HP 10500 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2209 Software version: Release 1201 and later Document version: 6W102-20130530...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Contents
Configuring ARP
Overview
ARP message format
ARP operation
ARP table
Configuring a static ARP entry
Configuring the maximum number of dynamic ARP entries for an interface
...
IP address classes
Special IP addresses
Subnetting and masking
Assigning an IP address to an interface
Configuration guidelines
Configuration procedure
Configuration example
...
Static IP address assignment configuration example
Dynamic IP address assignment configuration example
Self-defined option configuration example
Troubleshooting DHCP server configuration
Configuring the DHCP relay agent
Overview
...
IPv6 features
IPv6 addresses
IPv6 neighbor discovery protocol
IPv6 path MTU discovery
IPv6 transition technologies
Protocols and standards
IPv6 basics configuration task list
...
Configuration procedure
Setting the DSCP value for DHCPv6 packets
Displaying and maintaining the DHCPv6 relay agent
DHCPv6 relay agent configuration example
Network requirements
Configuration procedure
...
GRE over IPv6 tunnel configuration example
Troubleshooting GRE
Support and other resources
Contacting HP
Subscription service
Related information
Documents
...
Configuring ARP
This chapter describes how to configure the Address Resolution Protocol (ARP).
Overview
ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.
NOTE: You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see...
Host A looks through its ARP table for an ARP entry for Host B. If an entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.
Static ARP entry
A static ARP entry is manually configured and maintained.
Configuring the maximum number of dynamic ARP entries for an interface
An interface can dynamically learn ARP entries, so it may hold too many ARP entries. To solve this problem, you can set the maximum number of dynamic ARP entries that an interface can learn. When the maximum number is reached, the interface stops learning ARP entries.
Enabled by default.
Configuring ARP quick update
HP recommends enabling ARP quick update in WLANs only. As shown in Figure 3, the laptop frequently roams between AP 1 and AP 2. This affects the mapping between its MAC address and outbound interface on the switch. If the switch does not update its ARP table immediately after the outbound interface changes, it may fail to communicate with the laptop.
subnet mask of the receiving interface is not in the subnet 10.10.10.5/24, VLAN-interface 10 cannot process the ARP packet. With this feature enabled, the device calculates the subnet address by using the default mask of the class A network where 10.10.10.5/24 resides. Because 10.10.10.5/24 is on the same class A network as 10.11.11.1/8, VLAN-interface 10 can learn the sender IP and MAC addresses in the request.
NOTE: When configuring multicast ARP, use the interfaces on the EB, EA, SE, or SF card of the switch to connect to hosts and servers.
Displaying and maintaining ARP
CAUTION: Clearing ARP entries from the ARP table might cause communication failures.
Task Command Remarks...
ARP configuration examples
Static ARP entry configuration example
Network requirements
As shown in Figure 4, hosts are connected to the switch, which is connected to the router through interface GigabitEthernet 1/0/1 in VLAN 10. The IP and MAC addresses of the router are 192.168.1.1/24 and 00e0-fc01-0000 respectively.
IP Address MAC Address VLAN ID Interface Aging Type
192.168.1.1 00e0-fc01-0000 GE1/0/1
Multicast ARP configuration example (in standalone mode)
Network requirements
As shown in Figure 5, a small data center uses Microsoft multicast-mode NLB. To enable the switch to cooperate with NLB, perform the following configurations:
Use the interfaces on the EB, EA, SE, or SF card of the switch to connect to the hosts and servers.
As shown in Figure 6, a small data center uses Microsoft multicast-mode NLB. Two HP 10500 switches form an IRF fabric. To enable the switches to cooperate with NLB, perform the following configurations: Use the interfaces on the EB, EA, SE, or SF card of the switch to connect to the hosts and servers.
Configuration procedure
This example only describes multicast ARP configuration. For more information about IRF, see the IRF configuration guide for switches. For NLB configuration on the servers, see the related documents for Windows Server.
# Specify an IP address for VLAN-interface 10.
<Switch>...
Configuring gratuitous ARP
Overview
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device.
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.
You can use this command to enable the device to display an error message without sending any gratuitous ARP request for conflict confirmation. The receiving device displays the message every 30 seconds until the conflict is resolved.
To enable IP conflict notification:
Step Command Remarks...
Configuring proxy ARP
Overview
Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network.
Figure 8 Application environment of local proxy ARP
Enable local proxy ARP in one of the following cases:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN must communicate at Layer 3.
• If a super VLAN is configured, hosts in different sub VLANs of the super VLAN must communicate...
Local proxy ARP configuration example in super VLAN
Network requirements
Figure 11 shows a super VLAN, VLAN 10, with the interface IP address 192.168.10.100/16 and sub-VLANs (VLAN 2 and VLAN 3). GigabitEthernet 1/0/2 belongs to VLAN 2 and GigabitEthernet 1/0/1 belongs to VLAN 3.
The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2.
# Configure local proxy ARP to implement Layer 3 communication between sub-VLANs.
[Switch-Vlan-interface10] local-proxy-arp enable
The ping operation from Host A to Host B is successful after the configuration.
Local proxy ARP configuration example in isolate-user-VLAN
Network requirements...
Configuring ARP snooping
Overview
ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. The ARP snooping entries can be used by manual-mode MFF (MAC-Forced Forwarding). For more information about MFF, see Security Configuration Guide. If ARP snooping is enabled on a VLAN, ARP packets received by the interfaces of the VLAN are redirected to the CPU.
Configuring IP addressing
This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (DHCP) is beyond the scope of this chapter.
NOTE: The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces.
Class | Address range | Remarks
 | 192.0.0.0 to 223.255.255.255 |
 | 224.0.0.0 to 239.255.255.255 | Multicast addresses.
 | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255.
Special IP addresses
The following IP addresses are for special use and cannot be used as host IP addresses.
IP address with an all-zero net ID—Identifies a host on the local network.
Assigning an IP address to an interface You can assign an interface one primary address and multiple secondary addresses. Generally, you only need to assign the primary address to an interface. In some cases, you must assign secondary IP addresses to the interface. For example, if the interface connects to two subnets, to enable the device to communicate with all hosts on the LAN, assign a primary IP address and a secondary IP address to the interface.
Figure 15 Network diagram (Switch Vlan-int1: 172.16.1.1/24 and 172.16.2.1/24 sub; hosts 172.16.1.2/24 and 172.16.2.2/24 on subnets 172.16.1.0/24 and 172.16.2.0/24)
Configuration procedure
# Assign a primary IP address and a secondary IP address to VLAN-interface 1.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the hosts attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the hosts attached to subnet 172.16.2.0/24.
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
The output shows that the switch can communicate with the hosts on subnet 172.16.2.0/24.
# Ping a host on subnet 172.16.1.0/24 from a host on subnet 172.16.2.0/24 to verify the connectivity.
DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.
Figure 16 Typical DHCP application
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
Dynamic IP address allocation process
Figure 17 Dynamic IP address allocation process
The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
DHCP message format Figure 18 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Figure 18 DHCP message format op—Message type defined in option field.
DHCP options DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 19 DHCP option format Common DHCP options The following are common DHCP options: Option 3—Router option.
Vendor-specific option (Option 43)
DHCP servers and clients use Option 43 to exchange vendor-specific configuration information. The DHCP client can obtain the following information through Option 43:
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password.
• Service provider identifier, which is acquired by the Customer Premises Equipment (CPE) from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters.
Figure 22 PXE server address sub-option value field Relay agent option (Option 82) Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server.
Sub-option 1—Contains the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client's request. The VLAN ID field has a fixed length of 2 bytes. All the other padding contents of sub-option 1 are length variable.
Configuring the DHCP server
This chapter shows how to configure DHCP servers.
Overview
The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and most users must acquire IP addresses dynamically.
Principles for selecting an address pool The DHCP server observes the following principles to select an address pool when assigning an IP address to a client: If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address to the client.
DHCP server configuration task list
Task | Remarks
Configuring an address pool on the DHCP server | Required.
Enabling DHCP | Required.
Enabling the DHCP server on an interface | Required.
Applying an extended address pool on an interface | Required by the extended address pool configuration. When configuring a common address pool, ignore this task.
Creating a DHCP address pool When creating a DHCP address pool, specify it as a common address pool or an extended address pool. Address allocation mode is configured differently for common address pools and extended address pools. Configurations of other parameters (for example, the domain name suffix and DNS server address) are the same.
• If the interfaces on a DHCP client share the same MAC address, specify the client ID, rather than MAC address, in a static binding to identify the requesting interface. If you do not specify the client ID, the client may fail to obtain an IP address.
To configure a static binding in a common address pool:
Step Command...
Step: Specify the address lease duration.
Command: expired { day day [ hour hour [ minute minute ] [ second second ] ] | unlimited }
Remarks: Optional. One day by default.

Step: Return to system view.
Command: quit

Step: Exclude IP addresses from...
Command: dhcp server forbidden-ip...
Remarks: Optional. Except IP addresses of the DHCP server interfaces, all addresses in...
Configuring a domain name suffix for the client You can specify a domain name suffix in each DHCP address pool on the DHCP server to provide the clients with the domain name suffix. With this suffix assigned, the client only needs to enter part of a domain name, and the system adds the domain name suffix for name resolution.
To configure WINS servers and NetBIOS node type in a DHCP address pool:

Step: Enter system view.
Command: system-view

Step: Enter DHCP address pool view.
Command: dhcp server ip-pool pool-name [ extended ]

Step: Specify WINS servers.
Command: nbns-list ip-address&<1-8>
Remarks: Optional for b-node. No WINS server is specified by default....
To configure option 184 parameters in a DHCP address pool:

Step: Enter system view.
Command: system-view

Step: Enter DHCP address pool view.
Command: dhcp server ip-pool pool-name [ extended ]

Step: Specify the IP address of the primary network calling...
Remarks: No primary network calling processor is specified by default.
Step: Specify the IP address or the name of the TFTP server.
Command:
• Specify the TFTP server: tftp-server ip-address ip-address
• Specify the name of the TFTP server: tftp-server domain-name domain-name
Remarks: Use either command. Not specified by default.

Step: Specify the bootfile name....
Step: Configure self-defined DHCP option.
Command: option code { ascii ascii-string | hex hex-string&<1-16> | ip-address ip-address&<1-8> }
Remarks: No self-defined DHCP option is configured by default.

See Table 2 for a description of common options and corresponding commands.
Table 2 Common DHCP options
Option Option name Corresponding command...
Configuration guidelines
Follow these guidelines when you enable the DHCP server on an interface:
• If a DHCP relay agent exists between the DHCP server and client, the DHCP server, regardless of whether the subaddress keyword is used, selects an IP address from the address pool containing the primary IP address of the DHCP relay agent's interface (connected to the client) for a requesting client.
Step: Apply an extended address pool on the interface.
Command: dhcp server apply ip-pool pool-name
Remarks: Optional. By default, the DHCP server has no extended address pool applied on its interface, and assigns an IP address from a common address pool to a requesting client.
Step: Specify the maximum number of ping packets to be sent for conflict detection.
Command: dhcp server ping packets number
Remarks: Optional. The default setting is one. The value 0 disables IP address conflict detection.

Command: dhcp server ping timeout
Remarks: Optional. The default setting is 500 ms....
Step: Enter system view.
Command: system-view

Step: Enable the server to handle Option 82.
Command: dhcp server relay information enable
Remarks: Optional. Enabled by default.

Specifying the threshold for sending trap messages
Configuration prerequisites
Before performing the configuration, use the snmp-agent target-host command to specify the destination address of the trap messages.
IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again. Task Command Remarks display dhcp server conflict { all | ip...
The client ID of VLAN-interface 2 on Switch B is: 3030-3066-2e65-3234-392e-3830-3530-2d56-6c61-6e2d-696e-7465-7266-6163-6532.
Figure 26 Network diagram
Configuration procedure
Configure the IP address of VLAN-interface 2 on Switch A:
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 25
[SwitchA-Vlan-interface2] quit
Configure the DHCP server:
# Enable DHCP.
Dynamic IP address assignment configuration example
Network requirements
• As shown in Figure 27, the DHCP server (Switch A) assigns IP addresses to clients in subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
• The IP addresses of VLAN-interfaces 1 and 2 on Switch A are 10.1.1.1/25 and 10.1.1.129/25...
Configuration procedure
Specify IP addresses for the interfaces. (Details not shown.)
Configure the DHCP server:
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Enable the DHCP server on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] dhcp select server global-pool
[SwitchA-Vlan-interface2] quit
# Configure DHCP address pool 0.
Configuring the DHCP relay agent Overview The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, centralizes management, and reduces investment. An MCE device serving as the DHCP relay agent can forward DHCP packets not only between a DHCP server and clients on a public network, but also between a DHCP server and clients on a private network.
Figure 30 DHCP relay agent work process As shown in Figure 30, after receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response to the relay agent, and the relay agent conveys it to the client.
If a DHCP request Handling Padding The DHCP relay agent will… has… strategy format Forward the message after adding the Option Verbose 82 padded in verbose format. Forward the message after adding the User-defined user-defined Option 82. DHCP relay agent configuration task list Task Remarks Enabling DHCP...
Step: Enter interface view.
Command: interface interface-type interface-number

Step: Enable the DHCP relay agent on the current interface.
Command: dhcp select relay
Remarks: With DHCP enabled, an interface works in the DHCP server mode.

Correlating a DHCP server group with a relay agent interface
To improve availability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
Configuring the DHCP relay agent security functions Configuring address check Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks by using fixed IP addresses.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP-REQUEST message to the DHCP server. If the server returns a DHCP-ACK message or does not return any message within a specific interval, •...
compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent treats the request as valid and forwards it to the DHCP server. If not, it discards the DHCP request.
To enable MAC address check:
Step Command...
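The comparison described above, applied to a raw Ethernet frame. This is an added example, not HP's implementation: the frame builder, the MAC addresses and the function names are constructed for illustration, and the parser assumes IPv4 with an optional single 802.1Q tag.

```python
import struct

ETH_P_IPV4, ETH_P_8021Q = 0x0800, 0x8100
IPPROTO_UDP, DHCP_SERVER_PORT = 17, 67
BOOTREQUEST, HTYPE_ETHERNET = 1, 1
BOOTP_CHADDR_OFFSET = 28          # op..giaddr occupy the first 28 bytes


def mac(text):
    """'0205-0000-0001' or '02:05:00:00:00:01' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def build_request_frame(src_mac, chaddr, vlan_id=None):
    """Constructed sample: Ethernet/IPv4/UDP frame carrying a DHCP-REQUEST."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, HTYPE_ETHERNET, 6, 0,        # op, htype, hlen, hops
        0x12345678, 0, 0x8000,                    # xid, secs, flags
        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
        chaddr, bytes(64), bytes(128))            # chaddr (padded), sname, file
    bootp += bytes([99, 130, 83, 99, 53, 1, 3, 255])  # cookie, type 3, End
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0)
    # Checksums are left at zero; the check below does not depend on them.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, IPPROTO_UDP, 0, bytes(4), b"\xff" * 4)
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_P_8021Q, vlan_id)
    eth = b"\xff" * 6 + src_mac + tag + struct.pack("!H", ETH_P_IPV4)
    return eth + ip + udp + bootp


def check_mac_address(frame):
    """Return 'forward' if chaddr equals the frame's source MAC, else 'discard'.

    Raises ValueError when the frame is not a BOOTP request sent to UDP 67.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_P_8021Q:                  # skip one VLAN tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETH_P_IPV4 or len(frame) < offset + 20:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[offset] & 0x0F) * 4
    if ihl < 20 or frame[offset + 9] != IPPROTO_UDP:
        raise ValueError("not a UDP datagram")
    udp = offset + ihl
    bootp = udp + 8
    if len(frame) < bootp + BOOTP_CHADDR_OFFSET + 16:
        raise ValueError("truncated BOOTP header")
    (dst_port,) = struct.unpack_from("!H", frame, udp + 2)
    if dst_port != DHCP_SERVER_PORT or frame[bootp] != BOOTREQUEST:
        raise ValueError("not a DHCP request")
    if frame[bootp + 1] != HTYPE_ETHERNET or frame[bootp + 2] != 6:
        raise ValueError("unexpected hardware address type or length")
    start = bootp + BOOTP_CHADDR_OFFSET
    chaddr = frame[start:start + 6]
    return "forward" if chaddr == src_mac else "discard"


if __name__ == "__main__":
    client, other = mac("0205-0000-0001"), mac("0205-0000-00ff")
    print(check_mac_address(build_request_frame(client, client)))
    print(check_mac_address(build_request_frame(client, other)))
```
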
Step: Configure the DHCP relay agent to release an IP address.
Command: dhcp relay release ip client-ip

The IP address to be released must be available in a dynamic client entry. Dynamic client entries can be generated only after you enable address check or IP source guard on the DHCP relay agent.
Step Command Remarks Optional. • Configure the padding format for By default: Option 82: • The padding format for Option dhcp relay information format 82 is normal. { normal | verbose [ node-identifier • The code type for the circuit ID { mac | sysname | user-defined sub-option depends on the node-identifier } ] }...
Task: Display information about bindings of DHCP relay agents.
Command: display dhcp relay security [ ip-address | dynamic | static ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display statistics information about...
Command: display dhcp relay security statistics [ | { begin | exclude | include }...
Remarks: Available in any...
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[SwitchA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] dhcp select relay
# Correlate VLAN-interface 1 to DHCP server group 1.
[SwitchA-Vlan-interface1] dhcp relay information remote-id string device001
Troubleshooting DHCP relay agent configuration
Symptom
DHCP clients cannot obtain any configuration parameters through the DHCP relay agent.
Analysis
Some problems may occur with the DHCP relay agent or server configuration.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.
Configuring DHCP client
With DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP address from the DHCP server.
Configuration restrictions
• The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces),...
Step: Set the DSCP value for DHCP packets sent by the DHCP client.
Command: dhcp client dscp dscp-value
Remarks: Optional. By default, the DSCP value is 56.

Displaying and maintaining the DHCP client
Task: Display specified...
Command: display dhcp client [ verbose ] [ interface interface-type interface-number ] [ | { begin |...
Remarks: Available in any view.
# Enable the DHCP service.
[SwitchA] dhcp enable
# Exclude an IP address from automatic allocation.
[SwitchA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[SwitchA-dhcp-pool-0] expired day 10...
127.0.0.1/32 Direct 0 127.0.0.1 InLoop0...
Configuring DHCP snooping
A DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
DHCP snooping functions
DHCP snooping can:
Make sure DHCP clients obtain IP addresses from authorized DHCP servers.
Application environment of trusted ports Configuring a trusted port connected to a DHCP server Figure 33 Configuring trusted and untrusted ports As shown in Figure 33, the DHCP snooping device port that is connected to an authorized DHCP server should be configured as a trusted port. The trusted port forwards response messages from the authorized DHCP server to the client, but the untrusted port does not forward response messages from the unauthorized DHCP server.
Figure 34 Configuring trusted ports in a cascaded network Table 4 Roles of ports Trusted port disabled from Trusted port enabled to Device Untrusted port recording binding entries record binding entries Switch A GigabitEthernet 1/0/1 GigabitEthernet 1/0/3 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3 and Switch B GigabitEthernet 1/0/1 GigabitEthernet 1/0/2...
If a DHCP request Handling Padding format The DHCP snooping device will… has… strategy Forward the message after replacing the normal original Option 82 with the Option 82 padded in normal format. Forward the message after replacing the Replace verbose original Option 82 with the Option 82 padded in verbose format.
• If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration of the interface does not take effect. After the interface quits the aggregation group, the configuration becomes effective.
• DHCP snooping can work with basic QinQ or flexible QinQ. When receiving a packet without any...
• If the handling strategy of the DHCP-snooping device is configured as replace, configure a padding format for Option 82. If the handling strategy is keep or drop, you need not configure any padding format.
• If Option 82 contains the device name, the device name must contain no spaces. Otherwise, the...
Step Command Remarks • Configure the padding format Optional. for Option 82: dhcp-snooping information By default: format { normal |verbose • The padding format for Option [ node-identifier { mac | 82 is normal. sysname | user-defined • The code type for the circuit ID node-identifier } ] } sub-option depends on the •...
To configure DHCP snooping entries backup: Step Command Remarks Enter system view. system-view Not specified by default. DHCP snooping entries are stored dhcp-snooping binding immediately after this command is Specify the name of the file for database filename used and then updated at the storing DHCP snooping entries.
To enable MAC address check:
Step | Command | Remarks
Enter system view. | system-view |
Enter interface view. | interface interface-type interface-number |
Enable MAC address check. | dhcp-snooping check mac-address | Disabled by default.
Enabling DHCP-REQUEST message attack protection
Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses....
• If a Layer 2 Ethernet interface belongs to an aggregation group, it uses the DHCP packet maximum rate configured on the corresponding Layer 2 aggregate interface.
To configure DHCP packet rate limit:
Step Command Remarks Enter system view. system-view Enter Layer 2 Ethernet interface view interface interface-type or Layer 2 aggregate interface view....
DHCP snooping configuration examples
DHCP snooping configuration example
Network requirements
As shown in Figure 35, perform configurations on Switch B to achieve the following purposes:
• The port connected to the DHCP server can forward responses from the server, but the other ports...
<SwitchB> system-view
[SwitchB] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as trusted.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 to support Option 82.
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information enable
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information strategy replace
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information circuit-id string company001
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information remote-id string device001
[SwitchB-GigabitEthernet1/0/2] quit
...
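The following Python model is an added example, not HP code and not part of the original guide. It shows what the drop, keep and replace handling strategies do to a request that already carries Option 82, using the circuit ID and remote ID strings from the configuration above. It assumes that user-defined strings travel as plain ASCII sub-option values (sub-options 1 and 2 of RFC 3046) and that a request without Option 82 has the device's own Option 82 added; the function names and sample packets are constructed for illustration.

```python
# Added illustration (not HP's implementation): models how a DHCP snooping
# device applies the drop / keep / replace strategy to Option 82.
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
STRATEGIES = ("drop", "keep", "replace")


def parse_tlvs(raw, top_level):
    """Return [(code, value), ...]; top_level=True honours pad (0) and end (255)."""
    items, i = [], 0
    while i < len(raw):
        code = raw[i]
        if top_level and code == OPT_END:
            break
        if top_level and code == OPT_PAD:
            i += 1
            continue
        # Reject a length byte that points past the end of the buffer.
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated TLV with code %d" % code)
        length = raw[i + 1]
        items.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def encode_tlvs(items, top_level):
    """Serialize (code, value) pairs; the options field gets an end option."""
    out = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return out + bytes([OPT_END]) if top_level else out


def build_option82(circuit_id, remote_id):
    """Option 82 value with the configured strings as ASCII sub-options
    (assumption: user-defined strings are carried unchanged)."""
    subs = [(SUB_CIRCUIT_ID, circuit_id.encode("ascii")),
            (SUB_REMOTE_ID, remote_id.encode("ascii"))]
    return encode_tlvs(subs, top_level=False)


def handle_request(raw_options, strategy, circuit_id, remote_id):
    """Return the options field to forward, or None when the request is dropped."""
    if strategy not in STRATEGIES:
        raise ValueError("unknown strategy: %r" % strategy)
    options = parse_tlvs(raw_options, top_level=True)
    ours = (OPT_RELAY_INFO, build_option82(circuit_id, remote_id))
    if all(code != OPT_RELAY_INFO for code, _ in options):
        # No Option 82 in the request: add the device's own (assumption).
        return encode_tlvs(options + [ours], top_level=True)
    if strategy == "drop":
        return None
    if strategy == "keep":
        return encode_tlvs(options, top_level=True)
    # replace: discard whatever the request carried and insert our values.
    kept = [(c, v) for c, v in options if c != OPT_RELAY_INFO]
    return encode_tlvs(kept + [ours], top_level=True)


def option82_of(raw_options):
    """Decode the Option 82 sub-options of an options field into {code: bytes}."""
    for code, value in parse_tlvs(raw_options, top_level=True):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value, top_level=False))
    return {}


# Constructed samples: a DHCP-REQUEST (option 53 = 3) that arrives already
# carrying an Option 82 with circuit ID "other-port", and one without it.
CLIENT_82 = encode_tlvs([(SUB_CIRCUIT_ID, b"other-port")], top_level=False)
WITH_82 = encode_tlvs([(53, b"\x03"), (OPT_RELAY_INFO, CLIENT_82)], top_level=True)
WITHOUT_82 = encode_tlvs([(53, b"\x03")], top_level=True)

if __name__ == "__main__":
    for strategy in STRATEGIES:
        out = handle_request(WITH_82, strategy, "company001", "device001")
        print(strategy, None if out is None else option82_of(out))
```

With keep, the DHCP server sees whatever circuit ID arrived on the port; with replace, it sees only the values configured on the snooping device.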
Configuring IPv4 DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic.
The DNS client comprises the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache.
Configuring dynamic domain name resolution To send DNS queries to a correct server for resolution, enable dynamic domain name resolution and configure a DNS server. In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution.
Step Command Remarks Optional. Set the DSCP value for DNS packets. dns dscp dscp-value By default, the DSCP value is 0. Displaying and maintaining IPv4 DNS Task Command Remarks display ip host [ | { begin | Display the static IPv4 domain exclude | include } Available in any view.
# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
PING host.com (10.1.1.2): data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
...
The DNS server configuration page appears, as shown in Figure Right-click Forward Lookup Zones, select New Zone, and then follow the instructions to create a new zone named com. Figure 39 Creating a zone On the DNS server configuration page, right-click zone com, and select New Host. Figure 40 Adding a host On the page that appears, enter host name host and IP address 3.1.1.1.
Figure 41 Adding a mapping between domain name and IP address
Configure the DNS client:
# Enable dynamic domain name resolution.
<Sysname> system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the...
Troubleshooting IPv4 DNS configuration
Symptom
After enabling dynamic domain name resolution, the user cannot get the correct IP address.
Solution
• Use the display dns host ip command to verify that the specified domain name is in the cache.
• If the specified domain name does not exist, verify that dynamic domain name resolution is enabled...
Configuring IP forwarding basics Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table.
Task Command Remarks display fib [ vpn-instance vpn-instance-name ] [ acl acl-number | ip-prefix ip-prefix-name ] [ | Display FIB information. Available in any view. { begin | exclude | include } regular-expression ] Display FIB information display fib [ vpn-instance vpn-instance-name ] matching the specified ip-address [ mask | mask-length ] [ | { begin | Available in any view.
Configuring IP performance optimization This chapter describes multiple features for IP performance optimization. The term "interface" in the IP performance optimization features collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
Step | Command | Remarks
Enter interface view. | interface interface-type interface-number |
Enable the interface to forward directed broadcasts. | ip forward-broadcast [ acl acl-number ] | Disabled by default.
Configuration example
Network requirements
As shown in Figure 42, the default gateway of the host is the IP address 1.1.1.2/24 of VLAN-interface 3 of Switch A....
A router that fails to forward the packet because it exceeds the MTU on the outgoing interface discards the packet and returns an ICMP error message, which contains the MTU of the outgoing interface. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.
Configuring TCP timers
You can configure the following TCP timers:
• synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
• finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started....
If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source. The device sends an ICMP timeout packet under the following conditions: If the device finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a "TTL timeout"...
Table 6 Handling ICMP messages Device mode ICMP messages sent ICMP messages received Remarks Extension information in extended ICMP messages is Common mode Common ICMP messages Common ICMP messages not processed. Extended ICMP messages Common ICMP messages Common ICMP messages without a length field are Compliant mode Extended ICMP messages...
Task Command Remarks display ip statistics [ chassis chassis-number Display statistics of IP packets. (In IRF slot slot-number ] [ | { begin | exclude | Available in any view. mode.) include } regular-expression ] display icmp statistics [ slot slot-number ] [ | Display ICMP statistics.
Configuring UDP helper UDP helper enables a device to convert received UDP broadcast packets into unicast packets and forward them to a specific server. UDP helper is suitable for the scenario where hosts cannot obtain configuration information or device names by broadcasting packets because the target server or host resides on another broadcast domain.
Step Command Remarks interface interface-type Enter interface view. interface-number udp-helper server [ vpn-instance No destination server is Specify a destination server. vpn-instance-name ] ip-address specified by default. Displaying and maintaining UDP helper Task Command Remarks display udp-helper server [ interface Display information about packets interface-type interface-number ] [ | { begin Available in any view.
# Specify the IP address of the destination server in the public network as 10.2.1.1 on VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.110.1.1 16
[SwitchA-Vlan-interface1] udp-helper server 10.2.1.1
...
Configuring IPv6 basics Overview Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits. NOTE: The term "interface"...
Hierarchical address structure IPv6 uses the hierarchical address structure to speed up route lookups and reduce the IPv6 routing table size through route aggregation. Address autoconfiguration To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration: Stateful address autoconfiguration enables a host to acquire an IPv6 address and other •...
IMPORTANT: A double colon may appear once or not at all in an IPv6 address. This limit allows the device to determine how many zeros the double colon represents, and correctly convert it to zeros to restore a 128-bit IPv6 address.
• Link-local addresses are used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.
• Site-local unicast addresses are similar to private IPv4 addresses. Packets with site-local source or destination addresses are not forwarded out of the local site (or a private network)....
Figure 45 Converting a MAC address into an EUI-64 address-based interface identifier • On a tunnel interface The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros.
ICMPv6 message Type Function Informs the source host of a better next hop on the path to a Redirect message particular destination when certain conditions are satisfied. Address resolution This function is similar to the ARP function in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA message exchanges.
Figure 47 Duplicate address detection Host A sends an NS message whose source address is the unspecified address and whose destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the IPv6 address. If Host B uses this IPv6 address, Host B returns an NA message.
IPv6 path MTU discovery The links that a packet passes from a source to a destination may have different MTUs. In IPv6, when the packet size exceeds the path MTU of a link, the packet is fragmented at the source end of the link to reduce the processing pressure on intermediate devices and to use network resources effectively.
Step | Command | Remarks
Enter interface view. | interface interface-type interface-number |
Configure the interface to generate an EUI-64 IPv6 address. | ipv6 address ipv6-address/prefix-length eui-64 | By default, no IPv6 global unicast address is configured on an interface.
Manual configuration
To specify an IPv6 address manually for an interface:
Step Command Remarks...
Before sending a packet, the system preferably uses the temporary IPv6 address of the sending interface as the source address of the packet to be sent. When this temporary IPv6 address expires, the system removes it and generates a new one. This enables the system to send packets with different source addresses through the same interface.
If you delete the manually assigned address, the automatically generated link-local address is validated. To configure automatic generation of an IPv6 link-local address for an interface: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Optional. Configure the interface By default, no link-local address is to automatically...
Step Command Remarks interface interface-type Enter interface view. interface-number Optional. Configure an IPv6 anycast ipv6 address By default, no IPv6 anycast address. ipv6-address/prefix-length anycast address is configured on an interface. Configuring IPv6 ND The following topics apply to configuring IPv6 ND. Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry.
that an interface can dynamically learn. When the number of dynamically learned neighbors reaches the threshold, the interface stops learning neighbor information. To configure the maximum number of neighbors dynamically learned: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view.
Parameters Description Determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use the stateful autoconfiguration (for example, through M flag a DHCP server) to acquire IPv6 addresses. Otherwise, hosts use the stateless autoconfiguration to acquire IPv6 addresses and generate IPv6 addresses according to their own link-layer addresses and the obtained prefix information.
Step Command Remarks interface interface-type Enter interface view. interface-number Optional. By default, no prefix information is ipv6 nd ra prefix { ipv6-prefix configured for RA messages, and the Configure the prefix prefix-length | IPv6 address of the interface sending RA information in RA ipv6-prefix/prefix-length } messages is used as the prefix...
Configuring the maximum number of attempts to send an NS message for DAD An interface sends an NS message for DAD after acquiring an IPv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it continues to send an NS message.
Configuring path MTU discovery This section contains information on configuring path MTU discovery. Configuring a static path MTU for a specified IPv6 address You can configure a static path MTU for a specified destination IPv6 address. When a source host sends a packet through an interface, it compares the interface MTU with the static path MTU of the specified destination IPv6 address.
Step | Command | Remarks
Enter system view. | system-view |
Set the synwait timer. | tcp ipv6 timer syn-timeout wait-time | Optional. The default is 75 seconds.
Set the finwait timer. | tcp ipv6 timer fin-timeout wait-time | Optional. The default is 675 seconds.
Set the size of the IPv6 TCP sending/receiving buffer. | tcp ipv6 window size | Optional....
multicast address, all the hosts in the multicast group send echo replies to Host B. To prevent such an attack, disable a device from answering multicast echo requests by default. In some application scenarios, however, you need to enable the device to answer multicast echo requests. To enable replying to multicast echo requests: Step Command...
• If the destination of a packet is local, its transport layer protocol is UDP, and its destination port number does not match the running process, the device sends the source a "port unreachable" ICMPv6 error message.
If an attacker sends abnormal traffic that causes the device to generate ICMPv6 destination unreachable messages, end users may be affected....
Task Command Remarks display ipv6 neighbors vpn-instance Display the neighbor Available in any vpn-instance-name [ count ] [ | { begin | exclude | information of a specified VPN. view. include } regular-expression ] display ipv6 pathmtu [ vpn-instance Display the IPv6 path MTU vpn-instance-name ] { ipv6-address | all | dynamic Available in any information.
IPv6 basics configuration example Network requirements As shown in Figure 49, a host, Switch A and Switch B are connected through Ethernet ports. Add the Ethernet ports into corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify that they are connected. Enable IPv6 on the host to automatically obtain an IPv6 address through IPv6 ND.
# Execute the ping ipv6 command on Switch A to verify the connectivity between Switch A and Switch B.
[SwitchA] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1 bytes=56 Sequence=0 hop limit=64 time = 3 ms
Reply from 3001::1 bytes=56 Sequence=1 hop limit=64...
ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: InTooShorts: InTruncatedPkts: InHopLimitExceeds: InBadHeaders: InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B.
IPv6 Packet statistics: InReceives: InTooShorts: InTruncatedPkts: InHopLimitExceeds: InBadHeaders: InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on the host, and ping Switch A and the host on Switch B to verify that they are connected.
1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms The output shows that Switch B can ping Switch A and the host. Troubleshooting IPv6 basics configuration Symptom The peer IPv6 address cannot be pinged. Solution •...
DHCPv6 overview IMPORTANT: The device cannot act as a DHCPv6 server. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts. Compared with other IPv6 address allocation methods (such as manual configuration and stateless address autoconfiguration), DHCPv6 can: Record addresses assigned to hosts and assign specific addresses to hosts, facilitating network •...
Figure 50 DUID-LL format Identified by an IAID, an Identity Association (IA) provides a construct through which the obtained addresses, prefixes, and other configuration parameters assigned from a server to a client are managed. A client can have more than one IA assigned to it, for example, one for each of its interfaces, to manage the addresses, prefixes, and other configuration parameters obtained by the interfaces.
Figure 51 Rapid assignment involving two messages Assignment involving four messages Figure 52 shows the process of IPv6 address/prefix assignment involving four messages. Figure 52 Assignment involving four messages The assignment involving four messages operates as follows: The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.
Figure 53 Using the Renew message for address/prefix lease renewal As shown in Figure 54, if the DHCPv6 client receives no response from the DHCPv6 server after sending out a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2 (that is, when 80% preferred lifetime expires).
Request option, specifying the configuration parameters that the client requests from the DHCPv6 server. After receiving the Information-request message, the DHCPv6 server returns to the client a Reply message containing the requested configuration parameters. The client checks the Reply message. If the obtained configuration parameters match those requested in the Information-request message, the client performs network configuration with the parameters.
Configuring DHCPv6 relay agent A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 56, if the DHCPv6 server resides on another subnet, the DHCPv6 client can contact the server through a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.
within the Relay Message option of a Relay-reply message. The DHCPv6 server then sends the Relay-reply message to the DHCPv6 relay agent. The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the DHCPv6 client. Then the DHCPv6 client uses the IPv6 address and other network parameters assigned by the DHCPv6 server to perform network configuration.
Step Command Remarks Optional. Set the DSCP value for DHCPv6 packets sent by the ipv6 dhcp dscp dscp-value By default, the DSCP value in DHCPv6 relay agent. DHCPv6 packets is 56. Displaying and maintaining the DHCPv6 relay agent Task Command Remarks Display the DUID of the local display ipv6 dhcp duid [ | { begin | exclude |...
Configuring DHCPv6 client
Serving as a DHCPv6 client, the device supports only stateless DHCPv6 configuration. That is, the device can obtain only network configuration parameters other than the IPv6 address and prefix from the DHCPv6 server. With an IPv6 address obtained through stateless address autoconfiguration, the device automatically enables the stateless DHCPv6 function after it receives an RA message with the M flag set to 0 and the O flag set to 1....
<SwitchA> system-view
[SwitchA] ipv6
# Enable stateless IPv6 address autoconfiguration on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ipv6 address auto
With this command executed, if VLAN-interface 2 has no IPv6 address configured, Switch A automatically generates a link-local address and sends an RS message, requesting the gateway (Switch B) to reply with an RA message immediately....
Configuring IPv6 DNS IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS.
Step Command Remarks Enable dynamic domain dns resolve Disabled by default. name resolution. Not specified by default. dns server ipv6 ipv6-address If the IPv6 address of a DNS server is a Specify a DNS server. [ interface-type link-local address, you need to specify the interface-number ] interface-type and interface-number arguments.
IPv6 DNS configuration examples Static domain name resolution configuration example Network requirements As shown in Figure 60, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the device so that the device can use the domain name host.com to access the host at 1::2.
Dynamic domain name resolution configuration example Network requirements As shown in Figure 61, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. The IPv6 address of the DNS server is 2::2/64 and the server has a com domain, which stores the mapping between domain name host and IPv6 address 1::1/64.
Figure 62 Creating a zone On the DNS server configuration page, right-click zone com and select Other New Records. Figure 63 Creating a record On the page that appears, select IPv6 Host (AAAA) as the resource record type, and click Create Record.
Figure 64 Selecting the resource record type On the page that appears, enter host name host and IPv6 address 1::1. Click OK. The mapping between the IP address and host name is created.
Figure 65 Adding a mapping between domain name and IPv6 address
Configure the DNS client:
# Enable dynamic domain name resolution.
<Device> system-view
[Device] dns resolve
# Specify the DNS server 2::2.
[Device] dns server ipv6 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
Verifying the configuration
# Use the ping ipv6 host command on the device to verify that the communication between the device...
Reply from 1::1 bytes=56 Sequence=3 hop limit=126 time = 1 ms
Reply from 1::1 bytes=56 Sequence=4 hop limit=126 time = 1 ms
Reply from 1::1 bytes=56 Sequence=5 hop limit=126 time = 1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
...
Configuring tunneling Overview Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end.
Tunnel types IPv6 over IPv4 tunnels fall into manually configured tunnels and automatic tunnels, depending on how the IPv4 address of the tunnel destination is acquired. • Manually configured tunnel—The destination IPv4 address of the tunnel cannot be automatically acquired from the destination IPv6 address of an IPv6 packet at the tunnel source. It must be manually configured.
Figure 67 Principle of 6to4 tunneling
ISATAP tunneling
An ISATAP tunnel is a point-to-point automatic tunnel. It provides a solution to connect an IPv6 host to an IPv6 network over an IPv4 network. The destination addresses of IPv6 packets and the IPv6 addresses of tunnel interfaces are all ISATAP addresses....
The IP protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface. The tunnel interface adds a new IPv4 header to the IPv4 packet and submits to the IP protocol stack.
The tunneling module removes the IPv6 header and delivers the remaining IPv4 packet to the IPv4 protocol stack. The IPv4 protocol stack forwards the IPv4 packet. IPv6 over IPv6 tunneling IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network.
Tunneling configuration task list Complete the following tasks to configure the tunneling feature: Task Remarks Configuring a tunnel interface Required. Configuring an IPv6 manual tunnel Configuring an Optional. IPv6 over IPv4 Configuring a 6to4 tunnel Use one as needed. tunnel Configuring an ISATAP tunnel Configuring an IPv4 over IPv4 tunnel Optional.
• By default, sending ICMP destination unreachable packets is disabled. To enable it, use the ip unreachables enable command.
Configuration procedure
To configure a tunnel interface:
Step | Command | Remarks
Enter system view. | system-view |
Create a tunnel interface and enter its view. | interface tunnel number | By default, no tunnel interface is...
Configuring an IPv6 manual tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface or loopback interface) to be configured as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure an IPv6 manual tunnel: After a tunnel interface is deleted, all the features configured on the tunnel interface will be deleted....
Step Command Remarks By default, the tunnel mode is GRE over IPv4. Specify IPv6 tunnel-protocol ipv6-ipv4 The same tunnel mode should be manual tunnel mode. configured at both ends of the tunnel. Otherwise, packet delivery fails. Configure a source source { ip-address | interface-type By default, no source address or address or interface interface-number }...
# Specify an IPv6 address for VLAN-interface 101.
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ipv6 address 3002::1 64
[SwitchA-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Assign GigabitEthernet 1/0/3 to service loopback group 1, and disable STP and LLDP on the interface....
[SwitchB-Tunnel0] ipv6 address 3001::2/64
[SwitchB-Tunnel0] source vlan-interface 100
[SwitchB-Tunnel0] destination 192.168.100.1
[SwitchB-Tunnel0] tunnel-protocol ipv6-ipv4
# Apply service loopback group 1 on the tunnel interface.
[SwitchB-Tunnel0] service-loopback-group 1
[SwitchB-Tunnel0] quit
# Configure a static route to IPv6 Group 1 through Tunnel 0 on Switch B.
[SwitchB] ipv6 route-static 3002:: 64 tunnel 0
Verifying the configuration
# Display the status of the tunnel interfaces on Switch A and Switch B, respectively....
InReceives:
# Ping the IPv6 address of VLAN-interface 101 at the peer end from Switch A.
[SwitchA] ping ipv6 3003::1
PING 3003::1 : 56 data bytes, press CTRL_C to break
Reply from 3003::1 bytes=56 Sequence=1 hop limit=64 time = 1 ms
Reply from 3003::1 bytes=56 Sequence=2 hop limit=64 time = 1 ms...
Step Command Remarks Enter system view. system-view By default, the IPv6 packet forwarding Enable IPv6. ipv6 function is disabled. Enter tunnel interface interface tunnel number view. • Configure an IPv6 global unicast address or a site-local address: The IPv6 link-local address configuration ipv6 address { ipv6-address is optional.
Figure 73 Network diagram
Configuration considerations
To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 switches and hosts in the 6to4 networks.
• The IPv4 address of VLAN-interface 100 on Switch A is 2.1.1.1/24, and the corresponding 6to4 prefix is 2002:0201:0101::/48 after it is translated to an IPv6 address....
[SwitchA-GigabitEthernet1/0/3] quit
# Configure a 6to4 tunnel.
[SwitchA] interface tunnel 0
[SwitchA-Tunnel0] ipv6 address 2002:201:101::1/64
[SwitchA-Tunnel0] source vlan-interface 100
[SwitchA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
# Apply service loopback group 1 on the tunnel.
[SwitchA-Tunnel0] service-loopback-group 1
[SwitchA-Tunnel0] quit
# Configure a static route whose destination address is 2002::/16 and next-hop is the tunnel interface....
Verifying the configuration
# Ping Host B from Host A or ping Host A from Host B. The ping operation succeeds.
D:\>ping6 -s 2002:201:101:1::2 2002:501:101:1::2
Pinging 2002:501:101:1::2 from 2002:201:101:1::2 with 32 bytes of data:
Reply from 2002:501:101:1::2: bytes=32 time=13ms
Reply from 2002:501:101:1::2: bytes=32 time=1ms
Reply from 2002:501:101:1::2: bytes=32 time=1ms
Reply from 2002:501:101:1::2: bytes=32 time<1ms
Ping statistics for 2002:501:101:1::2:...
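The address derivations used in this guide (the 6to4 prefix built from the tunnel source IPv4 address, the ISATAP interface identifier 0000:5EFE plus IPv4 address, and the EUI-64 interface identifier built from a MAC address) can be checked with the following Python sketch, which also runs them in reverse to show which lower-layer identifier an IPv6 address in a log or ACL reveals. It is an added example, not HP code; the function names and the sample MAC address are constructed for illustration.

```python
import ipaddress

ISATAP_HIGH32 = 0x00005EFE  # upper 32 bits of an ISATAP interface identifier


def sixto4_prefix(ipv4):
    """6to4 /48 prefix for a tunnel source IPv4 address: 2002:<IPv4 in hex>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def _with_interface_id(prefix, interface_id):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def isatap_address(prefix, ipv4):
    """ISATAP address: /64 prefix + 0000:5EFE + the 32-bit IPv4 address."""
    iid = (ISATAP_HIGH32 << 32) | int(ipaddress.IPv4Address(ipv4))
    return _with_interface_id(prefix, iid)


def eui64_address(prefix, mac):
    """EUI-64 address: insert FFFE in the middle of the MAC address and
    invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return _with_interface_id(prefix, int.from_bytes(iid, "big"))


def embedded_identifiers(address):
    """Return the IPv4 or MAC address that can be read back out of an IPv6 address."""
    value = int(ipaddress.IPv6Address(address))
    found = {}
    if value >> 112 == 0x2002:  # 6to4: bits 16..47 hold the IPv4 address
        found["6to4_ipv4"] = str(ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF))
    iid = value & ((1 << 64) - 1)
    if iid >> 32 == ISATAP_HIGH32:
        found["isatap_ipv4"] = str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    elif (iid >> 24) & 0xFFFF == 0xFFFE:  # FFFE marker of a MAC-derived identifier
        b = iid.to_bytes(8, "big")
        mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
        found["eui64_mac"] = ":".join("%02x" % octet for octet in mac)
    return found


if __name__ == "__main__":
    print(sixto4_prefix("2.1.1.1"))                      # Switch A in the 6to4 example
    for addr in ("2002:201:101:1::2", "2002:501:101:1::2",
                 "fe80::5efe:2.1.1.2",
                 str(eui64_address("fe80::/64", "00:12:34:00:ab:cd"))):  # constructed MAC
        print(addr, embedded_identifiers(addr))
```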
Step Command Remarks By default, the IPv6 forwarding Enable IPv6. ipv6 function is disabled. Enter tunnel interface view. interface tunnel number • Configure an IPv6 global unicast address or site-local address: The IPv6 link-local address configuration is optional. ipv6 address { ipv6-address prefix-length | By default: ipv6-address/prefix-length }...
Configuration procedure
Make sure the corresponding VLAN interfaces have been created on the switch, and that VLAN-interface 101 on the ISATAP switch and the ISATAP host can reach each other through IPv4.
• Configure the switch:
# Enable IPv6.
<Switch> system-view
[Switch] ipv6
# Specify addresses for interfaces.
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
does not use Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 0.0.0.0
router link-layer address: 0.0.0.0
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms...
Ping statistics for 2001::5efe:1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Verifying the configuration
The ISATAP host can access the host in the IPv6 network.
Configuring an IPv4 over IPv4 tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface or loopback interface) to be...
Step: Specify the IPv4 over IPv4 tunnel mode.
Command: tunnel-protocol ipv4-ipv4
Remarks: By default, the tunnel mode is GRE over IPv4. The same tunnel mode should be configured at both ends of the tunnel. Otherwise, packet delivery will fail.

Step: Configure source
Command: source { ip-address | interface-type
Remarks: By default, no source address or...
# Assign GigabitEthernet 1/0/3 to service loopback group 1, and disable STP and LLDP on the interface.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] undo stp enable
[SwitchA-GigabitEthernet1/0/3] undo lldp enable
[SwitchA-GigabitEthernet1/0/3] port service-loopback group 1
[SwitchA-GigabitEthernet1/0/3] quit
# Create interface Tunnel 1.
[SwitchA] interface tunnel 1
# Specify an IPv4 address for interface Tunnel 1.
# Specify an IPv4 address for interface Tunnel 2.
[SwitchB-Tunnel2] ip address 10.1.2.2 255.255.255.0
# Configure the tunnel encapsulation mode as IPv4 over IPv4.
[SwitchB-Tunnel2] tunnel-protocol ipv4-ipv4
# Specify the IP address of VLAN-interface 101 as the source address for interface Tunnel 2.
[SwitchB-Tunnel2] source 3.1.1.1
# Specify the IP address of VLAN-interface 101 of Switch A as the destination address for interface Tunnel 2.
Step: Enter system view.
Command: system-view

Step: Enable IPv6.
Command: ipv6
Remarks: By default, the IPv6 packet forwarding function is disabled.

Step: Enter tunnel interface view.
Command: interface tunnel number

Step: Configure IPv4 address for the tunnel
Command: ip address ip-address { mask | mask-length } [ sub ]
Remarks: By default, no IPv4 address is configured for the tunnel interface.
[SwitchA-Vlan-interface100] quit
# Specify an IPv6 address for VLAN-interface 101, the physical interface of the tunnel.
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ipv6 address 2001::1:1 64
[SwitchA-Vlan-interface101] quit
# Create service loopback group 1 and specify its service type as tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Assign GigabitEthernet 1/0/3 to service loopback group 1, and disable STP and LLDP.
[SwitchB] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] undo stp enable
[SwitchB-GigabitEthernet1/0/3] undo lldp enable
[SwitchB-GigabitEthernet1/0/3] port service-loopback group 1
[SwitchB-GigabitEthernet1/0/3] quit
# Create interface Tunnel 2.
[SwitchB] interface tunnel 2
# Specify an IPv4 address for interface Tunnel 2.
[SwitchB-Tunnel2] ip address 30.1.2.2 255.255.255.0
# Configure the tunnel encapsulation mode as IPv4 over IPv6.
• The IPv6 address of the tunnel interface must not be on the same subnet as the destination address configured for the tunnel interface.
• The destination address of the route passing the tunnel interface must not be on the same subnet as...
Step: Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses.
Command: tunnel discard ipv4-compatible-packet
Remarks: Optional. The default setting is disabled.

Configuration example
Network requirements
As shown in Figure 77, configure an IPv6 over IPv6 tunnel between Switch A and Switch B so the two IP networks can reach each other without disclosing their IPv6 addresses.
# Create interface Tunnel 1.
[SwitchA] interface tunnel 1
# Specify an IPv6 address for interface Tunnel 1.
[SwitchA-Tunnel1] ipv6 address 3001::1:1 64
# Configure the tunnel encapsulation mode as IPv6 over IPv6.
[SwitchA-Tunnel1] tunnel-protocol ipv6-ipv6
# Specify the IP address of VLAN-interface 101 as the source address for interface Tunnel 1.
[SwitchA-Tunnel1] source 2001::11:1
# Specify the IP address of VLAN-interface 101 of Switch B as the destination address for interface Tunnel 1.
# Specify the IP address of VLAN-interface 101 of Switch A as the destination address for interface Tunnel 2.
[SwitchB-Tunnel2] destination 2001::11:1
# Apply service loopback group 1 on the tunnel.
[SwitchB-Tunnel2] service-loopback-group 1
[SwitchB-Tunnel2] quit
# Configure a static route destined to the IPv6 network Group 1 through interface Tunnel 2.
[SwitchB] ipv6 route-static 2002:1:: 64 tunnel 2
Verifying the configuration
# Display the status of the tunnel interfaces on Switch A and Switch B, respectively.
[SwitchA] ping ipv6 2002:3::1
PING 2002:3::1 : 56 data bytes, press CTRL_C to break
Reply from 2002:3::1 bytes=56 Sequence=1 hop limit=64 time = 31 ms
Reply from 2002:3::1 bytes=56 Sequence=2 hop limit=64 time = 1 ms
Reply from 2002:3::1 bytes=56 Sequence=3 hop limit=64 time = 16 ms
Reply from 2002:3::1 bytes=56 Sequence=4 hop limit=64...
reachable. If no routing entry is available for tunnel communication in the routing table, configure a route to reach the tunnel destination.
Configuring GRE
This chapter describes how to configure GRE.
Overview
Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP).
• GRE over IPv4—The transport protocol is IPv4, and the passenger protocol is any network layer protocol.
• GRE over IPv6—The transport protocol is IPv6, and the passenger protocol is any network layer protocol.
GRE encapsulation and de-encapsulation processes
The following encapsulation process and de-encapsulation process use Figure 80 to describe how an X protocol packet traverses the IP network through a GRE tunnel.
Configuring a GRE over IPv4 tunnel
Configuration restrictions and guidelines
• The source address or interface and the destination address that are specified for the tunnel interface must be a public address or interface.
• The source address and destination address of a tunnel uniquely identify a path. They must be...
Step: Set the tunnel mode to GRE over IPv4.
Command: tunnel-protocol gre
Remarks: Optional. The default tunnel mode is GRE over IPv4. You must configure the same tunnel mode on both ends of a tunnel. Otherwise, packet delivery may fail.

Step: Configure the source address
Command: source { ip-address | interface-type...
Remarks: By default, no source address or
Configure a static route, using the address of the subnet the original packet is destined for as its destination address and the address of the peer tunnel interface as its next hop. Enable a dynamic routing protocol on both the tunnel interface and the router interface connecting the private network, so that the dynamic routing protocol can establish a routing entry that allows the tunnel to forward packets through the tunnel.
For information about tunnel interfaces and more configuration commands on a tunnel interface, see "Configuring tunneling."
For more information about commands interface tunnel, tunnel-protocol, source, destination, and tunnel discard ipv4-compatible-packet, see Layer 3—IP Services Command Reference.
Displaying and maintaining GRE
Task Command Remarks...
[SwitchA-vlan100] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vlan-interface100] quit
# Configure an IPv4 address for interface GigabitEthernet 1/0/2, the physical interface of the tunnel.
[SwitchA] vlan 101
[SwitchA-vlan101] port GigabitEthernet 1/0/2
[SwitchA-vlan101] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ip address 1.1.1.1 255.255.255.0
[SwitchA-Vlan-interface101] quit
# Create service loopback group 1, and configure the service type as tunnel.
# Configure an IPv4 address for interface GigabitEthernet 1/0/2, the physical interface of the tunnel.
[SwitchB] vlan 101
[SwitchB-vlan101] port GigabitEthernet 1/0/2
[SwitchB-vlan101] quit
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ip address 2.2.2.2 255.255.255.0
[SwitchB-Vlan-interface101] quit
# Create service loopback group 1, and configure the service type as tunnel.
[SwitchB] service-loopback group 1 type tunnel
# Add port GigabitEthernet 1/0/3 to service loopback group 1, and disable STP and LLDP on the port.
Checksumming of GRE packets disabled
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
10 packets input, 840 bytes
0 input error
10 packets output, 840 bytes
0 output error
[SwitchB] display interface tunnel 1
Tunnel1 current state: UP
Line protocol current state: UP...
Figure 82 Network diagram
Configuration procedure
Before the configuration, make sure Switch A and Switch B can reach each other.
Configure Switch A:
<SwitchA> system-view
# Enable IPv6.
[SwitchA] ipv6
# Configure interface VLAN-interface 100.
[SwitchA] vlan 100
[SwitchA-vlan100] port GigabitEthernet 1/0/1
[SwitchA-vlan100] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0...
# Configure the source address of the tunnel interface Tunnel0 as the IP address of the interface VLAN-interface 101.
[SwitchA-Tunnel0] source 2002::1:1
# Configure the destination address of the tunnel interface Tunnel0 as the IP address of the interface VLAN-interface 101 on Switch B.
[SwitchA-Tunnel0] destination 2001::2:1
# Apply service loopback group 1 to the tunnel in tunnel interface view.
[SwitchB-Tunnel0] source 2001::2:1
# Configure the destination address of the tunnel interface Tunnel0 to be the IP address of interface VLAN-interface 101 on Switch A.
[SwitchB-Tunnel0] destination 2002::1:1
# Apply service loopback group 1 to the tunnel in tunnel interface view.
[SwitchB-Tunnel0] service-loopback-group 1
[SwitchB-Tunnel0] quit
# Configure a static route from Switch B through the tunnel interface Tunnel0 to Group 1.
0 output error
# From Switch B, ping the IP address of VLAN-interface 100 on Switch A.
[SwitchB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms...
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category. ...
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.