Login
- Table of Contents
-
- 05-Layer 3—IP Services Configuration Guide
- 00-Preface
- 01-ARP configuration
- 02-IP addressing configuration
- 03-DHCP configuration
- 04-DNS configuration
- 05-IP forwarding basics configuration
- 06-Fast forwarding configuration
- 07-Adjacency table configuration
- 08-IRDP configuration
- 09-IP performance optimization configuration
- 10-UDP helper configuration
- 11-IPv6 basics configuration
- 12-IPv6 neighbor discovery configuration
- 13-DHCPv6 configuration
- 14-IPv6 fast forwarding configuration
- 15-IPv6 transition technologies configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 11-IPv6 basics configuration | 251.10 KB |
Configuring basic IPv6 settings
Configuring an IPv6 global unicast address
About IPv6 global unicast address
Generating an EUI-64 IPv6 address
Manually assigning an IPv6 global unicast address
Stateless address autoconfiguration
Configuring prefix-specific address autoconfiguration
Configuring an IPv6 link-local address
Configuring automatic generation of an IPv6 link-local address for an interface
Manually assigning an IPv6 link-local address to an interface
Configuring an IPv6 anycast address
Configuring path MTU discovery
Setting the interface MTU for IPv6 packets
Setting the aging time for dynamic path MTUs
Setting a static path MTU for an IPv6 address
Controlling sending ICMPv6 messages
Configuring the rate limit for ICMPv6 error messages
Enabling replying to multicast echo requests
Enabling sending ICMPv6 destination unreachable messages
Enabling sending ICMPv6 time exceeded messages
Enabling sending ICMPv6 redirect messages
Specifying the source address for ICMPv6 packets
Enabling Layer 3 packet statistics counting
Enabling IPv6 local fragment reassembly
Configuring IPv6 bandwidth-based load sharing
Verifying and maintaining basic IPv6 settings
Verifying basic IPv6 configuration
Displaying information about IPv6 protocol connections
Displaying and clearing IPv6 protocol packet statistics
Displaying and clearing IPv6 path MTU information
Displaying and clearing routing renumbering statistics
Basic IPv6 settings configuration examples
Example: Configuring basic IPv6 settings
Configuring basic IPv6 settings
About IPv6
IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
IPv6 features
Simplified header format
IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header. The basic IPv6 packet header has a fixed length of 40 bytes to simplify IPv6 packet handling and improve forwarding efficiency. Although the IPv6 address size is four times the IPv4 address size, the basic IPv6 packet header size is only twice the size of the option-less IPv4 packet header.
Figure 1 IPv4 packet header format and basic IPv6 packet header format
Larger address space
IPv6 can provide 3.4 x 1038 addresses to meet the requirements of hierarchical address assignment for both public and private networks.
Hierarchical address structure
IPv6 uses a hierarchical address structure to speed up route lookup and reduce the IPv6 routing table size through route aggregation.
Address autoconfiguration
To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration.
· Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring the DHCPv6 server."
· Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
To communicate with other hosts on the same link, a host automatically generates a link-local address based on its link-layer address and the link-local address prefix (FE80::/10).
Built-in security
IPv6 defines extension headers to support IPsec. IPsec provides end-to-end security and enhances interoperability among different IPv6 applications.
QoS support
The Flow Label field in the IPv6 header allows the device to label the packets of a specific flow for special handling.
Enhanced neighbor discovery mechanism
The IPv6 neighbor discovery protocol uses a group of ICMPv6 messages to manage information exchange among neighboring nodes on the same link. The group of ICMPv6 messages replaces ARP messages, ICMPv4 router discovery messages, and ICMPv4 redirect messages and provides a series of other functions.
Flexible extension headers
IPv6 eliminates the Options field in the header and introduces optional extension headers to provide scalability and improve efficiency. The Options field in the IPv4 packet header contains a maximum of 40 bytes, whereas the IPv6 extension headers are restricted to the maximum size of IPv6 packets.
IPv6 addresses
IPv6 address format
An IPv6 address is represented as a set of 16-bit hexadecimals separated by colons (:). An IPv6 address is divided into eight groups, and each 16-bit group is represented by four hexadecimal numbers, for example, 2001:0000:130F:0000:0000:09C0:876A:130B.
To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the following methods:
· The leading zeros in each group can be removed. For example, the above address can be represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.
· If an IPv6 address contains one or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, the above address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.
|
|
IMPORTANT: A double colon can appear once or not at all in an IPv6 address. This limit allows the device to determine how many zeros the double colon represents and correctly convert it to zeros to restore a 128-bit IPv6 address. |
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address.
An IPv6 address prefix is written in IPv6-address/prefix-length notation. The prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address are in the address prefix.
IPv6 address types
IPv6 addresses include the following types:
· Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.
· Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.
Broadcast addresses are replaced by multicast addresses in IPv6.
· Anycast address—An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the nearest interface among the interfaces identified by that address. The nearest interface is chosen according to the routing protocol's measure of distance.
The type of an IPv6 address is designated by the first several bits, called the format prefix.
Table 1 Mappings between address types and format prefixes
|
Type |
Format prefix (binary) |
IPv6 prefix ID |
|
|
Unicast address |
Unspecified address |
00...0 (128 bits) |
::/128 |
|
Loopback address |
00...1 (128 bits) |
::1/128 |
|
|
Link-local address |
1111111010 |
FE80::/10 |
|
|
Global unicast address |
Other forms |
N/A |
|
|
Multicast address |
11111111 |
FF00::/8 |
|
|
Anycast address |
Anycast addresses use the unicast address space and have the identical structure of unicast addresses. |
||
Unicast addresses
Unicast addresses include global unicast addresses, link-local unicast addresses, the loopback address, and the unspecified address.
· Global unicast addresses—Equivalent to public IPv4 addresses, global unicast addresses are provided for Internet service providers. This type of address allows for prefix aggregation to restrict the number of global routing entries.
· Link-local addresses—Used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.
· A loopback address—0:0:0:0:0:0:0:1 (or ::1). It has the same function as the loopback address in IPv4. It cannot be assigned to any physical interface. A node uses this address to send an IPv6 packet to itself.
· An unspecified address—0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.
Multicast addresses
IPv6 multicast addresses listed in Table 2 are reserved for special purposes.
Table 2 Reserved IPv6 multicast addresses
|
Address |
Application |
|
FF01::1 |
Node-local scope all-nodes multicast address. |
|
FF02::1 |
Link-local scope all-nodes multicast address. |
|
FF01::2 |
Node-local scope all-routers multicast address. |
|
FF02::2 |
Link-local scope all-routers multicast address. |
Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.
EUI-64 address-based interface identifiers
An interface identifier is 64 bits long and uniquely identifies an interface on a link.
On an IEEE 802 interface (such as a VLAN interface), the interface identifier is derived from the link-layer address (typically a MAC address) of the interface. The MAC address is 48 bits long.
To obtain an EUI-64 address-based interface identifier, follow these steps:
1. Insert the 16-bit binary number 1111111111111110 (hexadecimal value of FFFE) behind the 24th high-order bit of the MAC address.
2. Invert the universal/local (U/L) bit (the seventh high-order bit). This operation makes the interface identifier have the same local or global significance as the MAC address.
Figure 2 Converting a MAC address into an EUI-64 address-based interface identifier
On a tunnel interface, the lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For more information about tunnels, see IPv4 over IPv4 tunneling configuration and IPv6 over IPv6 tunneling configuration in IP Tunneling and Security VPN Configuration Guide,
On an interface of another type (such as a serial interface) the EUI-64 address-based interface identifier is generated randomly by the device.
IPv6 path MTU discovery
The links that a packet passes from a source to a destination can have different MTUs, among which the minimum MTU is the path MTU. If a packet exceeds the path MTU, the source end fragments the packet to reduce the processing pressure on intermediate devices and to use network resources effectively.
A source end uses path MTU discovery to find the path MTU to a destination, as shown in Figure 3.
1. The source host sends a packet no larger than its MTU to the destination host.
2. If the MTU of an intermediate device's output interface is smaller than the packet, the device performs the following operations:
¡ Discards the packet.
¡ Returns an ICMPv6 error message containing the interface MTU to the source host.
3. Upon receiving the ICMPv6 error message, the source host performs the following operations:
¡ Uses the returned MTU to limit the packet size.
¡ Performs fragmentation.
¡ Sends the fragments to the destination host.
4. Step 2 and step 3 are repeated until the destination host receives the packet. In this way, the source host finds the minimum MTU of all links in the path to the destination host.
Figure 3 Path MTU discovery process
Protocols and standards
· RFC 1881, IPv6 Address Allocation Management
· RFC 1887, An Architecture for IPv6 Unicast Address Allocation
· RFC 1981, Path MTU Discovery for IP version 6
· RFC 2375, IPv6 Multicast Address Assignments
· RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
· RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
· RFC 2526, Reserved IPv6 Subnet Anycast Addresses
· RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses
· RFC 4191, Default Router Preferences and More-Specific Routes
· RFC 4291, IP Version 6 Addressing Architecture
· RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
· RFC 4862, IPv6 Stateless Address Autoconfiguration
IPv6 basics tasks at a glance
To configure basic IPv6 settings, perform the following tasks:
1. Configuring an IPv6 address
Choose the following tasks as needed:
¡ Configuring an IPv6 global unicast address
¡ Configuring an IPv6 link-local address
¡ Configuring an IPv6 anycast address
2. (Optional.) Configuring path MTU discovery
¡ Setting the interface MTU for IPv6 packets
¡ Setting the aging time for dynamic path MTUs
¡ Setting a static path MTU for an IPv6 address
3. (Optional.) Controlling sending ICMPv6 messages
¡ Configuring the rate limit for ICMPv6 error messages
¡ Enabling replying to multicast echo requests
¡ Enabling sending ICMPv6 destination unreachable messages
¡ Enabling sending ICMPv6 time exceeded messages
¡ Enabling sending ICMPv6 redirect messages
¡ Specifying the source address for ICMPv6 packets
4. (Optional.) Enabling router renumbering
5. (Optional.) Enabling Layer 3 packet statistics counting
6. (Optional.) Enabling IPv6 local fragment reassembly
7. (Optional.) Configuring IPv6 bandwidth-based load sharing
Configuring an IPv6 global unicast address
About IPv6 global unicast address
Use one of the following methods to configure an IPv6 global unicast address for an interface:
· EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface ID is generated automatically by the interface.
· Manual configuration—The IPv6 global unicast address is manually configured.
· Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.
· Prefix-specific address autoconfiguration—The IPv6 global unicast address is generated automatically based on the prefix specified by its ID. The prefix can be manually configured or obtained through DHCPv6.
You can configure multiple IPv6 global unicast addresses on an interface.
Manually configured global unicast addresses (including EUI-64 IPv6 addresses) take precedence over automatically generated ones. If you manually configure a global unicast address with the same address prefix as an existing global unicast address on an interface, the manually configured one takes effect. However, it does not overwrite the automatically generated address. If you delete the manually configured global unicast address, the device uses the automatically generated one.
Generating an EUI-64 IPv6 address
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure an EUI-64 IPv6 address on the interface.
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
By default, no EUI-64 IPv6 address is configured on an interface.
Manually assigning an IPv6 global unicast address
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Assign an IPv6 global unicast address to the interface.
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
By default, no IPv6 global unicast address is configured on an interface.
Stateless address autoconfiguration
About this task
Stateless address autoconfiguration enables an interface to automatically generate an IPv6 global unicast address by using the address prefix in the received RA message and the interface ID. On an IEEE 802 interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated based on the interface's MAC address and is globally unique. An attacker can exploit this rule to identify the sending device easily.
To fix the vulnerability, you can configure the temporary address feature. With this feature, an IEEE 802 interface generates the following addresses:
· Public IPv6 address—Includes the address prefix in the RA message and a fixed interface ID generated based on the MAC address of the interface.
· Temporary IPv6 address—Includes the address prefix in the RA message and a random interface ID generated through MD5.
You can also configure the interface to preferentially use the temporary IPv6 address as the source address of sent packets. When the valid lifetime of the temporary IPv6 address expires, the interface deletes the address and generates a new one. This feature enables the system to send packets with different source addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD conflict, the public IPv6 address is used.
The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:
· The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:
¡ The preferred lifetime of the address prefix in the RA message.
¡ The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number in the range of 0 to 600 seconds).
· The valid lifetime of a temporary IPv6 address takes the smaller of the following values:
¡ The valid lifetime of the address prefix.
¡ The valid lifetime configured for temporary IPv6 addresses.
Restrictions and guidelines
If the IPv6 prefix in the RA message is not 64 bits long, stateless address autoconfiguration fails to generate an IPv6 global unicast address.
To generate a temporary address, an interface must be enabled with stateless address autoconfiguration. Temporary IPv6 addresses do not overwrite public IPv6 addresses, so an interface can have multiple IPv6 addresses with the same address prefix but different interface IDs.
If an interface fails to generate a public IPv6 address because of a prefix conflict or other reasons, it does not generate any temporary IPv6 address.
Executing the undo ipv6 address auto command on an interface deletes all IPv6 global unicast addresses and link-local addresses that are automatically generated on the interface.
Enabling stateless address autoconfiguration
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable stateless address autoconfiguration on an interface, so that the interface can automatically generate a global unicast address.
ipv6 address auto
By default, the stateless address autoconfiguration feature is disabled on an interface.
Configuring the temporary address feature and preferentially using the temporary IPv6 address as the source address of outgoing packets
1. Enter system view.
system-view
2. Enable the temporary IPv6 address feature.
ipv6 temporary-address [ valid-lifetime preferred-lifetime ]
By default, the temporary IPv6 address feature is disabled.
3. Enable the system to preferentially use the temporary IPv6 address as the source address of the outgoing packets.
ipv6 prefer temporary-address
By default, the system does not preferentially use the temporary IPv6 address as the source address of the outgoing packets.
Configuring prefix-specific address autoconfiguration
1. Enter system view.
system-view
2. Configure an IPv6 prefix.
Choose one option as needed:
¡ Configure a static IPv6 prefix.
ipv6 prefix prefix-number ipv6-prefix/prefix-length
By default, no static IPv6 prefixes exist.
¡ Use DHCPv6 to obtain a dynamic IPv6 prefix.
For more information about IPv6 prefix acquisition, see "Configuring the DHCPv6 client."
3. Enter interface view.
interface interface-type interface-number
4. Specify an IPv6 prefix for an interface to automatically generate an IPv6 global unicast address and advertise the prefix.
ipv6 address prefix-number sub-prefix/prefix-length
By default, no IPv6 prefix is specified for the interface to automatically generate an IPv6 global unicast address.
Configuring an IPv6 link-local address
About IPv6 link-local address
Configure IPv6 link-local addresses using one of the following methods:
· Automatic generation—The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.
· Manual assignment—Manually configure an IPv6 link-local address for an interface.
Restrictions and guidelines
After you configure an IPv6 global unicast address for an interface, the interface automatically generates a link-local address. This link-local address is the same as the one generated by using the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface, this manual assigned link-local address takes effect. If the manually assigned link-local address is deleted, the automatically generated link-local address takes effect.
Using the undo ipv6 address auto link-local command on an interface deletes only the link-local address generated by the ipv6 address auto link-local command. If the interface has an IPv6 global unicast address, it still has a link-local address. If the interface has no IPv6 global unicast address, it has no link-local address.
An interface can have only one link-local address. As a best practice, use the automatic generation method to avoid link-local address conflicts. If both the automatic generation and manual assignment methods are used, the manual assignment takes precedence.
· If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.
· If you first use manual assignment and then automatic generation, both of the following occur:
¡ The link-local address is still the manually assigned one.
¡ The automatically generated link-local address does not take effect. If you delete the manually assigned address, the automatically generated link-local address takes effect.
Configuring automatic generation of an IPv6 link-local address for an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the interface to automatically generate an IPv6 link-local address.
ipv6 address auto link-local
By default, no link-local address is configured on an interface.
After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.
Manually assigning an IPv6 link-local address to an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Manually assign an IPv6 link-local address to the interface.
ipv6 address ipv6-address link-local
By default, no link-local address is configured on an interface.
Configuring an IPv6 anycast address
4. Enter system view.
system-view
5. Enter interface view.
interface interface-type interface-number
6. Configure an IPv6 anycast address.
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast
By default, no IPv6 anycast address is configured on an interface.
Configuring path MTU discovery
Setting the interface MTU for IPv6 packets
About this task
On receipt of an IPv6 packet, an intermediate device compares the packet size with the MTU of the forwarding interface. If the packet size is larger than the MTU of the forwarding interface, the device discards the packet. Meanwhile, the device sends the MTU to the source host through an ICMPv6 packet — Packet Too Big message.
Restrictions and guidelines
To avoid extra traffic overhead due to packet dropping, set a proper interface MTU.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the interface MTU for IPv6 packets.
ipv6 mtu size
By default, the interface MTU is 1280 bytes.
Setting the aging time for dynamic path MTUs
About this task
After the device dynamically discovers the path MTU for packets sent to a destination host (see "IPv6 path MTU discovery"), it performs the following operations:
· Sends packets to the destination host based on this path MTU.
· Starts the aging timer for this path MTU.
When the aging timer expires, the device removes the dynamic path MTU and determines a dynamic path MTU through the path MTU discovery mechanism again.
Restrictions and guidelines
The aging time takes effect on only dynamic path MTU values learned after the aging time configuration.
Procedure
1. Enter system view.
system-view
2. Set the aging time for dynamic path MTUs.
ipv6 pathmtu age age-time
The default setting is 10 minutes.
Setting a static path MTU for an IPv6 address
About this task
On an IPv6 network, packets are fragmented by the source device rather than the intermediate devices. In most cases, the source device performs packet fragment based on the dynamic path MTU obtained by PMTU discovery mechanism (see "IPv6 path MTU discovery"). To protect network devices from being attacked by oversize packets, you can configure a static path MTU for a destination IPv6 address. The static path MTU can control the size of the packets sent from the source device.
When a source device sends a packet to the destination, it identities whether the destination IPv6 address has a static path MTU. If the destination IPv6 address has a static path MTU, the source device compares the sending interface MTU and the static path MTU with the packet size.
· If the packet size is smaller than or equal to the smaller one of the two MTU values, the device sends the packet directly.
· If the packet size is larger than the smaller one of the two values, the device fragments the packet according to the smaller value.
During the sending process, if the source device receives a Packet Too Big message from an intermediate device, the packet sending fails.
Restrictions and guidelines
The priority of the static path MTU is higher than the dynamic path MTU, and the static path MTU never ages out.
Procedure
1. Enter system view.
system-view
2. Set a static path MTU for an IPv6 address.
ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address value
By default, no path MTU is set for any IPv6 address.
Controlling sending ICMPv6 messages
Configuring the rate limit for ICMPv6 error messages
About this task
To avoid sending excessive ICMPv6 error messages within a short period that might cause network congestion, you can limit the rate at which ICMPv6 error messages are sent. A token bucket algorithm is used with one token representing one ICMPv6 error message.
A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.
A token is removed from the bucket when an ICMPv6 error message is sent. When the bucket is empty, ICMPv6 error messages are not sent until a new token is placed in the bucket.
Procedure
1. Enter system view.
system-view
2. Set the bucket size and the interval for tokens to arrive in the bucket for ICMPv6 error messages.
ipv6 icmpv6 error-interval interval [ bucketsize ]
By default, the bucket allows a maximum of 10 tokens. A token is placed in the bucket at an interval of 100 milliseconds.
To disable the ICMPv6 rate limit, set the interval to 0 milliseconds.
Enabling replying to multicast echo requests
1. Enter system view.
system-view
2. Enable replying to multicast echo requests.
ipv6 icmpv6 multicast-echo-reply enable
By default, this feature is disabled.
Enabling sending ICMPv6 destination unreachable messages
About this task
The device sends the source the following ICMPv6 destination unreachable messages:
· ICMPv6 No Route to Destination message—A packet to be forwarded does not match any route.
· ICMPv6 Communication with Destination Administratively Prohibited message—An administrative prohibition is preventing successful communication with the destination. This is typically caused by a firewall or an ACL on the device.
· ICMPv6 Beyond Scope of Source Address message—The destination is beyond the scope of the source IPv6 address. For example, a packet's source IPv6 address is a link-local address, and its destination IPv6 address is a global unicast address.
· ICMPv6 Address Unreachable message—The device fails to resolve the link layer address for the destination IPv6 address of a packet.
· ICMPv6 Port Unreachable message—No port process on the destination device exists for a received UDP packet.
Restrictions and guidelines
An ICMPv6 destination unreachable message indicates that the destination is not reachable from the source device. Attackers can launch malicious attacks to make the device generate incorrect ICMPv6 destination unreachable messages, which will affect the function of the network. To protect the network from malicious attacks and decrease unnecessary network traffic, you can disable the sending of ICMPv6 destination unreachable messages.
Procedure
1. Enter system view.
system-view
2. Enable sending ICMPv6 destination unreachable messages.
ipv6 unreachables enable
By default, this feature is disabled.
Enabling sending ICMPv6 time exceeded messages
About this task
The device sends the source ICMPv6 time exceeded messages as follows:
· If a received packet is not destined for the device and its hop limit is 1, the device sends an ICMPv6 hop limit exceeded in transit message to the source.
· Upon receiving the first fragment of an IPv6 datagram destined for the device, the device starts a timer. If the timer expires before all fragments arrive, the device sends an ICMPv6 fragment reassembly time exceeded message to the source.
Restrictions and guidelines
If the device receives large numbers of malicious packets, its performance degrades greatly because it must send back ICMP time exceeded messages. To prevent such attacks, disable sending ICMPv6 time exceeded messages.
Procedure
1. Enter system view.
system-view
2. Enable sending ICMPv6 time exceeded messages.
ipv6 hoplimit-expires enable
The default setting is disabled.
Enabling sending ICMPv6 redirect messages
About this task
Upon receiving a packet from a host, the device sends an ICMPv6 redirect message to inform the host of a better next hop when the following conditions are met:
· The interface receiving the packet is the interface forwarding the packet.
· The selected route is not created or modified by any ICMPv6 redirect messages.
· The selected route is not a default route.
The ICMPv6 redirect feature simplifies host management by enabling hosts that hold few routes to optimize their routing table gradually. However, to avoid adding too many routes on hosts, this feature is disabled by default.
Procedure
1. Enter system view.
system-view
2. Enable sending ICMPv6 redirect messages.
ipv6 redirects enable
By default, sending ICMPv6 redirect messages is disabled.
Specifying the source address for ICMPv6 packets
About this task
Perform this task to specify the source IPv6 address for outgoing ping echo requests and ICMPv6 error messages. It is a good practice to specify the IPv6 address of the loopback interface as the source IPv6 address. This feature helps users to easily locate the sending device.
Restrictions and guidelines
If you specify an IPv6 address in the ping command, ping echo requests use the specified address as the source IPv6 address. If you do not specify an IPv6 address in the ping command, ping echo requests use the IPv6 address specified by the ipv6 icmpv6 source command.
Procedure
1. Enter system view.
system-view
2. Specify an IPv6 address as the source address for outgoing ICMPv6 packets.
ipv6 icmpv6 source [ vpn-instance vpn-instance-name ] ipv6-address
By default, the device uses the IPv6 address of the sending interface as the source IPv6 address for outgoing ICMPv6 packets.
Enabling router renumbering
About this task
Router renumbering allows reconfiguration of address prefixes on IPv6 routers.
As shown in Figure 4, Router A sends RR messages to the downstream devices (Router B, Router C, and Router D) to change their prefix to be advertised in RAs.
Restrictions and guidelines
You must enable router renumbering on the downstream router interfaces before they receive and process RR packets.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable router renumbering.
ipv6 router-renumber enable
By default, router renumbering is disabled.
Enabling Layer 3 packet statistics counting
About this task
The Layer 3 packet statistics counting feature counts statistics about incoming and outgoing IPv6 packets on an interface. To display the collected statistics, execute the display ipv6 statistics command.
Restrictions and guidelines
When the interface is processing a large number of packets, the Layer 3 packet statistics counting will cause high CPU usage and degrade the forwarding performance. If the statistics are not necessary, disable this feature to ensure the device performance.
If you perform the following tasks together on the same interface, the tasks configured later might not take effect because they use the same hardware resource:
· Apply a QoS policy that matches IPv6 addresses to outgoing traffic by using the qos apply policy command. For more information about this command, see QoS commands in ACL and QoS Command Reference.
· Enable IPv6 NetStream for outgoing traffic by using the ipv6 netstream outbound command. For more information about this command, see IPv6 NetStream commands in Network Management and Monitoring Command Reference.
· Enable packet counting for outgoing Layer 3 packets by using the statistics l3-packet enable outbound command.
Make sure you have understood the potential impact before performing the tasks above together.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable Layer 3 packet statistics counting.
statistics l3-packet enable { inbound | outbound }
By default, Layer 3 packet statistics counting is disabled.
Enabling IPv6 local fragment reassembly
About this task
Use this feature on a device to improve fragment reassembly efficiency. This feature enables the LPU to reassemble the IPv6 fragments of a packet if all the fragments arrive at it. If this feature is disabled, all IPv6 fragments are delivered to the active MPU for reassembly.
Restrictions and guidelines
The IPv6 local fragment reassembly feature applies only to fragments destined for the same LPU.
Procedure
1. Enter system view.
system-view
2. Enable IPv6 local fragment reassembly.
ipv6 reassemble local enable
By default, IPv6 local fragment reassembly is disabled.
Configuring IPv6 bandwidth-based load sharing
About this task
This feature shares IPv6 traffic among multiple output interfaces based on their expected load percentages. The device calculates the load percentage for each output interface in terms of the interface expected bandwidth.
For devices that run load sharing protocols such as Locator/ID Separation Protocol (LISP), they implement load sharing based on the ratios defined by these protocols.
Procedure
1. Enter system view.
system-view
2. Enable IPv6 bandwidth-based load sharing.
ipv6 bandwidth-based-sharing
By default, IPv6 bandwidth-based load sharing is disabled.
3. Enter interface view.
interface interface-type interface-number
4. Set the expected bandwidth of an interface.
bandwidth bandwidth
By default, the expected bandwidth of an interface equals the absolute bandwidth of the link.
For more information about the bandwidth command, see common interface commands in Interface Command Reference.
Verifying and maintaining basic IPv6 settings
Verifying basic IPv6 configuration
Perform display tasks in any view.
· Display IPv6 information about the interface.
display ipv6 interface [ interface-type [ interface-number ] ] [ brief ]
· Display IPv6 prefix information about the interface.
display ipv6 interface interface-type interface-number prefix
· Display the IPv6 prefix information.
display ipv6 prefix [ prefix-number ]
Displaying information about IPv6 protocol connections
Displaying information about IPv6 RawIP connections
Perform display tasks in any view.
· Display brief information about IPv6 RawIP connections.
display ipv6 rawip [ slot slot-number ]
· Display detailed information about IPv6 RawIP connections.
display ipv6 rawip verbose [ slot slot-number [ pcb pcb-index ] ]
Displaying information about IPv6 TCP connections
Perform display tasks in any view.
· Display brief information about IPv6 TCP connections.
display ipv6 tcp [ slot slot-number ]
· Display detailed information about IPv6 TCP connections.
display ipv6 tcp verbose [ slot slot-number [ pcb pcb-index ] ]
Displaying information about IPv6 UDP connections
Perform display tasks in any view.
· Display brief information about IPv6 UDP connections.
display ipv6 udp [ slot slot-number ]
· Display detailed information about IPv6 UDP connections.
display ipv6 udp verbose [ slot slot-number [ pcb pcb-index ] ]
Displaying and clearing IPv6 protocol packet statistics
Displaying IPv6 protocol packet statistics
Perform display tasks in any view.
· Display IPv6 and ICMPv6 packet statistics.
display ipv6 statistics [ slot slot-number ]
· Display ICMPv6 traffic statistics.
display ipv6 icmp statistics [ slot slot-number ]
· Display IPv6 UDP traffic statistics.
display udp statistics [ slot slot-number ]
For information about this command, see the IP performance optimization commands in Layer 3—IP Services Command Reference.
Clearing IPv6 protocol packet statistics
Perform clear tasks in user view.
· Clear IPv6 and ICMPv6 packet statistics.
reset ipv6 statistics [ slot slot-number ]
· Clear IPv6 UDP traffic statistics.
reset udp statistics
For information about this command, see the IP performance optimization commands in Layer 3—IP Services Command Reference.
Displaying and clearing IPv6 path MTU information
Displaying IPv6 Path MTU information
To display IPv6 path MTU information, execute the following command in any view:
display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | { all | dynamic | static } [ count ] }
Clearing IPv6 path MTU information
To clear IPv6 path MTU information, execute the following command in user view:
reset ipv6 pathmtu { all | dynamic | static }
Displaying and clearing routing renumbering statistics
Displaying routing renumbering statistics
To display routing renumbering statistics, execute the following command in any view:
display ipv6 router-renumber statistics
Clearing routing renumbering statistics
To clear routing renumbering statistics, execute the following command in user view:
reset ipv6 router-renumber statistics
Displaying IPv6 FIB entries
To display IPv6 FIB entries, execute the following command in any view:
display ipv6 fib [ vpn-instance vpn-instance-name ] [ ipv6-address [ prefix-length ] ]
Basic IPv6 settings configuration examples
Example: Configuring basic IPv6 settings
Network configuration
As shown in Figure 5, configure IPv6 addresses for the routers and verify that they can reach each other. Configure a route to the host on Router B. Enable IPv6 for the host to automatically obtain an IPv6 address through IPv6 ND. The host has a route to Router B.
Procedure
1. Configure Router A:
# Configure a global unicast address for interface HundredGigE 1/0/1.
<RouterA> system-view
[RouterA] interface hundredgige 1/0/1
[RouterA-HundredGigE1/0/1] ipv6 address 3001::1/64
[RouterA-HundredGigE1/0/1] quit
# Configure a global unicast address for interface HundredGigE 1/0/2 and enable it to advertise RA messages (an interface does not advertises RA messages by default).
[RouterA] interface hundredgige 1/0/2
[RouterA-HundredGigE1/0/2] ipv6 address 2001::1/64
[RouterA-HundredGigE1/0/2] undo ipv6 nd ra halt
[RouterA-HundredGigE1/0/2] quit
2. Configure Router B:
# Configure a global unicast address for interface HundredGigE 1/0/1.
<RouterB> system-view
[RouterB] interface hundredgige 1/0/1
[RouterB-HundredGigE1/0/1] ipv6 address 3001::2/64
[RouterB-HundredGigE1/0/1] quit
# Configure an IPv6 static route to the host.
[RouterB] ipv6 route-static 2001:: 64 3001::1
3. Configure the host:
Enable IPv6 on the host to automatically obtain an IPv6 address through IPv6 ND.
# Display neighbor information for HundredGigE 1/0/2 on Router A.
[RouterA] display ipv6 neighbors interface hundredgige 1/0/2
Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid
IPv6 address MAC address VLAN/VSI Interface State T Aging
FE80::215:E9FF:FEA6:7D14 0015-e9a6-7d14 N/A HGE1/0/2 STALE D 1238
2001::15B:E0EA:3524:E791 0015-e9a6-7d14 N/A HGE1/0/2 STALE D 1248
The output shows that the IPv6 global unicast address that the host obtained is 2001::15B:E0EA:3524:E791.
Verifying the configuration
# Display IPv6 interface information on Router A.
[RouterA] display ipv6 interface hundredgige 1/0/1
HundredGigE1/0/1 current state: UP
Line protocol current state: UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF00:2
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 25829
InTooShorts: 0
InTruncatedPkts: 0
InHopLimitExceeds: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 47
OutRequests: 89
OutForwDatagrams: 48
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 6
InMcastNotMembers: 25747
OutMcastPkts: 48
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
[RouterA] display ipv6 interface hundredgige 1/0/2
HundredGigE1/0/2 current state: UP
Line protocol current state: UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF00:1C0
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 600 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 272
InTooShorts: 0
InTruncatedPkts: 0
InHopLimitExceeds: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 159
OutRequests: 1012
OutForwDatagrams: 35
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 79
InMcastNotMembers: 65
OutMcastPkts: 938
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Display IPv6 interface information on Router B.
[RouterB] display ipv6 interface hundredgige 1/0/1
HundredGigE1/0/1 current state: UP
Line protocol current state: UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234
Global unicast address(es):
3001::2, subnet is 3001::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:2
FF02::1:FF00:1234
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 117
InTooShorts: 0
InTruncatedPkts: 0
InHopLimitExceeds: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 117
OutRequests: 83
OutForwDatagrams: 0
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 28
InMcastNotMembers: 0
OutMcastPkts: 7
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Ping Router A and Router B from the host, and ping Router A and the host from Router B to verify that they can reach each other. To ping a link-local address, use the –i parameter to specify an interface for the link-local address.
[RouterB] ping ipv6 -c 1 3001::1
Ping6(56 data bytes) 3001::2 --> 3001::1, press CTRL_C to break
56 bytes from 3001::1, icmp_seq=0 hlim=64 time=4.404 ms
--- Ping6 statistics for 3001::1 ---
1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.404/4.404/4.404/0.000 ms
[RouterB] ping ipv6 -c 1 2001::15B:E0EA:3524:E791
Ping6(56 data bytes) 3001::2 --> 2001::15B:E0EA:3524:E791, press CTRL_C to break
56 bytes from 2001::15B:E0EA:3524:E791, icmp_seq=0 hlim=64 time=5.404 ms
--- Ping6 statistics for 2001::15B:E0EA:3524:E791 ---
1 packet(s) transmitted, 1 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.404/5.404/5.404/0.000 ms
The output shows that Router B can ping Router A and the host. The host can also ping Router B and Router A (output not shown).
