HP MSR Router Series

Layer 3 - IP Services
Configuration Guide (V5)
Part number: 5998-8205
Software version: CMW520-R2513
Document version: 6PW106-20150808
Legal and notice information
© Copyright 2015 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
Configuring ARP ..... 1
    Overview ..... 1
        ARP message format ..... 1
        ARP operation ..... 1
        ARP table ..... 2
    Configuring a static ARP entry ..... 3
    Configuring the maximum number of dynamic ARP entries for an interface ..... 4
    Setting the aging timer for dynamic ARP entries ..... 4
    Enabling dynamic ARP entry check ..... 4
    Enabling natural mask support for ARP requests ..... 5
    Displaying and maintaining ARP ..... 5
    ARP entry configuration example ..... 6
        Network requirements ..... 6
        Configuration procedure ..... 6
Configuring gratuitous ARP ..... 8
    Overview ..... 8
        Enabling learning of gratuitous ARP packets ..... 8
        Configuring periodic sending of gratuitous ARP packets ..... 8
    Configuration guidelines ..... 9
    Configuration procedure ..... 9
Configuring proxy ARP ..... 10
    Overview ..... 10
        Common proxy ARP ..... 10
        Local proxy ARP ..... 10
    Enabling common proxy ARP ..... 11
    Enabling local proxy ARP ..... 11
    Displaying and maintaining proxy ARP ..... 12
    Proxy ARP configuration examples ..... 12
        Common proxy ARP configuration example ..... 12
        Local proxy ARP configuration example in case of port isolation ..... 13
Configuring ARP snooping ..... 15
    Overview ..... 15
    Configuration procedure ..... 15
    Displaying and maintaining ARP snooping ..... 15
DHCP overview ..... 16
    DHCP overview ..... 16
        Allocation mechanisms ..... 16
        Dynamic IP address allocation process ..... 17
        IP address lease extension ..... 17
    DHCP message format ..... 18
    DHCP options ..... 19
        Common DHCP options ..... 19
        Custom options ..... 19
    Protocols and standards ..... 23
Configuring the DHCP server ..... 25
    Overview ..... 25
        DHCP address pool ..... 25
        IP address allocation sequence ..... 26
    DHCP server configuration task list ..... 26
    Configuring an address pool on the DHCP server ..... 27
        Configuration task list ..... 27
        Creating a DHCP address pool ..... 27
        Configuring address allocation mode for a common address pool ..... 28
        Configuring dynamic address allocation for an extended address pool ..... 30
        Specifying a domain name suffix for the client ..... 30
        Specifying DNS servers for the client ..... 31
        Specifying WINS servers and NetBIOS node type for the client ..... 31
        Specifying BIMS server information for the client ..... 32
        Specifying gateways for the client ..... 32
        Configuring Option 184 parameters for the client with voice service ..... 32
        Configuring the TFTP server and bootfile name for the client ..... 33
        Specifying a server's IP address for the DHCP client ..... 34
        Configuring self-defined DHCP options ..... 34
    Enabling DHCP ..... 35
    Enabling the DHCP server on an interface ..... 35
        Configuration guidelines ..... 35
        Configuration procedure ..... 36
    Applying an extended address pool on an interface ..... 36
    Configuring the DHCP server security functions ..... 36
        Configuration prerequisites ..... 36
        Enabling unauthorized DHCP server detection ..... 36
        Configuring IP address conflict detection ..... 37
        Configuring the DHCP server to work with authorized ARP ..... 37
    Enabling client offline detection ..... 38
    Enabling handling of Option 82 ..... 39
        Configuration prerequisites ..... 39
        Enabling Option 82 handling ..... 39
    Specifying the threshold for sending trap messages ..... 39
        Configuration prerequisites ..... 39
        Configuration procedure ..... 39
    Displaying and maintaining the DHCP server ..... 40
    DHCP server configuration examples ..... 40
        Static IP address assignment configuration example ..... 41
        Dynamic IP address assignment configuration example ..... 42
        Self-defined option configuration example ..... 43
    Troubleshooting DHCP server configuration ..... 44
        Symptom ..... 44
        Analysis ..... 44
        Solution ..... 45
Configuring the DHCP relay agent ..... 46
    Overview ..... 46
        Fundamentals ..... 46
        DHCP relay agent support for Option 82 ..... 47
    DHCP relay agent configuration task list ..... 48
    Enabling DHCP ..... 48
    Enabling the DHCP relay agent on an interface ..... 48
    Correlating a DHCP server group with a relay agent interface ..... 49
    Configuring the DHCP relay agent security functions ..... 50
        Configuring address check ..... 50
        Configuring periodic refresh of dynamic client entries ..... 51
        Configuring the DHCP relay agent to work with authorized ARP ..... 51
        Enabling unauthorized DHCP server detection ..... 52
        Enabling DHCP starvation attack protection ..... 52
    Enabling client offline detection ..... 53
    Configuring the DHCP relay agent to release an IP address ..... 53
    Configuring the DHCP relay agent to handle Option 82 ..... 54
    Displaying and maintaining the DHCP relay agent ..... 55
    DHCP relay agent configuration examples ..... 56
        DHCP relay agent configuration example ..... 56
        DHCP relay agent Option 82 support configuration example ..... 57
    Troubleshooting DHCP relay agent configuration ..... 57
        Symptom ..... 57
        Analysis ..... 58
        Solution ..... 58
Configuring DHCP client ..... 59
    Introduction to DHCP client ..... 59
    Enabling the DHCP client on an interface ..... 59
    Displaying and maintaining the DHCP client ..... 59
    DHCP client configuration example ..... 60
        Network requirements ..... 60
        Configuration procedure ..... 60
        Verifying the configuration ..... 61
Configuring DHCP snooping ..... 62
    Overview ..... 62
        Application of trusted and untrusted ports ..... 63
        DHCP snooping support for Option 82 ..... 64
    DHCP snooping configuration task list ..... 65
    Configuring DHCP snooping basic functions ..... 65
    Configuring DHCP snooping to support Option 82 ..... 66
    Configuring DHCP snooping entries backup ..... 67
    Enabling DHCP starvation attack protection ..... 68
    Enabling DHCP-REQUEST message attack protection ..... 69
    Displaying and maintaining DHCP snooping ..... 69
    DHCP snooping configuration example ..... 70
        Network requirements ..... 70
        Configuration procedure ..... 70
    DHCP snooping Option 82 support configuration example ..... 71
        Network requirements ..... 71
        Configuration procedure ..... 71
Configuring BOOTP client ..... 72
    BOOTP application ..... 72
    Obtaining an IP address dynamically ..... 72
    Protocols and standards ..... 72
    Configuring an interface to dynamically obtain an IP address through BOOTP ..... 73
    Displaying and maintaining BOOTP client configuration ..... 73
    BOOTP client configuration example ..... 73
        Network requirements ..... 73
        Configuration procedure ..... 73
Configuring IPv4 DNS ..... 75
    Overview ..... 75
        Static domain name resolution ..... 75
        Dynamic domain name resolution ..... 75
        DNS proxy ..... 76
        DNS spoofing ..... 77
    Configuring the IPv4 DNS client ..... 78
        Configuring static domain name resolution ..... 78
        Configuring dynamic domain name resolution ..... 79
    Configuring the DNS proxy ..... 80
    Configuring DNS spoofing ..... 80
    Specifying the source interface for DNS packets ..... 80
    Displaying and maintaining IPv4 DNS ..... 81
    IPv4 DNS configuration examples ..... 81
        Static domain name resolution configuration example ..... 81
        Dynamic domain name resolution configuration example ..... 82
        DNS proxy configuration example ..... 85
    Troubleshooting IPv4 DNS configuration ..... 86
Configuring DDNS ..... 87
    Overview ..... 87
        DDNS networking application ..... 87
    DDNS client configuration task list ..... 88
    Configuring a DDNS policy ..... 88
        Configuration prerequisites ..... 89
        Configuration procedure ..... 89
    Applying the DDNS policy to an interface ..... 89
        Configuration prerequisites ..... 89
        Configuration procedure ..... 90
    Displaying and maintaining DDNS ..... 90
    DDNS configuration example 1 ..... 90
        Network requirements ..... 90
        Configuration procedure ..... 91
    DDNS configuration example 2 ..... 92
        Network requirements ..... 92
        Configuration procedure ..... 92
Configuring IP addressing ..... 94
    Overview ..... 94
        IP address classes ..... 94
        Special IP addresses ..... 95
        Subnetting and masking ..... 95
    Assigning an IP address to an interface ..... 96
        Configuration guidelines ..... 96
        Configuration procedure ..... 96
        Configuration example ..... 96
    Configuring IP unnumbered ..... 98
        Configuration guidelines ..... 98
        Configuration prerequisites ..... 98
        Configuration procedure ..... 98
        Configuration example ..... 99
    Displaying and maintaining IP addressing ..... 100
Configuring fast forwarding ..... 101
    Overview ..... 101
    Configuration guidelines ..... 101
    Configuration procedure ..... 101
    Displaying and maintaining fast forwarding ..... 102
    Fast forwarding configuration example ..... 102
        Network requirements ..... 102
        Configuration procedure ..... 102
        Verifying the configuration ..... 103
Optimizing IP performance ..... 105
    Enabling forwarding of directed broadcasts to a directly connected network ..... 105
        Enabling forwarding of directed broadcasts to a directly connected network ..... 105
        Forwarding directed broadcasts configuration example ..... 105
    Configuring TCP attributes ..... 106
        Configuring TCP MSS for the interface ..... 106
        Configuring TCP path MTU discovery ..... 107
        Configuring the TCP send/receive buffer size ..... 108
        Configuring TCP timers ..... 108
    Configuring ICMP to send error packets ..... 109
        Advantages of sending ICMP error packets ..... 109
        Disadvantages of sending ICMP
error packets ································································································ 110 Configuration procedure ···································································································································· 110 Enabling support for ICMP extensions ······················································································································· 110 ICMP extensions for MPLS ·································································································································· 110 Handling ICMP messages ·································································································································· 111 Configuration procedure ···································································································································· 111 Configuring IP virtual fragment reassembly ·············································································································· 112 Configuration guidelines ···································································································································· 112 Configuration procedure ···································································································································· 112 Configuration example ······································································································································· 112 Displaying and maintaining IP performance optimization ············································································· 113 Configuring NAT ····················································································································································· 114 
Overview······································································································································································· 114 NAT control ·························································································································································· 115 NAT operation ····················································································································································· 115 NAT configuration task list ·········································································································································· 118 Configuring address translation ································································································································· 119 Configuring static NAT ······································································································································· 119 Configuring dynamic NAT ································································································································· 120 Configuring an internal server ···································································································································· 122 Configuring a common internal server ············································································································· 122 Configuring DNS mapping ········································································································································· 123 Configuring NAT aging time ······································································································································ 123 Configuring NAT ALG ················································································································································· 124 
Configuring NAT logging ··········································································································································· 124 Enabling NAT logging ········································································································································ 124 Exporting NAT logs ············································································································································· 125 Setting NAT connection limits ····································································································································· 126 Enabling aging out NAT entries upon master link failure························································································ 126 Displaying and maintaining NAT······························································································································· 127 NAT configuration examples ······································································································································ 128 One-to-one static NAT configuration example ································································································· 128 Dynamic NAT configuration example 1 ··········································································································· 128 Dynamic NAT configuration example 2 ··········································································································· 129 Common internal server configuration example ······························································································ 130 NAT DNS mapping configuration example ····································································································· 131 Exporting NAT logs to the information center 
·································································································· 133 Exporting NAT logs to log server ······················································································································ 134 Troubleshooting NAT ··················································································································································· 135 Symptom 1 ··························································································································································· 135 v
Solution ································································································································································· 135 Symptom 2 ··························································································································································· 136 Solution ································································································································································· 136 Configuring NAT-PT ················································································································································ 137 Overview······································································································································································· 137 Basic concepts ····················································································································································· 137 Implementing NAT-PT ·········································································································································· 138 NAT-PT limitations ··············································································································································· 139 Protocols and standards ····································································································································· 139 NAT-PT configuration task list ····································································································································· 140 Configuration prerequisites ········································································································································· 140 Enabling NAT-PT 
·························································································································································· 141 Configuring a NAT-PT prefix ······································································································································ 141 Configuring IPv4/IPv6 address mappings on the IPv6 side ···················································································· 141 Configuring a static mapping on the IPv6 side ································································································ 141 Configuring a dynamic mapping policy on the IPv6 side ·············································································· 142 Configuring IPv4/IPv6 address mappings on the IPv4 side ···················································································· 143 Configuring a static mapping on the IPv4 side ································································································ 143 Configuring a dynamic mapping policy on the IPv4 side ·············································································· 144 Setting the ToS field after NAT-PT translation ··········································································································· 144 Setting the traffic class field after NAT-PT translation ······························································································· 144 Configuring static NAPT-PT mappings of IPv6 servers ····························································································· 145 Configuring a NAT-PT session aging time for a protocol ························································································ 145 Configuring the maximum number of sessions ········································································································· 146 Displaying and maintaining NAT-PT 
·························································································································· 146 NAT-PT configuration examples ································································································································· 147 Configuring dynamic mapping on the IPv6 side ····························································································· 147 Configuring static mappings on the IPv4 side and the IPv6 side ··································································· 148 Troubleshooting NAT-PT ·············································································································································· 149 Symptom ······························································································································································· 149 Solution ································································································································································· 150 Configuring DVPN ·················································································································································· 151 Overview······································································································································································· 151 Basic concepts ····················································································································································· 151 How DVPN operates ··········································································································································· 151 Network structures ··············································································································································· 152 DVPN implementation 
········································································································································· 153 Supported DVPN features··································································································································· 155 DVPN configuration task list ······································································································································· 156 Configuring AAA ························································································································································· 156 Configuring the VAM server ······································································································································· 156 Creating a VPN domain ····································································································································· 157 Enabling VAM server ·········································································································································· 157 Configuring the listening IP address and UDP port number ··········································································· 157 Configuring the security parameters of VAM protocol packets ····································································· 158 Specifying the client authentication mode ········································································································ 158 Specifying a hub ················································································································································· 159 Configuring the pre-shared key of the VAM server ························································································· 159 Configuring keepalive parameters 
···················································································································· 159 Configuring a VAM client ··········································································································································· 160 Creating a VAM client ········································································································································ 160 Setting the VAM protocol packet retransmission interval ················································································ 160 Specifying the primary VAM server ·················································································································· 161 vi
Specifying the secondary VAM server ·············································································································· 161 Configuring the username and password ········································································································ 161 Specifying the VPN domain of the VAM client ································································································ 161 Specifying the pre-shared key of the VAM client ····························································································· 162 Enabling VAM client ··········································································································································· 162 Configuring an IPsec profile ······································································································································· 162 Configuration guidelines ···································································································································· 162 Configuration prerequisites ································································································································ 163 Configuration procedure ···································································································································· 163 Configuring DVPN tunnel parameters ······················································································································· 163 Configuration guidelines ···································································································································· 163 Configuration prerequisites ································································································································ 164 Configuration procedure 
···································································································································· 164 Configuring routing ······················································································································································ 166 Displaying and maintaining DVPN ···························································································································· 167 Full mesh DVPN configuration example ···················································································································· 167 Network requirements ········································································································································· 167 Configuration procedure ···································································································································· 168 Verifying the configuration ································································································································· 177 Hub-spoke DVPN configuration example ·················································································································· 182 Network requirements ········································································································································· 182 Configuration procedure ···································································································································· 182 Verifying the configuration ································································································································· 189 Configuring tunneling ············································································································································· 193 
Overview······································································································································································· 193 IPv6 over IPv4 tunneling ····································································································································· 193 IPv4 over IPv4 tunneling ····································································································································· 196 IPv4 over IPv6 tunneling ····································································································································· 197 IPv6 over IPv6 tunneling ····································································································································· 199 Protocols and standards ····································································································································· 200 Tunneling configuration task list ································································································································· 200 Configuring a tunnel interface ···································································································································· 201 Configuration prerequisites ································································································································ 201 Configuration guidelines ···································································································································· 201 Configuration procedure ···································································································································· 201 Configuring an IPv6 manual tunnel ···························································································································· 202 Configuration 
prerequisites ································································································································ 202 Configuration guidelines ···································································································································· 202 Configuration procedure ···································································································································· 202 Configuration example ······································································································································· 203 Configuring an automatic IPv4-compatible IPv6 tunnel ··························································································· 206 Configuration prerequisites ································································································································ 206 Configuration guidelines ···································································································································· 206 Configuration procedure ···································································································································· 206 Configuration example ······································································································································· 207 Configuring a 6to4 tunnel ··········································································································································· 209 Configuration prerequisites ································································································································ 209 Configuration guidelines ···································································································································· 209 Configuration procedure 
···································································································································· 210 6to4 tunnel configuration example ··················································································································· 210 6to4 relay configuration example ····················································································································· 212 Configuring an ISATAP tunnel ···································································································································· 214 Configuration prerequisites ································································································································ 214 Configuration guidelines ···································································································································· 214 vii
Configuration procedure ···································································································································· 215 Configuration example ······································································································································· 215 Configuring an IPv4 over IPv4 tunnel ························································································································ 218 Configuration prerequisites ································································································································ 218 Configuration guidelines ···································································································································· 218 Configuration procedure ···································································································································· 218 Configuration example ······································································································································· 219 Configuring an IPv4 over IPv6 manual tunnel··········································································································· 221 Configuration prerequisites ································································································································ 221 Configuration guidelines ···································································································································· 221 Configuration procedure ···································································································································· 222 Configuration example ······································································································································· 222 Configuring a DS-Lite tunnel 
  225
    Configuration prerequisites  225
    Configuring the CPE of a tunnel  225
    Configuring the AFTR of a tunnel  226
    Configuration example  227
  Configuring an IPv6 over IPv6 tunnel  230
    Configuration prerequisites  230
    Configuration guidelines  230
    Configuration procedure  231
    Configuration example  231
  Displaying and maintaining tunneling configuration  234
  Troubleshooting tunneling configuration  235
    Symptom  235
    Solution  235
Configuring UDP helper  236
  Overview  236
    Broadcast UDP helper  236
    Multicast UDP helper  236
  Configuring broadcast UDP helper  236
  Configuring multicast UDP helper  237
  Displaying and maintaining UDP helper  237
  UDP helper configuration examples  238
    Broadcast UDP helper configuration example  238
    Multicast UDP helper configuration example  238
Configuring GRE  240
  Overview  240
    GRE encapsulation format  240
    GRE encapsulation and de-encapsulation  241
    GRE security features  241
    GRE application scenarios  242
    Protocols and standards  243
  Configuring a GRE over IPv4 tunnel  243
    Configuration guidelines  243
    Configuration prerequisites  244
    Configuration procedure  244
  Configuring a GRE over IPv6 tunnel  245
    Configuration prerequisites  246
    Configuration procedure  246
  Displaying and maintaining GRE  247
  GRE over IPv4 tunnel configuration example  247
  GRE over IPv6 tunnel configuration example  250
  Troubleshooting GRE  253
Configuring IPv6 basics  254
  Overview  254
    IPv6 features  254
    IPv6 addresses  255
    IPv6 neighbor discovery protocol  258
    IPv6 path MTU discovery  260
    IPv6 transition technologies  261
    Protocols and standards  262
  IPv6 basics configuration task list  262
  Configuring basic IPv6 functions  263
    Enabling IPv6  263
    Configuring an IPv6 global unicast address  264
    Configuring an IPv6 link-local address  265
    Configure an IPv6 anycast address  266
  Configuring IPv6 ND  266
    Configuring a static neighbor entry  266
    Configuring the maximum number of neighbors dynamically learned  267
    Setting the age timer for ND entries in stale state  267
    Configuring parameters related to RA messages  268
    Configuring the maximum number of attempts to send an NS message for DAD  270
    Enabling local ND proxy  270
  Configuring path MTU discovery  272
    Configuring the interface MTU  272
    Configuring a static path MTU for a specified IPv6 address  272
    Configuring the aging time for dynamic path MTUs  272
  Configuring IPv6 TCP properties  273
  Configuring IPv6 FIB load sharing  273
  Configuring ICMPv6 packet sending  274
    Configuring the maximum ICMPv6 error packets sent in an interval  274
    Enabling replying to multicast echo requests  274
    Enabling sending ICMPv6 time exceeded messages  275
    Enabling sending ICMPv6 destination unreachable messages  275
    Enabling sending ICMPv6 redirect messages  276
  Displaying and maintaining IPv6 basics configuration  276
  IPv6 basics configuration example  277
    Network requirements  277
    Configuration procedure  278
    Verifying the configuration  279
  Troubleshooting IPv6 basics configuration  282
    Symptom  282
    Solution  282
DHCPv6 overview  284
  Basic concepts  284
  DHCPv6 address/prefix assignment  285
    Rapid assignment involving two messages  285
    Assignment involving four messages  285
  Address/prefix lease renewal  286
  Stateless DHCPv6 configuration  287
  Protocols and standards  287
Configuring the DHCPv6 server  288
  Overview  288
    DHCPv6 address pool  288
    Prefix selection process  288
    Address selection process  289
  DHCPv6 server configuration task list  289
  Configuration prerequisites  289
  Enabling the DHCPv6 server  289
  Configuring the DHCPv6 server to assign IPv6 prefixes to DHCPv6 clients  290
    Configuration guidelines  290
    Configuration procedure  290
  Configuring the DHCPv6 server to assign IPv6 addresses to DHCPv6 clients  291
    Configuration guidelines  291
    Configuration procedure  291
  Configuring network parameters in a DHCPv6 address pool  292
  Enabling the DHCPv6 server on an interface  292
  Displaying and maintaining the DHCPv6 server  293
  DHCPv6 server configuration examples  294
    IPv6 prefix and network parameters assignment configuration example  294
    Static IPv6 address assignment configuration example  296
    Dynamic IPv6 address assignment configuration example  298
Configuring the DHCPv6 relay agent  301
  Overview  301
  Configuration prerequisites  302
  Configuration guidelines  302
  Configuration procedure  302
  Displaying and maintaining the DHCPv6 relay agent  303
  DHCPv6 relay agent configuration example  303
    Network requirements  303
    Configuration procedure  303
    Verifying the configuration  304
Configuring the DHCPv6 client  305
  Configuration guidelines  305
  Configuration procedure  305
  Displaying and maintaining the DHCPv6 client  305
  Stateless DHCPv6 configuration example  306
    Network requirements  306
    Configuration procedure  306
    Verifying the configuration  306
Configuring IPv6 fast forwarding  308
  Overview  308
  Configuration guidelines  308
  Configuration procedure  308
  Displaying and maintaining IPv6 fast forwarding  308
  IPv6 fast forwarding configuration example  309
    Network requirements  309
    Configuration procedure  309
    Verifying the configuration  310
Configuring IPv6 DNS  312
  Configuring the IPv6 DNS client  312
    Configuring static domain name resolution  312
    Configuring dynamic domain name resolution  312
  Displaying and maintaining IPv6 DNS  313
  Static domain name resolution configuration example  313
    Network requirements  313
    Configuration procedure  314
  Dynamic domain name resolution configuration example  314
    Network requirements  314
    Configuration procedure  315
    Verifying the configuration  318
Basic forwarding on the device  320
  FIB table  320
  Displaying and maintaining the FIB table  320
Configuring load sharing  322
  Configuring load sharing  322
    Configuring bandwidth-based load sharing  322
    Configuring user-based load sharing  323
  Bandwidth-based load sharing configuration example  323
    Network requirements  323
    Configuration procedure  324
Support and other resources  325
  Contacting HP  325
    Subscription service  325
  Related information  325
    Documents  325
    Websites  325
  Conventions  326
Index  328
Configuring ARP
This chapter describes how to configure the Address Resolution Protocol (ARP).
Overview
ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a
device uses ARP to get the MAC address of the target device for a packet.
ARP message format
ARP uses two types of messages, ARP request and ARP reply. Figure 1 shows the format of the ARP
request/reply. Numbers in the figure refer to field lengths.
Figure 1 ARP message format
• Hardware type—Hardware address type. The value 1 represents Ethernet.
• Protocol type—Type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.
• Hardware address length and protocol address length—Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.
• OP—Operation code, which describes the type of the ARP message. Value 1 represents an ARP request, and value 2 represents an ARP reply.
• Sender hardware address—Hardware address of the device sending the message.
• Sender protocol address—Protocol address of the device sending the message.
• Target hardware address—Hardware address of the device to which the message is being sent.
• Target protocol address—Protocol address of the device to which the message is being sent.
ARP operation
As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as
follows:
1. Host A looks through its ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information:
   • Sender IP address and sender MAC address—Host A's IP address and MAC address
   • Target IP address—Host B's IP address
   • Target MAC address—An all-zero MAC address
   All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.
3. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B:
   a. Adds the sender IP address and sender MAC address into its ARP table.
   b. Encapsulates its MAC address into an ARP reply.
   c. Unicasts the ARP reply to Host A.
4. After receiving the ARP reply, Host A:
   a. Adds the MAC address of Host B into its ARP table.
   b. Encapsulates the MAC address into the packet and sends the packet to Host B.
Figure 2 ARP address resolution process
If Host A and Host B are on different subnets, Host A sends a packet to Host B as follows:
1. Host A sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway.
2. The gateway responds with its MAC address in an ARP reply to Host A.
3. Host A uses the gateway MAC address to encapsulate the packet and sends the packet to the gateway.
4. If the gateway has the ARP entry for Host B, it forwards the packet to Host B directly. If not, it broadcasts an ARP request, in which the target IP address is the IP address of Host B.
5. After obtaining the MAC address of Host B, the gateway sends the packet to Host B.
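The message format and the request/reply exchange above, as an added worked example in Python (this is not code from the HP guide or from Comware). It encodes and decodes the 28-byte ARP payload in the field order of Figure 1, builds the all-zero-target-MAC request of step 2, and implements the step 3 decision of Host B: learn the sender only when the target IP is its own, then unicast a reply. The MAC and IP addresses, and the hex "capture", are constructed sample values.

```python
"""Build, parse and answer Ethernet/IPv4 ARP messages (added example; not
from the HP guide or Comware). All addresses are constructed sample values."""
import struct

HTYPE_ETHERNET = 1      # hardware type: Ethernet
PTYPE_IPV4 = 0x0800     # protocol type: IP
HLEN_ETHERNET = 6       # hardware address length, bytes
PLEN_IPV4 = 4           # protocol address length, bytes
OP_REQUEST = 1
OP_REPLY = 2
ARP_LEN = 28            # 8 fixed header bytes + 2 * (6 + 4)
ZERO_MAC = "0000-0000-0000"


def mac_to_bytes(mac: str) -> bytes:
    """Accept Comware style (00e0-fc01-0000) or colon style (00:e0:fc:01:00:00)."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    """Render a 6-byte address in Comware style, e.g. 00e0-fc01-0000."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ip_to_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return bytes(octets)


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(o) for o in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode the 28-byte ARP payload in the field order of Figure 1."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4,
                         HLEN_ETHERNET, PLEN_IPV4, op)
    return (header + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(data: bytes) -> dict:
    """Decode an ARP payload, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(data) < ARP_LEN:
        raise ValueError("ARP payload truncated")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4,
                                      HLEN_ETHERNET, PLEN_IPV4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP operation code {op}")
    return {"op": op,
            "sender_mac": bytes_to_mac(data[8:14]),
            "sender_ip": bytes_to_ip(data[14:18]),
            "target_mac": bytes_to_mac(data[18:24]),
            "target_ip": bytes_to_ip(data[24:28])}


def build_request(my_mac: str, my_ip: str, target_ip: str) -> bytes:
    """Step 2 of the resolution process: the target MAC is all zeros."""
    return build_arp(OP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)


def answer_request(request: bytes, my_mac: str, my_ip: str):
    """Step 3: only the host owning the target IP learns the sender and replies.
    Returns (learned (ip, mac), reply bytes), or None if the request is not for us."""
    msg = parse_arp(request)
    if msg["op"] != OP_REQUEST or msg["target_ip"] != my_ip:
        return None
    learned = (msg["sender_ip"], msg["sender_mac"])
    reply = build_arp(OP_REPLY, my_mac, my_ip, msg["sender_mac"], msg["sender_ip"])
    return learned, reply


# Constructed sample (not a real capture): the request Host A 192.168.1.1 /
# 00e0-fc01-0000 broadcasts to resolve 192.168.1.2.
SAMPLE_REQUEST_HEX = ("0001" "0800" "06" "04" "0001"
                      "00e0fc010000" "c0a80101"
                      "000000000000" "c0a80102")

if __name__ == "__main__":
    req = bytes.fromhex(SAMPLE_REQUEST_HEX)
    print(parse_arp(req))
    learned, reply = answer_request(req, "00e0-fc01-0002", "192.168.1.2")
    print("Host B learns", learned, "and replies", parse_arp(reply))
```

Note that parse_arp rejects messages whose hardware type, protocol type or length fields do not match Ethernet/IPv4; a receiver that skips those checks would index the wrong bytes when a message carries other values.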
ARP table
An ARP table stores dynamic and static ARP entries.
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging
timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.
Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry.
Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.
Static ARP entries are classified into long static ARP entries and short static ARP entries.
• To configure a long static ARP entry, specify the IP address, MAC address, VLAN, and output interface. A long static ARP entry is directly used for forwarding matching packets. To communicate with a host by using a fixed IP-to-MAC mapping through a specific interface in a specific VLAN, configure a long static ARP entry on the device.
• To configure a short static ARP entry, you only need to specify the IP address and MAC address.
  • If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward matching packets.
  • If the output interface is a VLAN interface, the device first sends an ARP request whose target IP address is the IP address of the short entry. If the sender IP and MAC addresses in the received ARP reply match the IP and MAC addresses of the short static ARP entry, the device adds the interface receiving the ARP reply to the short static ARP entry, and then uses the resolved entry to forward the matching IP packets.
  To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device.
Configuring a static ARP entry
A static ARP entry is effective when the device works correctly. If a VLAN or VLAN interface is deleted, all long static ARP entries in the VLAN are deleted, and all resolved short static ARP entries in the VLAN become unresolved.
Follow these guidelines when you configure a long static ARP entry:
• The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN. The VLAN interface of the VLAN must be created.
• The IP address of the VLAN interface of the VLAN specified by the vlan-id argument must belong to the same subnet as the IP address specified by the ip-address argument.
To configure a static ARP entry:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure a static ARP entry.
  Command:
  • Configure a long static ARP entry:
    arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
  • Configure a short static ARP entry:
    arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
  Remarks: Use either command.
Configuring the maximum number of dynamic ARP
entries for an interface
An interface can dynamically learn ARP entries, so it might hold too many ARP entries. To solve this
problem, you can set the maximum number of dynamic ARP entries that an interface can learn. When the
maximum number is reached, the interface stops learning ARP entries.
A Layer 2 interface can learn an ARP entry only when both its maximum number and the VLAN
interface's maximum number are not reached.
To set the maximum number of dynamic ARP entries that an interface can learn:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Set the maximum number of dynamic ARP entries that the interface can learn.
  Command: arp max-learning-num number
  Remarks: Optional. By default, a Layer 2 interface does not limit the number of dynamic ARP entries. A Layer 3 interface can learn a maximum of 1024 dynamic ARP entries. If the value for the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.
Setting the aging timer for dynamic ARP entries
Each dynamic ARP entry in the ARP table has a limited lifetime, called the aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. Dynamic ARP entries that are not updated before their aging timers expire are deleted from the ARP table.
To set the aging timer for dynamic ARP entries:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the aging timer for dynamic ARP entries.
  Command: arp timer aging aging-time
  Remarks: Optional. 20 minutes by default.
Enabling dynamic ARP entry check
The dynamic ARP entry check function controls whether the device supports dynamic ARP entries with
multicast MAC addresses.
When dynamic ARP entry check is enabled, the device cannot learn dynamic ARP entries containing
multicast MAC addresses.
When dynamic ARP entry check is disabled, the device can learn dynamic ARP entries containing multicast MAC addresses.
To enable dynamic ARP entry check:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable dynamic ARP entry check.
  Command: arp check enable
  Remarks: Optional. Enabled by default.
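The entry rules from the "ARP table" section together with the three settings just described (the per-interface learning limit, the aging timer, and dynamic ARP entry check), as one added worked example in Python. It is a toy model written for this page, not code from the HP guide or from Comware, and the interface names, timers and addresses it uses are constructed. It shows that a dynamic update cannot displace a static entry, that a static entry displaces a dynamic one, that an update resets the aging timer, that an interface whose limit is reached (or set to 0) stops learning, and that multicast MAC addresses are refused while check is enabled.

```python
"""Toy ARP table applying this chapter's entry rules (added example; not code
from the HP guide or Comware): static vs. dynamic entries, the aging timer
(arp timer aging), the per-interface learning limit (arp max-learning-num)
and dynamic ARP entry check (arp check enable). Addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AGING_SECONDS = 20 * 60      # 20 minutes by default


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    static: bool
    expires_at: Optional[float]      # None for static entries: they never age out


def is_multicast_mac(mac: str) -> bool:
    """A MAC is multicast when the I/G bit (LSB of the first octet) is set."""
    first_octet = int(mac.replace("-", "").replace(":", "")[:2], 16)
    return bool(first_octet & 0x01)


class ArpTable:
    def __init__(self, aging_seconds: float = DEFAULT_AGING_SECONDS,
                 check_enable: bool = True):
        self.aging_seconds = aging_seconds
        self.check_enable = check_enable          # enabled by default
        self.max_learning: Dict[str, int] = {}    # interface -> limit
        self.entries: Dict[str, ArpEntry] = {}    # ip -> entry

    def set_max_learning_num(self, interface: str, number: int) -> None:
        """Limit dynamic entries on an interface; 0 disables learning there."""
        self.max_learning[interface] = number

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        """A static entry overwrites any dynamic entry for the same IP address."""
        self.entries[ip] = ArpEntry(ip, mac, interface, static=True, expires_at=None)

    def dynamic_count(self, interface: str) -> int:
        return sum(1 for e in self.entries.values()
                   if not e.static and e.interface == interface)

    def learn(self, ip: str, mac: str, interface: str, now: float) -> bool:
        """Offer a sender IP/MAC pair seen in ARP traffic; True if it was stored."""
        if self.check_enable and is_multicast_mac(mac):
            return False                          # dynamic ARP entry check
        existing = self.entries.get(ip)
        if existing is not None and existing.static:
            return False                          # dynamic never overwrites static
        if existing is None:
            limit = self.max_learning.get(interface)
            if limit is not None and self.dynamic_count(interface) >= limit:
                return False                      # interface has stopped learning
        # New entry, or an existing dynamic entry updated: the aging timer is reset.
        self.entries[ip] = ArpEntry(ip, mac, interface, static=False,
                                    expires_at=now + self.aging_seconds)
        return True

    def age_out(self, now: float) -> List[str]:
        """Delete dynamic entries whose aging timer expired; return their IPs."""
        expired = [ip for ip, e in self.entries.items()
                   if not e.static and e.expires_at is not None and e.expires_at <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def interface_down(self, interface: str) -> List[str]:
        """Dynamic entries whose output interface goes down are removed."""
        gone = [ip for ip, e in self.entries.items()
                if not e.static and e.interface == interface]
        for ip in gone:
            del self.entries[ip]
        return gone

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry.mac if entry is not None else None


if __name__ == "__main__":
    table = ArpTable()
    table.add_static("192.168.1.1", "00e0-fc01-0000", "Vlan-interface10")
    # An ARP packet claiming 192.168.1.1 with a different MAC cannot change the entry.
    print(table.learn("192.168.1.1", "00e0-fc02-0000", "Vlan-interface10", now=0))
    print(table.lookup("192.168.1.1"))
```

The limit check runs only for new entries, so refreshing an entry the interface already holds still succeeds once the limit is reached; a limit of 0 makes the comparison fail for every new entry, which is the "disabled from learning" behaviour described above.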
Enabling natural mask support for ARP requests
This feature enables the device to learn the sender IP and MAC addresses in a received ARP request
whose sender IP address is on the same classful network as but a different subnet from the IP address of
the receiving interface. A classful network refers to a class A, B, or C network.
For example, VLAN-interface 10 with IP address 10.10.10.5/24 receives an ARP request from 10.11.11.1/8. Because ANDing 10.11.11.1 with the 24-bit subnet mask of the receiving interface yields a subnet address that is not the subnet of 10.10.10.5/24, VLAN-interface 10 cannot process the ARP packet.
With this feature enabled, the device calculates the subnet address by using the default mask of the class A network where 10.10.10.5/24 resides. Because 10.10.10.5/24 is on the same class A network as 10.11.11.1/8, VLAN-interface 10 can learn the sender IP and MAC addresses in the request.
To enable natural mask support for ARP requests:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable natural mask support for ARP requests.
  Command: naturemask-arp enable
  Remarks: Disabled by default.
Displaying and maintaining ARP
CAUTION:
Clearing ARP entries from the ARP table might cause communication failures.
Task: Display ARP entries in the ARP table.
  Command: display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the ARP entry for a specific IP address.
  Command: display arp ip-address [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the ARP entries for a specific VPN instance.
  Command: display arp vpn-instance vpn-instance-name [ count ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the aging timer of dynamic ARP entries.
  Command: display arp timer aging [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear ARP entries from the ARP table.
  Command: reset arp { all | dynamic | static | interface interface-type interface-number }
  Remarks: Available in user view.
ARP entry configuration example
Network requirements
As shown in Figure 3, hosts are connected to the switch, which is connected to the router through
interface Ethernet 1/1 in VLAN 10. The IP and MAC addresses of the router are 192.168.1.1/24 and
00e0-fc01-0000 respectively.
To prevent malicious users from attacking the switch and enhance security for communications between
the router and switch, configure a static ARP entry for the router on the switch.
Figure 3 Network diagram
Configuration procedure
# Create VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Add interface Ethernet 1/1 to VLAN 10.
[Switch] interface ethernet 1/1
[Switch-Ethernet1/1] port link-type trunk
[Switch-Ethernet1/1] port trunk permit vlan 10
[Switch-Ethernet1/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10
[Switch-vlan-interface10] ip address 192.168.1.2 24
[Switch-vlan-interface10] quit
# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and
output interface Ethernet 1/1 in VLAN 10.
[Switch] arp static 192.168.1.1 00e0-fc01-0000 10 ethernet 1/1
# Display information about static ARP entries.
[Switch] display arp static
                 Type: S-Static   D-Dynamic   A-Authorized
IP Address       MAC Address     VLAN ID  Interface   Aging  Type
192.168.1.1      00e0-fc01-0000  10       Eth1/1      N/A    S
Configuring gratuitous ARP
Overview
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device.
A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already in use, the device is informed of the conflict by an ARP reply.
• Inform other devices of a change of its MAC address.
Enabling learning of gratuitous ARP packets
This feature enables a device to create or update ARP entries by using the sender IP and MAC addresses
in received gratuitous ARP packets.
With this feature disabled, the device uses the received gratuitous ARP packets to update only existing
ARP entries.
Configuring periodic sending of gratuitous ARP packets
Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their
corresponding ARP entries or MAC entries in time. This feature can be used to prevent gateway spoofing,
prevent ARP entries from aging out, and prevent the virtual IP address of a VRRP group from being used
by a host.
• Prevent gateway spoofing
  An attacker can use the gateway address to send gratuitous ARP packets to the hosts on a network so that the traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.
  To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets containing its primary IP address and manually configured secondary IP addresses at a specific interval, so hosts can learn correct gateway address information.
• Prevent ARP entries from aging out
  If network traffic is heavy or if a host's CPU usage is high, received ARP packets might be discarded or might not be processed in time. Eventually, the dynamic ARP entries on the receiving host age out, and the traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.
  To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically. The gratuitous ARP packets contain the gateway's primary IP address or one of its manually configured secondary IP addresses, so the receiving hosts can update ARP entries in time.
• Prevent the virtual IP address of a VRRP group from being used by a host
  The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network, so that the hosts can update local ARP entries and avoid using the virtual IP address of the VRRP group.
  If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.
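The following Python example is added here to show in bytes the two things the text describes: what a gratuitous ARP looks like (sender IP equal to target IP) and how a monitor can catch the gateway-spoofing case by comparing the sender MAC of any ARP that claims a gateway address against a trusted mapping. It is not code from the HP guide; the packet contents, the trusted-gateway table and the attacker MAC are constructed for the example.

```python
import ipaddress
import struct
from typing import List, Optional

# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """Accepts 00e0-fc01-0000, 00:e0:fc:01:00:00 or 00e0.fc01.0000."""
    return bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"       # HP-style notation


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    return ARP.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha),
                    ipaddress.IPv4Address(spa).packed,
                    mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


def build_gratuitous_arp(mac: str, ip: str) -> bytes:
    """Gratuitous ARP as the guide defines it: sender IP == target IP.
    Built here as a request with an all-zero target MAC (one common form)."""
    return build_arp(ARP_REQUEST, mac, ip, "0000-0000-0000", ip)


def parse_arp(payload: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper,
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def is_gratuitous(arp: dict) -> bool:
    return arp["spa"] == arp["tpa"]


def gateway_spoof_alert(arp: dict, trusted_gateways: dict) -> Optional[str]:
    """Detection logic for the attack described above: any ARP, gratuitous or
    not, whose sender IP is a known gateway but whose sender MAC differs from
    the MAC we trust for it. trusted_gateways maps IP -> MAC and is operator
    supplied (for example from the static ARP entries you configure)."""
    expected = trusted_gateways.get(arp["spa"])
    if expected is None or mac_bytes(expected) == mac_bytes(arp["sha"]):
        return None
    return (f"gateway spoofing: {arp['sha']} claims {arp['spa']} "
            f"(trusted MAC {mac_str(mac_bytes(expected))})")


def scan(packets: List[bytes], trusted_gateways: dict) -> List[str]:
    """Run the check over raw ARP payloads and return the alerts raised."""
    alerts = []
    for raw in packets:
        alert = gateway_spoof_alert(parse_arp(raw), trusted_gateways)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not a capture): the gateway 192.168.1.1 at
# 00e0-fc01-0000 from the static ARP example, and an invented attacker MAC.
TRUSTED = {"192.168.1.1": "00e0-fc01-0000"}
LEGIT_GARP = build_gratuitous_arp("00e0-fc01-0000", "192.168.1.1")
SPOOFED_GARP = build_gratuitous_arp("0011-2233-4455", "192.168.1.1")
HOST_REQUEST = build_arp(ARP_REQUEST, "00e0-fc01-0010", "192.168.1.10",
                         "0000-0000-0000", "192.168.1.1")
```

Periodic gratuitous ARP from the gateway only refreshes hosts' entries between an attacker's packets; ARP carries no authentication, so hosts still accept the spoofed ones in the meantime. Treat the feature as damage limitation and pair it with detection like the check above or with the ARP snooping conflict handling described later in this guide.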
Configuration guidelines
Follow these guidelines when you configure gratuitous ARP:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface is up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the new interval takes effect at the next sending interval.
• The actual sending frequency might be much lower than the configured interval if this function is enabled on multiple interfaces, if each interface is configured with multiple secondary IP addresses, or if a small sending interval is configured while either of the previous two conditions exists.
Configuration procedure
To configure gratuitous ARP:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable learning of gratuitous ARP packets.
  Command: gratuitous-arp-learning enable
  Remarks: Optional. Enabled by default.
Step 3: Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
  Command: gratuitous-arp-sending enable
  Remarks: By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
Step 4: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 5: Enable periodic sending of gratuitous ARP packets and set the sending interval.
  Command: arp send-gratuitous-arp [ interval milliseconds ]
  Remarks: By default, this feature is disabled.
Configuring proxy ARP
Overview
Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network.
With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on
the same network.
Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP—Allows communication between hosts that connect to different Layer-3 interfaces and reside in different broadcast domains.
• Local proxy ARP—Allows communication between hosts that connect to the same Layer-3 interface and reside in different broadcast domains.
Common proxy ARP
A proxy ARP enabled device allows hosts that reside on different subnets to communicate.
As shown in Figure 4, Router connects to two subnets through Ethernet 1/1 and Ethernet 1/2. The IP
addresses of the two interfaces are 192.168.10.99/24 and 192.168.20.99/24. Host A and Host B are
assigned the same prefix 192.168.0.0. Host A connects to Ethernet 1/1 and Host B connects to Ethernet
1/2.
Figure 4 Application environment of proxy ARP
Because Host A and Host B have the same prefix 192.168.0.0, Host A considers that Host B is on the
same network, and it broadcasts an ARP request for the MAC address of Host B. However, Host B cannot
receive this request because it is in a different broadcast domain.
You can enable proxy ARP on Ethernet 1/1 of the router so that the router can reply to the ARP request
from Host A with the MAC address of Ethernet 1/1, and forward packets sent from Host A to Host B. In
this case, the router acts as a proxy of Host B.
A main advantage of proxy ARP is that you can enable it on a single router without disturbing routing
tables of other routers in the network. Proxy ARP acts as the gateway for hosts that are not configured with
a default gateway or do not have routing capability.
Local proxy ARP
As shown in Figure 5, Host A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects
to Ethernet 1/3 while Host B connects to Ethernet 1/1. Enable local proxy ARP on Router to allow Layer
3 communication between the two hosts.
Figure 5 Application environment of local proxy ARP
Enable local proxy ARP in one of the following cases:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3.
• If a super VLAN is configured, hosts in different sub VLANs of the super VLAN need to communicate at Layer 3.
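As an added example (not part of the guide), the decision the router makes for an incoming ARP request can be written out in Python: it answers with the receiving interface's own MAC for its own address, for a same-subnet target only when local proxy ARP is enabled and the target is inside the optional ip-range, and for a target on another directly connected interface only when proxy-arp is enabled on the receiving interface. Reachability through a routing table is simplified here to directly connected subnets (an assumption, not the guide's statement); the interface names and addresses follow Figure 4 and Figure 7, but the MACs are invented.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Iface:
    name: str
    address: str                    # interface address with prefix, e.g. "192.168.10.99/24"
    mac: str
    proxy_arp: bool = False         # proxy-arp enable
    local_proxy_arp: bool = False   # local-proxy-arp enable
    local_proxy_range: Optional[Tuple[str, str]] = None   # optional ip-range startIP to endIP

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.address).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


def arp_reply_mac(ifaces: List[Iface], in_iface: str, target_ip: str) -> Optional[str]:
    """Which MAC, if any, the router answers with for an ARP request that arrived
    on in_iface asking for target_ip. None means the request is left unanswered."""
    rx = next(i for i in ifaces if i.name == in_iface)
    target = ipaddress.IPv4Address(target_ip)

    if target == rx.ip:                       # the router's own address: ordinary ARP reply
        return rx.mac

    if target in rx.network:                  # same subnet as the receiving interface
        if not rx.local_proxy_arp:
            return None                       # hosts must resolve each other directly
        if rx.local_proxy_range is not None:
            lo, hi = (ipaddress.IPv4Address(a) for a in rx.local_proxy_range)
            if not lo <= target <= hi:
                return None                   # outside the configured ip-range
        return rx.mac                         # local proxy ARP answers for the isolated host

    if not rx.proxy_arp:
        return None
    # Common proxy ARP: answer only if the target lives behind another interface.
    # Simplification: "reachable" means inside another directly connected subnet.
    reachable_elsewhere = any(target in i.network for i in ifaces if i is not rx)
    return rx.mac if reachable_elsewhere else None


# Constructed topology after Figure 4 and Figure 7 (interface MACs are invented).
ROUTER = [
    Iface("Ethernet1/1", "192.168.10.99/24", "00e0-fc00-0001", proxy_arp=True),
    Iface("Ethernet1/2", "192.168.20.99/24", "00e0-fc00-0002",
          local_proxy_arp=True, local_proxy_range=("192.168.20.1", "192.168.20.100")),
]
```

Proxy ARP makes the router answer for addresses it does not own, which is exactly the behaviour an ARP-spoofing host exhibits; enable it only on the interfaces that need it, and use the ip-range form of local-proxy-arp to limit which addresses the router will answer for.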
Enabling common proxy ARP
You can enable common proxy ARP in VLAN interface view/Layer 3 Ethernet interface view/Layer 3
Ethernet subinterface view/Layer 3 aggregate interface view/Layer 3 aggregate subinterface view.
To enable common proxy ARP:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable proxy ARP.
  Command: proxy-arp enable
  Remarks: Disabled by default.
Enabling local proxy ARP
You can enable local proxy ARP in VLAN interface view/Layer 3 Ethernet interface view/Layer 3
Ethernet subinterface view/Layer 3 aggregate interface view/Layer 3 aggregate subinterface view.
To enable local proxy ARP:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable local proxy ARP.
  Command: local-proxy-arp enable [ ip-range startIP to endIP ]
  Remarks: Disabled by default.
Displaying and maintaining proxy ARP
Task: Display whether proxy ARP is enabled.
  Command: display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display whether local proxy ARP is enabled.
  Command: display local-proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Proxy ARP configuration examples
Common proxy ARP configuration example
Network requirements
Host A and Host D have the same prefix and mask, but they are located on different subnets. No default
gateway is configured on Host A and Host D.
Configure proxy ARP on the router to enable communication between Host A and Host D.
Figure 6 Network diagram
Configuration procedure
# Configure the IP address of interface Ethernet 1/2.
<Router> system-view
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 192.168.10.99 255.255.255.0
# Enable proxy ARP on interface Ethernet 1/2.
[Router-Ethernet1/2] proxy-arp enable
[Router-Ethernet1/2] quit
# Configure the IP address of interface Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.20.99 255.255.255.0
# Enable proxy ARP on interface Ethernet 1/1.
[Router-Ethernet1/1] proxy-arp enable
[Router-Ethernet1/1] quit
After completing preceding configurations, use the ping command to verify the connectivity between
Host A and Host D.
Local proxy ARP configuration example in case of port isolation
Network requirements
As shown in Figure 7, Host A and Host B belong to the same VLAN, and connect to the switch through
Ethernet 1/3 and Ethernet 1/1 respectively. The switch connects to the router through Ethernet 1/2.
Configure port isolation on Ethernet 1/3 and Ethernet 1/1 of the switch to isolate Host A from Host B at
Layer 2. Enable local proxy ARP on the router to allow communication between Host A and Host B at
Layer 3.
If the two ports (Ethernet 1/3 and Ethernet 1/1) on the switch are isolated only at Layer 2, you can
enable communication between the two hosts by configuring local proxy ARP on VLAN-interface 2 of the
switch.
Figure 7 Network diagram
Configuration procedure
1. Configure the switch:
# Add Ethernet 1/3, Ethernet 1/1 and Ethernet 1/2 to VLAN 2. Configure port isolation for Host A and Host B.
<Switch> system-view
[Switch] vlan 2
[Switch-vlan2] port ethernet 1/3
[Switch-vlan2] port ethernet 1/1
[Switch-vlan2] port ethernet 1/2
[Switch-vlan2] quit
[Switch] interface ethernet 1/3
[Switch-Ethernet1/3] port-isolate enable
[Switch-Ethernet1/3] interface ethernet 1/1
[Switch-Ethernet1/1] port-isolate enable
2. Configure the router:
# Specify the IP address of Ethernet 1/2.
<Router> system-view
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 192.168.10.100 255.255.255.0
The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2 and
Layer 3.
# Configure local proxy ARP to allow communication between Host A and Host B at Layer 3.
[Router-Ethernet1/2] local-proxy-arp enable
The ping operation from Host A to Host B is successful after the configuration.
Configuring ARP snooping
Overview
ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information
in ARP packets. The ARP snooping entries can be used by ARP fast-reply.
If ARP snooping is enabled on a VLAN, ARP packets received by the interfaces of the VLAN are
redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, and receiving
VLAN and port to create ARP snooping entries.
The aging time and valid period of an ARP snooping entry are 25 minutes and 15 minutes, respectively.
If an ARP snooping entry is not updated within 15 minutes, it becomes invalid and cannot be used. After
that, if an ARP packet matching the entry is received, the entry becomes valid, and its aging timer restarts.
If the aging timer of an ARP entry expires, the entry is removed.
If the ARP snooping device receives an ARP packet whose sender IP address matches a valid ARP snooping entry but whose sender MAC address differs from that entry, it treats the packet as an attack. The ARP snooping entry becomes invalid and is removed after 25 minutes.
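The timers and the conflict rule above can be modelled directly. This Python example is added here and is not the device's implementation. It assumes that an entry flagged as attacked stays invalid until its 25-minute removal (the text says it becomes invalid and is removed, but not whether a later matching packet can revive it), and it takes the clock as an explicit argument so the 15-minute and 25-minute boundaries can be checked deterministically.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VALID_PERIOD = 15 * 60   # seconds: entry is usable (valid) this long after its last update
AGING_TIME = 25 * 60     # seconds: entry is removed this long after its last update


@dataclass
class SnoopEntry:
    ip: str
    mac: str
    vlan: int
    port: str
    last_update: float
    attacked: bool = False   # set when a conflicting MAC was seen for a valid entry

    def is_valid(self, now: float) -> bool:
        return not self.attacked and now - self.last_update < VALID_PERIOD

    def is_expired(self, now: float) -> bool:
        return now - self.last_update >= AGING_TIME


class ArpSnooper:
    """ARP snooping table keyed by (VLAN, sender IP). Time is passed in as
    seconds so the aging logic can be exercised without waiting."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str], SnoopEntry] = {}

    def expire(self, now: float) -> None:
        for key in [k for k, e in self.entries.items() if e.is_expired(now)]:
            del self.entries[key]

    def observe(self, vlan: int, port: str, sender_ip: str, sender_mac: str,
                now: float) -> str:
        """Process the sender fields of an ARP packet received on (vlan, port).
        Returns one of: created, updated, revalidated, attack, ignored."""
        self.expire(now)
        key = (vlan, sender_ip)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = SnoopEntry(sender_ip, sender_mac, vlan, port, now)
            return "created"
        if entry.attacked:
            # Assumption: a flagged entry stays invalid until it ages out.
            return "ignored"
        was_valid = entry.is_valid(now)
        if was_valid and entry.mac != sender_mac:
            entry.attacked = True            # same IP, different MAC: treated as an attack
            entry.last_update = now          # the 25-minute removal clock starts now
            return "attack"
        # An invalid (timed-out) entry is simply refreshed, even with a new MAC,
        # because the conflict rule only applies to valid entries.
        entry.mac, entry.port, entry.last_update = sender_mac, port, now
        return "updated" if was_valid else "revalidated"

    def lookup(self, vlan: int, ip: str, now: float) -> Optional[SnoopEntry]:
        """What ARP fast-reply may use: only a valid entry."""
        entry = self.entries.get((vlan, ip))
        return entry if entry is not None and entry.is_valid(now) else None
```

Note what the conflict rule does and does not give you: it stops fast-reply from answering with either MAC once a conflict is seen, but an attacker who speaks first for an IP that has no entry yet simply creates the entry, so the table is only as trustworthy as the first packet it saw.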
Configuration procedure
To enable ARP snooping for a VLAN:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter VLAN view.
  Command: vlan vlan-id
  Remarks: N/A
Step 3: Enable ARP snooping.
  Command: arp-snooping enable
  Remarks: Disabled by default.
Displaying and maintaining ARP snooping
Task: Display ARP snooping entries.
  Command: display arp-snooping [ ip ip-address | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Remove ARP snooping entries.
  Command: reset arp-snooping [ ip ip-address | vlan vlan-id ]
  Remarks: Available in user view.
DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see
"Configuring the DHCP relay agent."
Figure 8 A typical DHCP application
DHCP overview
Allocation mechanisms
DHCP supports the following mechanisms for IP address allocation:
• Static allocation—The network administrator assigns an IP address to a client (for example, a WWW server), and DHCP conveys the assigned address to the client.
• Automatic allocation—DHCP assigns a permanent IP address to a client.
• Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.
Dynamic IP address allocation process
Figure 9 Dynamic IP address allocation process
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For related information, see "DHCP message format."
3. If several DHCP servers send offers to the client, the client accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address.
4. All DHCP servers receive the DHCP-REQUEST message, but only the server selected by the client returns a DHCP-ACK message to confirm that the IP address has been allocated to the client, or a DHCP-NAK message to deny the IP address allocation.
  ○ After the client receives the DHCP-ACK message, it broadcasts a gratuitous ARP packet to verify whether the IP address assigned by the server is already in use. If the client receives no response within the specified time, the client uses the assigned IP address. Otherwise, the client sends a DHCP-DECLINE message to the server to request an IP address again.
  ○ IP addresses offered by other DHCP servers can be assigned to other clients.
IP address lease extension
A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by
the DHCP server. To continue using the IP address, the client must extend the lease duration.
When 1/2 lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to
extend the lease. Depending on the availability of the IP address, the DHCP server returns either a
DHCP-ACK unicast confirming that the client's lease duration has been extended, or a DHCP-NAK
unicast denying the request.
If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension after
7/8 of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP
server returns either a DHCP-ACK unicast confirming that the client's lease duration has been extended,
or a DHCP-NAK unicast denying the request.
DHCP message format
Figure 10 shows the DHCP message format, which is based on the BOOTP message format although
DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size
of each field in bytes.
Figure 10 DHCP message format
• op—Message op code. 1 = BOOTREQUEST (client to server), 2 = BOOTREPLY (server to client). The DHCP message type (DISCOVER, OFFER, and so on) is carried in Option 53 of the options field, not in this byte.
• htype, hlen—Hardware address type and length of the DHCP client.
• hops—Number of relay agents a request message traveled.
• xid—Transaction ID, a random number chosen by the client to identify an IP address allocation.
• secs—Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. This field is reserved and set to 0.
• flags—The leftmost bit is defined as the BROADCAST (B) flag and is set by the client. If this flag is 0, the DHCP server sends its reply by unicast. If it is 1, the DHCP server sends its reply by broadcast. The remaining bits of the flags field are reserved for future use.
• ciaddr—Client IP address if the client has an IP address that is valid and usable. Otherwise, it is set to zero. (The client does not use this field to request a specific IP address to lease.)
• yiaddr—"Your" (client) IP address, assigned by the server.
• siaddr—Server IP address, from which the client obtained configuration parameters.
• giaddr—(Gateway) IP address of the first relay agent a request message traveled.
• chaddr—Client hardware address.
• sname—Server host name, from which the client obtained configuration parameters.
• file—Bootfile name and path information, defined by the server to the client.
• options—Optional parameters field that is variable in length, which includes the message type, lease duration, subnet mask, domain name server IP address, and WINS IP address.
DHCP options
DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for
dynamic address allocation and to provide additional configuration information to clients.
Figure 11 DHCP option format
Common DHCP options
The following are common DHCP options:
• Option 3—Router option. It specifies the gateway address.
• Option 6—DNS server option. It specifies the DNS server's IP address.
• Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
• Option 51—IP address lease option.
• Option 53—DHCP message type option. It identifies the type of the DHCP message.
• Option 55—Parameter request list option. It is used by a DHCP client to request specified configuration parameters. The option contains values that correspond to the parameters requested by the client.
• Option 60—Vendor class identifier option. It is used by a DHCP client to identify its vendor, and by a DHCP server to distinguish DHCP clients by vendor class and assign specific IP addresses to the DHCP clients.
• Option 66—TFTP server name option. It specifies a TFTP server to be assigned to the client.
• Option 67—Bootfile name option. It specifies the bootfile name to be assigned to the client.
• Option 121—Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
• Option 150—TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client.
For more information about DHCP options, see RFC 2132 and RFC 3442.
Custom options
Some options, such as Option 43, Option 82, and Option 184, carry vendor- or deployment-specific content whose format is not fixed by RFC 2132.
Vendor-specific option (Option 43)
DHCP servers and clients use Option 43 to exchange vendor-specific configuration information.
The DHCP client can obtain the following information through Option 43:
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password. These credentials travel in the DHCP reply itself, so any host that can observe DHCP traffic on the access network can read them.
• Service provider identifier, which is acquired by the Customer Premises Equipment (CPE) from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.
• Preboot Execution Environment (PXE) server address, which is used to obtain the bootfile or other control information from the PXE server.
• Access controller (AC) address, which is used by an AP to obtain the boot file or other control information from the AC.
Format of Option 43:
Figure 12 Format of Option 43
Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 12.
  ○ Sub-option type—The field value can be 0x01 (an ACS parameter sub-option), 0x02 (a service provider identifier sub-option), or 0x80 (a PXE server address sub-option).
  ○ Sub-option length—Excludes the sub-option type and sub-option length fields.
  ○ Sub-option value—The value format varies with sub-options.
Sub-option value field formats:
  ○ ACS parameter sub-option value field—Includes the variable-length ACS URL, username, and password separated by spaces (0x20) as shown in Figure 13.
  Figure 13 ACS parameter sub-option value field: URL of ACS (variable) | 0x20 | User name of ACS (variable) | 0x20 | Password of ACS (variable)
  ○ Service provider identifier sub-option value field—Includes the service provider identifier.
  ○ PXE server address sub-option value field—Includes the PXE server type (which can only be 0), the server number (the number of PXE servers contained in the sub-option), and the server IP addresses, as shown in Figure 14.
  Figure 14 PXE server address sub-option value field
Relay agent option (Option 82)
Option 82 is the relay agent option in the option field of the DHCP message. It records the location
information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's
request, it adds Option 82 to the request message and sends it to the server.
The administrator can use Option 82 to locate the DHCP client and further implement security control
and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the
clients.
Option 82 can include up to 255 sub-options and must have at least one sub-option. The relay agent
Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID). The DHCP
snooping Option 82 supports three sub-options: sub-option 1 (Circuit ID), sub-option 2 (Remote ID), and
sub-option 9.
Option 82 has no standard definition. Its padding formats vary with vendors.
There are two methods for configuring Option 82:
• User-defined method—Manually specify the content of Option 82.
• Non-user-defined method—Pad Option 82 in the default normal format, verbose format, private format, or standard format.
NOTE:
Only the DHCP snooping device supports sub-option 9, padded in either private or standard format.
If you choose normal format or verbose format, you can specify the code type for the sub-options as ASCII
or HEX.
• Normal padding format:
  ○ Sub-option 1—Includes the VLAN ID and interface number of the interface that received the client's request. The value of the sub-option type is 1, and that of the Circuit ID type is 0.
  Figure 15 Sub-option 1 in normal padding format
  ○ Sub-option 2—Includes the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. The value of the sub-option type is 2, and that of the Remote ID type is 0.
  Figure 16 Sub-option 2 in normal padding format
• Verbose padding format:
  ○ Sub-option 1—Includes the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client's request. The VLAN ID field has a fixed length of 2 bytes. All the other padding contents of sub-option 1 are length variable. See Figure 17.
  Figure 17 Sub-option 1 in verbose padding format
  ○ Sub-option 2—Includes the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. It has the same format as that in normal padding format. See Figure 16.
• Private padding format:
  ○ Sub-option 1—Includes the VLAN ID of the interface that received the client's request, module (subcard number of the receiving port on a centralized device or slot number of the receiving port on a distributed device) and port (number of the receiving port). The value of the sub-option type is 1.
  Figure 18 Sub-option 1 in private padding format
  ○ Sub-option 2—Includes the MAC address of the DHCP snooping device that received the client's request. The value of the sub-option type is 2.
  Figure 19 Sub-option 2 in private padding format
  ○ Sub-option 9—Includes the sysname and the primary IP address of the Loopback0 interface. The value of the sub-option type is 9.
  Figure 20 Sub-option 9 in private padding format
• Standard padding format:
  ○ Sub-option 1—Includes the VLAN ID of the interface that received the client's request, module (subcard number of the receiving port on a centralized device or slot number of the receiving port on a distributed device) and port (number of the receiving port). The value of the sub-option type is 1, and the value of the Circuit ID type is 0.
  Figure 21 Sub-option 1 in standard padding format
  ○ Sub-option 2—Includes the MAC address of the DHCP snooping device that received the client's request. The value of the sub-option type is 2, and that of the Remote ID type is 0. It has the same format as sub-option 2 in normal padding format. See Figure 16.
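As an added example covering the message format, the common options, and the Option 82 sub-option structure above, here is a Python parser for a DHCP message: it checks the magic cookie, bounds-checks every option length before reading it, decodes the header fields and options the guide lists (op, hops, flags, the four addresses, Options 53, 51, 3 and 6), and unpacks Option 82 into its sub-options as the opaque code/length/value list RFC 3046 defines. It is not HP code. The sample OFFER and its Option 82 sub-option bytes are constructed for the example, since the exact HP padding layouts are in figures not reproduced here.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP-derived header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_tlv(data: bytes, pad: Optional[int] = 0, end: Optional[int] = 255) -> Dict[int, bytes]:
    """Walk a code/length/value list. The DHCP option area uses PAD (0) and END
    (255); Option 82 sub-options have neither, so callers pass pad=end=None.
    Every length is checked against the buffer so a truncated or lying length
    raises instead of reading past the end."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} exceeds buffer")
        out[code] = value      # repeated codes (RFC 3396 splitting) are not concatenated here
        i += 2 + length
    return out


def ip_list(raw: bytes) -> List[str]:
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def parse_dhcp(pkt: bytes) -> dict:
    if len(pkt) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("packet shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = HEADER.unpack_from(pkt)
    if pkt[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie (plain BOOTP?)")
    if hlen > 16:
        raise ValueError("hlen larger than the chaddr field")
    opts = parse_tlv(pkt[HEADER.size + 4:])
    msg = {
        "op": op, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),          # the B flag is the leftmost bit
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(),
        "type": MSG_TYPES.get(opts[53][0]) if 53 in opts else None,
    }
    if 51 in opts:
        msg["lease"] = struct.unpack("!I", opts[51])[0]
    if 3 in opts:
        msg["routers"] = ip_list(opts[3])
    if 6 in opts:
        msg["dns"] = ip_list(opts[6])
    if 82 in opts:
        # Option 82 is a list of sub-options: 1 = Circuit ID, 2 = Remote ID, ...
        msg["relay_agent"] = parse_tlv(opts[82], pad=None, end=None)
    return msg


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed sample (not a capture): a DHCP-OFFER sent back through a relay
# agent at 192.168.10.100. The Option 82 sub-option bytes are invented.
SAMPLE_OFFER = (
    HEADER.pack(BOOTREPLY, 1, 6, 1, 0x3903F326, 0, 0x8000,
                b"\x00" * 4,
                ipaddress.IPv4Address("192.168.10.20").packed,
                ipaddress.IPv4Address("192.168.1.1").packed,
                ipaddress.IPv4Address("192.168.10.100").packed,
                bytes.fromhex("00e0fc010002") + b"\x00" * 10,
                b"\x00" * 64, b"\x00" * 128)
    + MAGIC_COOKIE
    + _opt(53, b"\x02")
    + _opt(51, struct.pack("!I", 86400))
    + _opt(3, ipaddress.IPv4Address("192.168.10.100").packed)
    + _opt(6, ipaddress.IPv4Address("192.168.1.53").packed
              + ipaddress.IPv4Address("192.168.1.54").packed)
    + _opt(82, _opt(1, b"\x00\x0a\x00\x01") + _opt(2, bytes.fromhex("00e0fc020001")))
    + b"\xff"
)
```

The length check in parse_tlv is the part that matters for anything that sits in the DHCP path: option and sub-option lengths are attacker-controlled bytes, and Option 82 arrives from whichever relay or snooping device inserted it, so a parser that trusts them reads past the buffer.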
Option 184
Option 184 is a reserved option. You can define the parameters in the option as needed. The device
supports Option 184 carrying voice related parameters, so a DHCP client with voice functions can get
voice parameters from the DHCP server.
Option 184 has the following sub-options:
• Sub-option 1—Specifies the IP address of the primary network calling processor, which serves as the network calling control source and provides program download services.
• Sub-option 2—Specifies the IP address of the backup network calling processor. DHCP clients contact the backup processor when the primary one is unreachable.
• Sub-option 3—Specifies the voice VLAN ID and whether the DHCP client takes this ID as its voice VLAN.
• Sub-option 4—Specifies the failover route, which includes the IP address and the number of the target user. A Session Initiation Protocol (SIP) user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable.
For Option 184, you must define sub-option 1 to make the other sub-options take effect.
Protocols and standards
• RFC 2131, Dynamic Host Configuration Protocol
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4
Configuring the DHCP server
Overview
The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and most users must acquire IP addresses dynamically.
• Most hosts do not need fixed IP addresses.
In addition to assigning IP addresses to DHCP clients on a public network, a multi-VPN-instance customer
edge (MCE) serving as the DHCP server can also assign IP addresses to DHCP clients on private
networks. Note that the IP address ranges of public and private networks or those of private networks on
the DHCP server cannot overlap each other. For more information about MCE, see MPLS Configuration
Guide.
DHCP address pool
DHCP address pools include common and extended address pools:
• Common address pool—Supports both static binding and dynamic allocation.
• Extended address pool—Supports only dynamic allocation.
Common address pool structure
The organization of the common address pool database can be compared to a tree. The root of the tree
is the address pool for natural networks, branches are address pools for subnets, and leaves are
addresses statically bound to clients. For the same level address pools, a previously configured pool has
a higher selection priority than a new one.
At the very beginning, subnets inherit network parameters and clients inherit subnet parameters.
Therefore, common parameters (for example, a DNS server address) should be configured at the highest
(network or subnet) level of the tree.
The new configuration at the higher level (parent) of the tree is:
• Inherited if the lower level (child) has no such configuration. IP address lease durations are not inherited.
• Overridden if the lower level (child) has such configuration.
NOTE:
The extended address pools on a DHCP server are independent of each other and no inheritance
relationship exists among them.
Principles for selecting an address pool
The DHCP server observes the following principles to select an address pool when assigning an IP
address to a client:
1. If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address to the client. For the configuration of this address pool, see "Configuring static address allocation."
2. If the receiving interface has an extended address pool referenced, the DHCP server assigns an IP address from this address pool. If no IP address is available in the address pool, the DHCP server fails to assign an address to the client. For the configuration of such an address pool, see "Configuring dynamic address allocation for an extended address pool."
3. Otherwise, the DHCP server selects the smallest common address pool that contains the IP address of the receiving interface (if the client and the server reside on the same subnet), or the smallest common address pool that contains the IP address specified in the giaddr field of the client's request (if a DHCP relay agent is in-between). If no IP address is available in the address pool, the DHCP server fails to assign an address to the client because it cannot assign an IP address from the parent address pool to the client. For the configuration of such an address pool, see "Configuring dynamic address allocation."
For example, two common address pools, 1.1.1.0/24 and 1.1.1.0/25, are configured on the DHCP server.
If the IP address of the interface receiving DHCP requests is 1.1.1.1/25, the DHCP server selects IP
addresses for clients from address pool 1.1.1.0/25. If no IP address is available in the address pool, the
DHCP server fails to assign addresses to clients. If the IP address of the interface receiving DHCP requests
is 1.1.1.130/25, the DHCP server selects IP addresses for clients from the 1.1.1.0/24 address pool.
NOTE:
To ensure correct IP address allocation, keep the IP addresses for dynamic allocation within the subnet where the interface of the DHCP server or DHCP relay agent resides.
IP address allocation sequence
A DHCP server assigns an IP address to a client in the following sequence:
1. IP address statically bound to the client's MAC address or ID.
2. IP address that was ever assigned to the client.
3. IP address designated by the Option 50 field in a DHCP-DISCOVER message. Option 50 is the requested IP address field in DHCP-DISCOVER messages. The client populates it with the IP address it wants to obtain; what it contains depends on the client.
4. First assignable IP address found in an extended or common address pool.
5. IP address that was a conflict or passed its lease duration.
If no IP address is assignable, the server does not respond.
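To make the pool-selection principles and the allocation sequence above concrete, here is an added Python model of both (written for this page; it is not HP code and not the router's implementation). It applies the three selection rules and the five-step allocation order to constructed pools and requests, including the guide's 1.1.1.0/24 and 1.1.1.0/25 example; pool names, interface names and client identifiers are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class Pool:
    """Constructed model of one address pool (not HP code). A common pool is keyed by
    its network prefix; an extended pool is reached only through an interface reference."""
    name: str
    network: str
    extended: bool = False
    static_bindings: dict = field(default_factory=dict)   # client MAC/ID -> IPv4Address

    def __post_init__(self):
        self.network = ipaddress.ip_network(self.network)


class DhcpServer:
    def __init__(self, server_ips, forbidden=()):
        self.pools = []                                    # configuration order
        self.iface_pool = {}                               # interface -> extended pool
        self.server_ips = {IPv4(a) for a in server_ips}    # interface addresses, never assigned
        self.forbidden = {IPv4(a) for a in forbidden}      # dhcp server forbidden-ip
        self.leases = {}                                   # IPv4Address -> client
        self.history = {}                                  # client -> last IPv4Address
        self.expired = []                                  # expired or conflicting addresses

    def select_pool(self, client, iface, iface_ip, giaddr=None):
        """Pool selection principles 1-3 from the guide."""
        for p in self.pools:                               # 1. a static binding wins outright
            if client in p.static_bindings:
                return p
        if iface in self.iface_pool:                       # 2. extended pool applied on the interface
            return self.iface_pool[iface]
        key = IPv4(giaddr) if giaddr else IPv4(iface_ip)   # 3. smallest common pool containing the key
        best = None
        for p in self.pools:
            if not p.extended and key in p.network:
                if best is None or p.network.prefixlen > best.network.prefixlen:
                    best = p                               # ">" keeps the earlier pool on a tie
        return best

    def _assignable(self, pool, addr):
        return (addr in pool.network and addr not in self.leases
                and addr not in self.forbidden and addr not in self.server_ips)

    def allocate(self, client, iface, iface_ip, giaddr=None, requested=None):
        """Allocation sequence 1-5 from the guide; None means the server does not respond."""
        pool = self.select_pool(client, iface, iface_ip, giaddr)
        if pool is None:
            return None
        preferred = []
        if client in pool.static_bindings:                 # 1. statically bound address
            preferred.append(pool.static_bindings[client])
        if client in self.history:                         # 2. address this client held before
            preferred.append(self.history[client])
        if requested:                                      # 3. Option 50 requested address
            preferred.append(IPv4(requested))
        for addr in preferred:
            if self.leases.get(addr) == client or self._assignable(pool, addr):
                return self._lease(client, addr)
        for addr in pool.network.hosts():                  # 4. first assignable address
            if addr not in self.expired and self._assignable(pool, addr):
                return self._lease(client, addr)
        for addr in self.expired:                          # 5. expired or conflicting addresses
            if self._assignable(pool, addr):
                return self._lease(client, addr)
        return None                                        # exhausted: no fallback to the parent pool

    def _lease(self, client, addr):
        if addr in self.expired:
            self.expired.remove(addr)
        self.leases[addr] = client
        self.history[client] = addr
        return str(addr)

    def expire(self, addr):
        """Lease ended or a conflict was found: the address becomes a step-5 candidate only."""
        self.leases.pop(IPv4(addr), None)
        self.expired.append(IPv4(addr))


def demo():
    """Constructed scenario built around the guide's 1.1.1.0/24 and 1.1.1.0/25 pools."""
    srv = DhcpServer(server_ips=["1.1.1.1", "1.1.1.130", "10.1.1.1"], forbidden=["1.1.1.126"])
    srv.pools += [Pool("net24", "1.1.1.0/24"),
                  Pool("net25", "1.1.1.0/25", static_bindings={"000f-e200-01c0": IPv4("1.1.1.6")})]
    ext = Pool("ext", "10.1.1.0/24", extended=True)
    srv.pools.append(ext)
    srv.iface_pool["Eth1/2"] = ext                         # dhcp server apply ip-pool ext
    return {
        "static": srv.allocate("000f-e200-01c0", "Eth1/1", "1.1.1.1"),
        "lower": srv.allocate("client-a", "Eth1/1", "1.1.1.1"),
        "upper": srv.allocate("client-b", "Eth1/1", "1.1.1.130", requested="1.1.1.200"),
        "relay": srv.allocate("client-c", "Eth1/3", "192.0.2.1", giaddr="1.1.1.130"),
        "ext": srv.allocate("client-d", "Eth1/2", "10.1.1.1"),
        "renew": srv.allocate("client-a", "Eth1/1", "1.1.1.1"),
    }
```

The "lower" request lands in the /25 pool and the "upper" one in the /24 pool exactly as the text describes, and a pool that runs dry returns None rather than borrowing from its parent.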
DHCP server configuration task list
• Configuring an address pool on the DHCP server: Required.
• Enabling DHCP: Required.
• Enabling the DHCP server on an interface: Required.
• Applying an extended address pool on an interface: Required by the extended address pool configuration. When configuring a common address pool, ignore this task.
• Configuring the DHCP server security functions: Optional.
• Enabling client offline detection: Optional.
• Enabling handling of Option 82: Optional.
• Specifying the threshold for sending trap messages: Optional.
Configuring an address pool on the DHCP server
Configuration task list
• Creating a DHCP address pool: Required.
• Configuring address allocation mode for a common address pool (configuring static address allocation or configuring dynamic address allocation): Required to configure either of the two for the common address pool configuration.
• Configuring dynamic address allocation for an extended address pool: Required for the extended address pool configuration.
• Specifying a domain name suffix for the client: Optional.
• Specifying DNS servers for the client: Optional.
• Specifying WINS servers and NetBIOS node type for the client: Optional.
• Specifying BIMS server information for the client: Optional.
• Specifying gateways for the client: Optional.
• Configuring Option 184 parameters for the client with voice service: Optional.
• Configuring the TFTP server and bootfile name for the client: Optional.
• Specifying a server's IP address for the DHCP client: Optional.
• Configuring self-defined DHCP options: Optional.
Creating a DHCP address pool
When you create a DHCP address pool, specify it as a common address pool or an extended address
pool.
To create a DHCP address pool:
24. Enter system view.
    Command: system-view
    Remarks: N/A
25. Create a DHCP address pool and enter its view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: No DHCP address pool is created by default.
A common address pool and an extended address pool are different in address allocation mode
configuration. Configurations of other parameters (such as the domain name suffix and DNS server
address) for them are the same.
Configuring address allocation mode for a common address pool
CAUTION:
You can configure either a static binding or dynamic address allocation for a common address pool, but
not both.
You need to specify a subnet for dynamic address allocation. A static binding is a special address pool
containing only one IP address.
Configuring static address allocation
Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for
such a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP
address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static
binding to the client.
Follow these guidelines when you configure static address allocation:
• Use the static-bind ip-address command together with static-bind mac-address or static-bind client-identifier to accomplish a static binding configuration.
• In a DHCP address pool, if you execute the static-bind mac-address command before the static-bind client-identifier command, the latter overwrites the former and vice versa.
• If you use the static-bind ip-address, static-bind mac-address, or static-bind client-identifier command multiple times in the DHCP address pool, the most recent configuration takes effect.
• The IP address of the static binding cannot be an interface address of the DHCP server. Otherwise, an IP address conflict might occur, making the bound client unable to obtain an IP address correctly.
• The ID of the static binding must be identical to the ID displayed by using the display dhcp client verbose command on the client. Otherwise, the client cannot obtain an IP address.
• The specified lease duration takes effect but the lease duration displayed by the display dhcp server ip-in-use all command is still Unlimited.
• When the device serves as a DHCP client or BOOTP client, you must bind the DHCP client's ID to an IP address, or bind the BOOTP client's MAC address to an IP address on the DHCP server. Otherwise, the DHCP or BOOTP client cannot obtain a static IP address.
• If the interfaces on a DHCP client share the same MAC address, specify the client ID, rather than MAC address, in a static binding to identify the requesting interface. If you do not do this, the client might fail to obtain an IP address.
To configure a static binding in a common address pool:
26. Enter system view.
    Command: system-view
    Remarks: N/A
27. Enter common address pool view.
    Command: dhcp server ip-pool pool-name
    Remarks: N/A
28. Specify the IP address.
    Command: static-bind ip-address ip-address [ mask-length | mask mask ]
    Remarks: No IP addresses are statically bound by default.
29. Specify the MAC address or client ID.
    Command: Specify the MAC address: static-bind mac-address mac-address
             Specify the client ID: static-bind client-identifier client-identifier
    Remarks: Use either of the commands. Neither is bound statically by default.
30. Specify the lease duration for the IP address.
    Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
    Remarks: Optional. By default, the lease duration of the IP address is unlimited.
Configuring dynamic address allocation
For dynamic address allocation, you must configure a DHCP address pool, specify one and only one
address range for the pool, and specify the lease duration. A DHCP address pool can have only one
lease duration.
To avoid address conflicts, configure the DHCP server to exclude IP addresses used by the gateway or
FTP server from dynamic allocation.
Follow these guidelines when you configure dynamic address allocation:
• In common address pool view, if you use the network or network ip range command multiple times, the most recent configuration takes effect.
• After you exclude IP addresses from automatic allocation by using the dhcp server forbidden-ip command, neither a common address pool nor an extended address pool can assign these IP addresses through dynamic address allocation.
• You can exclude multiple IP address ranges from allocation.
To configure dynamic address allocation for a common address pool:
31. Enter system view.
    Command: system-view
    Remarks: N/A
32. Enter common address pool view.
    Command: dhcp server ip-pool pool-name
    Remarks: N/A
33. Specify a subnet.
    Command: network network-address [ mask-length | mask mask ]
    Remarks: Not specified by default.
34. Specify the IP address range on the subnet for dynamic allocation.
    Command: network ip range min-address max-address
    Remarks: Optional. Not specified by default.
35. Specify the address lease duration.
    Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
    Remarks: Optional. One day by default.
36. Return to system view.
    Command: quit
    Remarks: N/A
37. Exclude IP addresses from automatic allocation.
    Command: dhcp server forbidden-ip low-ip-address [ high-ip-address ]
    Remarks: Optional. Except IP addresses of the DHCP server interfaces, all addresses in the DHCP address pool are assignable by default.
Configuring dynamic address allocation for an extended address pool
Extended address pools support dynamic address allocation only.
When configuring an extended address pool, you must specify:
• Assignable IP address range
• Mask
After the assignable IP address range and the mask are specified, the address pool becomes valid.
To configure dynamic address allocation for an extended address pool:
38. Enter system view.
    Command: system-view
    Remarks: N/A
39. Enter extended address pool view.
    Command: dhcp server ip-pool pool-name extended
    Remarks: N/A
40. Specify the IP address range.
    Command: network ip range min-address max-address
    Remarks: Not specified by default.
41. Specify the IP address mask.
    Command: network mask mask
    Remarks: Not specified by default.
42. Specify the IP address range for the DHCP clients of a specific vendor.
    Command: vendor-class-identifier hex-string&<1-255> ip range min-address max-address
    Remarks: Optional. Not configured by default.
43. Specify the address lease duration.
    Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
    Remarks: Optional. One day by default.
44. Exclude IP addresses from dynamic allocation.
    Command: forbidden-ip ip-address&<1-8>
    Remarks: Optional. Except IP addresses of the DHCP server interfaces, all addresses in the DHCP address pool are assignable by default.
Excluded IP addresses specified with the forbidden-ip command in DHCP address pool view are not
assignable in the current extended address pool, but are assignable in other address pools.
Specifying a domain name suffix for the client
You can specify a domain name suffix in each DHCP address pool on the DHCP server to provide the
clients with the domain name suffix. With this suffix assigned, the client only needs to input part of a
domain name, and the system adds the domain name suffix for name resolution. For more information
about DNS, see "Configuring IPv4 DNS."
To configure a domain name suffix in the DHCP address pool:
45. Enter system view.
    Command: system-view
    Remarks: N/A
46. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
47. Specify a domain name suffix.
    Command: domain-name domain-name
    Remarks: Not specified by default.
Specifying DNS servers for the client
To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to
resolve names. You can specify up to eight DNS servers in a DHCP address pool.
To configure DNS servers in a DHCP address pool:
48. Enter system view.
    Command: system-view
    Remarks: N/A
49. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
50. Specify DNS servers.
    Command: dns-list ip-address&<1-8>
    Remarks: No DNS server is specified by default.
Specifying WINS servers and NetBIOS node type for the client
A Microsoft DHCP client using NetBIOS protocol must contact a Windows Internet Naming Service
(WINS) server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP
address pool.
Specify a NetBIOS node type for the clients to use for name resolution. There are four NetBIOS node types:
• b (broadcast)-node—A b-node client sends the destination name in a broadcast message. The destination returns its IP address to the client after receiving the message.
• p (peer-to-peer)-node—A p-node client sends the destination name in a unicast message to the WINS server, and the WINS server returns the destination IP address.
• m (mixed)-node—An m-node client broadcasts the destination name. If it receives no response, it unicasts the destination name to the WINS server to get the destination IP address.
• h (hybrid)-node—An h-node client unicasts the destination name to the WINS server. If it receives no response, it broadcasts the destination name to get the destination IP address.
To configure WINS servers and NetBIOS node type in a DHCP address pool:
51. Enter system view.
    Command: system-view
    Remarks: N/A
52. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
53. Specify WINS servers.
    Command: nbns-list ip-address&<1-8>
    Remarks: Optional for b-node. No WINS server is specified by default.
54. Specify the NetBIOS node type.
    Command: netbios-type { b-node | h-node | m-node | p-node }
    Remarks: Not specified by default.
Specifying BIMS server information for the client
Perform this task to provide the branch intelligent management system (BIMS) server IP address, port
number, and shared key for the clients. The DHCP clients contact the BIMS server to get configuration files
and perform software update and backup.
To configure the BIMS server IP address, port number, and shared key in the DHCP address pool:
55. Enter system view.
    Command: system-view
    Remarks: N/A
56. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
57. Specify the BIMS server IP address, port number, and shared key.
    Command: bims-server ip ip-address [ port port-number ] sharekey [ cipher | simple ] key
    Remarks: No BIMS server information is specified by default.
Specifying gateways for the client
58. Enter system view.
    Command: system-view
    Remarks: N/A
59. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
60. Specify gateways.
    Command: gateway-list ip-address&<1-8>
    Remarks: No gateway is specified by default. You can specify up to eight gateways in a DHCP address pool.
Configuring Option 184 parameters for the client with voice service
To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the
DHCP server. For more information about Option 184, see "DHCP overview."
To configure Option 184 parameters in a DHCP address pool:
61. Enter system view.
    Command: system-view
    Remarks: N/A
62. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
63. Specify the IP address of the network calling processor.
    Command: voice-config ncp-ip ip-address
    Remarks: No primary network calling processor is specified by default. Specify an IP address for the network calling processor before performing other configurations.
64. Specify the IP address of the backup network calling processor.
    Command: voice-config as-ip ip-address
    Remarks: Optional. No backup network calling processor is specified by default.
65. Configure the voice VLAN.
    Command: voice-config voice-vlan vlan-id { disable | enable }
    Remarks: Optional. No voice VLAN is configured by default.
66. Specify the failover IP address and dialer string.
    Command: voice-config fail-over ip-address dialer-string
    Remarks: Optional. No failover IP address or dialer string is specified by default.
Configuring the TFTP server and bootfile name for the client
For the DHCP server to support client auto-configuration, specify the IP address or name of a TFTP server
and the bootfile name in the DHCP address pool. You do not need to perform any configuration on the
DHCP client.
The DHCP client obtains these parameters from the DHCP server, and uses them to contact the TFTP
server to request the configuration file used for system initialization.
1. When a router starts up without loading any configuration file, the system sets an active interface (such as the interface of the default VLAN or a Layer 3 Ethernet interface) as the DHCP client to request from the DHCP server for parameters, such as an IP address and name of a TFTP server, and the bootfile name.
2. After receiving related parameters, the DHCP client sends a TFTP request to obtain the configuration file from the specified TFTP server for system initialization. If the client cannot get such parameters, it performs system initialization without loading any configuration file.
To configure the IP address and name of the TFTP server and the bootfile name in the DHCP address
pool:
67. Enter system view.
    Command: system-view
    Remarks: N/A
68. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
69. Specify the IP address or the name of the TFTP server.
    Command: Specify the TFTP server: tftp-server ip-address ip-address
             Specify the name of the TFTP server: tftp-server domain-name domain-name
    Remarks: Use either command. Not specified by default.
70. Specify the bootfile name.
    Command: bootfile-name bootfile-name
    Remarks: Not specified by default.
Specifying a server's IP address for the DHCP client
Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You
can specify the IP address of that server in each address pool of the DHCP server. The DHCP server sends
the server's IP address to DHCP clients along with other configuration information.
To specify the IP address of a server:
71. Enter system view.
    Command: system-view
    Remarks: N/A
72. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
73. Specify the IP address of a server.
    Command: next-server ip-address
    Remarks: Not specified by default.
Configuring self-defined DHCP options
CAUTION:
Be careful when configuring self-defined DHCP options because such configuration might affect DHCP
operation.
By configuring self-defined DHCP options, you can:
• Define new DHCP options. New options are introduced as DHCP evolves. To support these new options, you can add them into the attribute list of the DHCP server.
• Define existing DHCP options. Vendors use Option 43 to define options that have no unified definitions in RFC 2132. The self-defined DHCP option enables DHCP clients to obtain vendor-specific information.
• Extend existing DHCP options. When the current DHCP options cannot meet the customers' requirements (for example, you cannot use the dns-list command to configure more than eight DNS server addresses), you can configure a self-defined option for extension.
To configure a self-defined DHCP option in a DHCP address pool:
74. Enter system view.
    Command: system-view
    Remarks: N/A
75. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
76. Configure a self-defined DHCP option.
    Command: option code { ascii ascii-string | hex hex-string&<1-16> | ip-address ip-address&<1-8> }
    Remarks: No self-defined DHCP option is configured by default.
See Table 1 for a description of common options and corresponding commands.
Table 1 Common DHCP options
Option | Option name | Corresponding command | Command parameter
3 | Router Option | gateway-list | ip-address
6 | Domain Name Server Option | dns-list | ip-address
15 | Domain Name | domain-name | ascii
44 | NetBIOS over TCP/IP Name Server Option | nbns-list | ip-address
46 | NetBIOS over TCP/IP Node Type Option | netbios-type | hex
66 | TFTP server name | tftp-server | ascii
67 | Bootfile name | bootfile-name | ascii
43 | Vendor Specific Information | N/A | hex
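The option command accepts a value in one of three forms, and the server places the result on the wire as a type-length-value triple whose length byte caps the value at 255 bytes. The following added Python encoder (written for this page; not HP code and not the router's implementation) builds that on-wire form for each form, enforces the &<1-16> and &<1-8> argument counts and the 255-byte limit, and nests vendor sub-options inside Option 43 as vendors typically do. The sub-option codes and all sample values are constructed; the h-node value 0x08 for Option 46 is the standard NetBIOS node-type encoding.

```python
from ipaddress import IPv4Address


def encode_option(code: int, kind: str, *values: str) -> bytes:
    """Build the on-wire TLV for one self-defined option. kind mirrors the command
    keywords: ascii (one string), hex (1-16 hex strings), ip-address (1-8 addresses)."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1-254 (0 is pad, 255 is end)")
    if kind == "ascii":
        if len(values) != 1:
            raise ValueError("ascii takes exactly one string")
        payload = values[0].encode("ascii")              # non-ASCII text is rejected
    elif kind == "hex":
        if not 1 <= len(values) <= 16:
            raise ValueError("hex takes 1-16 hex strings")
        payload = b"".join(bytes.fromhex(v) for v in values)
    elif kind == "ip-address":
        if not 1 <= len(values) <= 8:
            raise ValueError("ip-address takes 1-8 addresses")
        payload = b"".join(IPv4Address(v).packed for v in values)
    else:
        raise ValueError("kind must be ascii, hex or ip-address")
    if not 1 <= len(payload) <= 255:                     # one-byte length field
        raise ValueError("option value must be 1-255 bytes")
    return bytes([code, len(payload)]) + payload


def vendor_specific(sub_options: dict) -> bytes:
    """Option 43 as vendors typically use it: their own TLVs nested in the value,
    terminated by 0xff, handed to the option command as a single hex string."""
    body = b""
    for sub_code, value in sub_options.items():
        if not 1 <= sub_code <= 254 or not 1 <= len(value) <= 255:
            raise ValueError("bad vendor sub-option")
        body += bytes([sub_code, len(value)]) + value
    return encode_option(43, "hex", (body + b"\xff").hex())


def demo() -> dict:
    """Constructed values matching rows of Table 1 (Option 46 h-node is 0x08);
    the Option 43 sub-option codes 1 and 2 are made up for the example."""
    return {
        "node_type": encode_option(46, "hex", "08"),
        "domain": encode_option(15, "ascii", "example.com"),
        "dns": encode_option(6, "ip-address", "10.1.1.2", "10.1.1.3"),
        "vendor": vendor_specific({1: b"acs.example.com", 2: b"\x01"}),
    }
```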
Enabling DHCP
DHCP must be enabled before any other DHCP configuration takes effect.
To enable DHCP:
77. Enter system view.
    Command: system-view
    Remarks: N/A
78. Enable DHCP.
    Command: dhcp enable
    Remarks: Disabled by default.
Enabling the DHCP server on an interface
Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the
interface, the DHCP server assigns an IP address and other configuration parameters from the DHCP
address pool to the DHCP client.
Configuration guidelines
Follow these guidelines when you enable the DHCP server on an interface:
• If a DHCP relay agent exists between the DHCP server and client, the DHCP server, regardless of whether the subaddress keyword is used, selects an IP address from the address pool containing the primary IP address of the DHCP relay agent's interface (connected to the client) for a requesting client.
• When the DHCP server and client are on the same subnet:
    • With the keyword subaddress specified, the DHCP server preferably assigns an IP address from an address pool that resides on the same subnet as the primary IP address of the server interface (connecting to the client). If the address pool contains no assignable IP address, the server assigns an IP address from an address pool that resides on the same subnet as the secondary IP addresses of the server interface. If the interface has multiple secondary IP addresses, each address pool is tried in turn for address allocation.
    • Without the keyword subaddress specified, the DHCP server can only assign an IP address from the address pool that resides on the same subnet as the primary IP address of the server interface.
Configuration procedure
To enable the DHCP server on an interface:
79. Enter system view.
    Command: system-view
    Remarks: N/A
80. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
81. Enable the DHCP server on the interface.
    Command: dhcp select server global-pool [ subaddress ]
    Remarks: Optional. Enabled by default.
Applying an extended address pool on an interface
After you create an extended address pool and apply it on an interface, a DHCP server, upon receiving
a client's request on the interface, attempts to assign the client the statically bound IP address first and
then an IP address from the specified address pool. If no IP address is available in this address pool,
address allocation fails, and the DHCP server does not assign the client any IP address from other
address pools.
Only an extended address pool can be applied on the interface. The address pool to be referenced must
already exist.
To apply an extended address pool on an interface:
82. Enter system view.
    Command: system-view
    Remarks: N/A
83. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
84. Apply an extended address pool on the interface.
    Command: dhcp server apply ip-pool pool-name
    Remarks: Optional. By default, the DHCP server has no extended address pool applied on its interface, and assigns an IP address from a common address pool to a requesting client.
Configuring the DHCP server security functions
Configuration prerequisites
Before you perform this configuration, complete the following configurations on the DHCP server:
1. Enable DHCP.
2. Configure the DHCP address pool.
Enabling unauthorized DHCP server detection
Unauthorized DHCP servers on a network might assign wrong IP addresses to DHCP clients.
With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request
contains Option 54 (Server Identifier Option). If yes, the DHCP server records in the option the IP address
of the DHCP server that assigned an IP address to a requesting DHCP client and records the receiving
interface. The administrator can use this information to check for unauthorized DHCP servers.
To enable unauthorized DHCP server detection:
85. Enter system view.
    Command: system-view
    Remarks: N/A
86. Enable unauthorized DHCP server detection.
    Command: dhcp server detect
    Remarks: Disabled by default.
With the unauthorized DHCP server detection enabled, the device logs each detected DHCP server once.
The administrator can use the log information to find unauthorized DHCP servers.
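As an added illustration of what this check looks at (written for this page; not HP code and not the router's implementation), the following Python parses the options field of a constructed DHCPREQUEST, extracts the server identifier from Option 54, and records each server once together with the receiving interface, tagging any address that is not one of the device's own. The own-address list, interface names, and all message contents are assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPDISCOVER, DHCPREQUEST = 1, 3


def parse_options(message: bytes) -> dict:
    """Return {code: value} for the options field of a DHCP message.
    Malformed input raises ValueError instead of yielding a partial result."""
    if len(message) < 240 or message[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(message):
        code = message[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, value)            # keep the first copy of a repeated option
        i += 2 + length
    return options


class ServerDetector:
    """Mirrors the check described above: a REQUEST carrying Option 54 names the server
    the client chose, so that address and the receiving interface are recorded, once."""

    def __init__(self, own_ips):
        self.own_ips = {IPv4Address(a) for a in own_ips}   # this device's own server addresses
        self.seen = {}                                      # server IP -> interface first seen on
        self.log = []

    def inspect(self, message: bytes, iface: str):
        options = parse_options(message)
        if options.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
            return None
        server_id = options.get(OPT_SERVER_ID)
        if server_id is None:
            return None                                     # nothing to record without Option 54
        if len(server_id) != 4:
            raise ValueError("Option 54 must carry exactly one IPv4 address")
        server = IPv4Address(server_id)
        if server not in self.seen:                         # each server is logged only once
            self.seen[server] = iface
            tag = "own" if server in self.own_ips else "UNAUTHORIZED"
            self.log.append(f"{tag} DHCP server {server} chosen by a client on {iface}")
        return str(server)


def build_request(msg_type: int, client_mac: bytes, server_id: str = None) -> bytes:
    """Constructed client message: 236-byte BOOTP header, magic cookie, then options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def demo():
    """Constructed traffic on one interface: a client that chose this server, then one
    that accepted an offer from an address that is not ours."""
    det = ServerDetector(own_ips=["10.1.1.1"])
    mac = bytes.fromhex("000fe20001c0")
    det.inspect(build_request(DHCPDISCOVER, mac), "Eth1/1")               # no Option 54: ignored
    det.inspect(build_request(DHCPREQUEST, mac, "10.1.1.1"), "Eth1/1")    # our own server
    det.inspect(build_request(DHCPREQUEST, mac, "10.1.1.250"), "Eth1/1")  # unknown server
    det.inspect(build_request(DHCPREQUEST, mac, "10.1.1.250"), "Eth1/1")  # already logged
    return det
```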
Configuring IP address conflict detection
Before assigning an IP address, the DHCP server pings that IP address.
• If the server receives a response within the specified period, it selects and pings another IP address.
• If it receives no response, the server continues to ping the IP address until a specific number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. (The DHCP client probes the IP address by sending gratuitous ARP packets.)
To configure IP address conflict detection:
87. Enter system view.
    Command: system-view
    Remarks: N/A
88. Specify the maximum number of ping packets to be sent for conflict detection.
    Command: dhcp server ping packets number
    Remarks: Optional. The default setting is one. The value 0 disables IP address conflict detection.
89. Configure the ping timeout time.
    Command: dhcp server ping timeout milliseconds
    Remarks: Optional. The default setting is 500 ms. The value 0 disables IP address conflict detection.
Configuring the DHCP server to work with authorized ARP
Only the clients that obtain an IP address from the DHCP server are considered as authorized clients. If
the DHCP server also serves as the gateway, the DHCP server can work with authorized ARP to block
unauthorized clients and prevent ARP spoofing attacks.
To enable the DHCP server to work with authorized ARP, perform the following:
• Configure the DHCP server to support authorized ARP—The DHCP server notifies authorized ARP to add/delete/change authorized ARP entries when adding/deleting/changing IP address leases.
• Enable authorized ARP—The ARP automatic learning function is disabled after you enable authorized ARP. ARP entries are added according to the IP address leases specified by the DHCP server, to avoid learning incorrect ARP entries.
The DHCP server works with authorized ARP for the following purposes:
• Only the clients that have obtained IP addresses from the DHCP server and have their ARP entries recorded on the DHCP server are authorized clients and can access the network.
• The clients that have not obtained IP addresses from the DHCP server are considered unauthorized clients and are unable to access the network.
• Disabling ARP automatic learning prevents network attacks such as IP/MAC address spoofing attacks, and only authorized users can access the network.
Configuration guidelines
Follow these guidelines when you configure the DHCP server to work with authorized ARP:
• Authorized ARP can only be configured on Layer 3 interfaces.
• When the working mode of the interface is changed from DHCP server to DHCP relay agent, neither the IP address leases nor the authorized ARP entries are deleted. Because these ARP entries might conflict with new ARP entries generated on the DHCP relay agent, HP recommends that you delete the existing IP address leases by using the reset dhcp server ip-in-use command before changing the interface working mode to DHCP relay agent.
• Disabling the DHCP server support for authorized ARP does not delete the IP address leases, but deletes the corresponding authorized ARP entries.
For more information about authorized ARP, see Security Configuration Guide. For more information
about the arp authorized enable command, see Security Command Reference.
Configuration procedure
To configure the DHCP server to work with authorized ARP:
90. Enter system view.
    Command: system-view
    Remarks: N/A
91. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
92. Enable the DHCP server to work with authorized ARP.
    Command: dhcp update arp
    Remarks: Not enabled by default.
93. Enable authorized ARP.
    Command: arp authorized enable
    Remarks: Disabled by default.
Enabling client offline detection
With this feature enabled, the DHCP server considers that a DHCP client goes offline when the ARP entry
for the client ages out. In addition, it removes the client's IP-to-MAC binding entry and releases the IP
address of the client. Removing an ARP entry manually does not remove the corresponding client's
IP-to-MAC binding.
To enable offline detection:
94. Enter system view.
    Command: system-view
    Remarks: N/A
95. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
96. Enable offline detection.
    Command: dhcp server client-detect enable
    Remarks: Disabled by default.
Enabling handling of Option 82
With Option 82 handling enabled, when the DHCP server receives a request with Option 82, it adds
Option 82 into the response.
If the server is configured to ignore Option 82, it assigns an IP address to the client without adding
Option 82 in the response message.
Configuration prerequisites
Before you perform this configuration, complete the following configuration on the DHCP server:
1. Enable DHCP.
2. Configure the DHCP address pool.
Enabling Option 82 handling
To enable the DHCP server to handle Option 82:
97. Enter system view.
    Command: system-view
    Remarks: N/A
98. Enable the server to handle Option 82.
    Command: dhcp server relay information enable
    Remarks: Optional. Enabled by default.
Supporting Option 82 requires configuring both the DHCP server and the relay agent (or the device enabled with DHCP snooping). For more information, see "Configuring the DHCP relay agent" and "Configuring DHCP snooping."
Specifying the threshold for sending trap messages
Configuration prerequisites
Before you perform the configuration, use the snmp-agent target-host command to specify the
destination address of the trap messages. For more information about the command, see Network
Management and Monitoring Command Reference.
Configuration procedure
A DHCP server sends trap messages to the network management server when one of the following items
reaches the specified threshold:
• The ratio of successfully allocated IP addresses to received DHCP requests
• The average IP address utilization of the address pool
• The maximum IP address utilization of the address pool
Trap messages help network administrators know the latest usage information of the DHCP server.
To specify the threshold for sending trap messages:
99. Enter system view.
    Command: system-view
    Remarks: N/A
100. Specify the threshold for sending trap messages to the network management server.
    Command: dhcp server threshold { allocated-ip threshold-value | average-ip-use threshold-value | max-ip-use threshold-value }
    Remarks: Optional. Disabled by default.
Displaying and maintaining the DHCP server
NOTE:
A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease
information. The DHCP server denies any DHCP request for lease extension, and the client must request an
IP address again.
Display information about IP address conflicts.
    Command: display dhcp server conflict { all | ip ip-address } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display information about lease expiration.
    Command: display dhcp server expired { all | ip ip-address | pool [ pool-name ] } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display information about assignable IP addresses.
    Command: display dhcp server free-ip [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display IP addresses excluded from automatic allocation in the DHCP address pool.
    Command: display dhcp server forbidden-ip [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display information about bindings.
    Command: display dhcp server ip-in-use { all | ip ip-address | pool [ pool-name ] } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display information about DHCP server statistics.
    Command: display dhcp server statistics [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display tree organization information of address pools.
    Command: display dhcp server tree { all | pool [ pool-name ] } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Clear information about IP address conflicts.
    Command: reset dhcp server conflict { all | ip ip-address }
    Remarks: Available in user view.
Clear information about dynamic bindings.
    Command: reset dhcp server ip-in-use { all | ip ip-address | pool [ pool-name ] }
    Remarks: Available in user view.
Clear information about DHCP server statistics.
    Command: reset dhcp server statistics
    Remarks: Available in user view.
DHCP server configuration examples
DHCP networking involves two types:
• The DHCP server and client are on the same subnet and perform direct message delivery.
• The DHCP server and client are not on the same subnet and communicate with each other through
a DHCP relay agent.
The DHCP server configuration for the two types is the same.
Static IP address assignment configuration example
Network requirements
As shown in Figure 22, Router A (DHCP server) assigns a static IP address, DNS server address, and
gateway address to Router B (DHCP client) and Router C (BOOTP client), respectively.
The MAC address of the interface Ethernet 1/1 on Router C is 000f-e200-01c0.
The client ID of the interface Ethernet 1/1 on Router B is:
3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30.
Figure 22 Network diagram: Router A (DHCP server, Eth1/1 10.1.1.1/25) connects to Router B (DHCP client, Eth1/1), Router C (BOOTP client, Eth1/1), the gateway 10.1.1.126/25, and the DNS server 10.1.1.2/25.
Configuration procedure
1. Configure the IP address of Ethernet 1/1 on Router A:
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 10.1.1.1 25
[RouterA-Ethernet1/1] quit
2. Configure the DHCP server:
# Enable DHCP.
[RouterA] dhcp enable
# Enable the DHCP server on Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select server global-pool
[RouterA-Ethernet1/1] quit
# Create DHCP address pool 0, and configure a static binding, DNS server and gateway in it.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] static-bind ip-address 10.1.1.5 25
[RouterA-dhcp-pool-0] static-bind client-identifier 3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30
[RouterA-dhcp-pool-0] dns-list 10.1.1.2
[RouterA-dhcp-pool-0] gateway-list 10.1.1.126
[RouterA-dhcp-pool-0] quit
# Create DHCP address pool 1, and configure a static binding, DNS server and gateway in it.
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] static-bind ip-address 10.1.1.6 25
[RouterA-dhcp-pool-1] static-bind mac-address 000f-e200-01c0
[RouterA-dhcp-pool-1] dns-list 10.1.1.2
[RouterA-dhcp-pool-1] gateway-list 10.1.1.126
Verifying the configuration
After the preceding configuration is complete, Router B can obtain IP address 10.1.1.5 and other network
parameters, and Router C can obtain IP address 10.1.1.6 and other network parameters from Router A.
You can use the display dhcp server ip-in-use command on the DHCP server to view the IP addresses
assigned to the clients.
Dynamic IP address assignment configuration example
Network requirements
As shown in Figure 23, the DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24,
which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
The IP addresses of Ethernet 1/1 and Ethernet 1/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25
respectively.
In subnet 10.1.1.0/25, the address lease duration is ten days and twelve hours, the domain name suffix
is aabbcc.com, the DNS server address is 10.1.1.2/25, the WINS server address is 10.1.1.4/25, and the
gateway address is 10.1.1.126/25.
In the subnet 10.1.1.128/25, the address lease duration is five days, the domain name suffix is
aabbcc.com, the DNS server address is 10.1.1.2/25, and the gateway address is 10.1.1.254/25. There
is no WINS server address.
The domain name suffix and DNS server address on subnets 10.1.1.0/25 and 10.1.1.128/25 are the
same. Therefore, the domain name suffix and DNS server address need to be configured only for subnet
10.1.1.0/24. Subnet 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of subnet 10.1.1.0/24.
Figure 23 Network diagram: Router A (DHCP server) has Eth1/1 10.1.1.1/25 and Eth1/2 10.1.1.129/25, each connecting DHCP clients (including Router B); gateway A 10.1.1.126/25, the DNS server 10.1.1.2/25 and the WINS server 10.1.1.4/25 are on subnet 10.1.1.0/25, and gateway B 10.1.1.254/25 is on subnet 10.1.1.128/25.
Configuration procedure
1. Specify IP addresses for interfaces. (Details not shown.)
2. Configure the DHCP server:
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Enable the DHCP server on Ethernet 1/1 and Ethernet 1/2.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select server global-pool
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] dhcp select server global-pool
[RouterA-Ethernet1/2] quit
# Exclude IP addresses from dynamic allocation (addresses of the DNS server, WINS server, and
gateways).
[RouterA] dhcp server forbidden-ip 10.1.1.2
[RouterA] dhcp server forbidden-ip 10.1.1.4
[RouterA] dhcp server forbidden-ip 10.1.1.126
[RouterA] dhcp server forbidden-ip 10.1.1.254
# Configure DHCP address pool 0 (subnet, client domain name suffix, and DNS server address).
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] domain-name aabbcc.com
[RouterA-dhcp-pool-0] dns-list 10.1.1.2
[RouterA-dhcp-pool-0] quit
# Configure DHCP address pool 1 (subnet, gateway, WINS server, and lease duration).
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128
[RouterA-dhcp-pool-1] gateway-list 10.1.1.126
[RouterA-dhcp-pool-1] expired day 10 hour 12
[RouterA-dhcp-pool-1] nbns-list 10.1.1.4
[RouterA-dhcp-pool-1] quit
# Configure DHCP address pool 2 (subnet, gateway and lease duration).
[RouterA] dhcp server ip-pool 2
[RouterA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[RouterA-dhcp-pool-2] expired day 5
[RouterA-dhcp-pool-2] gateway-list 10.1.1.254
Verifying the configuration
After the preceding configuration is complete, clients on networks 10.1.1.0/25 and 10.1.1.128/25 can
obtain correct IP addresses and other network parameters from Router A. You can use the display dhcp
server ip-in-use command on the DHCP server to view the IP addresses assigned to the clients.
Self-defined option configuration example
Network requirements
As shown in Figure 24, the DHCP client (Router B) obtains its IP address and PXE server addresses from
the DHCP server (Router A). The IP address belongs to subnet 10.1.1.0/24. The PXE server addresses are
1.2.3.4 and 2.2.2.2.
The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a self-defined option.
The format of Option 43 and that of the PXE server address sub-option are shown in Figure 12 and Figure
14, respectively. The value of Option 43 configured on the DHCP server in this example is 80 0B 00 00
02 01 02 03 04 02 02 02 02. The number 80 is the value of the sub-option type. The number 0B is the
value of the sub-option length. The numbers 00 00 are the value of the PXE server type. The number 02
indicates the number of servers. The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server
addresses are 1.2.3.4 and 2.2.2.2.
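The Option 43 value above can be decoded, and built for the option 43 hex command, with the following added Python example (not code from the HP guide; the function names are my own and the layout is the one this example describes: sub-option type, length, two-byte PXE server type, server count, then one IPv4 address per server):

```python
"""Encode and decode the PXE server address sub-option carried in DHCP Option 43,
in the layout this guide's example uses:

    sub-option type (1 byte, 0x80) | length (1 byte) | PXE server type (2 bytes)
    | server count (1 byte) | count * IPv4 address (4 bytes each)

Added example; not part of the HP guide. Function names are my own.
"""
import ipaddress

PXE_SERVER_SUBOPTION = 0x80


def encode_pxe_suboption(addresses, server_type=0):
    """Build the raw bytes of the PXE server sub-option for a list of IPv4 addresses."""
    if not 0 < len(addresses) <= 255:
        raise ValueError("server count must be non-zero and fit in one byte")
    body = server_type.to_bytes(2, "big") + bytes([len(addresses)])
    for addr in addresses:
        body += ipaddress.IPv4Address(addr).packed
    if len(body) > 255:
        raise ValueError("sub-option body exceeds the one-byte length field")
    return bytes([PXE_SERVER_SUBOPTION, len(body)]) + body


def format_option43_hex(raw):
    """Render bytes as the space-separated hex string the 'option 43 hex' command takes."""
    return " ".join(f"{b:02X}" for b in raw)


def decode_option43(hex_string):
    """Parse an Option 43 value (space-separated hex) into a list of sub-options.

    Each sub-option becomes a dict with 'type' and 'length'; the PXE server sub-option
    additionally gets 'server_type' and 'addresses'.  A length field that does not match
    the data raises ValueError instead of silently reading past the end.
    """
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    subopts = []
    pos = 0
    while pos < len(raw):
        if raw[pos] == 0xFF:            # optional end marker inside Option 43
            break
        if pos + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        sub_type, sub_len = raw[pos], raw[pos + 1]
        body = raw[pos + 2: pos + 2 + sub_len]
        if len(body) != sub_len:
            raise ValueError(f"sub-option {sub_type:#x} length {sub_len} exceeds data")
        entry = {"type": sub_type, "length": sub_len}
        if sub_type == PXE_SERVER_SUBOPTION:
            if sub_len < 3:
                raise ValueError("PXE sub-option too short for server type and count")
            count = body[2]
            if 3 + 4 * count != sub_len:
                raise ValueError("PXE server count does not match sub-option length")
            entry["server_type"] = int.from_bytes(body[0:2], "big")
            entry["addresses"] = [
                str(ipaddress.IPv4Address(body[3 + 4 * i: 7 + 4 * i])) for i in range(count)
            ]
        subopts.append(entry)
        pos += 2 + sub_len
    return subopts


if __name__ == "__main__":
    # The value configured in this guide's example: PXE servers 1.2.3.4 and 2.2.2.2.
    value = "80 0B 00 00 02 01 02 03 04 02 02 02 02"
    print(decode_option43(value))
    print(format_option43_hex(encode_pxe_suboption(["1.2.3.4", "2.2.2.2"])))
```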
Figure 24 Network diagram
Configuration procedure
1. Specify the IP address of interface Ethernet 1/1. (Details not shown.)
2. Configure the DHCP server:
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Enable the DHCP server on Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select server global-pool
[RouterA-Ethernet1/1] quit
# Configure DHCP address pool 0.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] option 43 hex 80 0B 00 00 02 01 02 03 04 02 02 02 02
Verifying the configuration
After the preceding configuration is complete, Router B can obtain its IP address on 10.1.1.0/24 and the
PXE server addresses from Router A. You can use the display dhcp server ip-in-use command on the
DHCP server to view the IP addresses assigned to the clients.
Troubleshooting DHCP server configuration
Symptom
A client's IP address obtained from the DHCP server conflicts with another IP address.
Analysis
Another host on the subnet might have the same IP address.
Solution
1. Disable the client's network adapter or disconnect the client's network cable. Ping the IP address
of the client from another host to check whether there is a host using the same IP address.
2. If a ping response is received, the IP address has been manually configured on a host. Execute the
dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic
allocation.
3. Enable the network adapter or connect the network cable. Release the IP address and obtain
another one on the client. For example, to release the IP address and obtain another one on a
Windows XP DHCP client:
a. In Windows environment, select Start > Run.
b. Enter cmd in the dialog box, and click OK to enter the command line interface.
c. Enter ipconfig/release to relinquish the IP address.
d. Enter ipconfig/renew to obtain another IP address.
Configuring the DHCP relay agent
The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces),
virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, Layer 3 aggregate interfaces, and serial
interfaces.
Overview
The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This
feature avoids deploying a DHCP server for each subnet, centralizes management, and reduces
investment.
An MCE device serving as the DHCP relay agent can forward DHCP packets not only between a DHCP
server and clients on a public network, but also between a DHCP server and clients on a private network.
Note that the IP address ranges of the public and private networks or those of private networks cannot
overlap each other. For more information about MCE, see MPLS Configuration Guide.
Fundamentals
Figure 25 shows a typical application of the DHCP relay agent.
Figure 25 DHCP relay agent application
The DHCP server and client interact with each other in the same way regardless of whether the relay
agent exists (see "DHCP overview").
Figure 26 DHCP relay agent work process
1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client,
the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the
message to the designated DHCP server in unicast mode.
2. Based on the giaddr field, the DHCP server returns an IP address and other configuration
parameters in a response to the relay agent, and the relay agent conveys it to the client.
DHCP relay agent support for Option 82
Option 82 records the location information of the DHCP client. It enables the administrator to locate the
DHCP client for security control and accounting purposes. For more information, see "DHCP overview."
If the DHCP relay agent supports Option 82, it handles a DHCP request according to Option 82, if any.
The handling strategies are described in Table 2.
If a response returned by the DHCP server contains Option 82, the DHCP relay agent removes the Option
82 before forwarding the response to the client.
Table 2 Handling strategies of the DHCP relay agent
If a DHCP request has Option 82:
• Handling strategy Drop, padding format Random: the DHCP relay agent drops the message.
• Handling strategy Keep, padding format Random: the DHCP relay agent forwards the message without changing Option 82.
• Handling strategy Replace, padding format normal: the DHCP relay agent forwards the message after replacing the original Option 82 with the Option 82 padded in normal format.
• Handling strategy Replace, padding format verbose: the DHCP relay agent forwards the message after replacing the original Option 82 with the Option 82 padded in verbose format.
• Handling strategy Replace, padding format user-defined: the DHCP relay agent forwards the message after replacing the original Option 82 with the user-defined Option 82.
If a DHCP request has no Option 82:
• Handling strategy N/A, padding format normal: the DHCP relay agent forwards the message after adding Option 82 padded in normal format.
• Handling strategy N/A, padding format verbose: the DHCP relay agent forwards the message after adding the Option 82 padded in verbose format.
• Handling strategy N/A, padding format user-defined: the DHCP relay agent forwards the message after adding the user-defined Option 82.
DHCP relay agent configuration task list
Task: Enabling DHCP. Remarks: Required.
Task: Enabling the DHCP relay agent on an interface. Remarks: Required.
Task: Correlating a DHCP server group with a relay agent interface. Remarks: Required.
Task: Configuring the DHCP relay agent security functions. Remarks: Optional.
Task: Enabling client offline detection. Remarks: Optional.
Task: Configuring the DHCP relay agent to release an IP address. Remarks: Optional.
Task: Configuring the DHCP relay agent to handle Option 82. Remarks: Optional.
Enabling DHCP
Enable DHCP to validate other DHCP relay agent settings.
To enable DHCP:
Step 101. Enter system view.
  Command: system-view
  Remarks: N/A
Step 102. Enable DHCP.
  Command: dhcp enable
  Remarks: Disabled by default.
Enabling the DHCP relay agent on an interface
With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server
for address allocation.
An IP address pool that contains the IP address of the DHCP relay agent interface must be configured on
the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP
addresses.
To enable the DHCP relay agent on an interface:
Step 103. Enter system view.
  Command: system-view
  Remarks: N/A
Step 104. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 105. Enable the DHCP relay agent on the current interface.
  Command: dhcp select relay
  Remarks: By default, with DHCP enabled, an interface operates in DHCP server mode.
Correlating a DHCP server group with a relay
agent interface
To improve availability, you can specify several DHCP servers as a group on the DHCP relay agent and
correlate a relay agent interface with the server group. When the interface receives request messages
from clients, the relay agent forwards them to all DHCP servers of the group.
Configuration guidelines
Follow these guidelines when you correlate a DHCP server group with a relay agent interface:
• You can specify up to 20 DHCP server groups on the relay agent.
• You can specify up to eight DHCP server addresses for each DHCP server group.
• The IP addresses of DHCP servers and those of relay agent's interfaces that connect DHCP clients
cannot be on the same subnet. Otherwise, the client cannot obtain an IP address.
• A DHCP server group can correlate with one or multiple DHCP relay agent interfaces, while a relay
agent interface can only correlate with one DHCP server group. If you use the dhcp relay
server-select command multiple times, the most recent configuration takes effect.
• The group-id argument in the dhcp relay server-select command is configured by using the dhcp
relay server-group command.
Configuration procedure
To correlate a DHCP server group with a relay agent interface:
Step 106. Enter system view.
  Command: system-view
  Remarks: N/A
Step 107. Create a DHCP server group and add a server into the group.
  Command: dhcp relay server-group group-id ip ip-address
  Remarks: Not created by default.
Step 108. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 109. Correlate the DHCP server group with the current interface.
  Command: dhcp relay server-select group-id
  Remarks: By default, no interface is correlated with any DHCP server group.
Configuring the DHCP relay agent security
functions
Configuring address check
Address check can block illegal hosts from accessing external networks.
With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings
after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the
DHCP relay agent so that users can access external networks using fixed IP addresses.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in
the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent
does not learn the ARP entry of the host, and does not forward any reply to the host, which therefore
cannot access external networks through the DHCP relay agent.
Configuration guidelines
Follow these guidelines when you configure address check:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet
interfaces (including subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.
• Before enabling address check on an interface, you must enable the DHCP service, and enable the
DHCP relay agent on the interface. Otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command only checks IP and MAC addresses but not
interfaces.
• When using the dhcp relay security static command to bind an interface to a static binding entry,
make sure that the interface is configured as a DHCP relay agent. Otherwise, address entry
conflicts might occur.
• When a synchronous/asynchronous serial interface requests an IP address through DHCP, the
DHCP relay agent does not record the corresponding IP-to-MAC binding.
Configuration procedure
To create a static binding and enable address check:
Step 110. Enter system view.
  Command: system-view
  Remarks: N/A
Step 111. Create a static binding.
  Command: dhcp relay security static ip-address mac-address [ interface interface-type interface-number ]
  Remarks: Optional. No static binding is created by default.
Step 112. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 113. Enable address check.
  Command: dhcp relay address-check enable
  Remarks: Disabled by default.
Configuring periodic refresh of dynamic client entries
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The
DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC
entry of the client.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP
relay interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within a specific interval,
the DHCP relay agent ages out the entry.
• If the server returns a DHCP-NAK message, the relay agent keeps the entry.
To configure periodic refresh of dynamic client entries:
Step 114. Enter system view.
  Command: system-view
  Remarks: N/A
Step 115. Enable periodic refresh of dynamic client entries.
  Command: dhcp relay security refresh enable
  Remarks: Optional. Enabled by default.
Step 116. Configure the refresh interval.
  Command: dhcp relay security tracker { interval | auto }
  Remarks: Optional. The default setting is auto. The auto interval is calculated by the relay agent according to the number of client entries.
Configuring the DHCP relay agent to work with authorized ARP
Only clients that obtain an IP address from the DHCP server are considered as authorized clients. If the
DHCP relay agent serves as the gateway, it can work with authorized ARP to block unauthorized clients
and prevent ARP spoofing attacks.
To enable the DHCP relay agent to work with authorized ARP:
• Configure the DHCP relay agent to support authorized ARP—With this function enabled, the DHCP
relay agent automatically records DHCP clients' IP-to-MAC bindings (called client entries), and
notifies authorized ARP to add/delete/change authorized ARP entries when
adding/deleting/changing client entries.
• Enable authorized ARP—The ARP automatic learning function is disabled after you enable
authorized ARP. ARP entries are added according to the client entries recorded by the DHCP relay
agent to avoid learning incorrect ARP entries.
The DHCP relay agent works with authorized ARP for the following purposes:
• Only the clients that have obtained IP addresses from the DHCP server and have their IP-to-MAC
bindings recorded on the DHCP relay agent are authorized clients. Only authorized clients can
access the network.
• Clients that have not obtained IP addresses from the DHCP server are considered unauthorized
clients and are unable to access the network.
• Disabling ARP automatic learning prevents network attacks such as IP/MAC address spoofing
attacks, and only authorized users can access the network, enhancing network security.
Configuration guidelines
• Authorized ARP can only be configured on Layer 3 Ethernet interfaces.
• Disabling the DHCP relay agent to support authorized ARP deletes the corresponding authorized
ARP entries.
• Because the DHCP relay agent does not notify the authorized ARP module of the static bindings,
you need to configure the corresponding static ARP entries for authorized users that have statically
specified IP addresses.
• For more information about authorized ARP, see Security Configuration Guide. For more
information about the arp authorized enable command, see Security Command Reference.
Configuration procedure
To configure the DHCP relay agent to work with authorized ARP:
Step 117. Enter system view.
  Command: system-view
  Remarks: N/A
Step 118. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 119. Enable the DHCP relay agent to work with authorized ARP.
  Command: dhcp update arp
  Remarks: Not enabled by default.
Step 120. Enable authorized ARP.
  Command: arp authorized enable
  Remarks: Not enabled by default.
Enabling unauthorized DHCP server detection
Unauthorized DHCP servers might assign wrong IP addresses to DHCP clients.
With unauthorized DHCP server detection enabled, the DHCP relay agent checks whether a request
contains Option 54 (Server Identifier Option). If it does, the DHCP relay agent records the IP address
carried in the option, which identifies the DHCP server that assigned an IP address to the requesting DHCP
client, together with the receiving interface. The administrator can use this information to check for
unauthorized DHCP servers. The relay agent logs a DHCP server only once.
To enable unauthorized DHCP server detection:
Step 121. Enter system view.
  Command: system-view
  Remarks: N/A
Step 122. Enable unauthorized DHCP server detection.
  Command: dhcp relay server-detect
  Remarks: Disabled by default.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail
to work because of exhaustion of system resources. The following methods are available to relieve or
prevent such attacks.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source
MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or MAC
addresses that a Layer 2 port can learn. You can also configure an interface that has learned the
maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC
address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source
MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay
agent compares the chaddr field of a received DHCP request with the source MAC address in the
frame header. If they are the same, the DHCP relay agent considers the request valid and
forwards it to the DHCP server. Otherwise, it discards the DHCP request.
To enable MAC address check:
Step 123. Enter system view.
  Command: system-view
  Remarks: N/A
Step 124. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 125. Enable MAC address check.
  Command: dhcp relay check mac-address
  Remarks: The default setting is disabled.
A DHCP relay agent changes the source MAC addresses of DHCP packets before forwarding them out.
Therefore, enable MAC address check only on the DHCP relay agent directly connected to the DHCP
clients. If you enable this feature on an intermediate relay agent, it might discard valid DHCP packets
and the sending clients do not obtain IP addresses.
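The chaddr-versus-source-MAC comparison that MAC address check performs, as an added Python example (not code from the HP guide): it parses the BOOTP header out of a DHCP-over-IPv4 frame and decides whether a relay should forward the request. The frames are constructed inline for illustration, and the builder and function names are my own.

```python
"""Relay-side MAC address check, as described for 'dhcp relay check mac-address':
compare the chaddr field of a DHCP request with the source MAC of the frame that
carried it, and discard the request when they differ.

Added example; not part of the HP guide. Frames are constructed inline (test data).
"""
import struct

ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
BOOTP_CHADDR_OFFSET = 28   # after op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
DHCP_CLIENT_PORT = 68
DHCP_SERVER_PORT = 67


def build_dhcp_request_frame(src_mac, chaddr, xid=0x3903F326):
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP DISCOVER frame (constructed test data)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s",
                        1,                 # op = BOOTREQUEST
                        1,                 # htype = Ethernet
                        6,                 # hlen
                        0,                 # hops
                        xid, 0, 0x8000,    # xid, secs, flags (broadcast bit set)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr..giaddr
                        chaddr.ljust(16, b"\0"))
    bootp += b"\x63\x82\x53\x63"           # DHCP magic cookie
    bootp += b"\x35\x01\x01\xff"           # option 53 = DHCPDISCOVER, then end option
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT,
                      UDP_HDR_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def extract_src_mac_and_chaddr(frame):
    """Return (frame source MAC, client hardware address) from a DHCP-over-IPv4 frame."""
    if len(frame) < ETH_HDR_LEN + 20 + UDP_HDR_LEN + BOOTP_CHADDR_OFFSET + 16:
        raise ValueError("frame too short to hold a BOOTP header")
    src_mac = frame[6:12]
    ip_hdr_len = (frame[ETH_HDR_LEN] & 0x0F) * 4      # honour IHL rather than assuming 20 bytes
    if frame[ETH_HDR_LEN + 9] != 17:
        raise ValueError("not a UDP datagram")
    bootp = frame[ETH_HDR_LEN + ip_hdr_len + UDP_HDR_LEN:]
    htype, hlen = bootp[1], bootp[2]
    if htype != 1 or hlen != 6:
        raise ValueError("MAC address check applies only to Ethernet clients (htype 1, hlen 6)")
    chaddr = bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + hlen]
    return src_mac, chaddr


def relay_mac_check(frame):
    """True when the relay should forward the request, i.e. chaddr equals the frame source MAC."""
    src_mac, chaddr = extract_src_mac_and_chaddr(frame)
    return src_mac == chaddr


def filter_requests(frames):
    """Apply the check to a batch of frames; return (forwarded, discarded) counts."""
    forwarded = discarded = 0
    for frame in frames:
        if relay_mac_check(frame):
            forwarded += 1
        else:
            discarded += 1
    return forwarded, discarded


if __name__ == "__main__":
    mac = bytes.fromhex("000fe20001c0")                  # MAC used in this guide's examples
    honest = build_dhcp_request_frame(mac, mac)
    mismatched = build_dhcp_request_frame(mac, bytes.fromhex("0011223344ff"))
    print(filter_requests([honest, mismatched]))        # (1, 1)
```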
Enabling client offline detection
With this feature enabled, the DHCP relay agent considers that a DHCP client goes offline when the ARP
entry for the client ages out. In addition, it removes the client entry and sends a DHCP-RELEASE message
to the DHCP server to release the IP address of the client.
To enable offline detection:
Step 126. Enter system view.
  Command: system-view
  Remarks: N/A
Step 127. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 128. Enable offline detection.
  Command: dhcp relay client-detect enable
  Remarks: Disabled by default.
Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When
the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding
manually.
Configuring the DHCP relay agent to release an IP
address
You can configure the relay agent to release a client's IP address. The relay agent sends a
DHCP-RELEASE message that contains the specified IP address. Upon receiving the DHCP-RELEASE
message, the DHCP server releases the IP address. Meanwhile, the client entry is removed from the
DHCP relay agent. The IP address to be released must be available in a dynamic client entry.
To configure the DHCP relay agent to send DHCP-RELEASE messages:
Step 129. Enter system view.
  Command: system-view
Step 130. Configure the DHCP relay agent to release an IP address.
  Command: dhcp relay release ip client-ip
Dynamic client entries can be generated only after you enable address check, authorized ARP, or IP
source guard on the DHCP relay agent. For more information about IP source guard, see Security
Configuration Guide.
Configuring the DHCP relay agent to handle
Option 82
Configuration prerequisites
Before performing this configuration, complete the following tasks:
1. Enable DHCP.
2. Enable the DHCP relay agent on the specified interface.
3. Correlate a DHCP server group with relay agent interfaces.
To support Option 82, you must perform related configuration on both the DHCP server and relay agent.
For more information about DHCP server configuration, see "Configuring the DHCP server."
If the handling strategy of the DHCP relay agent is configured as replace, you must configure a padding
format for Option 82. If the handling strategy is keep or drop, you need not configure any padding
format.
If the system name (sysname) is padded in sub-option 1 (node identifier) of Option 82, it must not contain
spaces. Otherwise, the DHCP relay agent drops the message.
Configuration procedure
To configure the DHCP relay agent to support Option 82:
Step 131. Enter system view.
  Command: system-view
  Remarks: N/A
Step 132. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 133. Enable the relay agent to handle Option 82.
  Command: dhcp relay information enable
  Remarks: The default setting is disabled.
Step 134. Configure the strategy for handling DHCP requests containing Option 82.
  Command: dhcp relay information strategy { drop | keep | replace }
  Remarks: Optional. The default setting is replace.
Step 135. Configure non-user-defined Option 82.
  Commands:
  • Configure the padding format for Option 82: dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }
  • Configure the code type for the Circuit ID sub-option: dhcp relay information circuit-id format-type { ascii | hex }
  • Configure the code type for the Remote ID sub-option: dhcp relay information remote-id format-type { ascii | hex }
  Remarks: Optional. By default:
  • The padding format for Option 82 is normal.
  • The code type for the Circuit ID sub-option depends on the padding format of Option 82. Each field has its own code type.
  • The code type for the Remote ID sub-option is hex.
  The Remote ID sub-option configuration and the Circuit ID sub-option configuration apply to non-user-defined Option 82 only.
Step 136. Configure user-defined Option 82.
  Commands:
  • Configure the padding content for the Circuit ID sub-option: dhcp relay information circuit-id string circuit-id
  • Configure the padding content for the Remote ID sub-option: dhcp relay information remote-id string { remote-id | sysname }
  Remarks: Optional. By default, the padding content depends on the padding format of Option 82.
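The relay-side behaviour described by Table 2 ("DHCP relay agent support for Option 82") and by the configuration table above, as an added Python example (not code from the HP guide): filling giaddr, applying the drop / keep / replace strategy, padding sub-options 1 and 2 in the configured format, and stripping Option 82 from server replies. Messages are modelled as dicts of decoded fields rather than full BOOTP frames, the byte layout of the normal and verbose formats is a constructed placeholder (the guide does not specify it), and names such as RelayConfig are my own.

```python
"""DHCP relay agent handling of Option 82, following Table 2 and the Option 82
configuration section of this guide: drop / keep / replace strategies for requests,
padding of sub-option 1 (Circuit ID) and sub-option 2 (Remote ID), filling giaddr,
and removing Option 82 from server replies before they reach the client.

Added example; not part of the HP guide. Messages are dicts of decoded fields, and
the normal/verbose padding layouts below are constructed placeholders.
"""
from dataclasses import dataclass

OPT_RELAY_AGENT_INFO = 82
SUB_CIRCUIT_ID = 1       # sub-option 1
SUB_REMOTE_ID = 2        # sub-option 2


@dataclass
class RelayConfig:
    """Per-interface Option 82 settings, mirroring the 'dhcp relay information' commands."""
    relay_ip: str                        # written into giaddr
    relay_mac: str = "000f-e200-0001"    # constructed value
    strategy: str = "replace"            # dhcp relay information strategy { drop | keep | replace }
    padding_format: str = "normal"       # normal | verbose | user-defined
    node_identifier: str = "mac"         # verbose only: mac | sysname | <user-defined string>
    circuit_id: str = ""                 # dhcp relay information circuit-id string
    remote_id: str = ""                  # dhcp relay information remote-id string { remote-id | sysname }
    sysname: str = "RouterA"
    interface: str = "Ethernet1/1"       # interface the request arrived on
    vlan: int = 1


def encode_suboptions(subs):
    """Serialise {sub-code: bytes} into an Option 82 payload of (code, length, value)."""
    out = b""
    for code, value in subs.items():
        if len(value) > 255:
            raise ValueError("sub-option too long for a one-byte length")
        out += bytes([code, len(value)]) + value
    return out


def build_option82(cfg):
    """Pad Option 82 for cfg.padding_format; None means the relay must drop the request."""
    if cfg.padding_format == "user-defined":
        remote = cfg.sysname if cfg.remote_id == "sysname" else cfg.remote_id
        subs = {SUB_CIRCUIT_ID: cfg.circuit_id.encode(), SUB_REMOTE_ID: remote.encode()}
    elif cfg.padding_format == "verbose":
        if cfg.node_identifier == "sysname" and " " in cfg.sysname:
            return None   # guide: a sysname with spaces padded in sub-option 1 makes the relay drop the message
        node = {"mac": cfg.relay_mac, "sysname": cfg.sysname}.get(cfg.node_identifier, cfg.node_identifier)
        subs = {SUB_CIRCUIT_ID: f"{node}:{cfg.interface}:{cfg.vlan}".encode(),   # constructed layout
                SUB_REMOTE_ID: cfg.relay_mac.encode()}
    elif cfg.padding_format == "normal":
        subs = {SUB_CIRCUIT_ID: f"{cfg.vlan}:{cfg.interface}".encode(),           # constructed layout
                SUB_REMOTE_ID: cfg.relay_mac.encode()}
    else:
        raise ValueError(f"unknown padding format {cfg.padding_format!r}")
    return encode_suboptions(subs)


def relay_request(msg, cfg):
    """Apply Table 2 to a client request; return the message to unicast to the server, or None."""
    out = {"op": msg["op"], "giaddr": msg["giaddr"], "options": dict(msg["options"])}
    if out["giaddr"] == "0.0.0.0":
        out["giaddr"] = cfg.relay_ip    # first relay hop fills giaddr; a downstream relay's giaddr is kept
    if OPT_RELAY_AGENT_INFO in out["options"]:
        if cfg.strategy == "drop":
            return None
        if cfg.strategy == "keep":
            return out
        # strategy "replace": fall through and overwrite the client's Option 82
    payload = build_option82(cfg)       # a request without Option 82 always gets one added
    if payload is None:
        return None
    out["options"][OPT_RELAY_AGENT_INFO] = payload
    return out


def relay_reply(msg):
    """Strip Option 82 from a server reply before it is forwarded to the client."""
    return {"op": msg["op"], "giaddr": msg["giaddr"],
            "options": {c: v for c, v in msg["options"].items() if c != OPT_RELAY_AGENT_INFO}}
```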
Displaying and maintaining the DHCP relay agent
Task: Display information about DHCP server groups correlated to a specific or all interfaces.
  Command: display dhcp relay { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display Option 82 configuration information on the DHCP relay agent.
  Command: display dhcp relay information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about bindings of DHCP relay agents.
  Command: display dhcp relay security [ ip-address | dynamic | static ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display statistics information about bindings of DHCP relay agents.
  Command: display dhcp relay security statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about the refreshing interval for entries of dynamic IP-to-MAC bindings.
  Command: display dhcp relay security tracker [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about the configuration of a specific or all DHCP server groups.
  Command: display dhcp relay server-group { group-id | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display packet statistics on the DHCP relay agent.
  Command: display dhcp relay statistics [ server-group { group-id | all } ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear packet statistics on the DHCP relay agent.
  Command: reset dhcp relay statistics [ server-group group-id ]
  Remarks: Available in user view.
DHCP relay agent configuration examples
DHCP relay agent configuration example
Network requirements
As shown in Figure 27, the DHCP relay agent forwards DHCP messages between DHCP clients and the
DHCP server.
Because the DHCP relay agent and server are on different subnets, you need to configure static or
dynamic routing to make them reachable to each other.
DHCP server configuration is also required to guarantee the client-server communication through the
DHCP relay agent. For DHCP server configuration information, see "Configuring the DHCP server."
Figure 27 Network diagram: DHCP clients connect to Router A (DHCP relay agent) on Eth1/1 10.10.1.1/24; Router A Eth1/2 10.1.1.2/24 connects to Router B (DHCP server) Eth1/1 10.1.1.1/24.
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[RouterA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select relay
# Correlate Ethernet 1/1 to DHCP server group 1.
[RouterA-Ethernet1/1] dhcp relay server-select 1
After the preceding configuration is complete, DHCP clients can obtain IP addresses and other network
parameters from the DHCP server through the DHCP relay agent. You can use the display dhcp relay
statistics command to view the statistics of DHCP packets forwarded by the DHCP relay agents. If you
enable address check of the DHCP relay agents with the dhcp relay address-check enable command,
you can use the display dhcp relay security command to view client entries.
DHCP relay agent Option 82 support configuration example
Network requirements
As shown in Figure 27, the DHCP relay agent (Router A) replaces Option 82 in DHCP requests before
forwarding them to the DHCP server (Router B).
• The Circuit ID sub-option is company001.
• The Remote ID sub-option is device001.
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[RouterA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select relay
# Correlate Ethernet 1/1 to DHCP server group 1.
[RouterA-Ethernet1/1] dhcp relay server-select 1
# Enable the DHCP relay agent to handle Option 82, and perform Option 82-related configurations.
[RouterA-Ethernet1/1] dhcp relay information enable
[RouterA-Ethernet1/1] dhcp relay information strategy replace
[RouterA-Ethernet1/1] dhcp relay information circuit-id string company001
[RouterA-Ethernet1/1] dhcp relay information remote-id string device001
NOTE:
To use Option 82, you must also enable the DHCP server to handle Option 82.
Troubleshooting DHCP relay agent configuration
Symptom
DHCP clients cannot obtain any configuration parameters through the DHCP relay agent.
Analysis
Some problems might occur with the DHCP relay agent or server configuration.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent
to view the debugging information and interface state information.
Verify that:
1. DHCP is enabled on the DHCP server and relay agent.
2. The DHCP server has an address pool on the same subnet as the DHCP clients.
3. The DHCP server and DHCP relay agent can reach each other.
4. The relay agent interface connected to DHCP clients is correlated with a correct DHCP server group and the IP addresses of the group members are correct.
Configuring DHCP client
The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN
interfaces, and Layer 3 aggregate interfaces.
You cannot configure an interface of an aggregation group as a DHCP client.
When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition
through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
Introduction to DHCP client
With DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP
address from the DHCP server.
Enabling the DHCP client on an interface
To enable the DHCP client on an interface:
137. Enter system view.
     Command: system-view
     Remarks: N/A
138. Enter interface view.
     Command: interface interface-type interface-number
     Remarks: N/A
139. Enable the DHCP client on the interface.
     Command: ip address dhcp-alloc [ client-identifier mac interface-type interface-number ]
     Remarks: Disabled by default.
An interface can be configured to acquire an IP address in multiple ways. The latest configuration
overwrites the previous one.
Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client.
If the IP address that interface A obtains from the DHCP server is on the same network segment as the IP
address of interface B, interface A neither uses the IP address nor requests any IP address from the DHCP
server. Interface A requests an address again only after the IP address of interface B is manually deleted
and either interface A is brought up again (by executing the shutdown command and then the undo
shutdown command) or the DHCP client is re-enabled on interface A (by executing the undo ip address
dhcp-alloc command and then the ip address dhcp-alloc command).
Displaying and maintaining the DHCP client
Task: Display specified configuration information.
Command: display dhcp client [ verbose ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
DHCP client configuration example
Network requirements
As shown in Figure 29, Router B contacts the DHCP server through Ethernet 1/1 to obtain an IP address,
DNS server address, and static route information. The DHCP client IP address resides on network
10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to network 20.1.1.0/24
is 10.1.1.2.
The DHCP server uses Option 121 to assign static route information to DHCP clients. Figure 28 shows the
format of Option 121. The destination descriptor field comprises two parts, subnet mask length and
destination network address. In this example, the value of the destination descriptor field takes 18 14 01
01, a hexadecimal number indicating that the subnet mask length is 24 and destination network address
is 20.1.1.0, and the value of the next hop address field takes 0A 01 01 02, a hexadecimal number
indicating that the next hop is 10.1.1.2.
Figure 28 Option 121 format
Figure 29 Network diagram
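The encoding described above, as an added example that is not part of this guide: a Python encoder and decoder for the Option 121 payload (the classless static route layout of RFC 3442), producing the hex string used with the option 121 hex command and parsing it back, with the malformed cases a receiver should reject. The function names are my own.

```python
import ipaddress

def encode_option121(routes):
    """Encode (destination network, next hop) pairs as an Option 121 payload.

    Each route is a destination descriptor (the prefix length, then only the
    octets of the destination network covered by that prefix) followed by the
    4-octet next hop, as in Figure 28.
    """
    out = bytearray()
    for dest, nexthop in routes:
        net = ipaddress.IPv4Network(dest)              # raises if host bits are set
        significant = (net.prefixlen + 7) // 8         # octets needed to carry the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(nexthop).packed
    return bytes(out)

def decode_option121(payload):
    """Parse an Option 121 payload into [(destination network, next hop), ...].

    A prefix length above 32, a truncated route, or a destination with host
    bits set raises ValueError instead of yielding a bogus route.
    """
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError(f"truncated route at offset {i - 1}")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        nexthop = payload[i:i + 4]
        i += 4
        prefix = f"{ipaddress.IPv4Address(dest)}/{plen}"
        try:
            net = ipaddress.IPv4Network(prefix)          # strict: host bits must be zero
        except ValueError as exc:
            raise ValueError(f"destination {prefix} has host bits set") from exc
        routes.append((str(net), str(ipaddress.IPv4Address(nexthop))))
    return routes

def cli_hex(payload):
    """Render the payload the way the option 121 hex command takes it."""
    return " ".join(f"{b:02X}" for b in payload)

if __name__ == "__main__":
    payload = encode_option121([("20.1.1.0/24", "10.1.1.2")])
    print(cli_hex(payload))                # 18 14 01 01 0A 01 01 02
    print(decode_option121(payload))       # [('20.1.1.0/24', '10.1.1.2')]
```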
Configuration procedure
1. Configure Router A:
# Specify the IP address of Ethernet 1/1.
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 10.1.1.1 24
[RouterA-Ethernet1/1] quit
# Enable DHCP.
[RouterA] dhcp enable
# Exclude an IP address from automatic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address,
and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
2. Configure Router B:
# Enable the DHCP client on Ethernet 1/1.
<RouterB> system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address dhcp-alloc
Verifying the configuration
# Use the display dhcp client command to view the IP address and other network parameters assigned
to Router B.
[RouterB-Ethernet1/1] display dhcp client verbose
Ethernet1/1 DHCP client information:
Current machine state: BOUND
Allocated IP: 10.1.1.3 255.255.255.0
Allocated lease: 864000 seconds, T1: 432000 seconds, T2: 756000 seconds
Lease from 2009.02.20 11:06:35 to 2009.03.02 11:06:35
DHCP server: 10.1.1.1
Transaction ID: 0x410090f0
Classless static route:
Destination: 20.1.1.0, Mask: 255.255.255.0, NextHop: 10.1.1.2
DNS server: 20.1.1.1
Client ID: 3030-3066-2e65-3230302e-3030-3032-2d457468-6572-6e65-74302f30
T1 will timeout in 4 days 23 hours 59 minutes 50 seconds.
# Use the display ip routing-table command to view the route information on Router B. A static route to
network 20.1.1.0/24 is added to the routing table.
[RouterB-Ethernet1/1] display ip routing-table
Routing Tables: Public
        Destinations : 5        Routes : 5
Destination/Mask    Proto   Pre  Cost   NextHop     Interface
10.1.1.0/24         Direct  0    0      10.1.1.3    Eth1/1
10.1.1.3/32         Direct  0    0      127.0.0.1   InLoop0
20.1.1.0/24         Static  70   0      10.1.1.2    Eth1/1
127.0.0.0/8         Direct  0    0      127.0.0.1   InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1   InLoop0
Configuring DHCP snooping
DHCP snooping is supported on fixed Layer 2 switching interfaces on MSR20-1X and MSR900 routers,
and is not supported on MSR93X routers. To use DHCP snooping, other series routers need to install a
FIC-16FSW, DFIC-24FSW, MIM-16FSW, or DMIM-24FSW interface module.
A DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
Overview
DHCP snooping defines trusted and untrusted ports to make sure that clients obtain IP addresses only
from authorized DHCP servers.
• Trusted—A trusted port can forward DHCP messages correctly to make sure the clients get IP addresses from authorized DHCP servers.
• Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses.
DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST
messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP
addresses of a client, the port that connects to the DHCP client, and the VLAN of the port.
The following features need to use DHCP snooping entries:
• ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information, see "Configuring ARP fast-reply."
• ARP detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.
• IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.
Application of trusted and untrusted ports
Configuring a trusted port connected to a DHCP server
Figure 30 Configuring trusted and untrusted ports
Configuring trusted ports in a cascaded network
In a cascaded network as shown in Figure 31, each DHCP snooping device's ports connected to other
DHCP snooping devices should be configured as trusted ports.
To save system resources, you can disable the trusted ports that are not directly connected to DHCP
clients from recording client IP-to-MAC bindings (DHCP snooping entries) upon receiving DHCP requests.
Figure 31 Configuring trusted ports in a cascaded network
(Figure: DHCP clients Host A through Host D attach to DHCP snooping Switch A, Switch B, and Switch C, which are cascaded to each other and to the device hosting the DHCP server. Legend: untrusted ports; trusted ports disabled from recording binding entries; trusted ports enabled to record binding entries.)
DHCP snooping support for Option 82
Option 82 records the location information of the DHCP client so the administrator can locate the DHCP
client for security control and accounting purposes. For more information, see "Configuring the DHCP
relay agent."
If DHCP snooping supports Option 82, it handles clients' requests according to Option 82, if any. Table
3 describes the handling strategies.
If a reply returned by the DHCP server contains Option 82, the DHCP snooping device removes the
Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP
snooping device forwards it directly.
Table 3 Handling strategies of DHCP snooping
If a DHCP request has…  Handling strategy  Padding format  The DHCP snooping device…
Option 82               Drop               N/A             Drops the message.
Option 82               Keep               Random          Forwards the message without changing Option 82.
Option 82               Replace            normal          Forwards the message after replacing the original Option 82 with the Option 82 padded in normal format.
Option 82               Replace            verbose         Forwards the message after replacing the original Option 82 with the Option 82 padded in verbose format.
Option 82               Replace            user-defined    Forwards the message after replacing the original Option 82 with the user-defined Option 82.
Option 82               Append             normal          Forwards the message without changing Option 82.
Option 82               Append             verbose         Forwards the message without changing Option 82.
Option 82               Append             private         Forwards the message after adding sub-option 9 to Option 82, or adding content to the sub-option 9 that Option 82 already contains.
Option 82               Append             standard        Forwards the message without changing Option 82.
Option 82               Append             user-defined    Forwards the message without changing Option 82.
no Option 82            N/A                normal          Forwards the message after adding the Option 82 padded in normal format.
no Option 82            N/A                private         Forwards the message after adding the Option 82 padded in private format.
no Option 82            N/A                standard        Forwards the message after adding the Option 82 padded in standard format.
no Option 82            N/A                verbose         Forwards the message after adding the Option 82 padded in verbose format.
no Option 82            N/A                user-defined    Forwards the message after adding the user-defined Option 82.
The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as
those on the relay agent.
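Table 3 and the reply handling above, written out as a function. This is an added illustration, not the device's implementation: DHCP options are modelled as a dict of option code to raw value, and the padded Option 82 that the device would generate for the chosen format is passed in by the caller, because the padding formats themselves are described in "Configuring the DHCP relay agent". The sub-option TLV layout (1-octet code, 1-octet length, value) is the standard Option 82 encoding.

```python
OPTION_82 = 82
SUBOPT_9 = 9                      # the sub-option added by the private padding format

def parse_suboptions(payload):
    """Split an Option 82 value into [(sub-option code, value), ...]."""
    subs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        i += 2
        if i + length > len(payload):
            raise ValueError(f"sub-option {code} overruns Option 82")
        subs.append((code, payload[i:i + length]))
        i += length
    return subs

def build_suboptions(subs):
    """Inverse of parse_suboptions."""
    out = bytearray()
    for code, value in subs:
        if len(value) > 255:
            raise ValueError(f"sub-option {code} value longer than 255 octets")
        out += bytes((code, len(value))) + value
    return bytes(out)

def add_suboption9(option82, content):
    """Append sub-option 9, or extend the one already present (Table 3, append/private)."""
    subs = parse_suboptions(option82)
    for idx, (code, value) in enumerate(subs):
        if code == SUBOPT_9:
            subs[idx] = (code, value + content)
            break
    else:
        subs.append((SUBOPT_9, content))
    return build_suboptions(subs)

def handle_request(options, strategy, padding_format, padded_option82, suboption9_content=b""):
    """Apply Table 3 to a client request.

    options: {DHCP option code: raw value}. Returns ("drop", None) or ("forward", new_options).
    padded_option82 is the Option 82 the device would generate in padding_format.
    """
    options = dict(options)               # never mutate the caller's message
    if OPTION_82 not in options:          # no Option 82: add one, whatever the strategy
        options[OPTION_82] = padded_option82
        return "forward", options
    if strategy == "drop":
        return "drop", None
    if strategy == "keep":                # padding format irrelevant ("Random" in Table 3)
        return "forward", options
    if strategy == "replace":
        if padding_format not in ("normal", "verbose", "user-defined"):
            raise ValueError(f"Table 3 lists no replace behaviour for {padding_format}")
        options[OPTION_82] = padded_option82
        return "forward", options
    if strategy == "append":
        if padding_format == "private":
            options[OPTION_82] = add_suboption9(options[OPTION_82], suboption9_content)
        elif padding_format not in ("normal", "verbose", "standard", "user-defined"):
            raise ValueError(f"unknown padding format {padding_format}")
        return "forward", options
    raise ValueError(f"unknown handling strategy {strategy}")

def handle_reply(options):
    """Server replies: strip Option 82 before forwarding the reply to the client."""
    options = dict(options)
    options.pop(OPTION_82, None)
    return options

if __name__ == "__main__":
    # Constructed request carrying the Option 82 a downstream device inserted.
    client_opt82 = build_suboptions([(1, b"company001"), (2, b"device001")])
    padded = build_suboptions([(1, b"Eth1/2"), (2, b"SwitchB")])   # constructed padding
    print(handle_request({53: b"\x03", 82: client_opt82}, "replace", "normal", padded))
```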
DHCP snooping configuration task list
Task                                                  Remarks
Configuring DHCP snooping basic functions             Required.
Configuring DHCP snooping to support Option 82        Optional.
Configuring DHCP snooping entries backup              Optional.
Enabling DHCP starvation attack protection            Optional.
Enabling DHCP-REQUEST message attack protection       Optional.
Configuring DHCP snooping basic functions
Follow these guidelines to configure DHCP snooping basic functions:
• You must specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.
• You can specify Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, and WLAN-BSS interfaces as trusted ports. For more information about aggregate interfaces, see Layer 2—LAN Switching Configuration Guide. For more information about WLAN-BSS interfaces, see WLAN Configuration Guide.
• If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration of the interface does not take effect. After the interface quits the aggregation group, the configuration becomes effective.
• DHCP snooping can work with basic QinQ or flexible QinQ. When receiving a packet without any VLAN tag from the DHCP client to the DHCP server, the DHCP snooping device adds a VLAN tag to the packet. If the packet has one VLAN tag, the device adds another VLAN tag to the packet and records the two VLAN tags in a DHCP snooping entry. The newly added VLAN tag is the outer tag. If the packet has two VLAN tags, the device directly forwards the packet to the DHCP server without adding any tag. If you need to add a new VLAN tag and meanwhile modify the original VLAN tag for the packet, DHCP snooping cannot work with flexible QinQ.
To configure DHCP snooping basic functions:
140. Enter system view.
     Command: system-view
     Remarks: N/A
141. Enable DHCP snooping.
     Command: dhcp-snooping
     Remarks: Disabled by default.
142. Enter Ethernet interface view.
     Command: interface interface-type interface-number
     Remarks: The interface connects to the DHCP server.
143. Specify the port as a trusted port that records the IP-to-MAC bindings of clients.
     Command: dhcp-snooping trust
     Remarks: After DHCP snooping is enabled, a port is an untrusted port by default.
144. Return to system view.
     Command: quit
     Remarks: N/A
145. Enter interface view.
     Command: interface interface-type interface-number
     Remarks: The interface indirectly connects to the DHCP client.
146. Specify the port as a trusted port that does not record the IP-to-MAC bindings of clients.
     Command: dhcp-snooping trust no-user-binding
     Remarks: Optional. After DHCP snooping is enabled, a port is an untrusted port by default.
Configuring DHCP snooping to support Option 82
Follow these guidelines to configure DHCP snooping to support Option 82:
• You can only configure DHCP snooping to support Option 82 on Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, and WLAN-BSS interfaces.
• If a Layer 2 Ethernet interface is added to an aggregation group, enabling DHCP snooping to support Option 82 on the interface does not take effect. After the interface quits the aggregation group, the configuration becomes effective.
• To make sure Option 82 works correctly, perform some configurations on both the DHCP server and the DHCP snooping device. For DHCP server configuration, see "Enabling handling of Option 82."
• If the handling strategy of the DHCP-snooping device is configured as replace, configure a padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding format.
• If Option 82 contains the device name, the device name must contain no spaces. Otherwise, the DHCP-snooping device drops the message. You can use the sysname command to specify the device name. For more information about this command, see Fundamentals Command Reference.
• If DHCP snooping and QinQ work together or the DHCP snooping device receives a DHCP packet with two VLAN tags, and the normal or verbose padding format is adopted for Option 82, DHCP snooping fills the VLAN ID field of sub-option 1 with outer VLAN tag.inner VLAN tag. For example, if the outer VLAN tag is 10 (a in hexadecimal) and the inner VLAN tag is 20 (14 in hexadecimal), the VLAN ID is 000a.0014.
To configure DHCP snooping to support Option 82:
147. Enter system view.
     Command: system-view
     Remarks: N/A
148. Enter interface view.
     Command: interface interface-type interface-number
     Remarks: N/A
149. Enable DHCP snooping to support Option 82.
     Command: dhcp-snooping information enable
     Remarks: Disabled by default.
150. Configure the handling strategy for requests containing Option 82.
     Command: dhcp-snooping information strategy { append | drop | keep | replace }
     Remarks: Optional. replace by default.
151. Configure Option 82 in the non-user-defined padding format.
     Commands:
     • Configure the padding format for Option 82: dhcp-snooping information format { normal | private private | standard | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }
     • Configure the code type for the Circuit ID sub-option: dhcp-snooping information circuit-id format-type { ascii | hex }
     • Configure the code type for the Remote ID sub-option: dhcp-snooping information remote-id format-type { ascii | hex }
     • Enable sub-option 9: dhcp-snooping information [ vlan vlan-id ] sub-option sub-option-code
     Remarks: Optional. By default:
     • The padding format for Option 82 is normal.
     • The code type for the Circuit ID sub-option depends on the padding format of Option 82. Each field has its own code type.
     • The code type for the Remote ID sub-option is hex.
     • Sub-option 9 is not enabled.
     The private padding format supports only the hex code type.
     The remote ID sub-option configuration and the Circuit ID sub-option code type configuration apply to non-user-defined Option 82 only.
     For sub-option 9 configuration, when the append strategy is adopted, the sysname and the primary IP address of the Loopback0 interface are padded. When some other strategy is adopted, only the sysname is padded.
152. Configure user-defined Option 82.
     Commands:
     • Configure the padding content for the Circuit ID sub-option: dhcp-snooping information [ vlan vlan-id ] circuit-id string circuit-id
     • Configure the padding content for the Remote ID sub-option: dhcp-snooping information [ vlan vlan-id ] remote-id string { remote-id | sysname }
     • Configure the padding content for sub-option 9: dhcp-snooping information [ vlan vlan-id ] sub-option sub-option-code [ string user-string&<1-8> ]
     Remarks: Optional. By default:
     • The padding content for the Circuit ID sub-option depends on the padding format of Option 82.
     • The padding content for the Remote ID sub-option depends on the padding format of Option 82.
     • Sub-option 9 is not padded.
Configuring DHCP snooping entries backup
DHCP snooping entries cannot survive a reboot. If the DHCP snooping device is rebooted, security
modules (such as IP source guard) that use DHCP snooping entries to authenticate users reject requests
from clients until new entries are learned.
The DHCP snooping entries backup feature enables you to store DHCP snooping entries in a file. When
the DHCP snooping device reboots, it reads DHCP snooping entries from this file.
To configure DHCP snooping entries backup:
153. Enter system view.
     Command: system-view
     Remarks: N/A
154. Specify the name of the file for storing DHCP snooping entries.
     Command: dhcp-snooping binding database filename filename
     Remarks: Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command.
155. Back up DHCP snooping entries to the file.
     Command: dhcp-snooping binding database update now
     Remarks: Optional. DHCP snooping entries are stored to the file each time this command is used.
156. Set the interval at which the DHCP snooping entry file is refreshed.
     Command: dhcp-snooping binding database update interval minutes
     Remarks: Optional. By default, the file is not refreshed periodically.
After DHCP snooping is disabled with the undo dhcp-snooping command, the device deletes all DHCP
snooping entries, including those stored in the file.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail
to work because of exhaustion of system resources. You can protect against starvation attacks in the
following ways:
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.
To enable MAC address check:
157. Enter system view.
     Command: system-view
     Remarks: N/A
158. Enter interface view.
     Command: interface interface-type interface-number
     Remarks: N/A
159. Enable MAC address check.
     Command: dhcp-snooping check mac-address
     Remarks: Disabled by default. You can enable MAC address check only on Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, and WLAN-BSS interfaces.
Enabling DHCP-REQUEST message attack protection
Attackers can forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients
that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the
leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.
To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.
This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded.
• If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
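The MAC address check from "Enabling DHCP starvation attack protection" and the DHCP-REQUEST check above, as one added example that is not the router's implementation: a minimal parser for the BOOTP header and option list, the chaddr-versus-source-MAC comparison, and the DHCP-REQUEST validation against snooping entries keyed by client MAC. The entry layout (IP address, port, VLAN) follows the entry contents described in the overview, and the packets are constructed for the demo rather than captured.

```python
import struct
from dataclasses import dataclass

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128); 236 octets in total.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 50, 53, 255
DHCPREQUEST = 3

@dataclass
class DhcpMsg:
    xid: int
    ciaddr: bytes
    chaddr: bytes      # only the first hlen octets: the client hardware address
    options: dict      # option code -> raw value

def parse_dhcp(payload):
    """Parse the BOOTP header and the option list of a DHCP message."""
    if len(payload) < BOOTP_HDR.size + len(MAGIC):
        raise ValueError("short DHCP message")
    fields = BOOTP_HDR.unpack_from(payload)
    hlen, xid, ciaddr, chaddr = fields[2], fields[4], fields[7], fields[11]
    if hlen > 16:
        raise ValueError(f"hlen {hlen} exceeds the chaddr field")
    i = BOOTP_HDR.size
    if payload[i:i + 4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i += 4
    options = {}
    while i < len(payload):
        code = payload[i]
        i += 1
        if code == OPT_END:
            break
        if code == OPT_PAD:
            continue
        if i >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i]
        i += 1
        if i + length > len(payload):
            raise ValueError(f"option {code} overruns the message")
        options[code] = payload[i:i + length]
        i += length
    return DhcpMsg(xid, ciaddr, chaddr[:hlen], options)

def mac_address_check(src_mac, payload):
    """dhcp-snooping check mac-address: forward only if chaddr equals the frame's source MAC."""
    msg = parse_dhcp(payload)
    return "forward" if msg.chaddr == src_mac else "discard"

def request_message_check(payload, port, vlan, entries):
    """dhcp-snooping check request-message, using entries {client MAC: (IP, port, VLAN)}
    that the device learned from DHCP-ACK messages received on trusted ports."""
    msg = parse_dhcp(payload)
    if msg.options.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return "forward"                   # the check applies to DHCP-REQUEST only
    entry = entries.get(msg.chaddr)
    if entry is None:
        return "forward"                   # no matching entry: treated as valid
    entry_ip, entry_port, entry_vlan = entry
    # A renewal carries the lease in ciaddr; an INIT-REBOOT/SELECTING request in option 50.
    claimed_ip = msg.options.get(OPT_REQUESTED_IP, msg.ciaddr)
    consistent = claimed_ip == entry_ip and port == entry_port and vlan == entry_vlan
    return "forward" if consistent else "discard"

def build_request(chaddr, ciaddr, xid=0x1234, requested_ip=None):
    """Constructed DHCP-REQUEST for the demo (not a capture from a real client)."""
    zero4 = b"\x00" * 4
    hdr = BOOTP_HDR.pack(1, 1, len(chaddr), 0, xid, 0, 0, ciaddr, zero4, zero4, zero4,
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if requested_ip is not None:
        opts += bytes([OPT_REQUESTED_IP, 4]) + requested_ip
    return hdr + MAGIC + opts + bytes([OPT_END])

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                        # constructed client MAC
    entries = {mac: (bytes([10, 1, 1, 3]), "Eth1/2", 10)}      # constructed snooping entry
    renew = build_request(mac, bytes([10, 1, 1, 3]))
    print(mac_address_check(mac, renew), request_message_check(renew, "Eth1/2", 10, entries))
```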
To enable DHCP-REQUEST message check:
160. Enter system view.
     Command: system-view
     Remarks: N/A
161. Enter interface view.
     Command: interface interface-type interface-number
     Remarks: N/A
162. Enable DHCP-REQUEST check.
     Command: dhcp-snooping check request-message
     Remarks: Disabled by default. You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, and WLAN-BSS interfaces.
Displaying and maintaining DHCP snooping
Task: Display DHCP snooping entries.
Command: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display Option 82 configuration information on the DHCP snooping device.
Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display DHCP packet statistics on the DHCP snooping device.
Command: display dhcp-snooping packet statistics [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display information about trusted ports.
Command: display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display information about the DHCP snooping entry file.
Command: display dhcp-snooping binding database [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Clear DHCP snooping entries.
Command: reset dhcp-snooping { all | ip ip-address }
Remarks: Available in user view.
Task: Clear DHCP packet statistics on the DHCP snooping device.
Command: reset dhcp-snooping packet statistics
Remarks: Available in user view.
DHCP snooping configuration example
Network requirements
As shown in Figure 32, perform configuration on Switch B to achieve the following purposes:
• The port connected to the DHCP server can forward responses from the server, but the other ports cannot forward responses from any DHCP server.
• Configure Router B to record clients' IP-MAC bindings by reading DHCP-REQUEST messages and DHCP-ACK messages received from the trusted port.
Figure 32 Network diagram
Configuration procedure
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
# Specify Ethernet 1/1 as trusted.
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] dhcp-snooping trust
[SwitchB-Ethernet1/1] quit
DHCP snooping Option 82 support configuration example
Network requirements
As shown in Figure 32, Switch B replaces Option 82 in DHCP requests before forwarding them to the
DHCP server (Switch A).
• The Circuit ID sub-option is company001.
• The Remote ID sub-option is device001.
• On Ethernet 1/3, configure the padding format as verbose, access node identifier as sysname, and code type as ascii for Option 82.
Configuration procedure
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
# Specify Ethernet 1/1 as trusted.
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] dhcp-snooping trust
[SwitchB-Ethernet1/1] quit
# Configure Ethernet 1/2 to support Option 82.
[SwitchB] interface ethernet 1/2
[SwitchB-Ethernet1/2] dhcp-snooping information enable
[SwitchB-Ethernet1/2] dhcp-snooping information strategy replace
[SwitchB-Ethernet1/2] dhcp-snooping information circuit-id string company001
[SwitchB-Ethernet1/2] dhcp-snooping information remote-id string device001
[SwitchB-Ethernet1/2] quit
# Configure Ethernet 1/3 to support Option 82.
[SwitchB] interface ethernet 1/3
[SwitchB-Ethernet1/3] dhcp-snooping information enable
[SwitchB-Ethernet1/3] dhcp-snooping information strategy replace
[SwitchB-Ethernet1/3] dhcp-snooping information format verbose node-identifier sysname
[SwitchB-Ethernet1/3] dhcp-snooping information circuit-id format-type ascii
[SwitchB-Ethernet1/3] dhcp-snooping information remote-id format-type ascii
Configuring BOOTP client
BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3
aggregate interfaces and VLAN interfaces.
If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay
agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.
You cannot configure an interface of an aggregation group as a BOOTP client.
BOOTP application
After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get
information (such as IP address) from the BOOTP server.
To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the
BOOTP server. The parameter file contains information such as MAC address and IP address of a
BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches
for the BOOTP parameter file and returns the corresponding configuration information.
BOOTP is usually used in relatively stable environments. In network environments that change frequently,
DHCP is more suitable.
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an
IP address for the BOOTP client, without any BOOTP server.
Obtaining an IP address dynamically
A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
A BOOTP client dynamically obtains an IP address from a BOOTP server as follows:
1. The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2. The BOOTP server receives the request and searches the configuration file for the corresponding IP address and other information according to the MAC address of the BOOTP client.
3. The BOOTP server returns a BOOTP response to the BOOTP client.
4. The BOOTP client obtains the IP address from the received response.
Protocols and standards
• RFC 951, Bootstrap Protocol (BOOTP)
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
Configuring an interface to dynamically obtain an IP address through BOOTP
163. Enter system view.
     Command: system-view
     Remarks: N/A
164. Enter interface view.
     Command: interface interface-type interface-number
     Remarks: N/A
165. Configure an interface to dynamically obtain an IP address through BOOTP.
     Command: ip address bootp-alloc
     Remarks: By default, an interface does not use BOOTP to obtain an IP address.
Displaying and maintaining BOOTP client configuration
Task: Display BOOTP client information.
Command: display bootp client [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
BOOTP client configuration example
Network requirements
As shown in Figure 23, Ethernet 1/1 of Router B is connected to the LAN to obtain an IP address from
the DHCP server by using BOOTP.
To make the BOOTP client obtain an IP address from the DHCP server, you must perform configurations
on the DHCP server. For more information, see "Configuring the DHCP server."
Configuration procedure
The following describes only the configuration on Router B serving as a client.
# Configure Ethernet 1/1 to dynamically obtain an IP address by using BOOTP.
<RouterB> system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address bootp-alloc
# Use the display bootp client command to view the IP address assigned to the BOOTP client.
Configuring IPv4 DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications
and let the DNS server translate them into correct IP addresses.
DNS services can be static or dynamic. After a user specifies a name, the device checks the local static
name resolution table for an IP address. If no IP address is available, it contacts the DNS server for
dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you
can put frequently queried name-to-IP address mappings in the local static name resolution table.
Static domain name resolution
Static domain name resolution means setting up mappings between domain names and IP addresses. IP
addresses of the corresponding domain names can be found in the static domain resolution table when
you use applications such as Telnet.
Dynamic domain name resolution
Resolution process
1. A user program sends a name query to the resolver of the DNS client.
2. The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.
3. The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned.
4. After receiving a response from the DNS server, the DNS client returns the resolution result to the application.
Figure 33 Dynamic domain name resolution
(Figure: the user program sends a request to the resolver of the DNS client; the resolver reads from and saves to the cache and passes the request on to the DNS server; responses flow back from the DNS server through the resolver to the user program.)
Figure 33 shows the relationship between the user program, DNS client, and DNS server.
The DNS client is made up of the resolver and cache. The user program and DNS client can run on the
same device or different devices, but the DNS server and the DNS client usually run on different devices.
Dynamic domain name resolution allows the DNS client to store the latest mappings between domain
names and IP addresses in the dynamic domain name cache, so the DNS client does not need to send a
request to the DNS server for a repeated query. Aged mappings are removed from the cache after some
time, and the latest entries are obtained from the DNS server. The DNS server decides how long a
mapping is valid, and the DNS client gets the aging information from DNS messages.
DNS suffixes
The DNS client holds a list of user-specified suffixes. The resolver can use the list to supply the missing part
of incomplete names.
For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc
to obtain the IP address of aabbcc.com because the resolver adds the suffix and delimiter before passing
the name to the DNS server.
• If there is no dot (.) in the domain name (for example, aabbcc), the resolver considers this a host name and adds a DNS suffix before the query. If no match is found after all the configured suffixes are used respectively, the original domain name (for example, aabbcc) is used for the query.
• If there is a dot (.) in the domain name (for example, www.aabbcc), the resolver directly uses this domain name for the query. If the query fails, the resolver adds a DNS suffix for another query.
• If the dot (.) is at the end of the domain name (for example, aabbcc.com.), the resolver considers it an absolute domain name or a Fully Qualified Domain Name (FQDN) and returns the query result, successful or failed. The dot at the end of the domain name is considered a terminating symbol.
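The three suffix rules above amount to a fixed candidate order, which is worth making explicit because the suffix list decides which zone gets to answer a short name typed by a user. The following Python is an added example (not part of this guide or of the device software) that generates that candidate list and walks it; the ZONE dictionary and the zone_lookup callback are constructed stand-ins for the DNS server.

```python
def candidate_names(name, suffixes):
    """Return the query names in the order the resolver tries them.

    Rules from the text:
      - trailing dot: absolute name (FQDN), queried once, suffixes never added
      - no dot: treated as a host name, each suffix is tried first, then the bare name
      - contains a dot: the name is tried as given first, then each suffix in turn
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s.strip('.')}" for s in suffixes]
    if "." not in name:
        return suffixed + [name]
    return [name] + suffixed


def resolve(name, suffixes, lookup):
    """Try each candidate; `lookup(qname)` returns an IP string or None.

    Returns (queried_name, ip) for the first hit, or None if every candidate fails,
    which is the "successful or not" result the resolver hands back to the user program.
    """
    for qname in candidate_names(name, suffixes):
        ip = lookup(qname)
        if ip is not None:
            return qname, ip
    return None


# Constructed zone data standing in for the DNS server's database (example values only).
ZONE = {
    "aabbcc.com": "3.1.1.1",
    "www.aabbcc.com": "3.1.1.2",
    "aabbcc.lab": "10.0.0.5",  # a second zone that can answer the same short name
}


def zone_lookup(qname):
    """Stand-in for the server round trip: absolute and relative spellings hit the same record."""
    return ZONE.get(qname.rstrip("."))
```

With the suffix list ["com"], typing aabbcc resolves through aabbcc.com; with ["lab", "com"] the same short name resolves through aabbcc.lab. The order of the dns domain entries therefore decides which zone answers, so list only zones you operate, and use a trailing dot in scripts and automation so that no suffix is ever appended.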
The device supports static and dynamic DNS client services.
NOTE:
If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP
address of the host.
DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
As shown in Figure 34, a DNS client sends a DNS request to the DNS proxy, which forwards the request
to the designated DNS server, and then conveys the reply from the DNS server to the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you can
change the configuration on only the DNS proxy instead of on each DNS client.
Figure 34 DNS proxy networking application
A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3. If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.
4. After receiving a reply from the DNS server, the DNS proxy records the IP address-to-domain name mapping and forwards the reply to the DNS client.
With no DNS server or route to a DNS server specified, the DNS proxy neither forwards DNS requests nor answers requests from the DNS clients.
DNS spoofing
Figure 35 Application of DNS spoofing
DNS spoofing is applied to the dial-up network, as shown in Figure 35.
• The device connects to the PSTN/ISDN network through a dial-up interface and triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface.
• The device serves as a DNS proxy and is specified as the DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
• Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server if it cannot find a match in the local domain name resolution table. However, without any dial-up connection established, the device cannot obtain the DNS server address, so it can neither forward nor answer the requests from the clients. The domain name cannot be resolved, and no traffic triggers the establishment of a dial-up connection.
DNS spoofing solves this problem. With DNS spoofing enabled, the device replies to the DNS client with a configured IP address when the device has no DNS server address or no route to a DNS server. Subsequent packets sent by the DNS client to that address trigger the establishment of a dial-up connection with the network.
In the network of Figure 35, a host accesses the HTTP server in the following steps:
1. The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.
2. Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. If no match is found and the device does not know the DNS server address, the device spoofs the host by replying with the configured IP address. The TTL of the DNS reply is 0. The device must have a route to that IP address with the dial-up interface as the output interface.
Because the IP address configured with DNS spoofing is not the actual IP address of the requested domain name, the TTL of the DNS reply is set to 0 so that the DNS client does not cache an incorrect domain name-to-IP address mapping.
3. Upon receiving the reply, the host sends an HTTP request to the replied IP address.
4. When forwarding the HTTP request through the dial-up interface, the device establishes a dial-up connection with the network and dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
5. When the DNS reply ages out, the host sends a DNS request to the device again.
6. The device then operates the same as a DNS proxy. For more information, see "DNS proxy."
7. After obtaining the IP address of the HTTP server, the host can access the HTTP server.
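The proxy lookup order (static table, dynamic cache, then the configured server) and the TTL 0 spoofed reply are the two details that are easy to get wrong when building or testing such a proxy. The following Python is an added example (not part of this guide or of the device software) that encodes a query, applies the decision described in the "DNS proxy" and "DNS spoofing" sections, and builds and parses the A-record replies at the wire level. The DnsProxy class, its method names and the STATIC_TTL value are this example's own assumptions; all packets are constructed in the example.

```python
import ipaddress
import struct

STATIC_TTL = 3600  # assumption: the guide does not say what TTL a static (ip host) entry is answered with


def encode_name(name):
    """Encode a domain name as DNS labels (RFC 1035 section 3.1)."""
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name at offset `off`; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query with one question, as a host would send to the proxy."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_a_reply(query, ip, ttl):
    """Answer `query` with a single A record; the question section is copied verbatim."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = read_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)  # name = pointer to offset 12, A, IN, TTL, RDLENGTH
    return header + question + rr + ipaddress.IPv4Address(ip).packed


def parse_a_reply(reply):
    """Return [(name, ip, ttl), ...] for the A records in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", reply[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(reply, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(reply, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:
            answers.append((name, str(ipaddress.IPv4Address(reply[off:off + rdlen])), ttl))
        off += rdlen
    return answers


class DnsProxy:
    """Decision logic of proxy steps 1 to 4 plus DNS spoofing when no server is known."""

    def __init__(self, static_table, dns_servers, spoof_ip=None):
        self.static = dict(static_table)   # ip host entries: name -> address
        self.cache = {}                    # dynamic entries learned from server replies: name -> (address, ttl)
        self.servers = list(dns_servers)   # dns server addresses, highest priority first
        self.spoof_ip = spoof_ip           # dns spoofing address, None when not configured

    def handle(self, query):
        """Return ("reply", packet) to answer locally, ("forward", server) to relay, or ("drop", None)."""
        name, _ = read_name(query, 12)
        if name in self.static:
            return "reply", build_a_reply(query, self.static[name], STATIC_TTL)
        if name in self.cache:
            ip, ttl = self.cache[name]
            return "reply", build_a_reply(query, ip, ttl)
        if self.servers:
            return "forward", self.servers[0]
        if self.spoof_ip is not None:
            # No server known: spoof with TTL 0 so the client uses the address once and never caches it.
            return "reply", build_a_reply(query, self.spoof_ip, 0)
        return "drop", None  # no server and no spoofing: the proxy neither forwards nor answers

    def learn(self, server_reply):
        """Record the mapping from a server reply before relaying it to the client (step 4)."""
        for name, ip, ttl in parse_a_reply(server_reply):
            if ttl > 0:  # a TTL of 0 is a use-once answer and must not enter the cache
                self.cache[name] = (ip, ttl)
```

A real proxy must also match the transaction ID and the question of a server reply against the outstanding client request before calling learn(); accepting any reply that arrives is how a poisoned entry gets into the dynamic table.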
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and
IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by
using host names instead of IPv4 addresses.
To configure static domain name resolution:
166. Enter system view.
  Command: system-view
  Remarks: N/A
167. Configure a mapping between a host name and an IPv4 address.
  Command: ip host hostname ip-address
  Remarks: Not configured by default. The IPv4 address you last assign to the host name overwrites the previous one if there is any. You may create up to 50 static mappings between domain names and IPv4 addresses.
Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution
and configure a DNS server.
In addition, you can configure a DNS suffix that the system automatically adds to the provided domain
name for resolution.
Configuration guidelines
Follow these guidelines when you configure dynamic domain name resolution:
• You can configure up to six DNS servers, including those with IPv6 addresses, in system view, and up to six DNS servers on all interfaces of a device.
• A DNS server configured in system view has a higher priority than one configured in interface view. A DNS server configured earlier has a higher priority than one configured later in the same view. A DNS server manually configured has a higher priority than one dynamically obtained through DHCP. A name query request is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on in turn.
• You can specify up to ten DNS suffixes.
Configuration procedure
To configure dynamic domain name resolution:
168. Enter system view.
  Command: system-view
  Remarks: N/A
169. Enable dynamic domain name resolution.
  Command: dns resolve
  Remarks: Disabled by default.
170. Specify a DNS server.
  Command: Method 1 (in system view): dns server ip-address
           Method 2 (in interface view): a. interface interface-type interface-number; b. dns server ip-address; c. quit
  Remarks: Use at least one method. No DNS server is specified by default.
171. Configure a DNS suffix.
  Command: dns domain domain-name
  Remarks: Optional. By default, no DNS suffix is configured and only the provided domain name is resolved.
Configuring the DNS proxy
You can specify multiple DNS servers. Upon receiving a name query request from a client, the DNS proxy forwards the request to the DNS server that has the highest priority. If it receives no reply, it forwards the request to the DNS server that has the second highest priority, and so on in turn.
To configure the DNS proxy:
172. Enter system view.
  Command: system-view
  Remarks: N/A
173. Enable DNS proxy.
  Command: dns proxy enable
  Remarks: Disabled by default.
174. Specify a DNS server.
  Command: Method 1 (in system view): dns server ip-address
           Method 2 (in interface view): a. interface interface-type interface-number; b. dns server ip-address
  Remarks: Use at least one method. No DNS server is specified by default.
Configuring DNS spoofing
DNS spoofing is effective only when:
• The DNS proxy is enabled on the device.
• No DNS server or route to any DNS server is specified on the device.
To configure DNS spoofing:
175. Enter system view.
  Command: system-view
  Remarks: N/A
176. Enable DNS spoofing and specify the translated IP address.
  Command: dns spoofing ip-address
  Remarks: Disabled by default.
Specifying the source interface for DNS packets
By default, the device uses the primary IP address of the output interface of the matching route as the
source IP address of a DNS request. Therefore, the source IP address of the DNS packets might vary with
DNS servers. In some scenarios, the DNS server only responds to DNS requests sourced from a specific
IP address. In such cases, you must specify the source interface for the DNS packets so that the device
can always use the primary IP address of the specified source interface as the source IP address of DNS
packets.
To specify the source interface for DNS packets:
177. Enter system view.
  Command: system-view
  Remarks: N/A
178. Specify the source interface for DNS packets.
  Command: dns source-interface interface-type interface-number
  Remarks: By default, no source interface for DNS packets is specified. The device uses the primary IP address of the output interface of the matching route as the source IP address of a DNS request.
Displaying and maintaining IPv4 DNS
Task: Display the static IPv4 domain name resolution table.
  Command: display ip host [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display IPv4 DNS server information.
  Command: display dns server [ dynamic ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display DNS suffixes.
  Command: display dns domain [ dynamic ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about the dynamic IPv4 domain name cache.
  Command: display dns host ip [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear information about the dynamic IPv4 domain name cache.
  Command: reset dns host ip
  Remarks: Available in user view.
IPv4 DNS configuration examples
Static domain name resolution configuration example
Network requirements
As shown in Figure 36, the device wants to access the host by using an easy-to-remember domain name
rather than an IP address.
Configure static domain name resolution on the device so that the device can use the domain name
host.com to access the host whose IP address is 10.1.1.2.
Figure 36 Network diagram
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
<Sysname> system-view
[Sysname] ip host host.com 10.1.1.2
# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
PING host.com (10.1.1.2): 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/4 ms
Dynamic domain name resolution configuration example
Network requirements
As shown in Figure 37, the device wants to access the host by using an easy-to-remember domain name
rather than an IP address, and to request the DNS server on the network for an IP address by using
dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has
a com domain, which stores the mapping between domain name host and IP address 3.1.1.1/16.
Configure dynamic domain name resolution and the domain name suffix com on the device that serves
as a DNS client so that the device can use domain name host to access the host with the domain name
host.com and the IP address 3.1.1.1/16.
Figure 37 Network diagram
Configuration procedure
Before performing the following configuration, make sure the device and the host are accessible to each other through available routes, and that the IP addresses of the interfaces are configured as shown in Figure 37.
This configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.
1. Configure the DNS server:
a. Select Start > Programs > Administrative Tools > DNS.
The DNS server configuration page appears, as shown in Figure 38.
b. Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.
Figure 38 Creating a zone
c. On the DNS server configuration page, right-click zone com, and select New Host.
Figure 39 Adding a host
d. On the page that appears, enter host name host and IP address 3.1.1.1.
e. Click Add Host.
The mapping between the IP address and host name is created.
Figure 40 Adding a mapping between domain name and IP address
2. Configure the DNS client:
# Enable dynamic domain name resolution.
<Sysname> system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the
host is normal and that the corresponding destination IP address is 3.1.1.1.
[Sysname] ping host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
DNS proxy configuration example
Network requirements
When the IP address of the DNS server changes, you must configure the new IP address of the DNS
server on each device on the LAN. To simplify network management, you can use the DNS proxy
function.
As shown in Figure 41:
• Specify Device A as the DNS server of Device B (the DNS client). Device A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.
• Configure the IP address of the DNS proxy on Device B. DNS requests of Device B are forwarded to the real DNS server through the DNS proxy.
Figure 41 Network diagram
Configuration procedure
Before performing the following configuration, assume that Device A, the DNS server, and the host are
reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 41.
1. Configure the DNS server:
This configuration might vary with DNS servers. When a PC running Windows Server 2000 acts as the DNS server, see "Dynamic domain name resolution configuration example" for related configuration information.
2. Configure the DNS proxy:
# Specify the DNS server 4.1.1.1.
<DeviceA> system-view
[DeviceA] dns server 4.1.1.1
# Enable DNS proxy.
[DeviceA] dns proxy enable
3. Configure the DNS client:
# Enable the domain name resolution function.
<DeviceB> system-view
[DeviceB] dns resolve
# Specify the DNS server 2.1.1.2.
[DeviceB] dns server 2.1.1.2
Verifying the configuration
# Execute the ping host.com command on Device B to verify that the communication between the device
and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[DeviceB] ping host.com
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
Troubleshooting IPv4 DNS configuration
Symptom
After enabling dynamic domain name resolution, the user cannot get the correct IP address.
Solution
1. Use the display dns host ip command to verify that the specified domain name is in the cache.
2. If the specified domain name does not exist, check that dynamic domain name resolution is enabled and that the DNS client can communicate with the DNS server.
3. If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.
4. Verify that the mapping between the domain name and IP address is correct on the DNS server.
Configuring DDNS
Overview
Although DNS allows you to access nodes in networks using their domain names, it provides only the
static mappings between domain names and IP addresses. When you use the domain name to access
a node whose IP address has changed, your access fails because DNS leads you to the IP address that
is no longer where the node resides.
Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names
and IP addresses for DNS servers to direct you to the latest IP address corresponding to a domain name.
Because DDNS is supported by IPv4 DNS but not supported by IPv6 DNS, it can be used to update the
mappings between domain names and IPv4 addresses only.
DDNS networking application
As shown in Figure 42, DDNS works on the client-server model.
• DDNS client—A device that needs to dynamically update the mapping between the domain name and the IP address on the DNS server when the client's IP address changes. An Internet user typically uses the domain name to access an application layer server such as an HTTP server or an FTP server. When its IP address changes, the application layer server runs as a DDNS client that sends a request to the DDNS server to update the mapping between the domain name and the IP address.
• DDNS server—Informs the DNS server of latest mappings. When receiving the mapping update request from a DDNS client, the DDNS server tells the DNS server to re-map between the domain name and the IP address of the DDNS client. Therefore, the Internet users can use the same domain name to access the DDNS client even if the IP address of the DDNS client has changed.
Figure 42 DDNS networking application
(Figure: an HTTP server acting as the DDNS client, an HTTP client, a DDNS server, and a DNS server connected through an IP network.)
With the DDNS client configured, a device can dynamically update the latest mapping between its
domain name and IP address on the DNS server through DDNS servers at www.3322.org or
www.oray.cn for example.
The DDNS update process does not have a unified standard but depends on the DDNS server that the
DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn
(also known as the PeanutHull server), and www.dyndns.com.
DDNS client configuration task list
Task: Configuring a DDNS policy
  Remarks: Required.
Task: Applying the DDNS policy to an interface
  Remarks: Required.
Configuring a DDNS policy
A DDNS policy contains the DDNS server address, port number, login ID, password, associated SSL client policy, and update interval. After creating a DDNS policy, you can apply it to multiple interfaces to simplify DDNS configuration.
The URL addresses configured for update requests vary by DDNS server.
• When a DDNS client contacts a DDNS server at www.3322.org by using HTTP, the URL address for update requests should be configured as:
http://username:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
• When a DDNS client contacts a PeanutHull DDNS server by using TCP, the URL address for update requests should be configured as:
oray://username:password@phservice2.oray.net
Replace the parameters username and password in the URL with your actual login ID and password
registered at the DDNS service provider's website.
members.3322.org and phservice2.oray.net are the domain names of DDNS servers. The domain
names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net,
ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation.
The system automatically fills <h> with the FQDN that is specified when the DDNS policy is applied to
the interface and automatically fills <a> with the primary IP address of the interface to which the DDNS
policy is applied. You may also manually specify an FQDN and an IP address in <h> and <a>,
respectively. After that, the FQDN that is specified when the DDNS policy is applied becomes ineffective.
HP recommends you do not change <h> and <a> in the URL address because your configuration might
be incorrect. For more information about applying DDNS policies, see "Applying the DDNS policy to an
interface."
NOTE:
An FQDN uniquely identifies a node in the network. An FQDN consists of a local host name and a parent domain name and can be translated into an IP address.
Configuration prerequisites
Visit the website of a DDNS service provider, register an account, and apply for a domain name for the
DDNS client. When the DDNS client updates the mapping between the domain name and the IP address
through the DDNS server, the DDNS server checks whether the account information is correct and
whether the domain name to be updated belongs to the account.
Configuration procedure
To configure a DDNS policy:
179. Enter system view.
  Command: system-view
  Remarks: N/A
180. Create a DDNS policy and enter its view.
  Command: ddns policy policy-name
  Remarks: By default, no DDNS policy is created.
181. Specify a URL address for DDNS update requests.
  Command: url request-url
  Remarks: By default, no URL address is specified for DDNS update requests.
182. Associate an SSL client policy with the DDNS policy.
  Command: ssl client policy policy-name
  Remarks: Optional. By default, no SSL client policy is associated with the DDNS policy. This step is effective, and required, only for HTTPS-based DDNS update requests. For SSL client policy configuration, see Security Configuration Guide.
183. Specify the interval for sending update requests.
  Command: interval days [ hours [ minutes ] ]
  Remarks: Optional. By default, the time interval is one hour.
The URL address for an update request can start with http://, https://, or oray://.
• http:// indicates the HTTP-based DDNS server.
• https:// indicates the HTTPS-based DDNS server.
• oray:// indicates the TCP-based PeanutHull server.
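The update URL carries the account credentials, so how it is built and where it ends up (logs, configuration backups, display output) matters. The following Python is an added example (not part of this guide or of the device software) that fills the <h> and <a> placeholders as described under "Configuring a DDNS policy", flags a template that sends the login ID and password over cleartext HTTP or lacks a placeholder, and redacts the password before the URL is logged. The finding names and the function names are this example's own; the template strings are the ones shown in this section.

```python
from urllib.parse import urlsplit, urlunsplit

# The three URL schemes this section allows for an update request.
SCHEMES = {
    "http": "HTTP-based DDNS server",
    "https": "HTTPS-based DDNS server",
    "oray": "TCP-based PeanutHull server",
}


def fill_update_url(template, fqdn, ip):
    """Substitute <h> with the FQDN from `ddns apply policy ... fqdn` and <a> with the interface's primary IP.

    A template without <h> leaves the applied FQDN unused, which is the situation the guide warns about.
    """
    return template.replace("<h>", fqdn).replace("<a>", ip)


def audit_update_url(template):
    """Return a list of findings for a DDNS update URL template; an empty list means nothing to flag."""
    parts = urlsplit(template)
    findings = []
    if parts.scheme not in SCHEMES:
        findings.append("unsupported-scheme")
        return findings
    if parts.scheme == "http" and parts.password is not None:
        findings.append("cleartext-credentials")  # login ID and password cross the network unprotected
    if parts.scheme in ("http", "https"):
        if "<h>" not in template:
            findings.append("fqdn-placeholder-missing")  # the applied FQDN will be ineffective
        if "<a>" not in template:
            findings.append("ip-placeholder-missing")  # the interface address will not be reported
    return findings


def redact(url):
    """Replace the password with *** so the URL can be logged or displayed safely."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```

Run audit_update_url over every url line before committing a policy: a finding of cleartext-credentials means the https:// form of the same URL, together with an SSL client policy, is the configuration to use.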
Applying the DDNS policy to an interface
After you apply the DDNS policy to an interface and specify the FQDN for update, the DDNS client
sends requests to the DDNS server to update the mapping between the domain name and the primary
IP address of the interface at the specified interval.
Configuration prerequisites
• Specify the primary IP address of the interface and make sure the DDNS server and the interface can reach each other.
• Configure static or dynamic domain name resolution to translate the domain name of the DDNS server into the IPv4 address. For more information, see "Configuring the IPv4 DNS client."
Configuration procedure
To apply the DDNS policy to an interface:
184. Enter system view.
  Command: system-view
  Remarks: N/A
185. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
186. Apply the DDNS policy to the interface to update the mapping between the specified FQDN and the primary IP address of the interface, and enable DDNS update.
  Command: ddns apply policy policy-name [ fqdn domain-name ]
  Remarks: By default, no DDNS policy is applied to the interface, no FQDN is specified for update, and DDNS update is disabled.
If the DDNS service is provided by www.3322.org, the FQDN of the mapping to be updated must be
specified. Otherwise, DDNS update might fail.
If the DDNS server is a PeanutHull server and no FQDN is specified, the DDNS server updates all the
corresponding domain names of the DDNS client account. If an FQDN is specified, the DDNS server
updates only the mapping between the specified FQDN and the primary IP address.
Displaying and maintaining DDNS
Task: Display information of the DDNS policy.
  Command: display ddns policy [ policy-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
DDNS configuration example 1
Network requirements
• As shown in Figure 43, Router is a Web server with the domain name whatever.3322.org.
• Router acquires the IP address through DHCP. Through the DDNS service provided by www.3322.org, Router informs the DNS server of the latest mapping between its domain name and IP address.
• The IP address of the DNS server is 1.1.1.1. Router uses the DNS server to translate www.3322.org into the corresponding IP address.
Figure 43 Network diagram
(Figure: Router, the DDNS client, connects through Eth1/1 to an IP network that reaches the www.3322.org DDNS server and the DNS server at 1.1.1.1.)
Configuration procedure
Before configuring DDNS on Router, register with username steven and password nevets at
http://www.3322.org/, add Router's host name-to-IP address mapping to the DNS server, and make
sure the devices are reachable to each other.
# Create a DDNS policy named 3322.org, and enter its view.
<Router> system-view
[Router] ddns policy 3322.org
# Specify for DDNS update requests the URL address with the login ID steven and password nevets.
[Router-ddns-policy-3322.org] url http://steven:nevets@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
# Set the interval for sending DDNS update requests to 15 minutes.
[Router-ddns-policy-3322.org] interval 0 0 15
[Router-ddns-policy-3322.org] quit
# Enable dynamic domain name resolution on Router.
[Router] dns resolve
# Specify the IP address of the DNS server as 1.1.1.1.
[Router] dns server 1.1.1.1
# Apply DDNS policy 3322.org to interface Ethernet 1/1 to enable DDNS update and dynamically
update the mapping between domain name whatever.3322.org and the primary IP address of Ethernet
1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ddns apply policy 3322.org fqdn whatever.3322.org
After the preceding configuration is completed, Router notifies the DNS server of its new domain
name-to-IP address mapping through the DDNS server provided by www.3322.org, whenever the IP
address of Router changes. Therefore, Router can always provide Web service at whatever.3322.org.
DDNS configuration example 2
Network requirements
As shown in Figure 44, Router is a Web server with domain name whatever.gicp.cn.
Router acquires the IP address through DHCP. Through the PeanutHull server, Router informs the DNS
server of the latest mapping between its domain name and IP address.
The IP address of the DNS server is 1.1.1.1. Router uses the DNS server to translate www.oray.cn into the
corresponding IP address.
Figure 44 Network diagram
(Figure: Router, the DDNS client, connects through Eth1/1 to an IP network that reaches the www.oray.cn DDNS server and the DNS server at 1.1.1.1.)
Configuration procedure
Before configuring DDNS on Router, register with username steven and password nevets at
http://www.oray.cn/, add Router's host name-to-IP address mapping to the DNS server, and make sure
the devices are reachable to each other.
# Create a DDNS policy named oray.cn and enter its view.
<Router> system-view
[Router] ddns policy oray.cn
# Specify for DDNS update requests the URL address with the login ID steven and password nevets.
[Router-ddns-policy-oray.cn] url oray://steven:nevets@phservice2.oray.net
# Set the DDNS update request interval to 12 minutes.
[Router-ddns-policy-oray.cn] interval 0 0 12
[Router-ddns-policy-oray.cn] quit
# Enable dynamic domain name resolution on Router.
[Router] dns resolve
# Specify the IP address of the DNS server as 1.1.1.1.
[Router] dns server 1.1.1.1
# Apply the DDNS policy to interface Ethernet 1/1 to enable DDNS update and dynamically update the
mapping between whatever.gicp.cn and the primary IP address of Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ddns apply policy oray.cn fqdn whatever.gicp.cn
After the preceding configuration is completed, Router notifies the DNS server of its new domain
name-to-IP address mapping through the PeanutHull server, whenever the IP address of Router changes.
Therefore, Router can always provide Web service at whatever.gicp.cn.
Configuring IP addressing
This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.
Overview
This section describes the IP addressing basics.
IP addressing uses a 32-bit address to identify each host on a network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, the address 00001010 00000001 00000001 00000001 in binary is written as 10.1.1.1.
IP address classes
Each IP address breaks down into the following parts:
• Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.
• Host ID—Identifies a host on a network.
IP addresses are divided into five classes, as shown in Figure 45. The shaded areas represent the address
class. The first three classes are widely used.
Figure 45 IP address classes
Table 4 IP address classes and ranges
Class A: 0.0.0.0 to 127.255.255.255
  Remarks: The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
Class B: 128.0.0.0 to 191.255.255.255
  Remarks: N/A
Class C: 192.0.0.0 to 223.255.255.255
  Remarks: N/A
Class D: 224.0.0.0 to 239.255.255.255
  Remarks: Multicast addresses.
Class E: 240.0.0.0 to 255.255.255.255
  Remarks: Reserved for future use except for the broadcast address 255.255.255.255.
Special IP addresses
The following IP addresses are for special use and cannot be used as host IP addresses.
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.
• IP address with an all-zero host ID—Identifies a network.
• IP address with an all-one host ID—Identifies a directed broadcast address. For example, a packet with the destination address of 192.168.1.255 is broadcast to all the hosts on the network 192.168.1.0.
Subnetting and masking
Subnetting divides a network into smaller networks called subnets by using some bits of the host ID to
create a subnet ID.
Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.
(When subnetting is not adopted, a mask identifies the boundary between the net ID and the host ID.)
Each subnet mask is made up of 32 bits, which correspond to the bits in an IP address. In a subnet mask,
consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.
Before being subnetted, Class A, B, and C networks use default masks (also called natural masks)
255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.
Figure 46 shows how a Class B network is subnetted.
Figure 46 Subnetting a Class B network
Subnetting increases the number of addresses that cannot be assigned to hosts. After being subnetted,
a network can accommodate fewer hosts.
For example, a Class B network without subnetting can accommodate 1022 more hosts than the same
network subnetted into 512 subnets.
•
Without subnetting—65534 hosts (2^16 – 2). (The two deducted addresses are the broadcast
address, which has an all-one host ID, and the network address, which has an all-zero host ID.)
•
With subnetting—Using the first 9 bits of the host ID for subnetting provides 512 (2^9) subnets.
However, only 7 bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet,
a total of 64512 hosts (512 × 126).
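The following Python script, added here as an example and not part of the HP guide, puts the class table, the special-address rules and the Class B subnetting arithmetic above into code: it classifies an address, names the special-use forms the text lists, and reproduces the 512-subnet figures. The function names and the returned dictionary layout are this example's own; it uses only the standard library.

```python
"""IPv4 class, natural mask, special-address and subnetting arithmetic.

Added example, not from the HP guide; standard library only. The class
boundaries and natural masks are the ones the text lists.
"""
import ipaddress
from typing import Optional, Tuple

# (class, lowest first octet, highest first octet, natural mask length)
_CLASSES = (
    ("A", 0, 127, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("D", 224, 239, None),   # multicast: no natural mask
    ("E", 240, 255, None),   # reserved
)


def address_class(addr: str) -> Tuple[str, Optional[int]]:
    """Return (class letter, natural mask length or None for D/E)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for letter, low, high, natural in _CLASSES:
        if low <= first_octet <= high:
            return letter, natural
    raise ValueError(addr)


def special_address(addr: str, prefix_len: int) -> Optional[str]:
    """Name the special-use form of addr, or None if it is a usable host address.

    prefix_len is the boundary between net ID (plus subnet ID) and host ID,
    that is, the number of leading one bits in the mask.
    """
    ip = int(ipaddress.IPv4Address(addr))
    first_octet = ip >> 24
    if first_octet == 127:
        return "loopback"
    if ip == 0xFFFFFFFF:
        return "limited broadcast"
    if 224 <= first_octet <= 239:
        return "multicast"
    if first_octet >= 240:
        return "reserved (class E)"
    host_bits = 32 - prefix_len
    host_mask = (1 << host_bits) - 1
    if ip >> host_bits == 0:
        return "host on local network (all-zero net ID)"
    if ip & host_mask == 0:
        return "network address (all-zero host ID)"
    if ip & host_mask == host_mask:
        return "directed broadcast (all-one host ID)"
    return None


def subnet_plan(network: str, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the host ID of a classful network.

    Returns the figures the text derives for the Class B example: number
    of subnets, usable hosts per subnet, total usable hosts, the hosts the
    unsubnetted network would hold, and the resulting subnet mask.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    _, natural = address_class(str(net.network_address))
    if natural is None or net.prefixlen != natural:
        raise ValueError("expected a class A, B or C network with its natural mask")
    host_bits = 32 - natural - subnet_bits
    if host_bits < 2:
        raise ValueError("no usable host addresses would remain")
    subnets = 1 << subnet_bits
    hosts_per_subnet = (1 << host_bits) - 2          # minus network and broadcast
    return {
        "mask": str(ipaddress.IPv4Network(f"0.0.0.0/{natural + subnet_bits}").netmask),
        "subnets": subnets,
        "hosts_per_subnet": hosts_per_subnet,
        "total_hosts": subnets * hosts_per_subnet,
        "unsubnetted_hosts": (1 << (32 - natural)) - 2,
    }


if __name__ == "__main__":
    print(address_class("172.16.1.1"), special_address("192.168.1.255", 24))
    print(subnet_plan("172.16.0.0/16", 9))
```

Running the script with the Class B network from the text gives 512 subnets of 126 hosts (64512 in total, 1022 fewer than the 65534 of the unsubnetted network) under mask 255.255.255.128.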
Assigning an IP address to an interface
You can assign an interface one primary address and multiple secondary addresses.
Generally, you only need to assign the primary address to an interface. In some cases, you must assign
secondary IP addresses to the interface. For example, if the interface connects to two subnets, to enable
the device to communicate with all hosts on the LAN, assign a primary IP address and a secondary IP
address to the interface.
Configuration guidelines
Follow these guidelines when you assign an IP address to an interface:
•
Each interface has only one primary IP address. A newly configured primary IP address overwrites
the previous one.
•
You cannot assign secondary IP addresses to an interface that obtains an IP address through
BOOTP, DHCP, PPP address negotiation, or IP unnumbered.
•
The primary and secondary IP addresses you assign to the interface can be located on the same
subnet, but different interfaces on your device must reside on different subnets.
•
You can manually assign an IP address to an interface, or configure the interface to obtain an IP
address through BOOTP, DHCP, or PPP address negotiation. If you change the way an interface
obtains an IP address, the new IP address overwrites the previous one.
Configuration procedure
To assign an IP address to an interface:
Step                                          Command                                               Remarks
187. Enter system view.                       system-view                                           N/A
188. Enter interface view.                    interface interface-type interface-number             N/A
189. Assign an IP address to the interface.   ip address ip-address { mask-length | mask } [ sub ]  By default, no IP address is assigned to any interface.
Configuration example
Network requirements
As shown in Figure 47, Ethernet 1/1 on the router is connected to a LAN comprising two segments:
172.16.1.0/24 and 172.16.2.0/24.
To enable the hosts on the two subnets to communicate with the external network through the router, and
to enable the hosts on the two subnets to communicate with each other:
•
Assign a primary IP address and a secondary IP address to Ethernet 1/1 on the router.
•
Set the primary IP address of the router as the gateway address of the hosts on subnet
172.16.1.0/24, and the secondary IP address of the router as the gateway address of the hosts on
subnet 172.16.2.0/24.
Figure 47 Network diagram
Configuration procedure
# Assign a primary IP address and a secondary IP address to Ethernet 1/1.
<Router> system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 172.16.1.1 255.255.255.0
[Router-Ethernet1/1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the hosts attached to subnet 172.16.1.0/24, and to 172.16.2.1
on the hosts attached to subnet 172.16.2.0/24.
# Ping a host on subnet 172.16.1.0/24 from the router to verify the connectivity.
<Router> ping 172.16.1.2
  PING 172.16.1.2: 56  data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
  --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms
The output shows that the router can communicate with the host on subnet 172.16.1.0/24.
# Ping a host on subnet 172.16.2.0/24 from the router to verify the connectivity.
<Router> ping 172.16.2.2
  PING 172.16.2.2: 56  data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms
The output shows that the router can communicate with the host on subnet 172.16.2.0/24.
# Ping a host on subnet 172.16.1.0/24 from a host on subnet 172.16.2.0/24 to verify the connectivity.
Host B can be successfully pinged from Host A.
Configuring IP unnumbered
To enable IP on an interface, you normally must assign the interface a unique IP address. Instead, you
can let the interface borrow an IP address already configured on another interface of the device. This is
called "IP unnumbered," and the interface that borrows the IP address is called an "IP unnumbered interface."
Use IP unnumbered to save IP addresses when available IP addresses are inadequate or when an interface
is brought up only for occasional use.
Configuration guidelines
Follow these guidelines when you configure IP unnumbered:
•
Serial, dialer, POS, and ATM interfaces can borrow IP addresses from Layer 3 Ethernet interfaces or
other interfaces.
•
Layer 3 Ethernet interfaces and loopback interfaces cannot borrow IP addresses of other interfaces,
but other interfaces can borrow IP addresses of these interfaces.
•
An interface cannot borrow an IP address from an unnumbered interface.
•
Multiple interfaces can use the same unnumbered IP address.
•
If an interface has multiple IP addresses, only the primary IP address can be borrowed.
•
The IP address of the borrowing interface varies with that of the borrowed interface. If an IP address
is configured for the borrowed interface, the IP address of the borrowing interface is the same as
that of the borrowed interface. If no IP address is configured for the borrowed interface, no IP
address is assigned to the borrowing interface.
Configuration prerequisites
Assign a primary IP address to the interface from which you want to borrow the IP address. Alternatively,
you may configure the interface to obtain one through BOOTP, DHCP, or PPP address negotiation.
Configuration procedure
To configure IP unnumbered on an interface:
Step                                                                                      Command                                                          Remarks
190. Enter system view.                                                                   system-view                                                      N/A
191. Enter interface view.                                                                interface interface-type interface-number                        N/A
192. Specify the current interface to borrow the IP address of the specified interface.   ip address unnumbered interface interface-type interface-number  The interface does not borrow IP addresses from other interfaces by default.
Configuration example
Network requirements
As shown in Figure 48, two routers on an intranet are connected to each other through serial interfaces
across a Digital Data Network (DDN), and they each connect to a LAN through Ethernet interfaces.
To save IP addresses, configure the serial interfaces to borrow IP addresses from the Ethernet interfaces.
Figure 48 Network diagram
Configuration procedure
1.
Configure Router A:
# Assign a primary IP address to Ethernet 1/1.
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 172.16.10.1 255.255.255.0
[RouterA-Ethernet1/1] quit
# Configure Serial 2/1 to borrow an IP address from Ethernet 1/1.
[RouterA] interface serial 2/1
[RouterA-Serial2/1] ip address unnumbered interface ethernet 1/1
[RouterA-Serial2/1] quit
# Create a route to the subnet attached to Router B, specifying interface Serial 2/1 as the outgoing
interface.
[RouterA] ip route-static 172.16.20.0 255.255.255.0 serial 2/1
2.
Configure Router B:
# Assign a primary IP address to Ethernet 1/1.
<RouterB> system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 172.16.20.1 255.255.255.0
[RouterB-Ethernet1/1] quit
# Configure interface Serial 2/1 to borrow an IP address from Ethernet 1/1.
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ip address unnumbered interface ethernet 1/1
[RouterB-Serial2/1] quit
# Create a route to the subnet attached to Router A, specifying interface Serial 2/1 as the
outgoing interface.
[RouterB] ip route-static 172.16.10.0 255.255.255.0 serial 2/1
3.
Ping a host attached to Router B from Router A to verify the configuration.
[RouterA] ping 172.16.20.2
  PING 172.16.20.2: 56  data bytes, press CTRL_C to break
    Reply from 172.16.20.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.20.2: bytes=56 Sequence=2 ttl=255 time=25 ms
    Reply from 172.16.20.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.20.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.20.2: bytes=56 Sequence=5 ttl=255 time=26 ms
  --- 172.16.20.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms
The output shows that the host can be pinged.
Displaying and maintaining IP addressing
Task                                                                                                       Command                                                                                                                    Remarks
Display IP configuration information about a specific Layer 3 interface or all Layer 3 interfaces.         display ip interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]            Available in any view.
Display brief IP configuration information about a specific Layer 3 interface or all Layer 3 interfaces.   display ip interface [ interface-type [ interface-number ] ] brief [ | { begin | exclude | include } regular-expression ]  Available in any view.
Configuring fast forwarding
Overview
Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a
high-speed cache and data-flow-based technology. It uses a five-tuple (source IP address, source port
number, destination IP address, destination port number, and protocol number) to identify a data flow.
After the first packet of a flow is forwarded through the routing table, fast forwarding creates an entry for
the flow and uses the entry to forward subsequent packets of the flow.
Fast forwarding can process fragmented IP packets, but it does not fragment IP packets.
Some features, such as packet queue management and header compression, can decrease fast
forwarding performance.
Fast forwarding is supported:
•
On all kinds of high-speed interfaces (including subinterfaces), such as Ethernet, synchronous PPP,
Frame Relay and HDLC interfaces.
•
On PPP MP links.
•
On IPHC compression or VJ compression enabled PPP links.
•
When packet filtering is configured.
•
When Application Specific Packet Filter (ASPF) is configured.
•
When Network Address Translation (NAT) is configured.
•
When Generic Routing Encapsulation (GRE) is configured.
Configuration guidelines
Follow these guidelines when you configure fast forwarding:
•
To enable per-packet load balancing, you must disable fast forwarding in the corresponding
direction of related interfaces.
•
The interface on which fast forwarding is enabled stops sending ICMP redirect messages.
•
After fast forwarding is enabled on an interface, no IP packet debugging information is displayed
for the interface by using the debugging ip packet command.
•
To implement fast forwarding for a single data flow, enable fast forwarding in the inbound direction
of the incoming interface and in the outbound direction of the outgoing interface.
•
When a routing interface is different from its physical interface on links such as MP links or PPPoE
links, whether fast forwarding is enabled or not on the physical interface does not affect fast
forwarding on the routing interface.
Configuration procedure
To configure fast forwarding:
Step                                                                                    Command                                     Remarks
193. Enter system view.                                                                 system-view                                 N/A
194. Enter interface view.                                                              interface interface-type interface-number   N/A
195. Enable fast forwarding on the interface in the inbound and/or outbound direction.  ip fast-forwarding [ inbound | outbound ]   Optional. By default, fast forwarding is enabled in the inbound and outbound directions.
Displaying and maintaining fast forwarding
Task                                                 Command                                                                                                Remarks
Display information in the fast forwarding table.    display ip fast-forwarding cache [ ip-address ] [ | { begin | exclude | include } regular-expression ]   Available in any view.
Clear information in the fast forwarding table.      reset ip fast-forwarding cache                                                                         Available in user view.
Fast forwarding configuration example
Network requirements
As shown in Figure 49, enable fast forwarding on the devices.
Figure 49 Network diagram
Configuration procedure
Configuring Router A
# Configure the IP address of Ethernet 1/1. By default, fast forwarding is enabled in the inbound and
outbound directions.
<RouterA> system-view
[RouterA] interface ethernet1/1
[RouterA-Ethernet1/1] ip address 11.1.1.1 255.0.0.0
[RouterA-Ethernet1/1] quit
# Configure a static route.
[RouterA] ip route-static 22.1.1.0 255.0.0.0 11.1.1.2
Configuring Router C
# Configure the IP address of interface Serial 2/1. By default, fast forwarding is enabled in the inbound
and outbound directions.
<RouterC> system-view
[RouterC] interface serial2/1
[RouterC-Serial2/1] ip address 22.1.1.2 255.0.0.0
[RouterC-Serial2/1] quit
# Configure a static route.
[RouterC] ip route-static 11.1.1.0 255.0.0.0 22.1.1.1
Configuring Router B
# Configure IP addresses of interfaces Ethernet 1/1 and Serial 2/1. By default, fast forwarding is
enabled in the inbound and outbound directions.
<RouterB> system-view
[RouterB] interface ethernet1/1
[RouterB-Ethernet1/1] ip address 11.1.1.2 255.0.0.0
[RouterB-Ethernet1/1] quit
[RouterB] interface serial2/1
[RouterB-Serial2/1] ip address 22.1.1.1 255.0.0.0
[RouterB-Serial2/1] quit
Verifying the configuration
# Display the fast forwarding table on Router B.
[RouterB] display ip fast-forwarding cache
[RouterB]
The output shows that no fast forwarding entry exists.
# Ping the IP address of Serial 2/1 of Router C from Router A. Reply packets can be received.
[RouterA] ping 22.1.1.2
  PING 22.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 22.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms
    Reply from 22.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 22.1.1.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 22.1.1.2: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 22.1.1.2: bytes=56 Sequence=5 ttl=254 time=2 ms
  --- 22.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms
# Display the fast forwarding table on Router B.
<RouterB> display ip fast-forwarding cache
Fast-Forwarding cache:                  total 2 items
Index   SIP       SPort  DIP       DPort  Pro  Input_If  Output_If  Flg
423 :0  22.1.1.2  0      11.1.1.1  0      1    S2/1      Eth1/1     7
507 :0  11.1.1.1  8      22.1.1.2  0      1    Eth1/1    S2/1       7
The output shows that fast forwarding entries have been created.
Optimizing IP performance
This chapter describes multiple features for IP performance optimization.
Enabling forwarding of directed broadcasts to a
directly connected network
A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address
of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all
ones.
If a device is allowed to forward directed broadcasts to a directly connected network, attackers can abuse
the feature: a directed broadcast sent with a spoofed source address makes every host on the target network
reply to the spoofed victim, so the device acts as a traffic amplifier against the target network. Leave the
feature disabled unless one of the following functions requires it:
•
UDP Helper—Converts broadcasts to unicasts and forwards them to a specific server.
•
Wake on LAN—Forwards directed broadcasts to wake up a specific host.
Enabling forwarding of directed broadcasts to a directly
connected network
Follow these guidelines when you enable the device to forward directed broadcasts:
•
If an ACL is referenced in the ip forward-broadcast command, only packets permitted by the ACL
can be forwarded.
•
If you execute the ip forward-broadcast command multiple times on an interface, the most recent
configuration takes effect. If the command executed last does not include acl acl-number, the ACL
configured previously is removed.
To enable the device to forward directed broadcasts:
Step                                                        Command                                     Remarks
196. Enter system view.                                     system-view                                 N/A
197. Enter interface view.                                  interface interface-type interface-number   N/A
198. Enable the interface to forward directed broadcasts.   ip forward-broadcast [ acl acl-number ]     Disabled by default.
Forwarding directed broadcasts configuration example
Network requirements
As shown in Figure 50:
•
The host Administrator and Ethernet 1/1 of Router are in the same subnet 1.1.1.0/24.
•
The interface Ethernet 1/2 of Router and user hosts (Host A, Host B, and Host C) are in another
subnet 2.2.2.0/24.
•
The default gateway of Administrator is the IP address 1.1.1.2/24 of the interface Ethernet 1/1 of
Router.
•
The default gateway of Host A, Host B and Host C is the IP address 2.2.2.2/24 of the interface
Ethernet 1/2 of Router.
Configure forwarding of directed broadcasts so that user hosts can receive directed broadcasts from the
Administrator to implement Wake on LAN.
Figure 50 Network diagram (Administrator, 1.1.1.1/24, connects to Eth1/1, 1.1.1.2/24, of Router; Eth1/2, 2.2.2.2/24, of Router connects to Host A, Host B, and Host C)
Configuration procedure
# Configure IP addresses for Ethernet 1/1 and Ethernet 1/2.
<Router> system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 1.1.1.2 24
[Router-Ethernet1/1] quit
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 2.2.2.2 24
# Enable Ethernet 1/2 to forward directed broadcasts.
[Router-Ethernet1/2] ip forward-broadcast
After the configurations, if you send a packet whose destination address is the subnet-directed broadcast
address (2.2.2.255) from Administrator, the packet can be received by the user hosts.
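The following Python model, added here as an example and not HP code, encodes the decision the text describes for a packet leaving an interface: a subnet-directed broadcast is dropped unless ip forward-broadcast is configured on the egress interface, and when an ACL is referenced only sources the ACL permits are forwarded; re-executing the command without acl removes the ACL. The Interface and Rule records, the first-match-then-deny ACL semantics, and the addresses taken from the topology above are assumptions of this model.

```python
"""Forwarding decision for subnet-directed broadcasts on an egress interface,
following the semantics the text gives for ip forward-broadcast [ acl acl-number ].

Added example, not HP code. The interface and packet records, the ACL shape
(ordered (action, source prefix) rules, first match wins, no match denies)
and the topology values are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[str, str]   # ("permit" | "deny", source prefix such as "1.1.1.0/24")


@dataclass
class Interface:
    name: str
    address: str                       # e.g. "2.2.2.2/24"
    forward_broadcast: bool = False    # disabled by default, as the text states
    acl: Optional[List[Rule]] = None   # None: no ACL referenced, forward everything

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Interface(self.address).network


def configure_forward_broadcast(iface: Interface, acl: Optional[List[Rule]] = None) -> None:
    """Emulates executing ip forward-broadcast [ acl acl-number ] on iface.

    The most recent execution takes effect; executing the command without
    acl removes an ACL configured earlier.
    """
    iface.forward_broadcast = True
    iface.acl = acl


def is_directed_broadcast(dst: str, iface: Interface) -> bool:
    """True when dst is the all-ones host address of iface's connected network."""
    return ipaddress.IPv4Address(dst) == iface.network.broadcast_address


def acl_permits(acl: Optional[List[Rule]], src: str) -> bool:
    """First-match evaluation; an ACL that matches nothing denies (assumption)."""
    if acl is None:
        return True
    src_ip = ipaddress.IPv4Address(src)
    for action, prefix in acl:
        if src_ip in ipaddress.IPv4Network(prefix):
            return action == "permit"
    return False


def forward_decision(egress: Interface, src: str, dst: str) -> str:
    """Classify a packet routed out of egress: 'forward', a 'drop:...' reason,
    or 'not-broadcast' when dst is an ordinary address on that network."""
    if not is_directed_broadcast(dst, egress):
        return "not-broadcast"
    if not egress.forward_broadcast:
        return "drop:feature-disabled"
    if not acl_permits(egress.acl, src):
        return "drop:acl"
    return "forward"


if __name__ == "__main__":
    eth1_2 = Interface("Ethernet1/2", "2.2.2.2/24")
    print(forward_decision(eth1_2, "1.1.1.1", "2.2.2.255"))       # dropped: default
    configure_forward_broadcast(eth1_2, acl=[("permit", "1.1.1.0/24")])
    print(forward_decision(eth1_2, "1.1.1.1", "2.2.2.255"))       # forwarded
    print(forward_decision(eth1_2, "203.0.113.9", "2.2.2.255"))   # dropped by ACL
```

Referencing an ACL that permits only the Administrator's subnet is the practical mitigation for the amplification risk described above: Wake on LAN still works, but a directed broadcast from any other source is dropped at the egress interface.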
Configuring TCP attributes
This section provides information about configuring TCP attributes.
Configuring TCP MSS for the interface
The Max Segment Size (MSS) option tells the other end the largest TCP segment that the sender of the
option is willing to receive. Each end announces the MSS it expects to receive during TCP connection
establishment, and the end that receives the value then limits the size of each TCP segment it sends:
•
If the data to send does not exceed the MSS advertised by the other end, it is sent as a single TCP
segment.
•
Otherwise, it is split into multiple segments, each no larger than that MSS, before being sent.
Follow these guidelines when you configure the TCP MSS of an interface:
•
If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the
interface cannot exceed the MSS value.
•
This configuration takes effect only for TCP connections established after the configuration, not for
TCP connections that already exist.
•
This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not
configure the TCP MSS on the interface.
To configure TCP MSS of the interface:
Step                                          Command                                     Remarks
199. Enter system view.                       system-view                                 N/A
200. Enter interface view.                    interface interface-type interface-number   N/A
201. Configure the TCP MSS of the interface.  tcp mss value                               Optional. The TCP MSS is 1460 bytes by default.
Configuring TCP path MTU discovery
CAUTION:
All devices on the TCP path must be enabled to send ICMP error messages by using the ip unreachables
enable command.
TCP path MTU discovery (in RFC 1191) discovers the path MTU between the source and destination ends
of a TCP connection. It works as follows:
1.
A TCP source device sends a packet with the Don't Fragment (DF) bit set.
2.
A router that fails to forward the packet because it exceeds the MTU on the outgoing interface
discards the packet and returns an ICMP error message, which contains the MTU of the outgoing
interface.
3.
Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the
TCP connection.
4.
The TCP source device sends subsequent TCP segments that each are no larger than the MSS
(MSS = path MTU – IP header length – TCP header length).
NOTE:
• If the TCP source device keeps receiving ICMP error messages after the MSS has been reduced to the
32-byte minimum, the TCP source device fragments the packets instead.
• An ICMP error message received from a router that does not support RFC 1191 has the MTU of the
outgoing interface set to 0. Upon receiving such an ICMP message, the TCP source device selects the next
path MTU smaller than the current path MTU from the MTU table in RFC 1191 to calculate the TCP MSS.
The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, and
65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU
is 72 bytes (32 bytes plus a 20-byte IP header and a 20-byte TCP header).
After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses
the path MTU to calculate the MSS to avoid IP fragmentation.
The path MTU uses an aging mechanism to make sure the source device can increase the path MTU
when the minimum link MTU on the path increases:
•
When the TCP source device receives an ICMP error message, it reduces the path MTU and starts
an age timer for the path MTU.
•
After the age timer expires, the source device uses a larger MSS in the MTU table as described in
RFC 1191.
•
If no ICMP error message is received within 2 minutes, the source device increases the MSS again
until the MSS is as large as the MSS negotiated during TCP three-way handshake.
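As an added example (not HP code), the following Python state machine applies the rules above: an ICMP "fragmentation needed" message lowers the path MTU, a next-hop MTU of 0 from a router without RFC 1191 support selects the next smaller plateau from the MTU table in the NOTE, the MSS is clamped at the 32-byte minimum (72-byte MTU), and each expiry of the age timer steps the MTU back up one plateau until the MSS negotiated in the three-way handshake is reached. The PathMtuState class, the 20-byte IP and TCP headers used for the MTU/MSS conversion and the 1460-byte negotiated MSS are assumptions of the example.

```python
"""TCP MSS under path MTU discovery as the text describes it (RFC 1191 rules).

Added example, not HP code. The PathMtuState record, the 20-byte IP and TCP
headers used to convert between MTU and MSS, and the negotiated MSS used in
the demonstration are assumptions of the example.
"""
from dataclasses import dataclass

IP_HEADER = 20
TCP_HEADER = 20
MIN_MSS = 32                                   # minimum TCP MSS the text gives
MIN_MTU = MIN_MSS + IP_HEADER + TCP_HEADER     # 72 bytes, as the text states

# MTU plateau table from the NOTE above (RFC 1191, section 7.1), ascending.
PLATEAUS = (68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, 65535)


def mss_for_mtu(mtu: int) -> int:
    """MSS = path MTU - IP header length - TCP header length, never below MIN_MSS."""
    return max(MIN_MSS, mtu - IP_HEADER - TCP_HEADER)


def next_smaller_plateau(current_mtu: int) -> int:
    """Largest table entry strictly below current_mtu, clamped to MIN_MTU.
    Used when the ICMP message reports a next-hop MTU of 0 (router without RFC 1191)."""
    smaller = [p for p in PLATEAUS if p < current_mtu]
    return max(smaller[-1] if smaller else PLATEAUS[0], MIN_MTU)


def next_larger_plateau(current_mtu: int, ceiling: int) -> int:
    """Smallest table entry above current_mtu, capped at ceiling (the MTU that
    corresponds to the MSS negotiated in the three-way handshake)."""
    for p in PLATEAUS:
        if p > current_mtu:
            return min(p, ceiling)
    return ceiling


@dataclass
class PathMtuState:
    negotiated_mss: int          # MSS agreed during the three-way handshake
    path_mtu: int = 0            # set from negotiated_mss in __post_init__
    aging_active: bool = False   # age timer running after an ICMP-driven reduction

    def __post_init__(self) -> None:
        self.ceiling_mtu = self.negotiated_mss + IP_HEADER + TCP_HEADER
        self.path_mtu = self.ceiling_mtu

    @property
    def mss(self) -> int:
        """MSS used for the next segments of this connection."""
        return min(self.negotiated_mss, mss_for_mtu(self.path_mtu))

    def on_icmp_frag_needed(self, next_hop_mtu: int) -> int:
        """Apply an ICMP 'fragmentation needed and DF set' message (type 3, code 4).
        Returns the new path MTU."""
        if next_hop_mtu == 0:
            new_mtu = next_smaller_plateau(self.path_mtu)
        else:
            new_mtu = max(MIN_MTU, min(next_hop_mtu, self.path_mtu))
        self.path_mtu = new_mtu
        self.aging_active = True
        return new_mtu

    def on_age_timer_expired(self) -> int:
        """No ICMP error within the aging interval: try the next larger MTU,
        until the MSS is back at the negotiated value. Returns the new path MTU."""
        if self.path_mtu < self.ceiling_mtu:
            self.path_mtu = next_larger_plateau(self.path_mtu, self.ceiling_mtu)
        if self.path_mtu >= self.ceiling_mtu:
            self.aging_active = False
        return self.path_mtu
```

Each probe step that the age timer triggers is a segment sent with DF set at the larger size; if a router on the path still cannot forward it, the next ICMP message lowers the path MTU again and restarts the timer, which is the loop the bullets above describe. Note that the whole mechanism depends on every router on the path being allowed to send the ICMP message, which is why the CAUTION requires ip unreachables enable on all of them.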
To enable TCP path MTU discovery:
Step                                  Command                                                Remarks
202. Enter system view.               system-view                                            N/A
203. Enable TCP path MTU discovery.   tcp path-mtu-discovery [ aging minutes | no-aging ]    Disabled by default.
Configuring the TCP send/receive buffer size
Step                                                      Command                   Remarks
204. Enter system view.                                   system-view               N/A
205. Configure the size of the TCP receive/send buffer.   tcp window window-size    Optional. 8 KB by default.
Configuring TCP timers
You can configure the following TCP timers:
•
synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is
received within the synwait timer interval, the TCP connection cannot be created.
•
finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is
started.
{ If no FIN packet is received within the timer interval, the TCP connection is terminated. If a FIN packet is received, the TCP connection state changes to TIME_WAIT.
{ If a non-FIN packet is received, the system restarts the timer upon receiving the last non-FIN packet. The connection is broken after the timer expires.
The actual finwait timer is determined by the following formula:
Actual finwait timer = (Configured finwait timer – 75) + configured synwait timer
To configure TCP timers:
Step                         Command                                                                Remarks
206. Enter system view.      system-view                                                            N/A
207. Configure TCP timers.   • Configure the TCP synwait timer: tcp timer syn-timeout time-value    Optional. By default, the TCP synwait timer is 75 seconds and the TCP finwait timer is 675 seconds.
                             • Configure the TCP finwait timer: tcp timer fin-timeout time-value
Configuring ICMP to send error packets
Sending error packets is a major function of ICMP. Error packets are usually sent by the network or
transport layer protocols to notify the source device of network failures or errors.
Advantages of sending ICMP error packets
ICMP error packets include redirect, timeout, and destination unreachable packets.
•
ICMP redirect packets
A host might have only a default route to the default gateway in its routing table after startup. If the
following conditions are met, the default gateway sends ICMP redirect packets to the source host,
telling it to reselect a correct next hop to send the subsequent packets:
{ The receiving and forwarding interfaces are the same.
{ The selected route has not been created or modified by an ICMP redirect packet.
{ The selected route is not the default route of the device.
{ There is no source route option in the packet.
The ICMP redirect packets function simplifies host administration and enables a host to gradually
optimize the routing table.
•
ICMP timeout packets
If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP
timeout packet to the source.
The device sends an ICMP timeout packet under the following conditions:
{ If the device finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a "TTL timeout" ICMP error message.
{ When the device receives the first fragment of an IP datagram whose destination is the device itself, it starts a timer. If the timer times out before all the fragments of the datagram are received, the device sends a "reassembly timeout" ICMP error packet.
•
ICMP destination unreachable packets
If the device receives an IP packet with the destination unreachable, it drops the packet and sends
an ICMP destination unreachable error packet to the source.
Conditions for sending an ICMP destination unreachable packet:
{ If neither a route nor the default route for forwarding a packet is available, the device sends a "network unreachable" ICMP error packet.
{ If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the device sends a "protocol unreachable" ICMP error packet to the source.
{ When receiving a packet with the destination being local and the transport layer protocol being UDP, if the packet's port number does not match a running process, the device sends the source a "port unreachable" ICMP error packet.
{ If the source uses "strict source routing" to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device sends the source a "source routing failure" ICMP error packet.
{ When forwarding a packet, if the MTU of the sending interface is smaller than the packet, but the packet has been set as "Don't Fragment," the device sends the source a "fragmentation needed and Don't Fragment (DF)-set" ICMP error packet.
Disadvantages of sending ICMP error packets
Sending ICMP error packets facilitates network control and management, but it has the following
disadvantages:
•
Sending a lot of ICMP packets increases network traffic.
•
A device's performance degrades if it receives a lot of malicious packets that cause it to respond
with ICMP error packets.
•
A host's performance degrades if the redirection function increases the size of its routing table.
•
End users are affected if malicious users send ICMP destination unreachable packets.
To prevent such problems, disable the device from sending ICMP error packets.
Configuration procedure
To enable sending ICMP error packets:
Step                                       Command                                                                      Remarks
208. Enter system view.                    system-view                                                                  N/A
209. Enable sending ICMP error packets.    • Enable sending ICMP redirect packets: ip redirects enable                  Disabled by default.
                                           • Enable sending ICMP timeout packets: ip ttl-expires enable                 When sending ICMP timeout packets is disabled, the device does not send "TTL timeout" ICMP error packets. However, "reassembly timeout" error packets are sent correctly.
                                           • Enable sending ICMP destination unreachable packets: ip unreachables enable
Enabling support for ICMP extensions
ICMP messages are of a fixed format and cannot carry extension information. With support for ICMP
extensions enabled, a device appends an extension information field to the ICMP messages as needed.
The device can append only MPLS label information to ICMP messages.
ICMP extensions for MPLS
In MPLS networks, when a packet's TTL expires, MPLS strips the MPLS header, encapsulates the
remaining datagram into an ICMP time exceeded message, and sends the message to the egress router
of the MPLS tunnel. Then the egress router sends the message back to the ingress router of the tunnel. The
ICMP message, however, does not contain the label information that is very important to the ingress
router. With support for ICMP extensions enabled, the device appends the MPLS label to the ICMP time
exceeded message before sending it back to the ingress router of the tunnel.
ICMP extensions are usually used for an enhanced traceroute implementation in MPLS networks, in
which MPLS label information about each hop the original datagram arrives at is printed.
Handling ICMP messages
ICMP messages can be classified into the following types:
•
Common ICMP messages—Without any extension information.
•
Extended ICMP messages with a length field—Carry extension information and a length field. The
length field indicates the length of the original datagram that is encapsulated within the ICMP
header and excludes the ICMP extension length. Such an ICMP message complies with RFC 4884.
•
Extended ICMP messages without a length field—Carry extension information but does not contain
a length field. Such an ICMP message does not comply with RFC 4884.
Based on how these messages are handled, the device can work in one of these modes: common mode,
compliant mode, and non-compliant mode. Table 5 shows how ICMP messages are handled in different
working modes.
Table 5 Handling ICMP messages
Device mode          ICMP messages sent                                                   ICMP messages received                                               Remarks
Common mode          Common ICMP messages                                                 Common ICMP messages                                                 Extension information in extended ICMP messages is not processed.
Compliant mode       Common ICMP messages; extended ICMP messages with a length field     Common ICMP messages; extended ICMP messages with a length field     Extended ICMP messages without a length field are handled as common ICMP messages.
Non-compliant mode   Common ICMP messages; extended ICMP messages without a length field  All three types of ICMP messages                                     N/A
NOTE:
ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages,
IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.
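To make Table 5 concrete, the following Python code, added here and not part of the HP guide, builds an ICMPv4 Time Exceeded message with an RFC 4884 extension carrying an MPLS label stack object (RFC 4950) and parses it under each of the three working modes: common mode ignores the extension, compliant mode locates it through the length field, and non-compliant mode additionally accepts a message that has no length field by assuming a 128-octet original datagram. The wire formats follow the RFCs; the 128-octet legacy convention, the sample datagram, the labels and the function names are assumptions for illustration.

```python
"""ICMPv4 Time Exceeded messages with an RFC 4884 extension carrying an MPLS
label stack object (RFC 4950), built and parsed in the three working modes of
Table 5: common (no extensions), compliant (length field set) and
non-compliant (extension present, length field 0).

Added example, not HP code. Wire formats follow RFC 4884/4950; the
non-compliant convention modelled here (extension starting after a
128-octet original datagram, length field 0) and the sample data are
assumptions for illustration.
"""
import struct

ICMP_TIME_EXCEEDED = 11
EXT_VERSION = 2
MPLS_CLASS, MPLS_CTYPE = 1, 1      # MPLS label stack object (RFC 4950)
LEGACY_ORIG_LEN = 128              # original datagram length assumed without a length field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum; returns 0 when data (with its
    checksum field filled in) verifies."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mpls_extension(labels) -> bytes:
    """Extension header (version 2, checksum) + one MPLS label stack object.

    labels: iterable of (label, exp, bottom_of_stack, ttl) tuples."""
    entries = b"".join(struct.pack("!I", (lab << 12) | (exp << 9) | (bos << 8) | ttl)
                       for lab, exp, bos, ttl in labels)
    obj = struct.pack("!HBB", 4 + len(entries), MPLS_CLASS, MPLS_CTYPE) + entries
    header = struct.pack("!HH", EXT_VERSION << 12, 0) + obj
    return struct.pack("!HH", EXT_VERSION << 12, inet_checksum(header)) + obj


def build_time_exceeded(original: bytes, labels, mode: str) -> bytes:
    """Build the message a device in the given mode would send."""
    if mode == "common" or not labels:
        body, length_words = original, 0
    else:
        # RFC 4884: original datagram padded to 128 octets before the extension.
        body = original[:LEGACY_ORIG_LEN].ljust(LEGACY_ORIG_LEN, b"\0")
        length_words = LEGACY_ORIG_LEN // 4 if mode == "compliant" else 0
        body += build_mpls_extension(labels)
    header = struct.pack("!BBHBBH", ICMP_TIME_EXCEEDED, 0, 0, 0, length_words, 0)
    csum = inet_checksum(header + body)
    return struct.pack("!BBHBBH", ICMP_TIME_EXCEEDED, 0, csum, 0, length_words, 0) + body


def parse_time_exceeded(msg: bytes, mode: str) -> dict:
    """Parse a received message in the given mode.

    Returns {"original": datagram bytes, "labels": [(label, exp, bos, ttl)], "extended": bool}.
    A message whose extension cannot be located or verified is handled as a common message."""
    if len(msg) < 8 or msg[0] != ICMP_TIME_EXCEEDED:
        raise ValueError("not an ICMPv4 Time Exceeded message")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    length_words, body = msg[5], msg[8:]
    result = {"original": body, "labels": [], "extended": False}
    if mode == "common":
        return result                                  # extension information is not processed
    if length_words:
        offset = length_words * 4                      # RFC 4884: length field locates the extension
    elif mode == "non-compliant" and len(body) > LEGACY_ORIG_LEN:
        offset = LEGACY_ORIG_LEN                       # legacy placement, no length field
    else:
        return result                                  # compliant mode, length 0: common message
    ext = body[offset:]
    if len(ext) < 4 or ext[0] >> 4 != EXT_VERSION or inet_checksum(ext) != 0:
        return result                                  # not a valid extension: treat as common
    result["original"], result["extended"] = body[:offset], True
    pos = 4
    while pos + 4 <= len(ext):
        obj_len, class_num, c_type = struct.unpack("!HBB", ext[pos:pos + 4])
        if obj_len < 4 or pos + obj_len > len(ext):
            break                                      # truncated or malformed object: stop
        payload = ext[pos + 4:pos + obj_len]
        if (class_num, c_type) == (MPLS_CLASS, MPLS_CTYPE) and len(payload) % 4 == 0:
            for (entry,) in struct.iter_unpack("!I", payload):
                result["labels"].append((entry >> 12, (entry >> 9) & 7, (entry >> 8) & 1, entry & 0xFF))
        pos += obj_len
    return result
```

The parser validates both checksums and the extension version before trusting anything after the original datagram, and stops at the first malformed object; a receiver that skipped those checks would happily interpret trailing bytes of a long original datagram as label stack entries in non-compliant mode.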
Configuration procedure
To enable support for ICMP extensions:
Step                                        Command                                                      Remarks
210. Enter system view.                     system-view                                                  N/A
211. Enable support for ICMP extensions.    • In compliant mode: ip icmp-extensions compliant            Optional. Disabled by default.
                                            • In non-compliant mode: ip icmp-extensions non-compliant
After support for ICMP extensions is disabled, no ICMP message sent by the device contains extension
information.
Configuring IP virtual fragment reassembly
To prevent each service module (such as IPsec, NAT and firewall) from processing packet fragments that
do not arrive in order, you can enable the IP virtual fragment reassembly feature, which can virtually
reassemble the fragments of a datagram through fragment check, sequencing and caching, ensuring
fragments arrive at each service module in order.
The IP virtual fragment reassembly feature can detect the following types of fragment attacks, and discard
the attack fragments for security:
•
Tiny fragment attack—If the first fragment of an incoming datagram is very small and the Layer 4
(such as TCP and UDP) header is placed into the second fragment, the datagram is considered a
tiny fragment attack.
•
Overlapping fragment attack—If two consecutive incoming fragments are identical or overlap
each other, they are considered an overlapping fragment attack.
•
Fragment-flood attack—If the number of concurrent reassemblies or the number of fragments per
datagram exceeds the upper limits, the reassemblies or fragments are considered a fragment-flood
attack.
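The three attack patterns above can be checked with the following Python model, added here as an example rather than taken from the HP guide: it tracks fragments per (source, destination, identification, protocol), rejects a first fragment too short to carry the transport header, rejects fragments whose octet range overlaps a cached one, and enforces the per-datagram fragment limit, concurrent-reassembly limit and timeout that the ip virtual-reassembly keywords expose. The fragment record, the minimum header sizes (TCP 20, UDP 8, otherwise 8 octets), the default limits and the decision to discard a datagram's cached state when an attack is detected are assumptions of the model.

```python
"""Virtual fragment reassembly checks: the tiny-fragment, overlapping-fragment
and fragment-flood detection the text describes, with the per-datagram
fragment limit, concurrent-reassembly limit and timeout that the
ip virtual-reassembly command parameterises.

Added example, not HP code. The fragment record, the minimum transport
header sizes, the default limits and the choice to discard the whole
datagram's state on an attack are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_L4_HEADER = {6: 20, 17: 8}    # TCP, UDP; anything else needs at least 8 octets


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # IP Identification field
    proto: int        # IP protocol number
    offset: int       # fragment offset in octets
    length: int       # payload octets carried by this fragment
    more: bool        # MF flag
    ts: float         # arrival time in seconds

    @property
    def key(self) -> tuple:
        return (self.src, self.dst, self.ident, self.proto)


@dataclass
class Reassembly:
    first_seen: float
    ranges: List[Tuple[int, int]] = field(default_factory=list)   # [start, end) per fragment
    total: Optional[int] = None                                   # known once the MF=0 fragment arrives


class VirtualReassembler:
    def __init__(self, max_fragments: int = 32, max_reassemblies: int = 16, timeout: float = 3.0):
        self.max_fragments = max_fragments
        self.max_reassemblies = max_reassemblies
        self.timeout = timeout
        self.table: Dict[tuple, Reassembly] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, r in self.table.items() if now - r.first_seen > self.timeout]
        for k in stale:
            del self.table[k]

    def accept(self, frag: Fragment) -> str:
        """Check one incoming fragment; returns 'ok', 'complete' or 'drop:<reason>'."""
        self._expire(frag.ts)
        # Tiny fragment: first fragment too short to hold the transport header,
        # so the header (and any port-based filter decision) lands in fragment 2.
        if frag.offset == 0 and frag.more and frag.length < MIN_L4_HEADER.get(frag.proto, 8):
            return "drop:tiny-fragment"
        entry = self.table.get(frag.key)
        if entry is None:
            if len(self.table) >= self.max_reassemblies:
                return "drop:fragment-flood(reassemblies)"
            entry = self.table[frag.key] = Reassembly(first_seen=frag.ts)
        if len(entry.ranges) >= self.max_fragments:
            del self.table[frag.key]
            return "drop:fragment-flood(fragments)"
        start, end = frag.offset, frag.offset + frag.length
        for s, e in entry.ranges:
            if start < e and s < end:            # identical or partially overlapping range
                del self.table[frag.key]
                return "drop:overlapping-fragment"
        entry.ranges.append((start, end))
        if not frag.more:
            entry.total = end
        if self._complete(entry):
            del self.table[frag.key]
            return "complete"
        return "ok"

    @staticmethod
    def _complete(entry: Reassembly) -> bool:
        """All octets from 0 to the end of the MF=0 fragment are present."""
        if entry.total is None:
            return False
        pos = 0
        for s, e in sorted(entry.ranges):
            if s != pos:
                return False
            pos = e
        return pos == entry.total
```

The overlap test is deliberately strict: any intersection of octet ranges is rejected, because a later fragment that rewrites octets already seen is exactly how a filter that inspected the first fragment gets bypassed. The second guideline below (all fragments must arrive on one interface) follows from the model as well: the cache is keyed per interface in the real feature, so fragments split across interfaces never meet.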
Configuration guidelines
•
The IP virtual fragment reassembly feature only applies to incoming packets on an interface.
•
The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP
datagram cannot arrive through different interfaces.
Configuration procedure
To configure IP virtual fragment reassembly:
Step                                          Command                                                                                                           Remarks
212. Enter system view.                       system-view                                                                                                       N/A
213. Enter interface view.                    interface interface-type interface-number                                                                         N/A
214. Enable IP virtual fragment reassembly.   ip virtual-reassembly [ drop-fragments | max-fragments number | max-reassemblies number | timeout seconds ] *     By default, the feature is disabled.
Configuration example
Network requirements
As shown in Figure 51, configure devices as follows:
• Router A connects to Host and Router B.
• NAT is enabled on Ethernet 1/2 of Router A.
• Configure IP virtual fragment reassembly on Ethernet 1/2 of Router A.
Figure 51 Network diagram
Configuration procedure
1. Configure the host:
# Configure a route so that the Host, Router A, and Router B can communicate with each other.
(Details not shown.)
2. Configure Router A:
# Configure NAT and IP virtual fragment reassembly.
<RouterA> system-view
[RouterA] nat static 10.1.1.1 11.2.2.3
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] nat outbound static
[RouterA-Ethernet1/2] ip virtual-reassembly
With the IP virtual fragment reassembly feature, Router A checks, sequences, and caches
fragments that do not arrive in order at Ethernet 1/2. You can use the display ip
virtual-reassembly command to view related information.
Displaying and maintaining IP performance optimization
Task: Display TCP connection statistics.
  Command: display tcp statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display UDP statistics.
  Command: display udp statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display statistics of IP packets.
  Command: display ip statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display ICMP statistics.
  Command: display icmp statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display socket information.
  Command: display ip socket [ socktype sock-type ] [ task-id socket-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about IP virtual fragment reassembly on the interfaces.
  Command: display ip virtual-reassembly [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear statistics of IP packets.
  Command: reset ip statistics
  Remarks: Available in user view.
Task: Clear statistics of TCP connections.
  Command: reset tcp statistics
  Remarks: Available in user view.
Task: Clear statistics of UDP traffic.
  Command: reset udp statistics
  Remarks: Available in user view.
Configuring NAT
Overview
Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to
another IP address. NAT enables a large number of private users to access the Internet by using a small
number of public IP addresses. NAT effectively alleviates the depletion of IP addresses.
A private IP address is used only in an internal network, whereas a public or external IP address is used
on the Internet and is globally unique.
According to RFC 1918, three blocks of IP addresses are reserved for private networks:
• In Class A, 10.0.0.0 to 10.255.255.255.
• In Class B, 172.16.0.0 to 172.31.255.255.
• In Class C, 192.168.0.0 to 192.168.255.255.
No host with an IP address in the three ranges exists on the Internet. You can use those IP addresses in
an enterprise network freely without requesting them from an ISP or a registration center.
In addition to translating private addresses to public addresses, NAT can also perform address
translation between any two networks. In this document, the two networks refer to an internal network
and an external network. Typically, a private network is an internal network, and a public network is an
external network.
Figure 52 shows the NAT operation.
Figure 52 NAT operation
[Figure 52: the host (192.168.1.3) on the intranet reaches the server (1.1.1.2) on the Internet through the NAT device (192.168.1.1 on the intranet side, 20.1.1.1 on the Internet side). Outbound, before NAT: Src 192.168.1.3, Dst 1.1.1.2; after NAT: Src 20.1.1.1, Dst 1.1.1.2. Return, before NAT: Src 1.1.1.2, Dst 20.1.1.1; after NAT: Src 1.1.1.2, Dst 192.168.1.3.]
1. The internal host with IP address 192.168.1.3 sends an IP packet to the external server with IP
address 1.1.1.2 through the NAT device.
2. Upon receiving the packet, the NAT device checks the IP header and finds that it is destined to the
external network. The NAT device then translates the private address 192.168.1.3 to the globally
unique public address 20.1.1.1 and forwards the packet to the server on the external network.
Meanwhile, the NAT device adds the mapping of the two addresses into its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is
20.1.1.1. Upon receiving the packet, the NAT device checks the IP header, looks into its NAT
table for the mapping, replaces the destination address with the private address of 192.168.1.3,
and then sends the new packet to the internal host.
The NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT
hides the private network from the external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT also has the following disadvantages:
• Because NAT involves translation of IP addresses, the IP headers cannot be encrypted. This is also
true of application protocol packets when the contained IP address or port number needs to be
translated. For example, if you encrypt an FTP connection, its PORT command cannot work
correctly.
• Network debugging becomes more difficult. For example, when a host in a private network tries to
attack other networks, it is harder to pinpoint the attacking host because the host IP address has
been hidden.
NAT control
Typically, an enterprise allows some hosts in the internal network to access external networks and
prohibits others. The enterprise can achieve this through the NAT control mechanism. If a source IP
address is among addresses denied, the NAT device does not translate the address. In addition, the NAT
device only translates private addresses to specified public addresses.
You can achieve NAT control through an ACL and an address pool.
• Only packets matching the ACL rules are served by NAT.
• An address pool is a collection of consecutive public IP addresses for address translation. You can
specify an address pool based on the number of available public IP addresses, the number of
internal hosts, and network requirements. The NAT device selects an address from the address pool
as the public address of an IP packet.
NAT operation
Basic NAT
As shown in Figure 52, when an internal host accesses an external network, the NAT device uses a public
IP address to replace the private source IP address. In Figure 52, NAT uses the IP address of the outgoing
interface as the public IP address. All internal hosts use the same public IP address to access external
networks and only one host can access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, the NAT device
chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its
NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks
simultaneously.
The number of public IP addresses that a NAT device needs is usually far less than the number of internal
hosts because not all internal hosts access external networks at the same time. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.
NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses
to be mapped to the same public IP address, which is called multiple-to-one NAT.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple
internal hosts are mapped to the same external IP address with different port numbers.
Figure 53 NAPT operation
[Figure 53: Host A (192.168.1.2) and Host B (192.168.1.3) on the intranet reach the server (1.1.1.2) on the Internet through the NAT device (192.168.1.1 on the intranet side, 20.1.1.1 on the Internet side). Outbound mappings, before NAT and after NAT: Packet 1, Src 192.168.1.2:1111 becomes Src 20.1.1.1:1001; Packet 2, Src 192.168.1.2:2222 becomes Src 20.1.1.1:1002; Packet 3, Src 192.168.1.3:1111 becomes Src 20.1.1.1:1003.]
As shown in Figure 53, three IP packets arrive at the NAT device. Packets 1 and 2 are from the same
internal address but have different source port numbers. Packets 1 and 3 are from different internal
addresses but have the same source port number. NAPT maps the three IP packets to the same external
address but with different source port numbers. Therefore, the packets can still be differentiated. When
receiving the response packets, the NAT device forwards them to the corresponding hosts according to
the destination addresses and port numbers.
NAPT improves utilization of IP address resources, enabling more internal hosts to access the external
network at the same time.
NAPT supports the following NAT mapping behavior modes:
• Endpoint-Independent Mapping—The NAT device uses entries, each of which includes the source
IP address, source port number, and protocol type, to translate addresses and filter packets. The
same NAPT mapping applies to packets sent from the same internal IP address and port to any
external IP address and port. The NAT device also allows external hosts to access the internal
network by using the translated external addresses and port numbers. This mode facilitates
communication among hosts that connect to different NAT devices.
• Address and Port-Dependent Mapping—The NAT device uses entries, each including the source IP
address, source port number, protocol type, destination IP address, and destination port number, to
translate addresses and filter packets. For packets with the same source address and source port
number but different destination addresses and destination port numbers, different NAPT mappings
apply, so that the source address and port number are mapped to the same external IP address but
different port numbers. The NAT device allows only the hosts on the corresponding external
networks where these destination addresses reside to access the internal network. This mode is
secure but inconvenient for communication among hosts that connect to different NAT devices.
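The NAPT translation of Figure 53 and the two mapping behavior modes just described, as an added Python model that is not device code: the entry key decides whether a second destination reuses the external port, and the inbound check decides which external hosts may reach a mapping. The external address 20.1.1.1 and port 1001 match Figure 53; the sequential port allocation and the recorded peer set used for filtering are assumptions.

```python
"""NAPT table model with both mapping behavior modes (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "20.1.1.1"   # translated source address, as in Figure 53


@dataclass
class NaptTable:
    mode: str                # "endpoint-independent" or "address-port-dependent"
    next_port: int = 1001    # assumption: first external port handed out
    mappings: Dict[tuple, int] = field(default_factory=dict)
    # external port -> (internal ip, internal port, proto, peers contacted)
    reverse: Dict[int, tuple] = field(default_factory=dict)

    def _key(self, src_ip, src_port, proto, dst_ip, dst_port) -> tuple:
        """Entry key: the destination is part of it only in the dependent mode."""
        if self.mode == "endpoint-independent":
            return (src_ip, src_port, proto)
        return (src_ip, src_port, proto, dst_ip, dst_port)

    def outbound(self, src_ip: str, src_port: int, proto: str,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Translate an outbound packet's source; create the entry if needed."""
        key = self._key(src_ip, src_port, proto, dst_ip, dst_port)
        if key not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.reverse[port] = (src_ip, src_port, proto, set())
        port = self.mappings[key]
        self.reverse[port][3].add((dst_ip, dst_port))   # remember the peer
        return EXTERNAL_IP, port

    def inbound(self, ext_src_ip: str, ext_src_port: int, proto: str,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate an inbound packet's destination, or None if it is filtered."""
        entry = self.reverse.get(dst_port)
        if entry is None or entry[2] != proto:
            return None
        in_ip, in_port, _, peers = entry
        if self.mode == "address-port-dependent" and (ext_src_ip, ext_src_port) not in peers:
            return None   # only the external endpoints already contacted may reply
        return in_ip, in_port


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-port-dependent"):
        t = NaptTable(mode)
        print(mode, t.outbound("192.168.1.2", 1111, "tcp", "1.1.1.2", 80),
              t.outbound("192.168.1.2", 1111, "tcp", "5.5.5.5", 443),
              t.inbound("9.9.9.9", 4444, "tcp", 1001))
```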
Internal server
NAT hides the internal network structure, including the identities of internal hosts. However, some internal
hosts such as an internal Web server or FTP server might need to be accessed by external hosts. NAT
meets this need by supporting internal servers.
You can configure an internal server on the NAT device by mapping a public IP address and port number
to the private IP address and port number of the internal server. For instance, you can configure an
address like 20.1.1.12:8080 as an internal Web server's external address and port number.
In Figure 54, when the NAT device receives a packet destined for the public IP address of an internal
server, it looks in the NAT entries and translates the destination address and port number in the packet
to the private IP address and port number of the internal server. When the NAT device receives a
response packet from the internal server, it translates the source private IP address and port number of the
packet into the public IP address and port number of the internal server.
Figure 54 Internal server operation
[Figure 54: the internal server (192.168.1.3) on the intranet is reached by the host (1.1.1.2) on the Internet through the NAT device (192.168.1.1 on the intranet side, 20.1.1.1 on the Internet side). Inbound, before NAT: Dst 20.1.1.1:8080; after NAT: Dst 192.168.1.3:8080. The response, Src 192.168.1.3:8080, becomes Src 20.1.1.1:8080.]
DNS mapping
Typically, the DNS server and users that need to access internal servers reside on the public network. You
can specify an external IP address and a port number for an internal server on the public network
interface of a NAT device, so that external users can access the internal server using its domain name or
public IP address. In Figure 55, an internal host wants to access an internal Web server by using its
domain name, when the DNS server is located on the public network. Typically, the DNS server replies
with the public address of the internal server to the host and thus the host cannot access the internal server.
The DNS mapping feature can solve the problem.
Figure 55 Operation of NAT DNS mapping
A DNS mapping entry records the domain name, public address, public port number, and protocol type
of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name
in the message against the DNS mapping entries. If a match is found, the private address of the internal
server is found and the interface replaces the public IP address in the reply with the private IP address.
Then, the host can use the private address to access the internal server.
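The DNS reply rewrite described above, as an added Python example that is not device code: a reply's A record is replaced with the internal server's private address when the queried name has a DNS mapping entry whose public address, port, and protocol correspond to an internal server entry. The server mapping 20.1.1.1:8080 to 192.168.1.3:8080 follows Figure 54; the domain name, the table layout, and the minimal DNS wire handling (A-record replies only) are assumptions.

```python
"""NAT DNS mapping applied to a DNS A-record reply (constructed example)."""
import socket
import struct
from typing import Dict, Tuple

# Constructed tables modelled on these entries (values from Figure 54, name assumed):
#   nat server protocol tcp global 20.1.1.1 8080 inside 192.168.1.3 8080
#   nat dns-map domain www.example.com protocol tcp ip 20.1.1.1 port 8080
INTERNAL_SERVERS: Dict[Tuple[str, str, int], str] = {
    ("tcp", "20.1.1.1", 8080): "192.168.1.3",
}
DNS_MAP: Dict[str, Tuple[str, str, int]] = {
    "www.example.com": ("tcp", "20.1.1.1", 8080),
}


def _read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Return (name, position after the name); follows compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                # pointer to an earlier name
            if not jumped:
                end = pos + 2
            jumped = True
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def rewrite_dns_reply(msg: bytes) -> bytes:
    """Replace the public address in matching A answers with the private one."""
    out = bytearray(msg)
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                       # only replies are rewritten
        return msg
    pos = 12
    for _ in range(qd):
        _, pos = _read_name(msg, pos)
        pos += 4                                 # QTYPE + QCLASS
    for _ in range(an):
        name, pos = _read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:            # A record
            public_ip = socket.inet_ntoa(msg[pos:pos + 4])
            entry = DNS_MAP.get(name.lower())
            if entry and entry[1] == public_ip:
                private_ip = INTERNAL_SERVERS.get(entry)
                if private_ip:
                    out[pos:pos + 4] = socket.inet_aton(private_ip)
        pos += rdlen
    return bytes(out)


def build_a_reply(qname: str, ip: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS reply carrying one A record for qname."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA set
    question = name + struct.pack("!HH", 1, 1)                  # A, IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def answer_ip(msg: bytes) -> str:
    """Return the address in the first A answer (for checking results)."""
    pos = 12
    _, pos = _read_name(msg, pos)
    pos += 4
    _, pos = _read_name(msg, pos)
    rdlen = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
    return socket.inet_ntoa(msg[pos + 10:pos + 10 + rdlen])


if __name__ == "__main__":
    reply = build_a_reply("www.example.com", "20.1.1.1")
    print(answer_ip(reply), "->", answer_ip(rewrite_dns_reply(reply)))
```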
Easy IP
Easy IP uses the public IP address of an interface on the device as the translated source address to save
IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.
Support for special protocols
Apart from the basic address translation function, NAT also provides an application layer gateway (ALG)
mechanism that supports some special application protocols without requiring the NAT platform to be
modified. This allows for high scalability. The IP addresses or port numbers contained in such protocol
messages need address translation.
The special protocols that NAT supports include: File Transfer Protocol (FTP), Point-to-Point Tunneling
Protocol (PPTP), Domain Name System (DNS), Internet Locator Service (ILS), H.323, Session Initiation
Protocol (SIP), and NetBIOS over TCP/IP (NBT).
NAT support for MPLS VPNs
NAT allows users from different MPLS VPNs to access external networks through the same outbound
interface, and allows the VPN users to use the same private address space.
1. Upon receiving a request from an MPLS VPN to an external network, NAT replaces the private
source IP address and port number with a public IP address and port number, and records the
MPLS VPN information, such as the protocol type and route distinguisher (RD).
2. When the response packet arrives, NAT replaces the public destination IP address and port
number with the internal IP address and port number, and sends the packet to the target MPLS
VPN.
This feature can also apply to internal servers so that external users can access an internal host of an
MPLS VPN. For example, suppose a host in MPLS VPN 1 needs to provide Web services for the Internet.
It has a private address of 10.110.1.1. To achieve this purpose, configure NAT to use 202.110.10.20 as the
public IP address of the host so that the Internet users can use this IP address to access Web services on
the host.
NAT allows hosts in multiple MPLS VPNs to access each other by using the MPLS VPN information
carried in the external IP address.
NAT configuration task list
Task                                                        Remarks
Configuring address translation:
  Configuring static NAT                                    Either is required.
  Configuring dynamic NAT
Configuring an internal server                              Required.
Configuring DNS mapping                                     Optional.
Configuring NAT aging time                                  Optional.
Configuring NAT ALG                                         Optional.
Configuring NAT logging                                     Optional.
Setting NAT connection limits                               Optional.
Enabling aging out NAT entries upon master link failure     Optional.
If the NAT configuration (address translation or internal server configuration) on an interface is changed,
save the configuration and reboot the device (or use the reset nat session command to manually clear the
relevant NAT entries), to avoid the following problems:
• After you delete the NAT-related configuration, address translation can still work for sessions
already created.
• If you configure NAT when NAT is running, the same configuration might have different results
because of different configuration orders.
Configuring address translation
A NAT device can be configured with, or dynamically generate, mappings to translate between internal
and external network addresses. Address translation can be classified into static and dynamic NAT.
• Static NAT—Mappings between external and internal network addresses are manually configured.
Static NAT can meet fixed access requirements of a few users.
• Dynamic NAT—A dynamic NAT entry is generated dynamically. Dynamic NAT is implemented by
associating an ACL with an address pool (or the address of an interface in the case of Easy IP). This
association defines what packets can use the addresses in the address pool (or the interface's
address) to access the external network. An IP address is selected from the associated address pool
to translate an outgoing packet. After the session terminates, the selected IP address is released.
Dynamic NAT can meet external access requirements of a large number of users.
Both static NAT and dynamic NAT support NAT multiple-instance as long as the VPN instance of an IP
address is provided.
Configuring static NAT
You must configure static NAT in system view, and make it effective in interface view.
Static NAT supports two modes: one-to-one and net-to-net.
Configuring one-to-one static NAT
One-to-one static NAT translates a private IP address into a public IP address.
To configure one-to-one static NAT:
Step 1. Enter system view.
  Command: system-view
Step 2. Configure a one-to-one static NAT mapping.
  Command: nat static [ acl-number ] local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
Step 3. Enter interface view.
  Command: interface interface-type interface-number
Step 4. Enable static NAT on the interface.
  Command: nat outbound static [ track vrrp virtual-router-id ]
Configuring net-to-net static NAT
Net-to-net static NAT translates a private network into a public network.
To configure net-to-net static NAT:
Step 1. Enter system view.
  Command: system-view
Step 2. Configure a net-to-net static NAT mapping.
  Command: nat static [ acl-number ] net-to-net local-start-address local-end-address global global-network { netmask-length | netmask }
Step 3. Enter interface view.
  Command: interface interface-type interface-number
Step 4. Enable static NAT on the interface.
  Command: nat outbound static
Configuring dynamic NAT
Dynamic NAT is usually implemented by associating an ACL with an address pool (or the address of an
interface) on an interface.
• To select the address of an interface as the translated address, use Easy IP.
• To select an address from an address pool as the translated address, use No-PAT or NAPT for
dynamic address translation. No-PAT is used in many-to-many address translation but does not
translate TCP/UDP port numbers. NAPT allows for many-to-one address translation by also
translating TCP/UDP port numbers.
Configuration prerequisites
• Configure an ACL to specify IP addresses permitted to be translated. For more information about
ACL, see ACL and QoS Configuration Guide.
• Determine whether to use an interface's IP address as the translated source address.
• Determine a public IP address pool for address translation.
• Determine whether to translate port information.
Configuring NAT address pools
You can configure NAT address pools in two ways:
• Configure an address pool that consists of a set of consecutive addresses.
• Configure an address group that can contain several members. Each member specifies an address
pool that consists of a set of consecutive addresses. The address pools of members might not be
consecutive.
The NAT device selects an IP address from a specified NAT address pool as the source address of a
packet.
To configure an address pool:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure an address pool.
  Command: nat address-group group-number start-address end-address
  Remarks: Address pools must not overlap.
To configure an address group:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an address group and enter its view.
  Command: nat address-group group-number
  Remarks: N/A
Step 3. Add a member to the address group.
  Command: address start-address end-address
  Remarks: The IP address pools of address group members must not overlap with each other or with other address pools.
Step 4. Configure the port range for the address group.
  Command: port-range port-range-start port-range-end
  Remarks: Optional. By default, the port range is 1 to 65535.
Configuring Easy IP
Easy IP allows the device to use the IP address of one of its interfaces as the source address of NATed
packets.
To configure Easy IP:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter interface view.
  Command: interface interface-type interface-number
Step 3. Enable Easy IP by associating an ACL with the port range.
  Command: nat outbound [ acl-number ] [ port-range port-range-start port-range-end ] [ track vrrp virtual-router-id ]
Configuring No-PAT
With a specific ACL associated with an address pool or interface address, No-PAT translates the source
address of a packet permitted by the ACL into an IP address of the address pool or the interface address,
without using the port information.
To configure No-PAT:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter interface view.
  Command: interface interface-type interface-number
Step 3. Configure No-PAT by associating an ACL with an IP address pool on the outbound interface for translating only IP addresses.
  Command: nat outbound [ acl-number ] address-group group-number [ vpn-instance vpn-instance-name ] no-pat [ reversible ] [ track vrrp virtual-router-id ]
Configuring NAPT
With a specific ACL associated with an address pool or interface address, NAPT translates the source
address of a packet permitted by the ACL into an IP address of the address pool or the interface address,
using the port information.
To configure NAPT:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure NAPT by associating an ACL with an IP address pool on the outbound interface for translating both IP address and port number.
  Command: nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] ] [ track vrrp virtual-router-id ]
  Remarks: N/A
Step 4. Return to system view.
  Command: quit
  Remarks: N/A
Step 5. Configure the NAT mapping behavior mode.
  Command: nat mapping-behavior endpoint-independent [ acl acl-number ]
  Remarks: Optional. Address and Port-Dependent Mapping by default.
Configuring an internal server
To configure an internal server, you need to map an external IP address and port number to the internal
server. This is done by executing the nat server command on an interface.
Internal server configurations include external network information (external IP address global-address
and external port number global-port), internal network information (internal IP address local-address
and internal port number local-port), and internal server protocol type. According to different
internal/external network information configurations, internal servers can be classified into common
internal servers and load sharing internal servers.
Both internal servers and their external IP addresses can support MPLS L3VPN. If an internal server
belongs to an MPLS L3VPN, you also need to specify the vpn-instance-name argument. Without this
argument specified, the internal server does not belong to any VPN.
Configuring a common internal server
After mapping the internal IP address/port number (local-address and local-port) of a common internal
server to an external IP address/port number (global-address and global-port), hosts in external
networks can access the server located in the internal network.
The device supports using the interface address as the external address of an internal server, which is the
Easy IP feature. If you want to specify an interface, the interface must be a loopback interface and must
already exist.
If you configure an internal server using Easy IP but do not configure an IP address for the interface, the
internal server configuration does not take effect.
To configure a common internal server:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure a common internal server.
  Command (use either):
  • nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }
  • nat server protocol pro-type global { global-address | interface interface-type interface-number | current-interface } global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ]
  Remarks: Use either command.
Configuring DNS mapping
With DNS mapping, an internal host can access an internal server on the same private network by using
the domain name of the internal server when the DNS server resides on the public network.
To configure a DNS mapping:
Step 1. Enter system view.
  Command: system-view
Step 2. Configure a DNS mapping.
  Command: nat dns-map domain domain-name protocol pro-type ip global-ip port global-port
Configuring NAT aging time
NAT aging time configuration supports multiple protocols.
To set the NAT aging time:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set NAT aging time for a specified protocol.
  Command: nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } seconds
  Remarks: Optional. The default NAT aging time varies by protocol:
  • 10 seconds for DNS.
  • 300 seconds for FTP control links.
  • 300 seconds for FTP data links.
  • 10 seconds for ICMP.
  • 240 seconds in NO-PAT mode.
  • 300 seconds for PPTP.
  • 300 seconds for TCP.
  • 10 seconds for TCP FIN and RST connections.
  • 10 seconds for TCP SYN connections.
  • 240 seconds for UDP.
Configuring NAT ALG
NAT ALG configuration supports multiple protocols.
To configure NAT ALG:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable NAT ALG.
  Command: nat alg { all | dns | ftp | h323 | ils | nbt | pptp | sip }
  Remarks: Optional. Enabled by default.
Configuring NAT logging
With NAT logging enabled, a NAT device logs IP address translation information such as the source IP
address, source port number, destination IP address, destination port number, translated source IP
address, translated source port number and user operations.
As multiple internal users share the same external IP address or the same range of external IP addresses
when accessing external networks through a NAT device, it is hard to identify each of the users. The NAT
logging function helps in tracking access of internal users to external networks, thus enhancing network
security.
NAT logging logs only access of internal network users to external networks. It does not log access of
external users to internal servers.
Enabling NAT logging
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable NAT logging.
  Command: nat log enable [ acl acl-number ]
  Remarks: Disabled by default.
Step 3. Enable NAT logging.
  Command (use either):
  • Enable logging of NAT session establishment events: nat log flow-begin
  • Enable logging for active NAT sessions and set the logging interval: nat log flow-active minutes
  Remarks: By default, no log is generated when a NAT session is established, and logging for active NAT sessions is disabled.
Exporting NAT logs
NAT logs can be exported to either the information center or the log server:
• To the information center—NAT logs are converted into system logs and exported to the local
device's information center. Depending on the configuration of the information center, NAT logs are
then exported to their final destination. Up to 10 NAT logs can be exported to the information
center at one time.
• To the log server—NAT logs are encapsulated into UDP packets and sent to the log server, as
shown in Figure 56. The output NAT logs can be in several versions, each with a different UDP
packet format. Only version 1 is used. A UDP packet is composed of a header and one or more
NAT logs.
Figure 56 Exporting NAT logs to the NAT log server
[Figure 56: the user's traffic passes through the device generating NAT logs; the device sends the NAT logs across the Internet to the NAT log server.]
If you configure both destinations, the system automatically exports NAT logs to the information center.
Exporting NAT logs to the information center
Exporting NAT logs to the information center consumes storage space of the device. Use this approach
when the volume of NAT logs is relatively small.
NAT logs to the information center are prioritized as informational, meaning that they are ordinary
message information. For more information about NAT log priority, see Network Management and
Monitoring Configuration Guide.
To configure the device to export NAT logs to the information center:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Export NAT logs to the information center.
  Command: userlog nat syslog
  Remarks: NAT logs are exported to the NAT log server by default.
Exporting NAT logs to the log server
For the device to export NAT logs to the log server in UDP packets, you can configure three parameters:
• IP address and UDP port number of the NAT log server. NAT logs cannot be exported successfully
if you do not configure the information center export direction and specify the log server address.
• Source IP address of NAT logs. This address allows the log server to identify the log source. Use the
loopback interface address as the source IP address of NAT logs.
• Version number of NAT logs. NAT logs might come in several versions, each with a different packet
format. The device supports only version 1.
On a distributed device, or on a centralized IRF device in standalone mode, you can specify a separate
log server for each interface card identified by slot slot-number to implement load sharing on log servers.
On a distributed device in IRF mode, you can specify a separate log server for each interface card
identified by chassis chassis-number to implement load sharing on log servers.
To configure the device to export NAT logs to a NAT log server:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify the IP address and UDP port number of the NAT log server.
  Command: userlog nat export host { ipv4-address | ipv6 ipv6-address } udp-port
  Remarks: The IP address of the NAT log server must be a valid IPv4 or IPv6 unicast address. Use a port number greater than 1024 to avoid conflicting with the system-defined port numbers.
Step 3. Specify the source IP address for the UDP packets that carry NAT logs.
  Command: userlog nat export source-ip ip-address
  Remarks: Optional. By default, the source IP address is the IP address of the interface through which the UDP packets are sent.
Step 4. Specify the version number of the NAT log packets.
  Command: userlog nat export version version-number
  Remarks: Optional. Version 1 by default.
Setting NAT connection limits
For more information about NAT connection limits, see Security Configuration Guide.
Enabling aging out NAT entries upon master link
failure
In a link backup environment where NAT is enabled on the master and backup interfaces of a gateway
device, if the master link fails, the backup link switches to the master state. If this feature is enabled on the
gateway, all existing NAT entries on the failed link are aged out immediately, so that new NAT entries
can be created for subsequent packets on the new master link, and thus existing NAT streams can be
directed to the new link immediately.
To enable aging out NAT entries upon master link failure:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable aging out NAT entries upon master link failure.
  Command: nat link-down reset-session enable
  Remarks: Disabled by default.
Displaying and maintaining NAT
IMPORTANT:
Clearing the NAT log buffer implies loss of all NAT logs. In general, HP recommends not using this
command.
Task: Display information about NAT address pools.
  Command: display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the NAT aging time settings for various protocols.
  Command: display nat aging-time [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display all NAT configuration information.
  Command: display nat all [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display NAT configuration information.
  Command: display nat bound [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display DNS mapping configuration information.
  Command: display nat dns-map [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the internal server information.
  Command: display nat server [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display static NAT information.
  Command: display nat static [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display dynamic NAT entries.
  Command: display nat session [ vpn-instance vpn-instance-name ] [ source { global global-address | inside inside-address } ] [ destination dst-address ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display NAT statistics.
  Command: display nat statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display NAT log information.
  Command: display nat log [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the configurations and statistics of output logs.
  Command: display userlog export [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear the records in the NAT log buffer.
  Command: reset userlog nat logbuffer
  Remarks: Available in user view.
Task: Clear the statistics of NAT logs.
  Command: reset userlog nat export
  Remarks: Available in user view.
Task: Clear the address translation table and release the corresponding storage space.
  Command: reset nat session
  Remarks: Available in user view.
NAT configuration examples
One-to-one static NAT configuration example
Network requirements
An internal host 10.110.10.8/24 uses public address 202.38.1.100 to access the Internet.
Figure 57 Network diagram (elements: Host 10.110.10.8/24; Router with GE1/1 10.110.10.1/24 and GE1/2 202.38.1.1/16; Internet; Server)
Configuration procedure
# As shown in Figure 57, configure IP addresses for the interfaces. (Details not shown.)
# Configure a one-to-one static NAT mapping.
<Router> system-view
[Router] nat static 10.110.10.8 202.38.1.100
# Enable static NAT on interface GigabitEthernet 1/2.
[Router] interface gigabitethernet 1/2
[Router-GigabitEthernet1/2] nat outbound static
[Router-GigabitEthernet1/2] quit
Dynamic NAT configuration example 1
Network requirements
As shown in Figure 58, a company has three public IP addresses in the range of 202.38.1.1/24 to
202.38.1.3/24, and an internal network address of 10.110.0.0/16. Specifically, the company has the
following requirements:
• The internal users in subnet 10.110.10.0/24 can access the Internet using public IP addresses 202.38.1.2 and 202.38.1.3, but users in other network segments cannot.
• Configure the upper and lower limits of connections (sourced from 10.110.10.100) limited by destination addresses as 1000 and 200. The number of connections initiated from the internal user to external servers cannot be greater than 1000 or less than 200.
Figure 58 Network diagram
Configuration procedure
# As shown in Figure 58, configure IP addresses for the interfaces. (Details not shown.)
# Configure address pool 1.
<Router> system-view
[Router] nat address-group 1 202.38.1.2 202.38.1.3
# Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access the
Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-basic-2001] rule deny
[Router-acl-basic-2001] quit
# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 1/2, and
implement NAPT.
[Router] interface gigabitethernet 1/2
[Router-GigabitEthernet1/2] nat outbound 2001 address-group 1
[Router-GigabitEthernet1/2] quit
# Configure connection limit policy 1, limiting user connections sourced from 10.110.10.100 by
destination address. Set the upper and lower limits of user connections to 1000 and 200.
[Router] acl number 2002
[Router-acl-basic-2002] rule permit source 10.110.10.100 0.0.0.0
[Router-acl-basic-2002] rule deny
[Router-acl-basic-2002] quit
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 0 acl 2002 per-destination amount 1000 200
[Router-connection-limit-policy-1] quit
# Apply connection limit policy 1 to NAT.
[Router] nat connection-limit-policy 1
Dynamic NAT configuration example 2
Network requirements
As shown in Figure 59, a company has three public IP addresses in the range of 202.38.1.1/24 to
202.38.1.3/24, and a private network segment of 10.110.0.0/16. Specifically, the company requires
that the internal users in subnet 10.110.10.0/24 can access the Internet through NAT.
Figure 59 Network diagram
Configuration procedure
# As shown in Figure 59, configure IP addresses for the interfaces. (Details not shown.)
# Configure address pool 1.
<Router> system-view
[Router] nat address-group 1 202.38.1.2 202.38.1.3
# Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access the
Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-basic-2001] rule deny
[Router-acl-basic-2001] quit
# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 1/2, and
implement NAPT.
[Router] interface gigabitethernet 1/2
[Router-GigabitEthernet1/2] nat outbound 2001 address-group 1
[Router-GigabitEthernet1/2] quit
Common internal server configuration example
Network requirements
As shown in Figure 60, a company provides two Web servers, one FTP server, and one SMTP server for
external users to access. The internal network address is 10.110.0.0/16. The internal address for the FTP
server is 10.110.10.3/16, for Web server 1 is 10.110.10.1/16, for Web server 2 is 10.110.10.2/16, and
for the SMTP server is 10.110.10.4/16. The company has three public IP addresses in the range of
202.38.1.1/24 to 202.38.1.3/24. Specifically, the company has the following requirements:
• External hosts can access internal servers with public address 202.38.1.1/24.
• Port 8080 is used for Web server 2.
Figure 60 Network diagram (elements: Web server 1 10.110.10.1/16; Web server 2 10.110.10.2/16; FTP server 10.110.10.3/16; SMTP server 10.110.10.4/16; Router with GE1/1 10.110.10.10/16 and GE1/2 202.38.1.1/24; Internet; Host)
Configuration procedure
# As shown in Figure 60, configure IP addresses for the interfaces. (Details not shown.)
# Enter interface GigabitEthernet 1/2 view.
<Router> system-view
[Router] interface gigabitethernet 1/2
# Configure the internal FTP server.
[Router-GigabitEthernet1/2] nat server protocol tcp global 202.38.1.1 21 inside 10.110.10.3 ftp
# Configure the internal Web server 1.
[Router-GigabitEthernet1/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 www
# Configure the internal Web server 2.
[Router-GigabitEthernet1/2] nat server protocol tcp global 202.38.1.1 8080 inside 10.110.10.2 www
# Configure the internal SMTP server.
[Router-GigabitEthernet1/2] nat server protocol tcp global 202.38.1.1 smtp inside 10.110.10.4 smtp
[Router-GigabitEthernet1/2] quit
NAT DNS mapping configuration example
Network requirements
As shown in Figure 61, a company provides Web and FTP services to external users, and uses internal IP
network segment 10.110.0.0/16. The IP addresses of the Web and FTP servers are 10.110.10.1/16 and
10.110.10.2/16. The company has three public addresses 202.38.1.1/24 through 202.38.1.3/24. The
DNS server is at 202.38.1.4/24.
• The public IP address 202.38.1.2 is used to provide services to external users.
• External users can use the public address or domain name of internal servers to access them.
• Internal users can access the internal servers by using their domain names.
Figure 61 Network diagram (elements: Web server 10.110.10.1/16; FTP server 10.110.10.2/16; DNS server 202.38.1.4/24; Router with GE1/1 10.110.10.10/16 and GE1/2 202.38.1.1/24; Internet; Host A 10.110.10.3/16; Host B 202.38.1.10/24)
Configuration procedure
# As shown in Figure 61, configure IP addresses for the interfaces. (Details not shown.)
# Enter the view of interface GigabitEthernet 1/2.
<Router> system-view
[Router] interface gigabitethernet 1/2
# Configure the internal Web server.
[Router-GigabitEthernet1/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.1 www
# Configure the internal FTP server.
[Router-GigabitEthernet1/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.2 ftp
[Router-GigabitEthernet1/2] quit
# Configure two DNS mapping entries: map the domain name www.server.com of the Web server to
202.38.1.2, and ftp.server.com of the FTP server to 202.38.1.2.
[Router] nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port www
[Router] nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp
[Router] quit
Verifying the configuration
# After completing the configurations, display the DNS mapping configuration information.
<Router> display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name: www.server.com
Global-IP   : 202.38.1.2
Global-port : 80(www)
Protocol    : 6(TCP)
Domain-name: ftp.server.com
Global-IP   : 202.38.1.2
Global-port : 21(ftp)
Protocol    : 6(TCP)
Host A and Host B can use the domain name www.server.com to access the Web server, and use
ftp.server.com to access the FTP server.
Exporting NAT logs to the information center
Network requirements
As shown in Figure 62, a host in the private network accesses Device B in the public network through
Device A, which is enabled with NAT.
Device A sends NAT logs to the information center in the form of system logs.
You can view the records on the information center to supervise the private network users.
Figure 62 Network diagram
Configuration procedure
The following only lists configurations pertinent to NAT logs. Details of the configurations regarding the
IP addresses of the devices and NAT function are not shown here.
# As shown in Figure 62, configure IP addresses for the interfaces. (Details not shown.)
# Export the NAT logs of Device A to the information center.
<DeviceA> system-view
[DeviceA] userlog nat syslog
# Enable the NAT log function on Device A.
[DeviceA] nat log enable
# View the log buffer to monitor access records.
[DeviceA] quit
<DeviceA> dir
Directory of cf:/

   0  -rw-  16850028  Aug 07 2009 04:02:42   mainpack.bin
   1  drw-         -  Aug 07 2005 05:13:48   logfile
   2  -rw-      1747  Aug 07 2009 04:05:38   vrpcfg.cfg
   3  -rw-    524288  Aug 13 2009 01:27:40   basicbtm.bin
   4  -rw-    524288  Aug 13 2009 01:27:40   extendbtm.bin

249852 KB total (232072 KB free)
File system type of cf: FAT32
<DeviceA> cd logfile
<DeviceA> more logfile.log
……omitted……
%@250005%Jul  7 04:20:04:72 2005 DeviceA USERLOG/7/NAT:
ICMP; 192.168.1.6:768--->1.1.1.1:12288; 2.2.2.2:768;
[2005/07/07 04:20:03-0000/00/00 00:00:00];
Operator 8: Data flow created
%@250006%Jul  7 04:20:10:72 2005 DeviceA USERLOG/7/NAT:
ICMP; 192.168.1.6:768--->1.1.1.1:12288; 2.2.2.2:768;
[2005/07/07 04:20:03-2005/07/07 04:20:09];
Operator 1: Normal over
%@250007%Jul  7 04:20:30:72 2005 DeviceA USERLOG/7/NAT:
ICMP; 192.168.1.6:768--->1.1.1.1:12288; 2.2.2.2:768;
[2005/07/07 04:20:29-0000/00/00 00:00:00];
Operator 8: Data flow created
……omitted……
Besides NAT logs, the log file includes other system logs. Table 6 explains the NAT logs:
Table 6 Description on NAT logs
Field: ICMP
Description: ICMP.
Field: 192.168.1.6:768
Description: Source IP address and port number before translation.
Field: 1.1.1.1:12288
Description: Source IP address and port number after translation.
Field: 2.2.2.2:768
Description: Destination IP address and port number.
Field: 2005/07/07 04:20:03, 2005/07/07 04:20:29
Description: Start time of the NAT session (in this example, the time displayed is the device's system time). When the logs are exported in UDP packets, the UDP packet records the interval in seconds between the current system time and Greenwich time 0 AM, Jan 1st, 1970. The log server, based on its own system time, converts this interval and exports it.
Field: 2005/07/07 04:20:09
Description: End time of the NAT session.
Field: 0000/00/00 00:00:00
Description: 0000/00/00 00:00:00 means that this time is uncertain.
Field: Operator
Description: Reasons for generating NAT logs come from:
• Aged for reset or config-change—Refers to logs generated due to configuration change or manual session deletion.
• Aged for no-pat of NAT—Refers to logs generated when the no-pat session is aged out.
• Active data flow timeout—Refers to logs generated when the duration of NAT session exceeds the active data flow time.
• Data flow created—Refers to logs generated when a NAT session is established.
• Normal over—Refers to logs generated when the session is aged out.
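The parser below is an added example written for the log format shown above; it is not code from HP or from the router. It reads USERLOG/7/NAT records laid out as in the excerpt (with each record body placed on one line after its header, a layout assumed here), decodes the fields Table 6 describes, treats 0000/00/00 00:00:00 as an unknown end time, and folds the created/over records of a flow into sessions so that an operator can answer the question the section raises: which private host was behind a given public address and port at a given moment. The sample records are constructed from the excerpt; only operator codes 8 and 1 appear there, so the other reasons are carried as text only.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample: the three records from the log file excerpt above, each
# record body placed on one line after its header (this parser assumes that layout).
SAMPLE_NAT_LOG = """\
%@250005%Jul  7 04:20:04:72 2005 DeviceA USERLOG/7/NAT:
ICMP; 192.168.1.6:768--->1.1.1.1:12288; 2.2.2.2:768; [2005/07/07 04:20:03-0000/00/00 00:00:00]; Operator 8: Data flow created
%@250006%Jul  7 04:20:10:72 2005 DeviceA USERLOG/7/NAT:
ICMP; 192.168.1.6:768--->1.1.1.1:12288; 2.2.2.2:768; [2005/07/07 04:20:03-2005/07/07 04:20:09]; Operator 1: Normal over
%@250007%Jul  7 04:20:30:72 2005 DeviceA USERLOG/7/NAT:
ICMP; 192.168.1.6:768--->1.1.1.1:12288; 2.2.2.2:768; [2005/07/07 04:20:29-0000/00/00 00:00:00]; Operator 8: Data flow created
"""

UNCERTAIN_TIME = "0000/00/00 00:00:00"   # Table 6: this time is uncertain

HEADER_RE = re.compile(
    r"^%@\d+%\S+\s+\d+ [\d:]+ \d{4} (?P<device>\S+) USERLOG/\d+/NAT:$")
BODY_RE = re.compile(
    r"^(?P<proto>[A-Z]+); (?P<inside>[\d.]+:\d+)--->(?P<global>[\d.]+:\d+); "
    r"(?P<dst>[\d.]+:\d+); \[(?P<start>[\d/]+ [\d:]+)-(?P<end>[\d/]+ [\d:]+)\]; "
    r"Operator (?P<op>\d+): (?P<reason>.+)$")


class NatLogEntry(NamedTuple):
    device: str
    protocol: str
    inside_src: str             # source address:port before translation
    global_src: str             # source address:port after translation
    dst: str                    # destination address:port
    start: Optional[datetime]   # None when the log shows 0000/00/00 00:00:00
    end: Optional[datetime]
    operator: int               # 8 = Data flow created, 1 = Normal over (from the excerpt)
    reason: str


def parse_time(text: str) -> Optional[datetime]:
    return None if text == UNCERTAIN_TIME else datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def parse_nat_log(text: str) -> List[NatLogEntry]:
    """Extract USERLOG/7/NAT records; other system logs in the file are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines):
        head = HEADER_RE.match(lines[i])
        body = BODY_RE.match(lines[i + 1]) if head and i + 1 < len(lines) else None
        if head and body:
            entries.append(NatLogEntry(
                device=head["device"], protocol=body["proto"],
                inside_src=body["inside"], global_src=body["global"], dst=body["dst"],
                start=parse_time(body["start"]), end=parse_time(body["end"]),
                operator=int(body["op"]), reason=body["reason"]))
            i += 2
        else:
            i += 1
    return entries


def build_sessions(entries: List[NatLogEntry]) -> List[NatLogEntry]:
    """Fold records into sessions keyed by flow and start time: the 'Data flow
    created' record opens the session (end None); a later record with the same
    key and a definite end time closes it."""
    sessions = {}
    for e in entries:
        key = (e.protocol, e.inside_src, e.global_src, e.dst, e.start)
        if key not in sessions or e.end is not None:
            sessions[key] = e
    return list(sessions.values())


def lookup_inside(entries: List[NatLogEntry], global_src: str, at: datetime) -> Optional[str]:
    """Which inside address:port was behind global_src at time 'at'? Sessions
    whose end is still uncertain count as active from their start onward."""
    for s in build_sessions(entries):
        if s.global_src != global_src or s.start is None:
            continue
        if s.start <= at and (s.end is None or at <= s.end):
            return s.inside_src
    return None
```

The `build_sessions` step matters for attribution: the first record of a flow always carries an uncertain end time, so without pairing it with its "Normal over" record a lookup at 04:20:20 would wrongly report the session that actually ended at 04:20:09.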
Exporting NAT logs to log server
Network requirements
As shown in Figure 63, a PC in the private network accesses Device B on the public network through
Device A, which is enabled with NAT.
Device A sends NAT logs to the information center in UDP packets.
Figure 63 Network diagram (elements: Host 192.168.1.6/24; Device A; Device B; NAT log server/system log server 3.3.3.7/24; interfaces Loop1 2.2.2.2/24, Eth1/1 1.1.1.1/24, Vlan-int1 192.168.1.5/24, Eth1/2 1.1.1.4/24, Eth1/2, Eth1/3)
Configuration procedure
The following only lists configurations pertinent to NAT logs. Details of the configurations regarding the
IP addresses of the devices and NAT function are not shown.
# As shown in Figure 63, configure IP addresses for the interfaces. (Details not shown.)
# Export the NAT logs of Device A to the NAT log server.
<DeviceA> system-view
[DeviceA] userlog nat export host 3.3.3.7 9021
# Set the source IP address of NAT log packets for Device A to 9.9.9.9.
[DeviceA] userlog nat export source-ip 9.9.9.9
# Enable the NAT log function on Device A.
[DeviceA] nat log enable
You must run XLog on the NAT log server or the system log server to view NAT log information.
Troubleshooting NAT
Symptom 1
Abnormal translation of IP addresses.
Solution
1. Enable debugging for NAT. Try to locate the problem based on the debugging display.
2. Use other commands, if necessary, to further identify the problem. Pay special attention to the source address after the address translation and make sure this address is the address that you intend to change to. If not, there might be an address pool bug.
3. Make sure a route is available between the destination network and the address pool segment.
4. Be aware of the possible effects that the firewall or the ACLs have on NAT, and also pay attention to the route configurations.
Symptom 2
The internal server does not function correctly.
Solution
1. Verify that the internal server host is correctly configured.
2. Verify that the router is correctly configured with respect to the internal server parameters, such as the internal server IP address.
3. Use the display acl command to verify that the firewall permits external access to the internal network. For more information about the firewall, see Security Configuration Guide.
Configuring NAT-PT
Overview
Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation – Protocol
Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For
example, it can enable a host in an IPv6 network to access the FTP server in an IPv4 network.
As shown in Figure 64, NAT-PT runs on the device between IPv4 and IPv6 networks. The address
translation is transparent to both IPv4 and IPv6 networks. Users in the IPv6 and IPv4 networks can
communicate without changing their configurations.
Figure 64 Network diagram
Basic concepts
NAT-PT mechanism
There are three NAT-PT mechanisms to realize translation between IPv4 and IPv6 addresses: static
mapping, dynamic mapping, and NAPT-PT:
• Static mapping: Static mappings are manually configured for translation between IPv6 and IPv4 addresses.
• Dynamic mapping: Dynamic mappings are dynamically generated for translation between IPv6 and IPv4 addresses. Different from static mappings, dynamic mappings are not fixed one-to-one mappings between IPv6 and IPv4 addresses.
• NAPT-PT: Network Address Port Translation – Protocol Translation (NAPT-PT) realizes the TCP/UDP port number translation besides static or dynamic address translation. With NAPT-PT, different IPv6 addresses can correspond to one IPv4 address. Different IPv6 hosts are distinguished by different port numbers so that these IPv6 hosts can share one IPv4 address to accomplish the address translation and save IPv4 addresses.
NAT-PT prefix
The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:
• Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device detects the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device translates source and destination IPv6 addresses of the packet into IPv4 addresses.
• After a packet from an IPv4 host to an IPv6 host is translated through NAT-PT, the prefix of the translated source IPv6 address is the configured NAT-PT prefix.
Implementing NAT-PT
Session initiated by an IPv6 host
Figure 65 NAT-PT implementation (session initiated by an IPv6 host)
NAT-PT works as follows:
1. Determines whether to perform NAT-PT.
Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device detects the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device considers that the packet needs to be forwarded to the IPv4 network and NAT-PT needs to be performed.
2. Translates the source IP address.
The NAT-PT device translates the source IPv6 address of the packet into an IPv4 address according to the static or dynamic mapping on the IPv6 side.
3. Translates the destination IP address.
The NAT-PT device translates the destination IPv6 address of the packet into an IPv4 address according to the static mapping, if configured, on the IPv4 network side. Without any static mapping configured on the IPv4 network side, if the lowest 32 bits of the destination IPv6 address in the packet can be directly translated into a valid IPv4 address, the destination IPv6 address is translated into that IPv4 address. Otherwise, the translation fails.
4. Forwards the packet and stores the mappings.
After the source and destination IPv6 addresses of the packet are translated into IPv4 addresses, the NAT-PT device forwards the packet to the IPv4 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT device.
5. Forwards the reply packet according to the stored mappings.
Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT device swaps the source and destination IPv4 addresses according to the stored mappings and forwards the packet to the IPv6 host.
Session initiated by an IPv4 host
The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:
1. Determines whether to perform NAT-PT.
Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT device checks the destination IPv4 address in the packet against the static mappings configured on the IPv6 network side. If a match is found, the device considers that the packet needs to be forwarded to the IPv6 network and NAT-PT needs to be performed.
2. Translates the source IP address.
The NAT-PT device translates the source IPv4 address of the packet into an IPv6 address according to the static or dynamic mapping on the IPv4 side. If no mapping is configured on the IPv4 side, the source IPv4 address with the first configured NAT-PT prefix is used as the translated source IPv6 address.
3. Translates the destination IP address.
The NAT-PT device translates the destination IPv4 address of the packet into an IPv6 address according to the static mapping on the IPv6 side.
4. Forwards the packet and stores the mappings.
After the source and destination IPv4 addresses of the packet are translated into IPv6 addresses, the NAT-PT device forwards the packet to the IPv6 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT device.
5. Forwards the reply packet according to the stored mappings.
Upon receiving a reply packet from the IPv6 host to the IPv4 host, the NAT-PT device swaps the source and destination IPv6 addresses according to the stored mappings and forwards the packet to the IPv4 host.
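The two procedures above, as an added Python model (a constructed example, not HP's implementation): one 96-bit NAT-PT prefix, static mappings on each side, embedding and extraction of the low 32 bits, and a table of stored mappings used to swap addresses in replies. The prefix 3001::/96, the mapped addresses, and the validity check on the extracted IPv4 address (rejecting unspecified, loopback, multicast and reserved addresses) are assumptions for the example; dynamic mappings are not modelled, so a packet from an IPv6 source without a static mapping is not translated.

```python
import ipaddress


class NatPtModel:
    """Toy model of the NAT-PT address translation steps described above.
    Constructed example, not HP's implementation."""

    def __init__(self, natpt_prefix):
        self.prefix = ipaddress.IPv6Network(natpt_prefix)   # e.g. "3001::/96" (assumed)
        if self.prefix.prefixlen != 96:
            raise ValueError("a NAT-PT prefix is 96 bits long")
        self.v6bound_static = {}   # IPv6 address -> IPv4 address (static mapping, IPv6 side)
        self.v4bound_static = {}   # IPv4 address -> IPv6 address (static mapping, IPv4 side)
        self.reply_from_v4 = {}    # (src4, dst4) of a reply from an IPv4 host -> (src6, dst6)
        self.reply_from_v6 = {}    # (src6, dst6) of a reply from an IPv6 host -> (src4, dst4)

    def add_v6bound_static(self, ipv6, ipv4):
        self.v6bound_static[ipaddress.IPv6Address(ipv6)] = ipaddress.IPv4Address(ipv4)

    def add_v4bound_static(self, ipv4, ipv6):
        self.v4bound_static[ipaddress.IPv4Address(ipv4)] = ipaddress.IPv6Address(ipv6)

    def embed(self, ipv4):
        """IPv4 -> IPv6: the IPv4 address placed in the low 32 bits of the NAT-PT prefix."""
        return ipaddress.IPv6Address(int(self.prefix.network_address) | int(ipv4))

    def extract(self, ipv6):
        """IPv6 -> IPv4 from the lowest 32 bits, or None if the result is not a
        usable unicast address (the model's own validity check, an assumption)."""
        v4 = ipaddress.IPv4Address(int(ipv6) & 0xFFFFFFFF)
        if v4.is_unspecified or v4.is_loopback or v4.is_multicast or v4.is_reserved:
            return None
        return v4

    def translate_v6_to_v4(self, src6, dst6):
        """Session initiated by an IPv6 host, steps 1 to 4. Returns the translated
        (src4, dst4) as strings, or None when NAT-PT is not performed or fails."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        if dst6 not in self.prefix:                # step 1: destination prefix check
            return None
        src4 = self.v6bound_static.get(src6)       # step 2: IPv6-side mapping
        if src4 is None:                           # (dynamic mappings not modelled)
            return None
        dst4 = next((v4 for v4, v6 in self.v4bound_static.items() if v6 == dst6), None)
        if dst4 is None:                           # step 3: no IPv4-side static mapping,
            dst4 = self.extract(dst6)              # so use the lowest 32 bits
        if dst4 is None:
            return None                            # translation fails
        self.reply_from_v4[(dst4, src4)] = (dst6, src6)   # step 4: store the mapping
        return str(src4), str(dst4)

    def translate_v4_to_v6(self, src4, dst4):
        """Session initiated by an IPv4 host, steps 1 to 4."""
        src4, dst4 = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
        dst6 = next((v6 for v6, v4 in self.v6bound_static.items() if v4 == dst4), None)
        if dst6 is None:                           # step 1: no IPv6-side static mapping
            return None
        src6 = self.v4bound_static.get(src4)       # step 2: IPv4-side mapping, else
        if src6 is None:                           # source IPv4 with the NAT-PT prefix
            src6 = self.embed(src4)
        self.reply_from_v6[(dst6, src6)] = (dst4, src4)   # step 4 (step 3 is dst6 above)
        return str(src6), str(dst6)

    def reply_v4_to_v6(self, src4, dst4):
        """Step 5 for a reply from the IPv4 host: swap using the stored mapping."""
        key = (ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4))
        hit = self.reply_from_v4.get(key)
        return None if hit is None else (str(hit[0]), str(hit[1]))

    def reply_v6_to_v4(self, src6, dst6):
        """Step 5 for a reply from the IPv6 host."""
        key = (ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6))
        hit = self.reply_from_v6.get(key)
        return None if hit is None else (str(hit[0]), str(hit[1]))
```

Note that the model enforces the order of the steps: an IPv4-side static mapping is only consulted after the destination has passed the prefix check in step 1, exactly as the procedure states, so a static mapping whose IPv6 address lies outside the NAT-PT prefix is never reached from the IPv6 side.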
NAT-PT limitations
Because of the following limitations, NAT-PT is not recommended in some applications. For example,
tunneling is recommended in the case where an IPv6 host needs to communicate with another IPv6 host
across an IPv4 network.
• In NAT-PT translation, the request and response packets of a session must be processed by the same NAT-PT device.
• The Options field in the IPv4 packet header cannot be translated.
• NAT-PT does not provide end-to-end security.
For more information about tunneling, see "Configuring tunneling."
NAT-PT supports Internet Control Message Protocol (ICMP), Domain Name System (DNS), File Transfer
Protocol (FTP), and other protocols that employ the network layer protocol but have no address
information in the protocol messages.
Protocols and standards
•
RFC 2765, Stateless IP/ICMP Translation Algorithm
•
RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)
NAT-PT configuration task list
Complete the following tasks to configure NAT-PT to allow active access from an IPv6 host to an IPv4 host:
Enabling NAT-PT
     Remarks: Required.
Configuring a NAT-PT prefix
     Remarks: Required.
Configuring IPv4/IPv6 address mappings on the IPv6 side
     Remarks: Required.
Configuring a static mapping on the IPv4 side
     Remarks: Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address is used as the translated destination IPv4 address.
Setting the ToS field after NAT-PT translation
     Remarks: Optional.
Configuring a NAT-PT session aging time for a protocol
     Remarks: Optional.
Configuring the maximum number of sessions
     Remarks: Optional.
Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Enabling NAT-PT
     Remarks: Required.
Configuring a NAT-PT prefix
     Remarks: Required.
Configuring IPv4/IPv6 address mappings on the IPv4 side
     Remarks: Optional. If no IPv4/IPv6 address mapping is configured, the source IPv4 address added with the first configured NAT-PT prefix is used as the translated source IPv6 address.
Configuring IPv4/IPv6 address mappings on the IPv6 side
     Remarks: Required. Complete either this task or the next one.
Configuring static NAPT-PT mappings of IPv6 servers
     Remarks: Required. Complete either this task or the previous one.
Setting the traffic class field after NAT-PT translation
     Remarks: Optional.
Configuring a NAT-PT session aging time for a protocol
     Remarks: Optional.
Configuring the maximum number of sessions
     Remarks: Optional.
Configuration prerequisites
Before you implement NAT-PT, complete the following tasks:
1. Enable IPv6 on the device. For more information, see "Configuring IPv6 basics."
2. Configure an IPv4 or IPv6 address as required on the interface to be enabled with NAT-PT.
CAUTION:
Fast forwarding invalidates NAT-PT. Therefore, before you enable NAT-PT, disable IPv4 or IPv6 fast
forwarding by using undo ip fast-forwarding or undo ipv6 fast-forwarding in interface view, or clear
existing fast-forwarding entries by using reset ip fast-forwarding cache or reset ipv6 fast-forwarding
cache in user view.
Enabling NAT-PT
After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the device
can implement translation between IPv4 and IPv6 addresses.
To enable NAT-PT:
260. Enter system view.
     Command: system-view
     Remarks: N/A
261. Enter interface view.
     Command: interface interface-type interface-number
     Remarks: N/A
262. Enable NAT-PT on the interface.
     Command: natpt enable
     Remarks: Disabled by default.
Configuring a NAT-PT prefix
Follow these guidelines when you configure a NAT-PT prefix:
• The NAT-PT prefix must be different from the IPv6 address prefix of a local interface. Otherwise, incoming packets matching the prefix get lost due to NAT-PT translation.
• To delete a NAT-PT prefix that has been referenced by using the natpt v4bound dynamic or natpt v6bound dynamic command, you must cancel the referenced configuration first.
To configure a NAT-PT prefix:
263. Enter system view.
     Command: system-view
264. Configure a NAT-PT prefix.
     Command: natpt prefix natpt-prefix [ interface interface-type interface-number [ nexthop ipv4-address ] ]
Configuring IPv4/IPv6 address mappings on the IPv6 side
IPv4/IPv6 address mappings on the IPv6 side can be static or dynamic.
Configuring a static mapping on the IPv6 side
A static mapping on the IPv6 side shows the one-to-one correspondence between an IPv4 address and
an IPv6 address:
• If the source IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches the static mapping, the source IPv6 address is translated into the corresponding IPv4 address.
• If the destination IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches the static mapping, the destination IPv4 address is translated into the corresponding IPv6 address.
To configure a static IPv4/IPv6 address mapping on the IPv6 side:
265. Enter system view.
     Command: system-view
266. Configure a static IPv4/IPv6 address mapping on the IPv6 side.
     Command: natpt v6bound static ipv6-address ipv4-address
Configuring a dynamic mapping policy on the IPv6 side
With a dynamic IPv4/IPv6 mapping policy on the IPv6 side, if the source IPv6 address matches a specific IPv6 ACL or the destination IPv6 address matches the specified NAT-PT prefix, the source IPv6 address is translated into an IPv4 address in a specified NAT-PT address pool or into the IPv4 address of a specific interface. For ACL configuration, see ACL and QoS Configuration Guide.
The device provides four dynamic mapping policies:
• Policy 1—Associate an IPv6 ACL with an address pool. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address will be translated into an IPv4 address in the specified address pool.
• Policy 2—Associate an IPv6 ACL with an interface address. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address will be translated into the IPv4 address of the specified interface.
• Policy 3—Associate a NAT-PT prefix with an address pool. If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will be translated into an IPv4 address in the specified address pool.
• Policy 4—Associate a NAT-PT prefix with an interface address. If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will be translated into the IPv4 address of the specified interface.
To use policy 1 or 3, configure a NAT-PT address pool first.
A NAT-PT address pool is a group of contiguous IPv4 addresses and is used to translate an IPv6 address
into an IPv4 address dynamically. When an IPv6 packet is sent from an IPv6 network to an IPv4 network,
if policy 1 or 3 is set, the NAT-PT device will select an IPv4 address from the NAT-PT address pool as the
source IPv4 address of the IPv6 packet.
To configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side:
267. Enter system view.
     Command: system-view
     Remarks: N/A
268. Configure a NAT-PT address pool.
     Command: natpt address-group group-number start-ipv4-address end-ipv4-address
     Remarks: Skip this step if you use policy 2 or policy 4.
269. Configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side.
     Command (use one of the commands):
     • Associate an IPv6 ACL with an address pool: natpt v6bound dynamic acl6 number acl-number address-group address-group [ no-pat ]
     • Associate an IPv6 ACL with an interface address: natpt v6bound dynamic acl6 number acl-number interface interface-type interface-number
     • Associate a NAT-PT prefix with an address pool: natpt v6bound dynamic prefix natpt-prefix address-group address-group [ no-pat ]
     • Associate a NAT-PT prefix with an interface address: natpt v6bound dynamic prefix natpt-prefix interface interface-type interface-number
     Remarks:
     • If the source IPv6 address of an IPv6 packet matches the specified IPv6 ACL, the source IPv6 address will be translated into an IPv4 address of the specified address pool or interface.
     • If the destination IPv6 address of an IPv6 packet matches the specified NAT-PT prefix, the source IPv6 address will be translated into an IPv4 address of the specified address pool or interface.
The NAT-PT prefix referenced in a natpt v6bound dynamic command must have been configured with the
natpt prefix command.
If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not
specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses, and
the end IPv4 address in the address pool is used for NAPT-PT.
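The four policies, the address pool and the no-pat keyword, as an added Python model (a constructed example, not HP's implementation). An IPv6 ACL is simplified to a list of IPv6 networks matched against the source address, a NAT-PT prefix is matched against the destination address, and policies are evaluated in the order given. With no-pat each IPv6 host takes its own pool address and, in this model, translation fails once the pool is exhausted; without no-pat the end address of the pool (or the interface address) is shared and hosts are told apart by port, with ports handed out from 10240 upward, a starting value assumed here. The addresses used in the test come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32, and the prefix 3001::/96 is likewise constructed.

```python
import ipaddress
from itertools import count


class NatPtAddressPool:
    """A NAT-PT address pool: a contiguous range of IPv4 addresses."""

    def __init__(self, start_ipv4, end_ipv4):
        first = int(ipaddress.IPv4Address(start_ipv4))
        last = int(ipaddress.IPv4Address(end_ipv4))
        if last < first:
            raise ValueError("end address precedes start address")
        self.free = [ipaddress.IPv4Address(i) for i in range(first, last + 1)]
        self.end_address = ipaddress.IPv4Address(last)   # the address NAPT-PT uses
        self.assigned = {}                                # IPv6 host -> IPv4 address (no-pat)

    def allocate(self, src6):
        """One-to-one dynamic mapping (no-pat): each IPv6 host takes a pool address.
        Returns None when the pool is exhausted (the model's behaviour, an assumption)."""
        if src6 in self.assigned:
            return self.assigned[src6]
        if not self.free:
            return None
        self.assigned[src6] = self.free.pop(0)
        return self.assigned[src6]


class V6BoundDynamicPolicy:
    """One natpt v6bound dynamic policy: exactly one match criterion (acl6, a list
    of IPv6 networks standing in for an IPv6 ACL, or a NAT-PT prefix) and exactly
    one translation target (an address pool or an interface IPv4 address)."""

    def __init__(self, *, acl6=None, prefix=None, pool=None, interface_ipv4=None, no_pat=False):
        if (acl6 is None) == (prefix is None) or (pool is None) == (interface_ipv4 is None):
            raise ValueError("policy needs one match criterion and one translation target")
        self.acl6 = [ipaddress.IPv6Network(n) for n in acl6] if acl6 is not None else None
        self.prefix = ipaddress.IPv6Network(prefix) if prefix is not None else None
        self.pool = pool
        self.interface_ipv4 = ipaddress.IPv4Address(interface_ipv4) if interface_ipv4 else None
        self.no_pat = no_pat

    def matches(self, src6, dst6):
        if self.acl6 is not None:              # policies 1 and 2 match on the source
            return any(src6 in net for net in self.acl6)
        return dst6 in self.prefix             # policies 3 and 4 match on the destination


class V6BoundTranslator:
    """Applies the configured policies, in order, to packets from the IPv6 side."""

    def __init__(self, policies, first_port=10240):
        self.policies = policies
        self.ports = count(first_port)         # NAPT-PT port allocator (start value assumed)
        self.napt = {}                         # (src6, src_port) -> (ipv4 string, port)

    def translate_source(self, src6, src_port, dst6):
        """Return the translated (IPv4 address, port) for a packet, or None."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        for policy in self.policies:
            if not policy.matches(src6, dst6):
                continue
            if policy.pool is not None and policy.no_pat:
                addr = policy.pool.allocate(src6)          # dynamic one-to-one mapping
                return None if addr is None else (str(addr), src_port)
            # NAPT-PT: many IPv6 hosts share one IPv4 address and are told apart
            # by port; with a pool, the end address of the pool is the shared one.
            addr = policy.pool.end_address if policy.pool is not None else policy.interface_ipv4
            key = (src6, src_port)
            if key not in self.napt:
                self.napt[key] = (str(addr), next(self.ports))
            return self.napt[key]
        return None                            # no policy matched: no translation
```

The ordering matters: a packet whose source matches an ACL policy and whose destination matches a prefix policy is handled by whichever policy is listed first, so the test places the ACL policies where their effect is unambiguous.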
Configuring IPv4/IPv6 address mappings on the IPv4 side
IPv4/IPv6 address mappings on the IPv4 side can be static or dynamic.
Configuring a static mapping on the IPv4 side
A static IPv4/IPv6 address mapping on the IPv4 side shows the one-to-one correspondence between an
IPv4 address and an IPv6 address:
• If the source IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches a static IPv4/IPv6 address mapping, the source IPv4 address is translated into the corresponding IPv6 address.
• If the destination IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches a static IPv4/IPv6 address mapping, the destination IPv6 address is translated into the corresponding IPv4 address.
To configure a static IPv4/IPv6 address mapping on the IPv4 side:
270. Enter system view.
     Command: system-view
271. Configure a static IPv4/IPv6 address mapping on the IPv4 side.
     Command: natpt v4bound static ipv4-address ipv6-address
Configuring a dynamic mapping policy on the IPv4 side
With a dynamic IPv4/IPv6 address mapping policy on the IPv4 side, if the source IPv4 address matches a specific ACL, the source IPv4 address is combined with a NAT-PT prefix to form the translated IPv6 address. The natpt-prefix argument specified in the natpt v4bound dynamic acl number acl-number prefix natpt-prefix command must have been configured with the natpt prefix command. For more information about ACLs, see ACL and QoS Configuration Guide.
To configure a dynamic IPv4/IPv6 mapping policy on the IPv4 side:
272. Enter system view.
     Command: system-view
273. Configure a dynamic IPv4/IPv6 source address mapping policy on the IPv4 side.
     Command: natpt v4bound dynamic acl number acl-number prefix natpt-prefix
Setting the ToS field after NAT-PT translation
You can set the ToS field in IPv4 packets translated from IPv6 packets to 0 or leave it unchanged. 0
indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that
the existing service priority is used.
To set the ToS field in packets after NAT-PT translation:
274. Enter system view.
     Command: system-view
     Remarks: N/A
275. Set the ToS field in IPv4 packets translated from IPv6 packets to 0.
     Command: natpt turn-off tos
     Remarks: By default, the value of the ToS field of IPv4 packets is the same as that of the Traffic Class field in corresponding IPv6 packets.
Setting the traffic class field after NAT-PT translation
You can set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0 or leave it unchanged.
0 indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that
the existing service priority is used.
To set the Traffic Class field in packets after NAT-PT translation:
276. Enter system view.
     Command: system-view
     Remarks: N/A
277. Set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0.
     Command: natpt turn-off traffic-class
     Remarks: By default, the value of the Traffic Class field of IPv6 packets is the same as that of the ToS field in corresponding IPv4 packets.
Configuring static NAPT-PT mappings of IPv6 servers
Generally, a server such as the FTP server, Web server, or Telnet server on an IPv6 network provides
services for IPv6 hosts only. To allow IPv4 hosts to access the IPv6 server, you can specify a static NAPT-PT
mapping between the IPv6 address plus the port number and the IPv4 address plus the port number of
the IPv6 server.
Upon receiving an access request to an IPv6 server from an IPv4 host, the NAT-PT device checks the
destination address and port number of the packet against the static address/port mapping of the IPv6
server. If they match, the device translates the source IPv4 address of the packet into the corresponding
IPv6 address according to the IPv4/IPv6 address mapping on the IPv4 side, and translates the
destination IPv4 address and port number in the request to the corresponding IPv6 address and port
number according to the static address/port mapping of the IPv6 server.
When you configure a static address/port mapping of an IPv6 server, specify the following:
• Protocol type—The type of the transport layer protocol used by the server. It can be TCP or UDP.
• IPv4 address and port number of the server—Used by IPv4 hosts to access the server.
• IPv6 address and port number of the server.
To configure a static NAPT-PT mapping for an IPv6 server:
278. Enter system view.
    Command: system-view
279. Configure a static address and port number mapping for an IPv6 server.
    Command: natpt v4bound static v6server protocol protocol-type ipv4-address ipv4-port-number ipv6-address ipv6-port-number
Configuring a NAT-PT session aging time for a protocol
You can set a NAT-PT session aging time for a protocol. If the idle time of a NAT-PT session exceeds the
specified aging time, the NAT-PT session is removed.
To configure a NAT-PT session aging time for a protocol:
280. Enter system view.
    Command: system-view
    Remarks: N/A
281. Configure a NAT-PT session aging time for a protocol.
    Command: natpt aging-time { default | { dns | finrst | frag | icmp | syn | tcp | udp } time-value }
    Remarks: The defaults are as follows:
    • 10 seconds for a DNS packet.
    • 5 seconds for a FINRST packet.
    • 5 seconds for a FRAG packet.
    • 20 seconds for an ICMP packet.
    • 240 seconds for a SYN packet.
    • 40 seconds for a UDP packet.
    • 86400 seconds for a TCP packet.
Configuring the maximum number of sessions
You can set the maximum number of allowed sessions. When the number of concurrent sessions reaches
the maximum, no new session can be established.
To configure the maximum number of sessions:
282. Enter system view.
    Command: system-view
    Remarks: N/A
283. Configure the maximum number of NAT-PT sessions.
    Command: natpt max-session max-number
    Remarks: 2048 by default.
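The interaction of the per-protocol aging timers and the session cap described in the two sections above, as an added example that is not HP's code: a model of the session table that ages sessions by class (with the guide's default timers) and refuses new sessions once max-session is reached. Recognising DNS by UDP port 53 and the packet-flag to class mapping are this example's assumptions.

```python
"""NAT-PT session table with per-protocol aging and a session cap.

Added example, not HP's implementation: it models the behaviour the guide
describes for natpt aging-time and natpt max-session. Timer defaults are the
guide's (dns 10, finrst 5, frag 5, icmp 20, syn 240, udp 40, tcp 86400 seconds);
the cap default is 2048. Time is passed in explicitly so aging can be exercised
without sleeping. Classifying UDP port 53 as DNS is this example's assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_AGING = {  # natpt aging-time defaults, in seconds
    "dns": 10, "finrst": 5, "frag": 5, "icmp": 20, "syn": 240, "udp": 40, "tcp": 86400,
}
DEFAULT_MAX_SESSION = 2048  # natpt max-session default

# (protocol, source, source port, destination, destination port)
Key = Tuple[str, str, int, str, int]


def classify(proto: str, flags: str = "", dport: Optional[int] = None,
             fragment: bool = False) -> str:
    """Pick the aging class of a packet; flags is a string such as "S", "SA", "A", "FA" or "R"."""
    if fragment:
        return "frag"
    if proto == "icmp":
        return "icmp"
    if proto == "udp":
        return "dns" if dport == 53 else "udp"   # assumption: DNS recognised by port 53
    if "F" in flags or "R" in flags:
        return "finrst"                          # connection tearing down
    if "S" in flags:
        return "syn"                             # handshake not complete yet
    return "tcp"                                 # established


@dataclass
class Session:
    state: str        # key into the aging table
    last_seen: float  # time of the last packet on this session


class NatPtSessionTable:
    def __init__(self, aging: Optional[Dict[str, int]] = None,
                 max_session: int = DEFAULT_MAX_SESSION):
        self.aging = dict(DEFAULT_AGING)
        for state, seconds in (aging or {}).items():
            self.set_aging_time(state, seconds)
        self.max_session = max_session
        self.sessions: Dict[Key, Session] = {}
        self.refused = 0  # new sessions refused because the table was full

    def set_aging_time(self, state: str, seconds: int) -> None:
        """Equivalent of natpt aging-time <state> <time-value>."""
        if state not in DEFAULT_AGING:
            raise ValueError(f"unknown aging class {state!r}")
        self.aging[state] = seconds

    def expire(self, now: float) -> int:
        """Remove sessions idle longer than their class's aging time; return how many."""
        dead = [k for k, s in self.sessions.items() if now - s.last_seen > self.aging[s.state]]
        for k in dead:
            del self.sessions[k]
        return len(dead)

    def packet(self, now: float, key: Key, state: str) -> bool:
        """Account one translated packet. Returns False when a new session is refused
        because the table is at max-session (no new session can be established)."""
        self.expire(now)
        session = self.sessions.get(key)
        if session is None:
            if len(self.sessions) >= self.max_session:
                self.refused += 1
                return False
            self.sessions[key] = Session(state, now)
            return True
        session.state, session.last_seen = state, now
        return True

    def count(self, state: Optional[str] = None) -> int:
        """Number of sessions, optionally only those in one aging class."""
        return sum(1 for s in self.sessions.values() if state is None or s.state == state)


if __name__ == "__main__":
    # constructed demo: the 240 s SYN timer bounds how long a never-completed
    # handshake holds a slot, while an established TCP session may idle for a day
    table = NatPtSessionTable(max_session=2)
    table.packet(0.0, ("tcp", "2001::2", 40000, "3001::800:2", 80), classify("tcp", "S"))
    table.packet(1.0, ("udp", "2001::2", 5000, "3001::800:2", 53), classify("udp", dport=53))
    print("third session accepted:",
          table.packet(2.0, ("icmp", "2001::2", 0, "3001::800:2", 0), classify("icmp")))
    table.expire(300.0)
    print("sessions left after 300 s:", table.count(), "refused:", table.refused)
```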
Displaying and maintaining NAT-PT
Display all NAT-PT configuration information.
    Command: display natpt all [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display NAT-PT address pool configuration information.
    Command: display natpt address-group [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display the static and dynamic NAT-PT address mappings.
    Command: display natpt address-mapping [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display the NAT-PT session aging time.
    Command: display natpt aging-time [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display the NAT-PT fragment session information.
    Command: display natpt frag-sessions [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display the dynamic NAT-PT session information.
    Command: display natpt session { all | icmp | tcp | udp } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display NAT-PT statistics information.
    Command: display natpt statistics [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Clear dynamic NAT-PT address mappings.
    Command: reset natpt dynamic-mappings
    Remarks: Available in user view.
Clear all NAT-PT statistics information.
    Command: reset natpt statistics
    Remarks: Available in user view.
NAT-PT configuration examples
Configuring dynamic mapping on the IPv6 side
Network requirements
As shown in Figure 66, Router C with IPv6 address 2001::2/64 on an IPv6 network wants to access
Router A with IPv4 address 8.0.0.2/24 on an IPv4 network, whereas Router A cannot actively access
Router C.
To meet the preceding requirements, you need to configure Router B that is deployed between the IPv4
network and IPv6 network as a NAT-PT device, and configure dynamic mapping policies on the IPv6 side
on Router B so that IPv6 hosts can access IPv4 hosts but IPv4 hosts cannot access IPv6 hosts.
Figure 66 Network diagram
Configuration procedure
1. Configure Router B (NAT-PT device):
# Configure interface addresses and enable NAT-PT on the interfaces.
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial2/0] natpt enable
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2001::1/64
[RouterB-Serial2/1] natpt enable
[RouterB-Serial2/1] quit
# Configure a NAT-PT prefix.
[RouterB] natpt prefix 3001::
# Configure a NAT-PT address pool.
[RouterB] natpt address-group 1 9.0.0.10 9.0.0.19
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[RouterB] natpt v6bound dynamic prefix 3001:: address-group 1
2. Configure Router A on the IPv4 side:
# Configure a static route to subnet 9.0.0.0/24.
<RouterA> system-view
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Enable IPv6.
<RouterC> system-view
[RouterC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterC] ipv6 route-static 3001:: 16 2001::1
Verifying the configuration
Use the ping ipv6 3001::0800:0002 command on Router C. Response packets are received, and on Router B you can see the established NAT-PT session:
[RouterB] display natpt session all
NATPT Session Info:
No  IPV6Source        IPV4Source       IPV6Destination      IPV4Destination  Pro
1   2001::0002^43984  9.0.0.19^12288   3001::0800:0002^0    8.0.0.2^0        ICMP
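The address handling behind this session (prefix embedding of 8.0.0.2 as 3001::0800:0002, the address-group allocation that gave 2001::2 the address 9.0.0.19) together with the static v4bound/v6bound and NAPT-PT v6server mappings from the earlier sections, as an added example that is not HP's code. It assumes a /96 NAT-PT prefix, and the addresses and mappings it uses are constructed.

```python
"""NAT-PT address and port translation model, written as an added example for this
guide. It is not HP's implementation; it reproduces the behaviour the guide describes:
an IPv4 host is seen on the IPv6 side as the NAT-PT prefix plus its embedded IPv4 address
(3001:: and 8.0.0.2 give 3001::0800:0002), static v4bound/v6bound mappings pin a host to a
fixed address, a dynamic v6bound policy takes IPv4 addresses from an address group, and a
static NAPT-PT v6server mapping publishes an IPv6 server to IPv4 hosts under an IPv4
address and port. Assumption: the prefix is /96, so the IPv4 address fills the low 32 bits.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address
from typing import Dict, List, Optional, Tuple

PREFIX_LEN = 96              # assumed prefix length; the guide only shows "natpt prefix 3001::"
HOST_BITS = 128 - PREFIX_LEN


def embed_ipv4(prefix: str, ipv4: str) -> IPv6Address:
    """Put an IPv4 address into the low 32 bits of the NAT-PT prefix."""
    net = (int(IPv6Address(prefix)) >> HOST_BITS) << HOST_BITS
    return IPv6Address(net | int(IPv4Address(ipv4)))


def extract_ipv4(prefix: str, ipv6: str) -> Optional[IPv4Address]:
    """Reverse of embed_ipv4; None when the address is not under the prefix."""
    value = int(IPv6Address(ipv6))
    if value >> HOST_BITS != int(IPv6Address(prefix)) >> HOST_BITS:
        return None
    return IPv4Address(value & 0xFFFFFFFF)


def address_range(start: str, end: str) -> List[str]:
    """Expand the start/end addresses of a natpt address-group into a list."""
    first, last = int(IPv4Address(start)), int(IPv4Address(end))
    return [str(IPv4Address(i)) for i in range(first, last + 1)]


@dataclass
class NatPt:
    """Mapping state of one NAT-PT device (constructed model, not device state)."""
    prefix: str
    address_group: List[str] = field(default_factory=list)        # natpt address-group
    v4bound_static: Dict[str, str] = field(default_factory=dict)  # IPv4 host -> IPv6 address
    v6bound_static: Dict[str, str] = field(default_factory=dict)  # IPv6 host -> IPv4 address
    # natpt v4bound static v6server: (proto, ipv4, ipv4-port) -> (ipv6, ipv6-port)
    v6servers: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)
    dynamic: Dict[str, str] = field(default_factory=dict)         # IPv6 host -> pooled IPv4

    def __post_init__(self) -> None:
        # store IPv6 addresses in canonical form so 3001::0005 and 3001::5 compare equal
        self.v4bound_static = {k: str(IPv6Address(v)) for k, v in self.v4bound_static.items()}
        self.v6bound_static = {str(IPv6Address(k)): v for k, v in self.v6bound_static.items()}

    def add_v6server(self, proto: str, ipv4: str, ipv4_port: int, ipv6: str, ipv6_port: int) -> None:
        if proto not in ("tcp", "udp"):
            raise ValueError("protocol-type must be tcp or udp")
        self.v6servers[(proto, ipv4, ipv4_port)] = (str(IPv6Address(ipv6)), ipv6_port)

    def translate_from_ipv4(self, proto: str, src4: str, sport: int,
                            dst4: str, dport: int) -> Optional[dict]:
        """Translate a request from an IPv4 host; None means no mapping matched."""
        server = self.v6servers.get((proto, dst4, dport))
        if server is not None:
            dst6, dport6 = server                  # static NAPT-PT mapping hit
        else:
            # otherwise the destination must be the IPv4 face of a v6bound mapping
            ipv4_faces = {v4: v6 for v6, v4 in self.v6bound_static.items()}
            if dst4 not in ipv4_faces:
                return None
            dst6, dport6 = ipv4_faces[dst4], dport
        # source: static v4bound mapping if one exists, else the dynamic IPv4-side
        # policy, which (assumed here) embeds the IPv4 source in the NAT-PT prefix
        src6 = self.v4bound_static.get(src4) or str(embed_ipv4(self.prefix, src4))
        return {"src": src6, "sport": sport, "dst": dst6, "dport": dport6}

    def translate_from_ipv6(self, src6: str, dst6: str) -> Optional[Tuple[str, str]]:
        """Translate a request from an IPv6 host: the destination must carry the prefix;
        the source uses its static v6bound mapping or a free address from the address group."""
        dst4 = extract_ipv4(self.prefix, dst6)
        if dst4 is None:
            return None
        src6 = str(IPv6Address(src6))
        src4 = self.v6bound_static.get(src6) or self.dynamic.get(src6)
        if src4 is None:
            used = set(self.v6bound_static.values()) | set(self.dynamic.values())
            free = [a for a in self.address_group if a not in used]
            if not free:
                return None   # pool exhausted: the case in "Troubleshooting NAT-PT"
            src4 = self.dynamic[src6] = free[0]
        return src4, str(dst4)


if __name__ == "__main__":
    # constructed values in the spirit of the guide's examples
    nat = NatPt("3001::", address_group=address_range("9.0.0.10", "9.0.0.19"),
                v6bound_static={"2001::2": "9.0.0.5"})
    nat.add_v6server("tcp", "9.0.0.20", 8021, "2001::20", 21)
    print(nat.translate_from_ipv6("2001::3", "3001::0800:0002"))
    print(nat.translate_from_ipv4("tcp", "8.0.0.2", 40000, "9.0.0.20", 8021))
```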
Configuring static mappings on the IPv4 side and the IPv6 side
Network requirements
As shown in Figure 67, Router C with IPv6 address 2001::2/64 on an IPv6 network can communicate
with Router A with IPv4 address 8.0.0.2/24 on an IPv4 network.
To meet the preceding requirement, you need to configure Router B that is deployed between the IPv4
network and IPv6 network as a NAT-PT device, and configure static mappings on the IPv4 side and IPv6
side on Router B, so that Router A and Router C can communicate with each other.
Figure 67 Network diagram
Configuration procedure
1. Configure Router B:
# Configure interface addresses and enable NAT-PT on the interfaces.
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface serial 2/0
[RouterB-Serial2/0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial2/0] natpt enable
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2001::1/64
[RouterB-Serial2/1] natpt enable
[RouterB-Serial2/1] quit
# Configure a NAT-PT prefix.
[RouterB] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side.
[RouterB] natpt v4bound static 9.0.0.2 3001::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side.
[RouterB] natpt v6bound static 2001::2 8.0.0.5
2. Configure Router A:
# Configure a static route to subnet 9.0.0.0/24.
<RouterA> system-view
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Enable IPv6.
<RouterC> system-view
[RouterC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterC] ipv6 route-static 3001:: 16 2001::1
Verifying the configuration
Use the ping 9.0.0.5 command on Router A. Responses are received, and the display command on Router B shows the following NAT-PT session:
[RouterB] display natpt session all
NATPT Session Info:
No  IPV6Source    IPV4Source   IPV6Destination  IPV4Destination  Pro
1   3001::0005^0  8.0.0.2^0    2001::0002^0     9.0.0.5^0        ICMP
Use the ping ipv6 3001::5 command on Router C. Response packets are received, and the display command on Router B shows the following NAT-PT session:
[RouterB] display natpt session all
NATPT Session Info:
No  IPV6Source    IPV4Source   IPV6Destination  IPV4Destination  Pro
1   2001::0002^0  9.0.0.5^0    3001::0005^0     8.0.0.2^0        ICMP
Troubleshooting NAT-PT
Symptom
NAT-PT fails when a session is initiated on the IPv6 side.
Solution
1. Enable debugging for NAT-PT and locate the fault according to the debugging information of the device.
2. During debugging, check whether the source address of a packet is translated successfully. If not, it is possible that the address pool does not have enough IP addresses.
3. You can configure a larger address pool, or use NAPT-PT to perform NAT-PT.
Configuring DVPN
Overview
DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address
Management (VAM) protocol, making VPN establishment available between enterprise branches that
use dynamic addresses to access the public network.
In DVPN, a collection of nodes connected to the public network form a VPN. From the perspective of
DVPN, the public network is the link layer of the VPN, and the tunnels which are used as the virtual
channels between subnets of an intranet constitute the network layer. Branch devices dynamically access
the public network. DVPN can get the public IP addresses of the peers through VAM to set up secure
internal tunnels conveniently.
When a DVPN device forwards a packet from a user subnet to another, it performs these operations:
1. Gets the next hop on the private network through a routing protocol.
2. Gets the public network address of the next hop through the VAM protocol.
3. Encapsulates the packet, using the public address as the destination address of the tunnel.
4. Sends the packet along the tunnel to the destination.
Basic concepts
The following key roles are involved in DVPN:
• DVPN node—A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device or a host. A DVPN node takes part in tunnel setup and must implement the VAM client.
• VAM server—A VAM server receives registration information from DVPN nodes and manages and maintains information about DVPN clients. A VAM server is usually a high performance routing device with VAM server enabled.
• VAM client—A VAM client registers its private address and public address with the VAM server and obtains information about other VAM clients from the VAM server. The VAM client function must be implemented on DVPN nodes. Unless otherwise noted, the term "VAM client" refers to a hub or a spoke.
• Hub—A hub is a type of VAM client. As a central device of a VPN, it is the exchange center of routing information. A hub in a hub-spoke network is also a data forwarding center.
• Spoke—A spoke is a type of VAM client. Usually acting as the gateway of a branch office, a spoke does not forward data received from other DVPN nodes.
• AAA server—An AAA server is used for user authentication and accounting.
How DVPN operates
DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack,
DVPN supports two tunnel encapsulation modes: UDP and GRE.
A DVPN includes one server and multiple clients. The public address of the server in a DVPN must be
static. The private address of a client needs to be statically assigned. The public address of a client can
be manually configured or dynamically assigned. All the private addresses of the nodes composing a
DVPN must belong to the same network segment.
Each client registers the mapping of its private address and public address with the server. After a client
registers its address mapping with the server, other clients can get the public address of this client from
the server. This is for DVPN tunnel establishment between clients. Each client uses the VAM protocol to
communicate with the server and uses the DVPN tunneling protocol to establish, maintain, and remove
tunnels to other clients. Whenever there is a change in the topology, the server will be notified
automatically.
Network structures
DVPN supports two typical networking structures: full mesh and hub-spoke.
• Full mesh DVPN—In a full mesh DVPN, spokes can communicate with each other directly by establishing tunnels between them, and the hub is mainly used as the routing information exchange center.
  As shown in Figure 68, after the spokes (the clients) register with the VAM server and get the hub information in the VPN domain, they establish permanent tunnels with the hub.
  Any two spokes can establish a tunnel directly between them. The tunnel is dynamic and will be aged out if no data exchange occurs on it during the specified period of time (the idle timeout for the spoke-spoke tunnel).
Figure 68 Full mesh DVPN
• Hub-spoke DVPN—In a hub-spoke DVPN, no tunnel can be established between two spokes, and data between them has to be forwarded through the hub. The hub is used as both the routing information exchange center and the data forwarding center.
  As shown in Figure 69, each spoke establishes a permanent tunnel with the hub, and data between spokes is forwarded through the hub.
Figure 69 Hub-spoke DVPN
DVPN implementation
DVPN operates in three phases: connection initialization, registration, and tunnel establishment.
Connection initialization phase
When a client accesses the server for the first time, connection initialization is performed. During the
initialization procedure, the two parties negotiate whether VAM protocol packets should be secured. If so,
they negotiate the packet encryption and integrity verification algorithms, generate the keys, and
acknowledge the negotiated result.
Figure 70 Initialization process
As shown in Figure 70, a client and server take the following steps to initialize the connection:
1. The client sends the server a connection request, which carries the supported encryption and integrity verification algorithms.
2. Upon receiving the connection request, the server begins to negotiate the algorithms to be used with the client.
   The server first compares the algorithm of the highest priority on its own algorithm list against the algorithm list of the client. If a match is found, the algorithm is used. If not, the server compares its next-highest priority algorithm against the list. The operation continues until a match is found or all the algorithms on the server's algorithm list have been compared.
   If a match is found, the server sends to the client a connection response, which carries the negotiation result, and at the same time, the server and the client generate the encryption key and integrity verification key.
3. The client sends an initialization complete packet to the server, so the server can use it to check whether the algorithm negotiation and key negotiation are successful.
4. Upon receiving the initialization complete packet from the client, the server sends an initialization complete packet to the client, so the client can use it to check whether the algorithm negotiation and key negotiation are successful.
After the connection initialization process completes, the client proceeds with the registration phase.
Registration phase
Figure 71 Registration process (1) Registration request, client to server; 2) Identity authentication request, server to client; 3) Identity information, client to server; 4) Registration acknowledgement, server to client)
Figure 71 shows the registration process:
1. The client sends the server a registration request, which carries information about the client.
2. Upon receiving the registration request, the server first determines whether to authenticate the identity of the client.
   ◦ If identity authentication is not required, the server directly registers the client and sends the client a registration acknowledgement.
   ◦ If identity authentication is required, the server sends the client an identity authentication request, indicating the required authentication algorithm. In the case of CHAP authentication, a random number is also sent.
3. The client submits its identity information to the server.
4. After receiving the identity information of the client, the server sends an authentication request to the AAA server and, after receiving the expected authentication acknowledgement, sends an accounting request to the AAA server. When the server receives the accounting acknowledgement, it sends the client a registration acknowledgement, telling the client information about the hubs in the VPN.
Tunnel establishment phase
After a spoke successfully registers itself, it needs to establish a permanent tunnel with a hub. A spoke can
establish permanent tunnels with up to two hubs. If there are two hubs in a VPN domain, a permanent
tunnel is required between the hubs. Figure 72 shows the tunnel establishment process.
Figure 72 Tunnel establishment process
1. The initiator originates a tunnel establishment request.
   ◦ Hub-spoke tunnel—After a spoke registers itself successfully, it needs to establish a permanent tunnel with each hub in the VPN. Upon receiving the registered information of the hubs from the server, the spoke checks whether a tunnel is present to each hub. If no tunnel exists between the spoke and a hub, the spoke sends a tunnel establishment request to the hub.
   ◦ Hub-hub tunnel—After a hub registers itself successfully, the server sends the registered information of the other hubs in the VPN to the hub and the hub checks whether a tunnel exists to each of its peer hubs. If not, the hub sends a tunnel establishment request to the peer hub.
   ◦ Spoke-spoke tunnel—In a full mesh network, when a spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server and then, after receiving the resolved address, sends a tunnel establishment request to the peer spoke.
2. The tunnel establishment request receiver saves the tunnel establishment information and sends a response to the sender. If the request sender receives the response, a tunnel is established. Otherwise, the tunnel establishment attempt fails.
Supported DVPN features
NAT traversal of DVPN packets encapsulated by UDP
When a spoke needs to communicate with another spoke, one of the following cases will occur:
• If neither of the two spokes is behind a NAT gateway, a direct tunnel will be established between them.
• If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established traversing the NAT gateway.
• If the tunnel request receiver is behind a NAT gateway, packets must be forwarded by a hub before the intended receiver originates a tunnel establishment request.
• If both spokes reside behind NAT gateways, no tunnel can be established between them and packets between them will be forwarded by a hub.
Support for dynamic VAM client IP address
As each VAM client registers its public and private addresses with the VAM server and can get the public address of the peer VAM client from the VAM server, no tunnel destination address needs to be configured on either tunnel interface of a tunnel. When a VAM client has its IP address changed, it reregisters with the VAM server, so dynamic IP addresses are supported.
AAA identity authentication of VAM clients on the VAM server
After the initialization process completes, a VAM client registers with the VAM server. You can specify to
authenticate VAM clients during the registration process. VAM supports PAP authentication and CHAP
authentication. The VAM server uses AAA to authenticate clients in the VPN domain. A VAM client must
pass authentication to access the VPN.
Identity authentication of the VAM server and VAM client using the pre-shared key
A VAM client and the VAM server must be configured with the same pre-shared key to generate the
encryption/integrity verification key. The VAM client/VAM server can determine whether the pre-shared
keys of both sides are the same by checking the result of packet decryption and integrity verification, so
as to implement identity authentication of the VAM server/VAM client.
Encryption of VAM protocol packets
VAM protocol packets can be encrypted by using AES-128, AES-256, DES, or 3DES.
IPsec protection of data packets
Data packets in a DVPN tunnel can be protected by an IPsec profile, using security protocols ESP, AH, or
AH-ESP (ESP first, and then AH) and negotiating security policies through IKE.
Centralized management of policies
A VAM server manages all policies in a VPN domain centrally.
Support for multiple VPN domains
A VAM server supports up to 10 VPN domains.
DVPN configuration task list
When configuring DVPN, perform configuration in this order: the VAM server, the hubs, the spokes.
Complete the following tasks to configure DVPN:
Server side configuration:
    Configuring AAA: Optional.
    Configuring the VAM server: Required.
Client side configuration:
    Configuring a VAM client: Required.
    Configuring an IPsec profile: Optional.
    Configuring DVPN tunnel parameters: Required.
    Configuring routing: Required.
Configuring AAA
A VAM server can employ AAA to authenticate the identities of clients accessing a VPN domain. For
AAA configuration, see Security Configuration Guide.
Configuring the VAM server
Complete the following tasks to configure a VAM server:
Creating a VPN domain: Required.
Enabling VAM server: Required.
Configuring the listening IP address and UDP port number: Optional.
Configuring the security parameters of VAM protocol packets: Optional.
Specifying the client authentication mode: Optional.
Specifying a hub: Required.
Configuring the pre-shared key of the VAM server: Required.
Configuring keepalive parameters: Optional.
Creating a VPN domain
284. Enter system view.
    Command: system-view
    Remarks: N/A
285. Create a VPN domain and enter VPN domain view.
    Command: vam server vpn vpn-name
    Remarks: No VPN domain exists by default.
Enabling VAM server
286. Enter system view.
    Command: system-view
    Remarks: N/A
287. Enable VAM server.
    Command:
    • (Method 1) Enable VAM server for one or all VPN domains: vam server enable { all | vpn vpn-name }
    • (Method 2) Enable VAM server for a VPN domain: a. vam server vpn vpn-name, then b. server enable
    Remarks: Use either method. By default, VAM server is disabled.
Configuring the listening IP address and UDP port number
To configure the listening IP address and UDP port number of the VAM server:
288. Enter system view.
    Command: system-view
    Remarks: N/A
289. Configure the listening IP address and UDP port number of the server.
    Command: vam server ip-address ip-address [ port port-number ]
    Remarks: Optional. By default, no listening IP address and UDP port number are configured.
If you do not specify a listening IP address and port number on a VAM server, the VAM server listens to
all packets whose destination IP address is a local interface IP address and destination port number is
18000.
Configuring the security parameters of VAM protocol packets
Based on the packet integrity authentication algorithm and encryption algorithm configuration, a VAM
server negotiates with a client to determine the protocol packets' integrity authentication and encryption
algorithms to be used between them.
In the connection initialization process, SHA-1 is always used for authenticating connection requests from
clients and connection responses from the server. Whether subsequent protocol packets are to be
authenticated and what algorithms are available for authentication depend on your configuration.
In the connection initialization process, AES-128 is always used for encrypting connection requests from
clients and connection responses from the server. Whether subsequent protocol packets are to be
encrypted and what algorithms are available for encryption depend on your configuration.
The configuration order of the authentication and encryption algorithms determines the priorities of the
algorithms. For example, if you configure the encryption-algorithm aes-128 3des command, the AES-128
algorithm has a higher priority than 3DES.
To configure VAM protocol packet security parameters:
290. Enter system view.
    Command: system-view
    Remarks: N/A
291. Enter VPN domain view.
    Command: vam server vpn vpn-name
    Remarks: N/A
292. Specify the algorithms for protocol packet authentication and their priorities.
    Command: authentication-algorithm { none | { md5 | sha-1 } * }
    Remarks: Optional. By default, SHA-1 is used for protocol packet authentication.
293. Specify the algorithms for protocol packet encryption and their priorities.
    Command: encryption-algorithm { { 3des | aes-256 | aes-128 | des } * | none }
    Remarks: Optional. By default, four encryption algorithms are available and preferred in this order: AES-128, AES-256, 3DES, and DES.
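The server-priority negotiation described in the connection initialization phase and configured by the two commands above, as an added example that is not HP's code: the server walks its configured list in order and takes the first algorithm the client also offers, so the configured order, and what is left off the list, decides what a client can end up with. The WEAK set and the hardened list in the demo are this example's own choices.

```python
"""VAM connection-initialization algorithm negotiation, as an added example for this
guide (not HP code). It models what the guide describes: the server walks its own
algorithm list in configured priority order and uses the first algorithm the client
also offers; if nothing matches, initialization fails. Default lists are the guide's
defaults (SHA-1 for authentication; AES-128, AES-256, 3DES, DES for encryption).
The WEAK set is this example's own view of which outcomes a current baseline rejects.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

AUTH_ALGS = {"md5", "sha-1"}                       # authentication-algorithm choices
ENC_ALGS = {"3des", "aes-256", "aes-128", "des"}   # encryption-algorithm choices
DEFAULT_AUTH = ["sha-1"]
DEFAULT_ENC = ["aes-128", "aes-256", "3des", "des"]
WEAK = {"md5", "des", "3des", "none"}              # example's own list, not from the guide


def negotiate(server_list: Sequence[str], client_list: Sequence[str]) -> Optional[str]:
    """First algorithm, in server priority order, that the client also supports."""
    client = set(client_list)
    for alg in server_list:
        if alg in client:
            return alg
    return None


def _validate(algs: Sequence[str], allowed: set, what: str) -> List[str]:
    """'none' must stand alone, as in the command syntax; other names must be known."""
    if list(algs) == ["none"]:
        return ["none"]
    bad = [a for a in algs if a not in allowed]
    if bad or not algs:
        raise ValueError(f"invalid {what} list: {list(algs)}")
    return list(dict.fromkeys(algs))   # keep configured order, drop duplicates


@dataclass
class VpnDomain:
    """One 'vam server vpn' domain's protocol packet security settings."""
    name: str
    auth: List[str] = field(default_factory=lambda: list(DEFAULT_AUTH))
    enc: List[str] = field(default_factory=lambda: list(DEFAULT_ENC))

    def authentication_algorithm(self, *algs: str) -> None:
        """authentication-algorithm { none | { md5 | sha-1 } * }; order sets priority."""
        self.auth = _validate(algs, AUTH_ALGS, "authentication")

    def encryption_algorithm(self, *algs: str) -> None:
        """encryption-algorithm { { 3des | aes-256 | aes-128 | des } * | none }."""
        self.enc = _validate(algs, ENC_ALGS, "encryption")

    def initialize(self, client_auth: Sequence[str], client_enc: Sequence[str]) -> dict:
        """Outcome of a client's connection request against this domain's lists.
        The request and response themselves are always protected with SHA-1 and
        AES-128 per the guide; this decides what protects the packets that follow."""
        auth = negotiate(self.auth, client_auth)
        enc = negotiate(self.enc, client_enc)
        return {
            "ok": auth is not None and enc is not None,
            "auth": auth,
            "enc": enc,
            # picks a reviewer would flag: weak algorithms or no protection at all
            "weak": sorted(a for a in (auth, enc) if a in WEAK),
        }


if __name__ == "__main__":
    dom = VpnDomain("vpn1")                          # the guide's defaults
    print(dom.initialize(["sha-1", "md5"], ["des", "aes-128"]))
    dom.encryption_algorithm("aes-128", "3des")      # the guide's example: AES-128 before 3DES
    print(dom.initialize(["sha-1"], ["3des", "aes-256"]))   # only 3DES is common, so 3DES wins
    dom.encryption_algorithm("aes-256", "aes-128")   # constructed hardened list: no DES/3DES
    print(dom.initialize(["sha-1"], ["3des"]))       # fails instead of falling back to 3DES
```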
Specifying the client authentication mode
A VAM server supports only PAP and CHAP authentication.
To configure the client authentication mode:
294. Enter system view.
    Command: system-view
    Remarks: N/A
295. Enter VPN domain view.
    Command: vam server vpn vpn-name
    Remarks: N/A
296. Specify the client authentication mode.
    Command: authentication-method { none | { chap | pap } [ domain name-string ] }
    Remarks: Optional. By default, a VAM server performs CHAP authentication of clients, using the default domain configured for the system.
Specifying a hub
On a server, you can configure a hub by specifying its private IP address and public IP address. In a VPN
domain, you can configure up to two hubs, and the total number of spokes and hubs can be 5000 at
most.
The public IP address is optional. When a hub registers, the VAM server gets the public address of the hub and then sends the public-private address mapping to other clients.
If you specify both the private and public addresses of a hub on the server, the server considers a client
a valid hub only when both the public and private addresses that the client registers with the server match
those specified on the server.
To specify a hub:
297. Enter system view.
    Command: system-view
    Remarks: N/A
298. Enter VPN domain view.
    Command: vam server vpn vpn-name
    Remarks: N/A
299. Specify the private IP address and public IP address of a hub.
    Command: hub private-ip private-ip-address [ public-ip public-ip-address ]
    Remarks: No hub is specified by default.
Configuring the pre-shared key of the VAM server
The pre-shared key is used to generate the keys for securing the channels between the server and a client.
In the connection initialization process, the pre-shared key is used to generate the initial key for validating and encrypting connection requests and connection responses. If encryption and authentication are needed for subsequent packets, the pre-shared key is also used to generate the connection key for validating and encrypting the subsequent packets.
To configure the pre-shared key of the VAM server:
300. Enter system view.
    Command: system-view
    Remarks: N/A
301. Enter VPN domain view.
    Command: vam server vpn vpn-name
    Remarks: N/A
302. Configure the pre-shared key of the VAM server.
    Command: pre-shared-key { cipher | simple } key-string
    Remarks: No pre-shared key exists by default.
Configuring keepalive parameters
A client sends keepalive packets to the server periodically, and the server sends responses back to prove
its existence. If a server receives no keepalive packets from a client within a specific period (which equals
the product of the keepalive interval and the maximum number of transmission attempts), the server
removes information about the client and logs off the client.
You can set the interval at which a client sends keepalive packets and the maximum number of
transmission attempts. After a client registers with the server, the server sends these settings to the client
through its response packet.
To configure keepalive parameters:
303. Enter system view.
    Command: system-view
    Remarks: N/A
304. Enter VPN domain view.
    Command: vam server vpn vpn-name
    Remarks: N/A
305. Set the keepalive interval.
    Command: keepalive interval time-interval
    Remarks: Optional. 180 seconds by default.
306. Set the maximum number of transmission attempts.
    Command: keepalive retry retry-times
    Remarks: Optional. 3 by default.
NOTE:
Your keepalive settings only apply to the clients registered after the configuration. The clients registered
before that continue to use the old settings.
Configuring a VAM client
Complete the following tasks to configure a VAM client:
Creating a VAM client: Required.
Setting the VAM protocol packet retransmission interval: Optional.
Specifying the primary VAM server: Required. Specify a primary VAM server, a secondary VAM server, or both.
Specifying the secondary VAM server: Required. Specify a primary VAM server, a secondary VAM server, or both.
Configuring the username and password: Optional.
Specifying the VPN domain of the VAM client: Required.
Specifying the pre-shared key of the VAM client: Required.
Enabling VAM client: Required.
Creating a VAM client
307. Enter system view.
    Command: system-view
    Remarks: N/A
308. Create a VAM client and enter its view.
    Command: vam client name client-name
    Remarks: No client is created by default.
Setting the VAM protocol packet retransmission interval
If a client sends a VAM protocol packet to the server but receives no response in a specific period of time,
it retransmits the packet. A VAM protocol packet can be a connection request, negotiation
acknowledgement, registration request, or authentication request.
The maximum number of attempts to retransmit a VAM protocol packet is always 3. You cannot change
this value.
To set the interval for retransmitting a VAM protocol packet:
309. Enter system view.
    Command: system-view
    Remarks: N/A
310. Enter VAM client view.
    Command: vam client name client-name
    Remarks: N/A
311. Set the VAM protocol packet retransmission interval.
    Command: resend interval time-interval
    Remarks: Optional. 5 seconds by default.
Specifying the primary VAM server
312. Enter system view.
    Command: system-view
    Remarks: N/A
313. Enter VAM client view.
    Command: vam client name client-name
    Remarks: N/A
314. Specify the primary VAM server.
    Command: server primary ip-address ip-address [ port port-number ]
    Remarks: Not specified by default.
Specifying the secondary VAM server
315. Enter system view.
    Command: system-view
    Remarks: N/A
316. Enter VAM client view.
    Command: vam client name client-name
    Remarks: N/A
317. Specify the secondary VAM server.
    Command: server secondary ip-address ip-address [ port port-number ]
    Remarks: Not specified by default.
Configuring the username and password
A client needs a username and a password to be authenticated by the server. You can configure the
username and password for a client by creating a local user. Only one local user can be configured for
a VAM client.
To configure a username and password for a VAM client:
318. Enter system view.
    Command: system-view
    Remarks: N/A
319. Enter VAM client view.
    Command: vam client name client-name
    Remarks: N/A
320. Configure a username and password for the client.
    Command: user username password { cipher | simple } string
    Remarks: Not configured by default.
Specifying the VPN domain of the VAM client
321. Enter system view.
    Command: system-view
    Remarks: N/A
322. Enter VAM client view.
    Command: vam client name client-name
    Remarks: N/A
323. Specify the VPN domain of the VAM client.
    Command: vpn vpn-name
    Remarks: A VAM client does not belong to any VPN domain by default.
Specifying the pre-shared key of the VAM client
The pre-shared key is used to generate the keys for security of the channels between the server and a
client. In a VPN domain, all the VAM clients and the VAM server must be configured with the same
pre-shared key.
To specify the pre-shared key of the VAM client:
324. Enter system view.
    Command: system-view
    Remarks: N/A
325. Enter VAM client view.
    Command: vam client name client-name
    Remarks: N/A
326. Specify the pre-shared key of the VAM client.
    Command: pre-shared-key { cipher | simple } key-string
    Remarks: Not specified by default.
Enabling VAM client
327. Enter system view.
    Command: system-view
    Remarks: N/A
328. Enable VAM client.
    Command:
    • (Method 1) Enable VAM client for all VAM clients or a specific VAM client: vam client enable { all | name client-name }
    • (Method 2) Enable VAM client for a VAM client: a. vam client name client-name, then b. client enable
    Remarks: Use either method. Disabled by default.
Configuring an IPsec profile
An IPsec profile secures the transmission of data packets and control packets over a DVPN tunnel. It uses
the security protocol ESP, AH, or AH-ESP (ESP first, and then AH) and employs IKE for security policy
negotiation.
Configuration guidelines
• An IPsec profile depends on IKE for SA negotiation. An IPsec profile can reference up to six IPsec transform sets. IKE searches for IPsec transform sets that match at both ends during negotiation. If no match is found, SAs cannot be established and the packets requiring IPsec protection are discarded.
• When IKE uses a security policy to initiate a negotiation, if the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group. Otherwise, the negotiation fails.
• When an IPsec profile protects DVPN traffic, you can configure the IPsec transform sets referenced by the IPsec profile to use the ESP protocol, the AH protocol, or both.
• Because DVPN addresses are dynamic, the remote-address setting of the IKE peer that an IPsec profile references does not take effect on the initiator.
Configuration prerequisites
Before you configure an IPsec profile, complete the following tasks:
• Configure the IPsec transform sets for the IPsec profile to reference.
• Configure the IKE peer for the IPsec profile to reference.
For more information about IPsec and IKE, see Security Configuration Guide.
Configuration procedure
To configure an IPsec profile:
329. Enter system view.
     Command: system-view
     Remarks: N/A
330. Create an IPsec profile and enter IPsec profile view.
     Command: ipsec profile profile-name
     Remarks: By default, no IPsec profile is created.
331. Specify the IPsec transform sets for the IPsec profile to reference.
     Command: transform-set transform-set-name&<1-6>
     Remarks: By default, an IPsec profile references no IPsec transform set.
332. Specify the IKE peer for the IPsec profile to reference.
     Command: ike-peer peer-name
     Remarks: By default, an IPsec profile references no IKE peer.
333. Enable and configure perfect forward secrecy (PFS).
     Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
     Remarks: Optional. By default, PFS is not used for negotiation. For information about PFS, see Security Configuration Guide.
334. Configure the SA lifetime.
     Command: sa duration { time-based seconds | traffic-based kilobytes }
     Remarks: Optional. By default, an IPsec profile uses the global SA lifetime. For information about global SA lifetime, see Security Configuration Guide.
For more information about commands ipsec profile, transform-set, ike-peer, pfs, and sa duration, see
Security Command Reference.
Configuring DVPN tunnel parameters
Configuration guidelines
Follow these guidelines when you configure DVPN tunnel parameters:
• If you configure the source address of a tunnel interface by specifying the source interface, the tunnel takes the primary IP address of the source interface as its source address.
• To configure multiple DVPN tunnels that use GRE encapsulation, you must configure unique source addresses and source interfaces for these tunnels.
• Tunnel interfaces of the same VPN domain must be configured with private addresses in the same segment.
• Tunnel interfaces of the same VPN domain must be configured with the same DVPN keepalive interval and transmission attempt limit.
• A DVPN tunnel interface can reference only one IPsec profile. To change the IPsec profile referenced by a DVPN tunnel interface, you need to cancel the reference of the current IPsec profile and then apply a new IPsec profile to the tunnel interface.
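The tunnel guidelines above, together with the earlier rules that all VAM clients in a VPN domain share one pre-shared key and that both IKE ends must use the same PFS DH group, can be checked mechanically before a configuration is pushed. The Python lint below is an added example, not code from HP or from this guide; it parses only the commands this chapter uses, from constructed sample configurations, and assumes the keepalive defaults of 180 seconds and 3 attempts:

```python
"""Consistency lint for DVPN tunnel and VAM client settings across devices."""
import ipaddress
from collections import defaultdict

# Constructed sample configs (not from the guide). Spoke2 deviates from Hub1
# on several VPN 1 guidelines and binds one VAM client to two tunnels.
SAMPLE_CONFIGS = {
    "Hub1": """
vam client name dvpn1hub1
 vpn 1
 pre-shared-key simple 123
ipsec profile vamp
 pfs dh-group2
interface tunnel 1
 tunnel-protocol dvpn udp
 vam client dvpn1hub1
 ip address 10.0.1.1 255.255.255.0
 ipsec profile vamp
""",
    "Spoke2": """
vam client name dvpn1spoke2
 vpn 1
 pre-shared-key simple 124
ipsec profile vamp
 pfs dh-group5
interface tunnel 1
 tunnel-protocol dvpn udp
 vam client dvpn1spoke2
 ip address 10.0.11.4 255.255.255.0
 keepalive 60 3
 ipsec profile vamp
interface tunnel 2
 tunnel-protocol dvpn gre
 vam client dvpn1spoke2
 ip address 10.0.2.4 255.255.255.0
""",
}


def parse_device(text):
    """Return (clients, profiles, tunnels) parsed from one device's config."""
    clients, profiles, tunnels = {}, {}, {}
    kind = cur = None  # current view: "client", "profile" or "tunnel"
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["vam", "client", "name"]:
            kind, cur = "client", clients.setdefault(w[3], {"vpn": None, "psk": None})
        elif w[:2] == ["interface", "tunnel"]:
            kind, cur = "tunnel", tunnels.setdefault("Tunnel" + w[2], {
                "ip": None, "keepalive": (180, 3), "client": None, "profile": None})
        elif w[:2] == ["ipsec", "profile"] and kind != "tunnel":
            kind, cur = "profile", profiles.setdefault(w[2], {"pfs": None})
        elif kind == "tunnel":
            if w[:2] == ["ipsec", "profile"]:
                cur["profile"] = w[2]
            elif w[:2] == ["vam", "client"]:
                cur["client"] = w[2]
            elif w[:2] == ["ip", "address"]:
                cur["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif w[0] == "keepalive":  # defaults: 180 seconds, 3 attempts
                cur["keepalive"] = (int(w[1]) if len(w) > 1 else 180,
                                    int(w[2]) if len(w) > 2 else 3)
        elif kind == "client" and w[0] in ("vpn", "pre-shared-key"):
            cur["vpn" if w[0] == "vpn" else "psk"] = w[-1]
        elif kind == "profile" and w[0] == "pfs":
            cur["pfs"] = w[1]
    return clients, profiles, tunnels


def lint(configs):
    """Return guideline violations found across all device configs."""
    findings, members = [], defaultdict(list)  # vpn -> (dev, tunnel, psk, pfs)
    for dev, text in configs.items():
        clients, profiles, tunnels = parse_device(text)
        bound = defaultdict(list)
        for name, t in tunnels.items():
            client = clients.get(t["client"])
            if client is None:
                findings.append(f"{dev} {name}: no existing VAM client bound; "
                                "the tunnel interface cannot come up")
                continue
            bound[t["client"]].append(name)
            pfs = profiles.get(t["profile"], {}).get("pfs")
            members[client["vpn"]].append((dev, t, client["psk"], pfs))
        for cname, names in bound.items():
            if len(names) > 1:
                findings.append(f"{dev}: VAM client {cname} bound to {names}")
    for vpn, recs in sorted(members.items()):
        checks = {
            "pre-shared keys": {r[2] for r in recs},
            "private segments": {str(r[1]["ip"].network) for r in recs if r[1]["ip"]},
            "keepalive settings": {r[1]["keepalive"] for r in recs},
            "PFS DH groups": {r[3] for r in recs},
        }
        for what, values in checks.items():
            if len(values) > 1:
                findings.append(f"VPN {vpn}: {what} differ: {sorted(map(str, values))}")
    return findings
```

Running `lint(SAMPLE_CONFIGS)` reports the double binding on Spoke2 and the four VPN 1 mismatches (pre-shared key, segment, keepalive, DH group); Hub1 alone passes clean.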
Configuration prerequisites
IP addresses have been configured for the source interfaces (VLAN interfaces, Ethernet interfaces, or
Loopback interfaces) of the virtual tunnel interfaces and there are routes available between the
interfaces.
Configuration procedure
To configure a DVPN tunnel:
335. Enter system view.
     Command: system-view
     Remarks: N/A
336. Create a tunnel interface and enter its view.
     Command: interface tunnel number
     Remarks: No tunnel interface is created by default.
337. Configure a private IPv4 address for the tunnel interface.
     Command: ip address ip-address { mask | mask-length } [ sub ]
     Remarks: A tunnel interface has no private IPv4 address configured by default.
338. Configure the tunnel mode as DVPN, and specify the encapsulation mode of the DVPN tunnel.
     Command: tunnel-protocol dvpn { gre | udp }
     Remarks: The two ends of a tunnel must operate in the same tunnel mode.
339. Specify the source address or interface of the tunnel interface.
     Command: source { ip-address | interface-type interface-number }
     Remarks: The source IP address is the IP address of the physical interface that sends the DVPN packets. A tunnel interface has no source address or interface configured by default.
340. Bind a VAM client to the tunnel interface.
     Command: vam client client-name
     Remarks: A DVPN tunnel interface must be bound to a VAM client. Otherwise, the tunnel interface cannot come up. The client to be bound must exist and must not be bound to any other tunnel interface. No VAM client is bound to a DVPN tunnel interface by default.
341. Set the DVPN keepalive interval and transmission attempt limit.
     Command: keepalive [ seconds [ times ] ]
     Remarks: Optional. The defaults are as follows: DVPN keepalive interval, 180 seconds; transmission attempt limit, 3.
342. Set the idle timeout for the spoke-spoke tunnel.
     Command: dvpn session idle-time time-interval
     Remarks: Optional. By default, the idle timeout is 600 seconds.
343. Set the DVPN tunneling quiet period.
     Command: dvpn session dumb-time time-interval
     Remarks: Optional. By default, the quiet period is 120 seconds.
344. Specify the network type of the OSPF interface.
     Command: ospf network-type { broadcast | p2mp }
     Remarks: Required when OSPF is used. By default, no network type is specified. A DVPN tunnel can use only two types of OSPF interfaces: broadcast and P2MP.
345. Set the DR priority of the OSPF interface.
     Command: ospf dr-priority priority
     Remarks: Optional for a hub but required for a spoke, when OSPF is used. By default, the interface DR priority is 1. The DR priority of a hub should be higher than that of a spoke. HP recommends setting the DR priority of a spoke to 0 to keep the spoke from participating in DR/BDR election.
346. Bind an IPsec profile to the DVPN tunnel interface.
     Command: ipsec profile ipsec-profile-name
     Remarks: Optional. By default, no IPsec profile is bound to a DVPN tunnel interface. The IPsec profile to be bound must already exist.
347. Associate the tunnel interface with a VPN instance.
     Command: ip binding vpn-instance vpn-instance-name
     Remarks: Optional. By default, a tunnel interface is associated with no VPN instance. To isolate individual VPN domains, you need to configure multiple VPN instances to distinguish routes of private networks.
348. Specify the VPN to which the tunnel destination address belongs.
     Command: tunnel vpn-instance vpn-instance-name
     Remarks: Optional. By default, a tunnel's destination address belongs to the public network, and the device searches the public routing table to forward tunneled packets. If you use this command to specify the VPN to which the tunnel destination address belongs, the device searches the routing table of the specified VPN instance to forward tunneled packets. You can use the ip binding vpn-instance command on the tunnel's source interface to specify the VPN to which the tunnel source address belongs. The tunnel source address and the tunnel destination address must belong to the same VPN or both belong to the public network.
For more information about commands interface tunnel, tunnel-protocol, and source, see Layer 3—IP
Services Command Reference.
For information about command ipsec profile, see Security Command Reference.
For more information about the ospf network-type and ospf dr-priority commands, see Layer 3—IP
Routing Command Reference.
For more information about VPN instance configuration, see MPLS Configuration Guide.
Configuring routing
To establish private networks across the public network by using DVPN, you must perform routing
configuration for devices in the private networks. In private networks of this type, route-related operations
such as neighbor discovery, route updating, and routing table establishment are done over DVPN tunnels.
Routing information is exchanged between hubs or between hubs and spokes. It is not exchanged
between spokes.
The routing protocol can be OSPF or BGP in a DVPN network.
• When the routing protocol is OSPF, set the network type of an OSPF interface to broadcast in a full mesh network and P2MP in a hub-spoke network.
• When the routing protocol is BGP, configure IBGP between the hubs and spokes and configure the hubs as the route reflectors in a full mesh network. Configure EBGP between the hubs and spokes in a hub-spoke network.
For information about OSPF configuration on DVPN clients, and information about BGP, see Layer 3—IP
Routing Configuration Guide.
Displaying and maintaining DVPN
Task: Display address mapping information about VAM clients registered with the VAM server.
  Command: display vam server address-map { all | vpn vpn-name [ private-ip private-ip ] } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display statistics about VAM clients registered with the VAM server.
  Command: display vam server statistic { all | vpn vpn-name } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display registration information about VAM clients.
  Command: display vam client { address-map | fsm } [ client-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about DVPN tunnels.
  Command: display dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about a specific or all IPsec profiles.
  Command: display ipsec profile [ name profile-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Remove DVPN tunnels.
  Command: reset dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] }
  Remarks: Available in user view.
For information about command display ipsec profile, see Security Command Reference.
Full mesh DVPN configuration example
Network requirements
In the full mesh network shown in Figure 73, the primary VAM server and the secondary VAM server
manage and maintain information about the nodes. The AAA server takes charge of VAM client
authentication and accounting. With each being the backup of the other, the two hubs perform data
forwarding and routing information exchange.
Create a permanent tunnel between each hub-spoke pair.
Spokes in the same VPN exchange data through dynamically established tunnels between them.
Figure 73 Network diagram
(Diagram not reproduced. It shows Hub 1 and Hub 2 joined by a hub-to-hub static tunnel carrying VPN 1 and VPN 2; VPN 1 hub-to-spoke static tunnels to Spoke 1 and Spoke 2; VPN 2 hub-to-spoke static tunnels to Spoke 2 and Spoke 3; a spoke-to-spoke dynamic tunnel; Sites 1 through 4 behind the spokes; and the primary VAM server, secondary VAM server, and AAA server on the IP network. Each router reaches the IP network through Eth1/1 and uses Tunnel1 for VPN 1 and Tunnel2 for VPN 2, as listed below.)
Device            Interface   IP address
Hub 1             Eth1/1      192.168.1.1/24
                  Tunnel1     10.0.1.1/24
                  Tunnel2     10.0.2.1/24
Hub 2             Eth1/1      192.168.1.2/24
                  Tunnel1     10.0.1.2/24
                  Tunnel2     10.0.2.2/24
Spoke 1           Eth1/1      192.168.1.3/24
                  Eth1/2      10.0.3.1/24
                  Tunnel1     10.0.1.3/24
Spoke 2           Eth1/1      192.168.1.4/24
                  Eth1/2      10.0.4.1/24
                  Eth1/3      10.0.6.1/24
                  Tunnel1     10.0.1.4/24
                  Tunnel2     10.0.2.4/24
Spoke 3           Eth1/1      192.168.1.5/24
                  Eth1/2      10.0.5.1/24
                  Tunnel2     10.0.2.3/24
Primary server    Eth1/1      192.168.1.22/24
Secondary server  Eth1/1      192.168.1.33/24
AAA server        -           192.168.1.11/24
Configuration procedure
Configuring the primary VAM server
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:
<PrimaryServer> system-view
# Configure RADIUS scheme radsun.
[PrimaryServer] radius scheme radsun
[PrimaryServer-radius-radsun] primary authentication 192.168.1.11 1812
[PrimaryServer-radius-radsun] primary accounting 192.168.1.11 1813
[PrimaryServer-radius-radsun] key authentication expert
[PrimaryServer-radius-radsun] key accounting expert
[PrimaryServer-radius-radsun] server-type extended
[PrimaryServer-radius-radsun] user-name-format without-domain
[PrimaryServer-radius-radsun] quit
# Configure the AAA methods for the ISP domain domain1.
[PrimaryServer] domain domain1
[PrimaryServer-isp-domain1] authentication dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] authorization dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] accounting dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] quit
[PrimaryServer] domain default enable domain1
3. Configure the VAM server:
# Specify the listening address of the server.
[PrimaryServer] vam server ip-address 192.168.1.22
# Create VPN domain 1.
[PrimaryServer] vam server vpn 1
# Set the pre-shared key to 123.
[PrimaryServer-vam-server-vpn-1] pre-shared-key simple 123
# Set the VAM client authentication mode to CHAP.
[PrimaryServer-vam-server-vpn-1] authentication-method chap
# Specify the IP addresses of the hubs for VPN 1.
[PrimaryServer-vam-server-vpn-1] hub private-ip 10.0.1.1
[PrimaryServer-vam-server-vpn-1] hub private-ip 10.0.1.2
[PrimaryServer-vam-server-vpn-1] quit
# Create VPN domain 2.
[PrimaryServer] vam server vpn 2
# Set the pre-shared key to 456.
[PrimaryServer-vam-server-vpn-2] pre-shared-key simple 456
# Set the VAM client authentication mode to PAP.
[PrimaryServer-vam-server-vpn-2] authentication-method pap
# Specify the IP addresses of the hubs for VPN 2.
[PrimaryServer-vam-server-vpn-2] hub private-ip 10.0.2.1
[PrimaryServer-vam-server-vpn-2] hub private-ip 10.0.2.2
[PrimaryServer-vam-server-vpn-2] quit
# Enable VAM server for all VPNs.
[PrimaryServer] vam server enable all
Configuring the secondary VAM server
Except for the listening IP address configuration, the configurations for the secondary VAM server are the
same as those for the primary VAM server. (Details not shown.)
Configuring Hub 1
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM clients:
<Hub1> system-view
# Create a VAM client named dvpn1hub1 for VPN 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123
# Create a local user named dvpn1hub1, setting the password as dvpn1hub1.
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
# Create a VAM client named dvpn2hub1 for VPN 2.
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] vpn 2
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 456
# Create a local user named dvpn2hub1, setting the password as dvpn2hub1.
[Hub1-vam-client-name-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] client enable
[Hub1-vam-client-name-dvpn2hub1] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Hub1] ipsec transform-set vam
[Hub1-ipsec-transform-set-vam] encapsulation-mode tunnel
[Hub1-ipsec-transform-set-vam] transform esp
[Hub1-ipsec-transform-set-vam] esp encryption-algorithm des
[Hub1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] transform-set vam
[Hub1-ipsec-profile-vamp] ike-peer vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
4. Configure DVPN tunnels:
# Configure tunnel interface Tunnel1 for VPN 1. Tunnel 1 uses UDP for encapsulation.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
# Configure tunnel interface Tunnel2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Hub1] interface tunnel 2
[Hub1-Tunnel2] tunnel-protocol dvpn gre
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0
[Hub1-Tunnel2] source ethernet 1/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile vamp
[Hub1-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private networks.
[Hub1] ospf 200
[Hub1-ospf-200] area 0
[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255
[Hub1-ospf-200-area-0.0.0.0] quit
[Hub1] ospf 300
[Hub1-ospf-300] area 0
[Hub1-ospf-300-area-0.0.0.0] network 10.0.2.1 0.0.0.255
Configuring Hub 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM clients:
<Hub2> system-view
# Create a VAM client named dvpn1hub2 for VPN 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
# Create a local user named dvpn1hub2, setting the password as dvpn1hub2.
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] client enable
[Hub2-vam-client-name-dvpn1hub2] quit
# Create a VAM client named dvpn2hub2 for VPN 2.
[Hub2] vam client name dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] vpn 2
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn2hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 456
# Create a local user named dvpn2hub2, setting the password as dvpn2hub2.
[Hub2-vam-client-name-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] client enable
[Hub2-vam-client-name-dvpn2hub2] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Hub2] ipsec transform-set vam
[Hub2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Hub2-ipsec-transform-set-vam] transform esp
[Hub2-ipsec-transform-set-vam] esp encryption-algorithm des
[Hub2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Hub2] ike peer vam
[Hub2-ike-peer-vam] pre-shared-key abcde
[Hub2-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub2] ipsec profile vamp
[Hub2-ipsec-profile-vamp] transform-set vam
[Hub2-ipsec-profile-vamp] ike-peer vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
4. Configure the DVPN tunnels:
# Configure tunnel interface Tunnel1 for VPN 1. Tunnel 1 uses UDP for encapsulation.
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
# Configure tunnel interface Tunnel2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn gre
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.0
[Hub2-Tunnel2] source ethernet 1/1
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] ipsec profile vamp
[Hub2-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private networks.
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
[Hub2-ospf-200-area-0.0.0.0] quit
[Hub2] ospf 300
[Hub2-ospf-300] area 0
[Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255
Configuring Spoke 1
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
<Spoke1> system-view
# Create a VAM client named dvpn1spoke1 for VPN 1.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
# Create a local user named dvpn1spoke1, setting the password as dvpn1spoke1.
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Spoke1] ipsec transform-set vam
[Spoke1-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke1-ipsec-transform-set-vam] transform esp
[Spoke1-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
# Configure the IPsec profile.
[Spoke1] ipsec profile vamp
[Spoke1-ipsec-profile-vamp] transform-set vam
[Spoke1-ipsec-profile-vamp] ike-peer vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit
4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel1 for VPN 1. Tunnel 1 uses UDP for encapsulation.
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke1] ospf 200
[Spoke1-ospf-200] area 0
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255
Configuring Spoke 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
<Spoke2> system-view
# Create a VAM client named dvpn1spoke2 for VPN 1.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
# Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] client enable
[Spoke2-vam-client-name-dvpn1spoke2] quit
# Create a VAM client named dvpn2spoke2 for VPN 2.
[Spoke2] vam client name dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] vpn 2
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 456
# Create a local user named dvpn2spoke2, setting the password as dvpn2spoke2.
[Spoke2-vam-client-name-dvpn2spoke2] user dvpn2spoke2 password simple dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] client enable
[Spoke2-vam-client-name-dvpn2spoke2] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Spoke2] ipsec transform-set vam
[Spoke2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke2-ipsec-transform-set-vam] transform esp
[Spoke2-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke2] ike peer vam
[Spoke2-ike-peer-vam] pre-shared-key abcde
[Spoke2-ike-peer-vam] quit
# Configure the IPsec profile.
[Spoke2] ipsec profile vamp
[Spoke2-ipsec-profile-vamp] transform-set vam
[Spoke2-ipsec-profile-vamp] ike-peer vam
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit
4. Configure the DVPN tunnels:
# Configure tunnel interface Tunnel1 for VPN 1. Tunnel 1 uses UDP for encapsulation.
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
# Configure tunnel interface Tunnel2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn gre
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.0
[Spoke2-Tunnel2] source ethernet 1/1
[Spoke2-Tunnel2] ospf network-type broadcast
[Spoke2-Tunnel2] ospf dr-priority 0
[Spoke2-Tunnel2] ipsec profile vamp
[Spoke2-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private networks.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.4.1 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] quit
[Spoke2] ospf 300
[Spoke2-ospf-300] area 0
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.6.1 0.0.0.255
Configuring Spoke 3
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
<Spoke3> system-view
# Create a VAM client named dvpn2spoke3 for VPN 2.
[Spoke3] vam client name dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] vpn 2
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke3-vam-client-name-dvpn2spoke3] server primary ip-address 192.168.1.22
[Spoke3-vam-client-name-dvpn2spoke3] server secondary ip-address 192.168.1.33
[Spoke3-vam-client-name-dvpn2spoke3] pre-shared-key simple 456
# Create a local user named dvpn2spoke3, setting the password as dvpn2spoke3.
[Spoke3-vam-client-name-dvpn2spoke3] user dvpn2spoke3 password simple dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] client enable
[Spoke3-vam-client-name-dvpn2spoke3] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Spoke3] ipsec transform-set vam
[Spoke3-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke3-ipsec-transform-set-vam] transform esp
[Spoke3-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke3-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke3-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke3] ike peer vam
[Spoke3-ike-peer-vam] pre-shared-key abcde
[Spoke3-ike-peer-vam] quit
# Configure the IPsec profile.
[Spoke3] ipsec profile vamp
[Spoke3-ipsec-profile-vamp] transform-set vam
[Spoke3-ipsec-profile-vamp] ike-peer vam
[Spoke3-ipsec-profile-vamp] sa duration time-based 600
[Spoke3-ipsec-profile-vamp] pfs dh-group2
[Spoke3-ipsec-profile-vamp] quit
4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn gre
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile vamp
[Spoke3-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke3] ospf 100
[Spoke3-ospf-100] area 0
[Spoke3-ospf-100-area-0.0.0.0] network 192.168.1.5 0.0.0.255
[Spoke3-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke3] ospf 200
[Spoke3-ospf-200] area 0
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.2.3 0.0.0.255
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.5.1 0.0.0.255
Verifying the configuration
# Display the address mapping information of all VAM clients registered with the primary VAM server.
[PrimaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip       Public-ip        Type     Holding time
10.0.1.1         192.168.1.1      hub      0H 52M 7S
10.0.1.2         192.168.1.2      hub      0H 47M 31S
10.0.1.3         192.168.1.3      spoke    0H 28M 25S
10.0.1.4         192.168.1.4      spoke    0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip       Public-ip        Type     Holding time
10.0.2.1         192.168.1.1      hub      0H 51M 44S
10.0.2.2         192.168.1.2      hub      0H 46M 45S
10.0.2.3         192.168.1.5      spoke    0H 11M 25S
10.0.2.4         192.168.1.4      spoke    0H 18M 32S
# Display the address mapping information of all VAM clients registered with the secondary VAM server.
[SecondaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip       Public-ip        Type     Holding time
10.0.1.1         192.168.1.1      hub      0H 55M 3S
10.0.1.2         192.168.1.2      hub      0H 50M 30S
10.0.1.3         192.168.1.3      spoke    0H 31M 24S
10.0.1.4         192.168.1.4      spoke    0H 22M 15S
VPN name: 2
Total address-map number: 4
Private-ip       Public-ip        Type     Holding time
10.0.2.1         192.168.1.1      hub      0H 54M 43S
10.0.2.2         192.168.1.2      hub      0H 49M 44S
10.0.2.3         192.168.1.5      spoke    0H 14M 24S
10.0.2.4         192.168.1.4      spoke    0H 21M 32S
The above output indicates that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their
address mapping information with the VAM servers.
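Reading the roster off the screen is error-prone once a VPN has more than a handful of nodes. The following Python script is an added example that is not part of the guide: it parses `display vam server address-map all` output (using the column layout as printed above, which is an assumption about the device's exact spacing) and compares the registrations with the planned roster, so a node that has not registered, or an unplanned node that has, is reported explicitly:

```python
"""Audit 'display vam server address-map all' output against the planned roster."""
import re

# Constructed sample output (layout as reconstructed in this chapter; spacing on
# a real device may differ). Spoke 2 is absent from VPN 1, two spokes are absent
# from VPN 2, and an unplanned node has registered in VPN 2 as a hub.
SAMPLE_OUTPUT = """\
VPN name: 1
Total address-map number: 3
Private-ip      Public-ip       Type      Holding time
10.0.1.1        192.168.1.1     hub       0H 52M 7S
10.0.1.2        192.168.1.2     hub       0H 47M 31S
10.0.1.3        192.168.1.3     spoke     0H 28M 25S
VPN name: 2
Total address-map number: 3
Private-ip      Public-ip       Type      Holding time
10.0.2.1        192.168.1.1     hub       0H 51M 44S
10.0.2.2        192.168.1.2     hub       0H 46M 45S
10.0.2.9        192.168.1.99    hub       0H 0M 12S
"""

# Planned roster from the example: VPN -> private IP -> (public IP, node type).
EXPECTED = {
    "1": {"10.0.1.1": ("192.168.1.1", "hub"), "10.0.1.2": ("192.168.1.2", "hub"),
          "10.0.1.3": ("192.168.1.3", "spoke"), "10.0.1.4": ("192.168.1.4", "spoke")},
    "2": {"10.0.2.1": ("192.168.1.1", "hub"), "10.0.2.2": ("192.168.1.2", "hub"),
          "10.0.2.3": ("192.168.1.5", "spoke"), "10.0.2.4": ("192.168.1.4", "spoke")},
}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^{IPV4}\s+{IPV4}\s+(hub|spoke)\s+\S.*$")


def parse_address_map(text):
    """Return {vpn: {"count": int, "maps": {private_ip: (public_ip, type)}}}."""
    vpns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("VPN name:"):
            cur = vpns.setdefault(line.split(":", 1)[1].strip(), {"count": None, "maps": {}})
        elif line.startswith("Total address-map number:") and cur is not None:
            cur["count"] = int(line.rsplit(":", 1)[1])
        elif cur is not None and (m := ROW.match(line)):
            cur["maps"][m.group(1)] = (m.group(2), m.group(3))
    return vpns


def audit(vpns, expected):
    """Compare registrations with the roster; return human-readable findings."""
    findings = []
    for vpn in sorted(set(vpns) | set(expected)):
        entry = vpns.get(vpn, {"count": 0, "maps": {}})
        seen, want = entry["maps"], expected.get(vpn, {})
        # A header count that disagrees with the rows means truncated output.
        if entry["count"] is not None and entry["count"] != len(seen):
            findings.append(f"VPN {vpn}: header says {entry['count']} entries, parsed {len(seen)}")
        for priv in sorted(set(seen) | set(want)):
            if priv not in seen:
                findings.append(f"VPN {vpn}: {want[priv][1]} {priv} has not registered")
            elif priv not in want:
                findings.append(f"VPN {vpn}: unplanned {seen[priv][1]} {priv} registered from {seen[priv][0]}")
            elif seen[priv] != want[priv]:
                findings.append(f"VPN {vpn}: {priv} registered as {seen[priv]}, planned {want[priv]}")
    return findings
```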
# Display the DVPN tunnel information of Hub 1.
[Hub1] display dvpn session all
Interface: Tunnel1    VPN name: 1    Total number: 3
  Private IP: 10.0.1.2    Public IP: 192.168.1.2    Session type: hub-Hub
  State: SUCCESS    Holding time: 0h 1m 44s
  Input:  101 packets, 100 data packets, 87 multicasts, 1 control packets, 0 errors
  Output: 106 packets, 99 data packets, 87 multicasts, 7 control packets, 10 errors

  Private IP: 10.0.1.3    Public IP: 192.168.1.3    Session type: hub-spoke
  State: SUCCESS    Holding time: 0h 8m 7s
  Input:  164 packets, 163 data packets, 54 multicasts, 1 control packets, 0 errors
  Output: 77 packets, 76 data packets, 55 multicasts, 1 control packets, 0 errors

  Private IP: 10.0.1.4    Public IP: 192.168.1.4    Session type: hub-spoke
  State: SUCCESS    Holding time: 0h 27m 13s
  Input:  174 packets, 167 data packets, 160 multicasts, 7 control packets, 0 errors
  Output: 172 packets, 171 data packets, 165 multicasts, 1 control packets, 0 errors

Interface: Tunnel2    VPN name: 2    Total number: 3
  Private IP: 10.0.2.2    Public IP: 192.168.1.2    Session type: hub-Hub
  State: SUCCESS    Holding time: 0h 12m 10s
  Input:  183 packets, 182 data packets, 0 multicasts, 1 control packets, 0 errors
  Output: 186 packets, 185 data packets, 155 multicasts, 1 control packets, 0 errors

  Private IP: 10.0.2.4    Public IP: 192.168.1.4    Session type: hub-spoke
  State: SUCCESS    Holding time: 0h 26m 39s
  Input:  174 packets, 169 data packets, 162 multicasts, 5 control packets, 0 errors
  Output: 173 packets, 172 data packets, 167 multicasts, 1 control packets, 0 errors

  Private IP: 10.0.2.3    Public IP: 192.168.1.5    Session type: hub-spoke
  State: SUCCESS    Holding time: 0h 19m 30s
  Input:  130 packets, 127 data packets, 120 multicasts, 3 control packets, 0 errors
  Output: 127 packets, 126 data packets, 119 multicasts, 1 control packets, 0 errors
The output shows that:
• In VPN 1, Hub 1 has established a permanent tunnel with Hub 2, Spoke 1, and Spoke 2, respectively.
• In VPN 2, Hub 1 has established a permanent tunnel with Hub 2, Spoke 2, and Spoke 3, respectively.
The DVPN tunnel information of Hub 2 is similar to that of Hub 1.
# Display the DVPN tunnel information of Spoke 2.
[Spoke2] display dvpn session all
Interface: Tunnel1
VPN name: 1
Total number: 2
  Private IP: 10.0.1.1
  Public IP: 192.168.1.1
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 1h 1m 22s
  Input:  381 packets, 380 data packets, 1 control packets
          374 multicasts, 0 errors
  Output: 384 packets, 376 data packets, 8 control packets
          369 multicasts, 0 errors
  Private IP: 10.0.1.2
  Public IP: 192.168.1.2
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 0h 21m 53s
  Input:  251 packets, 249 data packets, 1 control packets
          230 multicasts, 0 errors
  Output: 252 packets, 240 data packets, 7 control packets
          224 multicasts, 0 errors
Interface: Tunnel2
VPN name: 2
Total number: 2
  Private IP: 10.0.2.1
  Public IP: 192.168.1.1
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 0h 2m 47s
  Input:  383 packets, 382 data packets, 1 control packets
          377 multicasts, 0 errors
  Output: 385 packets, 379 data packets, 6 control packets
          372 multicasts, 0 errors
  Private IP: 10.0.2.2
  Public IP: 192.168.1.2
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 0h 1m 50s
  Input:  242 packets, 241 data packets, 1 control packets
          231 multicasts, 0 errors
  Output: 251 packets, 241 data packets, 7 control packets
          225 multicasts, 0 errors
The output shows that Spoke 2 has established a permanent hub-spoke tunnel with Hub 1 and Hub 2
respectively in both VPN 1 and VPN 2.
The DVPN tunnel information of Spoke 1 and Spoke 3 is similar to that of Spoke 2.
# On Spoke 2, ping private address 10.0.5.1 of Spoke 3.
[Spoke2] ping 10.0.5.1
PING 10.0.5.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.5.1: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 10.0.5.1: bytes=56 Sequence=4 ttl=254 time=4 ms
Reply from 10.0.5.1: bytes=56 Sequence=5 ttl=254 time=4 ms
--- 10.0.5.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/5 ms
# Display the DVPN tunnel information of interface Tunnel 2 on Spoke 2.
[Spoke2] display dvpn session interface tunnel 2
Interface: Tunnel2
VPN name: 2
Total number: 3
  Private IP: 10.0.2.1
  Public IP: 192.168.1.1
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 1h 10m 0s
  Input:  451 packets, 450 data packets, 1 control packets
          435 multicasts, 0 errors
  Output: 453 packets, 447 data packets, 6 control packets
          430 multicasts, 0 errors
  Private IP: 10.0.2.2
  Public IP: 192.168.1.2
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 0h 1m 50s
  Input:  242 packets, 241 data packets, 1 control packets
          231 multicasts, 0 errors
  Output: 251 packets, 241 data packets, 7 control packets
          225 multicasts, 0 errors
  Private IP: 10.0.2.3
  Public IP: 192.168.1.5
  Session type: spoke-spoke
  State: SUCCESS
  Holding time: 0h 0m 0s
  Input:  1 packets, 0 data packets, 1 control packets
          0 multicasts, 0 errors
  Output: 1 packets, 0 data packets, 1 control packets
          0 multicasts, 0 errors
The output shows that a spoke-spoke tunnel has been established dynamically between Spoke 2 and
Spoke 3.
Hub-spoke DVPN configuration example
Network requirements
In the hub-spoke network shown in Figure 74, data is forwarded along hub-spoke tunnels. The primary
and secondary VAM servers manage and maintain information about the nodes. The AAA server performs
VAM client authentication and accounting. The two hubs, each backing up the other, forward data and
exchange routing information.
Create a permanent tunnel between each hub-spoke pair.
Figure 74 Network diagram
Device            Interface   IP address
Hub 1             Eth1/1      192.168.1.1/24
                  Tunnel1     10.0.1.1/24
Hub 2             Eth1/1      192.168.1.2/24
                  Tunnel1     10.0.1.2/24
Spoke 1           Eth1/1      192.168.1.3/24
                  Eth1/2      10.0.2.1/24
                  Tunnel1     10.0.1.3/24
Spoke 2           Eth1/1      192.168.1.4/24
                  Eth1/2      10.0.3.1/24
                  Tunnel1     10.0.1.4/24
Primary server    Eth1/1      192.168.1.22/24
Secondary server  Eth1/1      192.168.1.33/24
AAA server                    192.168.1.11/24
Configuration procedure
Configuring the primary VAM server
1.
Configure IP addresses for the interfaces. (Details not shown.)
2.
Configure AAA:
<PrimaryServer> system-view
# Configure RADIUS scheme radsun.
[PrimaryServer] radius scheme radsun
[PrimaryServer-radius-radsun] primary authentication 192.168.1.11 1812
[PrimaryServer-radius-radsun] primary accounting 192.168.1.11 1813
[PrimaryServer-radius-radsun] key authentication expert
[PrimaryServer-radius-radsun] key accounting expert
[PrimaryServer-radius-radsun] server-type extended
[PrimaryServer-radius-radsun] user-name-format without-domain
[PrimaryServer-radius-radsun] quit
# Configure the AAA methods for the ISP domain domain1.
[PrimaryServer] domain domain1
[PrimaryServer-isp-domain1] authentication dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] authorization dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] accounting dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] quit
[PrimaryServer] domain default enable domain1
3.
Configure the VAM server:
# Specify the listening address of the server.
[PrimaryServer] vam server ip-address 192.168.1.22
# Create VPN domain 1.
[PrimaryServer] vam server vpn 1
# Set the pre-shared key to 123.
[PrimaryServer-vam-server-vpn-1] pre-shared-key simple 123
# Set VAM client authentication mode to CHAP.
[PrimaryServer-vam-server-vpn-1] authentication-method chap
# Specify the IP addresses of the hubs for VPN 1.
[PrimaryServer-vam-server-vpn-1] hub private-ip 10.0.1.1
[PrimaryServer-vam-server-vpn-1] hub private-ip 10.0.1.2
[PrimaryServer-vam-server-vpn-1] quit
# Enable VAM server for all VPNs.
[PrimaryServer] vam server enable all
Configuring the secondary VAM server
Except for the listening IP address configuration, the configurations for the secondary VAM server are the
same as those for the primary VAM server. (Details not shown.)
Configuring Hub 1
1.
Configure IP addresses for the interfaces. (Details not shown.)
2.
Configure the VAM client:
<Hub1> system-view
# Create a VAM client named dvpn1hub1 for VPN 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123
# Create a local user named dvpn1hub1, setting the password as dvpn1hub1.
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
3.
Configure the IPsec profile:
# Configure the IPsec transform set.
[Hub1] ipsec transform-set vam
[Hub1-ipsec-transform-set-vam] encapsulation-mode tunnel
[Hub1-ipsec-transform-set-vam] transform esp
[Hub1-ipsec-transform-set-vam] esp encryption-algorithm des
[Hub1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] transform-set vam
[Hub1-ipsec-profile-vamp] ike-peer vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
4.
Configure DVPN tunnels:
# Configure tunnel interface Tunnel 1 for VPN 1.
To use UDP for tunnel encapsulation, perform the following configurations:
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
To use GRE for tunnel encapsulation, perform the following configurations:
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn gre
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
5.
Configure OSPF:
# Configure OSPF for the public network.
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Hub1] ospf 200
[Hub1-ospf-200] area 0
[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255
Configuring Hub 2
1.
Configure IP addresses for the interfaces. (Details not shown.)
2.
Configure the VAM client:
<Hub2> system-view
# Create a VAM client named dvpn1hub2 for VPN 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
# Create a local user named dvpn1hub2, setting the password as dvpn1hub2.
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] client enable
[Hub2-vam-client-name-dvpn1hub2] quit
3.
Configure the IPsec profile:
# Configure the IPsec transform set.
[Hub2] ipsec transform-set vam
[Hub2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Hub2-ipsec-transform-set-vam] transform esp
[Hub2-ipsec-transform-set-vam] esp encryption-algorithm des
[Hub2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Hub2] ike peer vam
[Hub2-ike-peer-vam] pre-shared-key abcde
[Hub2-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub2] ipsec profile vamp
[Hub2-ipsec-profile-vamp] transform-set vam
[Hub2-ipsec-profile-vamp] ike-peer vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
4.
Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1.
To use UDP for tunnel encapsulation, perform the following configurations:
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
To use GRE for tunnel encapsulation, perform the following configurations:
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn gre
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
5.
Configure OSPF:
# Configure OSPF for the public network.
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
Configuring Spoke 1
1.
Configure IP addresses for the interfaces. (Details not shown.)
2.
Configure the VAM client:
<Spoke1> system-view
# Create a VAM client named dvpn1spoke1 for VPN 1.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
# Create a local user named dvpn1spoke1, setting the password as dvpn1spoke1.
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit
3.
Configure the IPsec profile:
# Configure the IPsec transform set.
[Spoke1] ipsec transform-set vam
[Spoke1-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke1-ipsec-transform-set-vam] transform esp
[Spoke1-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
# Configure the IPsec profile.
[Spoke1] ipsec profile vamp
[Spoke1-ipsec-profile-vamp] transform-set vam
[Spoke1-ipsec-profile-vamp] ike-peer vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit
4.
Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1.
To use UDP for tunnel encapsulation, perform the following configurations:
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
To use GRE for tunnel encapsulation, perform the following configurations:
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn gre
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
5.
Configure OSPF:
# Configure OSPF for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke1] ospf 200
[Spoke1-ospf-200] area 0
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.2.1 0.0.0.255
Configuring Spoke 2
1.
Configure IP addresses for the interfaces. (Details not shown.)
2.
Configure the VAM client:
<Spoke2> system-view
# Create a VAM client named dvpn1spoke2 for VPN 1.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
# Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] client enable
[Spoke2-vam-client-name-dvpn1spoke2] quit
3.
Configure the IPsec profile:
# Configure the IPsec transform set.
[Spoke2] ipsec transform-set vam
[Spoke2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke2-ipsec-transform-set-vam] transform esp
[Spoke2-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke2] ike peer vam
[Spoke2-ike-peer-vam] pre-shared-key abcde
[Spoke2-ike-peer-vam] quit
# Configure the IPsec profile.
[Spoke2] ipsec profile vamp
[Spoke2-ipsec-profile-vamp] transform-set vam
[Spoke2-ipsec-profile-vamp] ike-peer vam
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit
4.
Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1.
To use UDP for tunnel encapsulation, perform the following configurations:
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
To use GRE for tunnel encapsulation, perform the following configurations:
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn gre
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
5.
Configure OSPF:
# Configure OSPF for the public network.
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255
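The following Python script is an added example, not part of this guide or of the Comware software: it scans a configuration transcript like the one above for settings that weaken the DVPN deployment (plaintext "simple" keys and passwords, short pre-shared keys, single DES for ESP, DH group 2 for PFS). The transcript excerpt, the severity labels and the 16-character key length threshold are constructed for the example.

```python
import re

# Constructed excerpt of the Hub 1 transcript from the procedure above. The
# audit looks only at "[prompt] command" lines, so "<Hub1> system-view" and
# "# ..." comment lines are ignored.
SAMPLE_TRANSCRIPT = """\
<Hub1> system-view
# Create a VAM client named dvpn1hub1 for VPN 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1] ipsec transform-set vam
[Hub1-ipsec-transform-set-vam] esp encryption-algorithm des
[Hub1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
"""

CONFIG_LINE = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s+(?P<cmd>\S.*?)\s*$")


def parse_transcript(text):
    """Yield (prompt, command) for every '[prompt] command' line."""
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m:
            yield m.group("prompt"), m.group("cmd")


def audit_dvpn_config(text, min_key_len=16):
    """Return (severity, prompt, message) findings for weak settings.

    Rules (thresholds are assumptions for this example, not from the guide):
      - 'simple' keys and passwords are stored and shown in plaintext;
      - pre-shared keys shorter than min_key_len characters are guessable;
      - single DES for ESP is a 56-bit cipher;
      - DH group 2 for PFS is the 1024-bit MODP group.
    """
    findings = []
    for prompt, cmd in parse_transcript(text):
        words = cmd.split()
        if words[0] == "pre-shared-key":
            key = words[-1]
            if "simple" in words:
                findings.append(("medium", prompt,
                                 "pre-shared key stored as plaintext (simple)"))
            if len(key) < min_key_len:
                findings.append(("high", prompt,
                                 f"pre-shared key {key!r} is shorter than "
                                 f"{min_key_len} characters"))
        elif words[0] == "user" and "password" in words:
            if "simple" in words:
                findings.append(("medium", prompt,
                                 "VAM client password stored as plaintext (simple)"))
            if words[1] == words[-1]:
                findings.append(("high", prompt,
                                 f"password equals user name {words[1]!r}"))
        elif cmd.startswith("esp encryption-algorithm") and words[-1] == "des":
            findings.append(("high", prompt, "ESP uses single DES (56-bit key)"))
        elif cmd.startswith("pfs") and words[-1] == "dh-group2":
            findings.append(("low", prompt, "PFS uses DH group 2 (1024-bit MODP)"))
    return findings


if __name__ == "__main__":
    for severity, prompt, message in audit_dvpn_config(SAMPLE_TRANSCRIPT):
        print(f"{severity:6} [{prompt}] {message}")
```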
Verifying the configuration
# Display the address mapping information of all VAM clients registered with the primary VAM server.
[PrimaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.1.1        192.168.1.1     hub     0H 7M 35S
10.0.1.2        192.168.1.2     hub     0H 13M 8S
10.0.1.3        192.168.1.3     spoke   0H 3M 58S
10.0.1.4        192.168.1.4     spoke   0H 0M 29S
# Display the address mapping information of all VAM clients registered with the secondary VAM server.
[SecondaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.1.1        192.168.1.1     hub     0H 8M 46S
10.0.1.2        192.168.1.2     hub     0H 14M 58S
10.0.1.3        192.168.1.3     spoke   0H 5M 9S
10.0.1.4        192.168.1.4     spoke   0H 1M 40S
The output shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 all have registered their address mapping
information with the VAM servers.
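The registration check above can be automated. The following Python script is an added example, not part of this guide: it parses the address-map output of both VAM servers (column layout as shown above, pasted in as constructed text), confirms that each server lists as many entries as its header announces, that the two servers agree on every client, and that the hubs configured with the hub private-ip command registered as type hub. The output excerpts and the hub list are constructed from this example's configuration.

```python
import re

# Constructed copies of the "display vam server address-map all" output above.
PRIMARY_OUTPUT = """\
VPN name: 1
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.1.1        192.168.1.1     hub     0H 7M 35S
10.0.1.2        192.168.1.2     hub     0H 13M 8S
10.0.1.3        192.168.1.3     spoke   0H 3M 58S
10.0.1.4        192.168.1.4     spoke   0H 0M 29S
"""

SECONDARY_OUTPUT = """\
VPN name: 1
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.1.1        192.168.1.1     hub     0H 8M 46S
10.0.1.2        192.168.1.2     hub     0H 14M 58S
10.0.1.3        192.168.1.3     spoke   0H 5M 9S
10.0.1.4        192.168.1.4     spoke   0H 1M 40S
"""

# One address-map row: private IP, public IP, type, holding time "xH yM zS".
ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                      r"(hub|spoke)\s+(\d+)H\s+(\d+)M\s+(\d+)S\s*$")


def parse_address_map(output):
    """Return {vpn: {private_ip: (public_ip, type, holding_seconds)}}.

    Raises ValueError when a VPN's 'Total address-map number' does not match
    the rows actually present (a truncated or partially copied output).
    """
    maps, expected, vpn = {}, {}, None
    for line in output.splitlines():
        if line.startswith("VPN name:"):
            vpn = line.split(":", 1)[1].strip()
            maps[vpn] = {}
        elif line.startswith("Total address-map number:"):
            expected[vpn] = int(line.split(":", 1)[1])
        else:
            m = ENTRY_RE.match(line)
            if m and vpn is not None:
                h, mi, s = (int(x) for x in m.group(4, 5, 6))
                maps[vpn][m.group(1)] = (m.group(2), m.group(3), h * 3600 + mi * 60 + s)
    for vpn, count in expected.items():
        if len(maps[vpn]) != count:
            raise ValueError(f"VPN {vpn}: header says {count} entries, parsed {len(maps[vpn])}")
    return maps


def check_registration(primary_output, secondary_output, hubs):
    """Return a list of problem strings (empty means both servers agree).

    hubs maps a VPN name to the private IPs configured with 'hub private-ip'.
    """
    problems = []
    primary = parse_address_map(primary_output)
    secondary = parse_address_map(secondary_output)
    for vpn in sorted(set(primary) | set(secondary)):
        p, s = primary.get(vpn, {}), secondary.get(vpn, {})
        for ip in sorted(set(p) | set(s)):
            if ip not in p or ip not in s:
                problems.append(f"VPN {vpn}: {ip} is registered on only one server")
            elif p[ip][:2] != s[ip][:2]:
                problems.append(f"VPN {vpn}: {ip} differs between servers: "
                                f"{p[ip][:2]} vs {s[ip][:2]}")
        for hub in hubs.get(vpn, []):
            if p.get(hub, ("", ""))[1] != "hub":
                problems.append(f"VPN {vpn}: configured hub {hub} is not registered as hub")
    return problems


if __name__ == "__main__":
    print(check_registration(PRIMARY_OUTPUT, SECONDARY_OUTPUT, {"1": ["10.0.1.1", "10.0.1.2"]}))
```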
# Display the DVPN tunnel information of Hub 1.
[Hub1] display dvpn session all
Interface: Tunnel1
VPN name: 1
Total number: 3
  Private IP: 10.0.1.2
  Public IP: 192.168.1.2
  Session type: hub-Hub
  State: SUCCESS
  Holding time: 0h 1m 44s
  Input:  101 packets, 100 data packets, 1 control packets
          87 multicasts, 0 errors
  Output: 106 packets, 99 data packets, 7 control packets
          87 multicasts, 10 errors
  Private IP: 10.0.1.3
  Public IP: 192.168.1.3
  Session type: hub-spoke
  State: SUCCESS
  Holding time: 0h 4m 32s
  Input:  36 packets, 18 data packets, 18 control packets
          10 multicasts, 0 errors
  Output: 35 packets, 17 data packets, 18 control packets
          11 multicasts, 0 errors
  Private IP: 10.0.1.4
  Public IP: 192.168.1.4
  Session type: hub-spoke
  State: SUCCESS
  Holding time: 0h 3m 15s
  Input:  20 packets, 0 data packets, 20 control packets
          0 multicasts, 0 errors
  Output: 20 packets, 6 data packets, 14 control packets
          6 multicasts, 0 errors
The output shows that in VPN 1, Hub 1 has established a permanent tunnel with Hub 2, Spoke 1, and
Spoke 2, respectively. The DVPN tunnel information of Hub 2 is similar to that of Hub 1.
# Display the DVPN tunnel information of Spoke 1.
[Spoke1] display dvpn session all
Interface: Tunnel1
VPN name: 1
Total number: 2
  Private IP: 10.0.1.1
  Public IP: 192.168.1.1
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 1h 1m 22s
  Input:  381 packets, 380 data packets, 1 control packets
          374 multicasts, 0 errors
  Output: 384 packets, 376 data packets, 8 control packets
          369 multicasts, 0 errors
  Private IP: 10.0.1.2
  Public IP: 192.168.1.2
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 0h 21m 53s
  Input:  251 packets, 249 data packets, 1 control packets
          230 multicasts, 0 errors
  Output: 252 packets, 240 data packets, 7 control packets
          224 multicasts, 0 errors
The output shows that in VPN 1, Spoke 1 has established a permanent hub-spoke tunnel with Hub 1 and
Hub 2, respectively. The DVPN tunnel information of Spoke 2 is similar to that of Spoke 1.
# On Spoke 1, ping private address 10.0.3.1 of Spoke 2.
[Spoke1] ping 10.0.3.1
PING 10.0.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 10.0.3.1: bytes=56 Sequence=2 ttl=254 time=54 ms
Reply from 10.0.3.1: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 10.0.3.1: bytes=56 Sequence=4 ttl=254 time=6 ms
Reply from 10.0.3.1: bytes=56 Sequence=5 ttl=254 time=37 ms
--- 10.0.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/21/54 ms
# Display the DVPN tunnel information of Spoke 1.
[Spoke1] display dvpn session all
Interface: Tunnel2
VPN name: 2
Total number: 2
  Private IP: 10.0.2.1
  Public IP: 192.168.1.1
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 1h 10m 0s
  Input:  451 packets, 450 data packets, 1 control packets
          435 multicasts, 0 errors
  Output: 453 packets, 447 data packets, 6 control packets
          430 multicasts, 0 errors
  Private IP: 10.0.2.2
  Public IP: 192.168.1.2
  Session type: spoke-Hub
  State: SUCCESS
  Holding time: 0h 1m 50s
  Input:  242 packets, 241 data packets, 1 control packets
          231 multicasts, 0 errors
  Output: 251 packets, 241 data packets, 7 control packets
          225 multicasts, 0 errors
The output shows that Spoke 1 and Spoke 2 have no dynamic spoke-spoke tunnel established between
them, and they exchange data through the hub.
Configuring tunneling
Overview
Tunneling is an encapsulation technology. One network protocol encapsulates packets of another
network protocol and transfers them over a virtual point-to-point connection. The virtual connection is
called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel
destination end. Tunneling refers to the whole process from data encapsulation to data transfer to data
de-encapsulation.
Tunneling supports the following technologies:
• Transition techniques, such as IPv6 over IPv4 tunneling, to interconnect IPv4 and IPv6 networks.
• Virtual Private Network (VPN) such as IPv4 over IPv4 tunneling, IPv4/IPv6 over IPv6 tunneling,
  Generic Routing Encapsulation (GRE), Dynamic Virtual Private Network (DVPN), and IPsec
  tunneling.
• Traffic engineering, such as Multiprotocol Label Switching traffic engineering (MPLS TE) to prevent
  network congestion.
Unless otherwise specified, the term tunnel in this document refers to IPv6 over IPv4, IPv4 over IPv4, IPv4
over IPv6, and IPv6 over IPv6 tunnels.
For more information about GRE, see "Configuring GRE."
For more information about DVPN, see "Configuring DVPN."
For more information about IPsec, see Security Configuration Guide.
For more information about MPLS TE, see MPLS Configuration Guide.
IPv6 over IPv4 tunneling
Implementation
IPv6 over IPv4 tunneling adds an IPv4 header to IPv6 packets so that IPv6 packets can pass an IPv4
network through a tunnel to realize interworking between isolated IPv6 networks, as shown in Figure 75.
The devices at the ends of an IPv6 over IPv4 tunnel must support the IPv4/IPv6 dual stack.
Figure 75 IPv6 over IPv4 tunnel
The IPv6 over IPv4 tunnel processes packets as follows:
1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.
2. After determining according to the routing table that the packet needs to be forwarded through the
   tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the
   physical interface of the tunnel. In the IPv4 header, the source IPv4 address is the IPv4 address of
   the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination.
3. Upon receiving the packet, Device B de-encapsulates the packet.
4. If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer
   protocol for processing. If not, Device B forwards it according to the routing table.
Tunnel types
IPv6 over IPv4 tunnels include manually configured tunnels and automatic tunnels, depending on how
the IPv4 address of the tunnel destination is acquired.
• Manually configured tunnel—The destination IPv4 address of the tunnel cannot be automatically
  acquired from the destination IPv6 address of an IPv6 packet at the tunnel source, and must be
  manually configured.
• Automatic tunnel—The destination IPv4 address of the tunnel can be automatically acquired from
  the destination IPv6 address (with an IPv4 address embedded) of an IPv6 packet at the tunnel
  source.
According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are divided into the
following modes.
Table 7 IPv6 over IPv4 tunnel modes and key parameters
Tunnel type: Manually configured tunnel
  Tunnel mode: IPv6 manual tunneling
  Tunnel source/destination address: The source and destination IPv4 addresses are manually configured.
  Tunnel interface address type: IPv6 address
Tunnel type: Automatic tunnel
  Tunnel mode: IPv4-compatible IPv6 tunneling
  Tunnel source/destination address: The source IPv4 address is manually configured. The destination
  IPv6 address is automatically obtained.
  Tunnel interface address type: IPv4-compatible IPv6 address, in the format of ::IPv4-source-address/96
Tunnel type: Automatic tunnel
  Tunnel mode: 6to4 tunneling
  Tunnel source/destination address: The source IPv4 address is manually configured. The destination
  IPv4 address is automatically obtained.
  Tunnel interface address type: 6to4 address, in the format of 2002:IPv4-source-address::/48
Tunnel type: Automatic tunnel
  Tunnel mode: Intra-site automatic tunnel addressing protocol (ISATAP) tunneling
  Tunnel source/destination address: The source IPv4 address is manually configured. The destination
  IP address is automatically obtained.
  Tunnel interface address type: ISATAP address, in the format of Prefix:0:5EFE:IPv4-source-address/64
1. IPv6 over IPv4 manual tunneling
   An IPv6 over IPv4 manual tunnel is a point-to-point link and its source and destination IPv4
   addresses are manually configured. You can establish an IPv6 over IPv4 manual tunnel to connect
   isolated IPv6 networks over an IPv4 network, or connect an IPv6 network to an IPv4/IPv6
   dual-stack host over an IPv4 network.
2. Automatic IPv4-compatible IPv6 tunneling
   An automatic IPv4-compatible IPv6 tunnel is a point-to-multipoint link. Both ends of the tunnel use
   IPv4-compatible IPv6 addresses. The address format is 0:0:0:0:0:0:a.b.c.d/96, where a.b.c.d is
   the IPv4 address of the tunnel destination. This mechanism simplifies tunnel establishment.
   Automatic IPv4-compatible IPv6 tunnels have limitations because IPv4-compatible IPv6 addresses
   must use globally unique IPv4 addresses.
3. 6to4 tunneling
   ○ Ordinary 6to4 tunneling
     A 6to4 tunnel is a point-to-multipoint automatic tunnel. It is used to connect multiple isolated
     IPv6 networks over an IPv4 network. The destination IPv4 address of a 6to4 tunnel is
     embedded in the destination 6to4 addresses of packets. This mechanism enables the device to
     automatically get the tunnel destination address, simplifying tunnel establishment.
     The 6to4 address format is 2002:abcd:efgh:subnet number::interface ID/64, where 2002 is
     the fixed IPv6 address prefix, and abcd:efgh represents a 32-bit globally unique IPv4 address
     in hexadecimal notation. For example, 1.1.1.1 can be represented by 0101:0101. The IPv4
     address identifies a 6to4 network (an IPv6 network where all hosts use 6to4 addresses). The
     border router of a 6to4 network must have the IPv4 address abcd:efgh configured on the
     interface connected to the IPv4 network. The subnet number identifies a subnet in the 6to4
     network. The subnet number::interface ID uniquely identifies a host in the 6to4 network.
     6to4 tunneling uses an IPv4 address to identify a 6to4 network. This method overcomes the
     limitations of automatic IPv4-compatible IPv6 tunneling.
   ○ 6to4 relay
     A 6to4 tunnel is only used to connect 6to4 networks using IP prefix 2002::/16. IPv6 network
     addresses such as 2001::/16 might also be used in IPv6 networks. To connect a 6to4 network
     to an IPv6 network, a 6to4 router must be used as a gateway to forward packets to the IPv6
     network. Such a router is called a 6to4 relay router.
     As shown in Figure 76, 6to4 network Site 1 communicates with IPv6 network Site 3 over a
     6to4 tunnel. A static route must be configured on the border router (Device A) in the 6to4
     network and the next-hop address must be the 6to4 address of the 6to4 relay router (Device C).
     Device A forwards all packets destined for the IPv6 network over the 6to4 tunnel and Device
     C then forwards them to the IPv6 network.
     Figure 76 Principle of 6to4 tunneling and 6to4 relay
4. ISATAP tunneling
   An ISATAP tunnel is a point-to-point automatic tunnel. It provides a solution to connect an IPv6 host
   to an IPv6 network over an IPv4 network.
   The destination addresses of IPv6 packets and the IPv6 addresses of tunnel interfaces are all
   ISATAP addresses. The ISATAP address format is prefix(64bit):0:5EFE:ip-address. The 64-bit
   prefix is a valid IPv6 unicast address prefix, ip-address is a 32-bit IPv4 address in the format of
   abcd or abcd:efgh, which identifies the tunnel destination and does not need to be globally
   unique.
   ISATAP tunnels are mainly used for communication between IPv6 routers or between an IPv6 host
   and an IPv6 router over an IPv4 network.
Figure 77 Principle of ISATAP tunneling
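The address formats in Table 7 and the list above, worked through in Python as an added example that is not part of this guide: each function derives the tunnel interface address of one automatic tunnel mode from an IPv4 address, and tunnel_destination recovers the embedded IPv4 tunnel destination from a packet's IPv6 destination address, which is what lets the tunnel source find its peer without manual configuration. The globally unique check for IPv4-compatible and 6to4 addresses follows the limitation stated above; the sample addresses (1.1.1.1 from the text, a 2001:db8 prefix and 10.1.1.2) are constructed.

```python
import ipaddress


def _global_ipv4(ipv4):
    """IPv4-compatible and 6to4 addresses embed a globally unique IPv4 address,
    so private and reserved addresses are rejected."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{v4} is not a globally unique IPv4 address")
    return int(v4)


def ipv4_compatible_address(ipv4):
    """::a.b.c.d, the IPv4-compatible IPv6 address (0:0:0:0:0:0:a.b.c.d/96)."""
    return ipaddress.IPv6Address(_global_ipv4(ipv4))


def sixto4_prefix(ipv4):
    """2002:abcd:efgh::/48, the prefix of the 6to4 network behind `ipv4`."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (_global_ipv4(ipv4) << 80), 48))


def sixto4_address(ipv4, subnet=0, interface_id=1):
    """2002:abcd:efgh:subnet::interface-id, one host inside the 6to4 network."""
    if not 0 <= subnet < 2 ** 16 or not 0 <= interface_id < 2 ** 64:
        raise ValueError("subnet number is 16 bits, interface ID is 64 bits")
    base = int(sixto4_prefix(ipv4).network_address)
    return ipaddress.IPv6Address(base | (subnet << 64) | interface_id)


def isatap_address(prefix, ipv4):
    """prefix:0:5EFE:a.b.c.d; here the IPv4 address need not be globally unique."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP address needs a 64-bit prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4)


def tunnel_destination(ipv6_dst, mode):
    """Recover the IPv4 tunnel destination embedded in an IPv6 destination address.

    Returns an IPv4Address, or None if the address does not fit the tunnel mode
    (such a packet cannot be forwarded through that automatic tunnel).
    """
    a = int(ipaddress.IPv6Address(ipv6_dst))
    if mode == "ipv4-compatible":
        # upper 96 bits must be zero, IPv4 address is the low 32 bits
        return ipaddress.IPv4Address(a & 0xFFFFFFFF) if a >> 32 == 0 else None
    if mode == "6to4":
        # 2002:abcd:efgh::/48 - IPv4 address sits in bits 111..80
        return ipaddress.IPv4Address((a >> 80) & 0xFFFFFFFF) if a >> 112 == 0x2002 else None
    if mode == "isatap":
        # interface identifier must be 0000:5EFE followed by the IPv4 address
        if (a >> 32) & 0xFFFFFFFF != 0x5EFE:
            return None
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    raise ValueError(f"unknown tunnel mode {mode!r}")


if __name__ == "__main__":
    print(sixto4_prefix("1.1.1.1"), sixto4_address("1.1.1.1", subnet=1, interface_id=0x10))
    print(isatap_address("2001:db8:1:1::/64", "10.1.1.2"))
    print(tunnel_destination("2002:101:101:1::10", "6to4"))
```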
IPv4 over IPv4 tunneling
IPv4 over IPv4 tunneling (RFC 1853) enables isolated IPv4 networks to communicate with each other over
another IPv4 network. For example, an IPv4 over IPv4 tunnel can connect isolated private IPv4 networks
over a public IPv4 network.
Figure 78 Principle of IPv4 over IPv4 tunneling
Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure 78.
• Encapsulation:
  a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack.
  b. The IP protocol stack determines how to forward the packet according to the destination
     address in the IP header. If the packet is destined for the IPv4 host connected to Device B,
     Device A delivers the packet to the tunnel interface.
  c. The tunnel interface adds a new IPv4 header to the IPv4 packet and submits it to the IP protocol
     stack. In the new header, the source IP address specifies the tunnel source and the destination
     IP address specifies the tunnel destination. The IP protocol stack uses the destination IP address
     of the new IP header to look up the routing table and sends the packet out.
• De-encapsulation:
  d. After receiving the packet, Device A delivers it to the IP protocol stack.
  e. If the protocol number is 4 (indicating an IPv4 packet is encapsulated within the packet), the IP
     protocol stack delivers the packet to the tunnel module for de-encapsulation.
  f. The tunnel module de-encapsulates the IP packet and sends it back to the IP protocol stack.
  g. The protocol stack forwards the de-encapsulated packet.
IPv4 over IPv6 tunneling
IPv4 over IPv6 tunneling enables isolated IPv4 networks to communicate with each other over an IPv6
network.
Figure 79 Principle of IPv4 over IPv6 tunneling
The encapsulation and de-encapsulation processes illustrated in Figure 79 are described as follows:
• Encapsulation:
  a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack.
  b. The IPv4 protocol stack uses the destination address of the packet to determine the output
     interface. If the output interface is the tunnel interface, the IPv4 protocol stack delivers the
     packet to the tunnel interface.
  c. The tunnel interface adds an IPv6 header to the original IPv4 packet and delivers the packet to
     the IPv6 protocol stack.
  d. The IPv6 protocol stack uses the destination IPv6 address of the packet to look up the routing
     table and sends it out.
• De-encapsulation:
  e. Upon receiving the IPv6 packet from the attached IPv6 network, Device B delivers the packet
     to the IPv6 protocol stack to examine the protocol type encapsulated in the data portion of the
     packet.
  f. If the protocol type is IPv4, the IPv6 protocol stack delivers the packet to the tunneling module.
  g. The tunneling module removes the IPv6 header and delivers the remaining IPv4 packet to the
     IPv4 protocol stack.
  h. The IPv4 protocol stack forwards the IPv4 packet.
IPv4 over IPv6 tunnel modes
IPv4 over IPv6 tunnels include the following modes:
• IPv4 over IPv6 manual tunnel
In this tunnel mode, you must manually configure the source and destination IPv6 addresses for the
tunnel. An IPv4 over IPv6 manual tunnel is a point-to-point virtual link.
• DS-Lite tunnel
Dual Stack Lite (DS-Lite) combines IPv4 over IPv6 tunneling and network address translation
(NAT) to connect IPv4 networks over IPv6 networks without sacrificing the benefits of NAT.
Figure 80 DS-Lite network diagram
(Figure: a subscriber network with a private IPv4 network of IPv4 hosts behind a CPE, and a DS-Lite host; the DS-Lite tunnel crosses the ISP core IPv6 network to the AFTR, which connects to the IPv4 network and the Internet.)
As shown in Figure 80, a DS-Lite network involves the following parts:
• Customer Premises Equipment (CPE)
Resides at the customer's premises, connects the customer's network to an Internet Service
Provider (ISP) network, and usually serves as the gateway of the customer's network. As a
tunnel end, the CPE encapsulates IPv4 packets of the customer's network into IPv6 packets and
sends them to the other end of the tunnel, and de-encapsulates IPv6 packets into IPv4 packets
and sends them to the customer's network. Some hosts can serve as the CPE. Such hosts are
referred to as DS-Lite hosts.
• Address Family Transition Router (AFTR)
Resides in the ISP network and serves as both an IPv4 over IPv6 tunnel end and the NAT device.
After IPv6 packets are de-encapsulated into IPv4 packets, the AFTR translates the source
private IPv4 address of each packet into a public IPv4 address and sends the packet to the
destination IPv4 host. The AFTR also translates the destination public IPv4 address of each
response packet into a private IPv4 address, encapsulates the packet into an IPv6 packet, and
forwards the packet to the CPE. In addition, the AFTR records the NAT entries together with the IPv6
address of each CPE, so that IPv4 networks connected to different CPEs can use the same
address space.
• DS-Lite tunnel
The IPv4 over IPv6 tunnel between the CPE and the AFTR, which carries IPv4 packets over an IPv6
network.
Figure 81 Packet forwarding process in DS-Lite
When a gateway serves as the CPE, the changes of source and destination IP addresses and port
numbers are illustrated in Figure 81. The entire process is summarized as follows:
• The CPE and AFTR encapsulate and de-encapsulate packets.
• The AFTR performs NAT.
When a host serves as the CPE, the process is similar and therefore is not shown.
NAT supports both basic address translation between private and public addresses and Network
Address Port Translation (NAPT), which translates both the IP address (private or public) and the port
number. Figure 81 shows an example of NAPT. For more information about NAT, see
"Configuring NAT."
A DS-Lite tunnel supports only sessions initiated by an IPv4 host in a private network towards an IPv4
host on the Internet. It does not support an IPv4 host on the Internet initiating communication with
an IPv4 host in a private network, because no NAT mapping exists for such a packet at the AFTR.
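The AFTR behaviour described above, as an added Python example (not code from this guide or from the router software): NAPT state keyed by the CPE's IPv6 address as well as the private 4-tuple, so that two subscribers may reuse the same private address space, and the consequence that a packet from the Internet with no existing mapping is dropped. The class and function names, the port allocation scheme and the addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ipv4Flow:
    """The 4-tuple of a de-encapsulated IPv4 packet (addresses as strings)."""
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Aftr:
    """NAPT state an AFTR keeps for DS-Lite (assumed model for this example).
    Mappings are keyed by the CPE's IPv6 address plus the private source, so
    colliding private address spaces behind different CPEs stay distinguishable."""
    public_ipv4: str
    next_port: int = 10000
    # (cpe_ipv6, private_src, private_sport) -> public_port
    out_map: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (cpe_ipv6, private_src, private_sport)
    in_map: dict = field(default_factory=dict)

    def from_cpe(self, cpe_ipv6: str, pkt: Ipv4Flow) -> Ipv4Flow:
        """Packet arriving over the DS-Lite tunnel from a CPE: translate the
        private source address/port to the AFTR's public address/port."""
        cpe = str(ipaddress.IPv6Address(cpe_ipv6))   # normalise the key
        key = (cpe, pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.next_port += 1
        public_port = self.out_map[key]
        self.in_map[(public_port, pkt.dst, pkt.dport)] = key
        return Ipv4Flow(self.public_ipv4, pkt.dst, public_port, pkt.dport)

    def from_internet(self, pkt: Ipv4Flow):
        """Packet arriving from the IPv4 Internet: only packets that match an
        existing mapping are translated back and returned with the IPv6 address
        of the CPE to encapsulate towards. Anything else is dropped (None):
        DS-Lite does not support Internet-initiated sessions."""
        if pkt.dst != self.public_ipv4:
            return None
        key = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if key is None:
            return None
        cpe, private_src, private_sport = key
        return cpe, Ipv4Flow(pkt.src, private_src, pkt.sport, private_sport)


def demo() -> dict:
    """Two subscriber sites that both use 192.168.1.0/24 behind different CPEs
    (constructed sample data) reach the same web server through one AFTR."""
    aftr = Aftr(public_ipv4="203.0.113.10")
    cpe_a, cpe_b = "2001:db8:1::1", "2001:db8:2::1"
    request = Ipv4Flow("192.168.1.2", "198.51.100.5", 40000, 80)

    out_a = aftr.from_cpe(cpe_a, request)      # both sites send the identical 4-tuple
    out_b = aftr.from_cpe(cpe_b, request)

    # The server answers the public port it saw; the AFTR must route the reply
    # back to the right CPE even though the private 4-tuples collide.
    reply_b = Ipv4Flow("198.51.100.5", "203.0.113.10", 80, out_b.sport)
    back = aftr.from_internet(reply_b)

    # Unsolicited inbound connection from the Internet: no mapping, dropped.
    unsolicited = Ipv4Flow("198.51.100.7", "203.0.113.10", 5555, 443)

    return {
        "port_a": out_a.sport,
        "port_b": out_b.sport,
        "reply_cpe": back[0],
        "reply_dst": back[1].dst,
        "reply_dport": back[1].dport,
        "unsolicited_dropped": aftr.from_internet(unsolicited) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because the AFTR is the only place where the public port, the private address and the CPE's IPv6 address are tied together, its mapping records are what an operator needs to attribute a public IPv4/port pair to a subscriber.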
IPv6 over IPv6 tunneling
Introduction
IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over
another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses
to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other.
Encapsulation and de-encapsulation
Figure 82 Principle of IPv6 over IPv6 tunneling
Figure 82 shows the encapsulation and de-encapsulation processes:
• Encapsulation
a. After receiving an IPv6 packet, Device A submits it to the IPv6 protocol stack.
b. The IPv6 protocol stack uses the destination IPv6 address of the packet to find the output
interface. If the output interface is the tunnel interface, the stack delivers the packet to the tunnel
interface.
c. After receiving the packet, the tunnel interface adds an IPv6 header to it and submits it to the
IPv6 protocol stack.
d. The IPv6 protocol stack forwards the packet according to its destination IPv6 address.
• De-encapsulation
e. Upon receiving the IPv6 packet, Device B delivers it to the IPv6 protocol stack.
f. The IPv6 protocol stack checks the protocol type of the data portion encapsulated in the IPv6
packet. If the encapsulated protocol is IPv6, the stack delivers the packet to the tunnel module.
g. The tunnel module de-encapsulates the packet and sends it back to the IPv6 protocol stack.
h. The IPv6 protocol stack forwards the IPv6 packet.
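An added Python example (not code from this guide or from the router software) that models the encapsulation and de-encapsulation steps described for IPv4 over IPv4, IPv4 over IPv6 and IPv6 over IPv6 tunnels. It builds the outer header with protocol number 4 (IPv4 payload) or 41 (IPv6 payload), strips it again at the far end, and adds one check a practitioner wants on a manually configured tunnel: the outer source address must be the configured peer, otherwise anyone who can reach the tunnel source address could inject packets into the inner network. The Tunnel class, that peer check and the sample addresses are assumptions of the example; the protocol numbers and header layouts are the standard ones.

```python
import ipaddress
import struct

# Protocol numbers carried in the outer header (IANA): 4 = IPv4 payload
# (the "protocol number 4" in the text), 41 = IPv6 payload (RFC 2473).
PROTO_IPV4 = 4
PROTO_IPV6 = 41
IPV4_HDR_LEN = 20
IPV6_HDR_LEN = 40


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with a valid checksum."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                      0, 0x4000, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(src, dst, next_header: int, payload_len: int, hop_limit: int = 64) -> bytes:
    """Minimal 40-byte IPv6 header (no extension headers)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def tunnel_mtu(link_mtu: int, outer_version: int) -> int:
    """Largest inner packet that still fits the physical link after the outer header
    is added: 20 bytes for an IPv4 outer header, 40 for IPv6. A 1500-byte link
    gives 1480 for IPv4 encapsulation, the value the display output shows."""
    return link_mtu - (IPV4_HDR_LEN if outer_version == 4 else IPV6_HDR_LEN)


class Tunnel:
    """One end of a manually configured point-to-point tunnel: source and
    destination are the tunnel end points (the 'source'/'destination' commands)."""

    def __init__(self, source: str, destination: str):
        self.source = ipaddress.ip_address(source)
        self.destination = ipaddress.ip_address(destination)
        if self.source.version != self.destination.version:
            raise ValueError("tunnel source and destination must be the same address family")

    def encapsulate(self, inner: bytes) -> bytes:
        """Steps a-c: pick the protocol number from the inner packet's version
        and prepend an outer header addressed source -> destination."""
        proto = {4: PROTO_IPV4, 6: PROTO_IPV6}[inner[0] >> 4]
        if self.source.version == 4:
            return ipv4_header(self.source, self.destination, proto, len(inner)) + inner
        return ipv6_header(self.source, self.destination, proto, len(inner)) + inner

    def decapsulate(self, outer: bytes) -> bytes:
        """Steps d-g: strip the outer header if the protocol number says a tunnel
        payload follows. Also refuses packets whose outer source is not the
        configured peer; this anti-spoofing check is an assumption of this
        example, not a documented behaviour of the router."""
        version = outer[0] >> 4
        if version == 4:
            ihl = (outer[0] & 0x0F) * 4
            proto, src, inner = outer[9], ipaddress.IPv4Address(outer[12:16]), outer[ihl:]
        elif version == 6:
            proto, src, inner = outer[6], ipaddress.IPv6Address(outer[8:24]), outer[IPV6_HDR_LEN:]
        else:
            raise ValueError("not an IP packet")
        if proto not in (PROTO_IPV4, PROTO_IPV6):
            raise ValueError("outer protocol %d is not a tunnel payload" % proto)
        if src != self.destination:
            raise ValueError("outer source %s is not the configured tunnel peer" % src)
        if (inner[0] >> 4) != (4 if proto == PROTO_IPV4 else 6):
            raise ValueError("inner version does not match the outer protocol number")
        return inner
```

The peer check only helps against casual injection: the outer source is not authenticated, so an attacker who can spoof the peer's address on the IPv4 path still gets through. For traffic that must not be injected or read in transit, run IPsec over the tunnel rather than relying on the encapsulation.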
Protocols and standards
• RFC 1853, IP in IP Tunneling
• RFC 2473, Generic Packet Tunneling in IPv6 Specification
• RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
• RFC 3056, Connection of IPv6 Domains via IPv4 Clouds
• RFC 4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Tunneling configuration task list
Task                                                    Remarks
Configuring a tunnel interface                          N/A
Configuring an IPv6 manual tunnel                       Optional.
Configuring an automatic IPv4-compatible IPv6 tunnel    Optional.
Configuring a 6to4 tunnel                               Optional.
Configuring an ISATAP tunnel                            Optional.
Configuring an IPv4 over IPv4 tunnel                    Optional.
Configuring an IPv4 over IPv6 manual tunnel             Optional.
Configuring a DS-Lite tunnel                            Optional.
Configuring an IPv6 over IPv6 tunnel                    Optional.
Configuring a tunnel interface
Configuration prerequisites
Configure a Layer 3 virtual tunnel interface on each device on a tunnel so that devices at both ends can
send, identify, and process packets from the tunnel.
Configuration guidelines
The tunnel bandwidth command sets a bandwidth value that dynamic routing protocols use to calculate the
cost of the tunnel. It does not affect the actual interface bandwidth. Choose the value
according to the bandwidth of the actual output interface.
Configuration procedure
To configure a tunnel interface:
349. Enter system view.
     Command: system-view
     Remarks: N/A
350. Create a tunnel interface and enter its view.
     Command: interface tunnel number
     Remarks: By default, no tunnel interface is created.
351. Configure a description for the interface.
     Command: description text
     Remarks: Optional. By default, the description of a tunnel interface is "Tunnel number Interface".
352. Set the MTU of the tunnel interface.
     Commands:
     • Set the MTU for IPv4 packets sent over the interface: mtu mtu-size
     • Set the MTU for IPv6 packets sent over the interface: ipv6 mtu mtu-size
     Remarks: Optional. Use either command as needed. The default value is 64 KB.
353. Set the bandwidth for the tunnel interface.
     Command: tunnel bandwidth bandwidth-value
     Remarks: Optional. By default, the bandwidth for the tunnel interface is 64 kbps.
354. Set the intended bandwidth for the tunnel interface.
     Command: bandwidth bandwidth-value
     Remarks: Optional. You can obtain the intended bandwidth of an interface by querying the ifspeed
     value of the MIB node with third-party software. The intended bandwidth is used for bandwidth
     monitoring by the network management system, but does not affect the actual bandwidth of the
     interface.
355. Restore the default setting.
     Command: default
     Remarks: Optional.
356. Shut down the tunnel interface.
     Command: shutdown
     Remarks: Optional. By default, the tunnel interface is up.
Configuring an IPv6 manual tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback
interface) to be used as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure an IPv6 manual tunnel:
• After a tunnel interface is deleted, all the features configured on the tunnel interface are deleted.
• If the destination IPv6 network is not in the same subnet as the IPv6 address of the tunnel interface,
you must configure a static route destined for the destination IPv6 network. You can specify the local
tunnel interface as the output interface of the route or specify the IPv6 address of the peer tunnel
interface as the next hop. Alternatively, you can enable a dynamic routing protocol on both tunnel
interfaces to achieve the same purpose. For more information, see Layer 3—IP Routing
Configuration Guide.
Configuration procedure
To configure an IPv6 manual tunnel:
357. Enter system view.
     Command: system-view
     Remarks: N/A
358. Enable IPv6.
     Command: ipv6
     Remarks: By default, the IPv6 packet forwarding function is disabled.
359. Enter tunnel interface view.
     Command: interface tunnel number
     Remarks: N/A
360. Configure an IPv6 address for the tunnel interface.
     Commands:
     • Configure a global unicast IPv6 address or a site-local address:
       ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
       ipv6 address ipv6-address/prefix-length eui-64
     • Configure a link-local IPv6 address:
       ipv6 address auto link-local
       ipv6 address ipv6-address link-local
     Remarks: The link-local IPv6 address configuration is optional. By default, no IPv6 global unicast
     address or site-local address is configured for the tunnel interface, and a link-local address is
     automatically created when an IPv6 global unicast address or site-local address is configured.
361. Specify the IPv6 manual tunnel mode.
     Command: tunnel-protocol ipv6-ipv4
     Remarks: The same tunnel mode must be configured at both ends of the tunnel. Otherwise, packet
     delivery fails.
362. Configure a source address or interface for the tunnel.
     Command: source { ip-address | interface-type interface-number }
     Remarks: By default, no source address or interface is configured for the tunnel.
363. Configure a destination address for the tunnel interface.
     Command: destination ip-address
     Remarks: By default, no destination address is configured for the tunnel.
364. Return to system view.
     Command: quit
     Remarks: N/A
365. Enable dropping of IPv6 packets that use IPv4-compatible IPv6 addresses.
     Command: tunnel discard ipv4-compatible-packet
     Remarks: Optional. This feature is disabled by default.
Configuration example
Network requirements
As shown in Figure 83, configure an IPv4 network between Router A and Router B so the two IPv6
networks can reach each other over the IPv4 network. The tunnel destination IPv4 address cannot be
automatically obtained from the destination IPv6 addresses of packets. Therefore, configure an IPv6
manual tunnel.
Figure 83 Network diagram
Configuration procedure
Make sure Router A and Router B can reach each other through IPv4.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for Ethernet 1/2.
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ip address 192.168.100.1 255.255.255.0
[RouterA-Ethernet1/2] quit
# Configure an IPv6 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 3002::1 64
[RouterA-Ethernet1/1] quit
# Configure an IPv6 manual tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address 3001::1/64
[RouterA-Tunnel0] source ethernet 1/2
[RouterA-Tunnel0] destination 192.168.50.1
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4
[RouterA-Tunnel0] quit
# Configure a static route to IPv6 Group 2 through Tunnel 0 on Router A.
[RouterA] ipv6 route-static 3003:: 64 tunnel 0
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv4 address for Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 192.168.50.1 255.255.255.0
[RouterB-Ethernet1/2] quit
# Configure an IPv6 address for Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ipv6 address 3003::1 64
[RouterB-Ethernet1/1] quit
# Configure an IPv6 manual tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 3001::2/64
[RouterB-Tunnel0] source ethernet 1/2
[RouterB-Tunnel0] destination 192.168.100.1
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4
[RouterB-Tunnel0] quit
# Configure a static route to IPv6 Group 1 through Tunnel 0 on Router B.
[RouterB] ipv6 route-static 3002:: 64 tunnel 0
Verifying the configuration
# Display the status of the tunnel interfaces on Router A and Router B, respectively.
[RouterA] display ipv6 interface tunnel 0
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:6401
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:0
FF02::1:FF00:1
FF02::1:FFA8:6401
FF02::2
FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 55
...
[RouterB] display ipv6 interface tunnel 0
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:3201
Global unicast address(es):
3001::2, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:0
FF02::1:FF00:1
FF02::1:FFA8:3201
FF02::2
FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 55
...
# Ping the IPv6 address of Ethernet 1/1 at the peer end from Router A.
[RouterA] ping ipv6 3003::1
PING 3003::1 : 56 data bytes, press CTRL_C to break
Reply from 3003::1
bytes=56 Sequence=1 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=2 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=3 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- 3003::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Configuring an automatic IPv4-compatible IPv6 tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback
interface) to be used as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure an automatic IPv4-compatible IPv6 tunnel:
• No destination address needs to be configured for an automatic IPv4-compatible IPv6 tunnel,
because the destination IPv4 address of the tunnel is embedded in the destination IPv4-compatible IPv6
address of each packet.
• Tunnel interfaces using the same encapsulation protocol cannot use the same source IP address.
Configuration procedure
To configure an automatic IPv4-compatible IPv6 tunnel:
366. Enter system view.
     Command: system-view
     Remarks: N/A
367. Enable the IPv6 packet forwarding function.
     Command: ipv6
     Remarks: By default, the IPv6 packet forwarding function is disabled.
368. Enter tunnel interface view.
     Command: interface tunnel number
     Remarks: N/A
369. Configure an IPv6 address for the tunnel interface.
     Commands:
     • Configure an IPv6 global unicast address or a site-local address:
       ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
       ipv6 address ipv6-address/prefix-length eui-64
     • Configure an IPv6 link-local address:
       ipv6 address auto link-local
       ipv6 address ipv6-address link-local
     Remarks: The IPv6 link-local address configuration is optional. By default, no IPv6 global unicast
     address or site-local address is configured for the tunnel interface, and a link-local address is
     automatically generated when an IPv6 global unicast or site-local address is configured for the
     interface.
370. Specify the automatic IPv4-compatible IPv6 tunnel mode.
     Command: tunnel-protocol ipv6-ipv4 auto-tunnel
     Remarks: The same tunnel mode must be configured at both ends of the tunnel. Otherwise, packet
     delivery fails.
371. Configure a source address or interface for the tunnel.
     Command: source { ip-address | interface-type interface-number }
     Remarks: By default, no source address or interface is configured for the tunnel.
Configuration example
Network requirements
As shown in Figure 84, the dual-stack routers Router A and Router B communicate over an IPv4 network.
Configure an automatic IPv4-compatible IPv6 tunnel between the two routers to enable IPv6
communication between them over the IPv4 network.
Figure 84 Network diagram
Configuration procedure
Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure Router A and Router B can
reach each other through IPv4.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 192.168.100.1 255.255.255.0
[RouterA-Ethernet1/1] quit
# Configure an automatic IPv4-compatible IPv6 tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address ::192.168.100.1/96
[RouterA-Tunnel0] source ethernet 1/1
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 auto-tunnel
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv4 address for Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 192.168.50.1 255.255.255.0
[RouterB-Ethernet1/1] quit
# Configure an automatic IPv4-compatible IPv6 tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address ::192.168.50.1/96
[RouterB-Tunnel0] source ethernet 1/1
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 auto-tunnel
Verifying the configuration
# Display the status of the tunnel interfaces on Router A and Router B, respectively.
[RouterA-Tunnel0] display ipv6 interface tunnel 0
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:6401
Global unicast address(es):
::192.168.100.1, subnet is ::/96
Joined group address(es):
FF02::1:FFA8:6401
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 65
...
[RouterB-Tunnel0] display ipv6 interface tunnel 0
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:3201
Global unicast address(es):
::192.168.50.1, subnet is ::/96
Joined group address(es):
FF02::1:FFA8:3201
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 65
...
# Ping the IPv4-compatible IPv6 address at the peer end from Router A.
[RouterA-Tunnel0] ping ipv6 ::192.168.50.1
PING ::192.168.50.1 : 56 data bytes, press CTRL_C to break
Reply from ::192.168.50.1
bytes=56 Sequence=1 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=2 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=3 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- ::192.168.50.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Configuring a 6to4 tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback
interface) to be used as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure a 6to4 tunnel:
• No destination address needs to be configured for a 6to4 tunnel, because the destination IPv4
address is embedded in the 6to4 IPv6 address.
• Because automatic tunnels do not support dynamic routing, you must configure a static route
destined for the destination IPv6 network at each tunnel end. You can specify the local tunnel
interface as the output interface of the route or specify the IPv6 address of the peer tunnel interface
as the next hop of the route. For the detailed configuration, see Layer 3—IP Routing Configuration
Guide.
• Automatic tunnel interfaces using the same encapsulation protocol cannot use the same source
IP address.
Configuration procedure
To configure a 6to4 tunnel:
372. Enter system view.
     Command: system-view
     Remarks: N/A
373. Enable IPv6.
     Command: ipv6
     Remarks: By default, the IPv6 packet forwarding function is disabled.
374. Enter tunnel interface view.
     Command: interface tunnel number
     Remarks: N/A
375. Configure an IPv6 address for the tunnel interface.
     Commands:
     • Configure an IPv6 global unicast address or a site-local address:
       ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
       ipv6 address ipv6-address/prefix-length eui-64
     • Configure an IPv6 link-local address:
       ipv6 address auto link-local
       ipv6 address ipv6-address link-local
     Remarks: The IPv6 link-local address configuration is optional. By default, no IPv6 global unicast
     address or site-local address is configured for the tunnel interface, and a link-local address is
     automatically generated when an IPv6 global unicast address or site-local address is configured.
376. Specify the 6to4 tunnel mode.
     Command: tunnel-protocol ipv6-ipv4 6to4
     Remarks: The same tunnel mode must be configured at both ends of the tunnel. Otherwise, packet
     delivery fails.
377. Configure a source address or interface for the tunnel.
     Command: source { ip-address | interface-type interface-number }
     Remarks: By default, no source address or interface is configured for the tunnel.
378. Return to system view.
     Command: quit
     Remarks: N/A
379. Enable dropping of IPv6 packets that use IPv4-compatible IPv6 addresses.
     Command: tunnel discard ipv4-compatible-packet
     Remarks: Optional. The default setting is disabled.
6to4 tunnel configuration example
Network requirements
As shown in Figure 85, configure a 6to4 tunnel between 6to4 routers Router A and Router B to make Host
A and Host B reachable to each other.
Figure 85 Network diagram
Configuration considerations
To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 routers and hosts
in the 6to4 networks.
• The IPv4 address of Ethernet 1/2 on Router A is 2.1.1.1/24, and the corresponding 6to4 prefix is
2002:0201:0101::/48. Assign interface Tunnel 0 to subnet 2002:0201:0101::/64 and Ethernet
1/1 to subnet 2002:0201:0101:1::/64.
• The IPv4 address of Ethernet 1/2 on Router B is 5.1.1.1/24, and the corresponding 6to4 prefix is
2002:0501:0101::/48. Assign interface Tunnel 0 to subnet 2002:0501:0101::/64 and Ethernet
1/1 to subnet 2002:0501:0101:1::/64.
Configuration procedure
Before configuring a 6to4 tunnel, make sure Router A and Router B can reach each other through IPv4.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for Ethernet 1/2.
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ip address 2.1.1.1 24
[RouterA-Ethernet1/2] quit
# Configure an IPv6 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 2002:0201:0101:1::1/64
[RouterA-Ethernet1/1] quit
# Configure the 6to4 tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address 2002:201:101::1/64
[RouterA-Tunnel0] source ethernet 1/2
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel0] quit
# Configure a static route to 2002::/16 with Tunnel 0 as the output interface. The IPv4 tunnel
destination for each packet is taken from its 6to4 destination address.
[RouterA] ipv6 route-static 2002:: 16 tunnel 0
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv4 address for Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 5.1.1.1 24
[RouterB-Ethernet1/2] quit
# Configure an IPv6 address for Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ipv6 address 2002:0501:0101:1::1/64
[RouterB-Ethernet1/1] quit
# Configure a 6to4 tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 2002:0501:0101::1/64
[RouterB-Tunnel0] source ethernet 1/2
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel0] quit
# Configure a static route to 2002::/16 with Tunnel 0 as the output interface.
[RouterB] ipv6 route-static 2002:: 16 tunnel 0
Verifying the configuration
# Ping either host from the other, and the ping operation succeeds.
D:\>ping6 -s 2002:201:101:1::2 2002:501:101:1::2
Pinging 2002:501:101:1::2 from 2002:201:101:1::2 with 32 bytes of data:
Reply from 2002:501:101:1::2: bytes=32 time=13ms
Reply from 2002:501:101:1::2: bytes=32 time=1ms
Reply from 2002:501:101:1::2: bytes=32 time=1ms
Reply from 2002:501:101:1::2: bytes=32 time<1ms
Ping statistics for 2002:501:101:1::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 13ms, Average = 3ms
6to4 relay configuration example
Network requirements
As shown in Figure 86, Router A is a 6to4 router, and 6to4 addresses are used on the connected IPv6
network. Router B serves as a 6to4 relay router and is connected to an IPv6 network (2001::/16).
Configure a 6to4 tunnel between Router A and Router B to make Host A and Host B reachable to each
other.
Figure 86 Network diagram
Configuration procedure
Make sure Router A and Router B can reach each other through IPv4.
The configuration on a 6to4 relay router is similar to that on a 6to4 router. However, to enable
communication between the 6to4 network and the IPv6 network, you must configure a route to the IPv6
network on the 6to4 router.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for Ethernet 1/2.
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ip address 2.1.1.1 255.255.255.0
[RouterA-Ethernet1/2] quit
# Configure an IPv6 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 2002:0201:0101:1::1/64
[RouterA-Ethernet1/1] quit
# Configure a 6to4 tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel0] source ethernet 1/2
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel0] quit
# Configure a static route to the 6to4 relay router.
[RouterA] ipv6 route-static 2002:0601:0101:: 64 tunnel 0
# Configure the default route to the IPv6-only network.
[RouterA] ipv6 route-static :: 0 2002:0601:0101::1
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv4 address for Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 6.1.1.1 255.255.255.0
[RouterB-Ethernet1/2] quit
# Configure an IPv6 address for Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ipv6 address 2001::1/16
[RouterB-Ethernet1/1] quit
# Configure a 6to4 tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 2002:0601:0101::1/64
[RouterB-Tunnel0] source ethernet 1/2
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel0] quit
# Configure a static route to 2002::/16 with Tunnel 0 as the output interface.
[RouterB] ipv6 route-static 2002:: 16 tunnel 0
Verifying the configuration
# Ping Host B from Host A. The ping operation succeeds.
D:\>ping6 -s 2002:201:101:1::2 2001::2
Pinging 2001::2 from 2002:201:101:1::2 with 32 bytes of data:
Reply from 2001::2: bytes=32 time=13ms
Reply from 2001::2: bytes=32 time=1ms
Reply from 2001::2: bytes=32 time=1ms
Reply from 2001::2: bytes=32 time<1ms
Ping statistics for 2001::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 13ms, Average = 3ms
Configuring an ISATAP tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback
interface) to be used as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure an ISATAP tunnel:
• No destination address needs to be configured for an ISATAP tunnel, because the destination IPv4
address is embedded in the ISATAP address.
• Because automatic tunnels do not support dynamic routing, you must configure a static route
destined for the destination IPv6 network at each tunnel end. You can specify the local tunnel
interface as the output interface of the route or specify the IPv6 address of the peer tunnel interface
as the next hop of the route. For more information, see Layer 3—IP Routing Configuration Guide.
• Automatic tunnel interfaces using the same encapsulation protocol cannot use the same source
IP address.
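The guidelines for the automatic IPv4-compatible, 6to4 and ISATAP tunnels above, and the 6to4 prefix derivation in the 6to4 configuration considerations, all rest on one rule: the outer IPv4 destination of an automatic tunnel is read out of the IPv6 destination (or next hop) rather than configured. This is also what makes automatic tunnels riskier than manual ones: the decapsulating router accepts encapsulated packets from any IPv4 source, and the embedded address is attacker-controlled. The following added Python example (not code from this guide or from the router software) derives the three address forms from an IPv4 address, recovers the embedded IPv4 tunnel destination per tunnel mode, implements the property that "tunnel discard ipv4-compatible-packet" filters on, and adds a sanity check on the embedded address. The function names, the check policy (modelled on the RFC 3964 6to4 security checks) and the 0000:5EFE / 0200:5EFE ISATAP interface identifiers (RFC 5214) are assumptions of the example.

```python
import ipaddress

ISATAP_IID = 0x00005EFE  # 0000:5EFE interface identifier prefix (RFC 5214, assumed)


def v4int(addr) -> int:
    return int(ipaddress.IPv4Address(addr))


def ipv4_compatible(v4) -> ipaddress.IPv6Address:
    """::a.b.c.d, the deprecated form used by the automatic IPv4-compatible tunnel."""
    return ipaddress.IPv6Address(v4int(v4))


def sixto4_prefix(v4) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48: the 32-bit IPv4 address occupies bits 16-47 of the prefix."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4int(v4) << 80), 48))


def isatap_address(prefix, v4) -> ipaddress.IPv6Address:
    """prefix::5EFE:a.b.c.d, the ISATAP address of an IPv4 node under a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | (ISATAP_IID << 32) | v4int(v4))


def tunnel_destination(mode: str, next_hop, configured=None) -> ipaddress.IPv4Address:
    """The IPv4 address the outer header is sent to. Automatic tunnels derive it from the
    IPv6 next hop or destination; a manual tunnel uses the configured 'destination'."""
    if mode == "manual":
        return ipaddress.IPv4Address(configured)
    n = int(ipaddress.IPv6Address(next_hop))
    if mode == "6to4":
        if (n >> 112) != 0x2002:
            raise ValueError("%s is not a 6to4 address" % next_hop)
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if mode == "isatap":
        if ((n >> 32) & 0xFFFFFFFF) not in (ISATAP_IID, ISATAP_IID | 0x02000000):
            raise ValueError("%s is not an ISATAP address" % next_hop)
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if mode == "auto-tunnel":
        if (n >> 32) != 0:
            raise ValueError("%s is not an IPv4-compatible address" % next_hop)
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    raise ValueError("unknown tunnel mode %r" % mode)


def is_ipv4_compatible(addr) -> bool:
    """True for ::a.b.c.d (excluding :: and ::1). This is the property that
    'tunnel discard ipv4-compatible-packet' drops IPv6 packets on."""
    n = int(ipaddress.IPv6Address(addr))
    return (n >> 32) == 0 and n > 1


def embedded_ipv4_is_routable(v4) -> bool:
    """Sanity check before decapsulating or relaying an automatic-tunnel packet
    (assumed policy): refuse embedded IPv4 addresses that can never be a
    legitimate Internet tunnel end point. Note that it rejects the RFC 1918
    addresses used in the lab examples on this page; it is meant for an
    Internet-facing 6to4 relay, not for a private test network."""
    a = ipaddress.IPv4Address(v4)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_unspecified or a.is_reserved or not a.is_global)
```

With the addresses from the configuration examples: 2.1.1.1 yields the prefix 2002:201:101::/48 that Router A's Tunnel 0 and Ethernet 1/1 are assigned from, 1.1.1.1 under 2001::/64 yields the router's ISATAP address 2001::5efe:101:101, and a packet routed to 2002:601:101::1 (the 6to4 relay) is sent to 6.1.1.1.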
Configuration procedure
To configure an ISATAP tunnel:
380. Enter system view.
     Command: system-view
     Remarks: N/A
381. Enable IPv6.
     Command: ipv6
     Remarks: By default, the IPv6 forwarding function is disabled.
382. Enter tunnel interface view.
     Command: interface tunnel number
     Remarks: N/A
383. Configure an IPv6 address for the tunnel interface.
     Commands:
     • Configure an IPv6 global unicast address or site-local address:
       ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
       ipv6 address ipv6-address/prefix-length eui-64
     • Configure an IPv6 link-local address:
       ipv6 address auto link-local
       ipv6 address ipv6-address link-local
     Remarks: The IPv6 link-local address configuration is optional. By default, no IPv6 global unicast
     address or site-local address is configured for the tunnel interface, and a link-local address is
     automatically generated when an IPv6 global unicast address or site-local address is configured.
384. Specify the ISATAP tunnel mode.
     Command: tunnel-protocol ipv6-ipv4 isatap
     Remarks: The same tunnel mode must be configured at both ends of the tunnel. Otherwise, packet
     delivery fails.
385. Configure a source address or interface for the tunnel.
     Command: source { ip-address | interface-type interface-number }
     Remarks: By default, no source address or interface is configured for the tunnel.
386. Return to system view.
     Command: quit
     Remarks: N/A
387. Enable dropping of IPv6 packets that use IPv4-compatible IPv6 addresses.
     Command: tunnel discard ipv4-compatible-packet
     Remarks: Optional. Disabled by default.
Configuration example
Network requirements
As shown in Figure 87, configure an ISATAP tunnel between the router and the ISATAP host so the ISATAP
host in the IPv4 network can access the IPv6 network.
Figure 87 Network diagram
(Figure: the ISATAP router connects the IPv6 network through Eth1/2, 3001::1/64, and the IPv4 network through Eth1/1, 1.1.1.1/8; its Tunnel0 address is 2001::5EFE:0101:0101/64. The ISATAP tunnel crosses the IPv4 network to the ISATAP host, IPv4 address 2.1.1.2/32, IPv6 addresses FE80::5EFE:0201:0102 and 2001::5EFE:0201:0102. An IPv6 host, labeled 3002::2/64 in the figure, sits in the IPv6 network.)
Configuration procedure
Make sure Ethernet 1/1 on the ISATAP router and the ISATAP host can reach each other through IPv4.
• Configure the router:
# Enable IPv6.
<Router> system-view
[Router] ipv6
# Configure addresses for interfaces.
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ipv6 address 3001::1/64
[Router-Ethernet1/2] quit
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 1.1.1.1 255.0.0.0
[Router-Ethernet1/1] quit
# Configure an ISATAP tunnel.
[Router] interface tunnel 0
[Router-Tunnel0] ipv6 address 2001::5efe:0101:0101 64
[Router-Tunnel0] source ethernet 1/1
[Router-Tunnel0] tunnel-protocol ipv6-ipv4 isatap
# Disable RA suppression so that the ISATAP host can acquire information such as the address
prefix from the RA message advertised by the ISATAP router.
[Router-Tunnel0] undo ipv6 nd ra halt
[Router-Tunnel0] quit
# Configure a static route to the ISATAP host.
[Router] ipv6 route-static 2001:: 16 tunnel 0
• Configure the ISATAP host:
Configurations on the ISATAP host vary depending on the operating system. The following
example is performed on Windows XP.
# Install IPv6.
C:\>ipv6 install
# On a host running Windows XP, the ISATAP interface is usually interface 2. Configure the IPv4
address of the ISATAP router on interface 2 to complete the configuration on the host. Before that,
view the ISATAP interface information:
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
does not use Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 0.0.0.0
router link-layer address: 0.0.0.0
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48
# A link-local address (fe80::5efe:2.1.1.2) in the ISATAP format has been automatically
generated for the ISATAP interface. Configure the IPv4 address of the ISATAP router on the ISATAP
interface.
C:\>ipv6 rlu 2 1.1.1.1
After carrying out the command, display the information on the ISATAP interface.
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
uses Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 2.1.1.2
router link-layer address: 1.1.1.1
preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1500 (true link MTU 65515)
current hop limit 255
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48
# The host acquires the address prefix 2001::/64 and has automatically generated the address
2001::5efe:2.1.1.2. The message "uses Router Discovery" indicates that the router discovery
function is enabled on the host. Ping the IPv6 address of the tunnel interface of the router. The ping
operation succeeds, indicating an ISATAP tunnel has been established.
C:\>ping 2001::5efe:1.1.1.1
Pinging 2001::5efe:1.1.1.1 with 32 bytes of data:
Reply from 2001::5efe:1.1.1.1: time=1ms
Reply from 2001::5efe:1.1.1.1: time=1ms
Reply from 2001::5efe:1.1.1.1: time=1ms
Reply from 2001::5efe:1.1.1.1: time=1ms
Ping statistics for 2001::5efe:1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Verifying the configuration
After the configuration, the ISATAP host can access the host in the IPv6 network.
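The addresses in this example are not arbitrary: the router's tunnel address 2001::5efe:0101:0101 and the host's fe80::5efe:2.1.1.2 are both ISATAP addresses, whose low 64 bits are 0000:5EFE followed by the node's IPv4 address. The following Python is an added illustration (not part of this guide or the router software) that derives those addresses from a prefix and an IPv4 address and extracts the IPv4 address back out, which is a quick way to check what the host should show after ipv6 rlu and which address to ping. The function and constant names are this example's own.

```python
import ipaddress
from typing import Optional, Tuple

# ISATAP interface identifier (RFC 5214): the upper 32 bits are 00-00-5E-FE and the
# lower 32 bits carry the node's IPv4 address. The "u" bit (0x02 in the first octet)
# is set only when the embedded IPv4 address is globally unique; the addresses in
# this example are private, so it stays clear.
ISATAP_IID_HIGH = 0x00005EFE
U_BIT = 0x02000000


def isatap_address(prefix: str, ipv4: str, global_ipv4: bool = False) -> ipaddress.IPv6Address:
    """Build the ISATAP address for `ipv4` under a /64 prefix (fe80::/64 for the
    link-local address, or the prefix the router advertises in its RA)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the ISATAP interface identifier fills the low 64 bits; use a /64 prefix")
    high = ISATAP_IID_HIGH | (U_BIT if global_ipv4 else 0)
    iid = (high << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in an ISATAP-formatted IPv6 address,
    or None when the interface identifier is not in ISATAP format."""
    value = int(ipaddress.IPv6Address(addr))
    iid = value & ((1 << 64) - 1)
    if ((iid >> 32) & ~U_BIT) != ISATAP_IID_HIGH:   # ignore the u bit when matching
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def expected_host_addresses(advertised_prefix: str, host_ipv4: str) -> Tuple[str, str]:
    """The two addresses an ISATAP host should list once it has learned the
    router's prefix: its link-local address and its global address."""
    return (str(isatap_address("fe80::/64", host_ipv4)),
            str(isatap_address(advertised_prefix, host_ipv4)))


if __name__ == "__main__":
    # Values taken from the example above: router IPv4 1.1.1.1, host IPv4 2.1.1.2, prefix 2001::/64.
    print("router tunnel address:", isatap_address("2001::/64", "1.1.1.1"))
    print("host addresses:", expected_host_addresses("2001::/64", "2.1.1.2"))
    print("IPv4 inside fe80::5efe:2.1.1.2:", embedded_ipv4("fe80::5efe:2.1.1.2"))
```

Python prints IPv6 addresses in compressed form, so 2001::5efe:0101:0101 appears as 2001::5efe:101:101; it is the same address the host pings in the example.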
Configuring an IPv4 over IPv4 tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback
interface) to be configured as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure an IPv4 over IPv4 tunnel:
• If the destination IPv4 network is not on the same subnet as the IPv4 address of the local tunnel interface, you must configure a route destined for the destination IPv4 network through the tunnel interface. You can configure a static route, and specify the local tunnel interface as the output interface or specify the IPv4 address of the peer tunnel interface as the next hop. Alternatively, you can enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose. For the detailed configuration, see Layer 3—IP Routing Configuration Guide.
• The IPv4 address of the local tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface.
• The destination address of the route passing the tunnel interface must not be on the same subnet as the destination address configured on the tunnel interface.
• Two or more local tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
• If you specify a source interface instead of a source address for a tunnel interface, the source address of the tunnel is the primary IP address of the source interface.
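The guidelines above are mechanical enough to check before a configuration is pushed, and a misconfigured tunnel (a route through the tunnel that covers the tunnel's own destination, for instance) fails in ways that are slow to diagnose on the wire. The following Python validator is an added example, not code from this guide or the router; TunnelConfig, check_tunnel and check_tunnels are names invented here, and the sample data is constructed after the Router A configuration in the example that follows. Because it works on address families generically, it also covers the equivalent guideline lists for IPv4 over IPv6 and IPv6 over IPv6 tunnels later in this chapter.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TunnelConfig:
    """One tunnel interface as the guidelines describe it (a model for this example)."""
    name: str
    protocol: str                         # encapsulation, e.g. "ipv4-ipv4"
    address: str                          # address on the tunnel interface, e.g. "10.1.2.1/24"
    destination: str                      # transport-side address of the peer
    source: Optional[str] = None          # explicit transport-side source address
    source_interface_primary: Optional[str] = None   # primary address of the source interface, if one was given instead
    routes: List[str] = field(default_factory=list)          # networks routed out through this tunnel
    remote_networks: List[str] = field(default_factory=list) # networks that must be reachable through it

    def transport_source(self):
        # Guideline: with a source interface, the tunnel source is that interface's primary address.
        if self.source is not None:
            return ipaddress.ip_address(self.source)
        if self.source_interface_primary is not None:
            return ipaddress.ip_address(self.source_interface_primary)
        return None


def _covered(net, container) -> bool:
    """True if `net` lies inside `container` (False across address families)."""
    return net.version == container.version and net.subnet_of(container)


def check_tunnel(t: TunnelConfig) -> List[str]:
    """Return the guideline violations found on one tunnel interface (empty if none)."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(t.address)
    dest = ipaddress.ip_address(t.destination)
    routes = [ipaddress.ip_network(r, strict=False) for r in t.routes]
    # Guideline: the tunnel interface address and the tunnel destination must not share a subnet.
    # Only comparable when both are the same family (e.g. IPv4 over IPv4).
    if dest.version == iface.version and dest in iface.network:
        problems.append(f"{t.name}: destination {dest} is on the tunnel interface subnet {iface.network}")
    # Guideline: a route through the tunnel must not cover the tunnel destination itself.
    for net in routes:
        if net.version == dest.version and dest in net:
            problems.append(f"{t.name}: route {net} through the tunnel covers the tunnel destination {dest}")
    # Guideline: a remote network outside the tunnel interface subnet needs a route through the tunnel.
    for n in t.remote_networks:
        net = ipaddress.ip_network(n, strict=False)
        if not (_covered(net, iface.network) or any(_covered(net, r) for r in routes)):
            problems.append(f"{t.name}: no route through the tunnel for {net}")
    if t.transport_source() is None:
        problems.append(f"{t.name}: no source address or source interface configured")
    return problems


def check_tunnels(tunnels: List[TunnelConfig]) -> List[str]:
    """Check each tunnel, then the guideline that tunnels with the same encapsulation
    must differ in their source/destination pair."""
    problems: List[str] = []
    seen = {}
    for t in tunnels:
        problems.extend(check_tunnel(t))
        src = t.transport_source()
        if src is None:
            continue
        key = (t.protocol, src, ipaddress.ip_address(t.destination))
        if key in seen:
            problems.append(f"{t.name}: same protocol, source and destination as {seen[key]}")
        else:
            seen[key] = t.name
    return problems


# Constructed after Router A in the configuration example: passes every guideline.
ROUTER_A_TUNNELS = [
    TunnelConfig("Tunnel1", "ipv4-ipv4", "10.1.2.1/24", "3.1.1.1", source="2.1.1.1",
                 routes=["10.1.3.0/24"], remote_networks=["10.1.3.0/24"]),
]

# Constructed counterexample: destination inside the interface subnet, a route that
# swallows the destination, a remote network with no route, and a duplicate tunnel.
BAD_TUNNELS = [
    TunnelConfig("Tunnel1", "ipv4-ipv4", "3.1.1.5/24", "3.1.1.1", source="2.1.1.1",
                 routes=["3.1.1.0/24"], remote_networks=["10.1.3.0/24"]),
    TunnelConfig("Tunnel2", "ipv4-ipv4", "10.1.5.1/24", "3.1.1.1", source_interface_primary="2.1.1.1"),
]


def demo_problems():
    return check_tunnels(ROUTER_A_TUNNELS), check_tunnels(BAD_TUNNELS)


if __name__ == "__main__":
    good, bad = demo_problems()
    print("Router A:", good or "no problems")
    print("counterexample:", *bad, sep="\n  ")
```

For an IPv4 over IPv6 tunnel the interface address is IPv4 while the destination is IPv6, so the same-subnet checks do not apply and the validator skips them, which matches the shorter guideline list for that tunnel type.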
Configuration procedure
To configure an IPv4 over IPv4 tunnel:
388. Enter system view.
   Command: system-view
   Remarks: N/A
389. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
390. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.
391. Specify the IPv4 over IPv4 tunnel mode.
   Command: tunnel-protocol ipv4-ipv4
   Remarks: The same tunnel mode should be configured at both ends of the tunnel. Otherwise, packet delivery fails.
392. Configure a source address or interface for the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel.
393. Configure a destination address for the tunnel interface.
   Command: destination ip-address
   Remarks: By default, no destination address is configured for the tunnel.
Configuration example
Network requirements
As shown in Figure 88, the two subnets Group 1 and Group 2 use private IPv4 addresses. Configure an
IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each other.
Figure 88 Network diagram
Configuration procedure
Make sure Router A and Router B can reach each other through IPv4.
• Configure Router A:
# Configure an IPv4 address for Ethernet 1/1.
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 10.1.1.1 255.255.255.0
[RouterA-Ethernet1/1] quit
# Configure an IPv4 address for Serial 2/0 (the physical interface of the tunnel).
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address 2.1.1.1 255.255.255.0
[RouterA-Serial2/0] quit
# Create interface Tunnel 1.
[RouterA] interface tunnel 1
# Configure an IPv4 address for interface Tunnel 1.
[RouterA-Tunnel1] ip address 10.1.2.1 255.255.255.0
# Configure the tunnel encapsulation mode as IPv4 over IPv4.
[RouterA-Tunnel1] tunnel-protocol ipv4-ipv4
# Configure the source address for interface Tunnel 1 (IP address of Serial 2/0).
[RouterA-Tunnel1] source 2.1.1.1
# Configure the destination address for interface Tunnel 1 (IP address of Serial 2/1 of Router B).
[RouterA-Tunnel1] destination 3.1.1.1
[RouterA-Tunnel1] quit
# Configure a static route destined for the IP network Group 2 through interface Tunnel 1.
[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
• Configure Router B:
# Configure an IPv4 address for Ethernet 1/1.
<RouterB> system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 10.1.3.1 255.255.255.0
[RouterB-Ethernet1/1] quit
# Configure an IPv4 address for Serial 2/1 (the physical interface of the tunnel).
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ip address 3.1.1.1 255.255.255.0
[RouterB-Serial2/1] quit
# Create interface Tunnel 2.
[RouterB] interface tunnel 2
# Configure an IPv4 address for interface Tunnel 2.
[RouterB-Tunnel2] ip address 10.1.2.2 255.255.255.0
# Configure the tunnel encapsulation mode as IPv4 over IPv4.
[RouterB-Tunnel2] tunnel-protocol ipv4-ipv4
# Configure the source address for interface Tunnel 2 (IP address of Serial 2/1).
[RouterB-Tunnel2] source 3.1.1.1
# Configure a destination address for interface Tunnel 2 (IP address of Serial 2/0 of Router A).
[RouterB-Tunnel2] destination 2.1.1.1
[RouterB-Tunnel2] quit
# Configure a static route destined for the IP network Group 1 through interface Tunnel 2.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2
Verifying the configuration
# Display the status of the tunnel interfaces on Router A and Router B, respectively.
[RouterA] display interface tunnel 1
Tunnel1 current state: UP
Line protocol current state: UP
Description: Tunnel1 Interface
The Maximum Transmit Unit is 64000
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set
Tunnel source 2.1.1.1, destination 3.1.1.1
Tunnel protocol/transport IP/IP
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 2 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
4 packets input, 256 bytes
0 input error
12 packets output, 768 bytes
0 output error
[RouterB] display interface tunnel 2
Tunnel2 current state: UP
Line protocol current state: UP
Description: Tunnel2 Interface
The Maximum Transmit Unit is 64000
Internet Address is 10.1.2.2/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set
Tunnel source 3.1.1.1, destination 2.1.1.1
Tunnel protocol/transport IP/IP
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
5 packets input, 320 bytes
0 input error
9 packets output, 576 bytes
0 output error
# Ping the IPv4 address of the peer interface Ethernet 1/1 (on Router B) from Router A.
[RouterA] ping 10.1.3.1
PING 10.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.3.1: bytes=56 Sequence=1 ttl=255 time=15 ms
Reply from 10.1.3.1: bytes=56 Sequence=2 ttl=255 time=15 ms
Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 10.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/15/16 ms
Configuring an IPv4 over IPv6 manual tunnel
Configuration prerequisites
Configure an IPv6 address for the interface (such as a VLAN interface, Ethernet interface, or loopback
interface) to be configured as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure an IPv4 over IPv6 manual tunnel:
• If the destination IPv4 network is not on the same subnet as the IPv4 address of the local tunnel interface, you must configure a route destined for the destination IPv4 network through the tunnel interface. You can configure a static route, and specify the local tunnel interface as the output interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop. Alternatively, you can enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose. For the detailed configuration, see Layer 3—IP Routing Configuration Guide.
• Two or more local tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
• If you specify a source interface instead of a source address for a tunnel interface, the source address of the tunnel interface is the primary IP address of the source interface.
Configuration procedure
To configure an IPv4 over IPv6 manual tunnel:
394. Enter system view.
   Command: system-view
   Remarks: N/A
395. Enable IPv6.
   Command: ipv6
   Remarks: By default, the IPv6 packet forwarding function is disabled.
396. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
397. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.
398. Specify the IPv4 over IPv6 manual tunnel mode.
   Command: tunnel-protocol ipv4-ipv6
   Remarks: The same tunnel mode should be configured at both ends of the tunnel. Otherwise, packet delivery fails.
399. Configure the source address or interface for the tunnel interface.
   Command: source { ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel.
400. Configure the destination address for the tunnel interface.
   Command: destination ipv6-address
   Remarks: By default, no destination address is configured for the tunnel.
Configuration example
Network requirements
As shown in Figure 89, configure an IPv4 over IPv6 manual tunnel between Router A and Router B so the
two IPv4 networks can reach each other over the IPv6 network.
Figure 89 Network diagram
Configuration procedure
Make sure Router A and Router B can reach each other through IPv6.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 30.1.1.1 255.255.255.0
[RouterA-Ethernet1/1] quit
# Configure an IPv6 address for Serial 2/0 (the physical interface of the tunnel).
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 2002::1:1 64
[RouterA-Serial2/0] quit
# Create interface Tunnel 1.
[RouterA] interface tunnel 1
# Configure an IPv4 address for interface Tunnel 1.
[RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Configure the tunnel encapsulation mode as IPv4 over IPv6.
[RouterA-Tunnel1] tunnel-protocol ipv4-ipv6
# Configure the source address for interface Tunnel 1 (IP address of Serial 2/0).
[RouterA-Tunnel1] source 2002::1:1
# Configure the destination address for interface Tunnel 1 (IP address of Serial 2/1 of Router B).
[RouterA-Tunnel1] destination 2002::2:1
[RouterA-Tunnel1] quit
# Configure a static route from Router A through interface Tunnel 1 to Group 2.
[RouterA] ip route-static 30.1.3.0 255.255.255.0 tunnel 1
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv4 address for Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 30.1.3.1 255.255.255.0
[RouterB-Ethernet1/1] quit
# Configure an IPv6 address for Serial 2/1 (the physical interface of the tunnel).
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2002::2:1 64
[RouterB-Serial2/1] quit
# Create interface Tunnel 2.
[RouterB] interface tunnel 2
# Configure an IPv4 address for interface Tunnel 2.
[RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0
# Configure the tunnel encapsulation mode as IPv4 over IPv6.
[RouterB-Tunnel2] tunnel-protocol ipv4-ipv6
# Configure the source address for interface Tunnel 2 (IP address of Serial 2/1).
[RouterB-Tunnel2] source 2002::2:1
# Configure a destination address for interface Tunnel 2 (IP address of Serial 2/0 of Router A).
[RouterB-Tunnel2] destination 2002::1:1
[RouterB-Tunnel2] quit
# Configure a static route from Router B through interface Tunnel 2 to Group 1.
[RouterB] ip route-static 30.1.1.0 255.255.255.0 tunnel 2
Verifying the configuration
# Display the status of the tunnel interfaces on Router A and Router B, respectively.
[RouterA] display interface tunnel 1
Tunnel1 current state: UP
Line protocol current state: UP
Description: Tunnel1 Interface
The Maximum Transmit Unit is 64000
Internet Address is 30.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set
Tunnel source 2002::0001:0001, destination 2002::0002:0001
Tunnel protocol/transport IP/IPv6
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
152 packets input, 9728 bytes
0 input error
168 packets output, 10752 bytes
0 output error
[RouterB] display interface tunnel 2
Tunnel2 current state: UP
Line protocol current state: UP
Description: Tunnel2 Interface
The Maximum Transmit Unit is 64000
Internet Address is 30.1.2.2/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set
Tunnel source 2002::0002:0001, destination 2002::0001:0001
Tunnel protocol/transport IP/IPv6
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 1 bytes/sec, 0 packets/sec
Last 300 seconds output: 1 bytes/sec, 0 packets/sec
167 packets input, 10688 bytes
0 input error
170 packets output, 10880 bytes
0 output error
# Ping the IPv4 address of the peer interface Ethernet 1/1 (on Router B) from Router A.
[RouterA] ping 30.1.3.1
PING 30.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 30.1.3.1: bytes=56 Sequence=1 ttl=255 time=46 ms
Reply from 30.1.3.1: bytes=56 Sequence=2 ttl=255 time=15 ms
Reply from 30.1.3.1: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 30.1.3.1: bytes=56 Sequence=4 ttl=255 time=15 ms
Reply from 30.1.3.1: bytes=56 Sequence=5 ttl=255 time=16 ms
--- 30.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/21/46 ms
Configuring a DS-Lite tunnel
The following section describes the DS-Lite tunnel configuration on the CPE and on the AFTR.
Configuration prerequisites
Configure IPv6 addresses for interfaces (such as the VLAN interface, Ethernet interface, and loopback
interface). One of the interfaces is used as the source interface of the tunnel.
Configuring the CPE of a tunnel
You can configure the CPE of a DS-Lite tunnel or IPv4 over IPv6 manual tunnel:
• If you configure a DS-Lite tunnel on the CPE, the CPE automatically obtains the IPv6 address of the AFTR through DHCPv6 and uses the address as the destination address of the tunnel.
• If you configure an IPv4 over IPv6 manual tunnel on the CPE, you must manually specify the address of the AFTR as the destination address of the tunnel.
This section describes how to configure a DS-Lite tunnel on the CPE. For information about how to
configure an IPv4 over IPv6 manual tunnel on the CPE, see "Configuring an IPv4 over IPv6 manual
tunnel."
Follow these guidelines when you configure the CPE of a DS-Lite tunnel:
• Tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
• To encapsulate and forward IPv4 packets whose destination address does not belong to the subnet where the receiving tunnel interface resides, configure a static route or dynamic routing for forwarding those packets through this tunnel interface. If you configure a static route to that destination IPv4 address, specify this tunnel interface as the outbound interface, or the peer tunnel interface address as the next hop. A similar configuration is required at the other tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing protocol on both tunnel interfaces. For more configuration, see Layer 3—IP Routing Configuration Guide.
• If you configure a DS-Lite tunnel on the CPE, you can specify the source interface but not the source address for the tunnel interface. The primary IP address of the source interface is the source address of the tunnel. After you configure the source interface for the tunnel, the CPE automatically obtains the address of the AFTR through DHCPv6 and uses the address as the destination address of the tunnel.
To configure the CPE of a DS-Lite tunnel:
401. Enter system view.
   Command: system-view
   Remarks: N/A
402. Enable IPv6.
   Command: ipv6
   Remarks: Not enabled by default.
403. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
404. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.
405. Specify the DS-Lite CPE tunnel mode.
   Command: tunnel-protocol ipv4-ipv6 dslite-cpe
   Remarks: The tunnel mode at the other end of the tunnel should be DS-Lite AFTR. Otherwise, packet delivery fails.
406. Configure the source interface for the tunnel interface.
   Command: source interface-type interface-number
   Remarks: By default, no source interface is configured for the tunnel.
Configuring the AFTR of a tunnel
Follow these guidelines when you configure the AFTR of a DS-Lite tunnel:
• Tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
• If you configure the source interface for the tunnel, the primary IP address of the source interface is the source address of the tunnel.
• Configuring a destination address on the AFTR is unnecessary. When receiving a packet from the tunnel, the AFTR records the source IPv6 address of the packet and uses it as the IPv6 address of the tunnel destination (address of the CPE).
• Enable NAT on the AFTR's interface which is connected to the Internet. AFTR does not support static NAT mappings or VPN instance matching. If an ACL rule includes a VPN instance, the rule does not take effect.
• A CPE tunnel interface can establish a tunnel with only one AFTR tunnel interface, but an AFTR tunnel interface can establish tunnels with multiple CPE tunnel interfaces.
To configure the AFTR of a DS-Lite tunnel:
407. Enter system view.
   Command: system-view
   Remarks: N/A
408. Enable IPv6.
   Command: ipv6
   Remarks: By default, the IPv6 packet forwarding function is disabled.
409. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
410. Configure an IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: By default, no IPv4 address is configured for the tunnel interface.
411. Specify the DS-Lite AFTR tunnel mode.
   Command: tunnel-protocol ipv4-ipv6 dslite-aftr
   Remarks: The tunnel mode at the other end of the tunnel should be DS-Lite CPE. Otherwise, packet delivery fails.
412. Configure the source address or interface for the tunnel interface.
   Command: source { ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel.
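Two of the AFTR guidelines above decide how the data plane behaves: the AFTR learns each CPE's IPv6 address from the outer source of the packets it receives (so one AFTR tunnel interface serves many CPEs), and it applies NAT on the public-facing interface under an ACL. Because the NAT binding can be keyed by the CPE address as well as the inner private address and port, CPEs whose private networks overlap do not collide, which is what the configuration example that follows relies on. The Python below is an added illustration of that behaviour, not code from this guide or the router software; DsLiteAftr, Flow and the sample addresses are constructed for this example, and the ACL it honours is modelled on the example's acl 2000 (permit 10.0.0.0/24).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Inner IPv4 flow carried inside the IPv4 over IPv6 tunnel (constructed sample)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class DsLiteAftr:
    """Toy AFTR data plane: records the CPE from the outer IPv6 source, then translates the
    inner private IPv4 flow to one public address. The binding key includes the CPE address,
    so identical private addresses behind different CPEs get distinct public ports."""

    def __init__(self, public_ip: str, permitted: List[str], first_port: int = 1024):
        self.public_ip = public_ip
        # Only inner sources matched by the NAT ACL are translated; others are not forwarded.
        self.permitted = [ipaddress.ip_network(n) for n in permitted]
        self.next_port = first_port
        self.cpes: Set[str] = set()                                  # learned tunnel destinations
        self.bindings: Dict[Tuple[str, str, int, str], int] = {}     # (cpe, priv ip, priv port, proto) -> public port
        self.reverse: Dict[Tuple[int, str], Tuple[str, str, int]] = {}  # (public port, proto) -> (cpe, priv ip, priv port)

    def outbound(self, outer_src_ipv6: str, flow: Flow) -> Optional[Tuple[str, int]]:
        """Packet decapsulated from the tunnel, heading to the public IPv4 network.
        Returns the translated (public IP, public port), or None if the ACL does not permit it."""
        cpe = str(ipaddress.IPv6Address(outer_src_ipv6))   # the AFTR records this as the CPE's address
        self.cpes.add(cpe)
        inner_src = ipaddress.ip_address(flow.src_ip)
        if not any(inner_src in net for net in self.permitted):
            return None
        key = (cpe, flow.src_ip, flow.src_port, flow.proto)
        port = self.bindings.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.reverse[(port, flow.proto)] = (cpe, flow.src_ip, flow.src_port)
        return self.public_ip, port

    def inbound(self, proto: str, public_port: int) -> Optional[Tuple[str, str, int]]:
        """Reply arriving from the public network. Returns (CPE IPv6 address to encapsulate
        toward, private IPv4 address, private port), or None if there is no binding."""
        return self.reverse.get((public_port, proto))


def demo():
    """Two CPEs whose private networks both use 10.0.0.0/24 (constructed after the example)."""
    aftr = DsLiteAftr("20.1.1.1", ["10.0.0.0/24"])
    first = aftr.outbound("1::1", Flow("10.0.0.2", 40000, "20.1.1.2", 53))
    second = aftr.outbound("1::5", Flow("10.0.0.2", 40000, "20.1.1.2", 53))
    return aftr, first, second


if __name__ == "__main__":
    aftr, first, second = demo()
    print("CPE 1::1 host 10.0.0.2 ->", first)
    print("CPE 1::5 host 10.0.0.2 ->", second)
    print("reply to port 1025 goes back to", aftr.inbound("udp", 1025))
```

The reverse lookup returns the CPE address, which is what the AFTR needs as the outer IPv6 destination when it re-encapsulates the reply; a plain NAT44 table without the CPE in its key could not tell the two 10.0.0.2 hosts apart.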
Configuration example
Network requirements
As shown in Figure 90, a private IPv4 network and a public IPv4 network are separated by an IPv6
network.
Build a DS-Lite tunnel between CPE (Router A) and AFTR (Router B) and configure NAT on AFTR's
interface connecting to the public IPv4 network, so that hosts in the private IPv4 network can access the
public IPv4 network and hosts from different private IPv4 networks can use the same IPv4 addresses.
In the IPv6 network, deploy a DHCPv6 server (Router C) for CPE to obtain AFTR's IPv6 address.
Figure 90 Network diagram
Configuration procedure
Before you configure a DS-Lite tunnel, make sure Router A and Router B can reach each other.
In this example, Router A and Router C are in the same network segment. Otherwise, you must deploy a
DHCPv6 relay agent between them. DHCPv6 relay agent is beyond the scope of this document. For more
information about DHCPv6, see "Configuring DHCPv6 relay agent."
• Configure Router A (the CPE):
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for interface Ethernet1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 10.0.0.2 255.255.255.0
[RouterA-Ethernet1/1] quit
# Configure an IPv6 address for interface Ethernet1/2 (the physical interface of the tunnel).
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ipv6 address 1::1 64
[RouterA-Ethernet1/2] quit
# Create interface Tunnel 1.
[RouterA] interface tunnel 1
# Configure an IPv4 address for interface Tunnel 1.
[RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Specify the tunnel encapsulation mode as IPv4 over IPv6.
[RouterA-Tunnel1] tunnel-protocol ipv4-ipv6 dslite-cpe
# Configure a source interface for Tunnel 1.
[RouterA-Tunnel1] source ethernet 1/2
[RouterA-Tunnel1] quit
# Configure a static route to the public IPv4 network.
[RouterA] ip route-static 20.1.1.0 255.255.255.0 tunnel 1
• Configure Router B (the AFTR):
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv6 address for interface Ethernet 1/1 (the physical interface of the tunnel).
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ipv6 address 1::2 64
[RouterB-Ethernet1/1] quit
# Configure an IPv4 address for interface Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 20.1.1.1 24
[RouterB-Ethernet1/2] quit
# Create interface Tunnel 2.
[RouterB] interface tunnel 2
# Configure an IPv4 address for interface Tunnel 2.
[RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0
# Specify the tunnel encapsulation mode as IPv4 over IPv6.
[RouterB-Tunnel2] tunnel-protocol ipv4-ipv6 dslite-aftr
# Configure the source interface for interface Tunnel 2.
[RouterB-Tunnel2] source ethernet 1/1
[RouterB-Tunnel2] quit
# Configure NAT and use the IP address of interface Ethernet 1/2 as the translated IP address.
[RouterB] acl number 2000
[RouterB-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255
[RouterB-acl-basic-2000] quit
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] nat outbound 2000
[RouterB-Ethernet1/2] quit
• Configure Router C (the DHCPv6 server):
# Enable IPv6.
<RouterC> system-view
[RouterC] ipv6
# Enable DHCPv6.
[RouterC] ipv6 dhcp server enable
# Create address pool 1 and specify the address of the AFTR (1::2).
[RouterC] ipv6 dhcp pool 1
[RouterC-dhcp6-pool-1] ds-lite address 1::2
[RouterC-dhcp6-pool-1] quit
# Configure the IPv6 address of interface Ethernet1/1.
[RouterC] interface ethernet 1/1
[RouterC-Ethernet1/1] ipv6 address 1::3 64
# Apply address pool 1 to the interface.
[RouterC-Ethernet1/1] ipv6 dhcp server apply pool 1
Verifying the configuration
Display the status of the tunnel interfaces on Router A and Router B:
[RouterA] display interface tunnel 1
Tunnel1 current state: UP
Line protocol current state: UP
Description: Tunnel1 Interface
The Maximum Transmit Unit is 1460
Internet Address is 30.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 1::1 (Ethernet1/2)
Tunnel bandwidth 64 (kbps)
Tunnel protocol/transport IP/IPv6 dslite-cpe
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
9 packets input, 540 bytes
0 input error
9 packets output, 540 bytes
0 output error
[RouterB] display interface tunnel 2
Tunnel2 current state: UP
Line protocol current state: UP
Description: Tunnel2 Interface
The Maximum Transmit Unit is 1460
Internet Address is 30.1.2.2/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 1::2 (Ethernet1/1)
Tunnel bandwidth 64 (kbps)
Tunnel protocol/transport IP/IPv6 dslite-aftr
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
65 packets input, 3900 bytes
0 input error
65 packets output, 3900 bytes
0 output error
# Ping the IPv4 host on the public network from the IPv4 host on the private network:
[RouterA] ping -a 10.0.0.2 20.1.1.2
PING 20.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 20.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 20.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 20.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 20.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 20.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Configuring an IPv6 over IPv6 tunnel
Configuration prerequisites
Configure an IPv6 address for the interface (such as a VLAN interface, Ethernet interface, or loopback
interface) to be configured as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure an IPv6 over IPv6 tunnel:
• If the two tunnel interfaces at the tunnel ends reside on different subnets, you must configure a static route or dynamic routing at each tunnel end so that the tunnel interfaces can reach each other over the tunnel.
• If the destination IPv6 network is not on the same subnet as the IPv6 address of the local tunnel interface, you must configure a route destined for the destination IPv6 network through the tunnel interface. You can configure a static route, and specify the local tunnel interface as the output interface or specify the IPv6 address of the peer tunnel interface as the next hop. Alternatively, you can enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose. For more configuration, see Layer 3—IP Routing Configuration Guide.
• The IPv6 address of the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface.
• The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface.
• Two or more tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
• If you specify a source interface instead of a source address for the tunnel, the source address of the tunnel is the primary IP address of the source interface.
• Only the IPv6 over IPv6 tunnel has a maximum number of nested encapsulations for a packet.
Configuration procedure
To configure an IPv6 over IPv6 tunnel:
413. Enter system view.
   Command: system-view
   Remarks: N/A
414. Enable IPv6.
   Command: ipv6
   Remarks: By default, the IPv6 packet forwarding function is disabled.
415. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
416. Configure an IPv6 address for the tunnel interface.
   Command (Method 1, configure an IPv6 global unicast address or site-local address):
     ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
     ipv6 address ipv6-address/prefix-length eui-64
   Command (Method 2, configure an IPv6 link-local address):
     ipv6 address auto link-local
     ipv6 address ipv6-address link-local
   Remarks: Use either method. By default, no IPv6 address is configured for the tunnel interface.
417. Specify the IPv6 over IPv6 tunnel mode.
   Command: tunnel-protocol ipv6-ipv6
   Remarks: The same tunnel mode should be configured at both ends of the tunnel. Otherwise, packet delivery fails.
418. Configure a source address or interface for the tunnel interface.
   Command: source { ipv6-address | interface-type interface-number }
   Remarks: By default, no source address or interface is configured for the tunnel.
419. Configure the destination address for the tunnel interface.
   Command: destination ipv6-address
   Remarks: By default, no destination address is configured for the tunnel.
420. Return to system view.
   Command: quit
   Remarks: N/A
421. Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses.
   Command: tunnel discard ipv4-compatible-packet
   Remarks: Optional. The default setting is disabled.
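Step 421 and the nesting-limit guideline above both act on what a receiving router finds after it strips the outer header: an inner packet addressed with the deprecated IPv4-compatible form ::a.b.c.d, or an inner packet that is itself yet another IPv6 over IPv6 encapsulation. The Python below is an added illustration of that receive-side processing, not code from this guide or the router software: it assembles IPv6-in-IPv6 packets for the Router A to Router B tunnel of the example that follows, checks that the outer addresses belong to the configured tunnel, applies the IPv4-compatible drop, and bounds nested encapsulations. The max_nesting value is an assumed limit for the example, not the router's configured maximum, and all function names are this example's own.

```python
import ipaddress
import struct
from typing import Tuple, Union

IPPROTO_IPV6 = 41      # Next Header value for an encapsulated IPv6 packet
IPPROTO_ICMPV6 = 58
# Fixed IPv6 header: version/class/flow, payload length, next header, hop limit, src, dst
IPV6_HDR = struct.Struct("!IHBB16s16s")


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Assemble a minimal IPv6 packet (no extension headers)."""
    return IPV6_HDR.pack(6 << 28, len(payload), next_header, hop_limit,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed) + payload


def parse_ipv6(pkt: bytes):
    """Return (src, dst, next_header, payload); raise ValueError on a malformed header."""
    if len(pkt) < IPV6_HDR.size:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, _hop, src, dst = IPV6_HDR.unpack_from(pkt)
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    payload = pkt[IPV6_HDR.size:IPV6_HDR.size + plen]
    if len(payload) != plen:
        raise ValueError("payload shorter than Payload Length")
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), nh, payload


def is_ipv4_compatible(addr: ipaddress.IPv6Address) -> bool:
    """IPv4-compatible IPv6 address ::a.b.c.d: upper 96 bits zero, excluding :: and ::1."""
    value = int(addr)
    return value >> 32 == 0 and value > 1


def receive_on_tunnel(pkt: bytes, tunnel_source: str, tunnel_destination: str,
                      discard_ipv4_compatible: bool, max_nesting: int = 1) -> Tuple[str, Union[bytes, str]]:
    """Process one packet arriving on an IPv6 over IPv6 tunnel interface.
    Returns ("forward", inner_packet) or ("drop", reason)."""
    src, dst, nh, payload = parse_ipv6(pkt)
    # Only traffic from the configured peer to our own source address belongs to this tunnel.
    if (src, dst) != (ipaddress.IPv6Address(tunnel_destination), ipaddress.IPv6Address(tunnel_source)):
        return "drop", "outer addresses do not match the tunnel"
    if nh != IPPROTO_IPV6:
        return "drop", f"unexpected outer next header {nh}"
    inner = payload
    inner_src, inner_dst, inner_nh, inner_payload = parse_ipv6(inner)
    # Step 421: tunnel discard ipv4-compatible-packet
    if discard_ipv4_compatible and (is_ipv4_compatible(inner_src) or is_ipv4_compatible(inner_dst)):
        return "drop", "inner packet uses an IPv4-compatible IPv6 address"
    # Guideline: bound the number of further IPv6-in-IPv6 layers the inner packet may carry.
    depth = 0
    while inner_nh == IPPROTO_IPV6:
        depth += 1
        if depth > max_nesting:
            return "drop", f"more than {max_nesting} nested encapsulations"
        _, _, inner_nh, inner_payload = parse_ipv6(inner_payload)
    return "forward", inner


# Constructed sample traffic for the example's tunnel: Router A (2002::11:1) to Router B (2002::22:1).
def sample_packets():
    inner = build_ipv6("2002:1::1", "2002:3::1", IPPROTO_ICMPV6, b"\x80\x00echo")
    normal = build_ipv6("2002::11:1", "2002::22:1", IPPROTO_IPV6, inner)
    compat = build_ipv6("2002::11:1", "2002::22:1", IPPROTO_IPV6,
                        build_ipv6("::10.0.0.1", "2002:3::1", IPPROTO_ICMPV6, b"x"))
    twice_nested = build_ipv6("2002::11:1", "2002::22:1", IPPROTO_IPV6,
                              build_ipv6("3001::1:1", "3001::1:2", IPPROTO_IPV6,
                                         build_ipv6("3001::1:1", "3001::1:2", IPPROTO_IPV6, inner)))
    return inner, normal, compat, twice_nested


if __name__ == "__main__":
    _, normal, compat, twice_nested = sample_packets()
    for name, p in (("normal", normal), ("ipv4-compatible", compat), ("nested", twice_nested)):
        print(name, "->", receive_on_tunnel(p, "2002::22:1", "2002::11:1", True)[0])
```

The outer-address check is the receive-side counterpart of the guideline that tunnels sharing an encapsulation must differ in source and destination: the pair is what identifies the tunnel a packet belongs to.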
Configuration example
Network requirements
As shown in Figure 91, configure an IPv6 over IPv6 tunnel between Router A and Router B so the two IPv6
networks can reach each other without disclosing their IPv6 addresses.
Figure 91 Network diagram
Configuration procedure
Make sure Router A and Router B can reach each other through IPv6.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv6 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 2002:1::1 64
[RouterA-Ethernet1/1] quit
# Configure an IPv6 address for Serial 2/0 (the physical interface of the tunnel).
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 2002::11:1 64
[RouterA-Serial2/0] quit
# Create interface Tunnel 1.
[RouterA] interface tunnel 1
# Configure an IPv6 address for interface Tunnel 1.
[RouterA-Tunnel1] ipv6 address 3001::1:1 64
# Configure the tunnel encapsulation mode as IPv6 over IPv6.
[RouterA-Tunnel1] tunnel-protocol ipv6-ipv6
# Configure a source address for interface Tunnel 1 (IP address of Serial 2/0).
[RouterA-Tunnel1] source 2002::11:1
# Configure a destination address for interface Tunnel 1 (IP address of Serial 2/1 of Router B).
[RouterA-Tunnel1] destination 2002::22:1
[RouterA-Tunnel1] quit
# Configure a static route destined for the IPv6 network Group 2 through interface Tunnel 1.
[RouterA] ipv6 route-static 2002:3:: 64 tunnel 1
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv6 address for Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ipv6 address 2002:3::1 64
[RouterB-Ethernet1/1] quit
# Configure an IPv6 address for Serial 2/1 (the physical interface of the tunnel).
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2002::22:1 64
[RouterB-Serial2/1] quit
# Create interface Tunnel 2.
[RouterB] interface tunnel 2
# Configure an IPv6 address for interface Tunnel 2.
[RouterB-Tunnel2] ipv6 address 3001::1:2 64
# Configure the tunnel encapsulation mode as IPv6 over IPv6.
[RouterB-Tunnel2] tunnel-protocol ipv6-ipv6
# Configure the source address for interface Tunnel 2 (IP address of Serial 2/1).
[RouterB-Tunnel2] source 2002::22:1
# Configure the destination address for interface Tunnel 2 (IP address of Serial 2/0 of Router A).
[RouterB-Tunnel2] destination 2002::11:1
[RouterB-Tunnel2] quit
# Configure a static route destined for the IPv6 network Group 1 through interface Tunnel 2.
[RouterB] ipv6 route-static 2002:1:: 64 tunnel 2
Verifying the configuration
# Display the status of the tunnel interfaces on Router A and Router B, respectively.
[RouterA] display ipv6 interface tunnel 1
Tunnel1 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::2013:1
Global unicast address(es):
3001::1:1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF13:1
FF02::1:FF01:1
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1460 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
...
[RouterB] display ipv6 interface tunnel 2
Tunnel2 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::2024:1
Global unicast address(es):
3001::1:2, subnet is 3001::/64
Joined group address(es):
FF02::1:FF24:1
FF02::1:FF01:2
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1460 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
...
# Ping the IPv6 address of the peer interface Ethernet 1/1 from Router A.
[RouterA] ping ipv6 2002:3::1
PING 2002:3::1 : 56 data bytes, press CTRL_C to break
Reply from 2002:3::1
bytes=56 Sequence=1 hop limit=64 time = 31 ms
Reply from 2002:3::1
bytes=56 Sequence=2 hop limit=64 time = 1 ms
Reply from 2002:3::1
bytes=56 Sequence=3 hop limit=64 time = 16 ms
Reply from 2002:3::1
bytes=56 Sequence=4 hop limit=64 time = 16 ms
Reply from 2002:3::1
bytes=56 Sequence=5 hop limit=64 time = 31 ms
--- 2002:3::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/19/31 ms
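The tunnel-protocol ipv6-ipv6 mode configured above carries each inner IPv6 packet inside a second IPv6 header whose next header field is 41; that outer header is why the tunnel interfaces report an MTU of 1460 bytes rather than the link MTU. The following Python model, added here as an illustration and not code from the HP guide or the router software, builds the outer header exactly as Router A would for the ping in the verification step (inner packet 2002:1::1 to 2002:3::1, outer header 2002::11:1 to 2002::22:1) and strips it as Router B would. It assumes a 1500-byte link MTU on the serial interfaces (the page does not state it), does not compute the ICMPv6 checksum of the inner packet, and adds one check the page does not describe: the decapsulating side only accepts packets whose outer source and destination match the configured tunnel endpoints. Note that such a tunnel provides no authentication or confidentiality on its own; the outer addresses are the only binding between the two ends.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40      # fixed IPv6 header size (RFC 8200)
NEXT_HEADER_IPV6 = 41     # next header value of the outer header for IPv6-in-IPv6
NEXT_HEADER_ICMPV6 = 58
PHYSICAL_MTU = 1500       # assumed link MTU of Serial 2/0 and Serial 2/1; not stated on the page


def tunnel_mtu(physical_mtu=PHYSICAL_MTU):
    """Largest inner packet the tunnel carries unfragmented: link MTU minus the outer header."""
    return physical_mtu - IPV6_HEADER_LEN


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """Pack a fixed IPv6 header: version 6, traffic class 0, flow label 0."""
    version_tc_flow = 6 << 28
    return struct.pack("!IHBB16s16s", version_tc_flow, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    """Unpack the first 40 bytes of a packet into its header fields."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, nh, hl, src, dst = struct.unpack("!IHBB16s16s", data[:IPV6_HEADER_LEN])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "payload_len": payload_len, "next_header": nh, "hop_limit": hl}


def encapsulate(inner_packet, tunnel_source, tunnel_destination):
    """Tunnel ingress (Router A): prepend an outer header addressed source -> destination."""
    if len(inner_packet) > tunnel_mtu():
        raise ValueError(f"inner packet of {len(inner_packet)} bytes exceeds tunnel MTU {tunnel_mtu()}")
    outer = build_ipv6_header(tunnel_source, tunnel_destination, len(inner_packet), NEXT_HEADER_IPV6)
    return outer + inner_packet


def decapsulate(outer_packet, tunnel_source, tunnel_destination):
    """Tunnel egress (Router B): strip the outer header and return the inner packet.

    The endpoint match below is an addition of this example; the page does not describe
    which outer-header fields the router itself validates.
    """
    outer = parse_ipv6_header(outer_packet)
    if outer["next_header"] != NEXT_HEADER_IPV6:
        raise ValueError("outer next header is not 41 (IPv6)")
    expected = (ipaddress.IPv6Address(tunnel_source), ipaddress.IPv6Address(tunnel_destination))
    if (outer["src"], outer["dst"]) != expected:
        raise ValueError("outer addresses do not match the configured tunnel endpoints")
    inner = outer_packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + outer["payload_len"]]
    if len(inner) != outer["payload_len"]:
        raise ValueError("truncated inner packet")
    parse_ipv6_header(inner)   # the payload must itself be a well-formed IPv6 packet
    return inner


def echo_request_over_tunnel():
    """Size accounting for the verification ping: 56 data bytes behind an 8-byte ICMPv6 header.

    The ICMPv6 body is constructed filler (checksum not computed); only the sizes matter here.
    """
    icmpv6 = b"\x80\x00\x00\x00\x00\x01\x00\x01" + bytes(56)   # type 128, code 0, id 1, seq 1
    inner = build_ipv6_header("2002:1::1", "2002:3::1", len(icmpv6), NEXT_HEADER_ICMPV6) + icmpv6
    outer = encapsulate(inner, "2002::11:1", "2002::22:1")
    assert decapsulate(outer, "2002::11:1", "2002::22:1") == inner
    return {"inner_len": len(inner), "outer_len": len(outer),
            "tunnel_mtu": tunnel_mtu(), "overhead": len(outer) - len(inner)}


if __name__ == "__main__":
    print(echo_request_over_tunnel())
```

The 40-byte overhead returned by echo_request_over_tunnel() is the difference between the 1500-byte link MTU assumed here and the 1460 bytes shown by display ipv6 interface tunnel; an inner packet larger than tunnel_mtu() must be fragmented or dropped before encapsulation.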
Displaying and maintaining tunneling configuration
Task: Display information about tunnel interfaces.
Command: display interface [ tunnel ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
         display interface tunnel number [ brief ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display IPv6 information on tunnel interfaces.
Command: display ipv6 interface tunnel [ number ] [ brief ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Clear statistics on tunnel interfaces.
Command: reset counters interface [ tunnel [ number ] ]
Remarks: Available in user view.
Troubleshooting tunneling configuration
Symptom
A tunnel interface configured with related parameters such as tunnel source address, tunnel destination
address, and tunnel mode cannot go up.
Solution
1. The common cause is that the physical interface of the tunnel source is not up. Use the display interface tunnel or display ipv6 interface tunnel command to verify that the physical interface of the tunnel source is up. If the physical interface is down, check the network connections.
2. Another possible cause is that the tunnel destination is unreachable. Use the display ipv6 routing-table or display ip routing-table command to verify that the tunnel destination is reachable. If no routing entry is available for tunnel communication in the routing table, configure a route to reach the tunnel destination.
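The two troubleshooting steps above amount to a short decision procedure: find the physical interface that owns the tunnel source, confirm it is up, then do a longest-prefix lookup of the tunnel destination in the routing table. The Python below, an added example and not code from the HP guide, runs that procedure over a constructed model of Router A from the configuration example (interface states and routes are entered by hand, not parsed from display output). It adds two checks the page does not list, both labelled in the code: the route to the destination must not point back into the tunnel itself, and the two ends must mirror each other (each end's source is the other end's destination, with the same tunnel mode).

```python
import copy
import ipaddress

# Constructed model of Router A from the configuration example (not command output from the page).
ROUTER_A = {
    "interfaces": {
        "Ethernet1/1": {"state": "UP", "addresses": ["2002:1::1/64"]},
        "Serial2/0":   {"state": "UP", "addresses": ["2002::11:1/64"]},
    },
    # (prefix, outgoing interface): the connected routes plus the static route through the tunnel
    "routes": [
        ("2002:1::/64", "Ethernet1/1"),
        ("2002::/64",   "Serial2/0"),
        ("2002:3::/64", "Tunnel1"),
    ],
}
TUNNEL_A = {"name": "Tunnel1", "mode": "ipv6-ipv6", "source": "2002::11:1", "destination": "2002::22:1"}
TUNNEL_B = {"name": "Tunnel2", "mode": "ipv6-ipv6", "source": "2002::22:1", "destination": "2002::11:1"}


def source_interface(router, tunnel_source):
    """Name of the physical interface that owns the tunnel source address, or None."""
    want = ipaddress.ip_address(tunnel_source)
    for name, iface in router["interfaces"].items():
        if any(ipaddress.ip_interface(a).ip == want for a in iface["addresses"]):
            return name
    return None


def route_lookup(routes, destination):
    """Longest-prefix match over (prefix, interface) tuples; returns (network, interface) or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == dst.version and dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def diagnose_tunnel(router, tunnel):
    """Steps 1 and 2 of the troubleshooting procedure; returns a list of findings (empty = nothing found)."""
    findings = []
    name = source_interface(router, tunnel["source"])
    if name is None:
        findings.append(f"tunnel source {tunnel['source']} is not configured on any interface")
    elif router["interfaces"][name]["state"] != "UP":
        state = router["interfaces"][name]["state"]
        findings.append(f"physical interface {name} of the tunnel source is {state}; check the network connections")
    route = route_lookup(router["routes"], tunnel["destination"])
    if route is None:
        findings.append(f"no route to tunnel destination {tunnel['destination']}; configure a route to reach it")
    elif route[1] == tunnel["name"]:
        # Added check, not one of the page's steps: a route to the destination that points into the
        # tunnel itself is recursive, and the tunnel cannot be brought up through itself.
        findings.append(f"route to tunnel destination {tunnel['destination']} points into {tunnel['name']} itself")
    return findings


def check_endpoints(tunnel_a, tunnel_b):
    """Added consistency check: modes must match and each end's source must be the other's destination."""
    findings = []
    if tunnel_a["mode"] != tunnel_b["mode"]:
        findings.append("tunnel modes differ")
    if ipaddress.ip_address(tunnel_a["source"]) != ipaddress.ip_address(tunnel_b["destination"]):
        findings.append(f"{tunnel_b['name']} destination is not {tunnel_a['name']} source")
    if ipaddress.ip_address(tunnel_a["destination"]) != ipaddress.ip_address(tunnel_b["source"]):
        findings.append(f"{tunnel_a['name']} destination is not {tunnel_b['name']} source")
    return findings


def with_interface_state(router, name, state):
    """Copy of the model with one interface forced to the given state (to simulate a failure)."""
    r = copy.deepcopy(router)
    r["interfaces"][name]["state"] = state
    return r


def without_route(router, prefix):
    """Copy of the model with one route removed (to simulate an unreachable destination)."""
    r = copy.deepcopy(router)
    r["routes"] = [x for x in r["routes"] if x[0] != prefix]
    return r


if __name__ == "__main__":
    print("healthy:", diagnose_tunnel(ROUTER_A, TUNNEL_A), check_endpoints(TUNNEL_A, TUNNEL_B))
    print("serial down:", diagnose_tunnel(with_interface_state(ROUTER_A, "Serial2/0", "DOWN"), TUNNEL_A))
    print("no route:", diagnose_tunnel(without_route(ROUTER_A, "2002::/64"), TUNNEL_A))
```

In the healthy model the lookup of 2002::22:1 resolves to the connected 2002::/64 route on Serial 2/0, so both findings lists are empty; taking Serial 2/0 down or removing that connected route reproduces the two causes the procedure describes.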
Configuring UDP helper
Overview
The UDP helper function supports two modes:
• Broadcast UDP helper—Relay specified UDP broadcast packets.
• Multicast UDP helper—Relay specified UDP multicast packets.
Broadcast UDP helper
Sometimes, a host needs to forward broadcasts to obtain network configuration information or request
the names of other devices on the network. However, if the server or the device to be requested is located
in another broadcast domain, the host cannot obtain such information through broadcast.
To solve this problem, the device provides the broadcast UDP helper function to relay specified UDP
packets. In other words, UDP helper functions as a relay agent that converts UDP broadcast packets into
unicast packets and forwards them to a specified destination server.
With broadcast UDP helper enabled, if the destination port number of the received UDP broadcast
packet matches the one pre-configured on the device, the device makes a copy of the packet, modifies
the destination IP address in the IP header, and then sends the packet to the specified destination server.
Multicast UDP helper
In some networks, the intermediate devices forward packets as multicast while the edge device delivers them as broadcast.
On the last-hop device of the multicast path, configure a mapping between a multicast address and a subnet
broadcast address so that a packet can pass through the intermediate devices as multicast and still be delivered as a broadcast on the destination subnet.
With multicast UDP helper enabled, if the destination port number of the received UDP multicast packet
matches the one pre-configured on the device, the device looks for the mapping between multicast
address and subnet broadcast address. If the mapping can be found, the device makes a copy of the
packet, modifies the destination IP address in the IP header to the subnet broadcast address, and then
sends the packet.
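Both modes are the same operation with a different target: match the destination UDP port against the configured list, copy the datagram, and replace the destination IP address (a unicast server for broadcast helper, a subnet broadcast address for multicast helper). Because the destination address is covered by both the IPv4 header checksum and the UDP pseudo-header checksum, a relay that rewrites it must recompute both. The following Python model is an added example, not code from the HP guide or the router software; the packets, interface names, the NetBIOS name service port 137 and the server addresses are constructed for the demonstration. It also enforces, at configuration time, the guideline stated in the next section that the port list must not include the DHCP ports 67 and 68. Since the helper turns a link-local broadcast into traffic that crosses subnets, restrict the port list to the services that actually need it.

```python
import ipaddress
import struct

DHCP_PORTS = {67, 68}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
PROTO_UDP = 17


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used for both IPv4 and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src_ip, dst_ip, src_port, dst_port, payload, ttl=64):
    """Minimal IPv4 (no options) + UDP datagram with both checksums filled in."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_UDP, udp_len)
    udp_csum = checksum(pseudo + udp) or 0xFFFF   # 0 would mean "no checksum", so send all-ones
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, ttl, PROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def parse_udp_datagram(packet):
    """Extract the addressing fields and payload of an IPv4/UDP datagram."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_UDP:
        raise ValueError("not a UDP datagram")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {"src_ip": ipaddress.IPv4Address(packet[12:16]), "dst_ip": ipaddress.IPv4Address(packet[16:20]),
            "src_port": src_port, "dst_port": dst_port, "ttl": packet[8],
            "payload": packet[ihl + 8:ihl + udp_len]}


def rewrite_destination(packet, new_dst):
    """Copy of the datagram with a new destination IP; both checksums are recomputed."""
    h = parse_udp_datagram(packet)
    return build_udp_datagram(str(h["src_ip"]), new_dst, h["src_port"], h["dst_port"], h["payload"], ttl=h["ttl"])


class UdpHelper:
    """Relay decision for both modes: broadcast -> unicast servers, multicast -> subnet broadcast."""

    def __init__(self):
        self.ports = set()       # UDP destination ports to relay
        self.servers = {}        # ingress interface -> [unicast server addresses]
        self.group_map = {}      # multicast group -> subnet broadcast address

    def add_port(self, port):
        # Guideline from the page: the configured ports must not include the DHCP ports 67 and 68.
        if port in DHCP_PORTS:
            raise ValueError(f"UDP port {port} is a DHCP port and must not be relayed by UDP helper")
        self.ports.add(port)

    def add_server(self, iface, server):
        self.servers.setdefault(iface, []).append(server)

    def map_group(self, group, subnet_broadcast):
        g = ipaddress.IPv4Address(group)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast address")
        self.group_map[g] = subnet_broadcast

    def relay(self, ingress_iface, iface_network, packet):
        """Return the rewritten copies the device would send for one received datagram ([] = not relayed)."""
        h = parse_udp_datagram(packet)
        if h["dst_port"] not in self.ports:
            return []
        dst = h["dst_ip"]
        subnet_broadcast = ipaddress.IPv4Network(iface_network, strict=False).broadcast_address
        if dst == LIMITED_BROADCAST or dst == subnet_broadcast:
            # Broadcast UDP helper: one unicast copy per server configured on the ingress interface
            return [rewrite_destination(packet, s) for s in self.servers.get(ingress_iface, [])]
        if dst.is_multicast and dst in self.group_map:
            # Multicast UDP helper: one copy addressed to the mapped subnet broadcast
            return [rewrite_destination(packet, self.group_map[dst])]
        return []
```

A datagram to 255.255.255.255 port 137 received on an interface that has a server configured is relayed as a unicast copy to that server with the original source, ports and payload intact, while a datagram to a port outside the list is ignored; checksum(packet[:20]) over a relayed copy's IPv4 header evaluates to 0, which is the receiver-side check that the rewrite left the header valid.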
Configuring broadcast UDP helper
When you configure broadcast UDP helper, follow these guidelines:
• The broadcast UDP helper enabled device must not forward DHCP broadcast packets that use destination port 67 or 68. Therefore, the UDP port numbers set with the udp-helper port command must not include 67 or 68.
• By default, some devices that support directed broadcasts