Page 3
ProCurve 8212zl Switch 6200yl Switch Series 5400zl Switches Series 3500yl Switches Series 2900 Switches January 2008 K.13.01 T.13.01 IPv6 Configuration Guide...
Page 4
Nothing herein should be construed as constituting an additional warranty. HP shall Applicable Products not be liable for technical or editorial errors or omissions ProCurve Switch 2900-24G (J9049A) contained herein. ProCurve Switch 2900-48G (J9050A)
Product manuals (all). Printed Publications The two publications listed below are printed and shipped with your switch. The latest version of each is also available in PDF format on the ProCurve Web site, as described in the above Note. ■...
Page 14
The two publications listed below support all of the switches covered by this manual except the ProCurve Series 2900 switches: ■ Command Line Interface Reference Guide—Provides a comprehensive description of CLI commands, syntax, and operations. Event Log Message Reference Guide—Provides a comprehensive descrip- ■...
IPv6 Command Index This index provides a tool for locating descriptions of individual IPv6 com- mands covered in this guide. N o t e A link-local address must include %vlan< vid > without spaces as a suffix. For example: fe80::110:252%vlan20 The index begins on the next page.
It describes how to use the command line interface (CLI) to configure, manage, monitor, and troubleshoot switch operation. For an overview of other product documentation for the above switches, refer to “Product Doc- umentation” on page ix. You can download documentation from the ProCurve Networking web site, www.procurve.com. Conventions This guide uses the following conventions for command syntax and displayed information.
In the default configuration, your switch displays a CLI prompt similar to the following example: ProCurve 8212zl# To simplify recognition, this guide uses ProCurve to represent command prompts for all switch models. For example: ProCurve# (You can use the hostname command to change the text in the CLI prompt.) Screen Simulations Displayed Text.
N o t e For the latest version of all ProCurve switch documentation referred to below, including Release Notes covering recently added features, visit the ProCurve Networking web site at www.procurve.com, click on Technical support, and then click on Product Manuals (all).
Page 23
Getting Started Sources for More Information Advanced Traffic Management Guide—Use this guide for information on ■ topics such as: • VLANs: Static port-based and protocol VLANs, and dynamic GVRP VLANs • spanning-Tree: 802.1D (STP), 802.1w (RSTP), and 802.1s (MSTP) • meshing •...
Click on Technical support. Click on Product manuals. Click on the product for which you want to view or download a manual. If you need further information on ProCurve switch technology, visit the ProCurve Networking web site at: www.procurve.com Online Help...
Figure 1-4. Button for Web Browser Interface Online Help N o t e To access the online Help for the ProCurve web browser interface, you need either ProCurve Manager (version 1.5 or greater) installed on your network or an active connection to the World Wide Web. Otherwise, Online help for the...
To Set Up and Install the Switch in Your Network To Set Up and Install the Switch in Your Network Use the ProCurve Installation and Getting Started Guide (shipped with the switch) for the following: ■ Notes, cautions, and warnings related to installing and using the switch and its related modules ■...
Introduction to IPv6 Migrating to IPv6 IPv6 Propagation IPv6 is currently in the early stages of deployment worldwide, involving a phased-in migration led by the application of basic IPv6 functionality. In these applications, IPv6 traffic is switched among IPv6-capable devices on a given LAN, and routed between LANs using IPv6-capable routers.
Introduction to IPv6 Migrating to IPv6 Connecting to Devices Supporting IPv6 Over IPv4 Tunneling The switches covered by this guide can interoperate with IPv6/IPv4 devices capable of tunneling IPv6 traffic across an IPv4 infrastructure. Some examples include: traffic between IPv6/IPv4 routers(router/router) ■...
Introduction to IPv6 Use Model Use Model Adding IPv6 Capability IPv6 was designed by the Internet Engineering Task Force (IETF) to improve on the scalability, security, ease of configuration, and network management capabilities of IPv4. IPv6 provides increased flexibility and connectivity for existing networked devices, addresses the limited address availability inherent in IPv4, and the infrastructure for the next wave of Internet devices, such as PDAs, mobile phones and appliances.
K.13.01. Configuration and Management This section outlines the configurable management features supporting IPv6 operation on your ProCurve IPv6-ready switch. Management Features Software release K.13.01 provides host-based IPv6 features that enable the switches covered in this guide to be managed from an IPv6 management station and to operate in both IPv6 and IPv4/IPv6 network environments.
Introduction to IPv6 Configuration and Management and the interface identifier currently in use in the link-local address. Having a global unicast address and a connection to an IPv6- aware router enables IPv6 traffic on a VLAN to be routed to other VLANs supporting IPv6-aware devices. (Using software release K.13.01, an external, IPv6- aware router is required to forward traffic between VLANs.) Multiple, global unicast addresses can be configured on a VLAN that receives...
Introduction to IPv6 Configuration and Management N o t e In IPv6 for the switches covered in this guide, the default route cannot be statically configured. Also, DHCPv6 does not include default route configura- tion.) Refer to “Default IPv6 Router” on page 4-28 and “View IPv6 Gateway, Route, and Router Neighbors ”...
Introduction to IPv6 Configuration and Management IPv6 Management Features The switch's IPv6 management features support operation in an environment employing IPv6 servers and management stations.With a link to a properly configured IPv6 router, switch management extends to routed traffic solu- tions.
Telnet and is also used for secure file transfers (SFTP and SCP). Software release K.13.01 with SSHv2 on IPv6 extends to IPv6 devices the SSH functionality that has been previously available on ProCurve switches running IPv4. This means that SSH version 2 connections are...
Introduction to IPv6 Configurable IPv6 Security supported between the switch and IPv6 management stations when SSH on the switch is also configured for IPv6 operation. The switch now offers these SSHv2 connection types: ■ IPv6 only IPv4 only ■ IPv4 or IPv6 ■...
Introduction to IPv6 Diagnostic and Troubleshooting C a u t i o n The Authorized IP Managers feature does not protect against unauthorized station access through a modem or direct connection to the Console (RS-232) port. Also, if an unauthorized station “spoofs” an authorized IP address, then the unauthorized station cannot be blocked by the Authorized IP Managers feature, even if a duplicate IP address condition exists.
Introduction to IPv6 Diagnostic and Troubleshooting Domain Name System (DNS) Resolution This feature enables resolving a host name to an IPv6 address and the reverse, and takes on added importance over its IPv4 counterpart due to the extended length of IPv6 addresses. With DNS-compatible commands, CLI command entry becomes easier for reaching a device whose IPv6 address is configured with a host name counterpart on a DNS server.
Introduction to IPv6 IPv6 Scalability SNMP When IPv6 is enabled on a VLAN interface, you can manage the switch from a network management station configured with an IPv6 address. Refer to “SNMP Management for IPv6” on page 5-20. Loopback Address Like the IPv4 loopback address, the IPv6 loopback address (::1) can be used by the switch to send an IPv6 packet to itself.
Introduction to IPv6 Path MTU (PMTU) Discovery Path MTU (PMTU) Discovery IPv6 PMTU operation is managed automatically by the IPv6 nodes between the source and destination of a transmission. For Ethernet frames, the default MTU is 1500 bytes. If a router on the path cannot forward the default MTU size, it sends an ICMPv6 message (PKT_TOO_BIG) with the recommended MTU to the sender of the frame.
IPv6 Addressing Introduction Introduction IPv6 supports multiple addresses on an interface, and uses them in a manner comparable to subnetting an IPv4 VLAN. For example, where the switch is configured with multiple VLANs and each is connected to an IPv6 router, each VLAN will have a single link-local address and one or more global unicast addresses.
IPv6 Addressing IPv6 Address Structure and Format An IPv6 address includes a network prefix and an interface identifier. Network Prefix The network prefix (high-order bits) in an IPv6 address begins with a well- known, fixed prefix for defining the address type. Some examples of well- known, fixed prefixes are: 2000::/3global (routable) unicast address fd08::/8 unique local unicast address...
IPv6 Addressing IPv6 Addressing Options IPv6 Addressing Options IPv6 Address Sources IPv6 addressing sources provide a flexible methodology for assigning addresses to VLAN interfaces on the switch. Options include: ■ stateless IPv6 autoconfiguration on VLAN interfaces includes: • link-local unicast addresses •...
Page 48
IPv6 Addressing IPv6 Addressing Options Stateful Address Autoconfiguration. This method allows use of a DHCPv6 server to automatically configure IPv6 addressing on a host in a manner similar to stateful IP addressing with a DHCPv4 server. For software release K.13.01, a DHCPv6 server can provide routable IPv6 addressing and NTP (timep) server addresses.
IPv6 Addressing IPv6 Address Sources servers. These lifetimes cannot be reset using control from the switch console or SNMP methods. Refer to “Preferred and Valid Address Lifetimes” on page 3- Stateful (DHCPv6) Address Configuration Stateful addresses are defined by a system administrator or other authority, and automatically assigned to the switch and other devices through the Dynamic Host Configuration Protocol (DHCPv6).
IPv6 Addressing IPv6 Address Sources Static Address Configuration Generally, static address configuration should be used when you want specific, non-default addressing to be assigned to a VLAN interface. For IPv6, DHCP use is indicated for conditions such as the following: ■...
IPv6 Addressing Address Types and Scope Address Types and Scope Address Types IPv6 uses these IP address types: Unicast: Identifies a specific IPv6 interface. Traffic having a unicast ■ destination address is intended for a single interface. Like IPv4 addresses, unicast addresses can be assigned to a specific VLAN on the switch and to other IPv6 devices connected to the switch.
IPv6 Addressing Address Types and Scope Address Scope The address scope determines the area (topology) in which a given IPv6 address is used. This section provides an overview of IPv6 address types. For more information, refer to the chapter titled “IPv6 Addressing”. Link-Local Address.
Page 54
IPv6 Addressing Address Types and Scope In binary notation, the fixed prefix for link-local prefixes is: 1111 1110 10 = fe80/10 For more on link-local addresses, refer to “Link-Local Unicast Address” on page 3-13. Routable Global Unicast Prefix. This well-known 3-bit fixed-prefix indi- cates a routable address used to identify a device on a VLAN interface that is accessible by routing from multiple networks.
IPv6 Addressing Link-Local Unicast Address Other Prefix Types. There are other designated global unicast prefixes such as those for the following address types: ■ RFC 4380: “Teredo: Tunneling IPv6 over UDP” RFC 3056: “Connection of IPv6 Domains via IPv4 Clouds” ■...
IPv6 Addressing Link-Local Unicast Address Because all VLANs configured on the switch use the same MAC address, all automatically generated link-local addresses on the switch will have the same link-local address. However, since the scope of a link-local address includes only the VLAN on which it was generated, this should not be a problem.
IPv6 Addressing Link-Local Unicast Address MAC Address IPv6 I/F Identifier Full Link-Local Unicast Address 00-15-60-7a-ad-c0 215:60ff:fe7a:adc0 fe80::215:60ff:fe7a:adc0/64 09-c1-8a-44-b4-9d 11c1:8aff:fe44:b49d fe80::11c1:8aff:fe44:b49d/64 00-1a-73-5a-7e-57 21a:73ff:fe5a:7e57 fe80::21a:73ff:fe5a:7e57/64 The EUI method of generating a link-local address is automatically imple- mented on the switches covered by this guide when IPv6 is enabled on a VLAN interface.
IPv6 Addressing Global Unicast Address Global Unicast Address A global unicast address is required for unicast traffic to be routed across VLANs within an organization as well as across the public internet. To support subnetting, a VLAN can be configured with multiple global unicast addresses. Any of the following methods can be used to configure this kind of address on a VLAN: ■...
IPv6 Addressing Global Unicast Address generate a link-local address on the VLAN as described in the preceeding ■ section (page 3-13). ■ transmit a router solicitation on the VLAN, and to listen for advertise- ments from any IPv6 routers on the VLAN. For each unique router advertisement (RA) the switch receives from any router(s), the switch configures a unique, global unicast address.
IPv6 Addressing Global Unicast Address Prefixes in Routable IPv6 Addresses In routable IPv6 addresses, the prefix uniquely identifies an entity and a unicast subnet within that entity, and is defined by a length value specifying the number of leftmost contiguous (high-order) bits comprising the prefix. For an automatically generated global unicast address, the default prefix length is 64 bits.
IPv6 Addressing Unique Local Unicast IPv6 Address Unique Local Unicast IPv6 Address A unique local unicast address is an address that falls within a specific range, but is used only as a global unicast address within an organization. Traffic having a source address within the defined range should not be allowed beyond the borders of the intended domain or onto the public internet.
IPv6 Addressing Anycast Addresses Anycast Addresses Network size, traffic loads and the potential for network changes make it desirable to build in redundancy for some network services to provide increased service reliability. Anycast addressing provides this capability for applications where it does not matter which source is actually used to provide a service that is offered on multiple sources.
IPv6 Addressing Multicast Application to IPv6 Addressing For related information, refer to: ■ RFC 4291: “IP Version 6 Addressing Archetecture” ■ RFC 2526: “Reserved IPv6 Subnet Anycast Addresses” Multicast Application to IPv6 Addressing Multicast is used to reduce traffic for applications that have more than one recipient for the same data.
IPv6 Addressing Multicast Application to IPv6 Addressing For information on Multicast Listener Discovery (MLD) refer to the chapter titled “Multicast Listener Discovery (MLD) Snooping”. When MLD is enabled on an interface, you can use show ipv6 mld [ vlan < vid >] to list the active multicast group activity the switch has detected per interface from other devices.
IPv6 Addressing Multicast Application to IPv6 Addressing multicast scope: Bits 13-16 set boundaries on multicast traffic distribu- ■ tion, such as the interface defined by the link-local unicast address of an area, or the network boundaries of an organization. Because IPv6 uses multicast technology in place of the broadcast technology used in IPv4, the multicast scope field also controls the boundaries for broadcast-type traffic sent in multicast packets.
IPv6 loopback address is never used as the source IPv6 address for any packet that is sent out of a device, and the switch drops any traffic it receives with a loopback address destination. An example use case is: ProCurve# ping6 ::1 0000:0000:0000:0000:0000:0000:0000:0001 is alive, time = 1 ms 3-24...
IPv6 Addressing The Unspecified Address The Unspecified Address The “unspecified” address is defined as 0.0.0.0.0.0.0.0 (::/128, or just ::). It can be used, for example, as a temporary source address in multicast traffic sent by an interface that has not yet acquired its own address. The unspecified address cannot be statically configured on the switch, or used as a destination address.
Page 68
IPv6 Addressing IPv6 Address Deprecation N o t e s Preferred and valid lifetimes on a VLAN interface are determined by the router advertisements received on the interface. These values are not affected by the lease time assigned to an address by a DHCPv6 server. That is, lease expiration on a DHCPv6-assigned address terminates use of the address, regardless of the status of the RA-assigned lifetime, and router-assigned lifetime expiration of a leased address terminates the switch’s use of the address.
IPv6 Addressing Configuration General Configuration Steps General Configuration Steps The IPv6 configuration on switches running software release K.13.01 includes global and per-VLAN settings. This section provides an overview of the general configuration steps for enabling IPv6 on a given VLAN and can be enabled by any one of several commands.
IPv6 Addressing Configuration Configuring IPv6 Addressing If needed, statically configure IPv6 unicast addressing on the VLAN interface as needed. This can include any of the following: • statically replacing the automatically generated link-local address • statically adding global unicast, unique local unicast, and/or anycast addresses Configuring IPv6 Addressing In the default configuration on a VLAN, any one of the following commands...
IPv6 Addressing Configuration Enabling IPv6 with an Automatically Configured Link-Local Address Enabling IPv6 with an Automatically Configured Link-Local Address This command enables automatical configuration of a link-local address . Syntax: [no] ipv6 enable If IPv6 has not already been enabled on a VLAN by another IPv6 command option described in this chapter, this command enables IPv6 on the VLAN and automatically configures the VLAN's link-local unicast address with a 64-bit EUI-64 inter-...
IPv6 Addressing Configuration Enabling Automatic Configuration of a Global Unicast Address and a Default Router Identity on a VLAN Enabling Automatic Configuration of a Global Unicast Address and a Default Router Identity on a VLAN Enabling autoconfig or rebooting the switch with autoconfig enabled on a VLAN causes the switch to configure IPv6 addressing on the VLAN using router advertisements and an EUI-64 interface identifier (page 3-14).
IPv6 Addressing Configuration Enabling Automatic Configuration of a Global Unicast Address and a Default Router Identity on a VLAN — Continued from the previous page. — After verification of uniqueness by DAD, an IPv6 address assigned to a VLAN by autoconfiguration is set to the preferred and valid lifetimes specified by the RA used to generate the address, and is configured as a preferred address.
IPv6 Addressing Configuration Enabling DHCPv6 Enabling DHCPv6 Enabling the DHCPv6 option on a VLAN allows the switch to obtain a global unicast address and an NTP (network time protocol) server assignment for a Timep server. (If a DHCPv6 server is not needed to provide a global unicast address to a switch interface, the server can still be configured to provide the NTP server assignment.
IPv6 Addressing Configuration Enabling DHCPv6 — Continued from the previous page. — After verification of uniqueness by DAD, an IPv6 address assigned to the VLAN by an DHCPv6 server is set to the preferred and valid lifetimes specified in a router advertise- ment received on the VLAN for the prefix used in the assigned address, and is configured as a preferred address.
IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN DHCPv6 and statically configured global unicast or anycast addresses are ■ mutually exclusive on a given VLAN. That is, configuring DHCPv6 on a VLAN erases any static global unicast or anycast addresses previously configured on that VLAN, and the reverse.
IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN Statically Configuring a Link-Local Unicast Address Syntax: [no] ipv6 address fe80::< device-identifier > link-local If IPv6 is not already enabled on the VLAN, this command ■ enables IPv6 and configures a static link-local address. ■...
IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN Statically Configuring A Global Unicast Address Syntax:. [no] ipv6 address < network-prefix><device-id >/< prefix-length > [no] ipv6 address < network-prefix>::/< prefix-length > eui-64 If IPv6 is not already enabled on a VLAN, either of these command options do the following: ■...
IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN Operating Notes With IPv6 enabled, the switch determines the default IPv6 router for the ■ VLAN from the router advertisements it receives. (Refer to “Router Access and Default Router Selection” on page 4-27.) ■...
Page 83
IPv6 Addressing Configuration Configuring a Static IPv6 Address on a VLAN Syntax:. [no] ipv6 address < network-prefix >< device-identifier >/< prefix-length > anycast If IPv6 is not already enabled on a VLAN, this command option does the following: enables IPv6 on the VLAN ■...
IPv6 Addressing Configuration Disabling IPv6 on a VLAN Duplicate Address Detection (DAD) for Statically Configured Addresses Statically configured IPv6 addresses are designated as permanent. If DAD determines that a statically configured address duplicates a previously config- ured and reachable address on another device belonging to the VLAN, then the more recent, duplicate address is designated as duplicate.
IPv6 Addressing Configuration Neighbor Discovery (ND) Neighbor Discovery (ND) Neighbor Discovery (ND) is the IPv6 equivalent of the IPv4 ARP for layer 2 address resolution, and uses IPv6 ICMP messages to do the following: Determine the link-layer address of neighbors on the same VLAN inter- ■...
IPv6 Addressing Configuration Duplicate Address Detection (DAD) N o t e : Neighbor and router solicitations must originate on the same VLAN as the receiving device. To support this operation, IPv6 is designed to discard any incoming neighbor or router solicitation that does not have a value of 255 in the IP Hop Limit field.
IPv6 Addressing Configuration Duplicate Address Detection (DAD) that includes its link-local address. If the newly configured address is from a static or DHCPv6 source and is found to be a duplicate, it is labelled as duplicate in the “Address Status” field of the show ipv6 command, and is not used.
IPv6 Addressing Configuration Duplicate Address Detection (DAD) Operating Notes A verified link-local unicast address must exist on a VLAN interface before ■ the switch can run DAD on other addresses associated with the interface. ■ If a previously configured unicast address is changed, a neighbor adver- tisement (an all-nodes multicast message--ff02::1) is sent to notify other devices on the VLAN and to perform duplicate address detection.
IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration Use these commands to view the current status of the IPv6 configuration on the switch. Syntax: show ipv6 Lists the current, global IPv6 settings and per-VLAN IPv6 addressing on the switch.
Page 90
IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration Address Origin: Autoconfig: The address was configured using stateless ■ address autoconfiguration (SLAAC). In this case, the device identifier for global unicast addresses copied from the current link-local unicast address. DHCP: The address was assigned by a DHCPv6 server. Note ■...
Page 91
IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration ProCurve(config)# show ipv6 Internet (IPv6) Service IPv6 Routing : Disabled Default Gateway : 10.0.9.80 ND DAD : Enabled DAD Attempts Vlan Name : DEFAULT_VLAN IPv6 Status : Disabled Vlan Name : VLAN10...
Page 92
IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration DAD Attempts: Indicates the number of neighbor solicita- ■ tions the switch transmits per-address for duplicate (IPv6) address detection. Implemented when a new address is configured or when an interface with config- ured addresses comes up (such as after a reboot).
Page 93
IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration ProCurve(config)# show ipv6 vlan 10 Internet (IPv6) Service IPv6 Routing : Disabled Default Gateway : 10.0.9.80 ND DAD : Enabled DAD Attempts Vlan Name : VLAN10 IPv6 Status : Enabled IPv6 Address/Prefixlength...
Page 94
IPv6 Addressing Configuration View the Current IPv6 Addressing Configuration ProCurve(config)# show run Running configuration: vlan 10 name "VLAN10" Statically configured IPv6 addresses untagged A1-A12 appear in the show run output. ipv6 address fe80::127 link-local ipv6 address 2001:db8::127/64 ipv6 address 2001:db8::15:101/64 anycast...
IPv6 Addressing Configuration Router Access and Default Router Selection Router Access and Default Router Selection Routing traffic between destinations on different VLANs configured on the switch or to a destination on an off-switch VLAN is done by placing the switch on the same VLAN interface or subnet as an IPv6-capable router configured to route traffic to other IPv6 interfaces or to tunnel IPv6 traffic across an IPv4 network.
IPv6 Addressing Configuration Router Access and Default Router Selection N o t e If the switch does not receive a router advertisement after sending the router solicitations, as described above, then no further router solicitations are sent on that VLAN unless a new IPv6 setting is configured, IPv6 on the VLAN is disabled, then re-enabled, or the VLAN itself is disconnected, then recon- nected.
IPv6 Addressing Configuration View IPv6 Gateway, Route, and Router Neighbors View IPv6 Gateway, Route, and Router Neighbors Use these commands to view the switch's current routing table content and connectivity to routers per VLAN. This includes information received in router advertisements from IPv6 routers on VLANs enabled with IPv6 on the switch.
IPv6 Addressing Configuration View IPv6 Gateway, Route, and Router Neighbors ProCurve(config)# show ipv6 route IPv6 Route Entries “Unknown” Address Dest : ::/0 Type : static Gateway : fe80::213:c4ff:fedd:14b0%vlan10 Dist. : 40 Metric : 0 Dest : ::1/128 Type : connected...
Page 99
VLAN as is indicated in the Interface field. For example, figure 4-5 indicates that the switch is receiving router advertise- ments from a single router that exists on VLAN 10. ProCurve(config)# show ipv6 routers IPv6 Router Table Entries Router Address : fe80::213:c4ff:fedd:14b0...
IPv6 Addressing Configuration Address Lifetimes Address Lifetimes Every configured IPv6 unicast and anycast address has a lifetime setting that determines how long the address can be used before it must be refreshed or replaced. Some addresses are set as “permanent” and do not expire. Others have both a “preferred”...
Page 101
IPv6 Addressing Configuration Address Lifetimes Table 4-1. IPv6 Unicast Addresses Lifetimes Address Source Lifetime Criteria Link-Local Permanent Statically Configured Unicast or Anycast Permanent Autoconfigured Global Finite Preferred and Valid Lifetimes DHCPv6-Configured Finite Preferred and Valid Lifetimes A new, preferred address used as a replacement for a deprecated address can be acquired from a manual, DHCPv6, or autoconfiguration source.
IPv6 Management Features Introduction Introduction Feature Default Neighbor Cache 5-3, 5-5 Telnet6 Enabled 5-6, 5-7, 5-8 SNTP Address None 5-10 Timep Address None 5-13 TFTP 5-15 SNMP Trap Receivers None 5-21 This chapter focuses on the IPv6 application of management features in software release K.13.01 that support both IPv6 and IPv4 operation.
IPv6 Management Features Viewing and Clearing the IPv6 Neighbors Cache Viewing the Neighbor Cache Neighbor discovery occurs when there is communication between IPv6 devices on a VLAN. The Neighbor Cache retains data for a given neighbor until the entry times out. For more on this topic, refer to “Neighbor Discovery (ND)” on page 4-17.
Page 106
001279-88a100 REACH local fe80::10:27 001560-7aadc0 REACH dynamic A3 fe80::213:c4ff:fedd:14b0 0013c4-dd14b0 REACH dynamic A1 Figure 5-1. Example of Neighbor Cache Without Specifying a VLAN ProCurve(config)# show ipv6 neighbor vlan 10 IPv6 ND Cache Entries IPv6 Address MAC Address State Age Port...
(Local IPv6 addresses, that is, IPv6 addresses configured on the VLAN interface for the switch on which the command is executed, are not removed.) Removed addresses are listed in the command output. ProCurve(config)# clear ipv6 neighbors 2001:db8:260:212::1%vlan10 deleted fe80:::10:27%vlan10 deleted fe80::213:c4ff:fedd:14b0%vlan10 deleted...
VLAN interface (VLAN 10), you would use the following command: ProCurve(config)# telnet fe80::215:60ff:fe79:980%vlan10 If the switch is receiving router advertisements from an IPv6 default gateway router, you can Telnet to a device on the same VLAN or another VLAN or subnet by using its global unicast address.
To: The destination of the outbound session, if in use. For example, the following figure shows that the switch is running one outbound, IPv4 session and is being accessed by two inbound sessions. ProCurve# show telnet Telnet Activity -------------------------------------------------------- Session...
Telnet4 access is no telnet-server.) For example, to disable Telnet6 access to the switch, you would use this com- mand: ProCurve(config)# no telnet6-server Viewing the Current Inbound Telnet6 Configuration Syntax: show console This command shows the current configuration of IPv4 and IPv6 inbound telnet permissions, as well as other informa- tion.
IPv6 Management Features SNTP and Timep SNTP and Timep Configuring (Enabling or Disabling) the SNTP Mode Software release K.13.01 enables configuration of a global unicast address for IPv6 SNTP time server. This section lists the SNTP and related commands, including an example of using an IPv6 address.
IPv6 Management Features SNTP and Timep Configuring an IPv6 Address for an SNTP Server N o t e To use a global unicast IPv6 address to configure an IPv6 SNTP time server on the switch, the switch must be receiving advertisements from an IPv6 router on a VLAN configured on the switch.
Page 113
■ as the priority “1” and “2” SNTP servers, respectively, using version 7, you would enter these commands at the global config level, as shown below. ProCurve(config)# sntp server priority 1 fe80::215:60ff:fe7a:adc0%vlan10 7 ProCurve(config)# sntp server priority 2 2001:db8::215:60ff:fe79:8980 7...
IPv6 Management Features SNTP and Timep For example, the show sntp output for the preceeding sntp server command example would appear as follows: ProCurve(config)# show sntp SNTP Configuration This example illustrates the command output when both IPv6 and IPv4 server Time Sync Mode: Sntp addresses are configured.
Page 115
IPv6 Management Features SNTP and Timep ip timep manual < ipv6-addr > Enable Timep operation with a statically configured [ interval < 1 - 9999 >] IPv6 address for a Timep server. Optionally change the interval between time requests. no ip timep Disables Timep operation.
Page 116
IPv6 Management Features SNTP and Timep ProCurve(config)# ip timep manual fe80::215:60ff:fe7a:adc0%vlan10 N o t e In the preceeding example, using a link-local address requires that you specify the local scope for the address; VLAN 10 in this case. This is always indicated by %vlan followed immediately (without spaces) by the VLAN identifier.
IPv6 Management Features TFTP File Transfers Over IPv6 TFTP File Transfers Over IPv6 TFTP File Transfers over IPv6 You can use TFTP copy commands over IPv6 to upload, or download files to and from a physically connected device or a remote TFTP server, including: ■...
IPv6 Management Features TFTP File Transfers Over IPv6 Enabling TFTP for IPv6 TFTP for IPv6 is enabled by default on the switch. However, if it is disabled, you can re-enable it by specifying TFTP client or server functionality with the tftp6 <client | server>...
IPv6 Management Features TFTP File Transfers Over IPv6 Using TFTP to Copy Files over IPv6 Use the TFTP copy commands described in this section to: ■ Download specified files from a TFTP server to a switch on which TFTP client functionality is enabled. ■...
Page 120
IPv6 Management Features TFTP File Transfers Over IPv6 flash < primary | secondary >: Copies a software file stored ■ on a remote host to primary or secondary flash memory on the switch. To run a newly downloaded software image, enter the reload or boot system flash command. pub-key-file: Copies a public-key file to the switch.
IPv6 Management Features TFTP File Transfers Over IPv6 < ipv6-addr >: If this is a link-local address, use this IPv6 address format: fe80::< device-id >%vlan< vid > For example: fe80::123%vlan10 If this is a global unicast or anycast address, use this IPv6 format: <...
As with SNMP for IPv4, you can manage a switch via SNMP from an IPv6- based network management station by using an application such as ProCurve Manager (PCM) or ProCurve Manager Plus (PCM+). (For more on PCM and PCM+, go to the ProCurve Networking web site at www.procurve.com.)
IPv6 Management Features SNMP Management for IPv6 SNMP Configuration Commands Supported IPv6 addressing is supported in the following SNMP configuration commands: For more information on each SNMP configuration procedure, refer to the “Configuring for Network Management Applications” chapter in the current Management and Configuration Guide for your switch.
Page 124
(including the IPv4 or IPv6 address) that can receive SNMPv1 and SNMPv2c traps, and the source IP (interface) address used in IP headers when sending SNMP notifications (traps and informs) or responses to SNMP requests. ProCurve(config)# show snmp-server SNMP Communities Community Name MIB View Write Access...
IP Preserve for IPv6 The show snmpv3 targetaddress command displays the configuration (including the IPv4 or IPv6 address) of the SNMPv3 management stations to which notification messages are sent. ProCurve(config)# show snmpv3 targetaddress snmpTargetAddrTable [rfc2573] Target Name IP Address Parameter ------------------------- ---------------------- --------------------------- 15.29.17.218...
Page 126
IPv6 Management Features IP Preserve for IPv6 ; J8697A Configuration Editor; Created on release #K.13.01 hostname "ProCurve" time daylight-time-rule None Entering an ip preserve statement as the last line in a configuration file stored on a TFTP server allows you to download and execute the file as the startup-config file on an IPv6 switch.
Page 127
Figure 5-11. Configuration File with Dedicated IP Addressing After Startup with IP Preserve For more information on how to use the IP Preserve feature, refer to the “Configuring IP Addressing” chapter in the current Management and Config- uration Guide for your ProCurve switch. 5-25...
Page 128
IPv6 Management Features IP Preserve for IPv6 5-26...
IPv6 Management Security Features IPv6 Management Security IPv6 Management Security This chapter describes management security features that are IPv6 counter- parts of IPv4 management security features on the switches covered by this guide. Feature Default configure authorized IP disabled managers for IPv6 configuring secure shell for IPv6 disabled 6-15...
IPv6 Management Security Features Authorized IP Managers for IPv6 Authorized IP Managers for IPv6 The Authorized IP Managers feature uses IP addresses and masks to deter- mine which stations (PCs or workstations) can access the switch through the network. This feature supports switch access through: ■...
Page 132
IPv6 Management Security Features Authorized IP Managers for IPv6 You configure each authorized manager address with Manager or Opera- ■ tor-level privilege to access the switch in a Telnet, SNMPv1, or SNMPv2c session. (Access privilege for SSH, SNMPv3, and web browser sessions are configured through the access application, not through the Authorized IP Managers feature.) •...
IPv6 Management Security Features Authorized IP Managers for IPv6 Configuring Authorized IP Managers for Switch Access To configure one or more IPv6-based management stations to access the switch using the Authorized IP Managers feature, enter the ipv6 authorized- managers command Syntax: ipv6 authorized-managers <ipv6-addr>...
IPv6 Management Security Features Authorized IP Managers for IPv6 N o t e s If you do not enter a value for the ipv6-mask parameter when you configure an authorized IPv6 address, the switch automatically uses FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF as the default mask (see “Configuring Authorized IP Managers for Switch Access”...
Page 135
IPv6 Management Security Features Authorized IP Managers for IPv6 Conversely, in a mask, a “0” binary bit means that either the “on” or “off” setting of the corresponding IPv6 bit in an authorized address is valid and does not have to match the setting of the same bit in the specified IPv6 address. Figure 6-2 shows the binary expressions represented by individual hexadeci- mal values in an ipv6-mask parameter.
Page 136
IPv6 Management Security Features Authorized IP Managers for IPv6 Example. Figure 6-3 shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The mask is: FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC. Manager- or Operator-Level Access Block Block Block...
Page 137
IPv6 Management Security Features Authorized IP Managers for IPv6 to 0 (“off”) and allow the corresponding bits in an authorized IPv6 address to be either “on” or “off”. As a result, only the four IPv6 addresses shown in Figure 6-5 are allowed access. Block Block Block...
Page 138
IPv6 Management Security Features Authorized IP Managers for IPv6 Each authorized station has the same 64-bit device ID (244:17FF:FEB6:D37D) ■ because the value of the last four blocks in the mask is FFFF (binary value 1111 1111). FFFF requires all bits in each corresponding block of an authorized IPv6 address to have the same “on”...
Page 139
IPv6 Management Security Features Authorized IP Managers for IPv6 Figure 6-7 shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside. FFF8 in the fourth block of the mask means that bits 3 - 15 of the block are fixed and, in an authorized IPv6 address, must correspond to the “on”...
Authorized IP Managers for IPv6 Displaying an Authorized IP Managers Configuration Use the show ipv6 authorized-managers command to list the IPv6 stations authorized to access the switch; for example: ProCurve# show ipv6 authorized-managers IPv6 Authorized Managers --------------------------------------- Address : 2001:db8:0:7::5...
IPv6 mask. Also, if you do not specify an access value to grant either Manager- or Operator-level access, by default, the switch assigns Man- ager access. For example: ProCurve# ipv6 authorized-managers 2001:db8::a8:1c:e3:69 ProCurve# show ipv6 authorized-managers IPv6 Authorized Managers...
Page 142
ProCurve(config)# ipv6 authorized-managers 2001:db8::a05b:17ff:fec5:3f61 Deleting an Authorized IP Manager Entry. Enter only the IPv6 address of the configured authorized IP manager station that you want to delete with the no form of the command; for example: ProCurve(config)# no ipv6 authorized-managers 2001:db8::231:17ff:fec5:3e61 6-14...
IPv6 Management Security Features Secure Shell for IPv6 Secure Shell for IPv6 The Secure Shell (SSH) for IPv6 feature provides the same Telnet-like func- tions through encrypted, authenticated transactions as SSH for IPv4. SSH for IPv6 provides CLI (console) access and secure file transfer functionality. The following types of transactions are supported: Client public-key authentication ■...
Page 144
IPv6 Management Security Features Secure Shell for IPv6 Syntax:. [no] ip ssh Enables SSH on the switch and activates the connection with a configured SSH server (RADIUS or TACACS+). To disable SSH on the switch, enter the no ip ssh com- mand.
To verify an SSH for IPv6 configuration and display all SSH sessions running on the switch, enter the show ip ssh command. Information on all current SSH sessions (IPv4 and IPv6) is displayed. ProCurve(config)# show ip ssh SSH enabled : Yes Displays the current SSH configuration and status.
SCP and SFTP run over an encrypted SSH session allowing you to use a secure SSH tunnel to: ■ Transfer files and update ProCurve software images. Distribute new software images with automated scripts that make it easier ■ to upgrade multiple switches simultaneously and securely.
Multicast Listener Discovery (MLD) Snooping Overview Overview Multicast addressing allows one-to-many or many-to-many communication among hosts on a network. Typical applications of multicast communication include audio and video streaming, desktop conferencing, collaborative com- puting, and similar applications. Multicast Listener Discovery (MLD) is an IPv6 protocol used on a local link for multicast group management.
Multicast Listener Discovery (MLD) Snooping Introduction to MLD Snooping Introduction to MLD Snooping There are several roles that network devices may play in an IPv6 multicast environment: ■ MLD host—a network node that uses MLD to “join” (subscribe to) one or more multicast groups multicast router—a router that routes multicast traffic between sub- ■...
Page 150
Multicast Listener Discovery (MLD) Snooping Introduction to MLD Snooping General operation. Multicast communication can take place without MLD, and by default MLD is disabled. In that case, if a switch receives a packet with a multicast destination address, it floods the packet to all ports in the same VLAN (except the port that it came in on).
Page 151
Multicast Listener Discovery (MLD) Snooping Introduction to MLD Snooping Note that MLD snooping operates on a single VLAN (though there can be multiple VLANs, each running MLD snooping). Cross-VLAN traffic is handled by a multicast router. Forwarding in MLD snooping. When MLD snooping is active, a multicast packet is handled by the switch as follows: ■...
Page 152
MLD hosts to multicast queries, and forward or block multicast traffic accordingly. All of the ProCurve switches described by this guide have the querier function enabled by default. If there is another device on the VLAN that is already acting as querier, the switch defers to that querier.
Page 153
Multicast Listener Discovery (MLD) Snooping Introduction to MLD Snooping Fast leaves and forced fast leaves. The fast leave and forced fast leave functions can help to prune unnecessary multicast traffic when an MLD host issues a leave request from a multicast address. Fast leave is enabled by default and forced fast leave is disabled by default.
The [no] form of the command disables MLD snooping on a VLAN. MLD snooping is disabled by default. For example, to enable MLD snooping on VLAN 8: ProCurve# config ProCurve(config)# vlan 8 ProCurve(vlan-8)# ipv6 mld To disable MLD snooping on VLAN 8: ProCurve(vlan-8)# no ipv6 mld...
<port-list>—specifies the affected port or range of ports For example: ProCurve(vlan-8)# ipv6 mld forward a16-a18 ProCurve(vlan-8)# ipv6 mld blocked a19-a21 ProCurve(vlan-8)# show ipv6 mld vlan 8 config MLD Service Vlan Config VLAN ID : 8 VLAN NAME : VLAN8 MLD Enabled [No] : Yes...
For example, to disable the switch from acting as querier on VLAN 8: ProCurve(vlan-8)# no ipv6 mld querier To enable the switch to act as querier on VLAN 8: ProCurve(vlan-8)# ipv6 mld querier Configuring Fast Leave Syntax: [no] ipv6 mld fastleave <port-list>...
Multicast Listener Discovery (MLD) Snooping Configuring MLD For example, to disable fast leave on ports in VLAN 8: ProCurve(vlan-8)# no ipv6 mld fastleave a14-a15 To enable fast leave on ports in VLAN 8: ProCurve(vlan-8)# ipv6 mld fastleave a14-a15 Configuring Forced Fast Leave Syntax: [no] ipv6 mld forcedfastleave <port-list>...
Displays MLD status for the specified VLAN vid—VLAN ID For example, a switch with MLD snooping configured on VLANs 8 and 9 might show the following information: ProCurve# show ipv6 mld MLD Service Protocol Info Total vlans with MLD enabled Current count of multicast groups joined...
Page 160
Multicast Listener Discovery (MLD) Snooping Displaying MLD Status and Configuration The following information is shown for each VLAN that has MLD snooping enabled: ■ VLAN ID number and name Querier address: IPv6 address of the device acting as querier for the VLAN ■...
Displays current MLD configuration for the specified VLAN, including per-port configuration information. vid—VLAN ID For example, the general form of the command might look like this: ProCurve# show ipv6 mld config MLD Service Config Control unknown multicast [Yes] : Yes...
Page 162
Multicast Listener Discovery (MLD) Snooping Displaying MLD Status and Configuration The specific form of the command might look like this: ProCurve# show ipv6 mld vlan 8 config MLD Service Vlan Config VLAN ID : 8 VLAN NAME : VLAN8 MLD Enabled [No] : Yes...
For example, the general form of the command is shown below. The specific form the the command is similar, except that it lists the port information for only the specified group. ProCurve# show ipv6 mld vlan 9 group MLD Service Protocol Group Info VLAN ID : 9...
Multicast Listener Discovery (MLD) Snooping Displaying MLD Status and Configuration The following information is shown: ■ VLAN ID and name ■ port information for each IPv6 multicast group address in the VLAN (general group command) or for the specified IPv6 multicast group address (specific group command): •...
Page 165
VLAN8 VLAN9 Figure 7-9. Example of MLD Statistics for All VLANs Configured And the specific form of the command: ProCurve# show ipv6 mld vlan 8 statistics MLD Statistics VLAN ID : 8 VLAN NAME : VLAN8 Number of Filtered Groups...
Displaying MLD Status and Configuration Counters Syntax: show ipv6 mld vlan <vid> counters Displays MLD counters for the specified VLAN vid—VLAN ID ProCurve# show ipv6 mld vlan 8 counters MLD Service Vlan Counters VLAN ID : 8 VLAN NAME : VLAN8 General Query Rx...
Page 167
Multicast Listener Discovery (MLD) Snooping Displaying MLD Status and Configuration The following information is shown: ■ VLAN number and name ■ For each VLAN: • number of general queries received • number of general queries sent • number of group-specific queries received •...
Page 168
Multicast Listener Discovery (MLD) Snooping Displaying MLD Status and Configuration 7-22...
IPv6 Diagnostic and Troubleshooting Introduction Introduction Feature Default IPv6 ICMP Message Interval and 100 ms Token Bucket 10 max tokens ping6 Enabled traceroute6 The IPv6 ICMP feature enables control over the error and informational message rate for IPv6 traffic, which can help mitigate the effects of a Denial- of-service attack.
Page 171
Use the show run command to view the current ICMP error interval settings. For example, the following command limits ICMP error and informational messages to no more than 20 every 1 second: ProCurve(config)# ipv6 icmp error-interval 1000000 bucket-size...
IPv6 Diagnostic and Troubleshooting Ping for IPv6 (Ping6) Ping for IPv6 (Ping6) The Ping6 test is a point-to-point test that accepts an IPv6 address or IPv6 host name to see if an IPv6 switch is communicating properly with another device on the same or another IP network.
Page 173
2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 3, time = 15 ms 3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) min/avg/max = 15/15/15 ProCurve# ping6 2001:db8::214:c2ff:fe4c:e480 repetitions 3 timeout 2 2001:db8:0000:0000:0214:c2ff:fe4c:e480 is alive, iteration 1, time = 15 ms 2001:db8:0000:0000:0214:c2ff:fe4c:e480 is alive, iteration 2, time = 10 ms...
IPv6 Diagnostic and Troubleshooting Traceroute for IPv6 Traceroute for IPv6 The traceroute6 command enables you to trace the route from a switch to a host device that is identified by an IPv6 address or IPv6 host name. In the command output, information on each (router) hop between the switch and the destination IPv6 address is displayed.
Page 175
IPv6 Diagnostic and Troubleshooting Traceroute for IPv6 Syntax: traceroute6 < ipv6-address | hostname > [minttl < 1-255 > [maxttl < 1-255 > [timeout < 1 - 60 >] [probes < 1-5 >] traceroute6 <link-local-address%vlan<vid> | hostname > [minttl < 1-255 >] [maxttl < 1-255 >] [timeout < 1 - 60 >] [probes < 1-5 >] Displays the IPv6 address of each hop in the route to the specified destination host device with the time (in microseconds) required for a packet reply to be received from...
Page 176
0 ms 1 ms 0 ms three probes sent to each router. Destination IPv6 address ProCurve# traceroute6 2001:db8::10 maxttl 7 traceroute to fe80::1:2:3:4 1 hop min, 7 hops max, 5 sec. timeout, 3 probes 2001:db8::a:1c:e3:3 0 ms 0 ms 0 ms...
IPv6 Diagnostic and Troubleshooting DNS Resolver for IPv6 DNS Resolver for IPv6 The Domain Name System (DNS) resolver is designed for local network domains where it enables use of a host name or fully qualified domain name to support DNS-compatible commands from the switch. Beginning with soft- ware release K.13.01,DNS operation supports these features: ■...
Page 178
Assume that the above, configured DNS server supports an IPv6 device having a host name of “mars-1” (and an IPv6 address of fe80::215:60ff:fe7a:adc0) in the “mygroup.procurve.net” domain. In this case you can use the device's host name alone to ping the device because the mygroup.procurve.net domain has...
= 1 ms Figure 8-1. Example of Configuring for a Local DNS Server and Pinging a Registered Device However, for the same “mars-1” device, if mygroup.procurve.net was not the configured domain name, you would have to use the fully qualified domain name for the device named mars-1: ProCurve# ping6 mars-1.mygroup.procurve.net...
IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 Debug/Syslog for IPv6 The Debug/System logging (Syslog) for IPv6 feature provides the same logging functions as the IPv4 version, allowing you to record IPv4 and IPv6 Event Log and debug messages on a remote device to troubleshoot switch or network operation.
IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 Debug Command Syntax: [no] debug < debug-type > Configures the types of IPv4 and IPv6 messages that are sent to Syslog servers or other debug destinations, where <debug-type > is any of the following event types: When a match occurs on an ACL “deny”...
Page 182
IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 Syntax:. [no] debug < debug-type > (Continued) ip [ ospf < adj | event | flood | lsa-generation | packet | retransmission | spf > ] Configures specified IPv4 OSPF message types to be sent to configured debug destinations: adj —...
IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 Configuring Debug Destinations A Debug/Syslog destination device can be a Syslog server (up to six maximum) and/or a console session: Use the debug destination < logging | session | buffer > command to enable ■...
IPv6 Diagnostic and Troubleshooting Debug/Syslog for IPv6 Logging Command Syntax: [no] logging < syslog-ipv4-addr > Enables or disables Syslog messaging to the specified IPv4 address. You can configure up to six addresses. If you config- ure an address when none are already configured, this com- mand enables destination logging (Syslog) and the Event debug type.
Page 185
Terminology DAD Duplicate Address Detection. Refer to “Duplicate Address Detection (DAD)” on page 4-18. Device Identifier The low-order bits in an IPv6 address that identify a specific device. For example, in the link-local address 2001:db8:a10:101:212:79ff:fe88:a100/64, the bits forming 212:79ff:fe88:a100 comprise the device identifier. DoS Denial-of-Service.
Page 190
single IPv6 link-local address on an network prefix … 3-4 interface … 3-13 one address per interface … 3-13 SNMP support … 2-15, 5-20 LLDP SNTP debug messages … 8-14 See SNTP server. local unicast address SSHv2 … 2-11 network prefix … 3-4 See also SSH.