H3C MSR 2600 Configuration Manual

H3C MSR Series Routers
Layer 3 - IP Services Configuration Guide(V7)
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: MSR-CMW710-R0007
Document version: 6W100-20140320

Summary of Contents for H3C MSR 2600

  • Page 1 H3C MSR Series Routers Layer 3 - IP Services Configuration Guide(V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: MSR-CMW710-R0007 Document version: 6W100-20140320...
  • Page 2 Copyright © 2014, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
  • Page 3 The H3C MSR documentation set includes 14 configuration guides, which describe the software features for the H3C MSR Series Routers and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4: Command Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 5: Obtaining Documentation

    Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents]—Provides hardware installation, software...
  • Page 6 We appreciate your comments.
  • Page 7: Table Of Contents

    Contents: Configuring ARP (1); Overview (1); ARP message format (1); ARP operating mechanism (1); ARP table (2); Configuring a static ARP entry (3); Setting the maximum number of dynamic ARP entries for a device (4) ...
  • Page 8 Configuration procedure (21); Configuring IP unnumbered (21); Configuration guidelines (22); Configuration prerequisites (22); Configuration procedure (22); Displaying and maintaining IP addressing (22); IP address configuration example (23) ...
  • Page 9 DHCP server configuration examples (48); Static IP address assignment configuration example (48); Dynamic IP address assignment configuration example (50); DHCP user class configuration example (51); Self-defined DHCP option configuration example (52); Troubleshooting DHCP server configuration ...
  • Page 10 Displaying and maintaining DHCP snooping (75); DHCP snooping configuration examples (76); Basic DHCP snooping configuration example (76); Option 82 configuration example (77); Configuring the BOOTP client (79); BOOTP application (79) ...
  • Page 11 Applying the DDNS policy to an interface (107); Specifying the DSCP value for outgoing DDNS packets (107); Displaying DDNS (108); DDNS configuration examples (108); DDNS configuration example with www.3322.org (108); DDNS configuration example with PeanutHull server ...
  • Page 12 Bidirectional NAT for internal-to-external access (131); NAT Server for external-to-internal access (133); NAT Server for external-to-internal access through domain name (136); Bidirectional NAT for external-to-internal access through NAT Server (138); NAT hairpin in C/S mode (141) ...
  • Page 13 IPv6 features (174); IPv6 addresses (175); IPv6 ND protocol (178); IPv6 path MTU discovery (180); IPv6 transition technologies (180); Dual stack (180); Tunneling (181); NAT-PT (181) ...
  • Page 14 Overview (225); Application of trusted and untrusted ports (225); H3C implementation of Option 18 and Option 37 (226); Option 18 for DHCPv6 snooping (226); DHCPv6 snooping support for Option 37 (227) ...
  • Page 15 Configuring tunneling (236); Overview (236); IPv6 over IPv4 tunneling (236); IPv4 over IPv4 tunneling (239); IPv4 over IPv6 tunneling (240); IPv6 over IPv6 tunneling (243); Protocols and standards (243) ...
  • Page 16: Configuring ARP

    Configuring ARP This chapter describes how to configure the Address Resolution Protocol (ARP). Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages.
  • Page 17: ARP Table

    If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information: Sender IP address and sender MAC address—Host A's IP address and MAC address. Target IP address—Host B's IP address.
  • Page 18: Configuring A Static ARP Entry

    Static ARP entry A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry. Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry. Static ARP entries include long and short ARP entries.
  • Page 19: Setting The Maximum Number Of Dynamic ARP Entries For A Device

    Step: Configure a static ARP entry.
    Command:
    • Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
    • Configure a short static ARP entry: ...
    Remarks: Use either command. By default, no static ARP entry is configured.
  • Page 20: Setting The Aging Timer For Dynamic ARP Entries

    Step: Set the maximum number of dynamic ARP entries for the interface.
    Command: arp max-learning-num number
    Remarks: If the value of the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.
    Setting the aging timer for dynamic ARP entries
    Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer.
  • Page 21: Displaying And Maintaining ARP

    Execute display commands in any view and reset commands in user view.
    Task: Display ARP entries (MSR 2600/MSR 3600).
    Command: display arp [ [ all | dynamic | multiport | static ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]
    Task: Display ARP entries (MSR 5600).
    Command: display arp [ [ all | dynamic | multiport | static ] [ slot ...
  • Page 22: Configuration Procedure

    Figure 3 Network diagram
    Configuration procedure
    # Create VLAN 10.
    <Switch> system-view
    [Switch] vlan 10
    [Switch-vlan10] quit
    # Add interface Ethernet 1/1 to VLAN 10.
    [Switch] interface ethernet 1/1
    [Switch-Ethernet1/1] port access vlan 10
    [Switch-Ethernet1/1] quit
    # Create VLAN-interface 10 and configure its IP address.
    [Switch] interface vlan-interface 10
    [Switch-vlan-interface10] ip address 192.168.1.2 8
    [Switch-vlan-interface10] quit...
  • Page 23: Configuring Gratuitous ARP

    Configuring gratuitous ARP
    Overview
    In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
    • Determine whether its IP address is already used by another device. If the IP address is already used, ...
  • Page 24: Configuration Procedure

    If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.
  • Page 25: Enabling IP Conflict Notification

    Step: Enable periodic sending of gratuitous ARP packets and set the sending interval.
    Command: arp send-gratuitous-arp [ interval milliseconds ]
    Remarks: By default, periodic sending of gratuitous ARP packets is disabled.
    Enabling IP conflict notification
    By default, if the sender IP address of a received gratuitous ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request, and it displays an error message after it receives an ARP reply about the conflict.
  • Page 26: Configuring Proxy ARP

    Configuring proxy ARP Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain. Proxy ARP includes common proxy ARP and local proxy ARP.
  • Page 27: Displaying Proxy ARP

    Displaying proxy ARP
    Execute display commands in any view.
    Task: Display common proxy ARP status.
    Command: display proxy-arp [ interface interface-type interface-number ]
    Task: Display local proxy ARP status.
    Command: display local-proxy-arp [ interface interface-type interface-number ]
    Common proxy ARP configuration example
    Network requirements
    As shown in Figure...
  • Page 28
    # Configure the IP address of interface Ethernet 1/1.
    [Router] interface ethernet 1/1
    [Router-Ethernet1/1] ip address 192.168.20.99 255.255.255.0
    # Enable common proxy ARP on interface Ethernet 1/1.
    [Router-Ethernet1/1] proxy-arp enable
    [Router-Ethernet1/1] quit
    After the configuration, Host A and Host D can ping each other.
  • Page 29: Configuring ARP Snooping

    Configuring ARP snooping ARP snooping is not supported in the current release, and it is reserved for future use. ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. ARP fast-reply and manual-mode MFF (MAC-Forced Forwarding) can use the ARP snooping entries.
  • Page 30
    Task: Display ARP snooping entries (MSR 5600).
    Command: display arp snooping [ vlan vlan-id ] [ slot slot-number ] [ count ]
    Command: display arp snooping ip ip-address [ slot slot-number ]
    Task: Remove ARP snooping entries.
    Command: reset arp snooping [ ip ip-address | vlan vlan-id ]...
  • Page 31: Configuring ARP Fast-Reply

    Configuring ARP fast-reply ARP fast-reply is not supported in the current release, and it is reserved for future use. Overview Function In a wireless network, APs are connected to an AC through tunnels, so that clients can communicate with the AC through APs and can further access the gateway through the AC. If a client broadcasts an ARP request through the associated AP, the AC needs to send the ARP request to all the other APs, wasting tunnel resources and affecting forwarding performance.
  • Page 32: ARP Fast-Reply Configuration Example

    ARP fast-reply configuration example Network requirements As shown in Figure 5, Client 1, Client 2 through Client 100, and Client 101 through Client 200 access the network through AP 1, AP 2 and AP 3, respectively. AP 1, AP 2 and AP 3 are connected to AC through the switch.
  • Page 33 [AC-vlan1] quit...
  • Page 34: Configuring IP Addressing

    Configuring IP addressing The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified. This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.
  • Page 35: Special IP Addresses

    Class Address range Remarks
    192.0.0.0 to 223.255.255.255
    224.0.0.0 to 239.255.255.255: Multicast addresses.
    240.0.0.0 to 255.255.255.255: Reserved for future use, except for the broadcast address 255.255.255.255.
    Special IP addresses
    The following IP addresses are for special use and cannot be used as host IP addresses: IP address with an all-zero net ID—Identifies a host on the local network.
  • Page 36: Assigning An IP Address To An Interface

    Assigning an IP address to an interface An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or PPP address negotiation.
  • Page 37: Configuration Guidelines

    Configuration guidelines
    Follow these guidelines when you configure IP unnumbered:
    • Layer 3 Ethernet interfaces and loopback interfaces cannot borrow IP addresses of other interfaces, but other interfaces can borrow IP addresses of these interfaces.
    • Synchronous and asynchronous serial interfaces, and dial-up interfaces can borrow IP addresses of ...
  • Page 38: IP Address Configuration Example

    IP address configuration example Network requirements As shown in Figure 8, Ethernet 1/1 on the router is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through the router, and to enable the hosts on the LAN to communicate with each other: Assign a primary IP address and a secondary IP address to Ethernet 1/1 on the router.
  • Page 39: IP Unnumbered Configuration Example

    56 bytes from 172.16.1.2: icmp_seq=0 ttl=254 time=7.000 ms
    56 bytes from 172.16.1.2: icmp_seq=1 ttl=254 time=0.000 ms
    56 bytes from 172.16.1.2: icmp_seq=2 ttl=254 time=1.000 ms
    56 bytes from 172.16.1.2: icmp_seq=3 ttl=254 time=1.000 ms
    56 bytes from 172.16.1.2: icmp_seq=4 ttl=254 time=2.000 ms
    --- Ping statistics for 172.16.1.2 ---
    5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.000/2.200/7.000/2.482 ms...
  • Page 40: Configuration Procedure

    Figure 9 Network diagram
    Configuration procedure
    Configure Router A:
    # Assign a primary IP address to Ethernet 1/1.
    <RouterA> system-view
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ip address 172.16.10.1 255.255.255.0
    [RouterA-Ethernet1/1] quit
    # Configure Serial 2/1 to borrow an IP address from Ethernet 1/1.
    [RouterA] interface serial 2/1
    [RouterA-Serial2/1] ip address unnumbered interface ethernet 1/1
    [RouterA-Serial2/1] quit...
  • Page 41
    [RouterA] ping 172.16.20.2
    Ping 172.16.20.2 (172.16.20.2): 56 data bytes, press escape sequence to break
    56 bytes from 172.16.20.2: icmp_seq=0 ttl=254 time=7.000 ms
    56 bytes from 172.16.20.2: icmp_seq=1 ttl=254 time=0.000 ms
    56 bytes from 172.16.20.2: icmp_seq=2 ttl=254 time=1.000 ms
    56 bytes from 172.16.20.2: icmp_seq=3 ttl=254 time=1.000 ms
    56 bytes from 172.16.20.2: icmp_seq=4 ttl=254 time=2.000 ms
    --- Ping statistics for 172.16.20.2 ---
    5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss...
  • Page 42: DHCP Overview

    DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 10 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
  • Page 43: Dynamic IP Address Allocation Process

    Dynamic IP address allocation process Figure 11 Dynamic IP address allocation process The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
  • Page 44: DHCP Message Format

    DHCP message format
    Figure 12 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.
    Figure 12 DHCP message format
    • op—Message type defined in options field. 1 = REQUEST, 2 = REPLY
    • htype, hlen—Hardware address type and length of the DHCP client.
  • Page 45: DHCP Options

    DHCP options DHCP uses the same message format as BOOTP, but DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information to clients. Figure 13 DHCP option format Common DHCP options The following are common DHCP options: Option 3—Router option.
  • Page 46 Through Option 43, the DHCP client can obtain the PXE server address, which is used to obtain the boot file or other control information from the PXE server. Format of Option 43: Figure 14 Option 43 format Network configuration parameters are carried in different sub-options of Option 43 as shown Figure Sub-option type—The field value can be 0x02 (service provider identifier sub-option) or 0x80 (PXE server address sub-option).
  • Page 47: Protocols And Standards

    • Normal padding format—Contains the VLAN ID and interface number of the interface that received the client's request.
    • Verbose padding format—Contains the access node identifier specified by the user, and the VLAN ID, interface number and interface type of the interface that received the client's request.
    Remote ID has the following padding formats:
    • String padding format—Contains a character string specified by the user.
  • Page 48: Configuring The DHCP Server

    Configuring the DHCP server
    Overview
    The DHCP server is well suited to networks where:
    • Manual configuration and centralized management are difficult to implement.
    • IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users ...
  • Page 49 If the matching user class has no assignable addresses, the DHCP server matches the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command.
  • Page 50: IP Address Allocation Sequence

    IP address allocation sequence The DHCP server selects an IP address for a client in the following sequence: IP address statically bound to the client's MAC address or ID. IP address that was ever assigned to the client. IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client. Option 50 is the Requested IP Address option.
  • Page 51: Creating A DHCP Address Pool

    Tasks at a glance Perform at least one of the following tasks: • Specifying IP address ranges for a DHCP address pool • Specifying gateways for the client • Specifying a domain name suffix for the client • Specifying DNS servers for the client •...
  • Page 52 Step Command Remarks Enter system view. system-view Required for client classification. Create a DHCP user class and dhcp class class-name enter DHCP user class view. By default, no DHCP user class exists. Required for client classification. if-match option option-code [ hex Configure the match rule for the hex-string [ offset offset length length By default, no match rule is...
  • Page 53 request, the DHCP server selects an address from the primary subnet. If no assignable address is found, the server selects an address from the secondary subnets in the order they are configured. In scenarios where the DHCP server and the DHCP clients reside on different subnets and the DHCP clients obtain IP addresses through a DHCP relay agent, the DHCP server needs to use the same address pool to assign IP addresses to clients in different subnets.
  • Page 54: Specifying Gateways For The Client

    Step: (Optional.) Exclude the specified IP addresses from dynamic allocation globally.
    Command: dhcp server forbidden-ip start-ip-address [ end-ip-address ]
    Remarks: Except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable by default. To exclude multiple address ranges globally, repeat this step.
  • Page 55: Specifying A Domain Name Suffix For The Client

    If you specify gateways in both address pool view and secondary subnet view, DHCP assigns the gateway addresses in the secondary subnet view to the clients on the secondary subnet. If you specify gateways in address pool view but not in secondary subnet view, DHCP assigns the gateway addresses in address pool view to the clients on the secondary subnet.
  • Page 56: Specifying WINS Servers And NetBIOS Node Type For The Client

    Specifying WINS servers and NetBIOS node type for the client A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool. In addition, you must specify a NetBIOS node type for the clients to approach name resolution.
  • Page 57: Specifying The TFTP Server And Boot File Name For The Client

    Specifying the TFTP server and boot file name for the client To implement client auto-configuration, you must specify the IP address or name of a TFTP server and the boot file name for the clients, and there is no need to perform any configuration on the DHCP clients. A DHCP client obtains these parameters from the DHCP server, and uses them to contact the TFTP server to get the configuration file used for system initialization.
  • Page 58: Configuring Option 184 Parameters For The Client

    Configuring Option 184 parameters for the client To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184." To configure option 184 parameters in a DHCP address pool: Step Command Remarks...
  • Page 59: Enabling DHCP

    Step: Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name
    Step: Configure a self-defined DHCP option.
    Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
    Remarks: By default, no self-defined DHCP option is configured.
    Table 2 Common DHCP options Corresponding Recommended option Option...
  • Page 60: Applying An Address Pool On An Interface

    Step: Enable the DHCP server on the interface.
    Command: dhcp select server
    Remarks: By default, the DHCP server on the interface is enabled.
    Applying an address pool on an interface
    Perform this task to apply a DHCP address pool on an interface. Upon receiving a DHCP request from the interface, the DHCP server assigns the statically bound IP address and configuration parameters from the address pool where the static binding is.
  • Page 61: Enabling Handling Of Option 82

    Enabling handling of Option 82 Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response. If you disable the DHCP server from handling Option 82, it does not add Option 82 into the response message. You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure correct processing for Option 82.
  • Page 62: Configuring The DHCP Server To Send BOOTP Responses In RFC 1048 Format

    To configure the DHCP server to ignore BOOTP requests:
    Step: Enter system view.
    Command: system-view
    Step: Configure the DHCP server to ignore BOOTP requests.
    Command: dhcp server bootp ignore
    Remarks: By default, the DHCP server processes BOOTP requests.
    Configuring the DHCP server to send BOOTP responses in RFC 1048 format
    Not all BOOTP clients can send requests compatible with RFC 1048.
  • Page 63: Displaying And Maintaining The DHCP Server

    Displaying and maintaining the DHCP server IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.
  • Page 64 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574-302f-30. The MAC address of the interface Ethernet 1/1 on Router C is 000f-e200-01c0.
    Figure 16 Network diagram
    Configuration procedure
    Specify an IP address for Ethernet 1/1 on Router A:
    <RouterA> system-view
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ip address 10.1.1.1 25
    [RouterA-Ethernet1/1] quit
    Configure the DHCP server:
    # Enable DHCP.
  • Page 65: Dynamic IP Address Assignment Configuration Example

    Dynamic IP address assignment configuration example
    Network requirements
    • As shown in Figure 17, the DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
    • The IP addresses of Ethernet 1/1 and Ethernet 1/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25....
  • Page 66: DHCP User Class Configuration Example

    # Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients in subnet 10.1.1.0/25.
    [RouterA] dhcp server ip-pool 1
    [RouterA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128
    [RouterA-dhcp-pool-1] expired day 10 hour 12
    [RouterA-dhcp-pool-1] domain-name aabbcc.com
    [RouterA-dhcp-pool-1] dns-list 10.1.1.2
    [RouterA-dhcp-pool-1] gateway-list 10.1.1.126
    [RouterA-dhcp-pool-1] nbns-list 10.1.1.4
    [RouterA-dhcp-pool-1] quit...
  • Page 67: Self-Defined Dhcp Option Configuration Example

    Configuration procedure
    Specify IP addresses for the interfaces on DHCP server. (Details not shown.)
    Configure DHCP:
    # Enable DHCP and configure the DHCP server to handle Option 82.
    <RouterB> system-view
    [RouterB] dhcp enable
    [RouterB] dhcp server relay information enable
    # Enable the DHCP server on the interface Ethernet1/1.
    [RouterB] interface Ethernet 1/1
    [RouterB-Ethernet1/1] dhcp select server
    [RouterB-Ethernet1/1] quit
    ...
  • Page 68: Troubleshooting Dhcp Server Configuration

    Figure 19 Network diagram
    Configuration procedure
    Specify an IP address for interface Ethernet 1/1. (Details not shown.)
    Configure the DHCP server:
    # Enable DHCP.
    <RouterA> system-view
    [RouterA] dhcp enable
    # Enable the DHCP server on Ethernet 1/1.
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] dhcp select server
    [RouterA-Ethernet1/1] quit
    # Configure DHCP address pool 0.
  • Page 69 Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client: In Windows environment, execute the cmd command to enter the DOS environment. Enter ipconfig /release to relinquish the IP address.
  • Page 70: Configuring The Dhcp Relay Agent

    Configuring the DHCP relay agent Overview The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet to centralize management and reduce investment. Figure 20 shows a typical application of the DHCP relay agent.
  • Page 71: Dhcp Relay Agent Support For Option 82

    Figure 21 DHCP relay agent operation DHCP relay agent support for Option 82 Option 82 records the location information about the DHCP client. It enables the administrator to locate the DHCP client for security and accounting purposes, and to assign IP addresses in a specific range to clients.
  • Page 72: Enabling Dhcp

    Tasks at a glance (Optional.) Configuring the DHCP relay agent to release an IP address (Optional.) Configuring Option 82 (Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent Enabling DHCP You must enable DHCP to validate other DHCP relay agent settings. To enable DHCP: Step Command...
  • Page 73: Configuring The Dhcp Relay Agent Security Functions

    To specify a DHCP server address on a relay agent: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no DHCP server Specify a DHCP server dhcp relay server-address address is specified on the relay address on the relay agent.
  • Page 74: Enabling Dhcp Starvation Attack Protection

    To enable periodic refresh of dynamic relay entries: Step Command Remarks Enter system view. system-view By default, periodic refresh of Enable periodic refresh of dhcp relay client-information refresh dynamic relay entries is dynamic relay entries. enable enabled. By default, the refresh interval Configure the refresh dhcp relay client-information refresh is auto, which is calculated...
  • Page 75: Configuring The Dhcp Relay Agent To Release An Ip Address

    Configuring the DHCP relay agent to release an IP address Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and meanwhile deletes the relay entry. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.
  • Page 76: Setting The Dscp Value For Dhcp Packets Sent By The Dhcp Relay Agent

    Setting the DSCP value for DHCP packets sent by the DHCP relay agent The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. To set the DSCP value for DHCP packets sent by the DHCP relay agent: Step Command Remarks...
  • Page 77: Option 82 Configuration Example

    Because the DHCP relay agent and server are on different subnets, you need to configure static or dynamic routing to make them reachable to each other. DHCP server configuration is also required to guarantee the client-server communication through the DHCP relay agent. For DHCP server configuration information, see "DHCP server configuration examples."...
  • Page 78: Troubleshooting Dhcp Relay Agent Configuration

    Configuration procedure
    # Specify IP addresses for the interfaces. (Details not shown.)
    # Enable DHCP.
    <RouterA> system-view
    [RouterA] dhcp enable
    # Enable the DHCP relay agent on Ethernet 1/1.
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] dhcp select relay
    # Specify the IP address of the DHCP server on the relay agent.
    [RouterA-Ethernet1/1] dhcp relay server-address 10.1.1.1
    # Enable the DHCP relay agent to handle Option 82, and perform Option 82 related configurations.
  • Page 79: Configuring The Dhcp Client

    Configuring the DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces) and VLAN interfaces.
  • Page 80: Enabling Duplicated Address Detection

    The DHCP client detects IP address conflicts through ARP packets. An attacker can act as the IP address owner to send an ARP reply, making the client unable to use the IP address assigned by the server. H3C recommends that you disable duplicate address detection when ARP attacks exist on the network.
  • Page 81: Displaying And Maintaining The Dhcp Client

    Step: Set the DSCP value for DHCP packets sent by the DHCP client.
    Command: dhcp dscp dscp-value
    Remarks: By default, the DSCP value in DHCP packets sent by the DHCP client is 56.
    Displaying and maintaining the DHCP client
    Execute the display command in any view.
    Task Command display dhcp client [ verbose ] [ interface interface-type...
  • Page 82: Configuration Procedure

    Configuration procedure
    Configure Router A:
    # Specify the IP address of Ethernet 1/1.
    <RouterA> system-view
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ip address 10.1.1.1 24
    [RouterA-Ethernet1/1] quit
    # Enable DHCP.
    [RouterA] dhcp enable
    # Exclude an IP address from dynamic allocation.
    [RouterA] dhcp server forbidden-ip 10.1.1.2
    # Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
  • Page 83 T1 will timeout in 3 days 19 hours 48 minutes 43 seconds.
    # Use the display ip routing-table command to display the route information on Router B. The output shows that a static route to network 20.1.1.0/24 is added to the routing table.
    [RouterB] display ip routing-table
    Destinations : 11 Routes : 11...
  • Page 84: Configuring Dhcp Snooping

    Configuring DHCP snooping DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent.
  • Page 85: Dhcp Snooping Support For Option 82

    Figure 25 Trusted and untrusted ports In a cascaded network as shown in Figure 26, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries. Figure 26 Trusted and untrusted ports in a cascaded network DHCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the...
  • Page 86: Dhcp Snooping Configuration Task List

    Table 4 Handling strategies
    If a DHCP request has Option 82, DHCP snooping acts according to the handling strategy:
    Drop: Drops the message.
    Keep: Forwards the message without changing Option 82.
    Replace: Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
  • Page 87: Configuring Option 82

    Step: Specify the port as a trusted port.
    Command: dhcp snooping trust
    Remarks: By default, all ports are untrusted ports after DHCP snooping is enabled.
    Step: Return to system view.
    Command: quit
    Step: Enter interface view.
    Command: interface interface-type interface-number
    Remarks: This interface must connect to the DHCP client.
  • Page 88: Saving Dhcp Snooping Entries

    Step Command Remarks (Optional.) Configure the By default, the padding dhcp snooping information remote-id padding content and code format is normal and the { normal [ format { ascii | hex } ] | [ vlan type for the remote ID code type is hex for the vlan-id ] string remote-id | sysname } sub-option.
  • Page 89: Enabling Dhcp Starvation Attack Protection

    Enabling DHCP starvation attack protection A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources.
  • Page 90: Configuring Dhcp Packet Rate Limit

    Step: Enter system view.
    Command: system-view
    Step: Enter interface view.
    Command: interface interface-type interface-number
    Step: Enable DHCP-REQUEST check.
    Command: dhcp snooping check request-message
    Remarks: By default, DHCP-REQUEST check is disabled. You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces.
    Configuring DHCP packet rate limit
    Perform this task to configure the maximum rate at which an interface can receive DHCP packets.
  • Page 91: Dhcp Snooping Configuration Examples

    Task: Display information about the file that stores DHCP snooping entries.
    Command: display dhcp snooping binding database
    Remarks: Available in any view.
    Task: Clear DHCP snooping entries.
    Command: reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }
    Remarks: Available in user view.
  • Page 92: Option 82 Configuration Example

    [Router-Ethernet1/2] dhcp snooping binding record
    [Router-Ethernet1/2] quit
    Verifying the configuration
    After the preceding configuration is complete, the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. You can view the DHCP snooping entry recorded for the client with the display dhcp snooping binding command.
  • Page 93 [Router] interface ethernet 1/3
    [Router-Ethernet1/3] dhcp snooping information enable
    [Router-Ethernet1/3] dhcp snooping information strategy replace
    [Router-Ethernet1/3] dhcp snooping information circuit-id verbose node-identifier sysname format ascii
    [Router-Ethernet1/3] dhcp snooping information remote-id string device001
    Verifying the configuration
    Use the display dhcp snooping information command to display Option 82 configuration information on Ethernet 1/2 and Ethernet 1/3 on the DHCP snooping device.
  • Page 94: Configuring The Bootp Client

    Configuring the BOOTP client BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces) and VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003. BOOTP application An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.
  • Page 95: Configuring An Interface To Use Bootp For Ip Address Acquisition

    Configuring an interface to use BOOTP for IP address acquisition Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, an interface does not Configure an interface to use ip address bootp-alloc use BOOTP for IP address BOOTP for IP address acquisition.
  • Page 96: Configuring Dns

    Configuring DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. The domain name-to-IP address mapping is called a DNS entry.
  • Page 97: Dns Proxy

    Figure 29 shows the relationship between the user program, DNS client, and DNS server. The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store latest DNS entries in the dynamic domain name cache.
  • Page 98: Dns Spoofing

    Figure 30 DNS proxy application A DNS proxy operates as follows: A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request.
  • Page 99: Dns Configuration Task List

    Figure 31 DNS spoofing application DNS spoofing enables the DNS proxy to send a spoofed reply with a configured IP address even if it cannot reach the DNS server. Without DNS spoofing, the proxy does not answer or forward a DNS request if it cannot find a matching DNS entry and it cannot reach the DNS server.
  • Page 100: Configuring The Ipv4 Dns Client

    Tasks at a glance (Optional.) Configuring the DNS trusted interface (Optional.) Specifying the DSCP value for outgoing DNS packets Configuring the IPv4 DNS client Configuring static domain name resolution Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.
  • Page 101: Configuring The Ipv6 Dns Client

    • You can specify DNS server IPv6 addresses for the public network and up to 1024 VPNs, and specify a maximum of six DNS server IPv6 addresses for the public network or each VPN.
    • An IPv4 name query is first sent to the DNS server IPv4 addresses. If no reply is received, it is sent...
  • Page 102: Configuring Dynamic Domain Name Resolution

    Configuring dynamic domain name resolution To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure DNS servers. A DNS server manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence. A name query is first sent to the DNS server that has the highest priority.
  • Page 103: Configuring Dns Spoofing

    A DNS proxy forwards an IPv4 name query first to IPv4 DNS servers, and if no reply is received, it forwards the request to IPv6 DNS servers. The DNS proxy forwards an IPv6 name query first to IPv6 DNS servers, and if no reply is received, it forwards the request to IPv4 DNS servers. To configure the DNS proxy: Step Command...
  • Page 104: Configuring The Dns Trusted Interface

    DNS servers. In some scenarios, the DNS server only responds to DNS requests sourced from a specific IP address. In such cases, you must specify the source interface for the DNS packets so that the device can always use the primary IP address of the specified source interface as the source IP address of DNS packets.
  • Page 105: Specifying The Dscp Value For Outgoing Dns Packets

    Specifying the DSCP value for outgoing DNS packets The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority. To specify the DSCP value for outgoing DNS packets: Step Command Remarks...
  • Page 106: Dynamic Domain Name Resolution Configuration Example

    Figure 32 Network diagram
    Configuration procedure
    # Configure a mapping between host name host.com and IP address 10.1.1.2.
    <Sysname> system-view
    [Sysname] ip host host.com 10.1.1.2
    # Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
  • Page 107 Configuration procedure Before performing the following configuration, make sure the device and the host can reach each other, and that the IP addresses of the interfaces are configured as shown in Figure Configure the DNS server: The configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.
  • Page 108 Figure 35 Adding a host On the page that appears, enter host name host and IP address 3.1.1.1. Click Add Host. The mapping between the IP address and host name is created. Figure 36 Adding a mapping between domain name and IP address Configure the DNS client:...
  • Page 109: Dns Proxy Configuration Example

    # Specify the DNS server 2.1.1.2.
    <Sysname> system-view
    [Sysname] dns server 2.1.1.2
    # Specify com as the name suffix.
    [Sysname] dns domain com
    Verifying the configuration
    # Use the ping host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 3.1.1.1.
  • Page 110 Figure 37 Network diagram
    Configuration procedure
    Before performing the following configuration, make sure Device A, the DNS server, and the host can reach each other and the IPv6 addresses of the interfaces are configured as shown in Figure
    Configure the DNS server: The configuration might vary with DNS servers.
  • Page 111: Ipv6 Dns Configuration Examples

    round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms
    IPv6 DNS configuration examples
    Static domain name resolution configuration example
    Network requirements
    As shown in Figure 38, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the device so that the device can use the domain name host.com to access the host whose IPv6 address is 1::2.
  • Page 112 Figure 39 Network diagram Configuration procedure Before performing the following configuration, make sure the device and the host can reach each other, and the IPv6 addresses of the interfaces are configured, as shown Figure Configure the DNS server: The configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2003.
  • Page 113 Figure 41 Creating a record On the page that appears, select IPv6 Host (AAAA) as the resource record type.
  • Page 114 Figure 42 Selecting the resource record type Type host name host and IPv6 address 1::1. Click OK. The mapping between the IPv6 address and host name is created.
  • Page 115 Figure 43 Adding a mapping between domain name and IPv6 address
    Configure the DNS client:
    # Specify the DNS server 2::2.
    <Device> system-view
    [Device] ipv6 dns server 2::2
    # Configure com as the DNS suffix.
    [Device] dns domain com
    Verifying the configuration
    # Use the ping ipv6 host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 1::1.
  • Page 116: Dns Proxy Configuration Example

    DNS proxy configuration example Network requirements When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function.
  • Page 117: Troubleshooting Ipv4 Dns Configuration

    Verifying the configuration
    # Use the ping ipv6 host.com command on Device B to verify that the connection between the device and the host is normal and that the translated destination IP address is 3000::1.
    [DeviceB] ping ipv6 host.com
    Ping6(56 data bytes) 2000::1 --> 3000::1, press escape sequence to break
    56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms
    56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms
    56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms...
  • Page 119: Configuring Ddns

    Configuring DDNS Overview DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers to direct you to the latest IP address mapping to a domain name.
  • Page 120: Ddns Client Configuration Task List

    NOTE: The DDNS update process does not have a unified standard but depends on the DDNS server that the DDNS client contacts. DDNS client configuration task list Tasks at a glance (Required.) Configuring a DDNS policy (Required.) Applying the DDNS policy to an interface (Optional.) Specifying the DSCP value for outgoing DDNS packets Configuring a DDNS policy...
  • Page 121: Configuration Prerequisites

    HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols.
    The URL address for an update request can start with:
    • http://—The HTTP-based DDNS server.
    ...
  • Page 122: Applying The Ddns Policy To An Interface

    Step: Specify a username to be included in the URL address.
    Command: username username
    Remarks: By default, no username is specified.
    Step: Specify a password to be included in the URL address.
    Command: password { cipher | simple } password
    Remarks: By default, no password is specified.
    (Optional.) Specify the interval for interval days [ hours...
  • Page 123: Displaying Ddns

    To specify the DSCP value for outgoing DDNS packets:
    Step: Enter system view.
    Command: system-view
    Step: Specify the DSCP value for outgoing DDNS packets.
    Command: ddns dscp dscp-value
    Remarks: By default, the DSCP value for outgoing DDNS packets is 0.
    Displaying DDNS
    Execute display commands in any view.
  • Page 124: Ddns Configuration Example With Peanuthull Server

    Configuration procedure
    Before configuring DDNS on Router, register with username steven and password nevets at http://www.3322.org/, add Router's host name-to-IP address mapping to the DNS server, and make sure the devices can reach each other.
    # Create a DDNS policy named 3322.org, and enter its view.
    <Router>...
  • Page 125 Figure 47 Network diagram (labels: www.oray.cn DDNS server; Router, the DDNS client, Eth1/1; IP network; 1.1.1.1 DNS server)
    Configuration procedure
    Before configuring DDNS on Router, register with username steven and password nevets at http://www.oray.cn/, add Router's host name-to-IP address mapping to the DNS server, and make sure the devices can reach each other.
  • Page 126: Configuring Nat

    Configuring NAT Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private users to access an external network and to enable external users to access private network resources such as a Web server. Figure 48 shows how NAT works.
  • Page 127: Nat Address

    NAT address An IP address for translation, which can be manually specified or dynamically allocated. The address in the external network must be routable from the NAT address. NAT entry An entry recording the translation between a private and a public address on a NAT device. For more information, see "NAT entries."...
  • Page 128: Nat Features

    layer protocol, and VPN instance in an ACL rule for packet matching. Only packets matching an ACL permit rule are processed by NAT. NAT features Static NAT Static NAT uses a fixed translation of a real address to a NAT address. Because the NAT address is the same for each consecutive connection, static NAT allows bidirectional access to and from the host.
  • Page 129: Nat Server

    Figure 49 PAT operation
    See Figure 49 for an example. Packets 1 and 2 with different source ports are from Host A, and Packet 3 with the same source port as Packet 1 is from Host B. PAT maps the source IP addresses of the three packets to the same NAT address and uses different port numbers to make each unique.
  • Page 130: Nat Hairpin

    Figure 50 NAT Server operation (table in the figure: inbound direction, 20.1.1.1:8080 before NAT, 192.168.1.3:8080 after NAT)
    The host in the public network sends a packet destined for the public IP address and port number of the server in the private network.
  • Page 131: Nat Entries

    NAT entries NAT session entry NAT translates the IP address of the first packet in a session and creates a NAT session entry for recording the mappings. The NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry. The session management module maintains the updating and aging of NAT session entries.
  • Page 132: Nat With Dns Mapping

    Upon receiving a request from a user in an MPLS VPN to an external network, NAT translates the private source IP address and port number to a NAT IP address and port number, and records the MPLS VPN information, such as the VPN name. When a response packet arrives, NAT translates the destination IP address and port number to the private IP address and port number, and forwards the packet to the target MPLS VPN.
  • Page 133: Nat Configuration Task List

    NAT translates only IP addresses and port numbers in packet headers and does not analyze fields in application layer payload. However, the packet payloads of some protocols might contain IP address or port information, which might cause problems if not translated. For example, an FTP application involves both data connection and control connection.
  • Page 134: Configuring Outbound Net-To-Net Static Nat

    • When the destination IP address of a packet from the public matches the global-ip, the destination IP address is translated into the local-ip.
    To configure outbound one-to-one static NAT:
    Step: Enter system view.
    Command: system-view
    By default, no mappings exist. nat static outbound local-ip Configure a one-to-one [ vpn-instance local-name ]...
  • Page 135: Configuring Inbound One-To-One Static Nat

    Configuring inbound one-to-one static NAT
    Configure inbound one-to-one static NAT for address translation between a private IP address and a public IP address.
    • When the source IP address of a packet from the public network to the private network matches the global-ip, the IP address is translated to the local-ip.
  • Page 136: Configuring Dynamic Nat

    Step: Enable static NAT on the interface.
    Command: nat static enable
    Remarks: By default, static NAT is disabled.
    Configuring dynamic NAT
    Dynamic NAT implements address translation by mapping a group of IP addresses to a smaller number of NAT addresses. You can specify an address group (or the IP address of an interface) and ACL to implement dynamic NAT on the NAT interface.
  • Page 137: Configuring Inbound Dynamic Nat

    NAT interface, and the next hop is the source address before translation. If you do not specify this keyword, you must add the route manually. H3C recommends that you manually specify a route because it takes time to add routes automatically.
  • Page 138: Configuring Nat Server

    Step Command Remarks Configure an address nat address-group group-number By default, no address group exists. group and enter its view. By default, no group member exists. You can add multiple members to an Add a group member to address start-address end-address address group.
  • Page 139: Configuring Load Sharing Nat Server

    Step Command Remarks • A single global address with a single or no global port: nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ] [ acl acl-number ] •...
  • Page 140: Configuring Nat With Dns Mapping

    Step Command Remarks nat server protocol pro-type global By default, no internal { { global-address | current-interface | interface server exists. interface-type interface-number } { global-port | Configure load sharing global-port1 global-port2 } | global-address1 You can configure NAT Server. global-address2 global-port } [ vpn-instance multiple load sharing global-name ] inside server-group...
  • Page 141: Configuring Nat Logging

    [ group-number ] Display NAT with DNS mapping configuration. display nat dns-map Display information about NAT EIM entries display nat eim (MSR 2600/MSR 3600). Display information about NAT EIM entries display nat eim [ slot slot-number ] (MSR 5600).
  • Page 142: Nat Configuration Examples

    } * [ vpn-instance vpn -name ] ] [ slot 5600). slot-number ] [ verbose ] Display static NAT mappings. display nat static Display NAT statistics (MSR 2600/MSR 3600). display nat statistics Display NAT statistics (MSR 5600). display nat statistics [ slot slot-number ] Clear NAT sessions.
  • Page 143 Configuration procedure
    # Specify IP addresses for the interfaces. (Details not shown.)
    # Configure a one-to-one static NAT mapping between internal address 10.110.10.8 and the NAT address 202.38.1.100.
    <Router> system-view
    [Router] nat static 10.110.10.8 202.38.1.100
    # Enable static NAT on interface GigabitEthernet 1/2.
    [Router] interface gigabitethernet 1/2
    [Router-GigabitEthernet1/2] nat static enable
    [Router-GigabitEthernet1/2] quit
    ...
  • Page 144: Outbound Dynamic Nat For Internal-To-External Access (Non-Overlapping Addresses)

    Outbound dynamic NAT for internal-to-external access (non-overlapping addresses) Network requirements As shown in Figure 53, a company has a segment address 192.168.0.0/16 and two public IP addresses 202.38.1.2 and 202.38.1.3. Configure outbound dynamic NAT to allow only internal users on segment 192.168.1.0/24 to access the Internet.
  • Page 145 202.38.1.2 202.38.1.3 NAT outbound information: There are 1 NAT outbound rules. Interface: GigabitEthernet1/2 ACL: 2000 Address group: 0 Port-preserved: N NO-PAT: N Reversible: N NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent : --- NAT ALG:...
  • Page 146: Bidirectional Nat For Internal-To-External Access

    Bidirectional NAT for internal-to-external access Network requirements As shown in Figure 54, the IP address of the Web server is 192.168.1.10, and it overlaps with internal network 192.168.1.0/24, where the hosts reside. The company has two public IP addresses 202.38.1.2 and 202.38.1.3.
  • Page 147 [Router] nat address-group 1
    # Add address 202.38.1.2 to the group.
    [Router-nat-address-group-1] address 202.38.1.2 202.38.1.2
    [Router-nat-address-group-1] quit
    # Create address group 2.
    [Router] nat address-group 2
    # Add address 202.38.1.3 to the group.
    [Router-nat-address-group-2] address 202.38.1.3 202.38.1.3
    [Router-nat-address-group-2] quit
    # Enable inbound NO-PAT on interface GigabitEthernet 1/2 to translate the source IP address in the DNS reply payload into the address in address group 1, and allow reversible NAT.
  • Page 148: Nat Server For External-To-Internal Access

    Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent : --- NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Host A accesses the Web server.
  • Page 149 Figure 55 Network diagram (labels: Web server 1 10.110.10.1/16; Web server 2 10.110.10.2/16; FTP server 10.110.10.3/16; SMTP server 10.110.10.4/16; Router GE1/1 10.110.10.10/16 and GE1/2 202.38.1.1/24; Internet; Host)
    Configuration procedure
    # Specify IP addresses for the interfaces. (Details not shown.)
    # Enter interface view of GigabitEthernet 1/2.
    <Router>...
  • Page 150 Interface: GigabitEthernet1/2 Protocol: 6(TCP) Global IP/port: 202.38.1.1/25 Local IP/port: 10.110.10.4/25 Interface: GigabitEthernet1/2 Protocol: 6(TCP) Global IP/port: 202.38.1.1/80 Local IP/port: 10.110.10.1/80 Interface: GigabitEthernet1/2 Protocol: 6(TCP) Global IP/port: 202.38.1.1/8080 Local IP/port: 10.110.10.2/80 NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior:...
  • Page 151: NAT Server For External-To-Internal Access Through Domain Name

    Interface(out): GigabitEthernet1/1 Initiator->Responder: 7 packets 308 bytes Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT Server for external-to-internal access through domain name Network requirements As shown in Figure 56, Web server at 10.110.10.2/24 in the internal network provides services for external users.
  • Page 152 # Add address 202.38.1.3 to the group. [Router-nat-address-group-1] address 202.38.1.3 202.38.1.3 [Router-nat-address-group-1] quit # Configure NAT Server on interface GigabitEthernet 1/2 to map the address 202.38.1.1 to 10.110.10.3. External users can access the internal DNS server. [Router] interface gigabitethernet 1/2 [Router-GigabitEthernet1/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 domain # Enable outbound NO-PAT on interface GigabitEthernet 1/2, use the address in address group 1 to...
  • Page 153: Bidirectional NAT For External-To-Internal Access Through NAT Server

    FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Host accesses Web server. [Router] display nat session verbose Initiator: Source IP/port: 202.1.1.2/1694 Destination IP/port: 202.38.1.3/8080 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) Responder: Source...
  • Page 154 Figure 57 Network diagram Configuration considerations This is a typical application of bidirectional NAT. • To make sure the external host can access the internal Web server by using its domain name, configure NAT Server so that the external host can access the internal DNS server to obtain the IP address of the Web server.
  • Page 155 # Add address 202.38.1.3 to the address group. [Router-nat-address-group-2] address 202.38.1.3 202.38.1.3 [Router-nat-address-group-2] quit # Configure NAT Server on interface GigabitEthernet 1/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4. [Router] interface gigabitethernet 1/2 [Router-GigabitEthernet1/2] nat server protocol udp global 202.38.1.4 inside 200.1.1.3 domain # Enable outbound NO-PAT on interface GigabitEthernet 1/2 to translate IP address of the Web server...
  • Page 156: NAT Hairpin In C/S Mode

    Local IP/port: 200.1.1.3/53 NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent : --- NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Host accesses the Web server.
  • Page 157 Figure 58 Network diagram Configuration considerations This is a typical NAT hairpin application in C/S mode. • Configure NAT Server on the interface that connects the external network to make sure an external host can access the internal FTP server by using a NAT address. • Enable NAT hairpin on the interface that connects the internal network to make sure internal hosts...
  • Page 158 Verifying the configuration After completing the configurations, both internal and external hosts can access the internal FTP server through the external address. # Display all NAT configuration and statistics. [Router] display nat all NAT outbound information: There are 1 NAT outbound rules. Interface: GigabitEthernet1/2 ACL: 2000 Address group: ---...
  • Page 159: NAT Hairpin In P2P Mode For Access Between Internal Users

    VPN instance/VLAN ID/VLL ID: -/-/- Protocol: TCP(6) State: TCP_ESTABLISHED Application: HTTP Start time: 2012-08-15 14:53:29 TTL: 3597s Interface(in) : GigabitEthernet1/1 Interface(out): GigabitEthernet1/1 Initiator->Responder: 7 packets 308 bytes Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT hairpin in P2P mode for access between internal users Network requirements In the P2P application, internal clients must register their IP address to the external server and the server records the registered IP addresses and port numbers of the internal clients.
  • Page 160 Configuration procedure # Specify IP addresses for the interfaces. (Details not shown.) # Configure ACL 2000, and create a rule to permit packets only from segment 192.168.1.0/24 to be translated. <Router> system-view [Router] acl number 2000 [Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Router-acl-basic-2000] quit # Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 1/2.
  • Page 161: Twice NAT For Access Between Two VPNs With Overlapping Addresses

    NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Client A accesses Client B. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.3/44929 Destination IP/port: 202.38.1.3/1 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: UDP(17) Responder:...
  • Page 162 Configuration considerations This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces that connect the VPNs on the NAT device. Configuration procedure # Specify VPN instances and IP addresses for the interfaces.
  • Page 163: Load Sharing NAT Server Configuration Example

    Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent : --- NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Host A accesses Host B.
  • Page 164 Figure 61 Network diagram 10.110.10.1/16 FTP server 1 GE1/1 GE1/2 10.110.10.10/16 202.38.1.1/16 Internet Router Host FTP server 2 FTP server 3 10.110.10.2/16 10.110.10.3/16 Configuration procedure # Specify IP addresses for the interfaces. (Details not shown.) # Create NAT Server group 0, and add members to the group. <Router>...
  • Page 165: NAT With DNS Mapping Configuration Example

    10.110.10.2/21 (Connections: 2) 10.110.10.3/21 (Connections: 2) NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent : --- NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when external hosts access an internal FTP server.
  • Page 166 Configure NAT so that: • The public IP address 202.38.1.2 is used by external users to access the Web and FTP servers. • External users can use the public address or domain name of internal servers to access them. • Internal users can access the internal servers by using their domain names. ...
  • Page 167 Verifying the configuration After completing the configurations, both internal and external hosts can access the internal servers by using domain names. # Display all NAT configuration and statistics. [Router] display nat all NAT outbound information: There are 1 NAT outbound rules. Interface: GigabitEthernet1/2 ACL: --- Address group: ---...
  • Page 168 H323: Enabled ICMP-ERROR: Enabled...
  • Page 169: Basic IP Forwarding On The Device

    Basic IP forwarding on the device Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and then uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table.
  • Page 170 Task Command display fib [ vpn-instance vpn-instance-name ] [ ip-address [ mask | Display FIB entries. mask-length ] ]...
  • Page 171: Configuring Fast Forwarding

    5600). slot-number ] Display fast forwarding table information about display ip fast-forwarding fragcache [ ip-address ] fragmented packets (MSR 2600/MSR 3600). Display fast forwarding table information about display ip fast-forwarding fragcache [ ip-address ] fragmented packets (MSR 5600). [ slot slot-number ] Display the aging time of fast forwarding entries.
  • Page 172: Fast Forwarding Configuration Example

    Fast forwarding configuration example Network requirements Enable fast forwarding on Router B. Figure 63 Network diagram Eth1/1 Eth1/1 Eth1/2 Eth1/2 11.1.1.1/8 11.1.1.2/8 22.1.1.1/8 22.1.1.2/8 Router B Router C Router A Configuration procedure Configure Router A: # Configure the IP address of interface Ethernet 1/1. <RouterA>...
  • Page 173: Verifying The Configuration

    Verifying the configuration # Display the fast forwarding table on Router B. [RouterB] display ip fast-forwarding cache No fast-forwarding entries. The output shows that no fast forwarding entry exists. # Ping the IP address of Ethernet 1/2 of Router C from Router A. Reply packets can be received. [RouterA] ping 22.1.1.2 PING 22.1.1.2: 56 data bytes, press CTRL_C to break...
  • Page 174: Displaying The Adjacency Table

    Displaying the adjacency table The adjacency table stores information about directly connected neighbors for IP forwarding. The neighbor information in the adjacency table in this chapter refers to non-Ethernet neighbor information. This table is not user configurable. The neighbor information is generated, updated, and deleted by link layer protocols through negotiation (such as PPP dynamic negotiation) or through manual configuration (such as ATM static configuration).
  • Page 175 Task Command display ipv6 adjacent-table { all | physical-interface interface-type Display IPv6 adjacency table interface-number | routing-interface interface-type information. interface-number | slot slot-number } [ count | verbose ]...
  • Page 176: Optimizing IP Performance

    Optimizing IP performance A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation. Enabling an interface to receive and forward directed broadcasts destined for the directly connected network A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
  • Page 177: Configuration Example

    Configuration example Network requirements As shown in Figure 64, the default gateway of the host is the IP address 1.1.1.2/24 of the interface Ethernet 1/1 of Router A. Configure a static route destined for the host on Router B. Router B can receive directed broadcasts from the host to IP address 2.2.2.255.
  • Page 178: Configuring TCP MSS For An Interface

    To configure an MTU for an interface: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Configure an MTU for the ip mtu mtu-size By default, no MTU is configured. interface. Configuring TCP MSS for an interface The maximum segment size (MSS) option informs the receiver of the largest segment that the sender can accept.
  • Page 179: Enabling TCP SYN Cookie

    Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection. The TCP source device sends subsequent TCP segments that each are smaller than the MSS (MSS = path MTU – IP header length – TCP header length). If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device will fragment packets.
  • Page 180: Configuring The TCP Buffer Size

    To enable TCP SYN Cookie: Step Command Remarks Enter system view. system-view Enable SYN Cookie. tcp syn-cookie enable The default setting is disabled. Configuring the TCP buffer size Step Command Remarks Enter system view. system-view Configure the size of TCP receive/send tcp window window-size The default buffer size is 64 KB.
  • Page 181 The selected route is not created or modified by any ICMP redirect packet. The selected route is not destined for 0.0.0.0. There is no source route option in the received packet. ICMP redirect packets simplify host management and enable hosts to gradually optimize their routing table.
  • Page 182: Configuring Rate Limit For ICMP Error Messages

    Sending ICMP error packets facilitates network management, but sending excessive ICMP packets increases network traffic. A device's performance degrades if it receives a lot of malicious ICMP packets that cause it to respond with ICMP error packets. To prevent such problems, you can disable the device from sending ICMP error packets. A device disabled from sending ICMP time-exceeded packets does not send ICMP TTL Expired packets but can still send ICMP Fragment Reassembly Timeout packets.
  • Page 183: Configuring IP Virtual Fragment Reassembly

    Configuring IP virtual fragment reassembly To make sure fragments arrive at a service module in order, the IP virtual fragment reassembly feature virtually reassembles the fragments of a datagram through sequencing and caching. The IP virtual fragment reassembly feature also prevents some service modules (such as IPsec, NAT, and firewall) from processing packet fragments that do not arrive in order.
  • Page 184: Displaying And Maintaining IP Performance Optimization

    Execute display commands in any view and reset commands in user view. Task Command Display brief information about RawIP connections display rawip (MSR 2600/MSR 3600). Display brief information about RawIP connections display rawip [ slot slot-number ] (MSR 5600). Display detailed information about RawIP connections display rawip verbose [ pcb pcb-index ] (MSR 2600/MSR 3600).
  • Page 185 Display detailed information about UDP connections display udp verbose [ slot slot-number [ pcb (MSR 5600). pcb-index ] ] Display IP packet statistics (MSR 2600/MSR 3600). display ip statistics Display IP packet statistics (MSR 5600). display ip statistics [ slot slot-number ]...
  • Page 186: Configuring UDP Helper

    Configuring UDP helper Overview UDP helper enables a device to convert received UDP broadcast packets into unicast packets and forward them to a specific server. UDP helper is suitable for the scenario where hosts cannot obtain configuration information or device names by broadcasting packets because the target server or host resides on another broadcast domain.
  • Page 187: Displaying And Maintaining UDP Helper

    Displaying and maintaining UDP helper Execute display commands in any view and reset commands in user view. Task Command Display information about packets forwarded display udp-helper interface interface-type interface-number by UDP helper. Clear UDP helper statistics. reset udp-helper statistics UDP helper configuration example Network requirements As shown in Figure...
  • Page 188: Verifying The Configuration

    Verifying the configuration # Display information about UDP packets forwarded by UDP helper on the interface Ethernet 1/1. [RouterA-Ethernet1/1] display udp-helper interface ethernet 1/1 Interface Server address Packets sent Ethernet1/1 10.2.1.1...
  • Page 189: Configuring Basic IPv6 Settings

    Configuring basic IPv6 settings Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
  • Page 190: IPv6 Addresses

    • Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring DHCPv6 server." • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
  • Page 191 An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address. An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address make up the address prefix.
  • Page 192 Multicast addresses IPv6 multicast addresses listed in Table 10 are reserved for special purposes. Table 7 Reserved IPv6 multicast addresses Address Application FF01::1 Node-local scope all-nodes multicast address. FF02::1 Link-local scope all-nodes multicast address. FF01::2 Node-local scope all-routers multicast address. FF02::2 Link-local scope all-routers multicast address.
  • Page 193: IPv6 ND Protocol

    IPv6 ND protocol The IPv6 Neighbor Discovery (ND) protocol uses the following ICMPv6 messages: Table 8 ICMPv6 messages used by ND ICMPv6 message Type Function Acquires the link-layer address of a neighbor. Neighbor Solicitation (NS) Verifies whether a neighbor is reachable. Detects duplicate addresses.
  • Page 194 Neighbor reachability detection After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages to test reachability of Host B as follows: Host A sends an NS message whose destination address is the IPv6 address of Host B. If Host A receives an NA message from Host B, Host A decides that Host B is reachable.
  • Page 195: IPv6 Path MTU Discovery

    Redirection Upon receiving a packet from a host, the gateway sends an ICMPv6 Redirect message to inform the host of a better next hop when the following conditions are met (similar to the ICMP redirection function in IPv4): • The interface receiving the packet is the same as the interface forwarding the packet. • The selected route is not created or modified by an ICMPv6 Redirect message.
  • Page 196: Tunneling

    both IPv4 and IPv6 packets. An application that supports both IPv4 and IPv6 prefers IPv6 at the network layer. Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual stack node must have a globally unique IPv4 address.
  • Page 197: IPv6 Basics Configuration Task List

    • RFC 2460, Internet Protocol, Version 6 (IPv6) Specification • RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification • RFC 2464, Transmission of IPv6 Packets over Ethernet Networks • RFC 2526, Reserved IPv6 Subnet Anycast Addresses ...
  • Page 198: Assigning IPv6 Addresses To Interfaces

    Assigning IPv6 addresses to interfaces This section describes how to configure an IPv6 global unicast address, an IPv6 link-local address, and an IPv6 anycast address. Configuring an IPv6 global unicast address Use one of the following methods to configure an IPv6 global unicast address for an interface: • EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the...
  • Page 199 Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no IPv6 global unicast address is configured on an interface. Using the undo ipv6 address auto Enable stateless address ipv6 address auto command on an interface removes all autoconfiguration.
  • Page 200: Configuring An IPv6 Link-Local Address

    Step Command Remarks Enable the system to By default, the system does not preferably use the temporary preferably use the temporary ipv6 prefer temporary-address IPv6 address as the source IPv6 address as the source address of the packet. address of the packet. To generate a temporary address, an interface must be enabled with stateless address autoconfiguration.
  • Page 201: Configuring An IPv6 Anycast Address

    Step Command Remarks By default, no link-local address is configured on an interface. Manually specify an IPv6 ipv6 address ipv6-address link-local address for the After an IPv6 global unicast address is link-local interface. configured on the interface, a link-local address is generated automatically. After you configure an IPv6 global unicast address for an interface, the interface automatically generates a link-local address.
  • Page 202: Setting The Maximum Number Of Dynamic Neighbor Entries

    If you use Method 2, make sure the corresponding VLAN interface exists and the Layer 2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. The device associates the VLAN interface with the neighbor IPv6 address to identify the static neighbor entry. To configure a static neighbor entry: Step Command...
  • Page 203: Minimizing Link-Local ND Entries

    Minimizing link-local ND entries Perform this task to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries comprising link-local addresses. By default, the device assigns all ND entries to the driver. With this feature enabled, the device does not add newly learned link-local ND entries whose link local addresses are not the next hop of any route into the driver to save driver resources.
  • Page 204 Parameter Description Determines whether a host uses stateful autoconfiguration to obtain an IPv6 address. If the M flag is set to 1, the host uses stateful autoconfiguration (for example, from a M flag DHCPv6 server) to obtain an IPv6 address. Otherwise, the host uses stateless autoconfiguration to generate an IPv6 address according to its link-layer address and the prefix information in the RA message.
  • Page 205 Configuring parameters for RA messages Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no prefix information is configured for RA messages, and the IPv6 address of the interface sending RA messages is used as the prefix ipv6 nd ra prefix { ipv6-prefix information.
  • Page 206: Configuring The Maximum Number Of Attempts To Send An NS Message For DAD

    Configuring the maximum number of attempts to send an NS message for DAD An interface sends an NS message for DAD after obtaining an IPv6 address. If the interface does not receive a response within the time specified by the ipv6 nd ns retrans-timer command, it sends an NS message again.
  • Page 207 Figure 74 Application environment of local ND proxy Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they are isolated at Layer 2.
  • Page 208: Configuring Path MTU Discovery

    Configuring path MTU discovery Configuring the interface MTU IPv6 routers do not support packet fragmentation. If the size of a packet exceeds the MTU of the output interface, the router discards the packet and sends a Packet Too Big message to the source host. The source host fragments the packet according to the MTU.
  • Page 209: Controlling Sending ICMPv6 Packets

    Step Command Remarks Configure the aging time for ipv6 pathmtu age age-time The default setting is 10 minutes. dynamic path MTUs. Controlling sending ICMPv6 packets This section describes how to configure ICMPv6 packet sending. Configuring the rate limit for ICMPv6 error messages To avoid sending excessive ICMPv6 error messages within a short period that might cause network congestion, you can limit the rate at which ICMPv6 error messages are sent.
  • Page 210: Enabling Sending ICMPv6 Time Exceeded Messages

    • If a packet does not match any route, the device sends a No Route to Destination ICMPv6 error message to the source. • If the device fails to forward the packet because of administrative prohibition (such as a firewall filter...
  • Page 211: Specifying The Source Address For ICMPv6 Packets

    • The interface receiving the packet is the interface forwarding the packet. • The selected route is not created or modified by any ICMPv6 redirect message. • The selected route is not a default route. • The forwarded packet does not contain the routing extension header. ...
  • Page 212 Display the total number of neighbor display ipv6 neighbors { all | dynamic | interface interface-type entries (MSR 2600/MSR 3600). interface-number | static | vlan vlan-id } count display ipv6 neighbors { { all | dynamic | static } [ slot...
  • Page 213: IPv6 Basics Configuration Example

    Task Command Display detailed information about IPv6 UDP connections (MSR 2600/MSR display ipv6 udp verbose [ pcb pcb-index ] 3600). Display detailed information about IPv6 display ipv6 udp verbose [ slot slot-number [ pcb pcb-index ] ] UDP connections (MSR 5600).
  • Page 214: Configuration Procedure

    Figure 75 Network diagram Host Router A Router B Eth1/2 Eth1/1 Eth1/1 2001::1/64 3001::1/64 3001::2/64 Configuration procedure Configure Router A: # Configure a global unicast address for interface Ethernet 1/1. <RouterA> system-view [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ipv6 address 3001::1/64 [RouterA-Ethernet1/1] quit # Configure a global unicast address for interface Ethernet 1/2 and enable it to advertise RA messages (an interface does not advertise RA messages by default).
  • Page 215 IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2 Global unicast address(es): 3001::1, subnet is 3001::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FF00:2 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics:...
  • Page 216 FF02::2 FF02::1:FF00:1 FF02::1:FF00:1C0 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 600 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses...
  • Page 217 FF02::1:FF00:1 FF02::1:FF00:1234 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: InTooShorts: InTruncatedPkts: InHopLimitExceeds: InBadHeaders: InBadOptions: ReasmReqds:...
  • Page 218: Troubleshooting IPv6 Basics Configuration

    56 bytes from 2001::15B:E0EA:3524:E791, icmp_seq=0 hlim=64 time=5.404 ms --- Ping6 statistics for 2001::15B:E0EA:3524:E791 --- 1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 5.404/5.404/5.404/0.000 ms The output shows that Router B can ping Router A and the host. The host can also ping Router B and Router A (output not shown).
  • Page 219: DHCPv6 Overview

    DHCPv6 overview DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts. DHCPv6 address/prefix assignment An address/prefix assignment process involves two or four messages. Rapid assignment involving two messages As shown in Figure 76, rapid assignment operates in the following steps: The DHCPv6 client sends a Solicit message that contains a Rapid Commit option to prefer rapid assignment.
  • Page 220: Address/Prefix Lease Renewal

    Figure 77 Assignment involving four messages Address/prefix lease renewal An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time.
  • Page 221: Stateless DHCPv6

    Stateless DHCPv6 Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device decides whether to perform stateless DHCP according to the managed address configuration flag (M flag) and the other stateful configuration flag (O flag) in the RA message received from the router during stateless address autoconfiguration.
  • Page 222: Configuring The DHCPv6 Server

    Configuring the DHCPv6 server Overview A DHCPv6 server can assign IPv6 addresses or IPv6 prefixes to DHCPv6 clients. IPv6 address assignment As shown in Figure 81, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients include the following types: •...
  • Page 223: Concepts

    Figure 82 IPv6 prefix assignment Concepts Multicast addresses used by DHCPv6 DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers, and uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents. DUID A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent).
  • Page 224: DHCPv6 Address Pool

    The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the IPv6 prefix, client DUID, IAID, valid lifetime, preferred lifetime, lease expiration time, and IPv6 address of the requesting client. DHCPv6 address pool The DHCP server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCP clients.
  • Page 225: IPv6 Address/Prefix Allocation Sequence

    client against the subnets of all address pools, and selects the address pool with the longest-matching subnet. To avoid wrong address allocation, keep the subnet used for dynamic assignment consistent with the subnet where the interface of the DHCPv6 server or DHCPv6 relay agent resides. IPv6 address/prefix allocation sequence The DHCPv6 server selects an IPv6 address/prefix for a client in the following sequence: IPv6 address/prefix statically bound to the client's DUID and IAID and expected by the client.
  • Page 226: Configuration Guidelines

    Configuration guidelines • An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first. • Only one prefix pool can be applied to an address pool. You cannot modify prefix pools that have been applied.
  • Page 227: Configuring IPv6 Address Assignment

    Configuring IPv6 address assignment Use one of the following methods to configure IPv6 address assignment: • Configure a static IPv6 address binding in an address pool: If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.
  • Page 228: Configuring Network Parameters Assignment

    Step Command Remarks By default, all IPv6 addresses except for the DHCPv6 server's IP address in a DHCPv6 address pool are assignable. (Optional.) Specify the IPv6 ipv6 dhcp server forbidden-address addresses excluded from start-ipv6-address If the excluded IPv6 address is in dynamic assignment.
  • Page 229: Configuring The DHCPv6 Server On An Interface

    Step Command Remarks network prefix/prefix-length Specify an IPv6 subnet for By default, no IPv6 subnet is [ preferred-lifetime preferred-lifetime dynamic assignment. specified. valid-lifetime valid-lifetime ] (Optional.) Specify a DNS By default, no DNS server dns-server ipv6-address server address. address is specified. (Optional.) Specify a domain By default, no domain name domain-name domain-name...
  • Page 230: Setting The DSCP Value For DHCPv6 Packets Sent By The DHCPv6 Server

    Step: Enter interface view.
      Command: interface interface-type interface-number
    Step: Enable the DHCPv6 server on the interface.
      Command: ipv6 dhcp select server
      Remarks: By default, the interface discards DHCPv6 packets from DHCPv6 clients.
    Step: (not shown)
      Command: • Configure global address assignment: ipv6 dhcp server { allow-hint | preference preference-value |...
      Remarks: Use one of the commands.
  • Page 231: DHCPv6 Server Configuration Examples

    Task: Display information about IPv6 address bindings.
      Command: display ipv6 dhcp server ip-in-use [ address ipv6-address | pool pool-name ]
    Task: Display information about IPv6 prefix bindings.
      Command: display ipv6 dhcp server pd-in-use [ pool pool-name | prefix prefix/prefix-len ]
    Task: Display packet statistics on the DHCPv6 server.
      Command: display ipv6 dhcp server statistics [ pool pool-name ]
  • Page 232

    Configuration procedure
    # Specify an IPv6 address for Ethernet 1/1.
    <Router> system-view
    [Router] interface ethernet 1/1
    [Router-Ethernet1/1] ipv6 address 1::1/64
    [Router-Ethernet1/1] quit
    # Create prefix pool 1, and specify the prefix 2001:0410::/32 with assigned prefix length 48.
    [Router] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48
    # Create address pool 1.
  • Page 233: Dynamic IPv6 Address Assignment Configuration Example

    Prefix pool: 1
    Preferred lifetime 86400, valid lifetime 259200
    Static bindings:
    DUID: 00030001ca0006a4
    IAID: Not configured
    Prefix: 2001:410:201::/48
    Preferred lifetime 86400, valid lifetime 259200
    DNS server addresses: 2:2::3
    Domain name: aaa.com
    SIP server addresses: 2:2::4
    SIP server domain names: bbb.com
    # Display information about prefix pool 1.
  • Page 234

    Figure 85 Network diagram
    Configuration procedure
    Specify IPv6 addresses for interfaces on the DHCPv6 server. (Details not shown.)
    Enable DHCPv6:
    # Enable the DHCPv6 server on the interfaces Ethernet 1/1 and Ethernet 1/2.
    <RouterA> system-view
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ipv6 dhcp select server
    [RouterA-Ethernet1/1] quit
    [RouterA] interface ethernet 1/2
    [RouterA-Ethernet1/2] ipv6 dhcp select server...
  • Page 235 Verifying the configuration After the preceding configuration, clients in subnets 1::1:0:0:0/96 and 1::2:0:0:0/96 can obtain IPv6 addresses and other configuration parameters from the DHCPv6 server (Router A). You can use the display ipv6 dhcp server ip-in-use command to display IPv6 addresses assigned to the clients.
  • Page 236: Configuring The DHCPv6 Relay Agent

    Configuring the DHCPv6 relay agent
    A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 86, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server.
  • Page 237: Configuration Guidelines

    Figure 87 Operating process of a DHCPv6 relay agent (participants: DHCPv6 client, DHCPv6 relay agent, DHCPv6 server; messages: Solicit (contains a Rapid Commit option), (2) Relay-forward, (3) Relay-reply, (4) Reply)
    Configuration guidelines
    • You can use the ipv6 dhcp relay server-address command to specify a maximum of eight DHCPv6...
  • Page 238: Displaying And Maintaining The DHCPv6 Relay Agent

    Displaying and maintaining the DHCPv6 relay agent
    Execute display commands in any view and reset commands in user view.
    Task: Display the DUID of the local device.
      Command: display ipv6 dhcp duid
    Task: Display DHCPv6 server addresses specified on the DHCPv6 relay agent.
      Command: display ipv6 dhcp relay server-address [ interface interface-type...
  • Page 239: Verifying The Configuration

    [RouterA] interface ethernet 1/2
    [RouterA-Ethernet1/2] ipv6 address 2::1 64
    [RouterA-Ethernet1/2] quit
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ipv6 address 1::1 64
    # Enable the DHCPv6 relay agent on Ethernet 1/1 and specify the DHCPv6 server on the relay agent.
    [RouterA-Ethernet1/1] ipv6 dhcp select relay
    [RouterA-Ethernet1/1] ipv6 dhcp relay server-address 2::2
    Configure Router A as the gateway, enable Router A to send RA messages, and turn on the M and O flags.
  • Page 240: Configuring DHCPv6 Snooping

    Configuring DHCPv6 snooping
    NOTE: The feature is not supported.
    DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent. It guarantees that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers. Also, it records IP-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping entries) for security purposes.
  • Page 241: H3C Implementation Of Option 18 And Option 37

    Option 18, also called the interface-ID option, is used by the DHCPv6 relay agent to determine the interface to use to forward the RELAY-REPLY message. In the H3C implementation, the DHCPv6 snooping device adds Option 18 to the received DHCPv6 request message before forwarding it to the DHCPv6 server. The server then assigns an IP address to the client based on the client information in Option 18.
  • Page 242: DHCPv6 Snooping Support For Option 37

    Option 37, also called the remote-ID option, is used to identify the client. In the H3C implementation, the DHCPv6 snooping device adds Option 37 to the received DHCPv6 request message before forwarding it to the DHCPv6 server. This option provides client information about address allocation.
  • Page 243: Configuring Basic DHCPv6 Snooping

    Tasks at a glance
    (Optional.) Enabling DHCPv6-REQUEST check
    Configuring basic DHCPv6 snooping
    To make sure DHCPv6 clients can obtain valid IPv6 addresses, specify the ports connected to authorized DHCPv6 servers as trusted ports. The trusted ports and the ports connected to DHCPv6 clients must be in the same VLAN.
  • Page 244: Saving DHCPv6 Snooping Entries

    Step: Enable support for Option 37.
      Command: ipv6 dhcp snooping option remote-id enable
      Remarks: By default, Option 37 is not supported.
    Step: (Optional.) Specify the content as the remote ID.
      Command: ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string
      Remarks: By default, the DHCPv6 snooping device uses its DUID as the content...
  • Page 245: Setting The Maximum Number Of DHCPv6 Snooping Entries

    Setting the maximum number of DHCPv6 snooping entries
    Perform this task to prevent the system resources from being overused.
    To set the maximum number of DHCPv6 snooping entries:
    Step: Enter system view.
      Command: system-view
    Step: Enter interface view.
      Command: interface interface-type interface-number
    Step: Set the maximum number...
      Remarks: By default, the number of DHCPv6...
  • Page 246: Displaying And Maintaining DHCPv6 Snooping

    Task: Display DHCPv6 packet statistics for DHCPv6 snooping (MSR 2600/MSR 3600).
      Command: display ipv6 dhcp snooping packet statistics
    Task: Display DHCPv6 packet statistics for DHCPv6 snooping (MSR 5600).
      Command: display ipv6 dhcp snooping packet statistics [ slot...
  • Page 247: Configuration Procedure

    Configuration procedure
    # Enable DHCPv6 snooping.
    <Router> system-view
    [Router] ipv6 dhcp snooping enable
    # Specify Ethernet 1/1 as a trusted port.
    [Router] interface ethernet 1/1
    [Router-Ethernet1/1] ipv6 dhcp snooping trust
    [Router-Ethernet1/1] quit
    # Enable recording of client information in DHCPv6 snooping entries.
    [Router] interface Ethernet 1/2
    [Router-Ethernet1/2] ipv6 dhcp snooping binding record
    [Router-Ethernet1/2] quit...
  • Page 248: Configuring IPv6 Fast Forwarding

    Configuring IPv6 fast forwarding
    Overview
    Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using six fields: source IPv6 address, destination IPv6 address, source port number, destination port number, protocol number, and VPN instance name.
  • Page 249: IPv6 Fast Forwarding Configuration Example

    IPv6 fast forwarding configuration example
    Network requirements
    As shown in Figure 93, enable IPv6 fast forwarding on Router B.
    Figure 93 Network diagram
    Configuration procedure
    Configure Router A:
    # Specify the IPv6 address of interface Ethernet 1/1.
    <RouterA> system-view
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ipv6 address 2002::1 64
    [RouterA-Ethernet1/1] quit
    # Configure a static route.
  • Page 250

    [RouterB] display ipv6 fast-forwarding cache
    No IPv6 fast-forwarding entries.
    The output shows that no IPv6 fast forwarding entry exists.
    # Ping the IPv6 address of Ethernet 1/2 of Router C from Router A. Reply packets can be received.
    [RouterA] ping ipv6 2001::1
    PING 2001::1 : 56 data bytes, press CTRL_C to break
    Reply from 2001::1...
  • Page 251: Configuring Tunneling

    Configuring tunneling
    Overview
    Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end.
  • Page 252 physical interface of the tunnel. In the IPv4 header, the source IPv4 address is the IPv4 address of the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination. Upon receiving the packet, Device B de-encapsulates the packet. If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol.
  • Page 253

    • Automatic IPv4-compatible IPv6 tunneling—A point-to-multipoint link. Both ends of the tunnel use IPv4-compatible IPv6 addresses. The address format is 0:0:0:0:0:0:a.b.c.d/96, where a.b.c.d is the IPv4 address of the tunnel destination. This mechanism simplifies tunnel establishment. Automatic IPv4-compatible IPv6 tunnels have limitations because IPv4-compatible IPv6 addresses must use globally unique IPv4 addresses.
  • Page 254: IPv4 Over IPv4 Tunneling

    ISATAP tunnels are mainly used for communication between IPv6 routers or between an IPv6 host and an IPv6 router over an IPv4 network.
    Figure 96 Principle of ISATAP tunneling
    IPv4 over IPv4 tunneling
    IPv4 over IPv4 tunneling (RFC 1853) enables isolated IPv4 networks to communicate. For example, an IPv4 over IPv4 tunnel can connect isolated private IPv4 networks over a public IPv4 network.
  • Page 255: IPv4 Over IPv6 Tunneling

    IPv4 over IPv6 tunneling
    Implementation
    IPv4 over IPv6 tunneling adds an IPv6 header to IPv4 packets so that IPv4 packets can pass an IPv6 network through a tunnel to realize interworking between isolated IPv4 networks.
    Figure 98 IPv4 over IPv6 tunnel
    Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure
    Encapsulation:...
  • Page 256 Dual Stack Lite (DS-Lite) is a combination of the tunneling and NAT technologies. NAT translates the private IPv4 addresses of the IPv4 hosts before the hosts reach the IPv4 public network. DS-Lite tunnel supports only an IPv4 host in a private network initiating communication with an IPv4 host on the Internet.
  • Page 257

    Figure 100 Packet forwarding process in DS-Lite (diagram; labels include IPv4 host, private IPv4 network, DS-Lite tunnel, IPv6 network, AFTR, and IPv4 network)...
  • Page 258: IPv6 Over IPv6 Tunneling

    IPv6 over IPv6 tunneling
    IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other.
    Figure 101 Principle of IPv6 over IPv6 tunneling
    Figure 101 shows the encapsulation and de-encapsulation processes.
  • Page 259: Tunneling Configuration Task List

    Tunneling configuration task list
    Tasks at a glance
    (Required.) Configuring a tunnel interface
    Perform one of the following tasks:
    • Configuring an IPv6 over IPv4 tunnel:
      Configuring an IPv6 over IPv4 manual tunnel
      Configuring an automatic IPv4-compatible IPv6 tunnel
      Configuring a 6to4 tunnel
      Configuring an ISATAP tunnel
    •...
  • Page 260: Configuring An IPv6 Over IPv4 Manual Tunnel

    Step: Set the intended bandwidth for the tunnel interface.
      Command: bandwidth bandwidth-value
      Remarks: The intended bandwidth for the tunnel interface affects the link cost value. For more information, see Layer 3—IP Routing Configuration Guide.
    Step: Set the ToS for tunneled packets.
      Command: tunnel tos tos-value
      Remarks: The default setting is the same as the...
  • Page 261: Configuration Example

    Step: Configure a source address or source interface for the tunnel interface.
      Command: source { ip-address | interface-type interface-number }
      Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified...
  • Page 262

    [RouterA] interface ethernet 1/2
    [RouterA-Ethernet1/2] ip address 192.168.100.1 255.255.255.0
    [RouterA-Ethernet1/2] quit
    # Specify an IPv6 address for Ethernet 1/1.
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ipv6 address 3002::1 64
    [RouterA-Ethernet1/1] quit
    # Configure an IPv6 over IPv4 manual tunnel interface tunnel 0.
    [RouterA] interface tunnel 0 mode ipv6-ipv4
    # Specify an IPv6 address for the tunnel interface.
  • Page 263: Configuring An Automatic IPv4-Compatible IPv6 Tunnel

    # Router B and Router A can ping the IPv6 address of Ethernet 1/1 of each other. For example, ping the IPv6 address of Ethernet 1/1 on Router B from Router A.
    [RouterA] ping ipv6 3003::1
    Ping6(56 data bytes) 3001::1 --> 3003::1, press escape sequence to break
    56 bytes from 3003::1, icmp_seq=0 hlim=64 time=45.000 ms
    56 bytes from 3003::1, icmp_seq=1 hlim=64 time=10.000 ms
    56 bytes from 3003::1, icmp_seq=2 hlim=64 time=4.000 ms...
  • Page 264: Configuration Example

    Configuration example
    Network requirements
    As shown in Figure 103, dual-stack routers Router A and Router B communicate over an IPv4 network. Configure an automatic IPv4-compatible IPv6 tunnel between the two routers to enable IPv6 communications over the IPv4 network.
    Figure 103 Network diagram
    Configuration procedure
    Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure Router A and Router B can reach each other through IPv4.
  • Page 265: Configuring A 6to4 Tunnel

    # Router B and Router A can ping the IPv4-compatible IPv6 address of each other. For example, ping the IPv4-compatible IPv6 address on Router B from Router A.
    [RouterA-Tunnel0] ping ipv6 ::192.168.50.1
    Ping6(56 data bytes) ::192.168.100.1 --> ::192.168.50.1, press escape sequence to break
    56 bytes from ::192.168.50.1, icmp_seq=0 hlim=64 time=17.000 ms
    56 bytes from ::192.168.50.1, icmp_seq=1 hlim=64 time=9.000 ms
    56 bytes from ::192.168.50.1, icmp_seq=2 hlim=64 time=11.000 ms...
  • Page 266: 6to4 Tunnel Configuration Example

    Step: (Optional.) Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses.
      Command: tunnel discard ipv4-compatible-packet
      Remarks: The default setting is disabled.
    6to4 tunnel configuration example
    Network requirements
    As shown in Figure 104, configure a 6to4 tunnel between 6to4 routers Router A and Router B so Host A and Host B can reach each other over the IPv4 network.
  • Page 267

    [RouterB] interface tunnel 0 mode ipv6-ipv4 6to4
    # Specify an IPv6 address for the tunnel interface.
    [RouterA-Tunnel0] ipv6 address 3001::1/64
    # Specify the source interface as Ethernet1/2 for the tunnel interface.
    [RouterA-Tunnel0] source ethernet 1/2
    [RouterA-Tunnel0] quit
    # Configure a static route destined for 2002::/16 through the tunnel interface.
    [RouterA] ipv6 route-static 2002:: 16 tunnel 0
    • Configure Router B:
  • Page 268: 6to4 Relay Configuration Example

    6to4 relay configuration example
    Network requirements
    As shown in Figure 105, Router A is a 6to4 router, and 6to4 addresses are used on the connected IPv6 network. Router B serves as a 6to4 relay router and is connected to an IPv6 network (2001::/16). Configure a 6to4 tunnel between Router A and Router B to make Host A and Host B reachable to each other.
  • Page 269: Configuring An ISATAP Tunnel

    [RouterA] ipv6 route-static 2002:0601:0101:: 64 tunnel 0
    # Configure a default route to reach the IPv6 network, which specifies the next hop as the 6to4 address of the relay router.
    [RouterA] ipv6 route-static :: 0 2002:0601:0101::1
    • Configure Router B:
    # Specify an IPv4 address for Ethernet 1/2.
  • Page 270: Configuration Example

    • Because automatic tunnels do not support dynamic routing, configure a static route destined for the destination IPv6 network at each tunnel end. You can specify the local tunnel interface as the egress interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop of the route.
  • Page 271

    Configuration procedure
    • Configure the router:
    # Specify an IPv6 address for Ethernet1/2.
    <Router> system-view
    [Router] interface ethernet 1/2
    [Router-Ethernet1/2] ipv6 address 3001::1/64
    [Router-Ethernet1/2] quit
    # Specify an IPv4 address for Ethernet1/1.
    [Router] interface ethernet 1/1
    [Router-Ethernet1/1] ip address 1.1.1.1 255.0.0.0
    [Router-Ethernet1/1] quit
    # Create an ISATAP tunnel interface tunnel 0.
  • Page 272

    # Display information about the ISATAP interface.
    C:\>ipv6 if 2
    Interface 2: Automatic Tunneling Pseudo-Interface
    Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
    does not use Neighbor Discovery
    uses Router Discovery
    routing preference 1
    EUI-64 embedded IPv4 address: 1.1.1.2
    router link-layer address: 1.1.1.1
    preferred global 2001::5efe:1.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
    preferred link-local fe80::5efe:1.1.1.2, life infinite
    link MTU 1500 (true link MTU 65515)
    current hop limit 255...
  • Page 273: Configuring An IPv4 Over IPv4 Tunnel

    Configuring an IPv4 over IPv4 tunnel
    Follow these guidelines when you configure an IPv4 over IPv4 tunnel:
    • The destination address specified for the local tunnel interface must be the source address specified for the peer tunnel interface, and vice versa. The source/destination addresses of local tunnels of the same tunnel mode cannot be the same.
  • Page 274: Configuration Example

    Configuration example
    Network requirements
    As shown in Figure 107, the two subnets Group 1 and Group 2 use private IPv4 addresses. Configure an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each other.
    Figure 107 Network diagram
    Configuration procedure
    Make sure Router A and Router B can reach each other through IPv4.
  • Page 275: Configuring An IPv4 Over IPv6 Manual Tunnel

    [RouterB-Ethernet1/1] quit
    # Specify an IPv4 address for Serial 2/1, which is the physical interface of the tunnel.
    [RouterB] interface serial 2/1
    [RouterB-Serial2/1] ip address 3.1.1.1 255.255.255.0
    [RouterB-Serial2/1] quit
    # Create an IPv4 over IPv4 tunnel interface tunnel 2.
    [RouterB] interface tunnel 2 mode ipv4-ipv4
    # Specify an IPv4 address for the tunnel interface.
  • Page 276: Configuration Example

    To configure an IPv4 over IPv6 manual tunnel:
    Step: Enter system view.
      Command: system-view
    Step: Enter tunnel interface view.
      Command: interface tunnel number [ mode ipv6 ]
    Step: Configure an IPv4 address for the tunnel...
      Command: ip address ip-address { mask | mask-length } [ sub ]
      Remarks: By default, no IPv4 address is configured for the tunnel interface.
  • Page 277

    # Specify an IPv6 address for Serial 2/0, which is the physical interface of the tunnel.
    [RouterA] interface serial 2/0
    [RouterA-Serial2/0] ipv6 address 2001::1:1 64
    [RouterA-Serial2/0] quit
    # Create an IPv6 tunnel interface tunnel 1.
    [RouterA] interface tunnel 1 mode ipv6
    # Specify an IPv4 address for the tunnel interface.
  • Page 278: Configuring A DS-Lite Tunnel

    Ping 30.1.3.1 (30.1.3.1) from 30.1.1.1: 56 data bytes, press escape sequence to break
    56 bytes from 30.1.3.1: icmp_seq=0 ttl=255 time=3.000 ms
    56 bytes from 30.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms
    56 bytes from 30.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms
    56 bytes from 30.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms
    56 bytes from 30.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms
    --- Ping statistics for 30.1.3.1 ---
    5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss...
  • Page 279: Configuration Example

    Step: Specify the source address or source interface for the...
      Command: source { ipv6-address | interface-type...
      Remarks: By default, no source address or interface is specified for the tunnel. If you specify a source address, it is used as the source address of the encapsulated IPv6 packets.
  • Page 280

    [RouterA-Ethernet1/2] ipv6 address 1::1 64
    [RouterA-Ethernet1/2] quit
    # Create an IPv6 tunnel interface tunnel1.
    [RouterA] interface tunnel 1 mode ipv6
    # Specify an IPv4 address for the tunnel interface.
    [RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0
    # Specify the IP address of Ethernet 1/2 as the source address for the tunnel interface.
    [RouterA-Tunnel1] source 1::1
    # Specify IP address of Ethernet 1/2 on Router B as the destination address for the tunnel interface.
  • Page 281: Configuring An IPv6 Over IPv6 Tunnel

    Pinging 20.1.1.2 with 32 bytes of data:
    Reply from 20.1.1.2: bytes=32 time=51ms TTL=255
    Reply from 20.1.1.2: bytes=32 time=44ms TTL=255
    Reply from 20.1.1.2: bytes=32 time=1ms TTL=255
    Reply from 20.1.1.2: bytes=32 time=1ms TTL=255
    Ping statistics for 20.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 51ms, Average = 24ms
    Configuring an IPv6 over IPv6 tunnel...
  • Page 282: Configuration Example

    Step: Configure the destination address for the tunnel interface.
      Command: destination ipv6-address
      Remarks: By default, no destination address is configured for the tunnel. The tunnel destination address must be the IPv6 address of the receiving interface on the tunnel peer. It is used as the destination IPv6 address of tunneled packets.
  • Page 283

    # Create an IPv6 tunnel interface tunnel 1.
    [RouterA] interface tunnel 1 mode ipv6
    # Specify an IPv6 address for the tunnel interface.
    [RouterA-Tunnel1] ipv6 address 3001::1:1 64
    # Specify the IP address of Serial 2/0 as the source address for the tunnel interface.
    [RouterA-Tunnel1] source 2001::11:1
    # Specify the IP address of Serial 2/1 on Router B as the destination address for the tunnel interface.
  • Page 284: Displaying And Maintaining Tunneling Configuration

    56 bytes from 2002:3::1, icmp_seq=4 hlim=64 time=0.000 ms
    --- Ping6 statistics for 2002:3::1 ---
    5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
    Displaying and maintaining tunneling configuration
    Execute display commands in any view and reset commands in user view.
    Task: (not shown)
      Command: display interface [ tunnel ] [ brief [ down ] ]...
  • Page 285: Configuring Flow Classification

    Configuring flow classification
    The following matrix shows the feature and router compatibility:
    Feature: Flow classification (columns: MSR 2600, MSR 3600, MSR 5600)
    To implement differentiated services, flow classification categorizes packets to be forwarded by a multi-core device according to one of the following flow classification policies: •...
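
    An added example, not part of the H3C manual: the tunneling excerpts above show three IPv6 address forms that carry an IPv4 tunnel endpoint (IPv4-compatible ::a.b.c.d, 6to4 such as 2002:0601:0101::1, and ISATAP such as 2001::5efe:1.1.1.2). This Python code recovers the embedded IPv4 address and lists the addresses whose endpoint falls outside an expected range, which is the kind of check behind a decision to enable tunnel discard ipv4-compatible-packet. The function names, the allow-list and the sample list are assumptions made for this example; the 6to4 prefix layout and the 0200:5efe variant come from RFC 3056 and RFC 5214, not from this page.

```python
"""Recover the IPv4 endpoint embedded in IPv6 transition-tunnel addresses."""
import ipaddress

# ISATAP interface identifiers: 0000:5efe or 0200:5efe, followed by the IPv4 address
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def embedded_ipv4(addr):
    """Return (kind, IPv4Address) for a tunnel-style IPv6 address, else None."""
    value = int(ipaddress.IPv6Address(addr))
    low32 = ipaddress.IPv4Address(value & 0xFFFFFFFF)

    # IPv4-compatible: 0:0:0:0:0:0:a.b.c.d/96.
    # :: (0) and ::1 (1) are the unspecified and loopback addresses, not tunnels.
    if value >> 32 == 0 and value > 1:
        return ("ipv4-compatible", low32)

    # 6to4: 2002:AABB:CCDD::/48, where AABB:CCDD is the IPv4 address in hex.
    if value >> 112 == 0x2002:
        return ("6to4", ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF))

    # ISATAP: any /64 prefix, interface ID = 5efe marker + IPv4 address.
    if (value >> 32) & 0xFFFFFFFF in ISATAP_IID_PREFIXES:
        return ("isatap", low32)

    return None


def audit(addresses, allowed_v4_nets):
    """List (address, kind, ipv4) whose embedded endpoint is outside the allow-list."""
    nets = [ipaddress.ip_network(n) for n in allowed_v4_nets]
    findings = []
    for addr in addresses:
        hit = embedded_ipv4(addr)
        if hit is None:
            continue  # native IPv6 address, nothing embedded
        kind, v4 = hit
        if not any(v4 in net for net in nets):
            findings.append((addr, kind, str(v4)))
    return findings


# Constructed sample: addresses that appear in the configuration examples above.
SAMPLE = [
    "::192.168.50.1",      # IPv4-compatible tunnel peer
    "2002:0601:0101::1",   # 6to4 relay address
    "2001::5efe:1.1.1.2",  # ISATAP host, global address
    "fe80::5efe:1.1.1.2",  # ISATAP host, link-local address
    "3001::1",             # native address, no embedded IPv4
]
# Hypothetical allow-list of IPv4 ranges where tunnel endpoints are expected.
ALLOWED = ["192.168.0.0/16", "1.1.1.0/24"]

if __name__ == "__main__":
    for addr in SAMPLE:
        print(addr, "->", embedded_ipv4(addr))
    print("outside allow-list:", audit(SAMPLE, ALLOWED))
```

    The ISATAP test matches on the interface identifier only, so a native address that happens to contain 5efe in that position is reported too; treat a hit as a lead to confirm against the tunnel configuration.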