigabitEthernet2/1/1
    Responder:...
  • Page 153

    Configuration procedure
    # Specify IP addresses for the interfaces on the router. (Details not shown.)
    # Configure address group 0, and add an address range from 202.38.1.2 to 202.38.1.3 to the group.
    <Router> system-view
    [Router] nat address-group 0
    [Router-address-group-0] address 202.38.1.2 202.38.1.3
    [Router-address-group-0] quit
    # Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to pass through.
  • Page 154 Mapping mode : Address and Port-Dependent : --- Config status: Active NAT ALG: : Enabled : Enabled H323 : Disabled ICMP-ERROR : Enabled : Disabled MGCP : Disabled : Disabled PPTP : Enabled RTSP : Enabled : Disabled SCCP : Disabled : Disabled SQLNET : Disabled...
  • Page 155: Outbound Bidirectional Nat Configuration Example

    Outbound bidirectional NAT configuration example Network requirements As shown in Figure 59, the private network where the Web server resides overlaps with the company private network 192.168.1.0/24. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow internal users to access the external Web server by using the server's domain name.
  • Page 156
    [Router-address-group-2] address 202.38.1.3 202.38.1.3
    [Router-address-group-2] quit
    # Enable inbound NO-PAT on interface GigabitEthernet 2/1/2 to translate the source IP address in the DNS reply payload into the address in address group 1, and allow reversible NAT.
    [Router] interface gigabitethernet 2/1/2
    [Router-GigabitEthernet2/1/2] nat inbound 2000 address-group 1 no-pat reversible
    # Enable outbound PAT on interface GigabitEthernet 2/1/2 to translate the source address of outgoing packets into the address in address group 2.
  • Page 157: Nat Server For External-To-Internal Access Configuration Example

    NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT mapping behavior: Mapping mode : Address and Port-Dependent : --- Config status: Active NAT ALG: : Enabled # Display NAT session information generated when Host A accesses the Web server.
  • Page 158 Configure the NAT Server feature to allow the external user to access the internal servers with public address 202.38.1.1/24. Figure 60 Network diagram Configuration procedure # Specify IP addresses for the interfaces on the router. (Details not shown.) # Enter interface view of GigabitEthernet 2/1/2. <Router>...
  • Page 159
    Local IP/port : 10.110.10.3/21
    Config status : Active
    Interface: GigabitEthernet2/1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/25
    Local IP/port : 10.110.10.4/25
    Config status : Active
    Interface: GigabitEthernet2/1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/80
    Local IP/port : 10.110.10.1/80
    Config status : Active
    Interface: GigabitEthernet2/1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/8080
    Local IP/port : 10.110.10.2/80...
  • Page 160: Nat Server For External-To-Internal Access Through Domain Name Configuration Example

    VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/1/1 State: TCP_ESTABLISHED Application: FTP Start time: 2012-08-15 14:53:29 TTL: 3597s Initiator->Responder: 7 packets 308 bytes Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT Server for external-to-internal access through domain name configuration example Network requirements As shown in...
  • Page 161
    [Router-acl-ipv4-basic-2000] rule permit source 10.110.10.2 0
    [Router-acl-ipv4-basic-2000] quit
    # Create address group 1.
    [Router] nat address-group 1
    # Add address 202.38.1.3 to the group.
    [Router-address-group-1] address 202.38.1.3 202.38.1.3
    [Router-address-group-1] quit
    # Configure NAT Server on interface GigabitEthernet 2/1/2 to map the address 202.38.1.1 to 10.110.10.3.
  • Page 162: Bidirectional Nat For External-To-Internal Nat Server Access Through Domain Name Configuration Example

    Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT mapping behavior: Mapping mode : Address and Port-Dependent : --- Config status: Active NAT ALG: : Enabled # Display NAT session information generated when Host accesses Web server. [Router] display nat session verbose Initiator: Source...
  • Page 163 Configure NAT to allow external host at 192.168.1.2 in the external network to use the domain name to access the internal Web server. Figure 62 Network diagram Requirements analysis To meet the network requirements, you must perform the following tasks: •...
  • Page 164
    [Router-address-group-2] quit
    # Configure NAT Server on interface GigabitEthernet 2/1/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4.
    [Router] interface gigabitethernet 2/1/2
    [Router-GigabitEthernet2/1/2] nat server protocol udp global 202.38.1.4 inside 192.168.1.3 dns
    # Enable outbound NO-PAT on interface GigabitEthernet 2/1/2 to translate IP address of the Web server in the DNS response payload into the address in address group 1, and allow reversible NAT.
  • Page 165 Port-preserved: N NO-PAT: Y Reversible: Y Config status: Active NAT internal server information: Totally 1 internal servers. Interface: GigabitEthernet2/1/2 Protocol: 17(UDP) Global IP/port: 202.38.1.4/53 Local IP/port : 200.1.1.3/53 Config status : Active NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active...
  • Page 166: Nat Hairpin In C/S Mode Configuration Example

    Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT hairpin in C/S mode configuration example Network requirements As shown in Figure 63, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses 202.38.1.1 and 202.38.1.2. Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.
  • Page 167
    # Enable outbound NAT with Easy IP on interface GigabitEthernet 2/1/2 so that NAT translates the source addresses of the packets from internal hosts into the IP address of interface GigabitEthernet 2/1/2.
    [Router-GigabitEthernet2/1/2] nat outbound 2000
    [Router-GigabitEthernet2/1/2] quit
    # Enable NAT hairpin on interface GigabitEthernet 2/1/1.
    [Router] interface gigabitethernet 2/1/1
    [Router-GigabitEthernet2/1/1] nat hairpin enable
    Verifying the configuration...
  • Page 168: Nat Hairpin In P2P Mode Configuration Example

    # Display NAT session information generated when Host A accesses the FTP server. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.2/1694 Destination IP/port: 202.38.1.2/21 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/1/1 Responder: Source IP/port: 192.168.1.4/21 Destination IP/port: 202.38.1.1/1025...
  • Page 169 Requirements analysis To meet the network requirements, you must perform the following tasks: • Configure outbound dynamic PAT on the interface connected to the external network, so the internal clients can access the external server for registration. • Configure the mapping behavior for PAT as Endpoint-Independent Mapping because the registered IP address and port number should be accessible for any source address.
  • Page 170: Twice Nat Configuration Example

    Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT hairpinning: Totally 1 interfaces enabled with NAT hairpinning. Interface: GigabitEthernet2/1/1 Config status: Active NAT mapping behavior: Mapping mode : Endpoint-Independent : 2000 Config status: Active # Display NAT session information generated when Client A accesses Client B. [Router] display nat session verbose Initiator: Source...
  • Page 171 Figure 65 Network diagram Requirements analysis This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device. Configuration procedure # Specify VPN instances and IP addresses for the interfaces on the router.
  • Page 172 Interfaces enabled with static NAT: Totally 2 interfaces enabled with static NAT. Interface: GigabitEthernet2/1/1 Config status: Active Interface: GigabitEthernet2/1/2 Config status: Active NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled...
  • Page 173: Load Sharing Nat Server Configuration Example

    Load sharing NAT Server configuration example Network requirements As shown in Figure 66, three FTP servers are in the intranet to provide FTP services for external users. Configure NAT so that these external users use the address 202.38.1.1/16 to access the servers and the three FTP servers implement load sharing.
  • Page 174
    Totally 1 internal servers.
    Interface: GigabitEthernet2/1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/21
    Local IP/port : server group 0
    10.110.10.1/21 (Connections: 1)
    10.110.10.2/21 (Connections: 2)
    10.110.10.3/21 (Connections: 2)
    Config status : Active
    NAT logging:
    Log enable : Disabled
    Flow-begin : Disabled
    Flow-end : Disabled
    Flow-active : Disabled...
  • Page 175: Nat With Dns Mapping Configuration Example

    NAT with DNS mapping configuration example Network requirements As shown in Figure 67, the internal Web server at 10.110.10.1/16 and FTP server at 10.110.10.2/16 provide services for external user. The company has three public addresses 202.38.1.1 through 202.38.1.3. The DNS server at 202.38.1.4 is on the external network. Configure NAT so that: •...
  • Page 176
    [Router-GigabitEthernet2/1/2] quit
    # Configure two DNS mapping entries by mapping the domain name www.server.com of the Web server to 202.38.1.2, and ftp.server.com of the FTP server to 202.38.1.2.
    [Router] nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port http
    [Router] nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp
    [Router] quit
    Verifying the configuration
    # Verify that both internal and external hosts can access the internal servers by using domain names.
  • Page 177: Static Nat444 Configuration Example

    Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent : --- Config status: Active NAT ALG: : Enabled Static NAT444 configuration example Network requirements As shown in Figure...
  • Page 178
    [Router] interface gigabitethernet 2/1/2
    [Router-GigabitEthernet2/1/2] nat outbound port-block-group 1
    [Router-GigabitEthernet2/1/2] quit
    Verifying the configuration
    # Verify that users at the private IP addresses can access the Internet. (Details not shown.)
    # Display all NAT configuration and statistics.
    [Router] display nat all
    NAT logging:
    Log enable : Disabled...
  • Page 179: Dynamic Nat444 Configuration Example

    10.110.10.5 202.38.1.100 12001-12500
    10.110.10.6 202.38.1.100 12501-13000
    10.110.10.7 202.38.1.100 13001-13500
    10.110.10.8 202.38.1.100 13501-14000
    10.110.10.9 202.38.1.100 14001-14500
    10.110.10.10 202.38.1.100 14501-15000

    Dynamic NAT444 configuration example
    Network requirements
    As shown in Figure 69, a company uses private IP addresses on network 192.168.0.0/16 and public IP addresses 202.38.1.2 and 202.38.1.3.
  • Page 180: Display Nat Statistics

    # Configure outbound NAT444 on interface GigabitEthernet 2/1/2.
    [Router] interface gigabitethernet 2/1/2
    [Router-GigabitEthernet2/1/2] nat outbound 2000 address-group 0
    [Router-GigabitEthernet2/1/2] quit
    Verifying the configuration
    # Verify that Host A can access external servers, but Host B and Host C cannot. (Details not shown.)
    # Display all NAT configuration and statistics.
  • Page 181: Ds-Lite Nat444 Configuration Example

    Total dynamic port block entries: 430 Active static port block entries: 0 Active dynamic port block entries: 1 DS-Lite NAT444 configuration example Network requirements As shown in Figure 70, configure DS-Lite tunneling and NAT to allow the DS-Lite host to access the IPv4 network over the IPv6 network.
  • Page 182
    [Router-address-group-0] port-block block-size 300
    [Router-address-group-0] quit
    # Configure an IPv6 ACL to identify packets from subnet 1::/64.
    [Router] acl ipv6 basic 2100
    [Router-acl-ipv4-basic-2100] rule permit source 1::/64
    [Router-acl-ipv4-basic-2100] quit
    # Configure DS-Lite NAT444 on GigabitEthernet 2/1/1.
    [Router] interface gigabitethernet 2/1/1
    [Router-GigabitEthernet2/1/1] nat outbound ds-lite-b4 2100 address-group 0
    [Router-GigabitEthernet2/1/1] quit
    Configure the DS-Lite host:...
  • Page 183: Nat444 Gateway Unified With Bras Device Configuration Example

    # Verify that a NAT444 mapping has been created for the DS-Lite host.
    [Router] display nat port-block dynamic ds-lite-b4
    Local VPN | DS-Lite B4 addr | Global IP | Port block | Connections
    1::1 20.1.1.11 1024-1323
    Total entries found: 1

    NAT444 gateway unified with BRAS device configuration example
    Network requirements
    As shown in...
  • Page 184
    # Create ISP domain cgn.
    [Router] domain cgn
    # Specify RADIUS scheme rad for PPP user authentication, authorization, and accounting.
    [Router-isp-cgn] authentication ppp radius-scheme rad
    [Router-isp-cgn] authorization ppp radius-scheme rad
    [Router-isp-cgn] accounting ppp radius-scheme rad
    # Specify the user address type as private IPv4 address.
    [Router-isp-cgn] user-address-type private-ipv4
    [Router-isp-cgn] quit
    # Create a PPP address pool and add IP addresses 10.210.0.2 to 10.210.0.255 to the pool.
  • Page 185: Basic Ip Forwarding On The Device

    Basic IP forwarding on the device The device uses the destination IP address of a received packet to find a match from the forwarding information base (FIB) table. It then uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table.
  • Page 186
    Task | Command
    Display FIB entries. | display fib [ topology topology-name | vpn-instance vpn-instance-name ] [ ip-address [ mask | mask-length ] ]...
  • Page 187: Configuring Load Sharing

    Configuring load sharing If a routing protocol finds multiple equal-cost best routes to the same destination, the device forwards packets over the equal-cost routes to implement load sharing. Configuring per-packet or per-flow load sharing Load sharing can be implemented in one of the following ways: •...
  • Page 188
    Step | Command | Remarks
    Configure the expected bandwidth of the interface. | bandwidth bandwidth | By default, the expected bandwidth is the physical bandwidth of the interface.
  • Page 189: Configuring Fast Forwarding

    Configuring fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: source IP address, source port number, destination IP address, destination port number, and protocol number.
  • Page 190: Displaying And Maintaining Fast Forwarding

    Displaying and maintaining fast forwarding
    Execute display commands in any view and reset commands in user view.
    Task | Command
    Display fast forwarding entries (in standalone mode). | display ip fast-forwarding cache [ ip-address ] [ slot slot-number ]
    Display fast forwarding entries (in IRF mode). | display ip fast-forwarding cache [ ip-address ]
  • Page 191: Configuring Flow Classification

    Configuring flow classification To implement differentiated services, flow classification categorizes packets to be forwarded by a multicore device according to one of the following flow classification policies: • Flow-based policy—Forwards packets of a flow to the same CPU. A data flow is defined by using the following fields: source IP address, destination IP address, source port number, destination port number, and protocol number.
  • Page 192: Displaying The Adjacency Table

    Displaying the adjacency table The adjacency table stores information about directly connected neighbors for IP forwarding. The neighbor information in this chapter refers to non-Ethernet neighbor information. This table is not user configurable. The neighbor information is generated, updated, and deleted by link layer protocols through negotiation (such as PPP dynamic negotiation) or through manual configuration.
  • Page 193
    Task | Command
    Display IPv4 adjacency table information (in standalone mode). | display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | slot slot-number } [ count | verbose ]
    Display IPv4 adjacency table information (in IRF mode). | display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type
  • Page 194: Configuring Irdp

    Configuring IRDP
    The term "router" in this chapter refers to a routing-capable device. The term "host" in this chapter refers to a host that supports IRDP, for example, a host that runs the Linux operating system.

    Overview
    ICMP Router Discovery Protocol (IRDP), an extension of ICMP, is independent of any routing protocol.
  • Page 195: Protocols And Standards

    Advertising interval A router interface with IRDP enabled sends out RAs randomly between the minimum and maximum advertising intervals. This mechanism prevents the local link from being overloaded by a large number of RAs sent simultaneously from routers. As a best practice, shorten the advertising interval on a link that suffers high packet loss rates. Destination address of RAs An RA uses either of the following destination IP addresses: •...
  • Page 196: Irdp Configuration Example

    Step | Command | Remarks
    (Optional.) Specify the multicast address 224.0.0.1 as the destination IP address of RAs. | ip irdp multicast | By default, RAs use the broadcast address 255.255.255.255 as the destination IP address.
    Repeat this step to specify multiple proxy-advertised IP addresses. (Optional.) Specify a By default, no IP address is ip irdp address ip-address...
  • Page 197: Verifying The Configuration

    # Specify the multicast address 224.0.0.1 as the destination IP address for RAs sent by GigabitEthernet 2/1/1.
    [RouterA-GigabitEthernet2/1/1] ip irdp multicast
    # Specify the IP address 192.168.1.0 and preference 400 for GigabitEthernet 2/1/1 to proxy-advertise.
    [RouterA-GigabitEthernet2/1/1] ip irdp address 192.168.1.0 400
    Configure Router B:
    # Specify an IP address for GigabitEthernet 2/1/1.
  • Page 198: Optimizing Ip Performance

    Optimizing IP performance A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation. Enabling an interface to receive and forward directed broadcasts destined for the directly connected network A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
  • Page 199: Setting Mtu For An Interface

    Figure 73 Network diagram
    Configuration procedure
    Configure Router A:
    # Specify IP addresses for GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2.
    <RouterA> system-view
    [RouterA] interface gigabitethernet 2/1/1
    [RouterA-GigabitEthernet2/1/1] ip address 1.1.1.2 24
    [RouterA-GigabitEthernet2/1/1] quit
    [RouterA] interface gigabitethernet 2/1/2
    [RouterA-GigabitEthernet2/1/2] ip address 2.2.2.2 24
    # Enable GigabitEthernet 2/1/2 to forward directed broadcasts destined for the directly connected network.
  • Page 200: Setting Tcp Mss For An Interface

    Step | Command | Remarks
    Set the MTU for the interface. | ip mtu mtu-size | By default, the MTU is not set.

    Setting TCP MSS for an interface
    The maximum segment size (MSS) option informs the receiver of the largest segment that the sender can accept.
  • Page 201: Enabling Tcp Syn Cookie

    Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU is 72 bytes. After you enable TCP path MTU discovery, all new TCP connections will detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation. The path MTU uses the following aging mechanism to ensure that the source device can increase the path MTU when the minimum link MTU on the path increases: •...
  • Page 202: Setting Tcp Timers

    Step | Command | Remarks
    Set the size of TCP receive/send buffer. | tcp window window-size | The default buffer size is 63 KB.

    Setting TCP timers
    You can set the following TCP timers:
    • SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response is received within the SYN wait timer, or the upper limit on TCP connection tries is reached, TCP fails to establish the connection.
  • Page 203 When the device receives the first fragment of an IP datagram destined for it, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source. •...
  • Page 204: Disabling Forwarding Icmp Fragments

    To prevent such problems, you can disable the device from sending ICMP error messages. A device that is disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages. However, it can still send ICMP fragment reassembly time exceeded messages.

    Disabling forwarding ICMP fragments
    Disabling forwarding ICMP fragments can protect your device from ICMP fragment attacks.
  • Page 205: Enabling Ipv4 Local Fragment Reassembly

    Step | Command | Remarks
    Specify the source address for outgoing ICMP packets. | ip icmp source [ vpn-instance vpn-instance-name ] ip-address | By default, the device uses the IP address of the sending interface as the source IP address for outgoing ICMP packets.

    Enabling IPv4 local fragment reassembly
    Perform this task to enable the local reassembly feature for IPv4 fragments that are destined for the local device.
  • Page 206
    Task | Command
    Display the usage of non-well known ports for TCP proxy (in standalone mode). | display tcp-proxy port-info slot slot-number
    Display the usage of non-well known ports for TCP proxy (in IRF mode). | display tcp-proxy port-info chassis chassis-number slot slot-number
    Display detailed information about TCP connections (in standalone mode). | display tcp verbose [ slot slot-number [ pcb
  • Page 207: Configuring Udp Helper

    Configuring UDP helper Overview UDP helper can provide the following packet conversion for packets with specific UDP destination port numbers: • Convert broadcast to unicast, and forward the unicast packets to specific destinations. • Convert broadcast to multicast, and forward the multicast packets. •...
  • Page 208: Configuring Udp Helper To Convert Broadcast To Multicast

    Step | Command | Remarks
    Specify a destination server for UDP helper to convert broadcast to | udp-helper server ip-address [ global | vpn-instance vpn-instance-name ] | By default, no destination server is specified. If you specify multiple destination servers, UDP helper creates one copy for each server.
  • Page 209: Configuring Udp Helper To Convert Multicast To Broadcast Or Unicast

    Configuring UDP helper to convert multicast to broadcast or unicast You can configure UDP helper to convert multicast packets with specific UDP port numbers and multicast addresses to broadcast or unicast packets. Upon receiving a UDP multicast packet, UDP helper uses the configured UDP ports to match the UDP destination port number of the packet.
  • Page 210: Udp Helper Configuration Examples

    UDP helper configuration examples Configuring UDP helper to convert broadcast to unicast Network requirements As shown in Figure 74, configure UDP helper to convert broadcast to unicast on GigabitEthernet 2/1/1 of Router A. This feature enables Router A to forward broadcast packets with UDP destination port 55 to the destination server 10.2.1.1/16.
  • Page 211 Figure 75 Network diagram
    Configuration procedure
    Make sure Router A can reach the subnet 10.2.0.0/16.
    # Enable UDP helper.
    <RouterA> system-view
    [RouterA] udp-helper enable
    # Enable the UDP port 55 for UDP helper.
    [RouterA] udp-helper port 55
    # Configure UDP helper to convert broadcast packets to multicast packets destined for 225.1.1.1 on GigabitEthernet 2/1/1.
  • Page 212: Configuring Udp Helper To Convert Multicast To Broadcast

    Configuring UDP helper to convert multicast to broadcast Network requirements As shown in Figure 76, GigabitEthernet 2/1/1 of Router B is a member of the multicast group 225.1.1.1. Configure UDP helper to convert multicast to broadcast on GigabitEthernet 2/1/1 of Router A. This feature enables Router A to forward multicast packets from Router B to all hosts on 10.110.0.0/16.
  • Page 213: Configuring Basic Ipv6 Settings

    Configuring basic IPv6 settings Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
  • Page 214: Ipv6 Addresses

    • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router. To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).
  • Page 215 • Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Broadcast addresses are replaced by multicast addresses in IPv6. •...
  • Page 216: Ipv6 Nd Protocol

    duplicate addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.
  • Page 217
    ICMPv6 message | Type | Function
    Router Advertisement (RA): Responds to an RS message. Advertises information, such as the Prefix Information options and flag bits.
    Redirect: Informs the source host of a better next hop on the path to a particular destination when certain conditions are met.

    Address resolution
    This function is similar to ARP in IPv4.
  • Page 218: Ipv6 Path Mtu Discovery

    Figure 80 Duplicate address detection (labels: Host A, Host B, 2000::1)
    ICMPv6 type = 135, Src = ::, Dst = FF02::1:FF00:1
    ICMPv6 type = 136, Src = 2000::1, Dst = FF02::1
    Host A sends an NS message. The source address is the unspecified address and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected.
  • Page 219: Ipv6 Transition Technologies

    Figure 81 Path MTU discovery process The source host sends a packet no larger than its MTU to the destination host. If the MTU of a device's output interface is smaller than the packet, the device performs the following operations: Discards the packet.
  • Page 220: 6Pe

    6PE enables communication between isolated IPv6 networks over an IPv4 backbone network. 6PE adds labels to the IPv6 routing information about customer networks and advertises the information into the IPv4 backbone network over internal Border Gateway Protocol (IBGP) sessions. IPv6 packets are labeled and forwarded over tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS LSPs.
  • Page 221: Assigning Ipv6 Addresses To Interfaces

    Tasks at a glance (Optional.) Configuring IPv6 • Configuring a static neighbor entry • Setting the maximum number of dynamic neighbor entries • Setting the aging timer for ND entries in stale state • Minimizing link-local ND entries • Setting the hop limit •...
  • Page 222 takes effect. However, it does not overwrite the automatically generated address. If you delete the manually configured global unicast address, the device uses the automatically generated one. EUI-64 IPv6 address To configure an interface to generate an EUI-64 IPv6 address: Step Command Remarks...
  • Page 223 • Public IPv6 address—Includes the address prefix in the RA message and a fixed interface ID generated based on the MAC address of the interface. • Temporary IPv6 address—Includes the address prefix in the RA message and a random interface ID generated through MD5. You can also configure the interface to preferentially use the temporary IPv6 address as the source address of sent packets.
  • Page 224: Configuring An Ipv6 Link-Local Address

    Step | Command | Remarks
    Configure an IPv6 prefix. | • (Method 1) Configure a static IPv6 prefix: ipv6 prefix prefix-number ipv6-prefix/prefix-length • (Method 2) Use DHCPv6 to obtain a dynamic IPv6 prefix: For more information about IPv6 prefix acquisition, see "Configuring the DHCPv6 client." | By default, no static or dynamic IPv6 prefixes exist....
  • Page 225: Configuring An Ipv6 Anycast Address

    Manually specifying an IPv6 link-local address for an interface
    Step | Command | Remarks
    Enter system view. | system-view
    Enter interface view. | interface interface-type interface-number
    Manually specify an IPv6 link-local address for the | ipv6 address ipv6-address link-local | By default, no link-local address is configured on an interface.
  • Page 226: Setting The Maximum Number Of Dynamic Neighbor Entries

    If you use Method 2, make sure the Layer 2 port belongs to the specified VLAN and the corresponding VLAN interface already exists. The device associates the VLAN interface with the neighbor IPv6 address to identify the static neighbor entry. To configure a static neighbor entry: Step Command...
  • Page 227: Setting The Hop Limit

    By default, the device assigns all ND entries to the driver. With this feature enabled, the device does not add newly learned link-local ND entries whose link local addresses are not the next hop of any route into the driver. This saves driver resources. This feature takes effect only on newly learned link-local ND entries.
  • Page 228
    Parameter | Description
    Router Lifetime | Tells the receiving hosts how long the advertising router can live. If the lifetime of a router is 0, the router cannot be used as the default gateway.
    Retrans Timer | If the device does not receive a response message within the specified time after sending an NS message, it retransmits the NS message.
  • Page 229: Setting The Maximum Number Of Attempts To Send An Ns Message For Dad

    Step Command Remarks By default, no prefix information is configured for RA messages, and the IPv6 address of the interface sending RA messages is used as the prefix ipv6 nd ra prefix { ipv6-prefix information. If the IPv6 address is Configure the prefix prefix-length | manually configured, the prefix uses a...
  • Page 230: Enabling Nd Proxy

    Step | Command | Remarks
    Enter interface view. | interface interface-type interface-number
    Set the number of attempts to send an NS message for DAD. | ipv6 nd dad attempts interval | The default setting is 1. When the interval argument is set to 0, DAD is disabled.
  • Page 231: Configuring Ipv6 Nd Suppression

    Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they belong to different VLANs. To solve this problem, enable local ND proxy on GigabitEthernet 2/1/2 of the router so that the router can forward messages between Host A and Host B.
  • Page 232: Configuring Ipv6 Nd Direct Route Advertisement

    Figure 85 Typical application
    To configure the IPv6 ND suppression feature:
    Step | Command | Remarks
    Enter system view. | system-view
    Configure a cross-connect group and enter its view. | xconnect-group group-name | By default, no cross-connect groups exist. For more information about the command, see MPLS Command Reference.
  • Page 233: Configuring Path Mtu Discovery

    Figure 86 Typical application
    To configure ND direct route advertisement:
    Step: Enter system view.
      Command: system-view
    Step: Configure an L3VE interface and enter its view.
      Command: interface ve-l3vpn interface-number
      Remarks: By default, no L3VE interfaces exist. For more information about the command, see MPLS Command Reference.
  • Page 234: Setting A Static Path Mtu For An Ipv6 Address

    Setting a static path MTU for an IPv6 address You can set a static path MTU for an IPv6 address. Before sending a packet to the IPv6 address, the device compares the MTU of the output interface with the static path MTU. If the packet exceeds the smaller one of the two values, the device fragments the packet according to the smaller value.
  • Page 235: Enabling Replying To Multicast Echo Requests

    Step Command Remarks Enter system view. system-view By default, the bucket allows a maximum of 10 tokens. A token Set the bucket size and the is placed in the bucket at an interval for tokens to arrive in ipv6 icmpv6 error-interval interval of 100 milliseconds.
  • Page 236: Enabling Sending Icmpv6 Time Exceeded Messages

    Enabling sending ICMPv6 time exceeded messages
    The device sends the source ICMPv6 time exceeded messages as follows:
    • If a received packet is not destined for the device and its hop limit is 1, the device sends an ICMPv6 hop limit exceeded in transit message to the source.
    •...
  • Page 237: Enabling Ipv6 Local Fragment Reassembly

    Step: Enter system view.
      Command: system-view
    Step: Specify an IPv6 address as the source address for outgoing ICMPv6 packets.
      Command: ipv6 icmpv6 source [ vpn-instance vpn-instance-name ] ipv6-address
      Remarks: By default, the device uses the IPv6 address of the sending interface as the source IPv6 address for outgoing ICMPv6 packets.
  • Page 238: Enabling A Device To Discard Ipv6 Packets That Contain Extension Headers

    Enabling a device to discard IPv6 packets that contain extension headers This feature enables a device to discard a received IPv6 packet in which the extension headers cannot be processed by the device. To enable a device to discard IPv6 packets that contain extension headers: Step Command Remarks...
  • Page 239
    Task: Display IPv6 and ICMPv6 statistics (in standalone mode).
      Command: display ipv6 statistics [ slot slot-number ]
    Task: Display IPv6 and ICMPv6 statistics (in IRF mode).
      Command: display ipv6 statistics [ chassis chassis-number slot slot-number ]
    Task: Display brief information about IPv6 RawIP connections (in standalone mode).
      Command: display ipv6 rawip [ slot slot-number ]
  • Page 240: Ipv6 Configuration Examples

    Task: Display IPv6 UDP traffic statistics (in standalone mode).
      Command: display udp statistics [ slot slot-number ]
    Task: Display IPv6 UDP traffic statistics (in IRF mode).
      Command: display udp statistics [ chassis chassis-number slot slot-number ]
    Task: Clear ND suppression entries (in standalone mode).
      Command: reset ipv6 nd suppression xconnect-group [ name
  • Page 241
    [RouterA-GigabitEthernet2/1/2] ipv6 address 2001::1/64
    [RouterA-GigabitEthernet2/1/2] undo ipv6 nd ra halt
    [RouterA-GigabitEthernet2/1/2] quit
    Configure Router B:
    # Configure a global unicast address for interface GigabitEthernet 2/1/1.
    <RouterB> system-view
    [RouterB] interface gigabitethernet 2/1/1
    [RouterB-GigabitEthernet2/1/1] ipv6 address 3001::2/64
    [RouterB-GigabitEthernet2/1/1] quit
    # Configure an IPv6 static route to the host.
    [RouterB] ipv6 route-static 2001:: 64 3001::1
    Configure the host:
    Enable IPv6 on the host to automatically obtain an IPv6 address through IPv6 ND.
  • Page 242
    ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards:
    [RouterA] display ipv6 interface gigabitethernet 2/1/2
    GigabitEthernet2/1/2 current state: UP
    Line protocol current state: UP
    IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
    Global unicast address(es):
    2001::1, subnet is 2001::/64
    Joined group address(es):...
  • Page 243
    InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards:
    # Display IPv6 interface information on Router B.
    [RouterB] display ipv6 interface gigabitethernet 2/1/1
    GigabitEthernet2/1/1 current state: UP
    Line protocol current state: UP
    IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234
    Global unicast address(es):
    3001::2, subnet is 3001::/64...
  • Page 244: Ipv6 Nd Suppression Configuration Example

    OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards:
    # Ping Router A and Router B from the host, and ping Router A and the host from Router B to verify that they can reach each other.
    NOTE: To ping a link-local address, use the -i parameter to specify an interface for the link-local address.
  • Page 245: Troubleshooting Ipv6 Basics Configuration

    Configuration procedure Configure IPv6 addresses for the interfaces as shown in Figure 88. Make sure the base station can reach the L3VE interface of Router B. (Details not shown.) Configure IPv6 ND suppression: # Create a cross-connect group named vpna. <RouterA>...
  • Page 246: Dhcpv6 Overview

    DHCPv6 overview
    DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
    DHCPv6 address/prefix assignment
    An address/prefix assignment process involves two or four messages.
    Rapid assignment involving two messages
    As shown in Figure 89, rapid assignment operates in the following steps: The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
  • Page 247: Address/Prefix Lease Renewal

    Figure 90 Assignment involving four messages Address/prefix lease renewal An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
  • Page 248: Stateless Dhcpv6

    Stateless DHCPv6 Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration: •...
  • Page 249: Configuring The Dhcpv6 Server

    Configuring the DHCPv6 server Overview A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients. IPv6 address assignment As shown in Figure 94, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients include the following types: •...
  • Page 250: Concepts

    Concepts
    Multicast addresses used by DHCPv6
    DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.
    DUID
    A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).
  • Page 251: Ipv6 Address/Prefix Allocation Sequence

    Address allocation mechanisms DHCPv6 supports the following address allocation mechanisms: • Static address allocation—To implement static address allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the DHCPv6 address pool.
  • Page 252: Configuration Task List

    Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client. Assignable IPv6 address/prefix in the address pool/prefix pool. IPv6 address/prefix that was a conflict or passed its lease duration. If no IPv6 address/prefix is assignable, the server does not respond. If a client moves to another subnet, the DHCPv6 server selects an IPv6 address/prefix from the address pool that matches the new subnet.
  • Page 253: Configuration Procedure

    Configuration procedure To configure IPv6 prefix assignment: Step Command Remarks Enter system view. system-view By default, no IPv6 prefixes in the prefix pool are excluded from dynamic assignment. (Optional.) Specify the ipv6 dhcp server forbidden-prefix IPv6 prefixes excluded start-prefix/prefix-len If the excluded IPv6 prefix is in a from dynamic [ end-prefix/prefix-len ] [ vpn-instance static binding, the prefix still can...
  • Page 254: Configuration Guidelines

    If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client. If you only bind a DUID to an IPv6 address, the DUID in a request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.
  • Page 255: Configuring Network Parameters Assignment

    Step Command Remarks By default, no IPv6 address subnet is specified. network { prefix/prefix-length | The IPv6 subnets cannot be the prefix prefix-number same in different address pools. Specify an IPv6 subnet for [ sub-prefix/sub-prefix-length ] } dynamic assignment. If you specify an IPv6 prefix by [ preferred-lifetime its ID, make sure the IPv6 prefix preferred-lifetime valid-lifetime...
  • Page 256: Configuring Network Parameters In A Dhcpv6 Option Group

    Step Command Remarks By default, no IPv6 subnet is specified. The IPv6 subnets cannot be network { prefix/prefix-length | prefix the same in different address prefix-number Specify an IPv6 subnet for pools. [ sub-prefix/sub-prefix-length ] } dynamic assignment. If you specify an IPv6 prefix [ preferred-lifetime preferred-lifetime by its ID, make sure the IPv6 valid-lifetime valid-lifetime ]...
  • Page 257: Configuring A Dhcpv6 Policy For Ipv6 Address And Prefix Assignment

    Step: Specify a DHCPv6 option group.
      Command: option group option-group-number
      Remarks: By default, no DHCPv6 option group is specified.
    Configuring a DHCPv6 policy for IPv6 address and prefix assignment
    In a DHCPv6 policy, each DHCPv6 user class has a bound DHCPv6 address pool. Clients matching different user classes obtain IPv6 addresses, IPv6 prefixes, and other parameters from different address pools.
  • Page 258: Configuring The Dhcpv6 Server On An Interface

    Configuring the DHCPv6 server on an interface
    Enable the DHCP server and configure one of the following address/prefix assignment methods on an interface:
    • Apply an address pool on the interface—The DHCPv6 server selects an IPv6 address/prefix from the applied address pool for a requesting client. If there is no assignable IPv6 address/prefix in the address pool, the DHCPv6 server cannot assign an IPv6 address/prefix to a client.
  • Page 259: Setting The Dscp Value For Dhcpv6 Packets Sent By The Dhcpv6 Server

    Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server: Step Command Remarks...
  • Page 260: Advertising Subnets Assigned To Clients

    Advertising subnets assigned to clients This feature enables the route management module to advertise subnets assigned to DHCPv6 clients. This feature achieves symmetric routing for traffic of the same host. As shown in Figure 97, Router A and Router B act as both the DHCPv6 server and the BRAS device. The BRAS devices send accounting packets to the RADIUS server.
  • Page 261: Enabling Dhcpv6 Logging On The Dhcpv6 Server

    The VPN information from authentication modules takes priority over the VPN information of the receiving interface. To apply a DHCPv6 address pool to a VPN instance: Step Command Remarks Enter system view. system-view Create an address pool and By default, no DHCPv6 address ipv6 dhcp pool pool-name enter its view.
  • Page 262: Dhcpv6 Server Configuration Examples

    Task: Display information about expired IPv6 addresses.
      Command: display ipv6 dhcp server expired [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
    Task: Display information about IPv6 address bindings.
      Command: display ipv6 dhcp server ip-in-use [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
  • Page 263
    Configuration procedure
    # Specify an IPv6 address for GigabitEthernet 2/1/1.
    <Router> system-view
    [Router] interface gigabitethernet 2/1/1
    [Router-GigabitEthernet2/1/1] ipv6 address 1::1/64
    # Disable RA message suppression on GigabitEthernet 2/1/1.
    [Router-GigabitEthernet2/1/1] undo ipv6 nd ra halt
    # Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/1/1. Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6.
  • Page 264: Dynamic Ipv6 Address Assignment Configuration Example

    Rapid-commit: Enabled
    # Display information about address pool 1.
    [Router-GigabitEthernet2/1/1] display ipv6 dhcp pool 1
    DHCPv6 pool: 1
    Network: 1::/64
    Preferred lifetime 604800, valid lifetime 2592000
    Prefix pool: 1
    Preferred lifetime 86400, valid lifetime 259200
    Static bindings:
    DUID: 00030001ca0006a4
    IAID: Not configured
    Prefix: 2001:410:201::/48
    Preferred lifetime 86400, valid lifetime 259200
    DNS server addresses:...
  • Page 265 On Router A, configure the IPv6 address 1::1:0:0:1/96 for GigabitEthernet 2/1/1 and 1::2:0:0:1/96 for GigabitEthernet 2/1/2. The lease duration of the addresses on subnet 1::1:0:0:0/96 is 172800 seconds (two days), the valid time is 345600 seconds (four days), the domain name is aabbcc.com, and the DNS server address is 1::1:0:0:2/96.
  • Page 266
    [RouterA] interface gigabitethernet 2/1/1
    [RouterA-GigabitEthernet2/1/1] ipv6 dhcp select server
    [RouterA-GigabitEthernet2/1/1] quit
    [RouterA] interface gigabitethernet 2/1/2
    [RouterA-GigabitEthernet2/1/2] ipv6 dhcp select server
    [RouterA-GigabitEthernet2/1/2] quit
    # Exclude the DNS server address from dynamic assignment.
    [RouterA] ipv6 dhcp server forbidden-address 1::1:0:0:2
    [RouterA] ipv6 dhcp server forbidden-address 1::2:0:0:2
    # Create DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::1:0:0:0/96.
  • Page 267: Configuring The Dhcpv6 Relay Agent

    Configuring the DHCPv6 relay agent Overview A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 100, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server.
  • Page 268: Dhcpv6 Relay Agent Configuration Task List

    Figure 101 Operating process of a DHCPv6 relay agent (messages exchanged among the DHCPv6 client, DHCPv6 relay agent, and DHCPv6 server: (1) Solicit (contains a Rapid Commit option), (2) Relay-forward, (3) Relay-reply, (4) Reply)
    DHCPv6 relay agent configuration task list
    Tasks at a glance
    (Required.) Enabling the DHCPv6 relay agent on an interface
    (Required.) Specifying DHCPv6 servers on the relay agent
    (Optional.)
  • Page 269: Setting The Dscp Value For Dhcpv6 Packets Sent By The Dhcpv6 Relay Agent

    Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no DHCPv6 server is specified. If a DHCPv6 server address is a ipv6 dhcp relay server-address link-local address or multicast Specify a DHCPv6 server. ipv6-address [ interface address, you must specify an interface-type interface-number ] outgoing interface by using the...
  • Page 270: Configuring A Dhcpv6 Relay Address Pool

    Configuring a DHCPv6 relay address pool This feature allows DHCPv6 clients of the same type to obtain IPv6 addresses and other configuration parameters from the DHCPv6 servers specified in the matching relay address pool. It applies to scenarios where the DHCPv6 relay agent connects to clients of the same access type but classified into different types by their locations.
  • Page 271: Displaying And Maintaining The Dhcpv6 Relay Agent

    Step: Enter interface view.
      Command: interface interface-type interface-number
    Step: Specify a gateway address for DHCPv6 clients.
      Command: ipv6 dhcp relay gateway ipv6-address
      Remarks: By default, the DHCPv6 relay agent uses the first IPv6 address of the relay interface as the clients' gateway address.
    Displaying and maintaining the DHCPv6 relay agent
    Execute display commands in any view and reset commands in user view.
  • Page 272: Configuration Procedure

    Configuration procedure
    # Specify IPv6 addresses for GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2.
    <RouterA> system-view
    [RouterA] interface gigabitethernet 2/1/2
    [RouterA-GigabitEthernet2/1/2] ipv6 address 2::1 64
    [RouterA-GigabitEthernet2/1/2] quit
    [RouterA] interface gigabitethernet 2/1/1
    [RouterA-GigabitEthernet2/1/1] ipv6 address 1::1 64
    # Disable RA message suppression on GigabitEthernet 2/1/1.
    [RouterA-GigabitEthernet2/1/1] undo ipv6 nd ra halt
    # Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2/1/1.
  • Page 273 Relay-forward Relay-reply...
  • Page 274: Configuring The Dhcpv6 Client

    Configuring the DHCPv6 client Overview With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server. A DHCPv6 client can use DHCPv6 to complete the following functions: • Obtain an IPv6 address, an IPv6 prefix, or both, and obtain other configuration parameters. If DHCPv6 server is enabled on the device, the client can automatically save the obtained parameters to a DHCPv6 option group.
  • Page 275: Configuring Ipv6 Prefix Acquisition

    Step: Configure the interface to use DHCPv6 to obtain an IPv6 address and other configuration parameters.
      Command: ipv6 address dhcp-alloc [ option-group group-number | rapid-commit ] *
      Remarks: By default, the interface does not use DHCPv6 for IPv6 address acquisition.
    Configuring IPv6 prefix acquisition
    Step Command...
  • Page 276: Configuring The Dhcpv6 Client Duid

    Configuring the DHCPv6 client DUID The DUID of a DHCPv6 client is the globally unique identifier of the client. The client pads its DUID into Option 1 of the DHCPv6 packet that it sends to the DHCPv6 server. The DHCPv6 server can assign specific IPv6 addresses or prefixes to DHCPv6 clients with specific DUIDs.
  • Page 277: Dhcpv6 Client Configuration Examples

    DHCPv6 client configuration examples IPv6 address acquisition configuration example Network requirements As shown in Figure 103, configure GigabitEthernet 2/1/1 of the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, DNS server address, domain name suffix, SIP server address, and SIP server domain name. Figure 103 Network diagram DHCPv6 server GE2/1/1...
  • Page 278: Ipv6 Prefix Acquisition Configuration Example

    Domain name: example.com
    SIP server addresses: 2:2::4
    SIP server domain names: bbb.com
    # After DHCPv6 server is enabled on the device, verify that configuration parameters are saved in a dynamic DHCPv6 option group.
    [Router-GigabitEthernet2/1/1] display ipv6 dhcp option-group 1
    DHCPv6 option group: 1
    DNS server addresses:
    Type: Dynamic (DHCPv6 address allocation)
    Interface: GigabitEthernet2/1/1...
  • Page 279
    Figure 104 Network requirements
    Configuration procedure
    You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."
    # Configure an IPv6 address for GigabitEthernet 2/1/1 that connects to the DHCPv6 server.
    <Router>...
  • Page 280: Ipv6 Address And Prefix Acquisition Configuration Example

    # Verify that the client has obtained an IPv6 prefix.
    [Router] display ipv6 prefix 1
    Number: 1
    Type : Dynamic
    Prefix: 12:34::/48
    Preferred lifetime 100 sec, valid lifetime 200 sec
    # After DHCPv6 server is enabled on the device, verify that configuration parameters are saved in a dynamic DHCPv6 option group.
  • Page 281
    Configuration procedure
    You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."
    # Configure an IPv6 address for GigabitEthernet 2/1/1 that connects to the DHCPv6 server.
    <Router> system-view
    [Router] interface gigabitethernet 2/1/1
    [Router-GigabitEthernet2/1/1] ipv6 address 1::2/48
    # Configure GigabitEthernet 2/1/1 to use DHCPv6 for IPv6 address and prefix acquisition.
  • Page 282: Stateless Dhcpv6 Configuration Example

    # Display information about the dynamic IPv6 prefix. The output shows that the client has obtained an IPv6 prefix.
    [Router] display ipv6 prefix 1
    Number: 1
    Type : Dynamic
    Prefix: 12:34::/48
    Preferred lifetime 100 sec, valid lifetime 200 sec
    # After DHCPv6 server is enabled on the device, display information about the dynamic DHCPv6 option group.
  • Page 283
    # Configure an IPv6 address for GigabitEthernet 2/1/1.
    <RouterB> system-view
    [RouterB] interface gigabitethernet 2/1/1
    [RouterB-GigabitEthernet2/1/1] ipv6 address 1::1 64
    # Set the O flag to 1 in RA advertisements to be sent on GigabitEthernet 2/1/1. Hosts that receive the RA advertisements will obtain information other than IPv6 address through DHCPv6.
  • Page 284 Rebind Information-request Release Decline...
  • Page 285: Configuring Ipv6 Fast Forwarding

    Configuring IPv6 fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: • Source IPv6 address. • Destination IPv6 address. •...
  • Page 286: Displaying And Maintaining Ipv6 Fast Forwarding

    Displaying and maintaining IPv6 fast forwarding
    Execute display commands in any view and reset commands in user view.
    Task: Display IPv6 fast forwarding entries (in standalone mode).
      Command: display ipv6 fast-forwarding cache [ ipv6-address ] [ slot slot-number ]
    Task: Display IPv6 fast forwarding entries (in IRF mode).
      Command: display ipv6 fast-forwarding cache [ ipv6-address ]
  • Page 287: Configuring Tunneling

    Configuring tunneling Overview Tunneling encapsulates the packets of a network protocol within the packets of a second network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source and de-encapsulated at the tunnel destination.
  • Page 288 In the IPv4 header, the source IPv4 address is the IPv4 address of the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination. Upon receiving the packet, Device B de-encapsulates the packet. If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol.
  • Page 289: Ipv4 Over Ipv4 Tunneling

    • IPv6 over IPv4 manual tunneling—A point-to-point link. This type of tunneling provides the following solutions: Connects isolated IPv6 networks over an IPv4 network. Connects an IPv6 network and an IPv4/IPv6 dual-stack host over an IPv4 network. • Automatic IPv4-compatible IPv6 tunneling—A point-to-multipoint link. Automatic IPv4-compatible IPv6 tunnels have limitations because IPv4-compatible IPv6 addresses must use globally unique IPv4 addresses.
  • Page 290: Ipv4 Over Ipv6 Tunneling

    Figure 110 IPv4 over IPv4 tunnel Figure 110 shows the encapsulation and de-encapsulation processes. • Encapsulation: a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. b. The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header.
  • Page 291 Figure 111 IPv4 over IPv6 tunnel Figure 111 shows the encapsulation and de-encapsulation processes. • Encapsulation: a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack. b. The IPv4 protocol stack uses the destination address of the packet to determine the egress interface.
  • Page 292 Figure 112 DS-Lite tunnel As shown in Figure 112, the DS-Lite feature contains the following components: Basic Bridging BroadBand (B4) element The B4 element is typically a CPE router that connects end hosts. IPv4 packets entering the B4 router are encapsulated into IPv6 packets and sent to the AFTR. IPv6 packets from the AFTR are de-encapsulated into IPv4 packets and sent to the subscriber's network.
  • Page 293 Figure 113 Packet forwarding process in DS-Lite (diagram labels: IPv4 host, DS-Lite tunnel, AFTR, IPv4 host)...
  • Page 294: Ipv6 Over Ipv6 Tunneling

    IPv6 over IPv6 tunneling IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other. Figure 114 Principle of IPv6 over IPv6 tunneling Figure 114 shows the encapsulation and de-encapsulation processes.
  • Page 295: Tunneling Configuration Task List

    Tunneling configuration task list
    Tasks at a glance
    (Required.) Configuring a tunnel interface
    Perform one of the following tasks:
    • Configuring an IPv6 over IPv4 tunnel:
      Configuring an IPv6 over IPv4 manual tunnel
      Configuring an automatic IPv4-compatible IPv6 tunnel
      Configuring a 6to4 tunnel
      Configuring an ISATAP tunnel
    •...
  • Page 296: Configuring An Ipv6 Over Ipv4 Manual Tunnel

    Step: (Optional.) Specify a backup traffic processing slot for the tunnel interface.
      Command:
      • In standalone mode: service standby slot slot-number
      • In IRF mode: service standby chassis chassis-number slot slot-number
      Remarks: By default, no backup traffic processing slot is specified for an interface.
    Step: Set the MTU of the tunnel...
  • Page 297: Configuration Example

    reaching the destination IPv6 network through the tunnel interface. You can configure the route by using one of the following methods: Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop. Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose.
  • Page 298
    Figure 115 Network diagram
    Configuration procedure
    Make sure Router A and Router B can reach each other through IPv4.
    • Configure Router A:
    # Specify an IPv4 address for GigabitEthernet 2/1/2.
    <RouterA> system-view
    [RouterA] interface gigabitethernet 2/1/2
    [RouterA-GigabitEthernet2/1/2] ip address 192.168.100.1 255.255.255.0
    [RouterA-GigabitEthernet2/1/2] quit
    # Specify an IPv6 address for GigabitEthernet 2/1/1.
  • Page 299: Configuring An Automatic Ipv4-Compatible Ipv6 Tunnel

    [RouterB-Tunnel0] ipv6 address 3001::2/64
    # Specify GigabitEthernet 2/1/2 as the source interface of the tunnel interface.
    [RouterB-Tunnel0] source gigabitethernet 2/1/2
    # Specify the destination address for the tunnel interface as the IP address of GigabitEthernet 2/1/2 on Router A.
    [RouterB-Tunnel0] destination 192.168.100.1
    [RouterB-Tunnel0] quit
    # Configure a static route destined for IPv6 network 1 through Tunnel 0.
  • Page 300: Configuration Example

    Step Command Remarks By default, no source address or source interface is configured for the tunnel interface. If you specify a source address, it Configure a source address source { ipv4-address | is used as the source IP address or source interface for the interface-type interface-number } of tunneled packets.
  • Page 301: Configuring A 6To4 Tunnel

    [RouterB] interface gigabitethernet 2/1/1
    [RouterB-GigabitEthernet2/1/1] ip address 192.168.50.1 255.255.255.0
    [RouterB-GigabitEthernet2/1/1] quit
    # Create an automatic IPv4-compatible IPv6 tunnel.
    [RouterB] interface tunnel 0 mode ipv6-ipv4 auto-tunnel
    # Specify an IPv4-compatible IPv6 address for the tunnel interface.
    [RouterB-Tunnel0] ipv6 address ::192.168.50.1/96
    # Specify GigabitEthernet 2/1/1 as the source interface of the tunnel interface.
    [RouterB-Tunnel0] source gigabitethernet 2/1/1
    Verifying the configuration
    # Use the display ipv6 interface command to display tunnel interface status on Router A and...
  • Page 302: 6To4 Tunnel Configuration Example

    Step Command Remarks By default, no source address or source interface is configured for the tunnel interface. Configure a source If you specify a source address, it address or source source { ipv4-address | is used as the source IP address interface for the tunnel interface-type interface-number } of tunneled packets.
  • Page 303
    Configuration procedure
    Make sure Router A and Router B can reach each other through IPv4.
    • Configure Router A:
    # Specify an IPv4 address for GigabitEthernet 2/1/2.
    <RouterA> system-view
    [RouterA] interface gigabitethernet 2/1/2
    [RouterA-GigabitEthernet2/1/2] ip address 2.1.1.1 24
    [RouterA-GigabitEthernet2/1/2] quit
    # Specify a 6to4 address for GigabitEthernet 2/1/1.
  • Page 304: 6To4 Relay Configuration Example

    Reply from 2002:501:101:1::2: bytes=32 time=13ms
    Reply from 2002:501:101:1::2: bytes=32 time=1ms
    Reply from 2002:501:101:1::2: bytes=32 time=1ms
    Reply from 2002:501:101:1::2: bytes=32 time<1ms
    Ping statistics for 2002:501:101:1::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 13ms, Average = 3ms
    6to4 relay configuration example
    Network requirements...
  • Page 305
    # Create the 6to4 tunnel interface Tunnel 0.
    [RouterA] interface tunnel 0 mode ipv6-ipv4 6to4
    # Specify an IPv6 address for the tunnel interface.
    [RouterA-Tunnel0] ipv6 address 2002::1/64
    # Specify GigabitEthernet 2/1/2 as the source interface of the tunnel interface.
    [RouterA-Tunnel0] source gigabitethernet 2/1/2
    [RouterA-Tunnel0] quit
    # Configure a static route to the 6to4 relay router.
  • Page 306: Configuring An Isatap Tunnel

    Configuring an ISATAP tunnel
    Follow these guidelines when you configure an ISATAP tunnel:
    • You do not need to configure a destination address for an ISATAP tunnel, because the destination IPv4 address is embedded in the ISATAP address.
    • Do not specify the same source addresses for local tunnel interfaces in the same tunnel mode.
    •...
  • Page 307
    Figure 119 Network diagram
    Configuration procedure
    • Configure the router:
    # Specify an IPv6 address for GigabitEthernet 2/1/2.
    <Router> system-view
    [Router] interface gigabitethernet 2/1/2
    [Router-GigabitEthernet2/1/2] ipv6 address 3001::1/64
    [Router-GigabitEthernet2/1/2] quit
    # Specify an IPv4 address for GigabitEthernet 2/1/1.
    [Router] interface gigabitethernet 2/1/1
    [Router-GigabitEthernet2/1/1] ip address 1.1.1.1 255.0.0.0
    [Router-GigabitEthernet2/1/1] quit
    # Create the ISATAP tunnel interface Tunnel 0.
  • Page 308
    current hop limit 128
    reachable time 42500ms (base 30000ms)
    retransmission interval 1000ms
    DAD transmits 0
    default site prefix length 48
    # Specify an IPv4 address for the ISATAP router.
    C:\>netsh interface ipv6 isatap set router 1.1.1.1
    # Display information about the ISATAP interface.
    C:\>ipv6 if 2
    Interface 2: Automatic Tunneling Pseudo-Interface
    Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}...
  • Page 309: Configuring An Ipv4 Over Ipv4 Tunnel

    Configuring an IPv4 over IPv4 tunnel
    Follow these guidelines when you configure an IPv4 over IPv4 tunnel:
    • The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.
    •...
  • Page 310: Configuration Example

    Configuration example Network requirements As shown in Figure 120, the two subnets IPv4 group 1 and IPv4 group 2 use private IPv4 addresses. Configure an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each other.
  • Page 311: Configuring An Ipv4 Over Ipv6 Manual Tunnel

    # Specify an IPv4 address for Serial 3/1/1, which is the physical interface of the tunnel. [RouterB] interface serial 3/1/1 [RouterB-Serial3/1/1] ip address 3.1.1.1 255.255.255.0 [RouterB-Serial3/1/1] quit # Create the IPv4 over IPv4 tunnel interface Tunnel 2. [RouterB] interface tunnel 2 mode ipv4-ipv4 # Specify an IPv4 address for the tunnel interface.
  • Page 312: Configuration Example

    To configure an IPv4 over IPv6 manual tunnel: Step Command Remarks Enter system view. system-view Enter IPv4 over IPv6 interface tunnel number [ mode tunnel interface view. ipv4-ipv6 ] Configure an IPv4 ip address ip-address { mask | By default, no IPv4 address is address for the tunnel mask-length } [ sub ] configured for the tunnel interface.
  • Page 313 # Specify an IPv6 address for Serial 3/1/0, which is the physical interface of the tunnel. [RouterA] interface serial 3/1/0 [RouterA-Serial3/1/0] ipv6 address 2001::1:1 64 [RouterA-Serial3/1/0] quit # Create IPv4 over IPv6 tunnel interface Tunnel 1. [RouterA] interface tunnel 1 mode ipv4-ipv6 # Specify an IPv4 address for the tunnel interface.
  • Page 314: Configuring A Ds-Lite Tunnel

    56 bytes from 30.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms 56 bytes from 30.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms 56 bytes from 30.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms --- Ping statistics for 30.1.3.1 --- 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms Configuring a DS-Lite tunnel A B4 tunnel interface can establish a tunnel with only one AFTR tunnel interface, but an AFTR tunnel interface can establish tunnels with multiple B4 tunnel interfaces.
  • Page 315 Step Command Remarks By default, no source address or interface is specified for the tunnel. If you specify a source address, it is Specify the source used as the source IPv6 address of source { ipv6-address | address or source tunneled packets.
  • Page 316: Configuration Example

    Step: Enable DS-Lite tunneling on the interface.
    Command: ds-lite enable
    Remarks: By default, DS-Lite tunneling is disabled. Only after you use this command, the AFTR can tunnel IPv4 packets from the public IPv4 network to the B4 router.
    Configuration example Network requirements As shown in Figure...
  • Page 317 [RouterA-Tunnel1] destination 2::2 [RouterA-Tunnel1] quit # Configure a static route to the public IPv4 network through the tunnel interface. [RouterA] ip route-static 20.1.1.0 255.255.255.0 tunnel 1 • Configure Router B: # Specify an IPv4 address for GigabitEthernet 2/1/1. <RouterB> system-view [RouterB] interface gigabitethernet 2/1/1 [RouterB-GigabitEthernet2/1/1] ip address 20.1.1.1 24 [RouterB-GigabitEthernet2/1/1] quit...
  • Page 318: Configuring An Ipv6 Over Ipv6 Tunnel

    Configuring an IPv6 over IPv6 tunnel Follow these guidelines when you configure an IPv6 over IPv6 tunnel: • The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device. •...
  • Page 319: Configuration Example

    Step: Return to system view.
    Command: quit
    Step: (Optional.) Enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.
    Command: tunnel discard ipv4-compatible-packet
    Remarks: By default, IPv6 packets that use IPv4-compatible IPv6 packets are not dropped.
    Configuration example Network requirements As shown in Figure 123, configure an IPv6 over IPv6 tunnel between Router A and Router B so the two networks can reach each other without disclosing their IPv6 addresses.
  • Page 320: Displaying And Maintaining Tunneling Configuration

    • Configure Router B: # Specify an IPv6 address for GigabitEthernet 2/1/1. <RouterB> system-view [RouterB] interface gigabitethernet 2/1/1 [RouterB-GigabitEthernet2/1/1] ipv6 address 2002:3::1 64 [RouterB-GigabitEthernet2/1/1] quit # Specify an IPv6 address for Serial 3/1/1, which is the physical interface of the tunnel. [RouterB] interface serial 3/1/1 [RouterB-Serial3/1/1] ipv6 address 2002::22:1 64 [RouterB-Serial3/1/1] quit...
  • Page 321: Troubleshooting Tunneling Configuration

    Task: Display information about tunnel interfaces.
    Command: display interface [ tunnel [ number ] ] [ brief [ description | down ] ]
    Task: Display IPv6 information on tunnel interfaces.
    Command: display ipv6 interface [ tunnel [ number ] ] [ brief ]
  • Page 322: Configuring Gre

    Configuring GRE Overview Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a protocol (such as IP, MPLS, or Ethernet) into a virtual point-to-point tunnel over a network (such as an IP network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.
  • Page 323: Gre Security Mechanisms

    As shown in Figure 125, an IPv6 protocol packet traverses an IPv4 network through a GRE tunnel as follows: After receiving an IPv6 packet from the interface connected to IPv6 network 1, Device A processes the packet as follows: a. Looks up the routing table to identify the outgoing interface for the IPv6 packet. b.
  • Page 324 Connecting networks running different protocols over a single backbone Figure 126 Network diagram IPv6 network 1 IPv6 network 2 Internet Device A Device B GRE tunnel IPv4 network 1 IPv4 network 2 As shown in Figure 126, IPv6 network 1 and IPv6 network 2 are IPv6 networks, and IPv4 network 1 and IPv4 network 2 are IPv4 networks.
  • Page 325: Protocols And Standards

    Constructing VPN Figure 128 Network diagram As shown in Figure 128, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. Using a GRE tunnel can connect the two VPN sites across the WAN. Operating with IPsec Figure 129 Network diagram As shown in...
  • Page 326: Configuring A Gre/Ipv4 Tunnel

    Configuring a GRE/IPv4 tunnel Perform this task to configure a GRE tunnel on an IPv4 network. Configuration guidelines Follow these guidelines when you configure a GRE/IPv4 tunnel: • You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
  • Page 327 Step Command Remarks By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a tunnel interface, the tunnel interface uses the source address Configure a source address source { ip-address | as the source address of the or source interface for the interface-type interface-number }...
  • Page 328: Configuring A Gre/Ipv6 Tunnel

    Configuring a GRE/IPv6 tunnel Perform this task to configure a GRE tunnel on an IPv6 network. Configuration guidelines Follow these guidelines when you configure a GRE/IPv6 tunnel: • You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
  • Page 329: Displaying And Maintaining Gre

    Step Command Remarks By default, no source IPv6 address or interface is configured for a tunnel interface. If you configure a source IPv6 address for a tunnel interface, the tunnel interface uses the source Configure a source IPv6 IPv6 address as the source IPv6 source { ipv6-address | address or source interface address of the encapsulated...
  • Page 330: Gre Configuration Examples

    Task Command Remarks For more information about this Display IPv6 information display ipv6 interface [ tunnel command, see Layer 3—IP about tunnel interface. [ number ] ] [ brief ] Services Command Reference. For more information about this Clear tunnel interface reset counters interface [ tunnel command, see Layer 3—IP statistics.
  • Page 331 [RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0 # Configure the source address of the tunnel interface as the IP address of interface GigabitEthernet 2/1/2 on Router B. [RouterB-Tunnel0] source 2.2.2.2 # Configure the destination address of the tunnel interface as the IP address of the interface GigabitEthernet 2/1/2 on Router A.
  • Page 332: Configuring An Ipv4 Over Ipv6 Gre Tunnel

    Checksumming of GRE packets disabled Output queue - Urgent queuing: Size/Length/Discards 0/100/0 Output queue - Protocol queuing: Size/Length/Discards 0/500/0 Output queue - FIFO queuing: Size/Length/Discards 0/75/0 Last clearing of counters: Never Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec Input: 0 packets, 0 bytes, 0 drops Output: 0 packets, 0 bytes, 0 drops...
  • Page 333 [RouterA-Tunnel0] source 2002::1:1 # Configure the destination address of the tunnel interface as the IP address of interface GigabitEthernet 2/1/2 on Router B. [RouterA-Tunnel0] destination 2001::2:1 [RouterA-Tunnel0] quit # Configure a static route from Router A through the tunnel interface to Group 2. [RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 0 Configure Router B: # Create a tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv6.
  • Page 334: Troubleshooting Gre

    Tunnel0 Current state: UP Line protocol state: UP Description: Tunnel0 Interface Bandwidth: 64kbps Maximum transmission unit: 1456 Internet address: 10.1.2.2/24 (primary) Tunnel source 2002::2:1, destination 2001::1:1 Tunnel TTL 255 Tunnel protocol/transport GRE/IPv6 GRE key disabled Checksumming of GRE packets disabled Output queue - Urgent queuing: Size/Length/Discards 0/100/0 Output queue - Protocol queuing: Size/Length/Discards 0/500/0 Output queue - FIFO queuing: Size/Length/Discards 0/75/0...
  • Page 335: Symptom

    Figure 132 Network diagram Symptom The interfaces at both ends of the tunnel are configured correctly and can ping each other, but Host A and Host B cannot ping each other. Analysis Device A or Device C might have no route to reach the peer network. Solution Execute the display ip routing-table command on Device A and Device C to check whether Device A has a route over tunnel 0 to 10.2.0.0/16 and whether Device C has a route over tunnel...
  • Page 336: Configuring Advpn

    Configuring ADVPN Overview Auto Discovery Virtual Private Network (ADVPN) enables enterprise branches that use dynamic public addresses to establish a VPN network. ADVPN uses the VPN Address Management (VAM) protocol to collect, maintain, and distribute dynamic public addresses. VAM uses the client/server model. All VAM clients register their public addresses on the VAM server. A VAM client obtains the public addresses of other clients from the server to establish ADVPN tunnels.
  • Page 337 • Hub-spoke—In a hub-spoke ADVPN, spokes communicate with each other through the hub. The hub acts as both the route exchange center and data forwarding center. As shown in Figure 134, each spoke establishes a permanent tunnel to the hub. Spokes communicate with each other through the hub.
  • Page 338: How Advpn Operates

    Figure 135 Hub-group ADVPN Tunnel 2 Hub3 Group 0 Hub1 Tunnel 2 Tunnel 2 Hub2 VAM server Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Spoke1 Group 1 Spoke2 Group 2 Spoke4 Spoke3 Site 1 Site 5 Site 6 Site 2...
  • Page 339 The server and the client exchange negotiation acknowledgment packets protected by using the keys. The server and the client use the keys to protect subsequent packets if they can restore the protected negotiation acknowledgment packets. If they cannot restore the packets, the negotiation fails. Figure 136 Connection initialization process Registration Figure 137...
  • Page 340 To establish a hub-hub tunnel: The hub checks whether a tunnel to each peer hub exists. If not, the hub sends a tunnel establishment request to the peer hub. To establish a spoke-spoke tunnel: In a full-mesh network, when a spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server.
  • Page 341: Nat Traversal

    the destination address. If the route to the remote private network is learned by using both methods, the route with a lower preference is used. NAT traversal An ADVPN tunnel can traverse a NAT gateway. • If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established through the NAT gateway.
  • Page 342: Configuring Aaa

    Tasks at a glance (Optional.) Configuring IPsec for ADVPN tunnels Configuring AAA The VAM server can use AAA to authenticate clients. Clients passing AAA authentication can access the ADVPN domain. For information about AAA configuration, see Security Configuration Guide. Configuring the VAM server Tasks at a glance (Required.) Creating an ADVPN domain...
  • Page 343: Configuring A Pre-Shared Key For The Vam Server

    Configuring a pre-shared key for the VAM server The pre-shared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed. The VAM server must have the same pre-shared key as the clients in the same ADVPN domain.
  • Page 344 Step Command Remarks Enter system view. system-view vam server advpn-domain Enter ADVPN domain view. domain-name [ id domain-id ] Enter hub group view. hub-group group-name • Configure a hub private IPv4 address: hub private-address private-ip-address [ public-address { public-ip-address | public-ipv6-address } Use either command.
  • Page 345: Setting The Port Number Of The Vam Server

    Step Command Remarks Enter system view. system-view vam server advpn-domain Enter ADVPN domain view. domain-name [ id domain-id ] Enter hub group view. hub-group group-name • Specify an ACL to control establishing IPv4 spoke-to-spoke tunnels: shortcut interest { acl { acl-number Use either command.
  • Page 346: Configuring An Authentication Method

    Step: Specify encryption algorithms.
    Command: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } *
    Remarks: The default encryption algorithms are AES-CBC-256, AES-CBC-192, AES-CBC-128, AES-CTR-256, AES-CTR-192, AES-CTR-128, 3DES-CBC, and DES-CBC in descending order of priority.
  • Page 347: Setting The Retry Timer

    Step: Configure keepalive parameters.
    Command: keepalive interval interval retry retries
    Remarks: By default, the keepalive interval is 180 seconds, and the maximum number of keepalive retries is 3.
    Setting the retry timer The VAM server starts the retry timer after it sends a request to a client. If the server does not receive a response from the client before the retry timer expires, the server resends the request.
  • Page 348: Enabling Vam Clients

    Enabling VAM clients Step Command Remarks Enter system view. system-view • Enable one or all VAM clients: vam client enable [ name Use either method. client-name ] Enable VAM clients. • By default, no VAM client is Enable a VAM client: enabled.
  • Page 349: Setting The Retry Interval And Retry Number For A Vam Client

    All VAM clients and the VAM server in an ADVPN domain must have the same pre-shared key. If they have different pre-shared keys, the decryption and authentication will fail, and they cannot establish any connection. To configure a pre-shared key for a VAM client: Step Command Remarks...
  • Page 350: Configuring An Advpn Tunnel Interface

    Step: Enter system view.
    Command: system-view
    Step: Enter VAM client view.
    Command: vam client name client-name
    Step: Configure a username and password for the client.
    Command: user username password { cipher | simple } string
    Remarks: By default, no username and password is configured for the client.
  • Page 351 Step Command Remarks By default, the source UDP port number of ADVPN packets is 18001. This command is available when (Optional.) Set the source the tunnel mode is UDP. UDP port number of ADVPN advpn source-port port-number If the vam client command packets.
  • Page 352: Configuring Routing

    Step: 13. (Optional.) Configure a mapping between an ADVPN group and a QoS policy.
    Command: advpn map group group-name qos-policy policy-name outbound
    Remarks: By default, no ADVPN group-to-QoS policy mappings are configured. Perform this configuration on the hub.
    For more information about tunnel interface configurations and commands, see Layer 3—IP Services Configuration Guide and Layer 3—IP Services Command Reference.
  • Page 353 Task Command Display IPv6 private-to-public address display vam server ipv6 address-map [ advpn-domain mapping information for VAM clients domain-name [ private-address private-ipv6-address ] ] [ verbose ] registered with the VAM server. Display IPv4 private networks for VAM display vam server private-network [ advpn-domain clients registered with the VAM server.
  • Page 354: Advpn Configuration Examples

    ADVPN configuration examples IPv4 full-mesh ADVPN configuration example Network requirements As shown in Figure 139, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.
  • Page 355 <PrimaryServer> system-view [PrimaryServer] radius scheme abc [PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812 [PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813 [PrimaryServer-radius-abc] key authentication simple 123 [PrimaryServer-radius-abc] key accounting simple 123 [PrimaryServer-radius-abc] user-name-format without-domain [PrimaryServer-radius-abc] quit [PrimaryServer] radius session-control enable # Configure AAA methods for ISP domain abc. [PrimaryServer] domain abc [PrimaryServer-isp-abc] authentication advpn radius-scheme abc [PrimaryServer-isp-abc] accounting advpn radius-scheme abc...
  • Page 356 [Hub1-vam-client-Hub1] pre-shared-key simple 123456 # Set both the username and password to hub1. [Hub1-vam-client-Hub1] user hub1 password simple hub1 # Specify the primary and secondary VAM servers. [Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11 [Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Hub1-vam-client-Hub1] client enable [Hub1-vam-client-Hub1] quit Configure an IPsec profile:...
  • Page 357 # Specify ADVPN domain abc for the VAM client. [Hub2-vam-client-Hub2] advpn-domain abc # Set the pre-shared key to 123456. [Hub2-vam-client-Hub2] pre-shared-key simple 123456 # Set both the username and password to hub2. [Hub2-vam-client-Hub2] user hub2 password simple hub2 # Specify the primary and secondary VAM servers. [Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11 [Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12 # Enable the VAM client.
  • Page 358 # Create VAM client Spoke1. <Spoke1> system-view [Spoke1] vam client name Spoke1 # Specify ADVPN domain abc for the VAM client. [Spoke1-vam-client-Spoke1] advpn-domain abc # Set the pre-shared key to 123456. [Spoke1-vam-client-Spoke1] pre-shared-key simple 123456 # Set both the username and password to spoke1. [Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1 # Specify the primary and secondary VAM servers.
  • Page 359 [Spoke1-Tunnel1] tunnel protection ipsec profile abc [Spoke1-Tunnel1] quit Configuring Spoke 2 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke2. <Spoke2> system-view [Spoke2] vam client name Spoke2 # Specify ADVPN domain abc for the VAM client. [Spoke2-vam-client-Spoke2] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 360 [Spoke2] interface tunnel1 mode advpn gre [Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0 [Spoke2-Tunnel1] vam client Spoke2 [Spoke2-Tunnel1] ospf network-type broadcast [Spoke2-Tunnel1] ospf dr-priority 0 [Spoke2-Tunnel1] source gigabitethernet 2/1/1 [Spoke2-Tunnel1] tunnel protection ipsec profile abc [Spoke2-Tunnel1] quit Verifying the configuration # Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.
  • Page 361: Ipv6 Full-Mesh Advpn Configuration Example

    The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2. # Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2. [Spoke1] ping 192.168.0.4 Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break 56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms 56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms 56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms...
  • Page 362 Figure 140 Network diagram Table 12 Interface and IP address assignment Device Interface IP address Device Interface IP address Hub 1 GE2/1/1 1::1/64 Spoke 1 GE2/1/1 1::3/64 Tunnel1 192:168::1/64 GE2/1/2 192:168:1::1/64 Hub 2 GE2/1/1 1::2/64 Tunnel1 192:168::3/64 Tunnel1 192:168::2/64 Spoke 2 GE2/1/1 1::4/64 AAA server...
  • Page 363 [PrimaryServer-isp-abc] quit [PrimaryServer] domain default enable abc Configure the VAM server: # Create ADVPN domain abc. [PrimaryServer] vam server advpn-domain abc id 1 # Create hub group 0. [PrimaryServer-vam-server-domain-abc] hub-group 0 # Specify hub private IPv6 addresses. [PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1 [PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2...
  • Page 364 [Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Hub1-ike-keychain-abc] quit [Hub1] ike profile abc [Hub1-ike-profile-abc] keychain abc [Hub1-ike-profile-abc] quit # Configure the IPsec profile. [Hub1] ipsec transform-set abc [Hub1-ipsec-transform-set-abc] encapsulation-mode transport [Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Hub1-ipsec-transform-set-abc] quit [Hub1] ipsec profile abc isakmp [Hub1-ipsec-profile-isakmp-abc] transform-set abc...
  • Page 365 [Hub2-vam-client-Hub2] client enable [Hub2-vam-client-Hub2] quit Configure an IPsec profile: # Configure IKE. [Hub2] ike keychain abc [Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Hub2-ike-keychain-abc] quit [Hub2] ike profile abc [Hub2-ike-profile-abc] keychain abc [Hub2-ike-profile-abc] quit # Configure the IPsec profile. [Hub2] ipsec transform-set abc [Hub2-ipsec-transform-set-abc] encapsulation-mode transport [Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc...
  • Page 366 [Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1 # Specify the primary and secondary VAM servers. [Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11 [Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Spoke1-vam-client-Spoke1] client enable [Spoke1-vam-client-Spoke1] quit Configure an IPsec profile: # Configure IKE. [Spoke1] ike keychain abc [Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Spoke1-ike-keychain-abc] quit...
  • Page 367 <Spoke2> system-view [Spoke2] vam client name Spoke2 # Specify ADVPN domain abc for the VAM client. [Spoke2-vam-client-Spoke2] advpn-domain abc # Set the pre-shared key to 123456. [Spoke2-vam-client-Spoke2] pre-shared-key simple 123456 # Set both the username and password to spoke2. [Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2 # Specify the primary and secondary VAM servers.
  • Page 368 [Spoke2-Tunnel1] tunnel protection ipsec profile abc [Spoke2-Tunnel1] quit Verifying the configuration # Display IPv6 address mapping information for all VAM clients registered with the primary VAM server. [PrimaryServer] display vam server ipv6 address-map ADVPN domain name: abc Total private address mappings: 4 Group Private address Public address...
  • Page 369: Ipv4 Hub-Spoke Advpn Configuration Example

    56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms 56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms 56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms --- Ping6 statistics for 192:168::4 --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms # Display IPv6 ADVPN tunnel information on Spokes.
  • Page 370 Table 13 Interface and IP address assignment Device Interface IP address Device Interface IP address Hub 1 GE2/1/1 1.0.0.1/24 Spoke 1 GE2/1/1 1.0.0.3/24 Tunnel1 192.168.0.1/24 GE2/1/2 192.168.1.1/24 Hub 2 GE2/1/1 1.0.0.2/24 Tunnel1 192.168.0.3/24 Tunnel1 192.168.0.2/24 Spoke 2 GE2/1/1 1.0.0.4/24 AAA server 1.0.0.10/24 GE2/1/2 192.168.2.1/24...
  • Page 371 [PrimaryServer-vam-server-domain-abc] authentication-method chap # Enable the VAM server for the ADVPN domain. [PrimaryServer-vam-server-domain-abc] server enable [PrimaryServer-vam-server-domain-abc] quit Configuring the secondary VAM server # Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.) Configuring Hub 1 Configure IP addresses for the interfaces.
  • Page 372 [Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Hub1-ospf-1-area-0.0.0.0] quit [Hub1-ospf-1] quit Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1. [Hub1] interface tunnel1 mode advpn gre [Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0 [Hub1-Tunnel1] vam client Hub1 [Hub1-Tunnel1] ospf network-type p2mp [Hub1-Tunnel1] source gigabitethernet 2/1/1 [Hub1-Tunnel1] tunnel protection ipsec profile abc [Hub1-Tunnel1] quit Configuring Hub 2 Configure IP addresses for the interfaces.
  • Page 373 Configure OSPF to advertise the private network. [Hub2] ospf 1 [Hub2-ospf-1] area 0 [Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Hub2-ospf-1-area-0.0.0.0] quit [Hub2-ospf-1] quit Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1. [Hub2] interface tunnel1 mode advpn gre [Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0 [Hub2-Tunnel1] vam client Hub2 [Hub2-Tunnel1] ospf network-type p2mp [Hub2-Tunnel1] source gigabitethernet 2/1/1 [Hub2-Tunnel1] tunnel protection ipsec profile abc...
  • Page 374 [Spoke1-ipsec-profile-isakmp-abc] transform-set abc [Spoke1-ipsec-profile-isakmp-abc] ike-profile abc [Spoke1-ipsec-profile-isakmp-abc] quit Configure OSPF to advertise private networks. [Spoke1] ospf 1 [Spoke1-ospf-1] area 0 [Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [Spoke1-ospf-1-area-0.0.0.0] quit [Spoke1-ospf-1] quit Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1. [Spoke1] interface tunnel1 mode advpn gre [Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0 [Spoke1-Tunnel1] vam client Spoke1 [Spoke1-Tunnel1] ospf network-type p2mp...
  • Page 375 [Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Spoke2-ipsec-transform-set-abc] quit [Spoke2] ipsec profile abc isakmp [Spoke2-ipsec-profile-isakmp-abc] transform-set abc [Spoke2-ipsec-profile-isakmp-abc] ike-profile abc [Spoke2-ipsec-profile-isakmp-abc] quit Configure OSPF to advertise private networks. [Spoke2] ospf 1 [Spoke2-ospf-1] area 0 [Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255 [Spoke2-ospf-1-area-0.0.0.0] quit [Spoke2-ospf-1] quit Configure GRE-mode IPv4 ADVPN tunnel interface tunnel1.
  • Page 376: Ipv6 Hub-Spoke Advpn Configuration Example

    Interface : Tunnel1 Number of sessions: 3 Private address Public address Port Type State Holding time 192.168.0.2 1.0.0.2 Success 0H 46M 192.168.0.3 1.0.0.3 Success 0H 27M 27S 192.168.0.4 1.0.0.4 Success 0H 18M 18S The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2. # Display IPv4 ADVPN tunnel information on Spokes.
  • Page 377 Figure 142 Network diagram Table 14 Interface and IP address assignment Device Interface IP address Device Interface IP address Hub 1 GE2/1/1 1::1/64 Spoke 1 GE2/1/1 1::3/64 Tunnel1 192:168::1/64 GE2/1/2 192:168:1::1/64 Hub 2 GE2/1/1 1::2/64 Tunnel1 192:168::3/64 Tunnel1 192:168::2/64 Spoke 2 GE2/1/1 1::4/64 AAA server...
  • Page 378 [PrimaryServer-isp-abc] authentication advpn radius-scheme abc [PrimaryServer-isp-abc] accounting advpn radius-scheme abc [PrimaryServer-isp-abc] quit [PrimaryServer] domain default enable abc Configure the VAM server: # Create ADVPN domain abc. [PrimaryServer] vam server advpn-domain abc id 1 # Create hub group 0. [PrimaryServer-vam-server-domain-abc] hub-group 0 # Specify hub private IPv6 addresses.
  • Page 379 Configure an IPsec profile: # Configure IKE. [Hub1] ike keychain abc [Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Hub1-ike-keychain-abc] quit [Hub1] ike profile abc [Hub1-ike-profile-abc] keychain abc [Hub1-ike-profile-abc] quit # Configure the IPsec profile. [Hub1] ipsec transform-set abc [Hub1-ipsec-transform-set-abc] encapsulation-mode transport [Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1...
  • Page 380 [Hub2-vam-client-Hub2] server primary ipv6-address 1::11 [Hub2-vam-client-Hub2] server secondary ipv6-address 1::12 # Enable the VAM client. [Hub2-vam-client-Hub2] client enable [Hub2-vam-client-Hub2] quit Configure an IPsec profile: # Configure IKE. [Hub2] ike keychain abc [Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Hub2-ike-keychain-abc] quit [Hub2] ike profile abc [Hub2-ike-profile-abc] keychain abc...
  • Page 381 # Set the pre-shared key to 123456. [Spoke1-vam-client-Spoke1] pre-shared-key simple 123456 # Set both the username and password to spoke1. [Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1 # Specify the primary and secondary VAM servers. [Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11 [Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12 # Enable the VAM client.
  • Page 382 # Create VAM client Spoke2. <Spoke2> system-view [Spoke2] vam client name Spoke2 # Specify ADVPN domain abc for the VAM client. [Spoke2-vam-client-Spoke2] advpn-domain abc # Set the pre-shared key to 123456. [Spoke2-vam-client-Spoke2] pre-shared-key simple 123456 # Set both the username and password to spoke2. [Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2 # Specify the primary and secondary VAM servers.
  • Page 383 [Spoke2-Tunnel1] tunnel protection ipsec profile abc [Spoke2-Tunnel1] quit Verifying the configuration # Display IPv6 address mapping information for all VAM clients registered with the primary VAM server. [PrimaryServer] display vam server ipv6 address-map ADVPN domain name: abc Total private address mappings: 4 Group Private address Public address...
  • Page 384: Ipv4 Multi-Hub-Group Advpn Configuration Example

    56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms 56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms 56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms --- Ping6 statistics for 192:168::4 --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms IPv4 multi-hub-group ADVPN configuration example Network requirements As shown in...
  • Page 385 Table 15 Interface and IP address assignment Device Interface IP address Device Interface IP address Hub 1 GE2/1/1 1.0.0.1/24 Spoke 1 GE2/1/1 1.0.0.4/24 Tunnel1 192.168.1.1/24 GE2/1/2 192.168.10.1/24 Tunnel2 192.168.0.1/24 Tunnel1 192.168.1.3/24 Hub 2 GE2/1/1 1.0.0.2/24 Spoke 2 GE2/1/1 1.0.0.5/24 Tunnel1 192.168.1.2/24 GE2/1/2 192.168.20.1/24...
  • Page 386 [PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2 [PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3 [PrimaryServer-vam-server-domain-abc-hub-group-0] quit # Create hub group 1. [PrimaryServer-vam-server-domain-abc] hub-group 1 # Specify hub private IPv4 addresses. [PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.1 [PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.2 # Specify a spoke private IPv4 network. [PrimaryServer-vam-server-domain-abc-hub-group-1] spoke private-address network 192.168.1.0 255.255.255.0 # Allow establishing direct spoke-spoke tunnels.
  • Page 387 # Specify the primary and secondary VAM servers. [Hub1-vam-client-Hub1Group0] server primary ip-address 1.0.0.11 [Hub1-vam-client-Hub1Group0] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Hub1-vam-client-Hub1Group0] client enable [Hub1-vam-client-Hub1Group0] quit # Create VAM client Hub1Group1. [Hub1] vam client name Hub1Group1 # Specify ADVPN domain abc for the VAM client. [Hub1-vam-client-Hub1Group1] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 388 Configure ADVPN tunnels: # Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. [Hub1] interface tunnel1 mode advpn udp [Hub1-Tunnel1] ip address 192.168.1.1 255.255.255.0 [Hub1-Tunnel1] vam client Hub1Group1 [Hub1-Tunnel1] ospf network-type broadcast [Hub1-Tunnel1] source gigabitethernet 2/1/1 [Hub1-Tunnel1] tunnel protection ipsec profile abc [Hub1-Tunnel1] quit # Configure UDP-mode IPv4 ADVPN tunnel interface tunnel2.
  • Page 389 # Enable the VAM client. [Hub2-vam-client-Hub2Group1] client enable [Hub2-vam-client-Hub2Group1] quit Configure an IPsec profile: # Configure IKE. [Hub2] ike keychain abc [Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456 [Hub2-ike-keychain-abc] quit [Hub2] ike profile abc [Hub2-ike-profile-abc] keychain abc [Hub2-ike-profile-abc] quit # Configure the IPsec profile.
  • Page 390 Configuring Hub 3 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Hub3Group0. <Hub3> system-view [Hub3] vam client name Hub3Group0 # Specify ADVPN domain abc for the VAM client. [Hub3-vam-client-Hub3Group0] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 391 [Hub3] ipsec profile abc isakmp [Hub3-ipsec-profile-isakmp-abc] transform-set abc [Hub3-ipsec-profile-isakmp-abc] ike-profile abc [Hub3-ipsec-profile-isakmp-abc] quit Configure OSPF to advertise private networks. [Hub3] ospf 1 [Hub3-ospf-1] area 0 [Hub3-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Hub3-ospf-1-area-0.0.0.0] quit [Hub3-ospf-1] area 2 [Hub3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255 [Hub3-ospf-1-area-0.0.0.2] quit [Hub3-ospf-1] quit Configure ADVPN tunnels: # Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1.
  • Page 392 [Spoke1-vam-client-Spoke1] quit Configure an IPsec profile: # Configure IKE. [Spoke1] ike keychain abc [Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456 [Spoke1-ike-keychain-abc] quit [Spoke1] ike profile abc [Spoke1-ike-profile-abc] keychain abc [Spoke1-ike-profile-abc] quit # Configure the IPsec profile. [Spoke1] ipsec transform-set abc [Spoke1-ipsec-transform-set-abc] encapsulation-mode transport [Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1...
  • Page 393 # Set both the username and password to spoke2. [Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2 # Specify the primary and secondary VAM servers. [Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11 [Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12 # Enable the VAM client. [Spoke2-vam-client-Spoke2] client enable [Spoke2-vam-client-Spoke2] quit Configure an IPsec profile: # Configure IKE.
  • Page 394 Configuring Spoke 3 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke3. <Spoke3> system-view [Spoke3] vam client name Spoke3 # Specify ADVPN domain abc for the VAM client. [Spoke3-vam-client-Spoke3] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 395 [Spoke3-Tunnel1] vam client Spoke3 [Spoke3-Tunnel1] ospf network-type broadcast [Spoke3-Tunnel1] ospf dr-priority 0 [Spoke3-Tunnel1] advpn network 192.168.40.0 255.255.255.0 [Spoke3-Tunnel1] source gigabitethernet 2/1/1 [Spoke3-Tunnel1] tunnel protection ipsec profile abc [Spoke3-Tunnel1] quit Configuring Spoke 4 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke4.
  • Page 396 [Spoke4-ospf-1-area-0.0.0.2] network 192.168.50.0 0.0.0.255 [Spoke4-ospf-1-area-0.0.0.2] network 192.168.60.0 0.0.0.255 [Spoke4-ospf-1-area-0.0.0.2] quit [Spoke4-ospf-1] quit Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 4 will not participate in DR/BDR election. [Spoke4] interface tunnel1 mode advpn udp [Spoke4-Tunnel1] ip address 192.168.2.3 255.255.255.0 [Spoke4-Tunnel1] vam client Spoke4 [Spoke4-Tunnel1] ospf network-type broadcast...
  • Page 397: Ipv6 Multi-Hub-Group Advpn Configuration Example

    192.168.2.3 1.0.0.7 Spoke 0H 25M 31S The output shows that Hub 1, Hub 2, Hub 3, Spoke 1, Spoke 2, Spoke 3, and Spoke 4 all have registered their address mapping information with the VAM servers. # Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1. [Hub1] display advpn session Interface : Tunnel1...
  • Page 398 • Allow any two spokes to establish a direct spoke-spoke tunnel. Figure 144 Network diagram Tunnel 2 Hub3 Hub1 Tunnel 2 Tunnel 2 Group 0 Hub2 GE2/1/1 GE2/1/1 GE2/1/1 Tunnel 1 Tunnel 1 Tunnel 1 AAA server GE2/1/1 Primary server GE2/1/1 Tunnel 1 GE2/1/1...
  • Page 399 Configure AAA: # Configure RADIUS scheme abc. <PrimaryServer> system-view [PrimaryServer] radius scheme abc [PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812 [PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813 [PrimaryServer-radius-abc] key authentication simple 123 [PrimaryServer-radius-abc] key accounting simple 123 [PrimaryServer-radius-abc] user-name-format without-domain [PrimaryServer-radius-abc] quit [PrimaryServer] radius session-control enable # Configure AAA methods for ISP domain abc.
  • Page 400 # Specify a spoke private IPv6 network. [PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64 [PrimaryServer-vam-server-domain-abc-hub-group-2] quit # Set the pre-shared key to 123456. [PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456 # Set the authentication mode to CHAP. [PrimaryServer-vam-server-domain-abc] authentication-method chap # Enable the VAM server for the ADVPN domain. [PrimaryServer-vam-server-domain-abc] server enable [PrimaryServer-vam-server-domain-abc] quit Configuring the secondary VAM server...
  • Page 401 Configure an IPsec profile: # Configure IKE. [Hub1] ike keychain abc [Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Hub1-ike-keychain-abc] quit [Hub1] ike profile abc [Hub1-ike-profile-abc] keychain abc [Hub1-ike-profile-abc] quit # Configure the IPsec profile. [Hub1] ipsec transform-set abc [Hub1-ipsec-transform-set-abc] encapsulation-mode transport [Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1...
  • Page 402 Configuring Hub 2 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Hub2Group0. <Hub2> system-view [Hub2] vam client name Hub2Group0 # Specify ADVPN domain abc for the VAM client. [Hub2-vam-client-Hub2Group0] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 403 [Hub2] ipsec profile abc isakmp [Hub2-ipsec-profile-isakmp-abc] transform-set abc [Hub2-ipsec-profile-isakmp-abc] ike-profile abc [Hub2-ipsec-profile-isakmp-abc] quit Configure OSPFv3. [Hub2] ospf 1 [Hub2-ospf-1] area 0 [Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Hub2-ospf-1-area-0.0.0.0] quit [Hub2-ospf-1] area 1 [Hub2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 [Hub2-ospf-1-area-0.0.0.1] quit [Hub2-ospf-1] quit Configure ADVPN tunnels: # Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1.
  • Page 404 [Hub3-vam-client-Hub3Group0] server primary ipv6-address 1::11 [Hub3-vam-client-Hub3Group0] server secondary ipv6-address 1::12 # Enable the VAM client. [Hub3-vam-client-Hub3Group0] client enable [Hub3-vam-client-Hub3Group0] quit # Create VAM client Hub3Group1. [Hub3] vam client name Hub3Group1 # Specify ADVPN domain abc for the VAM client. [Hub3-vam-client-Hub3Group1] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 405 [Hub3] interface tunnel1 mode advpn udp ipv6 [Hub3-Tunnel1] ipv6 address 192:168:2::1 64 [Hub3-Tunnel1] ipv6 address fe80::2:1 link-local [Hub3-Tunnel1] vam ipv6 client Hub3Group1 [Hub3-Tunnel1] ospfv3 1 area 2 [Hub3-Tunnel1] ospfv3 network-type broadcast [Hub3-Tunnel1] source gigabitethernet 2/1/1 [Hub3-Tunnel1] tunnel protection ipsec profile abc [Hub3-Tunnel1] quit # Configure UDP-mode IPv6 ADVPN tunnel interface tunnel2.
  • Page 406 [Spoke1-ipsec-transform-set-abc] encapsulation-mode transport [Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc [Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1 [Spoke1-ipsec-transform-set-abc] quit [Spoke1] ipsec profile abc isakmp [Spoke1-ipsec-profile-isakmp-abc] transform-set abc [Spoke1-ipsec-profile-isakmp-abc] ike-profile abc [Spoke1-ipsec-profile-isakmp-abc] quit Configure OSPFv3. [Spoke1] ospfv3 1 [Spoke1-ospfv3-1] router-id 0.0.0.4 [Spoke1-ospfv3-1] area 0 [Spoke1-ospfv3-1-area-0.0.0.0] quit [Spoke1-ospfv3-1] area 1 [Spoke1-ospfv3-1-area-0.0.0.1] quit [Spoke1-ospfv3-1] quit [Spoke1] interface gigabitethernet 2/1/2...
  • Page 407 # Enable the VAM client. [Spoke2-vam-client-Spoke2] client enable [Spoke2-vam-client-Spoke2] quit Configure an IPsec profile: # Configure IKE. [Spoke2] ike keychain abc [Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456 [Spoke2-ike-keychain-abc] quit [Spoke2] ike profile abc [Spoke2-ike-profile-abc] keychain abc [Spoke2-ike-profile-abc] quit # Configure the IPsec profile.
  • Page 408 [Spoke2-Tunnel1] quit Configuring Spoke 3 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Spoke3. <Spoke3> system-view [Spoke3] vam client name Spoke3 # Specify ADVPN domain abc for the VAM client. [Spoke3-vam-client-Spoke3] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 409 [Spoke3-GigabitEthernet2/1/2] quit Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 3 will not participate in DR/BDR election. [Spoke3] interface tunnel1 mode advpn udp ipv6 [Spoke3-Tunnel1] ipv6 address 192:168:2::2 64 [Spoke3-Tunnel1] ipv6 address fe80::2:2 link-local [Spoke3-Tunnel1] vam ipv6 client Spoke3 [Spoke3-Tunnel1] ospfv3 1 area 2 [Spoke3-Tunnel1] ospfv3 network-type broadcast...
  • Page 410 [Spoke4-ipsec-profile-isakmp-abc] transform-set abc [Spoke4-ipsec-profile-isakmp-abc] ike-profile abc [Spoke4-ipsec-profile-isakmp-abc] quit Configure OSPFv3. [Spoke4] ospfv3 1 [Spoke4-ospfv3-1] router-id 0.0.0.7 [Spoke4-ospfv3-1] area 0 [Spoke4-ospfv3-1-area-0.0.0.0] quit [Spoke4-ospfv3-1] area 2 [Spoke4-ospfv3-1-area-0.0.0.2] quit [Spoke4-ospfv3-1] quit [Spoke4] interface gigabitethernet 2/1/2 [Spoke4-GigabitEthernet2/1/2] ospfv3 1 area 2 [Spoke4-GigabitEthernet2/1/2] quit [Spoke4] interface gigabitethernet 2/1/3 [Spoke4-GigabitEthernet2/1/3] ospfv3 1 area 2 [Spoke4-GigabitEthernet2/1/3] quit Configure UDP-mode IPv6 ADVPN tunnel interface tunnel1.
  • Page 411 # Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server. [SecondaryServer] display vam server ipv6 address-map ADVPN domain name: abc Total private address mappings: 10 Group Private address Public address Type Holding time 192:168::1 1::1 0H 52M 192:168::2...
  • Page 412: Ipv4 Full-Mesh Nat Traversal Advpn Configuration Example

    The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3. IPv4 full-mesh NAT traversal ADVPN configuration example Network requirements As shown in Figure 145, all the VAM servers and VAM clients reside behind a NAT gateway. The primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes.
  • Page 413 Device Interface IP address Device Interface IP address GE2/1/2 10.0.0.1/24 GE2/1/2 10.0.0.1/24 NAT3 GE2/1/1 1.0.0.3/24 AAA server 10.0.0.2/24 GE2/1/2 10.0.0.1/24 Primary server GE2/1/1 10.0.0.3/24 Secondary GE2/1/1 10.0.0.4/24 server Configuring the primary VAM server Configure IP addresses for the interfaces. (Details not shown.) Configure AAA: # Configure RADIUS scheme abc.
  • Page 414 [PrimaryServer-vam-server-domain-abc] authentication-method chap # Set the keepalive interval to 10 seconds and the maximum number of keepalive retries to 3. [PrimaryServer-vam-server-domain-abc] keepalive interval 10 retry 3 # Enable the VAM server for the ADVPN domain. [PrimaryServer-vam-server-domain-abc] server enable [PrimaryServer-vam-server-domain-abc] quit # Configure a default route.
  • Page 415 [Hub1-Tunnel1] source gigabitethernet 2/1/1 [Hub1-Tunnel1] quit Configuring Hub 2 Configure IP addresses for the interfaces. (Details not shown.) Configure the VAM client: # Create VAM client Hub2. <Hub2> system-view [Hub2] vam client name Hub2 # Specify ADVPN domain abc for the VAM client. [Hub2-vam-client-Hub2] advpn-domain abc # Set the pre-shared key to 123456.
  • Page 416 # Set both the username and password to spoke1. [Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1 # Specify the primary and secondary VAM servers. [Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.4 port 4001 [Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.4 port 4002 # Enable the VAM client. [Spoke1-vam-client-Spoke1] client enable [Spoke1-vam-client-Spoke1] quit Configure OSPF:...
  • Page 417 [Spoke2] ospf 1 [Spoke2-ospf-1] area 0 [Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 [Spoke2-ospf-1-area-0.0.0.0] quit [Spoke2-ospf-1] quit # Configure a default route. [Spoke2] ip route-static 0.0.0.0 0 10.0.0.1 Configure UDP-mode IPv4 ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke 2 will not participate in DR/BDR election. [Spoke2] interface tunnel1 mode advpn udp [Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0 [Spoke2-Tunnel1] vam client Spoke2...
  • Page 418 [NAT2-acl-ipv4-basic-2000] quit # Create address group 1. [NAT2] nat address-group 1 # Add address 1.0.0.2 into the group. [NAT2-nat-address-group-1] address 1.0.0.2 1.0.0.2 [NAT2-nat-address-group-1] quit # Configure NAT on GigabitEthernet 2/1/1. [NAT2] interface gigabitethernet 2/1/1 [NAT2-GigabitEthernet2/1/1] nat outbound 2000 address-group 1 [NAT2-GigabitEthernet2/1/1] quit # Configure EIM for PAT to translate the source address and source port of packets matching ACL 2000 from the same address and port to the same source public address and port.
  • Page 419 192.168.0.1 1.0.0.1 0H 52M 192.168.0.2 1.0.0.1 0H 47M 31S 192.168.0.3 1.0.0.2 Spoke 0H 28M 25S 192.168.0.4 1.0.0.3 Spoke 0H 19M 15S The output shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.
  • Page 420: Configuring Aft

    Configuring AFT Overview Address Family Translation (AFT) translates an IP address of one address family into an IP address of the other address family. It enables an IPv4 network and an IPv6 network to communicate with each other, as shown in Figure 146.
  • Page 421: Prefix Translation

    When an IPv6 host first initiates a connection to the IPv4 network, AFT creates a mapping from the host's IPv6 address to an IPv4 address and a port block. It translates the IPv6 address to the IPv4 address, and the source ports to ports in the port block for subsequent connections from the IPv6 host until the ports in the port block are exhausted.
  • Page 422: Aft Internal Server

    General prefix translation A general prefix is an IPv6 address prefix used to construct an IPv6 address representing an IPv4 node in an IPv6 network. The length of a general prefix can be 32, 40, 48, 56, 64, or 96. As shown in Figure 149, a general prefix based IPv6 address does not have reserved bits, and an...
  • Page 423: Ipv4-Initiated Communication

    If a matching policy is found, AFT translates the source IPv6 address according to the policy. If no matching policy is found, AFT discards the packet. AFT forwards the translated packet and records the mappings between IPv6 addresses and IPv4 addresses. AFT translates the IPv4 addresses in the response packet header to IPv6 addresses based on the address mappings before packet forwarding.
  • Page 424: Aft With Alg

    If no matching policy is found, AFT discards the packet. AFT forwards the translated packet and records the mappings between IPv4 addresses and IPv6 addresses. AFT translates the IPv6 addresses in the response packet header to IPv4 addresses based on the address mappings before packet forwarding.
  • Page 425: Ipv4-Initiated Communication

    Task at a glance (Required.) Configuring an IPv6-to-IPv4 source address translation policy (Optional.) Configuring AFT logging (Optional.) Setting the ToS field to 0 for translated IPv4 packets IPv4-initiated communication Task at a glance (Required.) Enabling AFT (Required.) Configuring an IPv4-to-IPv6 destination address translation policy (Required.) Configuring an IPv4-to-IPv6 source address translation policy (Optional.)
  • Page 426: Configuring An Ipv6-To-Ipv4 Source Address Translation Policy

    Step Command Remarks • Configure an IPv4-to-IPv6 source address static mapping: aft v4tov6 source ipv4-address [ vpn-instance ipv4-vpn-instance-name ] ipv6-address [ vpn-instance Configure an By default, no IPv6-to-IPv4 ipv6-vpn-instance-name ] IPv6-to-IPv4 destination destination address translation • address translation policy. Configure a general prefix: policies exist.
  • Page 427: Configuring An Ipv4-To-Ipv6 Destination Address Translation Policy

    Step Command Remarks • Configure an IPv6-to-IPv4 source address static mapping: aft v6tov4 source ipv6-address [ vpn-instance ipv6-vpn-instance-name ] ipv4-address [ vpn-instance ipv4-vpn-instance-name ] • Configure an IPv6-to-IPv4 source address dynamic translation policy: aft v6tov4 source { acl ipv6 { name ipv6-acl-name | number By default, no Configure an...
  • Page 428: Configuring An Ipv4-To-Ipv6 Source Address Translation Policy

    Step Command Remarks • Configure an AFT mapping for an IPv6 internal server: aft v6server protocol protocol-type ipv4-destination-address ipv4-port-number [ vpn-instance ipv4-vpn-instance-name ] By default, no ipv6-destination-address ipv6-port-number IPv4-to-IPv6 [ vpn-instance ipv6-vpn-instance-name ] destination address • translation policies Configure an IPv6-to-IPv4 source address static exist.
  • Page 429: Configuring Aft Logging

    Configuring AFT logging For security auditing, you can configure AFT logging to record AFT session information. AFT sessions refer to sessions whose source and destination addresses have been translated by AFT. To configure AFT logging: Step Command Remarks Enter system view. system-view By default, AFT logging is Enable AFT logging.
  • Page 430: Aft Configuration Examples

    Task Command Display AFT mappings (in standalone mode). display aft address-mapping [ slot slot-number ] display aft address-mapping [ chassis Display AFT mappings (in IRF mode). chassis-number slot slot-number ] Display information about AFT NO-PAT entries display aft no-pat [ slot slot-number ] (in standalone mode).
  • Page 431 To allow IPv6 hosts on subnet 2013::/96 to access the IPv4 Internet, configure the following AFT policies on the router: • Configure a NAT64 prefix to translate IPv4 addresses of IPv4 servers to IPv6 addresses. • Configure an IPv6-to-IPv4 source address dynamic translation policy to translate source IPv6 addresses of IPv6-initiated packets to IPv4 addresses in the range of 10.1.1.1 to 10.1.1.3.
  • Page 432 Pinging 2012::20.1.1.1 with 32 bytes of data: Reply from 2012::20.1.1.1: time=3ms Reply from 2012::20.1.1.1: time=3ms Reply from 2012::20.1.1.1: time=3ms Reply from 2012::20.1.1.1: time=3ms # Display detailed information about IPv6 AFT sessions on the router. [Router] display aft session ipv6 verbose Initiator: Source IP/port: 2013::100/0...
  • Page 433: Providing Ftp Service From An Ipv6 Network To The Ipv4 Internet

    Total sessions found: 1 Providing FTP service from an IPv6 network to the IPv4 Internet Network requirements As shown in Figure 153, a company upgrades the network to IPv6, and it has an IPv4 address 10.1.1.1. To allow the IPv6 FTP server to provide FTP services to IPv4 hosts, configure the following AFT policies on the router: •...
  • Page 434: Allowing Mutual Access Between Ipv4 And Ipv6 Networks

    DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/1/1 Responder: Source IP/port: 10.1.1.1/21 Destination IP/port: 20.1.1.1/11025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet2/1/2 State: TCP_ESTABLISHED Application: FTP Start time: 2014-03-13 09:07:30 TTL: 3577s Initiator->Responder: 3 packets...
  • Page 435 • Configure a NAT64 prefix to translate source IPv4 addresses of packets initiated by the IPv4 network to IPv6 addresses. Figure 154 Network diagram Configuration procedure # Specify IP addresses for the interfaces on the router. The IPv6 addresses for IPv6 hosts are calculated from the IVI prefix 2013::/32 and IPv4 addresses in the range of 20.1.1.0/24.
  • Page 436: Allowing Ipv6 Internet Access From An Ipv4 Network

    Initiator: Source IP/port: 2013:0:FF14:0101:0100::/0 Destination IP/port: 2012::0a01:0101/32768 VPN instance/VLAN ID/Inline ID: -/-/- Protocol: IPV6-ICMP(58) Inbound interface: GigabitEthernet2/1/2 Responder: Source IP/port: 2012::0a01:0101/0 Destination IP/port: 2013:0:FF14:0101:0100::/33024 VPN instance/VLAN ID/Inline ID: -/-/- Protocol: IPV6-ICMP(58) Inbound interface: GigabitEthernet2/1/1 State: ICMPV6_REPLY Application: OTHER Start time: 2014-03-13 08:52:59 TTL: 23s Initiator->Responder: 4 packets...
  • Page 437 To allow IPv4 hosts to access the IPv6 server in the IPv6 Internet, configure the following AFT policies on the router: • Configure an IPv4-to-IPv6 source address dynamic translation policy. • Configure an IPv6-to-IPv4 source address static mapping for the IPv6 server. Figure 155 Network diagram Configuration procedure # Specify IP addresses for the interfaces on the router.
  • Page 438 [Router] display aft session ipv4 verbose Initiator: Source IP/port: 10.1.1.1/1025 Destination IP/port: 20.1.1.1/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet2/1/1 Responder: Source IP/port: 20.1.1.1/1025 Destination IP/port: 10.1.1.1/0 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet2/1/2 State: ICMP_REPLY...
  • Page 439: Providing Ftp Service From An Ipv4 Network To The Ipv6 Internet

    Providing FTP service from an IPv4 network to the IPv6 Internet Network requirements As shown in Figure 156, a company deploys an IPv4 network, and it has an IPv6 address 2012::1. The Internet migrates to IPv6. To allow the IPv4 FTP server to provide FTP services to IPv6 hosts, configure the following AFT policies on the router: •...
  • Page 440 # Enable AFT on GigabitEthernet 2/1/2, which is connected to the IPv4 network. [Router] interface gigabitethernet 2/1/2 [Router-GigabitEthernet2/1/2] aft enable [Router-GigabitEthernet2/1/2] quit Verifying the configuration # Verify the connectivity between the IPv6 hosts and the IPv4 FTP server. For example, ping the IPv4 FTP server from IPv6 host A.
  • Page 441 Protocol: TCP(6) Inbound interface: GigabitEthernet2/1/2 State: TCP_ESTABLISHED Application: FTP Start time: 2014-03-13 09:07:30 TTL: 3577s Initiator->Responder: 3 packets 124 bytes Responder->Initiator: 2 packets 108 bytes Total sessions found: 1...
  • Page 442: Configuring Waas

    Configuring WAAS The Wide Area Application Services (WAAS) feature is a set of services that can optimize WAN traffic. WAAS solves WAN issues such as high delay and low bandwidth by using optimization services. WAAS provides the following optimization services: •...
  • Page 443: Selective Acknowledgement

    Selective acknowledgement TCP uses a cumulative acknowledgement scheme. This scheme forces the sender either to wait a round-trip time to learn about each lost packet or to unnecessarily retransmit segments that have been correctly received. When multiple nonconsecutive segments are lost, this scheme reduces overall TCP throughput.
  • Page 444: Lz Compression

    LZ compression LZ compression is a lossless compression algorithm that uses a compression dictionary to replace repeated data in the same message. The compression dictionary is carried in the compression result. The sending device uses sliding window technology to detect repeated data. Compared with DRE, LZ compression has a lower compression ratio.
  • Page 445: Configuring A Waas Policy

    Step Command Remarks Create a WAAS class and By default, only predefined WAAS waas class class-name enter WAAS class view. classes exist. match [ match-id ] tcp { any | destination | source } [ ip-address ipv4-address By default, no match criterion is Configure a match criterion.
  • Page 446: Configuring Tfo Parameters

    A global logical interface (such as a Layer 3 aggregate interface or VLAN interface) that spans multiple cards or IRF member devices can be used to connect to the WAN. To ensure the traffic optimization effect for such an interface, use the service command to specify one of these cards or IRF member devices to forward traffic for the interface.
  • Page 447: Configuring The Tfo Blacklist Autodiscovery Feature

    Configuring the TFO blacklist autodiscovery feature This feature automatically discovers servers that cannot receive TCP packets with options and adds the server IP addresses and port numbers to a blacklist. The system automatically removes blacklist entries after a user-configured aging time. During the 3-way handshake, the local device determines that the TCP connection attempt fails if either of the following situations occurs: •...
  • Page 448: Displaying And Maintaining Waas

    Displaying and maintaining WAAS Execute display commands in any view and reset commands in user view. Task Command Display WAAS class configuration. display waas class [ class-name ] display waas policy [ policy-name ] Display WAAS policy configuration. display waas session { ipv4 | ipv6 } [ client-ip client-ip ] Display WAAS session information (in [ client-port client-port ] [ server-ip server-ip ] [ server-port standalone mode).
  • Page 449 Figure 157 Network diagram Configuration procedure Configure IP addresses for interfaces. (Details not shown.) Configure routing protocols to ensure connectivity. (Details not shown.) Disable fast forwarding load sharing: # Disable fast forwarding load sharing on Router A. <RouterA> system-view [RouterA] undo ip fast-forwarding load-sharing # Disable fast forwarding load sharing on Router B.
  • Page 450: User-Defined Waas Policy Configuration Example

    Encode Statistics Dre msgs: 2 Bytes in: 286 bytes Bytes out: 318 bytes Bypass bytes: 0 bytes Bytes Matched: 0 bytes Space saved: -11% Average latency: 0 usec Decode Statistics Dre msgs: 57050 Bytes in: 14038391 bytes Bytes out: 14079375 bytes Bypass bytes: 0 bytes Space saved: 0% Average latency: 0 usec...
  • Page 451 • For the first download, both WAAS devices need to create data dictionary entries and Router A sends both indexes and metadata. • For the second download, Router A replaces repeated data with indexes. Figure 158 Network diagram Configuration procedure Configure IP addresses for interfaces.
  • Page 452 # Create a WAAS policy named p1 on Router B, and specify the WAAS class c1. Configure TFO, DRE, and LZ optimization actions for the WAAS class. [RouterB] waas policy p1 [RouterB-waaspolicy-p1] class c1 [RouterB-waaspolicy-p1-c1] optimize tfo dre lz [RouterB-waaspolicy-p1-c1] quit [RouterB-waaspolicy-p1] quit Apply WAAS policies: # Apply the WAAS policy p1 to the interface GigabitEthernet 2/1/1 on Router A.
  • Page 453 Average latency: 0 usec # After the second download, display DRE statistics on Router A. <RouterA> display waas statistic dre Peer-ID: cc3e-5fd8-5158 Peer version: 1.0 Cache in storage: 12857856 bytes Index number: 50226 Age: 00 weeks, 00 days, 00 hours, 2 minutes, 02 seconds Total connections: 1 Active connections: 0 Encode Statistics...
  • Page 454: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 455: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 456: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 457: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 458 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 459: Index

    Index AFT prefix translation, Numerics BOOTP client IP address acquisition interface, DHCP address assignment, 1NAT configuration (static inbound 1\1), DHCP address pool, 1NAT configuration (static outbound DHCP address pool application on interface, 1\1), 121, 138, 138 DHCP address pool selection, DHCP address pool usage alarm, technology, DHCP address pool VPN instance application,...
  • Page 460 IP addressing IP unnumbered DHCP client subnet, configuration, DHCPv6 client subnet, IPPO ICMP packet source address, IRDP proxy-advertised IP address, IPv6 addresses, IRDP RA (router advertisement), IPv6 ICMPv6 packet source address, ADVPN NAT configuration, 112, 120, 138 AAA configuration, NAT configuration configuration, 323, 328, 341 (bidirectional+external-internal...
  • Page 461 VAM server keepalive parameter, ADVPN VAM server authentication algorithm configuration, VAM server port number, ADVPN VAM server encryption algorithm VAM server pre-shared key, configuration, VAM server retry timer set, WAAS TFO congestion algorithm optimization, address translation policy configuration allocating (IPv4-to-IPv6 destination), DHCP address allocation, address translation policy configuration DHCP addresses allocation,...
  • Page 462 static entry configuration, 3, 6 IPv6 stateless address autoconfiguration, suppression configuration, 14, 15 tunneling automatic mode, suppression display, WAAS TFO blacklist autodiscovery, suppression maintain, table, backing up assembling DHCP binding auto backup, IPv6 local fragment reassembly, DHCPv6 binding auto backup, assigning bandwidth DHCP address,...
  • Page 463 IPPO TCP buffer size, DHCPv6 IPv6 prefix assignment, DHCPv6 relay agent configuration, 254, 258 DHCPv6 stateless, CHAP stateless DHCPv6 configuration, ADVPN VAM server authentication common method, DHCP options, checksum security feature (GRE), compressing class WAAS DRE decompression, DHCP user class whitelist, WAAS DRE process, IP address class, WAAS LZ compression process,...
  • Page 464 automatic IPv4-compatible IPv6 DHCPv6 client IPv6 prefix acquisition, 262, 265 tunnel, 286, 287 DHCPv6 client stateless, BOOTP client, 83, 84 DHCPv6 relay address pool, BOOTP client IP address acquisition DHCPv6 relay agent, 254, 255, 258 interface, DHCPv6 server, 236, 239, 249 client stateless DHCPv6, DHCPv6 server dynamic IPv6 address common proxy ARP,...
  • Page 465 IPv4 DNS client domain name resolution NAT (dynamic inbound), (static), 88, 94 NAT (dynamic outbound), IPv4 DNS proxy, NAT (dynamic outbound+non-overlapping IPv4/IPv4 GRE tunnel, addresses), IPv4/IPv4 tunnel, 296, 297 NAT (dynamic), IPv4/IPv6 GRE tunnel, NAT (outbound bidirectional), IPv4/IPv6 manual tunnel, 298, 299 NAT (static inbound 1\1), IPv6 address (global unicast)(manual),...
  • Page 466 WAAS policy (predefined), IPv6 ND router/prefix discovery, WAAS policy (user-defined), device WAAS TFO blacklist autodiscovery, 6to4 relay configuration, WAAS TFO parameters, ARP dynamic entry max (device), conflict notification (gratuitous ARP), ARP dynamic entry max (interface), controlling ARP suppression configuration, IPv6 ICMPv6 message send, BOOTP client configuration, cookie (TCP SYN), client stateless DHCPv6 configuration,...
  • Page 467 DNS proxy, address assignment, DNS proxy configuration, address pool, DNS spoofing, address pool application on interface, DNS spoofing configuration, address pool selection, DNS trusted interface, address pool usage alarm, DS-Lite tunnel configuration, address pool VPN instance application, IP addressing configuration, 21, 21 binding auto backup, IP addressing IP unnumbered...
  • Page 468 Option 60;Option 060, server user class configuration, Option 66;Option 066, server user class whitelist configuration, Option 67;Option 067, smart relay configuration, Option 82 (relay agent);Option 082 (relay troubleshoot relay agent configuration, agent), 28, 29 troubleshoot server configuration, Option 82 handling enable;Option 082 user class whitelist configuration, handling enable, voice client Option 184 parameters,...
  • Page 469 relay agent Interface-ID option padding IPv6 fast forwarding, mode, NAT, relay agent maintain, proxy ARP, relay agent packet DSCP value, tunneling configuration, relay agent server, UDP helper, server configuration, 236, 239, 249 WAAS, server configuration on interface, DNS, 105, See also DDNS server display, configuration,...
  • Page 470 DHCP client domain name suffix, Domain Name System. Use DDNS Domain Name System. Use Dynamic Host Configuration Protocol. Use DHCP IPv4 DNS client domain name resolution, 89, 95 compression, IPv6 DNS client domain name resolution, 90, 100 decompression, IPv6 dynamic path MTU aging timer, WAAS, NAT, WAAS LZ compression,...
  • Page 471 AFT, DHCPv6 client IPv6 address acquisition configuration, Enabling DHCPv6 client IPv6 address+prefix acquisition NAT reply redirection, configuration, enabling DHCPv6 client IPv6 prefix acquisition ADVPN VAM client, configuration, DHCP, gratuitous ARP configuration, DHCP server logging, proxy ARP configuration, DHCP server on interface, UDP helper broadcast >...
  • Page 472 ADVPN packet forwarding, NAT gateway+BRAS device configuration, fast forwarding configuration, NAT hairpin configuration (C/S mode), fast forwarding load sharing, NAT hairpin configuration (P2P mode), IP services fast forwarding entry aging NAT server configuration (external-internal time, access+domain name), IPPO directed broadcast receive/forward, NAT server configuration (external-to-internal access), IPv6 fast forwarding configuration,...
  • Page 473 ADVPN configuration (IPv6 AFT, multi-hub-group), IPv4/IPv4 tunneling, ADVPN hub group configuration, IPv4/IPv6 tunneling, ADVPN hub group creation, IPv6/IPv4 tunneling, ADVPN hub group private address, IPv6/IPv6 tunneling, ADVPN hub group spoke private address initializing range, ADVPN connection, ADVPN structure (hub-group), instance ADVPN structure (hub-spoke), DHCP address pool VPN instance application, hub-spoke...
  • Page 474 automatic IPv4-compatible IPv6 DHCPv6 client IPv6 address acquisition tunnel, 286, 287 configuration, BOOTP client configuration, 83, 84 DHCPv6 client IPv6 address+prefix acquisition, BOOTP client dynamic IP address acquisition, DHCPv6 client IPv6 address+prefix acquisition configuration, client stateless DHCPv6 configuration, DHCPv6 client IPv6 prefix acquisition, common proxy ARP configuration, DHCPv6 client IPv6 prefix acquisition configuration,...
  • Page 475 IPv6 address formats, NAT configuration (bidirectional+external-internal access+domain name), IPv6 address type, NAT configuration (dynamic inbound), IPv6 addresses, NAT configuration (dynamic outbound), IPv6 anycast address configuration, NAT configuration (dynamic IPv6 basic settings outbound+non-overlapping addresses), configuration, 200, 207, 227 NAT configuration (dynamic), IPv6 basics configuration, NAT configuration (outbound bidirectional), IPv6 dual stack technology,...
  • Page 476 FIB table, AFT display, FIB table entry display, AFT enable, load sharing (bandwidth-based), AFT implementations, load sharing (per-packet or per-flow), 174, 174 AFT IPv4 Internet access (IPv6 network), load sharing configuration, AFT IPv4 Internet FTP service (IPv6 network), optimal route selection, AFT IPv4 packet ToS field, IP performance optimization.
  • Page 477 DHCP client configuration, 78, 80 DHCP server IP address static assignment, DHCP client display, DHCP server logging enable, DHCP client DNS server, DHCP server maintain, DHCP client domain name suffix, DHCP server option customization, DHCP client gateway, DHCP server subnet configuration, DHCP client ID configuration (on interface), DHCP server user class configuration, DHCP client NetBIOS node type,...
  • Page 478 DHCPv6 server IPv6 prefix assignment, IPv4/IPv6 manual tunnel configuration, 298, 299 DHCPv6 server logging, IPv4/IPv6 tunneling implementation, DHCPv6 server maintain, IPv6 addresses, displaying IPv6 basics, IPv6 anycast address configuration, DNS configuration, 85, 88 IPv6 basic settings configuration, 200, 207, 227 DNS outgoing packet DSCP value, IPv6 basics configuration, DNS packet source interface,...
  • Page 479 IRDP operation, NAT terminology, IRDP protocols and standards, NAT types, ISATAP tunnel configuration, 293, 293 NAT+ALG configuration, Layer 3 virtual tunnel interface, NAT+DNS mapping configuration, 132, 162 maintaining IPv6 basics, NAT444 configuration, NAT configuration, 112, 120, 138 NAT444 configuration (DS-Lite), 131, 168 NAT configuration NAT444 configuration (dynamic),...
  • Page 480 UDP helper multicast > broadcast/unicast DNS proxy configuration, 91, 98 conversion, DNS spoofing configuration, IPng, 200, See also IPv6 DS-Lite tunnel configuration, 301, 303 IPPO DS-Lite tunneling, configuration, GRE application scenarios, directed broadcast receive/forward GRE encapsulation format, configuration, GRE/IPv4 tunnel configuration, directed broadcast receive/forward IP address classes, enable,...
  • Page 481 AFT translation process (IPv6-initiated IPv6/IPv6 tunnel configuration, 305, 306 communication), IPv6/IPv6 tunneling implementation, anycast address configuration, ISATAP tunnel configuration, 293, 293 automatic IPv4-compatible IPv6 link-local address configuration, tunnel, 286, 287 load sharing configuration basic configuration, (bandwidth-based), basic settings configuration, 200, 207, 227 local fragment reassembly enable, DHCPv6.
  • Page 482 DHCP overview, ADVPN route learning, ISATAP IPv6 ND dynamic neighbor entries max number, tunnel configuration, 293, 293 leasing DHCP IP address lease extension, AFT prefix translation, DHCPv6 address/prefix lease renewal, DHCPv6 PD, keepalive limiting ADVPN VAM server keepalive parameter, IPPO ICMP error message rate limit, IPv6 ICMPv6 error message rate limit, ADVPN VAM client pre-shared key, load sharing...
  • Page 483 IPv6 EUI-64 address-based interface common proxy ARP configuration, identifiers, DHCP format, proxy ARP configuration, DHCPv6 assignment (4 messages), maintaining DHCPv6 rapid assignment (2 messages), ADVPN, gratuitous ARP configuration, AFT, gratuitous ARP packet learning, ARP, gratuitous ARP periodic packet send, ARP suppression, IPPO ICMP error message rate limit, DHCP relay agent, IPPO ICMP error message sending,...
  • Page 484 name configuration (static outbound object group-based), DDNS client configuration, configuration (static), DDNS configuration (PeanutHull server), configuration restrictions (dynamic), DDNS configuration (www.3322.org), configuration restrictions and guidelines, DNS configuration, control, DNS dynamic domain name resolution, deletion of timestamps in TCP SYN and SYN DNS proxy configuration, ACK packets, DNS spoofing configuration,...
  • Page 485 server configuration (external-internal NetBIOS access+domain name), DHCP client node type, server configuration (external-to-internal net-to-net access), NAT configuration (static inbound net-to-net), server configuration (load sharing), 128, 160 NAT configuration (static outbound session entry, net-to-net), static NAT, network static NAT444 mapping, 6to4 relay configuration, terminology, 6to4 tunnel configuration, 288, 289...
  • Page 486 ARP operation, DHCPv6 address pool selection, ARP static entry, DHCPv6 address/prefix assignment, ARP static entry configuration, DHCPv6 client DUID, ARP table, DHCPv6 client gateway address, automatic IPv4-compatible IPv6 DHCPv6 client IPv6 address acquisition, tunnel, 286, 287 DHCPv6 client IPv6 address acquisition BOOTP client IP address acquisition configuration, interface,...
  • Page 487 DS-Lite tunnel configuration, 301, 303 IPv6 6PE technology, enable IPv6 direct route advertisement, IPv6 addresses, fast forwarding entry aging time, IPv6 anycast address configuration, fast forwarding load sharing, IPv6 DNS client configuration, flow classification policy, IPv6 DNS client domain name resolution (dynamic), gratuitous ARP configuration, IPv6 DNS client domain name resolution...
  • Page 488 IRDP basic concepts, UDP helper broadcast > multicast conversion, 195, 197 IRDP operation, UDP helper broadcast > unicast ISATAP tunnel configuration, 293, 293 conversion, 194, 197 Layer 3 virtual tunnel interface, UDP helper multicast > broadcast NAT configuration conversion, (bidirectional+external-internal UDP helper multicast >...
  • Page 489 WAAS configuration, 429, 431, 435 WAAS TFO congestion algorithm optimization, node WAAS TFO slow start optimization, DHCP client NetBIOS node b (broadcast) type, option DHCP client NetBIOS node h (hybrid) type, DHCP field, DHCP client NetBIOS node m (mixed) DHCP option customization, type, DHCP server option customization, DHCP client NetBIOS node p (peer-to-peer)
  • Page 490 flow classification packet-based policy, IPv6 ND stateless address autoconfiguration, flow classification policy, IPv6 ND static neighbor entry, gratuitous ARP packet learning, IPv6 ND suppression configuration, 218, 231 gratuitous ARP periodic packet send, IPv6 path MTU discovery, 205, 220 GRE checksum security feature, IPv6 RA message parameter, GRE encapsulation format, IPv6 static path MTU,...
  • Page 491 ADVPN VAM server authentication NAT logging, method, NAT server (ACL-based), parameter NAT server (common), DHCPv6 server network parameters (address NAT server (load sharing), pool), NAT server configuration, DHCPv6 server network parameters (option NAT444, group), NAT444 configuration (DS-Lite), DHCPv6 server network parameters NAT444 configuration (dynamic), assignment, NAT444 configuration (static),...
  • Page 492 configuring 6to4 relay, configuring DDNS (www.3322.org), configuring 6to4 tunnel, 288, 289 configuring DDNS client, configuring ADVPN, configuring DDNS client policy, configuring ADVPN (IPv4 full-mesh NAT configuring DHCP address pool static binding, traversal), configuring DHCP address pool usage alarm, configuring ADVPN (IPv4 full-mesh), configuring DHCP binding auto backup, configuring ADVPN (IPv4 hub-spoke), configuring DHCP client,...
  • Page 493 configuring DHCPv6 relay address pool, configuring IPv4 DNS client domain name resolution (static), 88, 94 configuring DHCPv6 relay agent, 255, 258 configuring IPv4 DNS proxy, configuring DHCPv6 server, configuring IPv4/IPv4 GRE tunnel, configuring DHCPv6 server dynamic IPv6 address assignment, configuring IPv4/IPv4 tunnel, 296, 297 configuring DHCPv6 server dynamic IPv6 configuring IPv4/IPv6 GRE tunnel,...
  • Page 494 configuring IRDP, 182, 183 configuring twice NAT, configuring ISATAP tunnel, 293, 293 configuring UDP helper broadcast > multicast conversion, 195, 197 configuring Layer 3 virtual tunnel interface, configuring UDP helper broadcast > unicast conversion, 194, 197 configuring NAT, configuring UDP helper multicast > broadcast configuring NAT conversion, (bidirectional+external-internal...
  • Page 495 enabling ADVPN VAM client, enabling local proxy ARP, enabling ADVPN VAM server, enabling NAT reply redirection, enabling AFT, enabling NAT444 mapping global sharing (dynamic), enabling ARP dynamic entry check, enabling sending ICMP error messages for NAT enabling ARP logging, failures, enabling common proxy ARP, maintaining ADVPN, enabling deletion of timestamps in TCP SYN...
  • Page 496 setting IPv6 ND hop limit, troubleshooting IPv6 address cannot be pinged, specifying ADVPN spoke-to-spoke tunnel establishment control ACL, troubleshooting IPv6 DNS incorrect IP address, specifying ADVPN VAM client domain, troubleshooting tunnel cannot come up, specifying ADVPN VAM client pre-shared key, protecting specifying ADVPN VAM client server, DHCP relay agent starvation attack protection,...
  • Page 497 rate limit maintain, 74, 258 IPPO ICMP error message rate limit, troubleshooting DHCP configuration, rate limiting releasing IPv6 ICMPv6 error message rate limit, DHCP relay agent IP address release, reassembling reserved DHCP Option 184, 28, 30 IPPO IPv4 local fragment reassembly, resolving IPv6 local fragment reassembly, DDNS client configuration,...
  • Page 498 DDNS configuration (PeanutHull server), NAT control, DDNS configuration (www.3322.org), DDNS outgoing packet DSCP value, DNS configuration, 85, 88 TFO selective acknowledgement, DNS outgoing packet DSCP value, security DNS packet source interface, ADVPN tunnel IPsec, DNS proxy, ADVPN VAM client username+password, DNS proxy configuration, DHCP relay agent entry periodic refresh, DNS spoofing configuration,...
  • Page 499 DHCP server user class whitelist IRDP RS (router solicitation), configuration, source DHCP voice client Option 184 parameters, AFT address translation policy (IPv4-to-IPv6 DHCPv6 address pool, source), DHCPv6 configuration, 236, 239, 249 AFT address translation policy (IPv6-to-IPv4 source), DHCPv6 configuration on interface, DHCP relay agent source IP address, DHCPv6 DUID, IPPO ICMP packet source address,...
  • Page 500 DNS spoofing configuration, IPPO TCP SYN cookie enable, DNS spoofing network mode tracking, IPPO wait timer, starvation attack DHCP relay agent protection, table stateless DHCPv6, ARP static entry, DHCPv6 client, ARP table, DHCPv6 client configuration, IP forwarding FIB table entry display, static AFT, IPPO buffer size,...
  • Page 501 ADVPN VAM client dumb timer, ADVPN spoke-to-spoke tunnel establishment control ACL, ADVPN VAM server retry timer set, ADVPN tunnel establishment, ARP dynamic entry aging, ADVPN tunnel interface, IPPO TCP FIN wait timer, ADVPN tunnel IPsec, IPPO TCP SYN wait timer, automatic IPv4-compatible IPv6 tunnel, 286, 287 IPv6 dynamic path MTU aging timer,...
  • Page 502 configuration, 194, 197 server authentication algorithm configuration, configuration restrictions, server authentication method configuration, display, server configuration, IPPO (IPPO), server enable, maintain, server encryption algorithm configuration, multicast > broadcast conversion, server keepalive parameter, multicast > broadcast/unicast conversion, server port number configuration, unicast server pre-shared key configuration, IPv6 address (global),...
  • Page 503 DHCPv6 address pool VPN instance application, GRE application, tunneling configuration, 274, 282 VRF-aware NAT, NAT, WAAS class configuration, configuration, 429, 431, 435 configuration restrictions, display, DRE, DRE compression, DRE decompression, LZ compression, maintain, policy application to interface, policy configuration, policy configuration (predefined), policy configuration (user-defined), protocols and standards, setting delete,...
