H3C S9500 Series Operation Manual

Routing switches

H3C S9500 Series Routing Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: T2-08165E-20081225-C-1.24
Product Version: S9500-CMW310-R1648

Summary of Contents for H3C S9500 Series

  • Page 1 H3C S9500 Series Routing Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08165E-20081225-C-1.24 Product Version: S9500-CMW310-R1648...
  • Page 2 Copyright © 2007-2008, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
  • Page 3 About This Manual Organization H3C S9500 Series Routing Switches Configuration Manual is organized as follows: Part Contents includes Obtaining Documentation, Product 00 Product Overview Features, and Features. includes Ethernet Port Configuration, Port Configuration, Link Aggregation Configuration, Port Isolation Configuration, VLAN Configuration, MAC...
  • Page 4 Part Contents includes Command Line Interface Configuration, Login and User Interface Configuration, FTP and TFTP Configuration, HA Configuration, NQA Configuration, NetStream Configuration, NTP Configuration, RMON Configuration, SNMP Configuration, Packet Statistics Accounting Configuration, Device Management 08 System Volume Configuration, Configuration File Management Configuration, File System Management Configuration, Cluster...
  • Page 5 Caution data loss or damage to equipment. Note Means a complementary description. Related Documentation In addition to this manual, each H3C S9500 Series Routing Switches documentation set includes the following: Manual Description It introduces the installation procedure, H3C S9500 Series Routing Switches...
  • Page 6 [Technical Support & Document > Product Support > Software]: Provides the documentation released with the software version. Documentation Feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 7: Manual Version

    Operation Manual H3C S9500 Series Routing Switches IP Services Volume Organization Manual Version T2-08165E-20081225-C-1.24 Product Version S9500-CMW310-R1648 Organization The IP Services Volume is organized as follows: Features (operation Description manual) Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address.
  • Page 8 Operation Manual H3C S9500 Series Routing Switches IP Services Volume Organization Features (operation Description manual) UDP Helper (UDPH) functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. The volume describes:...
  • Page 9: Table Of Contents

    Operation Manual – ARP H3C S9500 Series Routing Switches Table of Contents Table of Contents Chapter 1 ARP Configuration....................... 1-1 1.1 Introduction to ARP......................1-1 1.2 Configuring ARP ........................ 1-3 1.2.1 Enabling/Disabling ARP Entry Checking ..............1-3 1.2.2 Adding/Deleting a Static ARP Entry ................ 1-3 1.2.3 Configuring the Dynamic ARP Aging Timer............
  • Page 10: Chapter 1 Arp Configuration

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration Chapter 1 ARP Configuration When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Displaying and Debugging ARP 1.1 Introduction to ARP Address resolution protocol (ARP) is used to resolve an IP address into a MAC address.
  • Page 11 IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B. III. ARP concepts ARP entries used in S9500 series routing switches include dynamic ARP entries and static ARP entries. Dynamic ARP entries are automatically created and maintained by the ARP protocol through ARP packets.
  • Page 12: Configuring Arp

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration 1.2 Configuring ARP The ARP table can be maintained dynamically or manually. Usually, the manually configured mappings are known as static ARP entries. The user can display, add or delete such entries with commands.
  • Page 13: Configuring The Dynamic Arp Aging Timer

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration As long as a switch operates, its static ARP entries remain valid unless you change or remove a VLAN interface, remove a VLAN, or remove a port from a VLAN.
  • Page 14 Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration To do… Use the command… Remarks Enter system view system-view — Add a port for the arp static ip-address mac-address vlan-id multicast ARP multi-port interface-type interface-number —...
  • Page 15: Proxy Arp Configuration

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration 1.2.5 Proxy ARP Configuration I. Enable proxy ARP for Sub-VLANs With the super VLAN function enabled, a device also needs to be enabled with the proxy ARP function for Layer 3 communications between sub-VLANs. If you enable the proxy ARP function on a device that is connected to two sub-VLANs, the device forwards packets between the sub-VLANs at Layer 3.
  • Page 16: Gratuitous Arp Learning Configuration

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration III. Enable local proxy ARP With local proxy ARP enabled, the device directly sends back an ARP response if it receives an ARP request whose sender and target IP addresses are on the same network segment as the receiving VLAN interface.
  • Page 17: Configuring Arp Packets Not To Broadcast In Vlan

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration II. Gratuitous ARP packet learning configuration Follow these steps to configure the gratuitous ARP packet learning function: To do… Use the command… Remarks Enter system view system-view —...
  • Page 18 Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 1 ARP Configuration To do… Use the command… Remarks reset arp [ dynamic | static | Clear specified ARP entries interface { interface-type interface-number } | all ] Available in...
  • Page 19: Chapter 2 Arp Table Size Configuration

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 2 ARP Table Size Configuration Chapter 2 ARP Table Size Configuration When configuring the ARP table size, go to these sections for information you are interested in: Introduction to ARP Table Size Configuration...
  • Page 20: Configuring Arp Table Size Dynamically

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 2 ARP Table Size Configuration Note: You can distinguish the model suffix of a card by the silkscreen at the upper right corner of the front panel. For example, the silkscreen of the LSB1GP12B0 card is GP12B, and so the suffix of this card is B.
  • Page 21: Displaying Arp Table Size Configuration

    2.4 ARP Table Size Configuration Example I. Network requirements A host is connected to an S9500 series routing switch. The model names of all the cards in the switch system are suffixed with C, CA, or CB.
  • Page 22 Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 2 ARP Table Size Configuration II. Network diagram Switch Figure 2-1 Diagram for ARP table size configuration III. Configuration procedure # Configure the maximum number of ARP entries supported by the whole switch as 64K.
  • Page 23: Chapter 3 Arp Attack Prevention Configuration

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 3 ARP Attack Prevention Configuration Chapter 3 ARP Attack Prevention Configuration When configuring ARP attack prevention, go to these sections for information you are interested in: ARP Spoofing Attack Prevention...
  • Page 24 By forging the ARP packets from A, the attacker B changes the ARP entry of A on G, thereby disconnecting A from G. To prevent ARP source address spoofing attacks, the S9500 series switches provide the following methods. I. Fixed MAC addresses For a dynamic ARP entry already learned by the switch, the corresponding MAC address cannot be modified by learning a new MAC address through ARP.
  • Page 25: Configuring Arp Spoofing Attack Prevention

    As a result, the hosts are unable to access the network. Such an attack is called an ARP duplicate gateway attack. To prevent such attacks, S9500 series switches provide the duplicate gateway attack prevention function. If any of the following conditions occurs, the system generates an...
  • Page 26: Configuring Arp Duplicate Gateway Attack Prevention

    MAC address is just one kind of attack, which affects ARP entry learning of the switch. S9500 series switches can detect and prevent such ARP packet attacks. If the number of ARP packets with a fixed source MAC address received by the switch CPU reaches the set threshold within a certain period, the user with this MAC address is considered an attacker.
  • Page 27: Configuring Arp Packet Attack Prevention

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 3 ARP Attack Prevention Configuration 3.3.2 Configuring ARP Packet Attack Prevention Follow these steps to configure ARP packet attack prevention: To do… Use the command… Remarks Enter system view system-view —...
  • Page 28: Arp Attack Prevention Configuration Example

    Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 3 ARP Attack Prevention Configuration 3.4 ARP Attack Prevention Configuration Example I. Network requirements An S9500 switch (Switch 1) is connected to two low-end switches Switch 3 and Switch 2 through Ethernet 1/1/1 and Ethernet 1/1/2, respectively.
  • Page 29 Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 3 ARP Attack Prevention Configuration [Switch1] anti-attack arp threshold 40 # Configure the aging time for ARP packet attack prevention entries to 300 seconds. [Switch1] anti-attack arp aging-time 300 # Configure the protective MAC address for ARP packet attack prevention to 0-0-1.
  • Page 30: Chapter 4 Ip Packet Attack Prevention Configuration

    With the expansion of the Internet and the increase of Internet users, network devices are susceptible to attacks. You can configure the IP packet attack prevention function on S9500 series switches to defend against IP packet attacks or unknown multicast attacks.
  • Page 31 Operation Manual – ARP H3C S9500 Series Routing Switches Chapter 4 IP Packet Attack Prevention Configuration Note: Currently, the anti-attack ttl1 enable slot command is supported only on the cards suffixed with DB or DC.
  • Page 32 Operation Manual – IP Address H3C S9500 Series Routing Switches Table of Contents Table of Contents Chapter 1 IP Address Configuration ................... 1-1 1.1 Introduction to IP Addresses....................1-1 1.1.1 IP Address Classification and Representation............1-1 1.1.2 Subnet and Mask ....................1-3 1.2 Configuring IP Addresses ....................
  • Page 33: Chapter 1 Ip Address Configuration

    Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration Chapter 1 IP Address Configuration When configuring IP addresses, go to these sections for information you are interested in: Introduction to IP Addresses Configuring IP Addresses...
  • Page 34 Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration The IP address is in dotted decimal format. Each IP address contains four integers in dotted decimal notation. Each integer corresponds to one byte, for example, 10.110.50.101.
  • Page 35: Subnet And Mask

    Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration Network class Address range Note Addresses of class D are multicast addresses, among which: IP address 224.0.0.0 is reserved and will not be allocated. Those from 224.0.0.1 to 224.0.0.255 are reserved for routing...
  • Page 36: Configuring Ip Addresses

    Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration Class B 10001010, 00100110, 000 00000, 00000000 138.38.0.0 Standard 11111111, 11111111, 000 00000, 00000000...
  • Page 37 Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration addresses for an interface at most, so that it can be connected to more subnets. Among these IP addresses, one is the primary IP address and all others are secondary.
  • Page 38: Ip Address Protection Configuration

    Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration 1.2.3 IP Address Protection Configuration I. How IP address protection works The IP address protection function stores IP-MAC bindings for legal users to filter illegal users.
  • Page 39: Displaying And Maintaining Ip Addresses

    Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration Caution: The MAC address auto filling function is enabled only after the IP address protection function is enabled on the interface. Once an auto-fill ARP entry is filled with a MAC address, the entry becomes a normal static ARP entry and cannot be filled again.
  • Page 40: Troubleshooting Ip Address Configuration

    Operation Manual – IP Address H3C S9500 Series Routing Switches Chapter 1 IP Address Configuration [H3C-Vlan-interface1] ip address 129.2.2.1 255.255.255.0 1.5 Troubleshooting IP Address Configuration Fault 1: The switch cannot ping through a certain host in the LAN. Troubleshooting can be performed as follows: Check the configuration of the switch.
  • Page 41 Operation Manual – VRRP H3C S9500 Series Routing Switches Table of Contents Table of Contents Chapter 1 VRRP Configuration ....................1-1 1.1 Introduction to VRRP ......................1-1 1.2 Configuring VRRP ......................1-2 1.2.1 Configuring the Function of Pinging the Virtual IP Address........1-3 1.2.2 Configuring the TTL Value Check for VRRP Packets..........
  • Page 42: Chapter 1 Vrrp Configuration

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration Chapter 1 VRRP Configuration When configuring VRRP, go to these sections for information you are interested in: Introduction to VRRP Configuring VRRP Displaying and Debugging VRRP VRRP Configuration Examples Troubleshooting VRRP 1.1 Introduction to VRRP...
  • Page 43: Configuring Vrrp

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration Network Actual IP address 10.100.10.3 Actual IP address 10.100.10.2 Master Backup Virtual IP address 10.100.10.1 Virtual IP address 10.100.10.1 Ethernet 10.100.10.7 10.100.10.8 10.100.10.9 Host 1 Host 2 Host 3 Figure 1-2 Network diagram for virtual router This virtual router has its own IP address: 10.100.10.1 (which can be the interface...
  • Page 44: Configuring The Function Of Pinging The Virtual Ip Address

    Depending on the chips installed, some switches support mapping one virtual IP address to multiple MAC addresses. S9500 series not only guarantee correct data forwarding in the subnet, but also allow you to specify a mapping mode, either virtual IP address to real MAC address mapping or virtual IP address to virtual MAC address mapping.
  • Page 45: Configuring A Virtual Ip Address

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration To do… Use the command… Specify a mapping mode for the virtual vrrp method { real-mac | virtual-mac } IP address Restore the default undo vrrp method By default, the virtual IP address of the virtual router corresponds to the virtual MAC address.
  • Page 46: Configuring Preemption And Delay For A Switch In A Vrrp Group

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration To do… Use the command… Configure a priority for the switch in the vrrp vrid virtual-router-id priority virtual router. priority Remove the priority setting of the switch undo vrrp vrid virtual-router-id priority The priority ranges from 0 to 255.
  • Page 47: Configuring Authentication Type And Authentication Key

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration The delay in seconds ranges from 0 to 255. By default, the preemption mode is enabled with a delay of 0 seconds. Note: If preemption mode is disabled, the delay will automatically become 0 seconds.
  • Page 48: Configuring The Interval For Sending Vrrp Packets On The Master

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration Note: The same authentication type and authentication key should be configured for all VLAN interfaces that belong to the virtual router. 1.2.8 Configuring the Interval for Sending VRRP Packets on the Master The master switch advertises its normal operation state to the backup switch by sending VRRP packets regularly (at adver-interval).
  • Page 49: Configuring Vrrp Link Monitoring

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration specified by value-reduced. Then the backup switch with the highest priority becomes the new master. Perform the following configuration in VLAN interface view to configure the switch to track a specified interface: To do…...
  • Page 50: Configuring Ifm Tracking

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration Caution: Before you configure VRRP link monitoring, it is required that no physical loop exists and the spanning tree protocol (STP) is not enabled on the network.
  • Page 51: Configuring The Fast Switch Function For A Virtual Router

    This mechanism causes delay in state switching and is not applicable to network environments that require fast state switching because it may interrupt traffic temporarily. To solve this problem, S9500 series switches support the fast switch function for the virtual router.
  • Page 52: Displaying And Debugging Vrrp

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration Perform the following configuration in VLAN interface view to enable/disable the fast switch function for a virtual router: To do… Use the command… Enable the fast switch function...
  • Page 53: Vrrp Configuration Examples

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration 1.4 VRRP Configuration Examples 1.4.1 Single VRRP Group Configuration Example I. Network requirements Host A takes the VRRP virtual router containing switch A and switch B as its default gateway to access host B on the Internet.
  • Page 54: Vrrp Interface Tracking Configuration Example

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration [LSW_A-vlan-interface2] vrrp vrid 1 priority 110 [LSW-A-vlan-interface2] vrrp vrid 1 preempt-mode Configure switch B # Configure VLAN2. [LSW-B] vlan 2 [LSW-B-vlan2] interface vlan 2 [LSW-B-vlan-interface2] ip address 202.38.160.2 255.255.255.0 [LSW-B-vlan-interface2] quit # Configure VRRP.
  • Page 55: Vrrp Link Monitoring Configuration Example

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration [H3CLSW-A ] vrrp ping-enable # Create the VRRP virtual router. [LSW-A] interface vlan 2 [LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Set the priority for the virtual router.
  • Page 56 Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration No physical loops exist between Switch A, Switch B and Host Server, and STP is not enabled. Switch A is the master while Switch B is the backup. No physical link is available between Switch A and Host Server.
  • Page 57: Ifm Tracking Configuration Example

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration # Set the VRRP priority for Switch A. [LSW-A-vlan-interface2] vrrp vrid 1 priority 110 Configure Switch B # Configure VLAN 2. <LSW-B> system-view [LSW-B] vlan 2 [LSW-B-vlan2] interface vlan 2 [LSW-B-vlan-interface2] ip address 10.1.1.2 255.255.255.0...
  • Page 58 Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration III. Configuration procedure Configure Switch A # Configure VLAN 2. [Switch A] vlan 2 [Switch A-vlan2] interface vlan-interface 2 [Switch A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0 [Switch A-Vlan-interface2] quit # Enable OAM.
  • Page 59: Multiple Virtual Routers Configuration Example

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration [Switch B] interface vlan 2 [Switch B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Set the authentication mode and authentication key for the virtual router. [Switch B-Vlan-interface2] vrrp vrid 1 authentication-mode md5 switch # Configure IFM tracking, and set the increased value to 10.
  • Page 60: Troubleshooting Vrrp

    Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration # Create virtual router 2. [LSW_A-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112 Configure switch B # Configure VLAN2. [LSW-B] vlan 2 [LSW-B-vlan2] interface vlan 2 [LSW-B-vlan-interface2] ip address 202.38.160.2 255.255.255.0 # Create virtual router 1.
  • Page 61 Operation Manual – VRRP H3C S9500 Series Routing Switches Chapter 1 VRRP Configuration VRRP configuration. For the configuration of the same VRRP virtual router, complete consistency for the number of virtual IP addresses, each virtual IP address, timer duration and authentication type must be guaranteed.
  • Page 62 Operation Manual – DHCP H3C S9500 Series Routing Switches Table of Contents Table of Contents Chapter 1 DHCP Overview......................1-1 1.1 DHCP Principles ........................ 1-1 1.1.1 BOOTP Relay Agent ....................1-3 1.1.2 DHCP and BOOTP Relay Agent................1-4 1.2 General DHCP Configuration .................... 1-4 1.2.1 Enabling/Disabling DHCP ..................
  • Page 63 Operation Manual – DHCP H3C S9500 Series Routing Switches Table of Contents 4.1.3 DHCP Snooping Support for Option 82 ..............4-3 4.2 DHCP Snooping Configuration ..................4-4 4.2.1 Configuration Guidelines..................4-6 4.3 Displaying and Maintaining DHCP Snooping ..............4-7 4.4 DHCP Snooping Configuration Example................4-7...
  • Page 64: Chapter 1 Dhcp Overview

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 1 DHCP Overview Chapter 1 DHCP Overview 1.1 DHCP Principles The fast expansion and growing complexity of networks result in scarce IP addresses assignable to hosts. Meanwhile, with the wide application of wireless networks, the frequent movements of laptops across networks require that the IP addresses be changed accordingly.
  • Page 65 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 1 DHCP Overview Automatic IP address assignment. The DHCP server automatically assigns fixed IP addresses to DHCP clients when they are connected to the network for the first time. After that, the IP addresses are always occupied by the DHCP clients.
  • Page 66: Bootp Relay Agent

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 1 DHCP Overview DHCP_Request packet. The packet contains the IP address carried in the accepted DHCP_Offer packet. Acknowledgement. Upon receiving the DHCP_Request packet, the DHCP server that owns the IP address the DHCP_Request packet carries sends a DHCP_ACK packet to the DHCP client.
  • Page 67: Dhcp And Bootp Relay Agent

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 1 DHCP Overview 1.1.2 DHCP and BOOTP Relay Agent Like BOOTP, DHCP also works in the Client/Server mode. A DHCP client can obtain the configuration information dynamically from a DHCP server, including important parameters such as an IP address and mask.
  • Page 68: Configuring Processing Method Of Dhcp Packets

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 1 DHCP Overview 1.2.2 Configuring Processing Method of DHCP Packets You can perform the configurations listed in the following tables on your switch. After these configurations, the switch processes the DHCP packets it receives from DHCP clients in the methods you have configured.
  • Page 69: Enabling/Disabling Unauthorized Dhcp Server Detection

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 1 DHCP Overview To do… Use the command… undo dhcp select { interface Restore the default vlan-interface vlan-id [ to vlan-interface vlan-id ] | all } By default, DHCP packets are processed in global method. That is, DHCP packets are forwarded to the local DHCP server and IP addresses in global address pools are assigned.
  • Page 70: Chapter 2 Dhcp Server Configuration

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration Chapter 2 DHCP Server Configuration When configuring the DHCP server, go to these sections for information you are interested in: Configuring the DHCP Server Displaying and Debugging the DHCP Server DHCP Server Configuration Example 2.1 Configuring the DHCP Server...
  • Page 71: Creating A Global Dhcp Ip Address Pool

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration Note: In a VRRP network, a global address pool is recommended. You are recommended to configure the virtual IP address of the VRRP group as either the gateway in the global address pool or a reserved address, because some DHCP clients (for example, Linux devices serving as clients) do not perform address collision detection after obtaining addresses through DHCP.
  • Page 72: Configuring The Ip Address Assignment Mode

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration To do… Use the command… undo dhcp server ip-pool Remove a DHCP address pool pool-name By default, no global DHCP address pool is created. Note that a VLAN interface address pool is created by the system after you assign a legal unicast IP address to the VLAN interface and configure the dhcp select interface command in VLAN interface view.
  • Page 73 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration Note: The static-bind ip-address command and the static-bind mac-address command must be used together to configure a static binding. The new configuration overwrites the previous one.
  • Page 74: Excluding Specified Ip Addresses From Assignment

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remove a dynamic assignment undo network address range By default, no IP address range is configured for dynamic IP address assignment.
  • Page 75: Configuring A Domain Name For Dhcp Clients

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration I. Configuring a lease time for a global DHCP address pool Perform the following configuration in DHCP address pool view to configure a lease time for a global DHCP address pool: To do…...
  • Page 76: Configuring Dns Servers For Dhcp Clients

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration To do… Use the command… Configure a DHCP client domain name domain-name domain-name for the global DHCP address pool Remove the DHCP client domain name undo domain-name from the global DHCP address pool II.
  • Page 77 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration must also send a DNS server address to the client. At present, you can configure up to eight DNS server addresses for one DHCP address pool.
  • Page 78: Configuring Netbios Server Addresses For Dhcp Clients

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration 2.1.7 Configuring NetBIOS Server Addresses for DHCP Clients For clients running a Windows operating system and communicating through the NetBIOS protocol, the translation between host name and IP address is carried out by Windows Internet Naming Service (WINS) servers.
  • Page 79: Configuring A Netbios Node Type For Dhcp Clients

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remove one or all NetBIOS server undo dhcp server nbns-list addresses from specified DHCP { ip-address | all } { interface...
  • Page 80: Configuring Custom Dhcp Options

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration II. Configuring a NetBIOS node type in a VLAN interface address pool Perform the following configuration in VLAN interface view to configure a NetBIOS node type in the VLAN interface address pool: To do…...
  • Page 81: Configuring Gateways For Dhcp Clients

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration II. Configuring a custom DHCP option in a VLAN interface address pool Perform the following configuration in VLAN interface view to configure a custom DHCP option in the VLAN interface address pool: To do…...
  • Page 82: Configuring Parameters For Dhcp Server To Send Ping Packets

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remove one or all outbound gateway undo gateway-list { ip-address | all } addresses By default, no outbound gateway address is configured for DHCP clients.
  • Page 83: Displaying And Debugging The Dhcp Server

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration 2.2 Displaying and Debugging the DHCP Server Displaying the DHCP server: To do… Use the command… Remarks Display the statistics display dhcp server conflict { all |...
  • Page 84: Dhcp Server Configuration Example

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration Debugging the DHCP server: To do… Use the command… Remarks Disable debugging for the undo debugging dhcp server { all | DHCP server error | event | packet }...
  • Page 85 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 2 DHCP Server Configuration # Create VLAN2. [H3C] vlan 2 # Enter VLAN interface view. [H3C] interface Vlan-interface 2 # Assign an IP address to Vlan-interface 2. [H3C-Vlan-interface2] ip address 10.110.1.1 255.255.0.0 # Specify to assign IP addresses in the interface address pool to DHCP clients.
  • Page 86: Chapter 3 Dhcp Relay Agent Configuration

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration Chapter 3 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Configuring the DHCP Relay Agent DHCP Option 82 Configuration 3.1 Configuring the DHCP Relay Agent...
  • Page 87: Configuring The Dhcp Relay Agent

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration If a DHCP server exists in the network, it processes the request packet directly without the help of a DHCP relay agent. If no DHCP server exists in the network, the network device serving as a DHCP relay agent in the network appropriately processes the request packet and forwards it to a specified DHCP server located in another network.
  • Page 88 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration Note that when configuring a new DHCP server for a VLAN interface, the newly configured one does not overwrite the existing ones. Both the new and the old ones are valid.
  • Page 89 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration Note: The DHCP client applies for an IP address through the DHCP relay agent. When the packet from the DHCP client arrives at the DHCP relay agent, the DHCP relay agent adds its primary IP address in the packet and forwards the packet to the DHCP server.
  • Page 90 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration V. Releasing the IP address of a client through DHCP relay agent in interface view When you configure this function in interface view: If you do not specify a DHCP server, the DHCP relay agent will send a release packet to all the DHCP servers in the DHCP server group associated with this interface.
  • Page 91 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration The address check is disabled on a relay agent-enabled VLAN interface by default. Caution: After the address check feature is enabled on a DHCP relay agent enabled VLAN interface, the client that has already obtained an IP address will lose its access right and has to apply for an IP address again.
  • Page 92: Displaying And Maintaining The Dhcp Relay Agent

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration To do… Use the command… Remarks Enter system view system-view — Enable DHCP relay agent dhcp relay security Enabled by default. handshake function tracker enable...
  • Page 93 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration II. Network diagram [Figure 3-2 Network diagram for DHCP relay agent configuration] III.
  • Page 94: Dhcp Option 82 Configuration

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration Caution: Do not change or delete the IP address of the interface enabled with the DHCP Relay agent; otherwise users will be unable to obtain IP addresses.
  • Page 95 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration Sub-option 2 also belongs to Option 82 and defines the Remote ID. This option identifies the MAC address of the relay agent. Generally, sub-option 1 and sub-option 2 are used together to identify a DHCP client.
  • Page 96 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration Figure 3-4 Sub-option structure SubOpt: Indicates the number of the sub-option. Sub-options contained in this packet are sub-option 1, sub-option 2 and sub-option 5. They have the following meanings: Sub-option 1 defines the Circuit ID.
  • Page 97 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration The node identifier in sub-option 1 of Option 82 is a string, which adopts the MAC address of the administration port of the device by default, in the form of 00-E0-FC-0D-DC-EC.
  • Page 98: Configuring Option 82 Support On Dhcp Relay Agent

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration packet contains the MAC address and VLAN ID of the receiving port of the switch, and the MAC address of the DHCP relay agent. After receiving the DHCP request packet forwarded by the DHCP relay agent, the DHCP server records the information carried by the option.
  • Page 99 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration II. Enabling Option 82 support on DHCP relay agent Follow these steps to enable Option 82 support on the DHCP relay agent enabled VLAN interface in VLAN interface view: To do…...
  • Page 100: Option 82 Support On Dhcp Relay Agent Configuration Example

    [H3C] interface vlan-interface 100 [H3C-vlan-interface 100] dhcp select relay [H3C-vlan-interface 100] ip relay address 202.38.1.2 [H3C-vlan-interface 100] dhcp relay information enable [H3C-vlan-interface 100] dhcp relay information strategy keep [H3C-vlan-interface 100] dhcp relay information format verbose [H3C-vlan-interface 100] dhcp...
  • Page 101 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 3 DHCP Relay Agent Configuration The configuration of the DHCP server is omitted here. 3-16...
  • Page 102: Chapter 4 Dhcp Snooping Configuration

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration Chapter 4 DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview DHCP Snooping Configuration Displaying and Maintaining DHCP Snooping...
  • Page 103: Dhcp Snooping And Acl

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration If the client’s IP address is manually configured, no matching DHCP snooping entry can be found. Thus, the client cannot receive any ARP reply and will fail to access the network.
  • Page 104: Dhcp Snooping Support For Option 82

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration Caution: After you configure DHCP snooping, any modification to a user-defined flow template may conflict with the DHCP snooping related ACLs, causing DHCP snooping features to fail.
  • Page 105: Dhcp Snooping Configuration

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration The DHCP snooping device which is located in the same network segment with the DHCP client checks whether Option 82 exists in the packet. If yes, the DHCP snooping device processes the packet according to the configured strategy: it may drop the packet, replace the original Option 82 with its own Option 82, or keep the original Option 82 unchanged.
  • Page 106 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration To do… Use the command… Remarks Required You need to configure a port that is connected to an authorized DHCP server as trusted to ensure that...
  • Page 107: Configuration Guidelines

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration To do… Use the command… Remarks reset dhcp-snooping entry { mac mac-address | vlan vlan-id | ip ip-address | Optional Remove DHCP snooping interface port-type entries...
  • Page 108: Displaying And Maintaining Dhcp Snooping

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration 4.3 Displaying and Maintaining DHCP Snooping To do… Use the command… Remarks display dhcp-snooping entry { vlan Display DHCP vlan-id [ to vlan-id ] | interface port-type...
  • Page 109 Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration [H3C] dhcp-snooping enable # Create VLAN 100 and add Ethernet 1/1/1, Ethernet 1/1/2 and Ethernet 1/1/3 into the VLAN. [H3C] vlan 100 [H3C-vlan100] quit [H3C] interface ethernet1/1/1...
  • Page 110: Wrong Dhcp Snooping Networking Examples

    Operation Manual – DHCP H3C S9500 Series Routing Switches Chapter 4 DHCP Snooping Configuration Note: To ensure that the DHCP client obtains an IP address from the DHCP server, you need to complete other configurations on the DHCP client and DHCP server. The configuration procedure is omitted because it varies depending on the device model.
  • Page 111 Operation Manual – DNS H3C S9500 Series Routing Switches Table of Contents: Chapter 1 DNS Configuration (1-1); 1.1 Introduction to DNS (1-1); 1.1.1 Static Domain Name Resolution (1-1); 1.1.2 Dynamic Domain Name Resolution (1-1); 1.2 Configuring Domain Name Resolution...
  • Page 112: Chapter 1 Dns Configuration

    Operation Manual – DNS H3C S9500 Series Routing Switches Chapter 1 DNS Configuration Chapter 1 DNS Configuration When configuring DNS, go to these sections for information you are interested in: Introduction to DNS Configuring Domain Name Resolution Displaying and Debugging Domain Name Resolution...
  • Page 113: Configuring Domain Name Resolution

    When the domain name suffix is used, if the input domain name does not include “.”, like “h3c”, the system regards it as a host name and adds a domain name suffix to search. If none of the suffixed domain names can be found in this way, the system finally searches with the originally input domain name.
  • Page 114: Configuring Dynamic Domain Name Resolution

    Operation Manual – DNS H3C S9500 Series Routing Switches Chapter 1 DNS Configuration 1.2.2 Configuring Dynamic Domain Name Resolution Dynamic domain name resolution configuration includes: Enabling/disabling static domain name resolution Configuring the IP address of a domain name server Configuring domain name suffix I.
  • Page 115: Displaying And Debugging Domain Name Resolution

    Operation Manual – DNS H3C S9500 Series Routing Switches Chapter 1 DNS Configuration To do… Use the command… Configure domain name suffix dns domain domain-name Delete domain name suffix undo dns domain [ domain-name ] 1.3 Displaying and Debugging Domain Name Resolution To do…...
  • Page 116: Troubleshooting Domain Name Resolution Configuration

    Operation Manual – DNS H3C S9500 Series Routing Switches Chapter 1 DNS Configuration # Configure the IP address of the domain name server to 172.16.1.1. [H3C] dns server 172.16.1.1 # Configure the domain name suffix as com. [H3C] dns domain com # Ping a host with the specified domain name.
  • Page 117 Operation Manual – UDP Helper H3C S9500 Series Routing Switches Table of Contents: Chapter 1 UDP Helper Configuration (1-1); 1.1 Overview (1-1); 1.2 Configuring UDP Helper (1-1); 1.2.1 Configuration Prerequisites (1-1); 1.2.2 Configuration Procedure (1-1)...
  • Page 118: Chapter 1 Udp Helper Configuration

    Operation Manual – UDP Helper H3C S9500 Series Routing Switches Chapter 1 UDP Helper Configuration Chapter 1 UDP Helper Configuration When configuring UDP Helper, go to these sections for information you are interested in: Overview Configuring UDP Helper Displaying UDP Helper 1.1 Overview...
  • Page 119 Operation Manual – UDP Helper H3C S9500 Series Routing Switches Chapter 1 UDP Helper Configuration To do… Use the command… Remarks Optional When the function is enabled, the broadcast packets with the default UDP ports are unicast to the corresponding destination server.
  • Page 120: Displaying Udp Helper

    Operation Manual – UDP Helper H3C S9500 Series Routing Switches Chapter 1 UDP Helper Configuration Note that: You cannot specify the UDP ports before the function of forwarding UDP broadcast packets is enabled. Otherwise, the system displays error information. The dns | netbios-ds | netbios-ns | tacacs | tftp | time keyword refers to six default UDP ports.
  • Page 121 Operation Manual – NAT H3C S9500 Series Routing Switches Table of Contents: Chapter 1 NAT Configuration (1-1); 1.1 NAT Overview (1-1); 1.1.1 Introduction to NAT (1-1); 1.2 Configuring NAT (1-6); 1.2.1 Configuring an Address Pool (1-6); 1.2.2 Configuring NAT...
  • Page 122: Chapter 1 Nat Configuration

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Chapter 1 NAT Configuration When configuring NAT, go to these sections for information you are interested in: NAT Overview Configuring NAT Displaying NAT Configuration NAT Configuration Examples...
  • Page 123 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration [Figure: NAT datagram diagram showing the Source IP and Destination IP fields of each datagram]...
  • Page 124 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration I. NAT and NAT control According to the NAT procedure illustrated in Figure 1-1, when an internal host tries to access the external networks, NAT selects a proper public address and substitutes it for the source address in the packets.
  • Page 125 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Many-to-many NAT can be implemented by defining an address pool, and the control of NAT can be achieved by employing access control lists (ACLs). An address pool is a collection of public IP addresses for NAT. Its configuration depends on the number of available public IP addresses, the number of internal hosts, and the practical application.
  • Page 126 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Packets 1 and 2 are from the same internal address but have different source port numbers. Packets 3 and 4 are from different internal addresses but have the same source port number.
  • Page 127: Configuring Nat

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration The AnyServer feature can only translate packets of the specified protocol (TCP, UDP or ICMP) and is mainly used for internal hosts to provide services to the public network.
  • Page 128: Configuring Nat

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration To do… Use the command… Remarks Enter system view system-view — Required An address pool is a collection of nat address-group consecutive public IP addresses. If its...
  • Page 129 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration To do… Use the command… Remarks nat outbound Required acl-number By configuring the Configure one-to-one address-group association between group-number no-pat ACLs and the NAT slot slot-no address pool (or the...
  • Page 130: Configuring Internal Servers

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Caution: Do not frequently execute the undo nat outbound command after the configuration is stable. Make sure you configure the nat vpn limit command to limit the maximum number of users and connections before configuring the nat outbound command in NAPT mode.
  • Page 131 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration To do… Use the command… Remarks nat server protocol { tcp | udp } global global-addr Configure an internal global-port inside [ vpn-name ] server host-addr host-port slot...
  • Page 132 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Caution: Up to 256 internal server translation commands can be configured for a VLAN interface. Up to 4,096 internal servers can be configured for a VLAN interface.
  • Page 133: Configuring Static Nat

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration 1.2.4 Configuring Static NAT A static NAT entry is created using the nat static command, which includes the public network address, private network address, VPN of the private network address (if the private network address belongs to a VPN), and the slot where the NAT service board is located.
  • Page 134: Configuring Nat Blacklist Attributes

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration 1.2.5 Configuring NAT Blacklist Attributes Follow these steps to enable/disable the NAT blacklist feature on a slot: To do… Use the command… Remarks Enter system view system-view —...
  • Page 135: Configuring The Aging Time Of Nat Connections

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration 1.2.6 Configuring the Aging Time of NAT Connections Follow these steps to configure the aging time of NAT connections: To do… Use the command… Remarks Enter system view system-view —...
  • Page 136 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration To do… Use the command… Remarks Optional Record the active time of ip userlog nat the NAT stream log active-time minutes Not enabled by default. Set the address and port...
  • Page 137: Displaying Nat Configuration

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration 1.3 Displaying NAT Configuration To do… Use the command… Remarks Display the configuration of the display nat address-group address pool [ group-number ] Display the aging time of NAT table...
  • Page 138 [H3C-Vlan-interface200] ip address 200.1.1.100 255.255.255.0 [H3C-Vlan-interface200] quit # Configure ACL 3000. [H3C] acl number 3000 [H3C-acl-adv-3000] rule permit ip source 10.1.1.1 0.0.0.255 [H3C-acl-adv-3000] quit # Configure NAT address pool 0. [H3C] nat address-group 0 200.1.1.101 200.1.1.111 # Configure a NAT binding on VLAN-interface 200. The NAT LPU is located in slot 3.
  • Page 139: Nat Internal Server Configuration Example

    # Customize a flow template (the default flow template does not check the packet’s destination MAC address), and apply the flow template to Ethernet 4/1/1. The interface card is located in slot 4. [H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0 vlanid [H3C] interface Ethernet4/1/1...
  • Page 140 [H3C-Vlan-interface200] ip address 200.1.1.100 255.255.255.0 [H3C-Vlan-interface200] quit # Configure ACL 3000. [H3C] acl number 3000 [H3C-acl-adv-3000] rule permit ip source 10.1.2.1 0.0.0.255 [H3C-acl-adv-3000] quit # Configure internal servers on VLAN-interface 200. The NAT LPU is located in slot 3. [H3C] interface Vlan-interface 200...
  • Page 141: Static Nat Configuration Example

    # Define a flow template (the default flow template does not check the packet’s destination MAC address), and apply the flow template to Ethernet 4/1/1. The interface card is located in slot 4. [H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0 vlanid [H3C] interface Ethernet4/1/1...
  • Page 142 [H3C] acl number 3000 [H3C-acl-adv-3000] rule permit ip source 10.1.3.1 0.0.0.255 [H3C-acl-adv-3000] quit # Configure static NAT entries on VLAN-interface 200. The NAT LPU is located in slot 3. [H3C] interface Vlan-interface 200 [H3C-Vlan-interface200] nat static global 200.1.1.102 inside 10.1.3.2 slot 3 1-21...
  • Page 143: Vpn Nat Configuration Example

    # Define a flow template (the default flow template does not check the packet’s destination MAC address), and apply the flow template to Ethernet 4/1/1. The interface card is located in slot 4. [H3C] flow-template user-defined slot 4 sip 0.0.0.0 dip 0.0.0.0 dmac 0-0-0 vlanid [H3C] interface Ethernet4/1/1...
  • Page 144 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration II. Network diagram [Figure: network diagram with labels Private Network, Public Network, Corporation A, Convergence Switch, VPN-a, VLAN 100, Ethernet 4/1/1]...
  • Page 145 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration [PE] vlan 200 [PE-vlan200] port ethernet4/1/2 [PE-vlan200] quit [PE] interface Vlan-interface 200 [PE-Vlan-interface200] ip address 200.1.1.100 255.255.255.0 # Configure ACL 3000. [PE] acl number 3000 [PE-acl-adv-3000] rule permit ip vpn-instance VPN-a source 10.1.1.1 0.0.0.255 [PE-acl-adv-3000] quit # Configure the maximum numbers of users and connections of VPN-a.
  • Page 146: Vpn-Vpn Nat Configuration Example

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration # Reference the ACLs to redirect the packets that need address translation to the NAT LPU. Ethernet 4/1/1 is the inbound interface on the private network side, and the VLAN ID is 100.
  • Page 147 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration MPLS Hybrid Insertion Configuration in the MPLS VPN Volume for detailed information. There is a route from VPN 1 to the public network in the routing table of PE 1.
  • Page 148 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration # Configure BGP and MPLS. Refer to the section Configuring PE Router in MPLS L3VPN Configuration of the MPLS VPN Volume for detailed configuration information. # Customize a flow template, and then apply it to Ethernet 4/1/1, where 4 indicates the slot in which the LPU is located.
  • Page 149 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration [PE1-Ethernet4/1/1] traffic-redirect inbound ip-group 3001 link-group 4000 rule 0 slot 3 designated-vlan 192 # Configure an ACL rule to be referenced by NAT. [PE1] acl number 3100 [PE1-acl-adv-3100] rule permit ip vpn-instance VPN1 source 192.168.1.0...
  • Page 150: Vpn Nat Configuration Example I

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Note: Choose one of the following three methods to advertise the VPN routes (the first method is recommended): Execute the export route-policy command in VPN instance view to advertise the routes configured with public network addresses, and then execute the import direct command to import directly connected routes in BGP view.
  • Page 151 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration II. Network diagram [Figure 1-8 Network diagram for VPN NAT configuration] III.
  • Page 152 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Configure the routing protocol on CE 2. IV. Configuration procedure Configure PE # Create VPN 1, and configure VPN 1 to redistribute routes from VPN 2. <PE> system-view...
  • Page 153: Vpn Nat Configuration Example Ii

    Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration # Configure the maximum numbers of users and connections allowed in VPN 1 (set the values based on the actual number of hosts in VPN 1). [PE] nat vpn limit vpn-instance VPN1 1000 100000 # Apply NAT address pool 100 to VLAN-interface 1001 that connects to CE 2.
  • Page 154 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration II. Network diagram [Figure: network diagram with labels Backbone, Paradigm Server, VLAN 100, G3/1/1, NAT 1: Pool 1, NAT Server 1, NAT 2: Pool 2, VPN 2, VLAN 1001, VPN 1]...
  • Page 155 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration Configure a NAT address pool for hosts in VPN 1 on VLAN-interface 100 that connects to the backbone. Configure the NAT internal server mapping of VPN1 on VLAN-interface 100 that connects to the backbone.
  • Page 156 Operation Manual – NAT H3C S9500 Series Routing Switches Chapter 1 NAT Configuration [PE-Vlan-interface1000] ip binding vpn-instance VPN1 [PE-Vlan-interface1000] ip address 202.231.11.1 255.255.255.0 [PE-Vlan-interface1000] ip address 10.0.1.254 255.255.255.0 sub [PE-Vlan-interface1000] quit # Configure a routing protocol. Select a routing protocol based on actual needs.
  • Page 157 Operation Manual – IP Performance H3C S9500 Series Routing Switches Table of Contents: Chapter 1 IP Performance Configuration (1-1); 1.1 Configuring IP Performance (1-1); 1.1.1 Configuring TCP Attributes (1-1); 1.1.2 Configuring the Switch Whether to Send a Time Exceeded ICMP Packet (1-2); 1.2 Displaying and Maintaining IP Performance...
  • Page 158: Chapter 1 Ip Performance Configuration

    Operation Manual – IP Performance H3C S9500 Series Routing Switches Chapter 1 IP Performance Configuration Chapter 1 IP Performance Configuration When configuring IP performance, go to these sections for information you are interested in: Configuring IP Performance Displaying and Maintaining IP Performance Troubleshooting IP Performance 1.1 Configuring IP Performance...
  • Page 159: Configuring The Switch Whether To Send A Time Exceeded Icmp Packet

    Operation Manual – IP Performance H3C S9500 Series Routing Switches Chapter 1 IP Performance Configuration To do… Use the command… Restore the socket receiving/sending undo tcp window buffer size of TCP to default value 1.1.2 Configuring the Switch Whether to Send a Time Exceeded ICMP Packet The switch will return a destination unreachable packet to the sender when receiving a packet whose TTL is "1".
  • Page 160 Operation Manual – IP Performance H3C S9500 Series Routing Switches Chapter 1 IP Performance Configuration To do… Use the command… Remarks Display ICMP statistics information display icmp statistics display ip socket Display the current socket information [ socktype sock-type ]...
  • Page 161: Troubleshooting Ip Performance

    Operation Manual – IP Performance H3C S9500 Series Routing Switches Chapter 1 IP Performance Configuration To do… Use the command… Remarks Disable the debugging of IP undo debugging ip packet packets Enable the debugging of ICMP debugging ip icmp packets...
  • Page 162 Operation Manual – IP Performance H3C S9500 Series Routing Switches Chapter 1 IP Performance Configuration Destination port: 4296 task = ROUT(15) socketid = 6, src = 192.168.1.1:520, dst = 255.255.255.255:520, datalen = 24 Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets.
  • Page 163 Operation Manual – URPF H3C S9500 Series Routing Switches Table of Contents: Chapter 1 URPF Configuration (1-1); 1.1 URPF Overview (1-1); 1.2 Configuring URPF (1-2); 1.3 URPF Configuration Examples (1-3); 1.3.1 Example I (1-3)...
  • Page 164: Urpf Overview

    Operation Manual – URPF H3C S9500 Series Routing Switches Chapter 1 URPF Configuration Chapter 1 URPF Configuration When configuring URPF, go to these sections for information you are interested in: URPF Overview Configuring URPF URPF Configuration Examples Note: The service processor boards mentioned in the chapter refer to LSB1NAMB0 boards.
  • Page 165: Configuring Urpf

    Operation Manual – URPF H3C S9500 Series Routing Switches Chapter 1 URPF Configuration 1.2 Configuring URPF The following section describes the URPF configuration tasks: Configure packet redirection Enable URPF on ports Display port configuration information Clear URPF statistical counters to zero Use the urpf enable command to enable URPF for a certain VLAN port and specify the service processor board where the port is located.
  • Page 166 Operation Manual – URPF H3C S9500 Series Routing Switches Chapter 1 URPF Configuration To do… Use the command… Remarks Quit to system view quit — Enter VLAN interface interface vlan-interface — view vlan-id Required. Enable URPF in VLAN interface view. Specify...
  • Page 167 [H3C-acl-link-4000] rule 0 permit ip egress 01-02-03 00-00-00 # Configure packet redirecting on the corresponding Ethernet port. [H3C] interface ethernet 3/1/30 [H3C-Ethernet3/1/30] flow-template user-defined [H3C-Ethernet3/1/30] traffic-redirect inbound link-group 4000 slot 5 vlan 1000 [H3C-Ethernet3/1/30] quit [H3C] interface GigabitEthernet 6/1/2 [H3C-GigabitEthernet6/1/2] flow-template user-defined...
  • Page 168 [H3C] acl number 4000 # Permit the IP packets going into VLAN 1000 and the DMAC must be the interface MAC 000f-e239-a9b8. [H3C-acl-link-4000] rule 0 permit ip ingress 1000 egress 000f-e239-a9b8 0000-0000-0000 # Permit the IP packets going into VLAN 1001.
  • Page 169 Operation Manual – URPF H3C S9500 Series Routing Switches Chapter 1 URPF Configuration [H3C-acl-link-4000] rule 1 permit ip ingress 1001 egress 000f-e239-a9b8 0000-0000-0000 # Configure a user-defined flow template. [H3C] flow-template user-defined slot 6 vlanid ethernet-protocol dmac 00-00-00 # Apply the flow template on port Ethernet 6/1/1 and configure traffic redirection.
