HP FlexNetwork MSR2003, Configuration Manual

Page 1: ...HPE FlexNetwork MSR Router Series Comware 7 Layer 3 IP Services Configuration Guide Part number 5998 8832 Software version CMW710 R0305 Document version 6PW106 20160308 ...

Page 2: ...nd 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise ...

Page 3: ... notification 10 Configuring proxy ARP 12 Enabling common proxy ARP 12 Enabling local proxy ARP 12 Displaying proxy ARP 13 Common proxy ARP configuration example 13 Network requirements 13 Configuration procedure 13 Verifying the configuration 14 Configuring ARP fast reply 15 Overview 15 Configuration procedure 15 ARP fast reply configuration example 15 Network requirements 15 Configuration proced...

Page 4: ...list 39 Configuring an address pool on the DHCP server 40 Configuration task list 40 Creating a DHCP address pool 40 Specifying IP address ranges for a DHCP address pool 40 Specifying gateways for DHCP clients 43 Specifying a domain name suffix for DHCP clients 44 Specifying DNS servers for DHCP clients 44 Specifying WINS servers and NetBIOS node type for DHCP clients 44 Specifying BIMS server for...

Page 5: ...y functions 69 Enabling the DHCP relay agent to record relay entries 69 Enabling periodic refresh of dynamic relay entries 69 Enabling DHCP starvation attack protection 70 Configuring the DHCP relay agent to release an IP address 71 Configuring Option 82 71 Setting the DSCP value for DHCP packets sent by the DHCP relay agent 72 Enabling DHCP server proxy on a DHCP relay agent 72 Configuring a DHCP...

Page 6: ...name resolution 95 Dynamic domain name resolution 95 DNS proxy 96 DNS spoofing 97 DNS configuration task list 98 Configuring the IPv4 DNS client 98 Configuring static domain name resolution 98 Configuring dynamic domain name resolution 99 Configuring the IPv6 DNS client 99 Configuring static domain name resolution 99 Configuring dynamic domain name resolution 100 Configuring the DNS proxy 101 Conf...

Page 7: ...erequisites 129 Configuring outbound one to one static NAT 129 Configuring outbound net to net static NAT 130 Configuring inbound one to one static NAT 130 Configuring inbound net to net static NAT 131 Configuring dynamic NAT 131 Configuration restrictions and guidelines 132 Configuration prerequisites 132 Configuring outbound dynamic NAT 132 Configuring inbound dynamic NAT 133 Configuring NAT Ser...

Page 8: ...nd hardware compatibility 179 Specifying a flow classification policy 179 Displaying the adjacency table 180 Overview 180 Command and hardware compatibility 181 Displaying commands 181 Configuring IRDP 182 Overview 182 IRDP operation 182 Basic concepts 182 Protocols and standards 183 Configuration procedure 183 IRDP configuration example 184 Network requirements 184 Configuration procedure 184 Ver...

Page 9: ...4 Configuring IPv6 ND 214 Configuring a static neighbor entry 214 Setting the maximum number of dynamic neighbor entries 215 Setting the aging timer for ND entries in stale state 215 Minimizing link local ND entries 216 Setting the hop limit 216 Configuring parameters for RA messages 216 Configuring the maximum number of attempts to send an NS message for DAD 218 Enabling ND proxy 219 Configuring ...

Page 10: ...t by the DHCPv6 server 248 Configuring DHCPv6 binding auto backup 248 Advertising subnets assigned to clients 249 Applying a DHCPv6 address pool to a VPN instance 250 Configuring DHCPv6 logging on the DHCPv6 server 250 Displaying and maintaining the DHCPv6 server 251 DHCPv6 server configuration examples 252 Dynamic IPv6 prefix assignment configuration example 252 Dynamic IPv6 address assignment co...

Page 11: ...ng DHCPv6 snooping 280 DHCPv6 snooping configuration example 280 Network requirements 280 Configuration procedure 281 Verifying the configuration 281 Configuring IPv6 fast forwarding 282 Overview 282 Compatibility information 282 Command and hardware compatibility 282 Configuring the aging time for IPv6 fast forwarding entries 282 Configuring IPv6 fast forwarding load sharing 283 Displaying and ma...

Page 12: ...alysis 330 Solution 331 Configuring ADVPN 332 Overview 332 ADVPN structures 332 How ADVPN operates 334 NAT traversal 337 ADVPN configuration task list 337 Configuring AAA 337 Configuring the VAM server 337 Creating an ADVPN domain 338 Enabling the VAM server 338 Configuring a pre shared key for the VAM server 338 Configuring hub groups 339 Configuring the port number of the VAM server 340 Specifyi...

Page 13: ...g AFT 429 Overview 429 Compatibility information 429 Command and hardware compatibility 429 AFT implementations 429 Static AFT 429 Dynamic AFT 429 Prefix translation 430 AFT internal server 431 AFT translation process 431 For IPv6 initiated communication 431 For IPv4 initiated communication 432 AFT with ALG 433 AFT configuration task list 433 For IPv6 initiated communication 433 For IPv4 initiated...

Page 14: ... Conventions 451 Network topology icons 452 Support and other resources 453 Accessing Hewlett Packard Enterprise Support 453 Accessing updates 453 Websites 454 Customer self repair 454 Remote support 454 Documentation feedback 454 Index 456 ...

Page 15: ...value 2 represents an ARP reply Sender hardware address Hardware address of the device sending the message Sender protocol address Protocol address of the device sending the message Target hardware address Hardware address of the device to which the message is being sent Target protocol address Protocol address of the device to which the message is being sent ARP operating mechanism As shown in Fi...

Page 16: ...in an ARP reply to Host A 3 Host A uses the gateway s MAC address to encapsulate the packet and then sends the packet to the gateway 4 If the gateway has an ARP entry for Host B it forwards the packet to Host B directly If not the gateway broadcasts an ARP request in which the target IP address is the IP address of Host B 5 After the gateway gets the MAC address of Host B it sends the packet to Ho...

Page 17: ...e OpenFlow Configuration Guide Rule ARP entry ARP creates Rule ARP entries by learning from the IPoE or portal module A Rule ARP entry does not age out and it cannot be updated It can be overwritten by a static ARP entry A Rule ARP entry can be used directly to forward packets For more information about IPoE see Layer 2 WAN Access Configuration Guide For more information about portal see Security ...

Page 18: ...2 Set the maximum number of dynamic ARP entries for the device arp max learning number number If the value for the number argument is set to 0 the device is disabled from learning dynamic ARP entries Setting the maximum number of dynamic ARP entries for an interface An interface can dynamically learn ARP entries To prevent an interface from holding too many ARP entries you can set the maximum numb...

Page 19: ...aining multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address You can also manually add static ARP entries containing multicast MAC addresses To enable dynamic ARP entry check Step Command Remarks 1 Enter system view system view N A 2 Enable dynamic ARP entry check arp check enable By default dynamic ARP entry check is enabled Enabling ARP logging This function en...

Page 20: ...id interface interface type interface number count verbose Display the ARP entry for an IP address centralized devices in standalone mode display arp ip address verbose Display the ARP entry for an IP address distributed devices in standalone mode centralized devices in IRF mode display arp ip address slot slot number verbose Display the ARP entry for an IP address distributed devices in IRF mode ...

Page 21: ...nterface gigabitethernet 2 0 1 RouterB GigabitEthernet2 0 1 port access vlan 10 RouterB GigabitEthernet2 0 1 quit Create VLAN interface 10 and configure its IP address RouterB interface vlan interface 10 RouterB vlan interface10 ip address 192 168 1 2 8 RouterB vlan interface10 quit Configure a static ARP entry that has IP address 192 168 1 1 MAC address 00e0 fc01 0000 and output interface Gigabit...

Page 22: ...e Configure an IP address for GigabitEthernet 2 0 2 RouterB system view RouterB interface gigabitethernet 2 0 2 RouterB GigabitEthernet2 0 2 ip address 192 168 1 2 24 RouterB GigabitEthernet2 0 2 quit Configure a static ARP entry that has IP address 192 168 1 1 and MAC address 00e0 fc01 001f RouterB arp static 192 168 1 1 00e0 fc01 001f Verifying the configuration Verify that Router B has a short ...

Page 23: ... sent to the attacker instead As a result the hosts cannot access the external network To prevent such gateway spoofing attacks you can enable the gateway to send gratuitous ARP packets at intervals Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway so hosts can learn correct gateway information Prevent ARP entries from aging out If ...

Page 24: ...ange the interval for sending gratuitous ARP packets the configuration is effective at the next sending interval The frequency of sending gratuitous ARP packets might be much lower than the sending interval set by the user in any of the following circumstances This function is enabled on multiple interfaces Each interface is configured with multiple secondary IP addresses A small sending interval ...

Page 25: ... before sending a gratuitous ARP reply or request for conflict confirmation To enable IP conflict notification Step Command Remarks 1 Enter system view system view N A 2 Enable IP conflict notification arp ip conflict log prompt By default IP conflict notification is disabled ...

Page 26: ...tep Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The following interface types are supported VLAN interface Layer 3 Ethernet interface Layer 3 Ethernet subinterface Layer 3 aggregate interface Layer 3 aggregate subinterface 3 Enable common proxy ARP proxy arp enable By default common proxy ARP is disabled Enabling local proxy ...

Page 27: ...nt subnets No default gateway is configured on Host A and Host D Configure common proxy ARP on the router to enable communication between Host A and Host D Figure 5 Network diagram Configuration procedure Configure the IP address of interface GigabitEthernet 2 0 2 Router system view Router interface gigabitethernet 2 0 2 Router GigabitEthernet2 0 2 ip address 192 168 10 99 255 255 255 0 Enable com...

Page 28: ... 192 168 20 99 255 255 255 0 Enable common proxy ARP on interface GigabitEthernet 2 0 1 Router GigabitEthernet2 0 1 proxy arp enable Router GigabitEthernet2 0 1 quit Verifying the configuration Verify that Host A and Host D can ping each other ...

Page 29: ...eply If the interface is a wireless interface or an Ethernet interface other than the receiving interface the device returns a reply according to the matching entry 3 If no matching DHCP snooping entry is found the ARP request is forwarded to other interfaces except the receiving interface in the VLAN or delivered to other modules Configuration procedure To configure ARP fast reply Step Command Re...

Page 30: ... Network diagram Configuration procedure Enable ARP fast reply for VLAN 2 on the router Router vlan2 arp fast reply enable Router vlan2 quit Router Client 1 Client 16 Client 17 Client 32 DHCP server VLAN 2 VLAN 2 ...

Page 31: ...dress ARP PnP generates agent IP addresses based on the primary IP address and mask length of the interface Use the reset arp command to delete all ARP entries on the interface Configure NAT on the interface that connects to the external network For more information about NAT see Configuring NAT Configuration procedure Step Command Remarks 1 Enter system view system view N A 2 Configure an address...

Page 32: ...t at 1 2 3 4 to access the external server through GigabitEthernet 2 0 1 Figure 7 Network diagram Configuration procedure 1 Configure NAT Specify IP addresses for GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 Router system view Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 ip address 192 168 0 2 24 Router GigabitEthernet2 0 1 quit Router interface gigabitethernet 2 0 2 Route...

Page 33: ...roup 1 2 Enable the ARP PnP feature on GigabitEthernet 2 0 1 Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 arp pnp Router GigabitEthernet2 0 1 quit Verifying the configuration Verify that the router creates an ARP PnP mapping for the host IP address 1 2 3 4 on GigabitEthernet 2 0 1 Router display arp pnp interface gigabitethernet 2 0 1 Total number of entries 1 Agent IP addres...

Page 34: ...pression is enabled on the PE that connects to the base station The PE generates ARP suppression entries for the base station PE agg 1 and PE agg 2 and it directly replies subsequent ARP requests for these devices Figure 8 Typical application Configuration procedure Step Command Remarks 1 Enter system view system view N A 2 Create a cross connect group and enter its view xconnect group group name ...

Page 35: ... Display ARP suppression entries distributed devices in IRF mode display arp suppression xconnect group name group name chassis chassis number slot slot number count Clear ARP suppression entries centralized devices in standalone mode reset arp suppression xconnect group Clear ARP suppression entries distributed devices in standalone mode centralized devices in IRF mode reset arp suppression xconn...

Page 36: ...guration 1 On the base station clear ARP entries and ping the L3VE interface VE L3VPN 1 of Router B Details not shown 2 Verify that Router A has ARP suppression entries for the base station and Router B RouterA xcg vpna svc display arp suppression xconnect group IP address MAC address Xconnect group Connection Aging 10 1 1 1 00e0 fc04 582c vpna svc 25 10 1 1 3 0023 89b7 0861 vpna svc 25 3 Enable A...

Page 37: ...rom the PE in the L3VPN to the base station can be load shared by PE agg 1 and PE agg 2 If PE agg 1 fails the PE uses the host route through PE agg 2 to forward traffic Figure 10 Typical application Configuration procedure Step Command Remarks 1 Enter system view system view N A 2 Create an L3VE interface and enter its view interface ve l3vpn interface number By default no L3VE interface exists Fo...

Page 38: ... into the following sections Net ID Identifies a network The first several bits of a net ID known as the class field or class bits identify the class of the IP address Host ID Identifies a host on a network IP addresses are divided into five classes as shown in Figure 11 The shaded areas represent the address class The first three classes are most commonly used Figure 11 IP address classes Table 1...

Page 39: ...nsecutive zeros represent the host ID Before being subnetted Class A B and C networks use these default masks also called natural masks 255 0 0 0 255 255 0 0 and 255 255 255 0 respectively Figure 12 Subnetting a Class B network Subnetting increases the number of addresses that cannot be assigned to hosts Therefore using subnets means accommodating fewer hosts For example a Class B network without ...

Page 40: ... interface view interface interface type interface number N A 3 Assign an IP address to the interface ip address ip address mask mask length sub By default no IP address is assigned to the interface Configuring IP unnumbered Typically you assign an IP address to an interface either manually or through DHCP If the IP addresses are not enough or the interface is used only occasionally you can config...

Page 41: ...ion see IP unnumbered configuration example Displaying and maintaining IP addressing Execute display commands in any view Task Command Display IP configuration and statistics for the specified or all Layer 3 interfaces display ip interface interface type interface number Display brief IP configuration for Layer 3 interfaces display ip interface interface type interface number brief description Con...

Page 42: ...72 16 1 2 icmp_seq 0 ttl 128 time 7 000 ms 56 bytes from 172 16 1 2 icmp_seq 1 ttl 128 time 2 000 ms 56 bytes from 172 16 1 2 icmp_seq 2 ttl 128 time 1 000 ms 56 bytes from 172 16 1 2 icmp_seq 3 ttl 128 time 1 000 ms 56 bytes from 172 16 1 2 icmp_seq 4 ttl 128 time 2 000 ms Ping statistics for 172 16 1 2 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min avg max std dev 1 00...

Page 43: ...sign a primary IP address to GigabitEthernet 2 0 1 RouterA system view RouterA interface gigabitethernet 2 0 1 RouterA GigabitEthernet2 0 1 ip address 172 16 10 1 255 255 255 0 RouterA GigabitEthernet2 0 1 quit Configure Serial 2 1 1 to borrow an IP address from GigabitEthernet 2 0 1 RouterA interface serial 2 1 1 RouterA Serial2 1 1 ip address unnumbered interface gigabitethernet 2 0 1 RouterA Se...

Page 44: ...guration Verify that a host attached to Router B can be pinged from Router A RouterA ping 172 16 20 2 Ping 172 16 20 2 172 16 20 2 56 data bytes press CTRL_C to break 56 bytes from 172 16 20 2 icmp_seq 0 ttl 128 time 7 000 ms 56 bytes from 172 16 20 2 icmp_seq 1 ttl 128 time 2 000 ms 56 bytes from 172 16 20 2 icmp_seq 2 ttl 128 time 1 000 ms 56 bytes from 172 16 20 2 icmp_seq 3 ttl 128 time 1 000 ...

Page 45: ...information about the DHCP relay agent see Configuring the DHCP relay agent Figure 15 A typical DHCP application DHCP address allocation Allocation mechanisms DHCP supports the following allocation mechanisms Static allocation The network administrator assigns an IP address to a client such as a WWW server and DHCP conveys the assigned address to the client Automatic allocation DHCP assigns a perm...

Page 46: ...ocated to the client Returns a DHCP NAK message to deny the IP address allocation After receiving the DHCP ACK message the client verifies the following details before using the assigned IP address The assigned IP address is not in use To verify this the client broadcasts a gratuitous ARP packet The assigned IP address is not in use if no response is received within the specified time The assigned...

Page 47: ... 0 flags The leftmost bit is defined as the BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast If this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field are reserved for future use ciaddr Client IP address if the client has an IP address that is valid and usable Otherwise set to zero The client does not use thi...

Page 48: ...d by the client Option 60 Vendor class identifier option A DHCP client uses this option to identify its vendor A DHCP server uses this option to distinguish DHCP clients and assigns IP addresses to them Option 66 TFTP server name option It specifies a TFTP server to be assigned to the client Option 67 Boot file name option It specifies the boot file name to be assigned to the client Option 121 Cla...

Page 49: ...e field value can be 0x01 ACS parameter sub option 0x02 service provider identifier sub option or 0x80 PXE server address sub option Sub option length Excludes the sub option type and sub option length fields Sub option value The value format varies by sub option 2 Sub option value field formats ACS parameter sub option value field Includes the ACS URL username and password separated by spaces 0x2...

Page 50: ...lient s request Sysname padding mode Includes the device name of the device To set the device name for the device use the sysname command in system view Option 184 Option 184 is a reserved option You can define the parameters in the option as needed The device supports Option 184 carrying voice related parameters so a DHCP client with voice functions can get voice parameters from the DHCP server O...

Page 51: ...cts an IP address from the matching IP address range in the address pool You can specify IP address ranges in an address pool by using either of the following methods Method 1 Specify a primary subnet in an address pool and divide the subnet into multiple address ranges These address ranges include a common IP address range and IP address ranges for DHCP user classes Upon receiving a DHCP request ...

Page 52: ...atch is found the server selects the address pool with the longest matching primary subnet If no match is found the DHCP server compares the IP address with the secondary subnets of all address pools The server selects the address pool with the longest matching secondary subnet Client on a different subnet than the server The DHCP server compares the IP address in the giaddr field of the DHCP requ...

Page 53: ...ts lease duration If no IP address is assignable the server does not respond NOTE If a client moves to another subnet the DHCP server selects an IP address in the address pool matching the new subnet It does not assign the IP address that was once assigned to the client Conflicted IP addresses can be assigned to other DHCP clients only after the addresses are in conflict for an hour DHCP server co...

Page 54: ...address pool exists Specifying IP address ranges for a DHCP address pool You can configure both static and dynamic address allocation mechanisms in a DHCP address pool For dynamic address allocation you can specify either a primary subnet with multiple address ranges or a primary subnet with multiple secondary subnets for a DHCP address pool You cannot configure both Specifying a primary subnet an...

Page 55: ...fy the primary subnet for the address pool network network address mask length mask mask By default no primary subnet is specified 7 Optional Specify the common address range address range start ip address end ip address vpn instance vpn instance name By default no IP address range is specified 8 Optional Specify an IP address range for a DHCP user class class class name range start ip address end...

Page 56: ...mask mask By default no primary subnet is specified 4 Optional Specify a secondary subnet network network address mask length mask mask secondary By default no secondary subnet is specified 5 Optional Return to address pool view quit N A 6 Optional Set the address lease duration expired day day hour hour minute minute second second unlimited The default setting is 1 day 7 Optional Exclude the spec...

Page 57: ... add more static bindings repeat this step 4 Optional Set the lease duration for the IP address expired day day hour hour minute minute second second unlimited The default setting is 1 day Specifying gateways for DHCP clients DHCP clients send packets destined for other networks to a gateway The DHCP server can assign the gateway address to the DHCP clients You can specify gateway addresses in eac...

Page 58: ...m view system view N A 2 Create a DHCP address pool and enter its view dhcp server ip pool pool name By default no DHCP address pool exists 3 Specify DNS servers dns list ip address 1 8 By default no DNS server is specified Specifying WINS servers and NetBIOS node type for DHCP clients A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution You can specify up ...

Page 59: ...ult no DHCP address pool exists 3 Specify the BIMS server IP address port number and shared key bims server ip ip address port port number sharekey cipher simple key By default no BIMS server information is specified Specifying the configuration file for DHCP client auto configuration Auto configuration enables a device to obtain a set of configuration settings automatically from servers when the ...

Page 60: ... configuration file URL is specified Specifying a server for DHCP clients Some DHCP clients need to obtain configuration information from a server such as a TFTP server You can specify the IP address of that server The DHCP server sends the server s IP address to DHCP clients along with other configuration information To specify the IP address of a server Step Command Remarks 1 Enter system view s...

Page 61: ... options for which the CLI does not provide a dedicated configuration command For example you can use the option 4 ip address 1 1 1 1 command to define the time server address 1 1 1 1 for DHCP clients Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command For example the dns list command can specify up to eight DNS servers To specify more tha...

Page 62: ...dress pool exists 8 Specify the DHCP option group for the DHCP user class class class name option group option group number By default no DHCP option group is specified for a DHCP user class Table 2 Common DHCP options Option Option name Corresponding command Recommended option command parameters 3 Router Option gateway list ip address 6 Domain Name Server Option dns list ip address 15 Domain Name...

Page 63: ... valid class class name 1 8 By default no DHCP user class is on the DHCP user class whitelist Enabling DHCP You must enable DHCP to validate other DHCP configurations To enable DHCP Step Command Remarks 1 Enter system view system view N A 2 Enable DHCP dhcp enable By default DHCP is disabled Enabling the DHCP server on an interface Perform this task to enable the DHCP server on an interface Upon r...

Page 64: ...eceives no response the server continues to ping the IP address until a specific number of ping packets are sent If still no response is received the server assigns the IP address to the requesting client The DHCP client uses gratuitous ARP to perform IP address conflict detection To configure IP address conflict detection Step Command Remarks 1 Enter system view system view N A 2 Optional Set the...

Page 65: ...whether this function is configured or not The DHCP request is from a DHCP client that has an IP address the ciaddr field is not 0 The DHCP request is forwarded by a DHCP relay agent from a DHCP client the giaddr field is not 0 To configure the DHCP server to broadcast all responses Step Command Remarks 1 Enter system view system view N A 2 Enable the DHCP server to broadcast all responses dhcp se...

Page 66: ...or DHCP packets sent by the DHCP server The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet To set the DSCP value for DHCP packets sent by the DHCP server Step Command Remarks 1 Enter system view system view N A 2 Set the DSCP value for DHCP packets sent by the DHCP server dhcp dscp dscp value By default the DSCP value in DHCP p...

Page 67: ... For more information about the information center see Network Management and Monitoring Configuration Guide To configure address pool usage alarming Step Command Remarks 1 Enter system view system view N A 2 Create a DHCP address pool and enter its view dhcp server ip pool pool name By default no DHCP address pool exists 3 Set the threshold for address pool usage alarming ip in use threshold thre...

Page 68: ...subnets assigned to DHCP clients This feature achieves symmetric routing for traffic of the same host As shown in Figure 23 Router A and Router B act as both the DHCP server and the BRAS device The BRAS devices send accounting packets to the RADIUS server To enable the BRAS devices to collect correct accounting information for each RADIUS user configure the DHCP server to advertise subnets assigne...

Page 69: ...erver s interface that receives DHCP packets from the client The VPN information from authentication modules takes priority over the VPN information of the receiving interface To apply a DHCP address pool to a VPN instance Step Command Remarks 1 Enter system view system view N A 2 Create a DHCP address pool and enter its view dhcp server ip pool pool name By default no DHCP address pool exists 3 A...

Page 70: ...ormation about IP address conflicts display dhcp server conflict ip ip address vpn instance vpn instance name Display information about DHCP binding auto backup display dhcp server database Display information about lease expired IP addresses display dhcp server expired ip ip address vpn instance vpn instance name pool pool name Display information about assignable IP addresses display dhcp server...

Page 71: ...erface GigabitEthernet 2 0 1 on Router B is 0030 3030 662e 6532 3030 2e30 3030 322d 4574 6865 726e 6574 The MAC address of the interface GigabitEthernet 2 0 1 on Router C is 000f e200 01c0 Figure 24 Network diagram Configuration procedure 1 Specify an IP address for GigabitEthernet 2 0 1 on Router A RouterA system view RouterA interface gigabitethernet 2 0 1 RouterA GigabitEthernet2 0 1 ip address...

Page 72: ...r ip in use IP address Client identifier Lease expiration Type Hardware address 10 1 1 5 0030 3030 662e 6532 Jan 21 14 27 27 2014 Static C 3030 2e30 3030 322d 4574 6865 726e 6574 10 1 1 6 000f e200 01c0 Unlimited Static C Dynamic IP address assignment configuration example Network requirements As shown in Figure 25 the DHCP server Router A assigns IP addresses to clients on subnet 10 1 1 0 24 whic...

Page 73: ... server forbidden ip 10 1 1 4 RouterA dhcp server forbidden ip 10 1 1 126 RouterA dhcp server forbidden ip 10 1 1 254 Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients on subnet 10 1 1 0 25 RouterA dhcp server ip pool 1 RouterA dhcp pool 1 network 10 1 1 0 mask 255 255 255 128 RouterA dhcp pool 1 expired day 10 hour 12 RouterA dhcp pool 1 domain nam...

Page 74: ...en convey them to the DHCP server Configure the address allocation scheme as follows Assign IP addresses To clients 10 10 1 2 to 10 10 1 10 The DHCP request contains Option 82 10 10 1 11 to 10 10 1 26 The hardware address in the request is six bytes long and begins with aabb aabb aab Router B assigns the DNS server address 10 10 1 20 24 and the gateway address 10 10 1 254 24 to clients on subnet 1...

Page 75: ...er class tt RouterB dhcp pool aa class tt range 10 10 1 2 10 10 1 10 Specify the address range for the user class ss RouterB dhcp pool aa class ss range 10 10 1 11 10 10 1 26 Specify the gateway and the DNS server RouterB dhcp pool aa gateway list 10 10 1 254 RouterB dhcp pool aa dns list 10 10 1 20 Verifying the configuration Verify that clients matching the DHCP user classes can obtain IP addres...

Page 76: ...ser class ss to the DHCP user class whitelist RouterA dhcp pool aa valid class ss Verifying the configuration Verify that clients matching the DHCP user class can obtain IP addresses on subnet 10 1 1 0 24 from the DHCP server Details not shown On the DHCP server display the IP addresses assigned to the clients RouterA display dhcp server ip in use Primary and secondary subnets configuration exampl...

Page 77: ... 254 Specify the secondary subnet and the gateway for dynamic allocation RouterA dhcp pool aa network 10 1 2 0 mask 255 255 255 0 secondary RouterA dhcp pool aa secondary gateway list 10 1 2 254 RouterA dhcp pool aa secondary quit RouterA dhcp pool aa Verifying the configuration Verify that the DHCP server assigns clients IP addresses and gateway address from the secondary subnet when no assignabl...

Page 78: ... 4 and 2 2 2 2 Figure 29 Network diagram Configuration procedure 1 Specify an IP address for interface GigabitEthernet 2 0 1 Details not shown 2 Configure the DHCP server Enable DHCP RouterA system view RouterA dhcp enable Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb aabb RouterA dhcp class ss Route...

Page 79: ...ave the same IP address Solution 1 Disable the client s network adapter or disconnect the client s network cable Ping the IP address of the client from another host to check whether there is a host using the same IP address 2 If a ping response is received the IP address has been manually configured on a host Execute the dhcp server forbidden ip command on the DHCP server to exclude the IP address...

Page 80: ...tion about MCE see MPLS Configuration Guide Operation The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists For the interaction details see IP address allocation process The following only describes steps related to the DHCP relay agent 1 After receiving a DHCP DISCOVER or DHCP REQUEST broadcast message from a DHCP client the DHCP relay ag...

Page 81: ... 82 before forwarding the response to the client Table 4 Handling strategies of the DHCP relay agent If a DHCP request has Handling strategy The DHCP relay agent Option 82 Drop Drops the message Keep Forwards the message without changing Option 82 Replace Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format padding content...

Page 82: ...ent on an interface With the DHCP relay agent enabled an interface forwards incoming DHCP requests to a DHCP server An IP address pool that contains the IP address of the DHCP relay interface must be configured on the DHCP server Otherwise the DHCP clients connected to the relay agent cannot obtain correct IP addresses To enable the DHCP relay agent on an interface Step Command Remarks 1 Enter sys...

Page 83: ...entry In this way illegal hosts are not able to access external networks through the relay agent Examples of the security functions are ARP address check authorized ARP and IP source guard To enable the DHCP relay agent to record relay entries Step Command Remarks 1 Enter system view system view N A 2 Enable the relay agent to record relay entries dhcp relay client information record By default th...

Page 84: ... relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses you can use one of the following methods Limit the number of ARP entries that a Layer 3 interface can learn Limit the number of MAC addresses that a Layer 2 port can learn Configure an interface that has learned the maximum MAC addresses to discard packets whose source MAC addresses are not in...

Page 85: ...relay release ip client ip vpn instance vpn instance name This command can release only the IP addresses in the recorded relay entries Configuring Option 82 Follow these guidelines when you configure Option 82 To support Option 82 you must perform related configuration on both the DHCP server and relay agent For DHCP server Option 82 configuration see Enabling handling of Option 82 If the handling...

Page 86: ...et specifies the priority level of the packet and affects the transmission priority of the packet To set the DSCP value for DHCP packets sent by the DHCP relay agent Step Command Remarks 1 Enter system view system view N A 2 Set the DSCP value for DHCP packets sent by the DHCP relay agent dhcp dscp dscp value By default the DSCP value in DHCP packets sent by the DHCP relay agent is 56 Enabling DHC...

Page 87: ...mand When a PPPoE user goes offline the DHCP relay agent can find a matching relay entry and send a DHCP RELEASE message to the DHCP server This mechanism ensures the DHCP server to be aware of the releasing of the IP address in a timely manner The remote server command also configures the device as a DHCP relay agent You do not need to enable the DHCP relay agent by using the dhcp select relay co...

Page 88: ...essage to the DHCP server The feature does not function if an ARP entry is manually deleted To enable client offline detection on the DHCP relay agent Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable the DHCP relay agent dhcp select relay By default when DHCP is enabled an interface operates in the DHCP server mo...

Page 89: ... relay agent display dhcp relay information interface interface type interface number Display relay entries on the DHCP relay agent display dhcp relay client information interface interface type interface number ip ip address vpn instance vpn instance name Display packet statistics on the DHCP relay agent display dhcp relay statistics interface interface type interface number Display MAC address c...

Page 90: ...er network parameters from the DHCP server through the DHCP relay agent Details not shown Display the statistics of DHCP packets forwarded by the DHCP relay agent RouterA display dhcp relay statistics Display relay entries if you have enabled relay entry recording on the DHCP relay agent RouterA display dhcp relay client information Option 82 configuration example Network requirements As shown in ...

Page 91: ...ircuit id string company001 RouterA GigabitEthernet2 0 1 dhcp relay information remote id string device001 Troubleshooting DHCP relay agent configuration Symptom DHCP clients cannot obtain configuration parameters through the DHCP relay agent Analysis Some problems might occur with the DHCP relay agent or server configuration Solution To locate the problem enable debugging and execute the display ...

Page 92: ...gned address Instead it requests a new IP address from the DHCP server To enable the DHCP client on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure an interface to use DHCP for IP address acquisition ip address dhcp alloc By default an interface does not use DHCP for IP address acquisition Config...

Page 93: ...he client unable to use the IP address assigned by the server As a best practice disable duplicate address detection when ARP attacks exist on the network To enable duplicated address detection Step Command Remarks 1 Enter system view system view N A 2 Enable duplicate address detection dhcp client dad enable By default the duplicate address detection feature is enabled on an interface Setting the...

Page 94: ...ptor field contains the following parts subnet mask length and destination network address both in hexadecimal notation In this example the destination descriptor is 18 14 01 01 the subnet mask length is 24 and the network address is 20 1 1 0 in dotted decimal notation The next hop address is 0A 01 01 02 10 1 1 2 in dotted decimal notation Figure 33 Option 121 format Figure 34 Network diagram Conf...

Page 95: ...tate BOUND Allocated IP 10 1 1 3 255 255 255 0 Allocated lease 864000 seconds T1 331858 seconds T2 756000 seconds Lease from May 21 19 00 29 2012 to May 31 19 00 29 2012 DHCP server 10 1 1 1 Transaction ID 0xcde72232 Classless static route Destination 20 1 1 0 Mask 255 255 255 0 NextHop 10 1 1 2 DNS server 20 1 1 1 Client ID type acsii type value 00 Client ID value 000c 29d3 8659 GE2 0 1 Client ID...

Page 96: ...0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 127 255 255 255 32 Direct 0 0 127 0 0 1 InLoop0 224 0 0 0 4 Direct 0 0 0 0 0 0 NULL0 224 0 0 0 24 Direct 0 0 0 0 0 0 NULL0 255 255 255 255 32 Direct 0 0 127 0 0 1 InLoop0 ...

Page 97: ...eceived from trusted ports and DHCP REQUEST messages to create DHCP snooping entries A DHCP snooping entry includes the MAC and IP addresses of a client the port that connects to the DHCP client and the VLAN The following features need to use DHCP snooping entries ARP fast reply Uses DHCP snooping entries to reduce ARP broadcast traffic For more information see Configuring ARP fast reply ARP detec...

Page 98: ... shown in Figure 36 configure each DHCP snooping device s ports connected to other DHCP snooping devices as trusted ports To save system resources you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries Figure 36 Trusted and untrusted ports in a cascaded network DHCP snooping Switch A DHCP snooping Switch C DHCP client Host D DHCP c...

Page 99: ...ccording to the configured padding format padding content and code type No Option 82 N A Forwards the message after adding the Option 82 padded according to the configured padding format padding content and code type Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers MSR1002 4 1003 8S MSR2003 MSR2004 24 2004 48 MSR3012 3024 3044 3064...

Page 100: ...ystem view quit N A 6 Enter interface view interface interface type interface number This interface must connect to the DHCP client 7 Optional Enable recording of DHCP snooping entries dhcp snooping binding record By default after DHCP snooping is enabled recording of DHCP snooping entries is disabled Configuring Option 82 Follow these guidelines when you configure Option 82 The Option 82 configur...

Page 101: ...tion dhcp snooping information circuit id vlan vlan id string circuit id normal verbose node identifier mac sysname user defined node identifier format ascii hex By default the padding mode is normal and the padding format is hex for the Circuit ID sub option 6 Optional Configure the padding mode and padding format for the Remote ID sub option dhcp snooping information remote id normal format asci...

Page 102: ...n attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses The DHCP server might also fail to work because of exhaustion of system resources For information about the fields o...

Page 103: ...s considered as valid and forwarded to the DHCP server If they are different the message is considered as a forged message and is discarded If no matching entry is found the message is considered valid and forwarded to the DHCP server To enable DHCP REQUEST check Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable D...

Page 104: ... display dhcp snooping trust Display information about the file that stores DHCP snooping entries display dhcp snooping binding database Clear DHCP snooping entries reset dhcp snooping binding all ip ip address vlan vlan id Clear DHCP packet statistics on the DHCP snooping device centralized devices in standalone mode reset dhcp snooping packet statistics Clear DHCP packet statistics on the DHCP s...

Page 105: ...dress and other configuration parameters only from the authorized DHCP server Details not shown Display the DHCP snooping entry recorded for the client RouterB display dhcp snooping binding Option 82 configuration example Network requirements As shown in Figure 38 enable DHCP snooping and configure Option 82 on Router B as follows Configure the handling strategy for DHCP requests that contain Opti...

Page 106: ...nformation circuit id string company001 RouterB GigabitEthernet2 0 2 dhcp snooping information remote id string device001 RouterB GigabitEthernet2 0 2 quit Configure Option 82 on GigabitEthernet 2 0 3 RouterB interface gigabitethernet 2 0 3 RouterB GigabitEthernet2 0 3 dhcp snooping information enable RouterB GigabitEthernet2 0 3 dhcp snooping information strategy replace RouterB GigabitEthernet2 ...

Page 107: ...ently DHCP is more suitable Because a DHCP server can interact with a BOOTP client you can use the DHCP server to assign an IP address to the BOOTP client You do not need to configure a BOOTP server Obtaining an IP address dynamically A BOOTP client dynamically obtains an IP address from a BOOTP server as follows 1 The BOOTP client broadcasts a BOOTP request which contains its own MAC address 2 Up...

Page 108: ...et 2 0 1 of Router B connects to the LAN to obtain an IP address from the DHCP server by using BOOTP To make the BOOTP client obtain an IP address from the DHCP server perform configuration on the DHCP server For more information see DHCP server configuration examples Configuration procedure The following describes the configuration on Router B which acts as a client Configure GigabitEthernet 2 0 ...

Page 109: ...e Dynamic domain name resolution Resolution process 1 A user program sends a name query to the resolver of the DNS client 2 The DNS resolver looks up the local domain name cache for a match If the resolver finds a match it sends the corresponding IP address back If not it sends a query to the DNS server 3 The DNS server looks up the corresponding IP address of the domain name in its DNS database I...

Page 110: ...rforming the query operation If no match is found for any host name and suffix combination the resolver uses the user entered domain name for example aabbcc for the IP address query If the user enters a domain name with a dot among the letters for example www aabbcc the resolver directly uses this domain name for the query operation If the query fails the resolver adds a DNS suffix for another que...

Page 111: ... device acts as a DNS proxy and is specified as a DNS server on the hosts After the dial up connection is established the device dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism Figure 41 DNS spoofing application The DNS proxy does not have the DNS server address or cannot reach the DNS server after startup A host accesses the HTTP server in the follow...

Page 112: ...guring the DNS proxy Optional Configuring DNS spoofing Optional Configuring network mode tracking for an output interface Optional Specifying the source interface for DNS packets Optional Configuring the DNS trusted interface Optional Setting the DSCP value for outgoing DNS packets Configuring the IPv4 DNS client Configuring static domain name resolution Static domain name resolution allows applic...

Page 113: ... server IPv4 addresses for the public network or each VPN You can specify DNS server IPv6 addresses as follows Specify DNS server IPv6 addresses for the public network and up to 1024 VPNs Specify a maximum of six DNS server IPv6 addresses for the public network or each VPN An IPv4 name query is first sent to the DNS server IPv4 addresses If no reply is received it is sent to the DNS server IPv6 ad...

Page 114: ...ion you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution A DNS suffix manually configured takes precedence over the one dynamically obtained through DHCP and a DNS suffix configured earlier takes precedence The DNS resolver first uses the suffix that has the highest priority If the name resolution fails the DNS resolver uses the suffix that h...

Page 115: ...orwards the request to IPv4 DNS servers To configure the DNS proxy Step Command Remarks 1 Enter system view system view N A 2 Enable DNS proxy dns proxy enable By default DNS proxy is disabled 3 Specify a DNS server Specify a DNS server IPv4 address dns server ip address vpn instance vpn instance name Specify a DNS server IPv6 address ipv6 dns server ipv6 address interface type interface number vp...

Page 116: ...dress used to spoof DNS requests Specify an IPv4 address dns spoofing ip address vpn instance vpn instance name Specify an IPv6 address ipv6 dns spoofing ipv6 address vpn instance vpn instance name By default no IP address is specified for spoofing You can specify both an IPv4 address and an IPv6 address As a best practice specify a private IP address on the device 4 Configure the device to track ...

Page 117: ...ep Command Remarks 1 Enter system view system view N A 2 Specify the DNS trusted interface dns trust interface interface type interface number By default no DNS trusted interface is specified You can configure up to 128 DNS trusted interfaces Setting the DSCP value for outgoing DNS packets The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority o...

Page 118: ...the domain name host com to access the host whose IP address is 10 1 1 2 Figure 42 Network diagram Configuration procedure Configure a mapping between host name host com and IP address 10 1 1 2 Sysname system view Sysname ip host host com 10 1 1 2 Use the ping host com command to verify that the device can use static domain name resolution to resolve domain name host com into IP address 10 1 1 2 S...

Page 119: ...tion procedure Before performing the following configuration make sure that The device and the host can reach each other The IP addresses of the interfaces are configured as shown in Figure 43 1 Configure the DNS server The configuration might vary by DNS server The following configuration is performed on a PC running Windows Server 2000 a Select Start Programs Administrative Tools DNS The DNS ser...

Page 120: ...appears enter host name host and IP address 3 1 1 1 e Click Add Host The mapping between the IP address and host name is created Figure 46 Adding a mapping between domain name and IP address 2 Configure the DNS client Specify the DNS server 2 1 1 2 ...

Page 121: ...ved 0 0 packet loss round trip min avg max std dev 1 000 1 200 2 000 0 400 ms The output shows that the communication between the device and the host is normal and that the translated destination IP address is 3 1 1 1 DNS proxy configuration example Network requirements When the IP address of the DNS server changes you must configure the new IPv6 address of the DNS server on each device on the LAN...

Page 122: ...ing host com 3 1 1 1 56 data bytes press CTRL_C to break 56 bytes from 3 1 1 1 icmp_seq 0 ttl 255 time 1 000 ms 56 bytes from 3 1 1 1 icmp_seq 1 ttl 255 time 1 000 ms 56 bytes from 3 1 1 1 icmp_seq 2 ttl 255 time 1 000 ms 56 bytes from 3 1 1 1 icmp_seq 3 ttl 255 time 1 000 ms 56 bytes from 3 1 1 1 icmp_seq 4 ttl 255 time 2 000 ms Ping statistics for host com 5 packet s transmitted 5 packet s recei...

Page 123: ...cmp_seq 4 hlim 128 time 0 000 ms Ping6 statistics for host com 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min avg max std dev 0 000 0 600 1 000 0 490 ms Dynamic domain name resolution configuration example Network requirements As shown in Figure 49 the DNS server at 2 2 64 has a com domain The server stores the mapping between domain name host and IPv6 address 1 1 64 Con...

Page 124: ...o it can process IPv6 DNS packets and its interfaces can forward IPv6 packets a Select Start Programs Administrative Tools DNS The DNS server configuration page appears as shown in Figure 50 b Right click Forward Lookup Zones select New Zone and then follow the wizard to create a new zone named com Figure 50 Creating a zone c On the DNS server configuration page right click zone com and select Oth...

Page 125: ...111 Figure 51 Creating a record d On the page that appears select IPv6 Host AAAA as the resource record type ...

Page 126: ...112 Figure 52 Selecting the resource record type e Type host name host and IPv6 address 1 1 f Click OK The mapping between the IPv6 address and host name is created ...

Page 127: ... CTRL_C to break 56 bytes from 1 1 icmp_seq 0 hlim 128 time 1 000 ms 56 bytes from 1 1 icmp_seq 1 hlim 128 time 0 000 ms 56 bytes from 1 1 icmp_seq 2 hlim 128 time 1 000 ms 56 bytes from 1 1 icmp_seq 3 hlim 128 time 1 000 ms 56 bytes from 1 1 icmp_seq 4 hlim 128 time 0 000 ms Ping6 statistics for host 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min avg max std dev 0 000 0...

Page 128: ...am Configuration procedure Before performing the following configuration make sure that Device A the DNS server and the host are reachable to each other The IP addresses of the interfaces are configured as shown in Figure 54 1 Configure the DNS server This configuration might vary by DNS server When a PC running Windows Server 2003 acts as the DNS server see Dynamic domain name resolution configur...

Page 129: ... specified domain name is in the cache 2 If the specified domain name does not exist check that the DNS client can communicate with the DNS server 3 If the specified domain name is in the cache but the IP address is incorrect check that the DNS client has the correct IP address of the DNS server 4 Verify that the mapping between the domain name and IP address is correct on the DNS server Troublesh...

Page 130: ...using the server s domain name When its IP address changes the application layer server runs as a DDNS client It sends a request to the DDNS server for updating the mapping between its domain name and its IP address DDNS server Informs the DNS server of latest mappings When receiving the mapping update request from a DDNS client the DDNS server tells the DNS server to re map the domain name and th...

Page 131: ...html host h dnsto a TZO http cgi tzo com webclient signedon html TZOName h IPAddress a EASYDNS http members easydns com dyn ez ipupdate php action edit myip a host_id h HEIPV6TB http dyn dns he net nic update hostname h myip a CHANGE IP http nic changeip com nic update hostname h offline 1 NO IP http dynupdate no ip com nic update hostname h myip a DHS http members dhs org nic hosts domain dyn dhs...

Page 132: ... address is the primary IP address of the interface to which the DDNS policy is applied TIP The FQDN is the only identification of a node in the network An FQDN consists of a local host name and a parent domain name and can be translated into an IP address Configuration prerequisites Visit the website of a DDNS service provider register an account and apply for a domain name for the DDNS client Wh...

Page 133: ...omain name of the DDNS server into the IPv4 address For more information see Configuring the IPv4 DNS client To apply the DDNS policy to an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Apply the DDNS policy to the interface to update the mapping between the specified FQDN and the primary IP address of the ...

Page 134: ...ress through DHCP Through DDNS service provided by www 3322 org the router informs the DNS server of the latest mapping between its domain name and IP address The router uses the DNS server to translate www 3322 org into its IP address Figure 56 Network diagram Configuration procedure Before configuring DDNS on the router perform the following tasks Register with username steven and password nevet...

Page 135: ...uter GigabitEthernet2 0 1 ddns apply policy 3322 org fqdn whatever 3322 org After the configuration is completed the router notifies the DNS server of its new domain name to IP address mapping through the DDNS server provided by www 3322 org whenever its IP address changes Therefore the router can always provide Web service at whatever 3322 org DDNS configuration example with PeanutHull server Net...

Page 136: ...date request interval to 12 minutes Router ddns policy oray cn interval 0 0 12 Router ddns policy oray cn quit Specify the IP address of the DNS server as 1 1 1 1 Router dns server 1 1 1 1 Apply the DDNS policy to GigabitEthernet 2 0 1 to enable DDNS update The mapping between whatever gicp cn and the primary IP address of GigabitEthernet 2 0 1 will be dynamically updated Router interface gigabite...

Page 137: ...AT hides the private network from the external users and shows that the IP address of the internal host is 20 1 1 1 Terminology The following describes NAT terminologies NAT device A device configured with NAT NAT interface An interface enabled with NAT NAT entry Stores the mapping between a private address and a public address For more information see NAT entries Easy IP Uses the IP address of an...

Page 138: ...s to access internal servers through NAT NAT control You can use ACLs to implement NAT control The match criteria in the ACLs include the source IP address source port number destination IP address destination port number transport layer protocol and VPN instance Only packets permitted by an ACL are processed by NAT Command and hardware compatibility Commands and descriptions for centralized devic...

Page 139: ... Independent Mapping Uses the same IP and port mapping EIM entry for packets from the same source IP and port to any destination EIM allows external hosts to initiate connections to the translated IP addresses and ports of internal hosts It allows internal hosts behind different NAT gateways to access each other Address and Port Dependent Mapping Uses different IP and port mappings for packets fro...

Page 140: ...ps a public IPv4 address and a port block to the IPv6 address of the B4 element The DS Lite host or hosts behind the B4 router use the mapped public IPv4 address and port block to access the public IPv4 network DS Lite NAT444 supports user tracing for DS Lite hosts based on the port block Figure 61 DS Lite NAT444 NAT entries NAT session entry NAT creates a NAT session entry for a session and creat...

Page 141: ...out after all related NAT session entries age out Using NAT with other features VRF aware NAT The following matrix shows the feature and hardware compatibility Hardware VRF aware NAT compatibility MSR954 JH296A JH297A JH298A JH299A No MSR1002 4 1003 8S Yes MSR2003 Yes MSR2004 24 2004 48 Yes MSR3012 3024 3044 3064 Yes MSR4060 4080 Yes VRF aware NAT allows users from different VRF VPN instances to a...

Page 142: ...e into the private IP address of the Web server 5 The internal host receives the DNS response and obtains the private IP address of the Web server DNS mapping can also be used by DNS ALG The DNS reply from the external DNS server contains only the domain name and public IP address of the internal server in the payload The NAT interface might have multiple internal servers configured with the same ...

Page 143: ...ted The match criteria include the source IP address source port number destination IP address destination port number transport layer protocol and VPN instance For more information about ACLs see ACL and QoS Configuration Guide Manually add a route for inbound static NAT Use local ip or local network as the destination address and use global ip an address in global network or the next hop directl...

Page 144: ... net static NAT Step Command Remarks 1 Enter system view system view N A 2 Configure a net to net mapping for outbound static NAT nat static outbound net to net local start address local end address vpn instance local name global global network mask length mask vpn instance global name acl acl number name acl name reversible By default no mappings exist If you specify an ACL NAT processes only pac...

Page 145: ...ange When the destination IP address of a packet from the private network matches the private address range the destination IP address is translated into a public address in the public address range To configure inbound net to net static NAT Step Command Remarks 1 Enter system view system view N A 2 Configure a net to net mapping for inbound static NAT nat static inbound net to net global start ad...

Page 146: ...te both IP addresses and port numbers Configuring outbound dynamic NAT To translate private IP addresses into public IP addresses configure outbound dynamic NAT on the interface connected to the external network The source IP addresses of the outgoing packets that match the ACL permit rule are translated into IP addresses in the address group The reversible keyword enables the device to perform th...

Page 147: ...keyword enables the device to automatically add a route destined for the private address when an inbound dynamic NAT rule is matched The output interface is the NAT interface and the next hop is the source address before translation If you do not specify this keyword you must manually add the route As a best practice create a route manually because it takes time to automatically add routes The rev...

Page 148: ...work or a VPN instance The NAT Server feature supports VRF aware NAT for external users to access the servers in a VPN instance For example to enable a host at 10 110 1 1 in VPN 1 to provide Web services for Internet users configure NAT Server to use 202 110 10 20 as the public IP address of the Web server If you specify the acl keyword for the common NAT Server or load sharing NAT Server configur...

Page 149: ...ve public addresses with a single public port nat server protocol pro type global global address1 global address2 global port vpn instance global name inside local address local port1 local port2 vpn instance local name acl acl number name acl name By default no NAT Server mapping exists You can configure multiple NAT Server mappings on an interface Configuring load sharing NAT Server You can add ...

Page 150: ...face interface type interface number N A 3 Configure ACL based NAT Server nat server global global acl number name global acl name inside local address local port vpn instance local name By default no ACL based NAT Server mapping exists You can configure multiple NAT Server mappings on an interface Configuring DS Lite NAT444 DS Lite NAT444 is configured on the AFTR s interface connected to the ext...

Page 151: ...interface interface type interface number ip global ip port global port By default no DNS mapping for NAT exists You can configure multiple DNS mappings for NAT Configuring NAT hairpin Configure NAT hairpin on the interface connected to the internal network NAT hairpin supports P2P mode and C S mode To configure the P2P mode you must configure outbound PAT on the interface connected to the externa...

Page 152: ...on including translation information and access information A NAT device generates NAT session logs for the following events NAT session establishment NAT session removal This event occurs when you add a configuration with a higher priority remove a configuration change ACLs when a NAT session ages out or when you manually delete a NAT session Active NAT session logging To enable NAT session loggi...

Page 153: ...nfiguration display nat server Display internal server group configuration display nat server group group number Display sessions that have been NATed centralized devices in standalone mode display nat session source ip source ip destination ip destination ip vpn instance vpn name verbose Display sessions that have been NATed distributed devices in standalone mode centralized devices in IRF mode d...

Page 154: ...8 24 to access the Internet Figure 63 Network diagram Configuration procedure Specify IP addresses for the interfaces on the router Details not shown Configure a one to one static NAT mapping between the private address 10 110 10 8 and the public address 202 38 1 100 Router system view Router nat static outbound 10 110 10 8 202 38 1 100 Enable static NAT on GigabitEthernet 2 0 2 Router interface g...

Page 155: ... 1 111 42496 Destination IP port 202 38 1 100 0 DS Lite tunnel peer VPN instance VLAN ID VLL ID Protocol ICMP 1 Inbound interface GigabitEthernet2 0 2 State ICMP_REPLY Application INVALID Start time 2012 08 16 09 30 49 TTL 27s Initiator Responder 5 packets 420 bytes Responder Initiator 5 packets 420 bytes Total sessions found 1 Outbound dynamic NAT configuration example non overlapping addresses N...

Page 156: ... dynamic PAT on interface GigabitEthernet 2 0 2 The source IP addresses of the packets permitted by the ACL rule is translated into the addresses in address group 0 Router interface gigabitethernet 2 0 2 Router GigabitEthernet2 0 2 nat outbound 2000 address group 0 Router GigabitEthernet2 0 2 quit Verifying the configuration Verify that Host A can access the WWW server while Host B cannot Details ...

Page 157: ...LS Enabled MGCP Enabled NBT Enabled PPTP Enabled RSH Enabled RTSP Enabled SCCP Enabled SIP Enabled SQLNET Enabled TFTP Enabled XDMCP Enabled Display NAT session information generated when Host A accesses the WWW server Router display nat session verbose Initiator Source IP port 192 168 1 10 52992 Destination IP port 200 1 1 10 2048 DS Lite tunnel peer VPN instance VLAN ID VLL ID Protocol ICMP 1 In...

Page 158: ...must perform the following tasks Configure inbound dynamic NAT with ALG to make sure the internal host reaches the Web server instead of another internal host NAT with ALG can translate the Web server s IP address in the DNS reply payload to a dynamically assigned public address Configure outbound dynamic NAT to translate the source IP address of packets from an internal host to a dynamically assi...

Page 159: ...roup 2 Router GigabitEthernet2 0 2 nat outbound 2000 address group 2 Router GigabitEthernet2 0 2 quit Configure a static route to 202 38 1 2 with GigabitEthernet 2 0 2 as the output interface and 20 2 2 2 as the next hop The next hop address varies by network Router ip route static 202 38 1 2 32 gigabitethernet 2 0 2 20 2 2 2 Verifying the configuration Verify that Host A can access the Web server...

Page 160: ...ehavior Mapping mode Address and Port Dependent ACL Config status Active NAT ALG DNS Enabled FTP Enabled H323 Enabled ICMP ERROR Enabled ILS Enabled MGCP Enabled NBT Enabled PPTP Enabled RSH Enabled RTSP Enabled SCCP Enabled SIP Enabled SQLNET Enabled TFTP Enabled XDMCP Enabled Display NAT session information generated when Host A accesses the Web server Router display nat session verbose Initiato...

Page 161: ...ernal network address is 10 110 0 0 16 The company has three public IP addresses from 202 38 1 1 24 to 202 38 1 3 24 Configure the NAT Server feature to allow the external user to access the internal servers with public address 202 38 1 1 24 Figure 66 Network diagram Configuration procedure Specify IP addresses for the interfaces on the router Details not shown Enter interface view of GigabitEther...

Page 162: ...using the public addresses Details not shown Display all NAT configuration and statistics Router display nat all NAT internal server information Totally 4 internal servers Interface GigabitEthernet2 0 2 Protocol 6 TCP Global IP port 202 38 1 1 21 Local IP port 10 110 10 3 21 Config status Active Global flow table status Active Local flow table status Active Interface GigabitEthernet2 0 2 Protocol ...

Page 163: ...nabled PPTP Enabled RSH Enabled RTSP Enabled SCCP Enabled SIP Enabled SQLNET Enabled TFTP Enabled XDMCP Enabled Display NAT session information generated when Host accesses the FTP server Router display nat session verbose Initiator Source IP port 202 38 1 10 1694 Destination IP port 202 38 1 1 21 DS Lite tunnel peer VPN instance VLAN ID VLL ID Protocol TCP 6 Inbound interface GigabitEthernet2 0 2...

Page 164: ...ure 67 Network diagram Requirements analysis To meet the network requirements you must perform the following tasks Configure NAT Server to map the private IP address and port of the DNS server to a public address and port NAT Server allows the external host to access the internal DNS server for domain name resolution Enable ALG for DNS and configure outbound dynamic NAT to translate the private IP...

Page 165: ...GigabitEthernet2 0 2 quit Verifying the configuration Verify that the host on the external network can access the internal Web server by using the server s domain name Details not shown Display all NAT configuration and statistics Router display nat all NAT address group information Totally 1 NAT address groups Address group 1 Port range 1 65535 Address information Start address End address 202 38...

Page 166: ...NAT session information generated when Host accesses Web server Router display nat session verbose Initiator Source IP port 202 1 1 2 1694 Destination IP port 202 38 1 3 8080 DS Lite tunnel peer VPN instance VLAN ID VLL ID Protocol TCP 6 Inbound interface GigabitEthernet2 0 2 Responder Source IP port 10 110 10 2 8080 Destination IP port 202 1 1 2 1694 DS Lite tunnel peer VPN instance VLAN ID VLL I...

Page 167: ...s and port NAT Server allows the external host to access the internal DNS server for domain name resolution Configure outbound dynamic NAT and enable ALG for DNS The Web server s IP address is the same as the external host s IP address NAT with ALG can translate the Web server s private address in the payload of the DNS response packet to a dynamically assigned public address Configure inbound dyn...

Page 168: ...ible NAT Router GigabitEthernet2 0 2 nat outbound 2000 address group 1 no pat reversible Enable inbound PAT on interface GigabitEthernet 2 0 2 to translate the source address of packets going to the internal network to the address in address group 2 Router GigabitEthernet2 0 2 nat inbound 2000 address group 2 Router GigabitEthernet2 0 2 quit Configure a static route to 202 38 1 3 with GigabitEther...

Page 169: ...erver information Totally 1 internal servers Interface GigabitEthernet2 0 2 Protocol 17 UDP Global IP port 202 38 1 4 53 Local IP port 200 1 1 3 53 Config status Active Global flow table status Active Local flow table status Active NAT logging Log enable Disabled Flow begin Disabled Flow end Disabled Flow active Disabled Port block assign Disabled Port block withdraw Disabled Alarm Disabled NAT ma...

Page 170: ...tunnel peer VPN instance VLAN ID VLL ID Protocol TCP 6 Inbound interface GigabitEthernet2 0 1 State TCP_ESTABLISHED Application HTTP Start time 2012 08 15 14 53 29 TTL 3597s Initiator Responder 7 packets 308 bytes Responder Initiator 5 packets 312 bytes Total sessions found 1 NAT hairpin in C S mode configuration example Network requirements As shown in Figure 69 the internal FTP server at 192 168...

Page 171: ... 1 0 0 0 0 255 Router acl ipv4 basic 2000 quit Configure NAT Server on interface GigabitEthernet 2 0 2 to map the IP address of the FTP server to a public address allowing external users to access the internal FTP server Router interface gigabitethernet 2 0 2 Router GigabitEthernet2 0 2 nat server protocol tcp global 202 38 1 2 inside 192 168 1 4 ftp Enable outbound NAT with Easy IP on interface G...

Page 172: ... 1 2 21 Local IP port 192 168 1 4 21 Config status Active Global flow table status Active Local flow table status Active NAT logging Log enable Disabled Flow begin Disabled Flow end Disabled Flow active Disabled Port block assign Disabled Port block withdraw Disabled Alarm Disabled NAT hairpinning Totally 1 interfaces enabled with NAT hairpinning Interface GigabitEthernet2 0 1 Config status Active...

Page 173: ...ESTABLISHED Application HTTP Start time 2012 08 15 14 53 29 TTL 3597s Initiator Responder 7 packets 308 bytes Responder Initiator 5 packets 312 bytes Total sessions found 1 NAT hairpin in P2P mode configuration example Network requirements In the P2P application internal clients must register their IP address to the external server and the server records the registered IP addresses and port number...

Page 174: ... 1 0 0 0 0 255 Router acl ipv4 basic 2000 quit Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 2 0 2 The IP address of GigabitEthernet 2 0 2 is used as the public address for the source address translation of the packets from internal to external Router interface gigabitethernet 2 0 2 Router GigabitEthernet2 0 2 nat outbound 2000 Router GigabitEthernet2 0 2 quit Configure ...

Page 175: ...Alarm Disabled NAT hairpinning Totally 1 interfaces enabled with NAT hairpinning Interface GigabitEthernet2 0 1 Config status Active NAT mapping behavior Mapping mode Endpoint Independent ACL 2000 Config status Active NAT ALG DNS Enabled FTP Enabled H323 Enabled ICMP ERROR Enabled ILS Enabled MGCP Enabled NBT Enabled PPTP Enabled RSH Enabled RTSP Enabled SCCP Enabled SIP Enabled SQLNET Enabled TFT...

Page 176: ...n access each other Figure 71 Network diagram Requirements analysis This is a typical application of twice NAT Both the source and destination addresses of packets between the two VPNs need to be translated Configure static NAT on both interfaces connected to the VPNs on the NAT device Configuration procedure Specify VPN instances and IP addresses for the interfaces on the router Details not shown...

Page 177: ...ppings IP to IP Local IP 192 168 1 2 Global IP 172 16 1 2 Local VPN vpn1 Global VPN vpn2 Config status Active Global flow table status Active Local flow table status Active IP to IP Local IP 192 168 1 2 Global IP 172 16 2 2 Local VPN vpn2 Global VPN vpn1 Config status Active Global flow table status Active Local flow table status Active Interfaces enabled with static NAT Totally 2 interfaces enabl...

Page 178: ...session verbose Initiator Source IP port 192 168 1 2 42496 Destination IP port 172 16 2 2 2048 DS Lite tunnel peer VPN instance VLAN ID VLL ID vpn1 Protocol ICMP 1 Inbound interface GigabitEthernet2 0 1 Responder Source IP port 192 168 1 2 42496 Destination IP port 172 16 1 2 0 DS Lite tunnel peer VPN instance VLAN ID VLL ID vpn2 Protocol ICMP 1 Inbound interface GigabitEthernet2 0 2 State ICMP_RE...

Page 179: ...21 Router nat server group 0 inside ip 10 110 10 2 port 21 Router nat server group 0 inside ip 10 110 10 3 port 21 Router nat server group 0 quit Associate NAT Server group 0 with GigabitEthernet 2 0 2 so that servers in the server group can provide FTP services Router interface gigabitethernet 2 0 2 Router GigabitEthernet2 0 2 nat server protocol tcp global 202 38 1 1 ftp inside server group 0 Ro...

Page 180: ...abled Port block assign Disabled Port block withdraw Disabled Alarm Disabled NAT mapping behavior Mapping mode Address and Port Dependent ACL Config status Active NAT ALG DNS Enabled FTP Enabled H323 Enabled ICMP ERROR Enabled ILS Enabled MGCP Enabled NBT Enabled PPTP Enabled RSH Enabled RTSP Enabled SCCP Enabled SIP Enabled SQLNET Enabled TFTP Enabled XDMCP Enabled Display NAT session information...

Page 181: ...e public addresses 202 38 1 1 through 202 38 1 3 The DNS server at 202 38 1 4 is on the external network Configure NAT so that The public IP address 202 38 1 2 is used by external users to access the Web and FTP servers External users can use the public address or domain name of internal servers to access them Internal users can access the internal servers by using their domain names Figure 73 Net...

Page 182: ...igure two DNS mapping entries by mapping the domain name www server com of the Web server to 202 38 1 2 and ftp server com of the FTP server to 202 38 1 2 Router nat dns map domain www server com protocol tcp ip 202 38 1 2 port http Router nat dns map domain ftp server com protocol tcp ip 202 38 1 2 port ftp Router quit Verifying the configuration Verify that both internal and external hosts can a...

Page 183: ...ve Domain name www server com Global IP 202 38 1 2 Global port 80 Protocol TCP 6 Config status Active NAT logging Log enable Disabled Flow begin Disabled Flow end Disabled Flow active Disabled Port block assign Disabled Port block withdraw Disabled Alarm Disabled NAT mapping behavior Mapping mode Address and Port Dependent ACL Config status Active NAT ALG DNS Enabled FTP Enabled H323 Enabled ICMP ...

Page 184: ...face gigabitethernet 2 0 2 Router GigabitEthernet2 0 2 ipv6 address 2 2 64 Router GigabitEthernet2 0 2 quit Create a tunnel interface on the AFTR Router interface tunnel 2 mode ds lite aftr Specify an IP address for the tunnel interface Router Tunnel2 ip address 30 1 2 2 255 255 255 0 Specify GigabitEthernet 2 0 2 as the source interface for the tunnel Router Tunnel2 source gigabitethernet 2 0 2 R...

Page 185: ...he IPv4 application server C ping 20 1 1 2 Pinging 20 1 1 2 with 32 bytes of data Reply from 20 1 1 2 bytes 32 time 51ms TTL 255 Reply from 20 1 1 2 bytes 32 time 44ms TTL 255 Reply from 20 1 1 2 bytes 32 time 1ms TTL 255 Reply from 20 1 1 2 bytes 32 time 1ms TTL 255 Ping statistics for 20 1 1 2 Packets Sent 4 Received 4 Lost 0 0 loss Approximate round trip times in milli seconds Minimum 1ms Maxim...

Page 186: ...hat a NAT444 mapping has been created for the DS Lite host Router display nat port block dynamic ds lite b4 Local VPN DS Lite B4 addr Global IP Port block Connections 1 1 20 1 1 11 1024 1323 1 Total entries found 1 ...

Page 187: ...e D Dynamic S Static R Relay F FRR Destination Mask Nexthop Flag OutInterface Token Label 10 2 0 0 16 10 2 1 1 U GE2 0 1 Null 10 2 1 1 32 127 0 0 1 UH InLoop0 Null 127 0 0 0 8 127 0 0 1 U InLoop0 Null 127 0 0 1 32 127 0 0 1 UH InLoop0 Null A FIB entry includes the following items Destination Destination IP address Mask Network mask The mask and the destination address identify the destination netw...

Page 188: ...174 Displaying FIB table entries Execute display commands in any view Task Command Display FIB entries display fib topology topo name vpn instance vpn instance name ip address mask mask length ...

Page 189: ...es You can configure the device to identify a flow based on the following criteria source IP address destination IP address source port number destination port number and IP protocol number In a complex network when these criteria cannot distinguish flows you can use the algorithm keyword to specify an algorithm to identify flows for load sharing To configure per flow load sharing Step Command Rem...

Page 190: ...rotocol LISP implement load sharing based on the ratios defined by these protocols To configure load sharing based on bandwidth Step Command Remarks 1 Enter system view system view N A 2 Enable IPv4 load sharing based on bandwidth bandwidth based sharing By default the IPv4 load sharing based on bandwidth is disabled 3 Enter interface view interface interface type interface number N A 4 Configure ...

Page 191: ...s for distributed devices apply to MSR4060 and MSR4080 routers Configuring the aging time for fast forwarding entries The fast forwarding table uses an aging timer for each forwarding entry If an entry is not updated before the timer expires the device deletes the entry If an entry has a hit within the aging time the aging timer restarts To configure the aging time for fast forwarding entries Step...

Page 192: ...tries about fragmented packets centralized devices in standalone mode display ip fast forwarding fragcache ip address Display fast forwarding entries about fragmented packets distributed devices in standalone mode centralized devices in IRF mode display ip fast forwarding fragcache ip address slot slot number Display fast forwarding entries for fragmented packets distributed devices in IRF mode di...

Page 193: ...rwards packets in sequence to different CPUs even though they are the same flow This policy does not ensure packet order Feature and hardware compatibility Hardware Flow classification compatibility MSR954 JH296A JH297A JH298A JH299A No MSR1002 4 1003 8S No MSR2003 No MSR2004 24 2004 48 No MSR3012 3024 3044 3064 Yes MSR4060 4080 Yes Specifying a flow classification policy IMPORTANT If a service re...

Page 194: ...table shows the items in an adjacency table output Item Description IP address IP address of the next hop in FIB table This address is used for adjacency table lookup IPv6 address IPv6 address of the next hop in FIB table This address is used for adjacency table lookup Routing interface Output interface in the matching route entry This interface is used for adjacency table lookup and it can be log...

Page 195: ...ace number routing interface interface type interface number slot slot number count verbose Display IPv4 adjacency table information distributed devices in IRF mode display adjacent table all physical interface interface type interface number routing interface interface type interface number chassis chassis number slot slot number count verbose Display IPv6 adjacency table information centralized ...

Page 196: ...When a host attached to the subnet starts up the host multicasts an RS message to request immediate advertisements If the host does not receive any advertisements it retransmits the RS several times If the host does not discover the IP addresses of neighboring routers because of network problems the host can still discover them from periodic RAs IRDP allows hosts to discover neighboring routers bu...

Page 197: ...sages Configuration procedure To configure IRDP Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number The interface can be a Layer 3 Ethernet interface or VLAN interface 3 Enable IRDP on the interface ip irdp By default IRDP is disabled After IRDP is enabled on an interface the IRDP configuration takes effect and the device sends ...

Page 198: ...etwork Router A and Router B act as the egress routers and connect to external networks 192 168 1 0 24 and 192 168 2 0 24 respectively Configure Router A as the default gateway for the hosts Packets to the external networks can be correctly routed Figure 75 Network diagram Configuration procedure 1 Configure Router A Specify an IP address for GigabitEthernet 2 0 1 RouterA system view RouterA inter...

Page 199: ...proxy advertise RouterB GigabitEthernet2 0 1 ip irdp address 192 168 2 0 400 Verifying the configuration Display the routing table for Host A HostA localhost netstat rne Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10 154 5 0 0 0 0 0 255 255 255 0 U 0 0 0 eth1 192 168 1 0 0 0 0 0 255 255 255 0 U 0 0 0 eth1 192 168 2 0 0 0 0 0 255 255 255 0 U 0 0 0 eth1 0 0 0 0 10 ...

Page 200: ...d directed broadcasts destined for the directly connected network hackers can exploit this vulnerability to attack the target network In some scenarios however an interface must receive and send such directed broadcast packets to support UDP helper and Wake on LAN This task enables an interface to accept directed broadcast packets that are destined for and received from the directly connected netw...

Page 201: ...4 RouterA GigabitEthernet2 0 1 quit RouterA interface gigabitethernet 2 0 2 RouterA GigabitEthernet2 0 2 ip address 2 2 2 2 24 Enable GigabitEthernet 2 0 2 to forward directed broadcasts destined for the directly connected network RouterA GigabitEthernet2 0 2 ip forward broadcast 2 Configure Router B Configure a static route to the host RouterB system view RouterB ip route static 1 1 1 1 24 2 2 2 ...

Page 202: ...its MSS during TCP connection establishment If the size of a TCP segment is smaller than the MSS of the receiver TCP sends the TCP segment without fragmentation If not it fragments the segment according to the receiver s MSS If you configure a TCP MSS on an interface the size of each TCP segment received or sent on the interface cannot exceed the MSS value This configuration takes effect only for ...

Page 203: ...TU discovery all new TCP connections will detect the path MTU The device uses the path MTU to calculate the MSS to avoid IP fragmentation The path MTU uses the following aging mechanism to make sure the source device can increase the path MTU when the minimum link MTU on the path increases When the TCP source device receives an ICMP error message it reduces the path MTU and starts an aging timer f...

Page 204: ...he connection FIN wait timer TCP starts the FIN wait timer when the state changes to FIN_WAIT_2 If no FIN packet is received within the timer interval TCP terminates the connection If a FIN packet is received TCP changes the connection state to TIME_WAIT If a non FIN packet is received TCP restarts the timer and tears down the connection when the timer expires To configure TCP timers Step Command ...

Page 205: ...any route No default route exists in the routing table The device sends the source an ICMP protocol unreachable message when the following conditions are met The packet is destined for the device The transport layer protocol of the packet is not supported by the device NOTE If a DHCP enabled device receives an ICMP echo reply without sending any ICMP echo requests the device does not send any ICMP...

Page 206: ... A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached A token is removed from the bucket when an ICMP error message is sent When the bucket is empty ICMP error messages are not sent until a new token is placed in the bucket To configure rate limit for ICMP error messages Step Command Remarks 1 Enter system view system view N A 2 Set th...

Page 207: ...any view and reset commands in user view Task Command Display brief information about RawIP connections centralized devices in standalone mode display rawip Display brief information about RawIP connections distributed devices in standalone mode centralized devices in IRF mode display rawip slot slot number Display brief information about RawIP connections distributed devices in IRF mode display r...

Page 208: ... slot slot number Display detailed information about UDP connections centralized devices in standalone mode display udp verbose pcb pcb index Display detailed information about UDP connections distributed devices in standalone mode centralized devices in IRF mode display udp verbose slot slot number pcb pcb index Display detailed information about UDP connections distributed devices in IRF mode di...

Page 209: ...play icmp statistics chassis chassis number slot slot number Clear IP packet statistics centralized devices in standalone mode reset ip statistics Clear IP packet statistics distributed devices in standalone mode centralized devices in IRF mode reset ip statistics slot slot number Clear IP packet statistics distributed devices in IRF mode reset ip statistics chassis chassis number slot slot number...

Page 210: ...broadcasts destined for the directly connected network To use UDP helper execute the ip forward broadcast command For more information about receiving directed broadcasts destined for the directly connected network see Optimizing IP performance Do not set UDP ports 67 and 68 for UDP helper because UDP helper cannot forward DHCP broadcast packets You can specify a maximum of 256 UDP ports for UDP h...

Page 211: ...tination servers UDP helper creates one copy for each server Use this command on the interface that receives broadcast packets Configuring UDP helper to convert broadcast to multicast You can configure UDP helper to convert broadcast packets with specific UDP port numbers to multicast packets Upon receiving a UDP broadcast packet UDP helper uses the configured UDP ports to match the UDP destinatio...

Page 212: ...s in the matched mapping Then UDP helper forwards the packet to its destination If no match is found UDP helper does not process the packet If the packet s destination port number does not match the configured UDP ports UDP helper does not process the packet To configure UDP helper to convert multicast to broadcast or unicast Step Command Remarks 1 Enter system view system view N A 2 Enable UDP he...

Page 213: ...A to forward broadcast packets with UDP destination port 55 to the destination server 10 2 1 1 16 Figure 77 Network diagram Configuration procedure Make sure Router A can reach the subnet 10 2 0 0 16 Enable UDP helper RouterA system view RouterA udp helper enable Enable UDP helper to forward broadcast packets with the UDP destination port 55 RouterA udp helper port 55 Specify the destination serve...

Page 214: ...kets with the UDP destination port 55 RouterA udp helper port 55 Configure UDP helper to convert broadcast packets to multicast packets destined for 225 1 1 1 on GigabitEthernet 2 0 1 RouterA interface gigabitethernet 2 0 1 RouterA GigabitEthernet2 0 1 ip address 10 110 1 1 16 RouterA GigabitEthernet2 0 1 udp helper broadcast map 225 1 1 1 RouterA GigabitEthernet2 0 1 quit Enable IP multicast rout...

Page 215: ...s on 10 110 0 0 16 The multicast packets have the following details UDP destination port number 55 Destination IP address 225 1 1 1 Figure 79 Network diagram Configuration procedure Make sure Router A can reach the subnet 10 2 0 0 16 Enable UDP helper RouterA system view RouterA udp helper enable Enable UDP helper to forward multicast packets with the UDP destination port 55 RouterA udp helper por...

Page 216: ...sic IPv6 packet header size is only twice the size of the option less IPv4 packet header Figure 80 IPv4 packet header format and basic IPv6 packet header format Larger address space IPv6 can provide 3 4 x 1038 addresses to meet the requirements of hierarchical address assignment for both public and private networks Hierarchical address structure IPv6 uses a hierarchical address structure to speed ...

Page 217: ...ddresses IPv6 address formats An IPv6 address is represented as a set of 16 bit hexadecimals separated by colons An IPv6 address is divided into eight groups and each 16 bit group is represented by four hexadecimal numbers for example 2001 0000 130F 0000 0000 09C0 876A 130B To simplify the representation of IPv6 addresses you can handle zeros in IPv6 addresses by using the following methods The le...

Page 218: ...Global unicast addresses Equivalent to public IPv4 addresses global unicast addresses are provided for Internet service providers This type of address allows for prefix aggregation to restrict the number of global routing entries Link local addresses Used for communication among link local nodes for neighbor discovery and stateless autoconfiguration Packets with link local source or destination ad...

Page 219: ...he interface identifier have the same local or global significance as the MAC address Figure 81 Converting a MAC address into an EUI 64 address based interface identifier On a tunnel interface The lower 32 bits of the EUI 64 address based interface identifier are the source IPv4 address of the tunnel interface The higher 32 bits of the EUI 64 address based interface identifier of an ISATAP tunnel ...

Page 220: ... NS message body contains the link layer address of Host A and the target IPv6 address 2 After receiving the NS message Host B determines whether the target address of the packet is its IPv6 address If it is Host B learns the link layer address of Host A and then unicasts an NA message containing its link layer address 3 Host A acquires the link layer address of Host B from the NA message Neighbor...

Page 221: ...prefix and the preferred lifetime and valid lifetime of the address prefix A node updates the preferred lifetime and valid lifetime upon receiving a periodic RA message The generated IPv6 address is valid within the valid lifetime and becomes invalid when the valid lifetime expires After the preferred lifetime expires the node cannot use the generated IPv6 address to establish new connections but ...

Page 222: ...ion between IPv4 and IPv6 networks The following IPv6 transition technologies can be used for different applications Dual stack RFC 2893 Tunneling RFC 2893 NAT PT RFC 2766 IPv6 on the provider edge routers 6PE Dual stack Dual stack is the most direct transition approach A network node that supports both IPv4 and IPv6 is a dual stack node A dual stack node configured with an IPv4 address and an IPv...

Page 223: ...cient solution When an ISP wants to utilize the existing IPv4 MPLS network to provide IPv6 traffic switching it only needs to upgrade the PE routers In addition the operation risk of 6PE is very low For more information about 6PE see Layer 3 IP Routing Configuration Guide Protocols and standards Protocols and standards related to IPv6 include RFC 1881 IPv6 Address Allocation Management RFC 1887 An...

Page 224: ... ND entries in stale state Minimizing link local ND entries Setting the hop limit Configuring parameters for RA messages Configuring the maximum number of attempts to send an NS message for DAD Enabling ND proxy Configuring IPv6 ND suppression Configuring IPv6 ND direct route advertisement Optional Configuring path MTU discovery Configuring the interface MTU Configuring a static path MTU for an IP...

Page 225: ...face the manually configured one takes effect However it does not overwrite the automatically generated address If you remove the manually configured global unicast address the device uses the automatically generated one EUI 64 IPv6 address To configure an interface to generate an EUI 64 IPv6 address Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interfac...

Page 226: ...lly use the temporary IPv6 address as the source address of sent packets When the valid lifetime of the temporary IPv6 address expires the interface removes the address and generates a new one This function enables the system to send packets with different source addresses through the same interface If the temporary IPv6 address cannot be used because of a DAD conflict the public IPv6 address is u...

Page 227: ...void link local address conflicts use the automatic generation method Manual assignment takes precedence over automatic generation If you first use automatic generation and then manual assignment the manually assigned link local address overwrites the automatically generated one If you first use manual assignment and then automatic generation both of the following occur The automatically generated...

Page 228: ...an IPv6 anycast address Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure an IPv6 anycast address ipv6 address ipv6 address prefix length ipv6 address prefix length anycast By default no IPv6 anycast address is configured on an interface Configuring IPv6 ND This section describes how to configure IPv6 ND Config...

Page 229: ...aximum number of dynamic neighbors that an interface can learn To set the maximum number of dynamic neighbor entries Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Set the maximum number of dynamic neighbor entries that the interface can learn ipv6 neighbors max learning num number The default setting for different de...

Page 230: ...Remarks 1 Enter system view system view N A 2 Set the Hop Limit field in the IP header ipv6 hop limit value The default setting is 64 Configuring parameters for RA messages You can enable an interface to send RA messages and configure the interval for sending RA messages and parameters in RA messages After receiving an RA message a host can use these parameters to perform corresponding operations ...

Page 231: ...or equal to the router lifetime in RA messages In this way the router can be updated by an RA message before expiration The values of the NS retransmission timer and the reachable time configured for an interface are sent in RA messages to hosts This interface sends NS messages at the interval of the NS retransmission timer and considers a neighbor reachable within the reachable time Enabling send...

Page 232: ...ime value By default the router lifetime is 1800 seconds 9 Set the NS retransmission timer ipv6 nd ns retrans timer value By default an interface sends NS messages every 1000 milliseconds and the value of the Retrans Timer field in RA messages is 0 10 Set the router preference in RA messages ipv6 nd router preference high low medium By default the router preference is medium 11 Set the reachable t...

Page 233: ...st A s IPv6 address is on the same subnet as Host B s Host A directly sends an NS message to obtain Host B s MAC address However Host B cannot receive the NS message because they belong to different broadcast domains To solve this problem enable common ND proxy on GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 of the router The router replies to the NS message from Host A and forwards packets fro...

Page 234: ...e number N A 3 Enable common ND proxy proxy nd enable By default common ND proxy is disabled To enable local ND proxy Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable local ND proxy local proxy nd enable By default local ND proxy is disabled Configuring IPv6 ND suppression The ND suppression feature enables a dev...

Page 235: ...ppression function is disabled 5 Quit cross connect view quit N A 6 Quit cross connect group view quit N A 7 Enable the suppression push function and set a push interval ipv6 nd suppression push interval interval By default the ND suppression push function is disabled Configuring IPv6 ND direct route advertisement The ND direct route advertisement feature advertises host routes instead of advertis...

Page 236: ...e advertisement is disabled Configuring path MTU discovery Configuring the interface MTU IPv6 routers do not support packet fragmentation If the size of a packet exceeds the MTU of the output interface the router discards the packet and sends a packet too big message to the source host The source host fragments the packet according to the MTU To avoid this situation configure a proper interface MT...

Page 237: ...he destination host based on the path MTU Starts the aging timer When the aging timer expires the device removes the dynamic path MTU and finds the path MTU again To configure the aging time for dynamic path MTUs Step Command Remarks 1 Enter system view system view N A 2 Configure the aging time for dynamic path MTUs ipv6 pathmtu age age time The default setting is 10 minutes The aging time is inv...

Page 238: ...le messages ICMPv6 No Route to Destination message A packet to be forwarded does not match any route ICMPv6 Communication with Destination Administratively Prohibited message An administrative prohibition is preventing successful communication with the destination This is typically caused by a firewall or an ACL on the device ICMPv6 Beyond Scope of Source Address message The destination is beyond ...

Page 239: ...ng conditions are met The interface receiving the packet is the interface forwarding the packet The selected route is not created or modified by any ICMPv6 redirect messages The selected route is not a default route The forwarded packet does not contain the routing extension header The ICMPv6 redirect function simplifies host management by enabling hosts that hold few routes to optimize their rout...

Page 240: ...ble By default IPv6 local fragment reassembly is disabled This function applies only to fragments received by the same LPU Configuring IPv6 load sharing based on bandwidth This feature shares IPv6 traffic among multiple output interfaces based on their expected load percentages The device calculates the load percentage for each output interface in terms of the interface expected bandwidth For devi...

Page 241: ...t number interface interface type interface number vlan vlan id verbose Display neighbor information distributed devices in IRF mode display ipv6 neighbors ipv6 address all dynamic static chassis chassis number slot slot number interface interface type interface number vlan vlan id verbose Display the total number of neighbor entries centralized devices in standalone mode display ipv6 neighbors al...

Page 242: ...n IRF mode display ipv6 tcp slot slot number Display brief information about IPv6 TCP connections distributed devices in IRF mode display ipv6 tcp chassis chassis number slot slot number Display brief information about IPv6 TCP proxy centralized devices in standalone mode display ipv6 tcp proxy Display brief information about IPv6 TCP proxy distributed devices in standalone mode centralized device...

Page 243: ...play IPv6 UDP traffic statistics distributed devices in standalone mode centralized devices in IRF mode display udp statistics slot slot number Display IPv6 UDP traffic statistics distributed devices in IRF mode display udp statistics chassis chassis number slot slot number Clear ND suppression entries centralized devices in standalone mode reset ipv6 nd suppression xconnect group name group name ...

Page 244: ...stem view RouterA interface gigabitethernet 2 0 1 RouterA GigabitEthernet2 0 1 ipv6 address 3001 1 64 RouterA GigabitEthernet2 0 1 quit Configure a global unicast address for interface GigabitEthernet 2 0 2 and enable it to advertise RA messages an interface does not advertises RA messages by default RouterA interface gigabitethernet 2 0 2 RouterA GigabitEthernet2 0 2 ipv6 address 2001 1 64 Router...

Page 245: ...Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 2 Global unicast address es 3001 1 subnet is 3001 64 Joined group address es FF02 1 FF02 2 FF02 1 FF00 1 FF02 1 FF00 2 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv...

Page 246: ...rval is 1000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 600 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics InReceives 272 InTooShorts 0 InTruncatedPkts 0 InHopLimitExceeds 0 InBadHeaders 0 InBadOptions 0 ReasmReqds ...

Page 247: ...s 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics InReceives 117 InTooShorts 0 InTruncatedPkts 0 InHopLimitExceeds 0 InBadHeaders 0 InBadOptions 0 ReasmReqds 0 ReasmOKs 0 InFragDrops 0 InFragTimeouts 0 OutFragFails 0 InUnknownProtos 0 InDelivers 117 OutRequests 83 OutForwDatagrams 0 InNoRoutes 0 InTooBigErrors 0 Out...

Page 248: ...ure 91 the base station Router A and Router B are in an MPLS L2VPN The base station can reach the L3VE interface L3VE1 of Router B Enable IPv6 ND suppression on Router A to directly answer ND packets for Router B Figure 91 Network diagram Configuration procedure 1 Configure IPv6 addresses for the interfaces as shown in Figure 91 Make sure the base station can reach the L3VE interface of Router B D...

Page 249: ...ils not shown a Clear ND suppression entries on the base station b Ping L3VE interface VE L3VPN 1 of Router B from the base station Troubleshooting IPv6 basics configuration Symptom An IPv6 address cannot be pinged Solution 1 Use the display ipv6 interface command in any view to verify that the IPv6 address of the output interface is correct and the interface is up 2 Use the debugging ipv6 packet ...

Page 250: ...licit message that contains a Rapid Commit option to prefer rapid assignment 2 If the DHCPv6 server supports rapid assignment it responds with a Reply message containing the assigned IPv6 address prefix and other configuration parameters If the DHCPv6 server does not support rapid assignment Assignment involving four messages is performed Figure 92 Rapid assignment involving two messages Assignmen...

Page 251: ...eters are assigned to the client Figure 93 Assignment involving four messages Address prefix lease renewal An IPv6 address prefix assigned by a DHCPv6 server has a valid lifetime After the valid lifetime expires the DHCPv6 client cannot use the IPv6 address prefix To use the IPv6 address prefix the DHCPv6 client must renew the lease time Figure 94 Using the Renew message for address prefix lease r...

Page 252: ...set to 1 For more information about stateless address autoconfiguration see Configuring basic IPv6 settings Figure 96 Stateless DHCPv6 operation As shown in Figure 96 stateless DHCPv6 operates in the following steps 1 The DHCPv6 client sends an Information request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents The Information request message contains an Option Reque...

Page 253: ...239 RFC 3633 IPv6 Prefix Options for Dynamic Host Configuration Protocol DHCP version 6 ...

Page 254: ...lude the following types Temporary IPv6 addresses Frequently changed without lease renewal Non temporary IPv6 addresses Correctly used by DHCP clients with lease renewal Figure 97 IPv6 address assignment IPv6 prefix assignment As shown in Figure 98 the DHCPv6 server assigns an IPv6 prefix to the DHCPv6 client The client advertises the prefix information in a multicast RA message so that hosts on t...

Page 255: ...device supports the hardware type of Ethernet with the value of 0x0001 Link layer address Takes the value of the bridge MAC address of the device IA Identified by an IAID an identity association IA provides a construct through which a client manages the obtained addresses prefixes and other configuration parameters A client can have multiple IAs for example one for each of its interfaces IAID An I...

Page 256: ...ciples when selecting an IPv6 address or prefix for a client 1 If there is an address pool where an IPv6 address is statically bound to the DUID or IAID of the client the DHCPv6 server selects this address pool It assigns the statically bound IPv6 address or prefix and other configuration parameters to the client 2 If the receiving interface has an address pool applied the DHCP server selects an I...

Page 257: ... DHCPv6 logging on the DHCPv6 server Configuring IPv6 prefix assignment Use the following methods to configure IPv6 prefix assignment Configure a static IPv6 prefix binding in an address pool If you bind a DUID and an IAID to an IPv6 prefix the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client If you only bind a DUID...

Page 258: ...efix assignment or both Configure a static prefix binding static bind prefix prefix prefix len duid duid iaid iaid preferred lifetime preferred lifetime valid lifetime valid lifetime Apply the prefix pool to the address pool prefix pool prefix pool number preferred lifetime preferred lifetime valid lifetime valid lifetime By default static or dynamic prefix assignment is not configured for an addr...

Page 259: ...etimes the settings do not affect existing leases The IPv6 addresses assigned after the modification will use the new lifetimes Configuration procedure To configure IPv6 address assignment Step Command Remarks 1 Enter system view system view N A 2 Optional Specify the IPv6 addresses excluded from dynamic assignment ipv6 dhcp server forbidden address start ipv6 address end ipv6 address vpn instance...

Page 260: ...igure network parameters in a DHCPv6 option group and reference the option group in a DHCPv6 address pool Network parameters configured in a DHCPv6 address pool take precedence over those configured in a DHCPv6 option group Configuring network parameters in a DHCPv6 address pool Step Command Remarks 1 Enter system view system view N A 2 Create a DHCPv6 address pool and enter its view ipv6 dhcp poo...

Page 261: ...DHCPv6 option option code hex hex string By default no self defined DHCPv6 option is configured Configuring the DHCPv6 server on an interface Enable the DHCP server and configure one of the following address prefix assignment methods on an interface Apply an address pool on the interface The DHCPv6 server selects an IPv6 address prefix from the applied address pool for a requesting client If there...

Page 262: ...DSCP value for DHCPv6 packets sent by the DHCPv6 server The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server Step Command Remarks 1 Enter system view system view N A 2 Set the DSCP value for DHCPv6 packets sent by the DHCPv6 server ipv6 dhcp dscp dscp value By def...

Page 263: ...ile is not updated 5 Optional Terminate the download of DHCPv6 bindings from the backup file ipv6 dhcp server database update stop N A Advertising subnets assigned to clients This feature enables the route management module to advertise subnets assigned to DHCPv6 clients This feature achieves symmetric routing for traffic of the same host As shown in Figure 100 Router A and Router B act as both th...

Page 264: ...from the client The VPN information from authentication modules takes priority over the VPN information of the receiving interface To apply a DHCPv6 address pool to a VPN instance Step Command Remarks 1 Enter system view system view N A 2 Create an address pool and enter its view ipv6 dhcp pool pool name By default no DHCPv6 address pool exists 3 Apply the address pool to a VPN instance vpn instan...

Page 265: ...dhcp server expired address ipv6 address vpn instance vpn instance name pool pool name Display information about IPv6 address bindings display ipv6 dhcp server ip in use address ipv6 address vpn instance vpn instance name pool pool name Display information about IPv6 prefix bindings display ipv6 dhcp server pd in use pool pool name prefix prefix prefix len vpn instance vpn instance name Display pa...

Page 266: ...terface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 ipv6 address 1 1 64 Disable RA message suppression on GigabitEthernet 2 0 1 Router GigabitEthernet2 0 1 undo ipv6 nd ra halt Set the M flag to 1 in RA advertisements to be sent on GigabitEthernet 2 0 1 Hosts that receive the advertisements will obtain IPv6 addresses through DHCPv6 Router GigabitEthernet2 0 1 ipv6 nd autoconfig managed addre...

Page 267: ...Enable the DHCPv6 server on interface GigabitEthernet 2 0 1 enable desired prefix assignment and rapid prefix assignment and set the preference to the highest Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 ipv6 dhcp select server Router GigabitEthernet2 0 1 ipv6 dhcp server allow hint preference 255 rapid commit Verifying the configuration Display the DHCPv6 server configuratio...

Page 268: ... Lease expiration 2001 410 201 48 Static C Jul 10 19 45 01 2009 2001 410 48 Auto C Jul 10 20 44 05 2009 Dynamic IPv6 address assignment configuration example Network requirements As shown in Figure 102 Router A acts as a DHCPv6 server to assign IPv6 addresses to the clients on subnets 1 1 0 0 0 96 and 1 2 0 0 0 96 On Router A configure the IPv6 address 1 1 0 0 1 96 for GigabitEthernet 2 0 1 and 1 ...

Page 269: ... advertisements will obtain IPv6 addresses through DHCPv6 RouterA GigabitEthernet2 0 2 ipv6 nd autoconfig managed address flag Set the O flag to 1 in RA advertisements to be sent on GigabitEthernet 2 0 2 Hosts that receive the advertisements will obtain information other than IPv6 address through DHCPv6 RouterA GigabitEthernet2 0 2 ipv6 nd autoconfig other flag RouterA GigabitEthernet2 0 2 quit 2 ...

Page 270: ...hcp6 pool 2 dns server 1 2 0 0 2 RouterA dhcp6 pool 2 quit Verifying the configuration Verify that clients on subnets 1 1 0 0 0 96 and 1 2 0 0 0 96 can obtain IPv6 addresses and all other configuration parameters from the DHCPv6 server Router A Details not shown On the DHCPv6 server display IPv6 addresses assigned to the clients RouterA display ipv6 dhcp server ip in use ...

Page 271: ...pid Commit option to the multicast address FF02 1 2 of all the DHCPv6 servers and relay agents After receiving the Solicit message the DHCPv6 relay agent encapsulates the message into the Relay Message option of a Relay forward message and sends the message to the DHCPv6 server After obtaining the Solicit message from the Relay forward message the DHCPv6 server performs the following tasks Selects...

Page 272: ...rks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable DHCPv6 relay agent on the interface ipv6 dhcp select relay By default the DHCPv6 relay agent is disabled on the interface Do not enable the DHCPv6 relay agent and DHCPv6 client on the same interface Specifying DHCPv6 servers on the relay agent You can use the ipv6 dhcp relay server...

Page 273: ...P value for DHCPv6 packets sent by the DHCPv6 relay agent Step Command Remarks 1 Enter system view system view N A 2 Set the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent ipv6 dhcp dscp dscp value The default DSCP value is 56 Specifying a padding mode for the Interface ID option This function enables the relay agent to fill the Interface ID option in the specified mode When receivin...

Page 274: ...mand is the same for creating DHCPv6 address pools on a DHCPv6 server However the relay address pool name is not necessarily the same as the server address pool name 3 Specify gateway addresses for the clients matching the relay address pool gateway list ipv6 address 1 8 By default no gateway address is specified You can specify a maximum of eight gateway addresses but only the first one takes eff...

Page 275: ...face type interface number Display packet statistics on the DHCPv6 relay agent display ipv6 dhcp relay statistics interface interface type interface number Clear packets statistics on the DHCPv6 relay agent reset ipv6 dhcp relay statistics interface interface type interface number DHCPv6 relay agent configuration example Network requirements As shown in Figure 105 configure the DHCPv6 relay agent ...

Page 276: ...ernet 2 0 1 Hosts that receive the RA messages will obtain information other than IPv6 address through DHCPv6 RouterA GigabitEthernet2 0 1 ipv6 nd autoconfig other flag Enable the DHCPv6 relay agent on GigabitEthernet 2 0 1 and specify the DHCPv6 server on the relay agent RouterA GigabitEthernet2 0 1 ipv6 dhcp select relay RouterA GigabitEthernet2 0 1 ipv6 dhcp relay server address 2 2 Verifying t...

Page 277: ...263 Relay forward 7 Relay reply 0 ...

Page 278: ...ow these restrictions and guidelines The DHCPv6 client configuration is supported only on Layer 3 Ethernet interfaces Layer 3 Ethernet subinterfaces Layer 3 aggregate interfaces Layer 3 aggregate subinterfaces and VLAN interfaces Do not configure the DHCPv6 client on the same interface as the DHCPv6 server or the DHCPv6 relay agent DHCPv6 client configuration task list Tasks at a glance Required P...

Page 279: ...refix prefix number option group option group number rapid commit By default the interface does not use DHCPv6 for IPv6 address and prefix acquisition Configuring stateless DHCPv6 Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure the interface to support stateless DHCPv6 Enable stateless IPv6 address autoconfig...

Page 280: ...Clear the DHCPv6 client statistics reset ipv6 dhcp client statistics interface interface type interface number DHCPv6 client configuration examples IPv6 address acquisition configuration example Network requirements As shown in Figure 106 configure GigabitEthernet 2 0 1 of the router to use DHCPv6 to obtain configuration parameters from the DHCPv6 server The parameters include IPv6 address DNS ser...

Page 281: ...expire on Mar 27 2014 at 15 35 55 196 seconds left DNS server addresses 2000 FF Domain name example com SIP server addresses 2 2 4 SIP server domain names bbb com Verify that the client has created a dynamic DHCPv6 option group for saving configuration parameters Router GigabitEthernet2 0 1 display ipv6 dhcp option group 1 DHCPv6 option group 1 DNS server addresses Type Dynamic DHCPv6 address allo...

Page 282: ...address for GigabitEthernet 2 0 1 that connects to the DHCPv6 server Router system view Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 ipv6 address 1 2 48 Configure GigabitEthernet 2 0 1 to support DHCPv6 rapid prefix assignment Enable the DHCPv6 client to assign an ID to the obtained IPv6 prefix and create a dynamic DHCPv6 option group for saving configuration parameters Route...

Page 283: ...ption group 1 DHCPv6 option group 1 DNS server addresses Type Dynamic DHCPv6 prefix allocation Interface GigabitEthernet2 0 1 2000 FF Domain name Type Dynamic DHCPv6 prefix allocation Interface GigabitEthernet2 0 1 example com SIP server addresses Type Dynamic DHCPv6 prefix allocation Interface GigabitEthernet2 0 1 2 2 4 SIP server domain names Type Dynamic DHCPv6 prefix allocation Interface Gigab...

Page 284: ...ful prefix 1 rapid commit option group 1 Router GigabitEthernet2 0 1 quit Verifying the configuration Display DHCPv6 client information The output shows that the DHCPv6 client has obtained an IPv6 address an IPv6 prefix and other configuration parameters from the DHCPv6 server Router display ipv6 dhcp client GigabitEthernet2 0 1 Type Stateful client requesting address and prefix State OPEN Client ...

Page 285: ...ient has created a dynamic DHCPv6 option group for saving configuration parameters Router display ipv6 dhcp option group 1 DHCPv6 option group 1 DNS server addresses Type Dynamic DHCPv6 address and prefix allocation Interface GigabitEthernet2 0 1 2000 FF Domain name Type Dynamic DHCPv6 address and prefix allocation Interface GigabitEthernet2 0 1 example com SIP server addresses Type Dynamic DHCPv6...

Page 286: ...ss autoconfiguration on GigabitEthernet 2 0 1 RouterA system view RouterA interface gigabitethernet 2 0 1 RouterA GigabitEthernet2 0 1 ipv6 address auto With stateless IPv6 address autoconfiguration enabled but no IPv6 address configured for GigabitEthernet 2 0 1 Router A generates a link local address It sends an RS message to Router B to request configuration information for IPv6 address generat...

Page 287: ...cs RouterA GigabitEthernet2 0 1 display ipv6 dhcp client statistics Interface GigabitEthernet2 0 1 Packets received 1 Reply 1 Advertise 0 Reconfigure 0 Invalid 0 Packets sent 5 Solicit 0 Request 0 Renew 0 Rebind 0 Information request 5 Release 0 Decline 0 ...

Page 288: ...ard DHCPv6 messages correctly to make sure the clients get IPv6 addresses from authorized DHCPv6 servers Untrusted An untrusted port discards received messages sent by DHCPv6 servers to prevent unauthorized servers from assigning IPv6 addresses DHCPv6 snooping reads DHCP ACK messages received from trusted ports and DHCP REQUEST messages to create DHCPv6 snooping entries A DHCPv6 snooping entry inc...

Page 289: ...routers Implementation of Option 18 and Option 37 Option 18 for DHCPv6 snooping Option 18 also called the interface ID option is used by the DHCPv6 relay agent to determine the interface to use to forward RELAY REPLY message The DHCPv6 snooping device adds Option 18 to the received DHCPv6 request message before forwarding it to the DHCPv6 server The server then assigns IP address to the client bas...

Page 290: ...ved DHCPv6 request message before forwarding it to the DHCPv6 server This option provides client information about address allocation Figure 112 Option 37 format Figure 112 shows the Option 37 format which includes the following fields Option code Option code Option length Size of the option data Enterprise number Enterprise number Port index Port that receives the DHCPv6 request from the client V...

Page 291: ...tep Command Remarks 1 Enter system view system view N A 2 Enable DHCPv6 snooping ipv6 dhcp snooping enable By default DHCPv6 snooping is disabled 3 Enter interface view interface interface type interface number This interface must connect to the DHCPv6 server 4 Specify the port as a trusted port ipv6 dhcp snooping trust By default all ports are untrusted ports after DHCPv6 snooping is enabled 5 Re...

Page 292: ...snooping enable command the device deletes all DHCPv6 snooping entries including those stored in the backup file To configure DHCPv6 snooping entry auto backup Step Command Remarks 1 Enter system view system view N A 2 Configure the DHCPv6 snooping device to back up DHCPv6 snooping entries to a file ipv6 dhcp snooping binding database filename filename url url username username password cipher sim...

Page 293: ...he IP addresses Attackers can also forge DHCPv6 DECLINE or DHCPv6 RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses The DHCPv6 REQUEST check function enables the DHCPv6 snooping device to check every received DHCPv6 RENEW DHCPv6 DECLINE or DHCPv6 RELEASE message against DHCPv6 snooping entries If any criterion in an entry is matched the device comp...

Page 294: ...CPv6 snooping distributed devices in IRF mode display ipv6 dhcp snooping packet statistics chassis chassis number slot slot number Clear DHCPv6 snooping entries reset ipv6 dhcp snooping binding all address ipv6 address vlan vlan id Clear DHCPv6 packet statistics for DHCPv6 snooping centralized devices in standalone mode reset ipv6 dhcp snooping packet statistics Clear DHCPv6 packet statistics for ...

Page 295: ...nable recording of client information in DHCPv6 snooping entries RouterB interface gigabitethernet 2 0 2 RouterB GigabitEthernet2 0 2 ipv6 dhcp snooping binding record RouterB GigabitEthernet2 0 2 quit Verifying the configuration Verify that the DHCPv6 client obtains an IPv6 address and all other configuration parameters only from the authorized DHCPv6 server Details not shown Display DHCPv6 snoop...

Page 296: ...d descriptions for centralized devices apply to the following routers MSR1002 4 1003 8S MSR2003 MSR2004 24 2004 48 MSR3012 3024 3044 3064 MSR954 JH296A JH297A JH298A JH299A Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers Configuring the aging time for IPv6 fast forwarding entries The IPv6 fast forwarding table uses an aging timer for each forwarding entry If ...

Page 297: ...ask Command Display IPv6 fast forwarding entries centralized devices in standalone mode display ipv6 fast forwarding cache ipv6 address Display IPv6 fast forwarding entries distributed devices in standalone mode centralized devices in IRF mode display ipv6 fast forwarding cache ipv6 address slot slot number Display IPv6 fast forwarding entries distributed devices in IRF mode display ipv6 fast forw...

Page 298: ...nt refers to IPv6 over IPv4 IPv4 over IPv4 IPv4 over IPv6 and IPv6 over IPv6 tunnels IPv6 over IPv4 tunneling Implementation IPv6 over IPv4 tunneling enables isolated IPv6 networks to communicate as shown in Figure 114 NOTE The devices at both ends of an IPv6 over IPv4 tunnel must support the IPv4 IPv6 dual stack Figure 114 IPv6 over IPv4 tunnel The IPv6 over IPv4 tunnel processes packets by using...

Page 299: ...de Destination IPv6 address format Manually configured tunnel IPv6 over IPv4 manual tunneling Ordinary IPv6 address Automatic tunnel Automatic IPv4 compatible IPv6 tunneling IPv4 compatible IPv6 address The address format is 0 0 0 0 0 0 a b c d 96 where a b c d is the IPv4 address of the tunnel destination NOTE The tunnel source also uses an IPv4 compatible IPv6 address 6to4 tunneling 6to4 address...

Page 300: ...ay router is a gateway that forwards packets from a 6to4 network to an IPv6 network As shown in Figure 115 6to4 network Site 1 communicates with IPv6 network Site 3 over a 6to4 tunnel Configure a static route on the border router Device A in the 6to4 network The next hop address must be the 6to4 address of the 6to4 relay router Device C Device A forwards all packets destined for the IPv6 network o...

Page 301: ...stination IP address specifies the tunnel destination d The IP protocol stack uses the destination IP address of the new IP header to look up the routing table and then sends the packet out De encapsulation a After receiving the packet Device B delivers it to the IP protocol stack b If the protocol number is 4 indicating an IPv4 packet is encapsulated within the packet the IP protocol stack delive...

Page 302: ...mine the protocol type encapsulated in the data portion of the packet b If the protocol type is IPv4 the IPv6 protocol stack delivers the packet to the tunneling module c The tunneling module removes the IPv6 header and delivers the remaining IPv4 packet to the IPv4 protocol stack d The IPv4 protocol stack forwards the IPv4 packet Tunnel modes IPv4 over IPv6 manual tunnel A point to point link and...

Page 303: ...the subscriber s network Hosts that can act as the B4 router are referred to as DS Lite hosts Address Family Transition Router AFTR An AFTR resides in the ISP network and terminates the tunnel from the B4 router NAT is also implemented on the interface that connects the public IPv4 network An AFTR de encapsulates the tunneled packet translates the network address and routes the packet to the desti...

Page 304: ...orms the following operations Looks up the IPv6 address tunnel ID mapping to obtain the IP address of the B4 router Uses the address as the destination address of the encapsulated IPv6 packet Forwards the packet to the B4 router Figure 120 shows an example of PAT translation for dynamic NAT Typically dynamic NAT is used When you use static NAT for DS Lite tunneling make sure the IP addresses of pr...

Page 305: ...el interface adds an IPv6 header to it and submits it to the IPv6 protocol stack d The IPv6 protocol stack forwards the packet according to its destination IPv6 address De encapsulation a Upon receiving the IPv6 packet Device B delivers it to the IPv6 protocol stack b The IPv6 protocol stack checks the protocol type of the data portion encapsulated in the IPv6 packet If the encapsulation protocol ...

Page 306: ...080 routers Tunneling configuration task list Tasks at a glance Required Configuring a tunnel interface Perform one of the following tasks Configuring an IPv6 over IPv4 tunnel Configuring an IPv6 over IPv4 manual tunnel Configuring an automatic IPv4 compatible IPv6 tunnel Configuring a 6to4 tunnel Configuring an ISATAP tunnel Configuring an IPv4 over IPv4 tunnel Configuring an IPv4 over IPv6 tunne...

Page 307: ... slot number By default no primary traffic processing unit is specified 5 Optional Specify a primary traffic processing unit for the tunnel interface distributed devices in IRF mode service chassis chassis number slot slot number By default no primary traffic processing unit is specified 6 Optional Specify a backup traffic processing unit for the tunnel interface distributed devices in standalone ...

Page 308: ...s of the local tunnel interface are on the same subnet If they are not configure a route reaching the destination IPv6 network through the tunnel interface You can configure the route by using one of the following methods Configure a static route and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop Enable a dynamic ...

Page 309: ...onfigure an IPv6 over IPv4 tunnel between Router A and Router B so the two IPv6 networks can reach each other over the IPv4 network Because the tunnel destination IPv4 address cannot be automatically obtained from the destination IPv6 addresses configure an IPv6 over IPv4 manual tunnel Figure 122 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through I...

Page 310: ...2 64 Specify GigabitEthernet 2 0 2 as the source interface of the tunnel interface RouterB Tunnel0 source gigabitethernet 2 0 2 Specify the destination address for the tunnel interface as the IP address of GigabitEthernet 2 0 2 on Router A RouterB Tunnel0 destination 192 168 50 1 RouterB Tunnel0 quit Configure a static route destined for IPv6 network 1 through Tunnel 0 RouterB ipv6 route static 30...

Page 311: ...nnel interface 4 Configure a source address or source interface for the tunnel interface source ip address interface type interface number By default no source address or source interface is configured for the tunnel interface The specified source address or the primary IP address of the specified source interface is used as the source IP address of tunneled packets 5 Optional Set the DF bit for t...

Page 312: ...e gigabitethernet 2 0 1 Verifying the configuration Use the display ipv6 interface command to display tunnel interface status on Router A and Router B Verify that the interface tunnel 0 is up Details not shown Verify that Router B and Router A can ping the IPv4 compatible IPv6 address of each other The following shows the output on Router A RouterA Tunnel0 ping ipv6 192 168 50 1 Ping6 56 data byte...

Page 313: ...onfigured for the tunnel interface 4 Configure a source address or source interface for the tunnel interface source ip address interface type interface number By default no source address or source interface is configured for the tunnel interface The specified source address or the primary IP address of the specified source interface is used as the source IP address of tunneled packets 5 Optional ...

Page 314: ... interface tunnel 0 mode ipv6 ipv4 6to4 Specify an IPv6 address for the tunnel interface RouterA Tunnel0 ipv6 address 3001 1 64 Specify the source interface as GigabitEthernet 2 0 2 for the tunnel interface RouterA Tunnel0 source gigabitethernet 2 0 2 RouterA Tunnel0 quit Configure a static route destined for 2002 16 through the tunnel interface RouterA ipv6 route static 2002 16 tunnel 0 Configure...

Page 315: ...A is a 6to4 router and 6to4 addresses are used on the connected IPv6 network Router B acts as a 6to4 relay router and is connected to an IPv6 network 2001 16 Configure a 6to4 tunnel between Router A and Router B to make Host A and Host B reachable to each other The configuration on a 6to4 relay router is similar to that on a 6to4 router However to enable communication between the 6to4 network and ...

Page 316: ... RouterA ipv6 route static 0 2002 0601 0101 1 Configure Router B Specify an IPv4 address for GigabitEthernet 2 0 2 RouterB system view RouterB interface gigabitethernet 2 0 2 RouterB GigabitEthernet2 0 2 ip address 6 1 1 1 255 255 255 0 RouterB GigabitEthernet2 0 2 quit Specify an IPv6 address for GigabitEthernet 2 0 1 RouterB interface gigabitethernet 2 0 1 RouterB GigabitEthernet2 0 1 ipv6 addre...

Page 317: ...formation about route configuration see Layer 3 IP Routing Configuration Guide To configure an ISATAP tunnel Step Command Remarks 1 Enter system view system view N A 2 Enter ISATAP tunnel interface view interface tunnel number mode ipv6 ipv4 isatap N A 3 Specify an IPv6 address for the tunnel interface See Configuring basic IPv6 settings By default no IPv6 address is configured for the tunnel inte...

Page 318: ...er interface tunnel 0 mode ipv6 ipv4 isatap Specify an EUI 64 IPv6 address for the tunnel interface Router Tunnel0 ipv6 address 2001 64 eui 64 Specify GigabitEthernet 2 0 1 as the source interface of the tunnel interface Router Tunnel0 source gigabitethernet 2 0 1 Disable RA suppression so that the ISATAP host can acquire information such as the address prefix from the RA message advertised by the...

Page 319: ... 1 2 life 29d23h59m46s 6d23h59m46s public preferred link local fe80 5efe 1 1 1 2 life infinite link MTU 1500 true link MTU 65515 current hop limit 255 reachable time 42500ms base 30000ms retransmission interval 1000ms DAD transmits 0 default site prefix length 48 The host has obtained the prefix 2001 64 and has automatically generated the global unicast address 2001 5efe 1 1 1 2 The message uses R...

Page 320: ... next hop Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose For more information about route configuration see Layer 3 IP Routing Configuration Guide The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface To configure an IPv4 over IPv4 tunnel Step Command Rema...

Page 321: ...0 RouterA GigabitEthernet2 0 1 quit Specify an IPv4 address for Serial 2 1 0 which is the physical interface of the tunnel RouterA interface serial 2 1 0 RouterA Serial2 1 0 ip address 2 1 1 1 255 255 255 0 RouterA Serial2 1 0 quit Create the IPv4 over IPv4 tunnel interface Tunnel 1 RouterA interface tunnel 1 mode ipv4 ipv4 Specify an IPv4 address for the tunnel interface RouterA Tunnel1 ip addres...

Page 322: ... that Router A and Router B can ping the IPv4 address of the peer interface GigabitEthernet 2 0 1 The following shows the output on Router A RouterA ping a 10 1 1 1 10 1 3 1 Ping 10 1 3 1 10 1 3 1 from 10 1 1 1 56 data bytes press CTRL_C to break 56 bytes from 10 1 3 1 icmp_seq 0 ttl 255 time 2 000 ms 56 bytes from 10 1 3 1 icmp_seq 1 ttl 255 time 1 000 ms 56 bytes from 10 1 3 1 icmp_seq 2 ttl 255...

Page 323: ...address or interface is configured for the tunnel The specified source address or the primary IPv6 address of the specified source interface is used as the source IPv6 address of tunneled packets 5 Configure the destination address for the tunnel interface destination ipv6 address By default no destination address is configured for the tunnel The tunnel destination address must be the IPv6 address...

Page 324: ...ss for Serial 2 1 1 which is the physical interface of the tunnel RouterB interface serial 2 1 1 RouterB Serial2 1 1 ipv6 address 2002 2 1 64 RouterB Serial2 1 1 quit Create the IPv6 tunnel interface Tunnel 2 RouterB interface tunnel 2 mode ipv6 Specify an IPv4 address for the tunnel interface RouterB Tunnel2 ip address 30 1 2 2 255 255 255 0 Specify the IP address of Serial 2 1 1 as the source ad...

Page 325: ...sing one of the following methods Configure a static route and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose For more information about route configuration see Layer 3 IP Routing Configuration Guide Follow these guidelines whe...

Page 326: ...e this command the AFTR can tunnel IPv4 packets from the public IPv4 network to the B4 router Configuration example Network requirements As shown in Figure 129 configure a DS Lite tunnel between Router A and Router B and configure NAT on GigabitEthernet 2 0 1 on the AFTR so hosts in the private IPv4 network can access the public IPv4 network Figure 129 Network diagram Configuration procedure Make ...

Page 327: ...net2 0 2 quit Create the DS Lite tunnel interface Tunnel 2 RouterB interface tunnel 2 mode ds lite aftr Configure an IPv4 address for the tunnel interface RouterB Tunnel2 ip address 30 1 2 2 255 255 255 0 Specify GigabitEthernet 2 0 2 as the source interface of the tunnel interface RouterB Tunnel2 source gigabitethernet 2 0 2 RouterB Tunnel2 quit Enable DS Lite tunneling on GigabitEthernet 2 0 1 R...

Page 328: ...ify the IPv6 address of the peer tunnel interface as the next hop Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose For more information about route configuration see Layer 3 IP Routing Configuration Guide The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interfac...

Page 329: ...1 RouterA GigabitEthernet2 0 1 ipv6 address 2002 1 1 64 RouterA GigabitEthernet2 0 1 quit Specify an IPv6 address for Serial 2 1 0 which is the physical interface of the tunnel RouterA interface serial 2 1 0 RouterA Serial2 1 0 ipv6 address 2001 11 1 64 RouterA Serial2 1 0 quit Create the IPv6 tunnel interface Tunnel 1 RouterA interface tunnel 1 mode ipv6 Specify an IPv6 address for the tunnel int...

Page 330: ...B ipv6 route static 2002 1 64 tunnel 2 Verifying the configuration Use the display ipv6 interface command to display the status of the tunnel interfaces on Router A and Router B Verify that the tunnel interfaces are up Details not shown Verify that Router A and Router B can ping the IPv6 address of the peer interface GigabitEthernet 2 0 1 The following shows the output on Router A RouterA ping ipv...

Page 331: ...ers such as tunnel source address tunnel destination address and tunnel mode cannot come up Analysis The physical interface of the tunnel does not come up or the tunnel destination is unreachable Solution 1 To resolve the problem Use the display interface or display ipv6 interface command to verify that the physical interface of the tunnel is up If the physical interface is down check the network ...

Page 332: ...led the passenger protocol The passenger protocol can be any network layer protocol GRE header Header that is added to the payload packet to change the payload packet to a GRE packet A GRE header includes the number of encapsulations version passenger protocol type checksum and key GRE is called the encapsulation protocol Delivery header Header that is added to the GRE packet to deliver it to the ...

Page 333: ...ation is Device B itself and the protocol number in the IP header is 47 the protocol number for GRE Device B submits the packet to GRE for de encapsulation 5 GRE first removes the IPv4 header and then checks the GRE key checksum and packet sequence number After GRE finishes the checking it removes the GRE header and submits the payload to the IPv6 protocol for forwarding NOTE GRE encapsulation and...

Page 334: ...k scope Figure 134 Network diagram In an IP network the maximum TTL value of a packet is 255 If two devices have more than 255 hops in between they cannot communicate with each other By using a GRE tunnel you can hide some hops to enlarge the network scope As shown in Figure 134 only the tunnel end devices Device A and Device D of the GRE tunnel are counted in hop count calculation Therefore there...

Page 335: ...ing multicast broadcast and non IP packets After GRE encapsulation these packets become common unicast packets which can be protected by IPsec Simplifies IPsec configuration Packets are first encapsulated by GRE You can define the packets to be protected by IPsec according to the GRE tunnel s source and destination addresses without considering the source and destination addresses of the original ...

Page 336: ...g interface of the route Enable a dynamic routing protocol on both the tunnel interface and the interface connecting the private network This allows the dynamic routing protocol to establish a routing entry with the tunnel interface as the outgoing interface The IP address of the tunnel interface and the tunnel destination address configured on the tunnel interface must be in different subnets For...

Page 337: ...ackets from the GRE tunnel The tunnel local end uses this address as the destination address of the encapsulated packets 6 Optional Enable GRE keepalive and set the keepalive interval and keepalive number keepalive interval times By default GRE keepalive is disabled 7 Optional Enable GRE checksum gre checksum By default GRE checksum is disabled 8 Optional Configure a GRE key for the GRE tunnel int...

Page 338: ...tunnel interface and the interface connecting the private network This allows the dynamic routing protocol to establish a routing entry with the tunnel interface as the outgoing interface The IP address of the tunnel interface and the tunnel destination address configured on the tunnel interface must be in different subnets For information about tunnel interfaces the interface tunnel source destin...

Page 339: ...s of the encapsulated packets 6 Optional Enable GRE checksum gre checksum By default GRE checksum is disabled 7 Optional Configure a GRE key for the tunnel interface gre key key number By default no GRE key is configured for a GRE tunnel interface The two ends of a GRE tunnel must have the same key or both have no key 8 Return to system view quit N A 9 Optional Configure the device to discard IPv6...

Page 340: ... the destination address of the tunnel interface as the IP address of GigabitEthernet 2 0 2 on Router B RouterA Tunnel0 destination 2 2 2 2 RouterA Tunnel0 quit Configure a static route from Router A through the tunnel interface to Group 2 RouterA ip route static 10 1 3 0 255 255 255 0 tunnel 0 2 Configure Router B Create tunnel interface Tunnel 0 and specify the tunnel mode as GRE IPv4 RouterB sy...

Page 341: ...0 packets sec Last 300 seconds output rate 0 bytes sec 0 bits sec 0 packets sec Input 0 packets 0 bytes 0 drops Output 0 packets 0 bytes 0 drops Display tunnel interface information on Router B RouterB display interface tunnel 0 Tunnel0 Current state UP Line protocol state UP Description Tunnel0 Interface Bandwidth 64kbps Maximum Transmit Unit 1476 Internet Address is 10 1 2 2 24 Primary Tunnel so...

Page 342: ...communicate with each other through the GRE tunnel over the IPv6 network Figure 138 Network diagram Configuration procedure Before performing the following configuration configure an IP address for each interface and make sure Router A and Router B can reach each other 1 Configure Router A Create a tunnel interface Tunnel 0 and specify the tunnel mode as GRE IPv6 RouterA system view RouterA interf...

Page 343: ...ription Tunnel0 Interface Bandwidth 64kbps Maximum Transmit Unit 1456 Internet Address is 10 1 2 1 24 Primary Tunnel source 2002 1 1 destination 2001 2 1 Tunnel TTL 255 Tunnel protocol transport GRE IPv6 GRE key disabled Checksumming of GRE packets disabled Output queue Urgent queuing Size Length Discards 0 100 0 Output queue Protocol queuing Size Length Discards 0 500 0 Output queue FIFO queuing ...

Page 344: ...q 1 ttl 255 time 1 000 ms 56 bytes from 10 1 1 1 icmp_seq 2 ttl 255 time 1 000 ms 56 bytes from 10 1 1 1 icmp_seq 3 ttl 255 time 0 000 ms 56 bytes from 10 1 1 1 icmp_seq 4 ttl 255 time 1 000 ms Ping statistics for 10 1 1 1 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min avg max std dev 0 000 1 000 2 000 0 632 ms The output shows that Router B can successfully ping Router ...

Page 345: ...her Device A has a route over tunnel 0 to 10 2 0 0 16 and whether Device C has a route over tunnel 0 to 10 1 0 0 16 2 If such a route does not exist execute the ip route static command in system view to add the route Take Device A as an example DeviceA ip route static 10 2 0 0 255 255 0 0 tunnel 0 ...

Page 346: ... one ADVPN domain A VAM server can serve multiple ADVPN domains and manage their clients VAM clients include hubs and spokes Hub A hub is the exchange center of routing information A hub in a hub spoke network is also a data forwarding center Spoke A spoke is the gateway of a branch It does not forward data received from other ADVPN nodes ADVPN supports the following structures Full mesh In a full...

Page 347: ...the full mesh backbone area All hubs obtain information about other hubs from the VAM server and establish permanent ADVPN tunnels to each other Spokes must belong to non backbone hub groups Each non backbone hub group includes at least one hub and uses either the full mesh or hub spoke structure Spokes obtain hub information in the ADVPN domain from the VAM server and establish permanent tunnels ...

Page 348: ...rver perform the following operations to initialize a connection 1 The client sends encryption and authentication algorithms to the server in a connection request 2 The server compares the algorithm list of the client to its own algorithm list in priority order 3 The server sends the matching algorithms to the client If no match is found the negotiation fails 4 The server and the client generate e...

Page 349: ...egisters the client and sends the client a registration acknowledgement VAM supports both PAP and CHAP authentication 3 The client submits its identity information to the server 4 The server performs authentication and accounting for the client through the AAA server 5 The server sends the client a registration acknowledgement that includes hub information Figure 144 Registration process Tunnel es...

Page 350: ...nge routes between spoke and spoke When a spoke receives a packet destined to a remote private network it performs the following operations to forward the packet a Locates the private next hop from the routing table b Uses the private next hop to obtain the corresponding public address from the VAM server c Sends the packet to the public address over the ADVPN tunnel Full mesh and hub spoke struct...

Page 351: ...tion task list Configure ADVPN in the order of VAM servers hubs and spokes Perform the following tasks to configure ADVPN Tasks at a glance Optional Configuring AAA Required Configuring the VAM server Required Configuring the VAM client Required Configuring an ADVPN tunnel interface Required Configuring routing Optional Configuring IPsec for ADVPN tunnels Configuring AAA The VAM server can use AAA...

Page 352: ...either command By default the VAM server is disabled Configuring a pre shared key for the VAM server The pre shared key is used to generate initial encryption and authentication keys during connection initialization It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed The VAM server must have the same pre shared key as th...

Page 353: ...b group Step Command Remarks 1 Enter system view system view N A 2 Enter ADVPN domain view vam server advpn domain domain name id domain id N A 3 Create a hub group and enter hub group view hub group group name By default no hub group exists Configuring hub private addresses in a hub group A hub group must have at least one hub private address To configure hub private addresses in the hub group St...

Page 354: ... the spoke sends the VAM server the destination address of the packet obtains the remote spoke information and establishes a direct tunnel to the remote spoke To specify an ACL to control establishing spoke to spoke tunnels Step Command Remarks 1 Enter system view system view N A 2 Enter ADVPN domain view vam server advpn domain domain name id domain id N A 3 Enter hub group view hub group group n...

Page 355: ...cbc 128 aes cbc 192 aes cbc 256 aes ctr 128 aes ctr 192 aes ctr 256 des cbc none The default encryption algorithms are AES CBC 256 AES CBC 192 AES CBC 128 AES CTR 256 AES CTR 192 AES CTR 128 3DES CBC and DES CBC in descending order of priority Configuring an authentication method The VAM server uses the specified method to authenticate clients in the ADVPN domain The VAM server supports PAP and CH...

Page 356: ...rval retry retry times By default the keepalive interval is 180 seconds and the maximum number of keepalive retries is 3 Configuring the retry timer The VAM server starts the retry timer after it sends a request to a client If the server does not receive a response from the client before the retry timer expires the server resends the request The server stops sending the request after receiving a r...

Page 357: ...nt When the server fails the client uses the settings from the other server If the specified primary and secondary VAM servers have the same address or name only the primary VAM server takes effect The port number of a VAM server must be the same as that configured on the VAM server To specify VAM servers for a client Step Command Remarks 1 Enter system view system view N A 2 Enter VAM client view...

Page 358: ...key is configured for a VAM client Setting the retry timer and retry times for a VAM client A VAM client starts a retry timer after sending a request to the server If the client does not receive a response before the retry timer expires it resends the request If the client fails to receive a response after maximum attempts retry times the client considers the server is unreachable The retry times ...

Page 359: ...username and password is configured for the client Configuring an ADVPN tunnel interface ADVPN establishes tunnels over ADVPN tunnel interfaces To configure an ADVPN tunnel interface Step Command Remarks 1 Enter system view system view N A 2 Create an ADVPN tunnel interface and enter its view interface tunnel number mode advpn gre udp ipv6 By default no tunnel interface is created The two ends of ...

Page 360: ...ther tunnel interfaces 7 Bind a VAM client to the tunnel interface Bind an IPv4 VAM client to the tunnel interface vam client client name compatible advpn0 Bind an IPv6 VAM client to the tunnel interface vam ipv6 client client name By default no VAM client is bound to an ADVPN tunnel interface A VAM client can be bound to only one IPv4 or IPv6 ADVPN tunnel interface 8 Optional Configure a private ...

Page 361: ...is the IP address of the peer spoke in a full mesh network EBGP does not support full mesh or is the IP address of the hub in a hub spoke network ADVPN supports OSPFv3 RIPng and IPv6 BGP for IPv6 When OSPFv3 is used set the network type of an OSPFv3 interface to broadcast in a full mesh network or to P2MP in a hub spoke network When RIPng is used only the full mesh network is supported When IPv6 B...

Page 362: ...m client shortcut ipv6 interest name client name Display IPv4 ADVPN tunnel information display advpn session interface tunnel number private address private ip address verbose Display IPv6 ADVPN tunnel information display advpn ipv6 session interface tunnel number private address private ipv6 address verbose Clear IPv4 private to public address mapping information for VAM clients registered with t...

Page 363: ...nt Device Interface IP address Device Interface IP address Hub 1 GE2 0 1 1 0 0 1 24 Spoke 1 GE2 0 1 1 0 0 3 24 Tunnel1 192 168 0 1 24 GE2 0 2 192 168 1 1 24 Hub 2 GE2 0 1 1 0 0 2 24 Tunnel1 192 168 0 3 24 Tunnel1 192 168 0 2 24 Spoke 2 GE2 0 1 1 0 0 4 24 AAA server 1 0 0 10 24 GE2 0 2 192 168 2 1 24 Primary server GE2 0 1 1 0 0 11 24 Tunnel1 192 168 0 4 24 Secondary server GE2 0 1 1 0 0 12 24 Conf...

Page 364: ...er domain abc hub group 0 hub private address 192 168 0 1 PrimaryServer vam server domain abc hub group 0 hub private address 192 168 0 2 Specify a spoke private IPv4 network PrimaryServer vam server domain abc hub group 0 spoke private address network 192 168 0 0 255 255 255 0 PrimaryServer vam server domain abc hub group 0 quit Set the pre shared key to 123456 PrimaryServer vam server domain abc...

Page 365: ...m set abc esp encryption algorithm des cbc Hub1 ipsec transform set abc esp authentication algorithm sha1 Hub1 ipsec transform set abc quit Hub1 ipsec profile abc isakmp Hub1 ipsec profile isakmp abc transform set abc Hub1 ipsec profile isakmp abc ike profile abc Hub1 ipsec profile isakmp abc quit 4 Configure OSPF to advertise the private network Hub1 ospf 1 Hub1 ospf 1 area 0 Hub1 ospf 1 area 0 0...

Page 366: ... abc quit Configure the IPsec profile Hub2 ipsec transform set abc Hub2 ipsec transform set abc encapsulation mode transport Hub2 ipsec transform set abc esp encryption algorithm des cbc Hub2 ipsec transform set abc esp authentication algorithm sha1 Hub2 ipsec transform set abc quit Hub2 ipsec profile abc isakmp Hub2 ipsec profile isakmp abc transform set abc Hub2 ipsec profile isakmp abc ike prof...

Page 367: ... simple 123456 Spoke1 ike keychain abc quit Spoke1 ike profile abc Spoke1 ike profile abc keychain abc Spoke1 ike profile abc quit Configure the IPsec profile Spoke1 ipsec transform set abc Spoke1 ipsec transform set abc encapsulation mode transport Spoke1 ipsec transform set abc esp encryption algorithm des cbc Spoke1 ipsec transform set abc esp authentication algorithm sha1 Spoke1 ipsec transfor...

Page 368: ... 1 0 0 11 Spoke2 vam client Spoke2 server secondary ip address 1 0 0 12 Enable the VAM client Spoke2 vam client Spoke2 client enable Spoke2 vam client Spoke2 quit 3 Configure an IPsec profile Configure IKE Spoke2 ike keychain abc Spoke2 ike keychain abc pre shared key address 0 0 0 0 0 0 0 0 key simple 123456 Spoke2 ike keychain abc quit Spoke2 ike profile abc Spoke2 ike profile abc keychain abc S...

Page 369: ...Hub No 0H 47M 31S 0 192 168 0 3 1 0 0 3 Spoke No 0H 28M 25S 0 192 168 0 4 1 0 0 4 Spoke No 0H 19M 15S Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server SecondaryServer display vam server address map ADVPN domain name 1 Total private address mappings 4 Group Private address Public address Type NAT Holding time 0 192 168 0 1 1 0 0 1 Hub No 0H 52M 7...

Page 370: ...trip min avg max std dev 0 000 1 000 4 000 1 549 ms Display IPv4 ADVPN tunnel information on Spokes This example uses Spoke 1 Spoke1 display advpn session Interface Tunnel1 Number of sessions 3 Private address Public address Port Type State Holding time 192 168 0 1 1 0 0 1 S H Success 0H 46M 8S 192 168 0 2 1 0 0 2 S H Success 0H 46M 8S 192 168 0 4 1 0 0 4 S S Success 0H 0M 1S The output shows the ...

Page 371: ...m view PrimaryServer radius scheme abc PrimaryServer radius abc primary authentication ipv6 1 10 1812 PrimaryServer radius abc primary accounting ipv6 1 10 1813 PrimaryServer radius abc key authentication simple 123 PrimaryServer radius abc key accounting simple 123 PrimaryServer radius abc user name format without domain PrimaryServer radius abc quit PrimaryServer radius session control enable Co...

Page 372: ...tion method chap Enable the VAM server for the ADVPN domain PrimaryServer vam server domain abc server enable PrimaryServer vam server domain abc quit Configuring the secondary VAM server Configure the secondary VAM server in the same way that the primary server is configured Details not shown Configuring Hub 1 1 Configure IP addresses for the interfaces Details not shown 2 Configure the VAM clien...

Page 373: ...3 1 quit 5 Configure GRE mode IPv6 ADVPN tunnel interface tunnel1 Hub1 interface tunnel1 mode advpn gre ipv6 Hub1 Tunnel1 ipv6 address 192 168 1 64 Hub1 Tunnel1 ipv6 address fe80 1 link local Hub1 Tunnel1 vam ipv6 client Hub1 Hub1 Tunnel1 ospfv3 1 area 0 Hub1 Tunnel1 ospfv3 network type broadcast Hub1 Tunnel1 source gigabitethernet 2 0 1 Hub1 Tunnel1 tunnel protection ipsec profile abc Hub1 Tunnel...

Page 374: ...sform set abc Hub2 ipsec profile isakmp abc ike profile abc Hub2 ipsec profile isakmp abc quit 4 Configure OSPFv3 Hub2 ospfv3 1 Hub2 ospfv3 1 router id 0 0 0 2 Hub2 ospfv3 1 area 0 Hub2 ospfv3 1 area 0 0 0 0 quit Hub2 ospfv3 1 quit 5 Configure GRE mode IPv6 ADVPN tunnel interface tunnel1 Hub2 interface tunnel1 mode advpn gre ipv6 Hub2 Tunnel1 ipv6 address 192 168 2 64 Hub1 Tunnel1 ipv6 address fe8...

Page 375: ... ipsec transform set abc esp encryption algorithm des cbc Spoke1 ipsec transform set abc esp authentication algorithm sha1 Spoke1 ipsec transform set abc quit Spoke1 ipsec profile abc isakmp Spoke1 ipsec profile isakmp abc transform set abc Spoke1 ipsec profile isakmp abc ike profile abc Spoke1 ipsec profile isakmp abc quit 4 Configure OSPFv3 Spoke1 ospfv3 1 Spoke1 ospfv3 1 router id 0 0 0 3 Spoke...

Page 376: ... key address ipv6 0 key simple 123456 Spoke2 ike keychain abc quit Spoke2 ike profile abc Spoke2 ike profile abc keychain abc Spoke2 ike profile abc quit Configure the IPsec profile Spoke2 ipsec transform set abc Spoke2 ipsec transform set abc encapsulation mode transport Spoke2 ipsec transform set abc esp encryption algorithm des cbc Spoke2 ipsec transform set abc esp authentication algorithm sha...

Page 377: ...r ipv6 address map ADVPN domain name 1 Total private address mappings 4 Group Private address Public address Type NAT Holding time 0 192 168 1 1 1 Hub No 0H 52M 7S 0 192 168 2 1 2 Hub No 0H 47M 31S 0 192 168 3 1 3 Spoke No 0H 28M 25S 0 192 168 4 1 4 Spoke No 0H 19M 15S The output shows that Hub 1 Hub 2 Spoke 1 Spoke 2 and Spoke 3 all have registered their address mapping information with the VAM s...

Page 378: ...y IPv6 ADVPN tunnel information on Spokes This example uses Spoke 1 Spoke1 display advpn ipv6 session Interface Tunnel1 Number of sessions 3 Private address Public address Port Type State Holding time 192 168 1 1 1 S H Success 0H 46M 8S 192 168 2 1 2 S H Success 0H 46M 8S 192 168 4 1 4 S S Success 0H 0M 1S The output shows the following information Spoke 1 has established a permanent hub spoke tun...

Page 379: ... system view PrimaryServer radius scheme abc PrimaryServer radius abc primary authentication 1 0 0 10 1812 PrimaryServer radius abc primary accounting 1 0 0 10 1813 PrimaryServer radius abc key authentication simple 123 PrimaryServer radius abc key accounting simple 123 PrimaryServer radius abc user name format without domain PrimaryServer radius abc quit PrimaryServer radius session control enabl...

Page 380: ...omain PrimaryServer vam server domain abc server enable PrimaryServer vam server domain abc quit Configuring the secondary VAM server Configure the secondary VAM server in the same way that the primary server is configured Details not shown Configuring Hub 1 1 Configure IP addresses for the interfaces Details not shown 2 Configure the VAM client Create VAM client Hub1 Hub1 system view Hub1 vam cli...

Page 381: ...ce tunnel1 Hub1 interface tunnel1 mode advpn gre Hub1 Tunnel1 ip address 192 168 0 1 255 255 255 0 Hub1 Tunnel1 vam client Hub1 Hub1 Tunnel1 ospf network type p2mp Hub1 Tunnel1 source gigabitethernet 2 0 1 Hub1 Tunnel1 tunnel protection ipsec profile abc Hub1 Tunnel1 undo shutdown Hub1 Tunnel1 quit Configuring Hub 2 1 Configure IP addresses for the interfaces Details not shown 2 Configure the VAM ...

Page 382: ...0 0 network 192 168 0 0 0 0 0 255 Hub2 ospf 1 area 0 0 0 0 quit Hub2 ospf 1 quit 5 Configure GRE mode IPv4 ADVPN tunnel interface tunnel1 Hub2 interface tunnel1 mode advpn gre Hub2 Tunnel1 ip address 192 168 0 2 255 255 255 0 Hub2 Tunnel1 vam client Hub2 Hub2 Tunnel1 ospf network type p2mp Hub2 Tunnel1 source gigabitethernet 2 0 1 Hub2 Tunnel1 tunnel protection ipsec profile abc Hub2 Tunnel1 undo ...

Page 383: ...e1 ipsec profile isakmp abc ike profile abc Spoke1 ipsec profile isakmp abc quit 4 Configure OSPF to advertise private networks Spoke1 ospf 1 Spoke1 ospf 1 area 0 Spoke1 ospf 1 area 0 0 0 0 network 192 168 0 0 0 0 0 255 Spoke1 ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 Spoke1 ospf 1 area 0 0 0 0 quit Spoke1 ospf 1 quit 5 Configure GRE mode IPv4 ADVPN tunnel interface tunnel1 Spoke1 interfac...

Page 384: ...m des cbc Spoke2 ipsec transform set abc esp authentication algorithm sha1 Spoke2 ipsec transform set abc quit Spoke2 ipsec profile abc isakmp Spoke2 ipsec profile isakmp abc transform set abc Spoke2 ipsec profile isakmp abc ike profile abc Spoke2 ipsec profile isakmp abc quit 4 Configure OSPF to advertise private networks Spoke2 ospf 1 Spoke2 ospf 1 area 0 Spoke2 ospf 1 area 0 0 0 0 network 192 1...

Page 385: ...ss Public address Port Type State Holding time 192 168 0 2 1 0 0 2 H H Success 0H 46M 8S 192 168 0 3 1 0 0 3 H S Success 0H 27M 27S 192 168 0 4 1 0 0 4 H S Success 0H 18M 18S The output shows that Hub 1 has established a permanent tunnel to Hub 2 Spoke 1 and Spoke 2 Display IPv4 ADVPN tunnel information on Spokes This example uses Spoke 1 Spoke1 display advpn session Interface Tunnel1 Number of se...

Page 386: ...ub 1 GE2 0 1 1 1 64 Spoke 1 GE2 0 1 1 3 64 Tunnel1 192 168 1 64 GE2 0 2 192 168 1 1 64 Hub 2 GE2 0 1 1 2 64 Tunnel1 192 168 3 64 Tunnel1 192 168 2 64 Spoke 2 GE2 0 1 1 4 64 AAA server 1 10 64 GE2 0 2 192 168 2 1 64 Primary server GE2 0 1 1 11 64 Tunnel1 192 168 4 64 Secondary server GE2 0 1 1 12 64 Configuring the primary VAM server 1 Configure IP addresses for the interfaces Details not shown 2 C...

Page 387: ...r domain abc hub group 0 hub ipv6 private address 192 168 2 Specify a spoke private IPv6 network PrimaryServer vam server domain abc hub group 0 spoke ipv6 private address network 192 168 0 64 PrimaryServer vam server domain abc hub group 0 quit Set the pre shared key to 123456 PrimaryServer vam server domain abc pre shared key simple 123456 Set the authentication mode to CHAP PrimaryServer vam se...

Page 388: ...s cbc Hub1 ipsec transform set abc esp authentication algorithm sha1 Hub1 ipsec transform set abc quit Hub1 ipsec profile abc isakmp Hub1 ipsec profile isakmp abc transform set abc Hub1 ipsec profile isakmp abc ike profile abc Hub1 ipsec profile isakmp abc quit 4 Configure OSPFv3 Hub1 ospfv3 1 Hub1 ospfv3 1 router id 0 0 0 1 Hub1 ospfv3 1 area 0 Hub1 ospfv3 1 area 0 0 0 0 quit Hub1 ospfv3 1 quit 5...

Page 389: ...2 ike profile abc quit Configure the IPsec profile Hub2 ipsec transform set abc Hub2 ipsec transform set abc encapsulation mode transport Hub2 ipsec transform set abc esp encryption algorithm des cbc Hub2 ipsec transform set abc esp authentication algorithm sha1 Hub2 ipsec transform set abc quit Hub2 ipsec profile abc isakmp Hub2 ipsec profile isakmp abc transform set abc Hub2 ipsec profile isakmp...

Page 390: ... IPsec profile Configure IKE Spoke1 ike keychain abc Spoke1 ike keychain abc pre shared key address ipv6 0 key simple 123456 Spoke1 ike keychain abc quit Spoke1 ike profile abc Spoke1 ike profile abc keychain abc Spoke1 ike profile abc quit Configure the IPsec profile Spoke1 ipsec transform set abc Spoke1 ipsec transform set abc encapsulation mode transport Spoke1 ipsec transform set abc esp encry...

Page 391: ...y VAM servers Spoke2 vam client Spoke2 server primary ipv6 address 1 11 Spoke2 vam client Spoke2 server secondary ipv6 address 1 12 Enable the VAM client Spoke2 vam client Spoke2 client enable Spoke2 vam client Spoke2 quit 3 Configure an IPsec profile Configure IKE Spoke2 ike keychain abc Spoke2 ike keychain abc pre shared key address ipv6 0 key simple 123456 Spoke2 ike keychain abc quit Spoke2 ik...

Page 392: ...2 168 3 1 3 Spoke No 0H 28M 25S 0 192 168 4 1 4 Spoke No 0H 19M 15S Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server SecondaryServer display vam server ipv6 address map ADVPN domain name 1 Total private address mappings 4 Group Private address Public address Type NAT Holding time 0 192 168 1 1 1 Hub No 0H 52M 7S 0 192 168 2 1 2 Hub No 0H 47M 31S...

Page 393: ... 168 4 icmp_seq 3 hlim 64 time 1 000 ms 56 bytes from 192 168 4 icmp_seq 4 hlim 64 time 1 000 ms Ping6 statistics for 192 168 4 5 packets transmitted 5 packets received 0 0 packet loss round trip min avg max std dev 0 000 1 200 3 000 0 980 ms IPv4 multi hub group ADVPN configuration example Network requirements As shown in Figure 150 the primary and secondary VAM servers manage and maintain VAM cl...

Page 394: ...92 168 2 2 24 Primary server GE2 0 1 1 0 0 11 24 Spoke 4 GE2 0 1 1 0 0 7 24 Secondary server GE2 0 1 1 0 0 12 24 GE2 0 2 192 168 50 1 24 GE2 0 3 192 168 60 1 24 Tunnel1 192 168 2 3 24 Configuring the primary VAM server 1 Configure IP addresses for the interfaces Details not shown 2 Configure AAA AAA server Hub3 Hub1 Group 1 Group 2 Group 0 Spoke1 Spoke4 Hub2 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tun...

Page 395: ...ub private address 192 168 0 2 PrimaryServer vam server domain abc hub group 0 hub private address 192 168 0 3 PrimaryServer vam server domain abc hub group 0 quit Create hub group 1 PrimaryServer vam server domain abc hub group 1 Specify hub private IPv4 addresses PrimaryServer vam server domain abc hub group 1 hub private address 192 168 1 1 PrimaryServer vam server domain abc hub group 1 hub pr...

Page 396: ...to hub1 Hub1 vam client Hub1Group0 user hub1 password simple hub1 Specify the primary and secondary VAM servers Hub1 vam client Hub1Group0 server primary ip address 1 0 0 11 Hub1 vam client Hub1Group0 server secondary ip address 1 0 0 12 Enable the VAM client Hub1 vam client Hub1Group0 client enable Hub1 vam client Hub1Group0 quit Create VAM client Hub1Group1 Hub1 vam client name Hub1Group1 Specif...

Page 397: ...k 192 168 1 0 0 0 0 255 Hub1 ospf 1 area 0 0 0 1 quit Hub1 ospf 1 quit 5 Configure ADVPN tunnels Configure UDP mode IPv4 ADVPN tunnel interface tunnel1 Hub1 interface tunnel1 mode advpn udp Hub1 Tunnel1 ip address 192 168 1 1 255 255 255 0 Hub1 Tunnel1 vam client Hub1Group1 Hub1 Tunnel1 ospf network type broadcast Hub1 Tunnel1 source gigabitethernet 2 0 1 Hub1 Tunnel1 tunnel protection ipsec profi...

Page 398: ...b2 vam client Hub2Group1 user Hub2 password simple Hub2 Specify the primary and secondary VAM servers Hub2 vam client Hub2Group1 server primary ip address 1 0 0 11 Hub2 vam client Hub2Group1 server secondary ip address 1 0 0 12 Enable the VAM client Hub2 vam client Hub2Group1 client enable Hub2 vam client Hub2Group1 quit 3 Configure an IPsec profile Configure IKE Hub2 ike keychain abc Hub2 ike key...

Page 399: ...ospf network type broadcast Hub2 Tunnel2 source gigabitethernet 2 0 1 Hub2 Tunnel2 tunnel protection ipsec profile abc Hub2 Tunnel2 undo shutdown Hub2 Tunnel2 quit Configuring Hub 3 1 Configure IP addresses for the interfaces Details not shown 2 Configure the VAM client Create VAM client Hub3Group0 Hub3 system view Hub3 vam client name Hub3Group0 Specify ADVPN domain abc for the VAM client Hub3 va...

Page 400: ...3 ipsec transform set abc encapsulation mode transport Hub3 ipsec transform set abc esp encryption algorithm des cbc Hub3 ipsec transform set abc esp authentication algorithm sha1 Hub3 ipsec transform set abc quit Hub3 ipsec profile abc isakmp Hub3 ipsec profile isakmp abc transform set abc Hub3 ipsec profile isakmp abc ike profile abc Hub3 ipsec profile isakmp abc quit 4 Configure OSPF to adverti...

Page 401: ...le spoke1 Specify the primary and secondary VAM servers Spoke1 vam client Spoke1 server primary ip address 1 0 0 11 Spoke1 vam client Spoke1 server secondary ip address 1 0 0 12 Enable the VAM client Spoke1 vam client Spoke1 client enable Spoke1 vam client Spoke1 quit 3 Configure an IPsec profile Configure IKE Spoke1 ike keychain abc Spoke1 ike keychain abc pre shared key address 0 0 0 0 0 0 0 0 k...

Page 402: ...hown 2 Configure the VAM client Create VAM client Spoke2 Spoke2 system view Spoke2 vam client name Spoke2 Specify ADVPN domain abc for the VAM client Spoke2 vam client Spoke2 advpn domain abc Set the pre shared key to 123456 Spoke2 vam client Spoke2 pre shared key simple 123456 Set both the username and password to spoke2 Spoke2 vam client Spoke2 user spoke2 password simple spoke2 Specify the prim...

Page 403: ...lient Spoke2 Spoke2 Tunnel1 ospf network type broadcast Spoke2 Tunnel1 ospf dr priority 0 Spoke2 Tunnel1 advpn network 192 168 20 0 255 255 255 0 Spoke2 Tunnel1 advpn network 192 168 30 0 255 255 255 0 Spoke2 Tunnel1 source gigabitethernet 2 0 1 Spoke2 Tunnel1 tunnel protection ipsec profile abc Spoke2 Tunnel1 undo shutdown Spoke2 Tunnel1 quit Configuring Spoke 3 1 Configure IP addresses for the i...

Page 404: ...f 1 area 0 0 0 2 network 192 168 40 0 0 0 0 255 Spoke3 ospf 1 area 0 0 0 2 quit Spoke3 ospf 1 quit 5 Configure UDP mode IPv4 ADVPN tunnel interface tunnel1 Configure its DR priority as 0 so Spoke 3 will not participate in DR BDR election Spoke3 interface tunnel 1 mode advpn udp Spoke3 Tunnel1 ip address 192 168 2 2 255 255 255 0 Spoke3 Tunnel1 vam client Spoke3 Spoke3 Tunnel1 ospf network type bro...

Page 405: ...t Spoke4 ipsec profile abc isakmp Spoke4 ipsec profile isakmp abc transform set abc Spoke4 ipsec profile isakmp abc ike profile abc Spoke4 ipsec profile isakmp abc quit 4 Configure OSPF to advertise private networks Spoke4 ospf 1 Spoke4 ospf 1 area 2 Spoke4 ospf 1 area 0 0 0 2 network 192 168 2 0 0 0 0 255 Spoke4 ospf 1 area 0 0 0 2 network 192 168 50 0 0 0 0 255 Spoke4 ospf 1 area 0 0 0 2 network...

Page 406: ...roup Private address Public address Type NAT Holding time 0 192 168 0 1 1 0 0 1 Hub No 0H 52M 7S 0 192 168 0 2 1 0 0 2 Hub No 0H 47M 31S 0 192 168 0 3 1 0 0 3 Hub No 0H 28M 25S 1 192 168 1 1 1 0 0 1 Hub No 0H 52M 7S 1 192 168 1 2 1 0 0 2 Hub No 0H 47M 31S 1 192 168 1 3 1 0 0 4 Spoke No 0H 18M 26S 1 192 168 1 4 1 0 0 5 Spoke No 0H 28M 25S 2 192 168 2 1 1 0 0 3 Hub No 0H 28M 25S 2 192 168 2 2 1 0 0 ...

Page 407: ...isplay advpn session Interface Tunnel1 Number of sessions 1 Private address Public address Port Type State Holding time 192 168 2 1 1 0 0 3 18001 S H Success 0H 46M 8S The output shows that Spoke 3 has established a permanent hub spoke tunnel to Hub 3 IPv6 multi hub group ADVPN configuration example Network requirements As shown in Figure 151 the primary and secondary VAM servers manage and mainta...

Page 408: ...64 Primary server GE2 0 1 1 11 64 Spoke 4 GE2 0 1 1 7 64 Secondary server GE2 0 1 1 12 64 GE2 0 2 192 168 50 1 64 GE2 0 3 192 168 60 1 64 Tunnel1 192 168 2 3 64 Configuring the primary VAM server 1 Configure IP addresses for the interfaces Details not shown 2 Configure AAA AAA server Hub3 Hub1 Group 1 Group 2 Group 0 Spoke1 Spoke4 Hub2 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Tunnel 1 Spoke2 S...

Page 409: ...PrimaryServer vam server domain abc hub group 0 hub ipv6 private address 192 168 1 PrimaryServer vam server domain abc hub group 0 hub ipv6 private address 192 168 2 PrimaryServer vam server domain abc hub group 0 hub ipv6 private address 192 168 3 PrimaryServer vam server domain abc hub group 0 quit Create hub group 1 PrimaryServer vam server domain abc hub group 1 Specify hub private IPv6 addres...

Page 410: ...domain abc Set the pre shared key to 123456 Hub1 vam client Hub1Group0 pre shared key simple 123456 Set both the username and password to hub1 Hub1 vam client Hub1Group0 user hub1 password simple hub1 Specify the primary and secondary VAM servers Hub1 vam client Hub1Group0 server primary ipv6 address 1 11 Hub1 vam client Hub1Group0 server secondary ipv6 address 1 12 Enable the VAM client Hub1 vam ...

Page 411: ...0 0 quit Hub1 ospfv3 1 area 1 Hub1 ospfv3 1 area 0 0 0 1 quit Hub1 ospfv3 1 quit 5 Configure ADVPN tunnels Configure UDP mode IPv6 ADVPN tunnel interface tunnel1 Hub1 interface tunnel1 mode advpn udp Hub1 Tunnel1 ipv6 address 192 168 1 1 64 Hub1 Tunnel1 ipv6 address fe80 1 1 link local Hub1 Tunnel1 vam ipv6 client Hub1Group1 Hub1 Tunnel1 ospfv3 1 area 1 Hub1 Tunnel1 ospfv3 network type broadcast H...

Page 412: ...he VAM client Hub2 vam client Hub2Group1 advpn domain abc Set the pre shared key to 123456 Hub2 vam client Hub2Group1 pre shared key simple 123456 Set both the username and password to hub2 Hub2 vam client Hub2Group1 user Hub2 password simple Hub2 Specify the primary and secondary VAM servers Hub2 vam client Hub2Group1 server primary ipv6 address 1 11 Hub2 vam client Hub2Group1 server secondary ip...

Page 413: ...source gigabitethernet 2 0 1 Hub2 Tunnel1 tunnel protection ipsec profile abc Hub2 Tunnel1 undo shutdown Hub2 Tunnel1 quit Configure UDP mode IPv6 ADVPN tunnel interface tunnel2 Hub2 interface tunnel2 mode advpn udp Hub2 Tunnel2 ipv6 address 192 168 2 64 Hub2 Tunnel2 ipv6 address fe80 2 link local Hub2 Tunnel2 vam ipv6 client Hub2Group0 Hub2 Tunnel2 ospfv3 1 area 0 Hub2 Tunnel2 ospfv3 network type...

Page 414: ...ver secondary ipv6 address 1 12 Enable the VAM client Hub2 vam client Hub2Group1 client enable Hub2 vam client Hub2Group1 quit 3 Configure an IPsec profile Configure IKE Hub3 ike keychain abc Hub3 ike keychain abc pre shared key address 0 0 0 0 0 0 0 0 key simple 123456 Hub3 ike keychain abc quit Hub3 ike profile abc Hub3 ike profile abc keychain abc Hub3 ike profile abc quit Configure the IPsec p...

Page 415: ...3 Tunnel2 tunnel protection ipsec profile abc Hub3 Tunnel2 undo shutdown Hub3 Tunnel2 quit Configuring Spoke 1 1 Configure IP addresses for the interfaces Details not shown 2 Configure the VAM client Create VAM client Spoke1 Spoke1 system view Spoke1 vam client name Spoke1 Specify ADVPN domain abc for the VAM client Spoke1 vam client Spoke1 advpn domain abc Set the pre shared key to 123456 Spoke1 ...

Page 416: ...a 1 Spoke1 GigabitEthernet2 0 2 quit 5 Configure UDP mode IPv6 ADVPN tunnel interface tunnel1 Configure its DR priority as 0 so Spoke 1 will not participate in DR BDR election Spoke1 interface tunnel1 mode advpn udp Spoke1 Tunnel1 ipv6 address 192 168 1 3 64 Spoke1 Tunnel1 ipv6 address fe80 1 3 link local Spoke1 Tunnel1 vam ipv6 client Spoke1 Spoke1 Tunnel1 ospfv3 1 area 1 Spoke1 Tunnel1 ospfv3 ne...

Page 417: ...ation algorithm sha1 Spoke2 ipsec transform set abc quit Spoke2 ipsec profile abc isakmp Spoke2 ipsec profile isakmp abc transform set abc Spoke2 ipsec profile isakmp abc ike profile abc Spoke2 ipsec profile isakmp abc quit 4 Configure OSPFv3 Spoke2 ospfv3 1 Spoke2 ospfv3 1 router id 0 0 0 5 Spoke2 ospfv3 1 area 0 Spoke2 ospfv3 1 area 0 0 0 0 quit Spoke2 ospfv3 1 area 1 Spoke2 ospfv3 1 area 0 0 0 ...

Page 418: ...3 vam client Spoke3 server primary ipv6 address 1 11 Spoke3 vam client Spoke3 server secondary ipv6 address 1 12 Enable the VAM client Spoke3 vam client Spoke3 client enable Spoke3 vam client Spoke3 quit 3 Configure an IPsec profile Configure IKE Spoke3 ike keychain abc Spoke3 ike keychain abc pre shared key address 0 key simple 123456 Spoke3 ike keychain abc quit Spoke3 ike profile abc Spoke3 ike...

Page 419: ...nnel1 undo shutdown Spoke3 Tunnel1 quit Configuring Spoke 4 1 Configure IP addresses for the interfaces Details not shown 2 Configure the VAM client Create VAM client Spoke4 Spoke4 system view Spoke4 vam client name Spoke4 Specify ADVPN domain abc for the VAM client Spoke4 vam client Spoke4 advpn domain abc Set the pre shared key to 123456 Spoke4 vam client Spoke4 pre shared key simple 123456 Set ...

Page 420: ...a 2 Spoke4 GigabitEthernet2 0 3 quit 5 Configure UDP mode IPv6 ADVPN tunnel interface tunnel1 Configure its DR priority as 0 so Spoke 4 will not participate in DR BDR election Spoke4 interface tunnel1 mode advpn udp Spoke4 Tunnel1 ipv6 address 192 168 2 3 64 Spoke4 Tunnel1 ipv6 address fe80 2 3 link local Spoke4 Tunnel1 vam ipv6 client Spoke4 Spoke4 Tunnel1 ospfv3 1 area 2 Spoke4 Tunnel1 ospfv3 ne...

Page 421: ...0H 25M 40S 2 192 168 2 3 1 7 Spoke No 0H 25M 31S The output shows that Hub 1 Hub 2 Hub3 Spoke 1 Spoke 2 Spoke 3 and Spoke4 all have registered their address mapping information with the VAM servers Display IPv6 ADVPN tunnel information on Hubs This example uses Hub 1 Hub1 display advpn ipv6 session Interface Tunnel1 Number of sessions 3 Private address Public address Port Type State Holding time 1...

Page 422: ...hed a permanent hub spoke tunnel to Hub 3 IPv4 full mesh NAT traversal ADVPN configuration example Network requirements As shown in Figure 152 all the VAM servers and VAM clients reside behind a NAT gateway The primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes The AAA server performs authentication and accounting for VAM clients The two hubs back ...

Page 423: ... authentication 1 0 0 10 1812 PrimaryServer radius abc primary accounting 1 0 0 10 1813 PrimaryServer radius abc key authentication simple 123 PrimaryServer radius abc key accounting simple 123 PrimaryServer radius abc user name format without domain PrimaryServer radius abc quit PrimaryServer radius session control enable Configure AAA methods for ISP domain abc PrimaryServer domain abc PrimarySe...

Page 424: ...erver in the same way that the primary server is configured Details not shown Configuring Hub 1 1 Configure IP addresses for the interfaces Details not shown 2 Configure the VAM client Create VAM client Hub1 Hub1 system view Hub1 vam client name Hub1 Specify ADVPN domain abc for the VAM client Hub1 vam client Hub1 advpn domain abc Set the pre shared key to 123456 Hub1 vam client Hub1 pre shared ke...

Page 425: ...456 Set both the username and password to hub2 Hub2 vam client Hub2 user hub2 password simple hub2 Specify the primary and secondary VAM servers Hub2 vam client Hub2 server primary ip address 1 0 0 4 port 4001 Hub2 vam client Hub2 server secondary ip address 1 0 0 4 port 4002 Enable the VAM client Hub2 vam client Hub2 client enable Hub2 vam client Hub2 quit 3 Configure OSPF Configure OSPF to adver...

Page 426: ... advertise the private network Spoke1 ospf 1 Spoke1 ospf 1 area 0 Spoke1 ospf 1 area 0 0 0 0 network 192 168 0 0 0 0 0 255 Spoke1 ospf 1 area 0 0 0 0 quit Spoke1 ospf 1 quit Configure a default route Spoke1 ip route static 0 0 0 0 0 10 0 0 1 4 Configure UDP mode IPv4 ADVPN tunnel interface tunnel1 Configure its DR priority as 0 so Spoke 1 will not participate in DR BDR election Spoke1 interface tu...

Page 427: ...p address 192 168 0 4 255 255 255 0 Spoke2 Tunnel1 vam client Spoke2 Spoke2 Tunnel1 ospf network type broadcast Spoke2 Tunnel1 ospf dr priority 0 Spoke2 Tunnel1 source gigabitethernet 2 0 1 Spoke2 Tunnel1 undo shutdown Spoke2 Tunnel1 quit Configuring NAT 1 1 Configure IP addresses for the interfaces Details not shown 2 Configure NAT internal servers Configure ACL 2000 to permit packets sourced fro...

Page 428: ...matching ACL 2000 from the same address and port to the same source public address and port NAT2 nat mapping behavior endpoint independent acl 2000 Configuring NAT 3 Configure NAT 3 in the same way that NAT 2 is configured Details not shown Configuring NAT 4 1 Configure IP addresses for the interfaces Details not shown 2 Configure NAT internal servers on GigabitEthernet 2 0 1 Allow external VAM cl...

Page 429: ... address Port Type State Holding time 192 168 0 2 1 0 0 1 4002 H H Success 0H 46M 8S 192 168 0 3 1 0 0 2 2001 H S Success 0H 27M 27S 192 168 0 4 1 0 0 3 2001 H S Success 0H 18M 18S The output shows that Hub 1 has established a permanent tunnel to Hub 2 Spoke 1 and Spoke 2 Display IPv4 ADVPN tunnel information on Spokes This example uses Spoke 1 Spoke1 display advpn session Interface Tunnel1 Number...

Page 430: ...f sessions 3 Private address Public address Port Type State Holding time 192 168 0 1 1 0 0 1 4001 S H Success 0H 46M 8S 192 168 0 2 1 0 0 1 4002 S H Success 0H 46M 8S 192 168 0 4 1 0 0 3 2001 S S Success 0H 0M 1S The output shows the following information Spoke 1 has established a permanent hub spoke tunnel to Hub 1 and Hub 2 Spoke 1 has established a temporary spoke spoke tunnel to Spoke 2 ...

Page 431: ...rtens the slow start process by increasing the initial congestion window size Increased buffering TCP has a maximum buffer size of 64 KB After the sender sends 64 KB data it must wait for an ACK from the receiver before continuing to send data This mechanism wastes bandwidth on the WAN link Increased buffering increases the TCP buffer size to a maximum of 16384 KB improving link efficiency Congest...

Page 432: ...ock index and MD5 digest to the peer WAAS uses the sliding window technology to segment data and detect data redundancy This technology has the following advantages High calculation speed Effective repeated data block detection It uses a fixed size window to compare the original data with data blocks in the dictionary byte by byte DRE decompression process DRE decompresses data in the following pr...

Page 433: ... RFC 3390 Increasing TCP s Initial Window RFC 2581 TCP Congestion Control RFC 2018 TCP Selective Acknowledgment Options RFC 3042 Enhancing TCP s Loss Recovery Using Limited Transmit RFC 2582 The NewReno Modification to TCP s Fast Recovery Algorithm WAAS configuration task list Tasks at a glance Required Configuring a WAAS class Required Configuring a WAAS policy Required Applying a WAAS policy to ...

Page 434: ...ult only the predefined WAAS policy exists As a best practice configure a WAAS policy by modifying the predefined WAAS policy 3 Specify a WAAS class and enter WAAS policy class view class class name insert before existing_class By default no WAAS class is specified 4 Configure optimization actions or the passthrough action optimize tfo dre lz passthrough By default no action is configured An optim...

Page 435: ...ter system view system view N A 2 Set the initial congestion window size waas tfo base congestion window segments The default setting is two segments 3 Enable TFO keepalives waas tfo keepalive By default TFO keepalives are disabled 4 Set the receiving buffer size waas tfo receive buffer buffer size The default setting is 64 KB Configuring the TFO blacklist autodiscovery feature This feature automa...

Page 436: ...olicy applied Displaying and maintaining WAAS Execute display commands in any view and reset commands in user view Task Command Display WAAS class configuration display waas class class name Display WAAS policy configuration display waas policy policy name Display WAAS session information centralized devices in standalone mode display waas session ipv4 ipv6 client ip client ip client port client p...

Page 437: ...slot slot number Display autodiscovered blacklist information distributed devices in IRF mode display waas tfo auto discovery blacklist ipv4 ipv6 chassis chassis number slot slot number Clear the DRE data dictionary reset waas cache dre peer id peer id Clear DRE statistics reset waas statistics dre peer id peer id Clear all blacklist entries reset waas tfo auto discovery blacklist WAAS configurati...

Page 438: ...terB system view RouterB interface gigabitethernet 2 0 1 RouterB GigabitEthernet2 0 1 waas apply policy 5 Download a test file of 14 MB from the server to the host 6 Clear the DRE statistics on Router A RouterA reset waas statistic dre 7 Download the same file from the server to the host Verifying the configuration After the first download display the DRE statistics on Router A RouterA display waa...

Page 439: ...ce saving 79 Average latency 0 usec Decode Statistics Dre msgs 62791 Bytes in 2618457 bytes Bytes out 13972208 bytes Bypass bytes 0 bytes Space saved 81 Average latency 0 usec In the second download the number of received bytes for decompression is much more smaller and the download speed is much faster User defined WAAS policy configuration example Network requirements As shown in Figure 154 conf...

Page 440: ... waasclass c1 match tcp any RouterB waasclass c1 quit 4 Configure WAAS policies Create WAAS policy p1 on Router A use WAAS class c1 and configure TFO DRE and LZ optimization actions in the WAAS class RouterA waas policy p1 RouterA waaspolicy p1 class c1 RouterA waaspolicy p1 c1 optimize tfo dre lz RouterA waaspolicy p1 c1 quit RouterA waaspolicy p1 quit Create WAAS policy p1 on Router B use WAAS c...

Page 441: ...play the DRE statistics on Router A RouterA display waas statistic dre Peer ID cc3e 5fd8 5158 Peer version 1 0 Cache in storage 12718592 bytes Index number 49682 Age 00 weeks 00 days 00 hours 00 minutes 35 seconds Total connections 1 Active connections 0 Encode Statistics Dre msgs 2 Bytes in 286 bytes Bytes out 318 bytes Bypass bytes 0 bytes Bytes Matched 0 bytes Space saving 11 Average latency 0 ...

Page 442: ...tched 256 bytes Space saving 79 Average latency 0 usec Decode Statistics Dre msgs 62687 Bytes in 2592183 bytes Bytes out 13972208 bytes Bypass bytes 0 bytes Space saved 81 Average latency 0 usec In the second download the number of received bytes for decompression is much more smaller and the download speed is much faster ...

Page 443: ...lication scenario Compatibility information Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers MSR1002 4 1003 8S MSR2003 MSR2004 24 2004 48 MSR3012 3024 3044 3064 Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers AFT implementations Static AFT Static AFT creates a fixed mapping between an IPv4 add...

Page 444: ... methods vary depending on the NAT64 prefix length If the prefix length is 32 64 or 96 bits the IPv4 address is embedded as a whole If the prefix length is 40 48 or 56 bits the IPv4 address is separated by bits 64 through 71 in an IPv6 address Figure 156 IPv6 address construction with NAT 64 prefix and IPv4 address AFT uses a NAT64 prefix to perform the following translation IPv4 to IPv6 source ad...

Page 445: ...no matching policy is found AFT does not process the packet 2 AFT performs the pre lookup to determine the output interface for the translated packet PBR is not used for the pre lookup If a matching route is found the process goes to step 3 If no matching route is found AFT discards the packet 3 AFT compares the source IPv6 address of the packet with IPv6 to IPv4 source address translation policie...

Page 446: ...ce IPv4 address according to the policy If no matching policy is found AFT discards the packet 4 AFT forwards the translated packet and records the mapping between IPv4 addresses and IPv6 addresses 5 AFT translates the IPv6 addresses in the response packet header to IPv4 addresses based on the address mappings before packet forwarding For more information about IPv4 to IPv6 destination address tra...

Page 447: ...e control connection This requires AFT with ALG to translate the address and port information for data connection establishment AFT with ALG supports the following protocol packets FTP packets DNS packets and ICMP error messages AFT configuration task list For IPv6 initiated communication Task at a glance Required Enabling AFT Required Configuring an IPv6 to IPv4 destination address translation po...

Page 448: ...erface type interface number N A 3 Enable AFT aft enable By default AFT is disabled Configuring an IPv6 to IPv4 destination address translation policy AFT compares an IPv6 packet with IPv6 to IPv4 destination address translation policies in the following order 1 IPv4 to IPv6 source address static mappings 2 NAT64 prefixes To configure an IPv6 to IPv4 destination address translation policy Step Com...

Page 449: ... the address group address start address end address By default no address range exists You can add multiple address ranges to an address group The address ranges must not overlap 4 Return to system view quit N A 5 Configure an IPv6 to IPv4 source address translation policy Configure an IPv6 to IPv4 source address static mapping aft v6tov4 source ipv6 address vpn instance vpn instance name6 ipv4 a...

Page 450: ...ce vpn instance name4 Configure an IPv4 to IPv6 destination address dynamic translation policy aft v4tov6 destination acl number acl number name acl name prefix ivi prefix ivi vpn instance vpn instance name6 By default no IPv4 to IPv6 destination address translation policy exists Configuring an IPv4 to IPv6 source address translation policy AFT compares an IPv4 packet with IPv4 to IPv6 source addr...

Page 451: ... default AFT logging is disabled Setting the ToS field to 0 for translated IPv4 packets Step Command Remarks 1 Enter system view system view N A 2 Set the ToS field to 0 for IPv4 packets translated from IPv6 packets aft turn off tos By default the ToS field value of translated IPv4 packets is the same as the Traffic Class field value of original IPv6 packets Setting the Traffic Class field to 0 fo...

Page 452: ...slot number Display AFT port block mappings distributed devices in IRF mode display aft port block chassis chassis number slot slot number Display information about AFT sessions centralized devices in standalone mode display aft session ipv4 source ip source ip address destination ip destination ip address vpn instance vpn instance name4 verbose display aft session ipv6 source ip source ipv6 addre...

Page 453: ...ized devices in standalone mode reset aft statistics Clear AFT statistics distributed devices in standalone mode centralized devices in IRF mode reset aft statistics slot slot number Clear AFT statistics distributed devices in IRF mode reset aft statistics chassis chassis number slot slot number AFT configuration examples Allowing IPv4 Internet access from an IPv6 network Network requirements As s...

Page 454: ...uter aft v6tov4 source acl ipv6 number 2000 address group 0 Configure the router to use NAT64 prefix 2012 96 to translate destination IPv6 addresses of IPv6 packets Router aft prefix nat64 2012 96 Enable AFT on GigabitEthernet 2 0 1 which is connected to the IPv6 network Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 aft enable Router GigabitEthernet2 0 1 quit Enable AFT on Gig...

Page 455: ...or Responder 4 packets 320 bytes Responder Initiator 4 packets 320 bytes Total sessions found 1 Display detailed information about IPv4 AFT sessions on the router Router display aft session ipv4 verbose Initiator Source IP port 10 1 1 1 1025 Destination IP port 20 1 1 1 2048 DS Lite tunnel peer VPN instance VLAN ID VLL ID Protocol ICMP 1 Inbound interface GigabitEthernet2 0 1 Responder Source IP p...

Page 456: ...21 for the IPv6 internal FTP server Router system view Router aft v6server protocol tcp 10 1 1 1 21 2013 102 21 Configure the router to use NAT64 prefix 2012 96 to translate source addresses of IPv4 packets Router aft prefix nat64 2012 96 Enable AFT on GigabitEthernet 2 0 1 which is connected to the IPv4 Internet Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 aft enable Router ...

Page 457: ... ID VLL ID Protocol TCP 6 Inbound interface GigabitEthernet2 0 1 Responder Source IP port 2013 102 21 Destination IP port 2012 1401 0101 1029 VPN instance VLAN ID VLL ID Protocol TCP 6 Inbound interface GigabitEthernet2 0 2 State TCP_ESTABLISHED Application FTP Start time 2014 03 13 09 07 30 TTL 3582s Initiator Responder 3 packets 184 bytes Responder Initiator 2 packets 148 bytes Total sessions fo...

Page 458: ...f IPv6 packets Router aft prefix ivi 2013 Configure the router to use IVI prefix 2013 to translate destination addresses of packets permitted by IPv4 ACL 2000 Router aft v4tov6 destination acl number 2000 prefix ivi 2013 Enable AFT on GigabitEthernet 2 0 1 which is connected to the IPv4 network Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 aft enable Router GigabitEthernet2 0 ...

Page 459: ...out IPv4 AFT sessions on the router Router display aft session ipv4 verbose Initiator Source IP port 20 1 1 1 1025 Destination IP port 10 1 1 1 2048 DS Lite tunnel peer VPN instance VLAN ID VLL ID Protocol ICMP 1 Inbound interface GigabitEthernet2 0 2 Responder Source IP port 10 1 1 1 1025 Destination IP port 20 1 1 1 0 DS Lite tunnel peer VPN instance VLAN ID VLL ID Protocol ICMP 1 Inbound interf...

Page 460: ...000 Router aft v4tov6 source acl number 2000 prefix nat64 2012 96 Map source IPv6 address 2013 0 ff14 0101 100 to source IPv4 address 20 1 1 1 Router aft v6tov4 source 2013 0 ff14 0101 100 20 1 1 1 Enable AFT on GigabitEthernet 2 0 1 which is connected to the IPv4 network Router interface gigabitethernet 2 0 1 Router GigabitEthernet2 0 1 aft enable Router GigabitEthernet2 0 1 quit Enable AFT on Gi...

Page 461: ... Responder Initiator 4 packets 240 bytes Total sessions found 1 Display detailed information about IPv4 AFT sessions on the router Router display aft session ipv6 verbose Initiator Source IP port 2012 0A01 0101 0 Destination IP port 2013 0 FF14 0101 0100 32768 VPN instance VLAN ID VLL ID Protocol IPV6 ICMP 58 Inbound interface GigabitEthernet2 0 1 Responder Source IP port 2013 0 FF14 0101 0100 0 D...

Page 462: ...tion procedure Specify IP addresses for the interfaces on the router Details not shown Map source IPv4 address 20 1 1 1 to source IPv6 address 2012 1 Router system view Router aft v4tov6 source 20 1 1 1 2012 1 Configure address group 0 and add the address range from 30 1 1 1 to 30 1 1 2 to the group Router aft address group 0 Router aft address group 0 address 30 1 1 1 30 1 1 2 Router aft address ...

Page 463: ...9 Destination IP port 2012 1 21 VPN instance VLAN ID VLL ID Protocol TCP 6 Inbound interface GigabitEthernet2 0 1 Responder Source IP port 2012 1 21 Destination IP port 2013 0 FF0A 0101 0100 1029 VPN instance VLAN ID VLL ID Protocol TCP 6 Inbound interface GigabitEthernet2 0 2 State TCP_ESTABLISHED Application FTP Start time 2014 03 13 09 07 30 TTL 3582s Initiator Responder 3 packets 184 bytes Res...

Page 464: ...Inbound interface GigabitEthernet2 0 2 State TCP_ESTABLISHED Application FTP Start time 2014 03 13 09 07 30 TTL 3577s Initiator Responder 3 packets 124 bytes Responder Initiator 2 packets 108 bytes Total sessions found 1 ...

Page 465: ...ast one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field nam...

Page 466: ... Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewall UTM multiservice security gatewa...

Page 467: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 468: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 469: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 470: ...quence 39 DHCP IP address conflict detection 50 DHCP IP address lease extension 32 DHCP relay address pool 73 DHCP server address pool 40 DHCP server address pool creation 40 DHCP server address pool IP address range 40 DHCPv6 address allocation 242 DHCPv6 address pool 241 DHCPv6 address pool selection 242 DHCPv6 address pool VPN application 250 DHCPv6 address prefix assignment 236 DHCPv6 address ...

Page 471: ...jacency table adjacency table command and hardware compatibility 181 display 180 displaying commands 181 advertising ARP direct route advertisement configuration 23 IP services IRDP proxy advertised IP address 182 IP services IRDP router advertisement RA 182 ADVPN AAA configuration 337 configuration 332 337 349 connection initialization 334 display 347 domain creation 338 hub group configuration 3...

Page 472: ...IPv6 to IPv4 431 AFT session AFT logging enabling 437 alarm DHCP address pool usage alarm 53 IP addressing DHCP address pool usage alarm 53 ALG AFT support 433 NAT support 128 NAT ALG configuration 138 algorithm ADVPN VAM server authentication algorithm configuration 341 ADVPN VAM server encryption algorithm configuration 341 allocating DHCP address allocation 37 DHCP addresses allocation 31 DHCP ...

Page 473: ...uthentication algorithm 341 ADVPN VAM server authentication method 341 ADVPN VAM server configuration 337 auto automatic IPv4 compatible IPv6 tunnel 297 297 DHCP automatic address allocation 31 DHCP binding auto backup 52 DHCP client auto configuration file 45 DHCP snooping entry auto backup 87 DHCPv6 binding auto backup 248 DHCPv6 snooping entry auto backup 278 IPv6 interface link local address a...

Page 474: ...acket DSCP value 79 DHCP client WINS server 44 DHCP server specification 46 DHCP snooping Option 82 support 85 DHCP voice client Option 184 parameters 46 DHCPv6 address pool 241 DHCPv6 client packet DSCP value 265 DHCPv6 configuration 264 264 266 DHCPv6 IA 241 DHCPv6 IAID 241 DHCPv6 IPv6 address acquisition 264 DHCPv6 IPv6 address acquisition configuration 266 DHCPv6 IPv6 address prefix acquisitio...

Page 475: ...6 Internet 445 AFT IPv6 Internet to IPv4 server 448 AFT IPv6 network to IPv4 Internet 439 AFT logging 437 ARP 1 7 ARP direct route advertisement 23 ARP dynamic entry aging timer 5 ARP fast reply 15 15 ARP long static entry 7 ARP PnP 17 18 ARP short static entry 8 ARP static entry 3 ARP suppression 20 21 automatic IPv4 compatible IPv6 tunnel 297 297 bandwidth load sharing 176 common proxy ARP 13 DD...

Page 476: ...NS spoofing 101 DNS trusted interface 103 DS Lite tunnel 311 312 fast forwarding entry aging time 177 fast forwarding load sharing 177 flow classification 179 gratuitous ARP 9 10 GRE 318 326 GRE IPv4 tunnel 322 GRE IPv6 tunnel 323 IP addressing 24 27 27 IP addressing IP unnumbered 26 29 IP forwarding load sharing 175 IP services fast forwarding 177 IP services IRDP 182 183 184 IPPO directed broadc...

Page 477: ... static outbound net to net 130 NAT static 129 NAT hairpin 137 NAT hairpin C S mode 156 NAT hairpin P2P mode 159 NAT server 134 NAT server ACL based 136 NAT server common 134 NAT server external internal access 147 NAT server external internal access domain name 150 NAT server load sharing 135 165 NAT session logging 138 NAT ALG 138 NAT DNS mapping 137 167 NAT444 DS Lite 136 170 per packet or per ...

Page 478: ...PD 241 DHCPv6 server configuration 240 243 DNS outgoing packet DSCP value 103 DNS packet source interface 102 DNS proxy 96 DNS proxy configuration 101 DNS spoofing 97 DNS spoofing configuration 101 DNS trusted interface 103 IP addressing configuration 27 27 IP addressing IP unnumbered configuration 29 IP forwarding 173 IP forwarding load sharing 175 IPPO directed broadcast receive forward configur...

Page 479: ... 34 Option 82 relay agent Option 082 relay agent 34 36 option customization 47 options common 34 options custom 34 overview 31 protocols and standards 36 relay agent client gateway address 74 relay agent client offline detection 74 relay agent configuration 66 67 75 relay agent display 75 relay agent enable on interface 68 relay agent entry periodic refresh 69 relay agent IP address release 71 rel...

Page 480: ... acquisition configuration 268 client maintain 266 client packet DSCP value 265 client stateless DHCPv6 265 client stateless DHCPv6 configuration 271 client subnet advertisement 249 concepts 241 DHCPv6 binding auto backup 248 DHCPv6 feature and hardware compatibility 236 DUID 241 IA 241 IAID 241 IPv6 address assignment 240 IPv6 address prefix allocation sequence 242 IPv6 prefix assignment 240 mult...

Page 481: ...ng packet DSCP value 119 DHCP client domain name suffix 44 DHCP client server 44 dynamic domain name resolution 95 IPv4 client configuration 98 IPv4 client dynamic domain name resolution 99 105 IPv4 client static domain name resolution 98 104 IPv4 configuration 104 IPv4 DNS display 103 IPv4 DNS maintain 103 IPv4 proxy configuration 107 IPv6 client configuration 99 IPv6 client dynamic domain name r...

Page 482: ...ss whitelist 61 DHCPv6 dynamic address allocation 242 DHCPv6 dynamic prefix allocation 242 DHCPv6 server dynamic IPv6 address assignment 254 DHCPv6 server dynamic IPv6 prefix assignment 252 DNS domain name resolution 95 IPv4 DNS client dynamic domain name resolution 99 105 IPv6 DNS client dynamic domain name resolution 100 109 IPv6 dynamic path MTU aging timer 223 NAT dynamic 124 NAT configuration...

Page 483: ...ress dynamic assignment 58 DHCP server IP address static assignment 57 DHCP server option customization 63 DHCP server subnet 62 DHCP server user class 60 DHCP server user class whitelist 61 DHCP snooping basic configuration 90 DHCPv6 client configuration 264 266 DHCPv6 client IPv6 address acquisition configuration 266 DHCPv6 client IPv6 address prefix acquisition configuration 269 DHCPv6 client I...

Page 484: ...gateway address 74 DHCPv6 client gateway address 260 DS Lite NAT444 126 NAT configuration 123 129 140 NAT configuration bidirectional external internal access domain name 153 NAT configuration dynamic inbound 133 NAT configuration dynamic outbound 132 NAT configuration dynamic outbound non overlapping addresses 141 NAT configuration dynamic 131 NAT configuration outbound bidirectional 144 NAT conf...

Page 485: ... ICMP IP services IRDP configuration 184 IPPO ICMP error message rate limit 192 IPPO ICMP error message send 190 IPPO ICMP packet source address specification 192 IRDP configuration 182 183 Router Discovery Protocol Use IRDP ICMPv6 IP services destination unreachable message 224 IP services error message rate limit 223 IP services packet source address 225 IP services redirect message 225 IP servi...

Page 486: ...ection 50 DHCP address pool 37 DHCP address pool usage alarm 53 DHCP address pool VPN application 55 DHCP binding auto backup 52 DHCP BOOTP client configuration 93 94 DHCP BOOTP client dynamic IP address acquisition 93 DHCP client configuration 78 80 DHCP client subnet advertisement 54 DHCP gateway bind to common MAC address 53 DHCP lease extension 32 DHCP message format 33 DHCP relay agent IP add...

Page 487: ...mit 223 IPv6 ICMPv6 message send 223 IPv6 ICMPv6 redirect message 225 IPv6 ICMPv6 time exceeded message 225 IPv6 interface address assignment 211 IPv6 interface MTU 222 IPv6 link local address configuration 213 IPv6 max number NS message sent attempts 218 IPv6 multicast echo request reply 224 IPv6 NAT PT technology 209 IPv6 ND configuration 214 IPv6 ND duplicate address detection 206 IPv6 ND dynam...

Page 488: ...rdware compatibility 186 IP routing bandwidth load sharing 176 IP forwarding load sharing 175 per packet or per flow load sharing 175 IP service AFT process 431 AFT process from IPv4 to IPv6 432 AFT process from IPv6 to IPv4 431 IP services 6to4 relay configuration 301 6to4 tunnel configuration 298 299 adjacency table display 180 adjacency table displaying commands 181 ADVPN AAA configuration 337 ...

Page 489: ...7 DHCP address pool application on interface 49 DHCP address pool usage alarm 53 DHCP address pool VPN application 55 DHCP binding auto backup 52 DHCP BOOTP application 93 DHCP BOOTP client address acquisition 93 DHCP BOOTP client dynamic IP address acquisition 93 DHCP client BIMS server information 45 DHCP client DNS server 44 DHCP client domain name suffix 44 DHCP client gateway 43 DHCP client N...

Page 490: ...ess 260 DHCPv6 client IPv6 address acquisition 264 DHCPv6 client IPv6 address prefix acquisition 265 DHCPv6 client IPv6 prefix acquisition 265 DHCPv6 client maintain 266 DHCPv6 client stateless 265 DHCPv6 client subnet advertisement 249 DHCPv6 concepts 241 DHCPv6 configuration 240 DHCPv6 IPv6 address assignment 240 DHCPv6 IPv6 prefix assignment 240 DHCPv6 overview 236 DHCPv6 protocols and standard...

Page 491: ... IPv6 DNS configuration 108 IPv6 dynamic path MTU aging timer 223 IPv6 fast forwarding aging time configuration 282 IPv6 fast forwarding configuration 282 IPv6 fast forwarding load sharing configuration 283 IPv6 features 202 IPv6 ICMPv6 destination unreachable message 224 IPv6 ICMPv6 message send 223 IPv6 ICMPv6 packet source address specification 225 IPv6 ICMPv6 redirect message 225 IPv6 ICMPv6 t...

Page 492: ...tion DS Lite 136 170 proxy ARP configuration 12 proxy ARP display 13 special IP addresses 25 stateless DHCPv6 238 troubleshooting DHCP relay agent configuration 77 troubleshooting DHCP server configuration 65 troubleshooting GRE 330 troubleshooting GRE hosts cannot ping each other 330 troubleshooting IPv4 DNS configuration 115 troubleshooting IPv4 DNS incorrect IP address 115 troubleshooting IPv6 ...

Page 493: ... 309 IPv4 IPv6 tunnel types 288 IPv4 IPv6 tunneling implementation 287 IPv6 IPv4 manual tunnel configuration 294 295 IPv6 IPv4 tunnel types 285 IPv6 IPv4 tunneling implementation 284 ISATAP tunnel configuration 303 304 ISATAP tunneling 285 special IP addresses 25 tunneling configuration 284 292 IPv4 address AFT configuration 429 NAT64 prefix 430 IPv4 fragment IPPO IPv4 local fragment reassembly 19...

Page 494: ... address detection 206 ND dynamic neighbor entries max number 215 ND hop limit 216 ND link local entry minimization 216 ND neighbor reachability detection 206 ND protocol 205 ND protocol address resolution 206 ND proxy enable 219 ND redirection 207 ND router prefix discovery 207 ND stale state entry aging timer 215 ND stateless address autoconfiguration 207 ND static neighbor entry configuration 2...

Page 495: ...DHCP snooping basic configuration 90 DHCPv6 client configuration 264 264 266 DHCPv6 client IPv6 address acquisition configuration 266 DHCPv6 client IPv6 address prefix acquisition configuration 269 DHCPv6 client IPv6 prefix acquisition configuration 268 DHCPv6 client stateless DHCPv6 configuration 271 DHCPv6 relay agent configuration 258 DHCPv6 snooping configuration 274 276 280 UDP helper broadca...

Page 496: ...6 170 masking IP addressing 25 maximum segment size Use MSS message ARP configuration 1 7 ARP direct route advertisement configuration 23 ARP fast reply configuration 15 15 ARP long static entry configuration 7 ARP message format 1 ARP PnP configuration 17 18 ARP short static entry configuration 8 ARP suppression configuration 20 21 common proxy ARP configuration 13 DHCP format 33 DHCP REQUEST mes...

Page 497: ...iguration 114 NAT ADVPN configuration IPv4 full mesh NAT traversal 408 ADVPN NAT traversal 337 ALG configuration 138 ALG support 128 bidirectional NAT 124 configuration 123 129 140 configuration bidirectional external internal access domain name 153 configuration dynamic inbound 133 configuration dynamic outbound 132 configuration dynamic outbound non overlapping addresses 141 configuration dynami...

Page 498: ...4 full mesh NAT traversal 408 ADVPN configuration IPv4 full mesh 349 ADVPN configuration IPv4 hub spoke 364 ADVPN configuration IPv4 multi hub group 379 ADVPN configuration IPv6 full mesh 356 ADVPN configuration IPv6 hub spoke 372 ADVPN configuration IPv6 multi hub group 393 ADVPN NAT traversal 337 ADVPN operation 334 ADVPN tunnel interface configuration 345 AFT between IPv4 network and IPv6 netwo...

Page 499: ...nt packet DSCP value 265 DHCPv6 client stateless 265 DHCPv6 client stateless DHCPv6 configuration 271 DHCPv6 IPv6 address assignment 240 DHCPv6 IPv6 address prefix allocation sequence 242 DHCPv6 IPv6 prefix assignment 240 DHCPv6 packet DSCP value 248 DHCPv6 prefix allocation 242 DHCPv6 relay address pool configuration 260 DHCPv6 relay agent enable on interface 258 DHCPv6 relay agent Interface ID o...

Page 500: ... dynamic domain name resolution 109 IPv6 DNS client static domain name resolution 108 IPv6 DNS proxy configuration 114 IPv6 dual stack technology 208 IPv6 dynamic path MTU aging timer 223 IPv6 global unicast address 211 IPv6 ICMPv6 destination unreachable message 224 IPv6 ICMPv6 error message rate limit 223 IPv6 ICMPv6 message send 223 IPv6 ICMPv6 redirect message 225 IPv6 ICMPv6 time exceeded mes...

Page 501: ...oadcast conversion 201 UDP helper multicast to broadcast unicast conversion 198 Network Address Translation Protocol Translation Use NAT PT network management adjacency table display 180 adjacency table displaying commands 181 ADVPN configuration 332 337 349 ADVPN structure 332 AFT configuration 429 433 439 ARP configuration 1 7 ARP direct route advertisement configuration 23 ARP fast reply config...

Page 502: ... 188 IPPO TCP SYN cookie 189 IPPO TCP timers 190 option DHCP field 34 DHCP option customization 47 DHCP server option customization 63 DHCPv6 relay agent Interface ID option padding 259 Option 121 DHCP 34 Option 150 DHCP 34 Option 18 Option 018 DHCPv6 snooping 275 275 Option 184 DHCP reserved option 34 36 voice client parameters 46 Option 3 DHCP Option 003 DHCP 34 Option 33 DHCP Option 033 DHCP 34...

Page 503: ...link local address configuration 213 IPv6 max number NS message sent attempts 218 IPv6 multicast echo request reply 224 IPv6 NAT PT technology 209 IPv6 ND configuration 214 IPv6 ND duplicate address detection 206 IPv6 ND dynamic neighbor entries max number 215 IPv6 ND hop limit 216 IPv6 ND link local entry minimization 216 IPv6 ND neighbor reachability detection 206 IPv6 ND protocol address resolu...

Page 504: ...rt 84 DHCP snooping untrusted port 84 DHCPv6 snooping basic configuration 277 DHCPv6 snooping configuration 274 276 280 DHCPv6 snooping Option 18 configuration 277 DHCPv6 snooping Option 37 configuration 277 DHCPv6 snooping trusted port 274 DHCPv6 snooping untrusted port 274 DS Lite NAT444 126 NAT server ACL based 136 NAT server common 134 NAT server load sharing 135 NAT server configuration 134 N...

Page 505: ...amic entry aging timer 5 configuring ARP fast reply 15 configuring ARP long static entry 7 configuring ARP PnP 18 configuring ARP short static entry 8 configuring ARP static entry 3 configuring ARP suppression 21 configuring automatic IPv4 compatible IPv6 tunnel 297 297 configuring common proxy ARP 13 configuring DDNS PeanutHull server 121 configuring DDNS www 3322 org 120 configuring DDNS client ...

Page 506: ...e tracking 102 configuring DNS proxy 101 configuring DNS spoofing 101 configuring DNS trusted interface 103 configuring DS Lite tunnel 311 312 configuring gratuitous ARP 10 configuring GRE IPv4 tunnel 322 configuring GRE IPv6 tunnel 323 configuring IP addressing 27 configuring IP addressing IP unnumbered 26 29 configuring IP services IRDP 183 184 configuring IPPO directed broadcast receive forward...

Page 507: ...AT static inbound net to net 131 configuring NAT static outbound 1 1 129 140 configuring NAT static outbound net to net 130 configuring NAT static 129 configuring NAT hairpin 137 configuring NAT hairpin C S mode 156 configuring NAT hairpin P2P mode 159 configuring NAT server 134 configuring NAT server ACL based 136 configuring NAT server common 134 configuring NAT server external internal access 1...

Page 508: ...oping starvation attack protection 88 enabling DHCP REQUEST message attack protection 89 enabling DHCPv6 relay agent on interface 258 enabling DHCPv6 REQUEST check 279 enabling direct route advertisement 221 enabling gratuitous ARP IP conflict notification 10 enabling IPPO directed broadcast receive forward 186 enabling IPPO ICMP error message send 190 enabling IPPO IPv4 local fragment reassembly ...

Page 509: ...nt client gateway address 74 specifying DHCP relay agent server 68 specifying DHCP relay agent source gateway address 74 specifying DHCP server address pool IP address range 40 specifying DHCPv6 client gateway address 260 specifying DHCPv6 relay agent Interface ID option padding mode 259 specifying DHCPv6 relay agent server 258 specifying DNS packet source interface 102 specifying flow classificat...

Page 510: ...ration 75 DHCP relay agent Option 82 76 DHCP relay agent packet DSCP value 72 DHCP relay agent source gateway address 74 DHCP relay entry periodic refresh 69 DHCP relay entry recording 69 DHCP security functions 69 DHCP server proxy 72 DHCP server specification on relay agent 68 DHCP snooping configuration 83 85 90 DHCP starvation attack protection 70 DHCPv6 client gateway address 260 DHCPv6 confi...

Page 511: ...ses 24 IP addressing configuration 24 27 27 IP addressing interface address 25 IP addressing IP unnumbered 26 IP addressing IP unnumbered configuration 29 IP addressing masking 25 IP addressing subnetting 25 IP forwarding 173 IP forwarding optimal route selection 173 IP services fast forwarding aging time configuration 177 IP services fast forwarding configuration 177 IP services fast forwarding l...

Page 512: ... agent server 68 72 DHCP server BOOTP request ignore 51 DHCP server BOOTP response format 52 DHCP server IP address dynamic assignment 58 DHCP server IP address static assignment 57 DHCP server option customization 63 DHCP server packet DSCP value 52 DHCP server response broadcast 51 DHCP server subnet 62 DHCP server user class 60 DHCP server user class whitelist 61 DHCP voice client Option 184 pa...

Page 513: ...y address 74 DHCP server address pool IP address range 40 DHCPv6 client gateway address 260 DHCPv6 relay agent Interface ID option padding mode 259 DHCPv6 relay agent server 258 DNS packet source interface 102 flow classification policy 179 IPPO ICMP packet source address 192 IPv6 ICMPv6 packet source address 225 IPv6 interface link local address manually 213 spoke ADVPN hub group spoke private ad...

Page 514: ...ongestion algorithm optimization 417 increased buffering 417 selective acknowledgement 417 slow start optimization 417 WAAS policy configuration 420 time IP services ICMPv6 time exceeded message 225 timer ADVPN VAM client dumb timer 344 344 ADVPN VAM client retry timer times 344 344 ADVPN VAM server retry timer configuration 342 ARP dynamic entry aging timer 5 IPPO TCP FIN wait timer 190 IPPO TCP ...

Page 515: ...guration 314 315 IPv6 IPv6 tunneling implementation 291 ISATAP tunnel configuration 303 304 Layer 3 virtual tunnel interface 292 maintain 316 protocols and standards 291 troubleshoot configuration 317 tunnel types 285 288 twice NAT 124 type bidirectional NAT 124 NAT Easy IP 123 NAT EIM entry 127 NAT NO PAT entry 127 NAT session entry 126 traditional NAT 123 twice NAT 124 U UDP helper broadcast to ...

Page 516: ...class 60 DHCP snooping basic configuration 90 DHCPv6 client configuration 264 264 266 DHCPv6 client IPv6 address acquisition configuration 266 DHCPv6 client IPv6 address prefix acquisition configuration 269 DHCPv6 client IPv6 prefix acquisition configuration 268 DHCPv6 client stateless DHCPv6 configuration 271 DHCPv6 relay agent configuration 258 DHCPv6 snooping configuration 274 276 280 UDP helpe...

Page 517: ...licy configuring 420 WAN predefined WAAS policy configuration 423 TFO congestion algorithm optimization 417 TFO increased buffering 417 TFO selective acknowledgement 417 TFO slow start optimization 417 user defined WAAS policy configuration 425 WAAS configuration 417 423 WAAS policy application to interface 420 whitelist DHCP server user class whitelist 61 DHCP user class whitelist 48 Wide Area Ap...