04-Layer 3—IP Services Configuration Guide


Contents

Configuring ARP
Overview
ARP message format
ARP operating mechanism
ARP table
Configuring a static ARP entry
Configuring a multiport ARP entry
Setting the maximum number of dynamic ARP entries for a device
Setting the maximum number of dynamic ARP entries for an interface
Setting the aging timer for dynamic ARP entries
Enabling dynamic ARP entry check
Synchronizing ARP entries
Configuring a customer-side port
Enabling ARP logging
Displaying and maintaining ARP
Configuration examples
Long static ARP entry configuration example
Short static ARP entry configuration example
Multiport ARP entry configuration example
Configuring gratuitous ARP
Overview
Gratuitous ARP packet learning
Periodic sending of gratuitous ARP packets
Configuration procedure
Enabling IP conflict notification
Configuring proxy ARP
Enabling common proxy ARP
Enabling local proxy ARP
Displaying proxy ARP
Common proxy ARP configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring ARP snooping
Configuration procedure
Displaying and maintaining ARP snooping
Configuring ARP fast-reply
Overview
Configuration procedure
ARP fast-reply configuration example
Network requirements
Configuration procedure
Configuring IP addressing
Overview
IP address classes
Special IP addresses
Subnetting and masking
Assigning an IP address to an interface
Configuration guidelines
Configuration procedure
Displaying and maintaining IP addressing
IP address configuration example
Network requirements
Configuration procedure
Verifying the configuration
DHCP overview
DHCP address allocation
Allocation mechanisms
IP address allocation process
IP address lease extension
DHCP message format
DHCP options
Common DHCP options
Custom DHCP options
Protocols and standards
Configuring the DHCP server
Overview
DHCP address pool
IP address allocation sequence
DHCP server configuration task list
Configuring an address pool on the DHCP server
Configuration task list
Creating a DHCP address pool
Specifying IP address ranges for a DHCP address pool
Specifying gateways for DHCP clients
Specifying a domain name suffix for DHCP clients
Specifying DNS servers for DHCP clients
Specifying WINS servers and NetBIOS node type for DHCP clients
Specifying BIMS server for DHCP clients
Specifying the configuration file for DHCP client auto-configuration
Specifying a server for DHCP clients
Customizing DHCP options
Enabling DHCP
Enabling the DHCP server on an interface
Applying an address pool on an interface
Configuring a DHCP policy for dynamic address assignment
Configuring IP address conflict detection
Enabling handling of Option 82
Configuring DHCP server compatibility
Configuring the DHCP server to broadcast all responses
Setting the DSCP value for DHCP packets sent by the DHCP server
Applying a DHCP address pool to a VPN instance
Displaying and maintaining the DHCP server
DHCP server configuration examples
Dynamic IP address assignment configuration example
DHCP user class configuration example
Primary and secondary subnets configuration example
DHCP option customization configuration example
Troubleshooting DHCP server configuration
Symptom
Analysis
Solution
Configuring the DHCP relay agent
Overview
Operation
DHCP relay agent support for Option 82
DHCP relay agent configuration task list
Enabling DHCP
Enabling the DHCP relay agent on an interface
Specifying DHCP servers on a relay agent
Configuring the DHCP relay agent security features
Enabling the DHCP relay agent to record relay entries
Enabling periodic refresh of dynamic relay entries
Enabling DHCP starvation attack protection
Configuring the DHCP relay agent to release an IP address
Configuring Option 82
Setting the DSCP value for DHCP packets sent by the DHCP relay agent
Configuring a DHCP address pool on the DHCP relay agent
Configuring the DHCP smart relay feature
Displaying and maintaining the DHCP relay agent
DHCP relay agent configuration examples
DHCP relay agent configuration example
Option 82 configuration example
Troubleshooting DHCP relay agent configuration
Symptom
Analysis
Solution
Configuring the DHCP client
Enabling the DHCP client on an interface
Configuring a DHCP client ID for an interface
Enabling duplicated address detection
Setting the DSCP value for DHCP packets sent by the DHCP client
Displaying and maintaining the DHCP client
DHCP client configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring DHCP snooping
Overview
Application of trusted and untrusted ports
DHCP snooping support for Option 82
DHCP snooping configuration task list
Configuring basic DHCP snooping
Configuring Option 82
Configuring DHCP snooping entry auto backup
Enabling DHCP starvation attack protection
Enabling DHCP-REQUEST attack protection
Setting the maximum number of DHCP snooping entries
Configuring DHCP packet rate limit
Displaying and maintaining DHCP snooping
DHCP snooping configuration examples
Basic DHCP snooping configuration example
Option 82 configuration example
Configuring DNS
Overview
Static domain name resolution
Dynamic domain name resolution
DNS configuration task list
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring dynamic domain name resolution
Configuring the IPv6 DNS client
Configuring static domain name resolution
Configuring dynamic domain name resolution
Specifying the source interface for DNS packets
Configuring the DNS trusted interface
Setting the DSCP value for outgoing DNS packets
Displaying and maintaining DNS
IPv4 DNS configuration examples
Static domain name resolution configuration example
Dynamic domain name resolution configuration example
IPv6 DNS configuration examples
Static domain name resolution configuration example
Dynamic domain name resolution configuration example
Troubleshooting IPv4 DNS configuration
Symptom
Solution
Troubleshooting IPv6 DNS configuration
Symptom
Solution
Configuring IP forwarding basic settings
FIB table
Saving the IP forwarding entries to a file
Displaying FIB table entries
Configuring load sharing
Configuring per-flow load sharing
Enabling local-first load sharing
Displaying the load sharing path selected for a flow
Load sharing configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring IRDP
Overview
IRDP operation
Basic concepts
Protocols and standards
Configuration procedure
IRDP configuration example
Network requirements
Configuration procedure
Verifying the configuration
Optimizing IP performance
Enabling an interface to forward directed broadcasts destined for the directly connected network
Configuration procedure
Configuration example
Setting the interface MTU for IPv4 packets
Setting TCP MSS for an interface
Enabling SYN Cookie
Setting the TCP buffer size
Setting TCP timers
Enabling sending ICMP error messages
Disabling forwarding ICMP fragments
Configuring rate limit for ICMP error messages
Specifying the source address for ICMP packets
Displaying and maintaining IP performance optimization
Configuring UDP helper
Overview
Configuration restrictions and guidelines
Configuring UDP helper to convert broadcast to unicast
Configuring UDP helper to convert broadcast to multicast
Displaying and maintaining UDP helper
UDP helper configuration examples
Configuring UDP helper to convert broadcast to unicast
Configuring UDP helper to convert broadcast to multicast
Configuring basic IPv6 settings
Overview
IPv6 features
IPv6 addresses
IPv6 ND protocol
IPv6 path MTU discovery
IPv6 transition technologies
Dual stack
Tunneling
6PE
Protocols and standards
IPv6 basics configuration task list
Assigning IPv6 addresses to interfaces
Configuring an IPv6 global unicast address
Configuring an IPv6 link-local address
Configuring an IPv6 anycast address
Configuring IPv6 ND
Configuring a static neighbor entry
Setting the maximum number of dynamic neighbor entries
Setting the aging timer for ND entries in stale state
Minimizing link-local ND entries
Setting the hop limit
Configuring parameters for RA messages
Setting the maximum number of attempts to send an NS message for DAD
Enabling ND proxy
Configuring a customer-side port
Configuring path MTU discovery
Setting the interface MTU for IPv6 packets
Setting a static path MTU for an IPv6 address
Setting the aging time for dynamic path MTUs
Controlling sending ICMPv6 messages
Configuring the rate limit for ICMPv6 error messages
Enabling replying to multicast echo requests
Enabling sending ICMPv6 destination unreachable messages
Enabling sending ICMPv6 time exceeded messages
Enabling sending ICMPv6 redirect messages
Specifying the source address for ICMPv6 packets
Enabling IPv6 local fragment reassembly
Enabling a device to discard IPv6 packets that contain extension headers
Displaying and maintaining IPv6 basics
Basic IPv6 configuration example
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting IPv6 basics configuration
Symptom
Solution
DHCPv6 overview
DHCPv6 address/prefix assignment
Rapid assignment involving two messages
Assignment involving four messages
Address/prefix lease renewal
Stateless DHCPv6
Protocols and standards
Configuring the DHCPv6 server
Overview
IPv6 address assignment
IPv6 prefix assignment
Concepts
DHCPv6 address pool
IPv6 address/prefix allocation sequence
Configuration task list
Configuring IPv6 prefix assignment
Configuration guidelines
Configuration procedure
Configuring IPv6 address assignment
Configuration guidelines
Configuration procedure
Configuring network parameters assignment
Configuring the DHCPv6 server on an interface
Configuration guidelines
Configuration procedure
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server
Enabling the DHCPv6 server to advertise IPv6 prefixes
Displaying and maintaining the DHCPv6 server
DHCPv6 server configuration examples
Dynamic IPv6 prefix assignment configuration example
Dynamic IPv6 address assignment configuration example
Configuring the DHCPv6 relay agent
Overview
DHCPv6 relay agent configuration task list
Enabling the DHCPv6 relay agent on an interface
Specifying DHCPv6 servers on the relay agent
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent
Specifying a padding mode for the Interface-ID option
Configuring a DHCPv6 address pool on the DHCPv6 relay agent
Enabling the DHCPv6 relay agent to advertise IPv6 prefixes
Displaying and maintaining the DHCPv6 relay agent
DHCPv6 relay agent configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring the DHCPv6 client
Overview
DHCPv6 client configuration task list
Configuring IPv6 address acquisition
Configuring IPv6 prefix acquisition
Configuring stateless DHCPv6
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client
Displaying and maintaining DHCPv6 client
DHCPv6 client configuration examples
IPv6 address acquisition configuration example
IPv6 prefix acquisition configuration example
Stateless DHCPv6 configuration example
Configuring tunneling
Overview
Configuring a tunnel interface
Displaying and maintaining tunneling configuration
Troubleshooting tunneling configuration
Symptom
Analysis
Solution
IPv6 over IPv4 tunneling
Overview
Configuring an IPv6 over IPv4 tunnel
Configuration example
IPv4 over IPv4 tunneling
Overview
Configuring an IPv4 over IPv4 tunnel
Configuration example
Configuring GRE
Overview
GRE encapsulation format
GRE tunnel operating principle
GRE application scenarios
Protocols and standards
Configuring a GRE/IPv4 tunnel
Configuration guidelines
Configuration procedure
Displaying and maintaining GRE
GRE configuration examples
Configuring an IPv4 over IPv4 GRE tunnel
Troubleshooting GRE
Symptom
Analysis
Solution
Index

 


Configuring ARP

Overview

ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format

ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

 

·          Hardware type—Hardware address type. The value 1 represents Ethernet.

·          Protocol type—Type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.

·          Hardware address length and protocol address length—Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.

·          OP—Operation code, which describes the type of ARP message. The value 1 represents an ARP request, and the value 2 represents an ARP reply.

·          Sender hardware address—Hardware address of the device sending the message.

·          Sender protocol address—Protocol address of the device sending the message.

·          Target hardware address—Hardware address of the device to which the message is being sent.

·          Target protocol address—Protocol address of the device to which the message is being sent.

ARP operating mechanism

As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as follows:

1.        Host A looks through the ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame. Then Host A sends the frame to Host B.

2.        If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the following information:

○  Sender IP address and sender MAC address—Host A's IP address and MAC address.

○  Target IP address—Host B's IP address.

○  Target MAC address—An all-zero MAC address.

All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.

3.        Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows:

a.    Adds the sender IP address and sender MAC address into its ARP table.

b.    Encapsulates its MAC address into an ARP reply.

c.    Unicasts the ARP reply to Host A.

4.        After receiving the ARP reply, Host A operates as follows:

a.    Adds the MAC address of Host B into its ARP table.

b.    Encapsulates the MAC address into the packet and sends the packet to Host B.

Figure 2 ARP address resolution process

 

If Host A and Host B are on different subnets, Host A sends a packet to Host B as follows:

1.        Host A broadcasts an ARP request where the target IP address is the IP address of the gateway.

2.        The gateway responds with its MAC address in an ARP reply to Host A.

3.        Host A uses the gateway's MAC address to encapsulate the packet, and then sends the packet to the gateway.

4.        If the gateway has an ARP entry for Host B, it forwards the packet to Host B directly. If not, the gateway broadcasts an ARP request, in which the target IP address is the IP address of Host B.

5.        After the gateway gets the MAC address of Host B, it sends the packet to Host B.
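The same-subnet exchange described above, with both sides' messages built and parsed in the field layout from "ARP message format". This is an added Python example, not H3C code; the host addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Ethernet/IPv4 ARP body in the field order listed above (28 bytes):
# hardware type, protocol type, hardware length, protocol length, OP,
# sender MAC, sender IP, target MAC, target IP.
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LENGTH = struct.calcsize(ARP_FORMAT)
HTYPE_ETHERNET, PTYPE_IP = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "0000-0000-0000"


def mac_to_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_to_text(raw):
    digits = raw.hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(
        ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IP, 6, 4, op,
        mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_to_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    """Decode and validate an ARP body; trailing Ethernet padding is ignored."""
    if len(payload) < ARP_LENGTH:
        raise ValueError("truncated ARP message")
    (htype, ptype, hlen, plen, op,
     sha, spa, tha, tpa) = struct.unpack(ARP_FORMAT, payload[:ARP_LENGTH])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IP:
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if (hlen, plen) != (6, 4):
        raise ValueError("unexpected address lengths")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError("unknown operation code")
    return {
        "op": op,
        "sender_mac": mac_to_text(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_to_text(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def answer_request(payload, own_ip, own_mac):
    """Step 3: only the host that owns the target IP builds a reply."""
    msg = parse_arp(payload)
    if msg["op"] != OP_REQUEST or msg["target_ip"] != own_ip:
        return None
    return build_arp(OP_REPLY, own_mac, own_ip,
                     msg["sender_mac"], msg["sender_ip"])


def exchange():
    """Constructed hosts A, B and C on one subnet (sample addresses)."""
    host_a = ("192.168.1.10", "00e0-fc01-000a")
    host_b = ("192.168.1.20", "00e0-fc01-000b")
    host_c = ("192.168.1.30", "00e0-fc01-000c")
    # Step 2: Host A broadcasts a request with an all-zero target MAC.
    request = build_arp(OP_REQUEST, host_a[1], host_a[0], ZERO_MAC, host_b[0])
    reply_from_b = answer_request(request, *host_b)
    reply_from_c = answer_request(request, *host_c)  # not the target: None
    return request, reply_from_b, reply_from_c


if __name__ == "__main__":
    req, rep, _ = exchange()
    print(parse_arp(req))
    print(parse_arp(rep))
```

Nothing in the message authenticates the sender fields: a receiver that learns from them accepts whatever mapping the sender states, which is the problem static ARP entries address later in this chapter.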

ARP table

An ARP table stores dynamic, static, OpenFlow, and Rule ARP entries.

Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

The device supports the following types of static ARP entries:

·          Long static ARP entry—It contains the IP address, MAC address, and one of the following combinations:

○  VLAN and output interface.

○  Input and output interfaces.

A long static ARP entry is directly used for forwarding packets.

·          Short static ARP entry—It contains only the IP address and MAC address.

○  If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward packets.

○  If the output interface is a VLAN interface, the device sends an ARP request whose target IP address is the IP address in the short entry. If the sender IP and MAC addresses in the received ARP reply match the short static ARP entry, the device performs the following operations:

-      Adds the interface that received the ARP reply to the short static ARP entry.

-      Uses the resolved short static ARP entry to forward IP packets.

·          Multiport ARP entry—It contains the IP address, MAC address, and VLAN.

The device can use a multiport ARP entry that has the same MAC address and VLAN as a multicast or multiport unicast MAC address entry for packet forwarding. A multiport ARP entry is manually configured. It does not age out and cannot be overwritten by any dynamic ARP entry. For more information about multicast MAC, see IP Multicast Configuration Guide.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device. To communicate with a host by using a fixed IP-to-MAC mapping through an interface in a VLAN, configure a long static ARP entry on the device.

OpenFlow ARP entry

ARP creates OpenFlow ARP entries by learning from the OpenFlow module. An OpenFlow ARP entry does not age out, and it cannot be updated. An OpenFlow ARP entry can be used directly to forward packets. For more information about OpenFlow, see OpenFlow Configuration Guide.

Rule ARP entry

ARP creates Rule ARP entries by learning from the VXLAN and OVSDB modules. A Rule ARP entry does not age out, and it cannot be updated. It can be overwritten by a static ARP entry. A Rule ARP entry can be used directly to forward packets.

For more information about VXLAN and OVSDB, see VXLAN Configuration Guide.

Configuring a static ARP entry

Static ARP entries are effective when the device functions correctly.

A resolved short static ARP entry becomes unresolved upon certain events, for example, when the resolved output interface goes down, or the corresponding VLAN or VLAN interface is deleted.

Long static ARP entries can be effective or ineffective. Ineffective long static ARP entries cannot be used for packet forwarding. A long static ARP entry is ineffective when any of the following conditions exists:

·          The corresponding VLAN interface or output interface is down.

·          The IP address in the entry conflicts with a local IP address.

·          No local interface has an IP address in the same subnet as the IP address in the ARP entry.

A long static ARP entry in a VLAN is deleted if the VLAN or VLAN interface is deleted.

To configure a static ARP entry:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure a static ARP entry.
   Command:
   ·         Configure a long static ARP entry:
   arp static ip-address mac-address [ vlan-id interface-type interface-number | interface-type interface-number interface-type interface-number vsi vsi-name ] [ vpn-instance vpn-instance-name ]
   ·         Configure a short static ARP entry:
   arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
   Remarks: By default, no static ARP entries exist.

 

Configuring a multiport ARP entry

A multiport ARP entry contains an IP address, MAC address, and VLAN ID. For a multiport ARP entry to be effective for packet forwarding, make sure the following conditions are met:

·          A multicast or multiport unicast MAC address entry is configured to specify multiple output interfaces. The MAC address entry must have the same MAC address and VLAN ID as the multiport ARP entry.

·          The IP address in the multiport ARP entry must reside on the same subnet as the VLAN interface of the specified VLAN.

A multiport ARP entry can overwrite a dynamic, short static or long static ARP entry. Conversely, a short static or long static ARP entry can overwrite a multiport ARP entry.

To configure a multiport ARP entry:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure a multicast or multiport unicast MAC address entry.
   Command:
   ·         Configure a multiport unicast MAC address entry:
   mac-address multiport mac-address interface interface-list vlan vlan-id
   ·         Configure a multicast MAC address entry:
   mac-address multicast mac-address interface interface-list vlan vlan-id
   Remarks: By default, no multicast or multiport unicast MAC address entries exist. For more information about the mac-address multiport command, see Layer 2—LAN Switching Command Reference. For more information about the mac-address multicast command, see IP Multicast Command Reference.

3. Configure a multiport ARP entry.
   Command: arp multiport ip-address mac-address vlan-id [ vpn-instance vpn-instance-name ]
   Remarks: By default, no multiport ARP entries exist.

 

Setting the maximum number of dynamic ARP entries for a device

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.

If you set a value lower than the number of existing dynamic ARP entries, the device does not remove the existing entries unless they are aged out.

To set the maximum number of dynamic ARP entries for a device:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the maximum number of dynamic ARP entries for the device.
   Command:
   In standalone mode:
   arp max-learning-number max-number slot slot-number
   In IRF mode:
   arp max-learning-number max-number chassis chassis-number slot slot-number
   Remarks: By default, a device can learn a maximum of 1048576 dynamic ARP entries. To disable the device from learning dynamic ARP entries, set the number to 0.

 

Setting the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

You can set limits for both a Layer 2 interface and the VLAN interface for a permitted VLAN on the Layer 2 interface. The Layer 2 interface learns an ARP entry only when neither limit is reached.

The total number of dynamic ARP entries that all interfaces learn will not be larger than the maximum number of dynamic ARP entries set for the device.

To set the maximum number of dynamic ARP entries for an interface:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Set the maximum number of dynamic ARP entries for the interface.
   Command: arp max-learning-num max-number
   Remarks: By default, an interface can learn a maximum of 1048576 dynamic ARP entries. To disable the interface from learning dynamic ARP entries, set the number to 0.

 

Setting the aging timer for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. A dynamic ARP entry that is not updated before its aging timer expires is deleted from the ARP table.

To set the aging timer for dynamic ARP entries:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the aging timer for dynamic ARP entries.
   Command: arp timer aging aging-time
   Remarks: The default setting is 20 minutes.

 

Enabling dynamic ARP entry check

The dynamic ARP entry check feature disables the device from supporting dynamic ARP entries that contain multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses. You cannot manually add static ARP entries containing multicast MAC addresses.

When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address. You can also manually add static ARP entries containing multicast MAC addresses.

To enable dynamic ARP entry check:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable dynamic ARP entry check.
   Command: arp check enable
   Remarks: By default, dynamic ARP entry check is enabled.
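The table rules from the preceding sections (static entries that dynamic learning cannot overwrite, the learning limit, the aging timer, and the multicast MAC check) put together in one small model. This is an added Python sketch, not the device's implementation; the class, method, and result names are hypothetical, and it assumes that refreshing an entry that already exists does not count against the learning limit.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_MAX_DYNAMIC = 1048576      # default learning limit stated on this page
DEFAULT_AGING_SECONDS = 20 * 60    # default aging timer stated on this page


def is_multicast_mac(mac):
    """True if the group bit (lowest bit of the first octet) is set."""
    first_octet = int(mac.replace("-", "").replace(":", "")[:2], 16)
    return bool(first_octet & 0x01)


@dataclass
class Entry:
    mac: str
    kind: str                       # "static" or "dynamic"
    expires_at: Optional[float]     # None for static entries (never age out)


class ArpTable:
    def __init__(self, max_dynamic=DEFAULT_MAX_DYNAMIC,
                 aging_seconds=DEFAULT_AGING_SECONDS, check_enabled=True):
        self.max_dynamic = max_dynamic
        self.aging_seconds = aging_seconds
        self.check_enabled = check_enabled
        self.entries = {}

    def dynamic_count(self):
        return sum(1 for e in self.entries.values() if e.kind == "dynamic")

    def add_static(self, ip, mac):
        # With the check enabled, multicast MACs cannot be added manually.
        if self.check_enabled and is_multicast_mac(mac):
            raise ValueError("multicast MAC rejected while check is enabled")
        self.entries[ip] = Entry(mac, "static", None)  # overwrites a dynamic one

    def learn(self, ip, mac, now):
        """Process a mapping taken from a received ARP message."""
        if self.check_enabled and is_multicast_mac(mac):
            return "rejected-multicast-mac"
        current = self.entries.get(ip)
        if current is not None and current.kind == "static":
            return "ignored-static-entry"      # static cannot be overwritten
        if current is None and self.dynamic_count() >= self.max_dynamic:
            return "limit-reached"             # a limit of 0 disables learning
        # Assumption: an update to an existing entry resets its aging timer
        # even when the table is at or above the limit.
        self.entries[ip] = Entry(mac, "dynamic", now + self.aging_seconds)
        return "learned" if current is None else "refreshed"

    def age_out(self, now):
        expired = [ip for ip, e in self.entries.items()
                   if e.kind == "dynamic" and e.expires_at <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return entry.mac if entry else None


def demo():
    """Constructed scenario; all addresses are sample values."""
    table = ArpTable(max_dynamic=2)
    results = [table.learn("192.168.1.1", "00e0-fc01-0000", now=0)]
    table.add_static("192.168.1.1", "00e0-fc01-0000")
    # A later message claiming a different MAC for the protected address.
    results.append(table.learn("192.168.1.1", "00e0-fc01-dead", now=10))
    results.append(table.learn("192.168.1.9", "0100-5e00-0001", now=10))
    results.append(table.learn("192.168.1.2", "00e0-fc01-0002", now=10))
    results.append(table.learn("192.168.1.3", "00e0-fc01-0003", now=10))
    results.append(table.learn("192.168.1.4", "00e0-fc01-0004", now=10))
    table.max_dynamic = 1                      # lowering the limit evicts nothing
    results.append(table.dynamic_count())
    results.append(table.learn("192.168.1.2", "00e0-fc01-0002", now=600))
    results.append(table.age_out(now=1210))    # only the unrefreshed entry ages
    return table, results


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```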

 

Synchronizing ARP entries

This task ensures that all cards on the device have the same ARP entries.

To synchronize ARP entries across all cards in a timely manner, you can schedule the device to automatically execute the arp smooth command. For information about scheduling a task, see Fundamentals Configuration Guide.

To synchronize ARP entries from the active MPU to all other cards:

 

Task: Synchronize ARP entries from the active MPU to all other cards.
Command: arp smooth

 

Configuring a customer-side port

By default, the device associates an ARP entry with routing information when the device learns an ARP entry. The ARP entry provides the next hop information for routing. To save hardware resources, you can use this command to specify a port that connects a user terminal as a customer-side port. The device will not associate the routing information with the learned ARP entries.

To configure a customer-side port:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Configure the VLAN interface as a customer-side port.
   Command: arp mode uni
   Remarks: By default, a port operates as a network-side port.

 

Enabling ARP logging

This feature enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:

·          On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:

○  The IP address of the receiving interface.

○  The virtual IP address of the VRRP group.

·          The sender IP address of a received ARP reply conflicts with one of the following IP addresses:

○  The IP address of the receiving interface.

○  The virtual IP address of the VRRP group.

The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about information center, see Network Management and Monitoring Configuration Guide.

To enable the ARP logging feature:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the ARP logging feature.
   Command: arp check log enable
   Remarks: By default, ARP logging is disabled.

 

Displaying and maintaining ARP

IMPORTANT: Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to be cleared do not affect current communications.

 

Execute display commands in any view and reset commands in user view.

 

Task: (In standalone mode.) Display ARP entries.
Command: display arp [ [ all | dynamic | multiport | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Task: (In IRF mode.) Display ARP entries.
Command: display arp [ [ all | dynamic | multiport | static ] [ chassis chassis-number slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Task: (In standalone mode.) Display the ARP entry for an IP address.
Command: display arp ip-address [ slot slot-number ] [ verbose ]

Task: (In IRF mode.) Display the ARP entry for an IP address.
Command: display arp ip-address [ chassis chassis-number slot slot-number ] [ verbose ]

Task: Display the maximum number of ARP entries that a device supports.
Command: display arp entry-limit

Task: Display the ARP entries for a VPN instance.
Command: display arp vpn-instance vpn-instance-name [ count ]

Task: Display the aging timer of dynamic ARP entries.
Command: display arp timer aging

Task: (In standalone mode.) Clear ARP entries from the ARP table.
Command: reset arp { all | dynamic | interface interface-type interface-number | multiport | slot slot-number | static }

Task: (In IRF mode.) Clear ARP entries from the ARP table.
Command: reset arp { all | chassis chassis-number slot slot-number | dynamic | interface interface-type interface-number | multiport | static }

 

Configuration examples

Long static ARP entry configuration example

Network requirements

As shown in Figure 3, hosts are connected to Device B. Device B is connected to Device A through interface HundredGigE 1/0/1 in VLAN 10.

To ensure secure communications between Device A and Device B, configure a long static ARP entry for Device A on Device B.

Figure 3 Network diagram

Configuration procedure

# Create VLAN 10.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] quit

# Add interface HundredGigE 1/0/1 to VLAN 10.
[DeviceB] interface hundredgige 1/0/1
[DeviceB-HundredGigE1/0/1] port access vlan 10
[DeviceB-HundredGigE1/0/1] quit

# Create VLAN-interface 10 and configure its IP address.
[DeviceB] interface vlan-interface 10
[DeviceB-vlan-interface10] ip address 192.168.1.2 8
[DeviceB-vlan-interface10] quit

# Configure a long static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface HundredGigE 1/0/1 in VLAN 10.
[DeviceB] arp static 192.168.1.1 00e0-fc01-0000 10 hundredgige 1/0/1

Verifying the configuration

# Verify that Device B has a long static ARP entry for Device A.
[DeviceB] display arp static
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP address       MAC address     VID     Interface/Link ID      Aging Type
192.168.1.1      00e0-fc01-0000  10      HGE1/0/1               N/A   S

Short static ARP entry configuration example

Network requirements

As shown in Figure 4, hosts are connected to Device B. Device B is connected to Device A through interface HundredGigE 1/0/2.

To ensure secure communications between Device A and Device B, configure a short static ARP entry for Device A on Device B.

Figure 4 Network diagram

Configuration procedure

# Configure an IP address for HundredGigE 1/0/2.

<DeviceB> system-view

[DeviceB] interface hundredgige 1/0/2

[DeviceB-HundredGigE1/0/2] ip address 192.168.1.2 24

[DeviceB-HundredGigE1/0/2] quit

# Configure a short static ARP entry that has IP address 192.168.1.1 and MAC address 00e0-fc01-001f.

[DeviceB] arp static 192.168.1.1 00e0-fc01-001f

Verifying the configuration

# Verify that Device B has a short static ARP entry for Device A.

[DeviceB] display arp static

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid

IP address       MAC address     VID     Interface/Link ID      Aging Type

192.168.1.1      00e0-fc01-001f  N/A     N/A                    N/A   S

Multiport ARP entry configuration example

Network requirements

As shown in Figure 5, a device connects to three servers through interfaces HundredGigE 1/0/1, HundredGigE 1/0/2, and HundredGigE 1/0/3 in VLAN 10. The servers share the IP address 192.168.1.1/24 and MAC address 00e0-fc01-0000.

Configure a multiport ARP entry so that the device sends IP packets with the destination IP address 192.168.1.1 to the three servers.

Figure 5 Network diagram

Configuration procedure

# Create VLAN 10.

<Device> system-view

[Device] vlan 10

[Device-vlan10] quit

# Add HundredGigE 1/0/1, HundredGigE 1/0/2, and HundredGigE 1/0/3 to VLAN 10.

[Device] interface hundredgige 1/0/1

[Device-HundredGigE1/0/1] port access vlan 10

[Device-HundredGigE1/0/1] quit

[Device] interface hundredgige 1/0/2

[Device-HundredGigE1/0/2] port access vlan 10

[Device-HundredGigE1/0/2] quit

[Device] interface hundredgige 1/0/3

[Device-HundredGigE1/0/3] port access vlan 10

[Device-HundredGigE1/0/3] quit

# Create VLAN-interface 10 and specify its IP address.

[Device] interface vlan-interface 10

[Device-vlan-interface10] ip address 192.168.1.2 24

[Device-vlan-interface10] quit

# Configure a multiport unicast MAC address entry that has MAC address 00e0-fc01-0000, and output interfaces HundredGigE 1/0/1, HundredGigE 1/0/2, and HundredGigE 1/0/3 in VLAN 10.

[Device] mac-address multiport 00e0-fc01-0000 interface hundredgige 1/0/1 to hundredgige 1/0/3 vlan 10

# Configure a multiport ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000.

[Device] arp multiport 192.168.1.1 00e0-fc01-0000 10

Verifying the configuration

# Verify that the device has a multiport ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000.

[Device] display arp

  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid

IP address       MAC address     VID     Interface/Link ID      Aging Type

192.168.1.1      00e0-fc01-0000  10      N/A                    N/A   M


Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:

·          Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.

·          Inform other devices of a MAC address change.

Gratuitous ARP packet learning

This feature enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.

When this feature is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Periodic sending of gratuitous ARP packets

Enabling periodic sending of gratuitous ARP packets helps downstream devices update ARP entries or MAC entries in a timely manner.

This feature can implement the following functions:

·          Prevent gateway spoofing.

Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network. The traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.

To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets at intervals. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so hosts can learn correct gateway information.

·          Prevent ARP entries from aging out.

If network traffic is heavy or if the host CPU usage is high, received ARP packets can be discarded or are not promptly processed. Eventually, the dynamic ARP entries on the receiving host age out. The traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.

To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so the receiving hosts can update ARP entries in a timely manner.

·          Prevent the virtual IP address of a VRRP group from being used by a host.

The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network. The hosts can then update local ARP entries and avoid using the virtual IP address of the VRRP group. The sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. For more information about VRRP, see High Availability Configuration Guide.
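The gateway-spoofing case above can also be checked from a monitoring host. The following is an added example, not part of the H3C guide: it decodes ARP payloads, applies the sender IP = target IP rule from the overview to recognize gratuitous ARP, and flags packets that claim a protected IP address with an unexpected MAC. The trusted binding reuses the 192.168.1.1 / 00e0-fc01-0000 pair from the static ARP example; the other addresses and all sample packets are constructed.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, oper, then
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)


def h3c_mac(raw):
    """Format 6 raw bytes in the xxxx-xxxx-xxxx style used by display arp."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_arp(payload):
    """Decode an ARP payload (the bytes that follow the Ethernet header)."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,  # 1 = request, 2 = reply
        "sender_mac": h3c_mac(sha),
        "sender_ip": socket.inet_ntoa(spa),
        "target_mac": h3c_mac(tha),
        "target_ip": socket.inet_ntoa(tpa),
    }


def is_gratuitous(arp):
    """Gratuitous ARP: sender IP and target IP are the sender's own address."""
    return arp["sender_ip"] == arp["target_ip"]


def classify(arp, trusted):
    """Compare the sender binding with the trusted IP-to-MAC table."""
    expected = trusted.get(arp["sender_ip"])
    mismatch = expected is not None and arp["sender_mac"] != expected
    if is_gratuitous(arp):
        return "gratuitous-mismatch" if mismatch else "gratuitous"
    return "mismatch" if mismatch else "normal"


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a sample ARP payload for the offline demonstration below."""
    def to_bytes(mac):
        return bytes.fromhex(mac.replace("-", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       to_bytes(target_mac), socket.inet_aton(target_ip))


# Trusted binding for the gateway (values from the static ARP example).
TRUSTED = {"192.168.1.1": "00e0-fc01-0000"}

# Constructed sample payloads, not captured traffic.
SAMPLES = [
    # Periodic gratuitous ARP sent by the real gateway.
    build_arp(1, "00e0-fc01-0000", "192.168.1.1",
              "0000-0000-0000", "192.168.1.1"),
    # Ordinary request from a host that resolves the gateway address.
    build_arp(1, "0200-0000-0010", "192.168.1.10",
              "0000-0000-0000", "192.168.1.1"),
    # Gratuitous ARP that claims the gateway IP with a different MAC.
    build_arp(1, "0200-0000-00aa", "192.168.1.1",
              "0000-0000-0000", "192.168.1.1"),
]


def run_samples():
    return [classify(parse_arp(p), TRUSTED) for p in SAMPLES]


if __name__ == "__main__":
    for payload, verdict in zip(SAMPLES, run_samples()):
        arp = parse_arp(payload)
        print(arp["sender_ip"], arp["sender_mac"], verdict)
```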

Configuration procedure

When you configure gratuitous ARP, follow these restrictions and guidelines:

·          You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.

·          Periodic sending of gratuitous ARP packets takes effect on an interface only when the following conditions are met:

○  The data link layer state of the interface is up.

○  The interface has an IP address.

·          If you change the sending interval for gratuitous ARP packets, the configuration takes effect at the next sending interval.

·          The sending interval for gratuitous ARP packets might be much longer than the specified sending interval in any of the following circumstances:

○  This feature is enabled on multiple interfaces.

○  Each interface is configured with multiple secondary IP addresses.

○  A small sending interval is configured when the previous two conditions exist.

To configure gratuitous ARP:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable learning of gratuitous ARP packets. | gratuitous-arp-learning enable | By default, learning of gratuitous ARP packets is enabled. |
| 3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet. | gratuitous-arp-sending enable | By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet. |
| 4. Enter interface view. | interface interface-type interface-number | N/A |
| 5. Enable periodic sending of gratuitous ARP packets. | arp send-gratuitous-arp [ interval interval ] | By default, periodic sending of gratuitous ARP packets is disabled. |

 

Enabling IP conflict notification

By default, if the sender IP address of an ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request. It also displays an error message after it receives an ARP reply about the conflict.

You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conflict confirmation.

To enable IP conflict notification:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable IP conflict notification. | arp ip-conflict log prompt | By default, IP conflict notification is disabled. |

 


Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain.

Proxy ARP includes common proxy ARP and local proxy ARP.

·          Common proxy ARP—Allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

·          Local proxy ARP—Allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Enabling common proxy ARP

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | The following interface types are supported: VLAN interface; Layer 3 Ethernet interface; Layer 3 Ethernet subinterface; Layer 3 aggregate interface; Layer 3 aggregate subinterface. |
| 3. Enable common proxy ARP. | proxy-arp enable | By default, common proxy ARP is disabled. |

 

Enabling local proxy ARP

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | The following interface types are supported: VLAN interface; Layer 3 Ethernet interface; Layer 3 Ethernet subinterface; Layer 3 aggregate interface; Layer 3 aggregate subinterface. |
| 3. Enable local proxy ARP. | local-proxy-arp enable [ ip-range start-ip-address to end-ip-address ] | By default, local proxy ARP is disabled. |

 

Displaying proxy ARP

Execute display commands in any view.

 

| Task | Command |
|---|---|
| Display common proxy ARP status. | display proxy-arp [ interface interface-type interface-number ] |
| Display local proxy ARP status. | display local-proxy-arp [ interface interface-type interface-number ] |

 

Common proxy ARP configuration example

Network requirements

As shown in Figure 6, Host A and Host D have the same IP prefix and mask, but they are located on different subnets separated by the switch. Host A belongs to VLAN 1, and Host D belongs to VLAN 2. No default gateway is configured on Host A and Host D.

Configure common proxy ARP on the switch to enable communication between the two hosts.

Figure 6 Network diagram

 

Configuration procedure

# Create VLAN 2.

<Switch> system-view

[Switch] vlan 2

[Switch-vlan2] quit

# Configure the IP address of VLAN-interface 1.

[Switch] interface vlan-interface 1

[Switch-Vlan-interface1] ip address 192.168.10.99 255.255.255.0

# Enable common proxy ARP on VLAN-interface 1.

[Switch-Vlan-interface1] proxy-arp enable

[Switch-Vlan-interface1] quit

# Configure the IP address of VLAN-interface 2.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0

# Enable common proxy ARP on VLAN-interface 2.

[Switch-Vlan-interface2] proxy-arp enable

Verifying the configuration

# Verify that Host A and Host D can ping each other.


Configuring ARP snooping

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. ARP fast-reply can use the ARP snooping entries.

If you enable ARP snooping for a VLAN, ARP packets received in the VLAN are redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, and receiving VLAN and port to create ARP snooping entries.

The aging timer and valid period of an ARP snooping entry are 25 minutes and 15 minutes, respectively. If an ARP snooping entry is not updated in 12 minutes, the device sends an ARP request. The ARP request uses the IP address of the entry as the target IP address. If an ARP snooping entry is not updated in 15 minutes, it becomes invalid and cannot be used. After that, if an ARP packet matching the entry is received, the entry becomes valid, and its aging timer restarts. If the aging timer of an ARP snooping entry expires, the entry is removed.

An attack occurs if an ARP packet has the same sender IP address as a valid ARP snooping entry but a different sender MAC address. The ARP snooping entry becomes invalid, and it is removed in 1 minute.

Configuration procedure

To enable ARP snooping for a VLAN:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VLAN view. | vlan vlan-id | N/A |
| 3. Enable ARP snooping. | arp snooping enable | By default, ARP snooping is disabled. |

 

Displaying and maintaining ARP snooping

Execute display commands in any view and reset commands in user view.

 

| Task | Command |
|---|---|
| (In standalone mode.) Display ARP snooping entries. | display arp snooping [ vlan vlan-id ] [ slot slot-number ] [ count ] |
| | display arp snooping ip ip-address [ slot slot-number ] |
| (In IRF mode.) Display ARP snooping entries. | display arp snooping [ vlan vlan-id ] [ chassis chassis-number slot slot-number ] [ count ] |
| | display arp snooping ip ip-address [ chassis chassis-number slot slot-number ] |
| Remove ARP snooping entries. | reset arp snooping [ ip ip-address \| vlan vlan-id ] |

 


Configuring ARP fast-reply

Overview

ARP fast-reply enables a device to directly answer ARP requests according to DHCP snooping entries or ARP snooping entries. ARP fast-reply functions in a VLAN. For information about DHCP snooping, see "Configuring DHCP snooping."

If the target IP address of a received ARP request is the IP address of the VLAN interface, the device delivers the request to the ARP module. If not, the device takes the following steps to process the packet:

1.        Search the DHCP snooping table for a match by using the target IP address.

2.        If a match is found, whether the device returns a reply depends on the interface in the matching entry.

○  If the interface is the Ethernet interface that received the ARP request, the device does not return any reply.

○  If the interface is an Ethernet interface other than the receiving interface, the device returns a reply according to the matching entry.

3.        If no matching DHCP snooping entry is found and ARP snooping is enabled, the device searches the ARP snooping table.

○  If the interface in the matching entry is the Ethernet interface that received the ARP request, the device does not return any reply.

○  If the interface is an Ethernet interface other than the receiving interface, the device returns a reply according to the ARP snooping entry.

4.        If no match is found in both tables, the ARP request is forwarded to other interfaces except the receiving interface in the VLAN, or delivered to other modules.
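The ARP snooping entry lifecycle described under "Configuring ARP snooping" (probe after 12 minutes, invalid after 15, removal after 25, removal 1 minute after a sender MAC conflict) and the fast-reply lookup order above, modeled together as an added example that is not H3C code. Assumptions: time is in seconds, the DHCP snooping table is a plain dict, an entry invalidated by a conflict is not revived, and a packet with a different MAC is ignored while an entry is invalid; all addresses and port names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PROBE_AFTER = 12 * 60       # ARP request sent for an entry idle this long
VALID_PERIOD = 15 * 60      # idle entries become invalid (unusable)
AGING_TIMER = 25 * 60       # idle entries are removed
CONFLICT_REMOVAL = 60       # removal delay after a sender MAC conflict


@dataclass
class Entry:
    mac: str
    vlan: int
    port: str
    updated: int
    probed: bool = False
    conflict_at: Optional[int] = None


class ArpSnoopingTable:
    def __init__(self):
        self.entries = {}

    def state(self, ip, now):
        """Return 'valid', 'invalid' or 'absent' for the entry at time now."""
        e = self.entries.get(ip)
        if e is None:
            return "absent"
        if e.conflict_at is not None:
            expired = now >= e.conflict_at + CONFLICT_REMOVAL
            return "absent" if expired else "invalid"
        idle = now - e.updated
        if idle >= AGING_TIMER:
            return "absent"
        return "invalid" if idle >= VALID_PERIOD else "valid"

    def observe(self, ip, mac, vlan, port, now):
        """Process the sender fields of an ARP packet seen in the VLAN."""
        st = self.state(ip, now)
        if st == "absent":
            self.entries[ip] = Entry(mac, vlan, port, now)
            return "created"
        e = self.entries[ip]
        if e.mac != mac:
            if st == "valid":            # same sender IP, different sender MAC
                e.conflict_at = now
                return "attack"
            return "ignored"             # assumption: page does not cover this
        if e.conflict_at is not None:
            return "ignored"             # assumption: no revival after conflict
        e.vlan, e.port, e.updated, e.probed = vlan, port, now, False
        return "refreshed"               # valid again, aging timer restarts

    def poll(self, now):
        """Apply timers; return ('probe', ip) and ('removed', ip) events."""
        events = []
        for ip, e in list(self.entries.items()):
            if self.state(ip, now) == "absent":
                del self.entries[ip]
                events.append(("removed", ip))
            elif (e.conflict_at is None and not e.probed
                  and now - e.updated >= PROBE_AFTER):
                e.probed = True
                events.append(("probe", ip))
        return events

    def lookup_valid(self, ip, now):
        return self.entries[ip] if self.state(ip, now) == "valid" else None


def fast_reply(target_ip, rx_port, vlan_if_ip, dhcp_snooping, arp_table, now):
    """Decide how an ARP request is handled; arp_table=None means ARP
    snooping is disabled. dhcp_snooping maps IP to (MAC, port)."""
    if target_ip == vlan_if_ip:
        return ("deliver-to-arp-module", None)
    entry = dhcp_snooping.get(target_ip)          # step 1: DHCP snooping table
    if entry is None and arp_table is not None:   # step 3: ARP snooping table
        e = arp_table.lookup_valid(target_ip, now)
        entry = (e.mac, e.port) if e else None
    if entry is None:                             # step 4: no match in either
        return ("forward-or-deliver", None)
    mac, port = entry
    if port == rx_port:                           # target is behind the same port
        return ("no-reply", None)
    return ("reply", mac)
```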

Configuration procedure

To improve the availability of ARP fast-reply, enable ARP snooping at the same time.

To configure ARP fast-reply:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VLAN view. | vlan vlan-id | N/A |
| 3. Enable ARP fast-reply. | arp fast-reply enable | By default, ARP fast-reply is disabled. |

 

ARP fast-reply configuration example

Network requirements

As shown in Figure 7, all clients are in VLAN 2, and access the network through the switch. They have obtained IP addresses through DHCP.

Enable ARP snooping and ARP fast-reply for VLAN 2. The switch directly returns an ARP reply without broadcasting received ARP requests in the VLAN.

Figure 7 Network diagram

 

Configuration procedure

# Enable ARP snooping for VLAN 2 on the switch.

<Switch> system-view

[Switch] vlan 2

[Switch-vlan2] arp snooping enable

# Enable ARP fast-reply for VLAN 2 on the switch.

[Switch-vlan2] arp fast-reply enable

[Switch-vlan2] quit

 


Configuring IP addressing

The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified.

This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (DHCP) is beyond the scope of this chapter.

Overview

This section describes the IP addressing basics.

IP addressing uses a 32-bit address to identify each host on an IPv4 network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, address 00001010000000010000000100000001 in binary is written as 10.1.1.1.

IP address classes

Each IP address breaks down into the following sections:

·          Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.

·          Host ID—Identifies a host on a network.

IP addresses are divided into five classes, as shown in Figure 8. The shaded areas represent the address class. The first three classes are most commonly used.

Figure 8 IP address classes

 

Table 1 IP address classes and ranges

| Class | Address range | Remarks |
|---|---|---|
| A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link. |
| B | 128.0.0.0 to 191.255.255.255 | N/A |
| C | 192.0.0.0 to 223.255.255.255 | N/A |
| D | 224.0.0.0 to 239.255.255.255 | Multicast addresses. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved for future use, except for the broadcast address 255.255.255.255. |

 

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses:

·          IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.

·          IP address with an all-zero host ID—Identifies a network.

·          IP address with an all-one host ID—Identifies a directed broadcast address. For example, a packet with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network 192.168.1.0.

Subnetting and masking

Subnetting divides a network into smaller networks called subnets by using some bits of the host ID to create a subnet ID.

Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.

Each subnet mask comprises 32 bits that correspond to the bits in an IP address. In a subnet mask, consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.

Before being subnetted, Class A, B, and C networks use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.

Figure 9 Subnetting a Class B network

 

Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets means accommodating fewer hosts.

For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.

·          Without subnetting—65534 (2^16 – 2) hosts. (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)

·          With subnetting—Using the first nine bits of the host ID for subnetting provides 512 (2^9) subnets. However, only seven bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 (512 × 126) hosts.

Assigning an IP address to an interface

An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through DHCP. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous address.

An interface can have one primary address and multiple secondary addresses.

Typically, you need to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

In an IRF fabric, you can assign an IP address to the management Ethernet port of each member in the management Ethernet port view of the master. Only the IP address assigned to the management Ethernet port of the master takes effect. After an IRF fabric split, the IP addresses assigned to the management Ethernet ports of the new masters (original subordinates) take effect. Then you can use these IP addresses to log in to the new masters for troubleshooting.

 

 

NOTE:

After an IRF split, the routing information on the original master might not be updated immediately. As a result, the management Ethernet port of the original master cannot be pinged from the master (original subordinate) in another IRF fabric. To resolve the problem, wait until route synchronization between the devices is completed or enable NSR for the routing protocol. For information about NSR, see Layer 3—IP Routing Configuration Guide.

 

Configuration guidelines

Follow these guidelines when you assign an IP address to an interface:

·          An interface can have only one primary IP address. A newly configured primary IP address overwrites the previous one.

·          You cannot assign secondary IP addresses to an interface that obtains an IP address through DHCP.

·          The primary and secondary IP addresses assigned to the interface can be located on the same network segment. Different interfaces on your device must reside on different network segments.

·          The following commands are mutually exclusive. You can configure only one of these commands on the management Ethernet port of the IRF master.

○  The ip address command with the irf-member member-id option that specifies the master.

○  The ip address command that does not contain the irf-member member-id option.

○  The mad ip address command.

○  The ip address dhcp-alloc command.

·          Exclude the management Ethernet port of the master from being shut down if MAD is enabled in the IRF fabric. The port can be kept in up state when the MAD status transits to Recovery.

Configuration procedure

To assign an IP address to an interface:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Assign an IP address to the interface. | In standalone mode: ip address ip-address { mask \| mask-length } [ sub ] / In IRF mode: ip address ip-address { mask-length \| mask } [ irf-member member-id \| sub ] | By default, no IP address is assigned to the interface. To assign an IP address to the management Ethernet port of an IRF member device, enter the master's management Ethernet port view and specify the irf-member member-id option. |

 

Displaying and maintaining IP addressing

Execute display commands in any view.

 

| Task | Command |
|---|---|
| Display IP configuration and statistics for the specified or all Layer 3 interfaces. | display ip interface [ interface-type interface-number ] |
| Display brief IP configuration for Layer 3 interfaces. | display ip interface [ interface-type [ interface-number ] ] brief [ description ] |

 

IP address configuration example

Network requirements

As shown in Figure 10, a port in VLAN 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.

To enable the hosts on the two network segments to communicate with the external network through the switch, and to enable the hosts on the LAN to communicate with each other:

·          Assign a primary IP address and a secondary IP address to VLAN-interface 1 on the switch.

·          Set the primary IP address of the switch as the gateway address of the PCs on subnet 172.16.1.0/24, and set the secondary IP address of the switch as the gateway address of the PCs on subnet 172.16.2.0/24.

Figure 10 Network diagram

Configuration procedure

# Assign a primary IP address and a secondary IP address to VLAN-interface 1.

<Switch> system-view

[Switch] interface vlan-interface 1

[Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0

[Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub

# Set the gateway address to 172.16.1.1 on the PCs attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to subnet 172.16.2.0/24.

Verifying the configuration

# Verify the connectivity between a host on subnet 172.16.1.0/24 and the switch.

<Switch> ping 172.16.1.2

Ping 172.16.1.2 (172.16.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 172.16.1.2: icmp_seq=0 ttl=128 time=7.000 ms

56 bytes from 172.16.1.2: icmp_seq=1 ttl=128 time=2.000 ms

56 bytes from 172.16.1.2: icmp_seq=2 ttl=128 time=1.000 ms

56 bytes from 172.16.1.2: icmp_seq=3 ttl=128 time=1.000 ms

56 bytes from 172.16.1.2: icmp_seq=4 ttl=128 time=2.000 ms

 

--- Ping statistics for 172.16.1.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms

# Verify the connectivity between a host on subnet 172.16.2.0/24 and the switch.

<Switch> ping 172.16.2.2

Ping 172.16.2.2 (172.16.2.2): 56 data bytes, press CTRL_C to break

56 bytes from 172.16.2.2: icmp_seq=0 ttl=128 time=2.000 ms

56 bytes from 172.16.2.2: icmp_seq=1 ttl=128 time=7.000 ms

56 bytes from 172.16.2.2: icmp_seq=2 ttl=128 time=1.000 ms

56 bytes from 172.16.2.2: icmp_seq=3 ttl=128 time=2.000 ms

56 bytes from 172.16.2.2: icmp_seq=4 ttl=128 time=1.000 ms

 

--- Ping statistics for 172.16.2.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms

# Verify the connectivity between a host on subnet 172.16.1.0/24 and a host on subnet 172.16.2.0/24. The ping operation succeeds.

 


DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.

Figure 11 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."

Figure 11 A typical DHCP application

 

DHCP address allocation

Allocation mechanisms

DHCP supports the following allocation mechanisms:

·          Static allocation—The network administrator assigns an IP address to a client, such as a WWW server, and DHCP conveys the assigned address to the client.

·          Automatic allocation—DHCP assigns a permanent IP address to a client.

·          Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.

IP address allocation process

Figure 12 IP address allocation process

 

As shown in Figure 12, a DHCP server assigns an IP address to a DHCP client in the following process:

1.        The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.

2.        Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For more information, see "DHCP message format."

3.        If the client receives multiple offers, it accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address. (IP addresses offered by other DHCP servers can be assigned to other clients.)

4.        All DHCP servers receive the DHCP-REQUEST message. However, only the server selected by the client does one of the following operations:

○  Returns a DHCP-ACK message to confirm that the IP address has been allocated to the client.

○  Returns a DHCP-NAK message to deny the IP address allocation.

After receiving the DHCP-ACK message, the client verifies the following details before using the assigned IP address:

·          The assigned IP address is not in use. To verify this, the client broadcasts a gratuitous ARP packet. The assigned IP address is not in use if no response is received within the specified time.

·          The assigned IP address is not on the same subnet as any IP address in use on the client.

Otherwise, the client sends a DHCP-DECLINE message to the server to request an IP address again.

IP address lease extension

A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend the lease duration.

When about half of the lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease. Depending on the availability of the IP address, the DHCP server returns one of the following messages:

·          A DHCP-ACK unicast confirming that the client's lease duration has been extended.

·          A DHCP-NAK unicast denying the request.

If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast.

DHCP message format

Figure 13 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 13 DHCP message format

 

·          op—Message type defined in options field. 1 = REQUEST, 2 = REPLY.

·          htype, hlen—Hardware address type and length of the DHCP client.

·          hops—Number of relay agents a request message traveled.

·          xid—Transaction ID, a random number chosen by the client to identify an IP address allocation.

·          secs—Number of seconds elapsed since the client began the address acquisition or renewal process, filled in by the client. This field is reserved and set to 0.

·          flags—The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sends the reply by unicast. If this flag is set to 1, the DHCP server sends the reply by broadcast. The remaining bits of the flags field are reserved for future use.

·          ciaddr—Client IP address if the client has an IP address that is valid and usable. Otherwise, set to zero. (The client does not use this field to request an IP address to lease.)

·          yiaddr—Your IP address. It is an IP address assigned by the DHCP server to the DHCP client.

·          siaddr—Server IP address, from which the client obtained configuration parameters.

·          giaddr—Gateway IP address. It is the IP address of the first relay agent to which a request message travels.

·          chaddr—Client hardware address.

·          sname—Server host name, from which the client obtained configuration parameters.

·          file—Boot file (also called system software image) name and path information, defined by the server to the client.

·          options—Optional parameters field that is variable in length. Optional parameters include the message type, lease duration, subnet mask, domain name server IP address, and WINS IP address.

DHCP options

DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients.

Figure 14 DHCP option format

 

Common DHCP options

The following are common DHCP options:

·          Option 3—Router option. It specifies the gateway address.

·          Option 6—DNS server option. It specifies the DNS server's IP address.

·          Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

·          Option 51—IP address lease option.

·          Option 53—DHCP message type option. It identifies the type of the DHCP message.

·          Option 55—Parameter request list option. It is used by a DHCP client to request specified configuration parameters. The option includes values that correspond to the parameters requested by the client.

·          Option 60—Vendor class identifier option. A DHCP client uses this option to identify its vendor. A DHCP server uses this option to distinguish DHCP clients, and assigns IP addresses to them.

·          Option 66—TFTP server name option. It specifies a TFTP server to be assigned to the client.

·          Option 67—Boot file name option. It specifies the boot file name to be assigned to the client.

·          Option 121—Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

·          Option 150—TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client.

For more information about DHCP options, see RFC 2132 and RFC 3442.

Custom DHCP options

Some options, such as Option 43, Option 82, and Option 184, have no standard definitions in RFC 2132.

Vendor-specific option (Option 43)

DHCP servers and clients use Option 43 to exchange vendor-specific configuration information.

The DHCP client can obtain the following information through Option 43:

·          ACS parameters, including the ACS URL, username, and password.

·          Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters.

·          PXE server address, which is used to obtain the boot file or other control information from the PXE server.

1.        Format of Option 43:

Figure 15 Option 43 format

 

Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 15.

     ○  Sub-option type—The field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).

     ○  Sub-option length—Excludes the sub-option type and sub-option length fields.

     ○  Sub-option value—The value format varies by sub-option.

2.        Sub-option value field formats:

     ○  ACS parameter sub-option value field—Includes the ACS URL, username, and password separated by spaces (hexadecimal number 20) as shown in Figure 16.

Figure 16 ACS parameter sub-option value field

 

     ○  Service provider identifier sub-option value field—Includes the service provider identifier.

     ○  PXE server address sub-option value field—Includes the PXE server type that can only be 0, the server number that indicates the number of PXE servers contained in the sub-option, and server IP addresses, as shown in Figure 17.

Figure 17 PXE server address sub-option value field
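
An added Python parser for the Option 43 layout described above (example code, not from H3C). Because Figures 15 through 17 are not reproduced here, the one-byte type and length fields, the two-byte PXE server type and the one-byte server number are assumptions, and the sample payload is constructed.

```python
import copy
import ipaddress

# Sub-option types named in the text above.
SUBOPT_ACS = 0x01    # ACS parameter sub-option
SUBOPT_SP_ID = 0x02  # service provider identifier sub-option
SUBOPT_PXE = 0x80    # PXE server address sub-option


class Option43Error(ValueError):
    """The Option 43 payload does not follow the described layout."""


def iter_suboptions(payload: bytes):
    """Yield (type, value) pairs; reject a length that overruns the payload."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise Option43Error(f"truncated sub-option header at offset {pos}")
        sub_type, sub_len = payload[pos], payload[pos + 1]
        end = pos + 2 + sub_len  # length excludes the type and length fields
        if end > len(payload):
            raise Option43Error(
                f"sub-option 0x{sub_type:02x} claims {sub_len} bytes, "
                f"only {len(payload) - pos - 2} remain")
        yield sub_type, payload[pos + 2:end]
        pos = end


def parse_acs(value: bytes) -> dict:
    """ACS URL, username and password, separated by spaces (0x20)."""
    parts = value.split(b"\x20")
    if len(parts) != 3 or not all(parts):
        raise Option43Error("ACS sub-option must hold exactly three fields")
    try:
        url, username, password = (p.decode("ascii") for p in parts)
    except UnicodeDecodeError as exc:
        raise Option43Error("non-ASCII byte in ACS sub-option") from exc
    return {"url": url, "username": username, "password": password}


def parse_pxe(value: bytes) -> list:
    """PXE server type (must be 0), server number, then the server addresses."""
    if len(value) < 3:
        raise Option43Error("PXE sub-option shorter than its fixed fields")
    server_type = int.from_bytes(value[:2], "big")  # assumed 2-byte field
    count = value[2]                                # assumed 1-byte field
    if server_type != 0:
        raise Option43Error(f"PXE server type {server_type} is not 0")
    addrs = value[3:]
    if len(addrs) != 4 * count:
        raise Option43Error(
            f"server number {count} does not match {len(addrs)} address bytes")
    return [str(ipaddress.IPv4Address(addrs[i:i + 4]))
            for i in range(0, len(addrs), 4)]


def parse_option43(payload: bytes) -> dict:
    """Decode every sub-option; unknown types are kept as hex for review."""
    result = {}
    for sub_type, value in iter_suboptions(payload):
        if sub_type == SUBOPT_ACS:
            result["acs"] = parse_acs(value)
        elif sub_type == SUBOPT_SP_ID:
            result["service_provider_id"] = value.decode("ascii", "replace")
        elif sub_type == SUBOPT_PXE:
            result["pxe_servers"] = parse_pxe(value)
        else:
            result.setdefault("unknown", []).append((sub_type, value.hex()))
    return result


def redact(parsed: dict) -> dict:
    """Copy of the result with the ACS password masked, for logs and tickets."""
    safe = copy.deepcopy(parsed)
    if "acs" in safe:
        safe["acs"]["password"] = "***"
    return safe


# Constructed sample: an ACS sub-option followed by a PXE sub-option.
_ACS = b"http://acs.example.net:7547/acs user1 secret1"
SAMPLE = (bytes([SUBOPT_ACS, len(_ACS)]) + _ACS
          + bytes.fromhex("800b0000020102030402020202"))

if __name__ == "__main__":
    print(redact(parse_option43(SAMPLE)))
```

The ACS username and password are carried in the sub-option as space-separated text, so `redact` masks the password before a parsed result is written to a log.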

 

Relay agent option (Option 82)

Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.

The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients.

Option 82 can include a maximum of 255 sub-options and must include a minimum of one sub-option. Option 82 supports the following sub-options: sub-option 1 (Circuit ID), sub-option 2 (Remote ID), and sub-option 5 (Link Selection). Option 82 has no standard definition. Its padding formats vary by vendor.

·          Circuit ID has the following padding modes:

     ○  String padding mode—Includes a character string specified by the user.

     ○  Normal padding mode—Includes the VLAN ID and interface number of the interface that receives the client's request.

     ○  Verbose padding mode—Includes the access node identifier specified by the user, and the VLAN ID, interface number and interface type of the interface that receives the client's request.

·          Remote ID has the following padding modes:

     ○  String padding mode—Includes a character string specified by the user.

     ○  Normal padding mode—Includes the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that receives the client's request.

     ○  Sysname padding mode—Includes the device name of the device. To set the device name for the device, use the sysname command in system view.

·          The Link Selection sub-option carries the IP address in the giaddr field or the IP address of a relay interface. If you use the dhcp relay source-address { ip-address | interface interface-type interface-number } command, you must enable the DHCP relay agent to support Option 82. This sub-option will then be included in Option 82.

Option 184

Option 184 is a reserved option. You can define the parameters in the option as needed. The device supports Option 184 carrying voice related parameters, so a DHCP client with voice functions can get voice parameters from the DHCP server.

Option 184 has the following sub-options:

·          Sub-option 1—Specifies the IP address of the primary network calling processor. The primary processor acts as the network calling control source and provides program download services. For Option 184, you must define sub-option 1 to make other sub-options take effect.

·          Sub-option 2—Specifies the IP address of the backup network calling processor. DHCP clients contact the backup processor when the primary one is unreachable.

·          Sub-option 3—Specifies the voice VLAN ID and whether the DHCP client takes this VLAN as the voice VLAN.

·          Sub-option 4—Specifies the failover route that includes the IP address and the number of the target user. A SIP VoIP user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable.

Protocols and standards

·          RFC 2131, Dynamic Host Configuration Protocol

·          RFC 2132, DHCP Options and BOOTP Vendor Extensions

·          RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

·          RFC 3046, DHCP Relay Agent Information Option

·          RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4


Configuring the DHCP server

Overview

The DHCP server is well suited to networks where:

·          Manual configuration and centralized management are difficult to implement.

·          IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically.

·          Most hosts do not need fixed IP addresses.

An MCE acting as the DHCP server can assign IP addresses not only to clients on public networks, but also to clients on private networks. The IP address ranges of public and private networks or those of private networks on the DHCP server cannot overlap. For more information about MCE, see MPLS Configuration Guide.

DHCP address pool

Each DHCP address pool has a group of assignable IP addresses and network configuration parameters. The DHCP server selects IP addresses and other parameters from the address pool and assigns them to the DHCP clients.

Address assignment mechanisms

Configure the following address assignment mechanisms as needed:

·          Static address allocation—Manually bind the MAC address or ID of a client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.

·          Dynamic address allocation—Specify IP address ranges in a DHCP address pool. Upon receiving a DHCP request, the DHCP server dynamically selects an IP address from the matching IP address range in the address pool.

You can specify IP address ranges in an address pool by using either of the following methods:

·          Method 1—Specify a primary subnet in an address pool and divide the subnet into multiple address ranges. These address ranges include a common IP address range and IP address ranges for DHCP user classes.

Upon receiving a DHCP request, the DHCP server finds a user class matching the client and selects an IP address in the address range of the user class for the client. A user class can include multiple matching rules, and a client matches the user class as long as it matches any of the rules. In address pool view, you can specify different address ranges for different user classes.

The DHCP server selects an IP address for a client by performing the following steps:

a.    The DHCP server compares the client against DHCP user classes in the order they are configured.

b.    If the client matches a user class, the DHCP server selects an IP address from the address range of the user class.

c.    If the matching user class has no assignable addresses, the DHCP server compares the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range.

d.    If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or it is not configured, the address allocation fails.

 

 

NOTE:

All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range.

 

·          Method 2—Specify a primary subnet and multiple secondary subnets in an address pool.

The DHCP server selects an IP address from the primary subnet first. If there is no assignable IP address on the primary subnet, the DHCP server selects an IP address from secondary subnets in the order they are configured.
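
The Method 1 selection steps a through d, as an added Python sketch (not H3C code). The `PoolRanges` structure, the two rule helpers, the lowest-address-first order and all sample addresses are assumptions made for illustration; a class range outside the primary subnet is skipped, as the NOTE above requires.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PoolRanges:
    primary: ipaddress.IPv4Network
    common_range: Optional[tuple] = None              # (start, end) of "address range"
    class_ranges: dict = field(default_factory=dict)  # class name -> (start, end)
    forbidden: set = field(default_factory=set)       # forbidden-ip addresses
    in_use: set = field(default_factory=set)          # addresses already leased


def first_assignable(pool, rng):
    """First address in rng on the primary subnet that is not forbidden or leased."""
    if rng is None:
        return None
    start, end = (int(ipaddress.IPv4Address(a)) for a in rng)
    for n in range(start, end + 1):
        ip = ipaddress.IPv4Address(n)
        # Addresses outside the primary subnet cannot be assigned (see the NOTE).
        if ip in pool.primary and ip not in pool.forbidden and ip not in pool.in_use:
            return ip
    return None


def select_address(pool, user_classes, client):
    """Return (source, address), or None when the allocation fails."""
    for name, rules in user_classes:                 # step a: configured order
        if not any(rule(client) for rule in rules):  # matching any rule is enough
            continue
        ip = first_assignable(pool, pool.class_ranges.get(name))
        if ip is not None:
            return name, ip                          # step b
        # step c: the class matched but is exhausted, so try the next class
    ip = first_assignable(pool, pool.common_range)   # end of step c, and step d
    return ("common", ip) if ip is not None else None


def _mac(text):
    return int(text.replace("-", ""), 16)


def option60_prefix(prefix: bytes):
    """Hypothetical rule: the client's Option 60 value starts with prefix."""
    return lambda client: client.get("option60", b"").startswith(prefix)


def mac_masked(value: str, mask: str):
    """Hypothetical rule: the client MAC equals value under mask."""
    return lambda client: (_mac(client["mac"]) & _mac(mask)) == (_mac(value) & _mac(mask))


# Constructed user classes, listed in configured order.
USER_CLASSES = [
    ("voice", [option60_prefix(b"phone"),
               mac_masked("00e0-fc00-0000", "ffff-ff00-0000")]),
    ("printer", [option60_prefix(b"printer")]),
]


def example_pool():
    """Constructed pool; the printer range is deliberately off the primary subnet."""
    return PoolRanges(
        primary=ipaddress.ip_network("10.1.1.0/24"),
        common_range=("10.1.1.100", "10.1.1.200"),
        class_ranges={"voice": ("10.1.1.10", "10.1.1.11"),
                      "printer": ("10.1.2.10", "10.1.2.20")},
        forbidden={ipaddress.IPv4Address("10.1.1.100")},
    )


if __name__ == "__main__":
    phone = {"mac": "0001-0001-0001", "option60": b"phone-x"}
    printer = {"mac": "0001-0001-0002", "option60": b"printer-y"}
    print(select_address(example_pool(), USER_CLASSES, phone))
    print(select_address(example_pool(), USER_CLASSES, printer))
```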

Principles for selecting an address pool

The DHCP server observes the following principles to select an address pool for a client:

1.        If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.

2.        If the receiving interface has an address pool applied, the DHCP server selects an IP address and other configuration parameters from this address pool.

3.        If no static address pool is configured and no address pool is applied to the receiving interface, the DHCP server selects an address pool depending on the client location.

     ○  Client on the same subnet as the server—The DHCP server compares the IP address of the receiving interface with the primary subnets of all address pools.

-      If a match is found, the server selects the address pool with the longest-matching primary subnet.

-      If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.

     ○  Client on a different subnet than the server—The DHCP server compares the IP address in the giaddr field of the DHCP request with the primary subnets of all address pools.

-      If a match is found, the server selects the address pool with the longest-matching primary subnet.

-      If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.

For example, two address pools 1.1.1.0/24 and 1.1.1.0/25 are configured but not applied to any interface on the DHCP server.

·          If the IP address of the receiving interface is 1.1.1.1/25, the DHCP server selects the address pool 1.1.1.0/25. If the address pool has no available IP addresses, the DHCP server will not select the other pool and the address allocation will fail.

·          If the IP address of the receiving interface is 1.1.1.130/25, the DHCP server selects the address pool 1.1.1.0/24.
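
The pool-selection principles and the 1.1.1.0/24 versus 1.1.1.0/25 example above, as an added Python model (not H3C code). The `Pool` structure, the free-address lists, the client identifiers and the first-configured-wins tie-break for equal prefix lengths are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    primary: ipaddress.IPv4Network
    secondaries: list = field(default_factory=list)      # in configured order
    static_bindings: dict = field(default_factory=dict)  # client MAC/ID -> address
    free: list = field(default_factory=list)             # assignable addresses left


def longest_match(addr, candidates):
    """Return the pool whose subnet contains addr with the longest prefix."""
    best_net, best_pool = None, None
    for net, pool in candidates:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_pool = net, pool  # ties keep the first configured pool
    return best_pool


def select_pool(pools, client_id, iface_ip, giaddr="0.0.0.0", applied=None):
    """Apply principles 1 to 3 in order; return the chosen Pool or None."""
    # Principle 1: a pool holding a static binding for this client wins.
    for pool in pools:
        if client_id in pool.static_bindings:
            return pool
    # Principle 2: a pool applied to the receiving interface.
    if applied is not None:
        return applied
    # Principle 3: match on location. A zero giaddr means no relay was crossed,
    # so the receiving interface address is compared; otherwise giaddr is.
    relay = ipaddress.IPv4Address(giaddr)
    key = ipaddress.IPv4Address(iface_ip) if relay.is_unspecified else relay
    pool = longest_match(key, [(p.primary, p) for p in pools])
    if pool is None:
        pool = longest_match(key, [(s, p) for p in pools for s in p.secondaries])
    return pool


def offer(pools, client_id, iface_ip, giaddr="0.0.0.0", applied=None):
    """Return (pool name, address), or None when the allocation fails."""
    pool = select_pool(pools, client_id, iface_ip, giaddr, applied)
    if pool is None:
        return None
    if client_id in pool.static_bindings:
        return pool.name, pool.static_bindings[client_id]
    if not pool.free:
        return None  # the server does not fall back to the other pool
    return pool.name, pool.free[0]


def example_pools(pool25_free=("1.1.1.2",)):
    """The two pools from the text; the free addresses are constructed."""
    addr = ipaddress.IPv4Address
    return [
        Pool("pool-24", ipaddress.ip_network("1.1.1.0/24"),
             free=[addr("1.1.1.200")]),
        Pool("pool-25", ipaddress.ip_network("1.1.1.0/25"),
             free=[addr(a) for a in pool25_free]),
    ]


if __name__ == "__main__":
    client = "0001-0001-0001"  # constructed client identifier
    print(offer(example_pools(), client, "1.1.1.1"))                # pool-25
    print(offer(example_pools(pool25_free=()), client, "1.1.1.1"))  # allocation fails
    print(offer(example_pools(), client, "1.1.1.130"))              # pool-24
```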

To ensure correct address allocation, keep the IP addresses used for dynamic allocation on one of the subnets:

·          Clients on the same subnet as the server—Subnet where the DHCP server receiving interface resides.

·          Clients on a different subnet than the server—Subnet where the first DHCP relay interface that faces the clients resides.

 

 

NOTE:

As a best practice, configure a minimum of one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.

 

IP address allocation sequence

The DHCP server selects an IP address for a client in the following sequence:

1.        IP address statically bound to the client's MAC address or ID.

2.        IP address that was previously assigned to the client.

3.        IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client.

Option 50 is the Requested IP Address option. The client uses this option to specify the desired IP address in a DHCP-DISCOVER message. The content of Option 50 is user defined.

4.        First assignable IP address found in the way discussed in "DHCP address pool."

5.        IP address that was in conflict or whose lease has expired. If no IP address is assignable, the server does not respond.

 

 

NOTE:

·      If a client moves to another subnet, the DHCP server selects an IP address in the address pool matching the new subnet. It does not assign the IP address that was once assigned to the client.

·      Conflicted IP addresses can be assigned to other DHCP clients only after the addresses are in conflict for an hour.

 

DHCP server configuration task list

Tasks at a glance

(Required.) Configuring an address pool on the DHCP server

(Required.) Enabling DHCP

(Required.) Enabling the DHCP server on an interface

(Optional.) Applying an address pool on an interface

(Optional.) Configuring a DHCP policy for dynamic address assignment

(Optional.) Configuring IP address conflict detection

(Optional.) Enabling handling of Option 82

(Optional.) Configuring DHCP server compatibility

(Optional.) Setting the DSCP value for DHCP packets sent by the DHCP server

(Optional.) Applying a DHCP address pool to a VPN instance

 

Configuring an address pool on the DHCP server

Configuration task list

Tasks at a glance

(Required.) Creating a DHCP address pool

Perform one or more of the following tasks:

·         Specifying IP address ranges for a DHCP address pool

·         Specifying gateways for DHCP clients

·         Specifying a domain name suffix for DHCP clients

·         Specifying DNS servers for DHCP clients

·         Specifying WINS servers and NetBIOS node type for DHCP clients

·         Specifying BIMS server for DHCP clients

·         Specifying the configuration file for DHCP client auto-configuration

·         Specifying a server for DHCP clients

·         Customizing DHCP options

 

Creating a DHCP address pool

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

 

Specifying IP address ranges for a DHCP address pool

You can configure both static and dynamic address allocation mechanisms in a DHCP address pool. For dynamic address allocation, you can specify either a primary subnet with multiple address ranges or a primary subnet with multiple secondary subnets for a DHCP address pool. You cannot configure both.

Specifying a primary subnet and multiple address ranges for a DHCP address pool

Some scenarios need to classify DHCP clients on the same subnet into different address groups. To meet this need, you can configure DHCP user classes and specify different address ranges for the classes. The clients matching a user class can then get the IP addresses of an address range. In addition, you can specify a common address range for the clients that do not match any user class. If no common address range is specified, such clients fail to obtain IP addresses.

If there is no need to classify clients, you do not need to configure DHCP user classes or their address ranges.

Follow these guidelines when you specify a primary subnet and multiple address ranges for a DHCP address pool:

·          If you use the network or address range command multiple times for the same address pool, the most recent configuration takes effect.

·          IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

·          You can use class range to modify an existing address range, and the new address range can include IP addresses that are being used by clients. Upon receiving a lease extension request for such an IP address, the DHCP server allocates a new IP address to the requesting client. But the original lease continues aging in the address pool, and will be released when the lease duration is reached. To release such a lease without waiting for its timeout, execute the reset dhcp server ip-in-use command.

To specify a primary subnet and multiple address ranges for a DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP user class and enter DHCP user class view.
   Command: dhcp class class-name
   Remarks: Required for client classification. By default, no DHCP user class exists.

3. Configure a match rule for the DHCP user class.
   Command: if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }
   Remarks: Required for client classification. By default, no match rule is configured for a DHCP user class.

4. Return to system view.
   Command: quit
   Remarks: N/A

5. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

6. Specify the primary subnet for the address pool.
   Command: network network-address [ mask-length | mask mask ]
   Remarks: By default, no primary subnet is specified.

7. (Optional.) Specify the common address range.
   Command: address range start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
   Remarks: By default, no IP address range is specified.

8. (Optional.) Specify an IP address range for a DHCP user class.
   Command: class class-name range start-ip-address end-ip-address
   Remarks: By default, no IP address range is specified for a user class. The DHCP user class must already exist. To specify address ranges for multiple DHCP user classes, repeat this step.

9. (Optional.) Set the address lease duration.
   Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
   Remarks: The default setting is 1 day.

10. (Optional.) Exclude the specified IP addresses in the address pool from dynamic allocation.
   Command: forbidden-ip ip-address&<1-8>
   Remarks: By default, all the IP addresses in the DHCP address pool are assignable. To exclude multiple address ranges from dynamic allocation, repeat this step.

11. Return to system view.
   Command: quit
   Remarks: N/A

12. (Optional.) Exclude the specified IP addresses from automatic allocation globally.
   Command: dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
   Remarks: By default, except for the IP address of the DHCP server interface, all IP addresses in address pools are assignable. To exclude multiple IP address ranges, repeat this step.

 

Specifying a primary subnet and multiple secondary subnets for a DHCP address pool

If an address pool has a primary subnet and multiple secondary subnets, the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses.

Follow these guidelines when you specify a primary subnet and secondary subnets for a DHCP address pool:

·          You can specify only one primary subnet in each address pool. If you use the network command multiple times, the most recent configuration takes effect.

·          You can specify a maximum of 32 secondary subnets in each address pool.

·          IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

To specify a primary subnet and secondary subnets for a DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the primary subnet.
   Command: network network-address [ mask-length | mask mask ]
   Remarks: By default, no primary subnet is specified.

4. (Optional.) Specify a secondary subnet.
   Command: network network-address [ mask-length | mask mask ] secondary
   Remarks: By default, no secondary subnet is specified.

5. (Optional.) Return to address pool view.
   Command: quit
   Remarks: N/A

6. (Optional.) Set the address lease duration.
   Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
   Remarks: The default setting is 1 day.

7. (Optional.) Exclude the specified IP addresses from dynamic allocation.
   Command: forbidden-ip ip-address&<1-8>
   Remarks: By default, all the IP addresses in the DHCP address pool can be dynamically allocated. To exclude multiple address ranges from the address pool, repeat this step.

8. Return to system view.
   Command: quit
   Remarks: N/A

9. (Optional.) Exclude the specified IP addresses from dynamic allocation globally.
   Command: dhcp server forbidden-ip start-ip-address [ end-ip-address ]
   Remarks: Except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable by default. To exclude multiple address ranges globally, repeat this step.

 

Configuring a static binding in a DHCP address pool

Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.

Follow these guidelines when you configure a static binding:

·          One IP address can be bound to only one client MAC or client ID. You cannot modify bindings that have been created. To change the binding for a DHCP client, you must delete the existing binding first.

·          The IP address of a static binding cannot be the address of the DHCP server interface. Otherwise, an IP address conflict occurs and the bound client cannot obtain an IP address correctly.

·          Multiple interfaces on the same device might all use DHCP to request a static IP address. In this case, use client IDs rather than the device's MAC address to identify the interfaces. Otherwise, IP address allocation will fail.

To configure a static binding:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Configure a static binding.
   Command: static-bind ip-address ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }
   Remarks: By default, no static binding is configured. To add more static bindings, repeat this step.

4. (Optional.) Set the lease duration for the IP address.
   Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
   Remarks: The default setting is 1 day.

 

Specifying gateways for DHCP clients

DHCP clients send packets destined for other networks to a gateway. The DHCP server can assign the gateway address to the DHCP clients.

You can specify gateway addresses in each address pool on the DHCP server. A maximum of 64 gateways can be specified in DHCP address pool view or secondary subnet view.

The DHCP server assigns gateway addresses to clients on a secondary subnet in the following ways:

·          If gateways are specified in both address pool view and secondary subnet view, DHCP assigns those specified in the secondary subnet view.

·          If gateways are specified in address pool view but not in secondary subnet view, DHCP assigns those specified in address pool view.

To configure gateways in the DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify gateways.
   Command: gateway-list ip-address&<1-64>
   Remarks: By default, no gateway is specified.

4. (Optional.) Enter secondary subnet view.
   Command: network network-address [ mask-length | mask mask ] secondary
   Remarks: N/A

5. (Optional.) Specify gateways.
   Command: gateway-list ip-address&<1-64>
   Remarks: By default, no gateway is specified.

 

Specifying a domain name suffix for DHCP clients

You can specify a domain name suffix in a DHCP address pool on the DHCP server. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring DNS."

To configure a domain name suffix in the DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify a domain name suffix.
   Command: domain-name domain-name
   Remarks: By default, no domain name is specified.

 

Specifying DNS servers for DHCP clients

To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool.

To specify DNS servers in a DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify DNS servers.
   Command: dns-list ip-address&<1-8>
   Remarks: By default, no DNS server is specified.

 

Specifying WINS servers and NetBIOS node type for DHCP clients

A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool.

In addition, you must specify a NetBIOS node type, which determines how the clients perform name resolution. There are four NetBIOS node types:

·          b (broadcast)-node—A b-node client sends the destination name in a broadcast message. The destination returns its IP address to the client after receiving the message.

·          p (peer-to-peer)-node—A p-node client sends the destination name in a unicast message to the WINS server. The WINS server returns the destination IP address.

·          m (mixed)-node—An m-node client broadcasts the destination name. If it receives no response, it unicasts the destination name to the WINS server to get the destination IP address.

·          h (hybrid)-node—An h-node client unicasts the destination name to the WINS server. If it receives no response, it broadcasts the destination name to get the destination IP address.

To configure WINS servers and NetBIOS node type in a DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify WINS servers.
   Command: nbns-list ip-address&<1-8>
   Remarks: This step is optional for b-node. By default, no WINS server is specified.

4. Specify the NetBIOS node type.
   Command: netbios-type { b-node | h-node | m-node | p-node }
   Remarks: By default, no NetBIOS node type is specified.

 

Specifying BIMS server for DHCP clients

Perform this task to provide the BIMS server IP address, port number, and shared key for the clients. The DHCP clients contact the BIMS server to get configuration files and perform software upgrade and backup.

To configure the BIMS server IP address, port number, and shared key in the DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the BIMS server IP address, port number, and shared key.
   Command: bims-server ip ip-address [ port port-number ] sharekey { cipher | simple } string
   Remarks: By default, no BIMS server information is specified.

 

Specifying the configuration file for DHCP client auto-configuration

Auto-configuration enables a device to obtain a set of configuration settings automatically from servers when the device starts up without a configuration file. It requires the cooperation of the DHCP server, HTTP server, DNS server, and TFTP server. For more information about auto-configuration, see Fundamentals Configuration Guide.

Follow these guidelines to specify the parameters on the DHCP server for configuration file acquisition:

·          If the configuration file is on a TFTP server, specify the IP address or name of the TFTP server, and the configuration file name.

·          If the configuration file is on an HTTP server, specify the configuration file URL.

The DHCP client uses the obtained parameters to contact the TFTP server or the HTTP server to get the configuration file.

To specify the configuration file name in a DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the IP address or the name of a TFTP server.
   Command:
   ·         Specify the IP address of the TFTP server: tftp-server ip-address ip-address
   ·         Specify the name of the TFTP server: tftp-server domain-name domain-name
   Remarks: You can specify both the IP address and name of the TFTP server. By default, no TFTP server is specified.

4. Specify the configuration file name.
   Command: bootfile-name bootfile-name
   Remarks: By default, no configuration file name is specified.

 

To specify the configuration file URL in a DHCP address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Specify the URL of the configuration file.
   Command: bootfile-name url
   Remarks: By default, no configuration file URL is specified.

 

Specifying a server for DHCP clients

Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You can specify the IP address of that server. The DHCP server sends the server's IP address to DHCP clients along with other configuration information.

To specify the IP address of a server:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Create a DHCP address pool and enter its view.
    Command: dhcp server ip-pool pool-name
    Remarks: By default, no DHCP address pool exists.
3.  Specify the IP address of a server.
    Command: next-server ip-address
    Remarks: By default, no server is specified.

 

Customizing DHCP options

IMPORTANT:

Use caution when customizing DHCP options because the configuration might affect DHCP operation.

 

You can customize options for the following purposes:

·          Add newly released options.

·          Add options for which the vendor defines the contents, for example, Option 43.

·          Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.

·          Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command. For example, the dns-list command can specify up to eight DNS servers. To specify more than eight DNS servers, you must use the option 6 command to define all DNS servers.

To customize a DHCP option in a DHCP address pool:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Create a DHCP address pool and enter its view.
    Command: dhcp server ip-pool pool-name
    Remarks: By default, no DHCP address pool exists.
3.  Customize a DHCP option.
    Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
    Remarks: By default, no DHCP option is customized in a DHCP address pool. DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

 

To customize a DHCP option in a DHCP option group:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Create a DHCP user class and enter DHCP user class view.
    Command: dhcp class class-name
    Remarks: By default, no DHCP user class exists.
3.  Configure a match rule for the DHCP user class.
    Command: if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }
    Remarks: By default, no match rule is configured for a DHCP user class.
4.  Return to system view.
    Command: quit
    Remarks: N/A
5.  Create a DHCP option group and enter DHCP option group view.
    Command: dhcp option-group option-group-number
    Remarks: By default, no DHCP option group exists.
6.  Customize a DHCP option.
    Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
    Remarks: By default, no DHCP option is customized in a DHCP option group. DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.
7.  Create a DHCP address pool and enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name
    Remarks: By default, no DHCP address pool exists.
8.  Specify the DHCP option group for the DHCP user class.
    Command: class class-name option-group option-group-number
    Remarks: By default, no DHCP option group is specified for a DHCP user class.

 

Table 2 Common DHCP options

Option  Option name                             Corresponding command  Recommended option command parameters
3       Router Option                           gateway-list           ip-address
6       Domain Name Server Option               dns-list               ip-address
15      Domain Name                             domain-name            ascii
44      NetBIOS over TCP/IP Name Server Option  nbns-list              ip-address
46      NetBIOS over TCP/IP Node Type Option    netbios-type           hex
66      TFTP server name                        tftp-server            ascii
67      Boot file name                          bootfile-name          ascii
43      Vendor Specific Information             N/A                    hex

 

Enabling DHCP

You must enable DHCP for other DHCP configurations to take effect.

To enable DHCP:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Enable DHCP.
    Command: dhcp enable
    Remarks: By default, DHCP is disabled.

 

Enabling the DHCP server on an interface

Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.

To enable the DHCP server on an interface:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3.  Enable the DHCP server on the interface.
    Command: dhcp select server
    Remarks: By default, the DHCP server on the interface is enabled.

 

Applying an address pool on an interface

Perform this task to apply a DHCP address pool on an interface.

Upon receiving a DHCP request from the interface, the DHCP server performs address allocation in the following ways:

·          If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding.

·          If no static binding is found for the client, the server uses the address pool applied to the interface for address and configuration parameter allocation.

To apply an address pool on an interface:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3.  Apply an address pool on the interface.
    Command: dhcp server apply ip-pool pool-name
    Remarks: By default, no address pool is applied on an interface. If the applied address pool does not exist, the DHCP server fails to perform dynamic address allocation.

 

Configuring a DHCP policy for dynamic address assignment

In a DHCP policy, each DHCP user class has a bound DHCP address pool. Clients matching different user classes obtain IP addresses and other parameters from different address pools. The DHCP policy must be applied to the interface that acts as the DHCP server. When receiving a DHCP request, the DHCP server compares the packet against the user classes in the order that they are configured.

·          If a match is found and the bound address pool has assignable IP addresses, the server assigns an IP address and other parameters from the address pool. If the address pool does not have assignable IP addresses, the address assignment fails.

·          If no match is found, the server assigns an IP address and other parameters from the default DHCP address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.

For successful address assignment, make sure the applied DHCP policy and the bound address pools exist.

To configure a DHCP policy for dynamic address assignment:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Create a DHCP user class and enter DHCP user class view.
    Command: dhcp class class-name
    Remarks: By default, no DHCP user class exists.
3.  Configure a match rule for the DHCP user class.
    Command: if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }
    Remarks: By default, no match rule is configured for a DHCP user class.
4.  Return to system view.
    Command: quit
    Remarks: N/A
5.  Create a DHCP policy and enter DHCP policy view.
    Command: dhcp policy policy-name
    Remarks: By default, no DHCP policy exists.
6.  Specify a DHCP address pool for a DHCP user class.
    Command: class class-name ip-pool pool-name
    Remarks: By default, no address pool is specified for a user class.
7.  Specify the default DHCP address pool.
    Command: default ip-pool pool-name
    Remarks: By default, no default address pool is specified.
8.  Return to system view.
    Command: quit
    Remarks: N/A
9.  Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
10. Apply the DHCP policy to the interface.
    Command: dhcp apply-policy policy-name
    Remarks: By default, no DHCP policy is applied to an interface.
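The matching order described in this section can be modeled in a few lines. This Python model is an added example, not the switch's implementation: the type names, the pool names, and the class named wide are hypothetical, and the two hardware-address masks are the ones used in this guide's configuration examples. It assumes, as the text above describes, that the first matching user class decides the pool and that an exhausted bound pool makes the assignment fail.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def mac_to_int(text: str) -> int:
    """Convert the CLI's H-H-H notation (for example aabb-aabb-aab0) to an integer."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a six-byte hardware address: {text!r}")
    return int(digits, 16)


@dataclass
class HardwareRule:
    """Model of: if-match rule N hardware-address <address> mask <mask>."""
    address: str
    mask: str

    def matches(self, chaddr: str) -> bool:
        mask = mac_to_int(self.mask)
        return (mac_to_int(chaddr) & mask) == (mac_to_int(self.address) & mask)


@dataclass
class Pool:
    name: str
    free: List[str] = field(default_factory=list)  # assignable addresses

    def allocate(self) -> Optional[str]:
        return self.free.pop(0) if self.free else None


@dataclass
class Policy:
    classes: List[Tuple[str, HardwareRule, Pool]]  # kept in configuration order
    default_pool: Optional[Pool] = None

    def assign(self, chaddr: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
        """Return (matched class, pool used, address); address None means failure."""
        for class_name, rule, pool in self.classes:
            if rule.matches(chaddr):
                # First match wins. An exhausted bound pool fails the
                # assignment; later classes and the default pool are not tried.
                return class_name, pool.name, pool.allocate()
        if self.default_pool is None:
            return None, None, None
        return None, self.default_pool.name, self.default_pool.allocate()


def example_policy(narrow_first: bool = True) -> Policy:
    """Constructed sample: a 44-bit prefix class and a 32-bit prefix class."""
    narrow = ("ss", HardwareRule("aabb-aabb-aab0", "ffff-ffff-fff0"),
              Pool("pool-ss", ["10.10.1.11"]))
    wide = ("wide", HardwareRule("aabb-aabb-0000", "ffff-ffff-0000"),
            Pool("pool-wide", ["10.10.1.50", "10.10.1.51"]))
    classes = [narrow, wide] if narrow_first else [wide, narrow]
    return Policy(classes, default_pool=Pool("pool-default", ["10.10.1.90"]))


if __name__ == "__main__":
    policy = example_policy()
    for client in ("aabb-aabb-aab1", "aabb-aabb-aab2", "aabb-aabb-0001",
                   "0011-2233-4455", "0011-2233-4456"):
        print(client, policy.assign(client))
    # With the wide class configured first, the narrow class is never reached.
    print(example_policy(narrow_first=False).assign("aabb-aabb-aab1"))
```

Configuring the more specific class before the broader one matters: with the order reversed, every client that the narrow rule would match is claimed by the wide rule first.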

 

Configuring IP address conflict detection

Before assigning an IP address, the DHCP server pings that IP address.

·          If the server receives a response within the specified period, it selects and pings another IP address.

·          If it receives no response, the server continues to ping the IP address until a specific number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. The DHCP client uses gratuitous ARP to perform IP address conflict detection.

To configure IP address conflict detection:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  (Optional.) Set the maximum number of ping packets to be sent for conflict detection.
    Command: dhcp server ping packets number
    Remarks: The default setting is one. The value 0 disables IP address conflict detection.
3.  (Optional.) Set the ping timeout time.
    Command: dhcp server ping timeout milliseconds
    Remarks: The default setting is 500 ms. The value 0 disables IP address conflict detection.

 

Enabling handling of Option 82

Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response.

If you disable the DHCP server from handling Option 82, the server does not add Option 82 to the response message.

You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure correct processing for Option 82. For information about enabling handling of Option 82 on the DHCP relay agent, see "Configuring Option 82."

To enable the DHCP server to handle Option 82:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Enable the server to handle Option 82.
    Command: dhcp server relay information enable
    Remarks: By default, handling of Option 82 is enabled.

 

Configuring DHCP server compatibility

Perform this task to enable the DHCP server to support DHCP clients that do not comply with the RFCs.

Configuring the DHCP server to broadcast all responses

By default, the DHCP server broadcasts a response only when the broadcast flag in the DHCP request is set to 1. You can configure the DHCP server to ignore the broadcast flag and always broadcast a response. This feature is useful when some clients set the broadcast flag to 0 but do not accept unicast responses.

The DHCP server always unicasts a response in the following situations, regardless of whether this feature is configured or not:

·          The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).

·          The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is not 0).

To configure the DHCP server to broadcast all responses:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Enable the DHCP server to broadcast all responses.
    Command: dhcp server always-broadcast
    Remarks: By default, the DHCP server reads the broadcast flag to decide whether to broadcast or unicast a response.

 

Setting the DSCP value for DHCP packets sent by the DHCP server

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP server:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Set the DSCP value for DHCP packets sent by the DHCP server.
    Command: dhcp dscp dscp-value
    Remarks: By default, the DSCP value in DHCP packets sent by the DHCP server is 56.

 

Applying a DHCP address pool to a VPN instance

If a DHCP address pool is applied to a VPN instance, the DHCP server assigns IP addresses in this address pool to clients in the VPN instance. Addresses in this address pool will not be assigned to clients on the public network.

The DHCP server can obtain the VPN instance to which a DHCP client belongs from the following information:

·          The client's VPN information stored in authentication modules.

·          The VPN information of the DHCP server's interface that receives DHCP packets from the client.

The VPN information from authentication modules takes priority over the VPN information of the receiving interface.

To apply a DHCP address pool to a VPN instance:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Create a DHCP address pool and enter its view.
    Command: dhcp server ip-pool pool-name
    Remarks: By default, no DHCP address pool exists.
3.  Apply the address pool to a VPN instance.
    Command: vpn-instance vpn-instance-name
    Remarks: By default, the address pool is not applied to any VPN instance.

 

Displaying and maintaining the DHCP server

IMPORTANT:

A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.

 

Execute display commands in any view and reset commands in user view.

 

Display information about IP address conflicts.
    display dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]
Display information about lease-expired IP addresses.
    display dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Display information about assignable IP addresses.
    display dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]
Display information about assigned IP addresses.
    display dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Display DHCP server statistics.
    display dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]
Display information about DHCP address pools.
    display dhcp server pool [ pool-name | vpn-instance vpn-instance-name ]
Clear information about IP address conflicts.
    reset dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]
Clear information about lease-expired IP addresses.
    reset dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Clear information about assigned IP addresses.
    reset dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Clear DHCP server statistics.
    reset dhcp server statistics [ vpn-instance vpn-instance-name ]

 

DHCP server configuration examples

DHCP networking includes the following types:

·          The DHCP server and clients reside on the same subnet and exchange messages directly.

·          The DHCP server and clients are not on the same subnet and they communicate with each other through a DHCP relay agent.

The DHCP server configuration for the two types is identical.

Dynamic IP address assignment configuration example

Network requirements

As shown in Figure 18, the DHCP server (Switch A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.

Configure the DHCP server on Switch A to implement the following assignment scheme.

Table 3 Assignment scheme

DHCP clients: Clients connected to VLAN-interface 10
    IP address: IP addresses on subnet 10.1.1.0/25
    Lease: 10 days and 12 hours
    Other configuration parameters:
    ·  Gateway: 10.1.1.126/25
    ·  DNS server: 10.1.1.2/25
    ·  Domain name: aabbcc.com
    ·  WINS server: 10.1.1.4/25
DHCP clients: Clients connected to VLAN-interface 20
    IP address: IP addresses on subnet 10.1.1.128/25
    Lease: Five days
    Other configuration parameters:
    ·  Gateway: 10.1.1.254/25
    ·  DNS server: 10.1.1.2/25
    ·  Domain name: aabbcc.com

 

Figure 18 Network diagram

 

Configuration procedure

1.        Specify IP addresses for the VLAN interfaces. (Details not shown.)

2.        Configure the DHCP server:

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Enable the DHCP server on VLAN-interface 10 and VLAN-interface 20.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] dhcp select server

[SwitchA-Vlan-interface10] quit

[SwitchA] interface vlan-interface 20

[SwitchA-Vlan-interface20] dhcp select server

[SwitchA-Vlan-interface20] quit

# Exclude the DNS server address, WINS server address, and gateway addresses from dynamic allocation.

[SwitchA] dhcp server forbidden-ip 10.1.1.2

[SwitchA] dhcp server forbidden-ip 10.1.1.4

[SwitchA] dhcp server forbidden-ip 10.1.1.126

[SwitchA] dhcp server forbidden-ip 10.1.1.254

# Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.0/25.

[SwitchA] dhcp server ip-pool 1

[SwitchA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128

[SwitchA-dhcp-pool-1] expired day 10 hour 12

[SwitchA-dhcp-pool-1] domain-name aabbcc.com

[SwitchA-dhcp-pool-1] dns-list 10.1.1.2

[SwitchA-dhcp-pool-1] gateway-list 10.1.1.126

[SwitchA-dhcp-pool-1] nbns-list 10.1.1.4

[SwitchA-dhcp-pool-1] quit

# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.128/25.

[SwitchA] dhcp server ip-pool 2

[SwitchA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128

[SwitchA-dhcp-pool-2] expired day 5

[SwitchA-dhcp-pool-2] domain-name aabbcc.com

[SwitchA-dhcp-pool-2] dns-list 10.1.1.2

[SwitchA-dhcp-pool-2] gateway-list 10.1.1.254

[SwitchA-dhcp-pool-2] quit

Verifying the configuration

# Verify that clients on subnets 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and all other network parameters from Switch A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.

[SwitchA] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.3         0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.1.1.5         0031-fe65-4203-7e02-  Jan 14 22:25:03 2015  Auto(C)

                 3063-5b30-3230-4702-

                 620e-712f-5e

10.1.1.130       3030-3030-2e30-3030-  Jan 9 10:45:11 2015   Auto(C)

                 662e-3030-3033-2d45-

                 7568-6572-1e

10.1.1.131       3030-0020-fe02-3020-  Jan 9 10:45:11 2015   Auto(C)

                 7052-0201-2013-1e02

                 0201-9068-23

10.1.1.132       2020-1220-1102-3021-  Jan 9 10:45:11 2015   Auto(C)

                 7e52-0211-2025-3402

                 0201-9068-9a

10.1.1.133       2021-d012-0202-4221-  Jan 9 10:45:11 2015   Auto(C)

                 8852-0203-2022-55e0

                 3921-0104-31

DHCP user class configuration example

Network requirements

As shown in Figure 19, the DHCP relay agent (Switch A) forwards DHCP packets between DHCP clients and the DHCP server (Switch B). Enable Switch A to support Option 82 so that Switch A can add Option 82 to the DHCP requests sent by the DHCP clients.

Configure the address allocation scheme as follows:

 

Assign IP addresses        To clients
10.10.1.2 to 10.10.1.10    The DHCP request contains Option 82.
10.10.1.11 to 10.10.1.26   The hardware address in the request is six bytes long and begins with aabb-aabb-aab.

 

For clients on subnet 10.10.1.0/24, the DNS server address is 10.10.1.20/24 and the gateway address is 10.10.1.254/24.

Figure 19 Network diagram

 

Configuration procedure

1.        Specify IP addresses for interfaces on the DHCP server and the DHCP relay agent. (Details not shown.)

2.        Configure DHCP services:

# Enable DHCP and configure the DHCP server to handle Option 82.

<SwitchB> system-view

[SwitchB] dhcp enable

[SwitchB] dhcp server relay information enable

# Enable DHCP server on VLAN-interface10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] dhcp select server

[SwitchB-Vlan-interface10] quit

# Create DHCP user class tt and configure a match rule to match client requests with Option 82.

[SwitchB] dhcp class tt

[SwitchB-dhcp-class-tt] if-match rule 1 option 82

[SwitchB-dhcp-class-tt] quit

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb-aab.

[SwitchB] dhcp class ss

[SwitchB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-aab0 mask ffff-ffff-fff0

[SwitchB-dhcp-class-ss] quit

# Create DHCP address pool aa.

[SwitchB] dhcp server ip-pool aa

# Specify the subnet for dynamic allocation.

[SwitchB-dhcp-pool-aa] network 10.10.1.0 mask 255.255.255.0

# Specify the address range for dynamic allocation.

[SwitchB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100

# Specify the address range for user class tt.

[SwitchB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10

# Specify the address range for user class ss.

[SwitchB-dhcp-pool-aa] class ss range 10.10.1.11 10.10.1.26

# Specify the gateway address and the DNS server address.

[SwitchB-dhcp-pool-aa] gateway-list 10.10.1.254

[SwitchB-dhcp-pool-aa] dns-list 10.10.1.20

[SwitchB-dhcp-pool-aa] quit

Verifying the configuration

# Verify that clients matching the user classes can obtain IP addresses in the specified ranges and all other configuration parameters from the DHCP server. (Details not shown.)

# Display the IP address assigned by the DHCP server.

[SwitchB] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.10.1.2        0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.10.1.11       aabb-aabb-aab1        Jan 14 22:25:03 2015  Auto(C)

Primary and secondary subnets configuration example

Network requirements

As shown in Figure 20, the DHCP server (Switch A) dynamically assigns IP addresses to clients in the LAN.

Configure two subnets in the address pool on the DHCP server: 10.1.1.0/24 as the primary subnet and 10.1.2.0/24 as the secondary subnet. The DHCP server selects IP addresses from the secondary subnet when the primary subnet has no assignable addresses.

Switch A assigns the following parameters:

·          The default gateway 10.1.1.254/24 to clients on subnet 10.1.1.0/24.

·          The default gateway 10.1.2.254/24 to clients on subnet 10.1.2.0/24.

Figure 20 Network diagram

 

Configuration procedure

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Configure the primary and secondary IP addresses of VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 10.1.1.1 24

[SwitchA-Vlan-interface10] ip address 10.1.2.1 24 sub

# Enable the DHCP server on VLAN-interface 10.

[SwitchA-Vlan-interface10] dhcp select server

[SwitchA-Vlan-interface10] quit

# Create DHCP address pool aa.

[SwitchA] dhcp server ip-pool aa

# Specify the primary subnet and the gateway address for dynamic allocation.

[SwitchA-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0

[SwitchA-dhcp-pool-aa] gateway-list 10.1.1.254

# Specify the secondary subnet and the gateway address for dynamic allocation.

[SwitchA-dhcp-pool-aa] network 10.1.2.0 mask 255.255.255.0 secondary

[SwitchA-dhcp-pool-aa-secondary] gateway-list 10.1.2.254

[SwitchA-dhcp-pool-aa-secondary] quit

[SwitchA-dhcp-pool-aa] quit

Verifying the configuration

# Verify that the DHCP server assigns clients IP addresses and the gateway address from the secondary subnet when no address is available from the primary subnet. (Details not shown.)

# Display the primary and secondary subnet IP addresses the DHCP server has assigned. The following is part of the command output.

[SwitchA] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.2         0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.1.2.2         3030-3030-2e30-3030-  Jan 14 22:25:03 2015  Auto(C)

                 662e-3030-3033-2d45-

                 7568-6572-1e

DHCP option customization configuration example

Network requirements

As shown in Figure 21, DHCP clients obtain IP addresses and PXE server addresses from the DHCP server (Switch A). The subnet for address allocation is 10.1.1.0/24.

Configure the address allocation scheme as follows:

 

Assign PXE addresses   To clients
2.3.4.5 and 3.3.3.3    The hardware address in the request is six bytes long and begins with aabb-aabb.
1.2.3.4 and 2.2.2.2    Other clients.

 

The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a customized option. The format of Option 43 and that of the PXE server address sub-option are shown in Figure 15 and Figure 17. For example, the value of Option 43 configured in the DHCP address pool is 80 0B 00 00 02 01 02 03 04 02 02 02 02.

·          The number 80 is the value of the sub-option type.

·          The number 0B is the value of the sub-option length.

·          The numbers 00 00 are the value of the PXE server type.

·          The number 02 indicates the number of servers.

·          The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server addresses are 1.2.3.4 and 2.2.2.2.
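The byte layout listed above can be checked mechanically before a value is entered with option 43 hex. The following Python sketch is an added example, not H3C code: the function names are hypothetical, and it assumes the value carries a single PXE server address sub-option. The sample strings in the demo are the example value above and the two values used in this configuration example.

```python
import ipaddress

PXE_SUBOPTION_TYPE = 0x80  # sub-option type from the example value above
MAX_OPTION_VALUE = 255     # a DHCP option's length field is one byte


def build_pxe_suboption(servers, server_type=0):
    """Return the hex string for 'option 43 hex ...' carrying the given PXE servers."""
    addrs = [ipaddress.IPv4Address(s) for s in servers]
    if not addrs:
        raise ValueError("at least one PXE server address is required")
    # Value field: 2-byte PXE server type, 1-byte server count, 4 bytes per address.
    value = server_type.to_bytes(2, "big") + bytes([len(addrs)])
    value += b"".join(a.packed for a in addrs)
    encoded = bytes([PXE_SUBOPTION_TYPE, len(value)]) + value
    if len(encoded) > MAX_OPTION_VALUE:
        raise ValueError("too many servers to fit in one Option 43 value")
    return encoded.hex().upper()


def parse_pxe_suboption(hex_string):
    """Decode one PXE server address sub-option and verify its internal lengths."""
    raw = bytes.fromhex(hex_string)  # accepts 'AABB' and 'AA BB' spellings
    if len(raw) < 5:
        raise ValueError("too short for a PXE server address sub-option")
    sub_type, sub_len, value = raw[0], raw[1], raw[2:]
    if sub_type != PXE_SUBOPTION_TYPE:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02X}")
    if sub_len != len(value):
        raise ValueError(f"length byte says {sub_len}, value has {len(value)} bytes")
    server_type = int.from_bytes(value[:2], "big")
    count, addr_bytes = value[2], value[3:]
    if count == 0 or len(addr_bytes) != 4 * count:
        raise ValueError(f"server count {count} does not match {len(addr_bytes)} address bytes")
    servers = [str(ipaddress.IPv4Address(addr_bytes[i:i + 4]))
               for i in range(0, len(addr_bytes), 4)]
    return {"server_type": server_type, "servers": servers}


if __name__ == "__main__":
    for sample in ("80 0B 00 00 02 01 02 03 04 02 02 02 02",
                   "800B0000020203040503030303",
                   "800B0000020102030402020202"):
        print(sample, "->", parse_pxe_suboption(sample))
    print(build_pxe_suboption(["1.2.3.4", "2.2.2.2"]))
```

A value whose length byte or server count disagrees with the bytes that follow is rejected, which catches the common mistake of adding or removing an address without updating the two count fields.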

Figure 21 Network diagram

 

Configuration procedure

1.        Specify IP addresses for the interfaces. (Details not shown.)

2.        Configure the DHCP server:

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.

[SwitchA] dhcp class ss

[SwitchA-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000

[SwitchA-dhcp-class-ss] quit

# Create DHCP option group 1 and customize Option 43.

[SwitchA] dhcp option-group 1

[SwitchA-dhcp-option-group-1] option 43 hex 800B0000020203040503030303

# Enable the DHCP server on VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] dhcp select server

[SwitchA-Vlan-interface2] quit

# Create DHCP address pool 0.

[SwitchA] dhcp server ip-pool 0

# Specify the subnet for dynamic address allocation.

[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

# Customize Option 43.

[SwitchA-dhcp-pool-0] option 43 hex 800B0000020102030402020202

# Associate DHCP user class ss with option group 1.

[SwitchA-dhcp-pool-0] class ss option-group 1

[SwitchA-dhcp-pool-0] quit

Verifying the configuration

# Verify that Switch B can obtain an IP address on subnet 10.1.1.0/24 and the corresponding PXE server addresses from Switch A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.

[SwitchA] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.2         aabb-aabb-ab01        Jan 14 22:25:03 2015  Auto(C)

Troubleshooting DHCP server configuration

Symptom

A client's IP address obtained from the DHCP server conflicts with another IP address.

Analysis

Another host on the subnet might have the same IP address.

Solution

1.        Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address.

2.        If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.

3.        Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client:

a.    In the Windows environment, execute the cmd command to enter the DOS environment.

b.    Enter ipconfig /release to relinquish the IP address.

c.    Enter ipconfig /renew to obtain another IP address.


Configuring the DHCP relay agent

Overview

The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature removes the need to deploy a DHCP server on each subnet, which centralizes management and reduces investment. Figure 22 shows a typical application of the DHCP relay agent.

Figure 22 DHCP relay agent application

 

An MCE device acting as the DHCP relay agent can forward DHCP packets between a DHCP server and clients on either a public network or a private network. For more information about MCE, see MPLS Configuration Guide.

Operation

The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists. For the interaction details, see "IP address allocation process." The following only describes steps related to the DHCP relay agent:

1.        After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent processes the message as follows:

a.    Fills the giaddr field of the message with its IP address.

b.    Unicasts the message to the designated DHCP server.

2.        Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response.

3.        The relay agent conveys the response to the client.

Figure 23 DHCP relay agent operation

 

DHCP relay agent support for Option 82

Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks:

·          Locate the DHCP client for security and accounting purposes.

·          Assign IP addresses in a specific range to clients.

For more information about Option 82, see "Relay agent option (Option 82)."

If the DHCP relay agent supports Option 82, it handles DHCP requests by following the strategies described in Table 4.

If a response returned by the DHCP server contains Option 82, the DHCP relay agent removes the Option 82 before forwarding the response to the client.

Table 4 Handling strategies of the DHCP relay agent

If a DHCP request has…   Handling strategy   The DHCP relay agent…
Option 82                Drop                Drops the message.
Option 82                Keep                Forwards the message without changing Option 82.
Option 82                Replace             Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
No Option 82             N/A                 Forwards the message after adding Option 82 padded according to the configured padding format, padding content, and code type.
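The strategies in Table 4, together with the removal of Option 82 from server responses, modeled on a raw DHCP options field. This Python sketch is an added example, not H3C code: the function names are hypothetical, the sub-option numbers 1 (Circuit ID) and 2 (Remote ID) come from RFC 3046, and the padding contents in the demo are constructed.

```python
OPTION_PAD, OPTION_82, OPTION_END = 0, 82, 255


def parse_options(raw):
    """Split a DHCP options field into (code, value) pairs up to the End option."""
    options, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:  # Pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options.append((code, value))
        i += 2 + length
    return options


def encode_options(options):
    """Serialize (code, value) pairs and terminate them with the End option."""
    out = bytearray()
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def build_option82(circuit_id, remote_id):
    """Value of Option 82 made of a Circuit ID and a Remote ID sub-option."""
    return (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)


def relay_request(raw_options, strategy, local_option82):
    """Apply Table 4 to a client request. Returns new options, or None if dropped."""
    options = parse_options(raw_options)
    if not any(code == OPTION_82 for code, _ in options):
        # No Option 82: the relay agent always adds its own, whatever the strategy.
        return encode_options(options + [(OPTION_82, local_option82)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return encode_options(options)
    if strategy == "replace":
        kept = [(c, v) for c, v in options if c != OPTION_82]
        return encode_options(kept + [(OPTION_82, local_option82)])
    raise ValueError(f"unknown strategy {strategy!r}")


def relay_response(raw_options):
    """Remove Option 82 from a server response before it goes to the client."""
    return encode_options([(c, v) for c, v in parse_options(raw_options)
                           if c != OPTION_82])


if __name__ == "__main__":
    local = build_option82(b"vlan10-port1", b"switch-a")           # constructed
    plain = bytes([53, 1, 1, OPTION_END])                          # DHCP-DISCOVER
    tagged = encode_options([(53, b"\x01"),
                             (OPTION_82, build_option82(b"other", b"elsewhere"))])
    for strategy in ("drop", "keep", "replace"):
        result = relay_request(tagged, strategy, local)
        print(strategy, None if result is None else parse_options(result))
    print("added:", parse_options(relay_request(plain, "keep", local)))
```

With Keep, the location information that reaches the server is whatever arrived on the client-facing interface; with Replace it is always the relay agent's own.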

 

DHCP relay agent configuration task list

Tasks at a glance

(Required.) Enabling DHCP

(Required.) Enabling the DHCP relay agent on an interface

(Required.) Specifying DHCP servers on a relay agent

(Optional.) Configuring the DHCP relay agent security features

(Optional.) Configuring the DHCP relay agent to release an IP address

(Optional.) Configuring Option 82

(Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent

(Optional.) Configuring a DHCP address pool on the DHCP relay agent

(Optional.) Configuring the DHCP smart relay feature

 

Enabling DHCP

You must enable DHCP for other DHCP relay agent settings to take effect.

To enable DHCP:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Enable DHCP.
    Command: dhcp enable
    Remarks: By default, DHCP is disabled.

 

Enabling the DHCP relay agent on an interface

With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server.

An IP address pool that contains the IP address of the DHCP relay interface must be configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP addresses.

To enable the DHCP relay agent on an interface:

 

1.  Enter system view.
    Command: system-view
    Remarks: N/A
2.  Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3.  Enable the DHCP relay agent.
    Command: dhcp select relay
    Remarks: By default, when DHCP is enabled, an interface operates in the DHCP server mode.

 

Specifying DHCP servers on a relay agent

To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers.

Follow these guidelines when you specify a DHCP server address on a relay agent:

·          The IP address of any specified DHCP server must not reside on the same subnet as the IP address of the relay interface. Otherwise, the clients might fail to obtain IP addresses.

·          You can specify a maximum of eight DHCP servers.

To specify a DHCP server address on a relay agent:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Specify a DHCP server address on the relay agent.

dhcp relay server-address ip-address

By default, no DHCP server address is specified on the relay agent.

 

Configuring the DHCP relay agent security features

Enabling the DHCP relay agent to record relay entries

Perform this task to enable the DHCP relay agent to automatically record clients' IP-to-MAC bindings (relay entries) after they obtain IP addresses through DHCP.

Some security features use the relay entries to check incoming packets and block packets that do not match any entry. In this way, illegal hosts are not able to access external networks through the relay agent. Examples of the security features are ARP address check, authorized ARP, and IP source guard.

To enable the DHCP relay agent to record relay entries:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the relay agent to record relay entries.

dhcp relay client-information record

By default, the relay agent does not record relay entries.

 

Enabling periodic refresh of dynamic relay entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.

With this feature, the DHCP relay agent uses the IP address of a relay entry to periodically send a DHCP-REQUEST message to the DHCP server.

The relay agent maintains the relay entries depending on what it receives from the DHCP server:

·          If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address.

·          If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.

To enable periodic refresh of dynamic relay entries:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable periodic refresh of dynamic relay entries.

dhcp relay client-information refresh enable

By default, periodic refresh of dynamic relay entries is enabled.

3.       Set the refresh interval.

dhcp relay client-information refresh [ auto | interval interval ]

By default, the refresh interval is auto, which is calculated based on the number of total relay entries.

 

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.

·          To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:

○  Limit the number of ARP entries that a Layer 3 interface can learn.

○  Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when the MAC learning limit is reached.

·          To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.

Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them.
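The comparison that MAC address check performs, as an added Python example (not H3C code): it parses an Ethernet frame that carries a DHCP request and compares the frame's source MAC address with the chaddr field. The sample frames are constructed, and the "relayed" verdict for requests whose giaddr is already set is an assumption of this example, used to show why the check belongs only on the relay agent directly connected to the clients.

```python
import struct
from collections import defaultdict

BOOTREQUEST = 1
DHCP_SERVER_PORT = 67
BOOTP_FIXED_LEN = 236        # op .. file, before the magic cookie
NO_GIADDR = bytes(4)


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_request(frame: bytes):
    """Return (src_mac, chaddr, giaddr) for a DHCP request frame, else None."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:       # one 802.1Q tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != 0x0800:
        return None
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:  # IPv4 carrying UDP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    if ihl < 20 or len(udp) < 8:
        return None
    dport = struct.unpack("!H", udp[2:4])[0]
    bootp = udp[8:]
    if dport != DHCP_SERVER_PORT or len(bootp) < BOOTP_FIXED_LEN:
        return None
    if bootp[0] != BOOTREQUEST or bootp[1] != 1 or bootp[2] != 6:
        return None                                     # not an Ethernet client request
    # giaddr is bytes 24..27 and chaddr starts at byte 28 of the BOOTP header.
    return src_mac, bootp[28:34], bootp[24:28]


def mac_check(frame: bytes) -> str:
    """Verdict for one frame: forward, discard, relayed or not-dhcp-request."""
    parsed = parse_request(frame)
    if parsed is None:
        return "not-dhcp-request"
    src_mac, chaddr, giaddr = parsed
    if giaddr != NO_GIADDR:
        # Assumption of this example: an upstream relay already rewrote the
        # source MAC, so comparing it with chaddr is meaningless here.
        return "relayed"
    return "forward" if src_mac == chaddr else "discard"


def discarded_by_source(frames):
    """Map each source MAC to the sorted chaddr values of its failed requests."""
    hits = defaultdict(set)
    for frame in frames:
        if mac_check(frame) == "discard":
            src_mac, chaddr, _ = parse_request(frame)
            hits[fmt_mac(src_mac)].add(fmt_mac(chaddr))
    return {src: sorted(values) for src, values in hits.items()}


def build_frame(src_mac: bytes, chaddr: bytes, giaddr: bytes = NO_GIADDR) -> bytes:
    """Build a constructed DHCP-DISCOVER frame for testing (checksums left 0)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), giaddr, chaddr, b"", b"")
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


# Constructed sample traffic (locally administered MAC addresses).
HOST = bytes.fromhex("020000000001")
RELAY = bytes.fromhex("0200000000fe")
SAMPLE_FRAMES = [
    build_frame(HOST, HOST),                                   # chaddr matches
    build_frame(HOST, bytes.fromhex("02aa00000001")),          # chaddr differs
    build_frame(HOST, bytes.fromhex("02aa00000002")),          # chaddr differs
    build_frame(RELAY, bytes.fromhex("020000000002"),
                giaddr=bytes([10, 1, 1, 254])),                # already relayed
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(mac_check(frame))
    print(discarded_by_source(SAMPLE_FRAMES))
```
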

A MAC address check entry has an aging time. When the aging time expires, both of the following occur:

·          The entry ages out.

·          The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.

To enable MAC address check:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the aging time for MAC address check entries.

dhcp relay check mac-address aging-time time

The default aging time is 30 seconds.

This command takes effect only after you execute the dhcp relay check mac-address command.

3.       Enter the interface view.

interface interface-type interface-number

N/A

4.       Enable MAC address check.

dhcp relay check mac-address

By default, MAC address check is disabled.

 

Configuring the DHCP relay agent to release an IP address

Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and deletes the relay entry at the same time. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.

To configure the DHCP relay agent to release an IP address:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the DHCP relay agent to release an IP address.

dhcp relay release ip ip-address [ vpn-instance vpn-instance-name ]

This command can release only the IP addresses in the recorded relay entries.

 

Configuring Option 82

Follow these guidelines when you configure Option 82:

·          To support Option 82, you must perform related configuration on both the DHCP server and relay agent. For DHCP server Option 82 configuration, see "Enabling handling of Option 82."

·          If the handling strategy is replace, configure a padding mode and a padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure a padding mode or padding format for Option 82.

·          The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP relay agent will fail to add or replace Option 82.

To configure Option 82:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable the relay agent to handle Option 82.

dhcp relay information enable

By default, handling of Option 82 is disabled.

4.       (Optional.) Configure the strategy for handling DHCP requests that contain Option 82.

dhcp relay information strategy { drop | keep | replace }

By default, the handling strategy is replace.

5.       (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.

dhcp relay information circuit-id { bas | string circuit-id | vxlan-port | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] [ interface ] } [ format { ascii | hex } ] }

By default, the padding mode for Circuit ID sub-option is normal, and the padding format is hex.

6.       (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.

dhcp relay information remote-id { normal [ format { ascii | hex } ] | string remote-id | sysname }

By default, the padding mode for the Remote ID sub-option is normal, and the padding format is hex.

 

Setting the DSCP value for DHCP packets sent by the DHCP relay agent

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP relay agent:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the DSCP value for DHCP packets sent by the DHCP relay agent.

dhcp dscp dscp-value

By default, the DSCP value in DHCP packets sent by the DHCP relay agent is 56.

 

Configuring a DHCP address pool on the DHCP relay agent

This feature allows DHCP clients of the same type to obtain IP addresses and other configuration parameters from the DHCP servers specified in the matching DHCP address pool.

It applies to scenarios where the DHCP relay agent connects to clients of the same access type but classified into different types by their locations. In this case, the relay interface typically has no IP address configured. You can use the gateway-list command to specify gateway addresses for clients matching the same DHCP address pool and bind the gateway addresses to the device's MAC address.

Upon receiving a DHCP DISCOVER or REQUEST from a client that matches a DHCP address pool, the relay agent processes the packet as follows:

·          Fills the giaddr field of the packet with a specified gateway address.

·          Forwards the packet to all DHCP servers in the matching DHCP address pool.

The DHCP servers select a DHCP address pool according to the gateway address.

To configure a DHCP address pool on the DHCP relay agent:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pools exist.

3.       Specify gateway addresses for the clients matching the DHCP address pool.

gateway-list ip-address&<1-64>

By default, no gateway address is specified.

4.       Specify DHCP servers for the DHCP address pool.

remote-server ip-address&<1-8>

By default, no DHCP server is specified for the DHCP address pool.

You can specify a maximum of eight DHCP servers for one DHCP address pool for high availability. The relay agent forwards DHCP DISCOVER and REQUEST packets to all DHCP servers in the DHCP address pool.

 

Configuring the DHCP smart relay feature

The DHCP smart relay feature allows the DHCP relay agent to insert secondary IP addresses when the DHCP server does not reply with a DHCP-OFFER message.

The relay agent initially inserts its primary IP address in the giaddr field before forwarding a request to the DHCP server. If no DHCP-OFFER is received, the relay agent allows the client to send a maximum of two requests to the DHCP server by using the primary IP address. If no DHCP-OFFER is returned after two retries, the relay agent switches to a secondary IP address. If the DHCP server still does not respond, the next secondary IP address is used. After the secondary IP addresses are all tried and the DHCP server does not respond, the relay agent repeats the process by starting from the primary IP address.

Without this feature, the relay agent only inserts the primary IP address in the giaddr field of all requests.

On a relay agent where DHCP address pools and gateway addresses are configured, the smart relay feature starts the process from the first gateway address. For more information, see "Configuring a DHCP address pool on the DHCP relay agent."

To configure the DHCP smart relay feature for a common network:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable the DHCP relay agent.

dhcp select relay

By default, an interface operates in the DHCP server mode when DHCP is enabled.

4.       Assign primary and secondary IP addresses to the DHCP relay agent.

ip address ip-address { mask-length | mask } [ sub ]

By default, the DHCP relay agent does not have any IP addresses.

5.       Return to system view.

quit

N/A

6.       Enable the DHCP smart relay feature.

dhcp smart-relay enable

By default, the DHCP smart relay feature is disabled.

 

To configure the DHCP smart relay feature for a network with DHCP address pools:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable the DHCP relay agent.

dhcp select relay

By default, an interface operates in the DHCP server mode when DHCP is enabled.

4.       Return to system view.

quit

N/A

5.       Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

6.       Specify gateway addresses for the clients matching the DHCP address pool.

gateway-list ip-address&<1-64>

By default, the DHCP address pool does not have any gateway addresses.

7.       Specify DHCP servers for the DHCP address pool.

remote-server ip-address&<1-8>

By default, the DHCP address pool does not have any DHCP server IP addresses.

You can specify a maximum of eight DHCP servers for one DHCP address pool for high availability. The relay agent forwards DHCP-DISCOVER and DHCP-REQUEST packets to all DHCP servers in the DHCP address pool.

8.       Return to system view.

quit

N/A

9.       Enable the DHCP smart relay feature.

dhcp smart-relay enable

By default, the DHCP smart relay feature is disabled.

 

Displaying and maintaining the DHCP relay agent

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about DHCP servers on an interface.

display dhcp relay server-address [ interface interface-type interface-number ]

Display Option 82 configuration information on the DHCP relay agent.

display dhcp relay information [ interface interface-type interface-number ]

Display relay entries on the DHCP relay agent.

display dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Display packet statistics on the DHCP relay agent.

display dhcp relay statistics [ interface interface-type interface-number ]

Display MAC address check entries on the DHCP relay agent.

display dhcp relay check mac-address

Clear relay entries on the DHCP relay agent.

reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Clear packet statistics on the DHCP relay agent.

reset dhcp relay statistics [ interface interface-type interface-number ]

 

DHCP relay agent configuration examples

DHCP relay agent configuration example

Network requirements

As shown in Figure 24, configure the DHCP relay agent on Switch A. The DHCP relay agent enables DHCP clients to obtain IP addresses and other configuration parameters from the DHCP server on another subnet.

The DHCP relay agent and server are on different subnets. Configure static or dynamic routing to make them reachable to each other.

Perform the configuration on the DHCP server to guarantee the client-server communication. For DHCP server configuration information, see "DHCP server configuration examples."

Figure 24 Network diagram

 

Configuration procedure

# Specify IP addresses for the interfaces. (Details not shown.)

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Enable the DHCP relay agent on VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] dhcp select relay

# Specify the IP address of the DHCP server on the relay agent.

[SwitchA-Vlan-interface10] dhcp relay server-address 10.1.1.1

Verifying the configuration

# Verify that DHCP clients can obtain IP addresses and all other network parameters from the DHCP server through the DHCP relay agent. (Details not shown.)

# Display the statistics of DHCP packets forwarded by the DHCP relay agent.

[SwitchA] display dhcp relay statistics

# Display relay entries if you have enabled relay entry recording on the DHCP relay agent.

[SwitchA] display dhcp relay client-information

Option 82 configuration example

Network requirements

As shown in Figure 24, the DHCP relay agent (Switch A) replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Switch B).

·          The Circuit ID sub-option is company001.

·          The Remote ID sub-option is device001.

To use Option 82, you must also enable the DHCP server to handle Option 82.

Configuration procedure

# Specify IP addresses for the interfaces. (Details not shown.)

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Enable the DHCP relay agent on VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] dhcp select relay

# Specify the IP address of the DHCP server.

[SwitchA-Vlan-interface10] dhcp relay server-address 10.1.1.1

# Configure the handling strategies and padding content of Option 82.

[SwitchA-Vlan-interface10] dhcp relay information enable

[SwitchA-Vlan-interface10] dhcp relay information strategy replace

[SwitchA-Vlan-interface10] dhcp relay information circuit-id string company001

[SwitchA-Vlan-interface10] dhcp relay information remote-id string device001
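The drop, keep and replace strategies applied to a request's option field, as an added Python example (not H3C code) that uses the company001 and device001 strings from this configuration. It assumes the plain RFC 3046 sub-option encoding with each string carried as ASCII bytes; the padding a device actually emits can differ, and the sample option bytes are constructed.

```python
PAD, END, RELAY_AGENT_INFO = 0, 255, 82
CIRCUIT_ID, REMOTE_ID = 1, 2
STRATEGIES = ("drop", "keep", "replace")


def parse_options(data: bytes):
    """Split a DHCP option field into (code, value) pairs, stopping at END."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        length = data[i + 1]
        opts.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def encode_options(opts) -> bytes:
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    out.append(END)
    return bytes(out)


def build_option82(circuit_id: str, remote_id: str) -> bytes:
    """Option 82 payload: sub-option 1 (Circuit ID) then sub-option 2 (Remote ID)."""
    payload = b""
    for sub_code, text in ((CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)):
        raw = text.encode("ascii")
        payload += bytes([sub_code, len(raw)]) + raw
    return payload


def handle_request(options: bytes, strategy: str, local82: bytes):
    """Return the option bytes to forward, or None when the request is dropped."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    opts = parse_options(options)
    if any(code == RELAY_AGENT_INFO for code, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return options
        # replace: discard whatever Option 82 arrived with the request
        opts = [(code, value) for code, value in opts if code != RELAY_AGENT_INFO]
    # No Option 82 (or replace): append the locally built option before END.
    opts.append((RELAY_AGENT_INFO, local82))
    return encode_options(opts)


def option82_subs(options: bytes) -> dict:
    """Return {sub-option code: value} for the Option 82 found in an option field."""
    subs = {}
    for code, value in parse_options(options):
        if code != RELAY_AGENT_INFO:
            continue
        i = 0
        while i + 2 <= len(value):
            subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
            i += 2 + value[i + 1]
    return subs


# Constructed inputs: a DHCP-REQUEST without Option 82, and one that already
# carries an Option 82 whose Circuit ID is the string "fake".
LOCAL82 = build_option82("company001", "device001")
PLAIN_REQUEST = bytes([53, 1, 3, END])
TAGGED_REQUEST = bytes([53, 1, 3, RELAY_AGENT_INFO, 6, CIRCUIT_ID, 4]) + b"fake" + bytes([END])

if __name__ == "__main__":
    for name, request in (("plain", PLAIN_REQUEST), ("tagged", TAGGED_REQUEST)):
        for strategy in STRATEGIES:
            result = handle_request(request, strategy, LOCAL82)
            print(name, strategy, None if result is None else option82_subs(result))
```

With the replace strategy, an Option 82 supplied from the client side never reaches the DHCP server; with keep, it is forwarded as received.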

Troubleshooting DHCP relay agent configuration

Symptom

DHCP clients cannot obtain configuration parameters through the DHCP relay agent.

Analysis

Some problems might occur with the DHCP relay agent or server configuration.

Solution

To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.

Check that:

·          DHCP is enabled on the DHCP server and relay agent.

·          The DHCP server has an address pool on the same subnet as the DHCP clients.

·          The DHCP server and DHCP relay agent can reach each other.

·          The DHCP server address specified on the DHCP relay interface connected to the DHCP clients is correct.


Configuring the DHCP client

With the DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address.

The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.

Enabling the DHCP client on an interface

Follow these guidelines when you enable the DHCP client on an interface:

·          If the number of IP address request failures reaches the system-defined amount, the DHCP client-enabled interface uses a default IP address.

·          An interface can be configured to acquire an IP address in multiple ways. The new configuration overwrites the old.

·          Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client.

·          If the interface obtains an IP address on the same segment as another interface on the device, the interface does not use the assigned address. Instead, it requests a new IP address from the DHCP server.

To enable the DHCP client on an interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Configure an interface to use DHCP for IP address acquisition.

ip address dhcp-alloc

By default, an interface does not use DHCP for IP address acquisition.

 

Configuring a DHCP client ID for an interface

A DHCP client ID is added to the DHCP option 61. A DHCP server can specify IP addresses for clients based on the DHCP client ID.

Make sure the IDs for different DHCP clients are unique.

To configure a DHCP client ID for an interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Configure a DHCP client ID for the interface.

dhcp client identifier { ascii ascii-string | hex hex-string | mac interface-type interface-number }

By default, an interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID.

4.       Verify the client ID configuration.

display dhcp client [ verbose ] [ interface interface-type interface-number ]

A DHCP client ID includes an ID type and a type value. Each ID type has a fixed type value. You can check the fields for the client ID to verify which type of client ID is used:

·         If an ASCII string is used as the client ID, the type value is 00.

·         If a hexadecimal number is used as the client ID, the type value is the first two characters in the number.

·         If the MAC address of an interface is used as the client ID, the type value is 01.

 

Enabling duplicated address detection

The DHCP client detects IP address conflicts through ARP packets. An attacker can pose as the owner of the IP address and send an ARP reply. This spoofing attack makes the client unable to use the IP address assigned by the server. As a best practice, disable duplicate address detection when ARP attacks exist on the network.

To enable duplicated address detection:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable duplicate address detection.

dhcp client dad enable

By default, the duplicate address detection feature is enabled on an interface.

 

Setting the DSCP value for DHCP packets sent by the DHCP client

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP client:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the DSCP value for DHCP packets sent by the DHCP client.

dhcp client dscp dscp-value

By default, the DSCP value in DHCP packets sent by the DHCP client is 56.

 

Displaying and maintaining the DHCP client

Execute display commands in any view.

 

Task

Command

Display DHCP client information.

display dhcp client [ verbose ] [ interface interface-type interface-number ]

 

DHCP client configuration example

Network requirements

As shown in Figure 26, on a LAN, Switch B contacts the DHCP server through VLAN-interface 2 to obtain an IP address, a DNS server address, and static route information. The DHCP client's IP address resides on subnet 10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to subnet 20.1.1.0/24 is 10.1.1.2.

The DHCP server uses Option 121 to assign static route information to DHCP clients. Figure 25 shows the Option 121 format. The destination descriptor field contains the following parts: subnet mask length and destination network address, both in hexadecimal notation. In this example, the destination descriptor is 18 14 01 01 (the subnet mask length is 24 and the network address is 20.1.1.0 in dotted decimal notation). The next hop address is 0A 01 01 02 (10.1.1.2 in dotted decimal notation).

Figure 25 Option 121 format
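An encoder and decoder for the Option 121 value described above, as an added Python example (not H3C code). It generalizes the page's single /24 route to any prefix length by following the RFC 3442 rule that only the significant octets of the destination are carried; the function names are this example's own, and the decoder is useful for checking which routes a server pushes to clients.

```python
import ipaddress


def encode_option121(routes) -> bytes:
    """Encode [(destination CIDR, next hop), ...] as an Option 121 value."""
    out = bytearray()
    for dest, next_hop in routes:
        net = ipaddress.IPv4Network(dest)            # rejects host bits and IPv6
        significant = (net.prefixlen + 7) // 8       # octets that carry prefix bits
        out.append(net.prefixlen)                    # subnet mask length
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(next_hop).packed
    return bytes(out)


def decode_option121(data: bytes):
    """Decode an Option 121 value into [(destination CIDR, next hop), ...]."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"invalid mask length {width}")
        significant = (width + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError("truncated Option 121 route")
        # Pad the significant octets back out to a full 4-byte address.
        dest = data[i + 1:i + 1 + significant] + bytes(4 - significant)
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), width), strict=False)
        hop = ipaddress.IPv4Address(data[i + 1 + significant:end])
        routes.append((str(net), str(hop)))
        i = end
    return routes


def hex_for_cli(data: bytes) -> str:
    """Format bytes the way the 'option 121 hex' command in this guide writes them."""
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    value = encode_option121([("20.1.1.0/24", "10.1.1.2")])
    print(hex_for_cli(value))
    print(decode_option121(value))
    # A /25 needs four destination octets; a default route needs none.
    print(hex_for_cli(encode_option121([("10.17.0.128/25", "10.1.1.2")])))
    print(hex_for_cli(encode_option121([("0.0.0.0/0", "10.1.1.2")])))
```
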

 

Figure 26 Network diagram

 

Configuration procedure

1.        Configure Switch A:

# Specify an IP address for VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 10.1.1.1 24

[SwitchA-Vlan-interface2] quit

# Enable DHCP.

[SwitchA] dhcp enable

# Exclude an IP address from dynamic allocation.

[SwitchA] dhcp server forbidden-ip 10.1.1.2

# Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.

[SwitchA] dhcp server ip-pool 0

[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

[SwitchA-dhcp-pool-0] expired day 10

[SwitchA-dhcp-pool-0] dns-list 20.1.1.1

[SwitchA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02

2.        Configure Switch B:

# Configure VLAN-interface 2 to use DHCP for IP address acquisition.

<SwitchB> system-view

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address dhcp-alloc

[SwitchB-Vlan-interface2] quit

Verifying the configuration

# Display the IP address and other network parameters assigned to Switch B.

[SwitchB-Vlan-interface2] display dhcp client verbose

Vlan-interface2 DHCP client information:

 Current state: BOUND

 Allocated IP: 10.1.1.3 255.255.255.0

 Allocated lease: 864000 seconds, T1: 331858 seconds, T2: 756000 seconds

 Lease from May 21 19:00:29 2012   to   May 31 19:00:29 2012

 DHCP server: 10.1.1.1

 Transaction ID: 0xcde72232

 Classless static routes:

   Destination: 20.1.1.0, Mask: 255.255.255.0, NextHop: 10.1.1.2

 DNS servers: 20.1.1.1

 Client ID type: acsii(type value=00)

 Client ID value: 000c.29d3.8659-Vlan2

 Client ID (with type) hex: 0030-3030-632e-3239-

                            6433-2e38-3635-392d-

                            4574-6830-2f30-2f32

 T1 will timeout in 3 days 19 hours 48 minutes 43 seconds

# Display the route information on Switch B. The output shows that a static route to subnet 20.1.1.0/24 is added to the routing table.

[SwitchB] display ip routing-table

 

Destinations : 11        Routes : 11

 

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

10.1.1.0/24         Direct 0    0            10.1.1.3        Vlan2

10.1.1.3/32         Direct 0    0            127.0.0.1       InLoop0

20.1.1.0/24         Static 70   0            10.1.1.2        Vlan2

10.1.1.255/32       Direct 0    0            10.1.1.3        Vlan2

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/32        Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

127.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0

224.0.0.0/4         Direct 0    0            0.0.0.0         NULL0

224.0.0.0/24        Direct 0    0            0.0.0.0         NULL0

255.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0


Configuring DHCP snooping

Overview

DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.

DHCP snooping does not work between the DHCP server and DHCP relay agent.

DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers.

·          Trusted—A trusted port can forward DHCP messages correctly to make sure the clients get IP addresses from authorized DHCP servers.

·          Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses.

DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN.

The following features need to use DHCP snooping entries:

·          ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information, see "Configuring ARP fast-reply."

·          ARP attack detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.

·          IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.

·          VLAN mapping—Uses DHCP snooping entries to replace service provider VLAN in packets with customer VLAN before sending the packets to clients. For more information, see Layer 2—LAN Switching Configuration Guide.

Application of trusted and untrusted ports

Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports.

As shown in Figure 27, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.

Figure 27 Trusted and untrusted ports

 

In a cascaded network as shown in Figure 28, configure the DHCP snooping devices' ports facing the DHCP server as trusted ports. To save system resources, you can enable only the untrusted ports directly connected to the DHCP clients to record DHCP snooping entries.

Figure 28 Trusted and untrusted ports in a cascaded network

DHCP snooping support for Option 82

Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes. For more information about Option 82, see "Relay agent option (Option 82)."

DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages, as shown in Table 5. If a response returned by the DHCP server contains Option 82, DHCP snooping removes Option 82 before forwarding the response to the client. If the response contains no Option 82, DHCP snooping forwards it directly.

Table 5 Handling strategies

| If a DHCP request has… | Handling strategy | DHCP snooping… |
|---|---|---|
| Option 82 | Drop | Drops the message. |
| Option 82 | Keep | Forwards the message without changing Option 82. |
| Option 82 | Replace | Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type. |
| No Option 82 | N/A | Forwards the message after adding the Option 82 padded according to the configured padding format, padding content, and code type. |

 

DHCP snooping configuration task list

The DHCP snooping configuration does not take effect on a Layer 2 Ethernet interface that is an aggregation member port. The configuration takes effect when the interface leaves the aggregation group.

 

Tasks at a glance

(Required.) Configuring basic DHCP snooping

(Optional.) Configuring Option 82

(Optional.) Configuring DHCP snooping entry auto backup

(Optional.) Enabling DHCP starvation attack protection

(Optional.) Enabling DHCP-REQUEST attack protection

(Optional.) Setting the maximum number of DHCP snooping entries

(Optional.) Configuring DHCP packet rate limit

 

Configuring basic DHCP snooping

Follow these guidelines when you configure basic DHCP snooping:

·          Specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.

·          You can specify the following interfaces as trusted ports: Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, Layer 3 Ethernet interfaces, and Layer 3 aggregate interfaces. For more information about aggregate interfaces, see Layer 2—LAN Switching Configuration Guide.

·          The DHCP snooping configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.

To configure basic DHCP snooping:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable DHCP snooping.

dhcp snooping enable

By default, DHCP snooping is disabled.

3.       Enter interface view.

interface interface-type interface-number

This interface must connect to the DHCP server.

4.       Specify the port as a trusted port.

dhcp snooping trust

By default, all ports are untrusted ports after DHCP snooping is enabled.

5.       Return to system view.

quit

N/A

6.       Enter interface view.

interface interface-type interface-number

This interface must connect to the DHCP client.

7.       (Optional.) Enable the recording of DHCP snooping entries.

dhcp snooping binding record

By default, the recording of DHCP snooping entries is disabled.

 

Configuring Option 82

Follow these guidelines when you configure Option 82:

·          The Option 82 configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.

·          To support Option 82, you must configure Option 82 on both the DHCP server and the DHCP snooping device. For information about configuring Option 82 on the DHCP server, see "Enabling handling of Option 82."

·          If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82. The settings do not take effect even if you configure them.

·          If Option 82 contains the device name, the device name must contain no spaces. Otherwise, DHCP snooping drops the message. You can use the sysname command to specify the device name. For more information about this command, see Fundamentals Command Reference.

·          In verbose mode, DHCP snooping pads the VLAN ID field of sub-option 1 in the format of outer VLAN tag.inner VLAN tag if a DHCP packet contains two VLAN tags.

For example, if the outer VLAN tag is 10 and the inner VLAN tag is 20, the VLAN ID field is 000a.0014. The hexadecimal value 000a represents the outer VLAN tag 10, and the hexadecimal value 0014 represents the inner VLAN tag 20.

·          The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP snooping device will fail to add or replace Option 82.

To configure DHCP snooping to support Option 82:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable DHCP snooping to support Option 82.

dhcp snooping information enable

By default, DHCP snooping does not support Option 82.

4.       (Optional.) Configure a handling strategy for DHCP requests that contain Option 82.

dhcp snooping information strategy { drop | keep | replace }

By default, the handling strategy is replace.

5.       (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.

dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }

By default, the padding mode is normal and the padding format is hex for the Circuit ID sub-option.

6.       (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.

dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] string remote-id | sysname }

By default, the padding mode is normal and the padding format is hex for the Remote ID sub-option.
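How the three handling strategies act on the options field of a client request, shown as an added Python example that is not H3C code. It uses the RFC 3046 sub-option layout with the string padding values company001 and device001 from this guide's Option 82 configuration example, and it assumes that a request arriving without Option 82 gets the device's Option 82 added under any strategy. The sample option bytes are constructed.

```python
RELAY_AGENT_INFO = 82                    # DHCP option 82 (RFC 3046)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2     # sub-option codes (RFC 3046)
PAD, END = 0, 255


def parse_options(raw):
    """Split a DHCP options field into [(code, value), ...]."""
    options, i = [], 0
    while i < len(raw) and raw[i] != END:
        if raw[i] == PAD:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated DHCP option")
        options.append((raw[i], raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return options


def encode_options(options):
    return b"".join(bytes([c, len(v)]) + v for c, v in options) + bytes([END])


def build_option82(circuit_id, remote_id):
    """String padding mode: sub-option 1 = Circuit ID, sub-option 2 = Remote ID."""
    value = b""
    for code, text in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        data = text.encode("ascii")
        value += bytes([code, len(data)]) + data
    if len(value) > 255:
        raise ValueError("Option 82 value does not fit in one option")
    return value


def suboptions(value):
    """Decode an Option 82 value into {sub-option code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated sub-option")
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    return subs


def snoop_request(raw_options, strategy, circuit_id, remote_id):
    """Return the options field to forward, or None when the request is dropped."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("unknown strategy")
    options = parse_options(raw_options)
    has_82 = any(code == RELAY_AGENT_INFO for code, _ in options)
    if has_82 and strategy == "drop":
        return None                      # request is discarded
    if has_82 and strategy == "keep":
        return raw_options               # downstream Option 82 forwarded unchanged
    # replace, or no Option 82 present (assumption: the device adds its own)
    rest = [(c, v) for c, v in options if c != RELAY_AGENT_INFO]
    own = (RELAY_AGENT_INFO, build_option82(circuit_id, remote_id))
    return encode_options(rest + [own])


if __name__ == "__main__":
    # Constructed request that already carries an Option 82 set downstream.
    tagged = encode_options([(53, b"\x03"),
                             (RELAY_AGENT_INFO, build_option82("client-set", "client-set"))])
    for strategy in ("drop", "keep", "replace"):
        out = snoop_request(tagged, strategy, "company001", "device001")
        shown = None if out is None else suboptions(dict(parse_options(out))[82])
        print(strategy, shown)
```

With keep, whatever identifiers the downstream sender supplied reach the DHCP server unchanged, so a server policy keyed on Circuit ID or Remote ID should only trust them when the strategy is replace.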

 

Configuring DHCP snooping entry auto backup

The auto backup feature saves DHCP snooping entries to a backup file and allows the DHCP snooping device to download the entries from the backup file when the device reboots. Without a backup, the entries on the DHCP snooping device do not survive a reboot. Auto backup keeps security features that must use DHCP snooping entries for user authentication (such as IP source guard) working after a reboot.

 

 

NOTE:

If you disable DHCP snooping with the undo dhcp snooping enable command, the device deletes all DHCP snooping entries, including those stored in the backup file.

 

To save DHCP snooping entries:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the DHCP snooping device to back up DHCP snooping entries to a file.

dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

By default, the DHCP snooping device does not back up DHCP snooping entries.

With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup.

This command automatically creates the file if you specify a non-existent file.

3.       (Optional.) Manually save DHCP snooping entries to the backup file.

dhcp snooping binding database update now

N/A

4.       (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP snooping device to update the backup file.

dhcp snooping binding database update interval interval

The default waiting time is 300 seconds.

When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the specified waiting period is reached. All changed entries during the period will be saved to the backup file.

If no DHCP snooping entry changes, the backup file is not updated.

 

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so that legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because its system resources are exhausted. For information about the fields of a DHCP packet, see "DHCP message format."

You can prevent DHCP starvation attacks in the following ways:

·          If the forged DHCP requests contain different sender MAC addresses, use the mac-address max-mac-count command to set the MAC learning limit on a Layer 2 port. For more information about the command, see Layer 2—LAN Switching Command Reference.

·          If the forged DHCP requests contain the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This feature compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

To enable MAC address check:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable MAC address check.

dhcp snooping check mac-address

By default, MAC address check is disabled.

 

Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents unauthorized clients from attacking the DHCP server with forged DHCP-REQUEST messages.

Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages prevent the victim DHCP server from releasing the IP addresses.

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses.

To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.

·          If a matching entry is found for a message, this feature compares the entry with the message information.

◦  If they are consistent, the message is considered valid and forwarded to the DHCP server.

◦  If they are different, the message is considered a forged message and is discarded.

·          If no matching entry is found, the message is considered valid and forwarded to the DHCP server.

To enable DHCP-REQUEST check:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable DHCP-REQUEST check.

dhcp snooping check request-message

By default, DHCP-REQUEST check is disabled.
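The MAC address check from the starvation section and the DHCP-REQUEST check above, applied to constructed frames in an added Python example that is not H3C code. The page does not name the fields that the DHCP-REQUEST check compares, so this sketch assumes the snooping entry is looked up by client MAC and compared on IP address and ingress interface; it handles untagged IPv4 frames only, and all MAC addresses, IP addresses and entries are constructed.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
REQUEST, DECLINE, RELEASE = 3, 4, 7    # option 53 message types (RFC 2132)


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, chaddr, msg_type, ciaddr="0.0.0.0", requested_ip=None):
    """Constructed untagged Ethernet/IPv4/UDP/DHCP client frame (checksums left 0)."""
    opts = bytes([53, 1, msg_type])
    if requested_ip:
        opts += bytes([50, 4]) + socket.inet_aton(requested_ip)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                        socket.inet_aton(ciaddr), bytes(4), bytes(4), bytes(4),
                        mac(chaddr), b"", b"")
    payload = bootp + MAGIC + opts + b"\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + mac(src_mac) + b"\x08\x00" + ip + udp


def parse_dhcp(frame):
    """Return the fields both checks need, or None if not a DHCP client message."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4
    bootp = frame[udp + 8:]
    if len(bootp) < 240 or frame[udp + 2:udp + 4] != b"\x00\x43":
        return None                            # too short, or not sent to UDP port 67
    if bootp[236:240] != MAGIC or bootp[2] > 16:
        return None
    f = {"src_mac": frame[6:12], "chaddr": bootp[28:28 + bootp[2]],
         "ciaddr": socket.inet_ntoa(bootp[12:16]), "type": None, "requested": None}
    i = 240
    while i < len(bootp) and bootp[i] != 255:
        if bootp[i] == 0:                      # pad option
            i += 1
            continue
        if i + 1 >= len(bootp):
            return None
        code, length = bootp[i], bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if len(value) != length:               # truncated option: refuse to guess
            return None
        if code == 53 and length == 1:
            f["type"] = value[0]
        elif code == 50 and length == 4:
            f["requested"] = socket.inet_ntoa(value)
        i += 2 + length
    return f


def mac_address_check(f):
    """dhcp snooping check mac-address: chaddr must equal the frame's source MAC."""
    return f["chaddr"] == f["src_mac"]


def request_message_check(f, in_port, bindings):
    """dhcp snooping check request-message, following the rules listed above."""
    if f["type"] not in (REQUEST, DECLINE, RELEASE):
        return True
    entry = bindings.get(f["chaddr"])          # assumption: entry matched by client MAC
    if entry is None:
        return True                            # no matching entry: forwarded
    claimed = f["requested"] if f["ciaddr"] == "0.0.0.0" else f["ciaddr"]
    return (claimed, in_port) == (entry["ip"], entry["port"])


def snoop(frame, in_port, bindings):
    f = parse_dhcp(frame)
    if f is None:
        return "not-dhcp"
    if not mac_address_check(f):
        return "drop: chaddr differs from source MAC"
    if not request_message_check(f, in_port, bindings):
        return "drop: conflicts with snooping entry"
    return "forward"


CLIENT, OTHER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"        # constructed MACs
BINDINGS = {mac(CLIENT): {"ip": "10.1.1.5", "port": "HundredGigE1/0/2"}}  # constructed

if __name__ == "__main__":
    cases = [("renewal from bound port", CLIENT, CLIENT, REQUEST, "HundredGigE1/0/2"),
             ("release, chaddr mismatch", OTHER, CLIENT, RELEASE, "HundredGigE1/0/3"),
             ("release from another port", CLIENT, CLIENT, RELEASE, "HundredGigE1/0/3")]
    for label, src, chaddr, kind, port in cases:
        frame = build_frame(src, chaddr, kind, ciaddr="10.1.1.5")
        print(label, "->", snoop(frame, port, BINDINGS))
```

The third case passes the MAC address check because the frame's source MAC matches chaddr, which is why the two checks are enabled together on client-facing ports.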

 

Setting the maximum number of DHCP snooping entries

Perform this task to prevent the system resources from being overused.

To set the maximum number of DHCP snooping entries:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Set the maximum number of DHCP snooping entries for the interface to learn.

dhcp snooping max-learning-num max-number

By default, the number of DHCP snooping entries for an interface to learn is unlimited.

 

Configuring DHCP packet rate limit

Perform this task to set the maximum rate at which an interface can receive DHCP packets. This feature discards DHCP packets that exceed the rate limit to prevent attacks that send large numbers of DHCP packets.

To configure DHCP packet rate limit:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Set the maximum rate at which the interface can receive DHCP packets.

dhcp snooping rate-limit rate

By default, incoming DHCP packets are not rate limited.

The rate set on the Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate set in its Ethernet interface view.

 

Displaying and maintaining DHCP snooping

Execute display commands in any view, and reset commands in user view.

 

Task

Command

Remarks

Display DHCP snooping entries.

display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ] [ verbose ]

Available in any view.

Display Option 82 configuration information on the DHCP snooping device.

display dhcp snooping information { all | interface interface-type interface-number }

Available in any view.

(In standalone mode.) Display DHCP packet statistics on the DHCP snooping device.

display dhcp snooping packet statistics [ slot slot-number ]

Available in any view.

(In IRF mode.) Display DHCP packet statistics on the DHCP snooping device.

display dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

Available in any view.

Display information about trusted ports.

display dhcp snooping trust

Available in any view.

Display information about the file that stores DHCP snooping entries.

display dhcp snooping binding database

Available in any view.

Clear DHCP snooping entries.

reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }

Available in user view.

(In standalone mode.) Clear DHCP packet statistics on the DHCP snooping device.

reset dhcp snooping packet statistics [ slot slot-number ]

Available in user view.

(In IRF mode.) Clear DHCP packet statistics on the DHCP snooping device.

reset dhcp snooping packet statistics [ chassis chassis-number slot slot-number ]

Available in user view.

 

DHCP snooping configuration examples

Basic DHCP snooping configuration example

Network requirements

As shown in Figure 29, Switch B is connected to the authorized DHCP server through HundredGigE 1/0/1, to the unauthorized DHCP server through HundredGigE 1/0/3, and to the DHCP client through HundredGigE 1/0/2.

Configure only the port connected to the authorized DHCP server to forward the responses from the DHCP server. Enable the DHCP snooping device to record clients' IP-to-MAC bindings by reading DHCP-ACK messages received from the trusted port and the DHCP-REQUEST messages.

Figure 29 Network diagram

Configuration procedure

# Enable DHCP snooping.

<SwitchB> system-view

[SwitchB] dhcp snooping enable

# Configure HundredGigE 1/0/1 as a trusted port.

[SwitchB] interface hundredgige 1/0/1

[SwitchB-HundredGigE1/0/1] dhcp snooping trust

[SwitchB-HundredGigE1/0/1] quit

# Enable recording clients' IP-to-MAC bindings on HundredGigE 1/0/2.

[SwitchB] interface hundredgige 1/0/2

[SwitchB-HundredGigE1/0/2] dhcp snooping binding record

[SwitchB-HundredGigE1/0/2] quit

Verifying the configuration

# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)

# Display the DHCP snooping entry recorded for the client.

[SwitchB] display dhcp snooping binding

Option 82 configuration example

Network requirements

As shown in Figure 30, enable DHCP snooping and configure Option 82 on Switch B as follows:

·          Configure the handling strategy for DHCP requests that contain Option 82 as replace.

·          On HundredGigE 1/0/2, configure the padding content for the Circuit ID sub-option as company001 and for the Remote ID sub-option as device001.

·          On HundredGigE 1/0/3, configure the padding mode for the Circuit ID sub-option as verbose, access node identifier as sysname, and padding format as ascii. Configure the padding content for the Remote ID sub-option as device001.

Figure 30 Network diagram

Configuration procedure

# Enable DHCP snooping.

<SwitchB> system-view

[SwitchB] dhcp snooping enable

# Configure HundredGigE 1/0/1 as a trusted port.

[SwitchB] interface hundredgige 1/0/1

[SwitchB-HundredGigE1/0/1] dhcp snooping trust

[SwitchB-HundredGigE1/0/1] quit

# Configure Option 82 on HundredGigE 1/0/2.

[SwitchB] interface hundredgige 1/0/2

[SwitchB-HundredGigE1/0/2] dhcp snooping information enable

[SwitchB-HundredGigE1/0/2] dhcp snooping information strategy replace

[SwitchB-HundredGigE1/0/2] dhcp snooping information circuit-id string company001

[SwitchB-HundredGigE1/0/2] dhcp snooping information remote-id string device001

[SwitchB-HundredGigE1/0/2] quit

# Configure Option 82 on HundredGigE 1/0/3.

[SwitchB] interface hundredgige 1/0/3

[SwitchB-HundredGigE1/0/3] dhcp snooping information enable

[SwitchB-HundredGigE1/0/3] dhcp snooping information strategy replace

[SwitchB-HundredGigE1/0/3] dhcp snooping information circuit-id verbose node-identifier sysname format ascii

[SwitchB-HundredGigE1/0/3] dhcp snooping information remote-id string device001

Verifying the configuration

# Display Option 82 configuration information on HundredGigE 1/0/2 and HundredGigE 1/0/3 on the DHCP snooping device.

[SwitchB] display dhcp snooping information

 


Configuring DNS

Overview

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry.

DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.

Static domain name resolution

Static domain name resolution means manually creating mappings between domain names and IP addresses. For example, you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain name.

Dynamic domain name resolution

Resolution process

1.        A user program sends a name query to the resolver of the DNS client.

2.        The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.

3.        The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to other DNS servers. This process continues until a result, whether successful or not, is returned.

4.        After receiving a response from the DNS server, the DNS client returns the resolution result to the user program.

Figure 31 shows the relationship between the user program, DNS client, and DNS server.

The DNS client includes the resolver and cache. The user program and DNS client can run on the same device or different devices. The DNS server and the DNS client usually run on different devices.

Figure 31 Dynamic domain name resolution

 

Dynamic domain name resolution allows the DNS client to store the latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires. The DNS server determines how long a mapping is valid, and the DNS client obtains the aging information from DNS responses.

DNS suffixes

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name.

For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.

The name resolver handles the queries based on the domain names that the user enters:

·          If the user enters a domain name without a dot (.) (for example, aabbcc), the resolver considers the domain name to be a host name. It adds a DNS suffix to the host name before performing the query operation. If no match is found for any host name and suffix combination, the resolver uses the user-entered domain name (for example, aabbcc) for the IP address query.

·          If the user enters a domain name with a dot (.) among the letters (for example, www.aabbcc), the resolver directly uses this domain name for the query operation. If the query fails, the resolver adds a DNS suffix for another query operation.

·          If the user enters a domain name with a dot (.) at the end (for example, aabbcc.com.), the resolver considers the domain name an FQDN and returns the successful or failed query result. The dot at the end of the domain name is considered a terminating symbol.

The device supports static and dynamic DNS client services.

If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.

DNS configuration task list

Tasks at a glance

Perform one of the following tasks:

·         Configuring the IPv4 DNS client

·         Configuring the IPv6 DNS client

(Optional.) Specifying the source interface for DNS packets

(Optional.) Configuring the DNS trusted interface

(Optional.) Setting the DSCP value for outgoing DNS packets

 

Configuring the IPv4 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.

Follow these guidelines when you configure static domain name resolution:

·          For the public network or a VPN instance, each host name maps to only one IPv4 address. The most recent configuration for a host name takes effect.

·          You can configure the following:

◦  IPv4 DNS entries for both public network and VPN instances.

◦  A maximum of 1024 IPv4 DNS entries for the public network or each VPN instance.

To configure static domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure a host name-to-IPv4 address mapping.

ip host host-name ip-address [ vpn-instance vpn-instance-name ]

By default, no host name-to-IPv4 address mappings exist.

 

Configuring dynamic domain name resolution

To use dynamic domain name resolution, configure DNS servers so that DNS queries can be sent to a correct server for resolution. A DNS server manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A DNS suffix manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS suffix configured earlier takes precedence. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.
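The suffix rules from the "DNS suffixes" section combined with the server and suffix precedence described above, as an added Python example that is not H3C code. It assumes a negative reply from a server counts as a failed resolution for that name, so the resolver moves on to the next candidate name; the server 2.1.1.9 and the `ask` callback are constructed stand-ins, while 2.1.1.2, host, com and 3.1.1.1 come from this guide's dynamic resolution example.

```python
NO_REPLY = object()   # sentinel: the server did not answer at all


def by_precedence(manual, from_dhcp):
    """Manually configured entries first, then DHCP-learned ones, each in the order
    they were configured or learned. Works for DNS servers and for DNS suffixes."""
    ordered = []
    for item in list(manual) + list(from_dhcp):
        if item not in ordered:
            ordered.append(item)
    return ordered


def query_order(name, suffixes):
    """Names the resolver tries, in order, for a user-entered name."""
    if not name.strip("."):
        raise ValueError("empty name")
    if name.endswith("."):
        return [name[:-1]]               # FQDN: trailing dot terminates, no suffix added
    suffixed = [f"{name}.{suffix}" for suffix in suffixes]
    if "." in name:
        return [name] + suffixed         # dotted name: as entered first, then suffixes
    return suffixed + [name]             # host name: suffixes first, bare name last


def resolve(name, suffixes, servers, ask):
    """Return (address or None, trace of (server, queried name) pairs actually sent)."""
    trace = []
    for qname in query_order(name, suffixes):
        for server in servers:
            trace.append((server, qname))
            answer = ask(server, qname)
            if answer is NO_REPLY:
                continue                 # no reply: next server in priority order
            if answer is not None:
                return answer, trace
            break                        # negative reply (assumption): next candidate name
    return None, trace


# Constructed test servers: 2.1.1.9 never answers, 2.1.1.2 holds the guide's mapping.
ZONES = {"2.1.1.9": None, "2.1.1.2": {"host.com": "3.1.1.1"}}


def ask(server, qname):
    zone = ZONES.get(server)
    return NO_REPLY if zone is None else zone.get(qname)


if __name__ == "__main__":
    servers = by_precedence(manual=["2.1.1.9"], from_dhcp=["2.1.1.2"])
    suffixes = by_precedence(manual=["com"], from_dhcp=[])
    for entered in ("host", "www.aabbcc", "aabbcc.com."):
        address, trace = resolve(entered, suffixes, servers, ask)
        print(entered, "->", address, trace)
```

The trace makes visible which names leave the device and to which servers, including the bare host name that is queried after every suffix has failed.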

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

·          You can specify DNS server IPv4 addresses as follows:

◦  Specify DNS server IPv4 addresses for both public network and VPN instances.

◦  Specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance.

·          You can specify DNS server IPv6 addresses as follows:

◦  Specify DNS server IPv6 addresses for both public network and VPN instances.

◦  Specify a maximum of six DNS server IPv6 addresses for the public network or each VPN instance.

An IPv4 name query is first sent to the DNS server IPv4 addresses. If no reply is received, it is sent to the DNS server IPv6 addresses.

·          You can specify DNS suffixes as follows:

◦  Specify DNS suffixes for both public network and VPN instances.

◦  Specify a maximum of 16 DNS suffixes for the public network or each VPN instance.

Configuration procedure

To configure dynamic domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify a DNS server.

·         Specify a DNS server IPv4 address:
dns server ip-address [ vpn-instance vpn-instance-name ]

·         Specify a DNS server IPv6 address:
ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

By default, no DNS server is specified.

You can specify both the IPv4 and IPv6 addresses.

3.       (Optional.) Configure a DNS suffix.

dns domain domain-name [ vpn-instance vpn-instance-name ]

By default, no DNS suffix is configured and only the provided domain name is resolved.

 

Configuring the IPv6 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv6 addresses.

Follow these guidelines when you configure static domain name resolution:

·          For the public network or a VPN instance, each host name maps to only one IPv6 address. The most recent configuration for a host name takes effect.

·          You can configure the following items:

◦  IPv6 DNS entries for both public network and VPN instances.

◦  A maximum of 1024 IPv6 DNS entries for the public network or each VPN instance.

To configure static domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure a host name-to-IPv6 address mapping.

ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

By default, no host name-to-IPv6 address mappings exist.

 

Configuring dynamic domain name resolution

To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure DNS servers. A DNS server manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A DNS suffix manually configured takes precedence over the one dynamically obtained through DHCP, and a DNS suffix configured earlier takes precedence. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

·          You can specify DNS server IPv4 addresses as follows:

◦  Specify DNS server IPv4 addresses for both public network and VPN instances.

◦  Specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance.

·          You can specify DNS server IPv6 addresses as follows:

◦  Specify DNS server IPv6 addresses for both public network and VPN instances.

◦  Specify a maximum of six DNS server IPv6 addresses for the public network or each VPN instance.

An IPv6 name query is first sent to the IPv6 DNS servers. If no reply is received, it is sent to the IPv4 DNS servers.

·          You can specify DNS suffixes as follows:

◦  Specify DNS suffixes for both public network and VPN instances.

◦  Specify a maximum of 16 DNS suffixes for the public network or each VPN instance.

Configuration procedure

To configure dynamic domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify a DNS server.

·         Specify a DNS server IPv4 address:
dns server ip-address [ vpn-instance vpn-instance-name ]

·         Specify a DNS server IPv6 address:
ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

By default, no DNS server is specified.

You can specify both the IPv4 and IPv6 addresses.

3.       (Optional.) Configure a DNS suffix.

dns domain domain-name [ vpn-instance vpn-instance-name ]

By default, no DNS suffix is configured. Only the provided domain name is resolved.

 

Specifying the source interface for DNS packets

This task enables the device to always use the primary IP address of the specified source interface as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is configured on the source interface, no DNS packets can be sent out.

When sending an IPv6 DNS request, the device follows the method defined in RFC 3484 to select an IPv6 address of the source interface.

You can configure only one source interface on the public network or a VPN instance. You can configure the source interface for both public network and VPN instances.

To specify the source interface for DNS packets:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify the source interface for DNS packets.

dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

By default, no source interface for DNS packets is specified.

If you execute the command multiple times, the most recent configuration takes effect.

If you specify the vpn-instance vpn-instance-name option, make sure the source interface belongs to the specified VPN instance.

 

Configuring the DNS trusted interface

This task enables the device to use only the DNS suffix and domain name server information obtained through the trusted interface, so that the device obtains the correct resolved IP address. This feature protects the device against attackers that act as the DHCP server to assign an incorrect DNS suffix and domain name server address.

To configure the DNS trusted interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify the DNS trusted interface.

dns trust-interface interface-type interface-number

By default, no DNS trusted interface is specified.

You can configure up to 128 DNS trusted interfaces.

 

Setting the DSCP value for outgoing DNS packets

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A larger DSCP value represents a higher priority.

To set the DSCP value for outgoing DNS packets:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the DSCP value for DNS packets sent by a DNS client or a DNS proxy.

·         DSCP value for IPv4 DNS packets:
dns dscp dscp-value

·         DSCP value for IPv6 DNS packets:
ipv6 dns dscp dscp-value

By default, the DSCP value is 0 in DNS packets sent by a DNS client or a DNS proxy.

 

Displaying and maintaining DNS

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the domain name resolution table.

display dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

Display IPv4 DNS server information.

display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Display IPv6 DNS server information.

display ipv6 dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Display DNS suffixes.

display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ]

Clear dynamic DNS entries.

reset dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

 

IPv4 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 32, the host at 10.1.1.2 is named host.com. Configure static IPv4 DNS on the device so that the device can use the easy-to-remember domain name rather than the IP address to access the host.

Figure 32 Network diagram

 

Configuration procedure

# Configure a mapping between host name host.com and IP address 10.1.1.2.

<Sysname> system-view

[Sysname] ip host host.com 10.1.1.2

# Verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.

[Sysname] ping host.com

Ping host.com (10.1.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 33, configure the DNS server to store the mapping between the host's domain name host and IPv4 address 3.1.1.1/16 in the com domain. Configure dynamic IPv4 DNS and DNS suffix com on the device so that the device can use domain name host to access the host.

Figure 33 Network diagram

 

Configuration procedure

Before performing the following configuration, make sure that:

·          The device and the host can reach each other.

·          The IP addresses of the interfaces are configured as shown in Figure 33.

1.        Configure the DNS server:

The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2008 R2.

a.    Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 34.

b.    Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 34 Creating a zone

 

c.    On the DNS server configuration page, right-click zone com and select New Host.

Figure 35 Adding a host

d.    On the page that appears, enter host name host and IP address 3.1.1.1.

e.    Click Add Host.

The mapping between the IP address and host name is created.

Figure 36 Adding a mapping between domain name and IP address

 

2.        Configure the DNS client:

# Specify the DNS server 2.1.1.2.

<Sysname> system-view

[Sysname] dns server 2.1.1.2

# Specify com as the name suffix.

[Sysname] dns domain com

Verifying the configuration

# Verify that the device can use the dynamic domain name resolution to resolve domain name host.com into IP address 3.1.1.1.

[Sysname] ping host

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

IPv6 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 37, the host at 1::2 is named host.com. Configure static IPv6 DNS on the device so that the device can use the easy-to-remember domain name rather than the IPv6 address to access the host.

Figure 37 Network diagram

 

Configuration procedure

# Configure a mapping between host name host.com and IPv6 address 1::2.

<Device> system-view

[Device] ipv6 host host.com 1::2

# Verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.

[Device] ping ipv6 host.com

Ping6(56 data bytes) 1::1 --> 1::2, press CTRL_C to break

56 bytes from 1::2, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::2, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 38, configure the DNS server to store the mapping between the host's domain name host and IPv6 address 1::1/64 in the com domain. Configure dynamic IPv6 DNS and DNS suffix com on the device so that the device can use domain name host to access the host.

Figure 38 Network diagram

 

Configuration procedure

Before performing the following configuration, make sure that:

·          The device and the host can reach each other.

·          The IPv6 addresses of the interfaces are configured as shown in Figure 38.

1.        Configure the DNS server:

The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2008 R2. Make sure that the DNS server supports IPv6 DNS so that the server can process IPv6 DNS packets and its interfaces can forward IPv6 packets.

a.    Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 39.

b.    Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 39 Creating a zone

 

c.    On the DNS server configuration page, right-click zone com and select New Host.

Figure 40 Adding a host

 

d.    On the page that appears, enter host name host and IPv6 address 1::1.

e.    Click Add Host.

The mapping between the IPv6 address and host name is created.

Figure 41 Adding a mapping between domain name and IPv6 address

 

2.        Configure the DNS client:

# Specify the DNS server 2::2.

<Device> system-view

[Device] ipv6 dns server 2::2

# Configure com as the DNS suffix.

[Device] dns domain com

Verifying the configuration

# Verify that the device can use dynamic domain name resolution to resolve domain name host.com into IPv6 address 1::1.

[Device] ping ipv6 host

Ping6(56 data bytes) 3::1 --> 1::1, press CTRL_C to break

56 bytes from 1::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Troubleshooting IPv4 DNS configuration

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IP address.

Solution

1.        Use the display dns host ip command to verify that the specified domain name is in the cache.

2.        If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.

3.        If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.

4.        Verify that the mapping between the domain name and IP address is correct on the DNS server.

Troubleshooting IPv6 DNS configuration

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IPv6 address.

Solution

1.        Use the display dns host ipv6 command to verify that the specified domain name is in the cache.

2.        If the specified domain name does not exist, check that dynamic domain name resolution is enabled, and that the DNS client can communicate with the DNS server.

3.        If the specified domain name is in the cache, but the IPv6 address is incorrect, check that the DNS client has the correct IPv6 address of the DNS server.

4.        Verify that the mapping between the domain name and IPv6 address is correct on the DNS server.

 


Configuring IP forwarding basic settings

The device uses the destination IP address of a received packet to find a match from the forwarding information base (FIB) table. It then uses the matching entry to forward the packet.

FIB table

A device selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next hop IP address and output interface for packets destined for a specific subnet or host.

For more information about the routing table, see Layer 3—IP Routing Configuration Guide.

Use the display fib command to display FIB table entries. The following example displays the entire FIB table.

<Sysname> display fib

 

Destination count: 4 FIB entry count: 4

 

Flag:

  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label

10.2.0.0/16        10.2.1.1        U        HGE1/0/1                 Null

10.2.1.1/32        127.0.0.1       UH       InLoop0                  Null

127.0.0.0/8        127.0.0.1       U        InLoop0                  Null

127.0.0.1/32       127.0.0.1       UH       InLoop0                  Null

A FIB entry includes the following items:

·          Destination—Destination IP address.

·          Mask—Network mask. The mask and the destination address identify the destination network. A logical AND operation between the destination address and the network mask yields the address of the destination network. For example, if the destination address is 192.168.1.40 and the mask 255.255.255.0, the address of the destination network is 192.168.1.0. A network mask includes a certain number of consecutive 1s. It can be expressed in dotted decimal format or by the number of the 1s.

·          Nexthop—IP address of the next hop.

·          Flag—Route flag.

·          OutInterface—Output interface.

·          Token—MPLS Label Switched Path index number.

·          Label—Inner label.
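The mask arithmetic and FIB lookup described above, as an added Python example that is not part of the original guide. It parses the display fib output shown earlier and picks the matching entry by longest prefix; longest-prefix selection is the standard IP forwarding rule and is assumed here, and all function names are illustrative.

```python
import ipaddress

# The "display fib" table shown above, embedded so the example runs offline.
SAMPLE_FIB = """\
Destination/Mask   Nexthop         Flag     OutInterface/Token       Label
10.2.0.0/16        10.2.1.1        U        HGE1/0/1                 Null
10.2.1.1/32        127.0.0.1       UH       InLoop0                  Null
127.0.0.0/8        127.0.0.1       U        InLoop0                  Null
127.0.0.1/32       127.0.0.1       UH       InLoop0                  Null
"""

# Flag legend as printed by the device.
FLAG_NAMES = {"U": "Usable", "G": "Gateway", "H": "Host", "B": "Blackhole",
              "D": "Dynamic", "S": "Static", "R": "Relay", "F": "FRR"}


def mask_to_prefix_length(mask):
    """Convert a dotted-decimal mask to the number of 1s it contains.

    A valid mask is a run of consecutive 1s, so anything else is rejected.
    """
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError("mask %s is not a run of consecutive 1s" % mask)
    return 32 - inverted.bit_length()


def destination_network(address, mask):
    """Logical AND of destination address and mask, returned as network/length."""
    addr_bits = int(ipaddress.IPv4Address(address))
    mask_bits = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(addr_bits & mask_bits)
    return "%s/%d" % (network, mask_to_prefix_length(mask))


def parse_fib(text):
    """Turn the entry rows of "display fib" output into dictionaries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            network = ipaddress.IPv4Network(fields[0])
            nexthop = ipaddress.IPv4Address(fields[1])
        except ValueError:
            continue  # column header or other non-entry line
        entries.append({
            "network": network,
            "nexthop": nexthop,
            "flags": [FLAG_NAMES.get(flag, flag) for flag in fields[2]],
            "out_interface": fields[3],
            "label": fields[4],
        })
    return entries


def lookup(entries, destination):
    """Return the entry with the longest prefix that contains the destination."""
    address = ipaddress.IPv4Address(destination)
    best = None
    for entry in entries:
        if address not in entry["network"]:
            continue
        if best is None or entry["network"].prefixlen > best["network"].prefixlen:
            best = entry
    return best


if __name__ == "__main__":
    fib = parse_fib(SAMPLE_FIB)
    print(destination_network("192.168.1.40", "255.255.255.0"))
    for target in ("10.2.1.1", "10.2.3.4", "8.8.8.8"):
        match = lookup(fib, target)
        print(target, "->", match["out_interface"] if match else "no matching entry")
```

A destination that matches no entry returns None here; on the device, the handling of such packets depends on whether a default route exists.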

Saving the IP forwarding entries to a file

The feature automatically creates the file if you specify a nonexistent file. If the file already exists, this feature overwrites the file content.

To automatically save the IP forwarding entries periodically, configure a schedule for the device to automatically run the ip forwarding-table save command. For information about scheduling a task, see Fundamentals Configuration Guide.

To save the IP forwarding entries to a file:

 

Task: Specify a file to save the IP forwarding entries.
Command: ip forwarding-table save filename filename
Remarks: Executing this command triggers one-time saving of the IP forwarding entries. This command can be executed in any view.

 

Displaying FIB table entries

Execute display commands in any view.

 

Task: Display FIB entries.
Command: display fib [ vpn-instance vpn-instance-name ] [ ip-address [ mask | mask-length ] ]

 


Configuring load sharing

If a routing protocol finds multiple equal-cost best routes to the same destination, the device forwards packets over the equal-cost routes to implement load sharing.

 

Configuring per-flow load sharing

The device forwards flows over equal-cost routes. Packets of one flow travel along the same routes. You can configure the device to identify a flow based on the following criteria: source IP address, destination IP address, source port number, destination port number, IP protocol number, ingress port, and VLAN.

In a complex network, when the per-flow criteria cannot distinguish flows, you can use the algorithm keyword to specify an algorithm to identify flows.

The device supports configuring any combination of flow match criteria for load sharing.

To configure load sharing:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Configure load sharing.
Command:
In standalone mode: ip load-sharing mode per-flow [ algorithm algorithm-number | [ dest-ip | dest-port | ip-pro | src-ip | src-port | ingress-port ] * | tunnel { all | inner | outer } ] { global | slot slot-number }
In IRF mode: ip load-sharing mode per-flow [ algorithm algorithm-number | [ dest-ip | dest-port | ip-pro | src-ip | src-port | ingress-port ] * | tunnel { all | inner | outer } ] { chassis chassis-number slot slot-number | global }
Remarks: By default, the device performs per-flow load sharing based on the following criteria: source IP address, destination IP address, source port number, destination port number, IP protocol number, and ingress port.
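How the choice of flow match criteria affects path selection, as an added Python example that is not part of the original guide. The device's hash algorithm is not documented on this page, so SHA-256 is used as a stand-in; the two paths are the equal-cost next hops from the configuration example in this chapter, and the flows are constructed.

```python
import hashlib

# Keywords accepted by "ip load-sharing mode per-flow" in this guide.
CRITERIA = ("dest-ip", "dest-port", "ip-pro", "src-ip", "src-port", "ingress-port")
DEFAULT_CRITERIA = CRITERIA  # the default uses all six fields

# Equal-cost next hops from the load sharing configuration example.
PATHS = ("10.1.1.2 via Vlan10", "20.1.1.2 via Vlan20")


def flow_key(packet, criteria):
    """Build the flow identity from the selected header fields only."""
    unknown = set(criteria) - set(CRITERIA)
    if unknown:
        raise ValueError("unsupported criteria: %s" % sorted(unknown))
    # Sorting makes the key independent of keyword order on the command line.
    return "|".join("%s=%s" % (name, packet[name]) for name in sorted(criteria))


def select_path(packet, criteria, paths):
    """Map a flow to one path. Stand-in hash, not the device's algorithm."""
    digest = hashlib.sha256(flow_key(packet, criteria).encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def share(packets, criteria, paths):
    """Count how many packets each path would carry."""
    counts = {path: 0 for path in paths}
    for packet in packets:
        counts[select_path(packet, criteria, paths)] += 1
    return counts


def constructed_flows(count):
    """Constructed sample: many TCP sessions between the same two hosts."""
    return [{
        "src-ip": "10.1.1.10",
        "dest-ip": "1.2.3.4",
        "src-port": 20000 + index,
        "dest-port": 443,
        "ip-pro": 6,
        "ingress-port": "HGE1/0/3",
    } for index in range(count)]


if __name__ == "__main__":
    flows = constructed_flows(1000)
    # Criteria that cannot tell the sessions apart pin them all to one path.
    print("dest-ip src-ip :", share(flows, ("dest-ip", "src-ip"), PATHS))
    # Including the port fields separates the sessions again.
    print("default        :", share(flows, DEFAULT_CRITERIA, PATHS))
```

The same reasoning explains why display ip load-sharing path must be given the same options as ip load-sharing mode: a different set of fields produces a different flow key and therefore possibly a different path.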

 

Enabling local-first load sharing

Local-first load sharing distributes traffic preferentially across the output interfaces on the receiving IRF member device if output interfaces for multiple equal-cost routes are on different members. This feature enhances packet forwarding efficiency.

To enable local-first load sharing:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enable local-first load sharing.
Command: ip load-sharing local-first enable
Remarks: Local-first load sharing is enabled.

 

Displaying the load sharing path selected for a flow

When you execute this command, make sure the options are the same as those in the ip load-sharing mode command. If the options are not consistent, the path displayed by this command might be different from the real path for load sharing.

To display the load sharing path selected for a flow:

 

Task: Display the load sharing path selected for a flow.
Command: display ip load-sharing path ingress-port interface-type interface-number packet-format { ipv4oe dest-ip ip-address [ src-ip ip-address ] | ipv6oe dest-ipv6 ipv6-address [ src-ipv6 ipv6-address ] } [ dest-port port-id | ip-pro protocol-id | src-port port-id | vpn-instance vpn-instance-name ] *

Load sharing configuration example

Network requirements

As shown in Figure 42, Switch A has two equal-cost routes to Switch B. Configure load sharing on Switch A to forward packets through Switch B to the destination IP address 1.2.3.4/24.

Figure 42 Network diagram

Configuration procedure

# On Switch A, assign HundredGigE 1/0/1 to VLAN 10, and HundredGigE 1/0/2 to VLAN 20.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] port hundredgige 1/0/1

[SwitchA-vlan10] quit

[SwitchA] vlan 20

[SwitchA-vlan20] port hundredgige 1/0/2

[SwitchA-vlan20] quit

# On Switch A, configure IP addresses for VLAN-interface 10 and VLAN-interface 20.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 10.1.1.1 24

[SwitchA-Vlan-interface10] quit

[SwitchA] interface vlan-interface 20

[SwitchA-Vlan-interface20] ip address 20.1.1.1 24

[SwitchA-Vlan-interface20] quit

# On Switch B, assign HundredGigE 1/0/1 to VLAN 10, and HundredGigE 1/0/2 to VLAN 20.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] port hundredgige 1/0/1

[SwitchB-vlan10] quit

[SwitchB] vlan 20

[SwitchB-vlan20] port hundredgige 1/0/2

[SwitchB-vlan20] quit

# On Switch B, configure IP addresses for VLAN-interface 10 and VLAN-interface 20.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address 10.1.1.2 24

[SwitchB-Vlan-interface10] quit

[SwitchB] interface vlan-interface 20

[SwitchB-Vlan-interface20] ip address 20.1.1.2 24

[SwitchB-Vlan-interface20] quit

# On Switch A, configure two static routes to the destination IP address.

<SwitchA> system-view

[SwitchA] ip route-static 1.2.3.4 24 10.1.1.2

[SwitchA] ip route-static 1.2.3.4 24 20.1.1.2

[SwitchA] quit

# On Switch A, display FIB entries matching the destination IP address 1.2.3.4.

<SwitchA> display fib 1.2.3.4

 

Destination count: 1 FIB entry count: 2

 

Flag:

  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label

1.2.3.0/24         10.1.1.2        USGR     Vlan10                   Null

1.2.3.0/24         20.1.1.2        USGR     Vlan20                   Null

# On Switch A, configure per-flow load sharing based on the source IP address and destination IP address.

<SwitchA> system-view

[SwitchA] ip load-sharing mode per-flow dest-ip src-ip

Verifying the configuration

# Verify that Switch A implements load sharing.

<SwitchA> display counters outbound interface HundredGigE

Interface         Total (pkts)   Broadcast (pkts)   Multicast (pkts)  Err (pkts)

HGE1/0/1                 1045                  0                  0           0

HGE1/0/2                 1044                  0                  0           0

 


Configuring IRDP

The term "router" in this chapter refers to a routing-capable device.

The term "host" in this chapter refers to a host that supports IRDP, for example, a host that runs the Linux operating system.

Overview

ICMP Router Discovery Protocol (IRDP), an extension of the ICMP, is independent of any routing protocol. It allows hosts to discover the IP addresses of neighboring routers that can act as default gateways to reach devices on other IP networks.

IRDP enables hosts to track dynamic changes in router availability and requires a minimal amount of manual configuration.

IRDP operation

IRDP uses the following types of ICMP messages:

·          Router advertisement (RA)—Sent by a router to advertise IP addresses (including the primary and secondary IP addresses) and preference.

·          Router solicitation (RS)—Sent by a host to request the IP addresses of routers on the subnet.

An interface with IRDP enabled periodically broadcasts or multicasts an RA message to advertise its IP addresses. A receiving host adds the IP addresses to its routing table, and selects the IP address with the highest preference as the default gateway.

When a host attached to the subnet starts up, the host multicasts an RS message to request immediate advertisements. If the host does not receive any advertisements, it retransmits the RS several times. If the host does not discover the IP addresses of neighboring routers because of network problems, the host can still discover them from periodic RAs.

IRDP allows hosts to discover neighboring routers, but it does not suggest the best route to a destination. If a host sends a packet to a router that is not the best next hop, the host will receive an ICMP redirect message from the router.

Basic concepts

Preference of an IP address

Every IP address advertised in RAs has a preference value. A larger preference value represents a higher preference. The IP address with the highest preference is selected as the default gateway address.

You can specify the preference for IP addresses to be advertised on a router interface.

An address with the minimum preference value (-2147483648) will not be used as a default gateway address.

Lifetime of an IP address

An RA contains a lifetime field that specifies the lifetime of advertised IP addresses. If the host does not receive a new RA for an IP address within the address lifetime, the host removes the route entry.

All the IP addresses advertised by an interface have the same lifetime.

Advertising interval

A router interface with IRDP enabled sends out RAs randomly between the minimum and maximum advertising intervals. This mechanism prevents the local link from being overloaded by a large number of RAs sent simultaneously from routers.

As a best practice, shorten the advertising interval on a link that suffers high packet loss rates.

Destination address of RAs

An RA uses either of the following destination IP addresses:

·          Broadcast address 255.255.255.255.

·          Multicast address 224.0.0.1, which identifies all hosts on the local link.

By default, the destination IP address of an RA is the broadcast address. If all listening hosts in a local area network support IP multicast, specify 224.0.0.1 as the destination IP address.

Proxy-advertised IP addresses

By default, an interface advertises its primary and secondary IP addresses. You can specify IP addresses of other gateways for an interface to proxy-advertise.

Protocols and standards

RFC 1256: ICMP Router Discovery Messages

Configuration procedure

To configure IRDP:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: The interface can be a Layer 3 Ethernet interface or VLAN interface.

Step: 3. Enable IRDP on the interface.
Command: ip irdp
Remarks: By default, IRDP is disabled. After IRDP is enabled on an interface, the IRDP configuration takes effect, and the device sends RA messages out of the interface.

Step: 4. (Optional.) Specify the preference of advertised primary and secondary IP addresses on the interface.
Command: ip irdp preference preference-value
Remarks: The default preference is 0.

Step: 5. (Optional.) Set the lifetime of IP addresses to be advertised.
Command: ip irdp lifetime lifetime-value
Remarks: The default lifetime is 1800 seconds. The lifetime applies to all advertised IP addresses, including proxy-advertised IP addresses on the interface. The lifetime cannot be shorter than the maximum advertising interval.

Step: 6. (Optional.) Set the maximum and minimum advertising intervals.
Command: ip irdp interval max-interval [ min-interval ]
Remarks: By default, the maximum interval is 600 seconds, and the minimum interval is 3/4 of the maximum interval.

Step: 7. (Optional.) Specify the multicast address 224.0.0.1 as the destination IP address of RAs.
Command: ip irdp multicast
Remarks: By default, RAs use the broadcast address 255.255.255.255 as the destination IP address.

Step: 8. (Optional.) Specify a proxy-advertised IP address and its preference.
Command: ip irdp address ip-address preference-value
Remarks: Repeat this step to specify multiple proxy-advertised IP addresses. By default, no IP address is specified. You can specify a maximum of four proxy-advertised IP addresses on an interface.

 

IRDP configuration example

Network requirements

As shown in Figure 43, Host A and Host B that run Linux support IRDP, and they are in the internal network. Switch A and Switch B act as the egress routers and connect to external networks 192.168.1.0/24 and 192.168.2.0/24, respectively.

Configure Switch A as the default gateway for the hosts. Packets to the external networks can be correctly routed.

Figure 43 Network diagram

 

Configuration procedure

1.        Configure Switch A:

# Specify an IP address for VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 10.154.5.1 24

# Enable IRDP on VLAN-interface 2.

[SwitchA-Vlan-interface2] ip irdp

# Specify preference 1000 for advertised IP addresses on VLAN-interface 2.

[SwitchA-Vlan-interface2] ip irdp preference 1000

# Specify the multicast address 224.0.0.1 as the destination IP address for RAs sent by VLAN-interface 2.

[SwitchA-Vlan-interface2] ip irdp multicast

# Specify the IP address 192.168.1.0 and preference 400 for VLAN-interface 2 to proxy-advertise.

[SwitchA-Vlan-interface2] ip irdp address 192.168.1.0 400

2.        Configure Switch B:

# Specify an IP address for VLAN-interface 2.

<SwitchB> system-view

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address 10.154.5.2 24

# Enable IRDP on VLAN-interface 2.

[SwitchB-Vlan-interface2] ip irdp

# Specify preference 500 for advertised IP addresses on VLAN-interface 2.

[SwitchB-Vlan-interface2] ip irdp preference 500

# Specify the multicast address 224.0.0.1 as the destination IP address for RAs sent by VLAN-interface 2.

[SwitchB-Vlan-interface2] ip irdp multicast

# Specify the IP address 192.168.2.0 and preference 400 for VLAN-interface 2 to proxy-advertise.

[SwitchB-Vlan-interface2] ip irdp address 192.168.2.0 400

Verifying the configuration

# Display the routing table for Host A.

[HostA@localhost ~]$ netstat -rne

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

10.154.5.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1

192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

0.0.0.0          10.154.5.1     0.0.0.0          UG    0      0        0 eth1

The output shows that the default route on Host A points to IP address 10.154.5.1, and Host A has routes to 192.168.1.0/24 and 192.168.2.0/24.

# Display the routing table for Host B.

[HostB@localhost ~]$ netstat -rne

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

10.154.5.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1

192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

0.0.0.0          10.154.5.1     0.0.0.0          UG    0      0        0 eth1

The output shows that the default route on Host B points to IP address 10.154.5.1, and Host B has routes to 192.168.1.0/24 and 192.168.2.0/24.
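Why both hosts end up with 10.154.5.1 as the default gateway, as an added Python example that is not part of the original guide. It builds and parses router advertisements in the RFC 1256 message layout, applies the preference and lifetime rules from the Basic concepts section, and uses the addresses and preferences from this configuration example; the RouterList class and the constructed messages are illustrative assumptions, not a real host's implementation.

```python
import ipaddress
import struct

RA_TYPE = 9                    # ICMP type of a router advertisement (RFC 1256)
MIN_PREFERENCE = -2147483648   # such an address is never used as default gateway


def internet_checksum(data):
    """Standard 16-bit one's complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(routers, lifetime):
    """Construct the ICMP part of an RA from (address, preference) pairs."""
    body = b"".join(ipaddress.IPv4Address(address).packed + struct.pack("!i", preference)
                    for address, preference in routers)
    header = struct.pack("!BBHBBH", RA_TYPE, 0, 0, len(routers), 2, lifetime)
    checksum = internet_checksum(header + body)
    return struct.pack("!BBHBBH", RA_TYPE, 0, checksum, len(routers), 2, lifetime) + body


def parse_ra(message):
    """Validate an RA and return (lifetime, [(address, preference), ...])."""
    if len(message) < 8:
        raise ValueError("message shorter than the 8-byte RA header")
    mtype, code, _, count, entry_words, lifetime = struct.unpack("!BBHBBH", message[:8])
    if mtype != RA_TYPE or code != 0:
        raise ValueError("not a router advertisement")
    if internet_checksum(message) != 0:
        raise ValueError("bad ICMP checksum")
    if count < 1 or entry_words < 2 or len(message) < 8 + count * entry_words * 4:
        raise ValueError("address list is inconsistent with the header")
    routers = []
    for index in range(count):
        offset = 8 + index * entry_words * 4
        address = ipaddress.IPv4Address(message[offset:offset + 4])
        (preference,) = struct.unpack("!i", message[offset + 4:offset + 8])
        routers.append((address, preference))
    return lifetime, routers


class RouterList:
    """Host-side view of advertised addresses (illustrative model)."""

    def __init__(self):
        self._entries = {}  # address -> (preference, expiry time)

    def learn(self, message, now):
        lifetime, routers = parse_ra(message)
        for address, preference in routers:
            # Every address in one RA shares the same lifetime.
            self._entries[address] = (preference, now + lifetime)

    def default_gateway(self, now):
        candidates = [(preference, address)
                      for address, (preference, expires) in self._entries.items()
                      if expires > now and preference != MIN_PREFERENCE]
        return max(candidates)[1] if candidates else None


# Constructed RAs matching the Switch A and Switch B configuration above.
SWITCH_A_RA = build_ra([("10.154.5.1", 1000), ("192.168.1.0", 400)], lifetime=1800)
SWITCH_B_RA = build_ra([("10.154.5.2", 500), ("192.168.2.0", 400)], lifetime=1800)

if __name__ == "__main__":
    host = RouterList()
    host.learn(SWITCH_A_RA, now=0)
    host.learn(SWITCH_B_RA, now=0)
    print("gateway while both advertise:", host.default_gateway(now=10))
    host.learn(SWITCH_B_RA, now=1000)  # only Switch B keeps advertising
    print("gateway after Switch A's lifetime expires:", host.default_gateway(now=1801))
```

Because a host accepts any well-formed RA and prefers the highest value, the preference and lifetime checks shown here are also the fields to inspect when an unexpected default gateway appears on a host.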


Optimizing IP performance

A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation.

Enabling an interface to forward directed broadcasts destined for the directly connected network

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

If an interface is allowed to forward directed broadcasts destined for the directly connected network, attackers can exploit this capability to attack the target network. In some scenarios, however, an interface must forward such directed broadcast packets to support UDP helper and Wake on LAN.

This task enables the interface to forward directed broadcast packets that are received from another subnet and destined for the directly connected network, which is required to support Wake on LAN. Wake on LAN sends directed broadcasts to wake up the hosts on the target network.

Configuration procedure

To enable an interface to forward directed broadcasts destined for the directly connected network:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Enable the interface to forward directed broadcasts destined for the directly connected network.
Command: ip forward-broadcast [ acl acl-number ]
Remarks: By default, an interface cannot forward directed broadcasts destined for the directly connected network.

 

Configuration example

Network requirements

As shown in Figure 44, the default gateway of the host is the IP address 1.1.1.2/24 of VLAN-interface 3 of Switch A.

Switch B can receive directed broadcasts from the host to IP address 2.2.2.255.

Figure 44 Network diagram

 

Configuration procedure

1.        Configure Switch A:

# Specify IP addresses for VLAN-interface 3 and VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 3

[SwitchA-Vlan-interface3] ip address 1.1.1.2 24

[SwitchA-Vlan-interface3] quit

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 2.2.2.2 24

# Enable VLAN-interface 2 to forward directed broadcasts destined for the directly connected network.

[SwitchA-Vlan-interface2] ip forward-broadcast

2.        Configure Switch B:

# Configure a static route to the host.

<SwitchB> system-view

[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2

# Specify an IP address for VLAN-interface 2.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address 2.2.2.1 24

After the configurations are completed, if you ping the subnet-directed broadcast address 2.2.2.255 on the host, VLAN-interface 2 of Switch B can receive the ping packets. If you delete the ip forward-broadcast configuration on any switch, the interface cannot receive the ping packets.

Setting the interface MTU for IPv4 packets

The interface MTU for IPv4 packets defines the largest size of an IPv4 packet that an interface can transmit without fragmentation. When a packet exceeds the MTU of the sending interface, the device processes the packet in one of the following ways:

·          If the packet disallows fragmentation, the device discards it.

·          If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set the MTU based on the network environment to avoid fragmentation.

To set the interface MTU for IPv4 packets:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Set the interface MTU for IPv4 packets.
Command: ip mtu mtu-size
Remarks: By default, the interface MTU is not set.

 

Setting TCP MSS for an interface

The maximum segment size (MSS) option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, it fragments the segment according to the receiver's MSS.

If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

This configuration takes effect only for TCP connections established after the configuration rather than the TCP connections that already exist.

This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not set the TCP MSS on the interface.

To set the TCP MSS for the interface:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Set the TCP MSS for the interface.
Command: tcp mss value
Remarks: By default, the TCP MSS is not set.

 

Enabling SYN Cookie

A TCP connection is established through a three-way handshake:

1.        The sender sends a SYN packet to the server.

2.        The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3.        The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is established.

An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and can no longer handle normal services.

SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.

To enable SYN Cookie:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enable SYN Cookie.
Command: tcp syn-cookie enable
Remarks: By default, SYN Cookie is disabled.
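How a server can answer a SYN without keeping a semi-connection, as an added Python sketch of the general SYN cookie technique that is not part of the original guide and is not the device's implementation. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the MSS table, the timing constants and the constructed handshake values are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed parameters for this sketch (not taken from the device).
MSS_TABLE = (536, 1300, 1440, 1460)  # MSS values the 3-bit index can encode
TICK_SECONDS = 64                    # the time counter advances every 64 seconds
MAX_AGE_TICKS = 2                    # cookies older than this are rejected
SECRET = b"constructed-demo-secret"  # constructed key, kept only on the server


def _mac24(secret, src, sport, dst, dport, client_isn, tick):
    """24-bit keyed hash over the 4-tuple, the client ISN and the time tick."""
    message = ("%s|%d|%s|%d|%d|%d" % (src, sport, dst, dport, client_isn, tick)).encode()
    return hmac.new(secret, message, hashlib.sha256).digest()[:3]


def make_cookie(secret, src, sport, dst, dport, client_isn, client_mss, now):
    """Return the sequence number for the SYN ACK. Nothing is stored per SYN."""
    tick = int(now) // TICK_SECONDS
    mss_index = 0
    for index, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_index = index  # largest table entry not above the client's MSS
    mac = int.from_bytes(_mac24(secret, src, sport, dst, dport, client_isn, tick), "big")
    return ((tick & 0x1F) << 27) | (mss_index << 24) | mac


def check_ack(secret, src, sport, dst, dport, seq, ack, now):
    """Validate the final ACK of the handshake.

    Returns the MSS recovered from the cookie when it is authentic and fresh,
    so the connection can be created directly in ESTABLISHED state.
    Returns None when the ACK does not answer a SYN ACK this server sent.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    mss_index = (cookie >> 24) & 0x07
    if mss_index >= len(MSS_TABLE):
        return None
    current = int(now) // TICK_SECONDS
    for age in range(MAX_AGE_TICKS + 1):
        tick = current - age
        if tick < 0 or (tick & 0x1F) != cookie >> 27:
            continue
        expected = _mac24(secret, src, sport, dst, dport, client_isn, tick)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_index]
    return None


def handshake(client_mss, ack_delay, ack_sport=40000):
    """Constructed exchange: SYN at t=1000, ACK arrives ack_delay seconds later."""
    src, sport, dst, dport = "1.1.1.1", 40000, "2.2.2.1", 23
    client_isn = 0x01020304
    cookie = make_cookie(SECRET, src, sport, dst, dport, client_isn, client_mss, now=1000)
    seq = (client_isn + 1) & 0xFFFFFFFF
    ack = (cookie + 1) & 0xFFFFFFFF
    return check_ack(SECRET, src, ack_sport, dst, dport, seq, ack, now=1000 + ack_delay)


if __name__ == "__main__":
    print("prompt ACK           :", handshake(1460, ack_delay=5))
    print("ACK after 5 ticks    :", handshake(1460, ack_delay=5 * TICK_SECONDS))
    print("ACK from other port  :", handshake(1460, ack_delay=5, ack_sport=40001))
```

A sender that never returns a valid ACK costs the server only the computation of one keyed hash, which is why the flood no longer fills a table of semi-connections.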

 

Setting the TCP buffer size

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Set the size of TCP receive/send buffer.
Command: tcp window window-size
Remarks: The default buffer size is 63 KB.

 

Setting TCP timers

You can set the following TCP timers:

·          SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response is received before the timer expires, or if the upper limit on TCP connection attempts is reached, TCP fails to establish the connection.

·          FIN wait timer—TCP starts the FIN wait timer when TCP changes the connection state to FIN_WAIT_2. If no FIN packet is received within the timer interval, TCP terminates the connection. If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer, and tears down the connection when the timer expires.

To set TCP timers:

 

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Set TCP timers.
Command:
·         Set the TCP SYN wait timer: tcp timer syn-timeout time-value
·         Set the TCP FIN wait timer: tcp timer fin-timeout time-value
Remarks: By default:
·         The TCP SYN wait timer is 75 seconds.
·         The TCP FIN wait timer is 675 seconds.

 

Enabling sending ICMP error messages

Perform this task to enable sending ICMP error messages, including redirect, time exceeded, and destination unreachable messages.

·          ICMP redirect messages

A host that has only one default route sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop by following these rules:

◦  The receiving and sending interfaces are the same.

◦  The selected route is not created or modified by any ICMP redirect messages.

◦  The selected route is not destined for 0.0.0.0.

◦  There is no source route option in the received packet.

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing table.

·          ICMP time exceeded messages

A device sends ICMP time exceeded messages by following these rules:

◦  The device sends the source an ICMP TTL exceeded in transit message when the following conditions are met:

-      The received packet is not destined for the device.

-      The TTL field of the packet is 1.

◦  When the device receives the first fragment of an IP datagram destined for it, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

·          ICMP destination unreachable messages

A device sends ICMP destination unreachable messages by following these rules:

◦  The device sends the source an ICMP network unreachable message when the following conditions are met:

-      The packet does not match any route.

-      No default route exists in the routing table.

◦  The device sends the source an ICMP protocol unreachable message when the following conditions are met:

-      The packet is destined for the device.

-      The transport layer protocol of the packet is not supported by the device.

NOTE:

If a DHCP enabled device receives an ICMP echo reply without sending any ICMP echo requests, the device does not send any ICMP protocol unreachable messages to the source. For more information about DHCP, see Layer 3—IP Services Configuration Guide.

◦  The device sends the source an ICMP port unreachable message when the following conditions are met:

-      The UDP packet is destined for the device.

-      The packet's port number does not match the corresponding process.

◦  The device sends the source an ICMP source route failed message when the following conditions are met:

-      The source uses Strict Source Routing to send packets.

-      The intermediate device finds that the next hop specified by the source is not directly connected.

◦  The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:

-      The MTU of the sending interface is smaller than the packet.

-      The packet has DF set.

To enable sending ICMP error messages:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enable sending ICMP error messages. | Enable sending ICMP redirect messages: ip redirects enable; Enable sending ICMP time exceeded messages: ip ttl-expires enable; Enable sending ICMP destination unreachable messages: ip unreachables enable | The default settings are disabled. To avoid echo packet loss, do not enable sending ICMP redirect messages on the local device if BFD on the peer device uses echo packets for link detection. |

Sending ICMP error messages facilitates network management, but sending excessive ICMP messages increases network traffic. The device performance degrades if it receives a lot of malicious ICMP messages that cause it to respond with ICMP error messages.

To prevent such problems, you can disable the device from sending ICMP error messages. A device that is disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages. However, it can still send ICMP fragment reassembly time exceeded messages.

Disabling forwarding ICMP fragments

Disabling forwarding ICMP fragments can protect your device from ICMP fragment attacks.

To disable forwarding ICMP fragments:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Disable forwarding ICMP fragments. | ip icmp fragment discarding | By default, forwarding ICMP fragments is enabled. |

Configuring rate limit for ICMP error messages

To avoid sending excessive ICMP error messages within a short period that might cause network congestion, you can limit the rate at which ICMP error messages are sent. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.

To configure rate limit for ICMP error messages:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Set the interval for tokens to arrive in the bucket and the bucket size for ICMP error messages. | ip icmp error-interval interval [ bucketsize ] | By default, a token is placed in the bucket at intervals of 100 milliseconds and the bucket allows a maximum of 10 tokens. To disable the ICMP rate limit, set the interval to 0 milliseconds. |
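The token bucket described above, modelled as an added example (not H3C code) so that the effect of the interval and bucket size on a burst of error-triggering packets can be checked offline. The guide does not state the initial fill of the bucket; the model assumes it starts full. The class and function names and the packet arrival times are hypothetical and constructed.

```python
"""Model of the ICMP error message rate limit (token bucket, one token per message)."""


class IcmpErrorLimiter:
    def __init__(self, interval_ms=100, bucket_size=10):
        # Defaults follow the guide: one token every 100 ms, at most 10 tokens.
        if interval_ms < 0 or bucket_size < 1:
            raise ValueError("interval must be >= 0 and bucket size >= 1")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size   # assumption: the bucket starts full
        self.last_token_ms = 0      # time at which the last token arrived

    def allow(self, now_ms):
        """Return True if an ICMP error message may be sent at now_ms."""
        if self.interval_ms == 0:
            return True             # interval 0 disables the rate limit
        # Tokens arrive one per interval; tokens beyond the bucket size are lost.
        arrived = (now_ms - self.last_token_ms) // self.interval_ms
        if arrived > 0:
            self.tokens = min(self.bucket_size, self.tokens + arrived)
            self.last_token_ms += arrived * self.interval_ms
        if self.tokens == 0:
            return False            # empty bucket: the error message is not sent
        self.tokens -= 1
        return True


def replay(limiter, trigger_times_ms):
    """Feed packet arrival times (ms) that would each trigger an ICMP error.

    Returns (messages sent, messages suppressed).
    """
    sent = suppressed = 0
    for t in trigger_times_ms:
        if limiter.allow(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed input: one error-triggering packet per millisecond for one second.
FLOOD = list(range(1000))

if __name__ == "__main__":
    print("default 100 ms / 10 tokens:", replay(IcmpErrorLimiter(), FLOOD))
    print("500 ms / 2 tokens:         ", replay(IcmpErrorLimiter(500, 2), FLOOD))
    print("interval 0 (limit off):    ", replay(IcmpErrorLimiter(0), FLOOD))
```

With the default settings the device answers the first 10 packets of the burst and then at most one more per 100 ms, so the bucket size bounds the burst and the interval bounds the sustained rate.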

 

Specifying the source address for ICMP packets

Perform this task to specify the source IP address for outgoing ping echo requests and ICMP error messages. As a best practice, specify the IP address of the loopback interface as the source IP address. This feature helps users to locate the sending device easily.

If you specify an IP address in the ping command, ping echo requests use the specified address as the source IP address rather than the IP address specified by the ip icmp source command.

To specify the source IP address for ICMP packets:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Specify the source address for outgoing ICMP packets. | ip icmp source [ vpn-instance vpn-instance-name ] ip-address | By default, no source address is specified for outgoing ICMP packets. The device uses the IP address of the sending interface as the source IP address for outgoing ICMP packets. |

Displaying and maintaining IP performance optimization

Execute display commands in any view and reset commands in user view.

| Task | Command |
| --- | --- |
| (In standalone mode.) Display brief information about RawIP connections. | display rawip [ slot slot-number ] |
| (In IRF mode.) Display brief information about RawIP connections. | display rawip [ chassis chassis-number slot slot-number ] |
| (In standalone mode.) Display detailed information about RawIP connections. | display rawip verbose [ slot slot-number [ pcb pcb-index ] ] |
| (In IRF mode.) Display detailed information about RawIP connections. | display rawip verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ] |
| (In standalone mode.) Display brief information about TCP connections. | display tcp [ slot slot-number ] |
| (In IRF mode.) Display brief information about TCP connections. | display tcp [ chassis chassis-number slot slot-number ] |
| (In standalone mode.) Display detailed information about TCP connections. | display tcp verbose [ slot slot-number [ pcb pcb-index ] ] |
| (In IRF mode.) Display detailed information about TCP connections. | display tcp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ] |
| (In standalone mode.) Display brief information about UDP connections. | display udp [ slot slot-number ] |
| (In IRF mode.) Display brief information about UDP connections. | display udp [ chassis chassis-number slot slot-number ] |
| (In standalone mode.) Display detailed information about UDP connections. | display udp verbose [ slot slot-number [ pcb pcb-index ] ] |
| (In IRF mode.) Display detailed information about UDP connections. | display udp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ] |
| (In standalone mode.) Display IP packet statistics. | display ip statistics [ slot slot-number ] |
| (In IRF mode.) Display IP packet statistics. | display ip statistics [ chassis chassis-number slot slot-number ] |
| (In standalone mode.) Display TCP traffic statistics. | display tcp statistics [ slot slot-number ] |
| (In IRF mode.) Display TCP traffic statistics. | display tcp statistics [ chassis chassis-number slot slot-number ] |
| (In standalone mode.) Display UDP traffic statistics. | display udp statistics [ slot slot-number ] |
| (In IRF mode.) Display UDP traffic statistics. | display udp statistics [ chassis chassis-number slot slot-number ] |
| (In standalone mode.) Display ICMP statistics. | display icmp statistics [ slot slot-number ] |
| (In IRF mode.) Display ICMP statistics. | display icmp statistics [ chassis chassis-number slot slot-number ] |
| (In standalone mode.) Clear IP packet statistics. | reset ip statistics [ slot slot-number ] |
| (In IRF mode.) Clear IP packet statistics. | reset ip statistics [ chassis chassis-number slot slot-number ] |
| Clear TCP traffic statistics. | reset tcp statistics |
| Clear UDP traffic statistics. | reset udp statistics |


Configuring UDP helper

Overview

UDP helper can provide the following packet conversion for packets with specific UDP destination port numbers:

·          Convert broadcast to unicast, and forward the unicast packets to specific destinations.

·          Convert broadcast to multicast, and forward the multicast packets.

Configuration restrictions and guidelines

When you configure UDP helper, follow these restrictions and guidelines:

·          By default, an interface on the device does not receive directed broadcasts destined for the directly connected network. To use UDP helper, execute the ip forward-broadcast command. For more information about receiving directed broadcasts destined for the directly connected network, see "Optimizing IP performance."

·          Do not set UDP ports 67 and 68 for UDP helper, because UDP helper cannot forward DHCP broadcast packets.

·          You can specify a maximum of 256 UDP ports for UDP helper.

·          You can specify a maximum of 20 unicast and multicast addresses for UDP helper to convert broadcast packets on an interface.

Configuring UDP helper to convert broadcast to unicast

You can configure UDP helper to convert broadcast packets with specific UDP port numbers to unicast packets.

Upon receiving a UDP broadcast packet, UDP helper uses the configured UDP ports to match the UDP destination port number of the packet.

·          If a match is found, UDP helper duplicates the packet and modifies the destination IP address of the copy to the configured unicast address. Then UDP helper forwards the unicast packet to the unicast address.

·          If no match is found, UDP helper does not process the packet.

To configure UDP helper to convert broadcast to unicast:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enable UDP helper. | udp-helper enable | By default, UDP helper is disabled. |
| 3. Specify a UDP port number. | udp-helper port { port-number \| dns \| netbios-ds \| netbios-ns \| tacacs \| tftp \| time } | By default, no UDP port numbers are specified. |
| 4. Enter interface view. | interface interface-type interface-number | N/A |
| 5. Specify a destination server for UDP helper to convert broadcast to unicast. | udp-helper server ip-address [ global \| vpn-instance vpn-instance-name ] | By default, no destination server is specified. If you specify multiple destination servers, UDP helper creates one copy for each server. Use this command on the interface that receives broadcast packets. |

Configuring UDP helper to convert broadcast to multicast

You can configure UDP helper to convert broadcast packets with specific UDP port numbers to multicast packets.

Upon receiving a UDP broadcast packet, UDP helper uses the configured UDP ports to match the UDP destination port number of the packet.

·          If a match is found, UDP helper duplicates the packet and modifies the destination IP address of the copy to the configured multicast address. Then UDP helper forwards the packet to the multicast group.

·          If no match is found, UDP helper does not process the packet.

To configure UDP helper to convert broadcast to multicast:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enable UDP helper. | udp-helper enable | By default, UDP helper is disabled. |
| 3. Specify a UDP port number. | udp-helper port { port-number \| dns \| netbios-ds \| netbios-ns \| tacacs \| tftp \| time } | By default, no UDP port numbers are specified. |
| 4. Enter interface view. | interface interface-type interface-number | N/A |
| 5. Specify a destination multicast address for UDP helper to convert broadcast to multicast. | udp-helper broadcast-map multicast-address [ acl acl-number ] | By default, no destination multicast address is specified for UDP helper. If you specify multiple multicast addresses, UDP helper creates one copy for each address. Use this command on the interface that receives broadcast packets. |

Displaying and maintaining UDP helper

Execute display commands in any view and reset commands in user view.

| Task | Command |
| --- | --- |
| Display information about broadcast to unicast conversion by UDP helper on an interface. | display udp-helper interface interface-type interface-number |
| Clear packet statistics for UDP helper. | reset udp-helper statistics |

UDP helper configuration examples

Configuring UDP helper to convert broadcast to unicast

Network requirements

As shown in Figure 45, configure UDP helper to convert broadcast to unicast on VLAN-interface 1 of Switch A. This feature enables Switch A to forward broadcast packets with UDP destination port number 55 to the destination server 10.2.1.1/16.

Figure 45 Network diagram

 

Configuration procedure

Make sure Switch A can reach the subnet 10.2.0.0/16.

# Enable UDP helper.

<SwitchA> system-view

[SwitchA] udp-helper enable

# Enable the UDP port 55 for UDP helper.

[SwitchA] udp-helper port 55

# Assign 10.110.1.1/16 to VLAN-interface 1 and enable the interface to forward directed broadcast packets destined for the directly connected network.

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ip address 10.110.1.1 16

[SwitchA-Vlan-interface1] ip forward-broadcast

# Specify the destination server 10.2.1.1 for UDP helper to convert broadcast to unicast on VLAN-interface 1.

[SwitchA-Vlan-interface1] udp-helper server 10.2.1.1

Verifying the configuration

# Display information about broadcast to unicast conversion by UDP helper on VLAN-interface 1.

[SwitchA-Vlan-interface1] display udp-helper interface vlan-interface 1

Interface                Server VPN instance           Server address Packets sent

Vlan-interface1          N/A                           10.2.1.1       5

Configuring UDP helper to convert broadcast to multicast

Network requirements

As shown in Figure 46, VLAN-interface 1 of Switch B can receive multicast packets destined for 225.1.1.1.

Configure UDP helper to convert broadcast to multicast on VLAN-interface 1 of Switch A. This feature enables Switch A to forward broadcast packets with UDP destination port number 55 to the multicast group 225.1.1.1.

Figure 46 Network diagram

 

Configuration procedure

Make sure Switch A can reach the subnet 10.2.0.0/16.

1.        Configure Switch A:

# Enable UDP helper.

<SwitchA> system-view

[SwitchA] udp-helper enable

# Enable the UDP port 55 for UDP helper.

[SwitchA] udp-helper port 55

# Assign 10.110.1.1/16 to VLAN-interface 1 and enable the interface to forward directed broadcast packets destined for the directly connected network.

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ip address 10.110.1.1 16

[SwitchA-Vlan-interface1] ip forward-broadcast

# Configure UDP helper to convert broadcast packets to multicast packets destined for 225.1.1.1.

[SwitchA-Vlan-interface1] udp-helper broadcast-map 225.1.1.1

[SwitchA-Vlan-interface1] quit

# Enable IP multicast routing globally.

[SwitchA] multicast routing

[SwitchA-mrib] quit

# Enable PIM-DM on VLAN-interface 1.

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] pim dm

[SwitchA-Vlan-interface1] quit

# Enable PIM-DM and IGMP on VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] pim dm

[SwitchA-Vlan-interface2] igmp enable

# Configure VLAN-interface 2 as a static member of the multicast group 225.1.1.1.

[SwitchA-Vlan-interface2] igmp static-group 225.1.1.1

2.        Configure Switch B:

# Enable IP multicast routing globally.

<SwitchB> system-view

[SwitchB] multicast routing

[SwitchB-mrib] quit

# Enable PIM-DM and IGMP on VLAN-interface 1.

[SwitchB] interface vlan-interface 1

[SwitchB-Vlan-interface1] pim dm

[SwitchB-Vlan-interface1] igmp enable

# Configure VLAN-interface 1 as a static member of the multicast group 225.1.1.1.

[SwitchB-Vlan-interface1] igmp static-group 225.1.1.1

Verifying the configuration

Verify that you can capture multicast packets from Switch A on Switch B.
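An added example, not part of the H3C guide: an offline check of saved configuration text against the UDP helper restrictions and procedure steps in this chapter (ports 67 and 68, the 256-port and 20-address limits, udp-helper enable, and ip forward-broadcast on the receiving interface). The sample configuration is constructed, the "#" section layout is an assumption, and the function and rule names are hypothetical.

```python
"""Audit Comware-style configuration text for UDP helper misconfigurations."""

MAX_PORTS = 256           # guide: at most 256 UDP ports for UDP helper
MAX_DESTS_PER_IF = 20     # guide: at most 20 unicast and multicast addresses per interface
DHCP_PORTS = {67, 68}     # guide: UDP helper cannot forward DHCP broadcast packets
# Well-known port numbers behind the keywords accepted by "udp-helper port".
KEYWORD_PORTS = {"dns": 53, "netbios-ds": 138, "netbios-ns": 137,
                 "tacacs": 49, "tftp": 69, "time": 37}


def audit_udp_helper(config):
    """Return a list of (rule, subject) findings for the given configuration text."""
    enabled = False
    ports = set()
    interfaces = {}       # interface name -> {"dests": [...], "fwd": bool}
    current = None        # interface whose view the parser is currently in

    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("#", "quit", "return"):
            current = None                      # left the interface view
        elif words[0] == "interface" and len(words) >= 2:
            current = "".join(words[1:])        # "vlan-interface 1" -> "vlan-interface1"
            interfaces.setdefault(current, {"dests": [], "fwd": False})
        elif words[:2] == ["udp-helper", "enable"]:
            enabled = True
        elif words[:2] == ["udp-helper", "port"] and len(words) >= 3:
            port = KEYWORD_PORTS.get(words[2])
            if port is None and words[2].isdigit():
                port = int(words[2])
            if port is not None:
                ports.add(port)
        elif current and words[:2] == ["ip", "forward-broadcast"]:
            interfaces[current]["fwd"] = True
        elif (current and words[0] == "udp-helper" and len(words) >= 3
              and words[1] in ("server", "broadcast-map")):
            interfaces[current]["dests"].append(words[2])

    findings = []
    for port in sorted(ports & DHCP_PORTS):
        findings.append(("dhcp-port", str(port)))
    if len(ports) > MAX_PORTS:
        findings.append(("too-many-ports", str(len(ports))))
    uses_helper = bool(ports) or any(i["dests"] for i in interfaces.values())
    if uses_helper and not enabled:
        findings.append(("helper-not-enabled", "global"))
    for name, info in interfaces.items():
        if len(info["dests"]) > MAX_DESTS_PER_IF:
            findings.append(("too-many-destinations", name))
        if info["dests"] and not info["fwd"]:
            # Without ip forward-broadcast the interface does not receive
            # the directed broadcasts that UDP helper is meant to convert.
            findings.append(("no-forward-broadcast", name))
    return findings


# Constructed sample: port 67 is configured, and Vlan-interface2 has a
# destination but no "ip forward-broadcast".
SAMPLE_CONFIG = """\
#
 udp-helper enable
 udp-helper port 55
 udp-helper port 67
 udp-helper port dns
#
interface Vlan-interface1
 ip address 10.110.1.1 16
 ip forward-broadcast
 udp-helper server 10.2.1.1
#
interface Vlan-interface2
 udp-helper broadcast-map 225.1.1.1
#
"""

if __name__ == "__main__":
    for rule, subject in audit_udp_helper(SAMPLE_CONFIG):
        print(rule, subject)
```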


Configuring basic IPv6 settings

Overview

IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

IPv6 features

Simplified header format

IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header. The basic IPv6 packet header has a fixed length of 40 bytes to simplify IPv6 packet handling and improve forwarding efficiency. Although the IPv6 address size is four times the IPv4 address size, the basic IPv6 packet header size is only twice the size of the option-less IPv4 packet header.

Figure 47 IPv4 packet header format and basic IPv6 packet header format

 

Larger address space

IPv6 can provide 3.4 × 10^38 addresses to meet the requirements of hierarchical address assignment for both public and private networks.

Hierarchical address structure

IPv6 uses a hierarchical address structure to speed up route lookup and reduce the IPv6 routing table size through route aggregation.

Address autoconfiguration

To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration.

·          Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring the DHCPv6 server."

·          Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.

To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).

Built-in security

IPv6 defines extension headers to support IPsec. IPsec provides end-to-end security and enhances interoperability among different IPv6 applications.

QoS support

The Flow Label field in the IPv6 header allows the device to label the packets of a specific flow for special handling.

Enhanced neighbor discovery mechanism

The IPv6 neighbor discovery protocol uses a group of ICMPv6 messages to manage information exchange among neighboring nodes on the same link. The group of ICMPv6 messages replaces ARP messages, ICMPv4 router discovery messages, and ICMPv4 redirect messages and provides a series of other functions.

Flexible extension headers

IPv6 eliminates the Options field in the header and introduces optional extension headers to provide scalability and improve efficiency. The Options field in the IPv4 packet header contains a maximum of 40 bytes, whereas the IPv6 extension headers are restricted to the maximum size of IPv6 packets.

IPv6 addresses

IPv6 address formats

An IPv6 address is written as eight 16-bit groups separated by colons (:). Each group is represented by four hexadecimal digits, for example, 2001:0000:130F:0000:0000:09C0:876A:130B.

To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the following methods:

·          The leading zeros in each group can be removed. For example, the above address can be represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.

·          If an IPv6 address contains one or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, the above address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.

 

IMPORTANT:

A double colon can appear once or not at all in an IPv6 address. This limit allows the device to determine how many zeros the double colon represents and correctly convert it to zeros to restore a 128-bit IPv6 address.

 

An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address.

An IPv6 address prefix is written in IPv6-address/prefix-length notation. The prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address are in the address prefix.

IPv6 address types

IPv6 addresses include the following types:

·          Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.

·          Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.

Broadcast addresses are replaced by multicast addresses in IPv6.

·          Anycast address—An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the nearest interface among the interfaces identified by that address. The nearest interface is chosen according to the routing protocol's measure of distance.

The type of an IPv6 address is designated by the first several bits, called the format prefix.

Table 6 Mappings between address types and format prefixes

| Type | | Format prefix (binary) | IPv6 prefix ID |
| --- | --- | --- | --- |
| Unicast address | Unspecified address | 00...0 (128 bits) | ::/128 |
| | Loopback address | 00...1 (128 bits) | ::1/128 |
| | Link-local address | 1111111010 | FE80::/10 |
| | Global unicast address | Other forms | N/A |
| Multicast address | | 11111111 | FF00::/8 |
| Anycast address | | Anycast addresses use the unicast address space and have the identical structure of unicast addresses. | |

Unicast addresses

Unicast addresses include global unicast addresses, link-local unicast addresses, the loopback address, and the unspecified address.

·          Global unicast addresses—Equivalent to public IPv4 addresses, global unicast addresses are provided for Internet service providers. This type of address allows for prefix aggregation to restrict the number of global routing entries.

·          Link-local addresses—Used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.

·          A loopback address—0:0:0:0:0:0:0:1 (or ::1). It has the same function as the loopback address in IPv4. It cannot be assigned to any physical interface. A node uses this address to send an IPv6 packet to itself.

·          An unspecified address—0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.

Multicast addresses

IPv6 multicast addresses listed in Table 7 are reserved for special purposes.

Table 7 Reserved IPv6 multicast addresses

| Address | Application |
| --- | --- |
| FF01::1 | Node-local scope all-nodes multicast address. |
| FF02::1 | Link-local scope all-nodes multicast address. |
| FF01::2 | Node-local scope all-routers multicast address. |
| FF02::2 | Link-local scope all-routers multicast address. |

Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.

EUI-64 address-based interface identifiers

An interface identifier is 64 bits long and uniquely identifies an interface on a link. Interfaces generate EUI-64 address-based interface identifiers differently.

·          On an IEEE 802 interface (such as an Ethernet interface and a VLAN interface)—The interface identifier is derived from the link-layer address (typically a MAC address) of the interface. The MAC address is 48 bits long.

To obtain an EUI-64 address-based interface identifier, follow these steps:

a.    Insert the 16-bit binary number 1111111111111110 (hexadecimal value of FFFE) behind the 24th high-order bit of the MAC address.

b.    Invert the universal/local (U/L) bit (the seventh high-order bit). This operation makes the interface identifier have the same local or global significance as the MAC address.

Figure 48 Converting a MAC address into an EUI-64 address-based interface identifier

 

·          On a tunnel interface—The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the interface identifier are all zeros. For more information about tunnels, see "Configuring tunneling."

·          On an interface of another type (such as a serial interface)—The EUI-64 address-based interface identifier is generated randomly by the device.
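The MAC-to-EUI-64 steps above and the solicited-node format from the multicast section, worked through as an added example (not H3C code). It also runs the derivation backwards, since an EUI-64 interface identifier exposes the interface's MAC address to anyone who sees the IPv6 address, which is useful for asset inventory and worth knowing for privacy. Function names and the sample MAC address are hypothetical and constructed.

```python
"""EUI-64 interface identifiers, link-local and solicited-node addresses."""
import ipaddress


def parse_mac(mac):
    """Accept 0012-3400-ABCD, 00:12:34:00:ab:cd or 0012.3400.abcd; return 6 bytes."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Step a: insert FFFE after the 24th bit. Step b: invert the U/L bit."""
    m = parse_mac(mac)
    # The U/L bit is the seventh high-order bit, mask 0x02 of the first octet.
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def link_local_address(mac):
    """FE80::/10 prefix, zero padding to 64 bits, then the interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def solicited_node_address(addr):
    """FF02:0:0:0:0:1:FFXX:XXXX, where XX:XXXX is the last 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def mac_from_eui64(addr):
    """Recover the MAC address from an EUI-64 based address, or return None.

    An interface identifier whose middle bytes are not FFFE was not derived
    from a MAC address (for example a manually assigned or random identifier).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    hexmac = mac.hex()
    return "-".join(hexmac[i:i + 4] for i in (0, 4, 8))


if __name__ == "__main__":
    mac = "0012-3400-ABCD"                      # constructed sample MAC address
    ll = link_local_address(mac)
    print("interface ID  :", eui64_interface_id(mac).hex())
    print("link-local    :", ll)
    print("solicited-node:", solicited_node_address(ll))
    print("MAC recovered :", mac_from_eui64(ll))
    # The example address used earlier in this section:
    print(solicited_node_address("2001:0000:130F:0000:0000:09C0:876A:130B"))
```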

IPv6 ND protocol

The IPv6 Neighbor Discovery (ND) protocol uses the following ICMPv6 messages:

Table 8 ICMPv6 messages used by ND

| ICMPv6 message | Type | Function |
| --- | --- | --- |
| Neighbor Solicitation (NS) | 135 | Acquires the link-layer address of a neighbor. Verifies whether a neighbor is reachable. Detects duplicate addresses. |
| Neighbor Advertisement (NA) | 136 | Responds to an NS message. Notifies the neighboring nodes of link layer changes. |
| Router Solicitation (RS) | 133 | Requests an address prefix and other configuration information for autoconfiguration after startup. |
| Router Advertisement (RA) | 134 | Responds to an RS message. Advertises information, such as the Prefix Information options and flag bits. |
| Redirect | 137 | Informs the source host of a better next hop on the path to a particular destination when certain conditions are met. |

Address resolution

This function is similar to ARP in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA messages. Figure 49 shows how Host A acquires the link-layer address of Host B on the same link.

Figure 49 Address resolution

 

The address resolution procedure is as follows:

1.        Host A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of Host A. The destination address is the solicited-node multicast address of Host B. The NS message body contains the link-layer address of Host A and the target IPv6 address.

2.        After receiving the NS message, Host B determines whether the target address of the packet is its IPv6 address. If it is, Host B learns the link-layer address of Host A, and then unicasts an NA message containing its link-layer address.

3.        Host A acquires the link-layer address of Host B from the NA message.

Neighbor reachability detection

After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages to test reachability of Host B as follows:

1.        Host A sends an NS message whose destination address is the IPv6 address of Host B.

2.        If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable.

Duplicate address detection

After Host A acquires an IPv6 address, it performs Duplicate Address Detection (DAD) to check whether the address is being used by any other node. This is similar to gratuitous ARP in IPv4. DAD is accomplished through NS and NA messages.

Figure 50 Duplicate address detection

 

1.        Host A sends an NS message. The source address is the unspecified address and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message body contains the detected IPv6 address.

2.        If Host B uses this IPv6 address, Host B returns an NA message that contains its IPv6 address.

3.        Host A knows that the IPv6 address is being used by Host B after receiving the NA message from Host B. If Host A receives no NA message, it decides that the IPv6 address is not in use and uses this address.

Router/prefix discovery and stateless address autoconfiguration

A node performs router/prefix discovery and stateless address autoconfiguration as follows:

1.        At startup, a node sends an RS message to request configuration information from a router.

2.        The router returns an RA message containing the Prefix Information option and other configuration information. (The router also periodically sends an RA message.)

3.        The node automatically generates an IPv6 address and other configuration parameters according to the configuration information in the RA message.

The Prefix Information option contains an address prefix and the preferred lifetime and valid lifetime of the address prefix. A node updates the preferred lifetime and valid lifetime upon receiving a periodic RA message.

The generated IPv6 address is valid within the valid lifetime and becomes invalid when the valid lifetime expires.

After the preferred lifetime expires, the node cannot use the generated IPv6 address to establish new connections, but can receive packets destined for the IPv6 address. The preferred lifetime cannot be greater than the valid lifetime.

Redirection

Upon receiving a packet from a host, the gateway sends an ICMPv6 redirect message to inform the host of a better next hop when the following conditions are met:

·          The interface receiving the packet is the same as the interface forwarding the packet.

·          The selected route is not created or modified by an ICMPv6 redirect message.

·          The selected route is not a default route on the device.

·          The forwarded IPv6 packet does not contain the routing extension header.

IPv6 path MTU discovery

The links that a packet passes from a source to a destination can have different MTUs, among which the minimum MTU is the path MTU. If a packet exceeds the path MTU, the source end fragments the packet to reduce the processing pressure on intermediate devices and to use network resources effectively.

A source end uses path MTU discovery to find the path MTU to a destination, as shown in Figure 51.

Figure 51 Path MTU discovery process

 

1.        The source host sends a packet no larger than its MTU to the destination host.

2.        If the MTU of a device's output interface is smaller than the packet, the device performs the following operations:

○  Discards the packet.

○  Returns an ICMPv6 error message containing the interface MTU to the source host.

3.        Upon receiving the ICMPv6 error message, the source host performs the following operations:

○  Uses the returned MTU to limit the packet size.

○  Performs fragmentation.

○  Sends the fragments to the destination host.

4.        Step 2 and step 3 are repeated until the destination host receives the packet. In this way, the source host finds the minimum MTU of all links in the path to the destination host.

IPv6 transition technologies

IPv6 transition technologies enable communication between IPv4 and IPv6 networks. The following IPv6 transition technologies can be used for different applications:

·          Dual stack (RFC 2893)

·          Tunneling (RFC 2893)

·          IPv6 on the provider edge routers (6PE)

Dual stack

Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is a dual-stack node. A dual-stack node configured with an IPv4 address and an IPv6 address can forward both IPv4 and IPv6 packets. An application that supports both IPv4 and IPv6 prefers IPv6 at the network layer.

Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual-stack node must have a globally unique IPv4 address.

Tunneling

Tunneling uses one network protocol to encapsulate the packets of another network protocol and transfers them over the network. For more information about tunneling, see "Configuring tunneling."

6PE

6PE enables communication between isolated IPv6 networks over an IPv4 backbone network.

6PE adds labels to the IPv6 routing information about customer networks and advertises the information into the IPv4 backbone network over internal Border Gateway Protocol (IBGP) sessions. IPv6 packets are labeled and forwarded over tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS LSPs.

Figure 52 Network diagram

 

6PE is a highly efficient solution. When an ISP wants to utilize the existing IPv4/MPLS network to provide IPv6 traffic switching, it only needs to upgrade the PE routers. In addition, the operation risk of 6PE is very low. For more information about 6PE, see Layer 3—IP Routing Configuration Guide.

Protocols and standards

Protocols and standards related to IPv6 include:

·          RFC 1881, IPv6 Address Allocation Management

·          RFC 1887, An Architecture for IPv6 Unicast Address Allocation

·          RFC 1981, Path MTU Discovery for IP version 6

·          RFC 2375, IPv6 Multicast Address Assignments

·          RFC 2460, Internet Protocol, Version 6 (IPv6) Specification

·          RFC 2464, Transmission of IPv6 Packets over Ethernet Networks

·          RFC 2526, Reserved IPv6 Subnet Anycast Addresses

·          RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses

·          RFC 4191, Default Router Preferences and More-Specific Routes

·          RFC 4291, IP Version 6 Addressing Architecture

·          RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification

·          RFC 4861, Neighbor Discovery for IP Version 6 (IPv6)

·          RFC 4862, IPv6 Stateless Address Autoconfiguration

IPv6 basics configuration task list

Tasks at a glance

(Required.) Assigning IPv6 addresses to interfaces:

·         Configuring an IPv6 global unicast address

·         Configuring an IPv6 link-local address

·         Configuring an IPv6 anycast address

(Optional.) Configuring IPv6 ND:

·         Configuring a static neighbor entry

·         Setting the maximum number of dynamic neighbor entries

·         Setting the aging timer for ND entries in stale state

·         Minimizing link-local ND entries

·         Setting the hop limit

·         Configuring parameters for RA messages

·         Setting the maximum number of attempts to send an NS message for DAD

·         Enabling ND proxy

·         Configuring a customer-side port

(Optional.) Configuring path MTU discovery:

·         Setting the interface MTU

·         Setting a static path MTU for an IPv6 address

·         Setting the aging time for dynamic path MTUs

(Optional.) Controlling sending ICMPv6 messages:

·         Configuring the rate limit for ICMPv6 error messages

·         Enabling replying to multicast echo requests

·         Enabling sending ICMPv6 destination unreachable messages

·         Enabling sending ICMPv6 time exceeded messages

·         Enabling sending ICMPv6 redirect messages

·         Specifying the source address for ICMPv6 packets

(Optional.) Enabling IPv6 local fragment reassembly

(Optional.) Enabling a device to discard IPv6 packets that contain extension headers

 

Assigning IPv6 addresses to interfaces

This section describes how to configure an IPv6 global unicast address, an IPv6 link-local address, and an IPv6 anycast address.

Configuring an IPv6 global unicast address

Use one of the following methods to configure an IPv6 global unicast address for an interface:

·          EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface ID is generated automatically by the interface.

·          Manual configuration—The IPv6 global unicast address is manually configured.

·          Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.

·          Prefix-specific address autoconfiguration—The IPv6 global unicast address is generated automatically based on the prefix specified by its ID. The prefix can be manually configured or obtained through DHCPv6.

You can configure multiple IPv6 global unicast addresses on an interface.

Manually configured global unicast addresses (including EUI-64 IPv6 addresses) take precedence over automatically generated ones. If you manually configure a global unicast address with the same address prefix as an existing global unicast address on an interface, the manually configured one takes effect. However, it does not overwrite the automatically generated address. If you delete the manually configured global unicast address, the device uses the automatically generated one.

EUI-64 IPv6 address

To configure an interface to generate an EUI-64 IPv6 address:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Configure the interface to generate an EUI-64 IPv6 address.

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

By default, no EUI-64 IPv6 address is configured on an interface.

 

Manual configuration

To configure an IPv6 global unicast address for an interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Configure an IPv6 global unicast address for the interface.

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

By default, no IPv6 global unicast address is configured on an interface.

 

Stateless address autoconfiguration

To configure an interface to generate an IPv6 address through stateless address autoconfiguration:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable stateless address autoconfiguration on an interface, so that the interface can automatically generate a global unicast address.

ipv6 address auto

By default, the stateless address autoconfiguration feature is disabled on an interface.

Using the undo ipv6 address auto command on an interface deletes all IPv6 global unicast addresses and link-local addresses that are automatically generated on the interface.

 

After this configuration is completed, the interface automatically generates an IPv6 global unicast address by using the address prefix in the received RA message and the interface ID. On an IEEE 802 interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated based on the interface's MAC address and is globally unique. Because the interface ID stays the same regardless of the prefix in use, an attacker can exploit this rule to identify the sending device easily.

To fix the vulnerability, you can configure the temporary address feature. With this feature, an IEEE 802 interface generates the following addresses:

·          Public IPv6 address—Includes the address prefix in the RA message and a fixed interface ID generated based on the MAC address of the interface.

·          Temporary IPv6 address—Includes the address prefix in the RA message and a random interface ID generated through MD5.

You can also configure the interface to preferentially use the temporary IPv6 address as the source address of sent packets. When the valid lifetime of the temporary IPv6 address expires, the interface deletes the address and generates a new one. This feature enables the system to send packets with different source addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD conflict, the public IPv6 address is used.

The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:

·          The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:

    ·  The preferred lifetime of the address prefix in the RA message.

    ·  The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number in the range of 0 to 600 seconds).

·          The valid lifetime of a temporary IPv6 address takes the smaller of the following values:

    ·  The valid lifetime of the address prefix.

    ·  The valid lifetime configured for temporary IPv6 addresses.

To configure the temporary address feature:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the temporary IPv6 address feature.

ipv6 temporary-address [ valid-lifetime preferred-lifetime ]

By default, the temporary IPv6 address feature is disabled.

3.       Enable the system to preferentially use the temporary IPv6 address as the source address of the packet.

ipv6 prefer temporary-address

By default, the system does not preferentially use the temporary IPv6 address as the source address of the packet.

 

To generate a temporary address, an interface must be enabled with stateless address autoconfiguration. Temporary IPv6 addresses do not overwrite public IPv6 addresses, so an interface can have multiple IPv6 addresses with the same address prefix but different interface IDs.

If an interface fails to generate a public IPv6 address because of a prefix conflict or other reasons, it does not generate any temporary IPv6 address.
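The following added example (not part of the original guide) shows why a MAC-derived interface ID identifies a device across prefixes, and applies the two lifetime rules above. The MAC address, prefixes, observed addresses, and configured lifetimes are constructed sample values.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address hold the interface ID


def eui64_interface_id(mac):
    """Build the MAC-derived interface ID: insert FF:FE mid-MAC, flip the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def public_address(prefix, mac):
    """Address an interface forms from an RA prefix (/64) and its MAC-derived ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("a MAC-derived interface ID needs a /64 prefix")
    return net[eui64_interface_id(mac)]


def leaked_mac(address):
    """Return the MAC an address reveals, or None if the ID is not MAC-derived.

    A random ID can contain FF:FE by chance (about 1 in 65536), so treat a
    single hit as a hint and repeated hits as evidence.
    """
    iid = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


def correlate_by_mac(addresses):
    """Group observed source addresses by the MAC they reveal."""
    seen = {}
    for address in addresses:
        mac = leaked_mac(address)
        if mac is not None:
            seen.setdefault(mac, []).append(address)
    return seen


def temporary_lifetimes(prefix_valid, prefix_preferred,
                        cfg_valid, cfg_preferred, desync_factor):
    """Apply the two 'smaller of' rules; all values are in seconds."""
    if not 0 <= desync_factor <= 600:
        raise ValueError("DESYNC_FACTOR is in the range of 0 to 600 seconds")
    preferred = min(prefix_preferred, cfg_preferred - desync_factor)
    valid = min(prefix_valid, cfg_valid)
    return valid, preferred


# Constructed sample: one device seen behind two different RA prefixes,
# plus one address with a random interface ID, as a temporary address has.
SAMPLE_MAC = "00:11:22:33:44:55"
OBSERVED = [
    str(public_address("2001:db8:1:2::/64", SAMPLE_MAC)),
    str(public_address("2001:db8:a:b::/64", SAMPLE_MAC)),
    "2001:db8:1:2:5c1d:9a3e:77b0:42f1",
]

if __name__ == "__main__":
    for mac, addrs in correlate_by_mac(OBSERVED).items():
        print(mac, "->", addrs)
    # Prefix lifetimes 2592000/604800 s; configured 604800/86400 s (assumed values).
    print(temporary_lifetimes(2592000, 604800, 604800, 86400, desync_factor=300))
```

Both public addresses map back to the same MAC, while the address with the random interface ID reveals nothing. This is the correlation that preferring temporary addresses as the source address removes.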

Prefix-specific address autoconfiguration

This task allows you to specify an IPv6 prefix for an interface to automatically generate an IPv6 global unicast address and advertise the prefix. You must specify the IPv6 prefix by its ID.

To specify an IPv6 prefix for an interface to generate an IPv6 address and advertise the prefix:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure an IPv6 prefix.

·         (Method 1) Configure a static IPv6 prefix:
ipv6 prefix prefix-number ipv6-prefix/prefix-length

·         (Method 2) Use DHCPv6 to obtain a dynamic IPv6 prefix:
For more information about IPv6 prefix acquisition, see "Configuring the DHCPv6 client."

By default, no static or dynamic IPv6 prefixes exist.

3.       Enter interface view.

interface interface-type interface-number

N/A

4.       Specify an IPv6 prefix for an interface to automatically generate an IPv6 global unicast address and advertise the prefix.

ipv6 address prefix-number sub-prefix/prefix-length

By default, no IPv6 prefix is specified for the interface to automatically generate an IPv6 global unicast address.

 

Configuring an IPv6 link-local address

Configure IPv6 link-local addresses using one of the following methods:

·          Automatic generation—The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.

·          Manual assignment—Manually configure an IPv6 link-local address for an interface.

An interface can have only one link-local address. As a best practice, use the automatic generation method to avoid link-local address conflicts. If both methods are used, the manual assignment takes precedence.

·          If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.

·          If you first use manual assignment and then automatic generation, both of the following occur:

    ·  The link-local address is still the manually assigned one.

    ·  The automatically generated link-local address does not take effect. If you delete the manually assigned address, the automatically generated link-local address takes effect.

Configuring automatic generation of an IPv6 link-local address for an interface

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Configure the interface to automatically generate an IPv6 link-local address.

ipv6 address auto link-local

By default, no link-local address is configured on an interface.

After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.

 

Manually specifying an IPv6 link-local address for an interface

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Manually specify an IPv6 link-local address for the interface.

ipv6 address ipv6-address link-local

By default, no link-local address is configured on an interface.

 

After you configure an IPv6 global unicast address for an interface, the interface automatically generates a link-local address. The automatically generated link-local address is the same as the one generated by using the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface, this manual link-local address takes effect. If the manually assigned link-local address is deleted, the automatically generated link-local address takes effect.

Using the undo ipv6 address auto link-local command on an interface only deletes the link-local address generated by the ipv6 address auto link-local command. If the interface has an IPv6 global unicast address, it still has a link-local address. If the interface has no IPv6 global unicast address, it has no link-local address.

Configuring an IPv6 anycast address

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Configure an IPv6 anycast address.

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

By default, no IPv6 anycast address is configured on an interface.

 

Configuring IPv6 ND

This section describes how to configure IPv6 ND.

Configuring a static neighbor entry

A neighbor entry stores information about a link-local node. The entry can be created dynamically through NS and NA messages, or configured statically.

The device uniquely identifies a static neighbor entry by the IPv6 address and the local Layer 3 interface number of the neighbor. You can configure a static neighbor entry by using one of the following methods:

·          Method 1—Associate a neighbor's IPv6 address and link-layer address with the local Layer 3 interface.

If you use Method 1, the device automatically finds the Layer 2 port connected to the neighbor.

·          Method 2—Associate a neighbor's IPv6 address and link-layer address with a Layer 2 port in a VLAN.

If you use Method 2, make sure the Layer 2 port belongs to the specified VLAN and the corresponding VLAN interface already exists. The device associates the VLAN interface with the neighbor IPv6 address to identify the static neighbor entry.

To configure a static neighbor entry:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure a static neighbor entry.

ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } [ vpn-instance vpn-instance-name ]

By default, no static neighbor entries exist.

 

Setting the maximum number of dynamic neighbor entries

The device can dynamically acquire the link-layer address of a neighboring node through NS and NA messages and add it into the neighbor table. When the number of dynamic neighbor entries reaches the threshold, the interface stops learning neighbor information. To prevent an interface from occupying too many neighbor table resources, you can set the maximum number of dynamic neighbors that an interface can learn.

To set the maximum number of dynamic neighbor entries:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Set the maximum number of dynamic neighbor entries that the interface can learn.

ipv6 neighbors max-learning-num max-number

By default, an interface can learn a maximum of 1048576 dynamic neighbor entries.

 

Setting the aging timer for ND entries in stale state

ND entries in stale state have an aging timer. If an ND entry in stale state is not refreshed before the timer expires, the ND entry changes to the delay state. If it is still not refreshed in 5 seconds, the ND entry changes to the probe state, and the device sends an NS message three times. If no response is received, the device deletes the ND entry.

To set the aging timer for ND entries in stale state:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the aging timer for ND entries in stale state.

ipv6 neighbor stale-aging aging-time

The default setting is 240 minutes.

 

Minimizing link-local ND entries

Perform this task to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries that contain link-local addresses.

By default, the device assigns all ND entries to the driver. With this feature enabled, the device does not add to the driver any newly learned link-local ND entry whose link-local address is not the next hop of a route. This saves driver resources.

This feature takes effect only on newly learned link-local ND entries.

To minimize link-local ND entries:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Minimize link-local ND entries.

ipv6 neighbor link-local minimize

By default, the device assigns all ND entries to the driver.

 

Setting the hop limit

The device advertises the hop limit in RA messages. All RA message receivers use the advertised value to fill in the Hop Limit field for IPv6 packets to be sent. To stop the device from advertising the hop limit, use the ipv6 nd ra hop-limit unspecified command.

To set the hop limit:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the Hop Limit field in the IP header.

ipv6 hop-limit value

The default setting is 64.

 

Configuring parameters for RA messages

You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 9 describes the configurable parameters in an RA message.

Table 9 Parameters in an RA message and their descriptions

Parameter

Description

Hop Limit

Maximum number of hops in RA messages. A host receiving the RA message fills the value in the Hop Limit field of sent IPv6 packets.

Prefix information

After receiving the prefix information, the hosts on the same link can perform stateless autoconfiguration.

MTU

Guarantees that all nodes on the link use the same MTU.

M flag

Determines whether a host uses stateful autoconfiguration to obtain an IPv6 address.

If the M flag is set to 1, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain an IPv6 address. Otherwise, the host uses stateless autoconfiguration to generate an IPv6 address according to its link-layer address and the prefix information in the RA message.

O flag

Determines whether a host uses stateful autoconfiguration to obtain configuration information other than IPv6 address.

If the O flag is set to 1, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than IPv6 address. Otherwise, the host uses stateless autoconfiguration.

Router Lifetime

Tells the receiving hosts how long the advertising router can live. If the lifetime of a router is 0, the router cannot be used as the default gateway.

Retrans Timer

If the device does not receive a response message within the specified time after sending an NS message, it retransmits the NS message.

Reachable Time

If the neighbor reachability detection shows that a neighbor is reachable, the device considers the neighbor reachable within the specified reachable time. If the device needs to send a packet to the neighbor after the specified reachable time expires, the device reconfirms whether the neighbor is reachable.

Router Preference

Specifies the router preference in an RA message. A host selects a router as the default gateway according to the router preference. If router preferences are the same, the host selects the router from which the first RA message is received.

 

The maximum interval for sending RA messages should be less than (or equal to) the router lifetime in RA messages. In this way, the router can be updated by an RA message before expiration.

The values of the NS retransmission timer and the reachable time configured for an interface are sent in RA messages to hosts. This interface sends NS messages at the interval of the NS retransmission timer and considers a neighbor reachable within the reachable time.

Enabling sending of RA messages

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable sending of RA messages.

undo ipv6 nd ra halt

The default setting is disabled.

4.       Set the maximum and minimum intervals for sending RA messages.

ipv6 nd ra interval max-interval min-interval

By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds.

The device sends RA messages at random intervals between the maximum interval and the minimum interval.

The minimum interval should be less than or equal to 0.75 times the maximum interval.

 

Configuring parameters for RA messages

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Configure the prefix information in RA messages.

ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } [ valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] * | no-advertise ]

By default, no prefix information is configured for RA messages, and the IPv6 address of the interface sending RA messages is used as the prefix information. If the IPv6 address is manually configured, the prefix uses a fixed valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days). If the IPv6 address is automatically obtained, the prefix uses the valid lifetime and preferred lifetime configured for the IPv6 address.

4.       Configure the default settings for prefixes advertised in RA messages.

ipv6 nd ra prefix default [ valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] * | no-advertise ]

By default, no default settings are configured for prefixes advertised in RA messages.

5.       Turn off the MTU option in RA messages.

ipv6 nd ra no-advlinkmtu

By default, RA messages contain the MTU option.

6.       Specify unlimited hops in RA messages.

ipv6 nd ra hop-limit unspecified

By default, the maximum number of hops in RA messages is 64.

7.       Set the M flag bit to 1.

ipv6 nd autoconfig managed-address-flag

By default, the M flag bit is set to 0 in RA advertisements. Hosts receiving the advertisements will obtain IPv6 addresses through stateless autoconfiguration.

8.       Set the O flag bit to 1.

ipv6 nd autoconfig other-flag

By default, the O flag bit is set to 0 in RA advertisements. Hosts receiving the advertisements will acquire other configuration information through stateless autoconfiguration.

9.       Set the router lifetime in RA messages.

ipv6 nd ra router-lifetime time

By default, the router lifetime is 1800 seconds.

10.     Set the NS retransmission timer.

ipv6 nd ns retrans-timer value

By default, an interface sends NS messages every 1000 milliseconds, and the value of the Retrans Timer field in RA messages is 0.

11.     Set the router preference in RA messages.

ipv6 nd router-preference { high | low | medium }

By default, the router preference is medium.

12.     Set the reachable time.

ipv6 nd nud reachable-time time

By default, the neighbor reachable time is 30000 milliseconds, and the value of the Reachable Time field in sent RA messages is 0.

 

Setting the maximum number of attempts to send an NS message for DAD

An interface sends an NS message for DAD for an obtained IPv6 address. The interface resends the NS message if it does not receive a response within the time specified by the ipv6 nd ns retrans-timer command. If the interface receives no response after making the maximum attempts specified by the ipv6 nd dad attempts command, the interface uses the IPv6 address.

To set the maximum number of attempts to send an NS message for DAD:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Set the number of attempts to send an NS message for DAD.

ipv6 nd dad attempts interval

The default setting is 1. When the interval argument is set to 0, DAD is disabled.
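The following added example (not part of the original guide) audits interface settings against the constraints stated in the RA and DAD sections above, using the defaults given in the tables. The configuration text and its stanza layout are constructed, and skipping the interval check when the router lifetime is 0 is an assumption.

```python
# Defaults as stated in the tables above.
RA_DEFAULTS = {
    "ra_enabled": False,      # RA sending stays off until "undo ipv6 nd ra halt"
    "max_interval": 600,      # seconds
    "min_interval": 200,      # seconds
    "router_lifetime": 1800,  # seconds
    "dad_attempts": 1,
}


def parse_interfaces(config_text):
    """Collect RA and DAD settings per interface from configuration text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words == ["#"]:
            current = None                      # end of an interface stanza
        elif words[0] == "interface":
            name = " ".join(words[1:])
            current = interfaces.setdefault(name, dict(RA_DEFAULTS))
        elif current is None:
            continue                            # line outside interface view
        elif words == ["undo", "ipv6", "nd", "ra", "halt"]:
            current["ra_enabled"] = True
        elif words[:4] == ["ipv6", "nd", "ra", "interval"] and len(words) == 6:
            current["max_interval"] = int(words[4])
            current["min_interval"] = int(words[5])
        elif words[:4] == ["ipv6", "nd", "ra", "router-lifetime"] and len(words) == 5:
            current["router_lifetime"] = int(words[4])
        elif words[:4] == ["ipv6", "nd", "dad", "attempts"] and len(words) == 5:
            current["dad_attempts"] = int(words[4])
    return interfaces


def audit(config_text):
    """Return (interface, finding) pairs for settings that break the stated rules."""
    findings = []
    for name, s in parse_interfaces(config_text).items():
        if s["ra_enabled"]:
            # Maximum RA interval should not exceed the router lifetime.
            # Assumption: lifetime 0 (not a default gateway) is exempt.
            if s["router_lifetime"] != 0 and s["max_interval"] > s["router_lifetime"]:
                findings.append((name, "ra-interval-exceeds-router-lifetime"))
            # Minimum interval should be at most 0.75 times the maximum.
            if s["min_interval"] > 0.75 * s["max_interval"]:
                findings.append((name, "ra-min-interval-above-0.75-max"))
        # Zero attempts disables duplicate address detection.
        if s["dad_attempts"] == 0:
            findings.append((name, "dad-disabled"))
    return findings


# Constructed sample configuration (layout is an assumption, not device output).
SAMPLE_CONFIG = """\
interface HundredGigE1/0/1
 undo ipv6 nd ra halt
 ipv6 nd ra interval 600 500
 ipv6 nd ra router-lifetime 300
#
interface HundredGigE1/0/2
 undo ipv6 nd ra halt
 ipv6 nd dad attempts 0
#
interface Vlan-interface10
 ipv6 nd ra interval 1800 1700
 ipv6 nd ra router-lifetime 600
#
"""

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Vlan-interface10 produces no finding because RA sending is still halted there, so its interval settings are never advertised.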

 

Enabling ND proxy

About ND proxy

ND proxy enables a device to answer an NS message requesting the hardware address of a host on another network. With ND proxy, hosts in different broadcast domains can communicate with each other as they would on the same network.

ND proxy includes common ND proxy and local ND proxy.

·          Common ND proxy.

As shown in Figure 53, HundredGigE 1/0/1 with IPv6 address 4:1::99/64 and HundredGigE 1/0/2 with IPv6 address 4:2::99/64 belong to different subnets. Host A and Host B reside on the same network but in different broadcast domains.

Figure 53 Application environment of ND proxy

Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they belong to different broadcast domains.

To solve this problem, enable common ND proxy on HundredGigE 1/0/1 and HundredGigE 1/0/2 of the router. The router replies to the NS message from Host A, and forwards packets from other hosts to Host B.

·          Local ND proxy.

As shown in Figure 54, Host A belongs to VLAN 2 and Host B belongs to VLAN 3. Host A and Host B connect to HundredGigE 1/0/1 and HundredGigE 1/0/3, respectively.

Figure 54 Application environment of local ND proxy

Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they belong to different VLANs.

To solve this problem, enable local ND proxy on HundredGigE 1/0/2 of the router so that the router can forward messages between Host A and Host B.

Local ND proxy implements Layer 3 communication for two hosts in the following cases:

    ·  The two hosts connect to ports of the same device and the ports are in different VLANs.

    ·  The two hosts connect to isolated Layer 2 ports in the same isolation group of a VLAN.

Configuration procedure

You can enable common ND proxy and local ND proxy in VLAN interface view, Layer 3 Ethernet interface view, or Layer 3 Ethernet subinterface view.

To enable common ND proxy:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable common ND proxy.

proxy-nd enable

By default, common ND proxy is disabled.

 

To enable local ND proxy:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable local ND proxy.

local-proxy-nd enable

By default, local ND proxy is disabled.

 

Configuring a customer-side port

By default, the device associates an ND entry with routing information when the device learns the ND entry. The ND entry provides the next hop information for routing. To save hardware resources, you can specify a port that connects a user terminal as a customer-side port. The device will not associate the routing information with the ND entries learned on that port.

To configure a customer-side port:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Specify the VLAN interface as a customer-side port.

ipv6 nd mode uni

By default, a port acts as a network-side port.

 

Configuring path MTU discovery

Setting the interface MTU for IPv6 packets

If the size of a packet exceeds the MTU of the sending interface, the device discards the packet. If the device is an intermediate device, it also sends the source host an ICMPv6 Packet Too Big message with the MTU of the sending interface. The source host fragments the packets according to the MTU. To avoid this situation, set a proper interface MTU.

To set the interface MTU for IPv6 packets:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Set the interface MTU for IPv6 packets.

ipv6 mtu size

By default, no interface MTU is set.

 

Setting a static path MTU for an IPv6 address

You can set a static path MTU for an IPv6 address. Before sending a packet to the IPv6 address, the device compares the MTU of the output interface with the static path MTU. If the packet exceeds the smaller one of the two values, the device fragments the packet according to the smaller value. After sending the fragmented packets, the device dynamically finds the path MTU to a destination host (see "IPv6 path MTU discovery").

To set a static path MTU for a destination IPv6 address:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set a static path MTU for a destination IPv6 address.

ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address value

By default, no path MTU is set for any IPv6 address.

 

Setting the aging time for dynamic path MTUs

After the device dynamically finds the path MTU to a destination host (see "IPv6 path MTU discovery"), it performs the following operations:

·          Sends packets to the destination host based on the path MTU.

·          Starts the aging timer.

When the aging timer expires, the device removes the dynamic path MTU and finds the path MTU again.

To set the aging time for dynamic path MTUs:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the aging time for dynamic path MTUs.

ipv6 pathmtu age age-time

The default setting is 10 minutes.

The aging time is invalid for a static path MTU.

 

Controlling sending ICMPv6 messages

This section describes how to configure ICMPv6 message sending.

Configuring the rate limit for ICMPv6 error messages

To avoid sending excessive ICMPv6 error messages within a short period that might cause network congestion, you can limit the rate at which ICMPv6 error messages are sent. A token bucket algorithm is used with one token representing one ICMPv6 error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMPv6 error message is sent. When the bucket is empty, ICMPv6 error messages are not sent until a new token is placed in the bucket.

To configure the rate limit for ICMPv6 error messages:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the bucket size and the interval for tokens to arrive in the bucket for ICMPv6 error messages.

ipv6 icmpv6 error-interval interval [ bucketsize ]

By default, the bucket allows a maximum of 10 tokens. A token is placed in the bucket at an interval of 100 milliseconds.

To disable the ICMPv6 rate limit, set the interval to 0 milliseconds.
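The following added example (not part of the original guide) simulates the token bucket described above with the default interval of 100 milliseconds and bucket size of 10. The class and function names are hypothetical, the packet timings are constructed, and starting with a full bucket is an assumption.

```python
class Icmpv6ErrorLimiter:
    """Token bucket for ICMPv6 error messages: one token per message sent."""

    def __init__(self, interval_ms=100, bucket_size=10):
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size      # assumption: the bucket starts full
        self.last_refill_ms = 0

    def allow(self, now_ms):
        """Return True if an error message may be sent at time now_ms."""
        if self.interval_ms == 0:      # interval 0 disables the rate limit
            return True
        # One token arrives per elapsed interval, up to the bucket size.
        arrived = (now_ms - self.last_refill_ms) // self.interval_ms
        if arrived > 0:
            self.tokens = min(self.bucket_size, self.tokens + arrived)
            self.last_refill_ms += arrived * self.interval_ms
        if self.tokens == 0:
            return False               # bucket empty: the error is not sent
        self.tokens -= 1
        return True


def errors_sent(limiter, trigger_times_ms):
    """Count how many error-triggering packets actually produce a message."""
    return sum(1 for t in trigger_times_ms if limiter.allow(t))


def worst_case_sent(interval_ms, bucket_size, window_ms):
    """Upper bound on messages in a window; None means unlimited."""
    if interval_ms == 0:
        return None
    return bucket_size + window_ms // interval_ms


# Constructed load: one error-triggering packet every millisecond for 1 second.
FLOOD = range(0, 1000)

if __name__ == "__main__":
    print("default limit :", errors_sent(Icmpv6ErrorLimiter(100, 10), FLOOD))
    print("limit disabled:", errors_sent(Icmpv6ErrorLimiter(0, 10), FLOOD))
    print("bound for 1 s :", worst_case_sent(100, 10, 1000))
```

With the defaults, the burst drains the 10 initial tokens and then one message is sent per 100 milliseconds, so the bucket size sets the burst and the interval sets the sustained rate.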

 

Enabling replying to multicast echo requests

The device does not respond to multicast echo requests by default. In some scenarios, you must enable the device to answer multicast echo requests so the source host can obtain needed information.

To enable the device to answer multicast echo requests:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable replying to multicast echo requests.

ipv6 icmpv6 multicast-echo-reply enable

By default, this feature is disabled.

 

Enabling sending ICMPv6 destination unreachable messages

The device sends the source the following ICMPv6 destination unreachable messages:

·          ICMPv6 No Route to Destination message—A packet to be forwarded does not match any route.

·          ICMPv6 Communication with Destination Administratively Prohibited message—An administrative prohibition is preventing successful communication with the destination. This is typically caused by a firewall or an ACL on the device.

·          ICMPv6 Beyond Scope of Source Address message—The destination is beyond the scope of the source IPv6 address. For example, a packet's source IPv6 address is a link-local address, and its destination IPv6 address is a global unicast address.

·          ICMPv6 Address Unreachable message—The device fails to resolve the link layer address for the destination IPv6 address of a packet.

·          ICMPv6 Port Unreachable message—No port process on the destination device exists for a received UDP packet.

If a device is generating ICMPv6 destination unreachable messages incorrectly, disable sending ICMPv6 destination unreachable messages to reduce the risk of attacks.

To enable sending ICMPv6 destination unreachable messages:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable sending ICMPv6 destination unreachable messages.

ipv6 unreachables enable

By default, this feature is disabled.

 

Enabling sending ICMPv6 time exceeded messages

The device sends the source ICMPv6 time exceeded messages as follows:

·          If a received packet is not destined for the device and its hop limit is 1, the device sends an ICMPv6 hop limit exceeded in transit message to the source.

·          Upon receiving the first fragment of an IPv6 datagram destined for the device, the device starts a timer. If the timer expires before all the fragments arrive, the device sends an ICMPv6 fragment reassembly time exceeded message to the source.

If the device receives large numbers of malicious packets, its performance degrades greatly because it must send back ICMPv6 time exceeded messages. To prevent such attacks, disable sending ICMPv6 time exceeded messages.

To enable sending ICMPv6 time exceeded messages:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable sending ICMPv6 time exceeded messages.

ipv6 hoplimit-expires enable

The default setting is disabled.

 

Enabling sending ICMPv6 redirect messages

Upon receiving a packet from a host, the device sends an ICMPv6 redirect message to inform the host of a better next hop when the following conditions are met:

·          The interface receiving the packet is the interface forwarding the packet.

·          The selected route is not created or modified by any ICMPv6 redirect messages.

·          The selected route is not a default route.

·          The forwarded packet does not contain the routing extension header.

The ICMPv6 redirect feature simplifies host management by enabling hosts that hold few routes to optimize their routing table gradually. However, to avoid adding too many routes on hosts, this feature is disabled by default.

To enable sending ICMPv6 redirect messages:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable sending ICMPv6 redirect messages.

ipv6 redirects enable

By default, sending ICMPv6 redirect messages is disabled.
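A configuration check for the ICMPv6 settings covered so far, as an added example that is not part of the H3C guide: it scans a saved configuration for the commands that move the device away from the defaults stated above and reports the effective error rate limit. The sample configuration is constructed, and the script assumes that non-default settings appear in the saved configuration as the command lines shown in the tables and that an omitted bucketsize leaves the default of 10.

```python
import re

# Commands and defaults are the ones stated in this chapter.
CHECKS = [
    (re.compile(r"^ipv6 icmpv6 error-interval 0(?: \d+)?$"),
     "ICMPv6 error rate limit is disabled (interval 0)"),
    (re.compile(r"^ipv6 icmpv6 multicast-echo-reply enable$"),
     "device answers multicast echo requests (default: disabled)"),
    (re.compile(r"^ipv6 unreachables enable$"),
     "ICMPv6 destination unreachable messages are sent (default: disabled)"),
    (re.compile(r"^ipv6 hoplimit-expires enable$"),
     "ICMPv6 time exceeded messages are sent (default: disabled)"),
    (re.compile(r"^ipv6 redirects enable$"),
     "ICMPv6 redirect messages are sent (default: disabled)"),
]
RATE_RE = re.compile(r"^ipv6 icmpv6 error-interval (\d+)(?: (\d+))?$")


def _normalise(raw_line):
    """Collapse indentation and repeated spaces so patterns match reliably."""
    return " ".join(raw_line.split())


def audit(config_text):
    """Return (line number, command, note) for each non-default ICMPv6 setting."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = _normalise(raw)
        for pattern, note in CHECKS:
            if pattern.match(line):
                findings.append((lineno, line, note))
    return findings


def error_rate_limit(config_text):
    """Return the effective token-bucket settings for ICMPv6 error messages."""
    interval, bucket = 100, 10          # defaults stated in this chapter
    for raw in config_text.splitlines():
        match = RATE_RE.match(_normalise(raw))
        if match:
            interval = int(match.group(1))
            # Assumption: an omitted bucketsize leaves the default of 10.
            bucket = int(match.group(2)) if match.group(2) else 10
    return {"interval_ms": interval, "bucketsize": bucket,
            "enabled": interval != 0}


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
 sysname SwitchA
#
 ipv6 icmpv6 error-interval 0
 ipv6 unreachables enable
 ipv6 redirects enable
#
interface Vlan-interface1
 ipv6 address 2001::1/64
 undo ipv6 nd ra halt
#
"""

if __name__ == "__main__":
    for lineno, command, note in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {command}: {note}")
    print(error_rate_limit(SAMPLE_CONFIG))
```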

 

Specifying the source address for ICMPv6 packets

Perform this task to specify the source IPv6 address for outgoing ping echo requests and ICMPv6 error messages. It is a good practice to specify the IPv6 address of the loopback interface as the source IPv6 address. This feature helps users to easily locate the sending device.

If you specify an IPv6 address in the ping command, ping echo requests use the specified address as the source IPv6 address. Otherwise, ping echo requests use the IPv6 address specified by the ipv6 icmpv6 source command.

To specify the source IPv6 address for ICMPv6 packets:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify an IPv6 address as the source address for outgoing ICMPv6 packets.

ipv6 icmpv6 source [ vpn-instance vpn-instance-name ] ipv6-address

By default, the device uses the IPv6 address of the sending interface as the source IPv6 address for outgoing ICMPv6 packets.

 

Enabling IPv6 local fragment reassembly

Use this feature on a device to improve fragment reassembly efficiency. This feature enables the interface module to reassemble the IPv6 fragments of a packet if all the fragments arrive at it. If this feature is disabled, all IPv6 fragments are delivered to the active MPU for reassembly. The feature applies only to fragments destined for the same interface module.

To enable IPv6 local fragment reassembly:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable IPv6 local fragment reassembly.

ipv6 reassemble local enable

By default, IPv6 local fragment reassembly is disabled.

 

Enabling a device to discard IPv6 packets that contain extension headers

This feature enables a device to discard a received IPv6 packet in which the extension headers cannot be processed by the device.

To enable a device to discard IPv6 packets that contain extension headers:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the device to discard IPv6 packets that contain extension headers.

ipv6 extension-header drop enable

By default, the device does not discard IPv6 packets that contain extension headers.

 

Displaying and maintaining IPv6 basics

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display IPv6 FIB entries.

display ipv6 fib [ vpn-instance vpn-instance-name ] [ ipv6-address [ prefix-length ] ]

Display IPv6 information about the interface.

display ipv6 interface [ interface-type [ interface-number ] ] [ brief ]

Display IPv6 prefix information about the interface.

display ipv6 interface interface-type interface-number prefix

(In standalone mode.) Display neighbor information.

display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]

(In IRF mode.) Display neighbor information.

display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ chassis chassis-number slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]

(In standalone mode.) Display the total number of neighbor entries.

display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count

(In IRF mode.) Display the total number of neighbor entries.

display ipv6 neighbors { { all | dynamic | static } [ chassis chassis-number slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count

Display the maximum number of ND entries that a device supports.

display ipv6 neighbors entry-limit

Display neighbor information for a VPN.

display ipv6 neighbors vpn-instance vpn-instance-name [ count ]

Display the IPv6 path MTU information.

display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | { all | dynamic | static } [ count ] }

Display the IPv6 prefix information.

display ipv6 prefix [ prefix-number ]

(In standalone mode.) Display IPv6 and ICMPv6 statistics.

display ipv6 statistics [ slot slot-number ]

(In IRF mode.) Display IPv6 and ICMPv6 statistics.

display ipv6 statistics [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display brief information about IPv6 RawIP connections.

display ipv6 rawip [ slot slot-number ]

(In IRF mode.) Display brief information about IPv6 RawIP connections.

display ipv6 rawip [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display detailed information about IPv6 RawIP connections.

display ipv6 rawip verbose [ slot slot-number [ pcb pcb-index ] ]

(In IRF mode.) Display detailed information about IPv6 RawIP connections.

display ipv6 rawip verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

(In standalone mode.) Display brief information about IPv6 TCP connections.

display ipv6 tcp [ slot slot-number ]

(In IRF mode.) Display brief information about IPv6 TCP connections.

display ipv6 tcp [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display detailed information about IPv6 TCP connections.

display ipv6 tcp verbose [ slot slot-number [ pcb pcb-index ] ]

(In IRF mode.) Display detailed information about IPv6 TCP connections.

display ipv6 tcp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

(In standalone mode.) Display brief information about IPv6 UDP connections.

display ipv6 udp [ slot slot-number ]

(In IRF mode.) Display brief information about IPv6 UDP connections.

display ipv6 udp [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display detailed information about IPv6 UDP connections.

display ipv6 udp verbose [ slot slot-number [ pcb pcb-index ] ]

(In IRF mode.) Display detailed information about IPv6 UDP connections.

display ipv6 udp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]

(In standalone mode.) Display ICMPv6 traffic statistics.

display ipv6 icmp statistics [ slot slot-number ]

(In IRF mode.) Display ICMPv6 traffic statistics.

display ipv6 icmp statistics [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display IPv6 TCP traffic statistics.

display tcp statistics [ slot slot-number ]

(In IRF mode.) Display IPv6 TCP traffic statistics.

display tcp statistics [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display IPv6 UDP traffic statistics.

display udp statistics [ slot slot-number ]

(In IRF mode.) Display IPv6 UDP traffic statistics.

display udp statistics [ chassis chassis-number slot slot-number ]

(In standalone mode.) Clear IPv6 neighbor information.

reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | slot slot-number | static }

(In IRF mode.) Clear IPv6 neighbor information.

reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | chassis chassis-number slot slot-number | static }

Clear path MTUs.

reset ipv6 pathmtu { all | dynamic | static }

(In standalone mode.) Clear IPv6 and ICMPv6 packet statistics.

reset ipv6 statistics [ slot slot-number ]

(In IRF mode.) Clear IPv6 and ICMPv6 packet statistics.

reset ipv6 statistics [ chassis chassis-number slot slot-number ]

Clear IPv6 TCP traffic statistics.

reset tcp statistics

Clear IPv6 UDP traffic statistics.

reset udp statistics

 

Basic IPv6 configuration example

Network requirements

As shown in Figure 55, a host, Switch A, and Switch B are connected through Ethernet ports. Add the Ethernet ports to corresponding VLANs. Configure IPv6 addresses for the VLAN interfaces and verify that they are connected. Switch B can reach the host.

Enable IPv6 on the host to automatically obtain an IPv6 address through IPv6 ND.

Figure 55 Network diagram

 

Configuration procedure

This example assumes that the VLAN interfaces have been created on the switches.

1.        Configure Switch A:

# Specify a global unicast address for VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ipv6 address 3001::1/64

[SwitchA-Vlan-interface2] quit

# Specify a global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ipv6 address 2001::1/64

[SwitchA-Vlan-interface1] undo ipv6 nd ra halt

[SwitchA-Vlan-interface1] quit

2.        Configure Switch B:

# Configure a global unicast address for VLAN-interface 2.

<SwitchB> system-view

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ipv6 address 3001::2/64

[SwitchB-Vlan-interface2] quit

# Configure an IPv6 static route with destination IPv6 address 2001::/64 and next hop address 3001::1.

[SwitchB] ipv6 route-static 2001:: 64 3001::1

3.        Configure the host:

Enable IPv6 for the host to automatically obtain an IPv6 address through IPv6 ND.

# Display neighbor information for HundredGigE 1/0/2 on Switch A.

[SwitchA] display ipv6 neighbors interface hundredgige 1/0/2

Type: S-Static    D-Dynamic    O-Openflow     R-Rule    I-Invalid

IPv6 address               Link Layer      VID  Interface/Link ID   State T Age

FE80::215:E9FF:FEA6:7D14   0015-e9a6-7d14  1    HGE1/0/2            STALE D 1238

2001::15B:E0EA:3524:E791   0015-e9a6-7d14  1    HGE1/0/2            STALE D 1248

The output shows that the IPv6 global unicast address that the host obtained is 2001::15B:E0EA:3524:E791.

Verifying the configuration

# Display the IPv6 interface settings on Switch A. All IPv6 global unicast addresses configured on the interface are displayed.

[SwitchA] display ipv6 interface vlan-interface 2

Vlan-interface2 current state: UP

Line protocol current state: UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2

  Global unicast address(es):

    3001::1, subnet is 3001::/64

  Joined group address(es):

    FF02::1

    FF02::2

    FF02::1:FF00:1

    FF02::1:FF00:2

  MTU is 1500 bytes

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds

  ND retransmit interval is 1000 milliseconds

  Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

  InReceives:                    25829

  InTooShorts:                   0

  InTruncatedPkts:               0

  InHopLimitExceeds:             0

  InBadHeaders:                  0

  InBadOptions:                  0

  ReasmReqds:                    0

  ReasmOKs:                      0

  InFragDrops:                   0

  InFragTimeouts:                0

  OutFragFails:                  0

  InUnknownProtos:               0

  InDelivers:                    47

  OutRequests:                   89

  OutForwDatagrams:              48

  InNoRoutes:                    0

  InTooBigErrors:                0

  OutFragOKs:                    0

  OutFragCreates:                0

  InMcastPkts:                   6

  InMcastNotMembers:             25747

  OutMcastPkts:                  48

  InAddrErrors:                  0

  InDiscards:                    0

  OutDiscards:                   0

[SwitchA] display ipv6 interface vlan-interface 1

Vlan-interface1 current state: UP

Line protocol current state: UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0

  Global unicast address(es):

    2001::1, subnet is 2001::/64

  Joined group address(es):

    FF02::1

    FF02::2

    FF02::1:FF00:1

    FF02::1:FF00:1C0

  MTU is 1500 bytes

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds

  ND retransmit interval is 1000 milliseconds

  ND advertised reachable time is 0 milliseconds

  ND advertised retransmit interval is 0 milliseconds

  ND router advertisements are sent every 600 seconds

  ND router advertisements live for 1800 seconds

  Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

  InReceives:                    272

  InTooShorts:                   0

  InTruncatedPkts:               0

  InHopLimitExceeds:             0

  InBadHeaders:                  0

  InBadOptions:                  0

  ReasmReqds:                    0

  ReasmOKs:                      0

  InFragDrops:                   0

  InFragTimeouts:                0

  OutFragFails:                  0

  InUnknownProtos:               0

  InDelivers:                    159

  OutRequests:                   1012

  OutForwDatagrams:              35

  InNoRoutes:                    0

  InTooBigErrors:                0

  OutFragOKs:                    0

  OutFragCreates:                0

  InMcastPkts:                   79

  InMcastNotMembers:             65

  OutMcastPkts:                  938

  InAddrErrors:                  0

  InDiscards:                    0

  OutDiscards:                   0

# Display the IPv6 interface settings on Switch B. All IPv6 global unicast addresses configured on the interface are displayed.

[SwitchB] display ipv6 interface vlan-interface 2

Vlan-interface2 current state :UP

Line protocol current state :UP

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234

  Global unicast address(es):

    3001::2, subnet is 3001::/64

  Joined group address(es):

    FF02::1

    FF02::2

    FF02::1:FF00:2

    FF02::1:FF00:1234

  MTU is 1500 bytes

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds

  ND retransmit interval is 1000 milliseconds

  Hosts use stateless autoconfig for addresses

IPv6 Packet statistics:

  InReceives:                    117

  InTooShorts:                   0

  InTruncatedPkts:               0

  InHopLimitExceeds:             0

  InBadHeaders:                  0

  InBadOptions:                  0

  ReasmReqds:                    0

  ReasmOKs:                      0

  InFragDrops:                   0

  InFragTimeouts:                0

  OutFragFails:                  0

  InUnknownProtos:               0

  InDelivers:                    117

  OutRequests:                   83

  OutForwDatagrams:              0

  InNoRoutes:                    0

  InTooBigErrors:                0

  OutFragOKs:                    0

  OutFragCreates:                0

  InMcastPkts:                   28

  InMcastNotMembers:             0

  OutMcastPkts:                  7

  InAddrErrors:                  0

  InDiscards:                    0

  OutDiscards:                   0

# Ping Switch A and Switch B on the host, and ping Switch A and the host on Switch B to verify that they are connected.

 

 

NOTE:

When you ping a link-local address, use the -i parameter to specify an interface for the link-local address.

 

[SwitchB] ping ipv6 -c 1 3001::1

Ping6(56 data bytes) 3001::2 --> 3001::1, press CTRL_C to break

56 bytes from 3001::1, icmp_seq=0 hlim=64 time=4.404 ms

 

--- Ping6 statistics for 3001::1 ---

1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 4.404/4.404/4.404/0.000 ms

[SwitchB] ping ipv6 -c 1 2001::15B:E0EA:3524:E791

Ping6(56 data bytes) 3001::2 --> 2001::15B:E0EA:3524:E791, press CTRL_C to break

56 bytes from 2001::15B:E0EA:3524:E791, icmp_seq=0 hlim=64 time=5.404 ms

 

--- Ping6 statistics for 2001::15B:E0EA:3524:E791 ---

1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 5.404/5.404/5.404/0.000 ms

The output shows that Switch B can ping Switch A and the host. The host can also ping Switch B and Switch A.

Troubleshooting IPv6 basics configuration

Symptom

An IPv6 address cannot be pinged.

Solution

1.        Use the display ipv6 interface command in any view to verify that the IPv6 address of the output interface is correct and the interface is up.

2.        Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to locate the fault.


DHCPv6 overview

DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.

DHCPv6 address/prefix assignment

An address/prefix assignment process involves two or four messages.

Rapid assignment involving two messages

As shown in Figure 56, rapid assignment operates in the following steps:

1.        The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment.

2.        If the DHCPv6 server supports rapid assignment, it responds with a Reply message containing the assigned IPv6 address/prefix and other configuration parameters. If the DHCPv6 server does not support rapid assignment, the four-message process described in "Assignment involving four messages" is performed.

Figure 56 Rapid assignment involving two messages

 

Assignment involving four messages

As shown in Figure 57, four-message assignment operates using the following steps:

1.        The DHCPv6 client sends a Solicit message to request an IPv6 address/prefix and other configuration parameters.

2.        The DHCPv6 server responds with an Advertise message that contains the assignable address/prefix and other configuration parameters if either of the following conditions exists:

○  The Solicit message does not contain a Rapid Commit option.

○  The DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option.

3.        The DHCPv6 client might receive multiple Advertise messages offered by different DHCPv6 servers. It selects an offer according to the receiving sequence and server priority, and sends a Request message to the selected server for confirmation.

4.        The DHCPv6 server sends a Reply message to the client, confirming that the address/prefix and other configuration parameters are assigned to the client.

Figure 57 Assignment involving four messages

 

Address/prefix lease renewal

An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To continue using the IPv6 address/prefix, the DHCPv6 client must renew the lease.

Figure 58 Using the Renew message for address/prefix lease renewal

 

As shown in Figure 58, at T1, the DHCPv6 client sends a Renew message to the DHCPv6 server. The recommended value of T1 is half the preferred lifetime. The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.

Figure 59 Using the Rebind message for address/prefix lease renewal

 

As shown in Figure 59:

·          If the DHCPv6 client does not receive a response from the DHCPv6 server after sending a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2. Typically, the value of T2 is 0.8 times the preferred lifetime.

·          The DHCPv6 server responds with a Reply message, informing the client whether the lease is renewed.

·          If the DHCPv6 client does not receive a response from any DHCPv6 server before the valid lifetime expires, the client stops using the address/prefix.

For more information about the valid lifetime and the preferred lifetime, see "Configuring basic IPv6 settings."

Stateless DHCPv6

Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server.

The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration:

·          The managed address configuration flag (M flag) is set to 0.

·          The other stateful configuration flag (O flag) is set to 1.

For more information about stateless address autoconfiguration, see "Configuring basic IPv6 settings."

Figure 60 Stateless DHCPv6 operation

 

As shown in Figure 60, stateless DHCPv6 operates in the following steps:

1.        The DHCPv6 client sends an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents. The Information-request message contains an Option Request option that specifies the requested configuration parameters.

2.        The DHCPv6 server returns to the client a Reply message containing the requested configuration parameters.

3.        The client checks the Reply message. If the obtained configuration parameters match those requested in the Information-request message, the client uses these parameters to complete configuration. If not, the client ignores the configuration parameters. If the client receives multiple replies with configuration parameters matching those requested in the Information-request message, it uses the first received reply.
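The M and O flag check described above, as an added example that is not H3C code: it decodes a raw ICMPv6 RA message, reads the two flags, and lists the prefixes a host may use for stateless address autoconfiguration. The field layout and the meaning of M = 1 follow RFC 4861 rather than this page, the sample RA is constructed with a zero checksum, and the function names are hypothetical.

```python
import ipaddress
import struct

RA_TYPE = 134                    # ICMPv6 Router Advertisement (RFC 4861)
M_FLAG, O_FLAG = 0x80, 0x40      # M and O bits in the RA flags byte
OPT_PREFIX_INFO = 3              # Prefix Information option type
A_FLAG = 0x40                    # autonomous (SLAAC) bit in that option


def parse_ra(icmpv6: bytes) -> dict:
    """Decode the M/O flags and SLAAC prefixes of a raw ICMPv6 RA message.

    The ICMPv6 checksum is not verified here; a real receiver must do so.
    """
    if len(icmpv6) < 16:
        raise ValueError("truncated RA: the fixed part is 16 bytes")
    msg_type, code, _cksum, _hlim, flags, _life, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmpv6[:16])
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")

    prefixes = []
    pos = 16
    while pos < len(icmpv6):
        if len(icmpv6) - pos < 2:
            raise ValueError("truncated option header")
        opt_type = icmpv6[pos]
        opt_len = icmpv6[pos + 1] * 8          # length field is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmpv6):
            raise ValueError("invalid option length")
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 32:
                raise ValueError("Prefix Information option must be 32 bytes")
            if icmpv6[pos + 3] & A_FLAG:       # prefix usable for autoconfig
                prefix = ipaddress.IPv6Address(icmpv6[pos + 16:pos + 32])
                prefixes.append(f"{prefix}/{icmpv6[pos + 2]}")
        pos += opt_len

    managed, other = bool(flags & M_FLAG), bool(flags & O_FLAG)
    if managed:
        mode = "stateful DHCPv6"       # RFC 4861: addresses come from DHCPv6
    elif other:
        mode = "stateless DHCPv6"      # the case described in this section
    else:
        mode = "no DHCPv6"
    return {"M": managed, "O": other, "mode": mode, "slaac_prefixes": prefixes}


def build_sample_ra(m: bool, o: bool, prefix: str = "2001::", plen: int = 64) -> bytes:
    """Construct a sample RA (checksum left at 0) carrying one prefix option."""
    flags = (M_FLAG if m else 0) | (O_FLAG if o else 0)
    fixed = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen,
                         0x80 | A_FLAG, 2592000, 604800, 0)
    return fixed + option + ipaddress.IPv6Address(prefix).packed


if __name__ == "__main__":
    for m, o in [(False, True), (True, False), (False, False)]:
        print(f"M={int(m)} O={int(o)} ->", parse_ra(build_sample_ra(m, o)))
```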

Protocols and standards

·          RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6

·          RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)

·          RFC 2462, IPv6 Stateless Address Autoconfiguration

·          RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6

 


Configuring the DHCPv6 server

Overview

A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.

IPv6 address assignment

As shown in Figure 61, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients.

The IPv6 addresses assigned to the clients include the following types:

·          Temporary IPv6 addresses—Frequently changed without lease renewal.

·          Non-temporary IPv6 addresses—Normally used by DHCPv6 clients, with lease renewal.

Figure 61 IPv6 address assignment

 

IPv6 prefix assignment

As shown in Figure 62, the DHCPv6 server assigns an IPv6 prefix to the DHCPv6 client. The client advertises the prefix information in a multicast RA message so that hosts on the subnet can automatically configure their IPv6 addresses by using the prefix.

Figure 62 IPv6 prefix assignment

 

Concepts

Multicast addresses used by DHCPv6

DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents.

DUID

A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent). A DHCPv6 device includes its DUID in the packets it sends.

Figure 63 DUID-LL format

 

The device supports the DUID format based on link-layer address (DUID-LL) defined in RFC 3315. Figure 63 shows the DUID-LL format, which includes the following fields:

·          DUID type—The device supports the DUID type of DUID-LL with the value of 0x0003.

·          Hardware type—The device supports the hardware type of Ethernet with the value of 0x0001.

·          Link layer address—Takes the value of the bridge MAC address of the device.
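The DUID-LL layout listed above, as an added example that is not H3C code: it builds the DUID-LL for a given bridge MAC address and decodes a received DUID, which is useful for checking the value before it is entered in a static binding. It goes beyond the DUID-LL case by also decoding the DUID-LLT and DUID-EN types defined in RFC 3315; the function names are hypothetical and the MAC address is the sample host address from the neighbor table earlier in this guide.

```python
import struct

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3     # DUID type codes from RFC 3315
HW_ETHERNET = 1                          # hardware type used by the device


def build_duid_ll(mac: str) -> bytes:
    """Build the DUID-LL that a device with this bridge MAC would send.

    Accepts the dashed form used in switch output (0015-e9a6-7d14) as well
    as colon- or hyphen-separated octets.
    """
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("an Ethernet MAC address is 6 bytes")
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + raw


def parse_duid(duid: bytes) -> dict:
    """Decode a DUID into its fields; raise ValueError if it is malformed."""
    # RFC 3315: 2-byte type code followed by at most 128 bytes.
    if not 2 < len(duid) <= 130:
        raise ValueError("DUID length out of range")
    (dtype,) = struct.unpack("!H", duid[:2])
    body = duid[2:]
    if dtype == DUID_LL:                 # hardware type + link-layer address
        if len(body) < 3:
            raise ValueError("DUID-LL too short")
        (hw,) = struct.unpack("!H", body[:2])
        return {"type": "DUID-LL", "hw_type": hw, "lladdr": body[2:].hex()}
    if dtype == DUID_LLT:                # hardware type + time + address
        if len(body) < 7:
            raise ValueError("DUID-LLT too short")
        hw, time = struct.unpack("!HI", body[:6])
        return {"type": "DUID-LLT", "hw_type": hw, "time": time,
                "lladdr": body[6:].hex()}
    if dtype == DUID_EN:                 # enterprise number + identifier
        if len(body) < 5:
            raise ValueError("DUID-EN too short")
        (enterprise,) = struct.unpack("!I", body[:4])
        return {"type": "DUID-EN", "enterprise": enterprise,
                "identifier": body[4:].hex()}
    raise ValueError(f"unsupported DUID type {dtype}")


def is_device_style_duid(hex_string: str) -> bool:
    """True if the hex string is a DUID-LL over Ethernet with a 6-byte MAC."""
    try:
        fields = parse_duid(bytes.fromhex(hex_string))
    except ValueError:
        return False
    return (fields["type"] == "DUID-LL" and fields["hw_type"] == HW_ETHERNET
            and len(fields["lladdr"]) == 12)


if __name__ == "__main__":
    duid = build_duid_ll("0015-e9a6-7d14")
    print(duid.hex(), parse_duid(duid))
```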

IA

Identified by an IAID, an identity association (IA) provides a construct through which a client manages the obtained addresses, prefixes, and other configuration parameters. A client can have multiple IAs, for example, one for each of its interfaces.

IAID

An IAID uniquely identifies an IA. It is chosen by the client and must be unique on the client.

PD

The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the following details:

·          IPv6 prefix.

·          Client DUID.

·          IAID.

·          Valid lifetime.

·          Preferred lifetime.

·          Lease expiration time.

·          IPv6 address of the requesting client.

DHCPv6 address pool

The DHCPv6 server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCPv6 clients.

Address allocation mechanisms

DHCPv6 supports the following address allocation mechanisms:

·          Static address allocation—To implement static address allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 address in the DHCPv6 address pool. When the client requests an IPv6 address, the DHCPv6 server assigns the IPv6 address in the static binding to the client.

·          Dynamic address allocation—To implement dynamic address allocation for clients, create a DHCPv6 address pool, specify a subnet for the pool, and divide the subnet into temporary and non-temporary IPv6 address ranges. Upon receiving a DHCPv6 request, the DHCPv6 server selects an IPv6 address from the temporary or non-temporary IPv6 address range based on the address type in the client request.

Prefix allocation mechanisms

DHCPv6 supports the following prefix allocation mechanisms:

·          Static prefix allocation—To implement static prefix allocation for a client, create a DHCPv6 address pool, and manually bind the DUID and IAID of the client to an IPv6 prefix in the DHCPv6 address pool. When the client requests an IPv6 prefix, the DHCPv6 server assigns the IPv6 prefix in the static binding to the client.

·          Dynamic prefix allocation—To implement dynamic prefix allocation for clients, create a DHCPv6 address pool and a prefix pool, specify a subnet for the address pool, and apply the prefix pool to the address pool. Upon receiving a DHCPv6 request, the DHCPv6 server dynamically selects an IPv6 prefix from the prefix pool in the address pool.

Address pool selection

The DHCPv6 server observes the following principles when selecting an IPv6 address or prefix for a client:

1.        If there is an address pool where an IPv6 address is statically bound to the DUID or IAID of the client, the DHCPv6 server selects this address pool. It assigns the statically bound IPv6 address or prefix and other configuration parameters to the client.

2.        If the receiving interface has an address pool applied, the DHCPv6 server selects an IPv6 address or prefix and other configuration parameters from this address pool.

3.        If no static address pool is configured and no address pool is applied to the receiving interface, the DHCPv6 server selects an address pool depending on the client location.

○  Client on the same subnet as the server: The DHCPv6 server compares the IPv6 address of the receiving interface with the subnets of all address pools. It selects the address pool with the longest-matching subnet.

○  Client on a different subnet than the server: The DHCPv6 server compares the IPv6 address of the DHCPv6 relay agent interface closest to the client with the subnets of all address pools. It also selects the address pool with the longest-matching subnet.

To make sure IPv6 address allocation functions correctly, keep the subnet used for dynamic assignment consistent with the subnet where the interface of the DHCPv6 server or DHCPv6 relay agent resides.
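The three selection principles above, as an added model that is not the device's implementation: it picks a pool by static binding first, then by the pool applied to the receiving interface, then by longest match on the receiving or relay agent address. The pool names, DUIDs, and subnets are constructed, and static bindings are modelled as (DUID, optional IAID) pairs.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    network: str = ""                                  # subnet set with "network"
    static_binds: list = field(default_factory=list)   # [(duid, iaid or None)]

    def binds(self, duid, iaid):
        """A binding with an IAID needs both to match; otherwise the DUID alone."""
        return any(d.lower() == duid.lower() and (i is None or i == iaid)
                   for d, i in self.static_binds)


def select_pool(pools, duid, iaid, rx_addr, rx_pool=None, relay_addr=None):
    """Return (pool name or None, reason) following the three principles.

    rx_addr:    IPv6 address of the interface that received the request
    rx_pool:    name of the pool applied to that interface, if any
    relay_addr: address of the relay agent interface closest to the client,
                set only when the client is on a different subnet
    """
    for pool in pools:                                  # principle 1
        if pool.binds(duid, iaid):
            return pool.name, "static binding"
    if rx_pool is not None:                             # principle 2
        return rx_pool, "applied to receiving interface"

    # Principle 3: longest-matching subnet for the reference address.
    ref = ipaddress.IPv6Address(relay_addr if relay_addr else rx_addr)
    best = None
    for pool in pools:
        if not pool.network:
            continue
        net = ipaddress.IPv6Network(pool.network)
        if ref in net and (best is None or net.prefixlen > best[1]):
            best = (pool.name, net.prefixlen)
    if best is None:
        # The pool subnets are inconsistent with the interface or relay subnet.
        return None, f"no pool matches {ref}"
    return best[0], f"longest match for {ref}"


# Constructed pools and client identifiers.
POOLS = [
    Pool("pool-wide", "2001::/48"),
    Pool("pool-vlan1", "2001::/64"),
    Pool("pool-vlan2", "3001::/64",
         static_binds=[("000300010015e9a67d14", None)]),
]
BOUND_DUID = "000300010015E9A67D14"
OTHER_DUID = "00030001aabbccddeeff"

if __name__ == "__main__":
    print(select_pool(POOLS, BOUND_DUID, 7, "2001::1"))
    print(select_pool(POOLS, OTHER_DUID, 1, "2001::1", rx_pool="pool-wide"))
    print(select_pool(POOLS, OTHER_DUID, 1, "2001::1"))
    print(select_pool(POOLS, OTHER_DUID, 1, "3001::2", relay_addr="2001:0:0:5::1"))
    print(select_pool(POOLS, OTHER_DUID, 1, "4001::1"))
```

The last call returns no pool, which is the failure the consistency requirement above is meant to prevent.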

IPv6 address/prefix allocation sequence

The DHCPv6 server selects an IPv6 address/prefix for a client in the following sequence:

1.        IPv6 address/prefix statically bound to the client's DUID and IAID and expected by the client.

2.        IPv6 address/prefix statically bound to the client's DUID and IAID.

3.        IPv6 address/prefix statically bound to the client's DUID and expected by the client.

4.        IPv6 address/prefix statically bound to the client's DUID.

5.        IPv6 address/prefix that was previously assigned to the client.

6.        Assignable IPv6 address/prefix in the address pool/prefix pool expected by the client.

7.        Assignable IPv6 address/prefix in the address pool/prefix pool.

8.        IPv6 address/prefix that was in conflict or whose lease has expired. If no IPv6 address/prefix is assignable, the server does not respond.

If a client moves to another subnet, the DHCPv6 server selects an IPv6 address/prefix from the address pool that matches the new subnet.

Conflicted IPv6 addresses can be assigned to other DHCPv6 clients only after the addresses have been in conflict for one hour.

Configuration task list

Tasks at a glance

(Optional.) Perform the following tasks:

·         Configuring IPv6 prefix assignment

·         Configuring IPv6 address assignment

·         Configuring network parameters assignment

(Required.) Configuring the DHCPv6 server on an interface

(Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server

(Optional.) Enabling the DHCPv6 server to advertise IPv6 prefixes

 

Configuring IPv6 prefix assignment

Use the following methods to configure IPv6 prefix assignment:

·          Configure a static IPv6 prefix binding in an address pool—If you bind a DUID and an IAID to an IPv6 prefix, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client. If you only bind a DUID to an IPv6 prefix, the DUID in the request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client.

·          Apply a prefix pool to an address pool—The DHCPv6 server dynamically assigns an IPv6 prefix from the prefix pool in the address pool to a DHCPv6 client.

Configuration guidelines

·          An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.

·          Only one prefix pool can be applied to an address pool. You cannot modify prefix pools that have been applied. To change the prefix pool for an address pool, you must remove the prefix pool application first.

·          You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.

Configuration procedure

To configure IPv6 prefix assignment:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Specify the IPv6 prefixes excluded from dynamic assignment.

ipv6 dhcp server forbidden-prefix start-prefix/prefix-len [ end-prefix/prefix-len ] [ vpn-instance vpn-instance-name ]

By default, no IPv6 prefixes in the prefix pool are excluded from dynamic assignment.

If the excluded IPv6 prefix is in a static binding, the prefix still can be assigned to the client.

To exclude multiple IPv6 prefix ranges, repeat this step.

3.       Create a prefix pool.

ipv6 dhcp prefix-pool prefix-pool-number prefix { prefix-number | prefix/prefix-len } assign-len assign-len [ vpn-instance vpn-instance-name ]

This step is required for dynamic prefix assignment.

By default, no prefix pools exist.

If you specify an IPv6 prefix by its ID, make sure the IPv6 prefix is in effect. Otherwise, the configuration does not take effect.

4.       Create a DHCPv6 address pool and enter its view.

ipv6 dhcp pool pool-name

By default, no DHCPv6 address pools exist.

5.       Specify an IPv6 subnet for dynamic assignment.

network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no IPv6 subnet is specified for dynamic assignment.

The IPv6 subnets cannot be the same in different address pools.

6.       Configure static prefix assignment, dynamic prefix assignment, or both.

·         Configure a static prefix binding:
static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

·         Apply the prefix pool to the address pool:
prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, static or dynamic prefix assignment is not configured for an address pool.

To add multiple static IPv6 prefix bindings, use the static-bind prefix command multiple times.

 

Configuring IPv6 address assignment

Use one of the following methods to configure IPv6 address assignment:

·          Configure a static IPv6 address binding in an address pool.

If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client. If you only bind a DUID to an IPv6 address, the DUID in a request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.

·          Specify a subnet and address ranges in an address pool.

○  Non-temporary address assignment—The server selects addresses from the non-temporary address range specified by the address range command. If no non-temporary address range is specified, the server selects addresses on the subnet specified by the network command.

○  Temporary address assignment—The server selects addresses from the temporary address range specified by the temporary address range command. If no temporary address range is specified in the address pool, the DHCPv6 server cannot assign temporary addresses to clients.

Configuration guidelines

·          You can specify only one non-temporary address range and one temporary address range in an address pool.

·          The address ranges specified by the address range and temporary address range commands must be on the subnet specified by the network command. Otherwise, the addresses are unassignable.

·          Only one prefix pool can be applied to an address pool. You can apply a prefix pool that has not been created to an address pool. The setting takes effect after the prefix pool is created.

·          An IPv6 address can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first.

·          Only one subnet can be specified in an address pool. If you use the network command multiple times in a DHCPv6 address pool, the most recent configuration takes effect. If you use this command to specify only new lifetimes, the settings do not affect existing leases. The IPv6 addresses assigned after the modification will use the new lifetimes.

Configuration procedure

To configure IPv6 address assignment:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Specify the IPv6 addresses excluded from dynamic assignment.

ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ] [ vpn-instance vpn-instance-name ]

By default, all IPv6 addresses except for the DHCPv6 server's IP address in a DHCPv6 address pool are assignable.

If the excluded IPv6 address is in a static binding, the address still can be assigned to the client.

To exclude multiple IPv6 address ranges, repeat this step.

3.       Create a DHCPv6 address pool and enter its view.

ipv6 dhcp pool pool-name

By default, no DHCPv6 address pools exist.

4.       Specify an IPv6 subnet for dynamic assignment.

network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no IPv6 address subnet is specified.

The IPv6 subnets cannot be the same in different address pools.

5.       (Optional.) Specify a non-temporary IPv6 address range.

address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no non-temporary IPv6 address range is specified, and all unicast addresses on the subnet are assignable.

6.       (Optional.) Specify a temporary IPv6 address range.

temporary address range start-ipv6-address end-ipv6-address [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no temporary IPv6 address range is specified, and the DHCPv6 server cannot assign temporary IPv6 addresses.

7.       (Optional.) Create a static binding.

static-bind address ipv6-address/addr-prefix-length duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no static binding is configured.

To add more static bindings, repeat this step.

 

Configuring network parameters assignment

In addition to IPv6 prefixes and IPv6 addresses, you can configure other network parameters in a DHCPv6 address pool. You can configure a maximum of eight DNS server addresses, one domain name, eight SIP server addresses, and eight SIP server domain names in a DHCPv6 address pool.

Network parameters in a DHCPv6 address pool take precedence over those in a DHCPv6 option group.

To configure network parameters assignment:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a DHCPv6 address pool and enter its view.

ipv6 dhcp pool pool-name

By default, no DHCPv6 address pools exist.

3.       Specify an IPv6 subnet for dynamic assignment.

network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]

By default, no IPv6 subnet is specified.

The IPv6 subnets cannot be the same in different address pools.

4.       (Optional.) Specify a DNS server address.

dns-server ipv6-address

By default, no DNS server address is specified.

5.       (Optional.) Specify a domain name.

domain-name domain-name

By default, no domain name is specified.

6.       (Optional.) Specify a SIP server address or domain name.

sip-server { address ipv6-address | domain-name domain-name }

By default, no SIP server address or domain name is specified.

7.       (Optional.) Configure a self-defined DHCPv6 option.

option code hex hex-string

By default, no self-defined DHCPv6 option is configured.

 

Configuring the DHCPv6 server on an interface

Enable the DHCPv6 server and configure one of the following address/prefix assignment methods on an interface:

·          Apply an address pool on the interface—The DHCPv6 server selects an IPv6 address/prefix from the applied address pool for a requesting client. If there is no assignable IPv6 address/prefix in the address pool, the DHCPv6 server cannot assign an IPv6 address/prefix to a client.

·          Configure global address assignment on the interface—The DHCPv6 server selects an IPv6 address/prefix in the global DHCPv6 address pool that matches the server interface address or the DHCPv6 relay agent address for a requesting client.

If you configure both methods on an interface, the DHCPv6 server uses the specified address pool for address assignment without performing global address assignment.

Configuration guidelines

·          An interface cannot act as a DHCPv6 server and DHCPv6 relay agent at the same time.

·          Do not enable DHCPv6 server and DHCPv6 client on the same interface.

·          If you use the ipv6 dhcp server command multiple times, the most recent configuration takes effect.

·          You can apply an address pool that has not been created to an interface. The setting takes effect after the address pool is created.

·          Only one address pool can be applied to an interface. If you use the ipv6 dhcp server apply pool command multiple times, the most recent configuration takes effect.

Configuration procedure

To configure the DHCPv6 server on an interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable the DHCPv6 server on the interface.

ipv6 dhcp select server

By default, the interface discards DHCPv6 packets from DHCPv6 clients.

4.       Configure an address/prefix assignment method.

·         Configure global address assignment:
ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *

·         Apply a DHCPv6 address pool to the interface:
ipv6 dhcp server apply pool pool-name [ allow-hint | preference preference-value | rapid-commit ] *

By default, desired address/prefix assignment and rapid assignment are disabled, and the default preference is 0.
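The address pool and interface guidelines above can be checked offline against a planned or saved configuration before it reaches the switch. The following Python linter is an added example, not H3C code; the sample configuration is constructed, and the one-space indentation of sub-view commands and the finding names are assumptions of this example.

```python
import ipaddress

# Constructed sample. Assumption: sub-view commands are indented by one space,
# as in a saved configuration; VPN instances are ignored.
SAMPLE_CONFIG = """\
ipv6 dhcp server forbidden-address 1::1:0:0:2
#
ipv6 dhcp pool 1
 network 1::1:0:0:0/96 preferred-lifetime 172800 valid-lifetime 345600
 dns-server 1::1:0:0:2
#
ipv6 dhcp pool 2
 network 1::2:0:0:0/96 preferred-lifetime 432000 valid-lifetime 864000
 dns-server 1::2:0:0:2
 prefix-pool 7
#
ipv6 dhcp pool 3
 network 1::1:0:0:0/96
 address range 1::3:0:0:10 1::3:0:0:ff
#
interface Vlan-interface10
 ipv6 dhcp select server
 ipv6 dhcp server apply pool 9
#
"""

ADDR = ipaddress.IPv6Address


def parse(config):
    """Collect the DHCPv6 server settings the checks below need."""
    cfg = {"pools": {}, "forbidden": [], "prefix_pools": set(), "applied": []}
    view = None  # ("pool", name) or ("iface", name) while inside a sub-view
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if not raw[0].isspace():  # a top-level command leaves any sub-view
            view = None
            if tok[:3] == ["ipv6", "dhcp", "pool"] and len(tok) == 4:
                view = ("pool", tok[3])
                cfg["pools"].setdefault(tok[3], {"network": None, "ranges": [],
                                                 "dns": [], "prefix_pool": None})
            elif tok[0] == "interface":
                view = ("iface", " ".join(tok[1:]))
            elif tok[:4] == ["ipv6", "dhcp", "server", "forbidden-address"]:
                start = ADDR(tok[4])
                has_end = len(tok) > 5 and tok[5] != "vpn-instance"
                cfg["forbidden"].append((start, ADDR(tok[5]) if has_end else start))
            elif tok[:3] == ["ipv6", "dhcp", "prefix-pool"]:
                cfg["prefix_pools"].add(tok[3])
        elif view and view[0] == "pool":
            pool = cfg["pools"][view[1]]
            if tok[0] == "network":  # repeated: the most recent one takes effect
                pool["network"] = ipaddress.IPv6Network(tok[1], strict=False)
            elif tok[:2] == ["address", "range"]:
                pool["ranges"].append(("address range", ADDR(tok[2]), ADDR(tok[3])))
            elif tok[:3] == ["temporary", "address", "range"]:
                pool["ranges"].append(("temporary address range", ADDR(tok[3]), ADDR(tok[4])))
            elif tok[0] == "dns-server":
                pool["dns"].append(ADDR(tok[1]))
            elif tok[0] == "prefix-pool":
                pool["prefix_pool"] = tok[1]
        elif view and view[0] == "iface" and tok[:5] == ["ipv6", "dhcp", "server", "apply", "pool"]:
            cfg["applied"].append((view[1], tok[5]))
    return cfg


def audit(config):
    """Return (finding, pool-or-interface, detail) tuples."""
    cfg, findings, seen = parse(config), [], {}
    for name, pool in cfg["pools"].items():
        net = pool["network"]
        if net is None:
            continue
        if net in seen:  # subnets cannot be the same in different pools
            findings.append(("duplicate-network", name, f"same subnet as pool {seen[net]}"))
        else:
            seen[net] = name
        for kind, start, end in pool["ranges"]:
            if start not in net or end not in net:  # such addresses are unassignable
                findings.append(("range-outside-network", name, kind))
        # Assignable space: the non-temporary range if set, else the whole subnet.
        nontemp = [(s, e) for k, s, e in pool["ranges"] if k == "address range"]
        for dns in pool["dns"]:
            assignable = any(s <= dns <= e for s, e in nontemp) if nontemp else dns in net
            excluded = any(s <= dns <= e for s, e in cfg["forbidden"])
            if assignable and not excluded:  # server address could go to a client
                findings.append(("server-address-assignable", name, str(dns)))
        if pool["prefix_pool"] and pool["prefix_pool"] not in cfg["prefix_pools"]:
            findings.append(("prefix-pool-not-created", name, pool["prefix_pool"]))
    for iface, pool_name in cfg["applied"]:
        if pool_name not in cfg["pools"]:  # accepted, but inert until the pool exists
            findings.append(("applied-pool-not-created", iface, pool_name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

The last two finding types are accepted by the device and only take effect once the referenced pool is created, so the linter reports them as settings that currently do nothing.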

 

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the DSCP value for DHCPv6 packets sent by the DHCPv6 server.

ipv6 dhcp dscp dscp-value

By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 server is 56.

 

Enabling the DHCPv6 server to advertise IPv6 prefixes

A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use the IPv6 prefix for IPv6 address assignment in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the downstream network cannot access the external network. If the DHCPv6 server is on the same link as the DHCPv6 client, enable the DHCPv6 server to advertise the IPv6 prefix.

To enable the DHCPv6 server to advertise IPv6 prefixes:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the DHCPv6 server to advertise IPv6 prefixes.

ipv6 dhcp advertise pd-route

By default, the DHCPv6 server does not advertise IPv6 prefixes.

 

Displaying and maintaining the DHCPv6 server

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the DUID of the local device.

display ipv6 dhcp duid

Display DHCPv6 address pool information.

display ipv6 dhcp pool [ pool-name | vpn-instance vpn-instance-name ]

Display prefix pool information.

display ipv6 dhcp prefix-pool [ prefix-pool-number ] [ vpn-instance vpn-instance-name ]

Display DHCPv6 server information on an interface.

display ipv6 dhcp server [ interface interface-type interface-number ]

Display information about IPv6 address conflicts.

display ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]

Display information about expired IPv6 addresses.

display ipv6 dhcp server expired [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Display information about IPv6 address bindings.

display ipv6 dhcp server ip-in-use [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Display information about IPv6 prefix bindings.

display ipv6 dhcp server pd-in-use [ pool pool-name | [ prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] ]

Display packet statistics on the DHCPv6 server.

display ipv6 dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]

Clear information about IPv6 address conflicts.

reset ipv6 dhcp server conflict [ address ipv6-address ] [ vpn-instance vpn-instance-name ]

Clear information about expired IPv6 address bindings.

reset ipv6 dhcp server expired [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Clear information about IPv6 address bindings.

reset ipv6 dhcp server ip-in-use [ [ address ipv6-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Clear information about IPv6 prefix bindings.

reset ipv6 dhcp server pd-in-use [ pool pool-name | [ prefix prefix/prefix-len ] [ vpn-instance vpn-instance-name ] ]

Clear packet statistics on the DHCPv6 server.

reset ipv6 dhcp server statistics [ vpn-instance vpn-instance-name ]

 

DHCPv6 server configuration examples

Dynamic IPv6 prefix assignment configuration example

Network requirements

As shown in Figure 64, the switch acts as a DHCPv6 server to assign an IPv6 prefix, a DNS server address, a domain name, a SIP server address, and a SIP server name to each DHCPv6 client.

The switch assigns prefix 2001:0410:0201::/48 to the client whose DUID is 00030001CA0006A40000, and assigns prefixes in the range of 2001:0410::/48 to 2001:0410:FFFF::/48 (excluding 2001:0410:0201::/48) to other clients. The DNS server address is 2:2::3. The DHCPv6 clients reside in the domain aaa.com. The SIP server address is 2:2::4, and the SIP server name is bbb.com.

Figure 64 Network diagram

 

Configuration procedure

# Specify an IPv6 address for VLAN-interface 2.

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ipv6 address 1::1/64

# Disable RA message suppression on VLAN-interface 2.

[Switch-Vlan-interface2] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on VLAN-interface 2. Hosts that receive the RA advertisements will obtain IPv6 addresses through DHCPv6.

[Switch-Vlan-interface2] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on VLAN-interface 2. Hosts that receive the RA advertisements will obtain information other than IPv6 addresses through DHCPv6.

[Switch-Vlan-interface2] ipv6 nd autoconfig other-flag

[Switch-Vlan-interface2] quit

# Create prefix pool 1, and specify the prefix 2001:0410::/32 with the assigned prefix length 48.

[Switch] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48

# Create address pool 1.

[Switch] ipv6 dhcp pool 1

# In address pool 1, configure subnet 1::/64 where VLAN-interface 2 resides.

[Switch-dhcp6-pool-1] network 1::/64

# Apply prefix pool 1 to address pool 1, and set the preferred lifetime to one day, and the valid lifetime to three days.

[Switch-dhcp6-pool-1] prefix-pool 1 preferred-lifetime 86400 valid-lifetime 259200

# In address pool 1, bind prefix 2001:0410:0201::/48 to the client DUID 00030001CA0006A40000, and set the preferred lifetime to one day, and the valid lifetime to three days.

[Switch-dhcp6-pool-1] static-bind prefix 2001:0410:0201::/48 duid 00030001CA0006A40000 preferred-lifetime 86400 valid-lifetime 259200

# Configure the DNS server address 2:2::3.

[Switch-dhcp6-pool-1] dns-server 2:2::3

# Configure the domain name as aaa.com.

[Switch-dhcp6-pool-1] domain-name aaa.com

# Configure the SIP server address as 2:2::4, and the SIP server name as bbb.com.

[Switch-dhcp6-pool-1] sip-server address 2:2::4

[Switch-dhcp6-pool-1] sip-server domain-name bbb.com

[Switch-dhcp6-pool-1] quit

# Enable the DHCPv6 server on VLAN-interface 2, enable desired prefix assignment and rapid prefix assignment, and set the preference to the highest.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ipv6 dhcp select server

[Switch-Vlan-interface2] ipv6 dhcp server allow-hint preference 255 rapid-commit

Verifying the configuration

# Display DHCPv6 server configuration on VLAN-interface 2.

[Switch-Vlan-interface2] display ipv6 dhcp server interface vlan-interface 2

Using pool: global

Preference value: 255

Allow-hint: Enabled

Rapid-commit: Enabled

# Display information about address pool 1.

[Switch-Vlan-interface2] display ipv6 dhcp pool 1

DHCPv6 pool: 1

  Network: 1::/64

    Preferred lifetime 604800, valid lifetime 2592000

  Prefix pool: 1

    Preferred lifetime 86400, valid lifetime 259200

  Static bindings:

    DUID: 00030001ca0006a40000

    IAID: Not configured

    Prefix: 2001:410:201::/48

      Preferred lifetime 86400, valid lifetime 259200

  DNS server addresses:

    2:2::3

  Domain name:

    aaa.com

  SIP server addresses:

    2:2::4

  SIP server domain names:

    bbb.com          

# Display information about prefix pool 1.

[Switch-Vlan-interface2] display ipv6 dhcp prefix-pool 1

Prefix: 2001:410::/32

Assigned length: 48

Total prefix number: 65536

Available: 65535

In-use: 0

Static: 1

# After the client with the DUID 00030001CA0006A40000 obtains an IPv6 prefix, display the binding information on the DHCPv6 server.

[Switch-Vlan-interface2] display ipv6 dhcp server pd-in-use

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2001:410:201::/48                           Static(C) Jul 10 19:45:01 2009

# After the other client obtains an IPv6 prefix, display binding information on the DHCPv6 server.

[Switch-Vlan-interface2] display ipv6 dhcp server pd-in-use

Pool: 1

 IPv6 prefix                                 Type      Lease expiration

 2001:410:201::/48                           Static(C) Jul 10 19:45:01 2009

 2001:410::/48                               Auto(C)   Jul 10 20:44:05 2009
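The counters and bindings in the output above follow from the pool arithmetic and the static-binding match rule described under "Configuring IPv6 prefix assignment". This Python model is an added example, not H3C code; the class and method names are hypothetical, and first-free selection of dynamic prefixes is an assumption chosen to agree with the displayed output.

```python
import ipaddress


class PrefixPoolModel:
    """Model of one prefix pool applied to an address pool, plus static bindings."""

    def __init__(self, prefix, assign_len):
        self.net = ipaddress.IPv6Network(prefix)
        if not self.net.prefixlen <= assign_len <= 128:
            raise ValueError("assign-len must be at least the pool prefix length")
        self.assign_len = assign_len
        self.total = 1 << (assign_len - self.net.prefixlen)
        self.static = {}     # prefix -> (duid, iaid or None)
        self.forbidden = []  # inclusive (low, high) network-address integers
        self.leases = {}     # dynamically assigned prefix -> (duid, iaid)

    def _nth(self, index):
        """Return the index-th assign-len prefix carved from the pool prefix."""
        base = int(self.net.network_address) + (index << (128 - self.assign_len))
        return ipaddress.IPv6Network((base, self.assign_len))

    def static_bind(self, prefix, duid, iaid=None):
        """static-bind prefix: a prefix can be bound to only one client."""
        prefix = ipaddress.IPv6Network(prefix)
        if prefix in self.static:
            raise ValueError(f"{prefix} is already bound; delete that binding first")
        self.static[prefix] = (duid.lower(), iaid)

    def forbid(self, start, end=None):
        """ipv6 dhcp server forbidden-prefix start [ end ]."""
        low = ipaddress.IPv6Network(start)
        high = ipaddress.IPv6Network(end) if end else low
        self.forbidden.append((int(low.network_address), int(high.network_address)))

    def counters(self):
        """Mirror the fields of 'display ipv6 dhcp prefix-pool'.

        Forbidden prefixes are not subtracted: the guide does not say how the
        device counts them.
        """
        static = sum(1 for p in self.static
                     if p.prefixlen == self.assign_len and p.subnet_of(self.net))
        in_use = len(self.leases)
        return {"total": self.total, "available": self.total - static - in_use,
                "in_use": in_use, "static": static}

    def assign(self, duid, iaid):
        """Return (prefix, type) for a request carrying this DUID and IAID."""
        duid = duid.lower()
        # Static bindings: the DUID must match, and the IAID too if one is bound.
        # They are honoured even when the prefix is in a forbidden range.
        for prefix, (bound_duid, bound_iaid) in self.static.items():
            if bound_duid == duid and bound_iaid in (None, iaid):
                return prefix, "Static"
        for prefix, owner in self.leases.items():
            if owner == (duid, iaid):  # same client asks again
                return prefix, "Auto"
        for index in range(self.total):
            candidate = self._nth(index)
            base = int(candidate.network_address)
            if candidate in self.static or candidate in self.leases:
                continue  # reserved for a bound client or already leased
            if any(low <= base <= high for low, high in self.forbidden):
                continue  # excluded from dynamic assignment
            self.leases[candidate] = (duid, iaid)
            return candidate, "Auto"
        return None, None  # nothing assignable: the server does not respond


if __name__ == "__main__":
    pool = PrefixPoolModel("2001:0410::/32", 48)
    pool.static_bind("2001:0410:0201::/48", "00030001CA0006A40000")
    print(pool.counters())
    print(pool.assign("00030001CA0006A40000", 1))
    print(pool.assign("000300010000AAAA0001", 1))  # constructed DUID
```

A static binding matches on identifiers the client supplies in its request, so the model treats a request with the bound DUID as the bound client regardless of where it arrives.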

Dynamic IPv6 address assignment configuration example

Network requirements

As shown in Figure 65, Switch A acts as a DHCPv6 server to assign IPv6 addresses to the clients on subnets 1::1:0:0:0/96 and 1::2:0:0:0/96.

On Switch A, configure the IPv6 address 1::1:0:0:1/96 for VLAN-interface 10 and 1::2:0:0:1/96 for VLAN-interface 20. The lease duration of the addresses on subnet 1::1:0:0:0/96 is 172800 seconds (two days), the valid time is 345600 seconds (four days), the domain name suffix is aabbcc.com, and the DNS server address is 1::1:0:0:2/96. The lease duration of the addresses on subnet 1::2:0:0:0/96 is 432000 seconds (five days), the valid time is 864000 seconds (ten days), the domain name is aabbcc.com, and the DNS server address is 1::2:0:0:2/96.

Figure 65 Network diagram

 

Configuration procedure

1.        Configure the interfaces on the DHCPv6 server:

# Specify an IPv6 address for VLAN-interface 10.

<SwitchA> system-view

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ipv6 address 1::1:0:0:1/96

# Disable RA message suppression on VLAN-interface 10.

[SwitchA-Vlan-interface10] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on VLAN-interface 10. Hosts that receive the RA advertisements will obtain IPv6 addresses through DHCPv6.

[SwitchA-Vlan-interface10] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on VLAN-interface 10. Hosts that receive the RA advertisements will obtain information other than IPv6 addresses through DHCPv6.

[SwitchA-Vlan-interface10] ipv6 nd autoconfig other-flag

[SwitchA-Vlan-interface10] quit

# Specify an IPv6 address for VLAN-interface 20.

[SwitchA] interface vlan-interface 20

[SwitchA-Vlan-interface20] ipv6 address 1::2:0:0:1/96

# Disable RA message suppression on VLAN-interface 20.

[SwitchA-Vlan-interface20] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on VLAN-interface 20. Hosts that receive the RA advertisements will obtain IPv6 addresses through DHCPv6.

[SwitchA-Vlan-interface20] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on VLAN-interface 20. Hosts that receive the RA advertisements will obtain information other than IPv6 addresses through DHCPv6.

[SwitchA-Vlan-interface20] ipv6 nd autoconfig other-flag

[SwitchA-Vlan-interface20] quit

2.        Enable DHCPv6:

# Enable DHCPv6 server on VLAN-interface 10 and VLAN-interface 20.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ipv6 dhcp select server

[SwitchA-Vlan-interface10] quit

[SwitchA] interface vlan-interface 20

[SwitchA-Vlan-interface20] ipv6 dhcp select server

[SwitchA-Vlan-interface20] quit

# Exclude the DNS server addresses from dynamic assignment.

[SwitchA] ipv6 dhcp server forbidden-address 1::1:0:0:2

[SwitchA] ipv6 dhcp server forbidden-address 1::2:0:0:2

# Configure the DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::1:0:0:0/96.

[SwitchA] ipv6 dhcp pool 1

[SwitchA-dhcp6-pool-1] network 1::1:0:0:0/96 preferred-lifetime 172800 valid-lifetime 345600

[SwitchA-dhcp6-pool-1] domain-name aabbcc.com

[SwitchA-dhcp6-pool-1] dns-server 1::1:0:0:2

[SwitchA-dhcp6-pool-1] quit

# Configure the DHCPv6 address pool 2 to assign IPv6 addresses and other configuration parameters to clients on subnet 1::2:0:0:0/96.

[SwitchA] ipv6 dhcp pool 2

[SwitchA-dhcp6-pool-2] network 1::2:0:0:0/96 preferred-lifetime 432000 valid-lifetime 864000

[SwitchA-dhcp6-pool-2] domain-name aabbcc.com

[SwitchA-dhcp6-pool-2] dns-server 1::2:0:0:2

[SwitchA-dhcp6-pool-2] quit

Verifying the configuration

# Verify that the clients on subnets 1::1:0:0:0/96 and 1::2:0:0:0/96 can obtain IPv6 addresses and all other configuration parameters from the DHCPv6 server (Switch A). (Details not shown.)

# On the DHCPv6 server, display IPv6 addresses assigned to the DHCPv6 clients.

[SwitchA] display ipv6 dhcp server ip-in-use


Configuring the DHCPv6 relay agent

Overview

A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 66, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server. The relay agent feature avoids deploying a DHCPv6 server on each subnet.

Figure 66 Typical DHCPv6 relay agent application

 

As shown in Figure 67, a DHCPv6 client obtains an IPv6 address and other network configuration parameters from a DHCPv6 server through a DHCPv6 relay agent. The following example uses rapid assignment to describe the process:

·          The DHCPv6 client sends a Solicit message containing the Rapid Commit option to the multicast address FF02::1:2 of all the DHCPv6 servers and relay agents.

·          After receiving the Solicit message, the DHCPv6 relay agent encapsulates the message into the Relay Message option of a Relay-forward message, and sends the message to the DHCPv6 server.

·          After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server performs the following tasks:

○  Selects an IPv6 address and other required parameters.

○  Adds them to a reply that is encapsulated within the Relay Message option of a Relay-reply message.

○  Sends the Relay-reply message to the DHCPv6 relay agent.

·          The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the DHCPv6 client.

·          The DHCPv6 client uses the IPv6 address and other network parameters assigned by the DHCPv6 server to complete network configuration.

Figure 67 Operating process of a DHCPv6 relay agent
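The encapsulation steps above, carried through at the byte level with the DHCPv6 wire format from RFC 8415. This Python code is an added example, not H3C code; the function names are hypothetical, and the addresses, transaction ID and Interface-ID bytes in demo() are constructed values rather than what the switch emits.

```python
import ipaddress
import struct

# Message types and option codes from the DHCPv6 specification (RFC 8415).
SOLICIT, REPLY, RELAY_FORW, RELAY_REPL = 1, 7, 12, 13
OPT_CLIENTID, OPT_RELAY_MSG, OPT_RAPID_COMMIT, OPT_INTERFACE_ID = 1, 9, 14, 18
RELAY_HDR_LEN = 34   # msg-type, hop-count, link-address, peer-address
MAX_NESTING = 8      # parser limit chosen for this example


def pack_options(options):
    """Encode (code, data) pairs as option-code, option-len, option-data."""
    return b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)


def parse_options(buf):
    """Decode an options area, rejecting lengths that overrun the buffer."""
    opts, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} overruns the message")
        opts.append((code, buf[off:off + length]))
        off += length
    return opts


def client_message(msg_type, xid, options):
    """Client/server message: msg-type, 3-byte transaction ID, options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + pack_options(options)


def relay_forward(client_msg, link_addr, peer_addr, interface_id, hop_count=0):
    """Relay agent side: wrap the client's message in a Relay-forward."""
    header = (bytes([RELAY_FORW, hop_count])
              + ipaddress.IPv6Address(link_addr).packed
              + ipaddress.IPv6Address(peer_addr).packed)
    return header + pack_options([(OPT_INTERFACE_ID, interface_id),
                                  (OPT_RELAY_MSG, client_msg)])


def relay_reply(relay_fwd, reply_msg):
    """Server side: echo the relay header and Interface-ID, wrap the reply."""
    echoed = [(c, d) for c, d in parse_options(relay_fwd[RELAY_HDR_LEN:])
              if c == OPT_INTERFACE_ID]
    return (bytes([RELAY_REPL]) + relay_fwd[1:RELAY_HDR_LEN]
            + pack_options(echoed + [(OPT_RELAY_MSG, reply_msg)]))


def parse_message(buf, depth=0):
    """Decode a client/server message or a (possibly nested) relay message."""
    if not buf:
        raise ValueError("empty message")
    if buf[0] not in (RELAY_FORW, RELAY_REPL):
        if len(buf) < 4:
            raise ValueError("truncated message header")
        opts = parse_options(buf[4:])
        duid = next((d.hex() for c, d in opts if c == OPT_CLIENTID), None)
        return {"type": buf[0], "xid": int.from_bytes(buf[1:4], "big"),
                "rapid_commit": any(c == OPT_RAPID_COMMIT for c, _ in opts),
                "client_duid": duid}
    if depth >= MAX_NESTING:
        raise ValueError("relay nesting too deep")
    if len(buf) < RELAY_HDR_LEN:
        raise ValueError("truncated relay header")
    out = {"type": buf[0], "hop_count": buf[1],
           "link_address": str(ipaddress.IPv6Address(buf[2:18])),
           "peer_address": str(ipaddress.IPv6Address(buf[18:34])),
           "interface_id": None, "inner": None}
    for code, data in parse_options(buf[RELAY_HDR_LEN:]):
        if code == OPT_INTERFACE_ID:
            out["interface_id"] = data
        elif code == OPT_RELAY_MSG:
            out["inner"] = parse_message(data, depth + 1)
    if out["inner"] is None:
        raise ValueError("relay message carries no Relay Message option")
    return out


def demo():
    """Walk the rapid-assignment exchange with constructed values."""
    duid = bytes.fromhex("00030001CA0006A40000")
    solicit = client_message(SOLICIT, 0x1A2B3C,
                             [(OPT_CLIENTID, duid), (OPT_RAPID_COMMIT, b"")])
    # Constructed: link-address 1::1 (relay gateway), client fe80::1,
    # Interface-ID bytes are illustrative, not the device's encoding.
    fwd = relay_forward(solicit, "1::1", "fe80::1", b"Vlan-interface3")
    reply = client_message(REPLY, 0x1A2B3C,
                           [(OPT_CLIENTID, duid), (OPT_RAPID_COMMIT, b"")])
    return parse_message(fwd), parse_message(relay_reply(fwd, reply))


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

The link-address in the relay header is what the server matches against its address pools, and the peer-address and Interface-ID echoed in the Relay-reply tell the relay agent where to deliver the inner reply.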

 

DHCPv6 relay agent configuration task list

Tasks at a glance

(Required.) Enabling the DHCPv6 relay agent on an interface

(Required.) Specifying DHCPv6 servers on the relay agent

(Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent

(Optional.) Specifying a padding mode for the Interface-ID option

(Optional.) Configuring a DHCPv6 address pool on the DHCPv6 relay agent

(Optional.) Enabling the DHCPv6 relay agent to advertise IPv6 prefixes

 

Enabling the DHCPv6 relay agent on an interface

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Enable DHCPv6 relay agent on the interface.

ipv6 dhcp select relay

By default, the DHCPv6 relay agent is disabled on the interface.

Do not enable the DHCPv6 relay agent and DHCPv6 client on the same interface.

 

Specifying DHCPv6 servers on the relay agent

You can use the ipv6 dhcp relay server-address command to specify a maximum of eight DHCPv6 servers on the DHCPv6 relay agent interface. The DHCPv6 relay agent forwards DHCPv6 requests to all the specified DHCPv6 servers.

To specify a DHCPv6 server on a relay agent:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Specify a DHCPv6 server.

ipv6 dhcp relay server-address ipv6-address [ interface interface-type interface-number ]

By default, no DHCPv6 server is specified.

If a DHCPv6 server address is a link-local address or multicast address, you must specify an outgoing interface by using the interface keyword in this command. Otherwise, DHCPv6 packets might fail to reach the DHCPv6 server.

 

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent.

ipv6 dhcp dscp dscp-value

The default DSCP value is 56.

 

Specifying a padding mode for the Interface-ID option

This feature enables the relay agent to fill the Interface-ID option in the specified mode. When receiving a DHCPv6 packet from a client, the relay agent fills the Interface-ID option in the specified mode and then forwards the packet to the DHCPv6 server.

To specify a padding mode for the Interface-ID option:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

interface interface-type interface-number

N/A

3.       Specify a padding mode for the Interface-ID option.

ipv6 dhcp relay interface-id { bas | interface }

By default, the relay agent fills the Interface-ID option with the interface index of the interface.

 

Configuring a DHCPv6 address pool on the DHCPv6 relay agent

This feature allows DHCPv6 clients of the same type to obtain IPv6 addresses, IPv6 prefixes, and other configuration parameters from the DHCPv6 servers specified in the matching DHCPv6 address pool.

It applies to scenarios where the DHCPv6 relay agent connects to clients of the same access type but classified into different types by their locations. In this case, the relay interface typically has no IPv6 address configured. You can use the gateway-list command to specify the gateway addresses for clients matching the same DHCPv6 address pool.

Upon receiving a DHCPv6 Solicit or Request from a client that matches a DHCPv6 address pool, the relay agent processes the packet as follows:

·          Fills the link-address field of the packet with a specified gateway address.

·          Forwards the packet to all DHCPv6 servers in the matching DHCPv6 address pool.

The DHCPv6 servers select a DHCPv6 address pool according to the gateway address.

To configure a DHCPv6 address pool on the DHCPv6 relay agent:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a DHCPv6 address pool and enter its view.

ipv6 dhcp pool pool-name

By default, no DHCPv6 address pools exist.

3.       Specify gateway addresses for the clients matching the DHCPv6 address pool.

gateway-list ipv6-address&<1-8>

By default, no gateway address is specified.

4.       Specify DHCPv6 servers for the DHCPv6 address pool.

remote-server ipv6-address [ interface interface-type interface-number ]

By default, no DHCPv6 server is specified for the DHCPv6 address pool.

You can specify a maximum of eight DHCPv6 servers for one DHCPv6 address pool for high availability. The relay agent forwards DHCPv6 Solicit and Request packets to all DHCPv6 servers in the DHCPv6 address pool.

 

Enabling the DHCPv6 relay agent to advertise IPv6 prefixes

A DHCPv6 client can obtain an IPv6 prefix through DHCPv6 and use the IPv6 prefix for IPv6 address assignment in a downstream network. If the IPv6 prefix is in a different subnet than the IPv6 address of the DHCPv6 client's upstream interface, the downstream network cannot access the external network. You can enable the DHCPv6 relay agent that is on the same link as the DHCPv6 client to advertise the IPv6 prefix.

To enable the DHCPv6 relay agent to advertise IPv6 prefixes:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the DHCPv6 relay agent to advertise IPv6 prefixes.

ipv6 dhcp advertise pd-route

By default, the DHCPv6 relay agent does not advertise IPv6 prefixes.

Before using this command, make sure the DHCPv6 relay agent is enabled to record DHCPv6 relay entries.

 

Displaying and maintaining the DHCPv6 relay agent

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the DUID of the local device.

display ipv6 dhcp duid

Display DHCPv6 server addresses specified on the DHCPv6 relay agent.

display ipv6 dhcp relay server-address [ interface interface-type interface-number ]

Display packet statistics on the DHCPv6 relay agent.

display ipv6 dhcp relay statistics [ interface interface-type interface-number ]

Clear packet statistics on the DHCPv6 relay agent.

reset ipv6 dhcp relay statistics [ interface interface-type interface-number ]

 

DHCPv6 relay agent configuration example

Network requirements

As shown in Figure 68, configure the DHCPv6 relay agent on Switch A to relay DHCPv6 packets between DHCPv6 clients and the DHCPv6 server.

Switch A acts as the gateway of network 1::/64. It sends RA messages to notify the hosts to obtain IPv6 addresses and other configuration parameters through DHCPv6. For more information about RA messages, see "Configuring basic IPv6 settings."

Figure 68 Network diagram

 

Configuration procedure

# Specify IPv6 addresses for VLAN-interface 2 and VLAN-interface 3.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ipv6 address 2::1 64

[SwitchA-Vlan-interface2] quit

[SwitchA] interface vlan-interface 3

[SwitchA-Vlan-interface3] ipv6 address 1::1 64

# Disable RA message suppression on VLAN-interface 3.

[SwitchA-Vlan-interface3] undo ipv6 nd ra halt

# Set the M flag to 1 in RA advertisements to be sent on VLAN-interface 3. Hosts that receive the RA advertisements will obtain IPv6 addresses through DHCPv6.

[SwitchA-Vlan-interface3] ipv6 nd autoconfig managed-address-flag

# Set the O flag to 1 in RA advertisements to be sent on VLAN-interface 3. Hosts that receive the RA advertisements will obtain information other than IPv6 addresses through DHCPv6.

[SwitchA-Vlan-interface3] ipv6 nd autoconfig other-flag

# Enable the DHCPv6 relay agent on VLAN-interface 3 and specify the DHCPv6 server on the relay agent.

[SwitchA-Vlan-interface3] ipv6 dhcp select relay

[SwitchA-Vlan-interface3] ipv6 dhcp relay server-address 2::2

Verifying the configuration

# Display DHCPv6 server address information on Switch A.

[SwitchA-Vlan-interface3] display ipv6 dhcp relay server-address

Interface: Vlan-interface3

 Server address                             Outgoing Interface

 2::2

# Display packet statistics on the DHCPv6 relay agent.

[SwitchA-Vlan-interface3] display ipv6 dhcp relay statistics

Packets dropped               :  0

Packets received              :  14

    Solicit                   :  0

    Request                   :  0

    Confirm                   :  0

    Renew                     :  0

    Rebind                    :  0

    Release                   :  0

    Decline                   :  0

    Information-request       :  7

    Relay-forward             :  0

    Relay-reply               :  7

Packets sent                  :  14

    Advertise                 :  0

    Reconfigure               :  0

    Reply                     :  7

    Relay-forward             :  7

    Relay-reply               :  0


Configuring the DHCPv6 client

Overview

With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server.

A DHCPv6 client can use DHCPv6 to complete the following functions:

·          Obtain an IPv6 address, an IPv6 prefix, or both, and obtain other configuration parameters. The client automatically creates a DHCPv6 option group for the obtained parameters. With the obtained IPv6 prefix, the client can generate its global unicast address.

·          Support stateless DHCPv6 to obtain configuration parameters except IPv6 address and IPv6 prefix. The client obtains an IPv6 address through stateless IPv6 address autoconfiguration. If the client receives an RA message with the M flag set to 0 and the O flag set to 1 during address acquisition, stateless DHCPv6 starts.

Do not configure the DHCPv6 client on the same interface as the DHCPv6 server or the DHCPv6 relay agent.

DHCPv6 client configuration task list

Tasks at a glance

(Required.) Perform one of the following tasks:

·         Configuring IPv6 address acquisition

·         Configuring IPv6 prefix acquisition

·         Configuring stateless DHCPv6

(Optional.) Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client

 

Configuring IPv6 address acquisition

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: Supported interfaces include Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, Layer 3 aggregate subinterface, and VLAN interface.

3. Configure the interface to use DHCPv6 to obtain an IPv6 address and other configuration parameters.
   Command: ipv6 address dhcp-alloc [ option-group group-number | rapid-commit ] *
   Remarks: By default, the interface does not use DHCPv6 for IPv6 address acquisition.

 

Configuring IPv6 prefix acquisition

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: Supported interfaces include Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, Layer 3 aggregate subinterface, and VLAN interface.

3. Configure the interface to use DHCPv6 to obtain an IPv6 prefix and other configuration parameters.
   Command: ipv6 dhcp client pd prefix-number [ option-group group-number | rapid-commit ] *
   Remarks: By default, the interface does not use DHCPv6 for IPv6 prefix acquisition.

 

Configuring stateless DHCPv6

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: Supported interfaces include Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, Layer 3 aggregate subinterface, and VLAN interface.

3. Configure the interface to support stateless DHCPv6.
   Command:
   ·  Enable stateless IPv6 address autoconfiguration:
      ipv6 address auto
   ·  Enable stateless DHCPv6:
      ipv6 dhcp client stateless enable
   Remarks: By default, the interface does not support stateless DHCPv6. You can perform both tasks. If you use only the ipv6 address auto command, make sure the M flag is set to 0 and the O flag is set to 1 in the RA message. Otherwise, stateless DHCPv6 cannot be triggered.

 

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCPv6 packets sent by the DHCPv6 client:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the DSCP value for DHCPv6 packets sent by the DHCPv6 client.
   Command: ipv6 dhcp client dscp dscp-value
   Remarks: By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 client is 56.

 

Displaying and maintaining DHCPv6 client

Execute the display commands in any view, and execute the reset command in user view.

 

Task

Command

Display the DHCPv6 client information.

display ipv6 dhcp client [ interface interface-type interface-number ]

Display the DHCPv6 client statistics.

display ipv6 dhcp client statistics [ interface interface-type interface-number ]

Clear the DHCPv6 client statistics.

reset ipv6 dhcp client statistics [ interface interface-type interface-number ]

 

DHCPv6 client configuration examples

IPv6 address acquisition configuration example

Network requirements

As shown in Figure 69, configure the switch to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 address, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

Figure 69 Network diagram

 

Configuration procedure

You must configure the DHCPv6 server before you configure the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

# Configure VLAN-interface 2 as a DHCPv6 client for IPv6 address acquisition. Configure the DHCPv6 client to support DHCPv6 rapid address assignment. Configure the DHCPv6 client to create a dynamic DHCPv6 option group for saving configuration parameters.

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ipv6 address dhcp-alloc rapid-commit option-group 1

[Switch-Vlan-interface2] quit

Verifying the configuration

# Verify that the client has obtained an IPv6 address and other configuration parameters from the server.

[Switch] display ipv6 dhcp client

Vlan-interface2:

  Type: Stateful client requesting address

    State: OPEN

    Client DUID: 0003000100e002000000

    Preferred server:

      Reachable via address: FE80::2E0:1FF:FE00:18

      Server DUID: 0003000100e001000000

    IA_NA: IAID 0x00000642, T1 50 sec, T2 80 sec

      Address: 1:1::2/128

       Preferred lifetime 100 sec, valid lifetime 200 sec

       Will expire on Mar 27 2014 at 08:06:57 (198 seconds left)

    DNS server addresses:

      2000::FF

    Domain name:

      example.com

    SIP server addresses:

      2:2::4

    SIP server domain names:

      bbb.com

# Verify that the client has created a dynamic DHCPv6 option group for saving configuration parameters.

[Switch] display ipv6 dhcp option-group 1

DHCPv6 option group: 1

  DNS server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Vlan-interface2

    2000::FF

  Domain name:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Vlan-interface2

    example.com

  SIP server addresses:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Vlan-interface2

    2:2::4

  SIP server domain names:

    Type: Dynamic (DHCPv6 address allocation)

    Interface: Vlan-interface2

    bbb.com

# Verify that the DHCPv6 client has obtained an IPv6 address.

[Switch] display ipv6 interface brief

*down: administratively down

(s): spoofing

Interface                                Physical   Protocol   IPv6 Address

Vlan-interface2                          up         up         1:1::2
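The display ipv6 dhcp client output above identifies the server that answered (Server DUID) and the timers and DNS servers it supplied, which is what an operator compares against the intended DHCPv6 server. The following Python script is an added example, not H3C code: it parses that output, decodes the DUID, and reports an unexpected server or DNS address. The function names and the trusted lists are assumptions of this example.

```python
import ipaddress
import re

# Output copied from the "display ipv6 dhcp client" listing above (trimmed).
SAMPLE = """\
Vlan-interface2:
  Type: Stateful client requesting address
    State: OPEN
    Client DUID: 0003000100e002000000
    Preferred server:
      Reachable via address: FE80::2E0:1FF:FE00:18
      Server DUID: 0003000100e001000000
    IA_NA: IAID 0x00000642, T1 50 sec, T2 80 sec
      Address: 1:1::2/128
       Preferred lifetime 100 sec, valid lifetime 200 sec
    DNS server addresses:
      2000::FF
"""

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def decode_duid(hex_duid):
    """Split a DUID into its type and, for DUID-LL, hardware type and address."""
    raw = bytes.fromhex(hex_duid)
    if len(raw) < 3:
        raise ValueError("DUID too short")
    dtype = int.from_bytes(raw[:2], "big")
    info = {"type": DUID_TYPES.get(dtype, f"unknown({dtype})")}
    if dtype == 3:
        if len(raw) < 5:
            raise ValueError("DUID-LL without a link-layer address")
        info["hw_type"] = int.from_bytes(raw[2:4], "big")  # 1 = Ethernet
        info["link_layer"] = raw[4:].hex("-", 2)
    return info


def dns_servers(text):
    """Collect the address lines that follow 'DNS server addresses:'."""
    servers, collecting = [], False
    for line in text.splitlines():
        item = line.strip()
        if item == "DNS server addresses:":
            collecting = True
        elif collecting:
            try:
                servers.append(ipaddress.ip_address(item))
            except ValueError:
                collecting = False  # next label reached
    return servers


def parse_client(text):
    """Pull the fields this check needs out of the display output."""
    def grab(pattern, cast=str):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found: {pattern}")
        return cast(match.group(1))

    return {
        "state": grab(r"State:\s*(\S+)"),
        "server_duid": grab(r"Server DUID:\s*([0-9A-Fa-f]+)").lower(),
        "t1": grab(r"T1 (\d+) sec", int),
        "t2": grab(r"T2 (\d+) sec", int),
        "preferred": grab(r"Preferred lifetime (\d+) sec", int),
        "valid": grab(r"valid lifetime (\d+) sec", int),
        "dns": dns_servers(text),
    }


def audit(text, trusted_server_duids, trusted_dns):
    """Return a list of findings; an empty list means nothing unexpected."""
    lease = parse_client(text)
    trusted_duids = {d.lower() for d in trusted_server_duids}
    trusted_addrs = {ipaddress.ip_address(a) for a in trusted_dns}
    findings = []
    if lease["state"] != "OPEN":  # state shown on this page for a working client
        findings.append(f"client state is {lease['state']}")
    if lease["server_duid"] not in trusted_duids:
        findings.append(f"unexpected server DUID {lease['server_duid']}")
    for addr in lease["dns"]:
        if addr not in trusted_addrs:
            findings.append(f"unexpected DNS server {addr}")
    if lease["t1"] > lease["t2"]:
        findings.append("T1 is greater than T2")
    if lease["preferred"] > lease["valid"]:
        findings.append("preferred lifetime exceeds valid lifetime")
    return findings
```
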

IPv6 prefix acquisition configuration example

Network requirements

As shown in Figure 70, configure the switch to use DHCPv6 to obtain configuration parameters from the DHCPv6 server. The parameters include IPv6 prefix, DNS server address, domain name suffix, SIP server address, and SIP server domain name.

Figure 70 Network diagram

 

Configuration procedure

You must configure the DHCPv6 server before you configure the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

# Configure an IPv6 address for VLAN-interface 2 that is connected to the DHCPv6 server.

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ipv6 address 1::2/48

# Configure VLAN-interface 2 as a DHCPv6 client for IPv6 prefix acquisition. Configure the DHCPv6 client to support DHCPv6 rapid prefix assignment. Configure the DHCPv6 client to assign an ID to the obtained IPv6 prefix and create a dynamic DHCPv6 option group for saving configuration parameters.

[Switch-Vlan-interface2] ipv6 dhcp client pd 1 rapid-commit option-group 1

[Switch-Vlan-interface2] quit

Verifying the configuration

# Verify that the DHCPv6 client has obtained an IPv6 prefix and other configuration parameters from the DHCPv6 server.

[Switch] display ipv6 dhcp client

Vlan-interface2:

  Type: Stateful client requesting prefix

    State: OPEN

    Client DUID: 0003000100e002000000

    Preferred server:

      Reachable via address: FE80::2E0:1FF:FE00:18

      Server DUID: 0003000100e001000000

    IA_PD: IAID 0x00000642, T1 50 sec, T2 80 sec

      Prefix: 12:34::/48

        Preferred lifetime 100 sec, valid lifetime 200 sec

        Will expire on Feb 4 2014 at 15:37:20(80 seconds left)

    DNS server addresses:

      2000::FF

    Domain name:

      example.com

    SIP server addresses:

      2:2::4

    SIP server domain names:

      bbb.com

# Verify that the client has obtained an IPv6 prefix.

[Switch] display ipv6 prefix 1

Number: 1

Type  : Dynamic

Prefix: 12:34::/48

Preferred lifetime 100 sec, valid lifetime 200 sec

# Verify that the client has created a dynamic DHCPv6 option group for saving configuration parameters.

[Switch] display ipv6 dhcp option-group 1

DHCPv6 option group: 1

  DNS server addresses:

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Vlan-interface2

    2000::FF

  Domain name:

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Vlan-interface2

    example.com

  SIP server addresses:

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Vlan-interface2

    2:2::4

  SIP server domain names:

    Type: Dynamic (DHCPv6 prefix allocation)

    Interface: Vlan-interface2

    bbb.com

Stateless DHCPv6 configuration example

Network requirements

As shown in Figure 71, configure Switch A to use stateless DHCPv6 to obtain configuration parameters except IPv6 address and IPv6 prefix. Switch B acts as the gateway and advertises RA messages periodically.

Figure 71 Network diagram

 

Configuration procedure

You must configure the DHCPv6 server before you configure the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server."

1.        Configure the gateway Switch B.

# Configure an IPv6 address for VLAN-interface 2.

<SwitchB> system-view

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ipv6 address 1::1 64

# Set the O flag to 1 in RA advertisements to be sent on VLAN-interface 2. Hosts that receive the RA advertisements will obtain information other than an IPv6 address through DHCPv6.

[SwitchB-Vlan-interface2] ipv6 nd autoconfig other-flag

# Disable RA message suppression on VLAN-interface 2.

[SwitchB-Vlan-interface2] undo ipv6 nd ra halt

2.        Configure the DHCPv6 client Switch A.

# Enable stateless IPv6 address autoconfiguration on VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ipv6 address auto

With stateless IPv6 address autoconfiguration enabled, but no IPv6 address configured for VLAN-interface 2, Switch A automatically generates a link local address. It sends an RS message to Switch B to request configuration information for IPv6 address generation. Upon receiving the RS message, Switch B sends back an RA message. After receiving an RA message with the M flag set to 0 and the O flag set to 1, Switch A performs stateless DHCPv6 to get other configuration parameters.

Verifying the configuration

# Display the DHCPv6 client information.

[SwitchA-Vlan-interface2] display ipv6 dhcp client interface vlan-interface 2

Vlan-interface2:

 Type: Stateless client

    State: OPEN

    Client DUID: 00030001000fe2ff0000

    Preferred server:

      Reachable via address: FE80::213:7FFF:FEF6:C818

      Server DUID: 0003000100137ff6c818

    DNS server addresses:

      1:2:4::5

      1:2:4::7

    Domain name:

      abc.com

# Display the DHCPv6 client statistics.

[SwitchA-Vlan-interface2] display ipv6 dhcp client statistics

Interface                     :  Vlan-interface2

Packets received              :  1

        Reply                 :  1

        Advertise             :  0

        Reconfigure           :  0

        Invalid               :  0

Packets sent                  :  5

        Solicit               :  0

        Request               :  0

        Renew                 :  0

        Rebind                :  0

        Information-request   :  5

        Release               :  0

        Decline               :  0
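The M and O flags in the RA decide which DHCPv6 mode a client starts: the relay example sets both flags, and the stateless example above sets only the O flag. The following Python script is an added example, not H3C code: it parses a Router Advertisement, reports the mode a client would choose, and compares the flags with what the gateway is meant to advertise. The RA bytes are constructed in the script, and the function names are assumptions of this example.

```python
import ipaddress
import struct

RA_TYPE = 134
FLAG_M = 0x80           # managed address configuration
FLAG_O = 0x40           # other configuration
OPT_PREFIX_INFO = 3
PREFIX_FLAG_L = 0x80    # prefix is on-link
PREFIX_FLAG_A = 0x40    # prefix may be used for stateless autoconfiguration


def build_ra(managed, other, prefix=None):
    """Constructed RA used as sample input (checksum left at 0)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           PREFIX_FLAG_L | PREFIX_FLAG_A, 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg


def parse_ra(msg):
    """Return the M/O flags and the prefixes usable for autoconfiguration."""
    if len(msg) < 16:
        raise ValueError("truncated RA")
    mtype, code, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", msg[:16])
    if mtype != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & FLAG_M), "O": bool(flags & FLAG_O),
          "router_lifetime": lifetime, "slaac_prefixes": []}
    offset = 16
    while offset < len(msg):
        if offset + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[offset], msg[offset + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or offset + opt_len > len(msg):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = msg[offset + 2], msg[offset + 3]
            if pflags & PREFIX_FLAG_A:
                addr = ipaddress.IPv6Address(msg[offset + 16:offset + 32])
                ra["slaac_prefixes"].append(f"{addr}/{plen}")
        offset += opt_len
    return ra


def client_behaviour(ra):
    """Map the flags to the DHCPv6 mode described in this chapter."""
    if ra["M"]:
        return "stateful DHCPv6"    # addresses and other parameters from DHCPv6
    if ra["O"]:
        return "stateless DHCPv6"   # autoconfigured address, other parameters from DHCPv6
    return "no DHCPv6"


def audit_ra(ra, managed_expected, other_expected):
    """Compare a captured RA with the flags the gateway is meant to advertise."""
    findings = []
    for name, expected in (("M", managed_expected), ("O", other_expected)):
        if ra[name] != expected:
            findings.append(f"{name} flag is {int(ra[name])}, expected {int(expected)}")
    return findings
```
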

 


Configuring tunneling

Overview

Tunneling encapsulates the packets of a network protocol within the packets of a second network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source and de-encapsulated at the tunnel destination.

Tunneling supports the following technologies:

·          GRE tunneling.

·          MPLS TE tunneling.

·          VXLAN tunneling.

·          IPv6 over IPv4 tunneling and IPv4 over IPv4 tunneling.

Configuring a tunnel interface

Configure a tunnel interface (Layer 3 virtual interface) at both ends of a tunnel. The devices use the tunnel interface to identify, process, and send packets for the tunnel.

Follow these guidelines when you configure a tunnel interface:

·          The device cannot directly route a tunneled packet based on its destination address. The packet is sent to a tunnel-type service loopback group, which then delivers the packet to the forwarding module for Layer 3 forwarding. For the tunnel interface to forward and receive packets, you must configure a tunnel-type service loopback group on the device. For information about service loopback group, see Layer 2—LAN Switching Configuration Guide.

·          When an active/standby switchover occurs or the standby MPU is removed on a distributed device, the tunnel interfaces configured on the active or standby MPU still exist. To delete a tunnel interface, use the undo interface tunnel command.

To configure a tunnel interface:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a tunnel interface, specify the tunnel mode, and enter tunnel interface view.
   Command: interface tunnel number [ mode { gre | ipv4-ipv4 | ipv6-ipv4 | mpls-te | vxlan } ]
   Remarks: By default, no tunnel interfaces exist. When you create a new tunnel interface, you must specify the tunnel mode. When you enter the view of an existing tunnel interface, you do not need to specify the tunnel mode. For packet tunneling to succeed, the two ends of a tunnel must use the same tunnel mode.

3. Configure a source address or source interface for the tunnel interface.
   Command: source { ipv4-address | ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. If you specify a source address, it is used as the source address of tunneled packets. If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.

4. Configure a destination address for the tunnel interface.
   Command: destination { ipv4-address | ipv6-address }
   Remarks: By default, no destination address is configured for the tunnel interface. The tunnel destination address must be the IP address of the receiving interface on the tunnel peer. It is used as the destination IP address of tunneled packets.

5. (Optional.) Configure a description for the interface.
   Command: description text
   Remarks: By default, the description for a tunnel interface is Tunnel number Interface.

6. (Optional.) Specify a traffic processing slot for the tunnel interface.
   Command:
   In standalone mode:
      service slot slot-number
   In IRF mode:
      service chassis chassis-number slot slot-number
   Remarks: By default, no traffic processing slot is specified. Traffic on a tunnel interface is processed on the slot at which the traffic arrives.

7. Set the MTU of the tunnel interface.
   Command: mtu size
   Remarks: If the tunnel interface has never been up, the default MTU is 64000 bytes. If the tunnel interface is up, its default MTU is identical to the outgoing interface's MTU minus the length of the tunnel headers. The outgoing interface is automatically obtained through routing table lookup based on the tunnel destination address.

8. Set the expected bandwidth for the tunnel interface.
   Command: bandwidth bandwidth-value
   Remarks: The default expected bandwidth (in kbps) is the interface maximum rate divided by 1000. The expected bandwidth for the tunnel interface affects the link cost value. For more information, see Layer 3—IP Routing Configuration Guide.

9. Set the ToS for tunneled packets.
   Command: tunnel tos tos-value
   Remarks: The default setting is the same as the ToS of the original packets.

10. Set the TTL for tunneled packets.
   Command: tunnel ttl ttl-value
   Remarks: The default TTL for tunneled packets is 255.

11. Specify the VPN instance to which the tunnel destination belongs.
   Command: tunnel vpn-instance vpn-instance-name
   Remarks: By default, the tunnel destination belongs to the public network. For a tunnel interface to come up, the tunnel source and destination must belong to the same VPN instance. To specify a VPN instance for the tunnel source, use the ip binding vpn-instance command on the tunnel source interface. For more information about the ip binding vpn-instance command, see MPLS Command Reference.

12. (Optional.) Restore the default settings of the tunnel interface.
   Command: default
   Remarks: N/A

13. (Optional.) Shut down the tunnel interface.
   Command: shutdown
   Remarks: By default, a tunnel interface is down.

 

Displaying and maintaining tunneling configuration

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about tunnel interfaces.

display interface [ tunnel [ number ] ] [ brief [ description | down ] ]

Display IPv6 information on tunnel interfaces.

display ipv6 interface [ tunnel [ number ] ] [ brief ]

Clear statistics on tunnel interfaces.

reset counters interface [ tunnel [ number ] ]

 

Troubleshooting tunneling configuration

Symptom

A tunnel interface configured with related parameters such as tunnel source address, tunnel destination address, and tunnel mode cannot come up.

Analysis

The physical interface of the tunnel does not come up, or the tunnel destination is unreachable.

Solution

1.        To resolve the problem:

○  Use the display interface or display ipv6 interface command to verify that the physical interface of the tunnel is up. If the physical interface is down, check the network connection.

○  Use the display ipv6 routing-table or display ip routing-table command to verify that the tunnel destination is reachable. If the route is not available, configure a route to reach the tunnel destination.

2.        If the problem persists, contact H3C Support.


IPv6 over IPv4 tunneling

Overview

IPv6 over IPv4 tunneling enables isolated IPv6 networks to communicate, as shown in Figure 72.

 

 

NOTE:

The devices at both ends of an IPv6 over IPv4 tunnel must support the IPv4/IPv6 dual stack.

 

Figure 72 IPv6 over IPv4 tunnel

 

The IPv6 over IPv4 tunnel processes packets by using the following steps:

1.        A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.

2.        After Device A receives the IPv6 packet, it processes the packet as follows:

a.    Searches the routing table to identify the outgoing interface for the IPv6 packet.

The outgoing interface is the tunnel interface, so Device A knows that the packet needs to be forwarded through the tunnel.

b.    Adds an IPv4 header to the IPv6 packet and forwards the packet through the physical interface of the tunnel.

In the IPv4 header, the source IPv4 address is the IPv4 address of the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination.

3.        Upon receiving the packet, Device B de-encapsulates the packet.

4.        If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol. If it is not, Device B forwards it according to the routing table.

Configuring an IPv6 over IPv4 tunnel

Follow these guidelines when you configure an IPv6 over IPv4 tunnel:

·          The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.

·          Do not specify the same tunnel source and destination addresses for the tunnel interfaces in the same mode on a device.

·          To ensure correct packet forwarding, identify whether the destination IPv6 network and the IPv6 address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination IPv6 network through the tunnel interface. You can configure the route by using one of the following methods:

○  Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop.

○  Enable IPv6 BGP on the tunnel interface.

You must configure the route on both the local and peer tunnel interfaces.

For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

To configure an IPv6 over IPv4 tunnel:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter IPv6 over IPv4 tunnel interface view.
   Command: interface tunnel number [ mode ipv6-ipv4 ]
   Remarks: N/A

3. Specify an IPv6 address for the tunnel interface.
   Command: See "Configuring basic IPv6 settings."
   Remarks: By default, no IPv6 address is configured for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
   Command: source { ipv4-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. If you specify a source address, it is used as the source IP address of tunneled packets. If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.

5. Configure a destination address for the tunnel interface.
   Command: destination ipv4-address
   Remarks: By default, no destination address is configured for the tunnel interface. The tunnel destination address must be the IP address of the receiving interface on the tunnel peer. It is used as the destination IP address of tunneled packets.

6. (Optional.) Set the DF bit for tunneled packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for tunneled packets.

7. Return to system view.
   Command: quit
   Remarks: N/A

8. (Optional.) Enable dropping IPv6 packets that use IPv4-compatible IPv6 addresses.
   Command: tunnel discard ipv4-compatible-packet
   Remarks: By default, IPv6 packets that use IPv4-compatible IPv6 addresses are not dropped.

 

Configuration example

Network requirements

As shown in Figure 73, configure an IPv6 over IPv4 tunnel between Switch A and Switch B so the two IPv6 networks can reach each other over the IPv4 network.

Figure 73 Network diagram

Configuration procedure

Make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other through IPv4.

·          Configure Switch A:

# Add HundredGigE 1/0/2 (the physical interface of the tunnel) to VLAN 100.

<SwitchA> system-view

[SwitchA] vlan 100

[SwitchA-vlan100] port hundredgige 1/0/2

[SwitchA-vlan100] quit

# Specify an IPv4 address for VLAN-interface 100.

[SwitchA] interface vlan-interface 100

[SwitchA-Vlan-interface100] ip address 192.168.100.1 255.255.255.0

[SwitchA-Vlan-interface100] quit

# Add HundredGigE 1/0/1 to VLAN 101.

[SwitchA] vlan 101

[SwitchA-vlan101] port hundredgige 1/0/1

[SwitchA-vlan101] quit

# Specify an IPv6 address for VLAN-interface 101.

[SwitchA] interface vlan-interface 101

[SwitchA-Vlan-interface101] ipv6 address 3002::1 64

[SwitchA-Vlan-interface101] quit

# Create service loopback group 1, and specify its service type as tunnel.

[SwitchA] service-loopback group 1 type tunnel

# Add HundredGigE 1/0/3 to service loopback group 1.

[SwitchA] interface hundredgige 1/0/3

[SwitchA-HundredGigE1/0/3] port service-loopback group 1

[SwitchA-HundredGigE1/0/3] quit

# Create IPv6 over IPv4 tunnel interface Tunnel 0.

[SwitchA] interface tunnel 0 mode ipv6-ipv4

# Specify an IPv6 address for the tunnel interface.

[SwitchA-Tunnel0] ipv6 address 3001::1/64

# Specify VLAN-interface 100 as the source interface of the tunnel interface.

[SwitchA-Tunnel0] source vlan-interface 100

# Specify the destination address for the tunnel interface as the IP address of VLAN-interface 100 on Switch B.

[SwitchA-Tunnel0] destination 192.168.50.1

[SwitchA-Tunnel0] quit

# Configure a static route destined for IPv6 network 2 through tunnel 0.

[SwitchA] ipv6 route-static 3003:: 64 tunnel 0

·          Configure Switch B:

# Add HundredGigE 1/0/2 (the physical interface of the tunnel) to VLAN 100.

<SwitchB> system-view

[SwitchB] vlan 100

[SwitchB-vlan100] port hundredgige 1/0/2

[SwitchB-vlan100] quit

# Specify an IPv4 address for VLAN-interface 100.

[SwitchB] interface vlan-interface 100

[SwitchB-Vlan-interface100] ip address 192.168.50.1 255.255.255.0

[SwitchB-Vlan-interface100] quit

# Add HundredGigE 1/0/1 to VLAN 101.

[SwitchB] vlan 101

[SwitchB-vlan101] port hundredgige 1/0/1

[SwitchB-vlan101] quit

# Specify an IPv6 address for VLAN-interface 101.

[SwitchB] interface vlan-interface 101

[SwitchB-Vlan-interface101] ipv6 address 3003::1 64

[SwitchB-Vlan-interface101] quit

# Create service loopback group 1, and specify its service type as tunnel.

[SwitchB] service-loopback group 1 type tunnel

# Add HundredGigE 1/0/3 to service loopback group 1.

[SwitchB] interface hundredgige 1/0/3

[SwitchB-HundredGigE1/0/3] port service-loopback group 1

[SwitchB-HundredGigE1/0/3] quit

# Create IPv6 over IPv4 tunnel interface Tunnel 0.

[SwitchB] interface tunnel 0 mode ipv6-ipv4

# Specify an IPv6 address for the tunnel interface.

[SwitchB-Tunnel0] ipv6 address 3001::2/64

# Specify VLAN-interface 100 as the source interface of the tunnel interface.

[SwitchB-Tunnel0] source vlan-interface 100

# Specify the destination address for the tunnel interface as the IP address of VLAN-interface 100 of Switch A.

[SwitchB-Tunnel0] destination 192.168.100.1

[SwitchB-Tunnel0] quit

# Configure a static route destined for IPv6 network 1 through tunnel 0.

[SwitchB] ipv6 route-static 3002:: 64 tunnel 0

Verifying the configuration

# Use the display ipv6 interface command to display tunnel interface status on Switch A and Switch B. Verify that the interface tunnel 0 is up. (Details not shown.)

# Verify that Switch B and Switch A can ping the IPv6 address of VLAN-interface 101 of each other. This example uses Switch A.

[SwitchA] ping ipv6 3003::1

Ping6(56 data bytes) 3001::1 --> 3003::1, press CTRL_C to break

56 bytes from 3003::1, icmp_seq=0 hlim=64 time=45.000 ms

56 bytes from 3003::1, icmp_seq=1 hlim=64 time=10.000 ms

56 bytes from 3003::1, icmp_seq=2 hlim=64 time=4.000 ms

56 bytes from 3003::1, icmp_seq=3 hlim=64 time=10.000 ms

56 bytes from 3003::1, icmp_seq=4 hlim=64 time=11.000 ms

 

--- Ping6 statistics for 3003::1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 4.000/16.000/45.000/14.711 ms
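The guidelines for this tunnel type require the two ends to use the same tunnel mode, each destination to equal the peer's tunnel source, and a route through the tunnel to the remote IPv6 network when it is not on the tunnel interface's subnet. The following Python script is an added example, not H3C code: it checks those three points against the tunnel-related commands of the procedure above. It assumes the device name in the prompt contains no hyphen, and the function names are this example's own.

```python
import ipaddress
import re

# Tunnel-related commands copied from the Switch A and Switch B procedure above.
SWITCH_A = """\
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 192.168.100.1 255.255.255.0
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ipv6 address 3002::1 64
[SwitchA] interface tunnel 0 mode ipv6-ipv4
[SwitchA-Tunnel0] ipv6 address 3001::1/64
[SwitchA-Tunnel0] source vlan-interface 100
[SwitchA-Tunnel0] destination 192.168.50.1
[SwitchA] ipv6 route-static 3003:: 64 tunnel 0
"""
SWITCH_B = """\
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address 192.168.50.1 255.255.255.0
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ipv6 address 3003::1 64
[SwitchB] interface tunnel 0 mode ipv6-ipv4
[SwitchB-Tunnel0] ipv6 address 3001::2/64
[SwitchB-Tunnel0] source vlan-interface 100
[SwitchB-Tunnel0] destination 192.168.100.1
[SwitchB] ipv6 route-static 3002:: 64 tunnel 0
"""

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(.+)$")


def v6_network(words):
    """Accept both the 'ADDR LEN' and 'ADDR/LEN' forms used in the procedure."""
    text = words[0] if "/" in words[0] else f"{words[0]}/{words[1]}"
    return ipaddress.ip_interface(text).network


def parse(transcript):
    """Collect interface addresses, tunnel settings and tunnel routes."""
    cfg = {"ipv4": {}, "lans": [], "tunnel": {}, "routes": []}
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue
        view, words = match.group(1), match.group(2).split()
        # "SwitchA-Vlan-interface100" -> "vlan-interface100"; system view has no suffix
        iface = view.split("-", 1)[1].lower() if "-" in view else None
        in_tunnel = bool(iface) and iface.startswith("tunnel")
        if words[:2] == ["interface", "tunnel"] and "mode" in words[:-1]:
            cfg["tunnel"]["mode"] = words[words.index("mode") + 1]
        elif iface and words[:2] == ["ip", "address"]:
            cfg["ipv4"][iface] = words[2]
        elif iface and words[:2] == ["ipv6", "address"]:
            if in_tunnel:
                cfg["tunnel"]["net"] = v6_network(words[2:])
            else:
                cfg["lans"].append(v6_network(words[2:]))
        elif in_tunnel and words[0] == "source":
            cfg["tunnel"]["source"] = "".join(words[1:]).lower()
        elif in_tunnel and words[0] == "destination":
            cfg["tunnel"]["destination"] = words[1]
        elif words[:2] == ["ipv6", "route-static"] and "tunnel" in words:
            cfg["routes"].append(v6_network(words[2:4]))
    return cfg


def source_address(cfg):
    """Resolve a source interface to its IPv4 address; keep a literal as is."""
    src = cfg["tunnel"].get("source")
    return cfg["ipv4"].get(src, src)


def check_pair(a, b):
    """Return the guideline violations found between the two tunnel ends."""
    problems = []
    if a["tunnel"].get("mode") != b["tunnel"].get("mode"):
        problems.append("tunnel mode differs between the two ends")
    for name, local, peer in (("A", a, b), ("B", b, a)):
        dest, peer_src = local["tunnel"].get("destination"), source_address(peer)
        if dest != peer_src:
            problems.append(f"{name}: destination {dest} != peer tunnel source {peer_src}")
        tunnel_net = local["tunnel"].get("net")
        for lan in peer["lans"]:
            on_tunnel_subnet = tunnel_net is not None and lan.subnet_of(tunnel_net)
            if not on_tunnel_subnet and not any(lan.subnet_of(r) for r in local["routes"]):
                problems.append(f"{name}: no route to {lan} through the tunnel")
    return problems
```
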


IPv4 over IPv4 tunneling

Overview

IPv4 over IPv4 tunneling (RFC 1853) enables isolated IPv4 networks to communicate. For example, an IPv4 over IPv4 tunnel can connect isolated private IPv4 networks over a public IPv4 network.

Figure 74 IPv4 over IPv4 tunnel

 

Figure 74 shows the encapsulation and de-encapsulation processes.

·          Encapsulation:

a.    Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack.

b.    The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface.

c.    The tunnel interface adds a new IPv4 header to the IPv4 packet and submits it to the IP protocol stack.

In the new header, the source IP address specifies the tunnel source, and the destination IP address specifies the tunnel destination.

d.    The IP protocol stack uses the destination IP address of the new IP header to look up the routing table, and then sends the packet out.

·          De-encapsulation:

e.    After receiving the packet, Device B delivers it to the IP protocol stack.

f.     If the protocol number is 4 (indicating an IPv4 packet is encapsulated within the packet), the IP protocol stack delivers the packet to the tunnel module for de-encapsulation.

g.    The tunnel module de-encapsulates the IP packet and sends it back to the IP protocol stack.

h.    The protocol stack forwards the de-encapsulated packet.
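The encapsulation and de-encapsulation steps above, and those of the IPv6 over IPv4 tunnel earlier in this chapter, differ only in the protocol number of the outer IPv4 header. The following Python script is an added example, not H3C code: it builds the outer header with the defaults this guide states (ToS copied from the original packet, TTL 255, DF bit not set) and de-encapsulates with validation. Protocol number 41 for IPv6 is taken from the IANA registry and not from this page. Checking the outer address pair against the configured tunnel is an assumption of this example, and the sample packets are constructed.

```python
import ipaddress
import struct

PROTO_IPV4_IN_IPV4 = 4   # stated in the de-encapsulation steps above
PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number for IPv6 encapsulation
OUTER_HEADER_LEN = 20    # outer IPv4 header without options


def checksum(data):
    """Internet checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, tos=0, ttl=255, df=False):
    """Build a 20-byte IPv4 header with a valid checksum."""
    total_len = OUTER_HEADER_LEN + payload_len
    if total_len > 0xFFFF:
        raise ValueError("payload too large for one IPv4 packet")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0,
                      0x4000 if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def encapsulate(inner, tunnel_src, tunnel_dst, tos=None, ttl=255, df=False):
    """Prepend the outer header; source and destination are the tunnel endpoints."""
    version = inner[0] >> 4
    if version == 4:
        proto, inner_tos = PROTO_IPV4_IN_IPV4, inner[1]
    elif version == 6:
        proto = PROTO_IPV6_IN_IPV4
        inner_tos = ((inner[0] & 0x0F) << 4) | (inner[1] >> 4)  # traffic class
    else:
        raise ValueError("inner packet is neither IPv4 nor IPv6")
    outer_tos = inner_tos if tos is None else tos
    return ipv4_header(tunnel_src, tunnel_dst, proto, len(inner), outer_tos, ttl, df) + inner


def decapsulate(packet, local_addr, peer_addr):
    """Validate the outer header and return (protocol, inner packet)."""
    if len(packet) < OUTER_HEADER_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < OUTER_HEADER_LEN or ihl > len(packet):
        raise ValueError("bad header length")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if not ihl <= total_len <= len(packet):
        raise ValueError("bad total length")
    proto = packet[9]
    if proto not in (PROTO_IPV4_IN_IPV4, PROTO_IPV6_IN_IPV4):
        raise ValueError("not a tunneled packet")
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if (src, dst) != (ipaddress.IPv4Address(peer_addr), ipaddress.IPv4Address(local_addr)):
        raise ValueError("outer addresses do not match the configured tunnel")
    inner = packet[ihl:total_len]
    if not inner or inner[0] >> 4 != (4 if proto == PROTO_IPV4_IN_IPV4 else 6):
        raise ValueError("inner version does not match outer protocol")
    return proto, inner


def tunnel_mtu(outgoing_mtu):
    """Default MTU of an up tunnel: outgoing interface MTU minus the tunnel header."""
    return outgoing_mtu - OUTER_HEADER_LEN


def sample_ipv6(src, dst, payload):
    """Constructed IPv6 packet (next header 59, no next header) used as input."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)
```
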

Configuring an IPv4 over IPv4 tunnel

Follow these guidelines when you configure an IPv4 over IPv4 tunnel:

·          The tunnel destination address specified on the local device must be identical with the tunnel source address specified on the tunnel peer device.

·          Do not specify the same source and destination addresses for local tunnel interfaces in the same tunnel mode.

·          The IPv4 address of the local tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface.

·          To ensure correct packet forwarding, identify whether the destination IPv4 network and the IPv4 address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination IPv4 network through the tunnel interface. You can configure the route by using one of the following methods:

○  Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv4 address of the peer tunnel interface as the next hop.

○  Enable BGP on the tunnel interface.

You must configure the route on both the local and peer tunnel interfaces.

For more information about route configuration, see Layer 3—IP Routing Configuration Guide.

·          The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface.

To configure an IPv4 over IPv4 tunnel:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter IPv4 over IPv4 tunnel interface view.
   Command: interface tunnel number [ mode ipv4-ipv4 ]
   Remarks: N/A

3. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
   Command: source { ipv4-address | interface-type interface-number }
   Remarks: By default, no source address or source interface is configured for the tunnel interface. If you specify a source address, it is used as the source IP address of tunneled packets. If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.

5. Configure a destination address for the tunnel interface.
   Command: destination ipv4-address
   Remarks: By default, no destination address is configured for the tunnel interface. The tunnel destination address must be the IP address of the receiving interface on the tunnel peer. It is used as the destination IP address of tunneled packets.

6. (Optional.) Set the DF bit for tunneled packets.
   Command: tunnel dfbit enable
   Remarks: By default, the DF bit is not set for tunneled packets.

 

Configuration example

Network requirements

As shown in Figure 75, the two subnets IPv4 group 1 and IPv4 group 2 use private IPv4 addresses. Configure an IPv4 over IPv4 tunnel between Switch A and Switch B to make the two subnets reachable to each other.

Figure 75 Network diagram

Configuration procedure

Make sure Switch A and Switch B have the corresponding VLAN interfaces created and can reach each other through IPv4.

·          Configure Switch A:

# Add HundredGigE 1/0/1 to VLAN 100.

<SwitchA> system-view

[SwitchA] vlan 100

[SwitchA-vlan100] port hundredgige 1/0/1

[SwitchA-vlan100] quit

# Specify an IPv4 address for VLAN-interface 100.

[SwitchA] interface vlan-interface 100

[SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0

[SwitchA-Vlan-interface100] quit

# Add HundredGigE 1/0/2 (the physical interface of the tunnel) to VLAN 101.

[SwitchA] vlan 101

[SwitchA-vlan101] port hundredgige 1/0/2

[SwitchA-vlan101] quit

# Specify an IPv4 address for VLAN-interface 101.

[SwitchA] interface vlan-interface 101

[SwitchA-Vlan-interface101] ip address 2.1.1.1 255.255.255.0

[SwitchA-Vlan-interface101] quit

# Create service loopback group 1, and specify its service type as tunnel.

[SwitchA] service-loopback group 1 type tunnel

# Assign HundredGigE 1/0/3 to service loopback group 1.

[SwitchA] interface hundredgige 1/0/3

[SwitchA-HundredGigE1/0/3] port service-loopback group 1

[SwitchA-HundredGigE1/0/3] quit

# Create IPv4 over IPv4 tunnel interface Tunnel 1.

[SwitchA] interface tunnel 1 mode ipv4-ipv4

# Specify an IPv4 address for the tunnel interface.

[SwitchA-Tunnel1] ip address 10.1.2.1 255.255.255.0

# Specify the IP address of VLAN-interface 101 as the source address for the tunnel interface.

[SwitchA-Tunnel1] source 2.1.1.1

# Specify the IP address of VLAN-interface 101 on Switch B as the destination address for the tunnel interface.

[SwitchA-Tunnel1] destination 3.1.1.1

[SwitchA-Tunnel1] quit

# Configure a static route destined for IPv4 group 2 through the tunnel interface.

[SwitchA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1

·          Configure Switch B:

# Add HundredGigE 1/0/1 to VLAN 100.

<SwitchB> system-view

[SwitchB] vlan 100

[SwitchB-vlan100] port hundredgige 1/0/1

[SwitchB-vlan100] quit

# Specify an IPv4 address for VLAN-interface 100.

[SwitchB] interface vlan-interface 100

[SwitchB-Vlan-interface100] ip address 10.1.3.1 255.255.255.0

[SwitchB-Vlan-interface100] quit

# Add HundredGigE 1/0/2 (the physical interface of the tunnel) to VLAN 101.

[SwitchB] vlan 101

[SwitchB-vlan101] port hundredgige 1/0/2

[SwitchB-vlan101] quit

# Specify an IPv4 address for VLAN-interface 101.

[SwitchB] interface vlan-interface 101

[SwitchB-Vlan-interface101] ip address 3.1.1.1 255.255.255.0

[SwitchB-Vlan-interface101] quit

# Create service loopback group 1, and specify its service type as tunnel.

[SwitchB] service-loopback group 1 type tunnel

# Assign HundredGigE 1/0/3 to service loopback group 1.

[SwitchB] interface hundredgige 1/0/3

[SwitchB-HundredGigE1/0/3] port service-loopback group 1

[SwitchB-HundredGigE1/0/3] quit

# Create IPv4 over IPv4 tunnel interface Tunnel 2.

[SwitchB] interface tunnel 2 mode ipv4-ipv4

# Specify an IPv4 address for the tunnel interface.

[SwitchB-Tunnel2] ip address 10.1.2.2 255.255.255.0

# Specify the IP address of VLAN-interface 101 as the source address for the tunnel interface.

[SwitchB-Tunnel2] source 3.1.1.1

# Specify the IP address of VLAN-interface 101 on Switch A as the destination address for the tunnel interface.

[SwitchB-Tunnel2] destination 2.1.1.1

[SwitchB-Tunnel2] quit

# Configure a static route destined for IPv4 group 1 through the tunnel interface.

[SwitchB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2

Verifying the configuration

# Use the display interface tunnel command to display the status of the tunnel interfaces on Switch A and Switch B. Verify that the tunnel interfaces are up. (Details not shown.)

# Verify that Switch A and Switch B can ping the IPv4 address of the peer interface VLAN-interface 100. This example uses Switch A.

[SwitchA] ping -a 10.1.1.1 10.1.3.1

Ping 10.1.3.1 (10.1.3.1) from 10.1.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.3.1: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 10.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 10.1.3.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/2.000/0.632 ms

 


Configuring GRE

Overview

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a protocol (such as IP, MPLS, or Ethernet) into a virtual point-to-point tunnel over a network (such as an IP network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.

GRE encapsulation format

Figure 76 GRE encapsulation format

 

As shown in Figure 76, a GRE-tunneled packet includes the following parts:

·          Payload packet—Original packet. The protocol type of the payload packet is called the passenger protocol. The passenger protocol can be any network layer protocol.

·          GRE header—Header that is added to the payload packet to change the payload packet to a GRE packet. A GRE header includes the number of encapsulations, version, and passenger protocol type. GRE is called the encapsulation protocol.

·          Delivery header—Header that is added to the GRE packet to deliver it to the tunnel end. The transport protocol (or delivery protocol) is the network layer protocol that transfers GRE packets.

GRE tunnel operating principle

Figure 77 IPv6 networks interconnected through a GRE tunnel

As shown in Figure 77, an IPv6 protocol packet traverses an IPv4 network through a GRE tunnel as follows:

1.        After receiving an IPv6 packet from the interface connected to IPv6 network 1, Device A processes the packet as follows:

a.    Looks up the routing table to identify the outgoing interface for the IPv6 packet.

b.    Submits the IPv6 packet to the outgoing interface—the GRE tunnel interface Tunnel 0.

2.        Upon receiving the packet, the tunnel interface encapsulates the packet with GRE and then with IPv4. In the IPv4 header:

◦  The source address is the tunnel's source address (the IP address of interface HundredGigE 1/0/1 of Device A).

◦  The destination address is the tunnel's destination address (the IP address of interface HundredGigE 1/0/1 of Device B).

3.        Device A looks up the routing table according to the destination address in the IPv4 header, and forwards the IPv4 packet out of the physical interface (HundredGigE 1/0/1) of the GRE tunnel.

4.        When the IPv4 packet arrives at the GRE tunnel destination Device B, Device B checks the destination address. Because the destination is Device B itself and the protocol number in the IP header is 47 (the protocol number for GRE), Device B submits the packet to GRE for de-encapsulation.

5.        GRE first removes the IPv4 header, and then checks the packet sequence number. After GRE finishes the checking, it removes the GRE header, and submits the payload to the IPv6 protocol for forwarding.
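The following added example (not code from this guide or from H3C) walks through steps 2 to 5 in Python: the tunnel source builds the GRE header and the IPv4 delivery header, and the tunnel destination validates and strips them. The addresses 1.1.1.1 and 2.2.2.2, the 1500-byte link MTU, the dummy IPv6 packet, the outer-source check, and all function names are assumptions of the example; the header layout follows RFC 2784 and RFC 2890.

```python
import ipaddress
import struct

GRE_PROTO = 47                                    # IPv4 protocol number for GRE
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present
MUST_BE_ZERO = 0x4C00                             # RFC 2784 bits 1, 4 and 5
PASSENGERS = {0x0800: "IPv4", 0x86DD: "IPv6"}     # GRE protocol type is an EtherType


class GreDrop(Exception):
    """The receiving tunnel end must discard the packet."""


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_header_len(flags: int) -> int:
    """4 fixed bytes plus 4 for each optional field that is present."""
    return 4 + 4 * sum(bool(flags & f) for f in (FLAG_C, FLAG_K, FLAG_S))


def tunnel_mtu(link_mtu: int = 1500, flags: int = 0) -> int:
    """Largest passenger packet that fits without fragmenting the delivery packet."""
    return link_mtu - 20 - gre_header_len(flags)


def encapsulate(payload, proto_type, src, dst, key=None, seq=None, checksum=False):
    """Tunnel source side: GRE header first, then the IPv4 delivery header."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0) \
        | (FLAG_S if seq is not None else 0)
    base = struct.pack("!HH", flags, proto_type)
    tail = b"".join(struct.pack("!I", v) for v in (key, seq) if v is not None)
    csum_field = b""
    if checksum:  # computed over GRE header + payload with the checksum field zeroed
        csum = inet_checksum(base + b"\x00" * 4 + tail + payload)
        csum_field = struct.pack("!HH", csum, 0)
    gre = base + csum_field + tail + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 255,
                     GRE_PROTO, 0, src.packed, dst.packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + gre


def decapsulate(packet, local, peer, expect_key=None, last_seq=None):
    """Tunnel destination side: returns (passenger, sequence, payload) or raises GreDrop."""
    if len(packet) < 24:
        raise GreDrop("truncated packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl + 4 <= total_len <= len(packet):
        raise GreDrop("malformed IPv4 delivery header")
    if inet_checksum(packet[:ihl]) != 0:
        raise GreDrop("bad IPv4 header checksum")
    if ipaddress.IPv4Address(dst) != local or proto != GRE_PROTO:
        raise GreDrop("not a GRE packet for this tunnel end")
    if ipaddress.IPv4Address(src) != peer:   # added hardening, not a step from the guide
        raise GreDrop("outer source is not the configured tunnel destination")
    gre = packet[ihl:total_len]
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007 or flags & MUST_BE_ZERO:
        raise GreDrop("unsupported GRE version or RFC 1701 bits set")
    if len(gre) < gre_header_len(flags):
        raise GreDrop("GRE header truncated")
    offset = 4
    if flags & FLAG_C:
        if inet_checksum(gre) != 0:
            raise GreDrop("GRE checksum mismatch")
        offset += 4
    key = seq = None
    if flags & FLAG_K:
        key, = struct.unpack("!I", gre[offset:offset + 4])
        offset += 4
    if key != expect_key:
        raise GreDrop("GRE key does not match the configured key")
    if flags & FLAG_S:
        seq, = struct.unpack("!I", gre[offset:offset + 4])
        offset += 4
        delta = (seq - last_seq) & 0xFFFFFFFF if last_seq is not None else 1
        if delta == 0 or delta >= 0x80000000:   # RFC 2890 modular comparison
            raise GreDrop("sequence number not newer than the last accepted one")
    return PASSENGERS.get(proto_type, hex(proto_type)), seq, gre[offset:]


# Constructed sample: tunnel ends 1.1.1.1 and 2.2.2.2, dummy 40-byte IPv6 passenger packet.
A, B = ipaddress.IPv4Address("1.1.1.1"), ipaddress.IPv4Address("2.2.2.2")
IPV6_PKT = bytes([0x60]) + bytes(39)


def demo():
    wire = encapsulate(IPV6_PKT, 0x86DD, A, B, seq=7, checksum=True)
    return decapsulate(wire, local=B, peer=A, last_seq=6)
```

With no optional fields the GRE header is 4 bytes, so `tunnel_mtu()` returns 1476, the Maximum Transmit Unit that `display interface tunnel` reports in the configuration example later in this guide.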

 

 

NOTE:

GRE encapsulation and de-encapsulation can decrease the forwarding efficiency of tunnel-end devices.

 

GRE application scenarios

The following shows typical GRE application scenarios:

Connecting networks running different protocols over a single backbone

Figure 78 Network diagram

 

As shown in Figure 78, IPv6 network 1 and IPv6 network 2 are IPv6 networks, and IPv4 network 1 and IPv4 network 2 are IPv4 networks. Through the GRE tunnel between Device A and Device B, IPv6 network 1 can communicate with IPv6 network 2 and IPv4 network 1 can communicate with IPv4 network 2, without affecting each other.

Enlarging network scope

Figure 79 Network diagram

 

In an IP network, the maximum TTL value of a packet is 255. If two devices have more than 255 hops in between, they cannot communicate with each other. By using a GRE tunnel, you can hide some hops to enlarge the network scope. As shown in Figure 79, only the tunnel-end devices (Device A and Device D) of the GRE tunnel are counted in hop count calculation. Therefore, there are only three hops between Host A and Host B.

Constructing VPN

Figure 80 Network diagram

 

As shown in Figure 80, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. A GRE tunnel can connect the two VPN sites across the WAN.

Protocols and standards

·          RFC 1701, Generic Routing Encapsulation (GRE)

·          RFC 1702, Generic Routing Encapsulation over IPv4 networks

·          RFC 2784, Generic Routing Encapsulation (GRE)

·          RFC 2890, Key and Sequence Number Extensions to GRE

Configuring a GRE/IPv4 tunnel

Perform this task to configure a GRE tunnel on an IPv4 network.

Configuration guidelines

Follow these guidelines when you configure a GRE/IPv4 tunnel:

·          You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.

·          As a best practice, do not configure the same tunnel source and destination addresses for local tunnel interfaces that use the same tunnel mode.

·          To ensure correct packet forwarding, identify whether the destination network of packets and the IP address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination network through the tunnel interface. You can configure the route by using one of the following methods:

◦  Configure a static route, using the local tunnel interface as the outgoing interface of the route.

◦  Enable BGP or OSPF on both the tunnel interface and the interface connecting the private network. This allows BGP or OSPF to establish a routing entry with the tunnel interface as the outgoing interface.

·          The IP address of the tunnel interface and the tunnel destination address configured on the tunnel interface must be in different subnets.

·          You must create a service loopback group, specify its service type as tunnel, and add an unused Layer 2 Ethernet interface to the service loopback group. For more information about service loopback groups, see Layer 2—LAN Switching Configuration Guide.

For information about tunnel interfaces, and the interface tunnel, source, destination, tunnel dfbit enable, and tunnel discard ipv4-compatible-packet commands, see "Configuring tunneling."

Configuration procedure

To configure a GRE/IPv4 tunnel:

 

1. Enter system view.
    Command: system-view
    Remarks: N/A

2. Create a GRE tunnel interface, and specify the tunnel mode as GRE/IPv4.
    Command: interface tunnel interface-number mode gre
    Remarks: By default, no tunnel interfaces exist. You must configure the same tunnel mode on both ends of a tunnel. Otherwise, packet delivery might fail.

3. Configure an IPv4 or IPv6 address for the tunnel interface.
    Command: For information about how to assign an IPv4 address to an interface, see "Configuring IP addressing." For information about how to assign an IPv6 address to an interface, see "Configuring basic IPv6 settings."
    Remarks: By default, no IPv4 or IPv6 address is configured for a tunnel interface. When the passenger protocol is IPv4, configure an IPv4 address for the tunnel interface. When the passenger protocol is IPv6, configure an IPv6 address for the tunnel interface.

4. Configure a source address or source interface for the tunnel interface.
    Command: source { ip-address | interface-type interface-number }
    Remarks: By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a tunnel interface, the tunnel interface uses the source address as the source address of the encapsulated packets. If you configure a source interface for a tunnel interface, the tunnel interface uses the primary IP address of the source interface as the source address of the encapsulated packets.

5. Configure a destination address for the tunnel interface.
    Command: destination ip-address
    Remarks: By default, no destination address is configured for a tunnel interface. The destination address is the address of the physical interface that the tunnel remote end uses to receive packets from the GRE tunnel. The tunnel local end uses this address as the destination address of the encapsulated packets.

6. (Optional.) Enable GRE keepalive, and set the keepalive interval and keepalive number.
    Command: keepalive [ interval [ times ] ]
    Remarks: By default, GRE keepalive is disabled.

7. (Optional.) Set the DF bit for encapsulated packets.
    Command: tunnel dfbit enable
    Remarks: By default, the DF bit is not set, allowing encapsulated packets to be fragmented.

8. Return to system view.
    Command: quit
    Remarks: N/A

9. (Optional.) Configure the device to discard IPv6 packets with IPv4-compatible IPv6 addresses.
    Command: tunnel discard ipv4-compatible-packet
    Remarks: By default, the device does not discard such IPv6 packets.

 

Displaying and maintaining GRE

Execute display commands in any view and reset commands in user view.

 

Task: Display information about tunnel interfaces.
    Command: display interface [ tunnel [ number ] ] [ brief [ description | down ] ]
    Remarks: For more information about the commands, see Layer 3—IP Services Command Reference.

Task: Display IPv6 information about tunnel interfaces.
    Command: display ipv6 interface [ tunnel [ number ] ] [ brief ]
    Remarks: For more information about this command, see Layer 3—IP Services Command Reference.

Task: Clear tunnel interface statistics.
    Command: reset counters interface [ tunnel [ number ] ]
    Remarks: For more information about this command, see Layer 3—IP Services Command Reference.

 

GRE configuration examples

Configuring an IPv4 over IPv4 GRE tunnel

Network requirements

As shown in Figure 81, Group 1 and Group 2 are two private IPv4 networks. The two networks both use private network addresses and belong to the same VPN. Establish a GRE tunnel between Switch A and Switch B to interconnect the two private IPv4 networks Group 1 and Group 2.

Figure 81 Network diagram

Configuration procedure

Before performing the following configuration, configure an IP address for each interface, and make sure Switch A and Switch B can reach each other.

1.        Configure Switch A:

# Create service loopback group 1, and configure the service type as tunnel.

<SwitchA> system-view

[SwitchA] service-loopback group 1 type tunnel

# Add port HundredGigE 1/0/3 to service loopback group 1.

[SwitchA] interface hundredgige 1/0/3

[SwitchA-HundredGigE1/0/3] port service-loopback group 1

[SwitchA-HundredGigE1/0/3] quit

# Create a tunnel interface Tunnel 1, and specify the tunnel mode as GRE/IPv4.

[SwitchA] interface tunnel 1 mode gre

# Configure an IP address for the tunnel interface.

[SwitchA-Tunnel1] ip address 10.1.2.1 255.255.255.0

# Configure the source address of the tunnel interface as the IP address of VLAN-interface 101 on Switch A.

[SwitchA-Tunnel1] source vlan-interface 101

# Configure the destination address of the tunnel interface as the IP address of VLAN-interface 101 on Switch B.

[SwitchA-Tunnel1] destination 2.2.2.2

[SwitchA-Tunnel1] quit

# Configure a static route from Switch A through the tunnel interface to Group 2.

[SwitchA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1

2.        Configure Switch B:

# Create service loopback group 1, and configure the service type as tunnel.

<SwitchB> system-view

[SwitchB] service-loopback group 1 type tunnel

# Add port HundredGigE 1/0/3 to service loopback group 1.

[SwitchB] interface hundredgige 1/0/3

[SwitchB-HundredGigE1/0/3] port service-loopback group 1

[SwitchB-HundredGigE1/0/3] quit

# Create a tunnel interface Tunnel 1, and specify the tunnel mode as GRE/IPv4.

[SwitchB] interface tunnel 1 mode gre

# Configure an IP address for the tunnel interface.

[SwitchB-Tunnel1] ip address 10.1.2.2 255.255.255.0

# Configure the source address of the tunnel interface as the IP address of VLAN-interface 101 on Switch B.

[SwitchB-Tunnel1] source vlan-interface 101

# Configure the destination address of the tunnel interface as the IP address of VLAN-interface 101 on Switch A.

[SwitchB-Tunnel1] destination 1.1.1.1

[SwitchB-Tunnel1] quit

# Configure a static route from Switch B through the tunnel interface to Group 1.

[SwitchB] ip route-static 10.1.1.0 255.255.255.0 Tunnel 1

Verifying the configuration

# Display tunnel interface information on Switch A.

[SwitchA] display interface tunnel 1

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1476

Internet Address is 10.1.2.1/24 Primary

Tunnel source 1.1.1.1, destination 2.2.2.2

Tunnel keepalive disabled

Tunnel TTL 255

Tunnel protocol/transport GRE/IP

    GRE key disabled

    Checksumming of GRE packets disabled

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display tunnel interface information on Switch B.

[SwitchB] display interface tunnel 1

Tunnel1

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64kbps

Maximum Transmit Unit: 1476

Internet Address is 10.1.2.2/24 Primary

Tunnel source 2.2.2.2, destination 1.1.1.1

Tunnel keepalive disabled

Tunnel TTL 255

Tunnel protocol/transport GRE/IP

    GRE key disabled

    Checksumming of GRE packets disabled

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# From Switch B, ping the IP address of VLAN-interface 100 on Switch A.

[SwitchB] ping -a 10.1.3.1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=11.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

 

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.400/11.000/4.317 ms

The output shows that Switch B can successfully ping Switch A.

Troubleshooting GRE

The key to configuring GRE is to keep the configuration consistent. Most faults can be located by using the debugging gre or debugging tunnel command. This section analyzes one type of fault for illustration, with the scenario shown in Figure 82.

Figure 82 Network diagram

 

Symptom

The interfaces at both ends of the tunnel are configured correctly and can ping each other, but Host A and Host B cannot ping each other.

Analysis

Device A or Device C might have no route to reach the peer network.

Solution

1.        Execute the display ip routing-table command on Device A and Device C to check whether Device A has a route over tunnel 0 to 10.2.0.0/16 and whether Device C has a route over tunnel 0 to 10.1.0.0/16.

2.        If such a route does not exist, execute the ip route-static command in system view to add the route. Take Device A as an example:

[DeviceA] ip route-static 10.2.0.0 255.255.0.0 tunnel 0
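An added example, not part of this guide or of H3C's software: a Python check that reads configuration sessions in the format used by the procedures above and tests one tunnel end against its peer, covering both the guidelines for IPv4 over IPv4 and GRE/IPv4 tunnels (mirrored source and destination, same tunnel mode, tunnel interface address and tunnel destination in different subnets) and the missing-route fault described in this troubleshooting section. The sample sessions reuse the Switch A and Switch B commands from the IPv4 over IPv4 example, `SWITCH_B_BAD` is a constructed fault, the function names are hypothetical, and only static routes that name the tunnel as the egress interface are understood.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")   # "[SwitchA-Tunnel1]" or "<SwitchA>"


def parse(transcript: str) -> dict:
    """Collect interface addresses, tunnel settings and tunnel routes from CLI lines."""
    dev = {"addr": {}, "tunnels": {}, "routes": []}
    view = None
    for line in transcript.splitlines():
        words = PROMPT.sub("", line).lower().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "interface" and len(words) >= 3:
            view = words[1] + words[2]
            if words[1] == "tunnel":
                mode = words[4] if len(words) > 4 else None
                dev["tunnels"].setdefault(
                    view, {"mode": mode, "source": None, "destination": None})
        elif words[0] == "quit":
            view = None
        elif words[:2] == ["ip", "address"] and view and len(words) >= 4:
            dev["addr"][view] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
        elif words[0] in ("source", "destination") and view in dev["tunnels"]:
            dev["tunnels"][view][words[0]] = "".join(words[1:])
        elif words[:2] == ["ip", "route-static"] and words[4:5] == ["tunnel"] and len(words) > 5:
            net = ipaddress.IPv4Network(f"{words[2]}/{words[3]}")
            dev["routes"].append((net, "tunnel" + words[5]))
    return dev


def endpoint(dev: dict, value):
    """Resolve a source/destination value (address or interface name) to (address, interface)."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:
        iface = dev["addr"].get(value)
        return (iface.ip if iface else None), value
    return ip, next((n for n, a in dev["addr"].items() if a.ip == ip), None)


def audit(local: dict, peer: dict, ltun: str, ptun: str) -> list:
    """Check the local end of a tunnel against its peer; an empty list means consistent."""
    lt, pt = local["tunnels"].get(ltun), peer["tunnels"].get(ptun)
    if not lt or not pt:
        return ["tunnel interface not configured on one end"]
    findings = []
    if lt["mode"] != pt["mode"]:
        findings.append(f"tunnel mode {lt['mode']} differs from peer mode {pt['mode']}")
    dst, _ = endpoint(local, lt["destination"])
    psrc, psrc_if = endpoint(peer, pt["source"])
    if dst is None or dst != psrc:
        findings.append(f"destination {dst} is not the peer tunnel source {psrc}")
    tun_ip = local["addr"].get(ltun)
    if tun_ip and dst and dst in tun_ip.network:
        findings.append("tunnel interface address shares a subnet with the tunnel destination")
    routes = [net for net, via in local["routes"] if via == ltun]
    findings += [f"route {net} via {ltun} covers the tunnel destination"
                 for net in routes if dst and dst in net]
    # Networks behind the peer: every peer interface except its tunnel and tunnel source.
    for name, iface in peer["addr"].items():
        if name not in (ptun, psrc_if) and not any(iface.network.subnet_of(r) for r in routes):
            findings.append(f"no route via {ltun} to peer network {iface.network}")
    return findings


# Commands from this guide's IPv4 over IPv4 example (VLAN, loopback-group, quit lines omitted).
SWITCH_A = """
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ip address 2.1.1.1 255.255.255.0
[SwitchA] interface tunnel 1 mode ipv4-ipv4
[SwitchA-Tunnel1] ip address 10.1.2.1 255.255.255.0
[SwitchA-Tunnel1] source 2.1.1.1
[SwitchA-Tunnel1] destination 3.1.1.1
[SwitchA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
"""
SWITCH_B = """
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address 10.1.3.1 255.255.255.0
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ip address 3.1.1.1 255.255.255.0
[SwitchB] interface tunnel 2 mode ipv4-ipv4
[SwitchB-Tunnel2] ip address 10.1.2.2 255.255.255.0
[SwitchB-Tunnel2] source 3.1.1.1
[SwitchB-Tunnel2] destination 2.1.1.1
[SwitchB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2
"""
# Constructed fault: wrong destination and no static route on Switch B.
SWITCH_B_BAD = SWITCH_B.replace("destination 2.1.1.1", "destination 2.1.1.9").replace(
    "[SwitchB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2\n", "")
```

Run `audit` from both ends: the constructed fault on Switch B is invisible when only Switch A is checked against it.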



Numerics

6PE

technology, 125

A

acquiring

DHCPv6 client IPv6 address, 172

DHCPv6 client IPv6 prefix, 173

DHCPv6 IPv6 address acquisition configuration, 174

DHCPv6 IPv6 prefix acquisition configuration, 176

address

DHCP address assignment, 31

DHCP address pool, 31

DHCP address pool application on interface, 43

DHCP address pool selection, 32

DHCP address pool VPN instance application, 46

DHCP allocation, 25

DHCP client duplicated address detection, 67

DHCP dynamic address assignment policy, 43

DHCP IP address allocation sequence, 33

DHCP IP address conflict detection, 44

DHCP IP address lease extension, 26

DHCP relay address pool, 61

DHCP server address pool, 34

DHCP server address pool creation, 34

DHCP server address pool IP address range, 34

DHCPv6 address allocation, 153

DHCPv6 address pool, 152

DHCPv6 address pool selection, 153

DHCPv6 address/prefix assignment, 148

DHCPv6 address/prefix lease renewal, 149

DHCPv6 client IPv6 address acquisition, 172

DHCPv6 IA, 152

DHCPv6 IAID, 152

DHCPv6 IPv6 address assignment, 151

DHCPv6 IPv6 address/prefix allocation sequence, 153

DHCPv6 multicast, 152

DHCPv6 overview, 148

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server IPv6 address assignment, 155

IP address classes, 20

IP addressing configuration, 20, 23

IP addressing interface address, 21

IPPO ICMP packet source address, 110

IPv6 addresses, 119

IPv6 ICMPv6 packet source address, 139

special IP addresses, 21

stateless DHCPv6, 150

Address Resolution Protocol. Use ARP

advertise

DHCPv6 relay agent IPv6 prefix advertisement, 168

DHCPv6 server IPv6 prefix advertisement, 159

advertising

IRDP proxy-advertised IP address, 101

IRDP RA (router advertisement), 101

aging

ARP dynamic entry aging timer, 5

allocating

DHCP address allocation, 31

DHCP addresses allocation, 25

DHCP IP address allocation sequence, 33

DHCPv6 dynamic address allocation, 153

DHCPv6 dynamic prefix allocation, 153

DHCPv6 IPv6 address/prefix allocation sequence, 153

DHCPv6 static address allocation, 153

DHCPv6 static prefix allocation, 153

Anycast

IPv6 address type, 119

IPv6 anycast address configuration, 130

application scenario

GRE, 195

applying

DHCP address pool on interface, 43

DHCP address pool to VPN instance, 46

ARP

common proxy ARP configuration, 15

common proxy ARP enable, 14

configuration, 1, 8

customer-side port configuration, 6

display, 7

dynamic entry aging timer configuration, 5

dynamic entry check enable, 6

dynamic entry max (device), 4

dynamic entry max (interface), 5

entry synchronization, 6

fast-reply configuration, 18, 18, 18

gratuitous ARP configuration, 12, 13

gratuitous ARP IP conflict notification, 13

gratuitous ARP packet learning, 12

gratuitous ARP periodic packet send, 12

local proxy ARP enable, 14

logging enable, 7

long static entry configuration, 8

maintain, 7

message format, 1

multiport entry configuration, 4, 10

operation, 1

proxy ARP configuration, 14

short static entry configuration, 9

snooping configuration, 17

snooping display, 17

snooping maintain, 17

static entry configuration, 3

table, 2

assembling

IPv6 local fragment reassembly, 140

assigning

DHCP address, 31

DHCPv6 address/prefix, 148

DHCPv6 assignment (4 messages), 148

DHCPv6 IPv6 address, 151

DHCPv6 IPv6 prefix, 151

DHCPv6 rapid assignment (2 messages), 148

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server dynamic IPv6 prefix assignment, 160

DHCPv6 server IPv6 address assignment, 155

DHCPv6 server IPv6 prefix assignment, 154

DHCPv6 server network parameters assignment, 157

IP addressing interface address, 21

IPv6 interface addresses, 126

auto

DHCP automatic address allocation, 25

DHCP client auto-configuration file, 40

DHCP snooping entry auto backup, 75

IPv6 address configuration (global unicast)(prefix-specific autoconfiguration), 128

IPv6 interface link-local address automatic generation, 129

IPv6 link-local address automatic generation, 129

IPv6 ND stateless address autoconfiguration, 123

IPv6 stateless address autoconfiguration, 127

B

backing up

DHCP snooping entries, 75

BIMS server information (DHCP client), 39

broadcast

DHCP server broadcast response, 45

UDP helper broadcast > multicast conversion, 114, 116

UDP helper broadcast > unicast conversion, 113, 115

UDP helper configuration, 113, 115

buffer

IPPO TCP buffer size, 107

C

class

IP address class, 20

client

DHCP client auto-configuration file, 40

DHCP client BIMS server information, 39

DHCP client configuration, 66, 68

DHCP client DNS server, 38

DHCP client domain name suffix, 38

DHCP client duplicated address detection, 67

DHCP client enable (on interface), 66

DHCP client gateway, 37

DHCP client ID configuration (on interface), 66

DHCP client NetBIOS node type, 39

DHCP client packet DSCP value, 67

DHCP client WINS server, 39

DHCP server specification, 40

DHCP snooping Option 82 support, 72

DHCPv6 address pool, 152

DHCPv6 client packet DSCP value, 173

DHCPv6 configuration, 172, 172, 174

DHCPv6 IA, 152

DHCPv6 IAID, 152

DHCPv6 IPv6 address acquisition, 172

DHCPv6 IPv6 address acquisition configuration, 174

DHCPv6 IPv6 prefix acquisition, 173

DHCPv6 IPv6 prefix acquisition configuration, 176

DHCPv6 IPv6 prefix assignment, 151

DHCPv6 relay agent configuration, 165, 169

DHCPv6 stateless, 173

stateless DHCPv6 configuration, 177

common

DHCP options, 28

configuring

ARP, 1, 8

ARP customer-side port, 6

ARP dynamic entry aging timer, 5

ARP fast-reply, 18, 18

ARP long static entry, 8

ARP multiport entry, 4, 10

ARP short static entry, 9

ARP snooping, 17

ARP static entry, 3

client stateless DHCPv6, 177

common proxy ARP, 15

DHCP address pool static binding, 37

DHCP client, 66, 68

DHCP client auto-configuration file, 40

DHCP client ID (on interface), 66

DHCP dynamic address assignment policy, 43

DHCP IP address conflict detection, 44

DHCP relay address pool, 61

DHCP relay agent, 55, 56, 63

DHCP relay agent IP address release, 60

DHCP relay agent Option 82, 60, 64

DHCP relay agent security features, 58

DHCP server, 31, 33

DHCP server address pool, 34

DHCP server broadcast response, 45

DHCP server compatibility, 45

DHCP server configuration, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server subnet, 51

DHCP server user class, 49

DHCP smart relay, 62

DHCP snooping, 71, 73, 78

DHCP snooping basics, 73, 78

DHCP snooping entry auto backup, 75

DHCP snooping Option 82, 74, 79

DHCP snooping packet rate limit, 77

DHCPv6 client, 172, 172, 174

DHCPv6 client IPv6 address acquisition, 172, 174

DHCPv6 client IPv6 prefix acquisition, 173, 176

DHCPv6 client stateless, 173

DHCPv6 relay agent, 165, 169

DHCPv6 relay agent address pool, 168

DHCPv6 server, 151, 154, 160

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server dynamic IPv6 prefix assignment, 160

DHCPv6 server IPv6 address assignment, 155

DHCPv6 server IPv6 prefix assignment, 154

DHCPv6 server network parameters assignment, 157

DHCPv6 server on interface, 157

DNS, 81, 82

DNS trusted interface, 86

gratuitous ARP, 12, 13

GRE, 194, 199

GRE/IPv4 tunnel, 196

IP addressing, 20, 23

IP forwarding load sharing, 98, 99

IP forwarding per-flow load sharing, 98

IPPO directed broadcast forward, 105

IPPO ICMP error message rate limit, 110

IPv4 DNS, 87

IPv4 DNS client, 82

IPv4 DNS client domain name resolution (dynamic), 83, 88

IPv4 DNS client domain name resolution (static), 82, 87

IPv4/IPv4 GRE tunnel, 199

IPv4/IPv4 tunnel, 189, 190

IPv6 address (global unicast)(manual), 127

IPv6 address (global unicast)(prefix-specific autoconfiguration), 128

IPv6 anycast address, 130

IPv6 basic settings, 118, 125, 142

IPv6 DNS, 91

IPv6 DNS client, 84

IPv6 DNS client domain name resolution (dynamic), 84, 91

IPv6 DNS client domain name resolution (static), 84, 91

IPv6 EUI-64 address, 127

IPv6 global unicast address, 126

IPv6 ICMPv6 error message rate limit, 137

IPv6 interface link-local address automatic generation, 129

IPv6 link-local address, 129

IPv6 max number NS message sent attempts, 134

IPv6 ND, 130

IPv6 ND customer-side port, 136

IPv6 ND static neighbor entry, 130

IPv6 path MTU discovery, 136

IPv6 RA message parameter, 132, 133

IPv6 stateless address autoconfiguration, 127

IPv6/IPv4 tunnel, 184, 185

IRDP, 101, 102, 103

Layer 3 virtual tunnel interface, 180

proxy ARP, 14

tunneling, 180

UDP helper, 113, 115

UDP helper broadcast > multicast conversion, 114, 116

UDP helper broadcast > unicast conversion, 113, 115

conflict notification (gratuitous ARP), 13

controlling

IPv6 ICMPv6 message send, 137

cookie (SYN), 107

creating

DHCP server address pool, 34

customer

ARP customer-side port, 6

IPv6 ND customer-side port, 136

customizing

DHCP custom options, 28

DHCP options, 41

DHCP server option customization, 52

D

destination unreachable message (ICMPv6), 138

detecting

DHCP client duplicated address detection, 67

DHCP IP address conflict detection, 44

IPv6 ND duplicate address detection, 122

IPv6 ND neighbor reachability detection, 122

IPv6 ND redirection, 123

IPv6 ND router/prefix discovery, 123

device

ARP dynamic entry max (device), 4

ARP dynamic entry max (interface), 5

client stateless DHCPv6 configuration, 177

common proxy ARP configuration, 15

DHCP client configuration, 68

DHCP client packet DSCP value, 67

DHCP overview, 25

DHCP relay agent configuration, 63

DHCP relay agent Option 82 configuration, 64

DHCP relay agent packet DSCP value, 61

DHCP server configuration, 31, 33, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server packet DSCP value, 46

DHCP server subnet configuration, 51

DHCP server user class configuration, 49

DHCP snooping entry max, 77

DHCPv6 client IPv6 address acquisition configuration, 174

DHCPv6 client IPv6 prefix acquisition configuration, 176

DHCPv6 client packet DSCP value, 173

DHCPv6 DUID, 152

DHCPv6 IA, 152

DHCPv6 IAID, 152

DHCPv6 packet DSCP value, 158

DHCPv6 PD, 152

DHCPv6 relay agent configuration, 169

DHCPv6 server configuration, 151, 154, 160

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server dynamic IPv6 prefix assignment, 160

DNS outgoing packet DSCP value, 86

DNS packet source interface, 85

DNS trusted interface, 86

IP addressing configuration, 23

IP forwarding basic settings, 96

IP forwarding per-flow load sharing, 98

IP services DHCP client configuration, 174

IPPO directed broadcast forward configuration, 105

IPPO ICMP error message send, 108

IPPO ICMP fragment forwarding disable, 110

IPPO interface TCP MSS, 106

IPPO IPv4 packet MTU, 106

IPPO SYN cookie, 107

IPPO TCP buffer size, 107

IPPO TCP timer, 108

IPv4 DNS client configuration, 82

IPv4/IPv4 GRE tunnel configuration, 199

IPv4/IPv4 tunnel configuration, 190

IPv6 basics configuration, 142

IPv6 DNS client configuration, 84

IPv6/IPv4 tunnel configuration, 185

stateless DHCPv6, 150

UDP helper broadcast > multicast conversion, 116

UDP helper broadcast > unicast conversion, 115

UDP helper configuration, 115

DHCP

address allocation, 25

address assignment, 31

address pool, 31

address pool application on interface, 43

address pool selection, 32

address pool VPN instance application, 46

client auto-configuration file, 40

client BIMS server information, 39

client configuration, 66, 68

client display, 67

client DNS server, 38

client domain name suffix, 38

client duplicated address detection, 67

client enable (on interface), 66

client gateway specification, 37

client ID configuration (on interface), 66

client NetBIOS node type, 39

client packet DSCP value, 67

client server specification, 40

client WINS server specification, 39

DHCPv6. See DHCPv6

dynamic address assignment policy, 43

enable, 42

IP address allocation, 26

IP address allocation sequence, 33

IP address conflict detection, 44

IP address lease extension, 26

message format, 27

Option #, 28, See also Option #

Option 121, 28

Option 150, 28

Option 184 (reserved), 28, 30

Option 3, 28

Option 33, 28

Option 43 (vendor-specific), 28

Option 51, 28

Option 53, 28

Option 55, 28

Option 6, 28

Option 60, 28

Option 66, 28

Option 67, 28

Option 82 (relay agent), 28, 29

Option 82 handling enable, 45

option customization, 41

options (common), 28

options (custom), 28

overview, 25

protocols and standards, 30

relay agent configuration, 55, 56, 63

relay agent display, 63

relay agent enable, 57

relay agent enable (on interface), 57

relay agent entry periodic refresh, 58

relay agent IP address release, 60

relay agent maintain, 63

relay agent operation, 55

relay agent Option 82 configuration, 60, 64

relay agent Option 82 support, 56

relay agent packet DSCP value, 61

relay agent relay entry recording, 58

relay agent security features, 58

relay agent server, 57

relay agent starvation attack protection, 59

server address pool configuration, 34

server address pool creation, 34

server address pool IP address range, 34

server broadcast response, 45

server compatibility configuration, 45

server configuration, 31, 33, 47

server display, 47

server dynamic IP address assignment, 47

server enable on interface, 43

server maintain, 47

server option customization configuration, 52

server packet DSCP value, 46

server subnet configuration, 51

server user class configuration, 49

smart relay configuration, 62

snooping. See DHCP snooping

troubleshoot relay agent configuration, 65

troubleshoot server configuration, 54

DHCP snooping

basic configuration, 73

basics configuration, 78

configuration, 71, 73, 78

DHCP-REQUEST message attack protection, 76

display, 77

entry auto backup, 75

entry max, 77

maintain, 77

Option 82 configuration, 74

Option 82 support, 72

Option 82 support configuration, 79

packet rate limit, 77

starvation attack protection, 76

trusted port, 71

untrusted port, 71

DHCP-REQUEST message attack protection, 76

DHCPv6

address allocation, 153

address pool, 152

address pool selection, 153

address/prefix assignment, 148

address/prefix lease renewal, 149

assignment (4 messages), 148

client configuration, 172, 172, 174

client display, 174

client IPv6 address acquisition, 172

client IPv6 address acquisition configuration, 174

client IPv6 prefix acquisition, 173

client IPv6 prefix acquisition configuration, 176

client maintain, 174

client packet DSCP value, 173

client stateless DHCPv6, 173

client stateless DHCPv6 configuration, 177

concepts, 152

DUID, 152

IA, 152

IAID, 152

IPv6 address assignment, 151

IPv6 address/prefix allocation sequence, 153

IPv6 prefix assignment, 151

multicast address, 152

overview, 148

PD, 152

prefix allocation, 153

protocols and standards, 150

rapid assignment (2 messages), 148

relay agent address pool configuration, 168

relay agent configuration, 165, 169

relay agent display, 169

relay agent enable on interface, 166

relay agent Interface-ID option padding mode, 167

relay agent IPv6 prefix advertisement, 168

relay agent maintain, 169

relay agent packet DSCP value, 167

relay agent server, 166

server configuration, 151, 154, 160

server configuration on interface, 157

server display, 159

server dynamic IPv6 address assignment, 162

server dynamic IPv6 prefix assignment, 160

server IPv6 address assignment, 155

server IPv6 prefix advertisement, 159

server IPv6 prefix assignment, 154

server maintain, 159

server network parameters assignment, 157

stateless DHCPv6, 150

disabling

IPPO ICMP fragment forwarding, 110

displaying

ARP, 7

ARP snooping, 17

DHCP client, 67

DHCP relay agent, 63

DHCP server, 47

DHCP snooping, 77

DHCPv6 client, 174

DHCPv6 relay agent, 169

DHCPv6 server, 159

DNS, 86

GRE, 198

IP addressing, 23

IP forwarding FIB table entries, 97

IP forwarding load sharing path, 99

IPPO, 111

IPv6 basics, 140

proxy ARP, 14

tunneling configuration, 182

UDP helper, 114

DNS

configuration, 81, 82

DHCP client DNS server, 38

DHCP client domain name suffix, 38

DNS display, 86

DNS maintain, 86

dynamic domain name resolution, 81

IPv4 client configuration, 82

IPv4 client domain name resolution (dynamic), 83, 88

IPv4 client domain name resolution (static), 82, 87

IPv4 configuration, 87

IPv6 client configuration, 84

IPv6 client domain name resolution (dynamic), 84, 91

IPv6 client domain name resolution (static), 84, 91

IPv6 configuration, 91

outgoing packet DSCP value, 86

packet source interface, 85

static domain name resolution, 81

suffixes, 82

troubleshoot IPv4 DNS configuration, 94

troubleshoot IPv4 DNS incorrect IP address, 94

troubleshoot IPv6 DNS configuration, 94

troubleshoot IPv6 DNS incorrect IP address, 94

trusted interface configuration, 86

domain

DHCP client domain name suffix, 38

name system. Use DNS

DSCP

DHCP client packet DSCP value, 67

DHCP relay agent packet DSCP value, 61

DHCP server packet DSCP value, 46

DHCPv6 client packet DSCP value, 173

DHCPv6 packet value, 158

DHCPv6 relay agent packet DSCP value, 167

DNS outgoing packet DSCP value, 86

dual stack technology, 124

DUID (DHCPv6), 152

duplicated address detection (DHCP), 67

dynamic

ARP dynamic entry aging timer, 5

ARP dynamic entry check enable, 6

ARP dynamic entry max (device), 4

ARP dynamic entry max (interface), 5

DHCP address allocation, 25, 31

DHCP relay agent entry periodic refresh, 58

DHCP server dynamic IP address assignment, 47

DHCPv6 dynamic address allocation, 153

DHCPv6 prefix allocation, 153

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server dynamic IPv6 prefix assignment, 160

DNS domain name resolution, 81

IPv4 DNS client domain name resolution, 83, 88

IPv6 DNS client domain name resolution, 84, 91

IPv6 dynamic path MTU aging timer, 137

Dynamic Host Configuration Protocol. Use DHCP

E

enabling

ARP dynamic entry check, 6

ARP logging, 7

common proxy ARP, 14

DHCP, 42

DHCP client (on interface), 66

DHCP client duplicated address detection, 67

DHCP Option 82 handling, 45

DHCP relay agent (on interface), 57

DHCP relay agent entry periodic refresh, 58

DHCP relay agent relay entry recording, 58

DHCP relay agent starvation attack protection, 59

DHCP server on interface, 43

DHCP snooping starvation attack protection, 76

DHCP-REQUEST message attack protection, 76

DHCPv6 relay agent IPv6 prefix advertisement, 168

DHCPv6 relay agent on interface, 166

DHCPv6 server IPv6 prefix advertisement, 159

gratuitous ARP IP conflict notification, 13

IP forwarding load sharing (local-first), 98

IPPO directed broadcast forward, 105

IPPO ICMP error message send, 108

IPPO SYN cookie, 107

IPv6 ICMPv6 destination unreachable message send, 138

IPv6 ICMPv6 redirect message send, 139

IPv6 ICMPv6 time exceeded message send, 139

IPv6 local fragment reassembly, 140

IPv6 multicast echo request reply, 138

IPv6 ND proxy, 134

IPv6 packet+extension header discard, 140

IPv6 RA message send, 133

local proxy ARP, 14

encapsulating

GRE configuration, 194, 199

GRE encapsulation format, 194

IPv4/IPv4 GRE tunnel configuration, 199

tunneling configuration, 180

error

IPPO ICMP error message sending, 108

Ethernet

ARP configuration, 1, 8

ARP fast-reply configuration, 18, 18

ARP long static entry configuration, 8

ARP multiport entry configuration, 10

ARP short static entry configuration, 9

ARP snooping configuration, 17

client stateless DHCPv6 configuration, 177

common proxy ARP configuration, 15

DHCP client configuration, 66, 68

DHCP server configuration, 31, 33, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server subnet configuration, 51

DHCP server user class configuration, 49

DHCP snooping basic configuration, 78

DHCPv6 client configuration, 172, 174

DHCPv6 client IPv6 address acquisition configuration, 174

DHCPv6 client IPv6 prefix acquisition configuration, 176

gratuitous ARP configuration, 12

proxy ARP configuration, 14

UDP helper broadcast > multicast conversion, 114

UDP helper broadcast > unicast conversion, 113

UDP helper configuration, 113, 115

EUI-64 address

IP services address-based interface identifiers, 121

IP services configuration, 127

extending

DHCP IP address lease extension, 26

F

fast

ARP fast-reply configuration, 18, 18

FIB

IP forwarding basic settings, 96

IP forwarding per-flow load sharing, 98

IP routing table, 96

table entry display, 97

file

DHCP client auto-configuration file, 40

IP forwarding entries save to file, 96

FIN wait timer, 108

flow

IP forwarding load sharing path display, 99

format

ARP message format, 1

DHCP message, 27

GRE encapsulation format, 194

IPv6 addresses, 119

forwarding

IPPO directed broadcast forward, 105

fragment

IPPO ICMP fragment forwarding, 110

IPv6 local fragment reassembly, 140

G

gateway

DHCP client gateway specification, 37

Generic Routing Encapsulation. Use GRE

gratuitous ARP

configuration, 12, 13

IP conflict notification, 13

packet learning, 12

periodic packet send, 12

GRE, 180, See also tunneling

application scenarios, 195

configuration, 194, 199

display, 198

encapsulation format, 194

GRE/IPv4 tunnel configuration, 196

IPv4/IPv4 GRE tunnel configuration, 199

maintain, 198

protocols and standards, 196

troubleshoot, 201

troubleshoot hosts cannot ping each other, 202

tunnel operation, 194

I

IA (DHCPv6), 152

IAID (DHCPv6), 152

ICMP

IPPO ICMP error message rate limit, 110

IPPO ICMP error message send, 108

IPPO ICMP fragment forwarding disable, 110

IPPO ICMP packet source address specification, 110

IRDP configuration, 101, 102, 103

Router Discovery Protocol. Use IRDP

ICMPv6

IP services destination unreachable message send, 138

IP services error message rate limit, 137

IP services packet source address, 139

IP services redirect message send, 139

IP services time exceeded message send, 139

IPv6 message send control, 137

IPv6 ND duplicate address detection, 122

IPv6 ND neighbor reachability detection, 122

IPv6 ND protocol, 121

IPv6 ND protocol address resolution, 122

IPv6 ND redirection, 123

IPv6 ND router/prefix discovery, 123

IPv6 ND stateless address autoconfiguration, 123

ID

DHCPv6 relay agent Interface-ID option padding mode, 167

IP address class Host ID, 20

IP address class Net ID, 20

identity

association. See IA

association ID. See IAID

implementing

IPv4/IPv4 tunneling, 189

IPv6/IPv4 tunneling, 184

instance

DHCP address pool VPN instance application, 46

IP

performance optimization. See IPPO

IP addressing

address classes, 20

ARP configuration, 1, 8

ARP dynamic entry aging timer, 5

ARP dynamic entry check enable, 6

ARP dynamic entry max (device), 4

ARP dynamic entry max (interface), 5

ARP fast-reply configuration, 18, 18

ARP long static entry configuration, 8

ARP message format, 1

ARP multiport entry, 4

ARP multiport entry configuration, 10

ARP operation, 1

ARP short static entry configuration, 9

ARP snooping configuration, 17

ARP static entry, 3

ARP table, 2

client stateless DHCPv6 configuration, 177

common proxy ARP configuration, 15

configuration, 20, 23

DHCP address allocation, 25, 26

DHCP address allocation sequence, 33

DHCP address assignment, 31

DHCP address conflict detection, 44

DHCP address pool, 31

DHCP address pool VPN instance application, 46

DHCP client configuration, 66, 68

DHCP client display, 67

DHCP client duplicated address detection, 67

DHCP client packet DSCP value, 67

DHCP dynamic address assignment policy, 43

DHCP lease extension, 26

DHCP message format, 27

DHCP relay agent IP address release, 60

DHCP server address pool IP address range, 34

DHCP server configuration, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server subnet configuration, 51

DHCP server user class configuration, 49

DHCP snooping basic configuration, 73

DHCP snooping configuration, 71, 73, 78

DHCPv6 client configuration, 172, 174

DHCPv6 client IPv6 address acquisition, 172

DHCPv6 client IPv6 address acquisition configuration, 174

DHCPv6 client IPv6 prefix acquisition, 173

DHCPv6 client IPv6 prefix acquisition configuration, 176

DHCPv6 client stateless, 173

DHCPv6 configuration, 151

DHCPv6 overview, 148

DHCPv6 server configuration, 154, 160

DHCPv6 server configuration on interface, 157

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server dynamic IPv6 prefix assignment, 160

DHCPv6 server IPv6 address assignment, 155

DHCPv6 server IPv6 prefix assignment, 154

DHCPv6 server network parameters assignment, 157

display, 23

DNS configuration, 81, 82

DNS dynamic domain name resolution, 81

DNS packet source interface, 85

DNS static domain name resolution, 81

DNS trusted interface, 86

forwarding basic settings, 96

gratuitous ARP configuration, 12, 13

gratuitous ARP IP conflict notification, 13

gratuitous ARP packet learning, 12

gratuitous ARP periodic packet send, 12

interface IP address assignment, 21

IP services IPv6 ND protocol address resolution, 122

IPv4/IPv4 tunnel configuration, 189, 190

IPv6 6PE technology, 125

IPv6 addresses, 119

IPv6 anycast address configuration, 130

IPv6 basic settings configuration, 118, 125

IPv6 basics configuration, 142

IPv6 dual stack technology, 124

IPv6 dynamic path MTU aging timer, 137

IPv6 global unicast address, 126

IPv6 ICMPv6 destination unreachable message send, 138

IPv6 ICMPv6 error message rate limit, 137

IPv6 ICMPv6 message send, 137

IPv6 ICMPv6 redirect message send, 139

IPv6 ICMPv6 time exceeded message send, 139

IPv6 interface address assignment, 126

IPv6 interface MTU, 136

IPv6 link-local address configuration, 129

IPv6 max number NS message sent attempts, 134

IPv6 multicast echo request reply, 138

IPv6 ND configuration, 130

IPv6 ND duplicate address detection, 122

IPv6 ND dynamic neighbor entries max number, 131

IPv6 ND hop limit, 132

IPv6 ND link-local entry minimization, 131

IPv6 ND neighbor reachability detection, 122

IPv6 ND protocol, 121

IPv6 ND proxy, 134

IPv6 ND redirection, 123

IPv6 ND router/prefix discovery, 123

IPv6 ND stale state entry aging timer, 131

IPv6 ND stateless address autoconfiguration, 123

IPv6 ND static neighbor entry, 130

IPv6 packet+extension header discard, 140

IPv6 path MTU discovery, 123, 136

IPv6 RA message parameter, 132

IPv6 static path MTU, 137

IPv6 transition technologies, 124

IPv6 tunneling technology, 124

IPv6/IPv4 tunnel configuration, 184, 185

IRDP address, 101

IRDP configuration, 101, 102, 103

masking, 21

proxy ARP configuration, 14

special IP addresses, 21

subnetting, 21

IP forwarding

device basic settings, 96

entry save to file, 96

FIB table, 96

FIB table entry display, 97

load sharing, 99

load sharing (local-first), 98

load sharing configuration, 98

load sharing path display, 99

optimal route selection, 96

per-flow load sharing, 98

IP services

ARP configuration, 1

ARP display, 7

ARP dynamic entry check enable, 6

ARP dynamic entry max (device), 4

ARP dynamic entry max (interface), 5

ARP fast-reply configuration, 18, 18

ARP logging enable, 7

ARP maintain, 7

ARP multiport entry, 4

ARP snooping configuration, 17

ARP snooping display, 17

ARP snooping maintain, 17

ARP static entry, 3

common proxy ARP configuration, 15

DHCP address allocation, 25

DHCP address allocation sequence, 33

DHCP address pool, 31

DHCP address pool application on interface, 43

DHCP address pool VPN instance application, 46

DHCP client BIMS server information, 39

DHCP client configuration, 66, 68, 68

DHCP client DNS server, 38

DHCP client domain name suffix, 38

DHCP client gateway, 37

DHCP client ID configuration (on interface), 66

DHCP client NetBIOS node type, 39

DHCP client server specification, 40

DHCP client WINS server, 39

DHCP dynamic address assignment policy, 43

DHCP enable, 42

DHCP IP address allocation, 26

DHCP IP address conflict detection, 44

DHCP IP address lease extension, 26

DHCP message format, 27

DHCP Option 82 handling enable, 45

DHCP option customization, 41

DHCP options (common), 28

DHCP options (custom), 28

DHCP overview, 25

DHCP protocols and standards, 30

DHCP relay agent configuration, 55, 56, 63

DHCP relay agent enable, 57

DHCP relay agent entry periodic refresh, 58

DHCP relay agent IP address release, 60

DHCP relay agent operation, 55

DHCP relay agent Option 82 configuration, 60, 64

DHCP relay agent Option 82 support, 56

DHCP relay agent relay entry recording, 58

DHCP relay agent security features, 58

DHCP relay agent server, 57

DHCP relay agent starvation attack protection, 59

DHCP server address pool, 34, 34

DHCP server address pool IP address range, 34

DHCP server compatibility configuration, 45

DHCP server configuration, 31, 33, 47

DHCP server display, 47

DHCP server dynamic IP address assignment, 47

DHCP server enable on interface, 43

DHCP server maintain, 47

DHCP server option customization, 52

DHCP server subnet configuration, 51

DHCP server user class configuration, 49

DHCP smart relay, 62

DHCP snooping basic configuration, 78

DHCP snooping configuration, 71, 73, 78

DHCP snooping display, 77

DHCP snooping entry auto backup, 75

DHCP snooping entry max, 77

DHCP snooping maintain, 77

DHCP snooping Option 82 configuration, 74

DHCP snooping Option 82 support, 72

DHCP snooping Option 82 support configuration, 79

DHCP snooping packet rate limit, 77

DHCP snooping starvation attack protection, 76

DHCP snooping trusted port, 71

DHCP snooping untrusted port, 71

DHCP-REQUEST message attack protection, 76

DHCPv6 address pool, 152

DHCPv6 address/prefix assignment, 148

DHCPv6 address/prefix lease renewal, 149

DHCPv6 client configuration, 172, 172

DHCPv6 client display, 174

DHCPv6 client IPv6 address acquisition, 172

DHCPv6 client IPv6 prefix acquisition, 173

DHCPv6 client maintain, 174

DHCPv6 client stateless, 173

DHCPv6 concepts, 152

DHCPv6 configuration, 151

DHCPv6 IPv6 address assignment, 151

DHCPv6 IPv6 address/prefix allocation sequence, 153

DHCPv6 IPv6 prefix assignment, 151

DHCPv6 overview, 148

DHCPv6 protocols and standards, 150

DHCPv6 relay agent configuration, 165, 169

DHCPv6 relay agent display, 169

DHCPv6 relay agent enable on interface, 166

DHCPv6 relay agent Interface-ID option padding mode, 167

DHCPv6 relay agent IPv6 prefix advertisement, 168

DHCPv6 relay agent maintain, 169

DHCPv6 relay agent server, 166

DHCPv6 server configuration, 154, 160

DHCPv6 server display, 159

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server dynamic IPv6 prefix assignment, 160, 160

DHCPv6 server IPv6 address assignment, 155

DHCPv6 server IPv6 prefix advertisement, 159

DHCPv6 server IPv6 prefix assignment, 154

DHCPv6 server maintain, 159

DNS configuration, 81, 82

DNS outgoing packet DSCP value, 86

DNS packet source interface, 85

DNS trusted interface, 86

forwarding basic settings, 96

gratuitous ARP configuration, 12, 13

gratuitous ARP IP conflict notification, 13

GRE application scenarios, 195

GRE configuration, 194, 199

GRE display, 198

GRE encapsulation format, 194

GRE maintain, 198

GRE operation, 194

GRE protocols and standards, 196

GRE/IPv4 tunnel configuration, 196

ICMPv6 error message rate limit, 137

IP address classes, 20

IP addressing display, 23

IP addressing interface address, 21

IP addressing subnetting, 21

IP addressing configuration, 20

IP forwarding entries save, 96

IP forwarding FIB table, 96

IP forwarding load sharing, 99

IP forwarding load sharing (local-first), 98

IP forwarding load sharing configuration, 98

IPv4 DNS configuration, 87

IPv4/IPv4 GRE tunnel configuration, 199

IPv4/IPv4 tunnel configuration, 189, 190

IPv4/IPv4 tunneling implementation, 189

IPv6 addresses, 119

IPv6 anycast address configuration, 130

IPv6 basic settings configuration, 118, 125

IPv6 basics configuration, 142

IPv6 basics display, 140

IPv6 basics maintain, 140

IPv6 DNS configuration, 91

IPv6 dynamic path MTU aging timer, 137

IPv6 features, 118

IPv6 ICMPv6 destination unreachable message send, 138

IPv6 ICMPv6 message send, 137

IPv6 ICMPv6 packet source address specification, 139

IPv6 ICMPv6 redirect message send, 139

IPv6 ICMPv6 time exceeded message send, 139

IPv6 interface address assignment, 126

IPv6 interface MTU, 136

IPv6 link-local address configuration, 129

IPv6 local fragment reassembly, 140

IPv6 max number NS message sent attempts, 134

IPv6 multicast echo request reply, 138

IPv6 ND configuration, 130

IPv6 ND dynamic neighbor entries max number, 131

IPv6 ND hop limit, 132

IPv6 ND link-local entry minimization, 131

IPv6 ND protocol, 121

IPv6 ND proxy enable, 134

IPv6 ND stale state entry aging timer, 131

IPv6 ND static neighbor entry, 130

IPv6 path MTU discovery, 123, 136

IPv6 protocols and standards, 125

IPv6 RA message parameter, 132

IPv6 static path MTU, 137

IPv6 transition technologies, 124

IPv6/IPv4 tunnel configuration, 184, 185

IPv6/IPv4 tunneling implementation, 184

IRDP basic concepts, 101

IRDP configuration, 101, 102, 103

IRDP operation, 101

IRDP protocols and standards, 102

Layer 3 virtual tunnel interface, 180

performance optimization. See IPPO

proxy ARP configuration, 14

proxy ARP display, 14

special IP addresses, 21

stateless DHCPv6, 150

troubleshooting DHCP relay agent configuration, 65

troubleshooting DHCP server configuration, 54

troubleshooting GRE, 201

troubleshooting GRE hosts cannot ping each other, 202

troubleshooting IPv4 DNS configuration, 94

troubleshooting IPv4 DNS incorrect IP address, 94

troubleshooting IPv6 address cannot be pinged, 147

troubleshooting IPv6 basics configuration, 147

troubleshooting IPv6 DNS configuration, 94

troubleshooting IPv6 DNS incorrect IP address, 94

troubleshooting tunnel cannot come up, 182

troubleshooting tunneling configuration, 182

tunneling configuration, 180

tunneling configuration display, 182

tunneling configuration maintain, 182

UDP helper broadcast > multicast conversion, 114, 116

UDP helper broadcast > unicast conversion, 113, 115

UDP helper configuration, 113, 115

UDP helper configuration restrictions, 113

UDP helper display, 114

UDP helper maintain, 114

IPng, 118, See also IPv6

IPPO

configuration, 105

directed broadcast forward configuration, 105

directed broadcast forward enable, 105

display, 111

ICMP error message rate limit, 110

ICMP error message send, 108

ICMP fragment forwarding disable, 110

ICMP packet source address, 110

interface TCP MSS, 106

IPv4 packet MTU, 106

maintain, 111

SYN cookie, 107

TCP buffer size, 107

TCP timer, 108

IP-to-MAC

DHCP snooping configuration, 71, 73, 78

IPv4

DNS client configuration, 82

DNS configuration, 87

DNS outgoing packet DSCP value, 86

GRE application scenarios, 195

GRE encapsulation format, 194

GRE/IPv4 tunnel configuration, 196

IP address classes, 20

IP addressing configuration, 20, 23

IP addressing interface address, 21

IP addressing masking, 21

IP addressing subnetting, 21

IP services 6PE technology, 125

IPPO IPv4 packet MTU, 106

IPv4/IPv4 GRE tunnel configuration, 199

IPv4/IPv4 tunnel configuration, 189, 190

IPv4/IPv4 tunneling implementation, 189

IPv6/IPv4 tunnel configuration, 184, 185

IPv6/IPv4 tunneling implementation, 184

special IP addresses, 21

tunneling configuration, 180

IPv6, 118, See also IPng

6PE technology, 125

address formats, 119

address type, 119

addresses, 119

anycast address configuration, 130

basic settings configuration, 118, 125

basics configuration, 142

basics display, 140

basics maintain, 140

DHCPv6. See DHCPv6

DNS client configuration, 84

DNS configuration, 91

DNS outgoing packet DSCP value, 86

dual stack technology, 124

dynamic path MTU aging timer, 137

EUI-64 address configuration, 127

EUI-64 address-based interface identifiers, 121

features, 118

global unicast address configuration, 126

GRE application scenarios, 195

GRE encapsulation format, 194

ICMPv6 destination unreachable message send, 138

ICMPv6 error message rate limit, 137

ICMPv6 message send, 137

ICMPv6 packet source address specification, 139

ICMPv6 redirect message send, 139

ICMPv6 time exceeded message send, 139

interface address assignment, 126

interface link-local address automatic generation, 129

interface link-local address manual specification, 129

interface MTU configuration, 136

IPv6/IPv4 tunnel configuration, 184, 185

IPv6/IPv4 tunneling implementation, 184

link-local address configuration, 129

local fragment reassembly enable, 140

max number NS message sent attempts, 134

multicast address type, 120

multicast echo request reply, 138

ND configuration, 130

ND customer-side port configuration, 136

ND duplicate address detection, 122

ND dynamic neighbor entries max number, 131

ND hop limit, 132

ND link-local entry minimization, 131

ND neighbor reachability detection, 122

ND protocol, 121

ND protocol address resolution, 122

ND proxy enable, 134

ND redirection, 123

ND router/prefix discovery, 123

ND stale state entry aging timer, 131

ND stateless address autoconfiguration, 123

ND static neighbor entry configuration, 130

packet+extension header discard, 140

path MTU discovery, 123

path MTU discovery configuration, 136

protocols and standards, 125

RA message parameter, 133

RA message parameter configuration, 132

RA message send enable, 133

stateless address autoconfiguration, 127

static path MTU configuration, 137

transition technologies, 124

troubleshoot address cannot be pinged, 147

troubleshoot basics configuration, 147

tunneling configuration, 180

tunneling technology, 124

IPv6 addressing

DHCPv6 relay agent IPv6 prefix advertisement, 168

DHCPv6 server IPv6 prefix advertisement, 159

IRDP

basic concepts, 101

configuration, 101, 102, 103

operation, 101

protocols and standards, 102

IRF

DHCP overview, 25

L

LAN

IPPO, 105

Layer 3

client stateless DHCPv6 configuration, 177

DHCP client configuration, 66, 68

DHCP overview, 25

DHCP relay agent configuration, 55, 56, 63

DHCP relay agent Option 82 configuration, 64

DHCP server configuration, 31, 33, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server subnet configuration, 51

DHCP server user class configuration, 49

DHCP snooping basic configuration, 78

DHCPv6 client configuration, 172, 172, 174

DHCPv6 client IPv6 address acquisition configuration, 174

DHCPv6 client IPv6 prefix acquisition configuration, 176

UDP helper broadcast > multicast conversion, 114, 116

UDP helper broadcast > unicast conversion, 113, 115

UDP helper configuration, 113, 115

virtual tunnel interface, 180

learning

IPv6 ND dynamic neighbor entries max number, 131

leasing

DHCP IP address lease extension, 26

DHCPv6 address/prefix lease renewal, 149

DHCPv6 PD, 152

limiting

DHCP snooping packet rate limit, 77

IPPO ICMP error message rate limit, 110

IPv6 ICMPv6 error message rate limit, 137

load sharing

IP forwarding load sharing, 99

IP forwarding load sharing (local-first), 98

IP forwarding load sharing configuration, 98

IP forwarding load sharing path display, 99

IP forwarding per-flow load sharing, 98

local

IP forwarding load sharing (local-first), 98

logging

ARP logging enable, 7

M

MAC addressing

ARP configuration, 1, 8

ARP dynamic entry check enable, 6

ARP fast-reply configuration, 18, 18

ARP long static entry configuration, 8

ARP multiport entry configuration, 10

ARP operation, 1

ARP short static entry configuration, 9

ARP snooping configuration, 17

common proxy ARP configuration, 15

DHCP client configuration, 66, 68

gratuitous ARP configuration, 12

gratuitous ARP packet learning, 12

gratuitous ARP periodic packet send, 12

IPv6 EUI-64 address-based interface identifiers, 121

proxy ARP configuration, 14

maintaining

ARP, 7

ARP snooping, 17

DHCP relay agent, 63

DHCP server, 47

DHCP snooping, 77

DHCPv6 client, 174

DHCPv6 relay agent, 169

DHCPv6 server, 159

DNS, 86

GRE, 198

IPPO, 111

IPv6 basics, 140

tunneling configuration, 182

UDP helper, 114

masking

IP addressing, 21

maximum segment size. Use MSS

message

ARP configuration, 1, 8

ARP fast-reply configuration, 18, 18

ARP long static entry configuration, 8

ARP message format, 1

ARP multiport entry configuration, 10

ARP short static entry configuration, 9

ARP snooping configuration, 17

common proxy ARP configuration, 15

DHCP format, 27

DHCP-REQUEST message attack protection, 76

DHCPv6 assignment (4 messages), 148

DHCPv6 rapid assignment (2 messages), 148

gratuitous ARP configuration, 12

gratuitous ARP packet learning, 12

gratuitous ARP periodic packet send, 12

IPPO ICMP error message rate limit, 110

IPPO ICMP error message sending, 108

IPv6 ICMPv6 error message rate limit, 137

IPv6 ICMPv6 message send, 137

IPv6 ND protocol, 121

proxy ARP configuration, 14

Microsoft Windows

DHCP client configuration, 66, 68

minimizing IPv6 ND link-local entries, 131

mode

DHCPv6 relay agent Interface-ID option padding, 167

MSS

IPPO interface TCP MSS, 106

MTU

IPPO IPv4 packet MTU, 106

IPv6 dynamic path MTU aging timer, 137

IPv6 interface MTU configuration, 136

IPv6 path MTU discovery, 123

IPv6 path MTU discovery configuration, 136

IPv6 static path MTU configuration, 137

multicast

DHCPv6 address, 152

IPv6 address, 120

IPv6 address type, 119

IPv6 multicast echo request reply, 138

UDP helper broadcast > multicast conversion, 114, 116

UDP helper configuration, 115

multiport ARP entry, 4

multiport entry (ARP), 10

N

name

DNS configuration, 81

DNS dynamic domain name resolution, 81

DNS static domain name resolution, 81

IPv4 DNS client configuration, 82

IPv4 DNS configuration, 87

IPv6 DNS client configuration, 84

naming

DHCP client domain name suffix, 38

DNS configuration, 82

IPv4 DNS client domain name resolution (dynamic), 83, 88

IPv4 DNS client domain name resolution (static), 82, 87

IPv6 DNS client domain name resolution (dynamic), 84, 91

IPv6 DNS client domain name resolution (static), 84, 91

IPv6 DNS configuration, 91

neighbor discovery

IPv6 duplicate address detection, 122

IPv6 ND address resolution, 122

IPv6 ND configuration, 130

IPv6 ND dynamic neighbor entries max number, 131

IPv6 ND hop limit, 132

IPv6 ND link-local entry minimization, 131

IPv6 ND protocol, 121

IPv6 ND stale state entry aging timer, 131

IPv6 ND static neighbor entry, 130

IPv6 neighbor reachability detection, 122

IPv6 redirection, 123

IPv6 router/prefix discovery, 123

IPv6 stateless address autoconfiguration, 123

NetBIOS

DHCP client node type, 39

network

ARP customer-side port, 6

ARP dynamic entry aging timer, 5

ARP dynamic entry check enable, 6

ARP dynamic entry max (device), 4

ARP dynamic entry max (interface), 5

ARP fast-reply configuration, 18, 18

ARP logging enable, 7

ARP long static entry configuration, 8

ARP message format, 1

ARP multiport entry, 4

ARP multiport entry configuration, 10

ARP OpenFlow table entry, 3

ARP operation, 1

ARP short static entry configuration, 9

ARP static entry, 3

ARP table, 2

client stateless DHCPv6 configuration, 177

common proxy ARP configuration, 15

DHCP address pool, 31

DHCP client DNS server, 38

DHCP client gateway, 37

DHCP client ID configuration (on interface), 66

DHCP client packet DSCP value, 67

DHCP client server specification, 40

DHCP relay address pool, 61

DHCP relay agent configuration, 63

DHCP relay agent enable, 57

DHCP relay agent Option 82 configuration, 64

DHCP relay agent packet DSCP value, 61

DHCP relay agent security features, 58

DHCP relay agent server, 57

DHCP server address pool, 34

DHCP server address pool IP address range, 34

DHCP server broadcast response, 45

DHCP server compatibility configuration, 45

DHCP server configuration, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server packet DSCP value, 46

DHCP server subnet configuration, 51

DHCP server user class configuration, 49

DHCP smart relay, 62

DHCP snooping basic configuration, 73, 78

DHCP snooping Option 82 configuration, 79

DHCP snooping trusted port, 71

DHCP snooping untrusted port, 71

DHCPv6 address allocation, 153

DHCPv6 address pool, 152

DHCPv6 address pool selection, 153

DHCPv6 address/prefix assignment, 148

DHCPv6 client IPv6 address acquisition, 172

DHCPv6 client IPv6 address acquisition configuration, 174

DHCPv6 client IPv6 prefix acquisition, 173

DHCPv6 client IPv6 prefix acquisition configuration, 176

DHCPv6 client packet DSCP value, 173

DHCPv6 client stateless, 173

DHCPv6 IPv6 address assignment, 151

DHCPv6 IPv6 address/prefix allocation sequence, 153

DHCPv6 IPv6 prefix assignment, 151

DHCPv6 packet DSCP value, 158

DHCPv6 prefix allocation, 153

DHCPv6 relay agent address pool configuration, 168

DHCPv6 relay agent enable on interface, 166

DHCPv6 relay agent Interface-ID option padding mode, 167

DHCPv6 relay agent packet DSCP value, 167

DHCPv6 relay agent server, 166

DHCPv6 server configuration on interface, 157

DHCPv6 server dynamic IPv6 address assignment, 162

DHCPv6 server dynamic IPv6 prefix assignment, 160

DHCPv6 server IPv6 address assignment, 155

DHCPv6 server IPv6 prefix assignment, 154

DHCPv6 server network parameters assignment, 157

DNS outgoing packet DSCP value, 86

DNS packet source interface, 85

DNS trusted interface, 86

gratuitous ARP configuration, 13

gratuitous ARP IP conflict notification, 13

gratuitous ARP packet learning, 12

gratuitous ARP periodic packet send, 12

GRE application scenarios, 195

GRE/IPv4 tunnel configuration, 196

IP address classes, 20

IP addressing configuration, 23

IP addressing interface address, 21

IP addressing masking, 21

IP addressing subnetting, 21

IP forwarding entries save, 96

IP forwarding load sharing, 99

IP forwarding load sharing (local-first), 98

IP forwarding load sharing configuration, 98

IP forwarding per-flow load sharing, 98

IPPO directed broadcast forward, 105

IPPO directed broadcast forward configuration, 105

IPPO ICMP error message rate limit, 110

IPPO ICMP error message send, 108

IPPO ICMP fragment forwarding disable, 110

IPPO interface TCP MSS, 106

IPPO IPv4 packet MTU, 106

IPPO SYN cookie, 107

IPPO TCP buffer size, 107

IPPO TCP timer, 108

IPv4 DNS client configuration, 82

IPv4 DNS client domain name resolution (dynamic), 88

IPv4 DNS client domain name resolution (static), 87

IPv4/IPv4 GRE tunnel configuration, 199

IPv4/IPv4 tunnel configuration, 189, 190

IPv4/IPv4 tunneling implementation, 189

IPv6 6PE technology, 125

IPv6 addresses, 119

IPv6 anycast address configuration, 130

IPv6 basics configuration, 142

IPv6 DNS client configuration, 84

IPv6 DNS client domain name resolution (dynamic), 91

IPv6 DNS client domain name resolution (static), 91

IPv6 dual stack technology, 124

IPv6 dynamic path MTU aging timer, 137

IPv6 global unicast address, 126

IPv6 ICMPv6 destination unreachable message send, 138

IPv6 ICMPv6 error message rate limit, 137

IPv6 ICMPv6 message send, 137

IPv6 ICMPv6 redirect message send, 139

IPv6 ICMPv6 time exceeded message send, 139

IPv6 interface address assignment, 126

IPv6 interface MTU, 136

IPv6 link-local address configuration, 129

IPv6 max number NS message sent attempts, 134

IPv6 multicast echo request reply, 138

IPv6 ND configuration, 130

IPv6 ND customer-side port, 136

IPv6 ND duplicate address detection, 122

IPv6 ND dynamic neighbor entries max number, 131

IPv6 ND hop limit, 132

IPv6 ND link-local entry minimization, 131

IPv6 ND neighbor reachability detection, 122

IPv6 ND protocol, 121

IPv6 ND protocol address resolution, 122

IPv6 ND redirection, 123

IPv6 ND router/prefix discovery, 123

IPv6 ND stale state entry aging timer, 131

IPv6 ND stateless address autoconfiguration, 123

IPv6 ND static neighbor entry, 130

IPv6 packet+extension header discard, 140

IPv6 path MTU discovery, 123, 136

IPv6 RA message parameter, 132

IPv6 static path MTU, 137

IPv6 transition technologies, 124

IPv6 tunneling technology, 124

IPv6/IPv4 tunnel configuration, 184, 185

IPv6/IPv4 tunneling implementation, 184

IRDP basic concepts, 101

IRDP operation, 101

Layer 3 virtual tunnel interface, 180

special IP addresses, 21

UDP helper broadcast > multicast conversion, 114, 116

UDP helper broadcast > unicast conversion, 113, 115

network management

ARP configuration, 1, 8

ARP snooping configuration, 17

DHCP client configuration, 66, 68

DHCP overview, 25

DHCP relay agent configuration, 55, 56

DHCP server configuration, 31, 33

DHCP snooping configuration, 71, 73, 78

DHCPv6 client configuration, 172, 172, 174

DHCPv6 concepts, 152

DHCPv6 overview, 148

DHCPv6 relay agent configuration, 165, 169

DHCPv6 server configuration, 151, 154, 160

DNS configuration, 81, 82

gratuitous ARP configuration, 12

GRE configuration, 194, 199

IP addressing configuration, 20

IP forwarding basic settings, 96

IPPO, 105

IPv4 DNS configuration, 87

IPv6 basic settings configuration, 118, 125

IPv6 DNS configuration, 91

IRDP configuration, 101, 102, 103

proxy ARP configuration, 14

tunneling configuration, 180

UDP helper configuration, 113, 115

node

DHCP client NetBIOS node b (broadcast) type, 39

DHCP client NetBIOS node h (hybrid) type, 39

DHCP client NetBIOS node m (mixed) type, 39

DHCP client NetBIOS node p (peer-to-peer) type, 39

non-temporary

DHCPv6 non-temporary address assignment, 155

DHCPv6 non-temporary IPv6 address, 151

notifying

gratuitous ARP IP conflict notification, 13

O

OpenFlow

ARP OpenFlow table entry, 3

operation

IRDP, 101

optimal

IP forwarding optimal route selection, 96

optimizing

IP performance. See IPPO

IPPO SYN cookie, 107

option

DHCP field, 28

DHCP option customization, 41

DHCP server option customization, 52

DHCPv6 relay agent Interface-ID option padding, 167

Option 121 (DHCP), 28

Option 150 (DHCP), 28

Option 184 (DHCP)

reserved option, 28, 30

Option 3 (DHCP);Option 003 (DHCP), 28

Option 33 (DHCP);Option 033 (DHCP), 28

Option 43 (DHCP);Option 043 (DHCP), 28, 28

Option 51 (DHCP);Option 051 (DHCP), 28

Option 53 (DHCP);Option 053 (DHCP), 28

Option 55 (DHCP);Option 055 (DHCP), 28

Option 6 (DHCP);Option 006 (DHCP), 28

Option 60 (DHCP);Option 060 (DHCP), 28

Option 66 (DHCP);Option 066 (DHCP), 28

Option 67 (DHCP);Option 067 (DHCP), 28

Option 82 (DHCP);Option 082 (DHCP)

handling enable, 45

relay agent, 28, 29

relay agent configuration, 60, 64

relay agent support, 56

snooping configuration, 74, 79

snooping support, 72

P

packet

DHCP client packet DSCP value, 67

DHCP server packet DSCP value, 46

DHCP snooping packet rate limit, 77

DHCPv6 client packet DSCP value, 173

DHCPv6 packet DSCP value, 158

DNS packet source interface, 85

gratuitous ARP packet learning, 12

gratuitous ARP periodic packet send, 12

GRE encapsulation format, 194

GRE tunnel operation, 194

IP addressing configuration, 20, 23

IP forwarding basic settings, 96

IPPO, 105

IPPO ICMP error message rate limit, 110

IPPO ICMP fragment forwarding disable, 110

IPPO ICMP packet source address, 110

IPPO IPv4 packet MTU, 106

IPv4/IPv4 tunneling implementation, 189

IPv6 6PE technology, 125

IPv6 addresses, 119

IPv6 anycast address configuration, 130

IPv6 basic settings configuration, 118, 125

IPv6 basics configuration, 142

IPv6 dual stack technology, 124

IPv6 dynamic path MTU aging timer, 137

IPv6 global unicast address, 126

IPv6 ICMPv6 destination unreachable message send, 138

IPv6 ICMPv6 error message rate limit, 137

IPv6 ICMPv6 packet source address, 139

IPv6 ICMPv6 redirect message send, 139

IPv6 ICMPv6 time exceeded message send, 139

IPv6 interface address assignment, 126

IPv6 interface MTU, 136

IPv6 link-local address configuration, 129

IPv6 max number NS message sent attempts, 134

IPv6 multicast echo request reply, 138

IPv6 ND configuration, 130

IPv6 ND duplicate address detection, 122

IPv6 ND dynamic neighbor entries max number, 131

IPv6 ND hop limit, 132

IPv6 ND link-local entry minimization, 131

IPv6 ND neighbor reachability detection, 122

IPv6 ND protocol address resolution, 122

IPv6 ND redirection, 123

IPv6 ND router/prefix discovery, 123

IPv6 ND stale state entry aging timer, 131

IPv6 ND stateless address autoconfiguration, 123

IPv6 ND static neighbor entry, 130

IPv6 packet+extension header discard, 140

IPv6 path MTU discovery, 123, 136

IPv6 RA message parameter, 132

IPv6 static path MTU, 137

IPv6 transition technologies, 124

IPv6 tunneling technology, 124

IPv6/IPv4 tunneling implementation, 184

tunneling configuration, 180

UDP helper broadcast > multicast conversion, 114

UDP helper broadcast > unicast conversion, 113

UDP helper configuration, 113

parameter

DHCPv6 server network parameters assignment, 157

IPv6 RA message parameter, 132, 133

stateless DHCPv6, 150

PD (DHCPv6), 152

per-flow load sharing (IP forwarding), 98

periodic gratuitous ARP packet send, 12

ping

troubleshooting GRE hosts cannot ping each other, 202

troubleshooting IPv6 address cannot be pinged, 147

policy

DHCP dynamic address assignment policy, 43

pool

DHCP relay address pool, 61

DHCPv6 address pool, 152

DHCPv6 address pool selection, 153

DHCPv6 relay agent address pool configuration, 168

port

ARP customer-side port, 6

DHCP snooping trusted port, 71

DHCP snooping untrusted port, 71

IPv6 ND customer-side port, 136

prefix

delegation. See PD

DHCPv6 address/prefix assignment, 148

DHCPv6 address/prefix lease renewal, 149

DHCPv6 client IPv6 prefix acquisition, 173

DHCPv6 dynamic prefix allocation, 153

DHCPv6 IPv6 address assignment, 151

DHCPv6 IPv6 address/prefix allocation sequence, 153

DHCPv6 IPv6 prefix assignment, 151

DHCPv6 server dynamic IPv6 prefix assignment, 160

DHCPv6 server IPv6 prefix assignment, 154

DHCPv6 static prefix allocation, 153

stateless DHCPv6, 150

procedure

applying DHCP address pool on interface, 43

applying DHCP address pool to VPN instance, 46

ARP entry synchronization, 6

assigning IP addressing interface address, 21

assigning IPv6 interface addresses, 126

configuring ARP customer-side port, 6

configuring ARP dynamic entry aging timer, 5

configuring ARP fast-reply, 18

configuring ARP long static entry, 8

configuring ARP multiport entry, 4, 10

configuring ARP short static entry, 9

configuring ARP static entry, 3

configuring client stateless DHCPv6, 177

configuring common proxy ARP, 15

configuring DHCP address pool static binding, 37

configuring DHCP client, 68

configuring DHCP client ID (on interface), 66

configuring DHCP dynamic address assignment policy, 43

configuring DHCP IP address conflict detection, 44

configuring DHCP relay address pool, 61

configuring DHCP relay agent, 56, 63

configuring DHCP relay agent IP address release, 60

configuring DHCP relay agent Option 82, 60, 64

configuring DHCP relay agent security features, 58

configuring DHCP server, 33

configuring DHCP server address pool, 34

configuring DHCP server broadcast response, 45

configuring DHCP server compatibility, 45

configuring DHCP server dynamic IP address assignment, 47

configuring DHCP server option customization, 52

configuring DHCP server subnet, 51

configuring DHCP server user class, 49

configuring DHCP smart relay, 62

configuring DHCP snooping, 73

configuring DHCP snooping basics, 73, 78

configuring DHCP snooping entry auto backup, 75

configuring DHCP snooping Option 82, 74, 79

configuring DHCP snooping packet rate limit, 77

configuring DHCPv6 client, 172

configuring DHCPv6 client IPv6 address acquisition, 172, 174

configuring DHCPv6 client IPv6 prefix acquisition, 173, 176

configuring DHCPv6 client stateless, 173

configuring DHCPv6 relay agent, 166, 169

configuring DHCPv6 relay agent address pool, 168

configuring DHCPv6 server, 154

configuring DHCPv6 server dynamic IPv6 address assignment, 162

configuring DHCPv6 server dynamic IPv6 prefix assignment, 160

configuring DHCPv6 server IPv6 address assignment, 155

configuring DHCPv6 server IPv6 prefix assignment, 154

configuring DHCPv6 server network parameters assignment, 157

configuring DHCPv6 server on interface, 157

configuring DNS, 82

configuring DNS trusted interface, 86

configuring gratuitous ARP, 13

configuring GRE/IPv4 tunnel, 196

configuring IP addressing, 23

configuring IP forwarding load sharing, 99

configuring IP forwarding load sharing (local-first), 98

configuring IP forwarding per-flow load sharing, 98

configuring IPPO directed broadcast forward, 105

configuring IPPO ICMP error message rate limit, 110

configuring IPv4 DNS client, 82

configuring IPv4 DNS client domain name resolution (dynamic), 83, 88

configuring IPv4 DNS client domain name resolution (static), 82, 87

configuring IPv4/IPv4 GRE tunnel, 199

configuring IPv4/IPv4 tunnel, 189, 190

configuring IPv6 address (global unicast)(manual), 127

configuring IPv6 address (global unicast)(prefix-specific autoconfiguration), 128

configuring IPv6 anycast address, 130

configuring IPv6 basic settings, 125

configuring IPv6 basics, 142

configuring IPv6 DNS client, 84

configuring IPv6 DNS client domain name resolution (dynamic), 84, 91

configuring IPv6 DNS client domain name resolution (static), 84, 91

configuring IPv6 EUI-64 address, 127

configuring IPv6 global unicast address, 126

configuring IPv6 ICMPv6 error message rate limit, 137

configuring IPv6 interface link-local address automatic generation, 129

configuring IPv6 link-local address, 129

configuring IPv6 max number NS message sent attempts, 134

configuring IPv6 ND, 130

configuring IPv6 ND customer-side port, 136

configuring IPv6 ND dynamic neighbor entries max number, 131

configuring IPv6 ND stale state entry aging timer, 131

configuring IPv6 ND static neighbor entry, 130

configuring IPv6 path MTU discovery, 136

configuring IPv6 RA message parameters, 132, 133

configuring IPv6 stateless address with autoconfiguration, 127

configuring IPv6/IPv4 tunnel, 184, 185

configuring IRDP, 102, 103

configuring Layer 3 virtual tunnel interface, 180

configuring UDP helper broadcast > multicast conversion, 114, 116

configuring UDP helper broadcast > unicast conversion, 113, 115

controlling IPv6 ICMPv6 message send, 137

creating DHCP server address pool, 34

customizing DHCP options, 41

disabling IPPO ICMP fragment forwarding, 110

displaying ARP, 7

displaying ARP snooping, 17

displaying DHCP client, 67

displaying DHCP relay agent, 63

displaying DHCP server, 47

displaying DHCP snooping, 77

displaying DHCPv6 client, 174

displaying DHCPv6 relay agent, 169

displaying DHCPv6 server, 159

displaying DNS, 86

displaying GRE, 198

displaying IP addressing, 23

displaying IP forwarding FIB table entries, 97

displaying IP forwarding load sharing path, 99

displaying IPPO, 111

displaying IPv6 basics, 140

displaying proxy ARP, 14

displaying tunneling configuration, 182

displaying UDP helper, 114

enabling ARP dynamic entry check, 6

enabling ARP logging, 7

enabling common proxy ARP, 14

enabling DHCP, 42

enabling DHCP client (on interface), 66

enabling DHCP client duplicated address detection, 67

enabling DHCP Option 82 handling, 45

enabling DHCP relay agent (on interface), 57

enabling DHCP relay agent entry periodic refresh, 58

enabling DHCP relay agent relay entry recording, 58

enabling DHCP relay agent starvation attack protection, 59

enabling DHCP server on interface, 43

enabling DHCP snooping starvation attack protection, 76

enabling DHCP-REQUEST message attack protection, 76

enabling DHCPv6 relay agent on interface, 166

enabling DHCPv6 relay agent to advertise IPv6 prefixes, 168

enabling DHCPv6 server to advertise IPv6 prefixes, 159

enabling gratuitous ARP IP conflict notification, 13

enabling IPPO directed broadcast forward, 105

enabling IPPO ICMP error message send, 108

enabling IPPO SYN cookie, 107

enabling IPv6 ICMPv6 destination unreachable message send, 138

enabling IPv6 ICMPv6 redirect message send, 139

enabling IPv6 ICMPv6 time exceeded message send, 139

enabling IPv6 local fragment reassembly, 140

enabling IPv6 multicast echo request reply, 138

enabling IPv6 ND proxy, 134

enabling IPv6 packet+extension header discard, 140

enabling IPv6 RA message send, 133

enabling local proxy ARP, 14

maintaining ARP, 7

maintaining ARP snooping, 17

maintaining DHCP relay agent, 63

maintaining DHCP server, 47

maintaining DHCP snooping, 77

maintaining DHCPv6 client, 174

maintaining DHCPv6 relay agent, 169

maintaining DHCPv6 server, 159

maintaining DNS, 86

maintaining GRE, 198

maintaining IPPO, 111

maintaining IPv6 basics, 140

maintaining tunneling configuration, 182

maintaining UDP helper, 114

minimizing IPv6 ND link-local entry, 131

saving IP forwarding entries to file, 96

setting ARP dynamic entry max (device), 4

setting ARP dynamic entry max (interface), 5

setting DHCP client packet DSCP value, 67

setting DHCP relay agent packet DSCP value, 61

setting DHCP server packet DSCP value, 46

setting DHCP snooping entry max, 77

setting DHCPv6 client packet DSCP value, 173

setting DHCPv6 packet DSCP value, 158

setting DHCPv6 relay agent packet DSCP value, 167

setting DNS outgoing packet DSCP value, 86

setting IPPO interface TCP MSS, 106

setting IPPO IPv4 packet MTU, 106

setting IPPO TCP buffer size, 107

setting IPPO TCP timer, 108

setting IPv6 dynamic path MTU aging timer, 137

setting IPv6 interface MTU, 136

setting IPv6 ND hop limit, 132

setting IPv6 static path MTU, 137

specifying DHCP address pool primary subnet+multiple address range, 34

specifying DHCP address pool primary subnet+multiple secondary subnets, 36

specifying DHCP client auto-configuration file, 40

specifying DHCP client BIMS server information, 39

specifying DHCP client DNS server, 38

specifying DHCP client domain name suffix, 38

specifying DHCP client gateway, 37

specifying DHCP client server, 40

specifying DHCP client WINS server, 39

specifying DHCP relay agent server, 57

specifying DHCP server address pool IP address range, 34

specifying DHCPv6 relay agent Interface-ID option padding mode, 167

specifying DHCPv6 relay agent server, 166

specifying DNS packet source interface, 85

specifying IPPO ICMP packet source address, 110

specifying IPv6 ICMPv6 packet source address, 139

specifying IPv6 interface link-local address manually, 129

specifying DHCP client NetBIOS node type, 39

troubleshooting DHCP address conflict, 54

troubleshooting DHCP relay agent configuration, 65

troubleshooting GRE hosts cannot ping each other, 202

troubleshooting IPv4 DNS incorrect IP address, 94

troubleshooting IPv6 address cannot be pinged, 147

troubleshooting IPv6 DNS incorrect IP address, 94

troubleshooting tunnel cannot come up, 182

protecting

DHCP relay agent starvation attack protection, 59

DHCP snooping starvation attack protection, 76

DHCP-REQUEST message attack protection, 76

protocols and standards

DHCP, 30

DHCP overview, 25

DHCPv6, 150

GRE, 196

IPv6, 125

IRDP, 102

IRDP configuration, 101, 102

proxy ARP

common proxy ARP configuration, 15

common proxy ARP enable, 14

configuration, 14

display, 14

local proxy ARP enable, 14

proxying

IPv6 ND proxy enable, 134

IRDP proxy-advertised IP address, 101

R

RA

IRDP RA (router advertisement), 101

rapid assignment (2 messages), 148

rate limiting

DHCP snooping rate limit, 77

IPPO ICMP error message rate limit, 110

IPv6 ICMPv6 error message rate limit, 137

reassembling

IPv6 local fragment reassembly, 140

receiving

IPPO directed broadcast forward, 105

redirecting

IPv6 ND, 123

relay agent

DHCP configuration, 55, 56

DHCP enable, 57, 57

DHCP enable (on interface), 57

DHCP IP address release, 60

DHCP operation, 55

DHCP Option 82, 28, 29

DHCP Option 82 configuration, 60

DHCP Option 82 support, 56

DHCP overview, 25

DHCP relay address pool configuration, 61

DHCP relay agent configuration, 63

DHCP relay agent Option 82 configuration, 64

DHCP relay agent packet DSCP value, 61

DHCP relay agent server, 57

DHCP relay entry periodic refresh, 58

DHCP relay entry recording, 58

DHCP security features, 58

DHCP smart relay, 62

DHCP snooping configuration, 71, 73, 78

DHCP starvation attack protection, 59

DHCPv6 address pool configuration, 168

DHCPv6 configuration, 165, 169

DHCPv6 DUID, 152

DHCPv6 enable on interface, 166

DHCPv6 Interface-ID option padding mode, 167

DHCPv6 relay agent packet DSCP value, 167

DHCPv6 relay agent server, 166

display, 63, 169

maintain, 63, 169

troubleshooting DHCP configuration, 65

releasing

DHCP relay agent IP address release, 60

reserved DHCP Option 184, 28, 30

resolving

DNS configuration, 81, 82

DNS dynamic domain name resolution, 81

DNS static domain name resolution, 81

IPv4 DNS client domain name resolution (dynamic), 83, 88

IPv4 DNS client domain name resolution (static), 82, 87

IPv4 DNS configuration, 87

IPv6 DNS client domain name resolution (dynamic), 84, 91

IPv6 DNS client domain name resolution (static), 84, 91

IPv6 DNS configuration, 91

restrictions

UDP helper configuration, 113

route

IP forwarding optimal route selection, 96

router

IPv6 ND router/prefix discovery, 123

routing

DHCP snooping configuration, 71

DHCP snooping trusted port, 71

DHCP snooping untrusted port, 71

DNS configuration, 81, 82

DNS outgoing packet DSCP value, 86

DNS packet source interface, 85

DNS trusted interface, 86

GRE configuration, 194, 199

GRE/IPv4 tunnel configuration, 196

IP address classes, 20

IP addressing configuration, 20, 23

IP addressing interface address, 21

IP addressing masking, 21

IP addressing subnetting, 21

IP forwarding basic settings, 96

IP forwarding optimal route selection, 96

IPPO, 105

IPPO directed broadcast forward, 105

IPPO directed broadcast forward configuration, 105

IPPO ICMP error message send, 108

IPPO ICMP fragment forwarding disable, 110

IPPO interface TCP MSS, 106

IPPO IPv4 packet MTU, 106

IPPO SYN cookie, 107

IPPO TCP buffer size, 107

IPPO TCP timer, 108

IPv4 DNS client configuration, 82

IPv4 DNS configuration, 87

IPv4/IPv4 GRE tunnel configuration, 199

IPv6 DNS client configuration, 84

IPv6 DNS configuration, 91

IRDP configuration, 101, 102, 103

special IP addresses, 21

UDP helper broadcast > multicast conversion, 116

UDP helper broadcast > unicast conversion, 115

UDP helper configuration, 115

RS

IRDP RS (router solicitation), 101

rule

ARP rule entry, 3

S

saving

IP forwarding entries to a file, 96

security

DHCP relay agent entry periodic refresh, 58

DHCP relay agent IP address release, 60

DHCP relay agent relay entry recording, 58

DHCP relay agent security features, 58

DHCP relay agent starvation attack protection, 59

DHCP smart relay, 62

DHCP snooping basic configuration, 73, 78

DHCP snooping configuration, 71, 73, 78

DHCP snooping entry auto backup, 75

DHCP snooping packet rate limit, 77

DHCP snooping starvation attack protection, 76

DHCP-REQUEST message attack protection, 76

selecting

DHCP address pool, 32

DHCPv6 address pool selection, 153

IP forwarding optimal route selection, 96

server

DHCP address pool, 34

DHCP address pool creation, 34

DHCP address pool IP address range, 34

DHCP client auto-configuration file, 40

DHCP client BIMS server information, 39

DHCP client gateway specification, 37

DHCP client NetBIOS node type, 39

DHCP client server specification, 40

DHCP client WINS server, 39

DHCP compatibility configuration, 45

DHCP configuration, 31, 33

DHCP relay agent server, 57

DHCP server broadcast response, 45

DHCP server configuration, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server packet DSCP value, 46

DHCP server subnet configuration, 51

DHCP server user class configuration, 49

DHCPv6 address pool, 152

DHCPv6 configuration, 151, 154, 160

DHCPv6 configuration on interface, 157

DHCPv6 DUID, 152

DHCPv6 dynamic IPv6 address assignment, 162

DHCPv6 dynamic IPv6 prefix assignment, 160

DHCPv6 IPv6 address assignment, 155

DHCPv6 IPv6 prefix assignment, 154

DHCPv6 network parameters assignment, 157

DHCPv6 packet DSCP value, 158

DHCPv6 PD, 152

DHCPv6 relay agent server, 166

setting

ARP dynamic entry max (device), 4

ARP dynamic entry max (interface), 5

DHCP client packet DSCP value, 67

DHCP relay agent packet DSCP value, 61

DHCP server packet DSCP value, 46

DHCP snooping entry max, 77

DHCPv6 client packet DSCP value, 173

DHCPv6 packet DSCP value, 158

DHCPv6 relay agent packet DSCP value, 167

DNS outgoing packet DSCP value, 86

IPPO interface TCP MSS, 106

IPPO IPv4 packet MTU, 106

IPPO TCP buffer size, 107

IPPO TCP timers, 108

IPv6 dynamic path MTU aging timer, 137

IPv6 interface MTU, 136

IPv6 ND dynamic neighbor entries max number, 131

IPv6 ND hop limit, 132

IPv6 ND stale state entry aging timer, 131

IPv6 static path MTU, 137

smart relay

DHCP configuration, 62

snooping

ARP snooping configuration, 17

DHCP snooping basic configuration, 73, 78

DHCP snooping configuration, 71, 73, 78

DHCP snooping entry auto backup, 75

DHCP snooping entry max, 77

DHCP snooping Option 82 configuration, 79

DHCP snooping Option 82 support, 72

DHCP snooping packet rate limit, 77

DHCP snooping starvation attack protection, 76

DHCP-REQUEST message attack protection, 76

soliciting

IRDP RS (router solicitation), 101

source

IPPO ICMP packet source address, 110

IPv6 ICMPv6 packet source address, 139

special IP addresses, 21

specifying

DHCP address pool primary subnet+multiple address range, 34

DHCP address pool primary subnet+multiple secondary subnets, 36

DHCP client auto-configuration file, 40

DHCP client BIMS server information, 39

DHCP client DNS server, 38

DHCP client domain name suffix, 38

DHCP client gateway, 37

DHCP client NetBIOS node type, 39

DHCP client server, 40

DHCP client WINS server, 39

DHCP relay agent server, 57

DHCP server address pool IP address range, 34

DHCPv6 relay agent Interface-ID option padding mode, 167

DHCPv6 relay agent server, 166

DNS packet source interface, 85

IPPO ICMP packet source address, 110

IPv6 ICMPv6 packet source address, 139

IPv6 interface link-local address manually, 129

starvation attack

DHCP relay agent protection, 59

DHCP snooping protection, 76

stateless DHCPv6, 150

configuration, 177

DHCPv6 client, 173

static

DHCP address allocation, 25, 31

DHCPv6 prefix allocation, 153

DHCPv6 static address allocation, 153

DNS domain name resolution, 81

IPv4 DNS client domain name resolution, 82, 87

IPv6 DNS client domain name resolution, 84, 91

IPv6 ND static neighbor entry, 130

IPv6 static path MTU, 137

subnetting

DHCP server subnet configuration, 51

DHCPv6 relay agent configuration, 165, 169

IP addressing, 21

suffix

DHCP client domain name suffix, 38

DNS client, 82

DNS trusted interface, 86

SYN

IPPO SYN cookie enable, 107

IPPO wait timer, 108

synchronizing

ARP entry, 6

T

table

ARP multiport entry, 4

ARP static entry, 3

ARP table, 2

IP forwarding FIB table entry display, 97

TCP

IPPO buffer size, 107

IPPO interface TCP MSS, 106

IPPO SYN cookie, 107

IPPO TCP timer configuration, 108

TCP/IP

DNS configuration, 81, 82

IPv4 DNS configuration, 87

IPv6 DNS configuration, 91

temporary

DHCPv6 temporary address assignment, 155

DHCPv6 temporary IPv6 address, 151

time

IP services ICMPv6 time exceeded message send, 139

timer

ARP dynamic entry aging, 5

IPPO TCP FIN wait, 108

IPPO TCP SYN wait, 108

IPv6 dynamic path MTU aging timer, 137

IPv6 ND stale state entry aging timer, 131

traffic

Layer 3 virtual tunnel interface, 180

traffic engineering

tunneling configuration, 180

transition technologies, 124

troubleshooting

DHCP relay agent configuration, 65

DHCP server configuration, 54

GRE, 201

GRE hosts cannot ping each other, 202

IPv4 DNS configuration, 94

IPv4 DNS incorrect IP address, 94

IPv6 address cannot be pinged, 147

IPv6 basics configuration, 147

IPv6 DNS configuration, 94

IPv6 DNS incorrect IP address, 94

tunnel cannot come up, 182

tunneling configuration, 182

trusted

DHCP snooping trusted port, 71

tunneling, 180, See also GRE

configuration, 180

configuration display, 182

configuration maintain, 182

GRE configuration, 194, 199

GRE encapsulation format, 194

GRE operation, 194

GRE/IPv4 tunnel configuration, 196

IPv4/IPv4 GRE tunnel configuration, 199

IPv4/IPv4 tunnel configuration, 189, 190

IPv4/IPv4 tunneling implementation, 189

IPv6 tunneling technology, 124

IPv6/IPv4 tunnel configuration, 184, 185

IPv6/IPv4 tunneling implementation, 184

Layer 3 virtual tunnel interface, 180

supported technologies, 180

troubleshoot configuration, 182

troubleshoot tunnel cannot come up, 182

U

UDP helper

broadcast > multicast conversion, 114, 116

broadcast > unicast conversion, 113, 115

configuration, 113, 115

configuration restrictions, 113

display, 114

IPPO, 105

maintain, 114

unicast

IPv6 address (global), 120

IPv6 address (link-local), 120

IPv6 address (loopback), 120

IPv6 address (unspecified), 120

IPv6 address global unicast configuration, 126

IPv6 address type, 119

UDP helper broadcast > unicast conversion, 113, 115

untrusted

DHCP snooping untrusted port, 71

user

User Datagram Protocol. Use UDP

V

vendor

DHCP Option 43 vendor-specific, 28, 28

VLAN

ARP customer-side port, 6

client stateless DHCPv6 configuration, 177

DHCP client configuration, 66, 68

DHCP relay agent configuration, 55, 56, 63

DHCP relay agent Option 82 configuration, 64

DHCP server configuration, 31, 33, 47

DHCP server dynamic IP address assignment, 47

DHCP server option customization, 52

DHCP server user class configuration, 49

DHCP snooping basic configuration, 78

DHCPv6 client configuration, 172, 172, 174

DHCPv6 client IPv6 address acquisition configuration, 174

DHCPv6 client IPv6 prefix acquisition configuration, 176

UDP helper broadcast > multicast conversion, 114, 116

UDP helper broadcast > unicast conversion, 113, 115

UDP helper configuration, 113, 115

VPN

DHCP address pool VPN instance application, 46

GRE application, 195

tunneling configuration, 180

W

Windows

DHCP client configuration, 66, 68

DHCP client WINS server, 39

Internet Naming Service. Use WINS

 
