Академический Документы
Профессиональный Документы
Культура Документы
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C SR8800 documentation set includes 13 configuration guides, which describe the software
features for the H3C SR8800 10G Core Routers and guide you through the software configuration
procedures. These configuration guides also provide configuration examples to help you apply software
features to different network scenarios.
The Layer 3—IP Services Configuration Guide describes how to configure an IPv4/IPv6 address
manually, obtain an IP address dynamically, optimize IP performance, resolve an IPv4/IPv6 address to
a MAC address, and implement IPv4-IPv6 interconnection.
This preface includes:
• Audience
• Conventions
• About the H3C SR8800 documentation set
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the SR8800 series
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
[ x | y | ... ]
which you select one or none.
Asterisk marked braces enclose a set of required syntax choices separated by vertical
{ x | y | ... } *
bars, from which you select at least one.
[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical
Convention Description
bars, from which you select one choice, multiple choices, or none.
The argument or keyword and argument combination before the ampersand (&) sign can
&<1-n>
be entered 1 to n times.
GUI conventions
Convention Description
Window names, button names, field names, and menu items are in Boldface. For
Boldface
example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
An alert that calls attention to important information that if not understood or followed can
WARNING result in personal injury.
An alert that calls attention to important information that if not understood or followed can
CAUTION result in data loss, data corruption, or damage to hardware or software.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
i
DHCP options ································································································································································· 26
Overview ································································································································································ 26
Introduction to DHCP options ······························································································································· 26
Custom options ······················································································································································ 26
Protocols and standards ················································································································································ 29
ii
Configuring periodic refresh of dynamic client entries ····················································································· 56
Configuring the DHCP relay agent to work with authorized ARP···································································· 57
Enabling unauthorized DHCP server detection ·································································································· 58
Enabling DHCP starvation attack protection ······································································································ 58
Enabling offline detection·············································································································································· 59
Configuring the DHCP relay agent to release an IP address ···················································································· 59
Configuring the DHCP relay agent to support Option 82 ························································································· 60
Displaying and maintaining the DHCP relay agent ··································································································· 61
DHCP relay agent configuration example··················································································································· 62
DHCP relay agent Option 82 support configuration example ················································································· 63
Troubleshooting DHCP relay agent configuration ······································································································ 64
iii
Applying the connection limit policy ···························································································································· 91
Enabling connection limit logging ································································································································ 91
Displaying and maintaining NAT································································································································· 92
NAT configuration examples ········································································································································ 92
One-to-one static NAT configuration example ··································································································· 92
Dynamic NAT configuration example I··············································································································· 93
Dynamic NAT configuration example II·············································································································· 94
Dynamic NAT configuration example III ············································································································· 96
Dynamic NAT configuration example IV ············································································································ 98
Common internal server configuration example ································································································ 99
Load sharing internal server configuration example ······················································································· 100
NAT DNS mapping configuration example ····································································································· 101
Troubleshooting NAT ··················································································································································· 103
Symptom: internal server functions abnormally ······························································································· 103
iv
Configuring an IPv6 link-local address ············································································································· 128
Configure an IPv6 anycast address··················································································································· 129
Configuring IPv6 ND ··················································································································································· 129
Configuring a static neighbor entry ·················································································································· 129
Configuring the maximum number of neighbors dynamically learned ························································· 130
Setting the age timer for ND entries in stale state ··························································································· 130
Configuring parameters related to RA messages ···························································································· 131
Configuring the maximum number of attempts to send an NS message for DAD ······································· 133
Configuring PMTU discovery ······································································································································ 134
Configuring the interface MTU ·························································································································· 134
Configuring a static PMTU for a specified IPv6 address ················································································ 134
Configuring the aging time for dynamic PMTUs ······························································································ 134
Configuring IPv6 TCP properties ································································································································ 135
Configuring IPv6 FIB load sharing ····························································································································· 135
Configuring ICMPv6 packet sending ························································································································· 136
Configuring the maximum ICMPv6 error packets sent in an interval ···························································· 136
Enabling replying to multicast echo requests ··································································································· 136
Enabling sending of ICMPv6 time exceeded messages ················································································· 137
Enabling sending of ICMPv6 destination unreachable messages ································································· 137
Displaying and maintaining IPv6 basics configuration···························································································· 138
IPv6 basics configuration example ···························································································································· 139
Troubleshooting IPv6 basics configuration ················································································································ 144
v
Configuring a NAT-PT prefix ······························································································································ 163
Configuring IPv4/IPv6 address mappings on the IPv6 side ··········································································· 163
Configuring IPv4/IPv6 address mappings on the IPv4 side ··········································································· 165
Setting the ToS field after NAT-PT translation ··································································································· 166
Setting the traffic class field after NAT-PT translation ······················································································ 167
Configuring static NAPT-PT mappings of IPv6 servers ···················································································· 167
Displaying and maintaining NAT-PT ·························································································································· 167
NAT-PT configuration examples ································································································································· 168
Configuring dynamic mapping on the IPv6 side ····························································································· 168
Configuring static mappings on the IPv4 side and the IPv6 side ··································································· 169
Troubleshooting NAT-PT ·············································································································································· 170
vi
Configuration guidelines ···································································································································· 203
Configuration procedure ···································································································································· 204
Displaying and maintaining GRE ······························································································································· 205
GRE tunnel configuration example ····························································································································· 205
Network requirements ········································································································································· 205
Configuration procedure ···································································································································· 206
Troubleshooting GRE ··················································································································································· 207
vii
Configuring ARP
ARP overview
ARP function
The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet
MAC address, for example).
In an Ethernet LAN, a router uses ARP to translate the IP address of the next hop to the corresponding
MAC address.
1
ARP address resolution process
If Host A and Host B are on the same subnet and Host A sends a message to Host B, as show in Figure
2. The resolution process is as follows:
1. Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If yes, Host
A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and
sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request using
the following information:
{ Source IP address and source MAC address—Host A’s own IP address and MAC address
{ Target IP address—Host B’s IP address
{ Target MAC address—An all-zero MAC address
Because the ARP request is sent in broadcast mode, all hosts on this subnet can receive the request,
but only the requested host (namely, Host B) will process the request.
3. Host B compares its own IP address with the target IP address in the ARP request. If they are the
same, Host B
{ Adds the sender IP address and sender MAC address to its ARP table.
{ Encapsulates its MAC address into an ARP reply.
{ Unicasts the reply to Host A.
4. After receiving the ARP reply, Host A:
{ Adds the MAC address of Host B to its ARP table.
{ Encapsulates the MAC address into the IP packet and sends it to Host B.
Figure 2 ARP address resolution process
2
ARP table
After obtaining a host’s MAC address, the router adds the IP-to-MAC mapping into its own ARP mapping
table. This mapping is used for forwarding packets with the same destination in future.
An ARP table contains dynamic and static ARP entries.
NOTE:
• Usually ARP dynamically generates APR entries without manual intervention.
• To allow communication with a host by using a fixed IP-to-MAC mapping, configure a short static ARP
entry for it. To allow communication with a host through a specific interface in a specific VLAN by using
a fixed IP-to-MAC mapping, configure a long static ARP entry for it.
Configuring ARP
Configuring a static ARP entry
A static ARP entry is effective when the router works normally. However, when a VLAN or VLAN interface
to which a static ARP entry corresponds is deleted, the entry, if long, will be deleted, and if short and
resolved, will become unresolved.
To configure a static ARP entry:
3
Step Command Remarks
• Configure a long static ARP entry:
arp static ip-address mac-address vlan-id
interface-type interface-number Use either command.
2. Configure a static
[ vpn-instance vpn-instance-name ] By default, no long or short static
ARP entry.
• Configure a short static ARP entry: ARP entry is configured.
arp static ip-address mac-address
[ vpn-instance vpn-instance-name ]
CAUTION:
• The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides; the specified
Ethernet interface must belong to that VLAN. The VLAN interface of the VLAN must be created.
• The IP address of the VLAN interface of the VLAN specified by the vlan-id argument must belong to the
same subnet as the IP address specified by the ip-address argument.
4
Step Command Remarks
1. Enter system view. system-view N/A
2. Set the aging time for
arp timer aging aging-time 20 minutes by default
dynamic ARP entries.
5
Task Command Remarks
display arp [ [ all | dynamic | static ] [ slot slot-number ] |
Display the ARP entries in the vlan vlan-id | interface interface-type interface-number ] Available in any
ARP mapping table. [ count | verbose ] [ | { begin | exclude | include } view
regular-expression ]
Display the ARP entry for a display arp ip-address [ slot slot-number ] [ verbose ] [ | Available in any
specified IP address. { begin | exclude | include } regular-expression ] view
Display the ARP entries for a display arp vpn-instance vpn-instance-name [ count ] [ | Available in any
specified VPN instance. { begin | exclude | include } regular-expression ] view
Display the aging time for display arp timer aging [ | { begin | exclude | include } Available in any
dynamic ARP entries. regular-expression ] view
Clear ARP entries from the eset arp { all | dynamic | static | slot slot-number | Available in user
ARP mapping table. interface interface-type interface-number } view
NOTE:
Clearing ARP entries from the ARP table may cause communication failures.
Configuration procedure
# Specify an IP address for interface GigabitEthernet 4/1/1.
<Device> system-view
[Device] interface gigabitethernet 4/1/1
6
[Device-GigabitEthernet4/1/1] ip address 192.168.1.2 24
# Configure a static ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000. The
outgoing interface corresponding to the static ARP entry is GigabitEthernet 4/1/1.
[Device] arp static 192.168.1.1 00e0-fc01-0000
7
Configuring gratuitous ARP
8
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender
MAC address in the gratuitous ARP packet takes the virtual MAC address of the virtual router. If the
virtual IP address of the VRRP group is associated with the real MAC address of an interface, the
sender MAC address in the gratuitous ARP packet takes the MAC address of the interface on the
master router in the VRRP group.
• Update MAC entries of routers in the VLANs having ambiguous VLAN termination configured
In VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP
groups, interfaces configured with VLAN termination need to be disabled from transmitting
broadcast/multicast packets and a VRRP control VLAN needs to be configured so that VRRP
advertisements can be transmitted within the control VLAN only. In such cases, you can enable
periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary
IP address or a manually configured secondary IP address of the sending interface on the
subinterfaces. In this way, when a VRRP failover occurs, routers in the VLANs having ambiguous
VLAN termination configured can use the gratuitous ARP packets to update their corresponding
MAC entries in time.
NOTE:
For more information about VRRP, see High Availability Configuration Guide.
Optional
3. Enable the router to send
gratuitous ARP packets upon By default, a router does not send
gratuitous-arp-sending enable gratuitous ARP packets upon
receiving ARP requests from
another network segment. receiving ARP requests from
another network segment.
interface interface-type
4. Enter interface view. N/A
interface-number
5. Enable periodic sending of
arp send-gratuitous-arp [ interval
gratuitous ARP packets and Disabled by default.
milliseconds ]
set the sending interval.
9
NOTE:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes
up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next
sending interval.
• The frequency of sending gratuitous ARP packets may be much lower than is expected if this function is
enabled on multiple interfaces, or each interface is configured with multiple secondary IP addresses, or
a small sending interval is configured in the preceding cases.
10
Configuring proxy ARP
NOTE:
The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless otherwise
specified.
Proxy ARP
A proxy ARP enabled router allows hosts that reside on different subnets to communicate.
As shown in Figure 4, Router connects to two subnets through GigabitEthernet 4/1/1 and
GigabitEthernet 4/1/2. The IP addresses of the two interfaces are 192.168.10.99/24 and
192.168.20.99/24. Host A and Host B have the same prefix 192.168.0.0 assigned and connect to
GigabitEthernet 4/1/1 and GigabitEthernet 4/1/2, respectively.
Figure 4 Application environment of proxy ARP
Because Host A considers that Host B is on the same network, it broadcasts an ARP request for the MAC
address of Host B. Host B, however, cannot receive this request because it is in a different broadcast
domain.
You can enable proxy ARP on Router so that Router can reply to the ARP request from Host A with the
MAC address of GigabitEthernet 4/1/1, and forward packets sent from Host A to Host B. In this case,
Router seems like a proxy of Host B.
A main advantage of proxy ARP is that you can enable it on a single router without disturbing routing
tables of other routers in the network. Proxy ARP acts as the gateway for IP hosts that are not configured
with a default gateway or do not have routing capability.
11
Local proxy ARP
As shown in Figure 5, Host A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects
to GigabitEthernet 3/1/3 while Host B connects to GigabitEthernet 3/1/1. Enable local proxy ARP on
Router to allow Layer 3 communication between the two hosts.
Figure 5 Application environment of local proxy ARP
Router
GE3/1/2
VLAN 2
Vlan-int2
192.168.10.100/16
VLAN 2
port-isolate group 2
GE3/1/2
uplink-port
GE3/1/3
GE3/1/1
In one of the following cases, you need to enable local proxy ARP:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer
3.
• If a super VLAN is configured, hosts in different sub VLANs of the super VLAN need to communicate
at Layer 3.
• If an isolate-user-VLAN is configured, hosts in different secondary VLANs of the isolate-user-VLAN
need to communicate at Layer 3.
To enable local proxy ARP in VLAN interface view/Layer 3 Ethernet interface view/Layer 3 aggregate
interface view:
interface interface-type
2. Enter interface view. N/A
interface-number
12
Step Command Remarks
local-proxy-arp enable [ ip-range
3. Enable local proxy ARP. Disabled by default
startIP to endIP ]
13
Configuration procedure
# Specify an IP address for interface GigabitEthernet 3/1/1.
<Router> system-view
[Router] interface gigabitethernet 3/1/1
[Router-GigabitEthernet3/1/1] ip address 192.168.10.99 255.255.255.0
After the configuration, use the ping command to verify that Host A and Host D can ping each other.
GE3/1/1
VLAN 2
192.168.10.100/16
VLAN 2
port-isolate group 2
GE3/1/3
uplink-port
GE3/1/1
GE3/1/2
Host A Switch Host B
192.168.10.99/16 192.168.10.200/16
14
NOTE:
In this configuration example, the switch blocks all traffic between hosts. Therefore, you need to configure
local proxy ARP on interface GigabitEthernet 3/1/1 of the router to allow communication between Host
A and Host B. If the two interfaces (GigabitEthernet 3/1/1 and GigabitEthernet 3//1/2) on the switch are
isolated only at Layer 2, you can enable communication between the two hosts by configuring local proxy
ARP on VLAN-interface 2 of the switch.
Configuration procedure
1. Configure the Switch:
# Add GigabitEthernet 3/1/1, GigabitEthernet 3/1/2 and GigabitEthernet 3/1/3 to VLAN 2.
Host A and Host B are isolated and unable to exchange Layer 2 packets.
<Switch> system-view
[Switch] port-isolate group 2
[Switch] vlan 2
[Switch-vlan2] port gigabitethernet 3/1/1
[Switch-vlan2] port gigabitethernet 3/1/2
[Switch-vlan2] port gigabitethernet 3/1/3
[Switch-vlan2] quit
[Switch] interface gigabitethernet 3/1/1
[Switch-GigabitEthernet3/1/1] port-isolate enable group 2
[Switch-GigabitEthernet3/1/1] quit
[Switch] interface gigabitethernet 3/1/2
[Switch-GigabitEthernet3/1/2] port-isolate enable group 2
[Switch-GigabitEthernet3/1/2] quit
[Switch] interface gigabitethernet 3/1/3
[Switch-GigabitEthernet3/1/3] port-isolate uplink-port group 2
2. Configure the Router:
# Specify an IP address for GigabitEthernet 3/1/1.
<Router> system-view
[Router] interface GigabitEthernet 3/1/1
[Router-GigabitEthernet3/1/1] ip address 192.168.10.100 255.255.255.0
Ping Host B on Host A to verify that the two hosts cannot be pinged through, which indicates they
are isolated at Layer 2.
# Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
[Router-GigabitEthernet3/1/1] local-proxy-arp enable
[Router-GigabitEthernet3/1/1] quit
The ping operation from Host A to Host B is successful after the configuration.
15
Configuring IP addressing
IP addressing overview
IP address classes
IP addressing uses a 32-bit address to identify each host on a network. To make addresses easier to read,
they are written in dotted decimal notation, each being four octets in length. For example, address
00001000000000010000000100000001 in binary is written as 10.1.1.1.
Each IP address breaks down into two parts:
• Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits,
identify the class of the IP address.
• Host ID—Identifies a host on a network.
IP addresses are divided into five classes, as shown in Figure 8. The shaded areas represent the address
class. The first three classes are widely used.
Figure 8 IP address classes
0 7 15 23 31
Class A 0 Net ID Host ID
Class E 1 1 1 1 0 Reserved
16
Special IP addresses
The following IP addresses are for special use, and they cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address
0.0.0.16 indicates the host with a host ID of 16 on the local network.
• IP address with an all-zero host ID—Identifies a network.
• IP address with an all-one host ID—Identifies a directed broadcast address. For example, a packet
with the destination address of 192.168.1.255 will be broadcasted to all the hosts on the network
192.168.1.0.
Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets
means accommodating somewhat fewer hosts.
For example, a Class B network without subnetting can accommodate 1022 more hosts than the same
network subnetted into 512 subnets.
• Without subnetting, 65,534 hosts (216 – 2). (The two deducted addresses are the broadcast
address, which has an all-one host ID, and the network address, which has an all-zero host ID.)
• With subnetting, using the first 9 bits of the host-id for subnetting provides 512 (29) subnets. However,
only 7 bits remain available for the host ID. This allows 126 (27 – 2) hosts in each subnet, a total of
64,512 hosts (512 × 126).
Configuring IP addresses
An interface must has an IP address to communicate with other hosts. You can either manually assign an
IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or
PPP address negotiation. If you change the way an interface obtains an IP address, the new IP address
will overwrite the previous one.
17
NOTE:
• This router does not support IP address assignment through DHCP and BOOTP.
• This chapter only covers how to assign an IP address manually.
• For how to obtain an IP address through PPP address negotiation, see Layer 2—WAN Configuration
Guide.
interface interface-type
2. Enter interface view. N/A
interface-number
CAUTION:
• The primary IP address you assigned to the interface can overwrite the old one if there is any.
• You cannot assign secondary IP addresses to an interface that obtains an IP address through PPP
address negotiation or IP unnumbered.
• The primary and secondary IP addresses you assign to the interface can be located on the same
network segment, but different interfaces on your device must reside on different network segments.
18
IP addressing configuration example
Network requirements
As shown in Figure 10, GigabitEthernet 3/1/1 on Router is connected to a LAN comprising two
segments: 172.16.1.0/24 and 172.16.2.0/24.
To enable the hosts on the two network segments to access the external network through the router, and
enable the hosts on the two network segments to communicate with each other, do the following:
• Assign a primary IP address and a secondary IP address to GigabitEthernet 3/1/1 on the router.
• Set the router as the gateway on all hosts.
Figure 10 Network diagram
172.16.1.0/24 Router
Host B
GE3/1/1
172.16.1.1/24
172.16.1.2/24 172.16.2.1/24 sub
172.16.2.2/24
Host A
172.16.2.0/24
Configuration procedure
# Assign a primary IP address and a secondary IP address to GigabitEthernet 3/1/1.
<Router> system-view
[Router] interface GigabitEthernet 3/1/1
[Router-GigabitEthernet3/1/1] ip address 172.16.1.1 255.255.255.0
[Router-GigabitEthernet3/1/1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the PCs attached to 172.16.1.0/24, and to 172.16.2.1 on the
PCs attached to 172.16.2.0/24.
# Ping a host on subnet 172.16.1.0/24 from the router to check the connectivity.
<Router> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
19
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
The output shows that the router can communicate with the host on subnet 172.16.1.0/24.
# Ping a host on subnet 172.16.2.0/24 from the router to check the connectivity.
<Router> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
The output shows that the router can communicate with the host on subnet 172.16.2.0/24.
# Ping a host on subnet 172.16.1.0/24 from a host on subnet 172.16.2.0/24 to check the connectivity.
Host B can be successfully pinged from Host A.
Configuring IP unnumbered
IP unnumbered overview
Logically, to enable IP on an interface, you must assign this interface a unique IP address. Yet, you can
borrow an IP address already configured on one of other interfaces on your device instead. This is called
IP unnumbered and the interface borrowing the IP address is called IP unnumbered interface.
You may use IP unnumbered to save IP addresses either when available IP addresses are inadequate or
when an interface is brought up only for occasional use.
Configuration prerequisites
Assign a primary IP address to the interface from which you want to borrow the IP address. Alternatively,
you may configure the interface to obtain one through PPP address negotiation.
Configuration procedure
To configure IP unnumbered on an interface:
20
Step Command Remarks
1. Enter system view. system-view N/A
interface interface-type
2. Enter interface view. N/A
interface-number
CAUTION:
• Serial, POS, and ATM interfaces can borrow IP addresses from Layer 3 Ethernet interfaces or other
interfaces.
• Layer 3 Ethernet interfaces and loopback interfaces cannot borrow IP addresses of other interfaces, but
other interfaces can borrow IP addresses of these interfaces.
• An interface cannot borrow an IP address from an unnumbered interface.
• Multiple interfaces can use the same unnumbered IP address.
• The IP address of the borrowing interface always keeps consistent and varies with that of the borrowed
interface. If an IP address is configured for the borrowed interface, the IP address of the borrowing
interface is the same as that of the borrowed interface; if no IP address is configured for the borrowed
interface, no IP address is assigned for the borrowing interface.
DDN
S3/1/9:23 S3/1/9:23
Router A Router B
GE3/1/1 GE3/1/1
172.16.10.1/24 172.16.20.1/24
Configuration procedure
1. Configure Router A:
# Assign a primary IP address to GigabitEthernet 3/1/1.
<RouterA> system-view
[RouterA] interface GigabitEthernet 3/1/1
21
[RouterA-GigabitEthernet3/1/1] ip address 172.16.10.1 255.255.255.0
[RouterA-GigabitEthernet3/1/1] quit
# Configure Serial 3/1/9:23 to borrow an IP address from GigabitEthernet 3/1/1.
[RouterA] interface serial 3/1/9:23
[RouterA-Serial3/1/9:23] ip address unnumbered interface GigabitEthernet 3/1/1
[RouterA-Serial3/1/9:23] quit
# Create a route to the subnet attached to Router B, specifying interface Serial 3/1/9:23 as the
outgoing interface.
[RouterA] ip route-static 172.16.20.0 255.255.255.0 serial 3/1/9:23
2. Configure Router B:
# Assign a primary IP address to GigabitEthernet 3/1/1.
<RouterB> system-view
[RouterB] interface GigabitEthernet 3/1/1
[RouterB-GigabitEthernet3/1/1] ip address 172.16.20.1 255.255.255.0
[RouterB-GigabitEthernet3/1/1] quit
# Configure interface Serial 3/1/9:23 to borrow an IP address from GigabitEthernet 3/1/1.
[RouterB] interface serial 3/1/9:23
[RouterB-Serial3/1/9:23] ip address unnumbered interface GigabitEthernet 3/1/1
[RouterB-Serial3/1/9:23] quit
# Create a route to the subnet attached to Router A, specifying interface Serial 3/1/9:23 as the
outgoing interface.
[RouterB] ip route-static 172.16.10.0 255.255.255.0 serial 3/1/9:23
3. Ping a host attached to Router B from Router A to verify the configuration.
[RouterA] ping 172.16.20.2
PING 172.16.20.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.20.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=2 ttl=255 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=5 ttl=255 time=26 ms
22
DHCP overview
Introduction to DHCP
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 12 shows a typical DHCP application.
Figure 12 A typical DHCP application
NOTE:
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet via a DHCP relay agent. For more information about the DHCP relay agent, see
“Introduction to DHCP relay agent.”
23
Dynamic IP address allocation process
Figure 13 Dynamic IP address allocation process
NOTE:
• After the client receives the DHCP-ACK message, it broadcasts a gratuitous ARP packet to verify whether
the IP address assigned by the server is already in use. If the client receives no response within the
specified time, the client uses the assigned IP address. Otherwise, the client sends a DHCP-DECLINE
message to the server to request an IP address again.
• IP addresses offered by other DHCP servers are still assignable to other clients.
24
DHCP message format
Figure 14 shows the DHCP message format, which is based on the BOOTP message format although
DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size
of each field in bytes.
Figure 14 DHCP message format
25
DHCP options
Overview
DHCP uses the same message format as Bootstrap Protocol (BOOTP), but DHCP uses the Option field to
carry information for dynamic address allocation and to provide additional configuration information to
clients.
Figure 15 shows the DHCP option format.
Figure 15 DHCP option format
Custom options
Some options, such as Option 43, have no unified definitions in RFC 2132.
26
Vendor-specific option (Option 43)
DHCP servers and clients use Option 43 to exchange vendor-specific configuration information. The
client sends a request with Option 43, including a vendor string that identifies a vendor. Upon receiving
the request, the DHCP server refers to the vendor-specific options table, and returns a response message
with Option 43 to assign the appropriate vendor-specific information to the DHCP client.
The DHCP client can obtain the following information through Option 43:
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password.
• Service provider identifier, which is acquired by the customer premises equipment (CPE) from the
DHCP server and sent to the ACS for selecting vender-specific configurations and parameters. For
more information about CPE and ACS, see Network Management and Monitoring Configuration
Guide.
• Preboot Execution Environment (PXE) server address, which is used to obtain the bootfile or other
control information from the PXE server.
• Access controller (AC) address, which is used by an AP to obtain the boot file or other control
information from the AC.
1. Format of Option 43
Figure 16 Format of Option 43
Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure
16. The sub-option fields are described as follows:
{ Sub-option type—Type of a sub-option. The field value can be 0x01, 0x02, or 0x80. 0x01
indicates an ACS parameter sub-option. 0x02 indicates a service provider identifier sub-option.
0x80 indicates a PXE server address sub-option.
{ Sub-option length—Length of a sub-option excluding the sub-option type and sub-option length
fields.
{ Sub-option value—Value of a sub-option.
2. Format of the sub-option value field of Option 43
{ As shown in Figure 17, the value field of the ACS parameter sub-option contains variable ACS
URL, username, and password separated by spaces (0x20).
Figure 17 Format of the value field of the ACS parameter sub-option
{ The value field of the service provider identifier sub-option contains the service provider
identifier.
27
{ Figure 18 shows the format of the value field of the PXE server address sub-option. Currently, the
value of the PXE server type can only be 0. The server number field indicates the number of PXE
servers contained in the sub-option. The server IP addresses field contains the IP addresses of
the PXE servers.
Figure 18 Format of the value field of the PXE server address sub-option
{ Sub-option 2—Padded with the MAC address of the DHCP relay agent interface or the MAC
address of the DHCP snooping device that received the client’s request. The value of the
sub-option type is 2, and that of the remote ID type is 0.
28
Figure 20 Sub-option 2 in normal padding format
NOTE:
The VLAN ID field has a fixed length of 2 bytes. All the other padding contents of sub-option 1 are length
variable. See Figure 21.
{ Sub-option 2—Padded with the MAC address of the DHCP relay agent interface or the MAC
address of the DHCP snooping device that received the client’s request. It has the same format
as that in normal padding format. See Figure 20.
Option 184
Option 184 is a reserved option, and parameters in the option can be defined as needed. The router
supports Option 184 carrying the voice related parameters, so a DHCP client with voice functions can
get an IP address along with specified voice parameters from the DHCP server.
Option 184 involves the following sub-options:
• Sub-option 1—IP address of the primary network calling processor, which serves as the network
calling control source and provides program downloads.
• Sub-option 2—IP address of the backup network calling processor that DHCP clients will contact
when the primary one is unreachable.
• Sub-option 3—Voice VLAN ID and the result whether DHCP clients take this ID as the voice VLAN
or not.
• Sub-option 4—Failover route that specifies the destination IP address and the called number that a
Session Initiation Protocol (SIP) user uses to reach another SIP user when both the primary and
backup calling processors are unreachable.
NOTE:
You must define the sub-option 1 to make other sub-options effective.
29
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP)
version 4
30
Configuring DHCP server
NOTE:
Unless otherwise specified, the DHCP server configuration is supported only on Layer 3 Ethernet interfaces
(or subinterfaces), virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, Layer 3 aggregate
interfaces, serial interfaces, ATM interfaces, MP-group interfaces, and loopback interfaces. The
secondary IP address pool configuration is not supported on serial, MP-group or loopback interfaces.
NOTE:
In addition to assigning IP addresses to DHCP clients on public networks, a MCE serving as the DHCP
server can also assign IP addresses to DHCP clients on private networks. The IP address ranges of public
and private networks or those of private networks on the DHCP server cannot overlap each other. For
more information about MCE, see MPLS Configuration Guide.
31
After establishment of the inheritance relationship, the new configuration at the higher level (parent) of
the tree will be:
• Inherited if the lower level (child) has no such configuration, or
• Overridden if the lower level (child) has such configuration.
NOTE:
• The extended address pools on a DHCP server are independent of each other and no inheritance
relationship exists among them.
• IP address lease durations are not inherited.
NOTE:
Keep the IP addresses for dynamic allocation within the subnet where the interface of the DHCP server or
DHCP relay agent resides to avoid wrong IP address allocation.
32
If no IP address is assignable, the server will not respond.
NOTE:
Option 50 is the requested IP address field in DHCP-DISCOVER messages. It is padded by the client to
specify the IP address that the client wants to obtain. The contents to be padded depend on the client.
Task Remarks
Configuring an address pool for the DHCP server Required
Task Remarks
Creating a DHCP address pool Required
Configuring WINS servers and NetBIOS node type for the client
Optional
Configuring BIMS server information for the client
Configuring Option 184 parameters for the client with voice service
33
Task Remarks
Configuring the TFTP server and bootfile name for the client
2. Create a DHCP address pool dhcp server ip-pool pool-name No DHCP address pool is created by
and enter its view. [ extended ] default.
NOTE:
A common address pool and an extended address pool are different in address allocation mode
configuration. Configurations of other parameters (such as the domain name suffix and DNS server
address) for them are the same.
You need to specify an address range for the dynamic address allocation. A static binding is a special
address pool containing only one IP address.
2. Enter common address pool view. dhcp server ip-pool pool-name N/A
34
Step Command Remarks
• Specify the MAC address:
static-bind mac-address
Configure either of the two.
4. Specify the MAC address or mac-address
client ID. Neither is bound statically by
• Specify the client ID:
default.
static-bind client-identifier
client-identifier
NOTE:
• Use the static-bind ip-address command together with static-bind mac-address or static-bind
client-identifier to accomplish a static binding configuration.
• In a DHCP address pool, if you execute the static-bind mac-address command before the static-bind
client-identifier command, the latter will overwrite the former and vice versa.
• If you use the static-bind ip-address, static-bind mac-address, or static-bind client-identifier
command repeatedly in the DHCP address pool, the new configuration will overwrite the previous one.
• The IP address of the static binding cannot be an interface address of the DHCP server. Otherwise, an
IP address conflict may occur and the bound client cannot obtain an IP address correctly.
• If the interfaces on a DHCP client share the same MAC address, you need to specify the client ID, rather
than MAC address, in a static binding to identify the requesting interface; otherwise, the client may fail
to obtain an IP address.
35
Step Command Remarks
Optional.
6. Exclude IP addresses from dhcp server forbidden-ip Except IP addresses of the DHCP
automatic allocation. low-ip-address [ high-ip-address ] server interfaces, all addresses in
the DHCP address pool are
assignable by default.
NOTE:
• In common address pool view, using the network command repeatedly overwrites the previous
configuration.
• After you exclude IP addresses from automatic allocation by using the dhcp server forbidden-ip
command, neither a common address pool nor an extended address pool can assign these IP addresses
through dynamic address allocation.
• Using the dhcp server forbidden-ip command repeatedly can exclude multiple IP address ranges from
allocation.
4. Specify the IP address mask. network mask mask Not specified by default.
Optional.
36
NOTE:
Excluded IP addresses specified with the forbidden-ip command in DHCP address pool view are not
assignable in the current extended address pool, but are assignable in other address pools.
37
• p (peer-to-peer)-node—The p-node client sends the destination name in a unicast message to the
WINS server, and the WINS server returns the destination IP address.
• m (mixed)-node—A combination of broadcast first and peer-to-peer second. The m-node client
broadcasts the destination name, if no response is received, then unicasts the destination name to
the WINS server to get the destination IP address.
• h (hybrid)-node—A combination of peer-to-peer first and broadcast second. The h-node client
unicasts the destination name to the WINS server, and if no response is received, broadcasts it to
get the destination IP address.
To configure WINS servers and NetBIOS node type in the DHCP address pool:
NOTE:
If b-node is specified for the client, you do not need to specify any WINS server address.
38
Step Command Remarks
2. Enter DHCP address pool dhcp server ip-pool pool-name
N/A
view. [ extended ]
No gateway is specified by
3. Specify gateways. gateway-list ip-address&<1-8>
default.
Optional.
6. Specify the failover IP address voice-config fail-over
and dialer string. ip-address dialer-string No failover IP address or dialer
string is specified by default.
NOTE:
Specify an IP address for the network calling processor before performing other configurations.
Configuring the TFTP server and bootfile name for the client
For the DHCP server to support client auto-configuration, you must specify the IP address or name of a
TFTP server and the bootfile name in the DHCP address pool. You do not need to perform any
configuration on the DHCP client.
The DHCP client uses these parameters to contact the TFTP server and request the configuration file used
for system initialization.
1. When a router starts up without loading any configuration file, the system sets an active interface
(such as the interface of the default VLAN or a Layer 3 Ethernet interface) as the DHCP client to
39
request from the DHCP server for parameters, such as an IP address and name of a TFTP server,
and the bootfile name.
2. After getting related parameters, the DHCP client will send a TFTP request to obtain the
configuration file from the specified TFTP server for system initialization. If the client cannot get
such parameters, it will perform system initialization without loading any configuration file.
When Option 55 in the client’s request contains parameters of Option 66, Option 67, or Option 150, the
DHCP server will return the IP address or name of the specified TFTP server, and bootfile name to the
client.
To configure the IP address and name of the TFTP server and the bootfile name in the DHCP address
pool:
40
Table 2 Description of common options
CAUTION:
Be cautious When you configure self-defined DHCP options because such configuration may affect the
operation of DHCP.
Enabling DHCP
Enable DHCP before performing other configurations.
To enable DHCP:
41
NOTE:
If a DHCP relay agent exists between the DHCP server and client, the DHCP server, regardless of whether
the subaddress keyword is used, will select an IP address from the address pool containing the primary IP
address of the DHCP relay agent’s interface (connected to the client) for a requesting client.
NOTE:
When the DHCP server and client are on the same subnet:
• With the keyword subaddress specified, the DHCP server will preferably assign an IP address from an
address pool that resides on the same subnet as the primary IP address of the server interface
(connecting to the client). If the address pool contains no assignable IP address, the server assigns an IP
address from an address pool that resides on the same subnet as the secondary IP addresses of the
server interface. If the interface has multiple secondary IP addresses, each address pool is tried in turn
for address allocation.
• Without the keyword subaddress specified, the DHCP server can only assign an IP address from the
address pool that resides on the same subnet as the primary IP address of the server interface.
interface interface-type
2. Enter interface view. N/A
interface-number
Optional.
NOTE:
• This function is available only on a Layer 3 Ethernet interface (or subinterface), or a VLAN interface.
• Only an extended address pool can be applied on the interface. The address pool to be referenced must
already exist.
42
• Enable DHCP
• Configure the DHCP address pool
NOTE:
With the unauthorized DHCP server detection enabled, the router logs each detected DHCP server once.
The administrator can use the log information to find unauthorized DHCP servers.
Optional.
2. Specify the number of ping dhcp server ping packets One ping packet by default.
packets. number The value 0 indicates that no ping
operation is performed.
Optional.
3. Configure a timeout waiting dhcp server ping timeout 500 ms by default.
for ping responses. milliseconds The value 0 indicates that no ping
operation is performed.
43
Configuring the DHCP server to work with authorized ARP
Only the clients that obtain an IP address from the DHCP server are considered as authorized clients. If
the DHCP server also serves as the gateway, it can work with authorized ARP to block unauthorized
clients and prevent ARP spoofing attacks.
To enable the DHCP server to work with authorized ARP, perform the following:
• Configure the DHCP server to support authorized ARP—The DHCP server notifies authorized ARP
to add/delete/change authorized ARP entries when adding/deleting/changing IP address leases.
• Enable authorized ARP—The ARP automatic learning function is disabled after you enable
authorized ARP. ARP entries are added according to the IP address leases specified by the DHCP
server, to avoid learning incorrect ARP entries.
The DHCP server works with authorized ARP for the following purposes:
• Only the clients that have obtained IP addresses from the DHCP server and have their ARP entries
recorded on the DHCP server are authorized clients and can access the network normally.
• The clients that have not obtained IP addresses from the DHCP server are considered unauthorized
clients and are unable to access the network.
• Disabling ARP automatic learning prevents network attacks such as IP/MAC address spoofing
attacks, and only authorized users can access the network.
To configure the DHCP server to work with authorized ARP:
interface interface-type
2. Enter interface view. N/A
interface-number
3. Enable the DHCP server to
dhcp update arp Not enabled by default
work with authorized ARP.
4. Enable authorized ARP. arp authorized enable Disabled by default
NOTE:
• Authorized ARP can only be configured on Layer 3 interfaces.
• When the working mode of the interface is changed from DHCP server to DHCP relay agent, neither the
IP address leases nor the authorized ARP entries will be deleted. However, these ARP entries may conflict
with new ARP entries generated on the DHCP relay agent. Therefore, H3C recommends you delete the
existing IP address leases by using the reset dhcp server ip-in-use command when you change the
interface working mode to DHCP relay agent.
• Disabling the DHCP server to support authorized ARP will not delete the IP address leases, but will delete
the corresponding authorized ARP entries.
• For more information about authorized ARP, see Security Configuration Guide. For more information
about the arp authorized enable command, see Security Command Reference.
44
If the server is configured to ignore Option 82, it will assign an IP address to the client without adding
Option 82 in the response message.
Configuration prerequisites
Before performing this configuration, complete the following configuration on the DHCP server:
• Enable DHCP
• Configure the DHCP address pool
NOTE:
Supporting Option 82 requires configuring both the DHCP server and relay agent (or the router enabled
with DHCP snooping). For more information, see the chapter “DHCP relay agent configuration.”
Configuration procedure
A DHCP server sends trap messages to the network management server when one of the following items
reaches the specified threshold:
• The ratio of successfully allocated IP addresses to received DHCP requests
• The average IP address utilization of the address pool
• The maximum IP address utilization of the address pool
Trap messages help network administrators know the latest usage information of the DHCP server.
To specify the threshold for sending trap messages:
45
Displaying and maintaining the DHCP server
Task Command Remarks
display dhcp server conflict { all | ip
Display information about IP address
ip-address } [ | { begin | exclude | include } Available in any view
conflicts.
regular-expression ]
NOTE:
Using the save command does not save DHCP server lease information. Therefore, when the system boots
up or the reset dhcp server ip-in-use command is executed, no lease information will be available in the
configuration file. The server will deny the request for lease extension from a client and the client needs to
request an IP address again.
46
Static IP address assignment configuration example
Network requirements
As shown in Figure 22, Router A (DHCP client) and Router B (BOOTP client) obtain a static IP address,
DNS server address, and gateway address from Device (DHCP server) respectively.
The MAC address of interface GigabitEthernet 3/1/1 on Router B:
000f-e200-01c0.
The client ID of interface GigabitEthernet 3/1/1 on Router A:
3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30.
Figure 22 Network diagram
Gateway
10.1.1.126/25
GE3/1/1
10.1.1.1/25 10.1.1.2/25 GE3/1/1 GE3/1/1
Configuration procedure
1. Configure the IP address of GigabitEthernet 3/1/1 on Device.
<Device> system-view
[Device] interface GigabitEthernet 3/1/1
[Device-GigabitEthernet3/1/1] ip address 10.1.1.1 25
[Device-GigabitEthernet3/1/1] quit
2. Configure the DHCP server:
# Enable DHCP.
[Device] dhcp enable
# Enable the DHCP server on interface GigabitEthernet 3/1/1.
[Device] interface Gigabitethernet 3/1/1
[Device-Gigabitethernet3/1/1] dhcp select server global-pool
[Device-Gigabitethernet3/1/1] quit
# Create DHCP address pool 0, and configure a static binding, DNS server and gateway in it.
[Device] dhcp server ip-pool 0
[Device-dhcp-pool-0] static-bind ip-address 10.1.1.5
[Device-dhcp-pool-0] static-bind client-identifier
3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30
[Device-dhcp-pool-0] dns-list 10.1.1.2
[Device-dhcp-pool-0] gateway-list 10.1.1.126
[Device-dhcp-pool-0] quit
# Create DHCP address pool 1, and configure a static binding, DNS server and gateway in it.
47
[Device] dhcp server ip-pool 1
[Device-dhcp-pool-1] static-bind ip-address 10.1.1.6
[Device-dhcp-pool-1] static-bind mac-address 000f-e200-01c0
[Device-dhcp-pool-1] dns-list 10.1.1.2
[Device-dhcp-pool-1] gateway-list 10.1.1.126
3. Verification
After the preceding configuration is complete, Router A can obtain IP address 10.1.1.5 and other
network parameters, and Router B can obtain IP address 10.1.1.6 and other network parameters
from Device. You can use the display dhcp server ip-in-use command on the DHCP server to view
the IP addresses assigned to the clients.
NOTE:
In this example, the number of requesting clients connected to GigabitEthernet 3/1/1 should be less than
122, and that of clients connected to GigabitEthernet 3/1/2 less than 124.
10.1.1.4/25
GE3/1/1 GE3/1/2
10.1.1.126/25 10.1.1.1/25 10.1.1.129/25 10.1.1.254/25
Router A Gateway B
10.1.1.2/25 DHCP server
GE3/1/1
Router B
DNS server Client Client
Client
48
Configuration procedure
1. Specify IP addresses for interfaces. (Details not shown)
2. Configure the DHCP server:
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
# Enable the DHCP server on GigabitEthernet 3/1/1 and GigabitEthernet3/1/2.
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] dhcp select server global-pool
[RouterA-GigabitEthernet3/1/1] quit
[RouterA] interface GigabitEthernet 3/1/2
[RouterA-GigabitEthernet3/1/2] dhcp select server global-pool
[RouterA-GigabitEthernet3/1/2] quit
# Exclude IP addresses from dynamic allocation (addresses of the DNS server, WINS server, and
gateways).
[RouterA] dhcp server forbidden-ip 10.1.1.2
[RouterA] dhcp server forbidden-ip 10.1.1.4
[RouterA] dhcp server forbidden-ip 10.1.1.126
[RouterA] dhcp server forbidden-ip 10.1.1.254
# Configure DHCP address pool 0 (address range, client domain name suffix and DNS server
address).
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] domain-name aabbcc.com
[RouterA-dhcp-pool-0] dns-list 10.1.1.2
[RouterA-dhcp-pool-0] quit
# Configure DHCP address pool 1 (address range, gateway, WINS server, and lease duration).
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128
[RouterA-dhcp-pool-1] gateway-list 10.1.1.126
[RouterA-dhcp-pool-1] expired day 10 hour 12
[RouterA-dhcp-pool-1] nbns-list 10.1.1.4
[RouterA-dhcp-pool-1] quit
# Configure DHCP address pool 2 (address range, gateway and lease duration).
[RouterA] dhcp server ip-pool 2
[RouterA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[RouterA-dhcp-pool-2] expired day 5
[RouterA-dhcp-pool-2] gateway-list 10.1.1.254
3. Verification
After the preceding configuration is complete, clients on networks 10.1.1.0/25 and
10.1.1.128/25 can obtain IP addresses on the corresponding network and other network
parameters from Router A. You can use the display dhcp server ip-in-use command on the DHCP
server to view the IP addresses assigned to the clients.
49
Self-defined option configuration example
Network requirements
As shown in Figure 24, the DHCP client (Router B) obtains its IP address and PXE server addresses from
the DHCP server (Router A). The IP address belongs to subnet 10.1.1.0/24. The PXE server addresses are
1.2.3.4 and 2.2.2.2.
The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a self-defined option.
The format of Option 43 and that of the PXE server address sub-option are shown in Figure 16 and Figure
18, respectively. The value of Option 43 configured on the DHCP server in this example is 80 0B 00 00
02 01 02 03 04 02 02 02 02. The number 80 is the value of the sub-option type. The number 0B is the
value of the sub-option length. The numbers 00 00 are the value of the PXE server type. The number 02
indicates the number of servers. The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server
addresses are 1.2.3.4 and 2.2.2.2.
Figure 24 Network diagram
Configuration procedure
1. Specify IP address for interface GigabitEthernet 3/1/1. (Details not shown)
2. Configure the DHCP server:
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Enable the DHCP server on GigabitEthernet 3/1/1.
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] dhcp select server global-pool
[RouterA-GigabitEthernet3/1/1] quit
# Configure DHCP address pool 0.
[Device] dhcp server ip-pool 0
[Device-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[Device-dhcp-pool-0] option 43 hex 80 0B 00 00 02 01 02 03 04 02 02 02 02
3. Verification
After the preceding configuration is complete, Router B can obtain its IP address on 10.1.1.0/24
and PXE server addresses from Router A. You can use the display dhcp server ip-in-use command
on the DHCP server to view the IP addresses assigned to the clients.
Analysis
A host on the subnet may have the same IP address.
50
Solution
1. Disable the client’s network adapter or disconnect the client’s network cable. Ping the IP address
of the client from another host to check whether there is a host using the same IP address.
2. If a ping response is received, the IP address has been manually configured on a host. Execute the
dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic
allocation.
3. Enable the network adapter or connect the network cable. Release the IP address and obtain
another one on the client. Take WINDOW XP as an example, run cmd to enter DOS window.
Type ipconfig/release to relinquish the IP address and then ipconfig/renew to obtain another IP
address.
51
Configuring DHCP relay agent
NOTE:
The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces),
virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, Layer 3 aggregate interfaces, and serial
interfaces.
NOTE:
An MCE device serving as the DHCP relay agent can forward DHCP packets not only between a DHCP
server and clients on a private network, but also between a DHCP server and clients on a public network.
Note that the IP address ranges of the public and private networks or those of private networks cannot
overlap each other. For more information about MCE, see MPLS Configuration Guide.
Fundamentals
Figure 25 shows a typical application of the DHCP relay agent.
Figure 25 DHCP relay agent application
No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a
similar way (see the chapter “DHCP overview”).
52
Figure 26 DHCP relay agent work process
If a client’s
Handling
requesting Padding format The DHCP relay agent will…
strategy
message has…
Drop Random Drop the message.
53
If a client’s
Handling
requesting Padding format The DHCP relay agent will…
strategy
message has…
Forward the message after adding the
N/A normal
Option 82 padded in normal format.
Task Remarks
Enabling DHCP Required
Enabling DHCP
Enable DHCP before performing other configurations related to the DHCP relay agent.
To enable DHCP:
54
Step Command Remarks
interface interface-type
2. Enter interface view. N/A
interface-number
NOTE:
The IP address pool containing the IP address of the DHCP relay agent enabled interface must be
configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain
correct IP addresses.
NOTE:
• You can specify up to twenty DHCP server groups on the relay agent.
• By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP
server addresses for each DHCP server group.
• The IP addresses of DHCP servers and those of relay agent’s interfaces that connect DHCP clients cannot
be on the same subnet. Otherwise, the client cannot obtain an IP address.
• A DHCP server group can correlate with one or multiple DHCP relay agent interfaces, while a relay
agent interface can only correlate with one DHCP server group. Using the dhcp relay server-select
command repeatedly overwrites the previous configuration. However, if the specified DHCP server
group does not exist, the interface still uses the previous correlation.
• The group-id argument in the dhcp relay server-select command is configured by the dhcp relay
server-group command.
55
Configuring the DHCP relay agent security
functions
Configure address check
Address check can block illegal hosts from accessing external networks.
With this feature enabled, the DHCP relay agent can dynamically record clients’ IP-to-MAC bindings
after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the
DHCP relay agent so that users can access external networks using fixed IP addresses.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in
the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent
does not learn the ARP entry of the host, and will not forward any reply to the host, which thus cannot
access external networks via the DHCP relay agent.
To create a static binding and enable address check:
NOTE:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces
(including sub-interfaces) and VLAN interfaces.
• Before enabling address check on an interface, you must enable the DHCP service, and enable the
DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command only checks IP and MAC addresses but not interfaces.
• When using the dhcp relay security static command to bind an interface to a static binding entry, make
sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may
occur.
56
• If the server returns a DHCP-NAK message, the relay agent keeps the client entry.
To configure periodic refresh of dynamic client entries:
Optional.
3. Configure the refresh dhcp relay security tracker auto by default. (auto interval is calculated
interval. { interval | auto } by the relay agent according to the number
of client entries.)
interface interface-type
2. Enter interface view. N/A
interface-number
3. Enable the DHCP relay agent to
dhcp update arp Not enabled by default
work with authorized ARP.
4. Enable authorized ARP. arp authorized enable Not enabled by default
57
NOTE:
• Authorized ARP can only be configured on Layer 3 Ethernet interfaces.
• Disabling the DHCP relay agent to support authorized ARP will delete the corresponding authorized
ARP entries.
• Since the DHCP relay agent does not notify the authorized ARP module of the static bindings, you need
to configure the corresponding static ARP entries for authorized users that have IP addresses statically
specified.
• For more information about authorized ARP, see Security Configuration Guide. For more information
about the arp authorized enable command, see Security Command Reference.
NOTE:
With unauthorized DHCP server detection enabled, the relay agent logs each detected DHCP server once.
The administrator can use the log information to find unauthorized DHCP servers.
58
Step Command Remarks
1. Enter system view. system-view N/A
interface interface-type
2. Enter interface view. N/A
interface-number
3. Enable MAC address
dhcp relay check mac-address Disabled by default
check.
NOTE:
DHCP relay agents change the source MAC addresses when forwarding DHCP packets. Therefore, you
can enable MAC address check only on a DHCP relay agent directly connected to DHCP clients.
Otherwise, valid DHCP packets may be discarded and clients cannot obtain IP addresses.
interface interface-type
2. Enter interface view. N/A
interface-number
NOTE:
Removing an ARP entry manually does not remove the corresponding client’s IP-to-MAC binding. When
the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding
manually.
59
Step Command
1. Enter system view. system-view
2. Configure the DHCP relay agent to release an IP
dhcp relay release ip client-ip
address.
NOTE:
• The IP address to be released must be available in a dynamic client entry.
• Dynamic client entries can be generated only after you enable address check, authorized ARP, or IP
source guard on the DHCP relay agent. For more information about IP source guard, see Security
Configuration Guide.
Configuration procedure
To configure the DHCP relay agent to support Option 82:
60
Step Command Remarks
Optional.
• Configure the padding format for
Option 82: By default,
dhcp relay information format • The padding format for Option 82
{ normal | verbose [ node-identifier is normal.
{ mac | sysname | user-defined • The code type for the circuit ID
node-identifier } ] } sub-option depends on the padding
5. Configure
• Configure the code type for the circuit format of Option 82. Each field has
non-user-defined
ID sub-option: its own code type.
Option 82.
dhcp relay information circuit-id • The code type for the remote ID
format-type { ascii | hex } sub-option is hex.
• Configure the code type for the remote The code type configuration for the
ID sub-option:
circuit ID sub-option and for the remote
dhcp relay information remote-id
ID sub-option apply to non-user-defined
format-type { ascii | hex }
Option 82 only.
NOTE:
• To support Option 82, perform related configuration on both the DHCP server and relay agent. For
DHCP server configuration of this kind, see “Enabling Option 82 handling”.
• If the handling strategy of the DHCP relay agent is configured as replace, you need to configure a
padding format for Option 82. If the handling strategy is keep or drop, you need not configure any
padding format.
• If sub-option 1 (node identifier) of Option 82 is padded with the device name (sysname) of a node, the
device name must contain no spaces. Otherwise, the DHCP relay agent will drop the message.
61
Task Command Remarks
display dhcp relay information { all |
Display Option 82 configuration interface interface-type interface-number } Available in any
information on the DHCP relay agent. [ | { begin | exclude | include } view
regular-expression ]
GE3/1/1 GE3/1/2
10.10.1.1/24 10.1.1.2/24
GE3/1/1
10.1.1.1/24
Router A Router B
DHCP relay agent DHCP server
62
Configuration procedure
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
After the preceding configuration is complete, DHCP clients can obtain IP addresses and other network
parameters through the DHCP relay agent from the DHCP server. You can use the display dhcp relay
security command to view clients’ address bindings on the DHCP relay agent, and use the display dhcp
relay statistics command to view statistics of DHCP packets forwarded by the DHCP relay agent.
NOTE:
• Because the DHCP relay agent and server are on different subnets, you must configure a static route or
dynamic routing protocol to make them reachable to each other.
• Configurations on the DHCP server are also required to guarantee the client-server communication via
the DHCP relay agent. For DHCP server configuration information, see the chapter “DHCP server
configuration.”
Configuration procedure
# Enable DHCP.
<RouterA> system-view
[RouterA] dhcp enable
63
[RouterA-GigabitEthernet2/1/1] dhcp select relay
# Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations.
[RouterA-GigabitEthernet2/1/1] dhcp relay information enable
[RouterA-GigabitEthernet2/1/1] dhcp relay information strategy replace
[RouterA-GigabitEthernet2/1/1] dhcp relay information circuit-id string company001
[RouterA-GigabitEthernet2/1/1] dhcp relay information remote-id string device001
NOTE:
Configurations on the DHCP server are also required to make the Option 82 configurations function
normally.
Analysis
Some problems may occur with the DHCP relay agent or server configuration.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent
to view the debugging information and interface state information.
Check that:
• The DHCP is enabled on the DHCP server and relay agent.
• The address pool on the same subnet where DHCP clients reside is available on the DHCP server.
• The DHCP server and DHCP relay agent are reachable to each other.
• The relay agent interface connected to DHCP clients is correlated with a correct DHCP server group
and the IP addresses of the group members are correct.
64
Configuring IPv4 DNS
NOTE:
This document only covers IPv4 DNS configurations. For more information about the IPv6 DNS
configuration, see the chapter “IPv6 basics configuration.”
DNS overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in
some applications and let the DNS server translate them into correct IP addresses.
There are two types of DNS services, static and dynamic. After a user specifies a name, the router checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, some
frequently queried name-to-IP address mappings are stored in the local static name resolution table to
improve efficiency.
65
Figure 28 Dynamic domain name resolution
Figure 28 shows the relationship between the user program, DNS client, and DNS server.
The DNS client is made up of the resolver and cache. The user program and DNS client can run on the
same router or different routers, while the DNS server and the DNS client usually run on different routers.
Dynamic domain name resolution allows the DNS client to store latest mappings between domain names
and IP addresses in the dynamic domain name cache. There is no need to send a request to the DNS
server for a repeated query next time. The aged mappings are removed from the cache after some time,
and latest entries are required from the DNS server. The DNS server decides how long a mapping is valid,
and the DNS client gets the aging information from DNS messages.
DNS suffixes
The DNS client normally holds a list of suffixes which the user sets. It is used when the name to be resolved
is incomplete. The resolver can supply the missing part.
For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc
to obtain the IP address of aabbcc.com because the resolver adds the suffix and delimiter before passing
the name to the DNS server.
• If there is no dot in the domain name (for example, aabbcc), the resolver considers this a host name
and adds a DNS suffix before query. If no match is found after all the configured suffixes are used
respectively, the original domain name (for example, aabbcc) is used for query.
• If there is a dot in the domain name (for example, www.aabbcc), the resolver directly uses this
domain name for query. If the query fails, the resolver adds a DNS suffix for another query.
• If the dot is at the end of the domain name (for example, aabbcc.com.), the resolver considers it a
fully qualified domain name (FQDN) and returns the query result, successful or failed. The dot (.) at
the end of the domain name is considered a terminating symbol.
The router supports static and dynamic DNS services.
NOTE:
If an alias is configured for a domain name on the DNS server, the router can resolve the alias into the IP
address of the host.
66
DNS proxy
Introduction to DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
As shown in Figure 29, a DNS client sends a DNS request to the DNS proxy, which forwards the request
to the designated DNS server, and conveys the reply from the DNS server to the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy instead of on each DNS client.
Figure 29 DNS proxy networking application
DNS spoofing
With DNS proxy enabled but no DNS server or route to the DNS server specified, a router cannot
forward a DNS request, or answer the request. In this case, you can enable DNS spoofing on the router
to spoof a reply with the configured IP address. Once a DNS server is reachable, the router will send
DNS requests to the server and return the replies to the requesting DNS clients.
67
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and
IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by
using host names instead of IPv4 addresses.
To configure static domain name resolution:
NOTE:
• The IPv4 address you last assign to the host name will overwrite the previous one if there is any.
• You may create up to 50 static mappings between domain names and IPv4 addresses.
Optional.
4. Configure a domain name Not configured by default, that is,
dns domain domain-name
suffix. only the provided domain name
is resolved.
68
NOTE:
• You can configure up to six DNS servers, including those with IPv6 addresses, in system view and on all
interfaces of a router.
• A DNS server configured in system view has a higher priority than one configured in interface view. A
DNS server configured earlier has a higher priority than one configured later in the same view. A DNS
server manually configured has a higher priority than one dynamically obtained through DHCP. A
name query request is first sent to the DNS server that has the highest priority. If no reply is received, it
sent to the DNS server that has the second highest priority, and thus in turn.
• You may configure up to six DNS servers and ten DNS suffixes.
NOTE:
You can specify multiple DNS servers by using the dns server command repeatedly. Upon receiving a
name query request from a client, the DNS proxy forwards the request to the DNS server that has the
highest priority. If having not received a reply, it forwards to the request to a DNS server that has the
second highest priority, and thus in turn.
Configuration procedure
To configure DNS spoofing:
69
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable DNS spoofing and specify the
dns spoofing ip-address Disabled by default
translated IP address.
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
<Sysname> system-view
[Sysname] ip host host.com 10.1.1.2
# Execute the ping host.com command to verify that the device can use the static domain name resolution
to get the IP address 10.1.1.2 corresponding to host.com.
70
[Sysname] ping host.com
PING host.com (10.1.1.2):
56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms
Configuration procedure
NOTE:
• Before performing the following configuration, make sure that there is a route between the device and
the host, and configurations are done on both the device and the host. For the IP addresses of the
interfaces, see Figure 31.
• This configuration may vary with different DNS servers. The following configuration is performed on a
PC running Windows Server 2000.
71
# Enter DNS server configuration page.
Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
In Figure 32, right click Forward Lookup Zones, select New zone, and then follow the instructions
to create a new zone.
Figure 32 Creating a zone
72
Figure 33 Adding a host
In Figure 33, right click zone com, and then select New Host to bring up a dialog box as shown
in Figure 34. Enter host name host and IP address 3.1.1.1.
Figure 34 Adding a mapping between domain name and IP address
73
2. Configure the DNS client:
# Enable dynamic domain name resolution.
<Sysname> system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
3. Configuration verification:
# Execute the ping host command on the device to verify that the communication between the
device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[Sysname] ping host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1):
56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
74
Figure 35 Network diagram
Device B
DNS client 4.1.1.1/24
DNS server
2.1.1.1/24
Device A
DNS proxy
2.1.1.2/24 1.1.1.1/24
IP network
3.1.1.1/24
host.com
Host
Configuration procedure
NOTE:
Before performing the following configuration, assume that Device A, the DNS server, and the host are
reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 35.
75
56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
Solution
• Use the display dns dynamic-host command to verify that the specified domain name is in the
cache.
• If there is no defined domain name, check that dynamic domain name resolution is enabled and the
DNS client can communicate with the DNS server.
• If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS
client has the correct IP address of the DNS server.
• Verify the mapping between the domain name and IP address is correct on the DNS server.
76
Configuring NAT
NOTE:
SPE cards in this document refer to cards prefixed with SPE such as SPE-1020-E-II.
Only the cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, SPE-1020-E-II, IM-NAT, and IM-NAT-II support
NAT service interface configuration.
NAT overview
Introduction to NAT
Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header
to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to
access public networks. With NAT, a smaller number of public IP addresses are used to meet public
network access requirements from a larger number of private IP addresses, effectively alleviating the
depletion of IP addresses.
NOTE:
A private or internal IP address is used only in an internal network, whereas a public or external IP address
is used on the Internet and is globally unique.
According to RFC 1918, three blocks of IP addresses are reserved for private networks:
• In Class A: 10.0.0.0 to 10.255.255.255,
• In Class B: 172.16.0.0 to 172.31.255.255,
• In Class C: 192.168.0.0 to 192.168.255.255.
No host with an IP address in the above three ranges exists on the Internet. You can use those IP addresses
in an enterprise network freely without requesting them from an Internet Service Provider (ISP) or a
registration center.
In addition to translating private addresses to public addresses, NAT can also perform address translation
between any two networks. In this document, the two networks refer to an internal network and an external
network. Generally a private network is an internal network, and a public network is an external network.
77
Figure 36 NAT operation
1. The internal host with an IP address of 192.168.1.3 sends an IP packet to the external server with
an IP address of 1.1.1.2 through the NAT device.
2. Upon receiving the packet, the NAT device checks the IP header and finds that it is destined to the
external network. Then it translates the private address 192.168.1.3 to the globally unique public
address 20.1.1.1 and then forwards the packet to the server on the external network. Meanwhile,
the NAT device adds the mapping of the two addresses into its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is
20.1.1.1. Upon receiving the packet, the NAT device checks the IP header, looks into its NAT
table for the mapping, replaces the destination address with the private address of 192.168.1.3,
and then sends the new packet to the internal host.
The above NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal host is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT
hides the private network from the external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT also has the following disadvantages:
• As NAT involves translation of IP addresses, the IP headers cannot be encrypted. This is also true to
the application protocol packets when the contained IP address or port number needs to be
translated. For example, you cannot encrypt an FTP connection, or its port command cannot work
correctly.
• Network debugging becomes more difficult. For example, when a host in a private network tries to
attack other networks, it is harder to pinpoint the attacking host as the host IP address has been
hidden.
NAT control
An enterprise needs to allow some hosts in the internal network to access external networks but prohibit
others. This can be achieved through the NAT control mechanism. If a source IP address is among
addresses denied, the NAT device does not translate the address. In addition, the NAT device only
translates private addresses to specified public addresses.
NAT control can be achieved through an access control list (ACL) and an address pool.
• Only packets matching the ACL rules are served by NAT.
78
An address pool is a collection of consecutive public IP addresses for address translation. You can
specify an address pool based on the number of available public IP addresses, the number of internal
hosts, and network requirements. The NAT device selects an address from the address pool as the public
address of an IP packet.
NAT operation
Basic NAT
As shown in Figure 36, when an internal network host accesses an external network, NAT uses a public
IP address to replace the original internal IP address. In Figure 36, NAT uses the IP address of the
outgoing interface as the public IP address. Thus all internal hosts use the same public IP address to
access external networks and only one host is allowed to access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, the NAT device
chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its
NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks
simultaneously.
NOTE:
The number of public IP addresses that a NAT device needs is usually far less than the number of internal
hosts because not all internal hosts access external networks at the same time. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.
NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses
to be mapped to the same public IP address, which is called multiple-to-one NAT or address
multiplexing.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple
internal hosts are mapped to the same external IP address with different port numbers.
Figure 37 depicts NAPT operation.
79
Figure 37 Diagram for NAPT operation
As shown in Figure 37, three IP packets arrive at the NAT gateway. Packets 1 and 2 are from the same
internal address but have different source port numbers. Packets 1 and 3 are from different internal
addresses but have the same source port number. NAPT maps the three IP packets to the same external
address but with different source port numbers. Therefore, the packets can still be differentiated. When
receiving the response packets, the NAT device forwards them to the corresponding hosts according to
the destination addresses and port numbers.
NAPT can better utilize IP address resources, enabling more internal hosts to access the external network
at the same time.
NAPT supports two NAT mapping behavior modes: Endpoint-Independent Mapping and
Endpoint-Dependent Mapping.
• Endpoint-Independent Mapping
In this mode, the NAT device uses entries, each of which comprises the source IP address, source
port number, and protocol type to translate addresses and filter packets. The same NAPT mapping
applies to packets sent from the same internal IP address and port to any external IP address and
port. The NAT device also allows external hosts to access the internal network by using the
translated external addresses and port numbers. This mode facilitates communication among hosts
that connect to different NAT devices.
• Address and Port-Dependent Mapping
In this mode, the NAT device uses entries each comprising the source IP address, source port
number, protocol type, destination IP address, and destination port number to translate addresses
and filter packets. For packets with the same source address and source port number but different
destination addresses and destination port numbers, different NAPT mappings apply so that the
source address and port number are mapped to the same external IP address but different port
numbers. The NAT device allows the hosts only on the corresponding external networks where
these destination addresses reside to access the internal network. This mode is secure but
inconvenient for communication among hosts that connect to different NAT devices.
Internal server
NAT hides the internal network structure, including the identities of internal hosts. However, internal hosts
such as a web server or an FTP server may need to be accessed by external hosts in practice. NAT
satisfies this requirement by supporting internal servers.
80
You can configure an internal server on the NAT device by mapping a public IP address and port number
to the private IP address and port number of the internal server. For instance, you can configure an
address like 20.1.1.12:8080 as an internal web server’s external address and port number.
You can configure an internal server on the NAT device by mapping a public IP address and port number
to the private IP address and port number of the internal server. For instance, you can configure an
address like 20.1.1.12:8080 as an internal web server’s external address and port number.
In Figure 38, when the NAT device receives a packet destined for the public IP address of an internal
server, it looks in the NAT entries and translates the destination address and port number in the packet
to the private IP address and port number of the internal server. When the NAT device receives a
response packet from the internal server, it translates the source private IP address and port number of the
packet into the public IP address and port number of the internal server.
Figure 38 Internal server operation
DNS mapping
Generally, the DNS server and users that need to access internal servers reside on the public network.
You can specify an external IP address and port number for an internal server on the public network
interface of a NAT device, so that external users can access the internal server using its domain name or
pubic IP address. In Figure 39, an internal host wants to access an internal web server by using its
domain name, while the DNS server is located on the public network. Typically, the DNS server replies
with the public address of the internal server to the host and thus the host cannot access the internal server.
The DNS mapping feature can solve the problem.
Figure 39 Operation of NAT DNS mapping
A DNS mapping entry records the domain name, public address, public port number, and protocol type
of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name
81
in the message against the DNS mapping entries. If a match is found, the private address of the internal
server is found and the interface replaces the public IP address in the reply with the private IP address.
Then, the host can use the private address to access the internal server.
Easy IP
Easy IP uses the public IP address of an interface on the router as the translated source address to save
IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.
NAT multiple-instance
This feature allows users from different MPLS VPNs to access external networks through the same
outbound interface. It also allows them to have the same internal address. The process works as follows:
When an MPLS VPN user communicates with an external network, NAT replaces the internal IP address
and port number with the NAT gateway’s external IP address and port number. It also records the
relevant MPLS VPN information, such as the protocol type and router distinguisher (RD for short). When
the response packet arrives, the NAT gateway then restores the external IP address and port number to
the internal IP address and port number. Additionally, the NAT gateway can identify the MPLS VPN users
who access the external network. Besides NAT, NAPT also supports multiple-instance.
The multiple-instance feature can also apply to internal servers so that external users can access an
internal host of an MPLS VPN. For example, in MPLS VPN 1, the host that provides Web service has an
internal address 10.110.1.1. The host can use 202.110.10.20 as an external IP address so that the Internet
users can access the Web service in MPLS VPN 1 through this external address.
Moreover, NAT allows hosts in multiple MPLS VPNs to access each other by using the MPLS VPN
information carried in the external IP address.
Task Remarks
Configuring static NAT
Configuring address translation Either is required
Configuring dynamic NAT
82
NOTE:
• NAT is supported on a provider edge router (PE), but not on a provider (P) router.
• If the NAT configuration (address translation or internal server configuration) on an interface is
changed, save the configuration and reboot the router (or use the reset nat session command to
manually clear the relevant NAT entries), to avoid problems. The following are the possible problems:
After you delete the NAT-related configuration, address translation can still work for sessions already
created; if you configure NAT when NAT is running, the same configuration may have different results
because of different configuration orders.
• Make sure all the IP address pools referenced by the interfaces do not overlap each other.
• When you configure twice NAT for multiple instances of a card with silkscreen IM-NAT and IM-NAT-II
of a PE, specify the VPN to which a NAT address pool belongs. For more information, see “Dynamic
NAT configuration example IV.”
CAUTION:
When you configure static NAT, do not use any address from the dynamic NAT address pool or use any
interface address as the public IP address; otherwise, traffic conflicts may occur.
83
To configure one-to-one static NAT:
Step Command
1. Enter system view. system-view
Step Command
1. Enter system view. system-view
84
When a packet from an internal host to the external network arrives:
• If it is the first packet and an address pool is associated with an outbound interface, NAT
determines whether to translate the packet based on the ACL (or packet source address). If yes,
NAT chooses an address from the associated address pool or gets the associated interface address,
performs address translation, and then saves the address mapping in the address translation table.
All subsequent packets from the internal host are serviced by NAT directly according to the
mapping entry.
• If an address pool is associated with an inbound interface, NAT determines whether to translate the
packet based on the ACL. If yes, NAT redirects the packet to the NAT service card and performs
address translation as in the above-mentioned process. You need to configure a QoS policy to
redirect packets to an IM-NAT or IM-NAT-II card. For more information, see ACL and QoS
Configuration Guide. This case does not support Easy IP.
NOTE:
• The association of an address pool to an inbound interface set with the nat inbound command is
effective only when an IM-NAT or IM-NAT-II card is present.
• If both the inbound and outbound interfaces of a NAT device are associated with an address pool, a
packet matching both of them uses an address from the address pool associated with the outbound
interface for address translation.
• You need to configure a QoS policy to redirect packets to an IM-NAT or IM-NAT-II card. For more
information, see ACL and QoS Configuration Guide. Traffic classification commands supported in a
QoS policy that is used for redirecting packets to a NAT board include: acl, customer-vlan-id,
destination-mac, dscp ip-precedence, protocol, service-dot1p, service-vlan-id, and source-mac.
Configuration prerequisites
• Configure an ACL to specify IP addresses permitted to be translated.
• Decide whether to use an interface’s IP address as the translated source address.
• Determine a public IP address pool for address translation.
• Decide whether to translate port information.
NOTE:
For more information about ACL, see ACL and QoS Configuration Guide.
85
NOTE:
The NAT address pool cannot contain addresses on the subnet where the interface resides, and a
broadcast address.
Configuring Easy IP
Easy IP allows the router to use the IP address of one of its interfaces as the source address of NATed
packets.
To configure Easy IP:
Step Command
1. Enter system view. system-view
Configuring No-PAT
With a specific ACL associated with an address pool or interface address, No-PAT translates the source
address of a packet permitted by the ACL into an IP address of the address pool or the interface address,
without using the port information.
To configure No-PAT:
interface interface-type
2. Enter interface view. N/A
interface-number
• Configure No-PAT by associating
an ACL with an IP address pool
on the outbound interface for
translating only IP addresses:
nat outbound acl-number
address-group group-number
[ vpn-instance
vpn-instance-name ] [ next-hop
ip-address ] no-pat
3. Configure No-PAT. • Configure No-PAT by associating Either command is required.
an ACL with an IP address pool
on the inbound interface for
translating only IP addresses:
nat inbound acl-number
address-group group-number
[ vpn-instance
vpn-instance-name ] [ interface
interface-type interface-number
[ next-hop ip-address ] ] no-pat
86
Configuring NAPT
With a specific ACL associated with an address pool or interface address, NAPT translates the source
address of a packet permitted by the ACL into an IP address of the address pool or the interface address,
with using the port information.
To configure NAPT:
CAUTION:
When you configure an internal server on an IM-NAT or IM-NAT-II card, the configuration takes effect on
all Layer 3 interfaces bound to this NAT service interface.
87
Configuring a common internal server
After mapping the internal IP address/port number (local-address and local-port) of a common internal
server to an external IP address/port number (global-address and global-port), hosts in external
networks can access the server located in the internal network.
To configure a common internal server:
You can add an internal server (private network information) into an internal server group. If multiple
members exist in the internal server group, they can provide the same service to hosts in external
networks, thus to implement load sharing.
To configure load shared internal servers:
Step Command
1. Enter system view. system-view
2. Configure an internal server
nat server-group group-number
group.
3. Add an internal server into the
inside ip inside-ip port port-number
group.
4. Enter interface view. interface interface-type interface-number
NOTE:
• The internal server group referenced by the nat server command must have at least a member
configured.
• Each private IP address in an internal server group should be unique.
88
Configuring DNS mapping
With DNS mapping, an internal host can access an internal server on the same private network by using
the domain name of the internal server when the DNS server resides on the public network.
To configure a DNS mapping:
Step Command
1. Enter system view. system-view
Configuration procedure
To configure a NAT service interface binding:
NOTE:
An interface bound with a NAT service interface cannot serve as the outbound interface for QoS
redirection. This is because all packets out of the interface are redirected to the NAT service interface,
making QoS redirection ineffective.
89
NOTE:
• For the NAT log configuration, see Security Configuration Guide and the Network Management and
Monitoring Configuration Guide.
• A router installed with an IM-NAT or IM-NAT-II card does not output log information about static NAT
and internal servers.
Step Command
1. Enter system view. system-view
2. Create a connection limit policy and enter its view. connection-limit policy policy-number
90
• Non-shared segment limit—Limits the connections of a specified network segment so that each
connection on the segment enjoys the specified resources.
To configure a source IP-based connection limit rule:
Step Command
1. Enter system view. system-view
NOTE:
This command is available only on an interface of an IM-NAT or IM-NAT-II card.
91
Displaying and maintaining NAT
Task Command Remarks
display nat address-group [ group-number ] [ |
Display information about NAT Available in any
{ begin | exclude | include }
address pools. view
regular-expression ]
Display all NAT configuration display nat all [ | { begin | exclude | include } Available in any
information. regular-expression ] view
Display the NAT configuration display nat bound [ | { begin | exclude | Available in any
information. include } regular-expression ] view
Display the DNS mapping display nat dns-map [ | { begin | exclude | Available in any
configuration information. include } regular-expression ] view
Display the internal server display nat server [ | { begin | exclude | Available in any
information. include } regular-expression ] view
92
Figure 40 Network diagram
Configuration procedure
# Configure the IP addresses for the interfaces as shown in Figure 40. (Details not shown)
# Configure a one-to-one static NAT mapping.
<Router> system-view
[Router] interface nat 3/0/2
[Router-NAT3/0/2] nat static 10.110.10.8 202.38.1.100
[Router-NAT3/0/2] quit
93
Configuration procedure
# Configure the IP addresses for the interfaces as shown in Figure 41. (Details not shown)
# Configure address pool 1 containing 202.38.1.2 and 202.38.1.3.
<Router> system-view
[Router] nat address-group 1 202.38.1.2 202.38.1.3
# Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access the
Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-basic-2001] rule deny
[Router-acl-basic-2001] quit
# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 3/1/2.
[Router] interface GigabitEthernet 3/1/2
[Router-GigabitEthernet3/1/2] nat outbound 2001 address-group 1
[Router-GigabitEthernet3/1/2] quit
Configuration procedure
# Configure the IP addresses for the interfaces as shown in Figure 42. (Details not shown)
94
• Method I: Configure NAT on the outbound interface. (On the router, an IM-NAT or IM-NAT-II card
is installed in Slot 5, and an SPE card is installed in Slot 3)
# Configure address pool 1 containing 202.38.1.2 and 202.38.1.3.
<Router> system-view
[Router] nat address-group 1 202.38.1.2 202.38.1.3
# Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access
the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-basic-2001] rule deny
[Router-acl-basic-2001] quit
# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 3/1/2.
[Router] interface GigabitEthernet 3/1/2
[Router-GigabitEthernet3/1/2] nat outbound 2001 address-group 1
[Router-GigabitEthernet3/1/2] quit
# Bind GigabitEthernet 3/1/2 to NAT service interface 5/0/1.
[Router] interface nat 5/0/1
[Router-NAT5/0/1] nat binding interface GigabitEthernet 3/1/2
[Router-NAT5/0/1] quit
# Configure connection limit policy 1, limiting user connections sourced from 10.110.10.100. Set
the upper limit of user connections to 1000.
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 0 source 10.110.10.100 32 amount other 1000
[Router-connection-limit-policy-1] quit
# Apply the connection limit policy to the NAT service interface 5/0/1.
[Router] interface nat 5/0/1
[Router-NAT5/0/1] connection-limit apply policy 1
[Router-NAT5/0/1] quit
• Method II: Configure NAT on the inbound interface. (On the router, an IM-NAT or IM-NAT-II card is
installed in Slot 5, and an SPE card is installed in Slot 3.)
Figure 43 Network diagram
95
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-basic-2001] rule deny
[Router-acl-basic-2001] quit
# Configure ACL 2002 for redirecting packets to the NAT board. Packets that are to be redirected
to the NAT service interface requires address translation, so the ACL rules defined in ACL 2002
are the same as that in ACL 2001. You can also configure different ACL rules as needed.
[Router] acl number 2002
[Router-acl-basic-2002] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-basic-2002] rule deny
[Router-acl-basic-2002] quit
# Configure a QoS policy to redirect packets to NAT 5/0/1.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2002
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect interface nat 5/0/1
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface GigabitEthernet 3/1/1
[Router-GigabitEthernet3/1/1] qos apply policy 1 inbound
# Associate address pool 1 and ACL 2001 with the inbound interface GigabitEthernet 3/1/1.
[Router] interface GigabitEthernet 3/1/1
[Router-GigabitEthernet3/1/1] nat inbound 2001 address-group 1
# Bind the NAT service interface 5/0/1 with GigabitEthernet 3/1/1.
[Router] interface nat 5/0/1
[Router-NAT5/0/1] nat binding interface GigabitEthernet 3/1/1
# Configure connection limit policy 1, limiting user connections sourced from 10.110.10.100. Set
the upper limit of user connections to 1000.
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 0 source 10.110.10.100 32 amount other 1000
[Router-connection-limit-policy-1] quit
# Apply connection limit policy 1 to the NAT service interface 5/0/1.
[Router] interface nat 5/0/1
[Router-NAT5/0/1] connection-limit apply policy 1
[Router-NAT5/0/1] quit
96
Figure 44 Network diagram
VPN network Host A
GE3/1/3 GE3/1/4
10.110.10.10/16 202. 38.1.1/24
Internet
Web server
202.38.1. 200
Host B Host C
Configuration procedure
# Configure the IP addresses for the interfaces as shown in Figure 44. (Details not shown)
# Configure VPN 1.
<Router> system-view
System View: return to User View with Ctrl+Z.
[Router] ip vpn-instance vpn1
[Router-vpn-instance-vpn1] route-distinguisher 1:1
[Router-vpn-instance-vpn1] quit
# Configure a default route with outbound interface GigabitEthernet 3/1/4 and next hop 202.38.1.250.
[Router] ip route-static vpn-instance vpn1 0.0.0.0 0 GigabitEthernet 3/1/4 202.38.1.250
# Associate GigabitEthernet 3/1/3 with VPN 1 and assign an IP address to GigabitEthernet 3/1/4.
[Router-GigabitEthernet3/1/3] ip binding vpn-instance vpn1
[Router-GigabitEthernet3/1/3] ip address 10.110.10.10 16
[Router-GigabitEthernet3/1/3] quit
[Router] interface GigabitEthernet 3/1/4
[Router-GigabitEthernet3/1/4] ip address 202.38.1.1 24
[Router-GigabitEthernet3/1/4] quit
97
Dynamic NAT configuration example IV
Network requirements
A company has two departments, A and B. Department A resides on network 192.168.1.0/24 and
belongs to VPN 1. Department B resides on network 172.21.1.0/24 and belongs to VPN 2. The address
pool contains IP addresses 202.38.1.2 and 202.38.1.3 and belongs to VPN 3. A web server resides on
the same network as department B.
Configure the routers to allow access from department A to the web server.
On the router, an IM-NAT or IM-NAT-II card is installed in Slot 5, and an SPE card is installed in Slot 3.
Figure 45 Network diagram
Configuration procedure
NOTE:
• When you configure twice NAT for multiple instances of a PE, specify the VPN to which the NAT address
pool belongs.
• When you configure twice NAT on a PE, do not specify the outbound interface. That is, do not specify
the interface keyword in the nat static net-to-net, nat static, and nat inbound commands.
# Configure the IP addresses for the interfaces as shown in Figure 45. (Details not shown)
# Configure VPNs.
<Router> system-view
[Router] ip vpn-instance vpn1
[Router-vpn-instance-vpn1] route-distinguisher 1:1
[Router-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity
[Router-vpn-instance-vpn1] quit
[Router] ip vpn-instance vpn2
[Router-vpn-instance-vpn2] route-distinguisher 2:2
[Router-vpn-instance-vpn2] vpn-target 3:3 import-extcommunity
[Router-vpn-instance-vpn2] quit
[Router] ip vpn-instance vpn3
[Router-vpn-instance-vpn3] route-distinguisher 3:3
[Router-vpn-instance-vpn3] vpn-target 3:3 export-extcommunity
[Router-vpn-instance-vpn3] quit
98
[Router] bgp 1
[Router-bgp] ipv4-family vpn-instance vpn3
[Router-bgp-vpn3] import-route static
[Router-bgp-vpn3] quit
[Router-bgp] quit
# Associate GigabitEthernet 3/1/3 with VPN 1 and GigabitEthernet 3/1/4 with VPN 2.
[Router] interface GigabitEthernet3/1/3
[Router-GigabitEthernet3/1/3] ip binding vpn-instance vpn1
[Router-GigabitEthernet3/1/3] ip address 192.168.1.1 24
[Router-GigabitEthernet3/1/3] quit
[Router] interface GigabitEthernet 3/1/4
[Router-GigabitEthernet3/1/4] ip binding vpn-instance vpn2
[Router-GigabitEthernet3/1/4] ip address 172.21.1.1 24
[Router-GigabitEthernet3/1/4] quit
# Associate ACL 3005 with address pool 0 on the inbound interface, and create a NAT server.
[Router] interface GigabitEthernet 3/1/3
[Router-GigabitEthernet3/1/3] nat inbound 3005 address-group 0 vpn-instance vpn3
[Router-GigabitEthernet3/1/3] nat server protocol tcp global 202.38.1.3 www vpn-instance
vpn3 inside 172.21.1.243 www vpn-instance vpn2
[Router-GigabitEthernet3/1/3] quit
99
Figure 46 Network diagram
Configuration procedure
# Configure the IP addresses for the interfaces as shown in Figure 46. (Details not shown)
# Enter interface GigabitEthernet 3/1/2 view.
<Router> system-view
[Router] interface GigabitEthernet 3/1/2
100
Figure 47 Network diagram
Configuration procedure
# Configure the IP addresses for the interfaces as shown in Figure 47. (Details not shown)
# Add members to internal server group 0.
<Router> system-view
[Router] nat server-group 0
[Router-nat-server-group-0] inside ip 10.110.10.1 port 21
[Router-nat-server-group-0] inside ip 10.110.10.2 port 21
[Router-nat-server-group-0] inside ip 10.110.10.3 port 21
[Router-nat-server-group-0] quit
# Associate internal server group 0 with GigabitEthernet 3/1/2 so that hosts in the server group can
provide FTP services.
[Router] interface GigabitEthernet 3/1/2
[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 ftp inside
server-group 0
[Router-GigabitEthernet3/1/2] quit
101
Figure 48 Network diagram
10.110 .10. 1/16 10. 110. 10.2/16 202.38 .1.4/24
Web ser ver FTP server DNS server
GE3/1/1 GE3/1/2
10.110.10.10/16 202.38 .1.1/24
Interne t
Router
Host A Host B
10.110.10 .3/16 20.38.1 .10/24
Configuration procedure
# Configure the IP addresses for the interfaces as shown in Figure 48. (Details not shown)
# Enter the view of interface GigabitEthernet 3/1/2.
<Router> system-view
[Router] interface GigabitEthernet 3/1/2
# Configure two DNS mapping entries: map the domain name www.server.com of the web server to
202.38.1.2, and ftp.server.com of the FTP server to 202.38.1.2.
[Router] nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port www
[Router] nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp
[Router] quit
Domain-name: ftp.server.com
Global-IP : 202.38.1.2
Global-port: 21(ftp)
Protocol : 6(TCP)
Host A and Host B can use the domain name www.server.com to access the web server, and use
ftp.server.com to access the FTP server.
102
Troubleshooting NAT
Symptom: internal server functions abnormally
Solution: Check whether the internal server host is properly configured; whether the router is correctly
configured with respect to the internal server parameters, such as the internal server IP address. It is also
possible that the firewall that has denied external access to the internal network. You can use the display
acl command to verify this. For more information about firewall, see Security Configuration Guide.
103
Configuring IP performance optimization
NOTE:
In this documentation, SPC cards refer to the interface cards prefixed with SPC, for example, SPC-GT48L.
SPE cards refer to the base cards prefixed with SPE, for example, SPE-1020-E-II.
104
Step Command Remarks
By default, the router is disabled from
forwarding directed broadcasts. The
3. Enable the interface to system does not support this command
forward directed ip forward-broadcast [ acl
when working in the hybrid mode. For
broadcasts. acl-number ]
more information about the system working
modes, see Fundamentals Configuration
Guide.
NOTE:
The router does not support the acl keyword.
Configuration example
Network requirements
As shown in Figure 49, the host’s interface and GigabitEthernet 3/1/1 of Router A are on the same
network segment (1.1.1.0/24). Interface GigabitEthernet 3/1/2 of Router A and interface
GigabitEthernet 3/1/2 of Router B are on another network segment (2.2.2.0/24). The default gateway
of the host is GigabitEthernet 3/1/1 (IP address 1.1.1.2/24) of Router A. Configure a static route to the
host on Router B.
Configure Router B to receive directed broadcasts from the host to IP address 2.2.2.255.
Figure 49 Network diagram
Configuration procedure
• Configure Router A:
# Configure IP addresses for GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2.
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] ip address 1.1.1.2 24
[RouterA-GigabitEthernet3/1/1] quit
[RouterA] interface GigabitEthernet 3/1/2
[RouterA-GigabitEthernet3/1/2] ip address 2.2.2.2 24
# Enable GigabitEthernet 3/1/2 to forward directed broadcasts.
[RouterA-GigabitEthernet3/1/2] ip forward-broadcast
• Configure Router B:
# Configure a static route to the host.
[RouterB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for GigabitEthernet 3/1/2.
[RouterB] interface GigabitEthernet 3/1/2
[RouterB-GigabitEthernet3/1/2] ip address 2.2.2.1 24
[RouterB-GigabitEthernet3/1/2] quit
105
After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of interface
GigabitEthernet 3/1/2 of Router A on the host, the ping packets can be received by interface
GigabitEthernet 3/1/2 of Router B. However, if you remove the ip forward-broadcast command,
the ping packets cannot be received by interface GigabitEthernet 3/1/2 of Router B.
NOTE:
• This configuration takes effect only on TCP connections that are established after the configuration rather
than the TCP connections that already exist.
• This configuration is effective only on IP packets. If MPLS is enabled on the interface, you are not
recommended to configure the TCP MSS on the interface.
106
• finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is
started. If no FIN packet is received within the timer interval, the TCP connection will be terminated.
If a FIN packet is received, the TCP connection state changes to TIME_WAIT. If a non-FIN packet is
received, the system restarts the timer upon receiving the last non-FIN packet. The connection is
broken after the timer expires.
To configure TCP timers:
Optional
2. Configure the TCP synwait timer. tcp timer syn-timeout time-value
75 seconds by default
Optional
3. Configure the TCP finwait timer. tcp timer fin-timeout time-value
675 seconds by default
CAUTION:
The actual length of the finwait timer is determined by the following formula:
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the
synwait timer
107
The router will send an ICMP timeout packet under the following conditions:
{ If the router finds the destination of a packet is not itself and the TTL field of the packet is 1, it
will send a “TTL timeout” ICMP error message.
{ When the router receives the first fragment of an IP datagram whose destination is the router
itself, it will start a timer. If the timer times out before all the fragments of the datagram are
received, the router will send a “reassembly timeout” ICMP error packet.
3. Sending ICMP destination unreachable packets
If the router receives an IP packet with the destination unreachable, it will drop the packet and
send an ICMP destination unreachable error packet to the source.
Conditions for sending this ICMP packet:
{ If neither a route nor the default route for forwarding a packet is available, the router will send
a “network unreachable” ICMP error packet.
{ If the destination of a packet is local while the transport layer protocol of the packet is not
supported by the local router, the router sends a “protocol unreachable” ICMP error packet to
the source.
{ When receiving a packet with the destination being local and transport layer protocol being
UDP, if the packet’s port number does not match the running process, the router will send the
source a “port unreachable” ICMP error packet.
{ If the source uses “strict source routing" to send packets, but the intermediate router finds the
next hop specified by the source is not directly connected, the router will send the source a
“source routing failure” ICMP error packet.
{ When forwarding a packet, if the MTU of the sending interface is smaller than the packet but
the packet has been set “Don’t Fragment”, the router will send the source a “fragmentation
needed and Don’t Fragment (DF)-set” ICMP error packet.
108
Step Command Remarks
4. Enable sending of ICMP destination
unreachable packets. ip unreachables enable Disabled by default
NOTE:
• On SPC cards, you can enable sending of ICMP redirect packets only on VLAN interfaces.
• The router stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is
disabled. However, “reassembly timeout” error packets will be sent normally.
109
Device mode ICMP messages sent ICMP messages received Remarks
NOTE:
ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages,
IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.
Configuration procedure
To enable support for ICMP extensions:
NOTE:
After support for ICMP extensions is disabled, no ICMP message sent by the router contains extension
information.
Clear statistics of UDP flows. reset udp statistics Available in user view
111
Configuring adjacency table
NOTE:
• The adjacency table feature only applies to hardware forwarding, but not software forwarding.
• The adjacency table feature does not apply to Ethernet networks that use ARP for storing and managing
neighbor information.
Overview
Introduction to adjacency table
An adjacency table stores information about active neighbors, including neighbor network layer address
(nexthop), outgoing interface, link layer service type, and link layer address (PVC for ATM; unavailable
for PPP).
The concept of neighbor is relevant to network layer. Node B may be an IP neighbor of node A, while
node B may not be an IPX neighbor of node A. Also, a neighbor in the active state is in relation to
network layer. The adjacency table feature only supports the neighbor concept in relation to IP.
A router can be connected with its neighbors through multiple link layer protocols, such as PPP, ATM and
frame relay (FR).
Fields
Some fields in the adjacency table are describes as follows:
• Routing interface—Outgoing interface in a route entry.
• Physical interface—Such as serial interface, POS interface, and ATM interface.
• Logical interface—An abstract interface that does not correspond to any physical entity and is used
for adjacency table implementation, for example, Virtual-Ethernet interface and Virtual-Template
interface.
• Service type—Type of service corresponding to the adjacency table, such as PPP and IP over ATM.
• Action type—Action to take on the packet that matches the entry, forward or drop.
• Link media type—Related to the link layer protocol used by the outgoing interface. P2P indicates
point-to-point, such as the point-to-point protocol (PPP).
• Link head information (IPv6)—Information of the link layer header corresponding to the IPv6
protocol.
112
Task Command Remarks
display adjacent-table { all | physical-interface
interface-type interface-number | routing-interface
Display IPv4 adjacency Available in any
interface-type interface-number | slot slot-number } [ count |
table entries. view
verbose ] [ | { begin | exclude | include }
regular-expression ]
113
Configuring UDP Helper
114
CAUTION:
• The UDP Helper enabled router cannot forward DHCP broadcast packets. In other words, the UDP port
number cannot be set to 67 or 68.
• The UDP Helper enabled device must not forward DHCP broadcast packets that use destination port 67
or 68. Therefore, the UDP port numbers set with the udp-helper port command must not include 67 or
68.
• The configuration of all UDP ports is removed if you disable UDP Helper.
• You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port
numbers.
• You can configure up to 20 destination servers on an interface.
Configuration procedure
NOTE:
Make sure that a route from Router A to the network segment 10.2.0.0/16 is available.
115
# Enable UDP Helper.
<RouterA> system-view
[RouterA] udp-helper enable
# Enable the forwarding of broadcast packets with the UDP destination port number 55.
[RouterA] udp-helper port 55
# Specify the server with the IP address of 10.2.1.1 as the destination server to which UDP packets are to
be forwarded.
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] ip address 10.110.1.1 16
[RouterA-GigabitEthernet3/1/1] udp-helper server 10.2.1.1
116
Configuring IPv6 basics
IPv6 overview
Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet
Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant
difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
IPv6 features
Header format simplification
IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length
of the basic IPv6 packet header. The basic IPv6 packet header has a fixed length of 40 bytes to simplify
IPv6 packet handling and to improve the forwarding efficiency. Although an IPv6 address size is four
times larger than an IPv4 address, the basic IPv6 packet header size is only twice the size of the
option-less IPv4 packet header.
Figure 51 IPv4 packet header format and basic IPv6 packet header format
Address autoconfiguration
To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration.
117
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other
configuration information from a server (for example, a DHCP server).
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and
other configuration information by using its link-layer address and the prefix information advertised
by a router.
To communicate with other hosts on the same link, a host automatically generates a link-local address
based on its link-layer address and the link-local address prefix (FE80::/10).
Built-in security
IPv6 defines extension headers to support IPsec. IPsec provides end-to-end security for network security
solutions and enhances interoperability among different IPv6 applications.
QoS support
The Flow Label field in the IPv6 header allows the router to label the packets and facilitates the special
handling of a flow.
IPv6 addresses
IPv6 address format
An IPv6 address is represented as a set of 16-bit hexadecimals separated by colons. An IPv6 address is
divided into eight groups, and each 16-bit group is represented by four hexadecimal numbers, for
example, 2001:0000:130F:0000:0000:09C0:876A:130B.
To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the
following methods.
• The leading zeros in each group can be removed. For example, the above address can be
represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.
• If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by a
double colon (::). For example, the above address can be represented in the shortest format as
2001:0:130F::9C0:876A:130B.
CAUTION:
A double colon may appear once or not at all in an IPv6 address. Otherwise, the device cannot determine
how many zeros the double colons represent when converting them to zeros to restore a 128-bit IPv6
address.
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network
ID and the host ID of an IPv4 address respectively.
118
An IPv6 address prefix is written in IPv6-address/prefix-length notation where the IPv6-address is
represented in any of the formats above and the prefix-length is a decimal number indicating how many
leftmost bits of the IPv6 address comprises the address prefix.
NOTE:
There are no broadcast addresses in IPv6. Their function is replaced by multicast addresses.
The type of an IPv6 address is designated by the first several bits, the format prefix. Table 5 lists the
mappings between address types and format prefixes.
Table 5 Mappings between address types and format prefixes
Anycast addresses use the unicast address space and have the
Anycast address
identical structure of unicast addresses.
Unicast addresses
Unicast addresses comprise global unicast addresses, link-local unicast addresses, site-local unicast
addresses, the loopback address, and the unspecified address.
• The global unicast addresses, equivalent to public IPv4 addresses, are provided for network service
providers. This type of address allows efficient prefix aggregation to restrict the number of global
routing entries.
• The link-local addresses are used for communication among link-local nodes for neighbor discovery
and stateless autoconfiguration. Packets with link-local source or destination addresses are not
forwarded to other links.
• The site-local unicast addresses are similar to private IPv4 addresses. Packets with site-local source
or destination addresses are not forwarded out of the local site (or a private network).
119
• The loopback address is 0:0:0:0:0:0:0:1 (or ::1). It may never be assigned to any physical
interface and can be used by a node to send an IPv6 packet to itself in the same way as the
loopback address in IPv4.
• The unspecified address is 0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before
acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets.
The unspecified address cannot be used as a destination IPv6 address.
Multicast addresses
IPv6 multicast addresses listed in Table 6 are reserved for special purposes.
Table 6 Reserved IPv6 multicast addresses
Address Application
FF01::1 Node-local scope all-nodes multicast address
Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast
address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate
addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format
of a solicited-node multicast address is:
FF02:0:0:0:0:1:FFXX:XXXX
Where FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6
unicast address or anycast address.
120
Figure 52 Converting a MAC address into an EUI-64 address-based interface identifier
• On a tunnel interface
The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of
the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an
ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For
more information about tunnels, see the chapter “Tunneling configuration.”
• On an interface of another type (such as a serial interface)
The EUI-64 address-based interface identifier is generated randomly by the router.
Router Solicitation (RS) Requests for an address prefix and other configuration
133
message information for autoconfiguration after startup.
Responds to an RS message.
Router Advertisement (RA)
134 Advertises information such as the Prefix Information options and
message
flag bits.
121
ICMPv6 message Type Function
Informs the source host of a better next hop on the path to a
Redirect message 137
particular destination when certain conditions are satisfied.
Address resolution
Similar to the ARP function in IPv4, an IPv6 node acquires the link-layer addresses of neighboring nodes
on the same link through NS and NA message exchanges. Figure 53 shows how Host A acquires the
link-layer address of Host B on a single link.
Figure 53 Address resolution
122
Figure 54 Duplicate address detection
NOTE:
• SR8800 series routers do not support generating IPv6 addresses through stateless address
autoconfiguration.
• In addition to an address prefix, the Prefix Information option also contains the preferred lifetime and
valid lifetime of the address prefix. Nodes update the preferred lifetime and valid lifetime accordingly
through periodic RA messages.
Redirection
A newly started host may contain only a default route to the gateway in its routing table. When certain
conditions are satisfied, the gateway sends an ICMPv6 Redirect message to the source host so that the
host can select a better next hop to forward packets (similar to the ICMP redirection function in IPv4).
The gateway sends an ICMPv6 Redirect message when the following conditions are satisfied.
123
• The receiving interface is the forwarding interface.
• The selected route itself is not created or modified by an ICMPv6 Redirect message.
• The selected route is not the default route.
• The IPv6 packet to be forwarded does not contain any routing header.
Dual stack
Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is a
dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can forward
both IPv4 and IPv6 packets. For an upper layer application that supports both IPv4 and IPv6, either TCP
or UDP can be selected at the transport layer, whereas the IPv6 stack is preferred at the network layer.
Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all
124
transition technologies. However, it does not solve the IPv4 address depletion issue because each dual
stack node must have a globally unique IP address.
Tunneling
Tunneling is an encapsulation technology that utilizes one network protocol to encapsulate packets of
another network protocol and transfer them over the network. For more information about tunneling, see
the chapter “Tunneling configuration.”
NAT-PT
Network Address Translation – Protocol Translation (NAT-PT) is usually applied on a router between IPv4
and IPv6 networks to translate between IPv4 and IPv6 packets, allowing communication between IPv4
and IPv6 nodes. It performs IP address translation, and according to different protocols, performs
semantic translation for packets. This technology is only suitable for communication between a pure IPv4
node and a pure IPv6 node. For more information about NAT-PT, see the chapter “NAT-PT configuration.”
6PE
6PE is a transition technology by which Internet service providers (ISPs) can use existing IPv4 backbone
networks to allow communications between isolated IPv6 networks.
6PE adds labels to the IPv6 routing information of customer networks and advertises the information into
the IPv4 backbone network over Internal Border Gateway Protocol (IBGP) sessions. IPv6 packets are
labeled and forwarded over tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS
LSPs.
Figure 56 Network diagram
CE IPv4/MPLS network CE
IBGP
IPv6 network 6PE 6PE IPv6 network
Customer site Customer site
When an ISP wants to utilize the existing IPv4/MPLS network to provide IPv6 traffic switching capability
through MPLS, only the PE routers need to be upgraded, so 6PE is a highly efficient solution. In addition,
the operation risk of 6PE is very low.
CAUTION:
• The router does not support NAT-PT.
• For more information or configuration related to 6PE, see Layer 3—IP Routing Configuration Guide.
125
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
• RFC 2461, Neighbor Discovery for IP Version 6 (IPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
• RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6)
Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses
• RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture
• RFC 3596: DNS Extensions to Support IP Version 6
Task Remarks
Enabling IPv6 Required
Configuring IPv6 ND Setting the age timer for ND entries in stale state Optional
Configuring PMTU discovery Configuring a static PMTU for a specified IPv6 address Optional
126
Configuring basic IPv6 functions
Enabling IPv6
Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface
cannot forward IPv6 packets even if it has an IPv6 address configured.
To enable IPv6:
NOTE:
• You can configure multiple IPv6 global unicast addresses with different prefixes on an interface.
• A manually configured global unicast address takes precedence over an automatically generated one.
If a global unicast address has been automatically generated on an interface when you manually
configure another one with the same address prefix, the latter overwrites the previous. The overwritten
automatic global unicast address will not be restored even if the manual one is removed. Instead, a new
global unicast address will be automatically generated based on the address prefix information in the
RA message that the interface receives at the next time.
interface interface-type
2. Enter interface view. N/A
interface-number
3. Configure the interface to
ipv6 address ipv6-address | By default, no IPv6 global unicast
generate an EUI-64 IPv6
prefix-length eui-64 address is configured on an interface.
address.
Manual configuration
To specify an IPv6 address manually for an interface:
127
Step Command Remarks
1. Enter system view. system-view N/A
interface interface-type
2. Enter interface view. N/A
interface-number
NOTE:
• An interface can have one link-local address only. To avoid link-local address conflicts, use the
automatic generation method.
• Manual assignment takes precedence over automatic generation. If you first use automatic generation
and then manual assignment, the manually assigned link-local address will overwrite the automatically
generated one. If you first use manual assignment and then automatic generation, the automatically
generated link-local address will not take effect and the link-local address is still the manually assigned
one. If you delete the manually assigned address, the automatically generated link-local address is
validated.
interface interface-type
2. Enter interface view. N/A
interface-number
Optional.
By default, no link-local address is
3. Configure the interface to configured on an interface.
automatically generate an ipv6 address auto link-local After an IPv6 global unicast
IPv6 link-local address. address is configured on the
interface, a link-local address is
generated automatically.
interface interface-type
2. Enter interface view. N/A
interface-number
128
Step Command Remarks
Optional.
By default, no link-local address is
3. Configure an IPv6
ipv6 address ipv6-address configured on an interface.
link-local address
link-local After an IPv6 global unicast address is
manually.
configured on the interface, a link-local
address is generated automatically.
NOTE:
• After an IPv6 global unicast address is configured for an interface, a link-local address is generated
automatically. The automatically generated link-local address is the same as the one generated by using
the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface,
this manual link-local address takes effect. If the manually assigned link-local address is removed, the
automatically generated link-local address takes effect.
• The undo ipv6 address auto link-local command can only remove the link-local addresses generated
through the ipv6 address auto link-local command. However, if an IPv6 global unicast address is
already configured for an interface, the interface still has a link-local address because the system
automatically generates one for the interface. If no IPv6 global unicast address is configured, the
interface has no link-local address.
interface interface-type
2. Enter interface view. N/A
interface-number
Optional.
3. Configure an IPv6 anycast ipv6 address ipv6-address | By default, no IPv6 anycast
address. prefix-length anycast address is configured on an
interface.
Configuring IPv6 ND
Configuring a static neighbor entry
The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through
NS and NA messages or through a manually configured static neighbor entry.
The router uniquely identifies a static neighbor entry by the neighbor's IPv6 address and the local Layer
3 interface number. You can configure a static neighbor entry by using either of the following methods.
• Associate a neighbor IPv6 address and link-layer address with the Layer 3 interface of the local
node.
• Associate a neighbor IPv6 address and link-layer address with a port in a VLAN containing the
local node.
129
To configure a static neighbor entry:
Step Command
1. Enter system view. system-view
CAUTION:
You can use either method above to configure a static neighbor entry for a VLAN interface.
• After a static neighbor entry is configured by using the first method, the device needs to resolve the
corresponding Layer 2 port information of the VLAN interface.
• If you use the second method, make sure that the corresponding VLAN interface exists and that the Layer
2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. After a static
neighbor entry is configured, the device associates the VLAN interface with the IPv6 address to identify
the static neighbor entry uniquely.
interface interface-type
2. Enter interface view. N/A
interface-number
Optional.
130
To set the age timer for ND entries in stale state:
Parameters Description
When sending an IPv6 packet, a host uses the value to fill the Hop Limit field in IPv6
Cur Hop Limit headers. The value is also filled into the Hop Limit field in the response packet of a
device.
Prefix Information After receiving the prefix information, the hosts on the same link can perform
options stateless autoconfiguration.
MTU Makes sure that all nodes on a link use the same MTU value.
M flag If the M flag is set to 1, hosts use the stateful autoconfiguration (for example, through
a DHCP server) to acquire IPv6 addresses. Otherwise, hosts use the stateless
autoconfiguration to acquire IPv6 addresses and generate IPv6 addresses
according to their own link-layer addresses and the obtained prefix information.
Router Lifetime This field tells the receiving hosts how long the advertising device can live.
If the router fails to receive a response message within the specified time after
Retrans Timer
sending an NS message, it will retransmit the NS message.
If the neighbor reachability detection shows that a neighbor is reachable, the router
considers the neighbor reachable within the specified reachable time. If the router
Reachable Time
needs to send a packet to the neighbor after the specified reachable time expires,
the router will reconfirm whether the neighbor is reachable.
131
Step Command Remarks
interface interface-type
2. Enter interface view. N/A
interface-number
3. Disable RA message
undo ipv6 nd ra halt By default, RA messages are suppressed.
suppression.
Optional.
By default, the maximum interval for
sending RA messages is 600 seconds,
and the minimum interval is 200
4. Configure the maximum and ipv6 nd ra interval seconds.
minimum intervals for max-interval-value The router sends RA messages at random
sending RA messages. min-interval-value intervals between the maximum interval
and the minimum interval.
The minimum interval should be less than
or equal to 0.75 times the maximum
interval.
Optional.
2. Configure the hop limit. ipv6 nd hop-limit value
64 by default.
interface interface-type
3. Enter interface view. N/A
interface-number
Optional.
By default, no prefix information is
ipv6 nd ra prefix { ipv6-prefix configured for RA messages, and the
4. Configure the prefix prefix-length | IPv6 address of the interface sending RA
information in RA ipv6-prefix/prefix-length } messages is used as the prefix
messages. valid-lifetime preferred-lifetime information with valid lifetime 2592000
[ no-autoconfig | off-link ] * seconds (that is, 30 days) and preferred
lifetime 604800 seconds (that is, 7
days).
Optional.
5. Turn off the MTU option in
ipv6 nd ra no-advlinkmtu By default, RA messages contain the
RA messages.
MTU option.
Optional.
ipv6 nd autoconfig By default, the M flag bit is set to 0 and
6. Set the M flag bit to 1.
managed-address-flag hosts acquire IPv6 addresses through
stateless autoconfiguration.
Optional.
By default, the O flag bit is set to 0 and
7. Set the O flag bit to 1. ipv6 nd autoconfig other-flag hosts acquire other configuration
information through stateless
autoconfiguration.
132
Step Command Remarks
8. Configure the router Optional
ipv6 nd ra router-lifetime value
lifetime in RA messages. 1800 seconds by default.
Optional.
By default, the local interface sends NS
messages at 1000 millisecond intervals,
9. Set the NS retransmission and the value of the Retrans Timer field
ipv6 nd ns retrans-timer value
timer. in RA messages sent by the local
interface is 0. The interval for
retransmitting an NS message is
determined by the receiving device.
Optional.
By default, the neighbor reachable time
on the local interface is 30000
ipv6 nd nud reachable-time milliseconds, and the value of the
10. Set the reachable time.
value Reachable Time field in the RA messages
sent by the local interface is 0. The
neighbor reachable time is determined
by the receiving device.
NOTE:
• The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA
messages, so that the router can be updated through an RA message before expiration.
• The values of the NS retransmission timer and the reachable time configured for an interface are sent to
hosts via RA messages. Furthermore, this interface sends NS messages at the interval of the NS
retransmission timer and considers a neighbor reachable within the reachable time.
interface interface-type
2. Enter interface view. N/A
interface-number
Optional.
3. Configure the number of
attempts to send an NS ipv6 nd dad attempts value 1 by default. When the value
message for DAD. argument is set to 0, DAD is
disabled.
133
Configuring PMTU discovery
Configuring the interface MTU
IPv6 routers do not support packet fragmentation. After an IPv6 router receives an IPv6 packet, if the
packet size is greater than the MTU of the forwarding interface, the router will discard the packet.
Meanwhile, the router sends the MTU to the source host through an ICMPv6 packet — Packet Too Big
message. The source host fragments the packet according to the MTU and resends it. To reduce the extra
flow overhead resulting from packets being discarded, a proper interface MTU should be configured
according to the actual networking environment.
To configure the interface MTU:
interface interface-type
2. Enter interface view. N/A
interface-number
3. Configure the interface MTU. ipv6 mtu mtu-size 1500 bytes by default
134
Step Command Remarks
2. Configure the aging time for Optional
ipv6 pathmtu age age-time
dynamic PMTUs. 10 minutes by default
Optional
3. Set the finwait timer. tcp ipv6 timer fin-timeout wait-time
675 seconds by default
135
Step Command Remarks
Configure the load sharing based on
the hash algorithm: Optional.
ipv6 fib-loadbalance-type hash-based By default, the load sharing based
2. Configure the IPv6 FIB
load sharing mode. Configure the load sharing based on on polling is adopted and each
polling: ECMP route is used in turn to
undo ipv6 fib-loadbalance-type forward packets.
hash-based
Optional.
By default, the capacity of a token
bucket is 10 and the update interval is
2. Configure the capacity 100 milliseconds. At most 10 ICMPv6
ipv6 icmp-error { bucket
and update interval of the error packets can be sent within 100
bucket-size | ratelimit interval } *
token bucket. milliseconds.
The update interval “0” indicates that
the number of ICMPv6 error packets
sent is not restricted.
136
Step Command Remarks
1. Enter system view. system-view N/A
137
If an attacker sends abnormal traffic that causes the router to generate ICMPv6 destination unreachable
messages, end users may be affected. To prevent such attacks, you can disable the router from sending
ICMPv6 destination unreachable messages.
To enable sending of ICMPv6 destination unreachable messages:
Display the IPv6 FIB entry of display ipv6 fib [ vpn-instance vpn-instance-name ]
a specified destination IPv6 ipv6-address [ prefix-length ] [ | { begin | exclude | Available in any view
address. include } regular-expression ]
138
Task Command Remarks
Display the IPv6 TCP display tcp ipv6 statistics [ | { begin | exclude |
Available in any view
connection statistics. include } regular-expression ]
Display the IPv6 UDP display udp ipv6 statistics [ | { begin | exclude |
Available in any view
connection statistics. include } regular-expression ]
Clear the PMTU values. reset ipv6 pathmtu { all | static | dynamic} Available in user view
Configuration procedure
1. Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Assign a global unicast address for interface GigabitEthernet 2/1/1.
[RouterA] interface GigabitEthernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ipv6 address 3001::1/64
[RouterA-GigabitEthernet2/1/1] quit
139
# Assign a global unicast addresses for interface GigabitEthernet 2/1/2 and allow it to advertise
RA messages (no interface advertises RA messages by default).
[RouterA] interface GigabitEthernet 2/1/2
[RouterA-GigabitEthernet2/1/2] ipv6 address 2001::1/64
[RouterA-GigabitEthernet2/1/2] undo ipv6 nd ra halt
2. Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Assign a global unicast address for interface GigabitEthernet 2/1/1.
[RouterB] interface GigabitEthernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ipv6 address 3001::2/64
[RouterB-GigabitEthernet2/1/1] quit
# Configure an IPv6 static route with destination IP address 2001::/64 and next hop address
3001::1.
[RouterB] ipv6 route-static 2001:: 64 3001::1
3. Configure Host:
Enable IPv6 for Host to automatically get an IPv6 address automatically through IPv6 ND.
[RouterA] display ipv6 neighbors interface GigabitEthernet 2/1/2
Type: S-Static D-Dynamic
IPv6 Address Link-layer VID Interface State T Age
FE80::215:E9FF:FEA6:7D14 0015-e9a6-7d14 N/A GE2/1/2 STALE D 1238
2001::15B:E0FA:3524:E791 0015-e9a6-7d14 N/A GE2/1/2 STALE D 1248
The output shows that the IPv6 global unicast address that Host obtained is
2001::15B:E0EA:3524:E791.
140
InReceives: 25829
InTooShorts: 0
InTruncatedPkts: 0
InHopLimitExceeds: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 47
OutRequests: 89
OutForwDatagrams: 48
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 6
InMcastNotMembers: 25747
OutMcastPkts: 48
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
141
InReceives: 272
InTooShorts: 0
InTruncatedPkts: 0
InHopLimitExceeds: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 159
OutRequests: 1012
OutForwDatagrams: 35
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 79
InMcastNotMembers: 65
OutMcastPkts: 938
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Display the IPv6 interface settings on Router B. All the IPv6 global unicast addresses configured on the
interface are displayed.
[RouterB] display ipv6 interface GigabitEthernet 2/1/1 verbose
GigabitEthernet2/1/1 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234
Global unicast address(es):
3001::2, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:0
FF02::1:FF00:2
FF02::1:FF00:1234
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 117
InTooShorts: 0
142
InTruncatedPkts: 0
InHopLimitExceeds: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 117
OutRequests: 83
OutForwDatagrams: 0
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 28
InMcastNotMembers: 0
OutMcastPkts: 7
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Ping Router A and Router B from Host, and ping Router A and Host from Router B to verify that they are
connected.
CAUTION:
When you ping a link-local address, you should use the “–i” parameter to specify an interface for the
link-local address.
143
round-trip min/avg/max = 3/3/3 ms
As shown in the output information, Host can ping Router B and Router A.
Solution
• Use the display current-configuration command in any view or the display this command in system
view to verify that IPv6 is enabled.
• Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface
is correct and the interface is up.
144
Configuring DHCPv6
Basic concepts
Multicast address of all DHCPv6 servers and relay agents
The multicast address FF02::1:2 identifies all DHCPv6 servers and relay agents on the local link.
DUID
A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 client, relay agent, or server, and is used
for authentication between DHCPv6 devices.
A DUID based on link-layer address (DUID-LL) defined in RFC 3315 is used to identify a DHCPv6 device.
The DUID-LL format is shown in Figure 58, where:
• DUID type—The value 0x0003 indicates that the DUID type is DUID-LL.
• Hardware type—The router supports Ethernet as the hardware type with the value of 0x0001.
• Link layer address—Its value is the bridge MAC address of the router.
Figure 58 Format of DUID-LL
145
Typical DHCPv6 network application
Figure 59 Network diagram
A DHCPv6 client uses a multicast address to contact the DHCPv6 server on the local link to obtain an
IPv6 address and other configuration parameters. As shown in Figure 59, if the DHCPv6 server resides
on another subnet, the DHCPv6 client can contact the server via a DHCPv6 relay agent. Thus, you do not
need to deploy a DHCPv6 server on each subnet.
CAUTION:
The router can only serve as the DHCPv6 relay agent.
(2) Relay-forward
(3) Relay-reply
146
3. After obtaining the request from the Relay-forward message, the DHCPv6 server selects an IPv6
address and other required parameters and adds them into a reply which is encapsulated into the
Relay Message Option of a Relay-reply message. The DHCPv6 server then sends the Relay-reply
message to the DHCPv6 relay agent.
4. The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the
DHCPv6 client.
The DHCPv6 client uses the IPv6 address and other network parameters assigned by the DHCPv6 server
to perform network configuration.
Configuration prerequisites
Before you configure DHCPv6 relay agent, enable IPv6 by using the ipv6 command in system view. For
more information about the ipv6 command, see the chapter “IPv6 basics configuration.”
Configuration procedure
To configure the DHCPv6 relay agent:
interface interface-type
2. Enter interface view. N/A
interface-number
3. Enable DHCPv6 relay ipv6 dhcp relay server-address By default, DHCPv6 relay agent is
agent on the interface and ipv6-address [ interface interface-type disabled and no DHCPv6 server is
specify a DHCPv6 server. interface-number ] specified on the interface.
147
NOTE:
• Executing the ipv6 dhcp relay server-address command repeatedly can specify multiple DHCPv6
servers, and up to eight DHCP servers can be specified for an interface. After receiving requests from
DHCPv6 clients, the DHCPv6 relay agent forwards the requests to all the specified DHCPv6 servers.
• If the DHCPv6 server address is a link-local address or link-scoped multicast address on the local link,
you must specify an outgoing interface using the interface keyword in the ipv6 dhcp relay
server-address command; otherwise, DHCPv6 packets may fail to be forwarded to the DHCPv6 server.
• Removing all the specified DHCPv6 server addresses from an interface with the undo ipv6 dhcp relay
server-address command disables DHCPv6 relay agent on the interface.
Display packet statistics on the display ipv6 dhcp relay statistics [ | { begin |
Available in any view
DHCPv6 relay agent. exclude | include } regular-expression ]
148
Figure 61 Network diagram
Configuration procedure
1. Configure Router A as a DHCPv6 relay agent:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure the IPv6 addresses of GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2
respectively.
[RouterA] interface GigabitEthernet 3/1/2
[RouterA-GigabitEthernet3/1/2] ipv6 address 2::1 64
[RouterA-GigabitEthernet3/1/2] quit
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] ipv6 address 1::1 64
# Enable DHCPv6 relay agent and specify the DHCPv6 server address on interface
GigabitEthernet 3/1/1.
[RouterA-GigabitEthernet3/1/1] ipv6 dhcp relay server-address 2::2
2. Configure Router A as a gateway:
# Enable Router A to send RA messages and set the “M” and “O” flags.
[RouterA-GigabitEthernet3/1/1] undo ipv6 nd ra halt
[RouterA-GigabitEthernet3/1/1] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet3/1/1] ipv6 nd autoconfig other-flag
3. Verify the configuration:
# After completing the above configurations, display DHCPv6 server address information on
Router A.
<RouterA> display ipv6 dhcp relay server-address all
Interface: GE3/1/1
Server address(es) Output Interface
2::2
# Display packet statistics on the DHCPv6 relay agent.
<RouterA> display ipv6 dhcp relay statistics
Packets dropped : 0
Error : 0
Excess of rate limit : 0
Packets received : 14
149
SOLICIT : 0
REQUEST : 0
CONFIRM : 0
RENEW : 0
REBIND : 0
RELEASE : 0
DECLINE : 0
INFORMATION-REQUEST : 7
RELAY-FORWARD : 0
RELAY-REPLY : 7
Packets sent : 14
ADVERTISE : 0
RECONFIGURE : 0
REPLY : 7
RELAY-FORWARD : 7
RELAY-REPLY : 0
150
Configuring IPv6 DNS
NOTE:
• A host name can be mapped to one IPv6 address only. If you map a host name to different IPv6
addresses, the last configuration takes effect.
• You can configure up to 50 mappings between domain name and IPv6 address on the router.
151
Step Command Remarks
Not specified by default.
NOTE:
• For more information about the dns resolve and dns domain commands, see Layer 3—IP Services
Command Reference.
• You can configure up to six DNS servers, including those with IPv4 addresses.
• You can specify up to ten DNS suffixes.
NOTE:
For more information about the display dns domain, display dns host ipv6, and reset dns host ipv6
commands, see Layer 3—IP Services Command Reference.
152
Figure 62 Network diagram
Configuration procedure
# Configure a mapping between host name host.com and IPv6 address 1::2.
<Device> system-view
[Device] ipv6 host host.com 1::2
# Use the ping ipv6 host.com command to verify that the device can use static domain name resolution
to resolve domain name host.com into IPv6 address 1::2.
[Device] ping ipv6 host.com
PING host.com (1::2):
56 data bytes, press CTRL_C to break
Reply from 1::2
bytes=56 Sequence=1 hop limit=128 time = 3 ms
Reply from 1::2
bytes=56 Sequence=2 hop limit=128 time = 1 ms
Reply from 1::2
bytes=56 Sequence=3 hop limit=128 time = 1 ms
Reply from 1::2
bytes=56 Sequence=4 hop limit=128 time = 2 ms
Reply from 1::2
bytes=56 Sequence=5 hop limit=128 time = 2 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
153
Figure 63 Network diagram
Configuration procedure
NOTE:
• Before performing the following configuration, make sure that the device and the host are accessible to
each another via available routes, and the IPv6 addresses of the interfaces are configured as
shown Figure 63.
• This configuration may vary with different DNS servers. The following configuration is performed on a
PC running Windows Server 2003. Make sure that the DNS server supports the IPv6 DNS function so
that the server can process IPv6 DNS packets, and the interfaces of the DNS server can forward IPv6
packets.
# Create a mapping between the host name and the IPv6 address.
As shown in Figure 65, right click zone com.
154
Figure 65 Creating a record
In Figure 65, select Other New Records to bring up a dialog box as shown in Figure 66. Select
IPv6 Host (AAA) as the resource record type.
155
Figure 66 Selecting the resource record type
As shown in Figure 67, type host name host and IPv6 address 1::1, and then click OK.
156
Figure 67 Adding a mapping between domain name and IPv6 address
157
bytes=56 Sequence=3 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=4 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=5 hop limit=126 time = 1 ms
158
Configuring NAT-PT
NOTE:
SPE cards in this document refer to cards prefixed with SPE such as SPE-1020-E-II.
Only the cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, and SPE-1020-E-II support NAT service
interface configuration.
NAT-PT overview
Application scenario
Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation – Protocol
Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For
example, it can enable a host in an IPv6 network to access the FTP server in an IPv4 network.
As shown in Figure 68, NAT-PT runs on the router between IPv4 and IPv6 networks. The address
translation is transparent to both IPv4 and IPv6 networks. Users in the IPv6 and IPv4 networks can
communicate without changing their configurations.
Figure 68 Network diagram
Basic concepts
NAT-PT mechanism
There are three NAT-PT mechanisms to realize translation between IPv4 and IPv6 addresses: static
mapping, dynamic mapping, and NAPT-PT.
1. Static mapping
Static mappings are manually configured for translation between IPv6 and IPv4 addresses.
2. Dynamic mapping
159
Dynamic mappings are dynamically generated for translation between IPv6 and IPv4 addresses.
Different from static mappings, dynamic mappings are not fixed one-to-one mappings between
IPv6 and IPv4 addresses.
3. NAPT-PT
Network Address Port Translation – Protocol Translation (NAPT-PT) realizes the TCP/UDP port
number translation besides static or dynamic address translation. With NAPT-PT, different IPv6
addresses can correspond to one IPv4 address. Different IPv6 hosts are distinguished by different
port numbers so that these IPv6 hosts can share one IPv4 address to accomplish the address
translation and save IPv4 addresses.
NAT-PT prefix
The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:
• Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT router detects the prefix of
the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix,
the router will translate source and destination IPv6 addresses of the packet into IPv4 addresses.
• After a packet from an IPv4 host to an IPv6 host is translated through NAT-PT, the prefix of the
translated source IPv6 address is the configured NAT-PT prefix.
Implementing NAT-PT
Session initiated by an IPv6 host
Figure 69 NAT-PT implementation (session initiated by an IPv6 host)
160
4. Forwards the packet and stores the mappings
After the source and destination IPv6 addresses of the packet are translated into IPv4 addresses,
the NAT-PT router forwards the packet to the IPv4 host. Meanwhile, the IPv4/IPv6 address
mappings are stored in the NAT-PT router.
5. Forwards the reply packet according to the stored mappings
Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT router swaps the
source and destination IPv4 addresses according to the stored mappings and forwards the packet
to the IPv6 host.
NAT-PT limitations
NAT-PT has the following limitations:
• In NAT-PT translation, the request and response packets of a session must be processed by the same
NAT-PT router.
• The Options field in the IPv4 packet header cannot be translated.
• NAT-PT does not provide end-to-end security.
Therefore, NAT-PT is not recommended in some applications. For example, tunneling is recommended in
the case where an IPv6 host needs to communicate with another IPv6 host across an IPv4 network. For
more information about tunneling, see the chapter “Configuring tunneling.”
161
Currently, NAT-PT supports Internet Control Message Protocol (ICMP), Domain Name System (DNS), File
Transfer Protocol (FTP), and other protocols that employ the network layer protocol but have no address
information in the protocol messages.
Task Remarks
Enabling NAT-PT Required
Optional
Configuring a static IPv4/IPv6 address mapping on If no static IPv4/IPv6 address mapping is configured,
the IPv4 side the lowest 32 bits of the destination IPv6 address is
used as the translated destination IPv4 address.
Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Task Remarks
Enabling NAT-PT Required
Optional
If no IPv4/IPv6 address mapping is configured,
Configuring IPv4/IPv6 address mappings on the IPv4 side the source IPv4 address added with the first
configured NAT-PT prefix is used as the
translated source IPv6 address.
Configuring NAT-PT
Configuration prerequisites
Before implementing NAT-PT, complete the following tasks:
• Enable IPv6 on the router. For more information, see the chapter “IPv6 basics configuration.“
162
• Configure an IPv4 or IPv6 address as required on the interface to be enabled with NAT-PT.
Enabling NAT-PT
After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the router can
implement translation between IPv4 and IPv6 addresses.
To enable NAT-PT:
Step Command
1. Enter system view. system-view
CAUTION:
• The NAT-PT prefix must be different from the IPv6 address prefix of a local interface. Otherwise,
incoming packets matching the prefix will get lost due to NAT-PT translation.
• To delete a NAT-PT prefix that has been referenced by using the natpt v4bound dynamic or natpt
v6bound dynamic command, you must cancel the referenced configuration first.
Step Command
1. Enter system view. system-view
163
Step Command
2. Enter NAT service interface view. interface nat interface-number
3. Configure a static IPv4/IPv6 address mapping on
natpt v6bound static ipv6-address ipv4-address
the IPv6 side.
164
Step Command Remarks
NOTE:
• The NAT-PT prefix referenced in a natpt v6bound dynamic command must have been configured with
the natpt prefix command.
• If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not
specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses.
• For more information about ACL, see ACL and QoS Configuration Guide.
165
• If the destination IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches a static
IPv4/IPv6 address mapping, the destination IPv6 address is translated into the corresponding IPv4
address.
To configure a static IPv4/IPv6 address mapping on the IPv4 side:
Step Command
1. Enter system view. system-view
Step Command
1. Enter system view. system-view
3. Configure a dynamic IPv4/IPv6 source address natpt v4bound dynamic acl number acl-number
mapping policy on the IPv4 side. prefix natpt-prefix
NOTE:
• Before configuring a dynamic IPv4/IPv6 mapping policy on the IPv4 side, you must use the natpt prefix
command to specify the NAT-PT prefix for the natpt v6bound dynamic acl number command.
• For more information about ACLs, see ACL and QoS Configuration Guide.
2. Set the ToS field in IPv4 By default, the value of the ToS field of IPv4
packets translated from natpt turn-off tos packets is the same as that of the Traffic
IPv6 packets to 0. Class field in corresponding IPv6 packets.
166
Setting the traffic class field after NAT-PT translation
You can set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0 or leave it unchanged.
0 indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that
the existing service priority is used.
To set the Traffic Class field in packets after NAT-PT translation:
Step Command
1. Enter system view. system-view
167
Task Command Remarks
Display all NAT-PT configuration display natpt all [ | { begin | exclude |
Available in any view
information. include } regular-expression ]
Display the static and dynamic NAT-PT display natpt address-mapping [ | { begin |
Available in any view
address mappings. exclude | include } regular-expression ]
Clear all NAT-PT statistics information. reset natpt statistics [ slot slot-number ] Available in user view
Configuration procedure
1. Configure Router B (NAT-PT router):
# Configure interface addresses and enable NAT-PT on the interfaces.
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface serial 4/1/9:0
[RouterB-Serial4/1/9:0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial4/1/9:0] natpt enable
[RouterB-Serial4/1/9:0] quit
[RouterB] interface serial 4/1/9:1
[RouterB-Serial4/1/9:1] ipv6 address 2001::1/64
168
[RouterB-Serial4/1/9:1] natpt enable
[RouterB-Serial4/1/9:1] quit
# Configure a NAT-PT prefix.
[RouterB] interface nat 1/0/1
[RouterB] natpt prefix 3001::
[RouterB-NAT1/0/1] quit
# Configure a NAT-PT address pool.
[RouterB] natpt address-group 1 9.0.0.10 9.0.0.19
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[RouterB] interface nat 1/0/1
[RouterB-NAT1/0/1] natpt v6bound dynamic prefix 3001:: address-group 1
2. Configure Router A on the IPv4 side:
# Configure a static route to subnet 9.0.0.0/24.
<RouterA> system-view
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Enable IPv6.
<RouterC> system-view
[RouterC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterC] ipv6 route-static 3001:: 16 2001::1
Configuring static mappings on the IPv4 side and the IPv6 side
Network requirements
As shown in Figure 71, Router C with IPv6 address 2001::2/64 on an IPv6 network can communicate
with Router A with IPv4 address 8.0.0.2/24 on an IPv4 network.
Configure Router B that is deployed between the IPv4 network and IPv6 network as a NAT-PT router, and
configure static mappings on the IPv4 side and IPv6 side on Router B, so that Router A and Router C can
communicate with each other. On router B, slot number1 is installed with one of the following cards:
SPE-1010-II, SPE-1010-E-II, SPE-1020-II, and SPE-1020-E-II; slot number 4 is installed with an SPE card.
Figure 71 Network diagram
Configuration procedure
1. Configure Router B (NAT-PT router):
169
# Configure interface addresses and enable NAT-PT on the interfaces.
<RouterB> system-view
[RouterB] ipv6
[RouterB] interface serial 4/1/9:0
[RouterB-Serial4/1/9:0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial4/1/9:0] natpt enable
[RouterB-Serial4/1/9:0] quit
[RouterB] interface serial 4/1/9:1
[RouterB-Serial4/1/9:1] ipv6 address 2001::1/64
[RouterB-Serial4/1/9:1] natpt enable
[RouterB-Serial4/1/9:1] quit
# Configure a NAT-PT prefix.
[RouterB] interface nat 1/0/1
[RouterB-NAT1/0/1] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side.
[RouterB-NAT1/0/1] natpt v4bound static 8.0.0.2 3001::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side.
[RouterB-NAT1/0/1] natpt v6bound static 2001::2 9.0.0.5
2. Configure Router A on the IPv4 side:
# Configure the IP address of Serial 4/1/9:0.
<RouterA> system-view
[RouterA] interface serial 4/1/9:0
[RouterA-Serial4/1/9:0] ip address 8.0.0.2 255.255.255.0
[RouterA-Serial4/1/9:0] quit
# Configure a static route to subnet 9.0.0.0/24.
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Configure the IP address of Serial 4/1/9:0.
<RouterC> system-view
[RouterC] interface serial 4/1/9:0
[RouterC-Serial4/1/9:0] ipv6 address 2001::2/64
[RouterC-Serial4/1/9:0] quit
# Enable IPv6.
[RouterC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterC] ipv6 route-static 3001:: 16 2001::1
Troubleshooting NAT-PT
Symptom
NAT-PT fails when a session is initiated on the IPv6 side.
170
Solution
• Enable debugging for NAT-PT and locate the fault according to the debugging information of the
router.
• During debugging, check whether the source address of a packet is translated successfully. If not,
it is possible that the address pool has no sufficient IP addresses.
• You can configure a larger address pool, or use NAPT-PT to perform NAT-PT.
171
Configuring tunneling
Tunneling overview
Tunneling is an encapsulation technology, which uses one network protocol to encapsulate packets of
another network protocol and transfer them over a virtual point-to-point connection. The virtual
connection is called a tunnel. Packets are encapsulated and de-encapsulated at both ends of a tunnel.
Tunneling refers to the whole process from data encapsulation to data transfer to data de-encapsulation.
Tunneling provides the following features:
• Transition techniques, such as IPv6 over IPv4 tunneling, to interconnect IPv4 and IPv6 networks.
• Virtual Private Networks (VPNs) for guaranteeing communication security, such as IPv4 over IPv4
tunneling and Generic Routing Encapsulation (GRE).
• Traffic engineering, such as Multiprotocol Label Switching traffic engineering (MPLS TE) to prevent
network congestion.
Unless otherwise specified, the term tunnel in this document refers to an IPv4/IPv6 transition tunnel or
IPv4 over IPv6 tunnel.
NOTE:
• For more information about GRE, see the chapter “GRE configuration.”
• For more information about MPLS TE, see MPLS TE Configuration Guide.
CAUTION:
The routers at both ends of an IPv6 over IPv4 tunnel must support IPv4/IPv6 dual stack.
172
Figure 72 Principle of IPv6 over IPv4 tunnel
The IPv6 over IPv4 tunnel processes packets in the following ways:
1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.
2. After determining according to the routing table that the packet needs to be forwarded through the
tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the
physical interface of the tunnel.
3. Upon receiving the packet, Device B de-encapsulates the packet.
4. Device B forwards the packet according to the destination address in the de-encapsulated IPv6
packet. If the destination address is the device itself, Device B forwards the IPv6 packet to the
upper-layer protocol for processing.
Tunnel types
IPv6 over IPv4 tunnels are divided into manually configured tunnels and automatic tunnels, depending
on how the IPv4 address of the tunnel destination is acquired.
• Manually configured tunnel—The destination address of the tunnel cannot be automatically
acquired through the destination IPv6 address of an IPv6 packet at the tunnel source, and must be
manually configured.
• Automatic tunnel—The destination address of the tunnel is an IPv6 address with an IPv4 address
embedded, and the IPv4 address can be automatically acquired through the destination IPv6
address of an IPv6 packet at the tunnel source.
According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are divided into the
following modes.
Table 9 IPv6 over IPv4 tunnel modes and key parameters
173
Tunnel source/destination Tunnel interface
Tunnel type Tunnel mode
address address type
The source IP address is a 6to4 address, in the
manually configured IPv4 format of
6to4 tunneling
address. The destination IP 2002:IPv4-source-addr
address need not be configured. ess::/48
174
A 6to4 tunnel is only used to connect 6to4 networks, whose IP prefix must be 2002::/16.
However, IPv6 network addresses with the prefix such as 2001::/16 may also be used in IPv6
networks. To connect a 6to4 network to an IPv6 network, a 6to4 router must be used as a gateway
to forward packets to the IPv6 network. Such a router is called 6to4 relay router.
As shown in Figure 73, a static route must be configured on the border router (Device A) in the
6to4 network and the next-hop address must be the 6to4 address of the 6to4 relay router (Device
C). In this way, all packets destined for the IPv6 network will be forwarded to the 6to4 relay router,
and then to the IPv6 network. Thus, internetworking between the 6to4 network (with the address
prefix starting with 2002) and the IPv6 network is realized.
Figure 73 6to4 tunnel
4. ISATAP tunnel
With the application of the IPv6 technology, there will be more and more IPv6 hosts in the existing
IPv4 network. The ISATAP tunneling technology provides a satisfactory solution for IPv6
application. An ISATAP tunnel is a point-to-multipoint automatic tunnel. The destination of a tunnel
can automatically be acquired from the embedded IPv4 address in the destination address of an
IPv6 packet.
When an ISATAP tunnel is used, the destination address of an IPv6 packet and the IPv6 address
of a tunnel interface both adopt special ISATAP addresses. The ISATAP address format is
prefix(64bit):0:5EFE:abcd:efgh. The 64-bit prefix is the prefix of a valid IPv6 unicast address, but
abcd:efgh is a 32-bit source IPv4 address in hexadecimal, which might not be globally unique.
Through the embedded IPv4 address, an ISATAP tunnel can be automatically created to transfer
IPv6 packets.
The ISATAP tunnel is mainly used for communication between IPv6 routers or between a host and
an IPv6 router over an IPv4 network.
Figure 74 Principle of ISATAP tunnel
175
IPv4 over IPv4 tunnel
Introduction
The IPv4 over IPv4 tunneling (specified in RFC 1853) is developed for IP data packet encapsulation so
that data can be transferred from one IPv4 network to another IPv4 network.
176
Tunneling configuration task list
Complete the following tasks to configure the tunneling feature:
Task Remarks
Configuring a tunnel interface Required
NOTE:
For how to configure the IPv6 MTU of a tunnel interface, see the ipv6 mtu command in Layer 3—IP
Services Command Reference.
Optional.
3. Configure the description for the By default, the description of a
description text
interface. tunnel interface is the interface name
followed by the "Interface" string.
4. Specify the service card for Optional.
forwarding the traffic on the service slot slot-number
interface (distributed devices). Not specified by default.
177
Step Command Remarks
7. Restore the default settings. default Optional.
Optional.
8. Shut down the tunnel interface. shutdown
By default, the interface is up.
NOTE:
• When active/standby switchover occurs or the standby card is removed from a distributed device,
tunnels configured on the active or standby card still exist. To delete tunnels, use the undo interface
tunnel command.
• For more information about the ipv6 mtu command, see Layer 3—IP Services Command Reference.
• The tunnel bandwidth command does not change the actual bandwidth of the tunnel interface, but sets
a bandwidth value for dynamical routing protocols to calculate the cost of a tunnel path. You can
determine the value according to the bandwidth of the output interface.
Configuration guidelines
When you configure an IPv6 manual tunnel, follow these guidelines:
• After a tunnel interface is deleted, all the above features configured on the tunnel interface will be
deleted.
• To encapsulate and forward IPv6 packets whose destination address does not belong to the
network segment where the receiving tunnel interface resides, you need to configure a static route
or dynamic routing for forwarding those packets through this tunnel interface. If you configure a
static route to that destination IPv6 address, specify this tunnel interface as the outbound interface,
or the peer tunnel interface address as the next hop. A similar configuration needs to be performed
at the other tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing
protocol on both tunnel interfaces. For the detailed configuration, see Layer 3—IP Routing
Configuration Guide.
Configuration procedure
To configure an IPv6 manual tunnel:
178
Step Command Remarks
3. Enter tunnel interface
interface tunnel number N/A
view.
Configuration example
Network requirements
As shown in Figure 76, two IPv6 networks are connected over an IPv4 network. Configure an IPv6
manual tunnel between Router A and Router B to make the two IPv6 networks reachable to each other.
If the destination IPv4 address cannot be automatically obtained from the destination IPv6 addresses of
packets, configure an IPv6 manual tunnel.
179
Figure 76 Network diagram
Configuration procedure
NOTE:
Before configuring an IPv6 manual tunnel, make sure that Router A and Router B are reachable to each
other.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for GigabitEthernet 2/1/1.
[RouterA] interface GigabitEthernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ip address 192.168.100.1 255.255.255.0
[RouterA-GigabitEthernet2/1/1] quit
# Configure an IPv6 address for GigabitEthernet 2/1/2.
[RouterA] interface GigabitEthernet 2/1/2
[RouterA-GigabitEthernet2/1/2] ipv6 address 3002::1 64
[RouterA-GigabitEthernet2/1/2] quit
# Configure an IPv6 manual tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address 3001::1/64
[RouterA-Tunnel0] source GigabitEthernet 2/1/1
[RouterA-Tunnel0] destination 192.168.50.1
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4
[RouterA-Tunnel0] quit
# Configure a static route to IPv6 Group 2 through tunnel 0 on Router A.
[RouterA] ipv6 route-static 3003:: 64 tunnel 0
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv4 address for GigabitEthernet 2/1/1.
[RouterB] interface GigabitEthernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet2/1/1] quit
# Configure an IPv6 address for GigabitEthernet 2/1/2.
180
[RouterA] interface GigabitEthernet 2/1/2
[RouterA-GigabitEthernet2/1/2] ipv6 address 3003::1 64
[RouterA-GigabitEthernet2/1/2] quit
# Configure an IPv6 manual tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 3001::2/64
[RouterB-Tunnel0] source GigabitEthernet 2/1/1
[RouterB-Tunnel0] destination 192.168.100.1
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4
[RouterB-Tunnel0] quit
# Configure a static route to IPv6 Group 1 through tunnel 0 on Router B.
[RouterB] ipv6 route-static 3002:: 64 tunnel 0
181
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 55
……(omitted)
# Ping the IPv6 address of the peer interface GigabitEthernet 2/1/2 from Router A:
[RouterA] ping ipv6 3003::1
PING 3003::1 : 56 data bytes, press CTRL_C to break
Reply from 3003::1
bytes=56 Sequence=1 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=2 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=3 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from 3003::1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
Configuration guidelines
When you configure an automatic IPv4-compatible IPv6 tunnel, follow these guidelines:
• No destination address needs to be configured for an automatic IPv4-compatible IPv6 tunnel. The
destination address of the tunnel can be automatically obtained through the IPv4 address
embedded in the IPv4-compatible IPv6 address.
• The automatic tunnel interfaces encapsulated with the same protocol cannot share the same source
IP address.
182
Configuration procedure
To configure an automatic IPv4-compatible IPv6 tunnel:
Configuration example
Network requirements
As shown in Figure 77, dual-stack routers, Router A and Router B are connected over an IPv4 network.
Configure an automatic IPv4-compatible IPv6 tunnel between the two routers to enable the IPv6 networks
to communicate with each other over the tunnel.
183
Figure 77 Network diagram
Configuration procedure
NOTE:
Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure that Router A and Router B are
reachable to each other.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IP address for GigabitEthernet 2/1/1.
[RouterA] interface GigabitEthernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ip address 192.168.100.1 255.255.255.0
[RouterA-GigabitEthernet2/1/1] quit
# Configure an automatic IPv4-compatible IPv6 tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address ::192.168.100.1/96
[RouterA-Tunnel0] source GigabitEthernet 2/1/1
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 auto-tunnel
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IP address for GigabitEthernet 2/1/1.
[RouterB] interface GigabitEthernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet2/1/1] quit
# Configure an automatic IPv4-compatible IPv6 tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address ::192.168.50.1/96
[RouterB-Tunnel0] source GigabitEthernet 2/1/1
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 auto-tunnel
184
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:6401
Global unicast address(es):
::192.168.100.1, subnet is ::/96
Joined group address(es):
FF02::1:FFA8:6401
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 65
……(omitted)
[RouterB] display ipv6 interface tunnel 0 verbose
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:3201
Global unicast address(es):
::192.168.50.1, subnet is ::/96
Joined group address(es):
FF02::1:FFA8:3201
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 65
……(omitted)
# Ping the IPv4-compatible IPv6 address of the peer tunnel interface from Router A.
[RouterA] ping ipv6 ::192.168.50.1
PING ::192.168.50.1 : 56 data bytes, press CTRL_C to break
Reply from ::192.168.50.1
bytes=56 Sequence=1 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=2 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=3 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from ::192.168.50.1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
185
--- ::192.168.50.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Configuration guidelines
When you configure a 6to4 tunnel, follow these guidelines:
• No destination address needs to be configured for a 6to4 tunnel because the destination address
can automatically be obtained from the IPv4 address embedded in the 6to4 IPv6 address.
• To encapsulate and forward IPv6 packets whose destination address does not belong to the
network segment where the receiving tunnel interface resides, you need to configure a static route
to reach the destination IPv6 address through this tunnel interface on the router. Because automatic
tunnels do not support dynamic routing, you can configure a static route to that destination IPv6
address with this tunnel interface as the outbound interface or the peer tunnel interface address as
the next hop. A similar configuration needs to be performed at the other tunnel end. For the detailed
configuration, see Layer 3—IP Routing Configuration Guide.
• The automatic tunnel interfaces using the same encapsulation protocol cannot share the same
source IP address.
Configuration procedure
To configure a 6to4 tunnel:
186
Step Command Remarks
Use either the ipv6 address
{ ipv6-address prefix-length |
ipv6-address | prefix-length } or
the ipv6 address ipv6-address |
• Configure an IPv6 global unicast prefix-length eui-64 command to
address or site-local address: configure an IPv6 global unicast
{ ipv6 address { ipv6-address address or site-local address.
prefix-length | ipv6-address |
By default,
prefix-length }
ipv6 address ipv6-address |
• No IPv6 global unicast
4. Configure an IPv6 address for {
address or site-local address
the tunnel interface. prefix-length eui-64
is configured for the tunnel
• Configure an IPv6 link-local interface.
address:
• A link-local address will
a. ipv6 address auto link-local
automatically be generated
b. ipv6 address ipv6-address when an IPv6 global unicast
link-local address or site-local address
is configured.
The IPv6 link-local address
configuration is optional.
187
Figure 78 Network diagram
6to4 router GE2/1/1 6to4 router
GE2/1/1
2.1.1.1/24 5.1.1.1/24
Router A IPv4 netwok
6to4 tunnel Router B
GE2/1/2 Tunnel 0 Tunnel 0 GE2/1/2
2002:0201:0101:1::1/64 2002:0201:0101::1/64 2002:0501:0101::1/64 2002:0501:0101:1::1/64
6to4 6to4
Group 1 Group 2
Host A Host B
2002:0201:0101:1::2/64 2002:0501:0101:1::2/64
Configuration procedure
NOTE:
Before configuring a 6to4 tunnel, make sure that Router A and Router B are reachable to each other.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for GigabitEthernet 2/1/1.
[RouterA] interface GigabitEthernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ip address 2.1.1.1 24
[RouterA-GigabitEthernet2/1/1] quit
# Configure an IPv6 address for GigabitEthernet 2/1/2.
[RouterA] interface GigabitEthernet 2/1/2
[RouterA-GigabitEthernet2/1/2] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/1/2] quit
# Configure the 6to4 tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address 2002:201:101::1/64
[RouterA-Tunnel0] source GigabitEthernet 2/1/1
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel0] quit
# Configure a static route whose destination address is 2002::/16 and next-hop is the tunnel
interface.
[RouterA] ipv6 route-static 2002:: 16 tunnel 0
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
[RouterB] ipv6
# Configure an IPv6 address for GigabitEthernet 2/1/1.
[RouterB] interface GigabitEthernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ip address 5.1.1.1 24
188
[RouterB-GigabitEthernet2/1/1] quit
# Configure an IPv6 address for GigabitEthernet 2/1/2.
[RouterB] interface GigabitEthernet 2/1/2
[RouterB-GigabitEthernet2/1/2] ipv6 address 2002:0501:0101:1::1/64
[RouterB-GigabitEthernet2/1/2] quit
# Configure a 6to4 tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 2002:0501:0101::1/64
[RouterB-Tunnel0] source GigabitEthernet 2/1/1
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel0] quit
# Configure a static route whose destination address is 2002::/16 and next-hop is the tunnel
interface.
[RouterB] ipv6 route-static 2002:: 16 tunnel 0
Pinging 2002:501:101:1::2
from 2002:201:101:1::2 with 32 bytes of data:
189
Figure 79 Network diagram
6to4 router GE3/1/2 6to4 relay
GE3/1/2
2.1.1.1/24 6.1.1.1/24
Router A IPv4 netwok
6to4 tunnel Router B
GE3/1/1 Tunnel 0 Tunnel 0 GE3/1/1
2002:0201:0101:1::1/64 2002:0201:0101::1/64 2002:0601:0101::1/64 2001::1/64
Host A Host B
2002:0201:0101:1::2/64 2001::2/64
Configuration procedure
NOTE:
• Before configuring a 6to4 relay, make sure that Router A and Router B are reachable to each other.
• The configuration on a 6to4 relay router is similar to that on a 6to4 router. However, to enable
communication between the 6to4 network and the IPv6 network, you need to configure a route to the
IPv6 network on the 6to4 router.
• Configure Router A:
# Enable IPv6.
<RouterA> system-view
[RouterA] ipv6
# Configure an IPv4 address for GigabitEthernet 3/1/2.
[RouterA] interface GigabitEthernet 3/1/2
[RouterA-GigabitEthernet3/1/2] ip address 2.1.1.1 255.255.255.0
[RouterA-GigabitEthernet3/1/2] quit
# Configure an IPv6 address for GigabitEthernet 3/1/1.
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet3/1/1] quit
# Configure a 6to4 tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel0] source GigabitEthernet 3/1/2
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel0] quit
# Configure a static route to the 6to4 relay router.
[RouterA] ipv6 route-static 2002:0601:0101:: 64 tunnel 0
# Configure the default route to the IPv6-only network.
[RouterA] ipv6 route-static :: 0 2002:0601:0101::1
• Configure Router B:
# Enable IPv6.
<RouterB> system-view
190
[RouterB] ipv6
# Configure an IPv4 address for GigabitEthernet 3/1/2.
[RouterB] interface GigabitEthernet 3/1/2
[RouterB-GigabitEthernet3/1/2] ip address 6.1.1.1 255.255.255.0
[RouterB-GigabitEthernet3/1/2] quit
# Configure an IPv6 address for GigabitEthernet 3/1/1.
[RouterB] interface GigabitEthernet 3/1/1
[RouterB-GigabitEthernet3/1/1] ipv6 address 2001::1/16
[RouterB-GigabitEthernet3/1/1] quit
# Configure a 6to4 tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 2002:0601:0101::1/64
[RouterB-Tunnel0] source GigabitEthernet 3/1/2
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel0] quit
# Configure a static route whose destination address is 2002::/16 and next-hop is the tunnel
interface.
[RouterB] ipv6 route-static 2002:: 16 tunnel 0
Pinging 2001::2
from 2002:201:101:1::2 with 32 bytes of data:
Configuration guidelines
When you configure an ISATAP tunnel, follow these guidelines:
191
• No destination address needs to be configured for an ISATAP tunnel. The destination address of the
tunnel can be automatically obtained through the IPv4 address embedded in the ISATAP address.
• To encapsulate and forward IPv6 packets whose destination address does not belong to the
network segment where the receiving tunnel interface resides, you need to configure a static route
to reach the destination IPv6 address through this tunnel interface on the router. Because automatic
tunnels do not support dynamic routing, you can configure a static route to that destination IPv6
address with this tunnel interface as the outbound interface or the peer tunnel interface address as
the next hop. A similar configuration needs to be performed at the other tunnel end. For more
configuration information, see Layer 3—IP Routing Configuration Guide.
• The automatic tunnel interfaces using the same encapsulation protocol cannot share the same
source IP address.
Configuration procedure
To configure an ISATAP tunnel:
192
Step Command Remarks
8. Enable dropping of
IPv6 packets using tunnel discard Optional.
IPv4-compatible IPv6 ipv4-compatible-packet Disabled by default.
addresses.
Configuration example
Network requirements
As shown in Figure 80, an IPv6 network is connected to an IPv4 network through an ISATAP router.
Configure the ISATAP tunnel to enable the IPv6 host in the IPv4 network to access the IPv6 network.
Figure 80 Network diagram
Configuration procedure
NOTE:
Before configuring an ISATAP tunnel, make sure that GigabitEthernet 2/1/2 on the ISATAP router and the
ISATAP host are reachable to each other.
193
[Router-Tunnel0] quit
# Configure a static route to the ISATAP host.
[Router] ipv6 route-static 2001:: 16 tunnel 0
• Configure the ISATAP host:
The specific configuration on the ISATAP host is related to its operating system. The following
example shows the configuration of the host running the Windows XP.
# Install IPv6.
C:\>ipv6 install
# On a Windows XP-based host, the ISATAP interface is usually interface 2. Configure the IPv4
address of the ISATAP router on interface 2 to complete the configuration on the host. Before that,
display information on the ISATAP interface:
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
does not use Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 0.0.0.0
router link-layer address: 0.0.0.0
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48
# A link-local address (fe80::5efe:2.1.1.2) in the ISATAP format was automatically generated for
the ISATAP interface. Configure the IPv4 address of the ISATAP router on the ISATAP interface.
C:\>ipv6 rlu 2 1.1.1.1
After carrying out the above command, look at the information on the ISATAP interface.
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
uses Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 2.1.1.2
router link-layer address: 1.1.1.1
preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1500 (true link MTU 65515)
current hop limit 255
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48
194
# By comparison, it is found that the host acquires the address prefix 2001::/64 and
automatically generates the address 2001::5efe:2.1.1.2. Meanwhile, “uses Router Discovery” is
displayed, indicating that the router discovery function is enabled on the host. At this time, ping the
IPv6 address of the tunnel interface of the router. If the address is successfully pinged, an ISATAP
tunnel is established.
C:\>ping 2001::5efe:1.1.1.1
Configuration guidelines
When you configure an IPv4 over IPv4 tunnel, follow these guidelines:
• The router does not support IPv4 over IPv4 tunnels when working in hybrid or SPC mode. For more
information about the system working modes, see Fundamentals Configuration Guide.
• To encapsulate and forward IPv4 packets whose destination address does not belong to the
network segment where the receiving tunnel interface resides, you need to configure a static route
or dynamic routing for forwarding those packets through this tunnel interface. If you configure a
static route to that destination IPv4 address, specify this tunnel interface as the outbound interface,
or the peer tunnel interface address as the next hop. A similar configuration needs to be performed
at the other tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing
protocol on both tunnel interfaces. For the detailed configuration, see Layer 3—IP Routing
Configuration Guide.
• The IPv4 address and the destination address of a tunnel interface cannot be in the same network
segment.
• The destination address of a route with a tunnel interface as the egress interface and the destination
address of the tunnel interface must not be in the same network segment.
195
• Two or more tunnel interfaces using the same encapsulation protocol must have different source and
destination addresses.
• If you specify a source interface instead of a source address for the tunnel, the source address of the
tunnel is the primary IP address of the source interface.
Configuration procedure
To configure an IPv4 over IPv4 tunnel:
3. Configure an IPv4 address for ip address ip-address { mask | By default, no IPv4 address is
the tunnel interface. mask-length } [ sub ] configured for the tunnel interface.
Optional.
By default, the tunnel is a GRE over
4. Specify the IPv4 over IPv4 IPv4 tunnel. The same tunnel type
tunnel-protocol ipv4-ipv4
tunnel mode. should be configured at both ends
of the tunnel. Otherwise, packet
delivery will fail.
Configuration example
Network requirements
As shown in Figure 81, the two IPv4 subnets Group 1 and Group 2 use private IPv4 addresses. Configure
an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each
other.
Figure 81 Network diagram
Router A Router B
GE3/1/2 GE3/1/2
2.1.1.1/24 3.1.1.1/24
IPv4 netwok
IPv4 over IPv4 tunnel
GE3/1/1 GE3/1/1
10.1.1.1/24 Tunnel1 Tunnel2
10.1.3.1/24
10.1.2.1/24 10.1.2.2/24
IPv4 IPv4
Group 1 Group 2
Configuration procedure
196
NOTE:
Before configuring an IPv4 over IPv4 tunnel, make sure that Router A and Router B are reachable to each
other.
• Configure Router A:
# Configure an IPv4 address for GigabitEthernet 3/1/1.
<RouterA> system-view
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet3/1/1] quit
# Configure an IPv4 address for GigabitEthernet 3/1/2 (the physical interface of the tunnel).
<RouterA> system-view
[RouterA] interface GigabitEthernet 3/1/2
[RouterA-GigabitEthernet3/1/2] ip address 2.1.1.1 255.255.255.0
[RouterA-GigabitEthernet3/1/2] quit
# Create the interface tunnel 1.
[RouterA] interface tunnel 1
# Configure an IPv4 address for the interface tunnel 1.
[RouterA-Tunnel1] ip address 10.1.2.1 255.255.255.0
# Configure the tunnel encapsulation mode.
[RouterA-Tunnel1] tunnel-protocol ipv4-ipv4
# Configure a source address for the interface tunnel 1 (IP address of VLAN-interface 100).
[RouterA-Tunnel1] source 2.1.1.1
# Configure a destination address for the interface tunnel 1 (IP address of VLAN-interface 100 of
Router B).
[RouterA-Tunnel1] destination 3.1.1.1
[RouterA-Tunnel1] quit
# Configure a static route from Router A through the interface tunnel 1 to Group 2.
[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
• Configure Router B:
# Configure an IPv4 address for GigabitEthernet 3/1/1.
<RouterB> system-view
[RouterB] interface GigabitEthernet 3/1/1
[RouterB-GigabitEthernet3/1/1] ip address 10.1.3.1 255.255.255.0
[RouterB-GigabitEthernet3/1/1] quit
# Configure an IPv4 address for GigabitEthernet 3/1/2 (the physical interface of the tunnel).
<RouterA> system-view
[RouterA] interface GigabitEthernet 3/1/2
[RouterA-GigabitEthernet3/1/2] ip address 3.1.1.1 255.255.255.0
[RouterA-GigabitEthernet3/1/2] quit
# Create the interface tunnel 2.
[RouterB] interface tunnel 2
# Configure an IPv4 address for the interface tunnel 2.
[RouterB-Tunnel2] ip address 10.1.2.2 255.255.255.0
# Configure the tunnel encapsulation mode.
197
[RouterB-Tunnel2] tunnel-protocol ipv4-ipv4
# Configure the source address for the interface tunnel 2 (IP address of VLAN-interface 100).
[RouterB-Tunnel2] source 3.1.1.1
# Configure a destination address for the interface tunnel 2 (IP address of VLAN-interface 100 of
Router A).
[RouterB-Tunnel2] destination 2.1.1.1
[RouterB-Tunnel2] quit
# Configure a static route from Router B through the interface tunnel 2 to Group 1.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2
# Ping the IPv4 address of the peer interface GigabitEthernet 3/1/1 from Router A.
[RouterA] ping 10.1.3.1
PING 10.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.3.1: bytes=56 Sequence=1 ttl=255 time=15 ms
198
Reply from 10.1.3.1: bytes=56 Sequence=2 ttl=255 time=15 ms
Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=255 time=15 ms
Clear statistics on tunnel interfaces. reset counters interface [ tunnel [ number ] ] Available in any view
Solution
To solve the problem:
1. The common cause is that the physical interface of the tunnel source is not up. Use the display
interface tunnel or display ipv6 interface tunnel commands to view whether the physical interface
of the tunnel source is up. If the physical interface is down, check the network connections.
2. Another possible cause is that the tunnel destination is unreachable. Use the display ipv6
routing-table or display ip routing-table command to view whether the tunnel destination is
reachable. If no routing entry is available for tunnel communication in the routing table, configure
related routes.
199
Configuring GRE
GRE overview
Generic Routing Encapsulation (GRE) is a tunneling protocol. It can encapsulate a wide variety of
network layer protocol packet types inside IP tunnels.
A GER tunnel is a virtual point-to-point (P2P) connection. Packets are encapsulated at one end of the
tunnel and de-encapsulated at the other end.
Figure 82 X protocol networks interconnected through the GRE tunnel
The following takes the network shown in Figure 82 as an example to describe how an X protocol packet
traverses the IP network through a GRE tunnel.
Encapsulation process
1. After receiving an X protocol packet from the interface connected to Group 1, Router A submits it
to the X protocol for processing.
2. The X protocol checks the destination address field in the packet header to determine how to route
the packet.
3. If the packet must be tunneled to reach its destination, Router A sends it to the tunnel interface.
4. Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet. Then, the system
encapsulates the packet in an IP packet and forwards the IP packet based on its destination
address and the routing table.
Delivery header
(Transport protocol)
GRE header
(Encapsulation protocol)
Payload header
(Passenger protocol)
As an example, Figure 84 shows the format of an X protocol packet encapsulated for transmission over
an IP tunnel.
200
Figure 84 Format of an X packet encapsulated for transmission over an IP tunnel
De-encapsulation process
De-encapsulation is the reverse of the encapsulation process:
1. Upon receiving an IP packet from the tunnel interface, Router B checks the destination address.
2. If the destination is itself and the protocol number in the IP header is 47 (the protocol number for
GRE), Router B strips off the IP header of the packet and submits the resulting packet to the GRE
protocol.
3. The GRE protocol checks the key, checksum and sequence number in the packet, and then strips
off the GRE header and submits the payload to the X protocol for forwarding.
NOTE:
Encapsulation and de-encapsulation processes on both ends of the GRE tunnel and the resulting increase
in data volumes will degrade the forwarding efficiency of a GRE-enabled router to some extent.
201
GRE applications
Multi-protocol communications through a single-protocol backbone
Figure 85 Multi-protocol communications through a single-protocol backbone
In the example as shown in Figure 85, Group 1 and Group 2 are local networks running Novell IPX,
while Team 1 and Team 2 are local networks running IP. Through the GRE tunnel between Router A and
Router B, Group 1 can communicate with Group 2 and Team 1 can communicate with Team 2. They will
not interfere with each other.
When the hop count between two terminals exceeds 15, the terminals cannot communicate with each
other. Using GRE, you can hide some hops so as to enlarge the scope of the network.
202
VPN creation by connecting discontinuous subnets
Figure 87 Connect discontinuous subnets with a tunnel to form a VPN
In the example as shown in Figure 87, Group 1 and Group 2 running Novell IPX are deployed in different
cities. They can constitute a trans-WAN virtual private network (VPN) through the tunnel.
NOTE:
The SR8800 routers do not support Novell IPX networks.
Configuration guidelines
• The source address and destination address of a tunnel uniquely identify a path. They must be
configured at both ends of the tunnel and the source address at one end must be the destination
address at the other end and vice versa.
• Tunnel interfaces using the same encapsulation protocol must have different source addresses and
destination addresses.
• If you configure a source interface for a tunnel interface, the tunnel interface takes the primary IP
address of the source interface as its source address.
• When configuring a route through the tunnel, you are not allowed to set up a static route whose
destination address is in the subnet of the tunnel interface. Instead, you can do one of the following:
{ Configure a static route, using the address of the network segment that the original packet is
destined for as its destination address and the address of the peer tunnel interface as its next
hop.
203
{ Enable a dynamic routing protocol on both the tunnel interface and the router interface
connecting the private network, so that the dynamic routing protocol can establish a routing
entry to forward packets through the tunnel.
Configuration procedure
To configure a GRE tunnel:
Optional.
2. Enable the IPv6 packet Disabled by default.
ipv6
forwarding function. The function is required for IPv6 over
IPv4 GRE tunnels.
3. Create a tunnel interface
interface tunnel
and enter tunnel interface Not created by default.
interface-number
view.
• To configure an IPv4
address:
ip address ip-address { mask
| mask-length }
• To configure an IPv6 global Configure one as needed.
4. Configure an IPv4 address,
unicast address:
an IPv6 global unicast By default, a tunnel interface is not
ipv6 address { ipv6-address
address, or a site local configured with any IPv4 address, IPv6
prefix-length |
address for the tunnel global unicast address, or site local
ipv6-address/prefix-length }
interface. address.
• To configure a site local
address:
ipv6 address
ipv6-address/prefix-length
eui-64
• To automatically generate a
link-local address: Optional.
5. Configure an IPv6 link local ipv6 address auto link-local By default, if an interface is configured
address for the tunnel • Configure a link-local with an IPv6 global unicast address or
interface. address manually: site local address, a link local address
ipv6 address ipv6-address will be automatically created.
link-local
Optional.
GRE by default.
6. Set the tunnel mode to
tunnel-protocol gre You must configure the same tunnel
GRE.
mode on both ends of a tunnel.
Otherwise, packet delivery will fail.
204
Step Command Remarks
Optional.
9. Configure a route through See Layer 3—IP Routing Each end of the tunnel must have a route
the tunnel. Configuration Guide. (static or dynamic) through the tunnel to
the other end.
10. Set the MTU value for the • mtu mtu-size Optional.
tunnel interface. • ipv6 mtu mtu-size Configure one command as needed.
NOTE:
For information about commands interface tunnel, source, destination, and mtu, see Layer 3—IP Services
Command Reference.
NOTE:
For information about commands display interface tunnel and display ipv6 interface tunnel, see Layer
3—IP Services Command Reference.
205
Figure 88 Network diagram
GE4/1/1 GE3/1/1 GE4/1/1
GE3/1/2 10.1.3.1/ 24
10.1.1.1/ 24 1.1.1.1/ 24
IPv4 IPv4 network 2.2.2.2/ 24 IPv4
Group1 Group 2
GRE tunnel
Router A Router B
Tunnel 3 Tunnel 3
10.1.2.1/ 24 10.1.2.2/ 24
Configuration procedure
NOTE:
Before performing GRE tunnel configuration, configure the interfaces connected to the Internet on Router
A and Router B and configure routing protocols, so that a route is available between the two routers.
1. Configure Router A.
# Configure an IPv4 address for interface GigabitEthernet 4/1/1.
<RouterA> system-view
[RouterA] interface GigabitEthernet 4/1/1
[RouterA-GigabitEthernet4/1/1] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet4/1/1] quit
# Configure an IPv4 address for interface GigabitEthernet 3/1/1, the physical interface of the
tunnel.
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] ip address 1.1.1.1 255.255.255.0
[RouterA-GigabitEthernet3/1/1] quit
# Create a tunnel interface named Tunnel3.
[RouterA] interface tunnel 3
# Configure an IPv4 address for the tunnel interface Tunnel3.
[RouterA-Tunnel3] ip address 10.1.2.1 255.255.255.0
# Configure the tunnel encapsulation mode.
[RouterA-Tunnel3] tunnel-protocol gre
# Configure the source address of the tunnel interface Tunnel3 as the IP address of GigabitEthernet
3/1/1.
[RouterA-Tunnel3] source 1.1.1.1
# Configure the destination address of the tunnel interface Tunnel3 as the IP address of
GigabitEthernet 3/1/2 on Router B.
[RouterA-Tunnel3] destination 2.2.2.2
[RouterA-Tunnel3] quit
# Configure a static route from Router A through the tunnel interface Tunnel3 to Group 2.
[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 3
2. Configure Router B.
# Configure an IPv4 address for interface GigabitEthernet 4/1/1.
<RouterB> system-view
[RouterB] interface GigabitEthernet 4/1/1
[RouterB-GigabitEthernet4/1/1] ip address 10.1.3.1 255.255.255.0
[RouterB-GigabitEthernet4/1/1] quit
206
# Configure an IPv4 address for interface GigabitEthernet 3/1/2, the physical interface of the
tunnel.
[RouterB] interface GigabitEthernet 3/1/2
[RouterB-GigabitEthernet3/1/2] ip address 2.2.2.2 255.255.255.0
[RouterB-GigabitEthernet3/1/2] quit
# Create an interface named Tunnel 3.
[RouterB] interface tunnel 3
# Configure an IP address for the tunnel interface Tunnel3.
[RouterB-Tunnel3] ip address 10.1.2.2 255.255.255.0
# Configure the tunnel encapsulation mode.
[RouterB-Tunnel3] tunnel-protocol gre
# Configure the source address of the tunnel interface Tunnel3 to be the IP address of interface
GigabitEthernet 3/1/2.
[RouterB-Tunnel3] source 2.2.2.2
# Configure the destination address of the tunnel interface Tunnel3 as the IP address of interface
GigabitEthernet 3/1/1 on Router A.
[RouterB-Tunnel3] destination 1.1.1.1
[RouterB-Tunnel3] quit
# Configure a static route from Router B through interface Tunnel3 to Group 1.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 3
Troubleshooting GRE
The GRE configurations are relatively simple. The key is to keep the configurations consistent. Most faults
can be located by using debugging commands. This section analyzes only one type of fault, as shown
in Figure 89.
Figure 89 Troubleshoot GRE
Symptom: The interfaces at both ends of the tunnel are configured correctly and can ping each other, but
Host A and Host B cannot ping each other.
Solution:
• On Router A and Router C, execute the display ip routing-table command in any view respectively.
On Router A, observe whether there is a route from Router A through Tunnel 1 to 10.2.0.0/16. On
Router C, observe whether there is a route from Router C through Tunnel 1 to 10.1.0.0/16.
• For any missing static routes, use the ip route-static command in system view to configure. For
example, configure a static route on Router A as follows:
[RouterA] ip route-static 10.2.0.0 255.255.0.0 tunnel 1
207
Index
ABCDEGINOPSTU
A Configuring the DHCP relay agent security
functions,56
Applying an extended address pool on an
Configuring the DHCP relay agent to release an IP
interface,42
address,59
Applying the connection limit policy,91
Configuring the DHCP relay agent to support Option
ARP overview,1 82,60
B Configuring the DHCP server security functions,42
Binding a NAT-enabled interface to the NAT service Configuring the DHCPv6 relay agent,147
interface,89 Configuring the DNS proxy,69
Configuring the IPv4 DNS client,68
C
Configuring the IPv6 DNS client,151
Configuring a 6to4 tunnel,186 Configuring UDP Helper,114
Configuring a GRE tunnel,203 Correlating a DHCP server group with a relay agent
Configuring a tunnel interface,177 interface,55
Configuring address translation,83
D
Configuring an address pool for the DHCP server,33
Configuring an automatic IPv4-compatible IPv6 DHCP address allocation,23
tunnel,182 DHCP message format,25
Configuring an internal server,87 DHCP options,26
Configuring an IPv4 over IPv4 tunnel,195 DHCP relay agent configuration example,62
Configuring an IPv6 manual tunnel,178 DHCP relay agent configuration task list,54
Configuring an ISATAP tunnel,191 DHCP relay agent Option 82 support configuration
Configuring ARP,3 example,63
Configuring basic IPv6 functions,127 DHCP server configuration examples,46
Configuring DNS mapping,89 DHCP server configuration task list,33
Configuring DNS spoofing,69 DHCPv6 configuration overview,145
Configuring gratuitous ARP,9 DHCPv6 relay agent configuration example,148
Configuring ICMP to send error packets,107 Displaying and maintaining adjacency table,112
Configuring ICMPv6 packet sending,136 Displaying and maintaining ARP,5
208
Displaying and maintaining the DHCP server,46 IPv6 DNS configuration examples,152
Displaying and maintaining the DHCPv6 relay IPv6 overview,117
agent,148
N
Displaying and maintaining tunneling
configuration,199 NAT configuration examples,92
Displaying and maintaining UDP Helper,115 NAT configuration task list,82
DNS overview,65 NAT overview,77
NAT-PT configuration examples,168
E
NAT-PT configuration task list,162
Enabling connection limit logging,91 NAT-PT overview,159
Enabling DHCP,41
O
Enabling DHCP,54
Enabling ICMP flow control,110 Overview,112
Enabling offline detection,59 P
Enabling Option 82 handling,44 Protocols and standards,29
Enabling proxy ARP,12 Proxy ARP configuration examples,13
Enabling reception and forwarding of directed Proxy ARP overview,11
broadcasts to a directly connected network,104
Enabling support for ICMP extensions,109 S
Enabling the DHCP relay agent on an interface,54 Setting NAT connection limits,90
Enabling the DHCP server on an interface,41 Specifying the threshold for sending trap messages,45
G Static ARP configuration example,6
GRE overview,200 T
GRE tunnel configuration example,205 Troubleshooting DHCP relay agent configuration,64
I Troubleshooting DHCP server configuration,50
Troubleshooting GRE,207
Introduction to DHCP,23
Troubleshooting IPv4 DNS configuration,76
Introduction to DHCP relay agent,52
Troubleshooting IPv6 basics configuration,144
Introduction to DHCP server,31
Troubleshooting NAT,103
Introduction to gratuitous ARP,8
Troubleshooting NAT-PT,170
Introduction to IPv6 DNS,151
Troubleshooting tunneling configuration,199
Introduction to UDP Helper,114
Tunneling configuration task list,177
IP addressing overview,16
Tunneling overview,172
IP performance optimization overview,104
IPv4 DNS configuration examples,70 U
IPv6 basics configuration example,139 UDP Helper configuration example,115
IPv6 basics configuration task list,126
209