HP A3100 v2 Switch Series

Layer 3 - IP Services
Configuration Guide
HP A3100-8 v2 SI Switch (JG221A)
HP A3100-16 v2 SI Switch (JG222A)
HP A3100-24 v2 SI Switch (JG223A)
HP A3100-8 v2 EI Switch (JD318B)
HP A3100-16 v2 EI Switch (JD319B)
HP A3100-24 v2 EI Switch (JD320B)
HP A3100-8-PoE v2 EI Switch (JD311B)
HP A3100-16-PoE v2 EI Switch (JD312B)
HP A3100-24-PoE v2 EI Switch (JD313B)
Part number: 5998-1965
Software version: Release 5103
Document version: 6W100-20110909
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
Contents
ARP configuration
    ARP overview
        ARP function
        ARP message format
        Operation of ARP
        ARP table
    Configuring ARP
        Configuring a static ARP entry
        Configuring the maximum number of dynamic ARP entries for an interface
        Setting the age timer for dynamic ARP entries
        Enabling dynamic ARP entry check
    Displaying and maintaining ARP
    ARP configuration example
Gratuitous ARP configuration
    Introduction to gratuitous ARP
    Configuring gratuitous ARP
IP addressing configuration
    IP addressing overview
        IP address classes
        Special IP addresses
        Subnetting and masking
    Configuring IP addresses
        Assigning an IP address to an interface
    Displaying and maintaining IP addressing
DHCP overview
    Introduction to DHCP
    DHCP address allocation
        Allocation mechanisms
        Dynamic IP address allocation process
        IP address lease extension
    DHCP message format
    DHCP options
        Overview
        Introduction to DHCP options
        Self-defined options
    Protocols and standards
DHCP client configuration
    Introduction to DHCP client
    Enabling the DHCP client on an interface
    Displaying and maintaining the DHCP client
    DHCP client configuration example
DHCP snooping configuration
    DHCP snooping overview
        Functions of DHCP snooping
        Application environment of trusted ports
        DHCP snooping support for Option 82
    DHCP snooping configuration task list
    Configuring DHCP snooping basic functions
    Configuring DHCP snooping to support Option 82
    Configuring DHCP snooping entries backup
    Enabling DHCP starvation attack protection
    Enabling DHCP-REQUEST message attack protection
    Displaying and maintaining DHCP snooping
    DHCP snooping configuration examples
        DHCP snooping configuration example
        DHCP snooping Option 82 support configuration example
BOOTP client configuration
    Introduction to BOOTP client
        BOOTP application
        Obtaining an IP address dynamically
        Protocols and standards
    Configuring an interface to dynamically obtain an IP address through BOOTP
    Displaying and maintaining BOOTP client configuration
    BOOTP client configuration example
IPv4 DNS configuration
    DNS overview
        Static domain name resolution
        Dynamic domain name resolution
    Configuring the IPv4 DNS client
        Configuring static domain name resolution
        Configuring dynamic domain name resolution
    Displaying and maintaining IPv4 DNS
    IPv4 DNS configuration examples
        Static domain name resolution configuration example
        Dynamic domain name resolution configuration example
    Troubleshooting IPv4 DNS configuration
IPv6 DNS configuration
    Introduction to IPv6 DNS
    Configuring the IPv6 DNS client
        Configuring static domain name resolution
        Configuring dynamic domain name resolution
    Displaying and maintaining IPv6 DNS
    IPv6 DNS configuration examples
        Static domain name resolution configuration example
        Dynamic domain name resolution configuration example
IP performance optimization configuration
    IP performance optimization overview
    Configuring TCP attributes
        Configuring the TCP send/receive buffer size
        Configuring TCP timers
    Configuring ICMP to send error packets
        Introduction
        Configuration procedure
    Displaying and maintaining IP performance optimization
IPv6 basics configuration
    IPv6 overview
        IPv6 features
        IPv6 addresses
        IPv6 neighbor discovery protocol
        IPv6 PMTU discovery
        IPv6 transition technologies
        Protocols and standards
    IPv6 basics configuration task list
    Configuring basic IPv6 functions
        Enabling IPv6
        Configuring an IPv6 global unicast address
        Configuring an IPv6 link-local address
        Configuring an IPv6 anycast address
    Configuring IPv6 ND
        Configuring a static neighbor entry
        Configuring the maximum number of neighbors dynamically learned
        Configuring parameters related to RA messages
        Configuring the maximum number of attempts to send an NS message for DAD
        Setting the age timer for ND entries
        Configuring ND snooping
    Configuring PMTU discovery
        Configuring a static PMTU for a specified IPv6 address
        Configuring the aging time for dynamic PMTUs
    Configuring IPv6 TCP properties
    Configuring ICMPv6 packet sending
        Configuring the maximum ICMPv6 error packets sent in an interval
        Enabling replying to multicast echo requests
        Enabling sending of ICMPv6 time exceeded messages
        Enabling sending of ICMPv6 destination unreachable messages
    Displaying and maintaining IPv6 basics configuration
DHCPv6 overview
    Introduction to DHCPv6
    DHCPv6 address/prefix assignment
        Rapid assignment involving two messages
        Assignment involving four messages
    Address/prefix lease renewal
    Stateless DHCPv6 configuration
        Introduction
        Operation
    Protocols and standards
DHCPv6 client configuration
    Introduction to the DHCPv6 client
    Configuring the DHCPv6 client
        Configuration prerequisites
        Configuration procedure
    Displaying and maintaining the DHCPv6 client
    Stateless DHCPv6 configuration example
DHCPv6 snooping configuration
    DHCPv6 snooping overview
    Enabling DHCPv6 snooping
    Configuring a DHCPv6 snooping trusted port
    Configuring the maximum number of DHCPv6 snooping entries an interface can learn
    Displaying and maintaining DHCPv6 snooping
    DHCPv6 snooping configuration example
        Network requirements
        Configuration procedure
Support and other resources
    Contacting HP
        Subscription service
    Related information
        Documents
        Websites
    Conventions
Index
ARP configuration
ARP overview
ARP function
The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet
MAC address, for example).
In an Ethernet LAN, a switch uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
ARP message format
ARP messages include ARP requests and ARP replies. Figure 1 shows the format of the ARP request/reply.
Numbers in the figure refer to field lengths.
Figure 1 ARP message format
The following describes the fields in Figure 1.
• Hardware type: The hardware address type. The value 1 represents Ethernet.
• Protocol type: The type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.
• Hardware address length and protocol address length: Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IP(v4) address, the value of the protocol address length field is 4.
• OP: Operation code. The type of the ARP message. The value 1 represents an ARP request and 2 represents an ARP reply.
• Sender hardware address: Hardware address of the switch sending the message.
• Sender protocol address: Protocol address of the switch sending the message.
• Target hardware address: Hardware address of the switch the message is being sent to.
• Target protocol address: Protocol address of the switch the message is being sent to.
Operation of ARP
If Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 2:
1. Host A looks in its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request using the following information.
   • Source IP address and source MAC address: Host A's own IP address and MAC address
   • Target IP address: Host B's IP address
   • Target MAC address: An all-zero MAC address
   Because the ARP request is broadcast, all hosts on this subnet can receive the request, but only the requested host (Host B) will process the request.
3. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B:
   • Adds the sender IP address and sender MAC address into its ARP table.
   • Encapsulates its MAC address into an ARP reply.
   • Unicasts the ARP reply to Host A.
4. After receiving the ARP reply, Host A:
   • Adds the MAC address of Host B into its ARP table.
   • Encapsulates the MAC address in the IP packet and sends it to Host B.
Figure 2 ARP address resolution process
If Host A and Host B are not on the same subnet:
1. Host A sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway.
2. After obtaining the MAC address of the gateway from an ARP reply, Host A sends the packet to the gateway.
3. If the gateway maintains the ARP entry of Host B, it forwards the packet to Host B directly; if not, it broadcasts an ARP request, in which the target IP address is the IP address of Host B.
4. After obtaining the MAC address of Host B, the gateway sends the packet to Host B.
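The message format and the request/reply exchange above, as an added Python example that is not part of the guide: it encodes and parses the Ethernet/IPv4 ARP message (rejecting any field outside that profile) and, like Host B in step 3, answers a request only when the target IP address is its own. Host addresses are constructed sample values, and the colon-separated MAC notation is a choice of this example, not the switch's.

```python
import struct
from ipaddress import IPv4Address

# Field values named in the ARP message format above.
HTYPE_ETHERNET = 1     # hardware type 1 = Ethernet
PTYPE_IPV4 = 0x0800    # protocol type 0x0800 = IP
HLEN_ETHERNET = 6      # hardware address length, bytes
PLEN_IPV4 = 4          # protocol address length, bytes
OP_REQUEST = 1
OP_REPLY = 2
ZERO_MAC = "00:00:00:00:00:00"   # target MAC carried in a request (step 2)

ARP_HEADER = struct.Struct("!HHBBH")   # htype, ptype, hlen, plen, op


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode the 28-byte Ethernet/IPv4 ARP message that follows the Ethernet header."""
    header = ARP_HEADER.pack(HTYPE_ETHERNET, PTYPE_IPV4, HLEN_ETHERNET, PLEN_IPV4, op)
    return (header
            + _mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
            + _mac_bytes(target_mac) + IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP message, rejecting anything outside the Ethernet/IPv4 profile."""
    if len(payload) < ARP_HEADER.size:
        raise ValueError("ARP header truncated")
    htype, ptype, hlen, plen, op = ARP_HEADER.unpack_from(payload)
    if htype != HTYPE_ETHERNET:
        raise ValueError(f"unsupported hardware type {htype}")
    if ptype != PTYPE_IPV4:
        raise ValueError(f"unsupported protocol type 0x{ptype:04x}")
    if (hlen, plen) != (HLEN_ETHERNET, PLEN_IPV4):
        raise ValueError(f"unexpected address lengths hlen={hlen} plen={plen}")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown operation code {op}")
    body = struct.Struct(f"!{hlen}s{plen}s{hlen}s{plen}s")
    if len(payload) < ARP_HEADER.size + body.size:
        raise ValueError("ARP body truncated")
    sha, spa, tha, tpa = body.unpack_from(payload, ARP_HEADER.size)
    return {
        "op": "request" if op == OP_REQUEST else "reply",
        "sender_mac": _mac_str(sha),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": _mac_str(tha),
        "target_ip": str(IPv4Address(tpa)),
    }


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Step 2 above: Host A's broadcast request carries an all-zero target MAC."""
    return build_arp(OP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def answer_request(request: bytes, own_ip: str, own_mac: str):
    """Step 3 above: reply only if the request's target IP is our own IP.

    Returns the unicast reply bytes, or None when the request is for another host.
    """
    req = parse_arp(request)
    if req["op"] != "request" or req["target_ip"] != own_ip:
        return None
    return build_arp(OP_REPLY, own_mac, own_ip, req["sender_mac"], req["sender_ip"])


if __name__ == "__main__":
    # Constructed sample: Host A (192.168.1.1) resolving Host B (192.168.1.2).
    req = arp_request("00:1a:2b:3c:4d:01", "192.168.1.1", "192.168.1.2")
    print(parse_arp(req))
    rep = answer_request(req, "192.168.1.2", "00:1a:2b:3c:4d:02")
    print(parse_arp(rep))
```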
ARP table
After obtaining a host’s MAC address, the switch adds the IP-to-MAC mapping to its own ARP table. This
mapping is used for forwarding packets with the same destination in the future.
An ARP table contains dynamic and static ARP entries.
Dynamic ARP entry
A dynamic entry is automatically created and maintained by ARP. It can age out, be updated by a new
ARP packet, and be overwritten by a static ARP entry. A dynamic ARP entry is removed when its age
timer expires or the interface goes down.
Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten
by a dynamic ARP entry.
Static ARP entries protect communication between devices, because attack packets cannot modify the
IP-to-MAC mapping in a static ARP entry.
Static ARP entries can be long or short.
• A long static ARP entry can be used to forward packets directly, because it includes not only the IP address and MAC address, but also a configured VLAN and outbound interface.
• A short static ARP entry includes only an IP address and a MAC address. It cannot be used to forward data directly if the outbound interface is a VLAN interface. When a short static ARP entry matches an IP packet to be forwarded, the switch sends an ARP request first. If the sender IP and MAC addresses in the received ARP reply match the IP and MAC addresses of the short static ARP entry, the switch adds the interface receiving the ARP reply to the short static ARP entry. Then the entry can be used for forwarding IP packets.
NOTE:
• Usually ARP dynamically resolves IP addresses to MAC addresses without manual intervention.
• To allow communication with a host using a fixed IP-to-MAC mapping, configure a short static ARP
entry for it. To allow communication with a host using a fixed IP-to-MAC mapping through a specific
interface in a specific VLAN, configure a long static ARP entry for it.
Configuring ARP
Configuring a static ARP entry
A static ARP entry is effective when the device it corresponds to works normally. However, when a VLAN
or VLAN interface is deleted, any static ARP entry corresponding to it will also be deleted (if it is a long
static ARP entry) or will become unresolved (if it is a short and resolved static ARP entry).
Follow these steps to configure a static ARP entry:
1. Enter system view: system-view
2. Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number (Required. No long static ARP entry is configured by default.)
3. Configure a short static ARP entry: arp static ip-address mac-address (Required. No short static ARP entry is configured by default.)
CAUTION:
• The vlan-id argument must be the ID of an existing VLAN that corresponds to the ARP entries. In
addition, the Ethernet interface following the argument must belong to that VLAN. A VLAN interface
must be created for the VLAN.
• The IP address of the VLAN interface corresponding to the vlan-id argument must belong to the same
subnet as the IP address specified by the ip-address argument.
Configuring the maximum number of dynamic ARP entries for an interface
Follow these steps to set the maximum number of dynamic ARP entries that an interface can learn:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Set the maximum number of dynamic ARP entries that an interface can learn: arp max-learning-num number (Optional. 256 by default. If the value of the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.)
Setting the age timer for dynamic ARP entries
Each dynamic ARP entry in the ARP table has a limited lifetime, called its age timer. The age timer of a
dynamic ARP entry is reset each time the dynamic ARP entry is used. Dynamic ARP entries that are not
used before expiration are deleted from the ARP table. You can adjust the age timers for dynamic ARP
entries.
Follow these steps to set the age timer for dynamic ARP entries:
1. Enter system view: system-view
2. Set the age timer for dynamic ARP entries: arp timer aging aging-time (Optional. 20 minutes by default.)
Enabling dynamic ARP entry check
The dynamic ARP entry check function controls whether the switch supports dynamic ARP entries with
multicast MAC addresses.
When dynamic ARP entry check is enabled, the switch cannot learn dynamic ARP entries containing
multicast MAC addresses.
When dynamic ARP entry check is disabled, the switch can learn dynamic ARP entries containing
multicast MAC addresses.
Follow these steps to enable ARP entry check:
1. Enter system view: system-view
2. Enable dynamic ARP entry check: arp check enable (Optional. Enabled by default.)
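The entry types, age timer, per-interface learning limit and multicast check described in the sections above, modelled as a small Python ARP table. This is an added example, not the switch's implementation; the handling of dynamic entries in a deleted VLAN is an assumption noted in the code.

```python
"""ARP table model for the rules in this chapter (added example, not the switch's code):
dynamic entries age out and are capped per interface, static entries never age and are
not overwritten by dynamic learning, a short static entry forwards only once a matching
ARP reply resolves its interface, and multicast MACs are rejected by ARP entry check."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AGING_SEC = 20 * 60   # arp timer aging: 20 minutes by default
DEFAULT_MAX_LEARN = 256       # arp max-learning-num: 256 per interface by default


def is_multicast_mac(mac: str) -> bool:
    """Group bit (LSB of the first octet) set; accepts xxxx-xxxx-xxxx or xx:xx:... forms."""
    return bool(int(mac.replace("-", "").replace(":", "")[:2], 16) & 0x01)


@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: str                    # "dynamic", "long" (static) or "short" (static)
    vlan: Optional[int] = None
    iface: Optional[str] = None  # outbound interface; None while a short static entry is unresolved
    last_used: float = 0.0       # age-timer reference, dynamic entries only

    @property
    def forwardable(self) -> bool:
        return self.iface is not None


class ArpTable:
    def __init__(self, aging_sec: float = DEFAULT_AGING_SEC,
                 max_learn: int = DEFAULT_MAX_LEARN, check_enable: bool = True) -> None:
        self.aging_sec = aging_sec
        self.max_learn = max_learn
        self.check_enable = check_enable          # arp check enable (enabled by default)
        self.entries: Dict[str, ArpEntry] = {}    # keyed by IP address

    def _dynamic_count(self, iface: str) -> int:
        return sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.iface == iface)

    def add_static(self, ip: str, mac: str, vlan: Optional[int] = None,
                   iface: Optional[str] = None) -> ArpEntry:
        """arp static ...: a static entry replaces any dynamic entry for the same IP."""
        if (vlan is None) != (iface is None):
            raise ValueError("a long static entry needs both vlan-id and interface")
        entry = ArpEntry(ip, mac, "short" if iface is None else "long", vlan, iface)
        self.entries[ip] = entry
        return entry

    def learn_dynamic(self, ip: str, mac: str, vlan: int, iface: str, now: float) -> bool:
        """Learning from a received ARP packet; False means the packet was ignored."""
        if self.check_enable and is_multicast_mac(mac):
            return False                  # dynamic ARP entry check rejects multicast MACs
        current = self.entries.get(ip)
        if current is not None and current.kind != "dynamic":
            return False                  # a dynamic entry never overwrites a static one
        if current is None and self._dynamic_count(iface) >= self.max_learn:
            return False                  # interface at its limit (0 means learning disabled)
        self.entries[ip] = ArpEntry(ip, mac, "dynamic", vlan, iface, last_used=now)
        return True

    def resolve_short_static(self, sender_ip: str, sender_mac: str, vlan: int, iface: str) -> bool:
        """ARP reply for a short static entry: attach the receiving interface only on an exact match."""
        current = self.entries.get(sender_ip)
        if current is None or current.kind != "short" or current.forwardable:
            return False
        if current.mac.lower() != sender_mac.lower():
            return False
        current.vlan, current.iface = vlan, iface
        return True

    def lookup(self, ip: str, now: float) -> Optional[ArpEntry]:
        """Forwarding lookup; using a dynamic entry resets its age timer."""
        current = self.entries.get(ip)
        if current is None or not current.forwardable:
            return None
        if current.kind == "dynamic":
            current.last_used = now
        return current

    def age_out(self, now: float) -> List[str]:
        """Delete dynamic entries whose age timer expired; static entries never age."""
        expired = [ip for ip, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_used >= self.aging_sec]
        for ip in expired:
            del self.entries[ip]
        return expired

    def vlan_deleted(self, vlan: int) -> None:
        """Deleting a VLAN deletes long static entries in it and un-resolves short static ones;
        dropping its dynamic entries as well is an assumption (their interface goes down)."""
        for ip, e in list(self.entries.items()):
            if e.vlan != vlan:
                continue
            if e.kind == "short":
                e.vlan, e.iface = None, None
            else:
                del self.entries[ip]
```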
Displaying and maintaining ARP
• Display ARP entries in the ARP table: display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the ARP entry for a specified IP address: display arp ip-address [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the age timer for dynamic ARP entries: display arp timer aging [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Clear ARP entries from the ARP table: reset arp { all | dynamic | static | slot slot-number | interface interface-type interface-number } (Available in user view)
NOTE:
Clearing ARP entries from the ARP table may cause communication failures.
ARP configuration example
Network requirements
As shown in Figure 3, hosts are connected to the switch, which is connected to the router through
interface Ethernet 1/0/1 belonging to VLAN 10. The IP address of the router is 192.168.1.1/24. The
MAC address of the router is 00e0-fc01-0000.
To prevent malicious users from attacking the switch and enhance security for communications between
the router and the switch, configure a static ARP entry for the router on the switch.
Figure 3 Network diagram for configuring static ARP entries
Configuration procedure
Configure the switch
# Create VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Add interface Ethernet 1/0/1 to VLAN 10.
[Switch] interface Ethernet 1/0/1
[Switch-Ethernet1/0/1] port link-type trunk
[Switch-Ethernet1/0/1] port trunk permit vlan 10
[Switch-Ethernet1/0/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10
[Switch-vlan-interface10] ip address 192.168.1.2 24
[Switch-vlan-interface10] quit
# Configure a static ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000. The
outgoing interface corresponding to the static ARP entry is Ethernet 1/0/1 belonging to VLAN 10.
[Switch] arp static 192.168.1.1 00e0-fc01-0000 10 Ethernet 1/0/1
# Display information about static ARP entries.
[Switch] display arp static
  Type: S-Static   D-Dynamic   A-Authorized
IP Address      MAC Address     VLAN ID  Interface  Aging  Type
192.168.1.1     00e0-fc01-0000  10       Eth1/0/1   N/A    S
Gratuitous ARP configuration
Introduction to gratuitous ARP
In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the
switch issuing the packet, the sender MAC address is the MAC address of the switch, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A switch sends gratuitous ARP packets for the following purposes:
• To determine whether its IP address is already used by another device. If the IP address is already used, the device issuing the gratuitous ARP packet is informed of the conflict by an ARP reply.
• To inform other devices of a change of its MAC address so they can update their ARP entries.
Enabling learning of gratuitous ARP packets
With this feature enabled, a switch receiving a gratuitous ARP packet adds the sender IP and MAC
addresses carried in the packet to its ARP table if no corresponding ARP entry exists. If a corresponding
ARP entry is found, the switch updates the ARP entry.
After this feature is disabled, the switch will use the address information in the received gratuitous ARP
packets to update the existing ARP entries only, but not to create new ARP entries.
Configuring periodic sending of gratuitous ARP packets
Enabling a switch to periodically send gratuitous ARP packets helps downstream devices update their
corresponding ARP entries or MAC entries. This feature can be used to prevent gateway spoofing and
prevent ARP entries from aging out.
• Prevent gateway spoofing
When an attacker sends forged gratuitous ARP packets to the hosts on a network, the traffic destined for
the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external
network.
To prevent gateway spoofing attacks, enable the gateway to send gratuitous ARP packets containing its
primary IP address and manually configured secondary IP addresses at a specific interval, so hosts can
learn correct gateway address information.
• Prevent ARP entries from aging out
If network traffic is heavy or if a host’s CPU usage is high, received ARP packets may be discarded or not
processed in time. Eventually, the dynamic ARP entries on the receiving host age out, and the traffic
between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.
To prevent this problem, enable the gateway to send gratuitous ARP packets periodically. The gratuitous
ARP packets contain the gateway's primary IP address or one of its manually configured secondary IP
addresses, so the receiving hosts can update ARP entries in time, ensuring traffic continuity.
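A decoder for ARP frames that recognises gratuitous ARP as defined above (sender IP equal to target IP, target MAC ff:ff:ff:ff:ff:ff) and flags a gratuitous ARP that claims the gateway IP from a MAC other than the known gateway MAC, the gateway spoofing case just described. Added example, not HP code; the frame produced by gateway_announcement and every address in it are constructed.

```python
"""Parse ARP frames, recognise gratuitous ARP and detect gratuitous ARP that claims the
gateway IP from an unexpected MAC (added example, not HP code; frames are constructed)."""
import struct
from typing import Dict, Optional

ETH = struct.Struct("!6s6sH")            # destination MAC, source MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"     # same xxxx-xxxx-xxxx form as the switch CLI


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def is_gratuitous(arp: Dict[str, object]) -> bool:
    """Gratuitous: the sender announces its own address, so sender IP equals target IP."""
    return arp["spa"] == arp["tpa"]


def gateway_announcement(gw_mac: bytes, gw_ip: bytes) -> bytes:
    """Frame a gateway sends for periodic gratuitous ARP: own MAC/IP as sender, own IP as
    target, broadcast target MAC and Ethernet destination, opcode request."""
    return (ETH.pack(BROADCAST_MAC, gw_mac, ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST, gw_mac, gw_ip, BROADCAST_MAC, gw_ip))


def gateway_spoof_alert(frame: bytes, gw_ip: str, gw_mac: str) -> Optional[str]:
    """Alert text when a gratuitous ARP claims the gateway IP with a MAC other than the
    known gateway MAC; None for anything else (including the gateway's own announcement)."""
    arp = parse_arp(frame)
    if arp is None or not is_gratuitous(arp) or arp["spa"] != gw_ip:
        return None
    if arp["sha"].lower() == gw_mac.lower():
        return None
    return f"gratuitous ARP for gateway {gw_ip} from {arp['sha']} (expected {gw_mac})"
```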
Configuring gratuitous ARP
Follow these steps to configure gratuitous ARP:
1. Enter system view: system-view
2. Enable learning of gratuitous ARP packets: gratuitous-arp-learning enable (Optional. Enabled by default.)
3. Enable the switch to send gratuitous ARP packets upon receiving ARP requests from another subnet: gratuitous-arp-sending enable (Required. By default, the switch does not send gratuitous ARP packets upon receiving ARP requests from another subnet.)
4. Enter interface view: interface interface-type interface-number
5. Enable periodic sending of gratuitous ARP packets and set the sending interval: arp send-gratuitous-arp [ interval milliseconds ] (Required. Disabled by default.)
NOTE:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes
up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next
sending interval.
IP addressing configuration
IP addressing overview
IP address classes
IP addressing uses a 32-bit address to identify each host on a network. To make addresses easier to read,
they are written in dotted decimal notation, each address being four octets in length. For example,
address 00001000000000010000000100000001 in binary is written as 10.1.1.1.
Each IP address breaks down into two parts:
• Net ID: Identifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.
• Host ID: Identifies a host on a network.
IP addresses are divided into five classes, as shown in Figure 4. The shaded areas represent the address
class. The first three classes are widely used.
Figure 4 IP address classes
Table 1 IP address classes and ranges
Class | Address range | Remarks
A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
B | 128.0.0.0 to 191.255.255.255 | —
C | 192.0.0.0 to 223.255.255.255 | —
D | 224.0.0.0 to 239.255.255.255 | Multicast addresses.
E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255.
Special IP addresses
The following IP addresses are for special use, so they cannot be used as host IP addresses.
• IP address with an all-zero net ID: Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.
• IP address with an all-zero host ID: Identifies a network.
• IP address with an all-one host ID: Identifies a directed broadcast address. For example, a packet with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network 192.168.1.0.
Subnetting and masking
Subnetting divides a network down into smaller networks called subnets by using some bits of the host ID
to create a subnet ID.
Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.
(When subnetting is not adopted, a mask identifies the boundary between the net ID and the host ID.)
Each subnet mask is made up of 32 bits that correspond to the bits in an IP address. In a subnet mask,
the consecutive ones represent the net ID and subnet ID, and the consecutive zeros represent the host ID.
Before being subnetted, Class A, B, and C networks use the following default masks (also called natural
masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
Figure 5 shows how a Class B network is subnetted.
Figure 5 Subnet a Class B network
Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets
means accommodating somewhat fewer hosts.
For example, a Class B network without subnetting can accommodate 1022 more hosts than the same
network subnetted into 512 subnets.
• Without subnetting: 65,534 hosts (2^16 – 2). (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)
• With subnetting: Using the first 9 bits of the host ID for subnetting provides 512 (2^9) subnets. However, only 7 bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64,512 hosts (512 × 126).
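The class, special-address and subnetting rules of this chapter as functions over Python's standard ipaddress module. Added example, not part of the guide; subnet_plan reproduces the Class B / 512-subnet figures above and generalises them to any network prefix and subnet bit count.

```python
"""Address classes (Table 1), special addresses and subnet arithmetic (Figure 5) from this
chapter, as an added example that is not part of the guide."""
import ipaddress
from typing import Dict, Optional

NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}     # natural masks 255.0.0.0, 255.255.0.0, 255.255.255.0


def address_class(ip: str) -> str:
    """Class from the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:   # 0xxx xxxx
        return "A"
    if first < 192:   # 10xx xxxx
        return "B"
    if first < 224:   # 110x xxxx
        return "C"
    if first < 240:   # 1110 xxxx
        return "D"
    return "E"        # 1111 xxxx


def special_address(ip: str, prefix_len: Optional[int] = None) -> Optional[str]:
    """Why an address cannot be assigned to a host, or None for an ordinary host address.
    prefix_len defaults to the natural mask of the address class."""
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return "startup/temporary source address, never a valid destination"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast"
    if (int(addr) >> 24) == 127:
        return "loopback"
    cls = address_class(ip)
    if cls == "D":
        return "multicast (class D)"
    if cls == "E":
        return "reserved (class E)"
    prefix = NATURAL_PREFIX[cls] if prefix_len is None else prefix_len
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    if net.network_address == ipaddress.IPv4Address("0.0.0.0"):
        return f"host {int(addr) & int(net.hostmask)} on the local network (all-zero net ID)"
    if addr == net.network_address:
        return f"network address of {net} (all-zero host ID)"
    if addr == net.broadcast_address:
        return f"directed broadcast for {net} (all-one host ID)"
    return None


def subnet_plan(network: str, subnet_bits: int) -> Dict[str, object]:
    """Borrow subnet_bits from the host ID of `network` and report what that costs."""
    net = ipaddress.ip_network(network, strict=True)
    host_bits = 32 - net.prefixlen - subnet_bits
    if subnet_bits < 0 or host_bits < 2:
        raise ValueError("at least 2 host bits must remain (network and broadcast addresses)")
    subnets = 2 ** subnet_bits
    hosts_per_subnet = 2 ** host_bits - 2            # minus all-zero and all-one host IDs
    unsubnetted_hosts = 2 ** (32 - net.prefixlen) - 2
    return {
        "mask": str(ipaddress.ip_network(f"0.0.0.0/{net.prefixlen + subnet_bits}").netmask),
        "subnets": subnets,
        "hosts_per_subnet": hosts_per_subnet,
        "total_hosts": subnets * hosts_per_subnet,
        "addresses_lost": unsubnetted_hosts - subnets * hosts_per_subnet,
    }
```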
Configuring IP addresses
An interface must have an IP address to communicate with other hosts. You can manually assign an IP
address to an interface, or configure the interface to obtain an IP address through BOOTP or DHCP. If
you change the way an interface obtains an IP address, the new IP address overwrites the previous one.
NOTE:
This chapter only covers how to assign an IP address manually. For information about how to obtain an IP
address through BOOTP or DHCP, see the chapters “DHCP overview” and “BOOTP client configuration.”
Assigning an IP address to an interface
Follow these steps to assign an IP address to an interface:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Assign an IP address to the interface: ip address ip-address { mask-length | mask } (Required. No IP address is assigned by default.)
Displaying and maintaining IP addressing
• Display IP configuration information for a specified Layer 3 interface or all Layer 3 interfaces: display ip interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display brief IP configuration information for a specified Layer 3 interface or all Layer 3 interfaces: display ip interface [ interface-type [ interface-number ] ] brief [ | { begin | exclude | include } regular-expression ] (Available in any view)
DHCP overview
Introduction to DHCP
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices. It uses the client/server model.
A typical DHCP application, as shown in Figure 6, includes a DHCP server and multiple clients (PCs and
laptops).
Figure 6 A typical DHCP application
NOTE:
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet via a DHCP relay agent. For more information about the DHCP relay agent, see the
chapter “DHCP relay agent configuration.”
DHCP address allocation
Allocation mechanisms
DHCP supports the following mechanisms for IP address allocation.
• Static allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client.
• Automatic allocation: DHCP assigns a permanent IP address to a client.
• Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.
Dynamic IP address allocation process
Figure 7 Dynamic IP address allocation process
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. A DHCP server offers configuration parameters, such as an IP address, to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER message is determined by the flag field in the DHCP-DISCOVER message. For related information, see “DHCP message format.”
3. If several DHCP servers send offers to the client, the client accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address.
4. All DHCP servers receive the DHCP-REQUEST message, but only the server from which the client accepts the offered IP address returns either a DHCP-ACK message to the client, confirming that the IP address has been allocated to the client, or a DHCP-NAK message, denying the IP address allocation.
NOTE:
• After the client receives the DHCP-ACK message, it broadcasts a gratuitous ARP packet to verify whether
the IP address assigned by the server is already in use. If the client receives no response within the
specified time, the client uses the assigned IP address. Otherwise, the client sends a DHCP-DECLINE
message to the server and requests an IP address again.
• IP addresses offered by other DHCP servers are still assignable to other clients.
IP address lease extension
The IP address dynamically allocated by a DHCP server to a client has a lease. When the lease expires,
the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend
the lease duration.
After half the lease duration, the DHCP client sends the DHCP server a DHCP-REQUEST unicast to extend
the lease duration. Depending on availability of the IP address, the DHCP server returns a DHCP-ACK
unicast confirming that the client’s lease has been extended, or a DHCP-NAK unicast denying the
request.
If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension after
7/8 lease duration. Again, depending on availability of the IP address, the DHCP server returns either
a DHCP-ACK unicast confirming that the client’s lease has been extended, or a DHCP-NAK unicast
denying the request.
DHCP message format
Figure 8 shows the DHCP message format, which is based on the BOOTP message format although
DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size
of each field in bytes.
Despite the name “option”, some of the parameters in the Options field are required for basic DHCP
functionality.
Figure 8 DHCP message format
bits 0–7 | 8–15 | 16–23 | 24–31
op (1) | htype (1) | hlen (1) | hops (1)
xid (4)
secs (2) | flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)
• op: Message operation code. 1 = REQUEST, 2 = REPLY. (The specific DHCP message type is carried in the options field.)
• htype, hlen: Hardware address type and length of a DHCP client.
• hops: Number of relay agents that a request message has traveled through.
• xid: Transaction ID, a random number chosen by the client to identify an IP address allocation.
• secs: Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. This field is reserved and set to 0.
• flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sends its reply by unicast; if this flag is set to 1, the DHCP server sends its reply by broadcast. The remaining bits of the flags field are reserved for future use.
• ciaddr: Client IP address if the client has an IP address that is valid and usable; otherwise, set to zero. (The client does not use this field to request a specific IP address to lease.)
• yiaddr: 'your' (client) IP address, assigned by the server.
• siaddr: Server IP address, from which the client obtained configuration parameters.
• giaddr: (Gateway) IP address of the first relay agent that a request message traveled through.
• chaddr: Client hardware address.
• sname: Server host name, from which the client obtained configuration parameters.
• file: Bootfile name and path information, defined by the server to the client.
• options: Optional parameters field that is variable in length, which includes the message type, lease duration, subnet mask, domain name server IP address, WINS IP address, and other information.
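An encoder and decoder for the message layout in Figure 8 and the code/length/value options that follow the fixed fields, written as an added example (not HP code). The decoder rejects BOOTP-only messages (no magic cookie), truncated options and messages without Option 53; the MAC and IP values used when exercising it are constructed.

```python
"""Encode and decode DHCP messages laid out as in Figure 8: the 236-byte fixed header,
the magic cookie and the code/length/value options. Added example, not HP code."""
import struct
from typing import Dict

BOOTREQUEST, BOOTREPLY = 1, 2                 # op field: 1 = REQUEST, 2 = REPLY
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op ... file: 236 bytes in total
MAGIC_COOKIE = b"\x63\x82\x53\x63"            # DHCP options follow this cookie
BROADCAST_FLAG = 0x8000                       # leftmost bit of the flags field
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk code/length/value options up to the End option; pad bytes carry no length."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {code} runs past the end of the message")
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("options not terminated by the End option")


def encode_options(opts: Dict[int, bytes]) -> bytes:
    out = bytearray()
    for code, value in opts.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"option {code}: bad code or value longer than 255 bytes")
        out += bytes((code, len(value))) + value
    return bytes(out) + bytes((OPT_END,))


def parse_dhcp(msg: bytes) -> Dict[str, object]:
    """Decode one message; raises ValueError for BOOTP-only or malformed input."""
    if len(msg) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("shorter than the fixed header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = HEADER.unpack_from(msg)
    if msg[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: BOOTP message or corrupt DHCP message")
    if not 0 < hlen <= 16:
        raise ValueError("hlen must select 1..16 bytes of chaddr")
    opts = parse_options(msg[HEADER.size + 4:])
    mtype = opts.get(OPT_MESSAGE_TYPE)
    if mtype is None or len(mtype) != 1 or mtype[0] not in MESSAGE_TYPES:
        raise ValueError("Option 53 (message type) is mandatory for DHCP")
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": ip_str(ciaddr), "yiaddr": ip_str(yiaddr),
        "siaddr": ip_str(siaddr), "giaddr": ip_str(giaddr),
        "chaddr": chaddr[:hlen].hex(),
        "sname": sname.split(b"\0", 1)[0].decode("ascii", "replace"),
        "file": file.split(b"\0", 1)[0].decode("ascii", "replace"),
        "message_type": MESSAGE_TYPES[mtype[0]],
        "options": opts,
    }


def build_dhcp(op: int, xid: int, chaddr: bytes, options: Dict[int, bytes], *,
               broadcast: bool = False, hops: int = 0, ciaddr: str = "0.0.0.0",
               yiaddr: str = "0.0.0.0", siaddr: str = "0.0.0.0",
               giaddr: str = "0.0.0.0") -> bytes:
    """Build an Ethernet (htype 1, hlen 6) DHCP message; options must include Option 53."""
    if len(chaddr) != 6:
        raise ValueError("chaddr must be a 6-byte Ethernet MAC")
    if OPT_MESSAGE_TYPE not in options:
        raise ValueError("Option 53 (message type) is mandatory for DHCP")
    flags = BROADCAST_FLAG if broadcast else 0
    fixed = HEADER.pack(op, 1, 6, hops, xid, 0, flags,
                        ip_bytes(ciaddr), ip_bytes(yiaddr), ip_bytes(siaddr), ip_bytes(giaddr),
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + encode_options(options)
```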
DHCP options
Overview
DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for
dynamic address allocation and to provide additional configuration information to clients.
Figure 9 shows the DHCP option format.
Figure 9 DHCP option format
Introduction to DHCP options
Common DHCP options
• Option 3: Router option. It specifies the gateway address to be assigned to the client.
• Option 6: DNS server option. It specifies the DNS server IP address to be assigned to the client.
• Option 33: Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table. If Option 121 exists, Option 33 is ignored.
• Option 51: IP address lease option.
• Option 53: DHCP message type option. It identifies the type of the DHCP message.
• Option 55: Parameter request list option. It is used by a DHCP client to request specified configuration parameters. The option contains values that correspond to the parameters requested by the client.
• Option 60: Vendor class identifier option. It is used by a DHCP client to identify its vendor, and by a DHCP server to distinguish DHCP clients by vendor class and assign specific IP addresses for the DHCP clients.
• Option 66: TFTP server name option. It specifies a TFTP server to be assigned to the client.
• Option 67: Bootfile name option. It specifies the bootfile name to be assigned to the client.
• Option 121: Class less route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add into its routing table.
• Option 150: TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client.
For more information about DHCP options, see RFC 2132.
Self-defined options
Some options, such as Option 43, Option 82, and Option 184, have no unified definitions in RFC 2132.
Vendor-specific option (Option 43)
DHCP servers and clients use Option 43 to exchange vendor-specific configuration information. The
client sends a request with Option 43, including a vendor string that identifies a vendor. Upon receiving
the request, the DHCP server refers to the vendor-specific options table, and returns a response message
with Option 43 to assign the appropriate vendor-specific information to the DHCP client.
The DHCP client can obtain the following information through Option 43:
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password.
• Service provider identifier acquired by the Customer Premises Equipment (CPE) from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters.
• Preboot Execution Environment (PXE) server address for further obtaining the bootfile or other control information from the PXE server.
1. Format of Option 43
Figure 10 Format of Option 43
Network configuration parameters are carried in different sub-options of Option 43, as shown in Figure 10.
• Sub-option type: Identifies the type of a sub-option. The field value can be 0x01, 0x02, or 0x80.
  ○ 0x01 indicates an ACS parameter sub-option.
  ○ 0x02 indicates a service provider identifier sub-option.
  ○ 0x80 indicates a PXE server address sub-option.
• Sub-option length: Length of a sub-option excluding the sub-option type and sub-option length fields.
• Sub-option value: Value of a sub-option.
2. Format of the sub-option value field of Option 43
• As shown in Figure 11, the value field of the ACS parameter sub-option contains the following variables separated by spaces (0x20):
  ○ ACS URL
  ○ ACS username
  ○ ACS password
Figure 11 Format of the value field of the ACS parameter sub-option
• The value field of the service provider identifier sub-option contains the service provider identifier.
• Figure 12 shows the format of the value field of the PXE server address sub-option. The value of the PXE server type can only be 0. The server number field indicates the number of PXE servers contained in the sub-option. The server IP addresses field contains the IP addresses of the PXE servers.
Figure 12 Format of the value field of the PXE server address sub-option
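A decoder and encoder for the Option 43 sub-option layout described above. Added example, not HP code: the type/length/value framing and the 0x01, 0x02 and 0x80 sub-option types follow the text, while the byte widths inside the PXE value (2-byte server type, 1-byte server count, 4-byte addresses) and all sample values are assumptions, since Figures 10 to 12 are not reproduced here.

```python
"""Option 43 sub-options as described in this section (added example, not HP code).
Assumed: PXE value = server type (2 bytes, must be 0), server count (1 byte), IPv4 addresses."""
import struct
from typing import Dict, List, Optional, Sequence, Tuple

SUB_ACS, SUB_SERVICE_PROVIDER, SUB_PXE = 0x01, 0x02, 0x80
SEPARATOR = b"\x20"        # ACS URL, username and password are separated by spaces


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def split_suboptions(value: bytes) -> List[Tuple[int, bytes]]:
    """Sub-option type (1 byte), length (1 byte, excluding these two fields), then the value."""
    subs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(value):
        if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated Option 43 sub-option")
        sub_type, length = value[i], value[i + 1]
        subs.append((sub_type, value[i + 2:i + 2 + length]))
        i += 2 + length
    return subs


def decode_option43(value: bytes) -> Dict[str, object]:
    out: Dict[str, object] = {}
    for sub_type, sub_value in split_suboptions(value):
        if sub_type == SUB_ACS:
            parts = sub_value.split(SEPARATOR, 2)      # password may itself contain spaces
            if len(parts) != 3:
                raise ValueError("ACS sub-option must carry URL, username and password")
            url, user, password = (p.decode("ascii") for p in parts)
            # Deployment note: these credentials travel in clear text inside DHCP.
            out["acs"] = {"url": url, "username": user, "password": password}
        elif sub_type == SUB_SERVICE_PROVIDER:
            out["service_provider"] = sub_value.decode("ascii")
        elif sub_type == SUB_PXE:
            if len(sub_value) < 3:
                raise ValueError("PXE sub-option too short")
            server_type, count = struct.unpack_from("!HB", sub_value)
            if server_type != 0:
                raise ValueError("PXE server type must be 0")
            if len(sub_value) != 3 + 4 * count:
                raise ValueError("PXE server count does not match the address bytes present")
            out["pxe_servers"] = [ip_str(sub_value[3 + 4 * k:7 + 4 * k]) for k in range(count)]
        else:
            out.setdefault("unknown", []).append((sub_type, sub_value))
    return out


def encode_option43(acs: Optional[Tuple[str, str, str]] = None,
                    service_provider: Optional[str] = None,
                    pxe_servers: Optional[Sequence[str]] = None) -> bytes:
    """Inverse of decode_option43; every argument is optional."""
    subs: List[Tuple[int, bytes]] = []
    if acs is not None:
        url, user, password = acs
        if " " in url or " " in user:
            raise ValueError("ACS URL and username cannot contain the separator")
        subs.append((SUB_ACS, SEPARATOR.join(s.encode("ascii") for s in (url, user, password))))
    if service_provider is not None:
        subs.append((SUB_SERVICE_PROVIDER, service_provider.encode("ascii")))
    if pxe_servers is not None:
        addresses = b"".join(ip_bytes(ip) for ip in pxe_servers)
        subs.append((SUB_PXE, struct.pack("!HB", 0, len(pxe_servers)) + addresses))
    out = bytearray()
    for sub_type, sub_value in subs:
        if len(sub_value) > 255:
            raise ValueError("sub-option value longer than 255 bytes")
        out += bytes((sub_type, len(sub_value))) + sub_value
    return bytes(out)
```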
Relay agent option (Option 82)
Option 82 is the relay agent option in the option field of the DHCP message. It records the location
information of the DHCP client. When a DHCP relay agent or DHCP snooping switch receives a client’s
request, it adds Option 82 to the request message and sends it to the server.
The administrator can locate the DHCP client to further implement security control and accounting. The
Option 82 supporting server can also use such information to define individual assignment policies of IP
address and other parameters for the clients.
Option 82 involves at most 255 sub-options. At least one sub-option must be defined. The DHCP relay
agent supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).
Option 82 has no unified definition. Its padding formats vary with vendors.
There are two methods for configuring Option 82:
• User-defined method: Manually specify the content of Option 82.
• Non-user-defined method: Pad Option 82 in the default normal or verbose format.
If you choose the second method, you can specify the code type for the sub-options as ASCII or HEX.
1. Normal padding format
• Sub-option 1: Padded with the VLAN ID and interface number of the interface that received the client’s request. The value of the sub-option type is 1, and that of the circuit ID type is 0.
Figure 13 Sub-option 1 in normal padding format
• Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping switch that received the client’s request. The value of the sub-option type is 2, and that of the remote ID type is 0.
Figure 14 Sub-option 2 in normal padding format
2. Verbose padding format
• Sub-option 1: Padded with the user-specified access node identifier (ID of the switch that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client’s request. See Figure 15.
Figure 15 Sub-option 1 in verbose padding format
NOTE:
The VLAN ID field has a fixed length of 2 bytes. All the other padding contents of sub-option 1 are variable in length. See Figure 15.
• Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. It has the same format as that in normal padding format. See Figure 14.
Option 184
Option 184 is a reserved option, and parameters in the option can be defined as needed. The switch
supports Option 184 carrying the voice related parameters, so a DHCP client with voice functions can
get an IP address along with specified voice parameters from the DHCP server.
Option 184 involves the following sub-options:
• Sub-option 1: IP address of the primary network calling processor, which serves as the network calling control source and provides program downloads.
• Sub-option 2: IP address of the backup network calling processor. DHCP clients contact the backup when the primary is unreachable.
• Sub-option 3: Voice VLAN ID and an indication of whether DHCP clients take this ID as the voice VLAN.
• Sub-option 4: Failover route that specifies the destination IP address and the called number. A Session Initiation Protocol (SIP) user uses this IP address and number to reach another SIP user when both the primary and backup calling processors are unreachable.
NOTE:
You must define sub-option 1 to make other sub-options effective.
Protocols and standards
• RFC 2131, Dynamic Host Configuration Protocol
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4
DHCP client configuration
NOTE:
• The DHCP client configuration is supported only on VLAN interfaces.
• When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a
relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
Introduction to DHCP client
With DHCP client enabled, an interface uses DHCP to obtain configuration parameters, such as an IP
address, from the DHCP server.
Enabling the DHCP client on an interface
Follow these steps to enable the DHCP client on an interface:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable the DHCP client on the interface: ip address dhcp-alloc [ client-identifier mac interface-type interface-number ] (Required. Disabled by default.)
NOTE:
• An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually
exclusive. The latest configuration overwrites the previous one.
• If the IP address that interface A obtains from the DHCP server is on the same subnet as the IP address
of interface B, interface A neither uses the IP address nor requests any IP address from the DHCP server,
unless you do the following: Delete the IP address of interface B and bring up interface A again by first
executing the shutdown command and then the undo shutdown command, or, re-enable the DHCP
client on interface A by executing the undo ip address dhcp-alloc command and then the ip address
dhcp-alloc command.
Displaying and maintaining the DHCP client
• Display specified configuration information: display dhcp client [ verbose ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
DHCP client configuration example
Network requirements
As shown in Figure 16, Switch A’s port belonging to VLAN 2 is connected to the LAN. VLAN-interface
2 obtains an IP address from the DHCP server by using DHCP.
Figure 16 Network diagram for DHCP client configuration
Configuration procedure
• Configure Switch A
# Enable the DHCP client on VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address dhcp-alloc
DHCP snooping configuration
NOTE:
The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
DHCP snooping overview
Functions of DHCP snooping
DHCP snooping is a security feature with the following uses:
1. Ensure that DHCP clients obtain IP addresses from authorized DHCP servers
2. Record IP-to-MAC mappings of DHCP clients
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to ensure that clients obtain IP addresses only from authorized DHCP servers.
• Trusted: A trusted port forwards DHCP messages normally to ensure the clients get IP addresses from an authorized DHCP server.
• Untrusted: An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to avoid IP address allocation from any unauthorized server.
Configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted,
and configure other ports as untrusted.
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record
DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the clients, the
port that connects to DHCP clients, and the VLAN of the port. Using DHCP snooping entries, DHCP
snooping can implement the following functions:
• ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For more information, see the Security Configuration Guide.
• IP source guard: IP source guard uses dynamic binding entries generated by DHCP snooping to filter packets on a per-port basis. This prevents unauthorized packets from traveling through. For more information, see the Security Configuration Guide.
• VLAN mapping: The switch replaces service provider VLANs (SVLANs) in packets with customer VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For more information, see the Layer 2—LAN Switching.
Application environment of trusted ports
Configuring a trusted port connected to a DHCP server
Figure 17 Configure trusted and untrusted ports
As shown in Figure 17, the trusted port forwards reply messages from the DHCP server to the client, but
the untrusted port connected to the unauthorized DHCP server cannot forward any reply messages. This
ensures that the DHCP client obtains an IP address from the authorized DHCP server.
Configuring trusted ports in a cascaded network
In a cascaded network involving multiple DHCP snooping devices, the ports connected to other DHCP
snooping devices should be configured as trusted ports.
To save system resources, you can disable the trusted ports, which are indirectly connected to DHCP
clients, from recording client IP-to-MAC bindings upon receiving DHCP requests.
Figure 18 Configure trusted ports in a cascaded network
(Figure: DHCP clients Host A, Host B, Host C and Host D; DHCP snooping devices Switch A, Switch B and Switch C cascaded toward the DHCP server. Legend: untrusted ports; trusted ports disabled from recording binding entries; trusted ports enabled to record binding entries. The port roles are listed in Table 2.)
Table 2 describes roles of the ports shown in Figure 18.
Table 2 Roles of ports
• Switch A: untrusted port Ethernet 1/0/1; trusted port disabled from recording binding entries Ethernet 1/0/3; trusted port enabled to record binding entries Ethernet 1/0/2.
• Switch B: untrusted ports Ethernet 1/0/3 and Ethernet 1/0/4; trusted port disabled from recording binding entries Ethernet 1/0/1; trusted port enabled to record binding entries Ethernet 1/0/2.
• Switch C: untrusted port Ethernet 1/0/1; trusted ports disabled from recording binding entries Ethernet 1/0/3 and Ethernet 1/0/4; trusted port enabled to record binding entries Ethernet 1/0/2.
DHCP snooping support for Option 82
Option 82 records the location information of the DHCP client, so the administrator can locate the DHCP
client for security control and accounting purposes. For more information, see the chapter “DHCP relay
agent configuration.”
When Option 82 support is enabled on the DHCP snooping switch, the switch handles a client's request
according to whether the request already contains Option 82 and to the configured handling strategy.
The handling strategies are described in Table 3.
If a reply returned by the DHCP server contains Option 82, the DHCP snooping switch removes the
Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP
snooping switch forwards it directly.
Table 3 Handling strategies of DHCP snooping
If the client's requesting message has Option 82:
• Handling strategy drop: the DHCP snooping switch drops the message.
• Handling strategy keep (any padding format): the switch forwards the message without changing Option 82.
• Handling strategy replace, padding format normal: the switch forwards the message after replacing the original Option 82 with the Option 82 padded in normal format.
• Handling strategy replace, padding format verbose: the switch forwards the message after replacing the original Option 82 with the Option 82 padded in verbose format.
• Handling strategy replace, padding format user-defined: the switch forwards the message after replacing the original Option 82 with the user-defined Option 82.
If the client's requesting message has no Option 82 (any handling strategy):
• Padding format normal: the switch forwards the message after adding the Option 82 padded in normal format.
• Padding format verbose: the switch forwards the message after adding the Option 82 padded in verbose format.
• Padding format user-defined: the switch forwards the message after adding the user-defined Option 82.
NOTE:
The handling strategy and padding format for Option 82 on the DHCP snooping switch are the same as
those on the relay agent.
DHCP snooping configuration task list
Complete the following tasks to configure DHCP snooping:
• Configuring DHCP snooping basic functions (Required)
• Configuring DHCP snooping to support Option 82 (Optional)
• Configuring DHCP snooping entries backup (Optional)
• Enabling DHCP starvation attack protection (Optional)
• Enabling DHCP-REQUEST message attack protection (Optional)
Configuring DHCP snooping basic functions
Follow these steps to configure DHCP snooping basic functions:
1. Enter system view: system-view
2. Enable DHCP snooping: dhcp-snooping (Required. Disabled by default.)
3. Enter interface view: interface interface-type interface-number
4. Specify the port as a trusted port that records the IP-to-MAC bindings of clients: dhcp-snooping trust (Required. After DHCP snooping is enabled, a port is an untrusted port by default.)
5. Return to system view: quit
6. Enter interface view: interface interface-type interface-number
7. Specify the port as a trusted port that does not record the IP-to-MAC bindings of clients: dhcp-snooping trust no-user-binding (Optional. Use this on an interface that indirectly connects to DHCP clients. After DHCP snooping is enabled, a port is an untrusted port by default.)
NOTE:
• You must specify the ports connected to the authorized DHCP servers as trusted to ensure that DHCP
clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be
in the same VLAN.
• You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports. For more
information about aggregate interfaces, see the Layer 2—LAN Switching Configuration Guide.
• If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration of
the interface will not take effect. After the interface quits the aggregation group, the configuration will be
effective.
• DHCP snooping can work with QinQ. When receiving a packet without any VLAN tag from the DHCP
client to the DHCP server, the DHCP snooping switch adds a VLAN tag to the packet. If the packet has
one VLAN tag, the device adds another VLAN tag to the packet and records the two VLAN tags in a
DHCP snooping entry. The newly added VLAN tag is the outer tag. If the packet has two VLAN tags, the
device directly forwards the packet to the DHCP server without adding any tag. If you need to add a new
VLAN tag and meanwhile modify the original VLAN tag for the packet, DHCP snooping cannot work
with QinQ.
Configuring DHCP snooping to support Option 82
Follow these steps to configure DHCP snooping to support Option 82:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable DHCP snooping to support Option 82: dhcp-snooping information enable (Required. Disabled by default.)
4. Configure the handling strategy for requesting messages containing Option 82: dhcp-snooping information strategy { drop | keep | replace } (Optional. replace by default.)
5. Configure non-user-defined Option 82:
   a. Configure the padding format for Option 82: dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } (Optional. normal by default.)
   b. Configure the code type for the circuit ID sub-option: dhcp-snooping information circuit-id format-type { ascii | hex } (Optional. By default, the code type depends on the padding format of Option 82; each field has its own code type. This code type configuration applies to non-user-defined Option 82 only.)
   c. Configure the code type for the remote ID sub-option: dhcp-snooping information remote-id format-type { ascii | hex } (Optional. hex by default. The code type configuration applies to non-user-defined Option 82 only.)
6. Configure user-defined Option 82:
   a. Configure the padding content for the circuit ID sub-option: dhcp-snooping information [ vlan vlan-id ] circuit-id string circuit-id (Optional. By default, the padding content depends on the padding format of Option 82.)
   b. Configure the padding content for the remote ID sub-option: dhcp-snooping information [ vlan vlan-id ] remote-id string { remote-id | sysname } (Optional. By default, the padding content depends on the padding format of Option 82.)
NOTE:
• You can configure DHCP snooping to support Option 82 on Layer 2 Ethernet interfaces, and Layer 2
aggregate interfaces only.
• If a Layer 2 Ethernet interface is added to an aggregation group, enabling DHCP snooping to support
Option 82 on the interface will not take effect. After the interface quits the aggregation group, the
configuration will be effective.
• To support Option 82, perform related configuration on both the DHCP server and the switch enabled
with DHCP snooping.
• If the handling strategy of the DHCP-snooping-enabled device is configured as replace, you must
configure a padding format for Option 82. If the handling strategy is keep or drop, you need not
configure any padding format.
• If the Option 82 is padded with the device name (sysname) of a node, the device name must contain no
spaces. Otherwise, the DHCP-snooping-enabled device will drop the message. You can use the
sysname command to specify the device name. For more information about this command, see Device
management commands in the Fundamentals Command Reference.
• If DHCP snooping and QinQ work together, or the DHCP snooping switch receives a DHCP packet with
two VLAN tags, and the normal or verbose padding format is adopted for Option 82, DHCP snooping
fills the VLAN ID field of sub-option 1 with outer VLAN tag.inner VLAN tag. For example, if the outer
VLAN tag is 10 (a in hexadecimal) and the inner VLAN tag is 20 (14 in hexadecimal), the VLAN ID is
000a.0014.
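The following Python model, added here as an example and not code from HP or this switch, shows the Option 82 handling of Table 3 and the double-tag VLAN ID field described in the note above. Sub-option codes 1 (circuit ID) and 2 (remote ID) are the RFC 3046 values; the byte layout used for the "normal"-style circuit ID (VLAN ID field followed by a 2-byte port index) and remote ID (switch MAC address) is an assumption of this example, and the client request and server reply are constructed inline.

```python
"""Option 82 handling on a DHCP snooping switch (added example, not HP code)."""
from typing import List, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes

TLVs = List[Tuple[int, bytes]]


def parse_tlvs(raw: bytes, dhcp_options: bool = False) -> TLVs:
    """Parse a type/length/value sequence into (code, value) pairs.

    For the DHCP options field (RFC 2132) PAD (0) is skipped and END (255)
    terminates the list; Option 82 sub-options use neither, so with
    dhcp_options=False both are treated as ordinary codes.
    """
    out: TLVs = []
    i = 0
    while i < len(raw):
        code = raw[i]
        if dhcp_options and code == OPT_PAD:
            i += 1
            continue
        if dhcp_options and code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV %d at offset %d is truncated" % (code, i))
        out.append((code, value))
        i += 2 + length
    return out


def encode_tlvs(tlvs: TLVs) -> bytes:
    out = bytearray()
    for code, value in tlvs:
        if not 0 <= code <= 255 or len(value) > 255:
            raise ValueError("TLV code or length out of range")
        out += bytes((code, len(value))) + value
    return bytes(out)


def build_options(tlvs: TLVs) -> bytes:
    """Encode a DHCP options field and terminate it with END."""
    return encode_tlvs(tlvs) + bytes((OPT_END,))


def vlan_field(vlans: List[int]) -> bytes:
    """VLAN ID field of the circuit ID: 2 bytes for one tag; with two tags the
    outer tag is followed by the inner tag (outer 10, inner 20 -> 000a.0014)."""
    return b"".join(v.to_bytes(2, "big") for v in vlans)


def normal_option82(vlans: List[int], port_index: int, switch_mac: bytes) -> bytes:
    """Option 82 value in a 'normal'-style format.

    Assumed layout for this example only: circuit ID = VLAN ID field + 2-byte
    port index, remote ID = the switch MAC address.
    """
    circuit_id = vlan_field(vlans) + port_index.to_bytes(2, "big")
    return encode_tlvs([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, switch_mac)])


def handle_client_request(options: bytes, strategy: str, switch_opt82: bytes) -> Optional[bytes]:
    """Apply the Table 3 handling strategy to a client request's options field.

    Returns the options to forward toward the server, or None to drop the message.
    """
    tlvs = parse_tlvs(options, dhcp_options=True)
    if not any(code == OPT_RELAY_AGENT for code, _ in tlvs):
        # No Option 82 from the client: add the switch's own, whatever the strategy.
        return build_options(tlvs + [(OPT_RELAY_AGENT, switch_opt82)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return options                       # forwarded unchanged, client-supplied Option 82 included
    if strategy == "replace":
        kept = [(c, v) for c, v in tlvs if c != OPT_RELAY_AGENT]
        return build_options(kept + [(OPT_RELAY_AGENT, switch_opt82)])
    raise ValueError("unknown strategy %r" % strategy)


def handle_server_reply(options: bytes) -> bytes:
    """Strip Option 82 from a server reply before it is forwarded to the client."""
    tlvs = parse_tlvs(options, dhcp_options=True)
    return build_options([(c, v) for c, v in tlvs if c != OPT_RELAY_AGENT])


if __name__ == "__main__":
    switch_opt82 = normal_option82([10], 2, bytes.fromhex("001122334455"))
    # Constructed client REQUEST: message type 3 plus a forged Option 82.
    forged = encode_tlvs([(SUB_CIRCUIT_ID, b"fake")])
    request = build_options([(53, b"\x03"), (OPT_RELAY_AGENT, forged)])
    for strategy in ("drop", "keep", "replace"):
        result = handle_client_request(request, strategy, switch_opt82)
        print(strategy, "->", "dropped" if result is None else result.hex())
    print("double-tag VLAN ID field:", vlan_field([10, 20]).hex())
```

The strategy matters on untrusted ports: with keep, a client can supply its own circuit ID and so forge the location information that accounting and security control rely on, whereas replace (the default) makes the switch the authority for Option 82 and drop rejects requests that arrive already tagged.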
Configuring DHCP snooping entries backup
DHCP snooping entries cannot survive a reboot. If the DHCP snooping switch is rebooted, security
modules (such as IP source guard) that use DHCP snooping entries to authenticate users will reject
requests from clients until new entries are learned.
The DHCP snooping entries backup feature enables you to store DHCP snooping entries in a file. When
the DHCP snooping switch reboots, it reads DHCP snooping entries from this file.
Follow these steps to configure DHCP snooping entries backup:
1. Enter system view: system-view
2. Specify the name of the file for storing DHCP snooping entries: dhcp-snooping binding database filename filename (Required. Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command.)
3. Back up DHCP snooping entries to the file: dhcp-snooping binding database update now (Optional. DHCP snooping entries are stored to the file each time this command is used.)
4. Set the interval at which the DHCP snooping entry file is refreshed: dhcp-snooping binding database update interval minutes (Optional. By default, the file is not refreshed periodically.)
NOTE:
After DHCP snooping is disabled with the undo dhcp-snooping command, the switch will delete all DHCP
snooping entries, including those stored in the file.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail
to work because of exhaustion of system resources. You can protect against starvation attacks in the
following ways:
•
To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source
MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.
•
To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source
MAC address, enable MAC address check on the DHCP snooping switch. With this function
enabled, the DHCP snooping switch compares the chaddr field of a received DHCP request with
the source MAC address field of the frame. If they are the same, the request is considered valid and
forwarded to the DHCP server; if not, the request is discarded.
Follow these steps to enable MAC address check:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable MAC address check: dhcp-snooping check mac-address (Required. Disabled by default.)
NOTE:
You can enable MAC address check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
Enabling DHCP-REQUEST message attack protection
Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP
clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing
the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.
To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.
With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping switch looks
up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the
DHCP snooping switch compares the entry with the message information. If they are consistent, the
DHCP-REQUEST message is considered as a valid lease renewal request and forwarded to the DHCP
server. If they are not consistent, the message is considered as a forged lease renewal request and
discarded. If no corresponding entry is found locally, the message is considered valid and forwarded to
the DHCP server.
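The Python model below, added as an example and not code from HP or this switch, ties together the checks described in this chapter: server replies are accepted from trusted ports only, a snooping entry is completed from a client's DHCP-REQUEST and the server's DHCP-ACK, the MAC address check compares chaddr with the frame's source MAC, and the DHCP-REQUEST check compares a renewal against the existing entry. The message fields, the port flags (including the no-user-binding behaviour of not recording the client port) and the rule that an entry is "consistent" when its IP address, port and VLAN all match the request are assumptions of this example; the messages fed to it are constructed.

```python
"""Model of the DHCP snooping checks in this chapter (added example, not HP code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# The text names DHCP-OFFER and DHCP-ACK; DHCP-NAK is treated the same here (assumption).
SERVER_REPLIES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    msg_type: str        # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, ...
    src_mac: str         # source MAC address of the Ethernet frame
    chaddr: str          # client hardware address field of the DHCP payload
    yiaddr: str = ""     # address assigned by the server (in OFFER/ACK)
    ciaddr: str = ""     # address the client already holds (lease renewal REQUEST)


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False          # dhcp-snooping trust
    record_bindings: bool = True   # False models dhcp-snooping trust no-user-binding
    check_mac: bool = False        # dhcp-snooping check mac-address
    check_request: bool = False    # dhcp-snooping check request-message


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


class DhcpSnooping:
    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}            # client MAC -> snooping entry
        self._pending: Dict[str, Tuple[str, int]] = {}    # chaddr -> (client port, VLAN) seen in REQUEST

    def process(self, port: Port, msg: DhcpMessage) -> Tuple[str, str]:
        """Run the checks for one message; returns ('forward' | 'drop', reason)."""
        if msg.msg_type in SERVER_REPLIES:
            return self._server_reply(port, msg)
        return self._client_message(port, msg)

    def _server_reply(self, port: Port, msg: DhcpMessage) -> Tuple[str, str]:
        # Replies are accepted from trusted ports only, so a rogue server on an
        # untrusted port cannot hand out leases.
        if not port.trusted:
            return "drop", "%s from untrusted port %s" % (msg.msg_type, port.name)
        # A DHCP-ACK completes the entry started by the client's DHCP-REQUEST.
        if msg.msg_type == "ACK" and msg.chaddr in self._pending:
            client_port, vlan = self._pending.pop(msg.chaddr)
            self.bindings[msg.chaddr] = Binding(msg.chaddr, msg.yiaddr, client_port, vlan)
        return "forward", "server reply on trusted port"

    def _client_message(self, port: Port, msg: DhcpMessage) -> Tuple[str, str]:
        # MAC address check (starvation protection): chaddr must equal the frame source MAC.
        if port.check_mac and msg.chaddr.lower() != msg.src_mac.lower():
            return "drop", "chaddr %s does not match source MAC %s" % (msg.chaddr, msg.src_mac)
        if msg.msg_type == "REQUEST":
            # DHCP-REQUEST check: a REQUEST from a client that already has an entry
            # must agree with that entry (IP, port and VLAN); unknown clients pass.
            entry = self.bindings.get(msg.chaddr)
            if port.check_request and entry is not None:
                if (entry.ip, entry.port, entry.vlan) != (msg.ciaddr, port.name, port.vlan):
                    return "drop", "REQUEST does not match snooping entry %s" % (entry,)
            # Ports configured with no-user-binding do not record where the client is.
            if port.record_bindings:
                self._pending[msg.chaddr] = (port.name, port.vlan)
        return "forward", "client message"


if __name__ == "__main__":
    snoop = DhcpSnooping()
    uplink = Port("Ethernet1/0/1", vlan=10, trusted=True)
    access = Port("Ethernet1/0/2", vlan=10, check_mac=True, check_request=True)
    client = "00:11:22:33:44:55"
    steps = [  # constructed traffic
        (access, DhcpMessage("OFFER", "de:ad:be:ef:00:01", client, yiaddr="10.1.1.99")),  # rogue server
        (access, DhcpMessage("REQUEST", client, client)),
        (uplink, DhcpMessage("ACK", "00:aa:bb:cc:dd:ee", client, yiaddr="10.1.1.5")),
        (access, DhcpMessage("DISCOVER", "00:00:00:00:00:01", "00:00:00:00:00:02")),     # starvation
    ]
    for port, msg in steps:
        print(port.name, msg.msg_type, snoop.process(port, msg))
    print(snoop.bindings)
```

Note the last rule of the DHCP-REQUEST check: a request for a client with no entry is forwarded, so the check protects only leases the switch has recorded. After a reboot the entries are gone unless the entries backup described in this chapter restored them, and forged renewals pass until the clients' bindings are learned again.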
Follow these steps to enable DHCP-REQUEST message check:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable DHCP-REQUEST message check: dhcp-snooping check request-message (Required. Disabled by default.)
NOTE:
You can enable DHCP-REQUEST message check only on Layer 2 Ethernet interfaces and Layer 2
aggregate interfaces.
Displaying and maintaining DHCP snooping
• Display DHCP snooping entries: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display Option 82 configuration information on the DHCP snooping switch: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display DHCP packet statistics on the DHCP snooping switch: display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display information about trusted ports: display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the DHCP snooping entry file information: display dhcp-snooping binding database [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Clear DHCP snooping entries: reset dhcp-snooping { all | ip ip-address } (Available in user view)
• Clear DHCP packet statistics on the DHCP snooping switch: reset dhcp-snooping packet statistics [ slot slot-number ] (Available in user view)
DHCP snooping configuration examples
DHCP snooping configuration example
Network requirements
As shown in Figure 19, Switch is connected to a DHCP server through Ethernet 1/0/1, and to two DHCP
clients through Ethernet 1/0/2 and Ethernet 1/0/3. Ethernet 1/0/1 forwards DHCP server responses
while the other two do not.
Switch records clients’ IP-to-MAC address bindings in DHCP-REQUEST messages and DHCP-ACK
messages received from trusted ports.
Figure 19 Network diagram for DHCP snooping configuration
Configuration procedure
# Enable DHCP snooping.
<Switch> system-view
[Switch] dhcp-snooping
# Specify Ethernet 1/0/1 as trusted.
[Switch] interface Ethernet 1/0/1
[Switch-Ethernet1/0/1] dhcp-snooping trust
[Switch-Ethernet1/0/1] quit
DHCP snooping Option 82 support configuration example
Network requirements
• As shown in Figure 19, enable DHCP snooping and Option 82 support on Switch.
• Configure the handling strategy for DHCP requests containing Option 82 as replace.
• On Ethernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
• On Ethernet 1/0/3, configure the padding format as verbose, access node identifier as sysname, and code type as ascii for Option 82.
• Switch forwards DHCP requests to the DHCP server after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.
Configuration procedure
# Enable DHCP snooping.
<Switch> system-view
[Switch] dhcp-snooping
# Specify Ethernet 1/0/1 as trusted.
[Switch] interface Ethernet 1/0/1
[Switch-Ethernet1/0/1] dhcp-snooping trust
[Switch-Ethernet1/0/1] quit
# Configure Ethernet 1/0/2 to support Option 82.
[Switch] interface Ethernet 1/0/2
[Switch-Ethernet1/0/2] dhcp-snooping information enable
[Switch-Ethernet1/0/2] dhcp-snooping information strategy replace
[Switch-Ethernet1/0/2] dhcp-snooping information circuit-id string company001
[Switch-Ethernet1/0/2] dhcp-snooping information remote-id string device001
[Switch-Ethernet1/0/2] quit
# Configure Ethernet 1/0/3 to support Option 82.
[Switch] interface Ethernet 1/0/3
[Switch-Ethernet1/0/3] dhcp-snooping information enable
[Switch-Ethernet1/0/3] dhcp-snooping information strategy replace
[Switch-Ethernet1/0/3] dhcp-snooping information format verbose node-identifier sysname
[Switch-Ethernet1/0/3] dhcp-snooping information circuit-id format-type ascii
[Switch-Ethernet1/0/3] dhcp-snooping information remote-id format-type ascii
BOOTP client configuration
NOTE:
• BOOTP client configuration only applies to VLAN interfaces.
• If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay
agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.
Introduction to BOOTP client
BOOTP application
After you specify an interface of switch as a BOOTP client, the interface can use BOOTP to get
information (such as IP address) from the BOOTP server.
To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the
BOOTP server. The parameter file contains information such as MAC address and IP address of a
BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches
for the BOOTP parameter file and returns the corresponding configuration information.
BOOTP is usually used in relatively stable environments. In network environments that change frequently,
DHCP is more suitable.
NOTE:
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP
address for the BOOTP client, without any BOOTP server.
Obtaining an IP address dynamically
NOTE:
A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
A BOOTP client dynamically obtains an IP address from a BOOTP server in the following steps:
1. The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2. The BOOTP server receives the request and searches the configuration file for the corresponding IP address and other information according to the MAC address of the BOOTP client. The BOOTP server then returns a BOOTP response to the BOOTP client.
3. The BOOTP client obtains the IP address from the received response.
Protocols and standards
• RFC 951, Bootstrap Protocol (BOOTP)
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
Configuring an interface to dynamically obtain an IP address through BOOTP
Follow these steps to configure an interface to dynamically obtain an IP address:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure an interface to dynamically obtain an IP address through BOOTP: ip address bootp-alloc (Required. By default, an interface does not use BOOTP to obtain an IP address.)
Displaying and maintaining BOOTP client configuration
• Display BOOTP client information: display bootp client [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
BOOTP client configuration example
Network requirements
As shown in Figure 16, Switch A’s port belonging to VLAN 2 is connected to the LAN. VLAN-interface
2 obtains an IP address from the DHCP server by using BOOTP.
Configuration procedure
# Configure VLAN-interface 2 to dynamically obtain an IP address from the DHCP server.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address bootp-alloc
# Use the display bootp client command to view the IP address assigned to the BOOTP client.
IPv4 DNS configuration
DNS overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in
some applications and let the DNS server translate them into correct IP addresses.
DNS services can be static and dynamic. After a user specifies a name, the switch checks the local static
name resolution table for an IP address. If no IP address is available, it contacts the DNS server for
dynamic name resolution, which takes more time than static name resolution. Therefore, some frequently
queried name-to-IP address mappings are stored in the local static name resolution table to improve
efficiency.
Static domain name resolution
Static domain name resolution means setting up mappings between domain names and IP addresses. IP
addresses of the corresponding domain names can be found in the static domain resolution table when
you use applications such as Telnet.
Dynamic domain name resolution
Resolution process
1. A user program sends a name query to the resolver of the DNS client.
2. The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.
3. The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned.
4. After receiving a response from the DNS server, the DNS client returns the resolution result to the application.
Figure 20 Dynamic domain name resolution
Figure 20 shows the relationship between the user program, DNS client, and DNS server.
The DNS client is made up of the resolver and cache. The user program and DNS client can run on the
same device or different devices, but the DNS server and the DNS client usually run on different devices.
Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names
and IP addresses in the dynamic domain name cache, so a repeated query need not be sent to the DNS
server. Aged mappings are removed from the cache after some time, and fresh entries are then requested
from the DNS server. The DNS server decides how long a mapping is valid, and the DNS client gets the
aging information from DNS messages.
DNS suffixes
The DNS client holds a list of suffixes, which can be defined by users. The resolver can use the list to
supply the missing part of incomplete names.
For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc
to obtain the IP address of aabbcc.com, because the resolver adds the delimiter and the suffix before
passing the name to the DNS server.
• If there is no dot in the domain name (for example, aabbcc), the resolver considers this a host name and adds a DNS suffix before the query. If no match is found after all the configured suffixes are used respectively, the original domain name (for example, aabbcc) is used for the query.
• If there is a dot in the domain name (for example, www.aabbcc), the resolver directly uses this domain name for the query. If the query fails, the resolver adds a DNS suffix for another query.
• If the dot is at the end of the domain name (for example, aabbcc.com.), the resolver considers it a Fully Qualified Domain Name (FQDN) and returns the query result, successful or failed. The dot (.) is considered a terminating symbol.
The switch supports static and dynamic DNS client services.
NOTE:
If an alias is configured for a domain name on the DNS server, the switch can resolve the alias into the IP
address of the host.
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and
IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by
using host names instead of IPv4 addresses.
Follow these steps to configure static domain name resolution:
1. Enter system view: system-view
2. Configure a mapping between a host name and an IPv4 address: ip host hostname ip-address (Required. Not configured by default.)
NOTE:
• The IPv4 address you last assign to the host name overwrites the previous one if there is any.
• You may create up to 50 static mappings between domain names and IPv4 addresses.
Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, dynamic domain name resolution needs to be
enabled and a DNS server needs to be configured.
In addition, you can configure a DNS suffix that the system will automatically add to the provided
domain name for resolution.
Follow these steps to configure dynamic domain name resolution:
1. Enter system view: system-view
2. Enable dynamic domain name resolution: dns resolve (Required. Disabled by default.)
3. Specify a DNS server (Required. Not specified by default.):
   In system view: dns server ip-address
   In interface view: interface interface-type interface-number, then dns server ip-address, then quit
4. Configure a DNS suffix: dns domain domain-name (Optional. Not configured by default. Only the provided domain name is resolved.)
NOTE:
• In system view, you can configure up to six DNS servers, including those with IPv6 addresses. The total
number of DNS servers configured in interface view must be no more than six.
• A DNS server configured in system view has a higher priority than one configured in interface view. A
DNS server configured earlier has a higher priority than one configured later in the same view. A DNS
server manually configured has a higher priority than one dynamically obtained through DHCP. A
name query request is first sent to the DNS server that has the highest priority. If no reply is received, it
is sent to the DNS server that has the second highest priority, and so on.
• You can specify up to ten DNS suffixes.
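The Python resolver below is an added example, not code from HP or this switch. It shows the two ordering rules of this section in one place: the suffix rules from "DNS suffixes" (no dot: suffixes first, then the name as typed; a dot inside: the name as typed first, then suffixes; a trailing dot: query once as an FQDN) and the server priority from the note above (system view before interface view, manual before DHCP-learned, earlier before later, next server only when there is no reply). The precedence between the three priority rules, the choice to loop over candidate names outside the server loop, and the zone data and unreachable server it queries are assumptions constructed for the example.

```python
"""DNS suffix search order and server priority of the switch's DNS client
(added example, not HP code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class DnsServer:
    address: str
    view: str = "system"      # "system" or "interface"
    source: str = "manual"    # "manual" or "dhcp" (obtained dynamically)
    order: int = 0            # configuration order within its view; lower = earlier


def server_priority(servers: List[DnsServer]) -> List[DnsServer]:
    """Order servers as the NOTE describes: system view before interface view,
    manually configured before DHCP-learned, earlier configured before later.
    The precedence between these three rules is an assumption of this example."""
    return sorted(servers, key=lambda s: (s.view != "system", s.source != "manual", s.order))


def candidate_names(name: str, suffixes: List[str]) -> List[str]:
    """Names to query, in order, for a user-supplied name."""
    if name.endswith("."):
        return [name]                                 # FQDN: query exactly once
    with_suffix = ["%s.%s" % (name, s) for s in suffixes]
    if "." not in name:
        return with_suffix + [name]                   # host name: suffixes first, then as typed
    return [name] + with_suffix                       # contains a dot: as typed first, then suffixes


# answer_fn(server_address, qname) -> IP address, "" for a reply without an answer, None for no reply
AnswerFn = Callable[[str, str], Optional[str]]


def resolve(name: str, suffixes: List[str], servers: List[DnsServer],
            answer_fn: AnswerFn) -> Optional[Tuple[str, str]]:
    """Resolve name; returns (queried name, IP address) or None.

    For each candidate name the servers are tried by priority: a server that
    does not reply is skipped, and any reply ends the search for that candidate.
    """
    for qname in candidate_names(name, suffixes):
        for server in server_priority(servers):
            reply = answer_fn(server.address, qname)
            if reply is None:
                continue          # no reply: try the next server
            if reply:
                return qname, reply
            break                 # the server answered "no such name": try the next candidate
    return None


# Constructed zone data: 2.1.1.2 mirrors the dynamic resolution example, 2.1.1.10 never answers.
CONSTRUCTED_ZONES = {
    "2.1.1.2": {"host.com": "2.1.1.1", "www.example.com": "2.1.1.9"},
    "2.1.1.10": None,
}


def constructed_lookup(server_address: str, qname: str) -> Optional[str]:
    zone = CONSTRUCTED_ZONES.get(server_address)
    if zone is None:
        return None
    return zone.get(qname.rstrip("."), "")


if __name__ == "__main__":
    servers = [DnsServer("2.1.1.10", "system"), DnsServer("2.1.1.2", "interface")]
    for q in ("host", "www.example", "host.com.", "nothing"):
        print(q, "->", resolve(q, ["com"], servers, constructed_lookup))
```

Two things worth noticing when you run it: a dead server that is first in priority costs a timeout on every candidate name, and a bare name such as host is tried with every suffix before it is tried as typed, so a suffix list that points at a zone you do not control decides where that query goes.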
Displaying and maintaining IPv4 DNS
• Display the static IPv4 domain name resolution table: display ip host [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display IPv4 DNS server information: display dns server [ dynamic ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display DNS suffixes: display dns domain [ dynamic ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the information of the dynamic IPv4 domain name cache: display dns host ip [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Clear the information of the dynamic IPv4 domain name cache: reset dns host ip (Available in user view)
IPv4 DNS configuration examples
Static domain name resolution configuration example
Network requirements
As shown in Figure 21, the device wants to access the host by using an easy-to-remember domain name
rather than an IP address.
Configure static domain name resolution on the device so that the device can use the domain name
host.com to access the host whose IP address is 10.1.1.2.
Figure 21 Network diagram for static domain name resolution
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
<Sysname> system-view
[Sysname] ip host host.com 10.1.1.2
# Use the ping host.com command to verify that the device can use static domain name resolution to
resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
PING host.com (10.1.1.2): 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/4 ms
Dynamic domain name resolution configuration example
Network requirements
As shown in Figure 22, the device wants to access the host by using an easy-to-remember domain name
rather than an IP address, and to request the DNS server on the network for an IP address by using
dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has
a com domain, which stores the mapping between domain name host and IP address 2.1.1.1/16.
Configure dynamic domain name resolution and the domain name suffix com on the device that serves
as a DNS client so that the device can use domain name host to access the host with the domain name
host.com and the IP address 2.1.1.1/16.
Figure 22 Network diagram for dynamic domain name resolution
(Figure: Host host.com at 2.1.1.1/16, DNS server at 2.1.1.2/16, and Device, the DNS client, at 2.1.1.3/16.)
Configuration procedure
NOTE:
• Before performing the following configuration, check that the IP addresses of the interfaces are
configured as shown in Figure 22.
• This configuration may vary with different DNS servers. The following configuration is performed on a
PC running Windows Server 2000.
1. Configure the DNS server
# Enter the DNS server configuration page.
Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
As shown in Figure 23, right click Forward Lookup Zones, select New zone, and then follow the
instructions to create a new zone named com.
Figure 23 Create a zone
# Create a mapping between host name and IP address.
Figure 24 Add a host
In Figure 24, right click zone com, and then select New Host to bring up a dialog box as shown in Figure
25. Enter host name host and IP address 2.1.1.1.
Figure 25 Add a mapping between domain name and IP address
2. Configure the DNS client
# Enable dynamic domain name resolution.
<Sysname> system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
3. Configuration verification
# Use the ping host command on the device to verify that the communication between the device and the
host is normal and that the corresponding destination IP address is 2.1.1.1.
[Sysname] ping host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (2.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 2.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 2.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 2.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 2.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 2.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
Troubleshooting IPv4 DNS configuration
Symptom
After enabling dynamic domain name resolution, the user cannot get the correct IP address.
Solution
• Use the display dns host ip command to verify that the specified domain name is in the cache.
• If the specified domain name does not exist, check that dynamic domain name resolution is enabled and that the DNS client can communicate with the DNS server.
• If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.
• Verify that the mapping between the domain name and IP address is correct on the DNS server.
IPv6 DNS configuration
Introduction to IPv6 DNS
IPv6 DNS is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS
includes static domain name resolution and dynamic domain name resolution. The functions and
implementations of the two types of domain name resolution are the same as those of IPv4 DNS. For
more information, see the chapter “IPv4 DNS configuration.”
Configuring the IPv6 DNS client
Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and
IPv6 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by
using host names instead of IPv6 addresses.
Follow these steps to configure static domain name resolution:
To do…                                                        Use the command…                  Remarks
Enter system view                                             system-view                       —
Configure a mapping between a host name and an IPv6 address   ipv6 host hostname ipv6-address   Required. Not configured by default.
NOTE:
• A host name can be mapped to one IPv6 address only. If you map a host name to different IPv6
addresses, the last configuration takes effect.
• You can configure up to 50 mappings between domain name and IPv6 address.
Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, dynamic domain name resolution needs to be
enabled and a DNS server needs to be configured.
In addition, you can configure a DNS suffix that the system will automatically add to the provided
domain name for resolution.
Follow these steps to configure dynamic domain name resolution:
To do…                                  Use the command…                                                   Remarks
Enter system view                       system-view                                                        —
Enable dynamic domain name resolution   dns resolve                                                        Required. Disabled by default.
Specify a DNS server                    dns server ipv6 ipv6-address [ interface-type interface-number ]   Required. Not specified by default. If the IPv6 address of the DNS server is a link-local address, you must specify the interface-type and interface-number arguments.
Configure a DNS suffix                  dns domain domain-name                                             Optional. Not configured by default. Only the provided domain name is resolved.
NOTE:
• The dns resolve and dns domain commands are the same as those of IPv4 DNS.
• You can configure up to six DNS servers, including those with IPv4 addresses.
• You can specify up to ten DNS suffixes.
Displaying and maintaining IPv6 DNS
To do…                                                 Use the command…                                                                             Remarks
Display the static IPv6 domain name resolution table   display ipv6 host [ | { begin | exclude | include } regular-expression ]                     Available in any view
Display IPv6 DNS server information                    display dns ipv6 server [ dynamic ] [ | { begin | exclude | include } regular-expression ]   Available in any view
Display DNS suffixes                                   display dns domain [ dynamic ] [ | { begin | exclude | include } regular-expression ]        Available in any view
Display the dynamic IPv6 domain name cache             display dns host ipv6 [ | { begin | exclude | include } regular-expression ]                 Available in any view
Clear the dynamic IPv6 domain name cache               reset dns host ipv6                                                                          Available in user view
IPv6 DNS configuration examples
Static domain name resolution configuration example
Network requirements
As shown in Figure 26, the device wants to access the host by using an easy-to-remember domain name
rather than an IPv6 address. Configure static domain name resolution on the device so that the device
can use the domain name host.com to access the host whose IPv6 address is 1::2.
Figure 26 Network diagram for static domain name resolution
Configuration procedure
# Configure a mapping between host name host.com and IPv6 address 1::2.
<Device> system-view
[Device] ipv6 host host.com 1::2
# Enable IPv6 packet forwarding.
[Device] ipv6
# Use the ping ipv6 host.com command to verify that the device can use static domain name resolution
to resolve domain name host.com into IPv6 address 1::2.
[Device] ping ipv6 host.com
PING host.com (1::2): 56 data bytes, press CTRL_C to break
Reply from 1::2
bytes=56 Sequence=1 hop limit=128 time = 3 ms
Reply from 1::2
bytes=56 Sequence=2 hop limit=128 time = 1 ms
Reply from 1::2
bytes=56 Sequence=3 hop limit=128 time = 1 ms
Reply from 1::2
bytes=56 Sequence=4 hop limit=128 time = 2 ms
Reply from 1::2
bytes=56 Sequence=5 hop limit=128 time = 2 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
Dynamic domain name resolution configuration example
Network requirements
As shown in Figure 27, the device wants to access the host by using an easy-to-remember domain name
rather than an IPv6 address. The IPv6 address of the DNS server is 2::2/64 and the server has a com
domain, which stores the mapping between domain name host and IPv6 address 2::1/64.
Configure dynamic domain name resolution and the domain name suffix com on the device that serves
as a DNS client so that the device can use domain name host to access the host with the domain name
host.com and the IPv6 address 2::1/64.
Figure 27 Network diagram of dynamic domain name resolution (Host host.com at 2::1/64; DNS server at 2::2/64; Device, the DNS client, at 2::3/64)
Configuration procedure
NOTE:
• Before performing the following configuration, make sure that the IPv6 addresses of the interfaces are configured as shown in Figure 27.
• This configuration may vary with different DNS servers. The following configuration is performed on a
PC running Windows Server 2003. Make sure that the DNS server supports the IPv6 DNS function so
that the server can process IPv6 DNS packets, and the interfaces of the DNS server can forward IPv6
packets.
1. Configure the DNS server
# Enter the DNS server configuration page.
Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
As shown in Figure 28, right click Forward Lookup Zones, select New zone, and then follow the
instructions to create a new zone named com.
Figure 28 Create a zone
# Create a mapping between the host name and the IPv6 address.
As shown in Figure 29, right click zone com.
Figure 29 Create a record
In Figure 29, select Other New Records to bring up a dialog box as shown in Figure 30. Select IPv6 Host (AAAA) as the resource record type.
Figure 30 Select the resource record type
As shown in Figure 31, type host name host and IPv6 address 2::1, and then click OK.
Figure 31 Add a mapping between domain name and IPv6 address
2. Configure the DNS client
# Enable dynamic domain name resolution.
<Device> system-view
[Device] dns resolve
# Specify the DNS server 2::2.
[Device] dns server ipv6 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
3. Configuration verification
# Use the ping ipv6 host command on the device to verify that the communication between the device
and the host is normal and that the corresponding destination IP address is 2::1.
[Device] ping ipv6 host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2::2)
PING host.com (2::1): 56 data bytes, press CTRL_C to break
Reply from 2::1
bytes=56 Sequence=1 hop limit=126 time = 2 ms
Reply from 2::1
bytes=56 Sequence=2 hop limit=126 time = 1 ms
Reply from 2::1
bytes=56 Sequence=3 hop limit=126 time = 1 ms
Reply from 2::1
bytes=56 Sequence=4 hop limit=126 time = 1 ms
Reply from 2::1
bytes=56 Sequence=5 hop limit=126 time = 1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
IP performance optimization configuration
IP performance optimization overview
Use the following configurations to optimize IP performance:
• Configuring the TCP send/receive buffer size
• Configuring TCP timers
• Enabling ICMP error packet sending
Configuring TCP attributes
Configuring the TCP send/receive buffer size
Follow these steps to configure the TCP send/receive buffer size:
To do…                                              Use the command…         Remarks
Enter system view                                   system-view              —
Configure the size of the TCP receive/send buffer   tcp window window-size   Optional. 8 KB by default.
Configuring TCP timers
You can configure the following TCP timers:
• synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be established.
• finwait timer: When a TCP connection changes to the FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received within the timer interval, the TCP connection is terminated. If a FIN packet is received, the TCP connection state changes to TIME_WAIT. If non-FIN packets are received, the system restarts the timer on each one; the connection is torn down when the timer finally expires.
Follow these steps to configure TCP timers:
To do…                            Use the command…                   Remarks
Enter system view                 system-view                        —
Configure the TCP synwait timer   tcp timer syn-timeout time-value   Optional. 75 seconds by default.
Configure the TCP finwait timer   tcp timer fin-timeout time-value   Optional. 675 seconds by default.
CAUTION:
The actual length of the finwait timer is determined by the following formula:
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the
synwait timer
Configuring ICMP to send error packets
Introduction
Sending error packets is a major function of ICMP. When a network abnormality occurs, the network or transport layer sends an ICMP error packet to notify the affected device, so that the condition can be controlled and managed.
Advantages of sending ICMP error packets
ICMP error packets include redirect, timeout, and destination unreachable packets.
1. Sending ICMP redirect packets
After startup, a host may have only a default route to the default gateway in its routing table. If all of the following conditions are satisfied, the default gateway sends an ICMP redirect packet to the source host, telling it to select a better next hop for subsequent packets:
• The receiving and forwarding interfaces are the same.
• The selected route has not been created or modified by an ICMP redirect packet.
• The selected route is not the default route of the switch.
• There is no source route option in the packet.
The ICMP redirect function simplifies host administration and enables a host to gradually build a sound routing table and find the best route.
2. Sending ICMP timeout packets
If the switch receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source.
The switch sends an ICMP timeout packet under the following conditions:
• If the switch finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a “TTL timeout” ICMP error message.
• When the switch receives the first fragment of an IP datagram whose destination is the switch itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the switch sends a “reassembly timeout” ICMP error packet.
3. Sending ICMP destination unreachable packets
If the switch receives an IP packet whose destination is unreachable, it drops the packet and sends an ICMP destination unreachable error packet to the source.
Conditions for sending this ICMP packet:
• If neither a route nor the default route for forwarding a packet is available, the switch sends a “network unreachable” ICMP error packet.
• If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the switch sends a “protocol unreachable” ICMP error packet to the source.
• When receiving a packet with a local destination and UDP as the transport layer protocol, if the packet’s port number does not match a running process, the switch sends the source a “port unreachable” ICMP error packet.
• If the source uses “strict source routing” to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the switch sends the source a “source routing failure” ICMP error packet.
• When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has been set as “Don’t Fragment,” the switch sends the source a “fragmentation needed and Don’t Fragment (DF)-set” ICMP error packet.
Disadvantages of sending ICMP error packets
Sending ICMP error packets facilitates network control and management, but it has the following disadvantages:
• Sending a lot of ICMP packets increases network traffic.
• If a switch receives a lot of malicious packets that cause it to send ICMP error packets, its performance is reduced.
• Because the redirect function increases the size of a host’s routing table, the host’s performance is reduced if its routing table becomes very large.
• If an attacker sends abnormal traffic that causes the switch to generate ICMP destination unreachable packets, end users may be affected.
To prevent such problems, disable the switch from sending ICMP error packets (all three types are disabled by default). Note that disabling destination unreachable packets also suppresses the “fragmentation needed and Don’t Fragment (DF)-set” message listed above, which IPv4 path MTU discovery relies on: a host that sends DF-marked packets larger than the MTU of the outgoing interface then gets no notification, and those packets are dropped silently.
Configuration procedure
Follow these steps to enable sending of ICMP error packets:
To do…                                                   Use the command…         Remarks
Enter system view                                        system-view              —
Enable sending of ICMP redirect packets                  ip redirects enable      Required. Disabled by default.
Enable sending of ICMP timeout packets                   ip ttl-expires enable    Required. Disabled by default.
Enable sending of ICMP destination unreachable packets   ip unreachables enable   Required. Disabled by default.
NOTE:
The switch stops sending “TTL timeout” ICMP error packets after the sending of ICMP timeout packets is
disabled. However, “reassembly timeout” error packets will be sent normally.
Displaying and maintaining IP performance
optimization
To do…                                                                  Use the command…                                                                                                            Remarks
Display TCP connection statistics                                       display tcp statistics [ | { begin | exclude | include } regular-expression ]                                               Available in any view
Display UDP statistics                                                  display udp statistics [ | { begin | exclude | include } regular-expression ]                                               Available in any view
Display statistics of IP packets                                        display ip statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]                           Available in any view
Display ICMP statistics                                                 display icmp statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]                         Available in any view
Display socket information                                              display ip socket [ socktype sock-type ] [ task-id socket-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]   Available in any view
Display FIB information                                                 display fib [ acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | include | exclude } regular-expression ]            Available in any view
Display FIB information matching the specified destination IP address   display fib ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ]                       Available in any view
Clear statistics of IP packets                                          reset ip statistics [ slot slot-number ]                                                                                    Available in user view
Clear statistics of TCP connections                                     reset tcp statistics                                                                                                        Available in user view
Clear statistics of UDP traffic                                         reset udp statistics                                                                                                        Available in user view
IPv6 basics configuration
IPv6 overview
Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet
Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant
difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
IPv6 features
Header format simplification
IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header. The basic IPv6 packet header has a fixed length of 40 bytes to simplify IPv6 packet handling and to improve forwarding efficiency. Although an IPv6 address is four times as long as an IPv4 address, the basic IPv6 packet header is only twice the size of an option-less IPv4 packet header.
Figure 32 IPv4 packet header format and basic IPv6 packet header format
Larger address space
The source and destination IPv6 addresses are 128 bits (or 16 bytes) long. IPv6 can provide 3.4 × 10^38 addresses to meet the requirements of hierarchical address division and the allocation of public and private addresses.
Hierarchical address structure
IPv6 uses hierarchical address structure to make route searches faster and reduce the IPv6 routing table
size by route aggregation.
Address autoconfiguration
To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server).
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
To communicate with other hosts on the same link, a host automatically generates a link-local address
based on its link-layer address and the link-local address prefix (FE80::/10).
Built-in security
IPv6 defines extension headers to support IPsec. IPsec provides end-to-end security for network security
solutions and enhances interoperability among different IPv6 applications.
QoS support
The Flow Label field in the IPv6 header allows the switch to label the packets and facilitates the special
handling of a flow.
Enhanced neighbor discovery mechanism
The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message
Protocol version 6 (ICMPv6) messages to manage the information exchange among neighboring nodes
on the same link. The group of ICMPv6 messages replaces Address Resolution Protocol (ARP) messages,
Internet Control Message Protocol version 4 (ICMPv4) Router Discovery messages, and ICMPv4 Redirect
messages and provides a series of other functions.
Flexible extension headers
IPv6 eliminates the Options field in the header and introduces optional extension headers to provide
scalability and improve efficiency. The Options field in the IPv4 packet header contains a maximum of
40 bytes, whereas the IPv6 extension headers are restricted to the maximum size of IPv6 packets only.
IPv6 addresses
IPv6 address format
An IPv6 address is represented as a set of 16-bit hexadecimals separated by colons. An IPv6 address is
divided into eight groups, and each 16-bit group is represented by four hexadecimal numbers, for
example, 2001:0000:130F:0000:0000:09C0:876A:130B.
To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the following methods.
• The leading zeros in each group can be removed. For example, the previous address can be represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.
• If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, the previous address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.
CAUTION:
A double colon may appear once or not at all in an IPv6 address. This limit allows the switch to determine
how many zeros the double colon represents, and correctly convert it to zeros to restore a 128-bit IPv6
address.
An IPv6 address consists of an address prefix and an interface ID, which correspond to the network ID and the host ID of an IPv4 address, respectively.
An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the IPv6-address is represented in any of the formats previously mentioned and the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address comprise the address prefix.
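The expansion and compression rules above, the single-double-colon restriction in the CAUTION, and the prefix-length notation, implemented in Python as an added example (this is not code from the HP guide). The function names expand, compress, is_valid, split_prefix, prefix_bits and agrees_with_stdlib are this example's own, and the results are cross-checked against Python's standard ipaddress module:

```python
"""Expand and compress IPv6 addresses by the rules in the text.

Added example, not code from the HP guide. The function names are this
example's own. Results are cross-checked against Python's standard
ipaddress module, which implements the same RFC rules.
"""
from __future__ import annotations

import ipaddress
import re

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(addr: str) -> str:
    """Return the full form: eight groups of four hex digits.

    A single "::" stands for as many zero groups as are needed to reach
    eight; a second "::" is rejected because the count would then be
    ambiguous (the CAUTION in the text).
    """
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must replace at least one zero group: {addr!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            raise ValueError(f"expected 8 groups, got {len(groups)}: {addr!r}")
    for group in groups:
        if not _HEX_GROUP.match(group):
            raise ValueError(f"bad group {group!r} in {addr!r}")
    return ":".join(group.zfill(4).upper() for group in groups)


def compress(addr: str) -> str:
    """Return the shortest form.

    Leading zeros are dropped from every group, and the longest run of two
    or more consecutive zero groups becomes "::" (the leftmost run on a
    tie, as RFC 5952 recommends). A lone zero group stays "0".
    """
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def is_valid(addr: str) -> bool:
    """True if the text parses under the rules above."""
    try:
        expand(addr)
    except ValueError:
        return False
    return True


def split_prefix(text: str) -> tuple[str, int]:
    """Split IPv6-address/prefix-length notation into (expanded address, length)."""
    addr, _, plen = text.partition("/")
    length = int(plen) if plen else 128
    if not 0 <= length <= 128:
        raise ValueError(f"prefix length out of range in {text!r}")
    return expand(addr), length


def prefix_bits(text: str) -> int:
    """The leftmost prefix-length bits of the address, as an integer.

    FE80::/10 gives 0b1111111010, the link-local format prefix in Table 4.
    """
    full, length = split_prefix(text)
    return int(full.replace(":", ""), 16) >> (128 - length)


def agrees_with_stdlib(addr: str) -> bool:
    """Both of our forms denote the same 128-bit value that ipaddress sees."""
    want = ipaddress.IPv6Address(addr)
    return ipaddress.IPv6Address(expand(addr)) == want == ipaddress.IPv6Address(compress(addr))
```

Rejecting a second "::" rather than guessing is the point of is_valid: any parser that silently accepts "1::2::3" has to pick a zero count, and two parsers that pick differently will disagree about which host a record or an ACL entry names.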
IPv6 address types
IPv6 addresses fall into three types: unicast address, multicast address, and anycast address.
• Unicast address: An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.
• Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.
• Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the nearest one of the interfaces identified by that address. The nearest interface is chosen according to the routing protocols' measure of distance.
NOTE:
There are no broadcast addresses in IPv6. Their function is replaced by multicast addresses.
The type of an IPv6 address is designated by the first several bits, called the format prefix. Table 4 lists
the mappings between address types and format prefixes.
Table 4 Mappings between address types and format prefixes
Type                               Format prefix (binary)   IPv6 prefix ID
Unicast address
  Unspecified address              00...0 (128 bits)        ::/128
  Loopback address                 00...1 (128 bits)        ::1/128
  Link-local address               1111111010               FE80::/10
  Site-local address               1111111011               FEC0::/10
  Global unicast address           Other forms              —
Multicast address                  11111111                 FF00::/8
Anycast address                    Anycast addresses use the unicast address space and have the same structure as unicast addresses.
Unicast addresses
Unicast addresses comprise global unicast addresses, link-local unicast addresses, site-local unicast
addresses, the loopback address, and the unspecified address.
• Global unicast addresses, equivalent to public IPv4 addresses, are provided for network service providers. This type of address allows efficient prefix aggregation to restrict the number of global routing entries.
• Link-local addresses are used for communication among nodes on the same link, for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.
• Site-local unicast addresses are similar to private IPv4 addresses. Packets with site-local source or destination addresses are not forwarded out of the local site (or a private network).
• The loopback address is 0:0:0:0:0:0:0:1 (or ::1). It cannot be assigned to any physical interface and can be used by a node to send an IPv6 packet to itself, in the same way as the loopback address in IPv4.
• The unspecified address is 0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets (for example, during duplicate address detection). The unspecified address cannot be used as a destination IPv6 address.
Multicast addresses
IPv6 multicast addresses listed in Table 5 are reserved for special purposes.
Table 5 Reserved IPv6 multicast addresses
Address   Application
FF01::1   Node-local scope all-nodes multicast address
FF02::1   Link-local scope all-nodes multicast address
FF01::2   Node-local scope all-routers multicast address
FF02::2   Link-local scope all-routers multicast address
FF05::2   Site-local scope all-routers multicast address
Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast
address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate
addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format
of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. FF02:0:0:0:0:1:FF is fixed and
consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.
EUI-64 address-based interface identifiers
An interface identifier is 64 bits, and uniquely identifies an interface on a link.
Interfaces generate EUI-64 address-based interface identifiers differently.
• On an IEEE 802 interface (such as a VLAN interface)
The interface identifier is derived from the link-layer address (typically a MAC address) of the interface. To expand the 48-bit MAC address to a 64-bit interface identifier, the hexadecimal number FFFE (16 bits of 1111111111111110) is inserted into the MAC address behind the 24th high-order bit, and the universal/local (U/L) bit (the seventh high-order bit) is inverted, as RFC 3513 specifies. A globally unique, vendor-assigned MAC address has its U/L bit set to 0, so the inversion sets the bit to 1 and marks the resulting interface identifier as globally unique.
Figure 33 shows how an EUI-64 address-based interface identifier is generated from a MAC address.
Figure 33 Convert a MAC address into an EUI-64 address-based interface identifier
• On an interface of another type
The EUI-64 address-based interface identifier is generated randomly by the switch.
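The two derivations described above, the EUI-64 interface identifier built from a MAC address and the solicited-node multicast address built from a unicast address, as an added Python example (this is not code from the HP guide). It also recovers the MAC address from an EUI-64-derived address, which shows why EUI-64 identifiers expose a host's hardware address to every peer it talks to. The MAC address 00-0E-0C-82-C4-D4 and the prefix 2001:DB8::/64 are constructed test values, and the function names are this example's own:

```python
"""EUI-64 interface identifiers and solicited-node multicast addresses.

Added example, not code from the HP guide. The MAC address and prefix in
the demo are constructed test values; function names are this example's
own. Uses only Python's standard ipaddress module.
"""
from __future__ import annotations

import ipaddress


def mac_to_eui64_iid(mac: str) -> int:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier.

    Step 1: insert FFFE between the upper 24 bits (OUI) and the lower
    24 bits. Step 2: invert the universal/local bit, the seventh
    high-order bit (RFC 3513 / RFC 4291 Appendix A). A globally unique,
    vendor-assigned MAC has that bit at 0, so the inversion sets it to 1.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return int.from_bytes(eui64, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration: a /64 prefix from an RA plus the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac)))


def mac_from_eui64(addr: str) -> str | None:
    """Recover the MAC embedded in an EUI-64-derived address, or None.

    This is the privacy cost of EUI-64 identifiers: the hardware address is
    readable by every peer, and it stays the same across every prefix the
    host ever uses, so the host can be tracked between networks.
    """
    iid = bytearray((int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L inversion
    return "-".join(f"{b:02X}" for b in iid[:3] + iid[5:])


def solicited_node(addr: str) -> str:
    """FF02:0:0:0:0:1:FFXX:XXXX, where XX:XXXX is the low 24 bits of the unicast or anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    group = (0xFF02 << 112) | (1 << 32) | (0xFF << 24) | low24
    return str(ipaddress.IPv6Address(group))


if __name__ == "__main__":
    mac = "00-0E-0C-82-C4-D4"  # constructed example MAC
    addr = eui64_address("2001:DB8::/64", mac)
    print(addr, "listens on", solicited_node(addr), "and embeds MAC", mac_from_eui64(addr))
```

The ipaddress module prints addresses in compressed lowercase form, so the returned strings look like 2001:db8::20e:cff:fe82:c4d4; the FF-FE marker in the middle of the interface identifier is what mac_from_eui64 keys on, and the same marker is what a remote observer looks for.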
IPv6 neighbor discovery protocol
The IPv6 Neighbor Discovery (ND) protocol uses the following types of ICMPv6 messages to implement
the following functions:
• Address resolution
• Neighbor reachability detection
• Duplicate address detection
• Router/prefix discovery and address autoconfiguration
• Redirection
Table 6 lists the types and functions of ICMPv6 messages used by the ND protocol.
Table 6 ICMPv6 messages used by ND
ICMPv6 message                        Type   Function
Neighbor Solicitation (NS) message    135    Acquires the link-layer address of a neighbor. Verifies whether a neighbor is reachable. Detects duplicate addresses.
Neighbor Advertisement (NA) message   136    Responds to an NS message. Notifies the neighboring nodes of link layer changes.
Router Solicitation (RS) message      133    Requests an address prefix and other configuration information for autoconfiguration after startup.
Router Advertisement (RA) message     134    Responds to an RS message. Advertises information such as the Prefix Information options and flag bits.
Redirect message                      137    Informs the source host of a better next hop on the path to a particular destination when certain conditions are satisfied.
Address resolution
This function is similar to the ARP function in IPv4. An IPv6 node acquires the link-layer addresses of
neighboring nodes on the same link through NS and NA message exchanges. Figure 34 shows how
Host A acquires the link-layer address of Host B on a single link.
Figure 34 Address resolution
The address resolution operates in the following steps.
1. Host A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of Host A and the destination address is the solicited-node multicast address of Host B. The NS message contains the link-layer address of Host A.
2. After receiving the NS message, Host B determines whether the destination address of the packet is its solicited-node multicast address. If yes, Host B learns the link-layer address of Host A, and then unicasts an NA message containing its link-layer address.
3. Host A acquires the link-layer address of Host B from the NA message.
Neighbor reachability detection
After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages
to check whether Host B is reachable.
1. Host A sends an NS message whose destination address is the IPv6 address of Host B.
2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable.
Duplicate address detection
After Host A acquires an IPv6 address, it performs Duplicate Address Detection (DAD) to check whether
the address is being used by any other node (similar to the gratuitous ARP function in IPv4). DAD is
accomplished through NS and NA message exchanges. Figure 35 shows the DAD process.
Figure 35 Duplicate address detection
The DAD works in the following steps.
1. Host A sends an NS message whose source address is the unspecified address and whose destination address is the solicited-node multicast address corresponding to the IPv6 address to be detected. The NS message contains the IPv6 address.
2. If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6 address of Host B.
3. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from Host B. If it receives no NA message, Host A decides that the IPv6 address is not in use and uses this address.
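The three DAD steps above as the ICMPv6 messages that actually cross the link, in an added Python example (this is not code from the HP guide): the NS probe with the unspecified source and the solicited-node destination, the NA reply from a node that already owns the address, the pseudo-header checksum both must carry, and the decision the probing host makes from the replies it sees. The addresses 2001:db8::1 and 2001:db8::2 are constructed test values and the function names are this example's own; the message layout follows RFC 2461 (now RFC 4861) and the checksum RFC 2463 (now RFC 4443):

```python
"""Duplicate Address Detection on the wire: the NS probe and the NA reply.

Added example, not code from the HP guide. Builds the ICMPv6 messages the
DAD steps describe (RFC 4861 layout, RFC 4443 checksum over the IPv6
pseudo-header) and decides from the replies seen whether the tentative
address is already in use. Addresses are constructed test values and the
function names are this example's own.
"""
from __future__ import annotations

import ipaddress
import struct

ICMPV6_NS = 135
ICMPV6_NA = 136
NEXT_HEADER_ICMPV6 = 58
ALL_NODES = "ff02::1"
UNSPECIFIED = "::"


def solicited_node(addr: str) -> str:
    """FF02::1:FFXX:XXXX, where XX:XXXX is the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (1 << 32) | (0xFF << 24) | low24))


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([NEXT_HEADER_ICMPV6]))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _with_checksum(src: str, dst: str, body: bytes) -> bytes:
    """Fill the checksum field (bytes 2-3) of a message built with it zeroed."""
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def verify_icmpv6(src: str, dst: str, msg: bytes) -> bool:
    """A correctly checksummed message sums to zero with its checksum field included."""
    return icmpv6_checksum(src, dst, msg) == 0


def build_dad_ns(tentative: str) -> tuple[str, str, bytes]:
    """Step 1: NS from the unspecified address to the tentative address's solicited-node group.

    No source link-layer address option is attached: a sender using :: has
    nothing to advertise yet (RFC 4861 section 7.2.2).
    """
    target = ipaddress.IPv6Address(tentative)
    dst = solicited_node(tentative)
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + target.packed  # type, code, checksum, reserved, target
    return UNSPECIFIED, dst, _with_checksum(UNSPECIFIED, dst, body)


def build_na(owner: str, target: str) -> bytes:
    """Step 2: the node that already uses the address answers with an NA.

    It goes to all nodes (FF02::1), since the prober has no unicast address
    to reply to; Solicited flag clear, Override flag set (RFC 4861 section 7.2.4).
    """
    flags = 0x20000000  # R=0, S=0, O=1
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    return _with_checksum(owner, ALL_NODES, body)


def dad_detects_duplicate(tentative: str, replies: list[bytes]) -> bool:
    """Step 3: the address is taken if any NA received names it as its target."""
    target = ipaddress.IPv6Address(tentative)
    return any(len(m) >= 24 and m[0] == ICMPV6_NA and ipaddress.IPv6Address(m[8:24]) == target
               for m in replies)
```

Step 3 has no authentication: the prober believes any NA whose target field matches, so a node that answers every probe on the link keeps its neighbours from ever completing autoconfiguration (the DAD denial of service catalogued in RFC 3756). That is the trust assumption to keep in mind when reading the ND steps.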
Router/prefix discovery and address autoconfiguration
Router/prefix discovery enables a node to locate the neighboring routers and to learn from the received
RA message configuration parameters such as the prefix of the network where the node is located.
Stateless address autoconfiguration enables a node to generate an IPv6 address automatically
according to the information obtained through router/prefix discovery.
Router/prefix discovery is implemented through RS and RA messages in the following steps:
1. At startup, a node sends an RS message to request from any available router the address prefix and other configuration information for autoconfiguration.
2. A router returns an RA message containing information such as Prefix Information options. (The router also periodically sends an RA message.)
3. The node automatically generates an IPv6 address and other configuration information according to the address prefix and other configuration parameters in the RA message.
NOTE:
• In addition to an address prefix, the Prefix Information option also contains the preferred lifetime and
valid lifetime of the address prefix. Nodes update the preferred lifetime and valid lifetime accordingly
through periodic RA messages.
• An automatically generated address is applicable within the valid lifetime and is removed when the
valid lifetime expires.
Redirection
A newly started host may contain only a default route to the gateway in its routing table. When certain
conditions are satisfied, the gateway sends an ICMPv6 Redirect message to the source host, so the host
can select a better next hop to forward packets (similar to the ICMP redirection function in IPv4).
The gateway sends an ICMPv6 Redirect message when the following conditions are satisfied.
• The receiving interface is the forwarding interface.
• The selected route itself is not created or modified by an ICMPv6 Redirect message.
• The selected route is not the default route.
• The IPv6 packet to be forwarded does not contain any routing header.
IPv6 PMTU discovery
The links that a packet passes from a source to a destination may have different MTUs. In IPv6, intermediate devices do not fragment packets: a packet that exceeds the path MTU (PMTU) is fragmented only by the source node, which reduces the processing load on intermediate devices and uses network resources more effectively.
The PMTU discovery mechanism is designed to find the minimum MTU of all links in the path between a
source and a destination. Figure 36 shows how a source host discovers the PMTU to a destination host.
Figure 36 PMTU discovery process
The PMTU discovery works in the following steps.
1. The source host compares its MTU with the packet to be sent, performs any necessary fragmentation, and sends the resulting packet to the destination host.
2. If the MTU supported by a forwarding interface is smaller than the packet, the switch discards the packet and returns an ICMPv6 Packet Too Big error packet containing the interface MTU to the source host.
3. After receiving the ICMPv6 error packet, the source host uses the returned MTU to limit the packet size, performs fragmentation, and sends the resulting packet to the destination host.
4. Steps 2 and 3 are repeated until the destination host receives the packet. In this way, the source host learns the minimum MTU of all links in the path to the destination host.
IPv6 transition technologies
Before IPv6 dominates the Internet, efficient and seamless transition technologies are needed to enable communication between IPv4 and IPv6 networks. Several IPv6 transition technologies can be used in different environments and periods, such as dual stack (RFC 2893), tunneling (RFC 2893), and NAT-PT (RFC 2766).
• Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can forward both IPv4 and IPv6 packets. For an upper layer application that supports both IPv4 and IPv6, either TCP or UDP can be selected at the transport layer, whereas the IPv6 stack is preferred at the network layer. Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual stack node must have a globally unique IP address.
• Tunneling is an encapsulation technology that uses one network protocol to encapsulate packets of another network protocol, and then transfers them over the network.
• Network Address Port Translation – Protocol Translation (NAPT-PT) is usually applied on a switch between IPv4 and IPv6 networks to translate between IPv4 and IPv6 packets, allowing communication between IPv4 and IPv6 nodes. It performs IP address translation and, according to the protocol, semantic translation of packets. This technology is only suitable for communication between a pure IPv4 node and a pure IPv6 node.
NOTE:
The switch does not support Tunneling and NAT-PT.
Protocols and standards
Protocols and standards related to IPv6 include:
• RFC 1881, IPv6 Address Allocation Management
• RFC 1887, An Architecture for IPv6 Unicast Address Allocation
• RFC 1981, Path MTU Discovery for IP version 6
• RFC 2375, IPv6 Multicast Address Assignments
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
• RFC 2461, Neighbor Discovery for IP Version 6 (IPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
• RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses
• RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture
IPv6 basics configuration task list
Complete the following tasks to perform IPv6 basics configuration:
Task / Remarks
• Enabling IPv6: Required
• Configuring basic IPv6 functions (required to configure one of the following):
  • Configuring an IPv6 global unicast address
  • Configuring an IPv6 link-local address
  • Configure an IPv6 anycast address
• Configuring IPv6 ND:
  • Configuring a static neighbor entry: Optional
  • Configuring the maximum number of neighbors dynamically learned: Optional
  • Configuring parameters related to RA messages: Optional
  • Configuring the maximum number of attempts to send an NS message for DAD: Optional
  • Setting the age timer for ND entries: Optional
  • Configuring ND snooping: Optional
• Configuring PMTU discovery:
  • Configuring a static PMTU for a specified IPv6 address: Optional
  • Configuring the aging time for dynamic PMTUs: Optional
• Configuring IPv6 TCP properties: Optional
• Configuring ICMPv6 packet sending:
  • Configuring the maximum ICMPv6 error packets sent in an interval: Optional
  • Enabling replying to multicast echo requests: Optional
  • Enabling sending of ICMPv6 time exceeded messages: Optional
  • Enabling sending of ICMPv6 destination unreachable messages: Optional
Configuring basic IPv6 functions
Enabling IPv6
Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface
cannot forward IPv6 packets even if it has an IPv6 address configured.
Follow these steps to enable IPv6:
1. Enter system view.
   Command: system-view
2. Enable IPv6.
   Command: ipv6
   Remarks: Required. Disabled by default.
Configuring an IPv6 global unicast address
Configure an IPv6 global unicast address by using one of the following options:
• EUI-64 IPv6 addressing: The IPv6 address prefix of an interface is manually configured, and the interface identifier is generated automatically by the interface.
• Manual configuration: The IPv6 global unicast address is configured manually.
• Stateless address autoconfiguration: The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.
NOTE:
• You can configure multiple IPv6 global unicast addresses with different prefixes on an interface.
• A manually configured global unicast address takes precedence over an automatically generated one. If a global unicast address has already been automatically generated on an interface when you manually configure another one with the same address prefix, the manual address overwrites the automatic one. The overwritten automatic global unicast address is not restored even if the manual one is removed. Instead, a new global unicast address is generated automatically based on the address prefix information in the next RA message that the interface receives.
EUI-64 IPv6 addressing
Follow these steps to configure an interface to generate an EUI-64 IPv6 address:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure the interface to generate an EUI-64 IPv6 address.
   Command: ipv6 address ipv6-address/prefix-length eui-64
   Remarks: Required. By default, no IPv6 global unicast address is configured on an interface.
Manual configuration
Follow these steps to specify an IPv6 address manually for an interface:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure an IPv6 address manually.
   Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
   Remarks: Required. By default, no IPv6 global unicast address is configured on an interface.
Stateless address autoconfiguration
Follow these steps to configure an interface to generate an IPv6 address by using stateless address autoconfiguration:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure an IPv6 address to be generated through stateless address autoconfiguration.
   Command: ipv6 address auto
   Remarks: Required. By default, no IPv6 global unicast address is configured on an interface.
NOTE:
Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses
automatically generated on the interface.
With stateless address autoconfiguration enabled on an interface, the switch automatically generates an IPv6 global unicast address by using the address prefix information in the received RA message and the interface ID. On an IEEE 802 interface (such as a VLAN interface), the interface ID is generated based on the MAC address of the interface, and is globally unique. As a result, the interface ID portion of the IPv6 global address remains unchanged and exposes the sender: an attacker can use it to correlate the sender's communications, such as its communication peers and times.
To address this exposure, configure the temporary address function, which enables the system to generate and use temporary IPv6 addresses with different interface ID portions on an interface. With this function configured on an IEEE 802 interface, the system can generate two kinds of addresses, the public IPv6 address and the temporary IPv6 address.
• Public IPv6 address: Comprises an address prefix provided by the RA message, and a fixed interface ID generated based on the MAC address of the interface.
• Temporary IPv6 address: Comprises an address prefix provided by the RA message, and a random interface ID generated through MD5.
Before sending a packet, the system preferably uses the temporary IPv6 address of the sending interface
as the source address of the packet to be sent. When this temporary IPv6 address expires, the system
removes it and generates a new one, which enables the system to send packets with different source
addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD
conflict, the public IPv6 address is used.
The preferred lifetime and valid lifetime for temporary IPv6 addresses are specified as follows:
• The preferred lifetime of a temporary IPv6 address takes the smaller of the following values: the preferred lifetime of the address prefix in the RA message, or the preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number ranging from 0 to 600, in seconds).
• The valid lifetime of a temporary IPv6 address takes the smaller of the following values: the valid lifetime of the address prefix, or the valid lifetime configured for temporary IPv6 addresses.
Follow these steps to configure the temporary address function:
1. Enter system view.
   Command: system-view
2. Configure the system to generate and preferably use the temporary IPv6 address of the sending interface as the source address of the packet to be sent.
   Command: ipv6 prefer temporary-address [ valid-lifetime preferred-lifetime ]
   Remarks: Required. By default, the system does not generate or use a temporary IPv6 address.
CAUTION:
• You must also enable stateless address autoconfiguration on an interface if you need temporary IPv6
addresses to be generated on that interface. Temporary IPv6 addresses do not override public IPv6
addresses. Therefore, an interface may have multiple IPv6 addresses with the same address prefix but
different interface ID portions.
• If the public IPv6 address fails to be generated on an interface because of a prefix conflict or other
reasons, no temporary IPv6 address will be generated on the interface.
Configuring an IPv6 link-local address
IPv6 link-local addresses can be configured in either of the following ways:
• Automatic generation: The switch automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.
• Manual assignment: IPv6 link-local addresses can be assigned manually.
NOTE:
• An interface can have only one link-local address. To avoid link-local address conflicts, use the automatic generation method.
• Manual assignment takes precedence over automatic generation. If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one. If you first use manual assignment and then automatic generation, the automatically generated link-local address does not take effect and the link-local address is still the manually assigned one. If you delete the manually assigned address, the automatically generated link-local address takes effect.
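Interface ID generation for the stateless autoconfiguration, temporary address and link-local passages above, as an added example that is not part of the HP guide: `eui64_interface_id`, `temporary_interface_id`, `address_from` and `temporary_lifetimes` are assumed names, the MAC, prefixes and lifetimes are constructed sample values, and the MD5 construction for the temporary ID follows RFC 4941, which this page does not cite.

```python
"""Interface IDs for IPv6 autoconfiguration (added example, not HP code).

Shows why the text calls the fixed interface ID a privacy problem: the EUI-64
ID derived from the MAC is the same 64 bits in the FE80::/10 link-local address
and in every global address built from an RA prefix.  The temporary address
replaces it with an MD5-derived random ID and shortened lifetimes.
"""
import hashlib
import ipaddress
import random


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert FF:FE, invert the U/L bit (RFC 4291)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def temporary_interface_id(history: bytes, eui64_iid: bytes):
    """RFC 4941 construction: MD5(history || EUI-64 ID).

    Leftmost 64 bits become the temporary ID (with the U/L bit cleared so it can
    never look like a real EUI-64 ID); rightmost 64 bits are the next history value.
    """
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 0x02, the universal/local bit
    return bytes(iid), digest[8:]


def address_from(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (RA prefix or fe80::/64) with an 8-byte interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def temporary_lifetimes(ra_valid, ra_preferred, cfg_valid, cfg_preferred, desync_factor):
    """Lifetime rule from the text, all values in seconds.

    valid     = min(RA prefix valid lifetime, configured valid lifetime)
    preferred = min(RA prefix preferred lifetime, configured preferred - DESYNC_FACTOR)
    """
    if not 0 <= desync_factor <= 600:
        raise ValueError("DESYNC_FACTOR must be a random value in 0..600 seconds")
    valid = min(ra_valid, cfg_valid)
    preferred = min(ra_preferred, cfg_preferred - desync_factor)
    return valid, min(preferred, valid)  # sanity: never prefer past the valid lifetime


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                        # constructed sample MAC
    pub_iid = eui64_interface_id(mac)
    print("link-local:", address_from("fe80::/64", pub_iid))
    print("public    :", address_from("2001:db8:1::/64", pub_iid))
    history = random.getrandbits(64).to_bytes(8, "big")  # initial history is random
    for _ in range(2):                                   # each regeneration yields a new ID
        tmp_iid, history = temporary_interface_id(history, pub_iid)
        print("temporary :", address_from("2001:db8:1::/64", tmp_iid))
    # RA says valid 30 days / preferred 7 days; configured 7 days / 1 day; DESYNC 137 s
    print(temporary_lifetimes(2592000, 604800, 604800, 86400, 137))  # (604800, 86263)
```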
Follow these steps to configure automatic generation of an IPv6 link-local address for an interface:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure the interface to automatically generate an IPv6 link-local address.
   Command: ipv6 address auto link-local
   Remarks: Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.
Follow these steps to configure an IPv6 link-local address manually:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure an IPv6 link-local address manually.
   Command: ipv6 address ipv6-address link-local
   Remarks: Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.
NOTE:
• After an IPv6 global unicast address is configured for an interface, a link-local address is generated
automatically. The automatically generated link-local address is the same as the one generated by using
the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface,
this manual link-local address takes effect. If the manually assigned link-local address is removed, the
automatically generated link-local address takes effect.
• The undo ipv6 address auto link-local command can only remove the link-local addresses generated
through the ipv6 address auto link-local command. However, if an IPv6 global unicast address is
already configured for an interface, the interface still has a link-local address because the system
automatically generates one for the interface. If no IPv6 global unicast address is configured, the
interface has no link-local address.
Configure an IPv6 anycast address
Follow these steps to configure an IPv6 anycast address for an interface:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure an IPv6 anycast address.
   Command: ipv6 address ipv6-address/prefix-length anycast
   Remarks: Optional. By default, no IPv6 anycast address is configured on an interface.
Configuring IPv6 ND
Configuring a static neighbor entry
The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through
NS and NA messages or through a manually configured static neighbor entry.
The switch uniquely identifies a static neighbor entry by the neighbor's IPv6 address and the local Layer
3 interface number.
Follow these steps to configure a static neighbor entry:
1. Enter system view.
   Command: system-view
2. Configure a static neighbor entry.
   Command: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }
   Remarks: Required.
CAUTION:
You can use either of the two forms of the ipv6 neighbor command above to configure a static neighbor entry for a VLAN interface.
• After a static neighbor entry is configured by associating a neighbor IPv6 address and link-layer
address with the Layer 3 interface of the local node, the switch must resolve the corresponding Layer 2
port information of the VLAN interface.
• If you use the configuration method of associating a neighbor IPv6 address and a link-layer address
with a port in a VLAN containing the local node, ensure that the corresponding VLAN interface exists
and that the Layer 2 port specified by port-type port-number belongs to the VLAN specified by vlan-id.
After a static neighbor entry is configured, the switch associates the VLAN interface with the IPv6
address to identify the static neighbor entry uniquely.
Configuring the maximum number of neighbors dynamically learned
The switch can dynamically acquire the link-layer address of a neighboring node through NS and NA
messages and add it into the neighbor table. A large table can reduce the forwarding performance of
the switch. You can restrict the size of the neighbor table by setting the maximum number of neighbors
that an interface can dynamically learn. When the number of dynamically learned neighbors reaches
the threshold, the interface will stop learning neighbor information.
Follow these steps to configure the maximum number of neighbors dynamically learned:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure the maximum number of neighbors dynamically learned by an interface.
   Command: ipv6 neighbors max-learning-num number
   Remarks: Optional. 1024 by default.
Configuring parameters related to RA messages
You can enable an interface to send RA messages, and configure the interval for sending RA messages
and parameters in RA messages. After receiving an RA message, a host can use these parameters to
perform corresponding operations. Table 7 lists the configurable parameters in an RA message and their
descriptions.
Table 7 Parameters in an RA message and their descriptions
• Cur Hop Limit: When sending an IPv6 packet, a host uses the value to fill the Hop Limit field in IPv6 headers. The value is also filled into the Hop Limit field in the response packet of a switch.
• Prefix Information options: After receiving the prefix information advertised by the switch, the hosts on the same link can perform stateless autoconfiguration.
• MTU: Ensures that all nodes on a link use the same MTU value.
• M flag: Determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use the stateful autoconfiguration (for example, through a DHCP server) to acquire IPv6 addresses. Otherwise, hosts use the stateless autoconfiguration to acquire IPv6 addresses and generate IPv6 addresses according to their own link-layer addresses and the prefix information advertised by the router.
• O flag: Determines whether hosts use stateful autoconfiguration to acquire other configuration information. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, through a DHCP server) to acquire other configuration information. Otherwise, hosts use stateless autoconfiguration to acquire other configuration information.
• Router Lifetime: Tells the receiving hosts how long this router can serve as a default router. According to the router lifetime in the received RA messages, hosts determine whether the router sending RA messages can serve as the default router.
• Retrans Timer: If the switch fails to receive a response message within the specified time after sending an NS message, the switch will retransmit the NS message.
• Reachable Time: If the neighbor reachability detection shows that a neighbor is reachable, the switch considers the neighbor reachable within the specified reachable time. If the switch must send a packet to a neighbor after the specified reachable time expires, the switch will reconfirm whether the neighbor is reachable.
Follow these steps to allow sending of RA messages:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Disable RA message suppression.
   Command: undo ipv6 nd ra halt
   Remarks: Required. By default, RA messages are suppressed.
4. Configure the maximum and minimum intervals for sending RA messages.
   Command: ipv6 nd ra interval max-interval-value min-interval-value
   Remarks: Optional. By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds. The switch sends RA messages at random intervals between the maximum interval and the minimum interval. The minimum interval should be less than or equal to 0.75 times the maximum interval.
Follow these steps to configure parameters related to RA messages:
1. Enter system view.
   Command: system-view
2. Configure the hop limit.
   Command: ipv6 nd hop-limit value
   Remarks: Optional. 64 by default.
3. Enter interface view.
   Command: interface interface-type interface-number
4. Configure the prefix information in RA messages.
   Command: ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *
   Remarks: Optional. By default, no prefix information is configured for RA messages, and the IPv6 address of the interface sending RA messages is used as the prefix information with valid lifetime 2592000 seconds (that is, 30 days) and preferred lifetime 604800 seconds (that is, 7 days).
5. Turn off the MTU option in RA messages.
   Command: ipv6 nd ra no-advlinkmtu
   Remarks: Optional. By default, RA messages contain the MTU option.
6. Set the M flag bit to 1.
   Command: ipv6 nd autoconfig managed-address-flag
   Remarks: Optional. By default, the M flag bit is set to 0, and hosts acquire IPv6 addresses through stateless autoconfiguration.
7. Set the O flag bit to 1.
   Command: ipv6 nd autoconfig other-flag
   Remarks: Optional. By default, the O flag bit is set to 0, and hosts acquire other configuration information through stateless autoconfiguration.
8. Configure the router lifetime in RA messages.
   Command: ipv6 nd ra router-lifetime value
   Remarks: Optional. 1800 seconds by default.
9. Set the NS retransmission timer.
   Command: ipv6 nd ns retrans-timer value
   Remarks: Optional. By default, the local interface sends NS messages at 1000 millisecond intervals, and the value of the Retrans Timer field in RA messages sent by the local interface is 0. The interval for retransmitting an NS message is determined by the receiving switch.
10. Set the reachable time.
   Command: ipv6 nd nud reachable-time value
   Remarks: Optional. By default, the neighbor reachable time on the local interface is 30000 milliseconds, and the value of the Reachable Time field in the RA messages sent by the local interface is 0. The neighbor reachable time is determined by the receiving switch.
NOTE:
• The maximum interval for sending RA messages should be less than (or equal to) the router lifetime in RA messages, so that hosts receive a fresh RA message from the router before their default router entry for it expires.
• The values of the NS retransmission timer and the reachable time configured for an interface are sent to
hosts via RA messages. Furthermore, this interface sends NS messages at the interval of the NS
retransmission timer and considers a neighbor reachable within the reachable time.
Configuring the maximum number of attempts to send an NS message for DAD
An interface sends an NS message for DAD after acquiring an IPv6 address. If the interface does not
receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it
continues to send an NS message. If the interface still does not receive a response after the number of
sent attempts reaches the threshold (specified with the ipv6 nd dad attempts command), the acquired
address is considered usable.
Follow these steps to configure the attempts to send an NS message for DAD:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure the number of attempts to send an NS message for DAD.
   Command: ipv6 nd dad attempts value
   Remarks: Optional. 1 by default. When the value argument is set to 0, DAD is disabled.
Setting the age timer for ND entries
ND entries have an age timer. If an ND entry is not refreshed within a certain time after it ages out, the switch sends an NS message to probe the neighbor. If no response is received, it removes the ND entry. You can set the age timer as needed.
Follow these steps to set the age timer for ND entries:
1. Enter system view.
   Command: system-view
2. Set the age timer for ND entries.
   Command: ipv6 neighbor stale-aging aging-time
   Remarks: Optional. Four hours by default.
Configuring ND snooping
Introduction
The ND snooping feature is used in Layer 2 switching networks. It creates ND snooping entries using
DAD NS messages.
After you enable ND snooping on a VLAN of a device, ND packets received by the interfaces of the
VLAN are redirected to the CPU. When ND snooping is enabled globally, the CPU uses the ND packets
to create or update ND snooping entries comprising source IPv6 address, source MAC address,
receiving VLAN, and receiving port information.
The following items describe how an ND snooping entry is created, updated, and aged out.
1. Creating an ND snooping entry
The device only uses received DAD NS messages to create ND snooping entries.
2. Updating an ND snooping entry
Upon receiving an ND packet, the device searches the ND snooping table for an entry containing the source IPv6 address of the packet. If the entry was refreshed within one second, the device does not update the entry. If the entry has not been refreshed for more than one second, the device matches the MAC address of the ND packet and the receiving port against those in the entry.
• If both of them match those in the entry, the device updates the aging time of the ND snooping entry.
• If they do not match the entry and the received packet is a DAD NS message, the message is ignored.
• If they do not match the entry and the received packet is not a DAD NS message, the device performs active acknowledgement.
The active acknowledgement is performed in the following steps.
• The switch checks the validity of the existing ND snooping entry. The switch sends out a DAD NS message, including the IPv6 address of the ND snooping entry. If a corresponding NA message (whose source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of the existing entry) is received, the switch updates the aging time of the existing entry. If no corresponding NA message is received within one second after the DAD NS message is sent, the device begins checking the validity of the received ND packet.
• To check the validity of the received ND packet (packet A for example), the switch sends out a DAD NS message, including the source IPv6 address of packet A. If a corresponding NA message (whose source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of packet A) is received, the switch updates the aging time of the entry. If no corresponding NA message is received within one second after the DAD NS message is sent, the switch does not update the entry.
3. Aging out an ND snooping entry
An ND snooping entry is aged out after 25 minutes. If an ND snooping entry is not updated within 15 minutes, the switch performs active acknowledgement.
The switch sends out a DAD NS message including the IPv6 address of the ND snooping entry.
• If a corresponding NA message is received (the source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of the existing entry), the switch updates the aging time of the existing entry.
• If no corresponding NA message is received within one second after the DAD NS message is sent out, the device removes the entry when the timer expires.
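The create, update, active-acknowledgement and age-out rules above as a simulation, added here and not part of the HP guide or its software: `NdSnoopingTable`, `NdPacket` and `SnoopEntry` are assumed names, the packets are constructed, and the DAD NS probe the switch sends is modelled as a caller-supplied callback that answers whether a matching NA came back within one second. One assumption beyond the text: when the existing binding fails its probe and the new packet's binding passes, the entry is rewritten with the new MAC and port.

```python
"""ND snooping entry lifecycle (added example, not HP code).

`probe(ip, mac, port, vlan) -> bool` stands in for the DAD NS sent during
active acknowledgement and returns True if a consistent NA was received
within one second.  Times are seconds.
"""
from dataclasses import dataclass

REFRESH_GUARD_S = 1        # entry refreshed less than 1 s ago: leave it alone
ACK_AFTER_S = 15 * 60      # no update for 15 min: active acknowledgement
AGE_OUT_S = 25 * 60        # entry lifetime


@dataclass
class NdPacket:
    src_ip: str
    src_mac: str
    vlan: int
    port: str
    is_dad_ns: bool        # DAD NS: the only packet type that creates entries


@dataclass
class SnoopEntry:
    ip: str
    mac: str
    vlan: int
    port: str
    refreshed_at: float

    def matches(self, pkt: NdPacket) -> bool:
        # The update rule compares the packet's MAC and receiving port only.
        return self.mac == pkt.src_mac and self.port == pkt.port


class NdSnoopingTable:
    def __init__(self, probe):
        self.entries = {}      # source IPv6 address -> SnoopEntry
        self.probe = probe

    def receive(self, pkt: NdPacket, now: float) -> str:
        """Apply the create/update rules to one ND packet; return what happened."""
        entry = self.entries.get(pkt.src_ip)
        if entry is None:
            if not pkt.is_dad_ns:
                return "ignored: no entry and not a DAD NS"
            self.entries[pkt.src_ip] = SnoopEntry(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.port, now)
            return "created"
        if now - entry.refreshed_at < REFRESH_GUARD_S:
            return "ignored: refreshed within 1 s"
        if entry.matches(pkt):
            entry.refreshed_at = now
            return "refreshed"
        if pkt.is_dad_ns:
            # A conflicting DAD NS cannot take over an existing binding.
            return "ignored: conflicting DAD NS"
        # Active acknowledgement, step 1: re-validate the existing binding.
        if self.probe(entry.ip, entry.mac, entry.port, entry.vlan):
            entry.refreshed_at = now
            return "refreshed: existing binding confirmed"
        # Step 2: validate the new packet's binding (assumption: rewrite on success).
        if self.probe(pkt.src_ip, pkt.src_mac, pkt.port, pkt.vlan):
            self.entries[pkt.src_ip] = SnoopEntry(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.port, now)
            return "replaced: new binding confirmed"
        return "ignored: neither binding answered"

    def age(self, now: float) -> list:
        """Run the 15-minute active-ack and 25-minute age-out; return removed IPs."""
        removed = []
        for ip, entry in list(self.entries.items()):
            idle = now - entry.refreshed_at
            if idle >= AGE_OUT_S:
                removed.append(ip)
                del self.entries[ip]
            elif idle >= ACK_AFTER_S and self.probe(entry.ip, entry.mac, entry.port, entry.vlan):
                entry.refreshed_at = now   # NA answered: aging time updated
            # otherwise the entry simply waits for the 25-minute timer to expire
        return removed
```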
Configuration procedure
Follow these steps to configure ND snooping:
1. Enter system view.
   Command: system-view
2. Enable ND snooping based on global unicast addresses (the device uses DAD NS messages containing global unicast addresses to create ND snooping entries).
   Command: ipv6 nd snooping enable global
   Remarks: Use either this approach or the next. By default, ND snooping is disabled.
3. Enable ND snooping based on link-local addresses (the device uses DAD NS messages containing link-local addresses to create ND snooping entries).
   Command: ipv6 nd snooping enable link-local
   Remarks: Use either this approach or the previous. By default, ND snooping is disabled.
4. Enter VLAN view.
   Command: vlan vlan-id
5. Enable ND snooping.
   Command: ipv6 nd snooping enable
   Remarks: Required. Disabled by default.
6. Return to system view.
   Command: quit
7. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
   Command: interface interface-type interface-number
8. Configure the maximum number of ND snooping entries the interface can learn.
   Command: ipv6 nd snooping max-learning-num number
   Remarks: Optional. By default, the number of ND snooping entries an interface can learn is unlimited.
9. Configure the interface as an uplink interface and disable it from learning ND snooping entries.
   Command: ipv6 nd snooping uplink
   Remarks: Optional. By default, when ND snooping is enabled on the device, an interface is allowed to learn ND snooping entries.
Configuring PMTU discovery
Configuring a static PMTU for a specified IPv6 address
You can configure a static PMTU for a specified destination IPv6 address. When a source host sends a
packet through an interface, it compares the interface MTU with the static PMTU of the specified
destination IPv6 address, and compares the smaller of the two values to the packet size. If the packet size
is larger, the host fragments the packet according to the smaller value.
Follow these steps to configure a static PMTU for a specified IPv6 address:
1. Enter system view.
   Command: system-view
2. Configure a static PMTU for a specified IPv6 address.
   Command: ipv6 pathmtu ipv6-address [ value ]
   Remarks: Required. By default, no static PMTU is configured.
Configuring the aging time for dynamic PMTUs
After the path MTU from a source host to a destination host is dynamically determined (see “IPv6 PMTU
discovery”), the source host sends subsequent packets to the destination host based on this MTU. After
the aging time expires, the dynamic PMTU is removed and the source host re-determines a dynamic path
MTU through the PMTU mechanism.
The aging time is invalid for a static PMTU.
Follow these steps to configure the aging time for dynamic PMTUs:
1. Enter system view.
   Command: system-view
2. Configure the aging time for dynamic PMTUs.
   Command: ipv6 pathmtu age age-time
   Remarks: Optional. 10 minutes by default.
Configuring IPv6 TCP properties
You can configure the following IPv6 TCP properties.
• synwait timer: When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
• finwait timer: When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated. If a FIN packet is received, the IPv6 TCP connection status becomes TIME_WAIT. If non-FIN packets are received, the finwait timer is reset upon receipt of the last non-FIN packet and the connection is terminated after the finwait timer expires.
• Size of the IPv6 TCP sending/receiving buffer.
Follow these steps to configure IPv6 TCP properties:
1. Enter system view.
   Command: system-view
2. Set the synwait timer.
   Command: tcp ipv6 timer syn-timeout wait-time
   Remarks: Optional. 75 seconds by default.
3. Set the finwait timer.
   Command: tcp ipv6 timer fin-timeout wait-time
   Remarks: Optional. 675 seconds by default.
4. Set the size of the IPv6 TCP sending/receiving buffer.
   Command: tcp ipv6 window size
   Remarks: Optional. 8 KB by default.
Configuring ICMPv6 packet sending
Configuring the maximum ICMPv6 error packets sent in an interval
To avoid network congestion, you can control the maximum number of ICMPv6 error packets sent within
a specified time by adopting the token bucket algorithm.
You can set the capacity of a token bucket to determine the number of tokens in the bucket. In addition,
you can set the update interval of the token bucket, that is, the interval for restoring the configured
capacity. One token allows one ICMPv6 error packet to be sent. Each time an ICMPv6 error packet is
sent, the number of tokens in a token bucket decreases by one. If the number of ICMPv6 error packets
successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot
be sent out until the capacity of the token bucket is restored.
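The token bucket described above, as an added example that is not HP code: `Icmpv6ErrorLimiter` and `simulate` are assumed names, the packet timestamps are constructed, and the refill model (the full capacity restored once per update interval, interval 0 meaning unrestricted) is the one the text describes.

```python
"""ICMPv6 error rate limiting with a token bucket (added example, not HP code).

A bucket holds `bucket_size` tokens and is restored to capacity every
`ratelimit_ms` milliseconds.  Each ICMPv6 error packet costs one token; when
the bucket is empty further errors are dropped until the next refill.  An
update interval of 0 disables the limit, as the command's remarks state.
"""


class Icmpv6ErrorLimiter:
    def __init__(self, bucket_size: int = 10, ratelimit_ms: int = 100):
        if bucket_size < 1:
            raise ValueError("bucket size must be at least 1")
        if ratelimit_ms < 0:
            raise ValueError("update interval cannot be negative")
        self.bucket_size = bucket_size
        self.ratelimit_ms = ratelimit_ms
        self.tokens = bucket_size
        self.last_refill_ms = 0
        self.sent = 0
        self.dropped = 0

    def _refill(self, now_ms: int) -> None:
        # Capacity is restored as a whole once per interval (not trickled in),
        # aligned to interval boundaries counted from time 0.
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.ratelimit_ms:
            self.tokens = self.bucket_size
            self.last_refill_ms = now_ms - elapsed % self.ratelimit_ms

    def allow(self, now_ms: int) -> bool:
        """True if an ICMPv6 error may be sent at `now_ms` (one token consumed)."""
        if self.ratelimit_ms == 0:          # interval "0": unrestricted
            self.sent += 1
            return True
        self._refill(now_ms)
        if self.tokens == 0:
            self.dropped += 1
            return False
        self.tokens -= 1
        self.sent += 1
        return True


def simulate(limiter: Icmpv6ErrorLimiter, send_times_ms):
    """Offer a sequence of candidate error packets; return [(time, sent?)]."""
    return [(t, limiter.allow(t)) for t in send_times_ms]


if __name__ == "__main__":
    # Constructed burst: 15 errors triggered at once, then one more 100 ms later.
    limiter = Icmpv6ErrorLimiter()      # defaults from the guide: 10 tokens / 100 ms
    for t, ok in simulate(limiter, [0] * 15 + [100]):
        print(f"t={t:>4} ms  {'sent' if ok else 'dropped'}")
    print(f"sent={limiter.sent} dropped={limiter.dropped}")  # sent=11 dropped=5
```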
Follow these steps to configure the capacity and update interval of the token bucket:
1. Enter system view.
   Command: system-view
2. Configure the capacity and update interval of the token bucket.
   Command: ipv6 icmp-error { bucket bucket-size | ratelimit interval } *
   Remarks: Optional. By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. At most 10 ICMPv6 error packets can be sent within 100 milliseconds. The update interval "0" indicates that the number of ICMPv6 error packets sent is not restricted.
Enabling replying to multicast echo requests
If hosts are configured to answer multicast echo requests, an attacker can use this mechanism to attack a host. For example, if Host A (an attacker) sends an echo request with the source address set to Host B to a multicast address, all the hosts in the multicast group send echo replies to Host B. To prevent such an attack, the switch does not reply to multicast echo requests by default. In some application scenarios, however, you must enable the switch to reply to multicast echo requests.
Follow these steps to enable replying to multicast echo requests:
1. Enter system view.
   Command: system-view
2. Enable replying to multicast echo requests.
   Command: ipv6 icmpv6 multicast-echo-reply enable
   Remarks: Required. Not enabled by default.
Enabling sending of ICMPv6 time exceeded messages
A switch sends out an ICMPv6 Time Exceeded message in the following situations.
• If a received IPv6 packet's destination IP address is not a local address and its hop limit is 1, the switch sends an ICMPv6 Hop Limit Exceeded message to the source.
• Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the switch starts a timer. If the timer expires before all the fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source.
If large quantities of malicious packets are received, the performance of the switch degrades greatly because it must send back ICMPv6 Time Exceeded messages. You can disable sending of ICMPv6 Time Exceeded messages.
Follow these steps to enable sending of ICMPv6 time exceeded messages:
1. Enter system view.
   Command: system-view
2. Enable sending of ICMPv6 Time Exceeded messages.
   Command: ipv6 hoplimit-expires enable
   Remarks: Optional. Enabled by default.
Enabling sending of ICMPv6 destination unreachable messages
If the switch fails to forward a received IPv6 packet for one of the following reasons, it drops the packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.
• If no route is available for forwarding the packet, the switch sends a "no route to destination" ICMPv6 error message to the source.
• If the switch fails to forward the packet because of an administrative prohibition (such as a firewall filter or an ACL), the switch sends the source a "destination network administratively prohibited" ICMPv6 error message.
• If the switch fails to deliver the packet because the destination is beyond the scope of the source IPv6 address (for example, the source IPv6 address of the packet is a link-local address whereas the destination IPv6 address of the packet is a global unicast address), the switch sends the source a "beyond scope of source address" ICMPv6 error message.
• If the switch fails to resolve the corresponding link layer address of the destination IPv6 address, the switch sends the source an "address unreachable" ICMPv6 error message.
• If the packet is destined for a local address, its transport layer protocol is UDP, and its destination port number does not match any running process, the switch sends the source a "port unreachable" ICMPv6 error message.
If an attacker sends abnormal traffic that causes the switch to generate ICMPv6 destination unreachable messages, end users may be affected. To prevent such attacks, you can disable the switch from sending ICMPv6 destination unreachable messages.
Follow these steps to enable sending of ICMPv6 destination unreachable messages:
1. Enter system view: system-view
2. Enable sending of ICMPv6 destination unreachable messages: ipv6 unreachables enable (Required. Disabled by default.)
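The three ICMPv6 sending controls described above (multicast echo replies, Time Exceeded, and the five Destination Unreachable cases) as one decision function, added here as an example and not code from this guide or the switch. Packets are plain dicts; the forwarding state (FIB prefixes, an ACL deny list, an ND cache, listening UDP ports) is constructed inline with documentation-range addresses, and the policy flags carry the guide's defaults (Time Exceeded on, Destination Unreachable off, multicast echo reply off). The order in which the checks are applied is an assumption.

```python
"""ICMPv6 error-generation policy modelled on the guide (added example)."""

import ipaddress
from dataclasses import dataclass

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network


@dataclass
class Icmpv6Policy:
    hoplimit_expires: bool = True        # ipv6 hoplimit-expires enable (default on)
    unreachables: bool = False           # ipv6 unreachables enable (default off)
    multicast_echo_reply: bool = False   # ipv6 icmpv6 multicast-echo-reply enable (default off)


@dataclass
class Node:
    local_addrs: set     # addresses owned by this node
    fib: list            # (prefix, next_hop); next_hop None when directly connected
    acl_deny: list       # prefixes an ACL prohibits forwarding to
    nd_cache: dict       # resolved neighbour address -> link-layer address
    udp_ports: set       # UDP ports with a listening process


def is_global_unicast(addr: IPv6) -> bool:
    # Anything not multicast, link-local, loopback, unspecified or site-local
    # counts as global unicast for the scope check.
    return not (addr.is_multicast or addr.is_link_local or addr.is_loopback
                or addr.is_unspecified or addr.is_site_local)


def lookup(node: Node, dst: IPv6):
    """Longest-prefix match over the constructed FIB; None when no route."""
    matches = [(p, nh) for p, nh in node.fib if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def pkt(src: str, dst: str, hop_limit: int = 64, **extra) -> dict:
    """Minimal packet description for the policy check (constructed input)."""
    return {"src": src, "dst": dst, "hop_limit": hop_limit, **extra}


def icmpv6_response(node: Node, policy: Icmpv6Policy, packet: dict):
    """Return the ICMPv6 message the node sends back to packet['src'], or None."""
    src, dst = IPv6(packet["src"]), IPv6(packet["dst"])

    # Echo request to a multicast group: answered only when explicitly enabled.
    if dst.is_multicast and packet.get("icmp") == "echo-request":
        return "echo-reply" if policy.multicast_echo_reply else None

    if str(dst) in node.local_addrs:
        # Local delivery: UDP to a port nobody listens on is "port unreachable".
        if packet.get("proto") == "udp" and packet.get("dport") not in node.udp_ports:
            return "port-unreachable" if policy.unreachables else None
        return None

    # Transit packet with hop limit 1 cannot be forwarded.
    if packet["hop_limit"] <= 1:
        return "hop-limit-exceeded" if policy.hoplimit_expires else None

    reason = None
    route = lookup(node, dst)
    if route is None:
        reason = "no-route"
    elif any(dst in p for p in node.acl_deny):
        reason = "admin-prohibited"
    elif src.is_link_local and is_global_unicast(dst):
        reason = "beyond-scope"
    else:
        # Resolve the destination itself on a connected prefix, otherwise the
        # next hop; an address the ND cache cannot resolve is "address unreachable".
        target = dst if route[1] is None else IPv6(route[1])
        if str(target) not in node.nd_cache:
            reason = "address-unreachable"

    if reason is None:
        return None                        # packet is forwarded normally
    return reason if policy.unreachables else None


def sample_node() -> Node:
    """Constructed forwarding state used by the checks below."""
    return Node(
        local_addrs={"2001:db8:1::1"},
        fib=[(Net6("2001:db8:1::/64"), None),                # directly connected
             (Net6("2001:db8:2::/64"), "2001:db8:1::254"),   # via a resolved next hop
             (Net6("2001:db8:3::/64"), "2001:db8:1::253")],  # prohibited by the ACL
        acl_deny=[Net6("2001:db8:3::/64")],
        nd_cache={"2001:db8:1::254": "00:00:5e:00:53:01",
                  "2001:db8:1::10": "00:00:5e:00:53:02"},
        udp_ports={53},
    )


if __name__ == "__main__":
    node = sample_node()
    probe = pkt("2001:db8:1::10", "2001:db8:9::1")
    print(icmpv6_response(node, Icmpv6Policy(), probe))                     # None
    print(icmpv6_response(node, Icmpv6Policy(unreachables=True), probe))    # no-route
```

With the defaults, the only error a transit packet can provoke is Hop Limit Exceeded; the Destination Unreachable family stays silent until ipv6 unreachables enable is configured, which is why the guide treats that command as the knob to leave off when abnormal traffic is a concern.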
Displaying and maintaining IPv6 basics configuration
• Display the IPv6 information of the interface: display ipv6 interface [ interface-type [ interface-number ] ] [ verbose ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display IPv6 FIB entries: display ipv6 fib [ acl6 acl6-number | ipv6-prefix ipv6-prefix-name ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display IPv6 FIB entries of specified destination IPv6 addresses: display ipv6 fib ipv6-address [ prefix-length ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display neighbor information: display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the total number of neighbor entries satisfying the specified conditions: display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the IPv6 PMTU information: display ipv6 pathmtu { ipv6-address | all | dynamic | static } [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display socket information: display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the statistics of IPv6 packets and ICMPv6 packets: display ipv6 statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the IPv6 TCP connection statistics: display tcp ipv6 statistics [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the IPv6 TCP connection status information: display tcp ipv6 status [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the IPv6 UDP connection statistics: display udp ipv6 statistics [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display ND snooping entries: display ipv6 nd snooping [ ipv6-address | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Clear IPv6 neighbor information: reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | slot slot-number | static } (Available in user view)
• Clear the PMTU values: reset ipv6 pathmtu { all | static | dynamic } (Available in user view)
• Clear the statistics of IPv6 and ICMPv6 packets: reset ipv6 statistics [ slot slot-number ] (Available in user view)
• Clear all IPv6 TCP connection statistics: reset tcp ipv6 statistics (Available in user view)
• Clear the statistics of all IPv6 UDP packets: reset udp ipv6 statistics (Available in user view)
• Clear ND snooping entries: reset ipv6 nd snooping [ ipv6-address | vlan vlan-id ] (Available in user view)
77
DHCPv6 overview
Introduction to DHCPv6
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) was designed based on the IPv6 addressing scheme and is used for assigning IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
Compared with other IPv6 address allocation methods (such as manual configuration and stateless address autoconfiguration), DHCPv6 can do the following:
• Record addresses assigned to hosts and assign specific addresses to hosts, thus facilitating network management.
• Assign prefixes to devices, facilitating automatic configuration and management of the entire network.
• Assign other configuration parameters, such as the DNS server addresses and domain names, to hosts.
DHCPv6 address/prefix assignment
A DHCPv6 address/prefix assignment involves two or four messages. The following sections describe the two processes in detail.
Rapid assignment involving two messages
Figure 37 Rapid assignment involving two messages
As shown in Figure 37, the rapid assignment involving two messages operates in the following steps.
1. The DHCPv6 client sends out a Solicit message that contains a Rapid Commit option, requesting that rapid assignment of address/prefix and other configuration parameters should be preferred.
2. If the DHCPv6 server supports rapid assignment, it responds with a Reply message containing the assigned IPv6 address/prefix and other configuration parameters. If the DHCPv6 server does not support rapid assignment, assignment involving four messages is implemented.
Assignment involving four messages
Figure 38 shows the process of IPv6 address/prefix assignment involving four messages.
Figure 38 Assignment involving four messages
The assignment involving four messages operates in the following steps.
1. The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.
2. If the Solicit message does not contain a Rapid Commit option, or if the DHCPv6 server does not support rapid assignment even though the Solicit message contains a Rapid Commit option, the DHCPv6 server responds with an Advertise message, informing the DHCPv6 client of the assignable address/prefix and other configuration parameters.
3. The DHCPv6 client may receive multiple Advertise messages offered by different DHCPv6 servers. It then selects an offer according to the receiving sequence and server priority, and sends a Request message to the selected server for the confirmation of assignment.
4. The DHCPv6 server sends a Reply message to the client, confirming that the address/prefix and other configuration parameters are assigned to the client.
Address/prefix lease renewal
The IPv6 address/prefix assigned by the DHCPv6 server has a lease time, which depends on the valid lifetime. When the valid lifetime of the IPv6 address/prefix expires, the DHCPv6 client cannot use the IPv6 address/prefix any longer. To continue using the IPv6 address/prefix, the DHCPv6 client has to renew the lease time.
Figure 39 Using the Renew message for address/prefix lease renewal
As shown in Figure 39, at T1, the DHCPv6 client unicasts a Renew message to the DHCPv6 server that assigned the IPv6 address/prefix to the DHCPv6 client. The recommended value of T1 is half the preferred lifetime. Then the DHCPv6 server responds with a Reply message, informing the client about whether or not the lease is renewed.
Figure 40 Using the Rebind message for address/prefix lease renewal
As shown in Figure 40, if the DHCPv6 client receives no response from the DHCPv6 server after sending out a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2 (that is, when 80% of the preferred lifetime has elapsed). Then the DHCPv6 server responds with a Reply message, informing the client about whether or not the lease is renewed.
If the DHCPv6 client receives no response from the DHCPv6 servers, the client stops using the address/prefix when the valid lifetime expires.
NOTE:
For more information about the valid lifetime and the preferred lifetime, see the chapter “IPv6 basics configuration.”
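The lease timeline described above (Renew at T1, Rebind at T2, stop at the valid lifetime), as an added example that is not code from this guide. It walks a lease second by second with T1 and T2 set to the guide's recommended 50% and 80% of the preferred lifetime; the lifetimes, the address and the two flags that model whether a server answers the Renew and the Rebind are constructed inputs, and treating a Reply as a fresh assignment starting at that moment is an assumption.

```python
"""DHCPv6 lease timers T1, T2 and valid lifetime (added example, not HP code)."""

from dataclasses import dataclass


@dataclass
class Lease:
    address: str
    preferred_lifetime: int     # seconds
    valid_lifetime: int         # seconds
    assigned_at: int = 0        # time the Reply carrying the lease was received

    @property
    def t1(self) -> int:
        return self.assigned_at + self.preferred_lifetime // 2        # 50%

    @property
    def t2(self) -> int:
        return self.assigned_at + self.preferred_lifetime * 8 // 10   # 80%

    @property
    def expires(self) -> int:
        return self.assigned_at + self.valid_lifetime


def run_client(lease: Lease, renew_answered: bool, rebind_answered: bool,
               horizon: int) -> list:
    """Return [(time, event)] for the client's lease maintenance up to horizon.

    renew_answered: the assigning server replies to the unicast Renew.
    rebind_answered: some server replies to the multicast Rebind.
    A reply is modelled as a fresh assignment of the same lifetimes (assumption)."""
    events = []
    renew_sent = rebind_sent = False
    for now in range(lease.assigned_at, horizon + 1):
        if now >= lease.expires:
            events.append((now, "stop-using-address"))   # valid lifetime is over
            break
        if now >= lease.t2 and renew_sent and not rebind_sent:
            events.append((now, "rebind"))                 # multicast to all servers
            rebind_sent = True
            if rebind_answered:
                events.append((now, "reply"))
                lease = Lease(lease.address, lease.preferred_lifetime,
                              lease.valid_lifetime, assigned_at=now)
                renew_sent = rebind_sent = False
        elif now >= lease.t1 and not renew_sent:
            events.append((now, "renew"))                  # unicast to the assigning server
            renew_sent = True
            if renew_answered:
                events.append((now, "reply"))
                lease = Lease(lease.address, lease.preferred_lifetime,
                              lease.valid_lifetime, assigned_at=now)
                renew_sent = False
    return events


if __name__ == "__main__":
    # Constructed sample: preferred lifetime 100 s, valid lifetime 200 s.
    sample = Lease("2001:db8::10", preferred_lifetime=100, valid_lifetime=200)
    print(run_client(sample, renew_answered=False, rebind_answered=False, horizon=300))
```

The run with both answers suppressed is the failure mode the guide ends on: after the unanswered Renew and Rebind the client keeps the address until the valid lifetime runs out and then stops using it.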
Stateless DHCPv6 configuration
Introduction
After obtaining an IPv6 address/prefix, a switch can use stateless DHCPv6 to obtain other configuration parameters from a DHCPv6 server. This application is called stateless DHCPv6 configuration.
With an IPv6 address obtained through stateless address autoconfiguration, a switch automatically enables the stateless DHCPv6 function after it receives an RA message with the managed address configuration flag (M flag) set to 0 and with the other stateful configuration flag (O flag) set to 1.
NOTE:
Stateless address autoconfiguration means that a node automatically generates an IPv6 address based on the information obtained through router/prefix discovery. For more information, see the chapter “IPv6 basics configuration.”
Operation
Figure 41 Operation of stateless DHCPv6
[Figure 41: the DHCPv6 client sends an Information-request (includes an Option Request option) to the DHCPv6 server; the server answers with a Reply (includes the requested options).]
As shown in Figure 41, stateless DHCPv6 operates in the following steps.
1. The DHCPv6 client multicasts an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents. The Information-request message contains an Option Request option, specifying the configuration parameters that the client requests from the DHCPv6 server.
2. After receiving the Information-request message, the DHCPv6 server returns to the client a Reply message containing the requested configuration parameters.
3. The client checks the Reply message. If the obtained configuration parameters match those requested in the Information-request message, the client performs network configuration with the parameters. If not, the client ignores the configuration parameters. If multiple replies are received, the first received reply will be used.
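The three exchanges described in this chapter (the two-message rapid assignment, the four-message Solicit/Advertise/Request/Reply assignment, and the stateless Information-request/Reply exchange just described), as one added simulation that is not code from this guide or from any DHCPv6 implementation. Messages are plain dicts and the "network" is a list of Server objects that every multicast message reaches in list order, which stands in for the receiving sequence; server names, addresses and option values are constructed, and the option names dns-servers and domain-list are labels chosen here rather than DHCPv6 option codes.

```python
"""Simulated DHCPv6 exchanges (added example, not HP or RFC code)."""

from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    pool: list                      # addresses/prefixes still free to assign
    preference: int = 0             # server priority as seen by the client
    rapid_commit: bool = False      # honours the Rapid Commit option?
    options: dict = field(default_factory=dict)   # e.g. dns-servers, domain-list

    def handle(self, msg: dict):
        """Return this server's response to one client message, or None."""
        kind = msg["type"]
        if kind == "Solicit":
            if msg.get("rapid_commit") and self.rapid_commit and self.pool:
                return self._reply(msg)                # two-message exchange
            if not self.pool:
                return None
            return {"type": "Advertise", "server": self.name,
                    "preference": self.preference, "offer": self.pool[0],
                    **self._requested(msg)}
        if kind == "Request" and msg["server"] == self.name:
            return self._reply(msg)
        if kind == "Information-request":              # stateless: no address involved
            return {"type": "Reply", "server": self.name, **self._requested(msg)}
        return None                                    # not addressed to this server

    def _reply(self, msg: dict) -> dict:
        addr = self.pool.pop(0)   # the assignment is recorded: the address leaves the pool
        return {"type": "Reply", "server": self.name, "assigned": addr,
                **self._requested(msg)}

    def _requested(self, msg: dict) -> dict:
        # Only options named in the client's Option Request option are returned.
        return {o: self.options[o] for o in msg.get("oro", ()) if o in self.options}


def assign(servers: list, oro: list, rapid_commit: bool):
    """Run an address/prefix assignment. Returns (messages, final Reply or None)."""
    solicit = {"type": "Solicit", "rapid_commit": rapid_commit, "oro": oro}
    msgs = [solicit]
    responses = [r for r in (s.handle(solicit) for s in servers) if r]
    msgs += responses
    for r in responses:
        if r["type"] == "Reply":                       # rapid assignment succeeded
            return msgs, r
    adverts = [r for r in responses if r["type"] == "Advertise"]
    if not adverts:
        return msgs, None
    # Highest preference wins; max() keeps the first received on a tie.
    best = max(adverts, key=lambda r: r["preference"])
    request = {"type": "Request", "server": best["server"], "oro": oro}
    msgs.append(request)
    reply = next((r for r in (s.handle(request) for s in servers) if r), None)
    if reply:
        msgs.append(reply)
    return msgs, reply


def information_request(servers: list, oro: list):
    """Stateless DHCPv6: the first Reply received is used, and only if it carries
    every parameter that was requested; otherwise the parameters are ignored."""
    req = {"type": "Information-request", "oro": oro}
    first = next((r for r in (s.handle(req) for s in servers) if r), None)
    if first and all(o in first for o in oro):
        return {o: first[o] for o in oro}
    return None


if __name__ == "__main__":
    srv = Server("S1", ["2001:db8::10"], rapid_commit=True,
                 options={"dns-servers": ["2001:db8::53"]})
    msgs, reply = assign([srv], ["dns-servers"], rapid_commit=True)
    print([m["type"] for m in msgs], reply)
```

Running assign() against a server with rapid_commit=False shows the fallback the guide describes: the same Solicit (Rapid Commit option included) now yields Advertise, Request and Reply instead of a direct Reply.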
Protocols and standards
• RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
• RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
• RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6
DHCPv6 client configuration
Introduction to the DHCPv6 client
Serving as a DHCPv6 client, the switch supports only stateless DHCPv6 configuration: it can obtain other network configuration parameters from the DHCPv6 server, but not an IPv6 address or prefix.
With an IPv6 address obtained through stateless address autoconfiguration, the switch automatically enables the stateless DHCPv6 function after it receives an RA message with the M flag set to 0 and the O flag set to 1.
Configuring the DHCPv6 client
Configuration prerequisites
To make the DHCPv6 client successfully obtain configuration parameters through stateless DHCPv6 configuration, make sure that the DHCPv6 server is available.
Configuration procedure
Follow these steps to configure the DHCPv6 client:
1. Enter system view: system-view
2. Enable the IPv6 packet forwarding function: ipv6 (Required)
3. Enter interface view: interface interface-type interface-number
4. Enable IPv6 stateless address autoconfiguration: ipv6 address auto (Required)
NOTE:
For more information about the ipv6 address auto command, see the chapter “IPv6 basics configuration commands.”
Displaying and maintaining the DHCPv6 client
• Display DHCPv6 client information: display ipv6 dhcp client [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display DHCPv6 client statistics: display ipv6 dhcp client statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display the DUID of the local device: display ipv6 dhcp duid [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Clear DHCPv6 client statistics: reset ipv6 dhcp client statistics [ interface interface-type interface-number ] (Available in user view)
Stateless DHCPv6 configuration example
Network requirements
As shown in Figure 42, through stateless DHCPv6, Switch A obtains the DNS server address, domain name, and other information from the server.
Switch B acts as the gateway to send RA messages periodically.
Figure 42 Stateless DHCPv6 configuration
Configuration procedure
1. Configure Switch B
# Enable the IPv6 packet forwarding function.
<SwitchB> system-view
[SwitchB] ipv6
# Configure the IPv6 address of VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ipv6 address 1::1 64
# Set the O flag in the RA messages to 1.
[SwitchB-Vlan-interface2] ipv6 nd autoconfig other-flag
# Enable Switch B to send RA messages.
[SwitchB-Vlan-interface2] undo ipv6 nd ra halt
2. Configure Switch A
# Enable the IPv6 packet forwarding function.
<SwitchA> system-view
[SwitchA] ipv6
# Enable stateless IPv6 address autoconfiguration on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ipv6 address auto
With this command executed, if VLAN-interface 2 has no IPv6 address configured, Switch A will automatically generate a link-local address, and send an RS message, requesting the gateway (Switch B) to reply with an RA message immediately.
Verification
After receiving an RA message with the M flag set to 0 and the O flag set to 1, Switch A automatically enables the stateless DHCPv6 function.
# Use the display ipv6 dhcp client command to view the current client configuration information. If the client successfully obtains configuration information from the server, the following information will be displayed.
[SwitchA-Vlan-interface2] display ipv6 dhcp client interface vlan-interface 2
Vlan-interface2 is in stateless DHCPv6 client mode
State is OPEN
Preferred Server:
  Reachable via address : FE80::213:7FFF:FEF6:C818
  DUID                  : 0003000100137ff6c818
  DNS servers           : 1:2:3::5
                          1:2:4::7
  Domain names          : abc.com
                          Sysname.com
# Use the display ipv6 dhcp client statistics command to view the current client statistics.
[SwitchA-Vlan-interface2] display ipv6 dhcp client statistics
Interface             : Vlan-interface2
Packets Received      : 1
  Reply               : 1
  Advertise           : 0
  Reconfigure         : 0
  Invalid             : 0
Packets Sent          : 5
  Solicit             : 0
  Request             : 0
  Confirm             : 0
  Renew               : 0
  Rebind              : 0
  Information-request : 5
  Release             : 0
  Decline             : 0
DHCPv6 snooping configuration
NOTE:
• A DHCPv6 snooping switch does not work if it is between a DHCPv6 relay agent and a DHCPv6 server. The DHCPv6 snooping switch works when it is between a DHCPv6 client and a DHCPv6 relay agent or between a DHCPv6 client and a DHCPv6 server.
• You can configure only Layer 2 Ethernet interfaces or Layer 2 aggregate interfaces as DHCPv6 snooping trusted ports. For more information about aggregate interfaces, see the Layer 2—LAN Switching Configuration Guide.
DHCPv6 snooping overview
DHCPv6 snooping is a security feature with the following uses:
• Ensure that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers.
• Record IP-to-MAC mappings of DHCPv6 clients.
Ensure that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers
If DHCPv6 clients obtain invalid IPv6 addresses and network configuration parameters from an unauthorized DHCPv6 server, they will be unable to communicate normally with other network devices. With DHCPv6 snooping, the ports of a switch can be configured as trusted or untrusted to ensure that the clients obtain IPv6 addresses only from authorized DHCPv6 servers.
• Trusted: A trusted port forwards DHCPv6 messages normally.
• Untrusted: An untrusted port discards reply messages from any DHCPv6 server.
Figure 43 Trusted and untrusted ports
A DHCPv6 snooping switch’s port that is connected to an authorized DHCPv6 server, DHCPv6 relay agent, or another DHCPv6 snooping switch should be configured as a trusted port. The trusted port forwards reply messages from the authorized DHCPv6 server. Other ports are configured as untrusted so they do not forward reply messages from unauthorized DHCPv6 servers. This ensures that the DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server only. As shown in Figure 43, configure the port that connects to the DHCPv6 server as a trusted port, and other ports as untrusted.
Recording IP-to-MAC mappings of DHCPv6 clients
DHCPv6 snooping reads DHCPv6 messages to create and update DHCPv6 snooping entries, including MAC addresses of clients, IPv6 addresses obtained by the clients, ports that connect to DHCPv6 clients, and VLANs to which the ports belong. You can use the display ipv6 dhcp snooping user-binding command to view the IPv6 address obtained by each client, so that you can manage and monitor the clients' IPv6 addresses.
Enabling DHCPv6 snooping
To allow clients to obtain IPv6 addresses from an authorized DHCPv6 server, enable DHCPv6 snooping globally and configure trusted and untrusted ports properly. To record DHCPv6 snooping entries for a VLAN, enable DHCPv6 snooping for the VLAN.
Follow these steps to enable DHCPv6 snooping:
1. Enter system view: system-view
2. Enable DHCPv6 snooping globally: ipv6 dhcp snooping enable (Required. Disabled by default.)
3. Enter VLAN view: vlan vlan-id
4. Enable DHCPv6 snooping for the VLAN: ipv6 dhcp snooping vlan enable (Optional. Disabled by default.)
Configuring a DHCPv6 snooping trusted port
After enabling DHCPv6 snooping globally, you can specify trusted and untrusted ports for a VLAN as needed. A DHCPv6 snooping trusted port forwards DHCPv6 packets. A DHCPv6 snooping untrusted port discards any DHCPv6 reply message received from a DHCPv6 server. Upon receiving a DHCPv6 request from a client in the VLAN, the DHCPv6 snooping switch forwards the packet through trusted ports rather than any untrusted port in the VLAN, reducing network traffic.
Follow these steps to configure a DHCPv6 snooping trusted port:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure the port as trusted: ipv6 dhcp snooping trust (Required. By default, all ports of the device with DHCPv6 snooping globally enabled are untrusted.)
NOTE:
• You must specify a port connected to an authorized DHCPv6 server as trusted to ensure that DHCPv6 clients can obtain valid IPv6 addresses. The trusted port and the ports connected to the DHCPv6 clients must be in the same VLAN.
• If a Layer 2 Ethernet interface is added to an aggregation group, the DHCPv6 snooping configuration of the interface will not take effect until the interface quits from the aggregation group.
Configuring the maximum number of DHCPv6 snooping entries an interface can learn
Follow these steps to configure the maximum number of DHCPv6 snooping entries an interface can learn:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure the maximum number of DHCPv6 snooping entries that the interface can learn: ipv6 dhcp snooping max-learning-num number (Optional. By default, the number of DHCPv6 snooping entries learned by an interface is not limited.)
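The snooping behaviour described in this chapter (untrusted ports discarding server replies, client requests forwarded out trusted ports only, bindings recorded from Reply messages, and the per-port learning limit of this section), as one added simulation that is not code from this guide or the switch. Port names follow the guide's example topology; the client MACs and addresses are constructed. Treating a Reply that would exceed the learning limit as forwarded but not recorded is an assumption, since the guide only states that the number of entries learned is limited.

```python
"""DHCPv6 snooping model: trusted ports, binding table, learning limit (added example)."""

from dataclasses import dataclass, field

SERVER_MSGS = {"Advertise", "Reply", "Reconfigure"}          # only servers send these
CLIENT_MSGS = {"Solicit", "Request", "Confirm", "Renew", "Rebind",
               "Release", "Decline", "Information-request"}


@dataclass
class Binding:
    mac: str
    ipv6: str
    port: str
    vlan: int


@dataclass
class SnoopingSwitch:
    vlan_ports: dict                                   # vlan -> [port, ...]
    trusted: set = field(default_factory=set)          # ipv6 dhcp snooping trust
    max_learning: dict = field(default_factory=dict)   # port -> max-learning-num
    bindings: dict = field(default_factory=dict)       # (vlan, ipv6) -> Binding
    last_request: dict = field(default_factory=dict)   # client MAC -> (port, vlan)
    dropped: list = field(default_factory=list)        # (port, reason)

    def receive(self, port: str, vlan: int, msg: dict) -> list:
        """Process one DHCPv6 message; return the ports it is forwarded out of."""
        kind = msg["type"]
        if kind in SERVER_MSGS:
            if port not in self.trusted:
                self.dropped.append((port, f"{kind} on untrusted port"))
                return []                              # unauthorized server is silenced
            self._learn(msg)
            client = self.last_request.get(msg["client_mac"])
            if client:
                return [client[0]]                     # back to the requesting client
            return [p for p in self.vlan_ports[vlan] if p != port]
        if kind in CLIENT_MSGS:
            self.last_request[msg["client_mac"]] = (port, vlan)
            # Requests go toward trusted ports only, not every port in the VLAN.
            return [p for p in self.vlan_ports[vlan] if p in self.trusted and p != port]
        return []

    def _learn(self, msg: dict) -> None:
        if msg["type"] != "Reply" or "assigned" not in msg:
            return                                     # stateless replies carry no address
        client = self.last_request.get(msg["client_mac"])
        if client is None:
            return
        cport, cvlan = client
        key = (cvlan, msg["assigned"])
        limit = self.max_learning.get(cport)
        on_port = sum(1 for b in self.bindings.values() if b.port == cport)
        if limit is not None and on_port >= limit and key not in self.bindings:
            self.dropped.append((cport, "max-learning-num reached"))   # assumption: not recorded
            return
        self.bindings[key] = Binding(msg["client_mac"], msg["assigned"], cport, cvlan)

    def user_bindings(self) -> list:
        """Rows in the spirit of display ipv6 dhcp snooping user-binding."""
        return sorted((b.ipv6, b.mac, b.port, b.vlan) for b in self.bindings.values())


def example_switch() -> SnoopingSwitch:
    """Guide's example topology: 1/0/1 to the server, 1/0/2 and 1/0/3 to clients, VLAN 2."""
    sw = SnoopingSwitch(vlan_ports={2: ["Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3"]})
    sw.trusted.add("Ethernet1/0/1")
    return sw


if __name__ == "__main__":
    sw = example_switch()
    print(sw.receive("Ethernet1/0/2", 2, {"type": "Solicit", "client_mac": "00:00:5e:00:53:aa"}))
    print(sw.receive("Ethernet1/0/3", 2, {"type": "Reply", "client_mac": "00:00:5e:00:53:aa",
                                          "assigned": "2001:db8::99"}), sw.dropped)
    print(sw.receive("Ethernet1/0/1", 2, {"type": "Reply", "client_mac": "00:00:5e:00:53:aa",
                                          "assigned": "2001:db8::10"}), sw.user_bindings())
```

The dropped list is the detection hook a practitioner would want: a Reply arriving on an untrusted port is exactly the rogue-server event the feature exists to catch, and counting those per port identifies where the unauthorized server is attached.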
Displaying and maintaining DHCPv6 snooping
• Display DHCPv6 snooping trusted ports: display ipv6 dhcp snooping trust [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Display DHCPv6 snooping entries: display ipv6 dhcp snooping user-binding { ipv6-address | dynamic } [ | { begin | exclude | include } regular-expression ] (Available in any view)
• Clear DHCPv6 snooping entries: reset ipv6 dhcp snooping user-binding { ipv6-address | dynamic } (Available in user view)
DHCPv6 snooping configuration example
Network requirements
As shown in Figure 44, Switch is connected to a DHCPv6 server through Ethernet 1/0/1, and is connected to DHCPv6 clients through Ethernet 1/0/2 and Ethernet 1/0/3. These three interfaces belong to VLAN 2. Configure Switch to do the following:
• Forward DHCPv6 reply messages received on Ethernet 1/0/1 only.
• Record the IP-to-MAC mappings for DHCPv6 clients.
Figure 44 Network diagram for DHCPv6 snooping configuration
Configuration procedure
# Enable DHCPv6 snooping globally.
<Switch> system-view
[Switch] ipv6 dhcp snooping enable
# Add Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 to VLAN 2.
[Switch] vlan 2
[Switch-vlan2] port Ethernet 1/0/1 Ethernet 1/0/2 Ethernet 1/0/3
# Enable DHCPv6 snooping for VLAN 2.
[Switch-vlan2] ipv6 dhcp snooping vlan enable
[Switch] quit
# Configure Ethernet 1/0/1 as a DHCPv6 snooping trusted port.
[Switch] interface Ethernet 1/0/1
[Switch-Ethernet1/0/1] ipv6 dhcp snooping trust
Verification
After completing the configuration, connect Ethernet 1/0/2 to a DHCPv6 client, Ethernet 1/0/1 to a DHCPv6 server, and Ethernet 1/0/3 to an unauthorized DHCPv6 server. The DHCPv6 client obtains an IPv6 address from the DHCPv6 server, but cannot obtain any IPv6 address from the unauthorized DHCPv6 server. You can use the display ipv6 dhcp snooping user-binding command to view the DHCPv6 snooping entries on Switch.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP A-Series Acronyms.
Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
• Boldface: Bold text represents commands and keywords that you enter literally as shown.
• Italic: Italic text represents arguments that you replace with actual values.
• [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
• { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
• [ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
• { x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
• [ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
• &<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
• #: A line that starts with a pound (#) sign is a comment.
GUI conventions
• Boldface: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
• >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
• WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
• CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
• IMPORTANT: An alert that calls attention to essential information.
• NOTE: An alert that contains additional or supplementary information.
• TIP: An alert that provides helpful information.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index
ABCDEIPRST
A
Address/prefix lease renewal,79
ARP configuration example,5
ARP overview,1
B
BOOTP client configuration example,33
C
Configuring a DHCPv6 snooping trusted port,86
Configuring an interface to dynamically obtain an IP address through BOOTP,33
Configuring ARP,3
Configuring basic IPv6 functions,63
Configuring DHCP snooping basic functions,25
Configuring DHCP snooping entries backup,27
Configuring DHCP snooping to support Option 82,26
Configuring gratuitous ARP,7
Configuring ICMP to send error packets,51
Configuring ICMPv6 packet sending,74
Configuring IP addresses,10
Configuring IPv6 ND,67
Configuring IPv6 TCP properties,73
Configuring PMTU discovery,73
Configuring TCP attributes,50
Configuring the DHCPv6 client,82
Configuring the IPv4 DNS client,35
Configuring the IPv6 DNS client,42
Configuring the maximum number of DHCPv6 snooping entries an interface can learn,87
Contacting HP,89
Conventions,90
D
DHCP address allocation,12
DHCP client configuration example,21
DHCP message format,14
DHCP options,15
DHCP snooping configuration examples,30
DHCP snooping configuration task list,25
DHCP snooping overview,22
DHCPv6 address/prefix assignment,78
DHCPv6 snooping configuration example,87
DHCPv6 snooping overview,85
Displaying and maintaining ARP,5
Displaying and maintaining BOOTP client configuration,33
Displaying and maintaining DHCP snooping,29
Displaying and maintaining DHCPv6 snooping,87
Displaying and maintaining IP addressing,11
Displaying and maintaining IP performance optimization,53
Displaying and maintaining IPv4 DNS,36
Displaying and maintaining IPv6 basics configuration,76
Displaying and maintaining IPv6 DNS,43
Displaying and maintaining the DHCP client,20
Displaying and maintaining the DHCPv6 client,82
DNS overview,34
E
Enabling DHCP starvation attack protection,28
Enabling DHCP-REQUEST message attack protection,29
Enabling DHCPv6 snooping,86
Enabling the DHCP client on an interface,20
I
Introduction to BOOTP client,32
Introduction to DHCP,12
Introduction to DHCPv6,78
Introduction to DHCP client,20
Introduction to gratuitous ARP,7
Introduction to IPv6 DNS,42
Introduction to the DHCPv6 client,82
IP addressing overview,9
IP performance optimization overview,50
IPv4 DNS configuration examples,37
IPv6 basics configuration task list,62
IPv6 DNS configuration examples,43
IPv6 overview,54
P
Protocols and standards,18
Protocols and standards,81
R
Related information,89
S
Stateless DHCPv6 configuration,80
Stateless DHCPv6 configuration example,83
T
Troubleshooting IPv4 DNS configuration,41