Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

IPv6 features

Header format simplification

IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header. The basic IPv6 packet header has a fixed length of 40 bytes to simplify IPv6 packet handling and to improve the forwarding efficiency. Although an IPv6 address size is four times larger than an IPv4 address, the basic IPv6 packet header size is only twice the size of the option-less IPv4 packet header.

Figure 1 IPv4 packet header format and basic IPv6 packet header format

Larger address space

The source and destination IPv6 addresses are 128 bits (or 16 bytes) long. IPv6 can provide 3.4 x 10³⁸ addresses to meet the requirements of hierarchical address division and the allocation of public and private addresses.

Hierarchical address structure

IPv6 uses hierarchical address structure to quicken route searches and keep IPv6 routing tables small by route aggregation.

Address autoconfiguration

To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration.

· Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server).

· Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.

To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).

Built-in security

IPv6 defines extension headers to support IPsec. IPsec provides end-to-end security for network security solutions and enhances interoperability among different IPv6 applications.

QoS support

The Flow Label field in the IPv6 header allows the switch to label the packets and facilitates the special handling of a flow.

Enhanced neighbor discovery mechanism

The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol version 6 (ICMPv6) messages to manage the information exchange among neighboring nodes on the same link. The group of ICMPv6 messages replaces Address Resolution Protocol (ARP) messages, Internet Control Message Protocol version 4 (ICMPv4) Router Discovery messages, and ICMPv4 Redirect messages and provides a series of other functions.

Flexible extension headers

IPv6 eliminates the Options field in the header and introduces optional extension headers to provide scalability and improve efficiency. The Options field in the IPv4 packet header contains 40 bytes at most, whereas the IPv6 extension headers are restricted to the maximum size of IPv6 packets only.

IPv6 addresses

IPv6 address format

An IPv6 address is represented as a set of 16-bit hexadecimals separated by colons. An IPv6 address is divided into eight groups, and each 16-bit group is represented by four hexadecimal numbers, for example, 2001:0000:130F:0000:0000:09C0:876A:130B.

To simplify the representation of IPv6 addresses, zeros in IPv6 addresses can be handled as follows:

· The leading zeros in each group can be removed. For example, 2001:0000:130F:0000:0000:09C0:876A:130B can be represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.

· If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, 2001:0000:130F:0000:0000:09C0:876A:130B can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.

CAUTION:

A double colon may appear once or not at all in an IPv6 address. This limit allows the switch to determine how many zeros the double colon represents, and correctly converts it to zeros to restore a 128-bit IPv6 address.

An IPv6 address consists of two parts: an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address respectively.

An IPv6 address prefix is written in IPv6-address/prefix-length notation where the IPv6-address is represented in any of the formats above and the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address are the address prefix.

IPv6 address types

IPv6 addresses fall into three types: unicast address, multicast address, and anycast address.

· Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.

· Multicast address—An identifier for a set of interfaces (belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.

· Anycast address—An identifier for a set of interfaces (belonging to different nodes). A packet sent to an anycast address is delivered to the nearest one of the interfaces identified by that address. The nearest interface is chosen according to the routing protocols' measure of distance.

NOTE:

There are no broadcast addresses in IPv6. Their function is replaced by multicast addresses.

The type of an IPv6 address is designated by the first several bits called the format prefix. Table 1 lists the mappings between address types and format prefixes.

Table 1 Mappings between address types and format prefixes

Type		Format prefix (binary)	IPv6 prefix ID
Unicast address	Unspecified address	00...0 (128 bits)	::/128
	Loopback address	00...1 (128 bits)	::1/128
	Link-local address	1111111010	FE80::/10
	Site-local address	1111111011	FEC0::/10
	Global unicast address	Other forms	N/A
Multicast address		11111111	FF00::/8
Anycast address		Anycast addresses use the unicast address space and have the identical structure of unicast addresses.

Unicast addresses

Unicast addresses comprise global unicast addresses, link-local unicast addresses, site-local unicast addresses, the loopback address, and the unspecified address.

· Global unicast addresses, equivalent to public IPv4 addresses, are provided for network service providers. This type of address allows efficient prefix aggregation to restrict the number of global routing entries.

· Link-local addresses are used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.

· Site-local unicast addresses are similar to private IPv4 addresses. Packets with site-local source or destination addresses are not forwarded out of the local site (or a private network).

· The loopback address is 0:0:0:0:0:0:0:1 (or ::1). It may never be assigned to any physical interface and can be used by a node to send an IPv6 packet to itself in the same way as the loopback address in IPv4.

· The unspecified address is 0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.

Multicast addresses

IPv6 multicast addresses listed in Table 2 are reserved for special purposes.

Table 2 Reserved IPv6 multicast addresses

Address	Application
FF01::1	Node-local scope all-nodes multicast address
FF02::1	Link-local scope all-nodes multicast address
FF01::2	Node-local scope all-routers multicast address
FF02::2	Link-local scope all-routers multicast address
FF05::2	Site-local scope all-routers multicast address

Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format of a solicited-node multicast address is:

FF02:0:0:0:0:1:FFXX:XXXX

Where FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.

EUI-64 address-based interface identifiers

An interface identifier is 64 bits and uniquely identifies an interface on a link.

Various types of interfaces generate EUI-64 address-based interface identifiers in different ways.

· On an IEEE 802 interfaces (such as an Ethernet interface and a VLAN interface)

The interface identifier is derived from the link-layer address (typically a MAC address) of the interface. To expand the 48-bit MAC address to a 64-bit interface identifier, the hexadecimal number FFFE (16 bits of 1111111111111110) is inserted into the MAC address (behind the 24th high-order bit). To make sure that the obtained interface identifier is unique, the universal/local (U/L) bit (which is the seventh high-order bit) is set to 1. Thus, an EUI-64 address-based interface identifier is obtained.

Figure 2 shows the process of how an EUI-64 address-based interface identifier is generated from a MAC address.

Figure 2 Converting a MAC address into an EUI-64 address-based interface identifier

· On a tunnel interface

The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For more information about tunnels, see the chapter “Tunneling configuration.”

· On an interface of another type (such as a serial interface)

The EUI-64 address-based interface identifier is generated randomly by the switch.

IPv6 neighbor discovery protocol

The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 messages to implement the following functions:

· Address resolution

· Neighbor reachability detection

· Duplicate address detection

· Router/prefix discovery and address autoconfiguration

· Redirection

Table 3 lists the types and functions of ICMPv6 messages used by the ND protocol.

Table 3 ICMPv6 messages used by ND

ICMPv6 message	Type	Function
Neighbor Solicitation (NS) message	135	Acquires the link-layer address of a neighbor.
		Verifies whether a neighbor is reachable.
		Detects duplicate addresses.
Neighbor Advertisement (NA) message	136	Responds to an NS message.
Neighbor Advertisement (NA) message	136	Notifies the neighboring nodes of link layer changes.
Router Solicitation (RS) message	133	Requests for an address prefix and other configuration information for autoconfiguration after startup.
Router Advertisement (RA) message	134	Responds to an RS message.
Router Advertisement (RA) message	134	Advertises information such as the Prefix Information options and flag bits.
Redirect message	137	Informs the source host of a better next hop on the path to a particular destination when certain conditions are satisfied.

Address resolution

This function is similar to the ARP function in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA message exchanges. Figure 3 shows how Host A acquires the link-layer address of Host B on a single link.

Figure 3 Address resolution

The address resolution process is:

1. Host A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of Host A and the destination address is the solicited-node multicast address of Host B. The NS message contains the link-layer address of Host A.

2. After receiving the NS message, Host B judges whether the destination address of the packet is its solicited-node multicast address. If yes, Host B learns the link-layer address of Host A, and then unicasts an NA message containing its link-layer address.

3. Host A acquires the link-layer address of Host B from the NA message.

Neighbor reachability detection

After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages to check whether Host B is reachable.

1. Host A sends an NS message whose destination address is the IPv6 address of Host B.

2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable.

Duplicate address detection

After Host A acquires an IPv6 address, it performs Duplicate Address Detection (DAD) to check whether the address is being used by any other node (similar to the gratuitous ARP function in IPv4). DAD is accomplished through NS and NA message exchanges. Figure 4 shows the DAD process.

Figure 4 Duplicate address detection

1. Host A sends an NS message whose source address is the unspecified address and whose destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the IPv6 address.

2. If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6 address of Host B.

3. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from Host B. If receiving no NA message, Host A decides that the IPv6 address is not in use and uses this address.

Router/prefix discovery and address autoconfiguration

Router/prefix discovery enables a node to locate the neighboring routers and to learn from the received RA message configuration parameters such as the prefix of the network where the node is located.

Stateless address autoconfiguration enables a node to generate an IPv6 address automatically according to the information obtained through router/prefix discovery.

Router/prefix discovery is implemented through RS and RA messages:

1. At startup, a node sends an RS message to request from any available router for the address prefix and other configuration information for autoconfiguration.

2. A router returns an RA message containing information such as Prefix Information options. (The router also periodically sends an RA message.)

3. The node automatically generates an IPv6 address and other configuration information according to the address prefix and other configuration parameters in the RA message.

NOTE:

· In addition to an address prefix, the Prefix Information option also contains the preferred lifetime and valid lifetime of the address prefix. Nodes update the preferred lifetime and valid lifetime accordingly through periodic RA messages.

· An automatically generated address is applicable within the valid lifetime and is removed when the valid lifetime expires.

Redirection

A newly started host may contain only a default route to the gateway in its routing table. When certain conditions are satisfied, the gateway sends an ICMPv6 Redirect message to the source host so that the host can select a better next hop to forward packets (similar to the ICMP redirection function in IPv4).

The gateway sends an ICMPv6 Redirect message when the following conditions are satisfied:

· The receiving interface is the forwarding interface.

· The selected route itself is not created or modified by an ICMPv6 Redirect message.

· The selected route is not the default route.

· The IPv6 packet to be forwarded does not contain any routing header.

IPv6 PMTU discovery

The links that a packet passes from a source to a destination may have different maximum transmission units (MTUs). In IPv6, when the packet size exceeds the path MTU of a link, the packet is fragmented at the source end of the link to reduce the processing pressure on intermediate switches and use network resources effectively.

The path MTU (PMTU) discovery mechanism is designed to find the minimum MTU of all links in the path between a source and a destination. Figure 5 shows how a source host discovers the PMTU to a destination host.

Figure 5 PMTU discovery process

1. The source host compares its MTU with the packet to be sent, performs necessary fragmentation, and sends the resulting packet to the destination host.

2. If the MTU supported by a forwarding interface is smaller than the packet, the switch discards the packet and returns an ICMPv6 error packet containing the interface MTU to the source host.

3. After receiving the ICMPv6 error packet, the source host uses the returned MTU to limit the packet size, performs fragmentation, and sends the resulting packet to the destination host.

4. Step 2 and step 3 are repeated until the destination host receives the packet. In this way, the source host decides the minimum MTU of all links in the path to the destination host.

IPv6 transition technologies

Dual stack

Before IPv6 dominates the Internet, high-efficient, seamless IPv6 transition technologies are needed to enable communication between IPv4 and IPv6 networks. There are several IPv6 transition technologies, which can be used in different environments and periods, such as dual stack (RFC 2893), tunneling (RFC 2893), NAT-PT (RFC 2766), and 6PE.

Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is called a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can forward both IPv4 and IPv6 packets. For an upper layer application that supports both IPv4 and IPv6, either TCP or UDP can be selected at the transport layer, whereas the IPv6 stack is preferred at the network layer. Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual stack node must have a globally unique IP address.

Tunneling

Tunneling is an encapsulation technology that utilizes one network protocol to encapsulate packets of another network protocol and transfer them over the network. For more information about tunneling, see the chapter “Tunneling configuration.”

NAT-PT

Network Address Translation – Protocol Translation (NAT-PT) is usually applied on a switch between IPv4 and IPv6 networks to translate between IPv4 and IPv6 packets, allowing communication between IPv4 and IPv6 nodes. It performs IP address translation, and according to different protocols, performs semantic translation for packets. This technology is only suitable for communication between a pure IPv4 node and a pure IPv6 node. For more information about NAT-PT, see the chapter “NAT-PT configuration.”

6PE

6PE is a transition technology by which Internet service providers (ISPs) can use existing IPv4 backbone networks to allow communications between isolated IPv6 networks.

6PE adds labels to the IPv6 routing information of customer networks and advertises the information into the IPv4 backbone network over Internal Border Gateway Protocol (IBGP) sessions. IPv6 packets are labeled and forwarded over tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS LSPs. For more information about 6PE, see Layer 3—IP Routing Configuration Guide.

NOTE:

The switch does not support NAT-PT.

Protocols and standards

Protocols and standards related to IPv6 include:

· RFC 1881, IPv6 Address Allocation Management

· RFC 1887, An Architecture for IPv6 Unicast Address Allocation

· RFC 1981, Path MTU Discovery for IP version 6

· RFC 2375, IPv6 Multicast Address Assignments

· RFC 2460, Internet Protocol, Version 6 (IPv6) Specification

· RFC 2461, Neighbor Discovery for IP Version 6 (IPv6)

· RFC 2462, IPv6 Stateless Address Autoconfiguration

· RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification

· RFC 2464, Transmission of IPv6 Packets over Ethernet Networks

· RFC 2526, Reserved IPv6 Subnet Anycast Addresses

· RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses

· RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture

IPv6 basics configuration task list

Complete the following tasks to perform IPv6 basics configuration:

Task		Remarks
Configuring basic IPv6 functions.	Enabling IPv6	Required
	Configuring IPv6 global unicast addresses	Required to configure one
	Configuring an IPv6 link-local address
	Configure an IPv6 anycast address
Configuring IPv6 ND.	Configuring a static neighbor entry	Optional
	Configuring the maximum number of neighbors dynamically learned	Optional
	Setting the age timer for ND entries in stale state	Optional
	Configuring parameters related to RA messages	Optional
	Configuring the maximum number of attempts to send an NS message for DAD	Optional
	Configuring ND snooping	Optional
Configuring PMTU discovery.	Configuring the interface MTU	Optional
	Configuring a static PMTU for a specified IPv6 address	Optional
	Configuring the aging time for dynamic PMTUs	Optional
Configuring IPv6 TCP properties.		Optional
Configuring IPv6 FIB load sharing.		Optional
Configuring ICMPv6 packet sending.	Configuring the maximum ICMPv6 error packets sent in an interval	Optional
	Enabling replying to multicast echo requests	Optional
	Enabling sending of ICMPv6 time exceeded messages	Optional
	Enabling sending of ICMPv6 destination unreachable messages	Optional

Configuring basic IPv6 functions

Enabling IPv6

Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface cannot forward IPv6 packets even if it has an IPv6 address configured.

To enable IPv6:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable IPv6.	ipv6	Disabled by default

Configuring IPv6 global unicast addresses

IPv6 global unicast addresses can be configured in the following ways:

· Automatic configuration: When the EUI-64 format is used, the IPv6 address prefix of an interface is the configured prefix, and the interface identifier is generated automatically by the interface.

· Manual configuration.

NOTE:

· You can configure multiple IPv6 global unicast addresses with different prefixes on an interface.

· A manually configured global unicast address takes precedence over an automatically generated one. If a global unicast address has been automatically generated on an interface when you manually configure another one with the same address prefix, the latter overwrites the previous. The overwritten automatic global unicast address will not be restored even if the manual one is removed. Instead, a new global unicast address will be automatically generated based on the address prefix information in the RA message that the interface receives at the next time.

EUI-64 format

To configure an interface to generate an EUI-64 IPv6 address:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the interface to generate an IPv6 address in EUI-64 format.	ipv6 address ipv6-address \| prefix-length eui-64	By default, no IPv6 global unicast address is configured on an interface.

Manual configuration

To specify an IPv6 address manually for an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure an IPv6 address manually.	ipv6 address { ipv6-address prefix-length \| ipv6-address \| prefix-length }	By default, no IPv6 global unicast address is configured on an interface.

Configuring an IPv6 link-local address

IPv6 link-local addresses can be configured in either of the following ways:

· Automatic generation—The switch automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.

· Manual assignment—IPv6 link-local addresses can be assigned manually.

NOTE:

· An interface can have one link-local address only. To avoid link-local address conflicts, H3C recommends using the method of generating a link-local address on an interface automatically.

· Manual assignment takes precedence over automatic generation. If you first use automatic generation and then manual assignment, the manually assigned link-local address will overwrite the automatically generated one. If you first use manual assignment and then automatic generation, the automatically generated link-local address will not take effect and the link-local address is still the manually assigned one. If you delete the manually assigned address, the automatically generated link-local address is validated.

To configure automatic generation of an IPv6 link-local address for an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the interface to automatically generate an IPv6 link-local address.	ipv6 address auto link-local	Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.

To configure an IPv6 link-local address manually:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure an IPv6 link-local address manually.	ipv6 address ipv6-address link-local	Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.

NOTE:

· After an IPv6 global unicast address is configured for an interface, a link-local address is generated automatically. The automatically generated link-local address is the same as the one generated by using the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface, this manual link-local address takes effect. If the manually assigned link-local address is removed, the automatically generated link-local address takes effect.

· The undo ipv6 address auto link-local command can only remove the link-local addresses generated through the ipv6 address auto link-local command. However, if an IPv6 global unicast address is already configured for an interface, the interface still has a link-local address because the system automatically generates one for the interface. If no IPv6 global unicast address is configured, the interface has no link-local address.

Configure an IPv6 anycast address

To configure an IPv6 anycast address for an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure an IPv6 anycast address.	ipv6 address ipv6-address \| prefix-length anycast	Optional. By default, no IPv6 anycast address is configured on an interface.

Configuring IPv6 ND

Configuring a static neighbor entry

The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry.

The switch uniquely identifies a static neighbor entry according to the neighbor IPv6 address and the local Layer 3 interface number. There are two configuration methods:

· Associate a neighbor IPv6 address and link-layer address with the Layer 3 interface of the local node.

· Associate a neighbor IPv6 address and link-layer address with a port in a VLAN containing the local node.

To configure a static neighbor entry:

Step	Command
1. Enter system view.	system-view
2. Configure a static neighbor entry.	ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number \| interface interface-type interface-number } [ vpn-instance vpn-instance-name ]

CAUTION:

You can use either method above to configure a static neighbor entry for a VLAN interface.

· After a static neighbor entry is configured by using the first method, the switch needs to resolve the corresponding Layer 2 port information of the VLAN interface.

· If you use the second method, make sure that the corresponding VLAN interface exists and that the Layer 2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. After a static neighbor entry is configured, the switch associates the VLAN interface with the IPv6 address to identify the static neighbor entry uniquely.

· In IRF mode, the mac-address argument in a static neighbor entry cannot be the same as that in the multi-port unicast MAC address entry. Otherwise, conflicts may occur. For more information about the multi-port unicast MAC address entry, see Layer 2—LAN Switching Configuration Guide.

Configuring the maximum number of neighbors dynamically learned

The switch can dynamically acquire the link-layer address of a neighboring node through NS and NA messages and add it into the neighbor table. A large table may reduce the forwarding performance of the switch. You can restrict the size of the neighbor table by setting the maximum number of neighbors that an interface can dynamically learn. When the number of dynamically learned neighbors reaches the threshold, the interface will stop learning neighbor information.

To configure the maximum number of neighbors dynamically learned:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the maximum number of neighbors dynamically learned by an interface.	ipv6 neighbors max-learning-num number	Optional. By default, the maximum number of neighbors that a Layer 2 Ethernet interface can learn is the maximum neighbor number supported by the adopted system working mode.

Setting the age timer for ND entries in stale state

ND entries in stale state have an age timer. If an ND entry in stale state is not refreshed before the timer expires, it transits to the delay state. If it is still not refreshed in five seconds, the ND entry transits to the probe state, and the device sends an NS message for detection. If no response is received after three ND messages are sent, the device removes the ND entry.

To set the age timer for ND entries in stale state:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the age timer for ND entries in stale state.	ipv6 neighbor stale-aging aging-time	Optional. Four hours by default.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Set the age timer for ND entries in stale state.

ipv6 neighbor stale-aging aging-time

Optional.

Four hours by default.

Configuring parameters related to RA messages

You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform operations. Table 4 lists and describes the configurable parameters in an RA message.

Table 4 Parameters in an RA message and their descriptions

Parameters	Description
Cur Hop Limit	When sending an IPv6 packet, a host uses the value to fill the Hop Limit field in IPv6 headers. The value is also filled into the Hop Limit field in the response packet of a switch.
Prefix Information options	After receiving the prefix information advertised by the switch, the hosts on the same link can perform stateless autoconfiguration.
MTU	This field is used to make sure that all nodes on a link use the same MTU value.
M flag	This field determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use the stateful autoconfiguration (for example, through a DHCP server) to acquire IPv6 addresses. Otherwise, hosts use the stateless autoconfiguration to acquire IPv6 addresses. Hosts generate IPv6 addresses according to their own link-layer addresses and the prefix information advertised by the router.
O flag	This field determines whether hosts use stateful autoconfiguration to acquire other configuration information. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, through a DHCP server) to acquire other configuration information. Otherwise, hosts use stateless autoconfiguration to acquire other configuration information.
Router Lifetime	This field tells the receiving hosts how long this router can serve as a default router. According to the router lifetime in the received RA messages, hosts determine whether the router sending RA messages can serve as the default router.
Retrans Timer	If the switch fails to receive a response message within the specified time after sending an NS message, the switch will retransmit the NS message.
Reachable Time	If the neighbor reachability detection shows that a neighbor is reachable, the switch considers the neighbor reachable within the specified reachable time. If the switch needs to send a packet to a neighbor after the specified reachable time expires, the switch will reconfirm whether the neighbor is reachable.

To allow sending of RA messages:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Disable RA message suppression.	undo ipv6 nd ra halt	By default, RA messages are suppressed.
4. Configure the maximum and minimum intervals for sending RA messages.	ipv6 nd ra interval max-interval-value min-interval-value	Optional. By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds. The switch sends RA messages at random intervals between the maximum interval and the minimum interval. The minimum interval should be less than or equal to 0.75 times the maximum interval.

To configure parameters related to RA messages:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure the hop limit.	ipv6 nd hop-limit value	Optional. 64 by default.
3. Enter interface view.	interface interface-type interface-number	N/A
4. Configure the prefix information in RA messages.	ipv6 nd ra prefix { ipv6-prefix prefix-length \| ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig \| off-link ] *	Optional. By default, no prefix information is configured for RA messages, and the IPv6 address of the interface sending RA messages is used as the prefix information with valid lifetime 2592000 seconds (30 days) and preferred lifetime 604800 seconds (7 days).
5. Turn off the MTU option in RA messages.	ipv6 nd ra no-advlinkmtu	Optional. By default, RA messages contain the MTU option.
6. Set the M flag bit to 1.	ipv6 nd autoconfig managed-address-flag	Optional. By default, the M flag bit is set to 0. Hosts acquire IPv6 addresses through stateless autoconfiguration.
7. Set the O flag bit to 1.	ipv6 nd autoconfig other-flag	Optional. By default, the O flag bit is set to 0. Hosts acquire other configuration information through stateless autoconfiguration.
8. Configure the router lifetime in RA messages.	ipv6 nd ra router-lifetime value	Optional. 1800 seconds by default.
9. Set the NS retransmission timer.	ipv6 nd ns retrans-timer value	Optional. By default, the local interface sends NS messages at 1000 millisecond intervals, and the value of the Retrans Timer field in RA messages sent by the local interface is 0.
10. Set the reachable time.	ipv6 nd nud reachable-time value	Optional. By default, the neighbor reachable time on the local interface is 30000 milliseconds, and the value of the Reachable Time field in the RA messages sent by the local interface is 0.

NOTE:

· The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages, so that the router can be updated through an RA message before expiration.

· The values of the NS retransmission timer and the reachable time configured for an interface are sent to hosts via RA messages. Furthermore, this interface sends NS messages at the interval of the NS retransmission timer and considers a neighbor reachable within the reachable time.

Configuring the maximum number of attempts to send an NS message for DAD

An interface sends an NS message for DAD after acquiring an IPv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it continues to send an NS message. If it still does not receive a response after the number of sent attempts reaches the threshold (specified with the ipv6 nd dad attempts command), the acquired address is considered usable.

To configure the attempts to send an NS message for DAD:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the number of attempts to send an NS message for DAD.	ipv6 nd dad attempts value	Optional. 1 by default. When the value argument is set to 0, DAD is disabled.

Configuring ND snooping

Configuration preparation

Complete the following task before you configure ND snooping:

Execute the acl ipv6 enable command in system view.

NOTE:

For more information about the command acl ipv6 enable, see ACL and QoS Configuration References.

Introduction

The ND snooping feature is used in Layer 2 switching networks. It creates ND snooping entries using DAD NS messages.

ND snooping entries are used to:

· Cooperate with the ND detection function. For more information about ND detection, see Security Configuration Guide.

· Cooperate with the IP Source Guard function. For more information about IP Source Guard, see Security Configuration Guide.

After you enable ND snooping on a VLAN of a switch, ND packets received by the interfaces of the VLAN are redirected to the CPU. The CPU uses the ND packets to create or update ND snooping entries comprising source IPv6 address, source MAC address, receiving VLAN, and receiving port information.

The following describes how an ND snooping entry is created, updated, and aged out.

1. Creating an ND snooping entry

The switch only uses received DAD NS messages to create ND snooping entries.

2. Updating an ND snooping entry

Upon receiving an ND packet, the switch searches the ND snooping table for an entry containing the source IPv6 address of the packet. If the entry was refreshed within one second, the switch does not update the entry. If the entry is not refreshed for more than one second, the switch matches the MAC address of the ND packet and the receiving port against that in the entry.

¡ If both of them match those in the entry, the device updates the aging time of the ND snooping entry.

¡ If neither of them matches the entry and the received packet is a DAD NS message, the message is ignored.

¡ If neither of them matches the entry and the received packet is not a DAD NS message, the switch performs active acknowledgement.

The active acknowledgement process is as follows:

¡ The switch checks the validity of the existing ND snooping entry. The switch sends out a DAD NS message including the IPv6 address of the ND snooping entry. If a corresponding NA message (whose source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of the existing entry) is received, the device updates the aging time of the existing entry. If no corresponding NA message is received within one second after the DAD NS message is sent, the device starts to check the validity of the received ND packet.

¡ To check the validity of the received ND packet (packet A for example), the switch sends out a DAD NS message including the source IPv6 address of packet A. If a corresponding NA message (whose source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of packet A) is received, the device updates the aging time of the entry. If no corresponding NA message is received within one second after the DAD NS message is sent, the device does not update the entry.

3. Aging out an ND snooping entry

An ND snooping entry is aged out after 25 minutes. If an ND snooping entry is not updated within 15 minutes, the switch performs active acknowledgement as follows:

The switch sends out a DAD NS message including the IPv6 address of the ND snooping entry.

¡ If a corresponding NA message is received (the source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of the existing entry), the device updates the aging time of the existing entry.

¡ If no corresponding NA message is received within one second after the DAD NS message is sent out, the device removes the entry when the timer expires.

Configuration procedure

To configure ND snooping:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VLAN view.	vlan vlan-id	N/A
3. Enable ND snooping.	ipv6 nd snooping enable	Disabled by default.
4. Return to system view.	quit	N/A
5. Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
6. Configure the maximum number of ND snooping entries the interface can learn.	ipv6 nd snooping max-learning-num number	Optional. By default, the number of ND snooping entries an interface can learn is unlimited.

Configuring PMTU discovery

Configuring the interface MTU

IPv6 routers do not support packet fragmentation. After an IPv6 router receives an IPv6 packet, if the packet size is greater than the MTU of the forwarding interface, the router will discard the packet. Meanwhile, the router sends the MTU to the source host through an ICMPv6 packet — Packet Too Big message. The source host fragments the packet according to the MTU and resends it. To reduce the extra flow overhead resulting from packets being discarded, a proper interface MTU should be configured according to the actual networking environment.

To configure the interface MTU:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure the interface MTU.	ipv6 mtu mtu-size	Optional. By default, the MTU of IPv6 packets sent over an interface is 1500 bytes.

Configuring a static PMTU for a specified IPv6 address

You can configure a static PMTU for a specified destination IPv6 address. When a source host sends a packet through an interface, it compares the interface MTU with the static PMTU of the specified destination IPv6 address. If the packet size is larger than the smaller one of the two values, the host fragments the packet according to the smaller value.

To configure a static PMTU for a specified IPv6 address:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a static PMTU for a specified IPv6 address.	ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address [ value ]	By default, no static PMTU is configured.

Configuring the aging time for dynamic PMTUs

After the path MTU from a source host to a destination host is dynamically determined (see “IPv6 PMTU discovery”), the source host sends subsequent packets to the destination host based on this MTU. After the aging time expires, the dynamic PMTU is removed and the source host re-determines a dynamic path MTU through the PMTU mechanism.

The aging time is invalid for a static PMTU.

To configure the aging time for dynamic PMTUs:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure the aging time for dynamic PMTUs.	ipv6 pathmtu age age-time	Optional. 10 minutes by default.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the aging time for dynamic PMTUs.

ipv6 pathmtu age age-time

Optional.

10 minutes by default.

Configuring IPv6 TCP properties

The IPv6 TCP properties you can configure include:

· synwait timer: When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.

· finwait timer: When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated. If a FIN packet is received, the IPv6 TCP connection status becomes TIME_WAIT. If non-FIN packets are received, the finwait timer is reset upon receipt of the last non-FIN packet and the connection is terminated after the finwait timer expires.

· Size of the IPv6 TCP sending/receiving buffer.

To configure IPv6 TCP properties:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the synwait timer.	tcp ipv6 timer syn-timeout wait-time	Optional. 75 seconds by default.
3. Set the finwait timer.	tcp ipv6 timer fin-timeout wait-time	Optional. 675 seconds by default.
4. Set the size of the IPv6 TCP sending/receiving buffer.	tcp ipv6 window size	Optional. 8 KB by default.

Configuring IPv6 FIB load sharing

In the IPv6 FIB load sharing mode, the switch can decide how to select equal cost multi-paths (ECMP) to forward packets. The switch supports the following load sharing modes.

· Load sharing based on the HASH algorithm: An algorithm based on the source IPv6 address and destination IPv6 address is adopted to select an ECMP route to forward packets.

· Load sharing based on polling: Each ECMP route is used in turn to forward packets.

To configure the IPv6 FIB load sharing:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure the IPv6 FIB load sharing mode.	· Configure the load sharing based on the hash algorithm: ipv6 fib-loadbalance-type hash-based · Configure the load sharing based on polling: undo ipv6 fib-loadbalance-type hash-based	Optional. By default, the load sharing based on polling is adopted, and each ECMP route is used in turn to forward packets.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the IPv6 FIB load sharing mode.

· Configure the load sharing based on the hash algorithm:
ipv6 fib-loadbalance-type hash-based

· Configure the load sharing based on polling:
undo ipv6 fib-loadbalance-type hash-based

Optional.

By default, the load sharing based on polling is adopted, and each ECMP route is used in turn to forward packets.

Configuring ICMPv6 packet sending

Configuring the maximum ICMPv6 error packets sent in an interval

If too many ICMPv6 error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of ICMPv6 error packets sent within a specified time by adopting the token bucket algorithm.

You can set the capacity of a token bucket to determine the number of tokens in the bucket. In addition, you can set the update interval of the token bucket. The interval for restoring the configured capacity. One token allows one ICMPv6 error packet to be sent. Each time an ICMPv6 error packet is sent, the number of tokens in a token bucket decreases by one. If the number of ICMPv6 error packets successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot be sent out until the capacity of the token bucket is restored.

To configure the capacity and update interval of the token bucket:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure the capacity and update interval of the token bucket.	ipv6 icmp-error { bucket bucket-size \| ratelimit interval } *	Optional. By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. At most 10 ICMPv6 error packets can be sent within 100 milliseconds. The update interval “0” indicates that the number of ICMPv6 error packets sent is not restricted.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the capacity and update interval of the token bucket.

ipv6 icmp-error { bucket bucket-size | ratelimit interval } *

Optional.

By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. At most 10 ICMPv6 error packets can be sent within 100 milliseconds.

The update interval “0” indicates that the number of ICMPv6 error packets sent is not restricted.

Enabling replying to multicast echo requests

If hosts are configured to answer multicast echo requests, an attacker may use this mechanism to attack a host. For example, if Host A (an attacker) sends an echo request with the source being Host B to a multicast address, all the hosts in the multicast group will send echo replies to Host B. To prevent such an attack, disable a device from replying multicast echo requests by default. In some application scenarios, however, you need to enable the device to reply multicast echo requests.

To enable replying to multicast echo requests:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable replying to multicast echo requests.	ipv6 icmpv6 multicast-echo-reply enable	Disabled by default

Enabling sending of ICMPv6 time exceeded messages

A switch sends out an ICMPv6 Time Exceeded message in the following cases:

· If a received IPv6 packet’s destination IP address is not a local address and its hop limit is 1, the switch sends an ICMPv6 Hop Limit Exceeded message to the source.

· Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the switch starts a timer. If the timer expires before all the fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source.

If large amounts of malicious packets are received, the performance of a switch degrades greatly because it has to send back ICMP Time Exceeded messages. You can disable sending of ICMPv6 Time Exceeded messages.

To enable sending of ICMPv6 time exceeded messages:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable sending of ICMPv6 Time Exceeded messages.	ipv6 hoplimit-expires enable	Optional. Enabled by default.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enable sending of ICMPv6 Time Exceeded messages.

ipv6 hoplimit-expires enable

Optional.

Enabled by default.

Enabling sending of ICMPv6 destination unreachable messages

If the device fails to forward a received IPv6 packet due to one of the following reasons, it drops the packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.

· If no route is available for forwarding the packet, the device sends a "no route to destination" ICMPv6 error message to the source. This feature is available only on base cards.

· If the device fails to resolve the corresponding link layer address of the destination IPv6 address, the device sends the source an "address unreachable" ICMPv6 error message.

· If the packet with the destination being local and transport layer protocol being UDP and the packet’s destination port number does not match the running process, the device sends the source a "port unreachable" ICMPv6 error message.

If an attacker sends abnormal traffic that causes the device to generate ICMPv6 destination unreachable messages, end users may be affected. To prevent such attacks, you can disable the device from sending ICMPv6 destination unreachable messages.

To enable sending of ICMPv6 destination unreachable messages:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable sending of ICMPv6 destination unreachable messages.	ipv6 unreachables enable	Disabled by default

Displaying and maintaining IPv6 basics configuration

Task	Command	Remarks
Display the IPv6 FIB entries.	display ipv6 fib [ vpn-instance vpn-instance-name ] [ acl6 acl6-number \| ipv6-prefix ipv6-prefix-name ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the IPv6 FIB entry of a specified destination IPv6 address.	display ipv6 fib [ vpn-instance vpn-instance-name ] ipv6-address [ prefix-length ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the IPv6 information of the interface.	display ipv6 interface [ interface-type [ interface-number ] ] [ brief ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display neighbor information (in standalone mode).	display ipv6 neighbors { { ipv6-address \| all \| dynamic \| static } [ slot slot-number ] \| interface interface-type interface-number \| vlan vlan-id } [ verbose ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display neighbor information (in IRF mode).	display ipv6 neighbors { { ipv6-address \| all \| dynamic \| static } [ chassis chassis-number slot slot-number ] \| interface interface-type interface-number \| vlan vlan-id } [ verbose ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the total number of neighbor entries satisfying the specified conditions (in standalone mode).	display ipv6 neighbors { { all \| dynamic \| static } [ slot slot-number ] \| interface interface-type interface-number \| vlan vlan-id } count [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the total number of neighbor entries satisfying the specified conditions (in IRF mode).	display ipv6 neighbors { { all \| dynamic \| static } [ chassis chassis-number slot slot-number ] \| interface interface-type interface-number \| vlan vlan-id } count [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the neighbor information of a specified VPN.	display ipv6 neighbors vpn-instance vpn-instance-name [ count ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the IPv6 PMTU information.	display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address \| all \| dynamic \| static } [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display socket information (in standalone mode).	display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display socket information (in IRF mode).	display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] [ chassis chassis-number slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the statistics of IPv6 packets and ICMPv6 packets (in standalone mode).	display ipv6 statistics [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the statistics of IPv6 packets and ICMPv6 packets (in IRF mode).	display ipv6 statistics [ chassis chassis-number slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the IPv6 TCP connection statistics.	display tcp ipv6 statistics [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the IPv6 TCP connection status information.	display tcp ipv6 status [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display the IPv6 UDP connection statistics.	display udp ipv6 statistics [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Display ND snooping entries.	display ipv6 nd snooping [ ipv6-address \| vlan vlan-id ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view
Clear IPv6 neighbor information (in standalone mode).	reset ipv6 neighbors { all \| dynamic \| interface interface-type interface-number \| slot slot-number \| static }	Available in user view
Clear IPv6 neighbor information (in IRF mode).	reset ipv6 neighbors { all \| dynamic \| interface interface-type interface-number \| chassis chassis-number slot slot-number \| static }	Available in user view
Clear the PMTU values.	reset ipv6 pathmtu { all \| static \| dynamic}	Available in user view
Clear the statistics of IPv6 and ICMPv6 packets (in standalone mode).	reset ipv6 statistics [ slot slot-number ]	Available in user view
Clear the statistics of IPv6 and ICMPv6 packets (in IRF mode).	reset ipv6 statistics [ chassis chassis-number slot slot-number ]	Available in user view
Clear the statistics of all IPv6 TCP connection statistics.	reset tcp ipv6 statistics	Available in user view
Clear the statistics of all IPv6 UDP packets.	reset udp ipv6 statistics	Available in user view
Clear ND snooping entries.	reset ipv6 nd snooping [ ipv6-address \| vlan vlan-id ]	Available in user view

IPv6 basics configuration example

NOTE:

By default, the Ethernet interface, VLAN interfaces, and aggregate interfaces are down. Before configuring them, bring them up with the undo shutdown command.

Network requirements

· Host, Switch A and Switch B are directly connected through Ethernet ports. Add the Ethernet ports into corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify that they are connected.

· The global unicast addresses of VLAN-interface 1 and VLAN-interface 2 on Switch A are 2001::1/64 and 3001::1/64 respectively.

· The global unicast address of VLAN-interface 2 on Switch B is 3001::2/64, and a route to Host is available.

· IPv6 is enabled for Host to automatically obtain an IPv6 address through IPv6 ND, and a route to Switch B is available.

Figure 6 Network diagram

NOTE:

The VLAN interfaces have been created on the switches.

Configuration procedure

1. Configure Switch A:

# Enable IPv6.

<SwitchA> system-view

[SwitchA] ipv6

# Specify a global unicast address for VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ipv6 address 3001::1/64

[SwitchA-Vlan-interface2] quit

# Specify a global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ipv6 address 2001::1/64

[SwitchA-Vlan-interface1] undo ipv6 nd ra halt

[SwitchA-Vlan-interface1] quit

2. Configure Switch B:

# Enable IPv6.

<SwitchB> system-view

[SwitchB] ipv6

# Configure a global unicast address for VLAN-interface 2.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ipv6 address 3001::2/64

[SwitchB-Vlan-interface2] quit

# Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1.

[SwitchB] ipv6 route-static 2001:: 64 3001::1

3. Configure the host:

Enable IPv6 for the host to automatically obtain an IPv6 address through IPv6 ND.

# Use the command ping ipv6 on Switch A to check if the switch B is reachable.

[SwitchA] ping ipv6 3001::1

PING 3001::1 : 56 data bytes, press CTRL_C to break

Reply from 3001::1

bytes=56 Sequence=0 hop limit=64 time = 3 ms

Reply from 3001::1

bytes=56 Sequence=1 hop limit=64 time = 2 ms

Reply from 3001::1

bytes=56 Sequence=2 hop limit=64 time = 2 ms

Reply from 3001::1

bytes=56 Sequence=3 hop limit=64 time = 3 ms

Reply from 3001::1

bytes=56 Sequence=4 hop limit=64 time = 9 ms

--- 3001::1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 2/3/9 ms

# Display neighbor information on GigabitEthernet 3/0/2 of Switch A.

[SwitchA] display ipv6 neighbors interface gigabitethernet 3/0/2

Type: S-Static D-Dynamic

IPv6 Address Link-layer VID Interface State T Age

FE80::215:E9FF:FEA6:7D14 0015-e9a6-7d14 1 GE3/0/2 STALE D 1238

2001::15B:E0EA:3524:E791 0015-e9a6-7d14 1 GE3/0/2 STALE D 1248

The output shows that the IPv6 global unicast address that the host obtained is 2001::15B:E0EA:3524:E791.

Verifying the configuration

# Display the IPv6 interface settings on Switch A. All the IPv6 global unicast addresses configured on the interface are displayed.

[SwitchA] display ipv6 interface vlan-interface 2

Vlan-interface2 current state :UP

Line protocol current state :UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2

Global unicast address(es):

3001::1, subnet is 3001::/64

Joined group address(es):

FF02::1:FF00:0

FF02::1:FF00:1

FF02::1:FF00:2

FF02::2

FF02::1

MTU is 1500 bytes

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND retransmit interval is 1000 milliseconds

Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

InReceives: 25829

InTooShorts: 0

InTruncatedPkts: 0

InHopLimitExceeds: 0

InBadHeaders: 0

InBadOptions: 0

ReasmReqds: 0

ReasmOKs: 0

InFragDrops: 0

InFragTimeouts: 0

OutFragFails: 0

InUnknownProtos: 0

InDelivers: 47

OutRequests: 89

OutForwDatagrams: 48

InNoRoutes: 0

InTooBigErrors: 0

OutFragOKs: 0

OutFragCreates: 0

InMcastPkts: 6

InMcastNotMembers: 25747

OutMcastPkts: 48

InAddrErrors: 0

InDiscards: 0

OutDiscards: 0

[SwitchA] display ipv6 interface vlan-interface 1

Vlan-interface1 current state :UP

Line protocol current state :UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0

Global unicast address(es):

2001::1, subnet is 2001::/64

Joined group address(es):

FF02::1:FF00:0

FF02::1:FF00:1

FF02::1:FF00:1C0

FF02::2

FF02::1

MTU is 1500 bytes

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND retransmit interval is 1000 milliseconds

ND advertised reachable time is 0 milliseconds

ND advertised retransmit interval is 0 milliseconds

ND router advertisements are sent every 600 seconds

ND router advertisements live for 1800 seconds

Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

InReceives: 272

InTooShorts: 0

InTruncatedPkts: 0

InHopLimitExceeds: 0

InBadHeaders: 0

InBadOptions: 0

ReasmReqds: 0

ReasmOKs: 0

InFragDrops: 0

InFragTimeouts: 0

OutFragFails: 0

InUnknownProtos: 0

InDelivers: 159

OutRequests: 1012

OutForwDatagrams: 35

InNoRoutes: 0

InTooBigErrors: 0

OutFragOKs: 0

OutFragCreates: 0

InMcastPkts: 79

InMcastNotMembers: 65

OutMcastPkts: 938

InAddrErrors: 0

InDiscards: 0

OutDiscards: 0

# Display the IPv6 interface settings on Switch B. All the IPv6 global unicast addresses configured on the interfaces are displayed.

[SwitchB] display ipv6 interface vlan-interface 2

Vlan-interface2 current state :UP

Line protocol current state :UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234

Global unicast address(es):

3001::2, subnet is 3001::/64

Joined group address(es):

FF02::1:FF00:0

FF02::1:FF00:2

FF02::1:FF00:1234

FF02::2

FF02::1

MTU is 1500 bytes

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND retransmit interval is 1000 milliseconds

Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

InReceives: 117

InTooShorts: 0

InTruncatedPkts: 0

InHopLimitExceeds: 0

InBadHeaders: 0

InBadOptions: 0

ReasmReqds: 0

ReasmOKs: 0

InFragDrops: 0

InFragTimeouts: 0

OutFragFails: 0

InUnknownProtos: 0

InDelivers: 117

OutRequests: 83

OutForwDatagrams: 0

InNoRoutes: 0

InTooBigErrors: 0

OutFragOKs: 0

OutFragCreates: 0

InMcastPkts: 28

InMcastNotMembers: 0

OutMcastPkts: 7

InAddrErrors: 0

InDiscards: 0

OutDiscards: 0

# Ping Switch A and Switch B on the host, and ping Switch A and the host on Switch B to verify whether they are connected.

CAUTION:

When you ping a link-local address, you should use the “–i” parameter to specify an interface for the link-local address.

[SwitchB] ping ipv6 -c 1 3001::1

PING 3001::1 : 56 data bytes, press CTRL_C to break

Reply from 3001::1

bytes=56 Sequence=1 hop limit=64 time = 2 ms

--- 3001::1 ping statistics ---

1 packet(s) transmitted

1 packet(s) received

0.00% packet loss

round-trip min/avg/max = 2/2/2 ms

[SwitchB-Vlan-interface2] ping ipv6 -c 1 2001::15B:E0EA:3524:E791

PING 2001::15B:E0EA:3524:E791 : 56 data bytes, press CTRL_C to break

Reply from 2001::15B:E0EA:3524:E791

bytes=56 Sequence=1 hop limit=63 time = 3 ms

--- 2001::15B:E0EA:3524:E791 ping statistics ---

1 packet(s) transmitted

1 packet(s) received

0.00% packet loss

round-trip min/avg/max = 3/3/3 ms

As shown in the output information, Switch B can ping Switch A and the host.

Troubleshooting IPv6 basics configuration

Symptom

The peer IPv6 address cannot be pinged.

Solution

· Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled.

· Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.

06-Layer 3 - IP Services Configuration Guide

IPv6 features

Header format simplification

Larger address space

Hierarchical address structure

Address autoconfiguration

Built-in security

QoS support

Enhanced neighbor discovery mechanism

Flexible extension headers

IPv6 addresses

IPv6 address format

IPv6 address types

Unicast addresses

Multicast addresses

EUI-64 address-based interface identifiers

IPv6 neighbor discovery protocol

Address resolution

Neighbor reachability detection

IPv6 transition technologies

Dual stack

Tunneling

NAT-PT

6PE

IPv6 basics configuration task list

Configuring IPv6 global unicast addresses

EUI-64 format

Manual configuration

Configuring IPv6 ND

Configuring parameters related to RA messages

Configuration preparation

Introduction

Configuration procedure

Configuring PMTU discovery

Configuring the aging time for dynamic PMTUs

Configuring IPv6 TCP properties

Configuring IPv6 FIB load sharing

Configuring ICMPv6 packet sending

Configuring the maximum ICMPv6 error packets sent in an interval

Enabling replying to multicast echo requests

Enabling sending of ICMPv6 time exceeded messages

Enabling sending of ICMPv6 destination unreachable messages

IPv6 basics configuration example

Network requirements

Configuration procedure

Verifying the configuration

Troubleshooting IPv6 basics configuration

Symptom

Solution

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us