V200R002C00
Issue 01
Date 2012-03-30
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2012-03-30)
Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
TIP
NOTE
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
About This Document
1 ARP Configuration
1.1 ARP Overview
1.2 ARP Features Supported by the AR2200-S
1.3 Configuring Static ARP
1.3.1 Establishing the Configuration Task
1.3.2 Configuring a Static ARP Entry
1.3.3 Configuring a Static ARP Entry in a VLAN
1.3.4 Configuring a Static ARP Entry in a VPN Instance
1.3.5 Checking the Configuration
1.4 Optimizing Dynamic ARP
1.4.1 Establishing the Configuration Task
1.4.2 Adjusting Parameters of Dynamic ARP Entries
1.4.3 Enabling ARP Suppression
1.4.4 Enabling Layer 2 Topology Detection
1.4.5 Checking the Configuration
1.5 Configuring Routed Proxy ARP
1.5.1 Establishing the Configuration Task
1.5.2 Configuring an IP Address for an Interface
1.5.3 Configuring Routed Proxy ARP
1.5.4 Checking the Configuration
1.6 Configuring Intra-VLAN Proxy ARP
1.6.1 Establishing the Configuration Task
1.6.2 Configuring an IP Address for an Interface
1.6.3 (Optional) Configuring the VLAN ID of a Sub-interface
1.6.4 Enabling Intra-VLAN Proxy ARP
1.6.5 Checking the Configuration
1.7 Configuring Inter-VLAN Proxy ARP
1.7.1 Establishing the Configuration Task
1.7.2 Configuring an IP Address for an Interface
1.7.3 (Optional) Configuring the VLAN ID of the Sub-interface
1.7.4 Enabling Inter-VLAN Proxy ARP
1.7.5 Checking the Configuration
2 IP Address Configuration
2.1 IP Address Overview
2.2 IP Addresses Supported by the AR2200-S
2.3 Configuring IP Addresses for an Interface
2.3.1 Establishing the Configuration Task
2.3.2 Configuring a Primary IP Address for an Interface
2.3.3 (Optional) Configuring a Secondary IP Address for an Interface
2.3.4 Checking the Configuration
2.4 Configuring IP Address Unnumbered on an Interface
2.4.1 Establishing the Configuration Task
2.4.2 Configuring a Primary IP Address for the Interface from Which an IP Address Will Be Borrowed
2.4.3 Configuring IP Address Unnumbered on an Interface
2.4.4 Checking the Configuration
2.5 Configuration Examples
2.5.1 Example for Configuring Primary and Secondary IP Addresses for an Interface
2.5.2 Example for Configuring IP Address Unnumbered on an Interface
4 DNS Configuration
4.1 DNS Overview
4.2 DNS Features Supported by the AR2200-S
4.3 Configuring a DNS Client
4.3.1 Establishing the Configuration Task
4.3.2 Configuring Static DNS
4.3.3 Configuring Dynamic DNS
4.3.4 Checking the Configuration
4.4 Configuring DNS Proxy or Relay
4.4.1 Establishing the Configuration Task
4.4.2 Configuring a DNS Server
4.4.3 (Optional) Configuring DNS Spoofing
4.4.4 (Optional) Setting the Aging Time of DNS Entries
5 NAT Configuration
5.1 NAT Overview
5.2 NAT Features Supported by the AR2200-S
5.3 Configuring NAT
5.3.1 Establishing the Configuration Task
5.3.2 Configuring an Address Pool
5.3.3 Associating an ACL with an Address Pool
5.3.4 Configuring Easy IP
5.3.5 Configuring an Internal Server
5.3.6 Configuring Static NAT
5.3.7 Enabling NAT ALG
5.3.8 Configuring NAT Filtering
5.3.9 Configuring NAT Mapping
5.3.10 Configuring DNS Mapping
5.3.11 Configuring Twice NAT
5.3.12 Checking the Configuration
5.4 Configuration Examples
5.4.1 Example for Configuring the NAT Server
5.4.2 Example for Configuring Outbound NAT
5.4.3 Example for Configuring Twice NAT
6 DHCP Configuration
6.1 DHCP Overview
6.2 DHCP Features Supported by the AR2200-S
6.3 Configuring a DHCP Server Based on a Global Address Pool
6.3.1 Establishing the Configuration Task
6.3.2 Configuring an Interface to Select a Global Address Pool for IP Address Allocation
6.3.3 Configuring Global Address Pool Attributes
6.3.4 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client
6.3.5 (Optional) Configuring the Static DNS Service on a DHCP Client
6.3.6 (Optional) Configuring the Static NetBIOS Service on a DHCP Client
6.3.7 (Optional) Configuring User-Defined DHCP Options of the Global Address Pool
6.3.8 (Optional) Configuring the Function That Prevents Identical IP Addresses
6.3.9 (Optional) Configuring the DHCP Data Saving Function
6.3.10 Checking the Configuration
6.4 Configuring a DHCP Server Based on an Interface Address Pool
6.4.1 Establishing the Configuration Task
6.4.2 Configuring Interface Address Pool Attributes
6.4.3 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client
6.4.4 (Optional) Configuring the Static DNS Service on a DHCP Client
6.4.5 (Optional) Configuring the Static NetBIOS Service on a DHCP Client
6.4.6 (Optional) Configuring User-Defined DHCP Options of the Interface Address Pool
6.4.7 (Optional) Configuring the Function That Prevents Identical IP Addresses
6.4.8 (Optional) Configuring the DHCP Data Saving Function
6.4.9 Checking the Configuration
6.5 Configuring a DHCP Relay Agent
6.5.1 Establishing the Configuration Task
6.5.2 Configuring an Interface to Function as a DHCP Relay Agent
6.5.3 Specifying a Server Group on the DHCP Relay Agent
6.5.4 Binding a DHCP Server Group to a DHCP Relay Interface
6.5.5 (Optional) Configuring the DHCP Relay Agent to Instruct the DHCP Server to Reclaim the Client IP address
6.5.6 Checking the Configuration
6.6 Configuring a DHCP/BOOTP Client
6.6.1 Establishing the Configuration Task
6.6.2 (Optional) Configuring the DHCP/BOOTP Client Attributes
6.6.3 Enabling the DHCP/BOOTP Client
6.6.4 Checking the Configuration
6.7 Configuring the DHCP Rate Limit Function
6.8 Maintaining DHCP
6.8.1 Clearing DHCP Statistics
6.8.2 Monitoring the Operating Status of DHCP
6.9 Configuration Examples
6.9.1 Example for Configuring a DHCP Server Based on a Global Address Pool in the Scenario Where DHCP Clients and the DHCP Server Are on the Same Network Segment
6.9.2 Example for Configuring a DHCP Server Based on an Interface Address Pool in the Scenario Where DHCP Clients and the Server Are on the Same Network Segment
6.9.3 Example for Configuring a DHCP Server and a DHCP Relay Agent When the DHCP Server and Clients Are on Different Network Segments
6.9.4 Example for Configuring the DHCP and BOOTP Clients
7 IP Performance Configuration
7.1 IP Performance Overview
7.2 IP Performance Features Supported by the AR2200-S
7.3 Optimizing IP Performance
7.3.1 Establishing the Configuration Task
7.3.2 Checking Validity of Source IP Addresses of Received Packets
7.3.3 Controlling IP packets with Source Route Options
7.3.4 Setting the Route Delivery Mode of an LPU
7.3.5 Configuring an Interface to Forward Broadcast Packets
7.3.6 Configuring an Outbound Interface to Fragment IP Packets
7.3.7 Configuring an Interface to Send ICMP Redirection Packets
7.3.8 Setting the Mode in Which Protocol Packets Are Sent
7.3.9 Disabling the Routing and Forwarding Function on High-end LAN Cards
7.3.10 Checking the Configuration
7.4 Configuring Load Balancing for IP Packet Forwarding
7.4.1 Establishing the Configuration Task
7.4.2 Configuring the Unequal-Cost Multiple Path During IP Packet Forwarding
7.4.3 Checking the Configuration
7.5 Configuring TCP Attributes
7.5.1 Establishing the Configuration Task
7.5.2 Setting Values of TCP Timers
7.5.3 Setting the Aging Time of the PMTU
7.5.4 Setting the Size of the TCP Sliding Window
7.5.5 Setting the MSS of TCP Packets on an Interface
7.5.6 Checking the Configuration
7.6 Maintaining IP Performance
7.6.1 Clearing IP Performance Statistics
7.6.2 Monitoring the IP Running Status
7.7 Configuration Examples
7.7.1 Example for Disabling the Sending of ICMP Redirection Packets
7.7.2 Example for Configuring UCMP
1 ARP Configuration
ARP
ARP is classified into the following types:
• Static ARP: Mappings between IP addresses and MAC addresses are configured manually.
• Dynamic ARP: Dynamic ARP entries are maintained by the ARP protocol.
Proxy ARP
The AR2200-S supports the following types of proxy ARP:
• Proxy ARP within a VLAN implements the interworking between isolated users in the same VLAN.
ARPing
ARPing is classified into ARP-Ping IP and ARP-Ping MAC. ARPing facilitates maintenance of
deployed Layer 2 features.
ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.
ARP-Ping MAC checks whether a MAC address on a LAN is in use by sending Internet Control
Message Protocol (ICMP) packets.
Applicable Environment
Static ARP entries ensure communication between the local device and another specified device.
Because each static entry binds an IP address to a manually specified MAC address, attackers
cannot modify the mapping between the IP address and the MAC address in that entry.
When static ARP and the Virtual Router Redundancy Protocol (VRRP) are configured on the
router, the IP address in a static ARP entry cannot be set to the VRRP virtual IP address on a
sub-interface for dot1q VLAN tag termination, a sub-interface for VLAN tag termination, or a
VLANIF interface. Otherwise, an incorrect host route is generated, causing forwarding errors.
Pre-configuration Tasks
Before configuring static ARP, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Setting network layer protocol parameters for the interfaces to ensure that the routing protocol status on the interfaces is Up
Data Preparation
To configure static ARP, you need the following data.
No.
Data
Name of the VPN instance and ID of the VLAN that a static ARP entry
belongs to
Context
NOTE
To configure static ARP entries for double-tagged packets, run the arp static cevid command.
Procedure
Step 1 Run:
system-view
• Run the display arp [ all ] command to check all ARP entries, including static ARP entries and dynamic ARP entries.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check ARP entries on the specified network segment.
• Run the display arp static command to check static ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR2200-S or the specified interface.
----End
Example
# Display all the static ARP entries.
<Huawei> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
1.1.1.1         0efc-0505-86e3            S-
                                          10/
129.102.0.1     0e00-fc01-0000            S-
11.0.0.1        aa00-fcc0-1200            S-
                                          3/
------------------------------------------------------------------------------
Total:3         Dynamic:0       Static:3     Interface:0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
129.102.0.1     00e0-fc01-0000            S-
118.118.118.1   0018-2000-0083            I           Vlanif11    vpna
10.1.1.1        0018-2000-0083            I           Vlanif10
100.1.1.116     0018-2000-0083            I           Eth2/0/0
100.1.1.118     0001-0c01-3401  14        D-0         Eth2/0/0
100.1.1.4       0016-ecb7-a879  18        D-0         Eth2/0/0
------------------------------------------------------------------------------
Total:6         Dynamic:2       Static:1     Interface:3
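The purpose stated earlier for static ARP (keeping attackers from changing IP-to-MAC mappings) can be checked against the table that display arp prints. The Python below is an added example, not code from Huawei or from the original guide: it parses text in the display arp column layout, compares it with an operator-supplied list of expected bindings, and flags mismatches, expected hosts that exist only as dynamic entries, and one MAC answering for several dynamic IP addresses. SAMPLE, EXPECTED, ArpEntry and all function names are assumptions made for this example, and the sample table is constructed.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample in the "display arp" column layout; all values are made up.
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1        00e0-fc99-9999            I -         Vlanif10
10.1.1.254      00e0-fc01-0203            S--
10.1.1.20       0016-ecb7-a879  18        D-0         Eth2/0/0
10.1.1.30       0001-0c01-3401  14        D-0         Eth2/0/0
10.1.1.31       0001-0c01-3401  3         D-0         Eth2/0/0
------------------------------------------------------------------------------
Total:5         Dynamic:3       Static:1     Interface:1
"""

# Hypothetical inventory of the bindings the operator expects for key hosts.
EXPECTED = {
    "10.1.1.254": "00e0-fc01-0203",
    "10.1.1.20": "0016-ecb7-a879",
    "10.1.1.30": "0025-9e38-a09e",
}

_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
_SUMMARY = re.compile(r"Total:(\d+)\s+Dynamic:(\d+)\s+Static:(\d+)\s+Interface:(\d+)")


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    expire: Optional[int]      # minutes left; blank for static/interface rows
    kind: str                  # first letter of TYPE: S, D or I
    interface: Optional[str]


def parse_display_arp(text):
    """Return one ArpEntry per table row; all other lines are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or not _IP.match(tok[0]) or not _MAC.match(tok[1].lower()):
            continue               # header, separator, VLAN or summary line
        rest = tok[2:]
        expire = None
        if rest[0].isdigit():
            expire, rest = int(rest[0]), rest[1:]
        if not rest or rest[0][0] not in "SDI":
            continue
        extra = [t for t in rest[1:] if t != "-"]
        entries.append(ArpEntry(tok[0], tok[1].lower(), expire,
                                rest[0][0], extra[0] if extra else None))
    return entries


def counts_match(text, entries):
    """Compare parsed rows with the Total/Dynamic/Static/Interface footer."""
    m = _SUMMARY.search(text)
    if not m:
        return False
    kinds = [e.kind for e in entries]
    parsed = (len(kinds), kinds.count("D"), kinds.count("S"), kinds.count("I"))
    return parsed == tuple(int(g) for g in m.groups())


def audit(entries, expected):
    """Return (finding, ip, mac) tuples for bindings that need attention."""
    findings = []
    by_ip = {e.ip: e for e in entries}
    for ip, mac in sorted(expected.items()):
        entry = by_ip.get(ip)
        if entry is None:
            continue                   # not resolved yet, nothing to compare
        if entry.mac != mac.lower():
            findings.append(("mac-mismatch", ip, entry.mac))
        elif entry.kind == "D":
            # Correct today, but a dynamic entry can still be updated by ARP.
            findings.append(("not-static", ip, entry.mac))
    # One MAC answering for several dynamically learned IPs. Interface (I)
    # rows are skipped because the device's own interfaces may share a MAC.
    claimed = defaultdict(list)
    for e in entries:
        if e.kind == "D":
            claimed[e.mac].append(e.ip)
    for mac, ips in sorted(claimed.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    table = parse_display_arp(SAMPLE)
    print("footer consistent:", counts_match(SAMPLE, table))
    for finding in audit(table, EXPECTED):
        print(*finding)
```

Only the first letter of the TYPE column is read, so rows whose type field lost characters in extraction still parse.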
Applicable Environment
Dynamic ARP entries are maintained dynamically by the ARP protocol. They can be aged out,
updated, or overridden by static ARP entries. When the aging time is reached or the interface is
Down, corresponding dynamic ARP entries are deleted.
The AR2200-S can dynamically create dynamic ARP entries. You can adjust parameters of
dynamic ARP entries to optimize forwarding performance of the AR2200-S.
Pre-configuration Tasks
Before optimizing Dynamic ARP, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Data Preparation
To optimize Dynamic ARP, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
• Run the display arp [ all ] command to check all ARP entries, including static ARP entries and dynamic ARP entries.
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check ARP entries on the specified network segment.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR2200-S or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on GE1/0/0.
<Huawei> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I           GE1/0/0     r1
192.168.1.1     0000-0a41-0200  15        D-6         GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.137.217.210  00e0-fc01-0203            I           GE1/0/0
10.137.216.1    0025-9e38-a09e  20        D-0         GE1/0/0
10.137.217.208  00e0-fc01-0205  16        D-0         GE1/0/0
10.2.2.1        00e0-fc99-9999            I           Eth-Trunk0
10.6.3.34       00e0-fc01-0204            I           GE2/0/0.1
192.168.20.1    00e0-fc99-9999            I           Vlanif100
10.0.0.1        00e0-fc99-9999            I           Vlanif200
------------------------------------------------------------------------------
Total:7         Dynamic:2       Static:0     Interface:5
Applicable Environment
If two hosts on different network segments are not configured with default gateways, you
can enable routed proxy ARP on a routing device connecting the two hosts to resolve IP
addresses between the two hosts.
Pre-configuration Tasks
Before configuring routed proxy ARP, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical layer status of the interfaces is Up
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
Data Preparation
To configure routed proxy ARP, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP entries on the specified interface.
- Run the display arp dynamic command to check dynamic ARP entries.
- Run the display arp statistics { all | interface interface-type interface-number } command
  to check statistics on ARP entries on the AR2200-S or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on GE1/0/0.
<Huawei> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
# Run the display arp vpn-instance command, and you can view all the ARP entries in the
VPN instance r1.
<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I    Vlanif888
10.10.10.6      0018-2000-0083            I    Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0    Interface:2
# Run the display arp statistics command, and you can view the statistics on ARP entries.
<Huawei> display arp statistics all
Dynamic:1       Static:0
Applicable Environment
If two users are connected to Layer 2 isolated interfaces in the same VLAN, you can enable
intra-VLAN proxy ARP to implement Layer 3 communication between the two users.
Pre-configuration Tasks
Before configuring intra-VLAN proxy ARP, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical layer status of the interfaces is Up
- Configuring a VLAN
Data Preparation
To configure intra-VLAN proxy ARP, you need the following data.
No.
Data
VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN
Procedure
Step 1 Run:
system-view
Context
NOTE
You must complete this task before you enable intra-VLAN proxy ARP on Ethernet sub-interfaces, GE
sub-interfaces, or Eth-Trunk sub-interfaces. You can skip this step when you are enabling intra-VLAN
proxy ARP on the VLANIF interface.
Procedure
Step 1 Run:
system-view
The control VLAN and encapsulation mode of the sub-interface are configured.
Step 4 Run:
dot1q termination vid vid
Procedure
Step 1 Run:
system-view
Procedure
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP entries on the specified interface.
- Run the display arp dynamic command to check dynamic ARP entries.
- Run the display arp statistics { all | interface interface-type interface-number } command
  to check statistics on ARP entries on the AR2200-S or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on GE1/0/0.
<Huawei> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
# Run the display arp vpn-instance command, and you can view all the ARP entries in the
VPN instance r1.
<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I    Vlanif888
10.10.10.6      0018-2000-0083            I    Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0    Interface:2
# Run the display arp statistics command, and you can view the statistics on ARP entries.
<Huawei> display arp statistics all
Dynamic:1       Static:0
Applicable Environment
The VLAN aggregation technology isolates broadcast domains by using multiple VLANs on a
physical network so that different VLANs belong to the same subnet. This technology introduces
the super-VLAN and sub-VLAN. A super-VLAN contains one or more sub-VLANs in different
broadcast domains. A sub-VLAN does not occupy an independent subnet segment. In a
super-VLAN, IP addresses of hosts in different sub-VLANs are on the subnet segment
corresponding to the super-VLAN.
Sub-VLANs use the same Layer 3 interface to communicate. This reduces subnet IDs and subnet
default gateway addresses. The VLAN aggregation function allows different broadcast domains
to use the same subnet address, implements flexible addressing, and saves IP addresses.
Hosts in different sub-VLANs of a super-VLAN cannot communicate with each other. To enable
these hosts to communicate with each other, you can enable inter-VLAN proxy ARP on the
sub-interface or VLANIF interface corresponding to the super-VLAN.
Pre-configuration Tasks
Before configuring inter-VLAN proxy ARP, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical layer status of the interfaces is Up
Data Preparation
To configure inter-VLAN proxy ARP, you need the following data.
No.
Data
VLAN ID associated with the interface to be enabled with proxy ARP between
VLANs
Procedure
Step 1 Run:
system-view
The IP address of the interface must be on the same network segment as the IP address of the
user in a VLAN that the interface belongs to.
----End
Context
NOTE
You must complete this task before you enable inter-VLAN proxy ARP on Ethernet sub-interfaces, GE
sub-interfaces, or Eth-Trunk sub-interfaces. You can skip this task if you are enabling inter-VLAN proxy
ARP on the VLANIF interface.
Procedure
Step 1 Run:
system-view
The control VLAN and encapsulation mode of the sub-interface are configured.
Step 4 Run:
dot1q termination vid vid
Procedure
Step 1 Run:
system-view
Or, run:
interface vlanif vlan-id
Procedure
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP entries on the specified interface.
- Run the display arp dynamic command to check dynamic ARP entries.
- Run the display arp statistics { all | interface interface-type interface-number } command
  to check statistics on ARP entries on the AR2200-S or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on GE1/0/0.
<Huawei> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
# Run the display arp vpn-instance command, and you can view all the ARP entries in the
VPN instance r1.
<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I    Vlanif888
10.10.10.6      0018-2000-0083            I    Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0    Interface:2
# Run the display arp statistics command, and you can view the statistics on ARP entries.
<Huawei> display arp statistics all
Dynamic:1       Static:0
Applicable Environment
ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.
Before configuring an IP address for a device, ensure that this IP address is not in use by sending
ARP packets. You can configure ARP-Ping IP on the device.
Pre-configuration Tasks
Before configuring ARP-Ping IP, complete the following task:
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
Data Preparation
To configure ARP-Ping IP, you need the following data.
No.
Data
IP address to be checked
Context
ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets. You
can also use the ping command to check whether an IP address is in use, but the result of this
method may be inaccurate. The ping command sends ICMP Echo Request packets, which are
Layer 3 packets. If the destination host or the routing device enabled with the firewall function
is configured not to respond to ICMP Echo Request packets, the destination host or the routing
device does not send ICMP Reply packets. Consequently, the IP address is considered unused.
ARP packets, which are Layer 2 protocol packets, can pass through a firewall that is configured
not to reply to ICMP Echo Request packets; therefore, the result of ARP-Ping IP is accurate.
Procedure
Step 1 Run:
arp-ping ip ip-address [ interface interface-type interface-number [ vlan-id vlan-id ] ]
Example
Applicable Environment
If you know the specific MAC address but not the corresponding IP address on a network
segment, you can obtain the corresponding IP address by using ARP-Ping MAC to broadcast
ICMP packets. In this way, you can obtain the IP address mapping the MAC address on the
network segment.
Pre-configuration Tasks
Before configuring ARP-Ping MAC, complete the following task:
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Data Preparation
To configure ARP-Ping MAC, you need the following data.
No.
Data
Procedure
Step 1 Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number }
The AR2200-S is configured to check whether the MAC address is in use on a LAN.
----End
Example
MAC ADDRESS
00-E0-FC-03-02-01
Context
CAUTION
- After ARP entries are deleted, mappings between IP addresses and MAC addresses are
  deleted. As a result, users may fail to access some devices. Exercise caution when you delete
  ARP entries.
- Static ARP entries cannot be restored after being deleted. Exercise caution when you delete
  static ARP entries.
Procedure
Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number | packet
statistics | static } command in the user view to delete ARP entries.
----End
Context
To check the ARP running status during routine maintenance, run the following display
commands in any view.
Procedure
- Run the display arp [ all ] command to check all ARP entries, including static ARP entries
  and dynamic ARP entries.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP entries on the specified interface.
- Run the display arp network net-number net-mask [ dynamic | static ] command to check
  ARP entries on the specified network segment.
- Run the display arp static command to check static ARP entries.
- Run the display arp dynamic command to check dynamic ARP entries.
- Run the display arp statistics { all | interface interface-type interface-number } command
  to check statistics on ARP entries on the AR2200-S or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on GE1/0/0.
<Huawei> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
# Run the display arp dynamic command, and you can view all the dynamic ARP entries.
<Huawei> display arp dynamic
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.137.217.210  00e0-fc01-0203            I    GE1/0/0
10.137.216.1    0025-9e38-a09e  20        D-0  GE1/0/0
10.137.217.208  00e0-fc01-0205  16        D-0  GE1/0/0
10.2.2.1        00e0-fc99-9999            I    Eth-Trunk0
10.6.3.34       00e0-fc01-0204            I    GE2/0/0.1
192.168.20.1    00e0-fc99-9999            I    Vlanif100
10.0.0.1        00e0-fc99-9999            I    Vlanif200
------------------------------------------------------------------------------
Total:7         Dynamic:2       Static:0    Interface:5
Networking Requirements
As shown in Figure 1-1, the Router connects departments of a company and each department
joins different VLANs. Hosts in the headquarters office and the file backup server are allocated
manually configured IP addresses, and hosts in departments dynamically obtain IP addresses by
using DHCP. Hosts in the marketing department can access the Internet and are often attacked
by ARP packets. Attackers attack the Router and modify dynamic ARP entries on the Router.
As a result, communication between hosts in the headquarters office and external devices is
interrupted and hosts in departments fail to access the file backup server. The company requires
that static ARP entries be configured on the Router so that hosts in the headquarters office can
communicate with external devices and hosts in departments can access the file backup server.
Figure 1-1 (network diagram; only its labels survive): Router with interfaces Ethernet2/0/0,
Ethernet2/0/1 and Ethernet2/0/2; PC A (10.164.1.1/24, 00e0-fc01-0001); 10.164.10.1/24
(0df0-fc01-003a); Headquarters office (10.164.1.0/24, VLAN 10); Marketing department
(10.164.2.0/24, VLAN 20); R&D department (10.164.3.0/24, VLAN 30).
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static ARP entries for hosts in the headquarters office on the Router to prevent
   ARP entries of the hosts in the headquarters office from being modified in ARP attack
   packets.
2. Configure a static ARP entry for the file backup server on the Router to prevent the ARP
   entry of the file backup server from being modified in ARP attack packets.
Data Preparation
To complete the configuration, you need the following data:
- Interface connecting the Router and hosts in the headquarters office: Ethernet2/0/0
- Network segment where the IP addresses of hosts in the headquarters office are located:
  10.164.1.0/24 (PC A with IP address 10.164.1.1 is used as an example. The IP address
  10.164.1.1 maps the MAC address 00e0-fc01-0001.)
- Interface connecting the Router and the file backup server: GE3/0/0
- IP address of the file backup server: 10.164.10.1/24 (corresponding MAC address
  0df0-fc01-003a)
Procedure
Step 1 Configure static ARP entries for the host in the headquarters office on the Router.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
# Configure static ARP entries for hosts in the headquarters office. Configuring a static ARP
entry for PC A is used as an example. In the static ARP entry, the IP address 10.164.1.1 of
PC A maps the MAC address 00e0-fc01-0001, the VLAN ID is 10, and the outbound interface is
Ethernet2/0/0.
[Router] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 2/0/0
# Configure static ARP entries for other hosts in the headquarters office. The configuration
method is similar to that of PC A.
Step 2 Configure a static ARP entry for the file backup server on the Router.
# Configure an IP address for GE3/0/0.
[Router] interface gigabitEthernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 10.164.10.10 255.255.255.0
[Router-GigabitEthernet3/0/0] quit
# Configure a static ARP entry for the file backup server: The IP address 10.164.10.1/24 maps
the MAC address 0df0-fc01-003a.
[Router] arp static 10.164.10.1 0df0-fc01-003a
----End
Example
The following lists the configuration file of the Router.
#
sysname Router
#
vlan batch 10 20 30
#
interface Ethernet 2/0/0
 port hybrid tagged vlan 10
#
interface Ethernet 2/0/1
 port hybrid tagged vlan 20
#
interface Ethernet 2/0/2
 port hybrid tagged vlan 30
#
interface Vlanif 10
 ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 10.164.10.10 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 2/0/0
arp static 10.164.1.2 00e0-fc01-0002 vid 10 interface ethernet 2/0/0
arp static 10.164.1.3 00e0-fc01-0003 vid 10 interface ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a
#
return
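Added example (not part of the Huawei guide): a Python audit of display arp output in the column layout shown on this page, flagging entries that contradict, or are not yet pinned by, the static bindings from the configuration file above. The sample output, the rogue MAC 00e0-fc01-00ff, the "S" type marker for static rows and the tolerated detached "-" after TYPE are constructed assumptions.

```python
"""Audit Huawei `display arp` output against expected IP-to-MAC bindings."""
import re
from collections import defaultdict

# Bindings from the static ARP example on this page: ip -> (mac, extra arguments).
EXPECTED = {
    "10.164.1.1": ("00e0-fc01-0001", "vid 10 interface ethernet 2/0/0"),
    "10.164.1.2": ("00e0-fc01-0002", "vid 10 interface ethernet 2/0/0"),
    "10.164.1.3": ("00e0-fc01-0003", "vid 10 interface ethernet 2/0/0"),
    "10.164.10.1": ("0df0-fc01-003a", ""),
}

# Constructed sample, not captured from a device. Assumptions: 00e0-fc01-00ff
# is a made-up rogue MAC, and a TYPE starting with "S" marks a static entry.
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
------------------------------------------------------------------------------
10.164.10.10    00e0-fc99-9999            I    GE3/0/0
10.164.1.1      00e0-fc01-00ff  18        D-0  Ethernet2/0/0
10.164.1.2      00e0-fc01-0002  12        D-0  Ethernet2/0/0
10.164.1.3      00e0-fc01-00ff  20        D-0  Ethernet2/0/0
10.164.10.1     0df0-fc01-003a            S    GE3/0/0
------------------------------------------------------------------------------
Total:5         Dynamic:3       Static:1    Interface:1
"""

# One table row: IP, MAC, optional EXPIRE(M), TYPE, INTERFACE, optional
# VPN-INSTANCE. A detached "-" after TYPE is tolerated (assumed device variant).
# Header, separator, continuation and total lines do not match.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>[IDS](?:-\S*)?)(?:\s+-)?\s+"
    r"(?P<iface>[A-Za-z]\S*)"
    r"(?:\s+(?P<vpn>\S+))?\s*$"
)


def parse_display_arp(text):
    """Return one dict per ARP entry found in `display arp` output."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["mac"] = entry["mac"].lower()
            entries.append(entry)
    return entries


def audit(entries, expected):
    """Return (code, key, detail) findings for entries that need attention."""
    findings = []
    dynamic_ips_by_mac = defaultdict(list)
    for entry in entries:
        ip, mac, kind = entry["ip"], entry["mac"], entry["type"][0]
        if ip in expected:
            if mac != expected[ip][0].lower():
                # The table maps a protected IP to a MAC we did not provision.
                findings.append(("MAC_MISMATCH", ip, mac))
            elif kind == "D":
                # Correct today, but a dynamic entry can still be overwritten.
                findings.append(("NOT_PINNED", ip, mac))
        if kind == "D":
            dynamic_ips_by_mac[mac].append(ip)
    for mac, ips in dynamic_ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("SHARED_MAC", mac, sorted(ips)))
    return findings


def static_arp_commands(entries, expected):
    """Build `arp static` lines (syntax as on this page) for unpinned bindings."""
    pinned = {e["ip"] for e in entries if e["type"][0] == "S"}
    commands = []
    for ip, (mac, extra) in sorted(expected.items()):
        if ip not in pinned:
            commands.append(" ".join(p for p in ("arp static", ip, mac, extra) if p))
    return commands


if __name__ == "__main__":
    rows = parse_display_arp(SAMPLE)
    for finding in audit(rows, EXPECTED):
        print(finding)
    print("\n".join(static_arp_commands(rows, EXPECTED)))
```

A SHARED_MAC finding is a lead rather than a verdict: routed proxy ARP, as configured later on this page, also makes several IP addresses resolve to one MAC address.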
Networking Requirements
As shown in Figure 1-2, branch A and branch B of a company are located in different cities;
multiple routing devices are deployed between branches and routes are reachable; IP addresses
of the routing devices are on the same network segment 172.16.0.0/16. Branch A and branch B
belong to different broadcast domains; therefore, they cannot communicate on a LAN. Hosts of
branches are not configured with default gateway addresses; therefore, they cannot communicate
across network segments. The company requires that branch A and branch B communicate
without changing the host configurations.
Figure 1-2 Network diagram for configuring routed proxy ARP
Diagram labels: RouterA, RouterB, RouterC, RouterD, Internet; Ethernet2/0/0 (shown twice);
Branch A in VLAN10 with Host A (172.16.1.2/16, 0000-5e33-ee20); Branch B in VLAN20 with
Host B (172.16.2.2/16, 0000-5e33-ee10).
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interface connecting RouterA and branch A to VLAN 10 and add the interface
   connecting RouterB and branch B to VLAN 20.
2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to implement
   communication between the two branches.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure RouterA.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=10 ms
# View the ARP table of host A. You can see that the MAC address of host B is the MAC address
of VLANIF 10.
C:\Documents and Settings\Administrator>arp -a
Interface: 172.16.1.2 --- 0x2
  Internet Address      Physical Address      Type
  172.16.2.2            00e0-fc39-80aa        dynamic
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 10
#
interface Vlanif 10
 ip address 172.16.1.1 255.255.255.0
 arp-proxy enable
#
interface ethernet 2/0/0
 port link-type access
 port default vlan 10
#
return
Networking Requirements
As shown in Figure 1-3, hosts of the accounting department are located in a VLAN. Hosts of
the accounting department are attacked by viruses when they access the Internet. The attacked
hosts send a large number of broadcast packets, causing broadcast storms in the VLAN. As a
result, hosts cannot even communicate. The company requires that broadcast storms be
prevented to ensure communication between hosts and information security.
Figure 1-3 Networking diagram of intra-VLAN proxy ARP
Diagram labels: Router, Ethernet2/0/0; PC A and PC B in VLAN 10 (Accounting Department);
host addresses 100.1.1.100/24 and 100.1.1.10/24.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure port isolation on the downstream interface of the Router to forbid Layer 2
   communication and remove broadcast storms.
2. Enable intra-VLAN proxy ARP on the VLANIF interface to prevent broadcast storms and
   implement Layer 3 communication between hosts in the accounting department.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Add Ethernet2/0/0 to VLAN 10.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
to break
ttl=255 time=10 ms
ttl=255 time=10 ms
ttl=255 time=10 ms
ttl=255 time=10 ms
ttl=255 time=10 ms
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 10
#
interface Vlanif 10
 ip address 100.1.1.12 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
#
interface ethernet 2/0/0
 port hybrid tagged vlan 10
#
return
Network diagram labels: Router; VLAN2, VLAN3, VLAN4.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create and configure the super-VLAN and sub-VLANs.
# Create sub-VLAN 2.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit
interface ethernet 2/0/0
 port link-type access
 port default vlan 2
interface ethernet 2/0/1
 port link-type access
 port default vlan 2
# Create sub-VLAN 3.
[Router] vlan 3
[Router-vlan3] quit
interface ethernet 2/0/2
 port link-type access
 port default vlan 3
interface ethernet 2/0/3
 port link-type access
 port default vlan 3
                                EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.10.10.1      0018-2000-0083            I    Vlanif4
10.10.10.2      00e0-fc00-0002  19        D-0  Ethernet2/0/0
                                          2/
10.10.10.3      00e0-fc00-0003  19        D-0  Ethernet2/0/1
                                          2/
10.10.10.4      00e0-fc00-0004  19        D-0  Ethernet2/0/2
                                          3/
10.10.10.5      00e0-fc00-0005  19        D-0  Ethernet2/0/3
                                          3/
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0    Interface:1
----End
Example
The following lists only the configuration file of the Router.
#
sysname Router
#
vlan batch 2 to 4
#
vlan 4
 aggregate-vlan
 access-vlan 2 to 3
#
interface Vlanif4
 ip address 10.10.10.1 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
#
interface ethernet 2/0/0
 port link-type access
 port default vlan 2
#
interface ethernet 2/0/1
 port link-type access
 port default vlan 2
#
interface ethernet 2/0/2
 port link-type access
 port default vlan 3
#
interface ethernet 2/0/3
 port link-type access
 port default vlan 3
#
return
Network diagram labels: Router with Ethernet 2/0/0 and Ethernet 2/0/1 in VLAN100; VLANIF100
10.1.1.2/24; PC A 10.1.1.1/24; PC B 10.1.1.3/24.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLAN 100 and add the two Ethernet interfaces on the Router to VLAN 100 in default
mode.
# Create VLAN 100 and configure an IP address for the VLANIF interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-vlanif100] ip address 10.1.1.2 24
[Router-vlanif100] quit
interface ethernet 2/0/0
 port link-type access
 port default vlan 100
interface ethernet 2/0/1
 port link-type access
 port default vlan 100
Step 3 Restart Ethernet 2/0/0 and view changes of ARP entries and aging time.
# View ARP entries on the Router. You can see that the Router has learned the MAC address
of the PC.
[Router] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I    Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0  Ethernet2/0/0
10.1.1.3        00e0-de24-bf04  20        D-0  Ethernet2/0/1
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0    Interface:1
# Run the shutdown and undo shutdown commands on Ethernet2/0/0 and view the aging time
of ARP entries.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] shutdown
[Router-Ethernet2/0/0] undo shutdown
[Router-Ethernet2/0/0] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I    Vlanif100
10.1.1.3        00e0-de24-bf04  0         D-0  Ethernet2/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
NOTE
According to the preceding information, the ARP entries learned from Ethernet2/0/1 are deleted after
Ethernet2/0/0 is shut down. After Ethernet2/0/0 is enabled and becomes Up, the aging time of ARP entries
learned from Ethernet2/0/1 changes to 0.
# When the aging time is 0, the Router sends an ARP probe packet for updating ARP entries.
[Router-Ethernet2/0/0] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I    Vlanif100
10.1.1.3        00e0-de24-bf04  20        D-0  Ethernet2/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
NOTE
After ARP entries are updated, the aging time is restored to the default value, 1200s.
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
l2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface Ethernet 2/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet 2/0/1
 port link-type access
 port default vlan 100
#
return
2 IP Address Configuration
To save IP addresses, the AR2200-S supports the 31-bit address mask on a P2P interface. After
a 31-bit address mask is configured, there are two IP addresses on a subnet: the subnet address
and the broadcast address of the subnet. Both the addresses are called host addresses.
The AR2200-S supports the 32-bit address mask on a loopback interface.
Applicable Environment
To run IP services on an interface, you must configure IP addresses for the interface. Each
interface of the AR2200-S can be allocated multiple IP addresses, one of which is the primary
IP address and the others are secondary IP addresses.
Generally, an interface needs only the primary IP address. In special cases, secondary IP
addresses need to be configured for the interface. For example, an interface of the AR2200-S
connects to a physical network, and hosts on this physical network belong to two network
segments. To allow the AR2200-S to communicate with all the hosts on the physical network,
configure a primary IP address and a secondary IP address for the interface.
NOTE
Pre-configuration Tasks
Before configuring IP addresses for an interface, complete the following tasks:
- Connecting interfaces and setting physical parameters of each interface so that the physical
  status of the interfaces is Up
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
Data Preparation
To configure IP addresses for an interface, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
----End
Example
# Run the display ip interface command to view information about the IP address on
GigabitEthernet1/0/0.
<Huawei> display ip interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 11022, bytes : 660443, multicasts : 0
output packets : 9634, bytes : 533292, multicasts : 0
Directed-broadcast packets:
 received packets:         1796, sent packets:               0
 forwarded packets:           0, dropped packets:            0
ARP packet input number:      52872
  Request packet:             52852
  Reply packet:                  20
  Unknown packet:                 0
Internet Address is 10.137.217.210/23
Broadcast address : 10.137.217.255
# Run the display ip interface brief command to view brief information about the IP address
on GigabitEthernet1/0/0.
<Huawei> display ip interface brief gigabitethernet 1/0/0
*down: administratively down
(l): loopback
(s): spoofing
Interface                   IP Address/Mask      Physical   Protocol
GigabitEthernet1/0/0        10.137.217.210/23    up         up
Applicable Environment
In some application environments, an interface needs to be configured to borrow an IP address
from another interface to save IP addresses. If an interface is seldom used, a fixed IP address is
unnecessary. You can configure the interface to borrow an IP address from another interface.
Pre-configuration Tasks
Before configuring IP address unnumbered on an interface, complete the following tasks:
- Setting physical attributes of the IP unnumbered interface and the interface from which an
  IP address will be borrowed
- Setting link layer protocols of the IP unnumbered interface and the interface from which
  an IP address will be borrowed
Data Preparation
To configure IP address unnumbered on an interface, you need the following data.
No.
Data
NOTE
Only the configurations related to IP address unnumbered are described here. The procedure for configuring
a static route to the peer device is not mentioned here.
The IP unnumbered interface cannot be enabled with dynamic routing protocols because it does not have
an IP address itself. To implement communication between the AR2200-S and the peer device, configure
a static route to the peer device.
The view of the interface from which an IP address will be borrowed is displayed.
The interface can be an Ethernet interface, a loopback interface, an Eth-Trunk interface, or a
VLANIF interface.
Step 3 Run:
ip address ip-address { mask | mask-length }
A primary IP address is configured for the interface from which an IP address will be borrowed.
An interface has only one primary IP address. If you configure a new primary address on an
interface that already has a primary IP address, the new IP address overrides the original one.
----End
The IP unnumbered interface is configured to borrow an IP address from the specified interface.
----End
----End
Example
# Run the display ip interface command to view information about GE2/0/0 borrowing an IP
address from LoopBack0.
<Huawei> display ip interface gigabitethernet 2/0/0
GigabitEthernet2/0/0 is standby,
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
Directed-broadcast packets:
 received packets:            0, sent packets:               0
 forwarded packets:           0, dropped packets:            0
ARP packet input number:          0
  Request packet:                 0
  Reply packet:                   0
  Unknown packet:                 0
Internet Address is unnumbered, using address of LoopBack0(202.117.23.45/24)
Broadcast address : 202.117.23.255
TTL being 1 packet number:        0
TTL invalid packet number:        0
ICMP packet input number:         0
  Echo reply:                     0
  Unreachable:                    0
  Source quench:                  0
  Routing redirect:               0
  Echo request:                   0
  Router advert:                  0
  Router solicit:                 0
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure primary and secondary IP addresses for the interface on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] ip address 172.16.1.1 24
[Router-Ethernet2/0/0] ip address 172.16.2.1 24 sub
Ping a host on network segment 172.16.2.0 from the Router. The ping operation succeeds.
<Router> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
interface Ethernet2/0/0
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
return
[Figure: networking diagram with RouterA, RouterB, RouterC, PC 1 and PC 2. Labels recovered: LoopBack 0 9.9.9.9/32; LoopBack 0 6.6.6.6/32; Tunnel 0/0/1 at each end of the tunnel.]
Configuration Roadmap
The configuration roadmap is as follows:
- Configure OSPF.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure RouterA.
# Configure an IP address for Loopback0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 6.6.6.6 32
[RouterA-LoopBack0] quit
# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
----End
Configuration Files
Serial interfaces (Only the Serial interfaces configured with PPP or HDLC as the link
protocol support IPv6.)
POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol
support IPv6.)
Tunnel interfaces
Loopback interfaces
VLANIF interfaces
IPv6 Address
A 128-bit IPv6 address has the following formats:
- X:X:X:X:X:X:X:X
  In this format, a 128-bit IP address is divided into eight groups. The 16 bits of each group
  are represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups are
  separated by colons. Every "X" represents a group of hexadecimal values.
- X:X:X:X:X:X:d.d.d.d
  This format is for the following types of addresses:
  - IPv4-compatible IPv6 address
  - IPv4-mapped IPv6 address
  In this type of address, "X" represents the first six groups of numbers. Each "X" stands for
  16 bits that are represented by hexadecimal numbers. "d" represents the subsequent four
  groups of numbers. Each "d" stands for eight bits that are represented by decimal numbers.
  "d.d.d.d" is a standard IPv4 address.
IPv6 PMTU
Generally, the problem that different networks have different Maximum Transmission Units
(MTU) can be solved in the following ways:
- Devices fragment packets as required. The source host only needs to fragment packets;
  however, the intermediate router not only needs to fragment packets, but also to reassemble
  packets.
- The source host sends packets based on a proper MTU so that packets need not be
  fragmented on the intermediate router. In such a case, packet processing burden on the
  intermediate router can be reduced. During IPv6 packet transmission, only this way can be
  adopted because IPv6 intermediate routers do not support packet fragmentation.
The Path MTU (PMTU) Discovery mechanism aims at finding a proper MTU value on the path
from the source to the destination.
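The source-side behaviour described above, as an added Python example that is not part of the Huawei guide: the source lowers its per-destination estimate each time a router reports a smaller next-hop MTU, and ignores reports that are implausible. The class and function names, the link MTUs and the 1500-byte first hop are assumptions made for the illustration; 1280 bytes is the IPv6 minimum link MTU.

```python
IPV6_MIN_MTU = 1280  # every IPv6 link must be able to carry packets of this size


class PathMtuCache:
    """Per-destination PMTU estimates kept by the source host (hypothetical class)."""

    def __init__(self, first_hop_mtu):
        self.first_hop_mtu = first_hop_mtu
        self.entries = {}  # destination -> learned PMTU

    def pmtu(self, dst):
        # Without a learned entry the source starts from its own link MTU.
        return self.entries.get(dst, self.first_hop_mtu)

    def on_packet_too_big(self, dst, reported_mtu):
        """Apply one ICMPv6 Packet Too Big report; return True if the estimate changed."""
        if reported_mtu < IPV6_MIN_MTU:
            return False  # below the IPv6 minimum: ignore the report
        if reported_mtu >= self.pmtu(dst):
            return False  # a report can only lower the estimate, never raise it
        self.entries[dst] = reported_mtu
        return True


def first_blocking_link(link_mtus, size):
    """Return the MTU of the first link that cannot carry `size`, or None if delivered."""
    for mtu in link_mtus:
        if size > mtu:
            return mtu  # the router in front of this link reports this value
    return None


def discover(cache, dst, link_mtus):
    """Send at the current estimate until a packet crosses every link; return sizes tried."""
    attempts = []
    while True:
        size = cache.pmtu(dst)
        attempts.append(size)
        reported = first_blocking_link(link_mtus, size)
        if reported is None:
            return attempts
        if not cache.on_packet_too_big(dst, reported):
            raise RuntimeError(f"path to {dst} cannot carry {size}-byte packets")


if __name__ == "__main__":
    cache = PathMtuCache(first_hop_mtu=1500)
    # Constructed path: three links with shrinking MTUs.
    print(discover(cache, "fe80::12", [1500, 1400, 1300]))
    print(cache.pmtu("fe80::12"))
```

Because intermediate IPv6 routers never fragment, each lowered estimate costs the source one round trip, which is why a static PMTU entry can be worth configuring on a known path.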
IPv6 FIB
Connecting network topologies of different types requires the configuration of different routing
protocols, which gives rise to the Routing Information Base (RIB). The RIB is the basis of the
Forwarding Information Base (FIB). Guided by route management policies, a device extracts the
minimum necessary forwarding information from the RIB and adds the information to the FIB.
Through the route management module, you can also add static routes to the FIB.
A FIB contains the minimum information needed by a device during packet forwarding.
A FIB entry usually contains the destination address, prefix length, transport port, next-hop
address, route flag, and time stamp. A device forwards packets according to FIB entries.
The FIB mechanism consists of two parts: FIB agent (used on the control plane) and FIB
container (used on the forwarding plane). A FIB agent is responsible for interacting with the
RM module for delivering FIB entries to the forwarding engine, and to the I/O board in a
distributed system.
A FIB contains the following information:
- Prefix length: indicates the length of the destination address prefix. From the prefix length,
  you can infer whether the destination address is a network address or a host address.
- Nexthop: indicates the address of the adjacent next hop through which the packet reaches the
  destination.
The IPv6 function is used with a license. To use the IPv6 function, apply for and purchase the following
license from the Huawei local office:
l
Applicable Environment
When a device communicates with an IPv6 device, you need to configure an IPv6 address for the
interface. The AR2200-S supports configuring IPv6 addresses for the following interfaces:
- Tunnel interfaces
- Loopback interfaces
- Eth-Trunk interfaces and Eth-Trunk sub-interfaces (support IPv6 only when they work in Layer
  3 mode)
- VLANIF interfaces
- VE interfaces
- VT interfaces
You can configure 10 addresses for one interface. Addresses can be the link-local address and
the global unicast address.
The link-local address is used in ND, and in the communication between nodes on the local link
in the stateless address auto-configuration. The packets using the link-local address as the source
or destination address are not forwarded to other links.
The link-local address can be automatically generated or manually configured. After automatic
address generation is enabled, the system automatically generates a link-local address. A
manually configured link-local address must be a valid link-local address (FE80::/10).
Pre-configuration Tasks
Before configuring IPv6 addresses, complete the following tasks:
- Configuring the physical features of the interface and ensuring that the status of the physical
  layer of the interface is Up
- Configuring the link layer parameters for the interface and ensuring that the status of the
  link layer protocol on the interface is Up
Data Preparation
To configure IPv6 addresses for an interface, you need the following data.
No.
Data
Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the
system view and the interface view. This is because:
- If you run the ipv6 command only in the system view, only the IPv6 packet forwarding
  capability is enabled on a device. The IPv6 function, however, is not enabled on the interface
  and hence you cannot perform any IPv6 configurations.
- If you run the ipv6 enable command only in the interface view, the IPv6 capability is
  enabled only on an interface. Therefore, the device cannot forward IPv6 data.
Procedure
Step 1 Run:
system-view
The view of the interface to be enabled with the IPv6 capability is displayed.
Step 4 Run:
ipv6 enable
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Context
Anycast addresses and unicast addresses are in the same address range. An anycast address is
used to identify a group of interfaces on different nodes.
- The packets destined for an anycast address are transmitted to an interface that is in the
  interface group identified by the anycast address and is closest to the source node. (The
  distance between an interface and the source node is calculated based on the routing
  protocol). The packets destined for a multicast address are transmitted to a group of
  interfaces with the multicast address.
When the 6to4 tunnel is used for the communication between the 6to4 network and the native
IPv6 network, the AR2200-S supports the configuration of an anycast address with the prefix
of 2002:c058:6301:: on the tunnel interface of the 6to4 relay route device.
Alternatively, you can configure a 6to4 address on the tunnel interface of the 6to4 relay route
device. When multiple 6to4 relay route devices are configured on the network, the difference
between the two methods is as follows:
- If a 6to4 address is used, you need to configure different addresses for tunnel interfaces
  of all devices.
- If an anycast address is used, you need to configure the same address for the tunnel
  interfaces of all devices. In this manner, the number of addresses is reduced.
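An added Python example, not taken from the Huawei guide, that ties together the X:X:X:X:X:X:d.d.d.d formats described under "IPv6 Address" and the 6to4 relay anycast prefix 2002:c058:6301:: mentioned above: it classifies an address and recovers the IPv4 address embedded in it. The function names and the sample addresses are assumptions; 2002:c058:6301:: is the 6to4 prefix 2002::/16 followed by the relay anycast IPv4 address 192.88.99.1 (RFC 3068).

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST_V4 = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068


def sixtofour_prefix(ipv4_text):
    """Build the /48 6to4 prefix 2002:V4ADDR::/48 for a site's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def classify(text):
    """Return (kind, embedded IPv4 address or None) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(text)  # raises ValueError on malformed input
    value = int(addr)
    low32 = ipaddress.IPv4Address(value & 0xFFFFFFFF)

    if addr in LINK_LOCAL:
        # The only range a manually configured link-local address may come from.
        return ("link-local", None)
    if addr in SIXTOFOUR:
        # Bits 16..47 of a 6to4 address carry the IPv4 address.
        v4 = ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
        kind = "6to4-relay-anycast" if v4 == RELAY_ANYCAST_V4 else "6to4"
        return (kind, str(v4))
    if value >> 32 == 0xFFFF:
        # 80 zero bits, 16 one bits, then d.d.d.d
        return ("ipv4-mapped", str(low32))
    if value >> 32 == 0 and value > 1:
        # 96 zero bits then d.d.d.d; :: and ::1 are excluded.
        return ("ipv4-compatible", str(low32))
    return ("other", None)


if __name__ == "__main__":
    # Constructed sample addresses, written in the formats the guide describes.
    for sample in ("2002:c058:6301::", "2002:a01:101:1::1",
                   "0:0:0:0:0:FFFF:10.1.1.1", "::10.1.1.1", "FE80::1", "3001::1"):
        print(sample, classify(sample))
    print(sixtofour_prefix("192.88.99.1"))
```

When reviewing tunnel-interface configurations, the same check distinguishes a relay that answers on the shared anycast address from one that uses its own 6to4 address.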
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations of the IPv6 addresses are complete.
Procedure
- Run the display ipv6 statistics command to check the IPv6 packet statistics.
----End
Example
Run the display ipv6 interface command. If the IPv6 address of the interface is displayed, it
means that the configuration succeeds. For example:
<Huawei> display ipv6 interface gigabitethernet 1/0/0
Run the display ipv6 interface command. If the configured IPv6 address and interface status
are displayed, it means that the configuration succeeds.
<Huawei> display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface                    Physical    Protocol
GigabitEthernet2/0/0         up          up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/1         up          up
[IPv6 Address] 2001::1
LoopBack0                    up          up(s)
[IPv6 Address] Unassigned
Run the display ipv6 statistics command. If the statistics on IPv6 packets is displayed, it means
that the configuration succeeds.
<Huawei> display ipv6 statistics
IPv6 Protocol:
Sent packets:
  Total              : 3630
  Local sent out     : 3630
  Raw packets        : 0
  Fragmented         : 0
  Fragments failed   : 0
  Forwarded          : 0
  Discarded          : 0
  Fragments          : 0
  Multicast          : 0
Received packets:
  Total              : 3630
  Hop count exceeded : 0
  Too big            : 0
  Address error      : 0
  Truncated          : 0
  Fragments          : 0
  Reassembly timeout : 0
  Local host         : 3630
  Header error       : 0
  Routing failed     : 0
  Protocol error     : 0
  Option error       : 0
  Reassembled        : 0
  Multicast          : 0
Applicable Environment
After an IPv6 address is configured for a node, the node checks whether this address can be used
and does not conflict with any other address. If a node is a host, a router needs to notify the host
of the optimal next hop address of a packet to be sent by the host to a specific destination. If a
node is a router, it needs to advertise its address, address prefix, and other configuration
parameters to instruct hosts to configure parameters. During IPv6 packet forwarding, a node
needs to know the neighboring nodes' link-layer addresses and check their reachability. The
Neighbor Discovery (ND) function can be used to meet the requirements.
Most of the ND configurations are implemented based on the interfaces.
The IPv6 ND configuration is supported on the following interfaces:
- Tunnel interfaces
- VLANIF interfaces
Pre-configuration Tasks
Before configuring IPv6 neighbor discovery, complete the following tasks:
- Configuring the physical features for the interface and ensuring that the status of the
  physical layer of the interface is Up
Data Preparation
To configure IPv6 neighbor discovery, you need the following data.
No.
Data
Hop limit of ND
Interface MTU
Procedure
Step 1 Run:
system-view
If an interface is configured with dynamic QinQ, you cannot configure a static neighbor entry on it.
Static neighbors can be configured for interfaces and their sub-interfaces. You can configure up
to 300 neighbors on each interface.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Context
Duplicate Address Detection (DAD) is a process of IPv6 automatic address configuration. You can
configure the number of DAD messages that are sent consecutively.
Set the interval for sending Neighbor Solicitation (NS) messages on the device. By default, the
NS retransmission interval is 1000 ms.
Neighbor Unreachability Detection (NUD) checks the reachability of neighbors. By default, the
NUD value is 30000 ms.
The MTU of the interface determines whether to fragment IP packets on the interface. Default
MTUs vary with interface types. The MTU on a GigabitEthernet interface defaults to 1500
bytes.
Procedure
Step 1 Run:
system-view
- If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an RA message
  uses the value configured on the interface.
- If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA message
  uses the value configured globally, that is, the value configured in the ipv6 nd hop-limit command.
Step 5 Run:
ipv6 nd ra router-lifetime ra-lifetime
- When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval must
  be less than or equal to the life duration.
- By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.
- By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration
  is still 1800 seconds.
Step 6 Run:
ipv6 nd dad attempts value
Follow-up Procedure
If the IPv6 MTU value is changed, run the shutdown command and then the undo shutdown
command in the interface view for the configuration to take effect.
Context
If a host is connected to multiple routers, the host must select a router to forward packets based
on the destination addresses of packets. The router can advertise the default router priority and
specified route information to the host so that the host can select a proper forwarding router
based on the destination addresses of packets.
After receiving the RA packets carrying the route information, the host updates its routing table.
When sending packets to another device, the host queries the routing table and selects a proper
route to send packets.
When receiving the RA packets that carry the priority of default routers, the host updates its
default router table. When sending packets to another device, if there is no route to be selected,
the host queries the default router table. Then, the host selects a router with the highest priority
on the local link to send packets. If the router is faulty, the host selects another router in
descending order of priority.
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations of the IPv6 neighbor discovery function are complete.
Procedure
- Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type
  interface-number | vpn-instance vpn-instance-name ] or display ipv6 neighbors interface-type
  interface-number | [ vid vid ] | [ cevid cevid ] command to check the neighbor information in
  the cache.
----End
Example
Run the display ipv6 neighbors command. If the cache of the neighbor information contains
neighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.
<Huawei> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer : 00e0-fc89-fe6e
State : STALE
:
:
:
:
GE1/0/0
10
vpn1
UN-SECURE
Run the display ipv6 interface command. If information about the IPv6 address on the interface
is displayed, it means that the configuration succeeds.
<Huawei> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
2001::1, subnet is 2001::/64
5000::A19:A6FF:FECE:7D4B, subnet is 5000::/63
Joined group address(es):
FF02::1:FFCE:7D4B
FF02::2
FF02::1
FF02::1:FF00:1
MTU is 1280 bytes
ND DAD is disabled
ND reachable time is 10000 milliseconds
ND retransmit interval is 10000 milliseconds
Hosts use DHCP to obtain routable addresses.
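An added Python example, not part of the Huawei guide: it parses display ipv6 interface output such as the one above and reports ND settings that disable DAD or differ from the defaults this guide states (NS retransmit interval 1000 ms, NUD value 30000 ms). The function names and finding codes are hypothetical, and both sample texts are constructed from lines printed in this guide.

```python
import re

DEFAULT_REACHABLE_MS = 30000   # NUD default stated in this guide
DEFAULT_RETRANSMIT_MS = 1000   # NS retransmit default stated in this guide
IPV6_MIN_MTU = 1280            # IPv6 minimum link MTU

PATTERNS = {
    "mtu": re.compile(r"^[ \t]*MTU is (\d+) bytes", re.M),
    "dad": re.compile(r"^[ \t]*ND DAD is (enabled|disabled)", re.M),
    "dad_attempts": re.compile(r"number of DAD attempts: (\d+)"),
    "reachable_ms": re.compile(r"^[ \t]*ND reachable time is (\d+) milliseconds", re.M),
    "retransmit_ms": re.compile(r"^[ \t]*ND retransmit interval is (\d+) milliseconds", re.M),
}

# Constructed sample: ND lines from the output shown above (values tuned by hand).
SAMPLE_TUNED = """\
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
MTU is 1280 bytes
ND DAD is disabled
ND reachable time is 10000 milliseconds
ND retransmit interval is 10000 milliseconds
"""

# Constructed sample: ND lines as they appear with the default settings.
SAMPLE_DEFAULT = """\
GigabitEthernet1/0/0 current state : UP
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
"""


def parse_nd(output):
    """Extract the ND-related fields; a field that is not present maps to None."""
    fields = {}
    for name, pattern in PATTERNS.items():
        match = pattern.search(output)
        if match is None:
            fields[name] = None
        else:
            value = match.group(1)
            fields[name] = int(value) if value.isdigit() else value
    return fields


def audit(output):
    """Return a list of (finding, observed value) tuples for one interface."""
    f = parse_nd(output)
    findings = []
    if f["dad"] == "disabled":
        # With DAD off, a duplicate address on the link goes undetected.
        findings.append(("dad-disabled", None))
    if f["mtu"] is not None and f["mtu"] < IPV6_MIN_MTU:
        findings.append(("mtu-below-ipv6-minimum", f["mtu"]))
    if f["reachable_ms"] not in (None, DEFAULT_REACHABLE_MS):
        findings.append(("reachable-time-nondefault", f["reachable_ms"]))
    if f["retransmit_ms"] not in (None, DEFAULT_RETRANSMIT_MS):
        findings.append(("retransmit-interval-nondefault", f["retransmit_ms"]))
    for name in ("mtu", "dad", "reachable_ms", "retransmit_ms"):
        if f[name] is None:
            findings.append(("field-missing", name))
    return findings


if __name__ == "__main__":
    for label, text in (("tuned", SAMPLE_TUNED), ("default", SAMPLE_DEFAULT)):
        print(label, audit(text))
```

A non-default value is not a fault in itself; the list is a prompt to confirm that each change was intended.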
Run the display ipv6 interface brief command. If information about the IPv6 address on the
interface and interface status are displayed, it means that the configuration succeeds.
<Huawei> display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface                    Physical    Protocol
GigabitEthernet2/0/2         up          up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/3         up          up
[IPv6 Address] 2001::1
LoopBack0                    up          up(s)
[IPv6 Address] Unassigned
Applicable Environment
If a device has both IPv4 and IPv6 connections, the IPv4/IPv6 dual protocol stacks need to be
enabled on the device.
Enabling the IPv4/IPv6 dual protocol stacks on the AR2200-S is a simple process. Enable the
IPv6 packet forwarding capacity in the system view and configure an IPv4 address or IPv6
address on the corresponding interface. The device can then forward IPv4 and IPv6 packets on
the corresponding interface.
Pre-configuration Tasks
Before configuring IPv6 tunnels, complete the following tasks:
- Configuring the physical parameters for the interface and ensuring that the status of the
  physical layer of the interface is Up
Data Preparation
To configure IPv4/IPv6 dual stacks, you need the following data.
No.
Data
Type and number of the interface connected with the IPv4 network
IPv4 address and mask of the interface connected with the IPv4 network
Type and number of the interface connected with the IPv6 network
IPv6 address and prefix of the interface connected with the IPv6 network
Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the
system view and the interface view. This is because:
- If you run the ipv6 command only in the system view, only the IPv6 packet forwarding
  capability is enabled on a device. The interface on the device does not have the IPv6 capability
  and hence you cannot perform any IPv6 configurations.
- If you run the ipv6 enable command only in the interface view, the IPv6 capability is
  enabled only on an interface but the device cannot forward IPv6 data.
Procedure
Step 1 Run:
system-view
The view of the interface to be enabled with the IPv6 capability is displayed.
Step 4 Run:
ipv6 enable
Procedure
Step 1 Run:
system-view
} eui-64
Prerequisites
The IPv4/IPv6 stack has been configured.
Procedure
- Run the display this command in the interface view to view the information about the
  IPv4/IPv6 stack.
----End
Example
Run the display this command to view information about the IPv4/IPv6 stack.
[Huawei-GigabitEthernet1/0/0] display this
[V200R002C00]
#
interface GigabitEthernet0/0/1
ipv6 enable
ip address 20.1.1.1 255.255.255.0
ipv6 address 1002::1/64
ospfv3 1 area 0.0.0.0
#
return
Applicable Environment
By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUs
across the network. This avoids packet fragmentation, reduces the burden of the devices,
implements efficient usage of network resources and achieves the best throughput.
Pre-configuration Tasks
Before configuring PMTUs, complete the following tasks:
- Configuring the physical features for the interface and ensuring that the status of the
  physical layer of the interface is Up
Data Preparation
To configure PMTUs, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations of the PMTU are complete.
Procedure
- Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to check
  all PMTU items.
----End
Example
Run the display ipv6 pathmtu command. If the destination IPv6 address, the PMTU value, the
aging time and type are displayed, it means that the configuration succeeds.
<Huawei> display ipv6 pathmtu all
IPv6 Destination Address    ZoneID  PathMTU  LifeTime(M)  Type
fe80::12                    0       1300     40           Dynamic
2222::3                     0       1280     -            Static
-------------------------------------------------------------------------------
Total: 2    Dynamic: 1    Static: 1
Run the display ipv6 interface command. If the current MTU of the interface is displayed, it
means that the configuration succeeds.
<Huawei> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
Applicable Environment
To optimize network performance, you need to adjust the TCP6 parameters.
Pre-configuration Tasks
Before configuring TCP6, complete the following tasks:
- Connecting and configuring the physical features for the interface and ensuring that the
  status of the physical layer of the interface is Up
- Configuring the link layer protocol parameters for the interface and ensuring that the status
  of the link layer protocol on the interface is Up
Data Preparation
To configure TCP6, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations of the TCP6 function are complete.
Procedure
- Run the display tcp ipv6 statistics command to check related TCP6 statistics.
- Run the display tcp ipv6 status command to check the TCP6 connection status.
- Run the display udp ipv6 statistics command to check related UDP6 statistics.
- Run the display ipv6 socket [ socktype socket-type | task-id task-id socket-id socket-id ]
  command to check the information of the specified socket.
----End
Example
Run the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statistics
commands. If the connection status and statistics of TCP6 and UDP6 are displayed, it means that
the configuration succeeds.
<Huawei> display tcp ipv6 statistics
Received packets:
total: 0
total(64bit high-capacity counter): 0
packets in sequence: 0 (0 bytes)
window probe packets: 0
window update packets: 0
checksum error: 0
offset error: 0
short error: 0
duplicate packets: 0 (0 bytes)
partially duplicate packets: 0 (0 bytes)
out-of-order packets: 0 (0 bytes)
packets with data after window: 0 (0 bytes)
packets after close: 0
ACK packets: 0 (0 bytes)
duplicate ACK packets: 0
too much ACK packets: 0
packets dropped due to MD5 authentication failure: 0
packets dropped due to absence of MSO: 0
packets dropped due to presence of MSO: 0
packets received with MD5 Signature Option: 0
Sent packets:
total: 0
urgent packets: 0
total(64bit high-capacity counter): 0
control packets: 0 (including 0 RST)
window probe packets: 0
window update packets: 0
data packets: 0 (0 bytes)
data packets retransmitted: 0 (0 bytes)
ACK only packets: 0 (0 delayed)
packets sent with MD5 Signature Option: 0
Other Statistics:
retransmitted timeout: 0
connections dropped in retransmitted timeout: 0
keepalive timeout: 0
keepalive probe: 0
keepalive timeout, so connections disconnected: 0
initiated connections: 0
accepted connections: 0
established connections: 0
closed connections: 0 (dropped: 0, initiated dropped: 0)
<Huawei> display tcp ipv6 status
* - MD5 Authentication is enabled.
TCP6CB    TID/SoID  Local Address  Foreign Address  State      VPNID
19df05d0  9/3       ::->23         ::->0            Listening  0
<Huawei> display udp ipv6 statistics
Received packets:
total: 0
total(64bit high-capacity counter): 0
checksum error: 0
Run the display ipv6 socket command. If the related socket information is displayed, it means
that the configuration succeeds.
<Huawei> display ipv6 socket
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
Context
CAUTION
IPv6 statistics cannot be restored after they are cleared. Confirm the action before you use the
command.
Procedure
- Run the reset ipv6 statistics command in the user view to clear statistics of processing
  IPv6 packets after you confirm it.
- Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clear
  PMTU entries in the cache after you confirm it.
- Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type
  interface-number ] | interface-type interface-number [ dynamic | static ] } command in the
  user view to clear IPv6 neighbor entries in the cache after you confirm it.
- Run the reset ipv6 address-policy command in the user view to clear address selection
  policy entries.
- Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics after
  you confirm it.
- Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statistics
  after you confirm it.
----End
Networking Requirement
As shown in Figure 3-1, Router A and Router B are connected through GE interfaces. It is
required to configure IPv6 global unicast addresses for the interfaces and test the connectivity
between them.
The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and
3001::2/64.
Figure 3-1 Networking diagram of configuring an IPv6 address for an interface
[Diagram: RouterA GE 1/0/0 (3001::1/64) connected to RouterB GE 1/0/0 (3001::2/64)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable IPv6 packet forwarding on Router A and Router B.
# Configure Router A
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
# Configure Router B
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
# Configure Router B.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address 3001::2/64
[RouterB-GigabitEthernet1/0/0] quit
FF02::2
FF02::1
FF02::1:FF9B:6D3B
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
----End
Configuration Files
Networking Requirements
As shown in Figure 3-2, two routers are connected through GE interfaces. Configure an IPv6
link-local address for the GE interfaces and enable the routers to send RA messages.
Figure 3-2 Networking diagram for IPv6 neighbor discovery
[Diagram: RouterA Eth1/0/0 connected to RouterB Eth 1/0/0]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Enable the IPv6 forwarding capability on the routers.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
# Configure RouterB.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address auto link-local
:
:
:
:
Eth1/0/0
TRUE
UN-SECURE
-----------------------------------------------------------------------------
Total: 1    Dynamic: 1    Static: 0
----End
Configuration Files
DNS Configuration
Static DNS resolution. Mappings between domain names and IP addresses are configured
manually. When a DNS client requests the IP address mapped to a domain name, it searches
for the specified domain name in the static DNS table to obtain the mapped IP address.
Dynamic DNS resolution. A DNS server searches for the IP address mapped to a domain
name. When the DNS server receives a query message from a DNS client, it searches for
the IP address mapped to the domain name in its DNS database. If no matching entry is found,
it sends a query message to an upper-level DNS server. This process continues until the
DNS server finds the corresponding IP address or detects that the domain name does not
exist. The DNS server then sends a response to the DNS client.
Applicable Environment
IP addresses such as 202.112.131.109 are difficult to remember; therefore, most organizations
use abbreviations or meaningful names (also called domain names) such as www.sina.com.cn
to identify devices. Name resolvers or domain servers resolve mappings between IP addresses
and domain names.
A DNS client provides functions of a name resolver and completes resolution between IP
addresses and domain names.
If your organization seldom uses domain names to access other devices or there are no available
DNS servers, you must configure static DNS entries. To configure static DNS entries, you must
know mappings between domain names and IP addresses. When mappings between domain
names and IP addresses change, you must manually modify DNS entries.
If your organization uses domain names to access many devices and DNS servers are available,
you can configure dynamic DNS entries.
Pre-configuration Tasks
Before configuring a DNS client, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical layer status of the interfaces is Up
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
- Configuring a route between the local routing device and the DNS server
Data Preparation
To configure a DNS client, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Context
To implement dynamic DNS, you need to enable dynamic DNS resolution, configure a DNS
server, and configure a source IP address for the local routing device and a domain name suffix.
If the local routing device uses an IP address allocated by the DHCP server and the information
delivered by the DHCP server to the local routing device contains the DNS server address and
the domain name suffix list, you only need to enable dynamic DNS resolution.
Procedure
Step 1 Run:
system-view
The source IP address is specified for the local routing device to communicate with the DNS
client.
The local routing device uses the specified address to communicate with the DNS server. This
ensures communication security.
Step 5 (Optional) Run:
dns domain domain-name
Follow-up Procedure
The system supports a maximum of six DNS servers, one specified source address, and 10
domain name suffixes. If multiple DNS servers are required, repeat step 3. If multiple domain
name suffixes are required, repeat step 5.
Procedure
- Run the display dns server command to check the DNS server configuration.
- Run the display dns domain command to check the domain name suffix configuration.
- Run the display dns dynamic-host command to check dynamic DNS entries.
----End
Example
# Run the display ip host command to view static DNS entries.
<Huawei> display ip host
Host                  Age    Flags    Address
www.3322.org          0      static   10.138.90.34
members.3322.org      0      static   10.138.90.51
checkip.dyndns.com    0      static   10.138.90.51
members.dyndns.org    0      static   10.138.90.51
# Run the display dns server command to view the DNS server configuration.
<Huawei> display dns server
Type:
D:Dynamic    S:Static
DNS Server   Type   IP Address
1            S      10.10.1.1
2            S      10.10.1.2
# Run the display dns domain command to view the domain name suffix configuration.
<Huawei> display dns domain
No   Domain-name
1    com
2    net
# Run the display dns dynamic-host command to view dynamic DNS entries saved in the
domain name cache.
<Huawei> display dns dynamic-host
Host                    TTL   Type    Address(es)
sipx.autosrv.com        114   IP      192.168.2.18
sip.autosrv.com         237   IP      192.168.2.61
sip.autonaptr.com       117   IP      192.168.2.19
_sip._tcp.autosrv.com   55    SRV     0 0 0 sipx.autosrv.com
                                      0 0 0 sip.autosrv.com
autonaptr.com                 NAPTR   101 10 A SIP+D2T sip.autona
Applicable Environment
If no DNS server is deployed on a LAN, a DNS client on the LAN can connect to an external
DNS server through the AR2200-S enabled with DNS proxy or relay. After the external DNS
server translates the domain name of the DNS client to an IP address, the DNS client can access
the Internet.
DNS proxy or relay reduces network management costs. Changing the IP address of the DNS
server requires that you change only the configuration on the DNS proxy or relay.
Pre-configuration Tasks
Before configuring DNS proxy or relay, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical layer status of the interfaces is Up
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
- Configuring routes between the local routing device and the DNS client and between the
  local routing device and the DNS server
Data Preparation
No.
Data
Procedure
Step 1 Run:
system-view
The IP address of the DNS server that the DNS proxy or relay accesses is configured.
----End
Context
If the AR2200-S is enabled with DNS proxy or relay but is not configured with a DNS server
address or has no route to the DNS server, it does not forward or respond to DNS query messages
from DNS clients. If DNS spoofing is enabled, the AR2200-S uses the configured IP address to
respond to all DNS query messages.
In addition to enabling DNS proxy or relay, one of the following conditions must be met to make
DNS spoofing take effect:
- There is no source IP address on the outbound interface connected to the DNS server.
If one of the preceding conditions is met, when the DNS proxy or relay receives an address
record query, it spoofs reply messages to any DNS query messages using the configured IP
address.
Procedure
Step 1 Run:
system-view
Context
When the DNS proxy or relay is attacked, the DNS table becomes full. As a result, the DNS
proxy or relay cannot resolve new domain names into IP addresses. To solve the problem, you
can set the aging time of DNS entries so that the local routing device can delete expired DNS
entries.
Procedure
Step 1 Run:
system-view
Step 3 Run:
dns forward expire-time time
The aging time is set for DNS entries on the DNS proxy or relay.
By default, the aging time of DNS entries is 60s.
----End
Procedure
- Run the display dns forward table [ source-ip ip-address ] command to check the DNS
  table.
----End
Example
# Run the display dns forward table [ source-ip ip-address ] command to view the DNS table
of the DNS proxy or relay.
<Huawei> display dns forward table
Domain name       : ma.huawei.com
Source IP         : 1.1.1.3
Source port       : 33025
Source packet id  : 42564
Forward packet id : 1
Retry count       : 2
Query type        : 1
Applicable Environment
DNS can resolve domain names into IP addresses so that you can use domain names to access
network nodes. DNS just provides static mappings between domain names and IP addresses. It
cannot dynamically update the mapping when the IP address of a node changes. If you use the
original domain name to access the node, you cannot access the node because the IP address
mapped to the domain name is incorrect.
The AR2200-S can function as the DDNS client. The AR2200-S notifies the DDNS server about
the new IP address when the IP address of the interface that provides web services changes. The
DDNS server dynamically updates the mapping between the domain name and the IP address
on the DNS server to ensure that the IP address can be resolved correctly.
Pre-configuration Tasks
Before configuring a DDNS client, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical layer status of the interfaces is Up
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
- Configuring a route between the local routing device and the DDNS server
Data Preparation
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 2 Run:
ddns policy policy-name
Procedure
Step 1 Run:
system-view
On the AR2200-S, DDNS policies can only be bound to Layer 3 interfaces and VLANIF
interfaces.
----End
Procedure
- Run the display ddns policy policy-name command to view DDNS policy information.
- Run the display ddns interface interface-type interface-number command to view DDNS
  policy information on the interface.
----End
Example
# Run the display ddns policy command to view information about the DDNS policy
JackPolicy.
<Huawei> display ddns policy JackPolicy
Policy name          : JackPolicy
Policy interval time : 3600
Policy URL           : oray://Jack:Jack2010@phddnsdev.oray.net
Policy bind count    : 1
===== interface GigabitEthernet1/0/0 ======
Statuses: START
Refresh: enable
# Run the display ddns interface command to view the DDNS policy information on VLANIF
100.
<Huawei> display ddns interface Vlanif 100
===== Policy JackPolicy =======
URL: oray://Jack:Jack2010@phddnsdev.oray.net
Statuses: START
Refresh: enable
Procedure
Step 1 Run the reset dns dynamic-host command to delete dynamic DNS entries of DNS clients.
Dynamic DNS entries cannot be restored after being deleted. Exercise caution when you run the
command.
----End
Procedure
Step 1 Run the reset dns forward table [ ip-address ] command to delete DNS entries of the DNS
proxy or relay.
----End
Procedure
Step 1 Run the reset ddns policy policy-name [ interface-type interface-num ] command to update
the mappings between all the IP addresses and host names in the DDNS policy.
----End
[Figure: networking diagram for the DNS client example. Labels: RouterA (DNS Client), RouterB, RouterC, DNS Server 3.1.1.2/16, huawei.com 2.1.1.3/16; interface labels: Loopback0 4.1.1.1/32, Loopback0 4.1.1.2/32, GE1/0/0 1.1.1.2/16, GE1/0/0 1.1.1.1/16, GE2/0/0 2.1.1.1/16, GE2/0/0 2.1.1.2/16, GE1/0/0 3.1.1.1/16]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
Configure OSPF.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure RouterA.
# Configure an IP address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.2 255.255.0.0
[RouterA-GigabitEthernet1/0/0] quit
# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
NOTE
You must configure OSPF on RouterB and RouterC so that a route between RouterA and the DNS server
can be generated. For details about OSPF configurations on RouterB and RouterC, see the configuration
files.
Run the display ip host command on RouterA. You can view mappings between host names
and IP addresses in static DNS entries.
<RouterA> display ip host
Host      Age   Flags    Address
DeviceB   0     static   4.1.1.1
DeviceC   0     static   4.1.1.2
# Run the display dns dynamic-host command on RouterA. You can view information about
dynamic DNS entries in the domain name cache.
<RouterA> display dns dynamic-host
Host         TTL   Type   Address(es)
huawei.com   114   IP     2.1.1.3
NOTE
The TTL field in the command output indicates the time left before a DNS entry is aged out, in seconds.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
ip host DeviceB 4.1.1.1
ip host DeviceC 4.1.1.2
#
dns resolve
dns server 3.1.1.2
dns domain net
dns domain com
#
interface GigabitEthernet 1/0/0
ip address 1.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return
[Figure: networking diagram for the DNS proxy example. Labels: RouterA (DNS Proxy), NetworkA, RouterB, DNS Server 2.1.1.1/16; interface labels: GE1/0/0 1.1.1.2/16, GE1/0/0 1.1.1.1/16, GE2/0/0 2.1.1.2/16]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure an IP address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] quit
# Set the aging time of DNS entries to 150s on the DNS proxy or relay.
[RouterA] dns forward expire-time 150
Step 3 Enable DNS spoofing and specify the IP address in response messages as 10.1.1.3.
[RouterA] dns spoofing 10.1.1.3
You must configure OSPF on RouterB so that a route between RouterA and the DNS server can be
generated. For details about OSPF configurations on RouterB, see the configuration file.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet 1/0/0
ip address 1.1.1.1 255.255.0.0
#
dns resolve
dns server 2.1.1.1
dns proxy enable
dns forward expire-time 150
#
dns spoofing 10.1.1.3
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return
[Figure: networking diagram for the DDNS client example. Labels: DDNS Client, RouterC, DNS Server 3.1.1.2/16, DDNS Server 2.1.1.3/16; interface labels: Loopback0 4.1.1.1/32, Loopback0 4.1.1.2/32, GE1/0/0 3.1.1.1/16, GE1/0/0 1.1.1.1/16, GE2/0/0 2.1.1.1/16, GE2/0/0 2.1.1.2/16]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
- User name and password for the DDNS client to log in to the DDNS server
Procedure
Step 1 Configure RouterA.
# Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ddns policy mypolicy
After the configuration is complete, when the IP address of GE1/0/0 changes, RouterA instructs
the DNS server, through the DDNS server, to establish a mapping between the domain name
www.abc.com and the new IP address. Users on the Internet can then resolve the domain name
www.abc.com to the new IP address.
# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
NOTE
To implement communication between the DDNS client, DDNS server, and the DNS server, configure
OSPF on RouterB and RouterC. For details about OSPF configurations on RouterB and RouterC, see the
configuration files.
<RouterA> display ddns policy mypolicy
Policy name          : mypolicy
Policy interval time : 3600
Policy URL           : oray://steven:nevets@phddnsdev.oray.net
Policy bind count    : 1
Statuses: ESTABLISH
Refresh: enable
# Run the display ddns interface gigabitethernet 1/0/0 command on RouterA, and you can
view information about the DDNS policy on GE1/0/0.
<RouterA> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
URL: oray://steven:nevets@phddnsdev.oray.net
Statuses: ESTABLISH
Refresh: enable
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
ddns policy mypolicy
url oray://steven:nevets@phddnsdev.oray.net
#
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.0.0
ddns apply policy mypolicy fqdn www.abc.com
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return
#
interface GigabitEthernet1/0/0
ip address 3.1.1.1 255.255.0.0
#
interface GigabitEthernet2/0/0
ip address 2.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 2.1.0.0 0.0.255.255
network 3.1.0.0 0.0.255.255
network 4.1.1.2 0.0.0.0
#
return
5 NAT Configuration
Class A: 10.0.0.0-10.255.255.255
Class B: 172.16.0.0-172.31.255.255
Class C: 192.168.0.0-192.168.255.255
After planning the scale of the intranet, an enterprise chooses the proper private address segment.
The private address segments of enterprises can overlap each other. If an intranet does not use
the IP address in the defined private address segments, errors may occur during communication
with other networks.
Principle of NAT
As shown in Figure 5-1, the private address must be translated when a host on a private network
accesses the Internet or interworks with the hosts on a public network.
Figure 5-1 Networking of NAT
[Figure labels: PC 10.1.1.10 and WWW client 10.1.1.48 on the internal network; Router with public address 203.196.3.23; WWW Server 202.18.245.251 on the external network]
The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. The
host 10.1.1.48 on the private network accesses the server 202.18.245.251 on the public network
in Web mode.
The host sends a data packet, and uses port 6084 as the source port and port 80 as the destination
port. After the address is translated, the source address/port of the packet is changed to
203.196.3.23:32814, and the destination address/port remains unchanged. The AR2200-S
maintains a mapping table between addresses and ports.
After the web server responds to the host, the AR2200-S translates the destination IP address/
port in the returned data packet to 10.1.1.48:6084. In this way, the host on the private network
can access the server on the public network.
Static NAT
Static NAT maps a private address to a public address. That is, the number of private addresses
is equal to the number of public addresses. Static NAT cannot save public addresses, but can
shield the topology of the private network.
When a packet is sent from a private network to the public network, static NAT translates the
source IP address of the packet to a public address. When the public network returns a response,
static NAT translates the destination IP address of the response packet to the private address.
PAT
Port address translation (PAT), which is also called network address port translation (NAPT),
maps a public address to multiple private addresses. Therefore, public addresses are saved. PAT
translates source IP addresses of packets from hosts that reside on the private network to a public
address. The translated port numbers of these packets are different, and the private addresses
can share a public address.
A mapping table between private addresses and ports is configured for PAT. Before packets
from different private addresses are sent to the public network, the PAT-enabled device replaces
the source addresses with the same public address. The source port numbers of the packets,
however, are replaced with different port numbers. When the public network returns response
packets to private networks, the PAT-enabled device translates the destination IP addresses to
private addresses according to the port numbers. Figure 5-2 shows how PAT translates IP
addresses and port numbers.
[Figure 5-2: PAT. Hosts 192.168.1.3 and 192.168.1.2 behind the Router; datagram labels from the diagram:]
Datagram   Src IP:Port before PAT   Src IP:Port after PAT
1          192.168.1.3:23           202.169.10.1:10023
2          192.168.1.3:80           202.169.10.1:10080
3          192.168.1.2:23           202.169.10.1:11023
4          192.168.1.2:80           202.169.10.1:11080
Internal Server
NAT can shield internal hosts. In applications, users on the public network may need to access
the internal hosts. For example, users on the public network need to access a Web server or a
file transfer protocol (FTP) server.
NAT allows you to flexibly configure IP addresses for internal servers. For example, you can
use 202.110.10.10 or even 202.110.10.12:8080 as the public address of a Web server, and use
202.110.10.11 as the public address of an FTP server. Multiple servers (Web servers for
example) can be provided for external users.
You can configure an internal server and map the public address and port to the internal server.
In this way, hosts on the public network can access the internal server.
NAT Mapping
The NAT function saves IPv4 addresses and improves network security. NAT implementation
of different vendors may be different; therefore, the applications using the simple traversal of
UDP through NAT (STUN), traversal using relay NAT (TURN), and Interactive Connectivity
Establishment (ICE) technologies may fail to traverse the NAT devices of these vendors. These
technologies are commonly used on the SIP proxy. NAT mapping enables these applications to
traverse the NAT devices.
NAT Filtering
A NAT device filters the traffic from external network to internal network. After a host on the
internal network sends an access request to a host on the external network, the host on the external
network transmits traffic to the internal host. The NAT device filters the traffic sent to the internal
host.
Easy IP
Easy IP takes the public IP address of the interface as the source address after NAT is performed.
In addition, it uses the Access Control List (ACL) to control the private addresses to be translated.
NAT ALG
Some protocols are sensitive to the NAT function and cannot work correctly without special
processing. Packets of these protocols contain the IP address and/or port number in the payload,
which affects protocol interaction.
The NAT ALG function allows such protocol packets to traverse NAT devices. It replaces the
IP address and port number in the payload to implement transparent transmission and relay of
protocol packets. The NAT ALG of the AR2200-S supports the domain name system (DNS),
FTP, Real-Time Streaming Protocol (RTSP) and Session Initiation Protocol (SIP).
Twice NAT
Basic NAT translates only the source or destination address of packets, whereas twice NAT
translates both the source and destination addresses. The twice NAT technology applies to the
scenario where IP addresses of hosts on private and public networks overlap. As shown in Figure
5-3, the IP address of PC1 on the private network is the same as the IP address of PC3 on the
public network. If PC2 on the private network sends a packet to PC3, the packet will be forwarded
to PC1. Twice NAT translates the overlapping IP address into a unique temporary address (based
on basic NAT) according to the mapping between the overlapping address pool and the
temporary address pool. In this way, packets can be forwarded correctly.
Figure 5-3 Networking of twice NAT
[Figure labels: PC 1, PC 2, PC 3, Router, www.web.com, DNS Server; address label 10.0.0.1/24]
Configure basic NAT (many-to-many NAT): Configure an NAT address pool that contains
IP addresses 200.0.0.1 to 200.0.0.100 and apply it to the interface connecting to the WAN.
2.
The mapping indicates that one overlapping address pool maps to one temporary address pool.
The translation rules are as follows:
Temporary address = Start IP address in the temporary address pool + (Overlapping IP address
- Start IP address in the overlapping address pool)
Overlapping address = Start IP address in the overlapping address pool + (Temporary IP address
- Start IP address in the temporary address pool)
When PC2 on the private network accesses PC3 on the public network using the domain name,
packets are processed as follows:
1. PC2 sends a DNS request for resolving the domain name www.web.com of the web server.
   After the DNS server resolves the DNS request, the AR2200-S receives the response packet
   from the DNS server. The AR2200-S resolves the address 10.0.0.1 in the payload of the
   response packet and detects that the address is an overlapping address (it is in the
   overlapping address pool). The AR2200-S translates the address 10.0.0.1 into the temporary
   address 3.0.0.1, and translates the destination address of the response packet using basic
   NAT. Then the AR2200-S sends the packet to PC2.
2. PC2 sends an access request packet with the temporary address 3.0.0.1 corresponding to
   www.web.com to access the public network. When the packet reaches the AR2200-S, the
   AR2200-S translates the source address of the packet using basic NAT and then translates
   the destination address (temporary address) to the overlapping address 10.0.0.1.
3. The AR2200-S sends the packet to the WAN-side outbound interface. The packet is then
   forwarded to PC3 hop by hop.
4. When the packet sent from PC3 to PC2 reaches the AR2200-S, the AR2200-S checks the
   source address 10.0.0.1, which is the overlapping address (it is in the overlapping address
   pool). The AR2200-S translates the source address to the temporary address 3.0.0.1, and
   translates the destination address using basic NAT. Then the AR2200-S sends it to PC2.
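The two translation rules and packet steps 1, 2 and 4 above, as an added Python example (not Huawei code). It uses the pool values from this guide's twice NAT configuration example (nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254); the names OverlapMap, dns_response, outbound, inbound and walk_through are hypothetical, and basic NAT is modelled as a single session that always picks 160.160.0.2 from nat address-group 1.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OverlapMap:
    """One overlapping-pool to temporary-pool mapping of pool_length addresses."""
    overlap_start: str
    temp_start: str
    pool_length: int

    def _shift(self, addr, src_start, dst_start):
        # Offset of addr from the start of its pool; outside the pool -> None.
        offset = int(ipaddress.IPv4Address(addr)) - int(ipaddress.IPv4Address(src_start))
        if not 0 <= offset < self.pool_length:
            return None
        return str(ipaddress.IPv4Address(dst_start) + offset)

    def to_temporary(self, addr):
        """Temporary = temporary pool start + (overlapping - overlapping pool start)."""
        return self._shift(addr, self.overlap_start, self.temp_start)

    def to_overlapping(self, addr):
        """Overlapping = overlapping pool start + (temporary - temporary pool start)."""
        return self._shift(addr, self.temp_start, self.overlap_start)


# Pool values taken from the guide's configuration example.
MAP = OverlapMap("192.168.20.2", "202.169.100.2", 254)
HOST_A = "192.168.20.2"      # internal host; the external server uses the same address
NAT_PUBLIC = "160.160.0.2"   # assumption: address basic NAT picks from address-group 1


def dns_response(answer):
    """Step 1: rewrite an overlapping address found in the DNS answer payload."""
    return MAP.to_temporary(answer) or answer


def outbound(src, dst):
    """Step 2: basic NAT on the source, temporary -> overlapping on the destination."""
    return NAT_PUBLIC, (MAP.to_overlapping(dst) or dst)


def inbound(src, dst):
    """Step 4: overlapping -> temporary on the source, basic NAT on the destination."""
    private_dst = HOST_A if dst == NAT_PUBLIC else dst  # single modelled session
    return (MAP.to_temporary(src) or src), private_dst


def walk_through():
    """Return (address the host sees, packet on the WAN, reply delivered to the host)."""
    seen_by_host = dns_response("192.168.20.2")
    on_wan = outbound(HOST_A, seen_by_host)
    reply = inbound(on_wan[1], on_wan[0])
    return seen_by_host, on_wan, reply


if __name__ == "__main__":
    print(walk_through())
    # Pool edges: 254 addresses starting at .2 end at .255; .1 and 192.168.21.0 are outside.
    for addr in ("192.168.20.1", "192.168.20.255", "192.168.21.0"):
        print(addr, "->", MAP.to_temporary(addr))
```

An address outside the pool is returned untranslated by the packet functions, which is the case where an overlapping destination would still be delivered to the local host instead of the external one.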
Applicable Environment
NAT must be configured at the boundary between the private network and the public network
so that it can translate private and public addresses.
Pre-configuration Tasks
Before configuring NAT, complete the following task:
l
Data Preparation
To configure NAT, you need the following data.
No.
Data
Number of the public address pool, start IP address, and end IP address
Information about the internal server, including the protocol type, public address,
public port number, private address (the VPN instance may be included), and
(optional) private port number
Information about static NAT, including the protocol type, public address, public
port number, private address (the VPN instance may be included), (optional)
private port number, and subnet mask
Index of the overlapping address pool and temporary address pool, start IP
address, address pool length, and (optional) VPN instance
Procedure
Step 1 Run:
system-view
The public address pool IDs are numerals. Up to address pools can be configured.
By default, no public address pool is configured on the AR2200-S.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Easy IP is configured.
----End
Procedure
Step 1 Run:
system-view
When configuring an internal server, ensure that global-address and host-address are different from
interface IP addresses and IP addresses in the user address pool.
----End
Procedure
Step 1 Run:
system-view
When configuring static NAT, ensure that global-address and host-address are different from interface IP
addresses and IP addresses in the user address pool.
----End
Procedure
Step 1 Run:
system-view
Context
NAT filtering has the following modes:
- Endpoint-independent filtering
- Address-dependent filtering
Procedure
Step 1 Run:
system-view
Context
The NAT function saves IPv4 addresses and improves network security. NAT mapping has the
following modes:
- Endpoint-independent mapping: reuses the port mapping for subsequent packets sent from
  the same internal IP address and port to any external IP address and port.
- Address-dependent mapping: reuses the port mapping for subsequent packets sent from the
  same internal IP address and port to the same external IP address, regardless of the external
  port.
- Address and port-dependent mapping: reuses the port mapping for subsequent packets sent
  from the same internal IP address and port to the same external IP address and port while
  the mapping is still active.
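The three mapping modes above, as an added Python model of a PAT table (not Huawei code or device output). It reuses the addresses from the NAT principle description (host 10.1.1.48:6084, public address 203.196.3.23, first translated port 32814); the class and function names, the sequential port allocation and the two extra destinations are assumptions made for the example.

```python
from enum import Enum


class Mapping(Enum):
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    ADDRESS_DEPENDENT = "address-dependent"
    ADDRESS_AND_PORT_DEPENDENT = "address and port-dependent"


class Napt:
    """Model of a PAT device that owns one public address.

    Sequential port allocation starting at first_port is an assumption made
    for this example; the guide does not say how the device picks ports.
    """

    def __init__(self, public_ip, mode, first_port=32814):
        self.public_ip = public_ip
        self.mode = mode
        self.next_port = first_port
        self.table = {}    # mapping key -> public port
        self.reverse = {}  # public port -> (private ip, private port)

    def _key(self, src, dst):
        # The mode decides how much of the destination is part of the key,
        # and therefore when an existing port mapping is reused.
        if self.mode is Mapping.ENDPOINT_INDEPENDENT:
            return (src,)
        if self.mode is Mapping.ADDRESS_DEPENDENT:
            return (src, dst[0])
        return (src, dst)

    def outbound(self, src, dst):
        """Translate the source of an outgoing packet; dst stays unchanged."""
        key = self._key(src, dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = src
            self.next_port += 1
        return (self.public_ip, self.table[key]), dst

    def inbound(self, public_port):
        """Map the destination port of a reply back to the private endpoint.

        Returns None when no mapping owns the port. NAT filtering is a
        separate decision and is not modelled here.
        """
        return self.reverse.get(public_port)


HOST = ("10.1.1.48", 6084)                     # private host and port from the guide
SERVER = ("202.18.245.251", 80)                # web server from the guide
SAME_IP_OTHER_PORT = ("202.18.245.251", 443)   # constructed destination
OTHER_IP = ("198.51.100.7", 80)                # constructed destination


def public_ports(mode):
    """Public source ports HOST is given when it contacts three destinations."""
    nat = Napt("203.196.3.23", mode)
    return [nat.outbound(HOST, dst)[0][1]
            for dst in (SERVER, SAME_IP_OTHER_PORT, OTHER_IP)]


if __name__ == "__main__":
    for mode in Mapping:
        print(f"{mode.value:28} {public_ports(mode)}")
```

Only the endpoint-independent mode keeps one public port for all three destinations, which is why an address and port learned from one external server remains valid toward a different peer in that mode and not in the other two.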
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The mapping from a domain name to a public IP address, port number, and protocol type is
configured.
Up to 64 mapping entries can be configured on the AR2200-S.
Step 3 Run:
nat alg { all | dns | ftp
CAUTION
The NAT ALG function allows hosts on a private network to access servers on the private
network through the external DNS server.
----End
Context
When IP addresses of internal hosts and external hosts overlap, configure the mapping between
the overlapping address pool and the temporary address pool. Then the overlapping address is
translated to a unique temporary address and packets can be forwarded correctly. In addition,
configure outbound NAT to implement twice NAT.
Procedure
Step 1 Run:
system-view
Procedure
- Run the display nat alg command to check whether the NAT ALG function is enabled.
- Run the display nat address-group [ group-index ] [ verbose ] command to check the
  configuration of the NAT address pool.
- Run the display nat dns-map [ domain-name ] command to check information about DNS
  mapping.
- Run the display nat overlap-address { map-index | all | inside-vpn-instance
  inside-vpn-instance-name } command to check information about twice NAT.
- Run the display nat server [ global global-address | inside host-address [ vpn-instance
  vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to
  check the configuration of the NAT server.
- Run the display nat static [ global global-address | inside host-address [ vpn-instance
  vpn-instance-name ] | interface interface-type interface-name ] command to check the
  configuration of static NAT.
- Run the display nat mapping table { all | number } command to view the NAT mapping
  table information or number of entries in the table.
----End
[Figure labels: WWW Server 192.168.20.2:8080, FTP Server 10.0.0.3/24, Router (Eth2/0/0, Eth2/0/1, GE3/0/0), Host]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure IP addresses for interfaces and configure the NAT servers on the WAN-side
interface to allow external users to access the internal servers.
2.
3.
Enable the FTP NAT ALG function to allow the external FTP packets to traverse the NAT
servers.
Procedure
Step 1 Configure IP addresses for the interfaces on the AR2200-S and configure the NAT server on the
WAN-side interface.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 200
[Huawei-Ethernet2/0/1] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Huawei-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
[Huawei-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
[Huawei-GigabitEthernet3/0/0] quit
Step 2 On the AR2200-S, configure a static route with the next hop address 202.169.10.2
[Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
Step 3 Enable the NAT ALG function for FTP packets on the AR2200-S.
[Huawei] nat alg ftp enable
: 202.169.10.33/21(ftp)
: 10.0.0.3/21(ftp)
: ---: ----
Run the display nat alg command on the AR2200-S, and the command output is as follows:
[Huawei] display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application            Status
----------------------------------
dns                    Disabled
ftp                    Enabled
rtsp                   Disabled
sip                    Disabled
----------------------------------
Verify that external users can access the web server and FTP server.
----End
Configuration Files
#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet3/0/0
ip address 202.169.10.1 255.255.255.0
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 gigabitethernet 3/0/0
#
return
[Figure labels: Area A (PC 1...PC n, 192.168.20.0), Area B (PC 1...PC n, 10.0.0.0), Router (Eth2/0/0, Eth2/0/1, GE3/0/0)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Configure outbound NAT on the WAN-side interface to allow internal hosts to access
external networks.
Procedure
Step 1 Configure IP addresses for the interfaces of the AR2200-S.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 200
[Huawei-Ethernet2/0/1] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Huawei-GigabitEthernet3/0/0] quit
Step 2 On the AR2200-S, configure a static route with the next hop address 202.169.10.2.
[Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
Type
to break
ttl=255 time=1
ttl=255 time=1
ttl=255 time=1
ttl=255 time=1
ttl=255 time=1
ms
ms
ms
ms
ms
to break
ttl=255 time=1
ttl=255 time=1
ttl=255 time=1
ttl=255 time=1
ttl=255 time=1
ms
ms
ms
ms
ms
----End
Configuration Files
#
vlan batch 100 200
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit source 10.0.0.0 0.0.0.255
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet3/0/0
ip address 202.169.10.1 255.255.255.0
nat outbound 2000 address-group 1 no-pat
nat outbound 2001 address-group 2
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
ip route-static 0.0.0.0 0.0.0.0 gigabitethernet 3/0/0
#
return
[Figure labels: www.Server.com, Host A 192.168.20.2/24, Company A (PC 1 192.168.20.2/24), Company B (PC 2 10.0.0.3/24), Router (Eth2/0/0, Eth2/0/1, GE3/0/0), 202.169.10.2, DNS Server]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure DNS mappings to allow users to access servers by using domain names.
3.
4.
Procedure
Step 1 Configure IP addresses for the interfaces of the AR2200-S.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] port default vlan 200
[Huawei-Ethernet2/0/1] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 202.169.10.2 24
[Huawei-GigabitEthernet3/0/0] quit
Step 3 Configure the mapping between the overlapping address pool and the temporary address pool
on the AR2200-S.
[Huawei] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254
Step 4 Configure a static route on the AR2200-S from the temporary address pool to outbound interface
Ethernet2/0/0.
[Huawei] ip route-static 202.169.100.2 32 gigabitethernet 3/0/0 202.169.10.2
Create an ACL and configure an ACL rule to permit the packets of host A.
[Huawei] acl 3180
[Huawei-acl-adv-3180] rule permit ip source 192.168.20.0 0.0.0.255
[Huawei-acl-adv-3180] quit
2.
3.
Run the display nat outbound command on the AR2200-S to view outbound NAT information.
[Huawei] display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Interface               Acl     Address-group/IP/Interface   Type
-----------------------------------------------------------------
GigabitEthernet3/0/0    3180    1                            pat
-----------------------------------------------------------------
Total : 1
----End
Configuration Files
#
vlan batch 100 200
#
acl number 3180
rule 5 permit ip source 192.168.20.0 0.0.0.255
#
nat alg dns enable
#
nat address-group 1 160.160.0.2 160.160.0.254
#
nat dns-map www.server.com 192.168.20.2 80 tcp
#
nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254
#
ip route-static 202.169.100.2 255.255.255.255 GigabitEthernet3/0/0 202.169.10.2
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet3/0/0
ip address 202.169.10.1 255.255.255.0
nat outbound 3180 address-group 1
#
return
6 DHCP Configuration
This section describes how to clear DHCP statistics and monitor DHCP status.
6.9 Configuration Examples
The DHCP configuration examples provide networking requirements, networking diagram,
precautions, configuration roadmaps, and configuration procedures.
After a DHCP server based on a global address pool is configured, all online users of the
server can obtain IP addresses from this address pool.
After a DHCP server based on an interface address pool is configured, only users that get
online from this specified interface can obtain IP addresses from this address pool.
The AR2200-S allocates IP addresses to clients by using the global address pool or an interface
address pool.
Applicable Environment
When the AR2200-S functions as a DHCP server, you can configure a global address pool on
the AR2200-S. The AR2200-S then allocates IP addresses and configuration parameters to
clients from the global address pool.
The global address pool applies to the following scenarios:
DHCP clients and the AR2200-S used as a DHCP server are on the same network segment.
DHCP clients can obtain IP addresses and other configuration parameters from a global address
pool. Figure 6-1 shows the networking.
Figure 6-1 Application scenario 1 of a global address pool
DHCP Server
DHCP Client
DHCP clients and the AR2200-S functioning as a DHCP server are on different network
segments. DHCP clients can obtain IP addresses and other configuration parameters from a
global address pool through a DHCP relay agent. Figure 6-2 shows the networking.
[Figure 6-2 networking diagram labels: DHCP Server, Internet, DHCP Relay, DHCP Client]
Pre-configuration Tasks
Before configuring a DHCP server based on a global address pool, complete the following tasks:
- Ensuring that the link between the DHCP client and the AR2200-S works properly
- Configuring the routes destined to the DNS server and the NetBIOS server on the AR2200-S (The routes are configured only after the DNS and NetBIOS servers are configured.)
Data Preparation
To configure the DHCP server based on a global address pool, you need the following data.
No.  Data
1    Name of a global address pool, IP address range and lease, (optional) range of IP addresses that cannot be assigned dynamically, and (optional) IP and MAC address entries that need to be statically bound
2    (Optional) IP address of the DNS server and domain name of a DHCP client
3    (Optional) IP address of the NetBIOS server and the NetBIOS node type of a DHCP client
Procedure
Step 1 Run:
system-view
The interface is configured to select a global address pool for IP address allocation. After the
configuration, users who get online from this interface can obtain IP addresses and other
configuration parameters from a global address pool.
----End
are bound manually. IP addresses in the global address pool can be assigned dynamically or
bound manually as required.
Procedure
Step 1 Run:
system-view
The range of dynamically assignable IP addresses in the global address pool is configured.
Only one address segment can be specified for an address pool. A mask can be used to set the
address range of the address pool.
NOTE
When configuring the range of dynamically assignable IP addresses in the global address pool, ensure that the
range is the same as the network segment on which the DHCP server interface address or the DHCP relay agent
interface address resides. This avoids incorrect assignment of IP addresses.
The range of the IP addresses that cannot be dynamically assigned in the global address pool is
configured.
If an IP address has been assigned to a server, such as a DNS server, it cannot be assigned to a
DHCP client. You can run the excluded-ip-address command once to configure an IP
address that cannot be assigned dynamically. Running the excluded-ip-address command
multiple times specifies multiple IP addresses that cannot be dynamically assigned.
Step 6 Run:
gateway-list ip-address &<1-8>
NOTE
When a DHCP client is communicating with a server or a host outside the local network segment, the data
transmitted between them is forwarded or received by using the gateway.
To perform load balancing for traffic and improve network reliability, you can configure multiple gateways.
An address pool can be configured with a maximum of eight gateway addresses. Gateway addresses cannot
be subnet broadcast addresses.
Before binding the IP address to a MAC address, ensure that the IP address is one of IP addresses that can be
dynamically assigned.
IP addresses that cannot be released from the IP address pool are recycled.
----End
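The address-pool rules stated in this procedure (pool range on the same segment as the DHCP server or relay interface, at most eight gateways, no subnet broadcast address as a gateway, server addresses kept out of dynamic assignment, static bindings only on assignable addresses) can be checked before the commands are entered. The following Python check is an added example, not Huawei code; the `PoolPlan` structure, the finding codes, and both sample plans are constructed for illustration, with addressing borrowed from the 10.1.1.0/25 segment used in this chapter's configuration example.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_GATEWAYS = 8      # gateway-list ip-address &<1-8>
MAX_DNS_SERVERS = 8   # dns-list ip-address &<1-8>


@dataclass
class PoolPlan:
    """Planned settings for one global address pool (hypothetical structure)."""
    name: str
    network: str            # pool segment, e.g. "10.1.1.0/25"
    server_interface: str   # DHCP server or relay interface, e.g. "10.1.1.1/25"
    gateways: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)
    excluded: list = field(default_factory=list)
    static_binds: dict = field(default_factory=dict)   # IP address -> MAC address


def check_pool(plan):
    """Return a list of (code, detail) findings; an empty list means the plan passes."""
    findings = []
    net = ipaddress.ip_network(plan.network)
    iface = ipaddress.ip_interface(plan.server_interface)
    excluded = {ipaddress.ip_address(a) for a in plan.excluded}

    # The pool range must be the segment of the DHCP server or relay interface.
    if iface.network != net:
        findings.append(("SEGMENT_MISMATCH", f"pool {net}, interface segment {iface.network}"))

    # At most eight gateways, and none may be the subnet broadcast address.
    if len(plan.gateways) > MAX_GATEWAYS:
        findings.append(("TOO_MANY_GATEWAYS", str(len(plan.gateways))))
    for gw in map(ipaddress.ip_address, plan.gateways):
        if gw == net.broadcast_address:
            findings.append(("GATEWAY_IS_BROADCAST", str(gw)))

    # A server address inside the pool must be excluded from dynamic assignment.
    if len(plan.dns_servers) > MAX_DNS_SERVERS:
        findings.append(("TOO_MANY_DNS_SERVERS", str(len(plan.dns_servers))))
    for dns in map(ipaddress.ip_address, plan.dns_servers):
        if dns in net and dns not in excluded:
            findings.append(("SERVER_NOT_EXCLUDED", str(dns)))

    # A statically bound address must be one that could be assigned dynamically.
    for ip_text in plan.static_binds:
        ip = ipaddress.ip_address(ip_text)
        assignable = (ip in net
                      and ip not in (net.network_address, net.broadcast_address)
                      and ip not in excluded)
        if not assignable:
            findings.append(("STATIC_BIND_NOT_ASSIGNABLE", str(ip)))
    return findings


# Constructed sample plans (not taken from a real device).
GOOD_PLAN = PoolPlan(
    name="pool1", network="10.1.1.0/25", server_interface="10.1.1.1/25",
    gateways=["10.1.1.1"], dns_servers=["10.1.1.2"], excluded=["10.1.1.2"],
    static_binds={"10.1.1.100": "00e0-fc11-000a"},
)
BAD_PLAN = PoolPlan(
    name="pool-bad", network="10.1.1.0/24", server_interface="10.1.1.129/25",
    gateways=["10.1.1.255"], dns_servers=["10.1.1.2"], excluded=[],
    static_binds={"10.1.2.5": "00e0-fc11-000b"},
)

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        print(plan.name, check_pool(plan) or "OK")
```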
Context
The DNS and NetBIOS configurations have been specified before the DHCP server allocates
IP addresses to the DHCP client. If you do not have the configurations allocated by the carrier,
dynamically allocate the DNS and NetBIOS configurations to the DHCP client.
NOTE
If the static DNS, NetBIOS, and domain name are available in the address pool, use the static configurations.
Procedure
Step 1 Run:
system-view
The DHCP client is dynamically allocated the DNS and NetBIOS configurations.
----End
Context
When a host accesses the Internet through the domain name, the domain name needs to be
resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can
successfully connect to the Internet, the DHCP server needs to specify the DNS server address
when allocating the IP address to the client.
Procedure
Step 1 Run:
system-view
The DNS domain name that is assigned to the DHCP client is configured.
On the DHCP server, you can specify a DNS domain name used by the client for each address
pool.
Step 4 Run:
dns-list ip-address &<1-8>
The IP address of the DNS server connected to the DHCP client is configured.
To perform load balancing on traffic and improve network reliability, you can configure multiple
DNS servers. An address pool can be configured with a maximum of eight DNS server addresses.
----End
Context
NOTE
Before a DHCP client communicates with hosts by using NetBIOS, the mapping between the
host names and IP addresses of the client and host needs to be established. The DHCP client can
be specified as one of the following NetBIOS nodes based on mappings between host names
and IP addresses:
- B-node: b indicates broadcast. B-nodes obtain mappings between host names and IP addresses in broadcast mode.
- P-node: p indicates peer-to-peer. P-nodes obtain mappings between host names and IP addresses from the NetBIOS server.
- M-node: m indicates mixed. M-nodes are the p-nodes that have some broadcast features.
- H-node: h indicates hybrid. H-nodes are the b-nodes that provide the peer-to-peer communication mechanism.
Procedure
Step 1 Run:
system-view
The IP address of the NetBIOS server connected to the DHCP client is configured.
An address pool can be configured with a maximum of eight NetBIOS server addresses.
Step 4 Run:
netbios-type { b-node | h-node | m-node | p-node }
Context
If the Option attribute has been configured on the DHCP server and a DHCP client applies for
an IP address, the client can obtain the configurations in the Option field of the DHCPREPLY
packet from the server.
NOTE
The DNS service, NetBIOS service, and IP address lease can be configured by commands. If these
commands are not supported by the device, you can run the option command to configure values for the
options corresponding to the DNS service, NetBIOS service, and IP address lease.
The related commands are as follows:
Procedure
Step 1 Run:
system-view
Context
You can use the dhcp server ping command to check whether a response to the ping packet is
received within a specified period. If the AR2200-S does not receive a response packet within
the specified period, it sends ping packets continuously until the number of sent ping packets
reaches the upper limit. If the AR2200-S still does not receive a response packet, the IP address
is not used on the local network segment. This ensures that the IP address to be assigned is
unique.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server ping packet number
The maximum number of ping packets that the AR2200-S can send to the same destination is
configured.
The default value is 0. With this value, the AR2200-S sends no ping packets and does not perform a ping.
Step 3 Run:
dhcp server ping timeout milliseconds
The timeout period to wait for a response packet is set for the AR2200-S.
By default, the timeout period is 500 milliseconds.
----End
Context
If the DHCP data is saved to the storage device of the AR2200-S and the AR2200-S becomes
faulty, the DHCP data in the storage device can be used for data restoration.
Procedure
Step 1 Run:
system-view
Prerequisites
The configurations of the DHCP server based on the global address pool are complete.
Procedure
- Run the display dhcp server statistics command to check the statistics on the DHCP server.
----End
Example
Run the display dhcp server statistics command to view statistics on the DHCP server.
<Huawei> display dhcp server statistics
DHCP Server Statistics:
Client Request:       6
Dhcp Discover:        1
Dhcp Request:         4
Dhcp Decline:         0
Dhcp Release:         1
Dhcp Inform:          0
Server Reply:         4
Dhcp Offer:           1
Dhcp Ack:             3
Dhcp Nak:             0
Bad Messages:         0
Run the display ip pool name ip-pool-name command to view information about the IP address
pool named pool1.
<Huawei> display ip pool name pool1
Pool-Name      : pool1
Pool-No        : 2
Lease          : 3 Days 0 Hours 0 Minutes
Domain-name    :
DNS-Server0    : 10.10.10.5
DNS-Server1    : 10.10.10.6
NBNS-Server0   : 20.20.20.5
Netbios-type   :
Position       : Local
Status         : Unlocked
Gateway-0      : 10.10.10.10
Mask           : 255.255.255.0
Vpn instance   :
--------------------------------------------------------------------------
Start          End             Total  Used  Idle(Expired)  Conflict  Disable
--------------------------------------------------------------------------
10.10.10.1     10.10.10.254    253    0     253            0         0
--------------------------------------------------------------------------
Applicable Environment
On the AR2200-S functioning as a DHCP server, you can configure an interface address pool.
As shown in Figure 6-3, interface address pools are applicable only to the scenario where a
DHCP client and a server are on the same network segment.
Figure 6-3 Application scenario of an interface address pool
DHCP Server
DHCP Client
Pre-configuration Tasks
Before configuring a DHCP server based on an interface address pool, complete the following
tasks:
- Ensuring that the link between a DHCP client and the AR2200-S works properly
- Configuring the routes destined to the DNS server and the NetBIOS server on the AR2200-S (The routes can be configured only after the DNS and NetBIOS servers are configured.)
Data Preparation
To configure a DHCP server based on an interface address pool, you need the following data.
No.  Data
1    Number of the interface on which the interface address pool is enabled, IP address range and lease, (optional) range of IP addresses that cannot be assigned dynamically, and (optional) IP and MAC address entries that need to be bound statically
2    (Optional) IP address of the DNS server and domain name of a DHCP client
3    (Optional) IP address of the NetBIOS server and NetBIOS node type of a DHCP client
Procedure
Step 1 Run:
system-view
The AR2200-S is configured to select an interface address pool for IP address allocation.
The range of dynamically assignable IP addresses in the interface address pool is the network
segment to which the address of the interface belongs. The users whose IP addresses are in this
network segment can get online only from this interface.
The IP address that cannot be assigned dynamically in the interface address pool is specified.
If an IP address has been assigned to a server, such as a DNS server, it cannot be assigned to a
DHCP client. You can run the dhcp server excluded-ip-address command once to
configure an IP address that cannot be assigned dynamically. Running the dhcp server
excluded-ip-address command multiple times specifies multiple IP addresses that cannot be
dynamically assigned.
Step 8 (Optional) Run:
dhcp server static-bind ip-address ip-address mac-address mac-address
Before binding the IP address to the MAC address, ensure that the IP address is dynamically assignable in the
interface address pool.
----End
Context
The DNS and NetBIOS configurations have been specified before the DHCP server allocates
IP addresses to the DHCP client. If you do not have the configurations allocated by the carrier,
dynamically allocate the DNS and NetBIOS configurations to the DHCP client.
NOTE
If the static DNS, NetBIOS, and domain name are available in the address pool, use the static configurations.
Procedure
Step 1 Run:
system-view
The DHCP client is dynamically allocated the DNS and NetBIOS configurations.
----End
Context
When a host accesses the Internet through the domain name, the domain name needs to be
resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can
successfully connect to the Internet, the DHCP server needs to specify the DNS server address
when allocating the IP address to the client.
Procedure
Step 1 Run:
system-view
The DNS domain name that is assigned to the DHCP client is configured.
Step 4 Run:
dhcp server dns-list ip-address &<1-8>
The IP address of the DNS server used by the DHCP client is configured.
To perform load balancing on traffic and improve network reliability, you can configure multiple
DNS servers. An address pool can be configured with a maximum of eight DNS server addresses.
----End
Context
Before a host on the DHCP client communicates with another host by using NetBIOS, the
mappings between the host names and IP addresses need to be established. The DHCP client
can be specified as one of the following NetBIOS nodes based on mappings between host names
and IP addresses:
- B-node: b indicates broadcast. B-nodes obtain mappings between host names and IP addresses in broadcast mode.
- P-node: p indicates peer-to-peer. P-nodes obtain mappings between host names and IP addresses from the NetBIOS server.
- M-node: m indicates mixed. M-nodes are the p-nodes that have some broadcast features.
- H-node: h indicates hybrid. H-nodes are the b-nodes that provide the peer-to-peer communication mechanism.
Procedure
Step 1 Run:
system-view
The IP address of the NetBIOS server used by the DHCP client is configured.
An address pool can be configured with a maximum of eight NetBIOS server addresses.
Step 4 Run:
dhcp server netbios-type { b-node | h-node | m-node | p-node }
Context
If the Option attribute has been configured on the DHCP server and the DHCP client applies for
an IP address, the client can obtain the configurations in the Option field of the DHCP packet
from the server.
NOTE
The DNS service, NetBIOS service, and IP address lease can be configured by using commands. If these
commands are not supported by the device, you can run the option command to configure values for the
options corresponding to the DNS service, NetBIOS service, and IP address lease.
The related commands are as follows:
Procedure
Step 1 Run:
system-view
Context
You can use the dhcp server ping command to check whether a response to the ping packet is
received within a specified period. If the AR2200-S does not receive a response packet within
the specified period, it sends ping packets continuously until the number of sent ping packets
reaches the upper limit. If the AR2200-S still does not receive a response packet, the IP address
is not used on the local network segment. This ensures that the IP address to be assigned is
unique.
Procedure
Step 1 Run:
system-view
The maximum number of ping packets that the AR2200-S can send to the same destination is
configured.
The default value is 0. With this value, the AR2200-S sends no ping packets and does not perform a ping.
Step 3 Run:
dhcp server ping timeout milliseconds
The timeout period to wait for a response packet is set for the AR2200-S.
By default, the timeout period is 500 milliseconds.
----End
Context
If the DHCP data is saved to the storage device of the AR2200-S and the AR2200-S becomes
faulty, the DHCP data in the storage device can be used for data restoration.
Procedure
Step 1 Run:
system-view
After the preceding operations, a lease.txt file and a conflict.txt file are generated and saved in
the DHCP folder in the SD card. The lease.txt file stores lease information, and the conflict.txt
file stores address conflict information.
Step 3 Run:
dhcp server database write-delay interval
Context
The configurations of a DHCP server based on an interface address pool are complete.
Procedure
- Run the display dhcp server statistics command to check the statistics on the DHCP server.
----End
Example
Run the display dhcp server statistics command to view the statistics on the DHCP server.
<Huawei> display dhcp server statistics
DHCP Server Statistics:
Client Request:       6
Dhcp Discover:        1
Dhcp Request:         4
Dhcp Decline:         0
Dhcp Release:         1
Dhcp Inform:          0
Server Reply:         4
Dhcp Offer:           1
Dhcp Ack:             3
Dhcp Nak:             0
Bad Messages:         0
Run the display ip pool interface ip-pool-name command to view information about the
interface address pool on VLANIF 10.
<Huawei> display ip pool interface VLANIF10
Pool-name      : vlanif10
Pool-No        : 2
Lease          : 1 Days 0 Hours 0 Minutes
Domain-name    :
DNS-server0    :
NBNS-server0   :
Netbios-type   :
Position       : Interface
Status         : Unlocked
Gateway-0      : 192.168.10.2
Mask           : 255.255.255.0
VPN instance   :
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.10.1 192.168.10.254 253 0 253 0 0 0
-----------------------------------------------------------------------------
Applicable Environment
A DHCP client can communicate with a DHCP server on another network segment by using the
AR2200-S functioning as a DHCP relay agent to obtain an IP address and other configurations
from the global address pool of the DHCP server. In this manner, DHCP clients on multiple
network segments can share one DHCP server. This reduces costs and facilitates centralized
management. Figure 6-4 shows the application scenario of a DHCP relay agent.
Figure 6-4 Application scenario of a DHCP relay agent
DHCP Server
Internet
DHCP Relay
DHCP Client
NOTE
Pre-configuration Tasks
Before configuring a DHCP relay agent, complete the following tasks:
Data Preparation
To configure a DHCP relay agent, you need the following data.
No.  Data
1    Number and IP address of the interface on which the DHCP relay function is enabled
Context
NOTE
A DHCP packet can be relayed for a maximum of 16 times from a DHCP client to a DHCP server. A DHCP
packet that has been relayed more than 16 times is dropped.
A super VLAN interface that has been enabled with the DHCP relay function cannot be enabled with the
DHCP snooping function.
Procedure
Step 1 Run:
system-view
The IP address of the egress gateway that is configured in the IP address pool of the server must be consistent
with the IP address of the DHCP relay.
Step 5 Run:
dhcp select relay
Follow-up Procedure
When the AR2200-S functions as a DHCP relay agent, it can forward the client's DHCP requests
to the DHCP server. Configure the IP address of the DHCP server on the interface that has been
enabled with the DHCP relay function. The AR2200-S supports the following methods by which
the IP address of the DHCP server is specified on the interface that functions as a DHCP relay
agent:
- 6.5.3 Specifying a Server Group on the DHCP Relay Agent and 6.5.4 Binding a DHCP Server Group to a DHCP Relay Interface.
- Run the dhcp relay server-ip ip-address command in the interface view to configure the IP address of the DHCP server connected to the DHCP relay agent.
Procedure
Step 1 Run:
system-view
A DHCP server group is created and the DHCP server group view is displayed.
The AR2200-S supports a maximum of 64 DHCP server groups.
Step 3 Run:
dhcp-server ip-address [ ip-address-index ]
A DHCP server group comprises a maximum of eight DHCP servers. If no indexes are specified
for the DHCP group servers, the system automatically assigns idle indexes to them.
----End
Procedure
Step 1 Run:
system-view
Context
When a DHCP relay agent is configured to instruct the DHCP server to reclaim the IP address
of a DHCP client, the relay agent sends a DHCP Release packet to the DHCP server. After
receiving the packet, the DHCP server reclaims the lease of the IP address.
Procedure
Step 1 Run:
system-view
A request packet is sent to the DHCP server to instruct the server to reclaim the IP address that
is obtained by a DHCP client.
----End
Prerequisites
The DHCP relay configurations are complete.
Procedure
- Run the display dhcp relay { all | interface interface-type interface-number } command to check the DHCP server group that is bound to the interface and information about the DHCP group servers.
- Run the display dhcp relay statistics command to check the statistics on the DHCP relay agent.
- Run the display dhcp server group group-name command to check the configurations of the DHCP server group.
----End
Example
Run the display dhcp relay interface interface-type interface-number command to view the
DHCP server group bound to VLANIF 100 and information about the DHCP group servers.
<Huawei> display dhcp relay interface vlanif 100
** Vlanif100 DHCP Relay Configuration
DHCP server group name : group1
DHCP server IP [0] :10.10.10.10
DHCP server IP [1] :10.10.10.11
DHCP server IP [2] :10.10.10.12
**
Run the display dhcp relay statistics command to view the statistics on the DHCP relay agent.
<Huawei> display dhcp relay statistics
The statistics of DHCP RELAY:
DHCP packets received from clients     : 0
DHCP DISCOVER packets received         : 0
DHCP REQUEST packets received          : 0
DHCP RELEASE packets received          : 0
DHCP INFORM packets received           : 0
DHCP DECLINE packets received          : 0
DHCP packets sent to clients           : 0
Unicast packets sent to clients        : 0
Broadcast packets sent to clients      : 0
DHCP packets received from servers     : 0
DHCP OFFER packets received            : 0
: 0
: 0
: 0
: 0
Run the display dhcp server group group-name command to view the configurations of DHCP
server group 1.
<Huawei> display dhcp server group group1
Group-name      : group1
Group-type      : -
(0) Server-IP   : 100.10.10.1
(1) Server-IP   : 100.10.10.2
Gateway         : -
VPN instance    : -
1 DHCP server group(s) in total
Applicable Environment
After a Layer 3 interface on the AR2200-S is configured to function as a DHCP/BOOTP client,
the interface can use the DHCP/BOOTP protocol to dynamically obtain an IP address and other
configurations from a DHCP server. This facilitates the configuration for users and centralized
management.
NOTE
After the DHCP/BOOTP client is configured, the DHCP server can assign an IP address to the DHCP/BOOTP
client. Therefore, a BOOTP server is not necessary.
Pre-configuration Tasks
Before configuring a DHCP/BOOTP client, complete the following tasks:
- Configuring a route destined to the DHCP relay agent or the DHCP server on the AR2200-S
Data Preparation
To configure a DHCP/BOOTP client, you need the following data.
No.  Data
1    Number and IP address of the interface on which the DHCP relay function is enabled
Procedure
Run:
system-view
Run:
dhcp enable
Run:
interface interface-type interface-number
Run:
ip address dhcp client hostname hostname
Run:
ip address dhcp client option61 client-name
Run:
ip address dhcp client request-option { dhcp-file-name | dns-domain | ftpuser-ip | ftp-user-name | ftp-user-password | route | tftp-server-ip | tftp-server-name }*
Run:
system-view
Run:
dhcp enable
Run:
interface interface-type interface-number
Run:
ip address bootp client hostname hostname
Procedure
Run:
system-view
Run:
dhcp enable
Run:
interface interface-type interface-number
Run:
ip address dhcp-alloc
Run:
system-view
Run:
dhcp enable
3.
Run:
interface interface-type interface-number
Run:
ip address bootp-alloc
Prerequisites
The DHCP/BOOTP client configurations are complete.
Procedure
----End
Example
# Run the display current-configuration command to view the configurations of the DHCP
client.
[Huawei] display current-configuration
...
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
...
# Run the display interface command to view the IP address that is obtained by the interface.
[Huawei] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP, 22.22.22.222/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc11-000a
Last physical up time   : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
757
0
0
Applicable Environment
If network attackers send DHCP packets continuously, the DHCP protocol stack of the AR2200-S is affected.
To protect the AR2200-S against attacks that send a large number of DHCP packets, you
can configure the highest rate at which DHCP packets are sent to the protocol stack on the
AR2200-S. After the configuration is complete, the AR2200-S checks the rates at which DHCP
packets are sent to the AR2200-S. Only a specific number of packets can be sent to the protocol
stack in a specified period, and excess packets are discarded.
Procedure
- Configure the highest rate at which DHCP packets are sent to the protocol stack in the system view.
  1. Run:
     system-view
  2. Run:
     dhcp enable
  3. Run:
     dhcp check dhcp-rate enable
  4. Run:
     dhcp check dhcp-rate rate
     The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
     By default, the rate does not exceed 100 pps. The DHCP messages that exceed the rate are discarded.
  5. (Optional) Run:
     dhcp check dhcp-rate alarm enable
  6. (Optional) Run:
     dhcp check dhcp-rate alarm threshold threshold
- Configure the highest rate at which DHCP packets are sent to the protocol stack in the VLAN view.
  1. Run:
     system-view
  2. Run:
     dhcp enable
  3. Run:
     vlan vlan-id
  4. Run:
     dhcp check dhcp-rate enable
  5. Run:
     dhcp check dhcp-rate rate
     The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
     By default, the rate does not exceed 100 pps. The DHCP messages that exceed the rate are discarded.
- Configure the highest rate at which DHCP packets are sent to the protocol stack in the interface view.
  1. Run:
     system-view
  2. Run:
     interface interface-type interface-number
  3. Run:
     dhcp check dhcp-rate enable
  4. Run:
     dhcp check dhcp-rate rate
     The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
     By default, the rate does not exceed 100 pps. The DHCP messages that exceed the rate are discarded.
  5. (Optional) Run:
     dhcp alarm dhcp-rate enable
  6. (Optional) Run:
     dhcp alarm dhcp-rate threshold threshold
     The alarm threshold for the DHCP message checking on an interface is configured.
     By default, the threshold is 100. When the number of packets that are discarded because their sending rates exceed the upper limit is larger than the threshold, an alarm is generated.
----End
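The effect of the rate check and its alarm threshold, and of the scope chosen for it, can be seen in a small simulation. This Python model is an added example, not Huawei's implementation: fixed one-second counting windows, an independent counter per scope, the interface labels `if-office` and `if-guest`, and the traffic itself are assumptions constructed for illustration; only the defaults (100 pps, alarm threshold 100) come from this section.

```python
from collections import Counter

DEFAULT_RATE_PPS = 100          # default rate given in this section
DEFAULT_ALARM_THRESHOLD = 100   # default alarm threshold given in this section


class RateCheck:
    """One dhcp-rate check instance (system, VLAN or interface scope)."""

    def __init__(self, rate_pps=DEFAULT_RATE_PPS, alarm_threshold=DEFAULT_ALARM_THRESHOLD):
        self.rate_pps = rate_pps
        self.alarm_threshold = alarm_threshold
        self.window = None        # index of the current one-second window (assumption)
        self.seen_in_window = 0
        self.discarded = 0
        self.alarm_at_ms = None   # time the discard count first exceeded the threshold

    def admit(self, t_ms):
        """Return True if the packet reaches the protocol stack, False if discarded."""
        window = t_ms // 1000
        if window != self.window:
            self.window, self.seen_in_window = window, 0
        self.seen_in_window += 1
        if self.seen_in_window <= self.rate_pps:
            return True
        self.discarded += 1
        if self.alarm_at_ms is None and self.discarded > self.alarm_threshold:
            self.alarm_at_ms = t_ms
        return False


def sample_traffic():
    """Constructed traffic as sorted (t_ms, interface, source) tuples.

    Legitimate clients send 20 packets per second for 5 seconds on one
    interface; a flood of 500 packets per second arrives on another
    interface during seconds 3 and 4.
    """
    packets = []
    for second in range(5):
        packets += [(second * 1000 + i * 50, "if-office", "client") for i in range(20)]
    for second in (3, 4):
        packets += [(second * 1000 + i * 2 + 1, "if-guest", "flood") for i in range(500)]
    return sorted(packets)


def run(packets, per_interface):
    """Apply one shared check (system view) or one check per interface."""
    checks = {}
    passed = Counter()
    for t_ms, iface, source in packets:
        key = iface if per_interface else "system"
        check = checks.setdefault(key, RateCheck())
        if check.admit(t_ms):
            passed[source] += 1
    return passed, checks


if __name__ == "__main__":
    for per_interface in (False, True):
        passed, checks = run(sample_traffic(), per_interface)
        label = "interface view" if per_interface else "system view"
        print(label, dict(passed),
              {name: (c.discarded, c.alarm_at_ms) for name, c in checks.items()})
```

In this model a single shared check discards most legitimate requests that arrive in the same second as the flood, while a check on the flooding interface confines the discards and the alarm to that interface.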
Context
CAUTION
DHCP statistics cannot be restored after you clear them. Exercise caution when running reset
commands.
Procedure
- Run the reset dhcp server statistics command in the user view to clear the statistics on a DHCP server.
- Run the reset dhcp relay statistics command in the user view to clear the statistics on a DHCP relay agent.
----End
Procedure
- Run the display dhcp relay { all | interface interface-type interface-number } command to check the DHCP server group that is bound to the relay interface and information about the group servers.
- Run the display dhcp relay statistics command to check the statistics on a DHCP relay agent.
- Run the display dhcp server group [ group-name ] command to check the configurations of the servers in the DHCP server group.
----End
Networking Requirements
As shown in Figure 6-5, the two offices of a company are deployed on the same network. To
save resources, all hosts in the two offices are assigned IP addresses by the Router that functions
as a DHCP server.
Office 1 belongs to the network segment 10.1.1.0/25, and all hosts in Office 1 are added to VLAN
10. These hosts use the DNS service but not the NetBIOS service. Office 2 belongs to the network
segment 10.1.1.128/25, and all hosts in Office 2 are added to VLAN 20. These hosts use both
DNS and NetBIOS services.
A global address pool needs to be configured on the Router. In addition, IP addresses need to
be dynamically assigned to the hosts in the two offices.
Figure 6-5 Networking diagram for configuring a DHCP server based on a global address pool
[Diagram: the Router (DHCP server) connects Office1 (network 10.1.1.0/25) through Ethernet2/0/0, VLANIF10 10.1.1.1/25, and Office2 (network 10.1.1.128/25) through Ethernet2/0/1, VLANIF20 10.1.1.129/25. The offices contain DHCP clients, a DNS server and a NetBIOS server.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Create a global address pool for Office 1 and another for Office 2, and configure related
attributes for each address pool, such as the address range, egress gateway, NetBIOS server
address, and IP address lease.
3.
Configure the address assignment method for VLANIF interfaces of the local DHCP server,
that is, configure the DHCP server to assign IP addresses in global address pools to clients.
Data Preparation
To complete the configuration, you need the following data:
1.
Names of the global address pools created for Office 1 and Office 2: pool1 and pool2
respectively
2.
3.
IP addresses of egress gateways configured for Office 1 and Office 2: 10.1.1.1 and
10.1.1.129 respectively
4.
IP address leases for Office 1 and Office 2: 10 days and 2 days respectively
5.
6.
7.
Procedure
Step 1 # Enable the DHCP function.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
# Create pool2 and configure attributes for pool2, including address range of pool2, DNS server
address, egress gateway, and IP address lease.
[Router] ip pool pool2
[Router-ip-pool-pool2]
[Router-ip-pool-pool2]
[Router-ip-pool-pool2]
[Router-ip-pool-pool2]
[Router-ip-pool-pool2]
[Router-ip-pool-pool2]
2/0/0
hybrid pvid vlan 10
hybrid untagged vlan 10
2/0/1
hybrid pvid vlan 20
hybrid untagged vlan 20
# Configure the clients connected to VLANIF 10 to obtain IP addresses from the global address
pool.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.128
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit
# Configure the clients connected to VLANIF 20 to obtain IP addresses from the global address
pool.
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.1.129 255.255.255.128
[Router-Vlanif20] dhcp select global
[Router-Vlanif20] quit
Idle        :248
Conflict    :0
Disable     :2
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 10 20
#
dhcp enable
#
ip pool pool1
ip pool pool2
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
dns-list 10.1.1.2
lease day 10 hour 0 minute 0
#
ip pool pool2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
dns-list 10.1.1.2
nbns-list 10.1.1.4
lease day 2 hour 0 minute 0
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif20
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface Ethernet 2/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet 2/0/1
port hybrid pvid vlan 20
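A consistency check for a global-address-pool configuration file in the format shown above, as an added example (not Huawei tooling or code from this guide): it verifies that each pool's gateway is the address of an interface using dhcp select global, and that DNS/NetBIOS servers inside a pool's range are excluded from assignment. The sample configuration is constructed, and the function names and finding codes are hypothetical.

```python
import ipaddress

# Constructed sample in the format of the configuration file above (not the
# page's file). It contains two deliberate mistakes for the audit to find.
SAMPLE_CONFIG = """\
#
dhcp enable
#
ip pool pool1
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.128
 excluded-ip-address 10.1.1.2
 dns-list 10.1.1.2
 nbns-list 10.1.1.4
#
ip pool pool2
 gateway-list 10.1.1.254
 network 10.1.1.128 mask 255.255.255.128
 dns-list 10.1.1.2
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.128
 dhcp select global
#
interface Vlanif20
 ip address 10.1.1.129 255.255.255.128
 dhcp select global
#
return
"""


def _addrs(words):
    return [ipaddress.ip_address(w) for w in words]


def parse_config(text):
    """Parse 'ip pool' and 'interface' stanzas; '#' or 'return' ends a stanza."""
    pools, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] in ("#", "return"):
            current = None
        elif words[:2] == ["ip", "pool"] and len(words) == 3:
            current = pools.setdefault(words[2], {
                "kind": "pool", "network": None,
                "gateways": [], "servers": [], "excluded": []})
        elif words[0] == "interface":
            current = interfaces.setdefault(" ".join(words[1:]), {
                "kind": "interface", "address": None, "select": None})
        elif current is None:
            continue
        elif current["kind"] == "pool":
            if words[0] == "network" and len(words) == 4 and words[2] == "mask":
                current["network"] = ipaddress.ip_network(
                    f"{words[1]}/{words[3]}", strict=False)
            elif words[0] == "gateway-list":
                current["gateways"] += _addrs(words[1:])
            elif words[0] in ("dns-list", "nbns-list"):
                current["servers"] += _addrs(words[1:])
            elif words[0] == "excluded-ip-address":
                span = _addrs(words[1:3])      # single address or start/end
                if span:
                    current["excluded"].append((span[0], span[-1]))
        elif words[:2] == ["ip", "address"] and len(words) == 4:
            current["address"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:2] == ["dhcp", "select"] and len(words) == 3:
            current["select"] = words[2]
    return pools, interfaces


def audit(text):
    """Return a list of (pool, finding-code, address) tuples."""
    pools, interfaces = parse_config(text)
    # Addresses of interfaces that hand out leases from global pools.
    served = {i["address"].ip for i in interfaces.values()
              if i["address"] is not None and i["select"] == "global"}
    findings = []
    for name, pool in sorted(pools.items()):
        net = pool["network"]
        if net is None:                 # declaration-only stanza or no range
            continue
        for gw in pool["gateways"]:
            if gw not in net:
                findings.append((name, "gateway-outside-network", str(gw)))
            elif gw not in served:
                findings.append((name, "gateway-not-an-interface", str(gw)))
        for srv in pool["servers"]:
            covered = any(lo <= srv <= hi for lo, hi in pool["excluded"])
            if srv in net and not covered:
                # A statically addressed server could be leased to a client.
                findings.append((name, "server-not-excluded", str(srv)))
    return findings
```

Running audit(SAMPLE_CONFIG) reports the unexcluded NetBIOS server in pool1 and the pool2 gateway that matches no VLANIF address.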
Networking Requirements
As shown in Figure 6-6, the two offices of a company are deployed on the same network. To
save resources, all hosts in the two offices are assigned IP addresses by the Router that functions
as a DHCP server.
Office 1 belongs to the network segment 10.1.1.0/24, and all hosts in Office 1 are added to VLAN
10. These hosts use the DNS and NetBIOS services. Office 2 belongs to the network segment
10.1.2.0/24, and all hosts in Office 2 are added to VLAN 20. These hosts do not use DNS and
NetBIOS services.
An interface address pool needs to be configured on the Router. In addition, IP addresses need
to be dynamically assigned to the hosts in the two offices.
Figure 6-6 Networking diagram for configuring a DHCP server based on an interface address pool
[Diagram: the Router (DHCP server) connects Office1 through Ethernet2/0/0, VLANIF10 10.1.1.1/24, and Office2 through Ethernet2/0/1, VLANIF20 10.1.2.1/24. Office1 contains the NetBIOS server 10.1.1.3/24, the DNS server 10.1.1.2/24 and DHCP clients; Office2 contains DHCP clients.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure two VLANIF interfaces, and configure IP addresses for the VLANIF interfaces
so that the interface address pool range can be determined.
3.
4.
Configure address pool attributes for the clients, including the DNS server address,
NetBIOS server address, and IP address leases.
Data Preparation
To complete the configuration, you need the following data:
1.
2.
IP address leases for Office 1 and Office 2: 30 days and 20 days respectively
3.
4.
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
Step 2 Configure the address assignment method for the VLANIF interfaces.
# Add Ethernet 2/0/0 and Ethernet 2/0/1 to the corresponding VLANs respectively.
[Router] vlan batch 10 20
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid pvid vlan 10
[Router-Ethernet2/0/0] port hybrid untagged vlan 10
[Router-Ethernet2/0/0] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port hybrid pvid vlan 20
[Router-Ethernet2/0/1] port hybrid untagged vlan 20
[Router-Ethernet2/0/1] quit
# Configure the clients connected to VLANIF 10 to obtain IP addresses from the interface address
pool.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Router-Vlanif10] dhcp select interface
[Router-Vlanif10] quit
# Configure the clients connected to VLANIF 20 to obtain IP addresses from the interface address
pool.
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Router-Vlanif20] dhcp select interface
[Router-Vlanif20] quit
Step 3 Configure the attributes related to DNS and NetBIOS services for the interface address pool.
# Configure the DNS and NetBIOS services for VLANIF 10 address pool.
domain-name huawei.com
dns-list 10.1.1.2
nbns-list 10.1.1.3
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.3
netbios-type b-node
Step 4 Configure the IP address lease for the interface address pool.
# Set the IP address lease for Office 1 to 30 days.
[Router] interface vlanif 10
[Router-Vlanif10] dhcp server lease day 30
[Router-Vlanif10] quit
----End
Example
Configuration file of the Router
#
sysname Router
#
vlan batch 10 20
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 10.1.1.2
dhcp server netbios-type b-node
dhcp server nbns-list 10.1.1.3
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
dhcp server lease day 30 hour 0 minute 0
dhcp server domain-name huawei.com
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server lease day 20 hour 0 minute 0
#
interface Ethernet 2/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet 2/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return
Networking Requirements
As shown in Figure 6-7, multiple offices of a company are in different commercial buildings,
and the hosts in one office are on the same VLAN. RouterB that functions as a DHCP server is
required to assign IP addresses to hosts in different offices.
Hosts in Office A of the company are on the network segment 20.20.20.0/24, and the DHCP
server is on the network segment 100.10.10.0/24. RouterA must be configured to function as a
DHCP relay agent to forward DHCP packets so that the DHCP clients can obtain IP addresses
and other configurations from the DHCP server.
On RouterA, the public address of Ethernet0/0/8 is 100.10.20.1/24 and the interface address of
RouterA connected to the carrier device is 100.10.20.2/24.
On RouterB, the public address of GigabitEthernet3/0/0 is 100.10.10.1/24 and the interface
address of RouterB connected to the carrier device is 100.10.10.2/24.
[Figure 6-7, networking diagram: RouterB (DHCP server, GE3/0/0 100.10.10.1/24) reaches RouterA (DHCP relay, Ethernet0/0/8 100.10.20.1/24) across the Internet. RouterA's Ethernet2/0/0 belongs to VLAN 100 (VLANIF100 20.20.20.1/24) and connects the DHCP clients in Office A.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure the DHCP relay function on RouterA. RouterA can forward DHCP packets
between the hosts in Office A and hosts in other network segments.
2.
Configure a global address pool 20.20.20.0/24 on RouterB. RouterB can assign IP addresses
in the global address pool to hosts in Office A on a different network segment.
Data Preparation
To complete the configuration, you need the following data:
1.
2.
3.
4.
5.
6.
7.
Procedure
Create a DHCP server group and add a DHCP server to the group.
# Create a DHCP server group.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp server group dhcpgroup1
2.
# Enable the DHCP function globally and the DHCP relay function on VLANIF 100.
[RouterA] dhcp enable
[RouterA] interface vlanif 100
[RouterA-Vlanif100] dhcp select relay
[RouterA-Vlanif100] quit
3.
2.
3.
4.
Configure a static route from the DHCP server to RouterA. This ensures that the route
from the DHCP server to the network segment 20.20.20.0/24 is reachable. (The
configuration details are not provided here.)
# Run the display ip pool command on RouterB. You can view the configurations of the
IP address pool.
[RouterB] display ip pool
-----------------------------------------------------------------------
Pool-name      : pool1
Pool-No        : 0
Position       : Local
Status         : Unlocked
Gateway-0      : 10.1.1.1
Mask           : 255.255.255.0
Vpn instance   : --
IP address Statistic
  Total       :250
  Used        :0          Idle        :248
  Expired     :0          Conflict    :0          Disable   :2
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan 100
#
dhcp enable
#
dhcp server group dhcpgroup1
dhcp-server 100.10.10.1
#
interface Vlanif100
ip address 20.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface Ethernet 2/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
#
return
vlan batch 20
#
dhcp enable
#
ip pool pool1
network 20.20.20.0 mask 255.255.255.0
gateway-list 20.20.20.1
#
interface GigabitEthernet3/0/0
ip address 100.10.10.1 255.255.255.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 100.10.10.2
#
return
Networking Requirements
As shown in Figure 6-8, Router A functions as a DHCP client; Router B functions as a BOOTP
client; Router C functions as a DHCP server. Router A dynamically obtains an IP address, a
DNS server address, and a gateway address from Router C. Router B obtains an IP address from
an IP-MAC binding entry, a DNS server address, and a gateway address from Router C
functioning as a DHCP server.
Figure 6-8 Networking diagram for configuring DHCP and BOOTP clients
[Diagram labels: Gateway 10.1.1.126/24; RouterC (DHCP server), GE1/0/0; DNS server; RouterA (DHCP client), GE1/0/0; RouterB (BOOTP client), GE1/0/0; addresses 10.1.1.1/24 and 10.1.1.2/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
1.
2.
3.
IP address of the egress gateway configured for the DHCP client: 10.1.1.126
4.
Procedure
# Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable
2.
3.
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
...
# Run the display interface command on Router A after the interface obtains an IP address.
You can view the IP address of the interface.
[RouterA] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP,10.1.1.11/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0fc11-000a
Last physical up time   : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
Input: 833 packets, 72696 bytes
  Unicast:        59,  Multicast:        757
  Broadcast:      17,  Jumbo:            0
  Discard:        0,   Total Error:
# Run the display current-configuration command on Router B. You can view the
configurations of the BOOTP client function.
[RouterB] display current-configuration
...
#
interface GigabitEthernet1/0/0
ip address bootp-alloc
#
...
# Run the display interface command on Router B after the interface obtains an IP address.
You can view the IP address of the interface.
[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP,10.1.1.22/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0fc11-000a
Last physical up time   : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
Input: 833 packets, 72696 bytes
  Unicast:        59,  Multicast:        757
  Broadcast:      17,  Jumbo:            0
  Discard:        0,   Total Error:
# Run the display ip pool command on Router C. You can view the configuration about
the IP address pool of Router C.
[RouterC] display ip pool
-----------------------------------------------------------------------
Pool-name      : pool1
Pool-No        : 0
Position       : Local
Status         : Unlocked
Gateway-0      : 10.1.1.126
Mask           : 255.255.255.0
Vpn instance   : --
IP address Statistic
  Total       :250
  Used        :1          Idle        :248
  Expired     :0          Conflict    :0          Disable   :2
----End
Example
Configuration file of Router A
#
sysname RouterA
#
dhcp enable
#
interface GigabitEthernet 1/0/0
ip address dhcp-alloc
#
return
Networking Requirements
As shown in Figure 6-9, a department uses Router A to connect directly to its clients. Hosts in
this department function as DHCP clients and are assigned IP addresses by the DHCP server. If
an attacker sends a large number of DHCP packets to Router A, the CPU resources of Router A
become insufficient. As a result, the requests of authorized users cannot be processed in
time. To avoid this problem, network administrators limit the rate at which DHCP packets are
sent to Router A. This allows Router A to effectively defend against DHCP attack packets and
to process requests of authorized users in time.
[Figure 6-9, networking diagram. Labels: DHCP Server, Internet, RouterB (DHCP relay), RouterA, two DHCP clients, Attacker.]
Configuration Roadmap
The configuration roadmap is as follows:
Configure the highest rate at which DHCP packets are sent to Router A in the system view.
This allows Router A to limit the rate at which DHCP packets are received within a normal
range.
Data Preparation
1.
Highest rate at which DHCP packets are sent to the protocol stack: 90 pps
2.
Alarm threshold: 80
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable
Step 2 Configure the highest rate at which DHCP packets are sent to the protocol stack.
# Enable the system to check the rate at which DHCP packets are sent to the protocol stack.
[RouterA] dhcp check dhcp-rate enable
# Configure the highest rate at which DHCP packets are sent to the protocol stack.
[RouterA] dhcp check dhcp-rate 90
----End
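A small model of the rate check and discard alarm configured in this example, as an added illustration (not device code and not from this guide). It assumes a fixed one-second window and a cumulative discard counter, neither of which this page specifies; the traffic mix and all names are constructed.

```python
from collections import Counter

RATE_LIMIT = 90        # pps, the value used with "dhcp check dhcp-rate" above
ALARM_THRESHOLD = 80   # discarded packets, the alarm threshold used above


def one_second(mix):
    """Evenly interleave one second of traffic.

    mix maps a source label to the number of DHCP packets it sends in that
    second; the result is the list of labels in arrival order.
    """
    slots = [((i + 0.5) / n, src) for src, n in mix.items() for i in range(n)]
    return [src for _, src in sorted(slots)]


def simulate(seconds, rate_limit=RATE_LIMIT, alarm_threshold=ALARM_THRESHOLD):
    """Apply the assumed limiter to a list of per-second packet lists.

    Assumption: the first rate_limit packets of each second reach the protocol
    stack and the rest are discarded, whoever sent them. The alarm fires once
    the running total of discards exceeds alarm_threshold.
    """
    passed, discarded = Counter(), Counter()
    alarm_second = None
    for t, packets in enumerate(seconds):
        for n, src in enumerate(packets):
            if n < rate_limit:
                passed[src] += 1
            else:
                discarded[src] += 1
        if alarm_second is None and sum(discarded.values()) > alarm_threshold:
            alarm_second = t
    return {"passed": dict(passed), "discarded": dict(discarded),
            "alarm_second": alarm_second}


def quiet_scenario():
    """Three seconds of normal load: 10 client packets per second."""
    return simulate([one_second({"client": 10}) for _ in range(3)])


def flood_scenario():
    """Three seconds with a 900 pps flood mixed into the same client load."""
    return simulate([one_second({"client": 10, "flood": 900}) for _ in range(3)])


if __name__ == "__main__":
    print("quiet:", quiet_scenario())
    print("flood:", flood_scenario())
```

Under this model the limit caps the protocol-stack load at 90 pps, but client packets are discarded along with the flood, so the alarm is the operator's cue to locate the offending port.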
Configuration Files
Configuration file of Router A
#
sysname RouterA
#
dhcp enable
dhcp check dhcp-rate enable
dhcp check dhcp-rate 90
dhcp check dhcp-rate alarm enable
dhcp check dhcp-rate alarm threshold 80
#
return
7 IP Performance Configuration
IP Performance Configuration
Collecting and displaying TCP traffic, IP traffic, UDP traffic, and socket monitor statistics
Fragmenting IP packets
Applicable Environment
On certain networks, you need to modify parameters for IP packets to optimize network
performance.
Pre-configuration Tasks
Before optimizing IP performance, complete the following tasks:
Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
Configuring an ACL
Data Preparation
To optimize IP performance, you need the following data.
No.
Data
Number of the interface where validity of source addresses of received packets will
be checked
Number of an ACL and number of the interface that will forward broadcast packets
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Context
In most cases, packets received by a LAN-side LPU need to be sent to a WAN-side LPU for
forwarding. The packets may match incorrect routes in certain scenarios. As a result, the packets
cannot be forwarded. To solve the problem, configure the AR2200-S to deliver all the routes
including WAN-side routes and LAN-side routes to a LAN-side LPU.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The function that resets the DF field is valid for outgoing packets; therefore, this function must be
configured on the outbound interface.
Step 3 Run:
clear ip df
Context
By default, an interface is enabled to send ICMP redirection packets.
CAUTION
If an interface is not enabled to send ICMP redirection packets, the router does not send ICMP
redirection packets.
Procedure
Step 1 Run:
system-view
Context
By default, IP unicast protocol packets generated by the AR2200-S are scheduled first and can
preempt all the bandwidth.
You can change the priority of IP unicast protocol packets generated by the AR2200-S to
implement proper bandwidth allocation.
Procedure
Step 1 Run:
system-view
Context
By default, the routing and forwarding function is enabled on high-end LAN cards (8FE1GE
and 24GE cards) to implement IP packet routing and forwarding. Configuring ACLs on high-end
LAN cards (8FE1GE and 24GE cards) is complex, and ACL-based traffic policy and URPF
cannot be configured on high-end LAN cards. This restricts the use of ACLs. When the routing
and forwarding function is disabled on high-end LAN cards, you can redirect the packets
received on high-end LAN cards to the sub-core CPU for packet forwarding. In this situation,
you can configure ACL-based traffic policies and URPF and simplify the ACL configuration.
Procedure
Step 1 Run:
system-view
The routing and forwarding function is disabled on high-end LAN cards (8FE1GE and 24GE
cards).
CAUTION
l After this command is used, an interface can only be manually added to a voice VLAN.
l After this command is used, protocol packets with source or destination MAC addresses as
blackhole MAC addresses will not be discarded.
----End
Procedure
Run the display udp statistics command to check the UDP traffic statistics.
Run the display icmp statistics command to check the ICMP traffic statistics.
Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type
socket-type ] command to check the IP socket information.
----End
Example
# Run the display udp statistics command, and you can view the UDP traffic statistics.
<Huawei> display udp statistics
Received packets:
Total: 13228
Total(64bit high-capacity counter): 13228
checksum error: 0
shorter than header: 0, data length larger than packet: 0
unicast(no socket on port): 0
broadcast/multicast(no socket on port): 954
not delivered, input socket full: 0
input packets missing pcb cache: 0
Sent packets:
Total: 11904
Total(64bit high-capacity counter): 11904
# Run the display ip interface command, and you can view information about the interface.
<Huawei> display ip interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
Directed-broadcast packets:
 received packets:            0, sent packets:             0
 forwarded packets:           0, dropped packets:          0
ARP packet input number:       0
  Request packet:              0
  Reply packet:                0
  Unknown packet:              0
Internet protocol processing : disabled
Broadcast address : 0.0.0.0
TTL being 1 packet number:     0
TTL invalid packet number:     0
ICMP packet input number:      0
  Echo reply:                  0
  Unreachable:                 0
  Source quench:               0
  Routing redirect:            0
  Echo request:                0
  Router advert:               0
  Router solicit:              0
  Time exceed:                 0
  IP header bad:               0
  Timestamp request:           0
  Timestamp reply:             0
  Information request:         0
  Information reply:           0
  Netmask request:             0
  Netmask reply:               0
  Unknown type:                0
# Run the display ip statistics command, and you can view the IP traffic statistics.
<Huawei> display ip statistics
Input:  sum              31786     local              31786
        bad protocol     0         bad format         0
        bad checksum     0         bad options        0
        discard srr      0         TTL exceeded
        forwarding       0         local              41289
        dropped          0         no route           1
Fragment: input          0         output             0
        dropped          0
        fragmented       0         couldn't fragment  0
Reassembling:sum         0         timeouts           0
# Run the display icmp statistics command, and you can view the ICMP traffic statistics.
<Huawei> display icmp statistics
Input: bad formats      0     bad checksum             0
       echo             0     destination unreachable  0
       source quench    0     redirects                0
       echo reply       0     parameter problem        0
       timestamp        0     information request      0
       mask requests    0     mask replies             0
       time exceeded    0
       Mping request    0     Mping reply              0
Output:echo             0     destination unreachable  168
       source quench    0     redirects                0
       echo reply       0     parameter problem        0
       timestamp        0     information reply        0
       mask requests    0     mask replies             0
       time exceeded    0
       Mping request    0     Mping reply
Applicable Environment
On the AR2200-S, there are multiple equal-cost routes over multiple equal-cost links to a
destination. Among the equal-cost links, there are high-speed links and low-speed links.
NOTE
If multiple routes to the same destination have the same preference, the same number of hops, and the same
cost, these routes are equal-cost routes.
By default, the AR2200-S uses the flow-based ECMP mode, in which traffic is evenly load
balanced among equal-cost links regardless of the bandwidth. In this mode, congestion may
occur on low-speed links and bandwidth of high-speed links cannot be used efficiently.
ECMP evenly load balances traffic over multiple equal-cost links, regardless of the bandwidth.
Consequently, traffic congestion may occur on low-speed links and bandwidth of high-speed
links cannot be used efficiently. To load balance traffic on the equal-cost links based on
bandwidth, configure UCMP.
Pre-configuration Tasks
Before configuring load balancing for IP packet forwarding, complete the following tasks:
Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
Setting parameters for data link layer protocols on interfaces to ensure that the data link
layer protocol status of the interfaces is Up
Data Preparation
To configure load balancing for IP packet forwarding, you need the following data.
No.
Data
(Optional) Number of the interface where the bandwidth will be configured manually
Context
ECMP evenly load balances traffic over multiple equal-cost links, regardless of the bandwidth.
Consequently, traffic congestion may occur on low-speed links and bandwidth of high-speed
links cannot be used efficiently. To load balance traffic on the equal-cost links based on
bandwidth, configure UCMP.
When configuring the UCMP function, manually set the bandwidth of an interface in the
following scenarios:
Users need to adjust the bandwidth of equal-cost links so that the equal-cost links load
balance traffic based on the configured bandwidth.
Procedure
Step 1 Run:
system-view
Traffic is load balanced based on bandwidth only when UCMP is enabled on outbound interfaces of all the
equal-cost links and FIB entry updating is triggered. If UCMP is not enabled on any outbound interface,
the equal-cost links evenly load balance traffic even though FIB entry updating is triggered.
----End
Procedure
Run the display fib [ slot-id ] command to check the FIB table on a specified LPU.
Run the display fib acl acl-number [ verbose ] command to check FIB entries matching
an ACL.
Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command to check FIB entries matching
destination addresses in the range of destination-address1 destination-mask1 to
destination-address2 destination-mask2.
Run the display fib ip-prefix prefix-name [ verbose ] command to check FIB entries
matching the specified IP prefix list.
Run the display fib interface interface-type interface-number command to check FIB
entries matching a specified interface.
Run the display fib next-hop ip-address command to check FIB entries matching a
specified next hop address.
Run the display fib [ slot-id ] statistics command to check the total number of FIB entries.
----End
Example
# Run the display fib command to view the summary of the FIB table.
<Huawei> display fib
Route Flags: G - Gateway Route, H - Host Route,    U - Up Route
             S - Static Route, D - Dynamic Route, B - Black Hole Route
------------------------------------------------------------------------------
FIB Table:
 Total number of Routes : 4
Destination/Mask    Nexthop     Flag  TimeStamp  Interface  TunnelID
127.0.0.1/32        127.0.0.1   HU    t[49]      InLoop0    0x0
127.0.0.0/8         127.0.0.1   U     t[49]      InLoop0    0x0
127.255.255.255/32  127.0.0.1   HU    t[49]      InLoop0    0x0
255.255.255.255/32  127.0.0.1   HU    t[49]      InLoop0    0x0
Applicable Environment
On certain networks, you need to adjust TCP parameters to improve network performance.
Pre-configuration Tasks
Before configuring TCP attributes, complete the following tasks:
Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
Setting network layer protocol parameters for interfaces to ensure that the routing protocol
status on the interfaces is Up
Data Preparation
To configure TCP attributes, you need the following data.
No.
Data
Values of the SYN-Wait timer and FIN-Wait timer, and packet receive or transmit
buffer size of a connection-oriented socket
Context
TCP uses the following timers:
SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer is started. If no response
packet is received after the SYN-Wait timer expires, the TCP connection is closed. The
value of the SYN-Wait timer ranges from 2 to 600, in seconds. The default value is 75s.
FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer is started. If no response packet is received after the
FIN-Wait timer expires, the TCP connection is closed. The value of the FIN-Wait timer
ranges from 76 to 3600, in seconds. The default value is 675s.
Procedure
Step 1 Run:
system-view
Context
When hosts on the same network communicate with each other, the MTU of the network is
important for the hosts. When hosts communicate with each other across multiple networks, it
is important to determine the minimum MTU on the network path because the MTUs of the link
layers on different networks are different. The minimum MTU on the network path is called the
PMTU.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp timer pathmtu-age age-time
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
remote-port-number ] ] command to check the TCP connection status.
Run the display tcp statistics command to check the TCP traffic statistics.
----End
Example
# Run the display tcp status command to view the TCP connection status.
<Huawei> display tcp status
TCPCB    Tid/Soid  Local Add:port    Foreign Add:port  VPNID  State
0b148a24 90 /1     0.0.0.0:23        0.0.0.0:0         14849  Listening
0ba8fb2c 90 /11    100.1.1.116:23    100.1.1.4:1334    0      Established
0ba91254 90 /12    100.1.1.116:23    100.1.1.4:2266    0      Established
# Run the display tcp statistics command to view the TCP traffic statistics.
<Huawei> display tcp statistics
Received packets:
Total: 34574
Total(64bit high-capacity counter): 34574
packets in sequence: 2852 (3242 bytes)
window probe packets: 0, window update packets: 0
checksum error: 0, offset error: 0, short error: 0
duplicate packets: 6 (6 bytes), partially duplicate packets: 0 (0 bytes)
out-of-order packets: 0 (0 bytes)
packets of data after window: 0 (0 bytes)
packets received after close: 0
ACK packets: 3757 (126230 bytes)
duplicate ACK packets: 29083, too much ACK packets: 0
Sent packets:
Total: 35094
Total(64bit high-capacity counter): 35094
urgent packets: 0
control packets: 0 (including 1 RST)
window probe packets: 0, window update packets: 0
data packets: 5364 (126736 bytes),
s)
ACK-only packets: 657 (626 delayed)
Other information:
Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
Keep alive timeout: 29072, keep alive probe: 29072, Keep alive timeout, so connections disconnected : 0
Initiated connections: 0, accepted connections: 16, established connections: 16
Closed connections: 13 (dropped: 10, initiated dropped: 0)
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0
Send Packets permitted with Keychain authentication: 0
Receive Packets permitted with Keychain authentication: 0
Receive Packets Dropped with Keychain authentication: 0
Context
CAUTION
The IP/TCP/UDP traffic statistics cannot be restored after being cleared. Exercise caution when
you run the commands.
Procedure
Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the
user view to clear information in a socket monitor.
Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.
Run the reset udp statistics command in the user view to clear the UDP traffic statistics.
----End
Context
In routine maintenance, you can run the following commands in any view to view the IP running
status.
Procedure
Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
remote-port-number ] ] command in any view to check the TCP connection status.
Run the display tcp statistics command in any view to check the TCP traffic statistics.
Run the display udp statistics command in any view to check the UDP traffic statistics.
Run the display ip statistics command in any view to check the IP traffic statistics.
Issue 01 (2012-03-30)
191
7 IP Performance Configuration
Run the display icmp statistics command in any view to check the ICMP traffic statistics.
Run the display fib acl acl-number [ verbose ] command in any view to check FIB entries
matching the specified ACL.
Run the display fib [ slot-id ] destination-address1 destination-mask1 destinationaddress2 destination-mask2 [ verbose ] command in any view to check FIB entries
matching destination addresses in the range of destination-address1 destination-mask1 to
destination-address2 destination-mask2.
Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check FIB
entries matching the specified IP prefix list.
Run the display fib interface interface-type interface-number command in any view to
check FIB entries matching a specified interface.
Run the display fib next-hop ip-address command in any view to check FIB entries
matching a specified next hop address.
Run the display fib [ slot-id ] statistics command in any view to check the total number
of FIB entries.
Run the display fib [ slot-id ] command in any view to check information about the FIB
table.
Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type
socket-type ] command in any view to check the IP socket information.
----End
Figure 7-1 Network diagram of Disabling the Sending of ICMP Redirection Packets
[Figure labels: RouterA Eth1/0/0 1.1.1.1/24; RouterB Eth1/0/0 1.1.1.2/24; RouterC Eth1/0/0 2.2.2.2/24; Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
● IP addresses of interfaces.
Procedure
Step 1 Configure IP addresses for interfaces.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 2.2.2.2 24
[RouterC-GigabitEthernet1/0/0] quit
# Configure RouterB.
[RouterB] ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
# Ping RouterA. You can see that RouterB does not send ICMP redirection packets. There is no
information about ICMP redirection packets in the debugging command output.
[RouterA] ping 2.2.2.2
PING 2.2.2.2: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=3 ms
----End
Configuration Files
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.255.0
undo icmp redirect send
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
#
return
Networking Requirements
As shown in Figure 7-2, RouterA and RouterB are connected through two links.
● On RouterA and RouterB, GE1/0/0 and GE2/0/0 are member interfaces of Eth-Trunk1.
Eth-Trunk1 has two member interfaces, so the bandwidth of Eth-Trunk1 is two times the
bandwidth of a physical interface. Traffic must be load balanced between the two links based
on bandwidth.
Figure 7-2 Networking diagram of UCMP configurations
[Figure labels: RouterA Loopback0 1.1.1.1/32; RouterB Loopback0 2.2.2.2/32; GE1/0/0 and GE2/0/0 on each router form Eth-trunk1; GE3/0/0 on each router]
Device Name    Interface Name    IP Address
RouterA        Eth-Trunk1        30.1.1.1/24
               GE3/0/0           40.1.1.1/24
RouterB        Eth-Trunk1        30.1.1.2/24
               GE3/0/0           40.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
● Enable UCMP on interfaces of RouterA so that the two links between RouterA and RouterB load balance traffic based on bandwidth.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign an IP address to each interface. The configuration details are not mentioned here.
Step 2 Configure static routes.
# Configure static routes on RouterA.
[RouterA] ip route-static 2.2.2.2 32 30.1.1.2
[RouterA] ip route-static 2.2.2.2 32 40.1.1.2
             Proto   Pre  Cost  Flags  NextHop    Interface
             Direct  0    0     D      127.0.0.1  InLoopBack0
             Static  60   0     RD     30.1.1.1   Eth-Trunk1
             Static  60         RD     40.1.1.1   GigabitEthernet3/0/0
2.2.2.2/32   Static  60         RD     30.1.1.1   Eth-Trunk1
             Static  60         RD     40.1.1.1   GigabitEthernet3/0/0
Step 5 Restart interfaces of RouterA to make the UCMP configuration take effect on RouterA.
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] shutdown
[RouterA-Eth-Trunk1] undo shutdown
[RouterA-Eth-Trunk1] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] shutdown
[RouterA-GigabitEthernet3/0/0] undo shutdown
[RouterA-GigabitEthernet3/0/0] quit
# Run the display current-configuration command in the user view to view the UCMP configuration on the interfaces of RouterA.
<RouterA> display current-configuration
...
interface Eth-trunk1
undo portswitch
load-balance bandwidth 1500000
load-balance unequal-cost enable
ip address 30.1.1.1 255.255.255.0
interface GigabitEthernet3/0/0
load-balance unequal-cost enable
ip address 40.1.1.1 255.255.255.0
...
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface Eth-trunk1
undo portswitch
trunkport GigabitEthernet1/0/0
trunkport GigabitEthernet2/0/0
load-balance bandwidth 1500000
load-balance unequal-cost enable
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
load-balance unequal-cost enable
ip address 40.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
A traffic policy can be configured on an interface of the AR2200-S to redirect data packets whose destination address is not a local address. This traffic policy does not take effect for local packets sent to the CPU. It applies to the following situations:
● Load balancing: specifies a forwarding path for special packets.
● Security inspection: redirects certain packets to the firewall.
For details about the redirection configuration, see Configuring Redirection in the Huawei AR2200-S
Series Enterprise Routers Configuration Guide - QoS.
Applicable Environment
An internal network is connected to an external network through a router that has multiple egresses to the external network. You can use IP unicast PBR on the interface to make some packets leave through a specified egress of the router.
To perform PBR on the packets generated by the router, configure local PBR.
Pre-configuration Tasks
Before configuring IP unicast PBR, complete the following tasks:
● Configuring the VPN first if you want the packet to enter the VPN
Data Preparation
To configure IP Policy-based Routing, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Follow-up Procedure
Note the following when configuring PBR:
● You can use the policy to import the routes or to forward the IP packets.
● You can specify the routing policy by using the if-match and apply clauses.
● A single policy can include multiple if-match clauses, such as if-match acl and if-match packet-length, which can be used in combination.
● If if-match acl acl-number is used repeatedly to set ACL rules, the new configuration supersedes the old configuration.
● If if-match packet-length min-length max-length is used repeatedly to set ACL rules, the new configuration supersedes the old configuration.
● permit means allowing the packets matching the rule to pass during the policy-based routing; deny means denying the packets that match the rule to pass during the policy-based routing.
● A routing policy contains several policy nodes. Each policy node is specified by a node-id. The smaller the node-id is, the higher the preference of the policy node is. The policy of a higher preference is first executed.
Procedure
Step 1 Run:
system-view
Step 5 Run:
apply default output-interface interface-type1 interface-number1 [ interface-type2
interface-number2 ]
NOTE
The default outbound interface cannot be a broadcast interface, such as an Ethernet interface.
Step 6 Run:
apply ip-address next-hop ip-address1 [ ip-address2 ]
Step 7 Run:
apply output-interface interface-type interface-number
Step 8 Run:
apply access-vpn vpn-instance vpn-instance-name &<1-6>
Key Word
Routine
Priority
Immediate
Flash
Flash-override
Critical
Internet
Network
----End
Follow-up Procedure
Note the following when defining actions in PBR:
● A policy can include multiple apply clauses, which can be used in combination.
● If multiple next hops are specified, load balancing is implemented among the next hops.
● If multiple outbound interfaces are specified, load balancing is implemented among the outbound interfaces.
● If outbound interfaces and next hops are configured at the same time, load balancing is implemented only on outbound interfaces.
● If you run the apply output-interface command to configure two egresses and then run the command again to configure another one, the third egress supersedes only the first configured one.
Procedure
Run:
system-view
Run:
ip local policy-based-route policy-name
Prerequisites
The configurations of the IP Policy-based Routing function are complete.
Procedure
● Run the display ip policy-based-route setup local command to check the configuration of local PBR.
● Run the display ip policy-based-route statistics local command to check the statistics of the local packet that is enabled with PBR.
● Run the display policy-based-route [ policy-name ] command to check the created policy.
----End
Example
Run the display ip policy-based-route command to check the enabled PBR.
<Huawei> display ip policy-based-route
Run the display ip policy-based-route setup local command. If configurations of the local PBR
are displayed, the configuration is successful.
<Huawei> display ip policy-based-route setup local
policy-based-route aaa permit node 5
if-match acl 2000
apply output-interface Ethernet1/0/0
Run the display ip policy-based-route statistics local command. If statistics of the local PBR are displayed, the configuration is successful.
<Huawei> display ip policy-based-route statistics local
Local policy based routing information:
policy-based-route: aaa
permit node 21
Total denied: 0, forwarded: 0
Networking Requirements
As shown in Figure 8-1, IP unicast PBR is applied to RouterA:
● The next hop address 150.1.1.2 is set for packets with 64 to 1400 bytes.
● The next hop address 151.1.1.2 is set for packets with 1401 to 1500 bytes.
[Figure 8-1 labels: RouterA Loopback0 10.1.1.1/24, GE1/0/0 150.1.1.1/24, GE2/0/0 151.1.1.1/24; RouterB Loopback0 10.1.2.1/24, GE1/0/0 150.1.1.2/24, GE2/0/0 151.1.1.2/24]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign an IP address to each interface.
# Assign an IP address to each interface on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 150.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 151.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
# On RouterA, ping the IP address of Loopback0 interface on RouterB and set the packet length
to 80 bytes.
<RouterA> ping -s 80 10.1.2.1
PING 100.1.2.1: 80 data bytes, press CTRL_C to break
Mar 9 2011 15:00:35.40.2 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 150.1.1.2
Reply from 100.1.2.1: bytes=80 Sequence=1 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=2 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=3 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=4 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=5 ttl=254 time=1 ms
--- 100.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
RouterA forwards the received packets from GigabitEthernet1/0/0 because the next hop address
in the PBR route is 150.1.1.2.
# On RouterA, ping the IP address of Loopback0 interface on RouterB and set the packet length
to 1401 bytes.
<RouterA> ping -s 1401 10.1.2.1
PING 100.1.2.1: 1401 data bytes, press CTRL_C to break
Mar 9 2011 15:41:26.350.2 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
Mar 9 2011 15:41:26.350.3 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=1 ttl=254 time=2 ms
Mar 9 2011 15:41:26.850.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=2 ttl=254 time=2 ms
Mar 9 2011 15:41:27.340.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=3 ttl=254 time=2 ms
Mar 9 2011 15:41:27.840.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=4 ttl=254 time=2 ms
Mar 9 2011 15:41:28.340.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=5 ttl=254 time=2 ms
RouterA forwards the received packets from GigabitEthernet2/0/0 because the next hop address
in the PBR route is 151.1.1.2.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 150.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 151.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 150.1.1.2
ip route-static 10.1.2.0 255.255.255.0 151.1.1.2
#
policy-based-route lab1 permit node 10
if-match packet-length 64 1400
apply ip-address next-hop 150.1.1.2
policy-based-route lab1 permit node 20
if-match packet-length 1401 1500
apply ip-address next-hop 151.1.1.2
#
ip local policy-based-route lab1
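The node ordering and if-match packet-length matching used by the lab1 policy above can be checked offline against a saved configuration. The following Python code is an added example, not Huawei code: it parses the lab1 nodes, returns the node a given packet length hits, and lists the length ranges that no node steers. The function names are hypothetical, and the fall-back to normal routing for unmatched or deny-matched packets is an assumption.

```python
import re

# lab1 nodes copied from the RouterA configuration file on this page.
LAB1 = """\
policy-based-route lab1 permit node 10
 if-match packet-length 64 1400
 apply ip-address next-hop 150.1.1.2
policy-based-route lab1 permit node 20
 if-match packet-length 1401 1500
 apply ip-address next-hop 151.1.1.2
"""

NODE = re.compile(r"policy-based-route (\S+) (permit|deny) node (\d+)")
LENGTH = re.compile(r"if-match packet-length (\d+) (\d+)")
NEXT_HOP = re.compile(r"apply ip-address next-hop (\S+)(?: (\S+))?")


def parse_policy(text):
    """Return the policy nodes sorted by node-id (smaller id = higher preference)."""
    nodes, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := NODE.fullmatch(line):
            cur = {"node": int(m[3]), "mode": m[2], "length": None, "next_hops": []}
            nodes.append(cur)
        elif cur and (m := LENGTH.fullmatch(line)):
            # A repeated if-match packet-length supersedes the earlier one.
            cur["length"] = (int(m[1]), int(m[2]))
        elif cur and (m := NEXT_HOP.fullmatch(line)):
            cur["next_hops"] = [hop for hop in m.groups() if hop]
    return sorted(nodes, key=lambda n: n["node"])


def evaluate(nodes, packet_length):
    """Return (node-id, next hops) for the first matching node.

    Assumption: a node without if-match packet-length matches every packet, and
    packets that match a deny node or no node at all use normal routing.
    """
    for n in nodes:
        if n["length"] is None or n["length"][0] <= packet_length <= n["length"][1]:
            if n["mode"] == "deny":
                return n["node"], "normal-routing"
            return n["node"], n["next_hops"]
    return None, "normal-routing"


def unsteered_lengths(nodes, lo, hi):
    """Contiguous packet-length ranges in [lo, hi] that the policy does not steer."""
    gaps, start = [], None
    for length in range(lo, hi + 2):  # one step past hi closes an open range
        missed = length <= hi and evaluate(nodes, length)[1] == "normal-routing"
        if missed and start is None:
            start = length
        elif not missed and start is not None:
            gaps.append((start, length - 1))
            start = None
    return gaps
```

For the two ping tests in this example, `evaluate(parse_policy(LAB1), 80)` selects node 10 and `evaluate(parse_policy(LAB1), 1401)` selects node 20, matching the next hops in the debugging output.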
                                                                69
Domain Name System (DNS)                                        53
Time Service                                                    37
NetBIOS Name Service (NetBIOS-NS)                               137
NetBIOS Datagram Service (NetBIOS-DS)                           138
Terminal Access Controller Access Control System (TACACS)       49
The UDP helper function cannot relay Dynamic Host Configuration Protocol (DHCP) messages,
so the destination port numbers cannot be set to 67 or 68. To relay DHCP messages, enable the
DHCP relay function.
Applicable Environment
A host on an intranet needs to obtain the configuration from a server by sending broadcast packets
such as UDP broadcast packets. If the host and the server are located in different broadcast
domains, broadcast packets cannot reach the server and the host cannot obtain the configuration
from the server.
The AR2200-S provides the UDP Helper function to solve this problem. It can relay broadcast
packets with specified UDP ports by converting broadcast packets into unicast packets and
sending the unicast packets to the specified destination server.
Pre-configuration Tasks
Before configuring UDP helper, complete the following task:
Data Preparation
To configure UDP helper, you need the following data.
No.
Data
Context
After UDP helper is enabled, the Router checks the destination UDP port of a received broadcast
packet and determines whether to relay the packet:
● If the packet destination UDP port number is the same as the specified UDP port number and the destination MAC address is a broadcast MAC address, the Router changes the destination IP address in the IP packet header and sends the packet to a specified destination server.
● If the destination UDP port number of packets is different from the specified UDP port number, the Router discards the packet.
Procedure
Step 1 Run:
system-view
Prerequisites
UDP helper has been enabled.
Context
After the UDP helper function is enabled, the AR2200-S relays broadcast packets with UDP
ports 37, 49, 53, 69, 137, and 138 by default. If the port number that needs to be configured is
in the range of default UDP port numbers, you can skip this configuration procedure.
The AR2200-S does not relay DHCP messages with UDP ports 67 or 68.
Perform the following operations on the AR2200-S.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Run the display udp-helper server command to check the numbers of the interfaces that
have relayed UDP packets, IP addresses of destination servers, and the number of forwarded
UDP packets.
Run the display udp-helper port command to check the UDP port numbers of the packets
that need to be relayed.
----End
Example
# Run the display udp-helper server command to view UDP helper information.
<Huawei> display udp-helper server
Server-interface            Server-Ip          packet-num
------------------------------------------------------------------------
Vlanif20                    1.1.1.2            0
GigabitEthernet1/0/0.1      192.168.1.200      0
# Run the display udp-helper port command to view the UDP port numbers of the packets that
need to be relayed.
<Huawei> display udp-helper port
Udp-Port-Number      Description
-------------------------------------------------------------
1                    TCP Port Service Multiplexer
37                   Time
49                   Login Host Protocol
53                   Domain Name Server
69                   Trivial File Transfer
CAUTION
UDP helper statistics cannot be restored after being cleared. Exercise caution when you run the
reset udp-helper packet command.
Procedure
Step 1 Run the reset udp-helper packet command in the user view to clear UDP helper statistics.
----End
[Figure labels: Router Ethernet2/0/0, VLANIF100 10.110.1.1/16; PC1; PC2; NETBIOS-NS Name Server 10.2.1.1/16; Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Create a VLAN and a VLANIF interface, configure an IP address for the VLANIF interface, and configure the destination server to which UDP packets will be relayed on the VLANIF interface.
NOTE
After UDP helper is enabled on the Router, the Router forwards broadcast packets with destination UDP port
137 by default. The UDP port number, therefore, does not need to be configured here.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable UDP helper.
<Huawei> system-view
[Huawei] sysname Router
[Router] udp-helper enable
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.110.1.1 16
[Router-Vlanif100] udp-helper server 10.2.1.1
[Router-Vlanif100] quit
packet-num
0
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
udp-helper enable
#
vlan batch 100
#
interface Ethernet2/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface Vlanif100
ip address 10.110.1.1 255.255.0.0
udp-helper server 10.2.1.1
#
return
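The relay rule and default port list described in this chapter mean that enabling UDP helper for NetBIOS-NS, as in the configuration file above, also relays the other default ports to the same server. The following Python code is an added example, not Huawei code: it parses the udp-helper lines of a saved configuration, models the relay decision for one broadcast packet, and reports which ports each interface relays to which server. Function names are hypothetical, and the "not-handled" result for packets outside UDP helper's scope is an assumption.

```python
# Default relayed UDP ports as listed on this page.
DEFAULT_PORTS = {37: "Time", 49: "TACACS", 53: "DNS", 69: "Trivial File Transfer",
                 137: "NetBIOS-NS", 138: "NetBIOS-DS"}
DHCP_PORTS = {67, 68}  # UDP helper cannot relay these; DHCP relay handles them
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Router configuration file from this page, trimmed to the relevant lines.
ROUTER_CFG = """\
sysname Router
#
udp-helper enable
#
interface Ethernet2/0/0
 port hybrid pvid vlan 100
#
interface Vlanif100
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 10.2.1.1
#
return
"""


def parse_udp_helper(config):
    """Return (globally_enabled, {interface: [destination servers]})."""
    enabled, servers, iface = False, {}, None
    for line in map(str.strip, config.splitlines()):
        if line == "udp-helper enable":
            enabled = True
        elif line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "#":
            iface = None
        elif line.startswith("udp-helper server ") and iface:
            servers.setdefault(iface, []).append(line.split()[2])
    return enabled, servers


def relay_ports(extra_ports=()):
    """Default ports plus any additionally configured ones, never 67 or 68."""
    return (set(DEFAULT_PORTS) | set(extra_ports)) - DHCP_PORTS


def relay_decision(config, in_iface, dst_mac, dst_port, extra_ports=()):
    """Model the relay rule for one received packet."""
    enabled, servers = parse_udp_helper(config)
    targets = servers.get(in_iface, [])
    if not enabled or not targets or dst_mac.lower() != BROADCAST_MAC:
        return "not-handled", []  # assumption: outside UDP helper's scope
    if dst_port not in relay_ports(extra_ports):
        return "discard", []
    return "relay", targets  # destination IP is rewritten to each server


def relay_exposure(config, extra_ports=()):
    """Return {interface: {server: [relayed ports]}} for review."""
    enabled, servers = parse_udp_helper(config)
    if not enabled:
        return {}
    ports = sorted(relay_ports(extra_ports))
    return {iface: {srv: ports for srv in srvs} for iface, srvs in servers.items()}
```

Running `relay_exposure(ROUTER_CFG)` shows that the name server 10.2.1.1 receives relayed broadcasts for all six default ports, not only port 137.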