05-Layer 3 - IP Services Configuration Guide-Book PDF

H3C SR8800 10G Core Routers
Layer 3—IP Services Configuration Guide
Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com
Software version: SR8800-CMW520-R3347

Document version: 6W103-20120224
Copyright © 2011-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , Aolynk, , H3Care, , TOP G, , IRF, NetPilot, Neocean, NeoVTL,

SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C SR8800 documentation set includes 13 configuration guides, which describe the software
features for the H3C SR8800 10G Core Routers and guide you through the software configuration
procedures. These configuration guides also provide configuration examples to help you apply software
features to different network scenarios.
The Layer 3—IP Services Configuration Guide describes how to configure an IPv4/IPv6 address
manually, obtain an IP address dynamically, optimize IP performance, resolve an IPv4/IPv6 address to
a MAC address, and implement IPv4-IPv6 interconnection.
This preface includes:
• Audience
• Conventions
• About the H3C SR8800 documentation set
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the SR8800 series
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
[ x | y | ... ]
which you select one or none.
Asterisk marked braces enclose a set of required syntax choices separated by vertical
{ x | y | ... } *
bars, from which you select at least one.
[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
The argument or keyword and argument combination before the ampersand (&) sign can
&<1-n>
be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Window names, button names, field names, and menu items are in Boldface. For
Boldface
example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
An alert that calls attention to important information that if not understood or followed can
WARNING result in personal injury.
An alert that calls attention to important information that if not understood or followed can
CAUTION result in data loss, data corruption, or damage to hardware or software.
IMPORTANT An alert that calls attention to essential information.
NOTE An alert that contains additional or supplementary information.
TIP An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your router.
About the H3C SR8800 documentation set

The H3C SR8800 documentation set includes:
Category Documents Purposes
Marketing brochures Describe product specifications and benefits.
Product description and
specifications Provide an in-depth description of software features
Technology white papers
and technologies.
Category Documents Purposes
Card datasheets Describe card specifications, features, and standards.
Compliance and safety Provides regulatory information and the safety

manual instructions that must be followed during installation.
Provides a complete guide to hardware installation

Installation guide
and hardware specifications.
H3C N68 Cabinet

Guides you through installing and remodeling H3C
Installation and Remodel
N68 cabinets.
Hardware specifications Introduction
and installation
H3C Pluggable SFP
[SFP+][XFP] Transceiver Guides you through installing SFP/SFP+/XFP
Modules Installation transceiver modules.
Guide
H3C High-End Network Describes the hot-swappable modules available for

Products Hot-Swappable the H3C high-end network products, their external
Module Manual views, and specifications.
Describe software features and configuration

Configuration guides
Software configuration procedures.
Command references Provide a quick reference to all available commands.
Provide information about the product release,

including the version history, hardware and software
Operations and
Release notes compatibility matrix, version upgrade information,
maintenance
technical support information, and software
upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
Configuring ARP ··························································································································································· 1

ARP overview ····································································································································································· 1
ARP function ······························································································································································ 1
ARP message format ················································································································································ 1
ARP address resolution process ······························································································································ 2
ARP table ··································································································································································· 3
Configuring ARP ································································································································································ 3
Configuring a static ARP entry ································································································································ 3
Configuring the maximum number of dynamic ARP entries for an interface ····················································· 4
Setting aging time for dynamic ARP entries ·········································································································· 4
Enabling dynamic ARP entry check ························································································································ 5
Enabling natural network support for ARP requests······························································································ 5
Displaying and maintaining ARP····································································································································· 5
Static ARP configuration example ··································································································································· 6
Configuring gratuitous ARP ········································································································································· 8

Introduction to gratuitous ARP ·········································································································································· 8
Configuring gratuitous ARP ·············································································································································· 9
Configuring proxy ARP ·············································································································································· 11

Proxy ARP overview ······················································································································································· 11
Proxy ARP ······························································································································································· 11
Local proxy ARP····················································································································································· 12
Enabling proxy ARP ······················································································································································· 12
Displaying and maintaining proxy ARP······················································································································· 13
Proxy ARP configuration examples ······························································································································ 13
Proxy ARP configuration example ······················································································································· 13
Local proxy ARP configuration example in case of port isolation ··································································· 14
Configuring IP addressing ········································································································································· 16

IP addressing overview·················································································································································· 16
IP address classes ·················································································································································· 16
Special IP addresses ············································································································································· 17
Subnetting and masking ······································································································································· 17
Configuring IP addresses ·············································································································································· 17
Assigning an IP address to an interface ············································································································· 18
Displaying and maintaining IP addressing ········································································································· 18
IP addressing configuration example ·················································································································· 19
Configuring IP unnumbered ·········································································································································· 20
IP unnumbered overview ······································································································································ 20
Configuration prerequisites ·································································································································· 20
Configuration procedure ······································································································································ 20
IP unnumbered configuration example ··············································································································· 21
DHCP overview ·························································································································································· 23

Introduction to DHCP ····················································································································································· 23
DHCP address allocation ·············································································································································· 23
Allocation mechanisms ········································································································································· 23
Dynamic IP address allocation process··············································································································· 24
IP address lease extension···································································································································· 24
DHCP message format··················································································································································· 25
i
DHCP options ································································································································································· 26
Overview ································································································································································ 26
Introduction to DHCP options ······························································································································· 26
Custom options ······················································································································································ 26
Protocols and standards ················································································································································ 29
Configuring DHCP server ·········································································································································· 31

Introduction to DHCP server ·········································································································································· 31
Application environment ······································································································································· 31
DHCP address pool··············································································································································· 31
IP address allocation sequence···························································································································· 32
DHCP server configuration task list ······························································································································ 33
Configuring an address pool for the DHCP server····································································································· 33
Configuration task list ··········································································································································· 33
Creating a DHCP address pool ··························································································································· 34
Configuring an address allocation mode for a common address pool ·························································· 34
Configuring dynamic address allocation for an extended address pool ························································ 36
Configuring a domain name suffix for the client ······························································································· 37
Configuring DNS servers for the client ··············································································································· 37
Configuring WINS servers and NetBIOS node type for the client ·································································· 37
Configuring BIMS server information for the client ···························································································· 38
Configuring gateways for the client ···················································································································· 38
Configuring Option 184 parameters for the client with voice service ···························································· 39
Configuring the TFTP server and bootfile name for the client ··········································································· 39
Configuring self-defined DHCP options ·············································································································· 40
Enabling DHCP ······························································································································································ 41
Enabling the DHCP server on an interface ·················································································································· 41
Applying an extended address pool on an interface ································································································ 42
Configuring the DHCP server security functions ········································································································· 42
Enabling unauthorized DHCP server detection ·································································································· 43
Configuring IP address conflict detection ··········································································································· 43
Configuring the DHCP server to work with authorized ARP ············································································· 44
Enabling Option 82 handling ······································································································································ 44
Specifying the threshold for sending trap messages ·································································································· 45
Displaying and maintaining the DHCP server ············································································································ 46
DHCP server configuration examples ·························································································································· 46
Static IP address assignment configuration example························································································· 47
Dynamic IP address assignment configuration example ··················································································· 48
Self-defined option configuration example ········································································································· 50
Troubleshooting DHCP server configuration ··············································································································· 50
Configuring DHCP relay agent ································································································································· 52

Introduction to DHCP relay agent ································································································································ 52
Application environment ······································································································································· 52
Fundamentals ························································································································································· 52
DHCP relay agent support for Option 82 ·········································································································· 53
DHCP relay agent configuration task list ····················································································································· 54
Enabling DHCP ······························································································································································ 54
Enabling the DHCP relay agent on an interface ········································································································ 54
Correlating a DHCP server group with a relay agent interface················································································ 55
Configuring the DHCP relay agent security functions ································································································ 56
Configure address check ······································································································································ 56
ii
Configuring periodic refresh of dynamic client entries ····················································································· 56
Configuring the DHCP relay agent to work with authorized ARP···································································· 57
Enabling unauthorized DHCP server detection ·································································································· 58
Enabling DHCP starvation attack protection ······································································································ 58
Enabling offline detection·············································································································································· 59
Configuring the DHCP relay agent to release an IP address ···················································································· 59
Configuring the DHCP relay agent to support Option 82 ························································································· 60
Displaying and maintaining the DHCP relay agent ··································································································· 61
DHCP relay agent configuration example··················································································································· 62
DHCP relay agent Option 82 support configuration example ················································································· 63
Troubleshooting DHCP relay agent configuration ······································································································ 64
Configuring IPv4 DNS ··············································································································································· 65

DNS overview ································································································································································ 65
Static domain name resolution····························································································································· 65
Dynamic domain name resolution ······················································································································· 65
DNS proxy ····························································································································································· 67
DNS spoofing ························································································································································ 67
Configuring the IPv4 DNS client ·································································································································· 68
Configuring static domain name resolution ········································································································ 68
Configuring dynamic domain name resolution ·································································································· 68
Configuring the DNS proxy ·········································································································································· 69
Configuring DNS spoofing ··········································································································································· 69
Displaying and maintaining IPv4 DNS ························································································································ 70
IPv4 DNS configuration examples ······························································································································· 70
Static domain name resolution configuration example ····················································································· 70
Dynamic domain name resolution configuration example ··············································································· 71
DNS proxy configuration example ······················································································································ 74
Troubleshooting IPv4 DNS configuration ···················································································································· 76
Configuring NAT ························································································································································ 77

NAT overview································································································································································· 77
Introduction to NAT ··············································································································································· 77
NAT control ···························································································································································· 78
NAT operation ······················································································································································· 79
NAT configuration task list ············································································································································ 82
Configuring address translation ··································································································································· 83
Introduction to address translation ······················································································································ 83
Configuring static NAT ········································································································································· 83
Configuring dynamic NAT ··································································································································· 84
Configuring an internal server ······································································································································ 87
Introduction to internal server ······························································································································· 87
Configuring a common internal server ··············································································································· 88
Configuring load shared internal servers ··········································································································· 88
Configuring DNS mapping ··········································································································································· 89
Binding a NAT-enabled interface to the NAT service interface ················································································ 89
Introduction ···························································································································································· 89
Configuring NAT logging ············································································································································· 89
Setting NAT connection limits ······································································································································· 90
Connection limit overview ···································································································································· 90
Creating a connection limit policy······················································································································· 90
Configuring the connection limit policy ·············································································································· 90
iii
Applying the connection limit policy ···························································································································· 91
Enabling connection limit logging ································································································································ 91
Displaying and maintaining NAT································································································································· 92
NAT configuration examples ········································································································································ 92
One-to-one static NAT configuration example ··································································································· 92
Dynamic NAT configuration example I··············································································································· 93
Dynamic NAT configuration example II·············································································································· 94
Dynamic NAT configuration example III ············································································································· 96
Dynamic NAT configuration example IV ············································································································ 98
Common internal server configuration example ································································································ 99
Load sharing internal server configuration example ······················································································· 100
NAT DNS mapping configuration example ····································································································· 101
Troubleshooting NAT ··················································································································································· 103
Symptom: internal server functions abnormally ······························································································· 103
Configuring IP performance optimization ············································································································· 104

IP performance optimization overview ······················································································································ 104
Enabling reception and forwarding of directed broadcasts to a directly connected network ···························· 104
Enabling forwarding of directed broadcasts to a directly connected network ············································· 104
Configuration example ······································································································································· 105
Configuring TCP attributes ·········································································································································· 106
Configuring TCP MSS for the interface ············································································································· 106
Configuring the TCP send/receive buffer size ································································································· 106
Configuring TCP timers ······································································································································· 106
Configuring ICMP to send error packets ··················································································································· 107
Introduction ·························································································································································· 107
Enabling support for ICMP extensions ······················································································································· 109
Introduction ·························································································································································· 109
Configuration procedure ···································································································································· 110
Enabling ICMP flow control ········································································································································ 110
Displaying and maintaining IP performance optimization ······················································································ 110
Configuring adjacency table·································································································································· 112

Overview······································································································································································· 112
Introduction to adjacency table ························································································································· 112
Fields ····································································································································································· 112
Displaying and maintaining adjacency table ··········································································································· 112
Configuring UDP Helper ········································································································································· 114

Introduction to UDP Helper ········································································································································· 114
Configuring UDP Helper·············································································································································· 114
Displaying and maintaining UDP Helper ·················································································································· 115
UDP Helper configuration example···························································································································· 115
Configuring IPv6 basics ·········································································································································· 117

IPv6 overview ······························································································································································· 117
IPv6 features ························································································································································· 117
IPv6 addresses ····················································································································································· 118
IPv6 neighbor discovery protocol ······················································································································ 121
IPv6 PMTU discovery ·········································································································································· 124
IPv6 transition technologies ································································································································ 124
Protocols and standards ····································································································································· 125
IPv6 basics configuration task list ······························································································································· 126
Configuring basic IPv6 functions ································································································································ 127
Enabling IPv6 ······················································································································································· 127
Configuring an IPv6 global unicast address ···································································································· 127
iv
Configuring an IPv6 link-local address ············································································································· 128
Configure an IPv6 anycast address··················································································································· 129
Configuring IPv6 ND ··················································································································································· 129
Configuring a static neighbor entry ·················································································································· 129
Configuring the maximum number of neighbors dynamically learned ························································· 130
Setting the age timer for ND entries in stale state ··························································································· 130
Configuring parameters related to RA messages ···························································································· 131
Configuring the maximum number of attempts to send an NS message for DAD ······································· 133
Configuring PMTU discovery ······································································································································ 134
Configuring the interface MTU ·························································································································· 134
Configuring a static PMTU for a specified IPv6 address ················································································ 134
Configuring the aging time for dynamic PMTUs ······························································································ 134
Configuring IPv6 TCP properties ································································································································ 135
Configuring IPv6 FIB load sharing ····························································································································· 135
Configuring ICMPv6 packet sending ························································································································· 136
Configuring the maximum ICMPv6 error packets sent in an interval ···························································· 136
Enabling replying to multicast echo requests ··································································································· 136
Enabling sending of ICMPv6 time exceeded messages ················································································· 137
Enabling sending of ICMPv6 destination unreachable messages ································································· 137
Displaying and maintaining IPv6 basics configuration···························································································· 138
IPv6 basics configuration example ···························································································································· 139
Troubleshooting IPv6 basics configuration ················································································································ 144
Configuring DHCPv6 ·············································································································································· 145

DHCPv6 configuration overview ································································································································ 145
Basic concepts ····················································································································································· 145
Typical DHCPv6 network application ··············································································································· 146
DHCPv6 relay agent operation ························································································································· 146
Configuring the DHCPv6 relay agent ························································································································ 147
Configuration prerequisites ································································································································ 147
Displaying and maintaining the DHCPv6 relay agent ····························································································· 148
DHCPv6 relay agent configuration example ············································································································ 148
Configuring IPv6 DNS ············································································································································ 151

Introduction to IPv6 DNS ············································································································································· 151
Configuring the IPv6 DNS client ································································································································ 151
Configuring static domain name resolution ······································································································ 151
Configuring dynamic domain name resolution ································································································ 151
Displaying and maintaining IPv6 DNS ······················································································································ 152
IPv6 DNS configuration examples ····························································································································· 152
Static domain name resolution configuration example ··················································································· 152
Dynamic domain name resolution configuration example ············································································· 153
Configuring NAT-PT ················································································································································ 159

NAT-PT overview ·························································································································································· 159
Application scenario ··········································································································································· 159
Basic concepts ····················································································································································· 159
Implementing NAT-PT ·········································································································································· 160
NAT-PT limitations ··············································································································································· 161
NAT-PT configuration task list ····································································································································· 162
Configuring NAT-PT ····················································································································································· 162
Enabling NAT-PT ················································································································································· 163
v
Configuring a NAT-PT prefix ······························································································································ 163
Configuring IPv4/IPv6 address mappings on the IPv6 side ··········································································· 163
Configuring IPv4/IPv6 address mappings on the IPv4 side ··········································································· 165
Setting the ToS field after NAT-PT translation ··································································································· 166
Setting the traffic class field after NAT-PT translation ······················································································ 167
Configuring static NAPT-PT mappings of IPv6 servers ···················································································· 167
Displaying and maintaining NAT-PT ·························································································································· 167
NAT-PT configuration examples ································································································································· 168
Configuring dynamic mapping on the IPv6 side ····························································································· 168
Configuring static mappings on the IPv4 side and the IPv6 side ··································································· 169
Troubleshooting NAT-PT ·············································································································································· 170
Configuring tunneling ············································································································································· 172

Tunneling overview ······················································································································································ 172
IPv6 over IPv4 tunnels ········································································································································· 172
IPv6 manual tunneling ········································································································································· 174
IPv4 over IPv4 tunnel ··········································································································································· 176
Tunneling configuration task list ································································································································· 177
Configuring a tunnel interface ···································································································································· 177
Configuring an IPv6 manual tunnel ···························································································································· 178
Configuration guidelines ···································································································································· 178
Configuring an automatic IPv4-compatible IPv6 tunnel ··························································································· 182
Configuring a 6to4 tunnel ··········································································································································· 186
6to4 tunnel configuration example ··················································································································· 187
6to4 relay configuration example ····················································································································· 189
Configuring an ISATAP tunnel ···································································································································· 191
Configuring an IPv4 over IPv4 tunnel ························································································································ 195
Displaying and maintaining tunneling configuration ······························································································· 199
Troubleshooting tunneling configuration ··················································································································· 199
Configuring GRE ····················································································································································· 200

GRE overview ······························································································································································· 200
GRE applications ················································································································································· 202
Configuring a GRE tunnel ··········································································································································· 203
vi
Displaying and maintaining GRE ······························································································································· 205
GRE tunnel configuration example ····························································································································· 205
Network requirements ········································································································································· 205
Troubleshooting GRE ··················································································································································· 207
Index ········································································································································································ 208
vii
Configuring ARP
ARP overview
ARP function
The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet
MAC address, for example).
In an Ethernet LAN, a router uses ARP to translate the IP address of the next hop to the corresponding
MAC address.
ARP message format

ARP messages are classified into ARP requests and ARP replies. Figure 1 shows the format of the ARP
request/reply.
Figure 1 ARP message format
The following explains the fields in Figure 1.

• Hardware type—The hardware address type. The value 1 represents Ethernet.
• Protocol type—The type of the protocol address to be mapped. The hexadecimal value “0x0800”
represents IP.
• Hardware address length and protocol address length—Length, in bytes, of a hardware address
and a protocol address. For an Ethernet address, the value of the hardware address length field is
6. For an IP(v4) address, the value of the protocol address length field is 4.
• OP—Operation code. The type of ARP message. The value 1 represents an ARP request and 2
represents an ARP reply.
• Sender hardware address—Hardware address of the router sending the message.
• Sender protocol address—Protocol address of the router sending the message.
• Target hardware address—Hardware address of the router the message is being sent to.
• Target protocol address—Protocol address of the router the message is being sent to.
1
ARP address resolution process
If Host A and Host B are on the same subnet and Host A sends a message to Host B, as show in Figure
2. The resolution process is as follows:
1. Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If yes, Host
A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and
sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request using
the following information:
{ Source IP address and source MAC address—Host A’s own IP address and MAC address
{ Target IP address—Host B’s IP address
{ Target MAC address—An all-zero MAC address
Because the ARP request is sent in broadcast mode, all hosts on this subnet can receive the request,
but only the requested host (namely, Host B) will process the request.
3. Host B compares its own IP address with the target IP address in the ARP request. If they are the
same, Host B
{ Adds the sender IP address and sender MAC address to its ARP table.
{ Encapsulates its MAC address into an ARP reply.
{ Unicasts the reply to Host A.
4. After receiving the ARP reply, Host A:
{ Adds the MAC address of Host B to its ARP table.
{ Encapsulates the MAC address into the IP packet and sends it to Host B.
Figure 2 ARP address resolution process
If Host A and Host B are not on the same subnet:

5. Host A sends an ARP request to the gateway. The target IP address in the ARP request is the IP
address of the gateway.
6. After obtaining the MAC address of the gateway from an ARP reply, Host A sends the packet to the
gateway.
7. If the gateway maintains the ARP entry of Host B, it forwards the packet to Host B directly; if not,
it broadcasts an ARP request, in which the target IP address is the IP address of Host B.
8. After obtaining the MAC address of Host B, the gateway sends the packet to Host B.
2
ARP table
After obtaining a host’s MAC address, the router adds the IP-to-MAC mapping into its own ARP mapping
table. This mapping is used for forwarding packets with the same destination in future.
An ARP table contains dynamic and static ARP entries.
Dynamic ARP entry

A dynamic entry is automatically created and maintained by ARP. It can age out, be updated by a new
ARP packet, or be overwritten by a static ARP entry. A dynamic ARP entry is removed when its age timer
expires or the interface goes down.
Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten
by any dynamic ARP entry.
Static ARP entries protect communication between devices, because attack packets cannot modify the
IP-to-MAC mapping in a static ARP entry.
Static ARP entries can be classified into long and short ARP entries.
• A long static ARP entry can be directly used to forward packets. When you configure a long static
ARP entry, you must configure a VLAN and outbound interface for the entry besides the IP address
and MAC address.
• A short static ARP entry has only an IP address and MAC address configured. If the outbound
interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used for forwarding
data; if the outbound interface is a VLAN interface, it cannot be directly used for forwarding data.
If a short static ARP entry matches an IP packet to be forwarded, the router sends an ARP request.
If the source IP and MAC addresses in the received ARP reply are the same as those in the short
static ARP entry, the router adds the interface receiving the ARP reply into the short static ARP entry.
Then, the entry can be used for forwarding IP packets.
NOTE:
• Usually ARP dynamically generates APR entries without manual intervention.
• To allow communication with a host by using a fixed IP-to-MAC mapping, configure a short static ARP
entry for it. To allow communication with a host through a specific interface in a specific VLAN by using
a fixed IP-to-MAC mapping, configure a long static ARP entry for it.
Configuring ARP
Configuring a static ARP entry
A static ARP entry is effective when the router works normally. However, when a VLAN or VLAN interface
to which a static ARP entry corresponds is deleted, the entry, if long, will be deleted, and if short and
resolved, will become unresolved.
To configure a static ARP entry:
Step Command Remarks

1. Enter system view. system-view N/A
3
• Configure a long static ARP entry:
arp static ip-address mac-address vlan-id
interface-type interface-number Use either command.
2. Configure a static
[ vpn-instance vpn-instance-name ] By default, no long or short static
ARP entry.
• Configure a short static ARP entry: ARP entry is configured.
arp static ip-address mac-address
[ vpn-instance vpn-instance-name ]
CAUTION:
• The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides; the specified
Ethernet interface must belong to that VLAN. The VLAN interface of the VLAN must be created.
• The IP address of the VLAN interface of the VLAN specified by the vlan-id argument must belong to the
same subnet as the IP address specified by the ip-address argument.
Configuring the maximum number of dynamic ARP entries for

an interface
An interface can dynamically learn ARP entries, so it may hold too many ARP entries. To solve this
problem, you can set the maximum number of dynamic ARP entries that an interface can learn. When the
maximum number is reached, the interface stops learning ARP entries.
To set the maximum number of dynamic ARP entries that an interface can learn:

4. Enter Layer 3 Ethernet interface interface interface-type

N/A
view or VLAN interface view. interface-number
The value defaults to 65533

when the system works in SPE or
SPC mode and defaults to 16381
when the system works in hybrid
5. Set the maximum number of mode. For more information
dynamic ARP entries that the arp max-learning-num number about system working modes, see
interface can learn. Fundamentals Configuration
Guide.
If the number argument is set to 0,
the interface is disabled from
learning dynamic ARP entries.
Setting aging time for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called age timer. The age timer of a
dynamic ARP entry is reset each time the dynamic ARP entry is used. Dynamic ARP entries that are not
used before expiration are deleted from the ARP table. You can adjust the age timer for dynamic ARP
entries according to the actual network condition.
To set aging time for dynamic ARP entries:
4
2. Set the aging time for
arp timer aging aging-time 20 minutes by default
dynamic ARP entries.
Enabling dynamic ARP entry check

The dynamic ARP entry check function controls whether the router supports dynamic ARP entries with
multicast MAC addresses.
When dynamic ARP entry check is enabled, the router cannot learn dynamic ARP entries containing
When dynamic ARP entry check is disabled, the router can learn dynamic ARP entries containing
To enable dynamic ARP entry check:

2. Enable dynamic ARP entry Optional

arp check enable
check. Enabled by default
Enabling natural network support for ARP requests

This feature enables the router to learn the sender IP and MAC addresses in a received ARP request
whose sender IP address is on the same classful network as but a different subnet from the IP address of
the receiving interface. A classful network refers to a class A, B, or C network.
For example, VLAN-interface 10 with IP address 10.10.10.5/24 receives an ARP request from
10.11.11.1/8. Because the subnet address calculated by the AND operation of 10.11.11.1 and the receiving
interface’s 24-bit subnet mask is not in the subnet 10.10.10.5/24, VLAN-interface 10 cannot process the
ARP packet.
With this feature enabled, the router calculates the subnet address by using the default mask of the class
A network where 10.10.10.5/24 resides. Because 10.10.10.5/24 is on the same class A network as
10.11.11.1/8, VLAN-interface 10 can learn the sender IP and MAC addresses in the request.
To enable natural mask support for ARP requests:

2. Enable the support for ARP
naturemask-arp enable Disabled by default
requests from a natural network.
Displaying and maintaining ARP
5
Task Command Remarks
display arp [ [ all | dynamic | static ] [ slot slot-number ] |
Display the ARP entries in the vlan vlan-id | interface interface-type interface-number ] Available in any
ARP mapping table. [ count | verbose ] [ | { begin | exclude | include } view
regular-expression ]
Display the ARP entry for a display arp ip-address [ slot slot-number ] [ verbose ] [ | Available in any
specified IP address. { begin | exclude | include } regular-expression ] view
Display the ARP entries for a display arp vpn-instance vpn-instance-name [ count ] [ | Available in any
specified VPN instance. { begin | exclude | include } regular-expression ] view
Display the aging time for display arp timer aging [ | { begin | exclude | include } Available in any
dynamic ARP entries. regular-expression ] view
Clear ARP entries from the eset arp { all | dynamic | static | slot slot-number | Available in user
ARP mapping table. interface interface-type interface-number } view
NOTE:
Clearing ARP entries from the ARP table may cause communication failures.
Static ARP configuration example

Network requirements
As shown in Figure 3, hosts are connected to the device that connects to the router through interface
GigabitEthernet 4/1/1. The IP address of the router is 192.168.1.1/24. The MAC address of the router is
00e0-fc01-0000.
To enhance communication security for the device and the router, static ARP entries are configured on the
device.
Figure 3 Network diagram
Configuration procedure
# Specify an IP address for interface GigabitEthernet 4/1/1.
<Device> system-view
[Device] interface gigabitethernet 4/1/1
6
[Device-GigabitEthernet4/1/1] ip address 192.168.1.2 24
# Configure a static ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000. The
outgoing interface corresponding to the static ARP entry is GigabitEthernet 4/1/1.
[Device] arp static 192.168.1.1 00e0-fc01-0000
# View information about static ARP entries.

[Device] display arp static
Type: S-Static D-Dynamic A-Authorized
IP Address MAC Address VLAN ID Interface Aging Type
192.168.1.1 00e0-fc01-0000 N/A N/A N/A S
7
Configuring gratuitous ARP
Introduction to gratuitous ARP

In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the
router issuing the packet, the sender MAC address is the MAC address of the router, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A router implements the following functions by sending gratuitous ARP packets:
• Determining whether its IP address is already used by another router. If the IP address is already
used, the router issuing the gratuitous ARP packet will be informed by an ARP reply of the conflict.
• Informing other routers about the change of its MAC address so that they can update their ARP
entries.
Enabling learning of gratuitous ARP packets

With this feature enabled, a router receiving a gratuitous ARP packet adds the sender IP and MAC
addresses carried in the packet to its ARP table if no corresponding ARP entry exists. If a corresponding
ARP entry is found, the router updates the ARP entry.
After this feature is disabled, the router will use the address information in the received gratuitous ARP
packets to update the existing ARP entries only, but not to create new ARP entries.
Configuring periodic sending of gratuitous ARP packets

Enabling a router to periodically send gratuitous ARP packets helps downstream routers update their
corresponding ARP entries or MAC entries in time. This feature can be used to:
• Prevent gateway spoofing
If an attacker sends forged gratuitous ARP packets to the hosts on a network, the traffic destined for
the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the
external network.
To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP
packets containing its primary IP address or one of its manually configured secondary IP addresses
at a specific interval. In this way, each host can learn correct gateway address information.
• Prevent ARP entries from being aged out
If network traffic is heavy or the CPU utility is high on a host, ARP packets received may be
discarded or cannot be processed in time. Eventually, the dynamic ARP entries on the receiving
host will be aged out, and the traffic between the host and the corresponding routers will be
interrupted until the host creates the ARP entries again.
To prevent such a problem, you can enable the gateway to send gratuitous ARP packets
periodically. The gratuitous ARP packets contain the gateway's primary IP address or one of its
manually configured secondary IP addresses. In this way, the receiving host can update ARP
entries in time and thus ensure traffic continuity.
• Prevent the virtual IP address of a VRRP group from being used by a host
The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the
local network, so that the hosts can update local ARP entries and avoid using the virtual IP address
of the VRRP group.
8
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender
MAC address in the gratuitous ARP packet takes the virtual MAC address of the virtual router. If the
virtual IP address of the VRRP group is associated with the real MAC address of an interface, the
sender MAC address in the gratuitous ARP packet takes the MAC address of the interface on the
master router in the VRRP group.
• Update MAC entries of routers in the VLANs having ambiguous VLAN termination configured
In VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP
groups, interfaces configured with VLAN termination need to be disabled from transmitting
broadcast/multicast packets and a VRRP control VLAN needs to be configured so that VRRP
advertisements can be transmitted within the control VLAN only. In such cases, you can enable
periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary
IP address or a manually configured secondary IP address of the sending interface on the
subinterfaces. In this way, when a VRRP failover occurs, routers in the VLANs having ambiguous
VLAN termination configured can use the gratuitous ARP packets to update their corresponding
MAC entries in time.
NOTE:
For more information about VRRP, see High Availability Configuration Guide.
Configuring gratuitous ARP

To configure gratuitous ARP:

2. Enable learning of gratuitous Optional

gratuitous-arp-learning enable
ARP packets. Enabled by default.
Optional
3. Enable the router to send
gratuitous ARP packets upon By default, a router does not send
gratuitous-arp-sending enable gratuitous ARP packets upon
receiving ARP requests from
another network segment. receiving ARP requests from
another network segment.
interface interface-type
4. Enter interface view. N/A
interface-number
5. Enable periodic sending of
arp send-gratuitous-arp [ interval
gratuitous ARP packets and Disabled by default.
milliseconds ]
set the sending interval.
9
NOTE:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes
up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next
sending interval.
• The frequency of sending gratuitous ARP packets may be much lower than is expected if this function is
enabled on multiple interfaces, or each interface is configured with multiple secondary IP addresses, or
a small sending interval is configured in the preceding cases.
10
Configuring proxy ARP
Proxy ARP overview

If a host sends an ARP request for the MAC address of another host that actually resides on another
network (but the sending host considers the requested host is on the same network) or that is isolated from
the sending host at Layer 2, the router in between must be able to respond to the request with the MAC
address of the receiving interface to allow Layer 3 communication between the two hosts. This is
achieved by proxy ARP. Proxy ARP hides the physical details of the network.
Proxy ARP involves common proxy ARP and local proxy ARP, which are described in the following
sections.
NOTE:
The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless otherwise
specified.
Proxy ARP
A proxy ARP enabled router allows hosts that reside on different subnets to communicate.
As shown in Figure 4, Router connects to two subnets through GigabitEthernet 4/1/1 and
GigabitEthernet 4/1/2. The IP addresses of the two interfaces are 192.168.10.99/24 and
192.168.20.99/24. Host A and Host B have the same prefix 192.168.0.0 assigned and connect to
GigabitEthernet 4/1/1 and GigabitEthernet 4/1/2, respectively.
Figure 4 Application environment of proxy ARP
Because Host A considers that Host B is on the same network, it broadcasts an ARP request for the MAC
address of Host B. Host B, however, cannot receive this request because it is in a different broadcast
domain.
You can enable proxy ARP on Router so that Router can reply to the ARP request from Host A with the
MAC address of GigabitEthernet 4/1/1, and forward packets sent from Host A to Host B. In this case,
Router seems like a proxy of Host B.
A main advantage of proxy ARP is that you can enable it on a single router without disturbing routing
tables of other routers in the network. Proxy ARP acts as the gateway for IP hosts that are not configured
with a default gateway or do not have routing capability.
11
Local proxy ARP
As shown in Figure 5, Host A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects
to GigabitEthernet 3/1/3 while Host B connects to GigabitEthernet 3/1/1. Enable local proxy ARP on
Router to allow Layer 3 communication between the two hosts.
Figure 5 Application environment of local proxy ARP
Router
GE3/1/2
VLAN 2
Vlan-int2
192.168.10.100/16
VLAN 2
port-isolate group 2
GE3/1/2
uplink-port
GE3/1/3
GE3/1/1
Host A Switch Host B

192.168.10.99/16 192.168.10.200/16
In one of the following cases, you need to enable local proxy ARP:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer
3.
• If a super VLAN is configured, hosts in different sub VLANs of the super VLAN need to communicate
at Layer 3.
• If an isolate-user-VLAN is configured, hosts in different secondary VLANs of the isolate-user-VLAN
need to communicate at Layer 3.
Enabling proxy ARP

To enable proxy ARP in VLAN interface view/Layer 3 Ethernet interface view/Layer 3 Ethernet
subinterface view/Layer 3 aggregate interface view/Layer 3 aggregate subinterface view:

2. Enter interface view. interface interface-type interface-number N/A
3. Enable proxy ARP. proxy-arp enable Disabled by default
To enable local proxy ARP in VLAN interface view/Layer 3 Ethernet interface view/Layer 3 aggregate
interface view:

interface-number
12
local-proxy-arp enable [ ip-range
3. Enable local proxy ARP. Disabled by default
startIP to endIP ]
Displaying and maintaining proxy ARP

display proxy-arp [ interface interface-type
Display whether proxy ARP is
interface-number ] [ | { begin | exclude | Available in any view
enabled.
include } regular-expression ]
display local-proxy-arp [ interface

Display whether local proxy ARP is
interface-type interface-number ] [ | { begin | Available in any view
enabled.
exclude | include } regular-expression ]
Proxy ARP configuration examples

Proxy ARP configuration example
As shown in Figure 6, Host A and Host D have the same prefix and mask (the IP addresses of Host A and
Host D are 192.168.10.100/16 and 192.168.20.200/16 respectively, and the two IP addresses belong
to the same network 192.168.0.0/16), but they are located on different subnets separated through the
router. As a result, Host D cannot receive or respond to any ARP request from Host A.
You need to configure proxy ARP on the router to enable communication between Host A and Host D.
13
<Router> system-view
[Router] interface gigabitethernet 3/1/1
[Router-GigabitEthernet3/1/1] ip address 192.168.10.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 3/1/1.

[Router-GigabitEthernet3/1/1] proxy-arp enable
[Router-GigabitEthernet3/1/1] quit

[Router] interface gigabitethernet 3/1/5
# Enable proxy ARP on interface GigabitEthernet 3/1/5.

[Router-GigabitEthernet3/1/5] proxy-arp enable
After the configuration, use the ping command to verify that Host A and Host D can ping each other.
Local proxy ARP configuration example in case of port isolation

As shown in Figure 7, Host A and Host B belong to the same VLAN, and are connected to
GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2 of Switch respectively. The switch is connected to
Router via GigabitEthernet 3/1/3.
Configure port isolation on GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2 to isolate Host A from
Host B at Layer 2. Enable local proxy ARP on the router to allow communication between Host A and
Host B at Layer 3.
Router
GE3/1/1
VLAN 2
192.168.10.100/16
VLAN 2
port-isolate group 2
GE3/1/3
uplink-port
GE3/1/1
GE3/1/2
Host A Switch Host B
192.168.10.99/16 192.168.10.200/16
14
NOTE:
In this configuration example, the switch blocks all traffic between hosts. Therefore, you need to configure
local proxy ARP on interface GigabitEthernet 3/1/1 of the router to allow communication between Host
A and Host B. If the two interfaces (GigabitEthernet 3/1/1 and GigabitEthernet 3//1/2) on the switch are
isolated only at Layer 2, you can enable communication between the two hosts by configuring local proxy
ARP on VLAN-interface 2 of the switch.
1. Configure the Switch:
# Add GigabitEthernet 3/1/1, GigabitEthernet 3/1/2 and GigabitEthernet 3/1/3 to VLAN 2.
Host A and Host B are isolated and unable to exchange Layer 2 packets.
<Switch> system-view
[Switch] port-isolate group 2
[Switch] vlan 2
[Switch-vlan2] port gigabitethernet 3/1/1
[Switch-vlan2] quit
[Switch] interface gigabitethernet 3/1/1
[Switch-GigabitEthernet3/1/1] port-isolate enable group 2
[Switch-GigabitEthernet3/1/1] quit
[Switch-GigabitEthernet3/1/2] port-isolate enable group 2
[Switch-GigabitEthernet3/1/2] quit
[Switch-GigabitEthernet3/1/3] port-isolate uplink-port group 2
2. Configure the Router:
# Specify an IP address for GigabitEthernet 3/1/1.
[Router] interface GigabitEthernet 3/1/1
Ping Host B on Host A to verify that the two hosts cannot be pinged through, which indicates they
are isolated at Layer 2.
# Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
[Router-GigabitEthernet3/1/1] local-proxy-arp enable
The ping operation from Host A to Host B is successful after the configuration.
15
Configuring IP addressing
IP addressing overview
IP address classes
IP addressing uses a 32-bit address to identify each host on a network. To make addresses easier to read,
they are written in dotted decimal notation, each being four octets in length. For example, address
00001000000000010000000100000001 in binary is written as 10.1.1.1.
Each IP address breaks down into two parts:
• Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits,
identify the class of the IP address.
• Host ID—Identifies a host on a network.
IP addresses are divided into five classes, as shown in Figure 8. The shaded areas represent the address
class. The first three classes are widely used.
Figure 8 IP address classes
0 7 15 23 31
Class A 0 Net ID Host ID
Class B 1 0 Net ID Host ID
Class C 1 1 0 Net ID Host ID
Class D 1 1 1 0 Multicast address
Class E 1 1 1 1 0 Reserved
Table 1 describes the address ranges of these five classes.

Table 1 IP address classes and ranges
Class Address range Description

The IP address 0.0.0.0 is used by a host at bootstrap for
temporary communication. This address is never a valid
destination address.
A 0.0.0.0 to 127.255.255.255
Addresses starting with 127 are reserved for loopback
test. Packets destined to these addresses are processed
locally as input packets rather than sent to the link.
B 128.0.0.0 to 191.255.255.255 N/A
C 192.0.0.0 to 223.255.255.255 N/A
D 224.0.0.0 to 239.255.255.255 Multicast address.
Reserved for future use except for the broadcast address

E 240.0.0.0 to 255.255.255.255
255.255.255.255.
16
Special IP addresses
The following IP addresses are for special use, and they cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address
0.0.0.16 indicates the host with a host ID of 16 on the local network.
• IP address with an all-zero host ID—Identifies a network.
• IP address with an all-one host ID—Identifies a directed broadcast address. For example, a packet
with the destination address of 192.168.1.255 will be broadcasted to all the hosts on the network
192.168.1.0.
Subnetting and masking

Subnetting divides a network down into smaller networks called subnets by using some bits of the host ID
to create a subnet ID.
Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.
Each subnet mask comprises 32 bits that correspond to the bits in an IP address. In a subnet mask,
consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.
Before being subnetted, Class A, B, and C networks use these default masks (also called natural masks):
255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
Figure 9 Subnetting a Class B network
Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets
means accommodating somewhat fewer hosts.
For example, a Class B network without subnetting can accommodate 1022 more hosts than the same
network subnetted into 512 subnets.
• Without subnetting, 65,534 hosts (216 – 2). (The two deducted addresses are the broadcast
address, which has an all-one host ID, and the network address, which has an all-zero host ID.)
• With subnetting, using the first 9 bits of the host-id for subnetting provides 512 (29) subnets. However,
only 7 bits remain available for the host ID. This allows 126 (27 – 2) hosts in each subnet, a total of
64,512 hosts (512 × 126).
Configuring IP addresses
An interface must has an IP address to communicate with other hosts. You can either manually assign an
IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or
PPP address negotiation. If you change the way an interface obtains an IP address, the new IP address
will overwrite the previous one.
17
NOTE:
• This router does not support IP address assignment through DHCP and BOOTP.
• This chapter only covers how to assign an IP address manually.
• For how to obtain an IP address through PPP address negotiation, see Layer 2—WAN Configuration
Guide.
Assigning an IP address to an interface

You may assign an interface multiple IP addresses, one primary and multiple secondaries.
Generally, you only need to assign the primary address to an interface. In some cases, you need to
assign secondary IP addresses for the interface. For example, if the interface connects to two subnets, to
enable the router to communicate with all hosts on the LAN, you need to assign a primary IP address and
a secondary IP address to the interface.
To assign an IP address to an interface:

interface-number
No IP address is assigned by default.

3. Assign an IP address ip address ip-address You can assign only one primary, and up
to the interface. { mask-length | mask } [ sub ] to 127 secondary IP addresses to an
interface.
CAUTION:
• The primary IP address you assigned to the interface can overwrite the old one if there is any.
• You cannot assign secondary IP addresses to an interface that obtains an IP address through PPP
address negotiation or IP unnumbered.
• The primary and secondary IP addresses you assign to the interface can be located on the same
network segment, but different interfaces on your device must reside on different network segments.
Displaying and maintaining IP addressing

Display IP configuration information display ip interface [ interface-type
for a specified Layer 3 interface or all interface-number ] [ | { begin | exclude | Available in any view
Layer 3 interfaces. include } regular-expression ]
Display brief IP configuration display ip interface [ interface-type

information for a specified Layer 3 [ interface-number ] ] brief [ | { begin | Available in any view
interface or all Layer 3 interfaces. exclude | include } regular-expression ]
18
IP addressing configuration example
As shown in Figure 10, GigabitEthernet 3/1/1 on Router is connected to a LAN comprising two
segments: 172.16.1.0/24 and 172.16.2.0/24.
To enable the hosts on the two network segments to access the external network through the router, and
enable the hosts on the two network segments to communicate with each other, do the following:
• Assign a primary IP address and a secondary IP address to GigabitEthernet 3/1/1 on the router.
• Set the router as the gateway on all hosts.
172.16.1.0/24 Router
Host B
GE3/1/1
172.16.1.1/24
172.16.1.2/24 172.16.2.1/24 sub
172.16.2.2/24
Host A
172.16.2.0/24
# Assign a primary IP address and a secondary IP address to GigabitEthernet 3/1/1.
[Router-GigabitEthernet3/1/1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the PCs attached to 172.16.1.0/24, and to 172.16.2.1 on the
PCs attached to 172.16.2.0/24.
# Ping a host on subnet 172.16.1.0/24 from the router to check the connectivity.
<Router> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
19
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
The output shows that the router can communicate with the host on subnet 172.16.1.0/24.
# Ping a host on subnet 172.16.2.0/24 from the router to check the connectivity.
<Router> ping 172.16.2.2

0.00% packet loss
The output shows that the router can communicate with the host on subnet 172.16.2.0/24.
# Ping a host on subnet 172.16.1.0/24 from a host on subnet 172.16.2.0/24 to check the connectivity.
Host B can be successfully pinged from Host A.
Configuring IP unnumbered
IP unnumbered overview
Logically, to enable IP on an interface, you must assign this interface a unique IP address. Yet, you can
borrow an IP address already configured on one of other interfaces on your device instead. This is called
IP unnumbered and the interface borrowing the IP address is called IP unnumbered interface.
You may use IP unnumbered to save IP addresses either when available IP addresses are inadequate or
when an interface is brought up only for occasional use.
Configuration prerequisites
Assign a primary IP address to the interface from which you want to borrow the IP address. Alternatively,
you may configure the interface to obtain one through PPP address negotiation.
To configure IP unnumbered on an interface:
20
interface-number
3. Specify the current interface to The interface does not borrow IP

ip address unnumbered interface
borrow the IP address of the addresses from other interfaces by
interface-type interface-number
specified interface. default.
CAUTION:
• Serial, POS, and ATM interfaces can borrow IP addresses from Layer 3 Ethernet interfaces or other
interfaces.
• Layer 3 Ethernet interfaces and loopback interfaces cannot borrow IP addresses of other interfaces, but
other interfaces can borrow IP addresses of these interfaces.
• An interface cannot borrow an IP address from an unnumbered interface.
• Multiple interfaces can use the same unnumbered IP address.
• The IP address of the borrowing interface always keeps consistent and varies with that of the borrowed
interface. If an IP address is configured for the borrowed interface, the IP address of the borrowing
interface is the same as that of the borrowed interface; if no IP address is configured for the borrowed
interface, no IP address is assigned for the borrowing interface.
IP unnumbered configuration example

As shown in Figure 11, two routers on an intranet are connected to each other through serial interfaces
across a Digital Data Network (DDN), and they each connect to a LAN through Ethernet interfaces.
To save IP addresses, configure the serial interfaces to borrow IP addresses from the Ethernet interfaces.
DDN
S3/1/9:23 S3/1/9:23
Router A Router B
GE3/1/1 GE3/1/1
172.16.10.1/24 172.16.20.1/24
1. Configure Router A:
# Assign a primary IP address to GigabitEthernet 3/1/1.
<RouterA> system-view
[RouterA] interface GigabitEthernet 3/1/1
21
[RouterA-GigabitEthernet3/1/1] ip address 172.16.10.1 255.255.255.0
[RouterA-GigabitEthernet3/1/1] quit
# Configure Serial 3/1/9:23 to borrow an IP address from GigabitEthernet 3/1/1.
[RouterA] interface serial 3/1/9:23
[RouterA-Serial3/1/9:23] ip address unnumbered interface GigabitEthernet 3/1/1
[RouterA-Serial3/1/9:23] quit
# Create a route to the subnet attached to Router B, specifying interface Serial 3/1/9:23 as the
outgoing interface.
[RouterA] ip route-static 172.16.20.0 255.255.255.0 serial 3/1/9:23
2. Configure Router B:
# Assign a primary IP address to GigabitEthernet 3/1/1.
<RouterB> system-view
[RouterB] interface GigabitEthernet 3/1/1
[RouterB-GigabitEthernet3/1/1] ip address 172.16.20.1 255.255.255.0
[RouterB-GigabitEthernet3/1/1] quit
# Configure interface Serial 3/1/9:23 to borrow an IP address from GigabitEthernet 3/1/1.
[RouterB] interface serial 3/1/9:23
[RouterB-Serial3/1/9:23] ip address unnumbered interface GigabitEthernet 3/1/1
[RouterB-Serial3/1/9:23] quit
# Create a route to the subnet attached to Router A, specifying interface Serial 3/1/9:23 as the
outgoing interface.
[RouterB] ip route-static 172.16.10.0 255.255.255.0 serial 3/1/9:23
3. Ping a host attached to Router B from Router A to verify the configuration.
[RouterA] ping 172.16.20.2

0.00% packet loss
The output shows that the host can be pinged.
22
DHCP overview
Introduction to DHCP
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 12 shows a typical DHCP application.
Figure 12 A typical DHCP application
NOTE:
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet via a DHCP relay agent. For more information about the DHCP relay agent, see
“Introduction to DHCP relay agent.”
DHCP address allocation

Allocation mechanisms
DHCP supports the following mechanisms for IP address allocation.
• Static allocation—The network administrator assigns an IP address to a client like a WWW server,
and DHCP conveys the assigned address to the client.
• Automatic allocation—DHCP assigns a permanent IP address to a client.
• Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, which is
called a lease. Most DHCP clients obtain their addresses in this way.
23
Dynamic IP address allocation process
Figure 13 Dynamic IP address allocation process
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.

2. A DHCP server offers configuration parameters such as an IP address to the client in a
DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in
the DHCP-DISCOVER message. For related information, see “DHCP message format.”
3. If several DHCP servers send offers to the client, the client accepts the first received offer, and
broadcasts it in a DHCP-REQUEST message to formally request the IP address.
4. All DHCP servers receive the DHCP-REQUEST message, but only the server from which the client
accepts the offered IP address returns a DHCP-ACK message to the client, confirming that the IP
address has been allocated to the client, or returns a DHCP-NAK message, denying the IP address
allocation.
NOTE:
• After the client receives the DHCP-ACK message, it broadcasts a gratuitous ARP packet to verify whether
the IP address assigned by the server is already in use. If the client receives no response within the
specified time, the client uses the assigned IP address. Otherwise, the client sends a DHCP-DECLINE
message to the server to request an IP address again.
• IP addresses offered by other DHCP servers are still assignable to other clients.
IP address lease extension

The IP address dynamically allocated by a DHCP server to a client has a lease. When the lease expires,
the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend
the lease duration.
After half the lease duration, the DHCP client sends a DHCP-REQUEST unicast to the DHCP server to
extend the lease. Depending on availability of the IP address, the DHCP server returns a DHCP-ACK
unicast confirming that the client’s lease duration has been extended, or a DHCP-NAK unicast denying
the request.
If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension after
7/8 lease duration elapses.
24
DHCP message format
Figure 14 shows the DHCP message format, which is based on the BOOTP message format although
DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size
of each field in bytes.
Figure 14 DHCP message format
• op—Message type defined in option field. 1 = REQUEST, 2 = REPLY

• htype, hlen—Hardware address type and length of a DHCP client.
• hops—Number of relay agents a request message traveled.
• xid—Transaction ID, a random number chosen by the client to identify an IP address allocation.
• secs—Filled in by the client, the number of seconds elapsed since the client began address
acquisition or renewal process. Currently this field is reserved and set to 0.
• flags—The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server
sent a reply back by unicast; if this flag is set to 1, the DHCP server sent a reply back by broadcast.
The remaining bits of the flags field are reserved for future use.
• ciaddr—Client IP address.
• yiaddr—'your' (client) IP address, assigned by the server.
• siaddr—Server IP address, from which the client obtained configuration parameters.
• giaddr—IP address of the first relay agent a request message traveled.
• chaddr—Client hardware address.
• sname—Server host name, from which the client obtained configuration parameters.
• file—Bootfile name and path information, defined by the server to the client.
• options—Optional parameters field that is variable in length, which includes the message type,
lease, domain name server IP address, and WINS IP address.
25
DHCP options
Overview
DHCP uses the same message format as Bootstrap Protocol (BOOTP), but DHCP uses the Option field to
carry information for dynamic address allocation and to provide additional configuration information to
clients.
Figure 15 shows the DHCP option format.
Figure 15 DHCP option format
Introduction to DHCP options

Common DHCP options:
• Option 3—Router option. It specifies the gateway address to be assigned to the client.
• Option 6—DNS server option. It specifies the DNS server IP address to be assigned to the client.
• Option 33—Static route option. It specifies a list of classful static routes (the destination addresses
in these static routes are classful) that a client should add to its routing table. If both Option 33 and
Option 121 exist, Option 33 is ignored.
• Option 51—IP address lease option.
• Option 53—DHCP message type option. It identifies the type of the DHCP message.
• Option 55—Parameter request list option. It is used by a DHCP client to request specified
configuration parameters. The option contains values that correspond to the parameters requested
by the client.
• Option 60—Vendor class identifier option. It is used by a DHCP client to identify its vendor, and by
a DHCP server to distinguish DHCP clients by vendor class and assign specific IP addresses for the
DHCP clients.
• Option 66—TFTP server name option. It specifies a TFTP server to be assigned to the client.
• Option 67—Bootfile name option. It specifies the bootfile name to be assigned to the client.
• Option 121—Classless route option. It specifies a list of classless static routes (the destination
addresses in these static routes are classless) that the requesting client should add to its routing table.
If both Option 33 and Option 121 exist, Option 33 is ignored.
• Option 150—TFTP server IP address option. It specifies the TFTP server IP address to be assigned to
the client.
For more information about DHCP options, see RFC 2132 and RFC 3442.
Custom options
Some options, such as Option 43, have no unified definitions in RFC 2132.
26
Vendor-specific option (Option 43)
DHCP servers and clients use Option 43 to exchange vendor-specific configuration information. The
client sends a request with Option 43, including a vendor string that identifies a vendor. Upon receiving
the request, the DHCP server refers to the vendor-specific options table, and returns a response message
with Option 43 to assign the appropriate vendor-specific information to the DHCP client.
The DHCP client can obtain the following information through Option 43:
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password.
• Service provider identifier, which is acquired by the customer premises equipment (CPE) from the
DHCP server and sent to the ACS for selecting vender-specific configurations and parameters. For
more information about CPE and ACS, see Network Management and Monitoring Configuration
Guide.
• Preboot Execution Environment (PXE) server address, which is used to obtain the bootfile or other
control information from the PXE server.
• Access controller (AC) address, which is used by an AP to obtain the boot file or other control
information from the AC.
1. Format of Option 43
Figure 16 Format of Option 43
Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure
16. The sub-option fields are described as follows:
{ Sub-option type—Type of a sub-option. The field value can be 0x01, 0x02, or 0x80. 0x01
indicates an ACS parameter sub-option. 0x02 indicates a service provider identifier sub-option.
0x80 indicates a PXE server address sub-option.
{ Sub-option length—Length of a sub-option excluding the sub-option type and sub-option length
fields.
{ Sub-option value—Value of a sub-option.
2. Format of the sub-option value field of Option 43
{ As shown in Figure 17, the value field of the ACS parameter sub-option contains variable ACS
URL, username, and password separated by spaces (0x20).
Figure 17 Format of the value field of the ACS parameter sub-option
URL of ACS (variable) 20
User name of ACS (variable) 20
Password of ACS (variable)
{ The value field of the service provider identifier sub-option contains the service provider
identifier.
27
{ Figure 18 shows the format of the value field of the PXE server address sub-option. Currently, the
value of the PXE server type can only be 0. The server number field indicates the number of PXE
servers contained in the sub-option. The server IP addresses field contains the IP addresses of
the PXE servers.
Figure 18 Format of the value field of the PXE server address sub-option
Relay agent option (Option 82)

Option 82 is the relay agent option in the option field of the DHCP message. It records the location
information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client’s
request, it adds Option 82 to the request message and sends it to the server.
The administrator can locate the DHCP client to further implement security control and accounting. The
Option 82 supporting server can also use such information to define individual assignment policies of IP
address and other parameters for the clients.
Option 82 involves at most 255 sub-options. At least one sub-option must be defined. The DHCP relay
agent supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).
Option 82 has no unified definition. Its padding formats vary with vendors.
There are two methods for configuring Option 82:
• User-defined method—Manually specify the content of Option 82.
• Non-user-defined method—Pad Option 82 in the default normal or verbose format.
If you choose the second method, you can specify the code type for the sub-options as ASCII or HEX.
1. Normal padding format
The padding contents for sub-options in the normal padding format are as follows:
{ Sub-option 1—Padded with the VLAN ID and interface number of the interface that received
the client’s request. The value of the sub-option type is 1, and that of the circuit ID type is 0.
Figure 19 Sub-option 1 in normal padding format
{ Sub-option 2—Padded with the MAC address of the DHCP relay agent interface or the MAC
address of the DHCP snooping device that received the client’s request. The value of the
sub-option type is 2, and that of the remote ID type is 0.
28
Figure 20 Sub-option 2 in normal padding format
2. Verbose padding format

{ Sub-option 1—Padded with the user-specified access node identifier (ID of the router that adds
Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that
received the client’s request.
Figure 21 Sub-option 1 in verbose padding format
NOTE:
The VLAN ID field has a fixed length of 2 bytes. All the other padding contents of sub-option 1 are length
variable. See Figure 21.
{ Sub-option 2—Padded with the MAC address of the DHCP relay agent interface or the MAC
address of the DHCP snooping device that received the client’s request. It has the same format
as that in normal padding format. See Figure 20.
Option 184
Option 184 is a reserved option, and parameters in the option can be defined as needed. The router
supports Option 184 carrying the voice related parameters, so a DHCP client with voice functions can
get an IP address along with specified voice parameters from the DHCP server.
Option 184 involves the following sub-options:
• Sub-option 1—IP address of the primary network calling processor, which serves as the network
calling control source and provides program downloads.
• Sub-option 2—IP address of the backup network calling processor that DHCP clients will contact
when the primary one is unreachable.
• Sub-option 3—Voice VLAN ID and the result whether DHCP clients take this ID as the voice VLAN
or not.
• Sub-option 4—Failover route that specifies the destination IP address and the called number that a
Session Initiation Protocol (SIP) user uses to reach another SIP user when both the primary and
backup calling processors are unreachable.
NOTE:
You must define the sub-option 1 to make other sub-options effective.
Protocols and standards

• RFC 2131, Dynamic Host Configuration Protocol
29
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP)
version 4
30
Configuring DHCP server
NOTE:
Unless otherwise specified, the DHCP server configuration is supported only on Layer 3 Ethernet interfaces
(or subinterfaces), virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, Layer 3 aggregate
interfaces, serial interfaces, ATM interfaces, MP-group interfaces, and loopback interfaces. The
secondary IP address pool configuration is not supported on serial, MP-group or loopback interfaces.
Introduction to DHCP server

Application environment
The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• Many hosts need to acquire IP addresses dynamically. This may be because the number of hosts
exceeds the number of assignable IP addresses, so it is impossible to assign a fixed IP address to
each host. For example, an ISP has a limited number of host addresses.
• A few hosts need fixed IP addresses.
NOTE:
In addition to assigning IP addresses to DHCP clients on public networks, a MCE serving as the DHCP
server can also assign IP addresses to DHCP clients on private networks. The IP address ranges of public
and private networks or those of private networks on the DHCP server cannot overlap each other. For
more information about MCE, see MPLS Configuration Guide.
DHCP address pool

Address pool types
DHCP address pools include common and extended address pools.
• Common address pool—Supports both static binding and dynamic allocation.
• Extended address pool—Supports only dynamic allocation.
Common address pool structure

The common address pool database is organized as a tree. The root of the tree is the address pool for
natural networks, branches are address pools for subnets, and leaves are addresses statically bound to
clients. For the same level address pools, a previously configured pool has a higher selection priority
than a new one.
At the very beginning, subnets inherit network parameters and clients inherit subnetwork parameters.
Therefore, common parameters, for example a DNS server address, should be configured at the highest
(network or subnet) level of the tree.
31
After establishment of the inheritance relationship, the new configuration at the higher level (parent) of
the tree will be:
• Inherited if the lower level (child) has no such configuration, or
• Overridden if the lower level (child) has such configuration.
NOTE:
• The extended address pools on a DHCP server are independent of each other and no inheritance
relationship exists among them.
• IP address lease durations are not inherited.
Principles for selecting an address pool

The DHCP server observes the following principles to select an address pool when assigning an IP
address to a client:
1. If there is an address pool where an IP address is statically bound to the MAC address or ID of the
client, the DHCP server will select this address pool and assign the statically bound IP address to
the client. For the configuration of this address pool, see “Configuring static address allocation.”
2. If the receiving interface has an extended address pool referenced, the DHCP server will assign an
IP address from this address pool. If no IP address is available in the address pool, the DHCP
server will fail to assign an address to the client. For the configuration of such an address pool, see
“Configuring dynamic address allocation for an extended address pool.”
3. Otherwise, the DHCP server will select the smallest common address pool that contains the IP
address of the receiving interface (if the client and the server reside on the same subnet), or the
smallest common address pool that contains the IP address specified in the giaddr field of the
client’s request (if a DHCP relay agent is in-between). If no IP address is available in the address
pool, the DHCP server will fail to assign an address to the client because it cannot assign an IP
address from the parent address pool to the client. For the configuration of such an address pool,
see “Configuring dynamic address allocation.”
For example, two common address pools, 1.1.1.0/24 and 1.1.1.0/25, are configured on the DHCP server.
If the IP address of the interface receiving DHCP requests is 1.1.1.1/25, the DHCP server will select IP
addresses for clients from address pool 1.1.1.0/25. If no IP address is available in the address pool, the
DHCP server will fail to assign addresses to clients. If the IP address of the interface receiving DHCP
requests is 1.1.1.130/25, the DHCP server will select IP addresses for clients from the 1.1.1.0/24 address
pool.
NOTE:
Keep the IP addresses for dynamic allocation within the subnet where the interface of the DHCP server or
DHCP relay agent resides to avoid wrong IP address allocation.
IP address allocation sequence

A DHCP server assigns an IP address to a client according to the following sequence:
1. The IP address statically bound to the client’s MAC address or ID
2. The IP address that was ever assigned to the client
3. The IP address designated by the Option 50 field in a DHCP-DISCOVER message
4. The first assignable IP address found in an extended or common address pool
5. The IP address that was a conflict or passed its lease duration
32
If no IP address is assignable, the server will not respond.
NOTE:
Option 50 is the requested IP address field in DHCP-DISCOVER messages. It is padded by the client to
specify the IP address that the client wants to obtain. The contents to be padded depend on the client.
DHCP server configuration task list

Complete the following tasks to configure the DHCP server:
Task Remarks
Configuring an address pool for the DHCP server Required
Enabling DHCP Required
Enabling the DHCP server on an interface Required
Required by the extended address pool

configuration
Applying an extended address pool on an interface
When you configure a common
address pool, ignore this task.
Configuring the DHCP server security functions Optional
Enabling Option 82 handling Optional
Specifying the threshold for sending trap messages Optional
Configuring an address pool for the DHCP server

Configuration task list
Complete the following tasks to configure an address pool:
Task Remarks
Creating a DHCP address pool Required
Configuring an address Configuring static address allocation Required to configure either

allocation mode for a of the two for the common
common address pool Configuring dynamic address allocation address pool configuration
Required for the extended

Configuring dynamic address allocation for an extended address pool
address pool configuration
Configuring a domain name suffix for the client
Configuring DNS servers for the client
Configuring WINS servers and NetBIOS node type for the client
Optional
Configuring BIMS server information for the client
Configuring gateways for the client
Configuring Option 184 parameters for the client with voice service
33
Task Remarks
Configuring the TFTP server and bootfile name for the client
Configuring self-defined DHCP options
Creating a DHCP address pool

When creating a DHCP address pool, specify it as a common address pool or an extended address
pool.
To create a DHCP address pool:

2. Create a DHCP address pool dhcp server ip-pool pool-name No DHCP address pool is created by
and enter its view. [ extended ] default.
NOTE:
A common address pool and an extended address pool are different in address allocation mode
configuration. Configurations of other parameters (such as the domain name suffix and DNS server
address) for them are the same.
Configuring an address allocation mode for a common

address pool
CAUTION:
You can configure either a static binding or dynamic address allocation for a common address pool, but
not both.
You need to specify an address range for the dynamic address allocation. A static binding is a special
address pool containing only one IP address.
Configuring static address allocation

Some DHCP clients such as a WWW server need fixed IP addresses. To provide a fixed IP address, you
can create a static binding of a client’s MAC or ID to an IP address in the DHCP address pool. A static
binding is a special address pool containing only one IP address.
When the client with that MAC address or ID requests an IP address, the DHCP server will assign the IP
address from the binding to the client.
To configure a static binding in a common address pool:

2. Enter common address pool view. dhcp server ip-pool pool-name N/A
static-bind ip-address ip-address No IP addresses are statically

3. Specify the IP address.
[ mask-length | mask mask ] bound by default.
34
• Specify the MAC address:
static-bind mac-address
Configure either of the two.
4. Specify the MAC address or mac-address
client ID. Neither is bound statically by
• Specify the client ID:
default.
static-bind client-identifier
client-identifier
expired { day day [ hour hour Optional.

5. Specify the lease duration for the
[ minute minute [ second By default, the lease duration of
IP address.
second ] ] ] | unlimited } the IP address is unlimited.
NOTE:
• Use the static-bind ip-address command together with static-bind mac-address or static-bind
client-identifier to accomplish a static binding configuration.
• In a DHCP address pool, if you execute the static-bind mac-address command before the static-bind
client-identifier command, the latter will overwrite the former and vice versa.
• If you use the static-bind ip-address, static-bind mac-address, or static-bind client-identifier
command repeatedly in the DHCP address pool, the new configuration will overwrite the previous one.
• The IP address of the static binding cannot be an interface address of the DHCP server. Otherwise, an
IP address conflict may occur and the bound client cannot obtain an IP address correctly.
• If the interfaces on a DHCP client share the same MAC address, you need to specify the client ID, rather
than MAC address, in a static binding to identify the requesting interface; otherwise, the client may fail
to obtain an IP address.
Configuring dynamic address allocation

For dynamic address allocation, you must configure a DHCP address pool, specify one and only one
address range for the pool, and specify the lease duration. A DHCP address pool can have only one
lease duration.
To avoid address conflicts, configure the DHCP server to exclude IP addresses used by the gateway or
FTP server from dynamic allocation.
To configure dynamic address allocation for a common address pool:

2. Enter common address pool
dhcp server ip-pool pool-name N/A
view.
network network-address
3. Specify an IP address range. Not specified by default.
[ mask-length | mask mask ]

4. Specify the address lease
[ minute minute ] [ second
duration. One day by default.
second ] ] | unlimited }
5. Return to system view. quit N/A
35
Optional.
6. Exclude IP addresses from dhcp server forbidden-ip Except IP addresses of the DHCP
automatic allocation. low-ip-address [ high-ip-address ] server interfaces, all addresses in
the DHCP address pool are
assignable by default.
NOTE:
• In common address pool view, using the network command repeatedly overwrites the previous
configuration.
• After you exclude IP addresses from automatic allocation by using the dhcp server forbidden-ip
command, neither a common address pool nor an extended address pool can assign these IP addresses
through dynamic address allocation.
• Using the dhcp server forbidden-ip command repeatedly can exclude multiple IP address ranges from
allocation.
Configuring dynamic address allocation for an extended

address pool
Extended address pools support dynamic address allocation only.
When you configure an extended address pool, you need to specify:
• Assignable IP address range
• Mask
After the assignable IP address range and the mask are specified, the address pool becomes valid.
To configure dynamic address allocation for an extended address pool:

2. Enter extended address pool dhcp server ip-pool pool-name

N/A
view. extended
3. Specify the IP address network ip range min-address

Not specified by default.
range. max-address
4. Specify the IP address mask. network mask mask Not specified by default.
5. Specify the IP address range vendor-class-identifier Optional.

for the DHCP clients of a hex-string&<1-255> ip range
specified vendor. min-address max-address Not configured by default.

6. Specify the address lease
[ minute minute [ second second ] ] ]
duration. One day by default.
| unlimited }
Optional.
7. Exclude IP addresses from Except IP addresses of the DHCP

forbidden-ip ip-address&<1-8> server interfaces, all addresses in
dynamic allocation.
the DHCP address pool are
assignable by default.
36
NOTE:
Excluded IP addresses specified with the forbidden-ip command in DHCP address pool view are not
assignable in the current extended address pool, but are assignable in other address pools.
Configuring a domain name suffix for the client

You can specify a domain name suffix in each DHCP address pool on the DHCP server to provide the
clients with the domain name suffix. With this suffix assigned, the client only needs to input part of a
domain name, and the system will add the domain name suffix for name resolution. For more information
about DNS, see the chapter “IPv4 DNS configuration.”
To configure a domain name suffix in the DHCP address pool:

dhcp server ip-pool pool-name

2. Enter DHCP address pool view. N/A
[ extended ]
3. Specify a domain name suffix. domain-name domain-name Not specified by default
Configuring DNS servers for the client

A DHCP client contacts a Domain Name System (DNS) server to resolve names. You can specify up to
eight DNS servers in the DHCP address pool.
To configure DNS servers in the DHCP address pool:

2. Enter DHCP address pool dhcp server ip-pool pool-name

N/A
view. [ extended ]
3. Specify DNS servers. dns-list ip-address&<1-8> Not specified by default
Configuring WINS servers and NetBIOS node type for the

client
A Microsoft DHCP client using NetBIOS protocol contacts a Windows Internet Naming Service (WINS)
server for name resolution. Therefore, the DHCP server should assign a WINS server address when
assigning an IP address to the client.
You can specify up to eight WINS servers in a DHCP address pool.
You need to specify in a DHCP address pool a NetBIOS node type for the client to approach name
resolution. There are four NetBIOS node types:
• b (broadcast)-node—The b-node client sends the destination name in a broadcast message. The
destination returns its IP address to the client after receiving the message.
37
• p (peer-to-peer)-node—The p-node client sends the destination name in a unicast message to the
WINS server, and the WINS server returns the destination IP address.
• m (mixed)-node—A combination of broadcast first and peer-to-peer second. The m-node client
broadcasts the destination name, if no response is received, then unicasts the destination name to
the WINS server to get the destination IP address.
• h (hybrid)-node—A combination of peer-to-peer first and broadcast second. The h-node client
unicasts the destination name to the WINS server, and if no response is received, broadcasts it to
get the destination IP address.
To configure WINS servers and NetBIOS node type in the DHCP address pool:


N/A
view. [ extended ]
3. Specify WINS server IP Optional for b-node.

nbns-list ip-address&<1-8>
addresses. No address is specified by default.
4. Specify the NetBIOS node netbios-type { b-node | h-node

type. | m-node | p-node }
NOTE:
If b-node is specified for the client, you do not need to specify any WINS server address.
Configuring BIMS server information for the client

Some DHCP clients perform regular software update and backup by using configuration files obtained
from a branch intelligent management system (BIMS) server. Therefore, the DHCP server needs to offer
these DHCP clients the BIMS server IP address, port number, shared key from the DHCP address pool.
To configure the BIMS server IP address, port number, and shared key in the DHCP address pool:


N/A
view. [ extended ]
3. Specify the BIMS server IP
bims-server ip ip-address [ port
address, port number, and Not specified by default
port-number ] sharekey key
shared key.
Configuring gateways for the client

You can specify up to eight gateways in a DHCP address pool.
To configure the gateways in the DHCP address pool:

38
N/A
view. [ extended ]
No gateway is specified by
3. Specify gateways. gateway-list ip-address&<1-8>
default.
Configuring Option 184 parameters for the client with voice

service
To assign voice calling parameters along with an IP address to DHCP clients with voice service, you need
to configure Option 184 on the DHCP server. For more information about Option 184, see “Option 184”.
If Option 55 in the request from a DHCP client contains Option 184, the DHCP server will return
parameters specified in Option 184 to the client. The client then can initiate a call using parameters in
Option 184.
To configure option 184 parameters in the DHCP address pool:

dhcp server ip-pool pool-name

2. Enter DHCP address pool view. N/A
[ extended ]
3. Specify the IP address of the
primary network calling voice-config ncp-ip ip-address Not specified by default.
processor.
4. Specify the IP address of the Optional.
backup network calling voice-config as-ip ip-address
processor. Not specified by default.
voice-config voice-vlan vlan-id Optional.

5. Configure the voice VLAN.
{ disable | enable } Not configured by default.
Optional.
6. Specify the failover IP address voice-config fail-over
and dialer string. ip-address dialer-string No failover IP address or dialer
string is specified by default.
NOTE:
Specify an IP address for the network calling processor before performing other configurations.
Configuring the TFTP server and bootfile name for the client
For the DHCP server to support client auto-configuration, you must specify the IP address or name of a
TFTP server and the bootfile name in the DHCP address pool. You do not need to perform any
configuration on the DHCP client.
The DHCP client uses these parameters to contact the TFTP server and request the configuration file used
for system initialization.
1. When a router starts up without loading any configuration file, the system sets an active interface
(such as the interface of the default VLAN or a Layer 3 Ethernet interface) as the DHCP client to
39
request from the DHCP server for parameters, such as an IP address and name of a TFTP server,
and the bootfile name.
2. After getting related parameters, the DHCP client will send a TFTP request to obtain the
configuration file from the specified TFTP server for system initialization. If the client cannot get
such parameters, it will perform system initialization without loading any configuration file.
When Option 55 in the client’s request contains parameters of Option 66, Option 67, or Option 150, the
DHCP server will return the IP address or name of the specified TFTP server, and bootfile name to the
client.
To configure the IP address and name of the TFTP server and the bootfile name in the DHCP address
pool:

2. Enter DHCP address
dhcp server ip-pool pool-name [ extended ] N/A
pool view.
• Specify the IP address of the TFTP server:

3. Specify the IP address or Use either command
tftp-server ip-address ip-address
the name of the TFTP
server • Specify the name of the TFTP server: Not specified by default
tftp-server domain-name domain-name
4. Specify the bootfile

bootfile-name bootfile-name Not specified by default
name.
Configuring self-defined DHCP options

By configuring self-defined DHCP options, you can
• Define new DHCP options. New configuration options will come out with DHCP development. To
support these new options, you can add them into the attribute list of the DHCP server.
• Define existing DHCP options. Vendors use Option 43 to define options that have no unified
definitions in RFC 2132. The self-defined DHCP option enables DHCP clients to obtain
vendor-specific information.
• Extend existing DHCP options. When the current DHCP options cannot meet the customers’
requirements (for example, you cannot use the dns-list command to configure more than eight DNS
server addresses), you can configure a self-defined option for extension.
To configure a self-defined DHCP option in the DHCP address pool:


N/A
view. [ extended ]
option code { ascii ascii-string |

3. Configure a self-defined No DHCP option is configured by
hex hex-string&<1-16> |
DHCP option. default.
ip-address ip-address&<1-8> }
40
Table 2 Description of common options
Option Option name Corresponding command Command parameter

3 Router Option gateway-list ip-address
6 Domain Name Server Option dns-list ip-address
15 Domain Name domain-name ascii
NetBIOS over TCP/IP Name

44 nbns-list ip-address
Server Option
NetBIOS over TCP/IP Node Type

46 netbios-type hex
Option
66 TFTP server name tftp-server ascii
67 Bootfile name bootfile-name ascii
43 Vendor Specific Information N/A hex
CAUTION:
Be cautious When you configure self-defined DHCP options because such configuration may affect the
operation of DHCP.
Enabling DHCP
Enable DHCP before performing other configurations.
To enable DHCP:

2. Enable DHCP. dhcp enable Disabled by default
Enabling the DHCP server on an interface

With the DHCP server enabled on an interface, upon receiving a client’s request, the DHCP server will
assign an IP address from its address pool to the DHCP client.
To enable the DHCP server on an interface:

3. Enable the DHCP server on Optional

dhcp select server global-pool [ subaddress ]
an interface. Enabled by default
41
NOTE:
If a DHCP relay agent exists between the DHCP server and client, the DHCP server, regardless of whether
the subaddress keyword is used, will select an IP address from the address pool containing the primary IP
address of the DHCP relay agent’s interface (connected to the client) for a requesting client.
NOTE:
When the DHCP server and client are on the same subnet:
• With the keyword subaddress specified, the DHCP server will preferably assign an IP address from an
address pool that resides on the same subnet as the primary IP address of the server interface
(connecting to the client). If the address pool contains no assignable IP address, the server assigns an IP
address from an address pool that resides on the same subnet as the secondary IP addresses of the
server interface. If the interface has multiple secondary IP addresses, each address pool is tried in turn
for address allocation.
• Without the keyword subaddress specified, the DHCP server can only assign an IP address from the
address pool that resides on the same subnet as the primary IP address of the server interface.
Applying an extended address pool on an interface

After you create an extended address pool and apply it on an interface, the DHCP server, upon receiving
a client's request on the interface, attempts to assign the client the statically bound IP address first and
then an IP address from the specified address pool. If no IP address is available, address allocation fails,
and the DHCP server will not assign the client any IP address from other address pools.
To apply an extended address pool on an interface:

interface-number
Optional.
3. Apply an extended By default, the DHCP server has no

dhcp server apply ip-pool extended address pool applied on its
address pool on the
pool-name interface, and assigns an IP address
interface.
from a common address pool to a
requesting client.
NOTE:
• This function is available only on a Layer 3 Ethernet interface (or subinterface), or a VLAN interface.
• Only an extended address pool can be applied on the interface. The address pool to be referenced must
already exist.
Configuring the DHCP server security functions

Before performing this configuration, complete the following configurations on the DHCP server:
42
• Enable DHCP
• Configure the DHCP address pool
Enabling unauthorized DHCP server detection

Unauthorized DHCP servers on a network may assign wrong IP addresses to DHCP clients.
With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request
contains Option 54 (Server Identifier Option). If yes, the DHCP server records the IP address in the option,
which is the IP address of the DHCP server that assigned an IP address to the DHCP client and records
the receiving interface. The administrator can use this information to check for unauthorized DHCP
servers.
To enable unauthorized DHCP server detection:

2. Enable unauthorized DHCP
dhcp server detect Disabled by default
server detection.
NOTE:
With the unauthorized DHCP server detection enabled, the router logs each detected DHCP server once.
The administrator can use the log information to find unauthorized DHCP servers.
Configuring IP address conflict detection

With IP address conflict detection enabled, the DHCP server pings each IP address to be assigned using
ICMP. If the server receives a response within the specified period, the server selects and pings another
IP address. If not, the server pings the IP addresses once again until the specified number of ping packets
are sent. If still no response is received, the server assigns the IP address to the requesting client (The
DHCP client probes the IP address by sending gratuitous ARP packets).
To configure IP address conflict detection:

Optional.
2. Specify the number of ping dhcp server ping packets One ping packet by default.
packets. number The value 0 indicates that no ping
operation is performed.
Optional.
3. Configure a timeout waiting dhcp server ping timeout 500 ms by default.
for ping responses. milliseconds The value 0 indicates that no ping
operation is performed.
43
Configuring the DHCP server to work with authorized ARP
Only the clients that obtain an IP address from the DHCP server are considered as authorized clients. If
the DHCP server also serves as the gateway, it can work with authorized ARP to block unauthorized
clients and prevent ARP spoofing attacks.
To enable the DHCP server to work with authorized ARP, perform the following:
• Configure the DHCP server to support authorized ARP—The DHCP server notifies authorized ARP
to add/delete/change authorized ARP entries when adding/deleting/changing IP address leases.
• Enable authorized ARP—The ARP automatic learning function is disabled after you enable
authorized ARP. ARP entries are added according to the IP address leases specified by the DHCP
server, to avoid learning incorrect ARP entries.
The DHCP server works with authorized ARP for the following purposes:
• Only the clients that have obtained IP addresses from the DHCP server and have their ARP entries
recorded on the DHCP server are authorized clients and can access the network normally.
• The clients that have not obtained IP addresses from the DHCP server are considered unauthorized
clients and are unable to access the network.
• Disabling ARP automatic learning prevents network attacks such as IP/MAC address spoofing
attacks, and only authorized users can access the network.
To configure the DHCP server to work with authorized ARP:

interface-number
3. Enable the DHCP server to
dhcp update arp Not enabled by default
work with authorized ARP.
4. Enable authorized ARP. arp authorized enable Disabled by default
NOTE:
• Authorized ARP can only be configured on Layer 3 interfaces.
• When the working mode of the interface is changed from DHCP server to DHCP relay agent, neither the
IP address leases nor the authorized ARP entries will be deleted. However, these ARP entries may conflict
with new ARP entries generated on the DHCP relay agent. Therefore, H3C recommends you delete the
existing IP address leases by using the reset dhcp server ip-in-use command when you change the
interface working mode to DHCP relay agent.
• Disabling the DHCP server to support authorized ARP will not delete the IP address leases, but will delete
the corresponding authorized ARP entries.
• For more information about authorized ARP, see Security Configuration Guide. For more information
about the arp authorized enable command, see Security Command Reference.
Enabling Option 82 handling

With Option 82 handling enabled, when the DHCP server receives a request with Option 82, it adds
Option 82 into the response.
44
If the server is configured to ignore Option 82, it will assign an IP address to the client without adding
Option 82 in the response message.
Before performing this configuration, complete the following configuration on the DHCP server:
• Enable DHCP
• Configure the DHCP address pool
Enable Option 82 handling

To enable the DHCP server to handle Option 82:

2. Enable the server to handle dhcp server relay information Optional

Option 82. enable Enabled by default
NOTE:
Supporting Option 82 requires configuring both the DHCP server and relay agent (or the router enabled
with DHCP snooping). For more information, see the chapter “DHCP relay agent configuration.”
Specifying the threshold for sending trap messages

Before performing the configuration, use the snmp-agent target-host command to specify the destination
address of the trap messages. For more information about the command, see Network Management and
Monitoring Command Reference.
A DHCP server sends trap messages to the network management server when one of the following items
reaches the specified threshold:
• The ratio of successfully allocated IP addresses to received DHCP requests
• The average IP address utilization of the address pool
• The maximum IP address utilization of the address pool
Trap messages help network administrators know the latest usage information of the DHCP server.
To specify the threshold for sending trap messages:

2. Specify the threshold for dhcp server threshold { allocated-ip Optional

sending trap messages to the threshold-value | average-ip-use
network management server. threshold-value | max-ip-use threshold-value } Disabled by default
45
Displaying and maintaining the DHCP server
display dhcp server conflict { all | ip
Display information about IP address
ip-address } [ | { begin | exclude | include } Available in any view
conflicts.
display dhcp server expired { all | ip

Display information about lease
ip-address | pool [ pool-name ] } [ | { begin | Available in any view
expiration.
Display information about assignable display dhcp server free-ip [ | { begin |

Available in any view
IP addresses. exclude | include } regular-expression ]
Display IP addresses excluded from

display dhcp server forbidden-ip [ | { begin |
automatic allocation in the DHCP Available in any view
address pool.
display dhcp server ip-in-use { all | ip

Display information about bindings. ip-address | pool [ pool-name ] } [ | { begin | Available in any view
Display information about DHCP display dhcp server statistics [ | { begin |

server statistics. exclude | include } regular-expression ]
display dhcp server tree { all | pool

Display tree organization
[ pool-name ] } [ | { begin | exclude | Available in any view
information of address pool(s).
Clear information about IP address

reset dhcp server conflict { all | ip ip-address } Available in user view
conflicts.
Clear information about dynamic reset dhcp server ip-in-use { all | ip

Available in user view
bindings. ip-address | pool [ pool-name ] }
Clear information about DHCP server

reset dhcp server statistics Available in user view
statistics.
NOTE:
Using the save command does not save DHCP server lease information. Therefore, when the system boots
up or the reset dhcp server ip-in-use command is executed, no lease information will be available in the
configuration file. The server will deny the request for lease extension from a client and the client needs to
request an IP address again.
DHCP server configuration examples

DHCP networking involves two types:
• The DHCP server and client are on the same subnet and perform direct message delivery.
• The DHCP server and client are not on the same subnet and communicate with each other via a
DHCP relay agent.
The DHCP server configuration for the two types is the same.
46
Static IP address assignment configuration example
As shown in Figure 22, Router A (DHCP client) and Router B (BOOTP client) obtain a static IP address,
DNS server address, and gateway address from Device (DHCP server) respectively.
The MAC address of interface GigabitEthernet 3/1/1 on Router B:
000f-e200-01c0.
The client ID of interface GigabitEthernet 3/1/1 on Router A:
3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30.
Gateway
10.1.1.126/25
GE3/1/1
10.1.1.1/25 10.1.1.2/25 GE3/1/1 GE3/1/1
Device Router A Router B

DHCP server DNS server DHCP Client BOOTP Client
1. Configure the IP address of GigabitEthernet 3/1/1 on Device.
[Device] interface GigabitEthernet 3/1/1
[Device-GigabitEthernet3/1/1] ip address 10.1.1.1 25
[Device-GigabitEthernet3/1/1] quit
2. Configure the DHCP server:
# Enable DHCP.
[Device] dhcp enable
# Enable the DHCP server on interface GigabitEthernet 3/1/1.
[Device] interface Gigabitethernet 3/1/1
[Device-Gigabitethernet3/1/1] dhcp select server global-pool
[Device-Gigabitethernet3/1/1] quit
# Create DHCP address pool 0, and configure a static binding, DNS server and gateway in it.
[Device] dhcp server ip-pool 0
[Device-dhcp-pool-0] static-bind ip-address 10.1.1.5
[Device-dhcp-pool-0] static-bind client-identifier
3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30
[Device-dhcp-pool-0] dns-list 10.1.1.2
[Device-dhcp-pool-0] gateway-list 10.1.1.126
[Device-dhcp-pool-0] quit
# Create DHCP address pool 1, and configure a static binding, DNS server and gateway in it.
47
[Device-dhcp-pool-1] static-bind ip-address 10.1.1.6
[Device-dhcp-pool-1] static-bind mac-address 000f-e200-01c0
[Device-dhcp-pool-1] dns-list 10.1.1.2
[Device-dhcp-pool-1] gateway-list 10.1.1.126
3. Verification
After the preceding configuration is complete, Router A can obtain IP address 10.1.1.5 and other
network parameters, and Router B can obtain IP address 10.1.1.6 and other network parameters
from Device. You can use the display dhcp server ip-in-use command on the DHCP server to view
the IP addresses assigned to the clients.
Dynamic IP address assignment configuration example

• As shown in Figure 23, the DHCP server (Router A) assigns IP address to clients on subnet
10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
• The IP addresses of GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2 on Router A are
10.1.1.1/25 and 10.1.1.129/25 respectively.
• In subnet 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name suffix
aabbcc.com, DNS server address 10.1.1.2/25, WINS server address 10.1.1.4/25, and gateway
address 10.1.1.126/25.
• In the subnet 10.1.1.128/25, the address lease duration is five days, domain name suffix
aabbcc.com, DNS server address 10.1.1.2/25, and gateway address 10.1.1.254/25 and there is
no WINS server address.
• The domain name suffix and DNS server address on subnets 10.1.1.0/25 and 10.1.1.128/25 are the
same. Therefore, the domain name suffix and DNS server address need to be configured only for
subnet 10.1.1.0/24. Subnet 10.1.1.128/25 can inherit the configuration of subnet 10.1.1.0/24.
NOTE:
In this example, the number of requesting clients connected to GigabitEthernet 3/1/1 should be less than
122, and that of clients connected to GigabitEthernet 3/1/2 less than 124.
Figure 23 DHCP network

Client WINS server Client Client
10.1.1.4/25
GE3/1/1 GE3/1/2
10.1.1.126/25 10.1.1.1/25 10.1.1.129/25 10.1.1.254/25
Router A Gateway B
10.1.1.2/25 DHCP server
GE3/1/1
Router B
DNS server Client Client
Client
48
1. Specify IP addresses for interfaces. (Details not shown)
# Enable DHCP.
[RouterA] dhcp enable
# Enable the DHCP server on GigabitEthernet 3/1/1 and GigabitEthernet3/1/2.
[RouterA-GigabitEthernet3/1/1] dhcp select server global-pool
# Exclude IP addresses from dynamic allocation (addresses of the DNS server, WINS server, and
gateways).
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 (address range, client domain name suffix and DNS server
address).
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] domain-name aabbcc.com
[RouterA-dhcp-pool-0] dns-list 10.1.1.2
[RouterA-dhcp-pool-0] quit
# Configure DHCP address pool 1 (address range, gateway, WINS server, and lease duration).
[RouterA-dhcp-pool-1] gateway-list 10.1.1.126
[RouterA-dhcp-pool-1] expired day 10 hour 12
[RouterA-dhcp-pool-1] nbns-list 10.1.1.4
[RouterA-dhcp-pool-1] quit
# Configure DHCP address pool 2 (address range, gateway and lease duration).
[RouterA-dhcp-pool-2] expired day 5
[RouterA-dhcp-pool-2] gateway-list 10.1.1.254
3. Verification
After the preceding configuration is complete, clients on networks 10.1.1.0/25 and
10.1.1.128/25 can obtain IP addresses on the corresponding network and other network
parameters from Router A. You can use the display dhcp server ip-in-use command on the DHCP
server to view the IP addresses assigned to the clients.
49
Self-defined option configuration example
As shown in Figure 24, the DHCP client (Router B) obtains its IP address and PXE server addresses from
the DHCP server (Router A). The IP address belongs to subnet 10.1.1.0/24. The PXE server addresses are
1.2.3.4 and 2.2.2.2.
The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a self-defined option.
The format of Option 43 and that of the PXE server address sub-option are shown in Figure 16 and Figure
18, respectively. The value of Option 43 configured on the DHCP server in this example is 80 0B 00 00
02 01 02 03 04 02 02 02 02. The number 80 is the value of the sub-option type. The number 0B is the
value of the sub-option length. The numbers 00 00 are the value of the PXE server type. The number 02
indicates the number of servers. The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server
addresses are 1.2.3.4 and 2.2.2.2.
1. Specify IP address for interface GigabitEthernet 3/1/1. (Details not shown)
# Enable DHCP.
[Device] dhcp enable
# Enable the DHCP server on GigabitEthernet 3/1/1.
# Configure DHCP address pool 0.
[Device-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[Device-dhcp-pool-0] option 43 hex 80 0B 00 00 02 01 02 03 04 02 02 02 02
3. Verification
After the preceding configuration is complete, Router B can obtain its IP address on 10.1.1.0/24
and PXE server addresses from Router A. You can use the display dhcp server ip-in-use command
on the DHCP server to view the IP addresses assigned to the clients.
Troubleshooting DHCP server configuration

Symptom
A client’s IP address obtained from the DHCP server conflicts with another IP address.
Analysis
A host on the subnet may have the same IP address.
50
Solution
1. Disable the client’s network adapter or disconnect the client’s network cable. Ping the IP address
of the client from another host to check whether there is a host using the same IP address.
2. If a ping response is received, the IP address has been manually configured on a host. Execute the
dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic
allocation.
3. Enable the network adapter or connect the network cable. Release the IP address and obtain
another one on the client. Take WINDOW XP as an example, run cmd to enter DOS window.
Type ipconfig/release to relinquish the IP address and then ipconfig/renew to obtain another IP
address.
51
Configuring DHCP relay agent
NOTE:
The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces),
virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, Layer 3 aggregate interfaces, and serial
interfaces.
Introduction to DHCP relay agent

Application environment
Via a relay agent, DHCP clients communicate with a DHCP server on another subnet to obtain
configuration parameters. Thus, DHCP clients on different subnets can contact the same DHCP server
rather than having a DHCP server on each subnet.
NOTE:
An MCE device serving as the DHCP relay agent can forward DHCP packets not only between a DHCP
server and clients on a private network, but also between a DHCP server and clients on a public network.
Note that the IP address ranges of the public and private networks or those of private networks cannot
overlap each other. For more information about MCE, see MPLS Configuration Guide.
Fundamentals
Figure 25 shows a typical application of the DHCP relay agent.
Figure 25 DHCP relay agent application
No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a
similar way (see the chapter “DHCP overview”).
52
Figure 26 DHCP relay agent work process
1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client,

the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the
message to the designated DHCP server in unicast mode.
2. Based on the giaddr field, the DHCP server returns an IP address and other configuration
parameters to the relay agent, and the relay agent conveys them to the client.
DHCP relay agent support for Option 82

Option 82 records the location information of the DHCP client, letting the administrator locate the DHCP
client for security control and accounting purposes. For more information, see “Relay agent option
(Option 82).”
If the DHCP relay agent supports Option 82, it handles a client’s request according to the contents
defined in Option 82, if any. The handling strategies are described in Table 3.
If a reply returned by the DHCP server contains Option 82, the DHCP relay agent removes the Option 82
before forwarding the reply to the client.
Table 3 Handling strategies of the DHCP relay agent
If a client’s
Handling
requesting Padding format The DHCP relay agent will…
strategy
message has…
Drop Random Drop the message.
Forward the message without changing

Keep Random
Option 82.
Forward the message after replacing the

normal original Option 82 with the Option 82
padded in normal format.
Option 82
Replace verbose original Option 82 with the Option 82
padded in verbose format.

user-defined original Option 82 with the user-defined
Option 82.
53
If a client’s
Handling
requesting Padding format The DHCP relay agent will…
strategy
message has…
Forward the message after adding the
N/A normal
Option 82 padded in normal format.

no Option 82 N/A verbose
Option 82 padded in verbose format.

N/A user-defined
user-defined Option 82.
DHCP relay agent configuration task list

Complete the following tasks to configure the DHCP relay agent:
Task Remarks
Enabling DHCP Required
Enabling the DHCP relay agent on an interface Required
Correlating a DHCP server group with a relay agent interface Required
Configuring the DHCP relay agent security functions Optional
Enabling offline detection Optional
Configuring the DHCP relay agent to release an IP address Optional
Configuring the DHCP relay agent to support Option 82 Optional
Enabling DHCP
Enable DHCP before performing other configurations related to the DHCP relay agent.
To enable DHCP:

2. Enable DHCP. dhcp enable Disabled by default
Enabling the DHCP relay agent on an interface

With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server
for address allocation.
To enable the DHCP relay agent on an interface:

54
interface-number
3. Enable the DHCP relay agent With DHCP enabled, interfaces

dhcp select relay
on the current interface. work in the DHCP server mode.
NOTE:
The IP address pool containing the IP address of the DHCP relay agent enabled interface must be
configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain
correct IP addresses.
Correlating a DHCP server group with a relay

agent interface
To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and
correlate a relay agent interface with the server group. When the interface receives request messages
from clients, the relay agent will forward them to all the DHCP servers of the group.
To correlate a DHCP server group with a relay agent interface:

2. Create a DHCP server group
dhcp relay server-group group-id ip
and add a server into the Not created by default.
ip-address
group.
interface-number
4. Correlate the DHCP server By default, no interface is

group with the current dhcp relay server-select group-id correlated with any DHCP
interface. server group.
NOTE:
• You can specify up to twenty DHCP server groups on the relay agent.
• By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP
server addresses for each DHCP server group.
• The IP addresses of DHCP servers and those of relay agent’s interfaces that connect DHCP clients cannot
be on the same subnet. Otherwise, the client cannot obtain an IP address.
• A DHCP server group can correlate with one or multiple DHCP relay agent interfaces, while a relay
agent interface can only correlate with one DHCP server group. Using the dhcp relay server-select
command repeatedly overwrites the previous configuration. However, if the specified DHCP server
group does not exist, the interface still uses the previous correlation.
• The group-id argument in the dhcp relay server-select command is configured by the dhcp relay
server-group command.
55
Configuring the DHCP relay agent security
functions
Configure address check
Address check can block illegal hosts from accessing external networks.
With this feature enabled, the DHCP relay agent can dynamically record clients’ IP-to-MAC bindings
after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the
DHCP relay agent so that users can access external networks using fixed IP addresses.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in
the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent
does not learn the ARP entry of the host, and will not forward any reply to the host, which thus cannot
access external networks via the DHCP relay agent.
To create a static binding and enable address check:

dhcp relay security static ip-address Optional.

2. Create a static binding. mac-address [ interface interface-type No static binding is created by
interface-number ] default.
4. Enable address check. dhcp relay address-check enable Disabled by default.
NOTE:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces
(including sub-interfaces) and VLAN interfaces.
• Before enabling address check on an interface, you must enable the DHCP service, and enable the
DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command only checks IP and MAC addresses but not interfaces.
• When using the dhcp relay security static command to bind an interface to a static binding entry, make
sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may
occur.
Configuring periodic refresh of dynamic client entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server when releasing its dynamically
obtained IP address. The DHCP relay agent simply conveys the message to the DHCP server and does
not remove the IP-to-MAC binding. To solve this problem, the periodic refresh of dynamic client entries
feature is introduced.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP
relay interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within a specified
interval, the DHCP relay agent ages out the client entry.
56
• If the server returns a DHCP-NAK message, the relay agent keeps the client entry.
To configure periodic refresh of dynamic client entries:

2. Enable periodic refresh dhcp relay security refresh Optional.

of dynamic client entries. enable Enabled by default.
Optional.
3. Configure the refresh dhcp relay security tracker auto by default. (auto interval is calculated
interval. { interval | auto } by the relay agent according to the number
of client entries.)
Configuring the DHCP relay agent to work with authorized ARP

Only the clients that obtain an IP address from the DHCP server are considered as authorized clients. If
the DHCP relay agent serves as the gateway, it can work with authorized ARP to block unauthorized
clients and prevent ARP spoofing attacks.
To enable the DHCP relay agent to work with authorized ARP, perform the following:
• Configure the DHCP relay agent to support authorized ARP: With this function enabled, the DHCP
relay agent automatically records DHCP clients’ IP-to-MAC bindings (called client entries), and
notifies authorized ARP to add/delete/change authorized ARP entries when
adding/deleting/changing client entries.
• Enable authorized ARP: The ARP automatic learning function is disabled after you enable
authorized ARP. ARP entries are added according to the client entries recorded by the DHCP relay
agent to avoid learning incorrect ARP entries.
The DHCP relay agent works with authorized ARP for the following purposes:
• Only the clients that have obtained IP addresses from the DHCP server and have their IP-to-MAC
bindings recorded on the DHCP relay agent are authorized clients and can access the network.
• The clients that have not obtained IP addresses from the DHCP server are considered unauthorized
clients and are unable to access the network.
• Disabling ARP automatic learning prevents network attacks such as IP/MAC address spoofing
attacks, and only authorized users can access the network, enhancing network security.
To configure the DHCP relay agent to work with authorized ARP:

interface-number
3. Enable the DHCP relay agent to
dhcp update arp Not enabled by default
work with authorized ARP.
4. Enable authorized ARP. arp authorized enable Not enabled by default
57
NOTE:
• Authorized ARP can only be configured on Layer 3 Ethernet interfaces.
• Disabling the DHCP relay agent to support authorized ARP will delete the corresponding authorized
ARP entries.
• Since the DHCP relay agent does not notify the authorized ARP module of the static bindings, you need
to configure the corresponding static ARP entries for authorized users that have IP addresses statically
specified.
• For more information about authorized ARP, see Security Configuration Guide. For more information
about the arp authorized enable command, see Security Command Reference.
Enabling unauthorized DHCP server detection

Unauthorized DHCP servers may assign wrong IP addresses to DHCP clients.
With unauthorized DHCP servers detection enabled, the DHCP relay agent checks whether a request
contains Option 54 (Server Identifier Option). If yes, the DHCP relay agent records the IP address in the
option, which is the IP address of the DHCP server that assigned an IP address to the DHCP client, and
records the receiving interface. The administrator can use this information to check for unauthorized
DHCP servers.
To enable unauthorized DHCP server detection:

2. Enable unauthorized DHCP
dhcp relay server-detect Disabled by default
server detection.
NOTE:
With unauthorized DHCP server detection enabled, the relay agent logs each detected DHCP server once.
The administrator can use the log information to find unauthorized DHCP servers.
Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail
to work because of exhaustion of system resources.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source
MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or MAC
addresses that a Layer 2 port can learn. You can also configure an interface that has learned the
maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC
address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source
MAC address, enable MAC address check on the DHCP relay agent. With this function enabled,
the DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC
address field of the frame. If they are the same, the DHCP relay agent decides this request as valid
and forwards it to the DHCP server; if not, the DHCP request is discarded.
To enable MAC address check:
58
interface-number
3. Enable MAC address
dhcp relay check mac-address Disabled by default
check.
NOTE:
DHCP relay agents change the source MAC addresses when forwarding DHCP packets. Therefore, you
can enable MAC address check only on a DHCP relay agent directly connected to DHCP clients.
Otherwise, valid DHCP packets may be discarded and clients cannot obtain IP addresses.
Enabling offline detection

The DHCP relay agent checks whether a use is online by learning the ARP entry. When an ARP entry is
aged out, the corresponding client is considered to be offline.
With this function enabled on an interface, the DHCP relay agent removes a client’s IP-to-MAC entry
when it is aged out, and sends a DHCP-RELEASE message to the DHCP server to release the IP address
of the client.
To enable offline detection:

interface-number
3. Enable offline detection. dhcp relay client-detect enable Disabled by default
NOTE:
Removing an ARP entry manually does not remove the corresponding client’s IP-to-MAC binding. When
the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding
manually.
Configuring the DHCP relay agent to release an IP

address
You can configure the relay agent to release a client’s IP address. The relay agent sends a
DHCP-RELEASE message that contains the specified IP address. Upon receiving the DHCP-RELEASE
message, the DHCP server releases the IP address; meanwhile, the client entry is removed from the DHCP
relay agent.
To configure the DHCP relay agent to send DHCP-RELEASE messages:
59
Step Command
1. Enter system view. system-view
2. Configure the DHCP relay agent to release an IP
dhcp relay release ip client-ip
address.
NOTE:
• The IP address to be released must be available in a dynamic client entry.
• Dynamic client entries can be generated only after you enable address check, authorized ARP, or IP
source guard on the DHCP relay agent. For more information about IP source guard, see Security
Configuration Guide.
Configuring the DHCP relay agent to support

Option 82
Before performing this configuration, complete the following tasks:
• Enabling DHCP
• Enabling the DHCP relay agent on the specified interface
• Correlating a DHCP server group with relay agent interfaces
To configure the DHCP relay agent to support Option 82:

2. Enter interface
interface interface-type interface-number N/A
view.
3. Enable the relay
agent to support dhcp relay information enable Disabled by default.
Option 82.
4. Configure the
handling strategy
for requesting dhcp relay information strategy { drop | Optional.
messages keep | replace } replace by default.
containing Option
82.
60
Optional.
• Configure the padding format for
Option 82: By default,
dhcp relay information format • The padding format for Option 82
{ normal | verbose [ node-identifier is normal.
{ mac | sysname | user-defined • The code type for the circuit ID
node-identifier } ] } sub-option depends on the padding
5. Configure
• Configure the code type for the circuit format of Option 82. Each field has
non-user-defined
ID sub-option: its own code type.
Option 82.
dhcp relay information circuit-id • The code type for the remote ID
format-type { ascii | hex } sub-option is hex.
• Configure the code type for the remote The code type configuration for the
ID sub-option:
circuit ID sub-option and for the remote
dhcp relay information remote-id
ID sub-option apply to non-user-defined
format-type { ascii | hex }
Option 82 only.
• Configure the padding content for the

circuit ID sub-option:
dhcp relay information circuit-id Optional.
6. Configure
string circuit-id By default, the padding content
user-defined
Option 82. • Configure the padding content for the depends on the padding format of
remote ID sub-option: Option 82.
dhcp relay information remote-id
string { remote-id | sysname }
NOTE:
• To support Option 82, perform related configuration on both the DHCP server and relay agent. For
DHCP server configuration of this kind, see “Enabling Option 82 handling”.
• If the handling strategy of the DHCP relay agent is configured as replace, you need to configure a
padding format for Option 82. If the handling strategy is keep or drop, you need not configure any
padding format.
• If sub-option 1 (node identifier) of Option 82 is padded with the device name (sysname) of a node, the
device name must contain no spaces. Otherwise, the DHCP relay agent will drop the message.
Displaying and maintaining the DHCP relay agent

Display information about DHCP server display dhcp relay { all | interface
Available in any
groups correlated to a specified or all interface-type interface-number } [ | { begin
view
interfaces. | exclude | include } regular-expression ]
61
display dhcp relay information { all |
Display Option 82 configuration interface interface-type interface-number } Available in any
information on the DHCP relay agent. [ | { begin | exclude | include } view
display dhcp relay security [ ip-address |

Display information about bindings of Available in any
dynamic | static ] [ | { begin | exclude |
DHCP relay agents. view
display dhcp relay security statistics [ |

Display statistics information about Available in any
{ begin | exclude | include }
bindings of DHCP relay agents. view
Display information about the display dhcp relay security tracker [ |

Available in any
refreshing interval for entries of { begin | exclude | include }
view
dynamic IP-to-MAC bindings. regular-expression ]
Display information about the display dhcp relay server-group { group-id

Available in any
configuration of a specified or all DHCP | all } [ | { begin | exclude | include }
view
server groups. regular-expression ]
display dhcp relay statistics [ server-group

Available in any
Display packet statistics on relay agent. { group-id | all } ] [ | { begin | exclude |
view
reset dhcp relay statistics [ server-group Available in user

Clear packet statistics from relay agent.
group-id ] view
DHCP relay agent configuration example

As shown in Figure 27, DHCP clients reside on network 10.10.1.0/24. The IP address of the DHCP server
is 10.1.1.1/24. Because the DHCP clients reside on a different network with the DHCP server, a DHCP
relay agent is deployed to forward messages between DHCP clients and the DHCP server.
GigabitEthernet 3/1/1 of the DHCP relay agent (Router A) connects to the subnet where DHCP clients
reside. The IP address of GigabitEthernet 3/1/1 is 10.10.1.1/24, and the IP address of GigabitEthernet
3/1/2 is 10.1.1.2/24.
DHCP client DHCP client
GE3/1/1 GE3/1/2
10.10.1.1/24 10.1.1.2/24
GE3/1/1
10.1.1.1/24
Router A Router B
DHCP relay agent DHCP server
DHCP client DHCP client
62
# Enable DHCP.
# Add DHCP server 10.1.1.1 into DHCP server group 1

[RouterA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on GigabitEthernet 3/1/1.

[RouterA-GigabitEthernet3/1/1] dhcp select relay
# Correlate DHCP server group 1 with GigabitEthernet 3/1/1.

[RouterA-GigabitEthernet3/1/1] dhcp relay server-select 1
After the preceding configuration is complete, DHCP clients can obtain IP addresses and other network
parameters through the DHCP relay agent from the DHCP server. You can use the display dhcp relay
security command to view clients’ address bindings on the DHCP relay agent, and use the display dhcp
relay statistics command to view statistics of DHCP packets forwarded by the DHCP relay agent.
NOTE:
• Because the DHCP relay agent and server are on different subnets, you must configure a static route or
dynamic routing protocol to make them reachable to each other.
• Configurations on the DHCP server are also required to guarantee the client-server communication via
the DHCP relay agent. For DHCP server configuration information, see the chapter “DHCP server
configuration.”
DHCP relay agent Option 82 support configuration

example
• As shown in Figure 27, enable Option 82 on the DHCP relay agent (Router A).
• Configure the handling strategy for DHCP requests containing Option 82 as replace.
• Configure the padding content for the circuit ID sub-option as company001 and for the remote ID
sub-option as device001.
• Router A forwards DHCP requests to the DHCP server (Router B) after replacing Option 82 in the
requests, so that the DHCP clients can obtain IP addresses.
# Enable DHCP.
# Add DHCP server 10.1.1.1 into DHCP server group 1.

[RouterA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on GigabitEthernet 2/1/1.

63
[RouterA-GigabitEthernet2/1/1] dhcp select relay
# Correlate GigabitEthernet 2/1/1 to DHCP server group 1.

[RouterA-GigabitEthernet2/1/1] dhcp relay server-select 1
# Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations.
[RouterA-GigabitEthernet2/1/1] dhcp relay information enable
[RouterA-GigabitEthernet2/1/1] dhcp relay information strategy replace
[RouterA-GigabitEthernet2/1/1] dhcp relay information circuit-id string company001
[RouterA-GigabitEthernet2/1/1] dhcp relay information remote-id string device001
NOTE:
Configurations on the DHCP server are also required to make the Option 82 configurations function
normally.
Troubleshooting DHCP relay agent configuration

Symptom
DHCP clients cannot obtain any configuration parameters via the DHCP relay agent.
Analysis
Some problems may occur with the DHCP relay agent or server configuration.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent
to view the debugging information and interface state information.
Check that:
• The DHCP is enabled on the DHCP server and relay agent.
• The address pool on the same subnet where DHCP clients reside is available on the DHCP server.
• The DHCP server and DHCP relay agent are reachable to each other.
• The relay agent interface connected to DHCP clients is correlated with a correct DHCP server group
and the IP addresses of the group members are correct.
64
Configuring IPv4 DNS
NOTE:
This document only covers IPv4 DNS configurations. For more information about the IPv6 DNS
configuration, see the chapter “IPv6 basics configuration.”
DNS overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in
some applications and let the DNS server translate them into correct IP addresses.
There are two types of DNS services, static and dynamic. After a user specifies a name, the router checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, some
frequently queried name-to-IP address mappings are stored in the local static name resolution table to
improve efficiency.
Static domain name resolution

Static domain name resolution means setting up mappings between domain names and IP addresses. IP
addresses of the corresponding domain names can be found in the static domain resolution table when
you use applications such as Telnet.
Dynamic domain name resolution

Resolving procedure
Dynamic domain name resolution is implemented by querying the DNS server. The resolution procedure
is as follows:
1. A user program sends a name query to the resolver of the DNS client.
2. The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match,
it sends the corresponding IP address back. If not, it sends a query to the DNS server.
3. The DNS server looks up the corresponding IP address of the domain name in its DNS database.
If no match is found, it sends a query to a higher level DNS server. This process continues until a
result, whether successful or not, is returned.
4. After receiving a response from the DNS server, the DNS client returns the resolution result to the
application.
65
Figure 28 Dynamic domain name resolution
Figure 28 shows the relationship between the user program, DNS client, and DNS server.
The DNS client is made up of the resolver and cache. The user program and DNS client can run on the
same router or different routers, while the DNS server and the DNS client usually run on different routers.
Dynamic domain name resolution allows the DNS client to store latest mappings between domain names
and IP addresses in the dynamic domain name cache. There is no need to send a request to the DNS
server for a repeated query next time. The aged mappings are removed from the cache after some time,
and latest entries are required from the DNS server. The DNS server decides how long a mapping is valid,
and the DNS client gets the aging information from DNS messages.
DNS suffixes
The DNS client normally holds a list of suffixes which the user sets. It is used when the name to be resolved
is incomplete. The resolver can supply the missing part.
For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc
to obtain the IP address of aabbcc.com because the resolver adds the suffix and delimiter before passing
the name to the DNS server.
• If there is no dot in the domain name (for example, aabbcc), the resolver considers this a host name
and adds a DNS suffix before query. If no match is found after all the configured suffixes are used
respectively, the original domain name (for example, aabbcc) is used for query.
• If there is a dot in the domain name (for example, www.aabbcc), the resolver directly uses this
domain name for query. If the query fails, the resolver adds a DNS suffix for another query.
• If the dot is at the end of the domain name (for example, aabbcc.com.), the resolver considers it a
fully qualified domain name (FQDN) and returns the query result, successful or failed. The dot (.) at
the end of the domain name is considered a terminating symbol.
The router supports static and dynamic DNS services.
NOTE:
If an alias is configured for a domain name on the DNS server, the router can resolve the alias into the IP
address of the host.
66
DNS proxy
Introduction to DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
As shown in Figure 29, a DNS client sends a DNS request to the DNS proxy, which forwards the request
to the designated DNS server, and conveys the reply from the DNS server to the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy instead of on each DNS client.
Figure 29 DNS proxy networking application
Operation of a DNS proxy

1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS
proxy, that is, the destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table after receiving the request.
If the requested information exists in the table, the DNS proxy returns a DNS reply to the client.
3. If the requested information does not exist in the static domain name resolution table, the DNS
proxy sends the request to the designated DNS server for domain name resolution.
4. After receiving a reply from the DNS server, the DNS proxy forwards the reply to the DNS client.
DNS spoofing
With DNS proxy enabled but no DNS server or route to the DNS server specified, a router cannot
forward a DNS request, or answer the request. In this case, you can enable DNS spoofing on the router
to spoof a reply with the configured IP address. Once a DNS server is reachable, the router will send
DNS requests to the server and return the replies to the requesting DNS clients.
67
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and
IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by
using host names instead of IPv4 addresses.
To configure static domain name resolution:

2. Configure a mapping between a
ip host hostname ip-address Not configured by default
host name and an IPv4 address.
NOTE:
• The IPv4 address you last assign to the host name will overwrite the previous one if there is any.
• You may create up to 50 static mappings between domain names and IPv4 addresses.
Configuring dynamic domain name resolution

To send DNS queries to a correct server for resolution, dynamic domain name resolution must be enabled
and a DNS server must be configured.
In addition, you can configure a DNS suffix that the system will automatically add to the provided
domain name for resolution.
To configure dynamic domain name resolution:

2. Enable dynamic domain
dns resolve Disabled by default.
name resolution.
• Approach 1 (In system view):

dns server ip-address
• Approach 2 (In interface view): Configure the DNS server in at
3. Specify a DNS server. a. interface interface-type least one view.
interface-number Not specified by default.
b. dns server ip-address
c. quit
Optional.
4. Configure a domain name Not configured by default, that is,
dns domain domain-name
suffix. only the provided domain name
is resolved.
68
NOTE:
• You can configure up to six DNS servers, including those with IPv6 addresses, in system view and on all
interfaces of a router.
• A DNS server configured in system view has a higher priority than one configured in interface view. A
DNS server configured earlier has a higher priority than one configured later in the same view. A DNS
server manually configured has a higher priority than one dynamically obtained through DHCP. A
name query request is first sent to the DNS server that has the highest priority. If no reply is received, it
sent to the DNS server that has the second highest priority, and thus in turn.
• You may configure up to six DNS servers and ten DNS suffixes.
Configuring the DNS proxy

To configure the DNS proxy:

2. Enable DNS proxy. dns proxy enable Disabled by default.
• Approach 1 (In system view):

dns server ip-address Configure the DNS server in at least
• Approach 2 (In interface view): one view.
3. Specify a DNS server.
a. interface interface-type No DNS server is specified by
interface-number default.
b. dns server ip-address
NOTE:
You can specify multiple DNS servers by using the dns server command repeatedly. Upon receiving a
name query request from a client, the DNS proxy forwards the request to the DNS server that has the
highest priority. If having not received a reply, it forwards to the request to a DNS server that has the
second highest priority, and thus in turn.
Configuring DNS spoofing

DNS spoofing is effective only when:
• The DNS proxy is enabled on the router.
• No DNS server or route to any DNS server is specified on the router.
To configure DNS spoofing:
69
2. Enable DNS spoofing and specify the
dns spoofing ip-address Disabled by default
translated IP address.
Displaying and maintaining IPv4 DNS

Display the static IPv4 domain name display ip host [ | { begin | exclude |
resolution table. include } regular-expression ]
display dns server [ dynamic ] [ |

Display IPv4 DNS server information. { begin | exclude | include } Available in any view
display dns domain [ dynamic ] [ |

Display DNS suffixes. { begin | exclude | include } Available in any view
display dns dynamic-host [ | { begin

Display the information of the dynamic
| exclude | include } Available in any view
IPv4 domain name cache.
Clear the information of the dynamic IPv4

reset dns dynamic-host Available in user view
domain name cache.
IPv4 DNS configuration examples

Static domain name resolution configuration example
As shown in Figure 30, Device uses the static domain name resolution to access Host with IP address
10.1.1.2 through domain name host.com.
# Configure a mapping between host name host.com and IP address 10.1.1.2.
<Sysname> system-view
[Sysname] ip host host.com 10.1.1.2
# Execute the ping host.com command to verify that the device can use the static domain name resolution
to get the IP address 10.1.1.2 corresponding to host.com.
70
[Sysname] ping host.com
PING host.com (10.1.1.2):
56 data bytes, press CTRL_C to break
--- host.com ping statistics ---

0.00% packet loss
Dynamic domain name resolution configuration example

As shown in Figure 31, the IP address of the DNS server is 2.1.1.2/16 and the name suffix is com. The
mapping between domain name host and IP address 3.1.1.1/16 is stored in the com domain.
Dynamic domain name resolution and the domain name suffix are configured on the device that serves
as a DNS client, and thus the device can use domain name host to access the host with the domain name
host.com and the IP address 3.1.1.1/16. to access the host with the domain name host.com and the IP
address 3.1.1.1/16.
NOTE:
• Before performing the following configuration, make sure that there is a route between the device and
the host, and configurations are done on both the device and the host. For the IP addresses of the
interfaces, see Figure 31.
• This configuration may vary with different DNS servers. The following configuration is performed on a
PC running Windows Server 2000.
1. Configure the DNS server:
71
# Enter DNS server configuration page.
Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
In Figure 32, right click Forward Lookup Zones, select New zone, and then follow the instructions
to create a new zone.
Figure 32 Creating a zone
# Create a mapping between the host name and IP address.
72
Figure 33 Adding a host
In Figure 33, right click zone com, and then select New Host to bring up a dialog box as shown
in Figure 34. Enter host name host and IP address 3.1.1.1.
Figure 34 Adding a mapping between domain name and IP address
73
2. Configure the DNS client:
# Enable dynamic domain name resolution.
<Sysname> system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
3. Configuration verification:
# Execute the ping host command on the device to verify that the communication between the
device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[Sysname] ping host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)

0.00% packet loss
DNS proxy configuration example

• As shown in Figure 35, specify Device A as the DNS server of Device B (the DNS client).
• Device A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.
• Device B implements domain name resolution through Device A.
74
Device B
DNS client 4.1.1.1/24
DNS server
2.1.1.1/24
Device A
DNS proxy
2.1.1.2/24 1.1.1.1/24
IP network
3.1.1.1/24
host.com
Host
NOTE:
Before performing the following configuration, assume that Device A, the DNS server, and the host are
reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 35.
1. Configure the DNS server.

This configuration may vary with different DNS servers. When a Windows server 2000 PC acts as
the DNS server, see “Dynamic domain name resolution configuration example” for related
configuration information.
2. Configure the DNS proxy:
<DeviceA> system-view
[DeviceA] dns server 4.1.1.1
# Enable DNS proxy.
[DeviceA] dns proxy enable
# Enable the domain name resolution function.
<DeviceB> system-view
[DeviceB] dns resolve
[DeviceB] dns server 2.1.1.2
# Execute the ping host.com command on Device B to verify that the host can be pinged after the
host’s IP address 3.1.1.1 is resolved.
[DeviceB] ping host.com
Trying DNS server (2.1.1.2)
75

0.00% packet loss
Troubleshooting IPv4 DNS configuration

Symptom
After enabling the dynamic domain name resolution, the user cannot get the correct IP address.
Solution
• Use the display dns dynamic-host command to verify that the specified domain name is in the
cache.
• If there is no defined domain name, check that dynamic domain name resolution is enabled and the
DNS client can communicate with the DNS server.
• If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS
client has the correct IP address of the DNS server.
• Verify the mapping between the domain name and IP address is correct on the DNS server.
76
Configuring NAT
NOTE:
SPE cards in this document refer to cards prefixed with SPE such as SPE-1020-E-II.
Only the cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, SPE-1020-E-II, IM-NAT, and IM-NAT-II support
NAT service interface configuration.
NAT overview
Introduction to NAT
Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header
to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to
access public networks. With NAT, a smaller number of public IP addresses are used to meet public
network access requirements from a larger number of private IP addresses, effectively alleviating the
depletion of IP addresses.
NOTE:
A private or internal IP address is used only in an internal network, whereas a public or external IP address
is used on the Internet and is globally unique.
According to RFC 1918, three blocks of IP addresses are reserved for private networks:
• In Class A: 10.0.0.0 to 10.255.255.255,
• In Class B: 172.16.0.0 to 172.31.255.255,
• In Class C: 192.168.0.0 to 192.168.255.255.
No host with an IP address in the above three ranges exists on the Internet. You can use those IP addresses
in an enterprise network freely without requesting them from an Internet Service Provider (ISP) or a
registration center.
In addition to translating private addresses to public addresses, NAT can also perform address translation
between any two networks. In this document, the two networks refer to an internal network and an external
network. Generally a private network is an internal network, and a public network is an external network.
Figure 36 depicts the operation of NAT.
77
Figure 36 NAT operation
1. The internal host with an IP address of 192.168.1.3 sends an IP packet to the external server with
an IP address of 1.1.1.2 through the NAT device.
2. Upon receiving the packet, the NAT device checks the IP header and finds that it is destined to the
external network. Then it translates the private address 192.168.1.3 to the globally unique public
address 20.1.1.1 and then forwards the packet to the server on the external network. Meanwhile,
the NAT device adds the mapping of the two addresses into its NAT table.
3. The external server responds to the internal host with an IP packet whose destination IP address is
20.1.1.1. Upon receiving the packet, the NAT device checks the IP header, looks into its NAT
table for the mapping, replaces the destination address with the private address of 192.168.1.3,
and then sends the new packet to the internal host.
The above NAT operation is transparent to the terminals involved. The external server believes that the IP
address of the internal host is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT
hides the private network from the external networks.
Despite the advantages of allowing internal hosts to access external resources and providing privacy,
NAT also has the following disadvantages:
• As NAT involves translation of IP addresses, the IP headers cannot be encrypted. This is also true to
the application protocol packets when the contained IP address or port number needs to be
translated. For example, you cannot encrypt an FTP connection, or its port command cannot work
correctly.
• Network debugging becomes more difficult. For example, when a host in a private network tries to
attack other networks, it is harder to pinpoint the attacking host as the host IP address has been
hidden.
NAT control
An enterprise needs to allow some hosts in the internal network to access external networks but prohibit
others. This can be achieved through the NAT control mechanism. If a source IP address is among
addresses denied, the NAT device does not translate the address. In addition, the NAT device only
translates private addresses to specified public addresses.
NAT control can be achieved through an access control list (ACL) and an address pool.
• Only packets matching the ACL rules are served by NAT.
78
An address pool is a collection of consecutive public IP addresses for address translation. You can
specify an address pool based on the number of available public IP addresses, the number of internal
hosts, and network requirements. The NAT device selects an address from the address pool as the public
address of an IP packet.
NAT operation
Basic NAT
As shown in Figure 36, when an internal network host accesses an external network, NAT uses a public
IP address to replace the original internal IP address. In Figure 36, NAT uses the IP address of the
outgoing interface as the public IP address. Thus all internal hosts use the same public IP address to
access external networks and only one host is allowed to access external networks at a given time.
A NAT device can also hold multiple public IP addresses to support concurrent access requests.
Whenever a new external network access request comes from the internal network, the NAT device
chooses an available public IP address (if any) to replace the source IP address, adds the mapping to its
NAT table, and forwards the packet. In this way, multiple internal hosts can access external networks
simultaneously.
NOTE:
The number of public IP addresses that a NAT device needs is usually far less than the number of internal
hosts because not all internal hosts access external networks at the same time. The number of public IP
addresses is related to the number of internal hosts that might access external networks simultaneously
during peak hours.
NAPT
Network Address Port Translation (NAPT) is a variation of basic NAT. It allows multiple internal addresses
to be mapped to the same public IP address, which is called multiple-to-one NAT or address
multiplexing.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple
internal hosts are mapped to the same external IP address with different port numbers.
Figure 37 depicts NAPT operation.
79
Figure 37 Diagram for NAPT operation
As shown in Figure 37, three IP packets arrive at the NAT gateway. Packets 1 and 2 are from the same
internal address but have different source port numbers. Packets 1 and 3 are from different internal
addresses but have the same source port number. NAPT maps the three IP packets to the same external
address but with different source port numbers. Therefore, the packets can still be differentiated. When
receiving the response packets, the NAT device forwards them to the corresponding hosts according to
the destination addresses and port numbers.
NAPT can better utilize IP address resources, enabling more internal hosts to access the external network
at the same time.
NAPT supports two NAT mapping behavior modes: Endpoint-Independent Mapping and
Endpoint-Dependent Mapping.
• Endpoint-Independent Mapping
In this mode, the NAT device uses entries, each of which comprises the source IP address, source
port number, and protocol type to translate addresses and filter packets. The same NAPT mapping
applies to packets sent from the same internal IP address and port to any external IP address and
port. The NAT device also allows external hosts to access the internal network by using the
translated external addresses and port numbers. This mode facilitates communication among hosts
that connect to different NAT devices.
• Address and Port-Dependent Mapping
In this mode, the NAT device uses entries each comprising the source IP address, source port
number, protocol type, destination IP address, and destination port number to translate addresses
and filter packets. For packets with the same source address and source port number but different
destination addresses and destination port numbers, different NAPT mappings apply so that the
source address and port number are mapped to the same external IP address but different port
numbers. The NAT device allows the hosts only on the corresponding external networks where
these destination addresses reside to access the internal network. This mode is secure but
inconvenient for communication among hosts that connect to different NAT devices.
Internal server
NAT hides the internal network structure, including the identities of internal hosts. However, internal hosts
such as a web server or an FTP server may need to be accessed by external hosts in practice. NAT
satisfies this requirement by supporting internal servers.
80
You can configure an internal server on the NAT device by mapping a public IP address and port number
to the private IP address and port number of the internal server. For instance, you can configure an
address like 20.1.1.12:8080 as an internal web server’s external address and port number.
You can configure an internal server on the NAT device by mapping a public IP address and port number
to the private IP address and port number of the internal server. For instance, you can configure an
address like 20.1.1.12:8080 as an internal web server’s external address and port number.
In Figure 38, when the NAT device receives a packet destined for the public IP address of an internal
server, it looks in the NAT entries and translates the destination address and port number in the packet
to the private IP address and port number of the internal server. When the NAT device receives a
response packet from the internal server, it translates the source private IP address and port number of the
packet into the public IP address and port number of the internal server.
Figure 38 Internal server operation
DNS mapping
Generally, the DNS server and users that need to access internal servers reside on the public network.
You can specify an external IP address and port number for an internal server on the public network
interface of a NAT device, so that external users can access the internal server using its domain name or
pubic IP address. In Figure 39, an internal host wants to access an internal web server by using its
domain name, while the DNS server is located on the public network. Typically, the DNS server replies
with the public address of the internal server to the host and thus the host cannot access the internal server.
The DNS mapping feature can solve the problem.
Figure 39 Operation of NAT DNS mapping
A DNS mapping entry records the domain name, public address, public port number, and protocol type
of an internal server. Upon receiving a DNS reply, the NAT-enabled interface matches the domain name
81
in the message against the DNS mapping entries. If a match is found, the private address of the internal
server is found and the interface replaces the public IP address in the reply with the private IP address.
Then, the host can use the private address to access the internal server.
Easy IP
Easy IP uses the public IP address of an interface on the router as the translated source address to save
IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.
Support for special protocols

Apart from the basic address translation function, NAT also provides an application layer gateway (ALG)
mechanism that supports some special application protocols without requiring the NAT platform to be
modified, featuring high scalability. The IP addresses or port numbers contained in such protocol
messages may require address translation.
The special protocols that NAT supports include: File Transfer Protocol (FTP), Point-to-Point Tunneling
Protocol (PPTP), Internet Control Message Protocol (ICMP), Domain Name System (DNS), Internet
Locator Service (ILS), Real-Time Streaming Protocol (RTSP), H.323, Session Initiation Protocol (SIP),
Netmeeting 3.01, and NetBIOS over TCP/IP (NBT).
NAT multiple-instance
This feature allows users from different MPLS VPNs to access external networks through the same
outbound interface. It also allows them to have the same internal address. The process works as follows:
When an MPLS VPN user communicates with an external network, NAT replaces the internal IP address
and port number with the NAT gateway’s external IP address and port number. It also records the
relevant MPLS VPN information, such as the protocol type and router distinguisher (RD for short). When
the response packet arrives, the NAT gateway then restores the external IP address and port number to
the internal IP address and port number. Additionally, the NAT gateway can identify the MPLS VPN users
who access the external network. Besides NAT, NAPT also supports multiple-instance.
The multiple-instance feature can also apply to internal servers so that external users can access an
internal host of an MPLS VPN. For example, in MPLS VPN 1, the host that provides Web service has an
internal address 10.110.1.1. The host can use 202.110.10.20 as an external IP address so that the Internet
users can access the Web service in MPLS VPN 1 through this external address.
Moreover, NAT allows hosts in multiple MPLS VPNs to access each other by using the MPLS VPN
information carried in the external IP address.
NAT configuration task list

Complete the following tasks to configure NAT:
Task Remarks
Configuring static NAT
Configuring address translation Either is required
Configuring dynamic NAT
Configuring an internal server Required
Configuring DNS mapping Optional
Binding a NAT-enabled interface to the NAT service interface Required
Configuring NAT logging Optional
Setting NAT connection limits Optional
82
NOTE:
• NAT is supported on a provider edge router (PE), but not on a provider (P) router.
• If the NAT configuration (address translation or internal server configuration) on an interface is
changed, save the configuration and reboot the router (or use the reset nat session command to
manually clear the relevant NAT entries), to avoid problems. The following are the possible problems:
After you delete the NAT-related configuration, address translation can still work for sessions already
created; if you configure NAT when NAT is running, the same configuration may have different results
because of different configuration orders.
• Make sure all the IP address pools referenced by the interfaces do not overlap each other.
• When you configure twice NAT for multiple instances of a card with silkscreen IM-NAT and IM-NAT-II
of a PE, specify the VPN to which a NAT address pool belongs. For more information, see “Dynamic
NAT configuration example IV.”
Configuring address translation

Introduction to address translation
A NAT device can be configured with or dynamically generate mapping entries to translate between
internal and external network addresses. Generally, address translation can be classified into two types,
dynamic and static.
• Static NAT
The mapping relationships between external and internal network addresses are manually
configured. Static NAT can meet fixed access requirements of a few users.
• Dynamic NAT
A dynamic NAT entry is generated dynamically. It is implemented by associating an ACL with an
address pool (or the address of an interface in the case of Easy IP). This association defines what
packets can use the addresses in the address pool (or the interface’s address) to access the
external network. Dynamic NAT is applicable when a large number of internal users need to
access external networks. An IP address is selected from the associated address pool to translate
an outgoing packet. After the session terminates, the selected IP address is released.
Both static NAT and dynamic NAT support NAT multiple-instance as long as the VPN instance of
an IP address is provided.
Configuring static NAT

You must configure static NAT in system view, and make it effective in interface view.
Static NAT supports two modes, one-to-one and net-to-net.
CAUTION:
When you configure static NAT, do not use any address from the dynamic NAT address pool or use any
interface address as the public IP address; otherwise, traffic conflicts may occur.
Configuring one-to-one static NAT

One-to-one static NAT translates a private IP address into a public IP address.
83
To configure one-to-one static NAT:
Step Command
2. Enter NAT service interface view. interface nat interface-number
nat static local-ip [ vpn-instance local-name ] global-ip

3. Configure a one-to-one static NAT [ vpn-instance global-name ] [ destination ip-address { mask-length
mapping. | mask } ] [ interface interface-type interface-number [ next-hop
ip-address ] ] [ unidirectional ]
4. Return to system view. quit
5. Enter interface view. interface interface-type interface-number
6. Enable static NAT on the interface. nat outbound static
Configuring net-to-net static NAT

Net-to-net static NAT translates a private network into a public network.
To configure net-to-net static NAT (I):
Step Command
nat static net-to-net local-network [ vpn-instance local-name ]

global-network [ vpn-instance global-name ] { mask-length | mask }
3. Configure a net-to-net static NAT
[ destination ip-address { mask-length | mask } ] [ interface
mapping.
interface-type interface-number [ next-hop ip-address ] ]
[ unidirectional ]
4. Exit NAT service interface view. quit
6. Enable static NAT on the interface. nat outbound static
Configuring dynamic NAT

Dynamic NAT is usually implemented by associating an ACL with an address pool (or the address of an
interface) on an interface.
• To select the address of an interface as the translated address, use Easy IP.
• To select an address from an address pool as the translated address, use No-PAT or NAPT for
dynamic address translation. No-PAT is used in many-to-many address translation but does not
translate TCP/UDP port numbers. NAPT allows for many-to-one address translation by translating
also TCP/UDP port numbers.
Typically, a NAT entry is configured on the outbound interface of the NAT device. If internal hosts need
to access external networks through multiple outbound interfaces on the NAT device, you must configure
NAT entries on each of the interfaces, which is complex to implement. To avoid this, the router supports
configuring a NAT entry on the inbound interface on the NAT device. When hosts in a VPN want to
access other VPNs through multiple outbound interfaces on a NAT device, you can configure a NAT
entry on the inbound interface on the NAT device, simplifying NAT configuration.
84
When a packet from an internal host to the external network arrives:
• If it is the first packet and an address pool is associated with an outbound interface, NAT
determines whether to translate the packet based on the ACL (or packet source address). If yes,
NAT chooses an address from the associated address pool or gets the associated interface address,
performs address translation, and then saves the address mapping in the address translation table.
All subsequent packets from the internal host are serviced by NAT directly according to the
mapping entry.
• If an address pool is associated with an inbound interface, NAT determines whether to translate the
packet based on the ACL. If yes, NAT redirects the packet to the NAT service card and performs
address translation as in the above-mentioned process. You need to configure a QoS policy to
redirect packets to an IM-NAT or IM-NAT-II card. For more information, see ACL and QoS
Configuration Guide. This case does not support Easy IP.
NOTE:
• The association of an address pool to an inbound interface set with the nat inbound command is
effective only when an IM-NAT or IM-NAT-II card is present.
• If both the inbound and outbound interfaces of a NAT device are associated with an address pool, a
packet matching both of them uses an address from the address pool associated with the outbound
interface for address translation.
• You need to configure a QoS policy to redirect packets to an IM-NAT or IM-NAT-II card. For more
information, see ACL and QoS Configuration Guide. Traffic classification commands supported in a
QoS policy that is used for redirecting packets to a NAT board include: acl, customer-vlan-id,
destination-mac, dscp ip-precedence, protocol, service-dot1p, service-vlan-id, and source-mac.
• Configure an ACL to specify IP addresses permitted to be translated.
• Decide whether to use an interface’s IP address as the translated source address.
• Determine a public IP address pool for address translation.
• Decide whether to translate port information.
NOTE:
For more information about ACL, see ACL and QoS Configuration Guide.
Configuring NAT address pools

You can configure a NAT address pool, where the NAT device selects an IP address as the source
address of a packet.
To configure an address pool:

1. Enter system
system-view N/A
view.
nat address-group Not necessary when the router provides only Easy
2. Configure an
group-number start-address IP, where an interface’s public IP address is used
address pool.
end-address as the translated IP address.
85
NOTE:
The NAT address pool cannot contain addresses on the subnet where the interface resides, and a
broadcast address.
Configuring Easy IP
Easy IP allows the router to use the IP address of one of its interfaces as the source address of NATed
packets.
To configure Easy IP:
Step Command
3. Enable Easy IP by associating an ACL with the IP

nat outbound acl-number [ next-hop ip-address ]
address of the interface.
Configuring No-PAT
With a specific ACL associated with an address pool or interface address, No-PAT translates the source
address of a packet permitted by the ACL into an IP address of the address pool or the interface address,
without using the port information.
To configure No-PAT:

interface-number
• Configure No-PAT by associating
an ACL with an IP address pool
on the outbound interface for
translating only IP addresses:
nat outbound acl-number
address-group group-number
[ vpn-instance
vpn-instance-name ] [ next-hop
ip-address ] no-pat
3. Configure No-PAT. • Configure No-PAT by associating Either command is required.
an ACL with an IP address pool
on the inbound interface for
translating only IP addresses:
nat inbound acl-number
address-group group-number
[ vpn-instance
vpn-instance-name ] [ interface
interface-type interface-number
[ next-hop ip-address ] ] no-pat
86
Configuring NAPT
With a specific ACL associated with an address pool or interface address, NAPT translates the source
address of a packet permitted by the ACL into an IP address of the address pool or the interface address,
with using the port information.
To configure NAPT:

• Configure NAPT by associating an ACL with an IP

address pool on the outbound interface for translating
both IP address and port number:
nat outbound acl-number address-group group-number
[ vpn-instance vpn-instance-name ] [ next-hop
Use at least one
ip-address ]
3. Configure NAPT. of the
• Configure NAPT by associating an ACL with an IP commands.
address pool on the inbound interface for translating
both IP address and port number:
nat inbound acl-number address-group group-number
[ vpn-instance vpn-instance-name ] [ interface
interface-type interface-number [ next-hop ip-address ] ]
Configuring an internal server

Introduction to internal server
To configure an internal server, you need to map an external IP address and port number to the internal
server. This is done through executing the nat server command on an interface.
Internal server configurations include external network information (external IP address global-address
and external port number global-port), internal network information (internal IP address local-address
and internal port number local-port), and internal server protocol type. According to different
internal/external network information configurations, internal servers can be classified into common
internal servers and load shared internal servers.
Both internal servers and their external IP addresses can support MPLS VPN. If an internal server belongs
to an MPLS VPN instance, you also need to specify the vpn-instance-name argument. Without this
argument provided, the internal server does not belong to any VPN.
CAUTION:
When you configure an internal server on an IM-NAT or IM-NAT-II card, the configuration takes effect on
all Layer 3 interfaces bound to this NAT service interface.
87
Configuring a common internal server
After mapping the internal IP address/port number (local-address and local-port) of a common internal
server to an external IP address/port number (global-address and global-port), hosts in external
networks can access the server located in the internal network.
To configure a common internal server:

1. Enter system
system-view N/A
view.
2. Enter interface
interface interface-type interface-number N/A
view.
• nat server protocol pro-type global global-address

[ global-port ] [ vpn-instance global-name ] inside
3. Configure a
local-address [ local-port ] [ vpn-instance local-name ]
common
• nat server protocol pro-type global global-address Use either command.
internal
server. global-port1 global-port2 [ vpn-instance global-name ]
inside local-address1 local-address2 local-port
[ vpn-instance local-name ]
Configuring load shared internal servers

NOTE:
This feature is supported only when an IM-NAT or IM-NAT-II card is present.
You can add an internal server (private network information) into an internal server group. If multiple
members exist in the internal server group, they can provide the same service to hosts in external
networks, thus to implement load sharing.
To configure load shared internal servers:
Step Command
2. Configure an internal server
nat server-group group-number
group.
3. Add an internal server into the
inside ip inside-ip port port-number
group.
nat server protocol pro-type global global-address global-port

5. Configure load shared internal
[ vpn-instance global-name ] inside server-group group-number
servers.
[ vpn-instance local-name ]
NOTE:
• The internal server group referenced by the nat server command must have at least a member
configured.
• Each private IP address in an internal server group should be unique.
88
Configuring DNS mapping
With DNS mapping, an internal host can access an internal server on the same private network by using
the domain name of the internal server when the DNS server resides on the public network.
To configure a DNS mapping:
Step Command
nat dns-map domain domain-name protocol pro-type ip

2. Configure a DNS mapping.
global-ip port global-port
Binding a NAT-enabled interface to the NAT

service interface
Introduction
The IM-NAT card on the router is dedicated to process NAT services. You can bind a NAT-enabled
interface with the NAT service interface on the card so that the NAT-enabled interface redirects all
packets to the NAT service interface. This method improves NAT processing performance by using the
hardware-based processing capability of the IM-NAT card.
To configure a NAT service interface binding:

2. Enter NAT service interface
interface nat interface-number N/A
view.
A NAT service interface can be
3. Configure a NAT service nat binding interface interface-type
bound with multiple NAT-capable
interface binding. interface-number
interfaces.
NOTE:
An interface bound with a NAT service interface cannot serve as the outbound interface for QoS
redirection. This is because all packets out of the interface are redirected to the NAT service interface,
making QoS redirection ineffective.
Configuring NAT logging
89
NOTE:
• For the NAT log configuration, see Security Configuration Guide and the Network Management and
Monitoring Configuration Guide.
• A router installed with an IM-NAT or IM-NAT-II card does not output log information about static NAT
and internal servers.
Setting NAT connection limits

Connection limit overview
An internal user that initiates a large quantity of connections to external networks in a short period of
time occupies large amounts of system resources of the device, making other users unable to access
network resources normally. An internal server that receives large numbers of connection requests within
a short time cannot process them in time or accept other normal connection requests. To avoid such
situations, you can configure connection limit policies to collect statistics on and limit the number of
connections, connection establishment rate, and connection bandwidth.
Creating a connection limit policy

A connection limit policy comprises a set of connection limit rules, which define the valid range and
parameters for the policy.
To create a connection limit policy:
Step Command
2. Create a connection limit policy and enter its view. connection-limit policy policy-number
Configuring the connection limit policy

A connection limit policy contains one or more source IP-based connection limit rules, each specifying an
object or range for the limit. A user connection matching a rule will be limited based on the parameters
in the rule.
A source IP-based connection limit rule limits connections initiated from a specified host or subnet that is
on a VPN or the public network. It can limit the number of connections, connection establishment rate,
or connection bandwidth.
A connection limit policy may comprise limit rules of different types. These rules are identified by IDs in
different ranges. The limit rules are matched in ascending order of rule ID. When you configure
connection limit rules for a policy, check the rules and their order carefully. H3C recommends you
arrange the rules in ascending order of granularity and range.
A source IP-based connection limit rule can be any of these limit types:
• Host limit—Limits the connections of a specified host.
• Shared segment limit—Limits the connections of a specified network segment so that all the
connections share the specified resources. This mode is identified by the shared keyword.
90
• Non-shared segment limit—Limits the connections of a specified network segment so that each
connection on the segment enjoys the specified resources.
To configure a source IP-based connection limit rule:
Step Command
2. Enter connection limit policy view. connection-limit policy policy-number
limit limit-id source { user-ip mask-length } [ vpn-instance

3. Configure a source IP-based connection vpn-instance-name ] { amount { dns max-amount | http
limit rule. max-amount | other max-amount | tcp max-amount } * |
{ bandwidth max-bandwidth | rate max- rate } } * [ shared ]
Applying the connection limit policy

To make a connection limit policy take effect, apply it globally or to a service module.
To apply a connection limit policy:

2. Enter NAT interface view. interface nat interface-number N/A
Only one connection limit

3. Apply a connection limit connection-limit apply policy
policy can be applied to a
policy to the NAT interface. policy-number
NAT interface.
Enabling connection limit logging

After you enable the connection limit logging function, the connection limit operation information will be
sent to the information center. The information mainly includes the source address, destination address,
and protocol type of the connection, the maximum connections allowed, and a limit-reached message.
To enable connection limit logging:

2. Enter NAT service
interface view.
3. Enable connection limit Disabled by default.

connection-limit log enable
logging. Available on an IM-NAT service card.
NOTE:
This command is available only on an interface of an IM-NAT or IM-NAT-II card.
91
Displaying and maintaining NAT
display nat address-group [ group-number ] [ |
Display information about NAT Available in any
address pools. view
Display all NAT configuration display nat all [ | { begin | exclude | include } Available in any
information. regular-expression ] view
Display the NAT configuration display nat bound [ | { begin | exclude | Available in any
information. include } regular-expression ] view
Display the DNS mapping display nat dns-map [ | { begin | exclude | Available in any
configuration information. include } regular-expression ] view
Display the internal server display nat server [ | { begin | exclude | Available in any
information. include } regular-expression ] view
display nat server-group [ group-number ] [ |

Display internal server group Available in any
information. view
display nat static [ | { begin | exclude | Available in any

Display static NAT information.
include } regular-expression ] view
display interface nat-interface [ | { begin | Available in any

Display NAT statistics.
exclude | include } regular-expression ] view
display connection-limit policy { policy-number

Display information about the Available in any
| all } [ | { begin | exclude | include }
connection limit policy. view
display connection-limit statistic [ ip user-ip ]

[ vpn-instance vpn-instance-name ] interface Available in any
Display connection limit statistics.
interface-type interface-number [ | { begin | view
display connection-limit statistics total

Display total connection limit interface interface-type interface-number [ | Available in any
statistics. { begin | exclude | include } view
NAT configuration examples

One-to-one static NAT configuration example
An internal host 10.110.10.8/24 uses public address 202.38.1.100 to access the Internet.
On the router, one of the following cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, SPE-1020-E-II, IM-NAT,
and IM-NAT-II is installed in Slot 3.
An SPE card is installed in Slot 5.
92
# Configure the IP addresses for the interfaces as shown in Figure 40. (Details not shown)
# Configure a one-to-one static NAT mapping.
[Router] interface nat 3/0/2
[Router-NAT3/0/2] nat static 10.110.10.8 202.38.1.100
[Router-NAT3/0/2] quit
# Enable static NAT on interface GigabitEthernet 5/1/2.

[Router-GigabitEthernet5/1/2] nat outbound static
# Bind NAT service interface 3/0/2 to interface GigabitEthernet 5/1/2.

[Router-NAT3/0/2] nat binding interface GigabitEthernet 5/1/2
Dynamic NAT configuration example I

As shown in Figure 41, a company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24, and internal network address 10.110.0.0/16. Specifically, the company has the
following requirements:
The internal users in subnet 10.110.10.0/24 can access the Internet by using public IP addresses
202.38.1.2 and 202.38.1.3, while users in other network segments cannot.
On the router, one of the following cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, SPE-1020-E-II, IM-NAT,
and IM-NAT-II is installed in Slot 5.
An SPE card is installed in Slot 3.
93
# Configure address pool 1 containing 202.38.1.2 and 202.38.1.3.
[Router] nat address-group 1 202.38.1.2 202.38.1.3
# Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access the
Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-basic-2001] rule deny
[Router-acl-basic-2001] quit
# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 3/1/2.
[Router-GigabitEthernet3/1/2] nat outbound 2001 address-group 1
# Bind GigabitEthernet 3/1/2 to NAT service interface 5/0/1.

Dynamic NAT configuration example II

As shown in Figure 42, a company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24, and internal network address 10.110.0.0/16. Specifically, the company has the
following requirements:
• The internal users in subnet 10.110.10.0/24 can access the Internet using public IP addresses
202.38.1.2 and 202.38.1.3, while users in other network segments cannot.
• Configure the upper limit of connections (sourced from 10.110.10.100) as 1000, which means the
number of connections initiated from the internal user to external servers cannot exceed 1000.
94
• Method I: Configure NAT on the outbound interface. (On the router, an IM-NAT or IM-NAT-II card
is installed in Slot 5, and an SPE card is installed in Slot 3)
# Configure address pool 1 containing 202.38.1.2 and 202.38.1.3.
# Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access
the Internet.
# Associate address pool 1 and ACL 2001 with the outbound interface GigabitEthernet 3/1/2.
# Bind GigabitEthernet 3/1/2 to NAT service interface 5/0/1.
# Configure connection limit policy 1, limiting user connections sourced from 10.110.10.100. Set
the upper limit of user connections to 1000.
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 0 source 10.110.10.100 32 amount other 1000
[Router-connection-limit-policy-1] quit
# Apply the connection limit policy to the NAT service interface 5/0/1.
[Router-NAT5/0/1] connection-limit apply policy 1
• Method II: Configure NAT on the inbound interface. (On the router, an IM-NAT or IM-NAT-II card is
installed in Slot 5, and an SPE card is installed in Slot 3.)
# Configure address pool 1.

# Configure ACL 2001, permitting only users from network segment 10.110.10.0/24 to access
the Internet.
95
# Configure ACL 2002 for redirecting packets to the NAT board. Packets that are to be redirected
to the NAT service interface requires address translation, so the ACL rules defined in ACL 2002
are the same as that in ACL 2001. You can also configure different ACL rules as needed.
# Configure a QoS policy to redirect packets to NAT 5/0/1.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2002
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect interface nat 5/0/1
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router-GigabitEthernet3/1/1] qos apply policy 1 inbound
# Associate address pool 1 and ACL 2001 with the inbound interface GigabitEthernet 3/1/1.
[Router-GigabitEthernet3/1/1] nat inbound 2001 address-group 1
# Bind the NAT service interface 5/0/1 with GigabitEthernet 3/1/1.
# Configure connection limit policy 1, limiting user connections sourced from 10.110.10.100. Set
the upper limit of user connections to 1000.
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 0 source 10.110.10.100 32 amount other 1000
[Router-connection-limit-policy-1] quit
# Apply connection limit policy 1 to the NAT service interface 5/0/1.
[Router-NAT5/0/1] connection-limit apply policy 1
Dynamic NAT configuration example III

As shown in Figure 44, a company has three valid public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24, and an internal network address of 10.110.0.0/16. The internal network belongs to VPN
1. NAT allows VPN 1 users to access the Internet.
On the router, an IM-NAT or IM-NAT-II card is installed in Slot 5, and an SPE card is installed in Slot 3.
96
VPN network Host A
GE3/1/3 GE3/1/4
10.110.10.10/16 202. 38.1.1/24
Internet
Web server
202.38.1. 200
Host B Host C
# Configure VPN 1.
System View: return to User View with Ctrl+Z.
[Router] ip vpn-instance vpn1
[Router-vpn-instance-vpn1] route-distinguisher 1:1
[Router-vpn-instance-vpn1] quit
# Configure a default route with outbound interface GigabitEthernet 3/1/4 and next hop 202.38.1.250.
[Router] ip route-static vpn-instance vpn1 0.0.0.0 0 GigabitEthernet 3/1/4 202.38.1.250
# Associate GigabitEthernet 3/1/3 with VPN 1 and assign an IP address to GigabitEthernet 3/1/4.
[Router-GigabitEthernet3/1/3] ip binding vpn-instance vpn1
[Router-GigabitEthernet3/1/3] ip address 10.110.10.10 16
# Configure NAT address pool 0.

# Configure ACL 2000.

[Router] acl num 2000
[Router-acl-basic-2000] rule permit vpn-instance vpn1
# Associate ACL 2000 with address pool 0 on the outbound interface.


[Router-NAT5/0/1] nat binding interface gigabitethernet 3/1/4
97
Dynamic NAT configuration example IV
A company has two departments, A and B. Department A resides on network 192.168.1.0/24 and
belongs to VPN 1. Department B resides on network 172.21.1.0/24 and belongs to VPN 2. The address
pool contains IP addresses 202.38.1.2 and 202.38.1.3 and belongs to VPN 3. A web server resides on
the same network as department B.
Configure the routers to allow access from department A to the web server.
NOTE:
• When you configure twice NAT for multiple instances of a PE, specify the VPN to which the NAT address
pool belongs.
• When you configure twice NAT on a PE, do not specify the outbound interface. That is, do not specify
the interface keyword in the nat static net-to-net, nat static, and nat inbound commands.
# Configure VPNs.
[Router-vpn-instance-vpn1] vpn-target 3:3 import-extcommunity
[Router-vpn-instance-vpn2] vpn-target 3:3 import-extcommunity
[Router-vpn-instance-vpn3] vpn-target 3:3 export-extcommunity
# Enable route redistribution from NAT.
98
[Router] bgp 1
[Router-bgp] ipv4-family vpn-instance vpn3
[Router-bgp-vpn3] import-route static
[Router-bgp-vpn3] quit
[Router-bgp] quit
# Associate GigabitEthernet 3/1/3 with VPN 1 and GigabitEthernet 3/1/4 with VPN 2.
[Router] interface GigabitEthernet3/1/3
# Configure ACL 3005.

[Router-acl-adv-3005] rule permit ip vpn-instance vpn1 source any destination 202.38.1.3
0
[Router-acl-adv-3005] quit
# Configure NAT address pool 0.

# Associate ACL 3005 with address pool 0 on the inbound interface, and create a NAT server.
[Router-GigabitEthernet3/1/3] nat inbound 3005 address-group 0 vpn-instance vpn3
[Router-GigabitEthernet3/1/3] nat server protocol tcp global 202.38.1.3 www vpn-instance
vpn3 inside 172.21.1.243 www vpn-instance vpn2

[Router-NAT5/0/1] nat binding interface gigabitethernet 3/1/3
Common internal server configuration example

As shown in Figure 46, a company provides two web servers, one FTP server, and one SMTP server for
external users to access. The internal network address is 10.110.0.0/16. The internal address for the FTP
server is 10.110.10.3/16, for web server 1 is 10.110.10.1/16, for web server 2 is 10.110.10.2, and for the
SMTP server 10.110.10.4/16. The company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24. Specifically, the company has the following requirements:
• External hosts can access internal servers with public address 202.38.1.1/24.
• Port 8080 is used for web server 2.
99
# Enter interface GigabitEthernet 3/1/2 view.
# Configure the internal FTP server.

[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 ftp inside
10.110.10.3 ftp
# Configure the internal web server 1.

[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 www inside
10.110.10.1 www
# Configure the internal web server 2.

[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 8080 inside
10.110.10.2 www
# Configure the internal SMTP server.

[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 smtp inside
10.110.10.4 smtp

Load sharing internal server configuration example

As shown in Figure 47, a company provides FTP services for external users. The public network address
is 202.38.1.1/16. Three FTP servers are deployed to implement load sharing.
100
# Add members to internal server group 0.
[Router] nat server-group 0
[Router-nat-server-group-0] inside ip 10.110.10.1 port 21
[Router-nat-server-group-0] quit
# Associate internal server group 0 with GigabitEthernet 3/1/2 so that hosts in the server group can
provide FTP services.
[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 ftp inside
server-group 0

NAT DNS mapping configuration example

As shown in Figure 48, a company provides Web and FTP services to external users, and has its internal
IP addresses on the network segment 10.110.0.0/16. The IP addresses of the Web and FTP servers are
10.110.10.1/16 and 10.110.10.2/16 respectively. The company has three public addresses
202.38.1.1/24 through 202.38.1.3/24. The DNS server is at 202.38.1.4/24.
• The public IP address 202.38.1.2 is used to provide services to external users.
• External users can use the public address or domain name of internal servers to access them.
• Internal users can access the internal servers by using their domain names.
101
10.110 .10. 1/16 10. 110. 10.2/16 202.38 .1.4/24
Web ser ver FTP server DNS server
GE3/1/1 GE3/1/2
10.110.10.10/16 202.38 .1.1/24
Interne t
Router
Host A Host B
10.110.10 .3/16 20.38.1 .10/24
# Enter the view of interface GigabitEthernet 3/1/2.
# Configure the internal web server.

[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.2 inside
10.110.10.1 www
# Configure the internal FTP server.

[Router-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.2 inside
10.110.10.2 ftp
# Configure two DNS mapping entries: map the domain name www.server.com of the web server to
202.38.1.2, and ftp.server.com of the FTP server to 202.38.1.2.
[Router] nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port www
[Router] nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp
[Router] quit
Verifying the configuration

# After completing the above configurations, display the DNS mapping configuration information.
<Router> display nat dns-map
NAT DNS mapping information:
There are currently 2 NAT DNS mapping(s)
Domain-name: www.server.com
Global-IP : 202.38.1.2
Global-port: 80(www)
Protocol : 6(TCP)
Domain-name: ftp.server.com
Global-IP : 202.38.1.2
Global-port: 21(ftp)
Protocol : 6(TCP)
Host A and Host B can use the domain name www.server.com to access the web server, and use
ftp.server.com to access the FTP server.
102
Troubleshooting NAT
Symptom: internal server functions abnormally
Solution: Check whether the internal server host is properly configured; whether the router is correctly
configured with respect to the internal server parameters, such as the internal server IP address. It is also
possible that the firewall that has denied external access to the internal network. You can use the display
acl command to verify this. For more information about firewall, see Security Configuration Guide.
103
Configuring IP performance optimization
NOTE:
In this documentation, SPC cards refer to the interface cards prefixed with SPC, for example, SPC-GT48L.
SPE cards refer to the base cards prefixed with SPE, for example, SPE-1020-E-II.
IP performance optimization overview

You can adjust the IP parameters to achieve best network performance. IP performance optimization
includes:
• Enabling the router to receive and forward directed broadcasts
• Configuring the maximum TCP segment size (MSS) of the interface
• Configuring the TCP send/receive buffer size
• Configuring TCP timers
• Enabling the router to send ICMP error packets
• Enabling the router to support ICMP extensions
• Enabling ICMP flow control
Enabling reception and forwarding of directed

broadcasts to a directly connected network
Directed broadcast packets are broadcast on a specific network. In the destination IP address of a
directed broadcast, the network ID is a network ID identifies the target network, and the host ID is all-one.
If a router is allowed to forward directed broadcasts to a directly connected network, hackers may mount
attacks to the network. However, you should enable the feature when:
• Using the UDP Helper function to convert broadcasts to unicasts and forward them to a specified
server.
• Using the Wake on LAN function to forward directed broadcasts to a host on the remote network.
Enabling forwarding of directed broadcasts to a directly

connected network
To enable the router to forward directed broadcasts:

2. Enter interface view. interface interface-type

N/A
interface-number
104
By default, the router is disabled from
forwarding directed broadcasts. The
3. Enable the interface to system does not support this command
forward directed ip forward-broadcast [ acl
when working in the hybrid mode. For
broadcasts. acl-number ]
more information about the system working
modes, see Fundamentals Configuration
Guide.
NOTE:
The router does not support the acl keyword.
Configuration example
As shown in Figure 49, the host’s interface and GigabitEthernet 3/1/1 of Router A are on the same
network segment (1.1.1.0/24). Interface GigabitEthernet 3/1/2 of Router A and interface
GigabitEthernet 3/1/2 of Router B are on another network segment (2.2.2.0/24). The default gateway
of the host is GigabitEthernet 3/1/1 (IP address 1.1.1.2/24) of Router A. Configure a static route to the
host on Router B.
Configure Router B to receive directed broadcasts from the host to IP address 2.2.2.255.
• Configure Router A:
# Configure IP addresses for GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2.
[RouterA-GigabitEthernet3/1/1] ip address 1.1.1.2 24
# Enable GigabitEthernet 3/1/2 to forward directed broadcasts.
[RouterA-GigabitEthernet3/1/2] ip forward-broadcast
• Configure Router B:
# Configure a static route to the host.
[RouterB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for GigabitEthernet 3/1/2.
[RouterB-GigabitEthernet3/1/2] ip address 2.2.2.1 24
105
After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of interface
GigabitEthernet 3/1/2 of Router A on the host, the ping packets can be received by interface
GigabitEthernet 3/1/2 of Router B. However, if you remove the ip forward-broadcast command,
the ping packets cannot be received by interface GigabitEthernet 3/1/2 of Router B.
Configuring TCP attributes

Configuring TCP MSS for the interface
The Max Segment Size (MSS) option informs the receiver of the largest segment that the sender is willing
to accept. Each end announces the MSS it expects to receive during the TCP connection establishment.
The end that receives the MSS value from the other end then limits the size of each TCP segment to be sent.
If the size of a TCP segment is smaller than the MSS of the other end, the TCP segment is sent to the other
end without being fragmented; otherwise, it will be fragmented according to the MSS before being sent.
If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the
interface cannot exceed the MSS value.
To configure TCP MSS of the interface:

3. Configure TCP MSS of Optional

the interface. tcp mss value
1460 bytes by default
NOTE:
• This configuration takes effect only on TCP connections that are established after the configuration rather
than the TCP connections that already exist.
• This configuration is effective only on IP packets. If MPLS is enabled on the interface, you are not
recommended to configure the TCP MSS on the interface.
Configuring the TCP send/receive buffer size

To configure the TCP send/receive buffer size:

2. Configure the size of TCP Optional

receive/send buffer. tcp window window-size
8 KB by default
Configuring TCP timers

You can configure the following TCP timers:
• synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is
received within the synwait timer interval, the TCP connection cannot be created.
106
• finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is
started. If no FIN packet is received within the timer interval, the TCP connection will be terminated.
If a FIN packet is received, the TCP connection state changes to TIME_WAIT. If a non-FIN packet is
received, the system restarts the timer upon receiving the last non-FIN packet. The connection is
broken after the timer expires.
To configure TCP timers:

Optional
2. Configure the TCP synwait timer. tcp timer syn-timeout time-value
75 seconds by default
Optional
3. Configure the TCP finwait timer. tcp timer fin-timeout time-value
CAUTION:
The actual length of the finwait timer is determined by the following formula:
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the
synwait timer
Configuring ICMP to send error packets

Introduction
Sending error packets is a major function of ICMP protocol. In case of network abnormalities, error
packets are usually sent by the network or transport layer protocols to notify corresponding routers so as
to facilitate control and management.
Advantages of sending ICMP error packets

There are three kinds of ICMP error packets: redirect packets, timeout packets and destination
unreachable packets. Their sending conditions and functions are as follows.
1. Sending ICMP redirect packets
A host may have only a default route to the default gateway in its routing table after startup. The
default gateway will send ICMP redirect packets to the source host and notify it to reselect a correct
next hop to send the subsequent packets, if the following conditions are satisfied:
{ The receiving and forwarding interfaces are the same.
{ The selected route has not been created or modified by ICMP redirect packet.
{ The selected route is not the default route of the router.
{ There is no source route option in the packet.
ICMP redirect packets function simplifies host administration and enables a host to gradually
establish a sound routing table to find out the best route.
2. Sending ICMP timeout packets
If the router received an IP packet with a timeout error, it drops the packet and sends an ICMP
timeout packet to the source.
107
The router will send an ICMP timeout packet under the following conditions:
{ If the router finds the destination of a packet is not itself and the TTL field of the packet is 1, it
will send a “TTL timeout” ICMP error message.
{ When the router receives the first fragment of an IP datagram whose destination is the router
itself, it will start a timer. If the timer times out before all the fragments of the datagram are
received, the router will send a “reassembly timeout” ICMP error packet.
3. Sending ICMP destination unreachable packets
If the router receives an IP packet with the destination unreachable, it will drop the packet and
send an ICMP destination unreachable error packet to the source.
Conditions for sending this ICMP packet:
{ If neither a route nor the default route for forwarding a packet is available, the router will send
a “network unreachable” ICMP error packet.
{ If the destination of a packet is local while the transport layer protocol of the packet is not
supported by the local router, the router sends a “protocol unreachable” ICMP error packet to
the source.
{ When receiving a packet with the destination being local and transport layer protocol being
UDP, if the packet’s port number does not match the running process, the router will send the
source a “port unreachable” ICMP error packet.
{ If the source uses “strict source routing" to send packets, but the intermediate router finds the
next hop specified by the source is not directly connected, the router will send the source a
“source routing failure” ICMP error packet.
{ When forwarding a packet, if the MTU of the sending interface is smaller than the packet but
the packet has been set “Don’t Fragment”, the router will send the source a “fragmentation
needed and Don’t Fragment (DF)-set” ICMP error packet.
Disadvantages of sending ICMP error packets

Although sending ICMP error packets facilitates network control and management, it still has the
following disadvantages:
• Sending a lot of ICMP packets will increase network traffic.
• If receiving a lot of malicious packets that cause it to send ICMP error packets, the router’s
performance will be reduced.
• As the redirection function increases the routing table size of a host, the host’s performance will be
reduced if its routing table becomes very large.
• If a host sends malicious ICMP destination unreachable packets, end users may be affected.
To prevent such problems, you can disable the router from sending ICMP error packets.
To enable sending of ICMP error packets:

2. Enable sending of ICMP redirect
packets. ip redirects enable Disabled by default
3. Enable sending of ICMP timeout

packets. ip ttl-expires enable Disabled by default
108
4. Enable sending of ICMP destination
unreachable packets. ip unreachables enable Disabled by default
NOTE:
• On SPC cards, you can enable sending of ICMP redirect packets only on VLAN interfaces.
• The router stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is
disabled. However, “reassembly timeout” error packets will be sent normally.
Enabling support for ICMP extensions

Introduction
Generally, ICMP messages are of a fixed format and cannot carry extension information. With support
for ICMP extensions enabled, a router appends an extension information field to the ICMP messages as
needed. Currently, the router can append only MPLS label information to ICMP messages.
ICMP extensions for MPLS

In MPLS networks, when a packet's TTL expires, MPLS stripes the MPLS header, encapsulates the
remaining datagram into an ICMP time exceeded message, and sends the message to the egress router
of the MPLS tunnel. Then the egress router sends the message back to the ingress router of the tunnel. The
ICMP message, however, does not contain the label information that is very important to the ingress
router. With support for ICMP extensions enabled, the router appends the MPLS label to the ICMP time
exceeded message before sending it back to the ingress router of the tunnel.
ICMP extensions are usually used for an enhanced traceroute implementation in MPLS networks, in
which MPLS label information of each hop the original datagram arrives at is printed.
Handling ICMP messages

ICMP messages can be classified into three types:
• Common ICMP messages: Without any extension information.
• Extended ICMP messages with a length field: Carry extension information and a length field. The
length field indicates the length of the original datagram that is encapsulated within the ICMP
header and excludes the ICMP extension length. Such an ICMP message complies with RFC 4884.
• Extended ICMP messages without a length field: Carry extension information but does not contain
a length field. Such an ICMP message does not comply with RFC 4884.
Based on how these messages are handled, the router can work in one of these modes: common mode,
compliant mode, and non-compliant mode. Table 4 shows how ICMP messages are handled in different
working modes.
Table 4 Handling ICMP messages
Device mode ICMP messages sent ICMP messages received Remarks

Extension information in
Common mode Common ICMP messages Common ICMP messages extended ICMP messages
will not be processed.
109
Device mode ICMP messages sent ICMP messages received Remarks
Common ICMP messages Common ICMP messages Extended ICMP messages

without a length field are
Compliant mode Extended ICMP messages Extended ICMP messages handled as common ICMP
with a length field with a length field messages.
Common ICMP messages

Non-compliant All three types of ICMP
Extended ICMP messages N/A
mode messages
without a length field
NOTE:
ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages,
IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.
To enable support for ICMP extensions:

2. Enable support for ICMP
Optional
extensions in compliant ip icmp-extensions compliant
mode. Disabled by default
3. Enable support for ICMP

Optional
extensions in non-compliant ip icmp-extensions non-compliant
mode. Disabled by default
NOTE:
After support for ICMP extensions is disabled, no ICMP message sent by the router contains extension
information.
Enabling ICMP flow control

If a large number of ICMP packets are delivered to the CPU for processing, processing of other services
is affected. To prevent this, you can enable ICMP flow control.
To enable ICMP flow control:

2. Enable ICMP flow control. ip icmp flow-control Disabled by default
Displaying and maintaining IP performance

optimization
110
Display current TCP display tcp status [ | { begin | exclude | include }
connection state. regular-expression ]
Display TCP connection display tcp statistics [ | { begin | exclude |

statistics. include } regular-expression ]
display udp statistics [ | { begin | exclude |

Display UDP statistics. Available in any view
display ip statistics [ slot slot-number ] [ | { begin |

Display statistics of IP packets. Available in any view
Display statistics of ICMP display icmp statistics [ slot slot-number ] [ | { begin

flows. | exclude | include } regular-expression ]
display ip socket [ socktype sock-type ] [ task-id

Display socket information. socket-id ] [ slot slot-number ] [ | { begin | exclude Available in any view
| include } regular-expression ]
display fib [ vpn-instance vpn-instance-name ] [ |

{ begin | exclude | include } string | acl acl-number
Display FIB information. Available in any view
| ip-prefix ip-prefix-name ] [ | { begin | exclude |
Display FIB forward

display fib [ vpn-instance vpn-instance-name ]
information matching the
ip-address [ mask | mask-length ] [ | { begin | Available in any view
specified destination IP
address.
Clear statistics of IP packets

reset ip statistics [ slot slot-number ] Available in user view
For centralized.
Clear statistics of TCP

reset tcp statistics Available in user view
connections.
Clear statistics of UDP flows. reset udp statistics Available in user view
111
Configuring adjacency table
NOTE:
• The adjacency table feature only applies to hardware forwarding, but not software forwarding.
• The adjacency table feature does not apply to Ethernet networks that use ARP for storing and managing
neighbor information.
Overview
Introduction to adjacency table
An adjacency table stores information about active neighbors, including neighbor network layer address
(nexthop), outgoing interface, link layer service type, and link layer address (PVC for ATM; unavailable
for PPP).
The concept of neighbor is relevant to network layer. Node B may be an IP neighbor of node A, while
node B may not be an IPX neighbor of node A. Also, a neighbor in the active state is in relation to
network layer. The adjacency table feature only supports the neighbor concept in relation to IP.
A router can be connected with its neighbors through multiple link layer protocols, such as PPP, ATM and
frame relay (FR).
Fields
Some fields in the adjacency table are describes as follows:
• Routing interface—Outgoing interface in a route entry.
• Physical interface—Such as serial interface, POS interface, and ATM interface.
• Logical interface—An abstract interface that does not correspond to any physical entity and is used
for adjacency table implementation, for example, Virtual-Ethernet interface and Virtual-Template
interface.
• Service type—Type of service corresponding to the adjacency table, such as PPP and IP over ATM.
• Action type—Action to take on the packet that matches the entry, forward or drop.
• Link media type—Related to the link layer protocol used by the outgoing interface. P2P indicates
point-to-point, such as the point-to-point protocol (PPP).
• Link head information (IPv6)—Information of the link layer header corresponding to the IPv6
protocol.
Displaying and maintaining adjacency table
112
display adjacent-table { all | physical-interface
interface-type interface-number | routing-interface
Display IPv4 adjacency Available in any
interface-type interface-number | slot slot-number } [ count |
table entries. view
verbose ] [ | { begin | exclude | include }
display ipv6 adjacent-table { all | physical-interface

interface-type interface-number | routing-interface
Display IPv6 adjacency Available in any
interface-type interface-number | slot slot-number } [ count |
table entries. view
verbose ] [ | { begin | exclude | include }
113
Configuring UDP Helper
Introduction to UDP Helper

Sometimes, a host needs to forward broadcasts to obtain network configuration information or request
the names of other routers on the network. However, if the server or the router to be requested is located
in another broadcast domain, the host cannot obtain such information through broadcast.
To solve this problem, the router provides the UDP Helper function to relay specified UDP packets. In other
words, UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets
and forwards them to a specified destination server.
With UDP Helper enabled, the router decides whether to forward a received UDP broadcast packet
according to the UDP destination port number of the packet.
• If the destination port number of the packet matches the one pre-configured on the router, the router
modifies the destination IP address in the IP header, and then sends the packet to the specified
destination server.
• If not, the router sends the packet to the upper layer protocol for processing.
Configuring UDP Helper

To configure UDP Helper:

2. Enable UDP Helper. udp-helper enable Disabled by default.

3. Enable the forwarding of
udp-helper port { port-number |
packets with the specified No UDP port number is specified by
dns | netbios-ds | netbios-ns |
UDP destination port default.
tacacs | tftp | time }
number(s).
interface-number
5. Specify the destination
server to which UDP No destination server is specified by
udp-helper server ip-address
packets are to be default.
forwarded.
114
CAUTION:
• The UDP Helper enabled router cannot forward DHCP broadcast packets. In other words, the UDP port
number cannot be set to 67 or 68.
• The UDP Helper enabled device must not forward DHCP broadcast packets that use destination port 67
or 68. Therefore, the UDP port numbers set with the udp-helper port command must not include 67 or
68.
• The configuration of all UDP ports is removed if you disable UDP Helper.
• You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port
numbers.
• You can configure up to 20 destination servers on an interface.
Displaying and maintaining UDP Helper

display udp-helper server [ interface
Displays the information of
interface-type interface-number ] [ | { begin Available in any view
forwarded UDP packets.
| exclude | include } regular-expression ]
Clear statistics about packets

reset udp-helper packet Available in user view
forwarded.
UDP Helper configuration example

As shown in Figure 50, the IP address of the interface GigabitEthernet 3/1/1 on Router A is
10.110.1.1/16. Configure UDP helper on Router A to forward broadcast packets with UDP destination
port number 55 and destination IP address 255.255.255.255 or 10.110.255.255 to the destination
server 10.2.1.1/16.
NOTE:
Make sure that a route from Router A to the network segment 10.2.0.0/16 is available.
115
# Enable UDP Helper.
[RouterA] udp-helper enable
# Enable the forwarding of broadcast packets with the UDP destination port number 55.
[RouterA] udp-helper port 55
# Specify the server with the IP address of 10.2.1.1 as the destination server to which UDP packets are to
be forwarded.
[RouterA-GigabitEthernet3/1/1] udp-helper server 10.2.1.1
116
Configuring IPv6 basics
IPv6 overview
Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet
Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The significant
difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
IPv6 features
Header format simplification
IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length
of the basic IPv6 packet header. The basic IPv6 packet header has a fixed length of 40 bytes to simplify
IPv6 packet handling and to improve the forwarding efficiency. Although an IPv6 address size is four
times larger than an IPv4 address, the basic IPv6 packet header size is only twice the size of the
option-less IPv4 packet header.
Figure 51 IPv4 packet header format and basic IPv6 packet header format
Larger address space

The source and destination IPv6 addresses are 128 bits (or 16 bytes) long. IPv6 can provide 3.4 x 1038
addresses to meet the requirements of hierarchical address division and the allocation of public and
private addresses.
Hierarchical address structure

IPv6 uses the hierarchical address structure to make route searches faster and reduce the system sources
occupied by the IPv6 routing table by route aggregation.
Address autoconfiguration
To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration.
117
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other
configuration information from a server (for example, a DHCP server).
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and
other configuration information by using its link-layer address and the prefix information advertised
by a router.
To communicate with other hosts on the same link, a host automatically generates a link-local address
based on its link-layer address and the link-local address prefix (FE80::/10).
Built-in security
IPv6 defines extension headers to support IPsec. IPsec provides end-to-end security for network security
solutions and enhances interoperability among different IPv6 applications.
QoS support
The Flow Label field in the IPv6 header allows the router to label the packets and facilitates the special
handling of a flow.
Enhanced neighbor discovery mechanism

The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message
Protocol version 6 (ICMPv6) messages to manage the information exchange among neighboring nodes
on the same link. The group of ICMPv6 messages replaces Address Resolution Protocol (ARP) messages,
Internet Control Message Protocol version 4 (ICMPv4) Router Discovery messages, and ICMPv4 Redirect
messages and provides a series of other functions.
Flexible extension headers

IPv6 cancels the Options field in the header and introduces optional extension headers to provide
scalability and improve efficiency. The Options field in the IPv4 packet header contains 40 bytes at most,
whereas the IPv6 extension headers are restricted to the maximum size of IPv6 packets only.
IPv6 addresses
IPv6 address format
An IPv6 address is represented as a set of 16-bit hexadecimals separated by colons. An IPv6 address is
divided into eight groups, and each 16-bit group is represented by four hexadecimal numbers, for
example, 2001:0000:130F:0000:0000:09C0:876A:130B.
To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the
following methods.
• The leading zeros in each group can be removed. For example, the above address can be
represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.
• If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by a
double colon (::). For example, the above address can be represented in the shortest format as
2001:0:130F::9C0:876A:130B.
CAUTION:
A double colon may appear once or not at all in an IPv6 address. Otherwise, the device cannot determine
how many zeros the double colons represent when converting them to zeros to restore a 128-bit IPv6
address.
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network
ID and the host ID of an IPv4 address respectively.
118
An IPv6 address prefix is written in IPv6-address/prefix-length notation where the IPv6-address is
represented in any of the formats above and the prefix-length is a decimal number indicating how many
leftmost bits of the IPv6 address comprises the address prefix.
IPv6 address types

IPv6 addresses fall into three types, unicast address, multicast address, and anycast address.
• Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet
sent to a unicast address is delivered to the interface identified by that address.
• Multicast address—An identifier for a set of interfaces (typically belonging to different nodes),
similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all
interfaces identified by that address.
• Anycast address—An identifier for a set of interfaces (typically belonging to different nodes). A
packet sent to an anycast address is delivered to the nearest one of the interfaces identified by that
address. The nearest interface is chosen according to the routing protocols' measure of distance.
NOTE:
There are no broadcast addresses in IPv6. Their function is replaced by multicast addresses.
The type of an IPv6 address is designated by the first several bits, the format prefix. Table 5 lists the
mappings between address types and format prefixes.
Table 5 Mappings between address types and format prefixes
Type Format prefix (binary) IPv6 prefix ID

Unspecified address 00...0 (128 bits) ::/128
Loopback address 00...1 (128 bits) ::1/128

Unicast
Link-local address 1111111010 FE80::/10
address
Site-local address 1111111011 FEC0::/10
Global unicast address Other forms N/A
Multicast address 11111111 FF00::/8
Anycast addresses use the unicast address space and have the
Anycast address
identical structure of unicast addresses.
Unicast addresses
Unicast addresses comprise global unicast addresses, link-local unicast addresses, site-local unicast
addresses, the loopback address, and the unspecified address.
• The global unicast addresses, equivalent to public IPv4 addresses, are provided for network service
providers. This type of address allows efficient prefix aggregation to restrict the number of global
routing entries.
• The link-local addresses are used for communication among link-local nodes for neighbor discovery
and stateless autoconfiguration. Packets with link-local source or destination addresses are not
forwarded to other links.
• The site-local unicast addresses are similar to private IPv4 addresses. Packets with site-local source
or destination addresses are not forwarded out of the local site (or a private network).
119
• The loopback address is 0:0:0:0:0:0:0:1 (or ::1). It may never be assigned to any physical
interface and can be used by a node to send an IPv6 packet to itself in the same way as the
loopback address in IPv4.
• The unspecified address is 0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before
acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets.
The unspecified address cannot be used as a destination IPv6 address.
Multicast addresses
IPv6 multicast addresses listed in Table 6 are reserved for special purposes.
Table 6 Reserved IPv6 multicast addresses
Address Application
FF01::1 Node-local scope all-nodes multicast address
FF02::1 Link-local scope all-nodes multicast address
FF01::2 Node-local scope all-routers multicast address
FF02::2 Link-local scope all-routers multicast address
FF05::2 Site-local scope all-routers multicast address
Multicast addresses also include solicited-node addresses. A node uses a solicited-node multicast
address to acquire the link-layer address of a neighboring node on the same link and to detect duplicate
addresses. Each IPv6 unicast or anycast address has a corresponding solicited-node address. The format
of a solicited-node multicast address is:
FF02:0:0:0:0:1:FFXX:XXXX
Where FF02:0:0:0:0:1:FF is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6
unicast address or anycast address.
EUI-64 address-based interface identifiers

An interface identifier is 64 bits and uniquely identifies an interface on a link.
Interfaces generate EUI-64 address-based interface identifiers differently.
• On an IEEE 802 interfaces (such as an Ethernet interface and a VLAN interface)
The interface identifier is derived from the link-layer address (typically a MAC address) of the
interface. To expand the 48-bit MAC address to a 64-bit interface identifier, the hexadecimal
number FFFE (that is, 16 bits of 1111111111111110) is inserted into the MAC address (behind
the 24th high-order bit). To make sure that the obtained interface identifier is globally unique, the
universal/local (U/L) bit (which is the seventh high-order bit) is set to 1. Thus, an EUI-64
address-based interface identifier is obtained.
Figure 52 shows the process of how an EUI-64 address-based interface identifier is generated
from a MAC address.
120
Figure 52 Converting a MAC address into an EUI-64 address-based interface identifier
• On a tunnel interface
The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of
the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an
ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For
more information about tunnels, see the chapter “Tunneling configuration.”
• On an interface of another type (such as a serial interface)
The EUI-64 address-based interface identifier is generated randomly by the router.
IPv6 neighbor discovery protocol

The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 messages to implement the
following functions:
• Address resolution
• Neighbor reachability detection
• Duplicate address detection
• Router/prefix discovery and address autoconfiguration
• Redirection
Table 7 lists the types and functions of ICMPv6 messages used by the ND protocol.
Table 7 ICMPv6 messages used by ND
ICMPv6 message Type Function

Acquires the link-layer address of a neighbor.
Neighbor Solicitation (NS)
135 Verifies whether a neighbor is reachable.
message
Detects duplicate addresses.
Neighbor Advertisement Responds to an NS message.

136
(NA) message Notifies the neighboring nodes of link layer changes.
Router Solicitation (RS) Requests for an address prefix and other configuration
133
message information for autoconfiguration after startup.
Responds to an RS message.
Router Advertisement (RA)
134 Advertises information such as the Prefix Information options and
message
flag bits.
121
ICMPv6 message Type Function
Informs the source host of a better next hop on the path to a
Redirect message 137
particular destination when certain conditions are satisfied.
Address resolution
Similar to the ARP function in IPv4, an IPv6 node acquires the link-layer addresses of neighboring nodes
on the same link through NS and NA message exchanges. Figure 53 shows how Host A acquires the
link-layer address of Host B on a single link.
Figure 53 Address resolution
The address resolution operates in the following steps:

1. Host A multicasts an NS message. The source address of the NS message is the IPv6 address of the
sending interface of Host A and the destination address is the solicited-node multicast address of
Host B. The NS message contains the link-layer address of Host A.
2. After receiving the NS message, Host B judges whether the destination address of the packet is its
solicited-node multicast address. If yes, Host B learns the link-layer address of Host A, and then
unicasts an NA message containing its link-layer address.
3. Host A acquires the link-layer address of Host B from the NA message.
Neighbor reachability detection

After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages
to check whether Host B is reachable.
1. Host A sends an NS message whose destination address is the IPv6 address of Host B.
2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise,
Host B is unreachable.
Duplicate address detection

After Host A acquires an IPv6 address, it will perform Duplicate Address Detection (DAD) to check
whether the address is being used by any other node (similar to the gratuitous ARP function in IPv4). DAD
is accomplished through NS and NA message exchanges. Figure 54 shows the DAD process.
122
Figure 54 Duplicate address detection
The DAD operates in the following steps:

1. Host A sends an NS message whose source address is the unspecified address and whose
destination address is the corresponding solicited-node multicast address of the IPv6 address to be
detected. The NS message contains the IPv6 address.
2. If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6
address of Host B.
3. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from
Host B. If receiving no NA message, Host A decides that the IPv6 address is not in use and uses
this address.
Router/prefix discovery and address autoconfiguration

Router/prefix discovery enables a node to locate the neighboring routers and to learn from the received
RA message configuration parameters such as the prefix of the network where the node is located.
Stateless address autoconfiguration enables a node to generate an IPv6 address automatically
according to the information obtained through router/prefix discovery.
Router/prefix discovery is implemented through RS and RA messages in the following steps.
1. At startup, a node sends an RS message to request the address prefix and other configuration
information for autoconfiguration.
2. A router returns an RA message containing information such as Prefix Information options. (The
router also periodically sends an RA message.)
3. The node automatically generates an IPv6 address and other configuration information according
to the address prefix and other configuration parameters in the RA message.
NOTE:
• SR8800 series routers do not support generating IPv6 addresses through stateless address
autoconfiguration.
• In addition to an address prefix, the Prefix Information option also contains the preferred lifetime and
valid lifetime of the address prefix. Nodes update the preferred lifetime and valid lifetime accordingly
through periodic RA messages.
Redirection
A newly started host may contain only a default route to the gateway in its routing table. When certain
conditions are satisfied, the gateway sends an ICMPv6 Redirect message to the source host so that the
host can select a better next hop to forward packets (similar to the ICMP redirection function in IPv4).
The gateway sends an ICMPv6 Redirect message when the following conditions are satisfied.
123
• The receiving interface is the forwarding interface.
• The selected route itself is not created or modified by an ICMPv6 Redirect message.
• The selected route is not the default route.
• The IPv6 packet to be forwarded does not contain any routing header.
IPv6 PMTU discovery

The links that a packet passes from a source to a destination may have different MTUs. In IPv6, when the
packet size exceeds the path MTU of a link, the packet is fragmented at the source end of the link to
reduce the processing pressure on intermediate routers and use network resources effectively.
The path MTU (PMTU) discovery mechanism is to find the minimum MTU of all links in the path between
a source and a destination. Figure 55 shows how a source host discovers the PMTU to a destination host.
Figure 55 PMTU discovery process
The PMTU discovery operates in the following steps.

1. The source host compares its MTU with the packet to be sent, performs necessary fragmentation,
and sends the resulting packet to the destination host.
2. If the MTU supported by a forwarding interface is smaller than the packet, the device discards the
packet and returns an ICMPv6 error packet containing the interface MTU to the source host.
3. After receiving the ICMPv6 error packet, the source host uses the returned MTU to limit the packet
size, performs fragmentation, and sends the resulting packet to the destination host.
4. Step 2 and step 3 are repeated until the destination host receives the packet. In this way, the
source host decides the minimum MTU of all links in the path to the destination host.
IPv6 transition technologies

Before IPv6 dominates the Internet, high-efficient, seamless IPv6 transition technologies are needed to
enable communication between IPv4 and IPv6 networks. Several IPv6 transition technologies, which can
be used in different environments and periods, such as dual stack (RFC 2893), tunneling (RFC 2893),
NAT-PT (RFC 2766), and IPv6 on the provider edge routers (6PE).
Dual stack
Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is a
dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can forward
both IPv4 and IPv6 packets. For an upper layer application that supports both IPv4 and IPv6, either TCP
or UDP can be selected at the transport layer, whereas the IPv6 stack is preferred at the network layer.
Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all
124
transition technologies. However, it does not solve the IPv4 address depletion issue because each dual
stack node must have a globally unique IP address.
Tunneling
Tunneling is an encapsulation technology that utilizes one network protocol to encapsulate packets of
another network protocol and transfer them over the network. For more information about tunneling, see
the chapter “Tunneling configuration.”
NAT-PT
Network Address Translation – Protocol Translation (NAT-PT) is usually applied on a router between IPv4
and IPv6 networks to translate between IPv4 and IPv6 packets, allowing communication between IPv4
and IPv6 nodes. It performs IP address translation, and according to different protocols, performs
semantic translation for packets. This technology is only suitable for communication between a pure IPv4
node and a pure IPv6 node. For more information about NAT-PT, see the chapter “NAT-PT configuration.”
6PE
6PE is a transition technology by which Internet service providers (ISPs) can use existing IPv4 backbone
networks to allow communications between isolated IPv6 networks.
6PE adds labels to the IPv6 routing information of customer networks and advertises the information into
the IPv4 backbone network over Internal Border Gateway Protocol (IBGP) sessions. IPv6 packets are
labeled and forwarded over tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS
LSPs.
CE IPv4/MPLS network CE
IBGP
IPv6 network 6PE 6PE IPv6 network
Customer site Customer site
When an ISP wants to utilize the existing IPv4/MPLS network to provide IPv6 traffic switching capability
through MPLS, only the PE routers need to be upgraded, so 6PE is a highly efficient solution. In addition,
the operation risk of 6PE is very low.
CAUTION:
• The router does not support NAT-PT.
• For more information or configuration related to 6PE, see Layer 3—IP Routing Configuration Guide.

Protocols and standards related to IPv6 include:
• RFC 1881, IPv6 Address Allocation Management
• RFC 1887, An Architecture for IPv6 Unicast Address Allocation
• RFC 1981, Path MTU Discovery for IP version 6
• RFC 2375, IPv6 Multicast Address Assignments
125
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
• RFC 2461, Neighbor Discovery for IP Version 6 (IPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
• RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6)
Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses
• RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture
• RFC 3596: DNS Extensions to Support IP Version 6
IPv6 basics configuration task list

Complete the following tasks to perform IPv6 basics configuration:
Task Remarks
Enabling IPv6 Required
Configuring an IPv6 global unicast address Required

Configuring basic IPv6 functions to
Configuring an IPv6 link-local address
configure
Configure an IPv6 anycast address one
Configuring a static neighbor entry Optional
Configuring the maximum number of neighbors dynamically

Optional
learned
Configuring IPv6 ND Setting the age timer for ND entries in stale state Optional
Configuring parameters related to RA messages Optional
Configuring the maximum number of attempts to send an NS

Optional
message for DAD
Configuring the interface MTU Optional
Configuring PMTU discovery Configuring a static PMTU for a specified IPv6 address Optional
Configuring the aging time for dynamic PMTUs Optional
Configuring IPv6 TCP properties Optional
Configuring IPv6 FIB load sharing Optional
Configuring the maximum ICMPv6 error packets sent in an

Optional
interval
Configuring ICMPv6 packet Enabling replying to multicast echo requests Optional

sending Enabling sending of ICMPv6 time exceeded messages Optional
Enabling sending of ICMPv6 destination unreachable

Optional
messages
126
Configuring basic IPv6 functions
Enabling IPv6
Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface
cannot forward IPv6 packets even if it has an IPv6 address configured.
To enable IPv6:

2. Enable IPv6. ipv6 Disabled by default
Configuring an IPv6 global unicast address

Configure an IPv6 global unicast address by using the following ways:
• EUI-64 IPv6 addressing—The IPv6 address prefix of an interface is manually configured, and the
interface identifier is generated automatically by the interface.
• Manual configuration—The IPv6 global unicast address is configured manually.
• Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically
based on the address prefix information contained in the RA message.
NOTE:
• You can configure multiple IPv6 global unicast addresses with different prefixes on an interface.
• A manually configured global unicast address takes precedence over an automatically generated one.
If a global unicast address has been automatically generated on an interface when you manually
configure another one with the same address prefix, the latter overwrites the previous. The overwritten
automatic global unicast address will not be restored even if the manual one is removed. Instead, a new
global unicast address will be automatically generated based on the address prefix information in the
RA message that the interface receives at the next time.
EUI-64 IPv6 addressing

To configure an interface to generate an EUI-64 IPv6 address:

interface-number
3. Configure the interface to
ipv6 address ipv6-address | By default, no IPv6 global unicast
generate an EUI-64 IPv6
prefix-length eui-64 address is configured on an interface.
address.
Manual configuration
To specify an IPv6 address manually for an interface:
127
interface-number
ipv6 address { ipv6-address

3. Configure an IPv6 address By default, no IPv6 global unicast
prefix-length | ipv6-address |
manually. address is configured on an interface.
prefix-length }
Configuring an IPv6 link-local address

IPv6 link-local addresses can be configured in either of the following ways:
• Automatic generation—The device automatically generates a link-local address for an interface
according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.
• Manual assignment—IPv6 link-local addresses can be assigned manually.
NOTE:
• An interface can have one link-local address only. To avoid link-local address conflicts, use the
automatic generation method.
• Manual assignment takes precedence over automatic generation. If you first use automatic generation
and then manual assignment, the manually assigned link-local address will overwrite the automatically
generated one. If you first use manual assignment and then automatic generation, the automatically
generated link-local address will not take effect and the link-local address is still the manually assigned
one. If you delete the manually assigned address, the automatically generated link-local address is
validated.
To configure automatic generation of an IPv6 link-local address for an interface:

interface-number
Optional.
By default, no link-local address is
3. Configure the interface to configured on an interface.
automatically generate an ipv6 address auto link-local After an IPv6 global unicast
IPv6 link-local address. address is configured on the
interface, a link-local address is
generated automatically.
To configure an IPv6 link-local address manually:

interface-number
128
Optional.
By default, no link-local address is
3. Configure an IPv6
ipv6 address ipv6-address configured on an interface.
link-local address
link-local After an IPv6 global unicast address is
manually.
configured on the interface, a link-local
address is generated automatically.
NOTE:
• After an IPv6 global unicast address is configured for an interface, a link-local address is generated
automatically. The automatically generated link-local address is the same as the one generated by using
the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface,
this manual link-local address takes effect. If the manually assigned link-local address is removed, the
automatically generated link-local address takes effect.
• The undo ipv6 address auto link-local command can only remove the link-local addresses generated
through the ipv6 address auto link-local command. However, if an IPv6 global unicast address is
already configured for an interface, the interface still has a link-local address because the system
automatically generates one for the interface. If no IPv6 global unicast address is configured, the
interface has no link-local address.
Configure an IPv6 anycast address

To configure an IPv6 anycast address for an interface:

interface-number
Optional.
3. Configure an IPv6 anycast ipv6 address ipv6-address | By default, no IPv6 anycast
address. prefix-length anycast address is configured on an
interface.
Configuring IPv6 ND
Configuring a static neighbor entry
The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through
NS and NA messages or through a manually configured static neighbor entry.
The router uniquely identifies a static neighbor entry by the neighbor's IPv6 address and the local Layer
3 interface number. You can configure a static neighbor entry by using either of the following methods.
• Associate a neighbor IPv6 address and link-layer address with the Layer 3 interface of the local
node.
• Associate a neighbor IPv6 address and link-layer address with a port in a VLAN containing the
local node.
129
To configure a static neighbor entry:
Step Command
ipv6 neighbor ipv6-address mac-address { vlan-id

2. Configure a static neighbor entry. port-type port-number | interface interface-type
interface-number } [ vpn-instance vpn-instance-name ]
CAUTION:
You can use either method above to configure a static neighbor entry for a VLAN interface.
• After a static neighbor entry is configured by using the first method, the device needs to resolve the
corresponding Layer 2 port information of the VLAN interface.
• If you use the second method, make sure that the corresponding VLAN interface exists and that the Layer
2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. After a static
neighbor entry is configured, the device associates the VLAN interface with the IPv6 address to identify
the static neighbor entry uniquely.
Configuring the maximum number of neighbors dynamically

learned
The router can dynamically acquire the link-layer address of a neighboring node through NS and NA
messages and add it into the neighbor table. A large table may reduce the forwarding performance of
the router. You can restrict the size of the neighbor table by setting the maximum number of neighbors
that an interface can dynamically learn. When the number of dynamically learned neighbors reaches
the threshold, the interface will stop learning neighbor information.
To configure the maximum number of neighbors dynamically learned:

interface-number
Optional.
3. Configure the maximum By default, up to 16381 neighbors

number of neighbors ipv6 neighbors can be learned on an interface in
dynamically learned by an max-learning-num number hybrid system working mode, and up
interface. to 65533 neighbors can be learned
on an interface in SPE or SPC system
working mode.
Setting the age timer for ND entries in stale state

ND entries in stale state have an age timer. If an ND entry in stale state is not refreshed before the timer
expires, it transits to the delay state. If it is still not refreshed in five seconds, the ND entry transits to the
probe state, and the device sends an NS message for detection. If no response is received after three NS
messages are sent, the device removes the ND entry.
130
To set the age timer for ND entries in stale state:

2. Set the age timer for ND ipv6 neighbor stale-aging Optional

entries in stale state. aging-time Four hours by default
Configuring parameters related to RA messages

You can enable an interface to send RA messages, and configure the interval for sending RA messages
and parameters in RA messages. After receiving an RA message, a host can use these parameters to
perform corresponding operations. Table 8 lists the configurable parameters in an RA message and their
descriptions.
Table 8 Parameters in an RA message and their descriptions
Parameters Description
When sending an IPv6 packet, a host uses the value to fill the Hop Limit field in IPv6
Cur Hop Limit headers. The value is also filled into the Hop Limit field in the response packet of a
device.
Prefix Information After receiving the prefix information, the hosts on the same link can perform
options stateless autoconfiguration.
MTU Makes sure that all nodes on a link use the same MTU value.
Determines whether hosts use the stateful autoconfiguration to acquire IPv6

addresses.
M flag If the M flag is set to 1, hosts use the stateful autoconfiguration (for example, through
a DHCP server) to acquire IPv6 addresses. Otherwise, hosts use the stateless
autoconfiguration to acquire IPv6 addresses and generate IPv6 addresses
according to their own link-layer addresses and the obtained prefix information.
Determines whether hosts use stateful autoconfiguration to acquire other

configuration information.
O flag If the O flag is set to 1, hosts use stateful autoconfiguration (for example, through a
DHCP server) to acquire other configuration information. Otherwise, hosts use
stateless autoconfiguration to acquire other configuration information.
Router Lifetime This field tells the receiving hosts how long the advertising device can live.
If the router fails to receive a response message within the specified time after
Retrans Timer
sending an NS message, it will retransmit the NS message.
If the neighbor reachability detection shows that a neighbor is reachable, the router
considers the neighbor reachable within the specified reachable time. If the router
Reachable Time
needs to send a packet to the neighbor after the specified reachable time expires,
the router will reconfirm whether the neighbor is reachable.
To allow sending of RA messages:

131
interface-number
3. Disable RA message
undo ipv6 nd ra halt By default, RA messages are suppressed.
suppression.
Optional.
By default, the maximum interval for
sending RA messages is 600 seconds,
and the minimum interval is 200
4. Configure the maximum and ipv6 nd ra interval seconds.
minimum intervals for max-interval-value The router sends RA messages at random
sending RA messages. min-interval-value intervals between the maximum interval
and the minimum interval.
The minimum interval should be less than
or equal to 0.75 times the maximum
interval.
To configure parameters related to RA messages:

Optional.
2. Configure the hop limit. ipv6 nd hop-limit value
64 by default.
interface-number
Optional.
By default, no prefix information is
ipv6 nd ra prefix { ipv6-prefix configured for RA messages, and the
4. Configure the prefix prefix-length | IPv6 address of the interface sending RA
information in RA ipv6-prefix/prefix-length } messages is used as the prefix
messages. valid-lifetime preferred-lifetime information with valid lifetime 2592000
[ no-autoconfig | off-link ] * seconds (that is, 30 days) and preferred
lifetime 604800 seconds (that is, 7
days).
Optional.
5. Turn off the MTU option in
ipv6 nd ra no-advlinkmtu By default, RA messages contain the
RA messages.
MTU option.
Optional.
ipv6 nd autoconfig By default, the M flag bit is set to 0 and
6. Set the M flag bit to 1.
managed-address-flag hosts acquire IPv6 addresses through
stateless autoconfiguration.
Optional.
By default, the O flag bit is set to 0 and
7. Set the O flag bit to 1. ipv6 nd autoconfig other-flag hosts acquire other configuration
information through stateless
autoconfiguration.
132
8. Configure the router Optional
ipv6 nd ra router-lifetime value
lifetime in RA messages. 1800 seconds by default.
Optional.
By default, the local interface sends NS
messages at 1000 millisecond intervals,
9. Set the NS retransmission and the value of the Retrans Timer field
ipv6 nd ns retrans-timer value
timer. in RA messages sent by the local
interface is 0. The interval for
retransmitting an NS message is
determined by the receiving device.
Optional.
By default, the neighbor reachable time
on the local interface is 30000
ipv6 nd nud reachable-time milliseconds, and the value of the
10. Set the reachable time.
value Reachable Time field in the RA messages
sent by the local interface is 0. The
neighbor reachable time is determined
by the receiving device.
NOTE:
• The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA
messages, so that the router can be updated through an RA message before expiration.
• The values of the NS retransmission timer and the reachable time configured for an interface are sent to
hosts via RA messages. Furthermore, this interface sends NS messages at the interval of the NS
retransmission timer and considers a neighbor reachable within the reachable time.
Configuring the maximum number of attempts to send an NS

message for DAD
An interface sends an NS message for DAD after acquiring an IPv6 address. If the interface does not
receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it
continues to send an NS message. If it still does not receive a response after the number of attempts
reaches the threshold (specified with the ipv6 nd dad attempts command), the acquired address is
considered usable.
To configure the attempts to send an NS message for DAD:

interface-number
Optional.
3. Configure the number of
attempts to send an NS ipv6 nd dad attempts value 1 by default. When the value
message for DAD. argument is set to 0, DAD is
disabled.
133
Configuring PMTU discovery
Configuring the interface MTU
IPv6 routers do not support packet fragmentation. After an IPv6 router receives an IPv6 packet, if the
packet size is greater than the MTU of the forwarding interface, the router will discard the packet.
Meanwhile, the router sends the MTU to the source host through an ICMPv6 packet — Packet Too Big
message. The source host fragments the packet according to the MTU and resends it. To reduce the extra
flow overhead resulting from packets being discarded, a proper interface MTU should be configured
according to the actual networking environment.
To configure the interface MTU:

interface-number
3. Configure the interface MTU. ipv6 mtu mtu-size 1500 bytes by default
Configuring a static PMTU for a specified IPv6 address

You can configure a static PMTU for a specified destination IPv6 address. When a source host sends a
packet through an interface, it compares the interface MTU with the static PMTU of the specified
destination IPv6 address. If the packet size is larger than the smaller one between the two values, the host
fragments the packet according to the smaller value.
To configure a static PMTU for a specified IPv6 address:

ipv6 pathmtu [ vpn-instance

2. Configure a static PMTU for a By default, no static PMTU is
vpn-instance-name ] ipv6-address
specified IPv6 address. configured.
[ value ]
Configuring the aging time for dynamic PMTUs

After the path MTU from a source host to a destination host is dynamically determined (see “IPv6 PMTU
discovery”), the source host sends subsequent packets to the destination host based on this MTU. After
the aging time expires, the dynamic PMTU is removed and the source host re-determines a dynamic path
MTU through the PMTU mechanism.
The aging time is invalid for a static PMTU.
To configure the aging time for dynamic PMTUs:

134
2. Configure the aging time for Optional
ipv6 pathmtu age age-time
dynamic PMTUs. 10 minutes by default
Configuring IPv6 TCP properties

You can configure the following IPv6 TCP properties.
• synwait timer—When a SYN packet is sent, the synwait timer is triggered. If no response packet is
received before the synwait timer expires, the IPv6 TCP connection establishment fails.
• finwait timer—When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered.
If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated. If a
FIN packet is received, the IPv6 TCP connection status becomes TIME_WAIT. If non-FIN packets are
received, the finwait timer is reset upon receipt of the last non-FIN packet and the connection is
terminated after the finwait timer expires.
• Size of the IPv6 TCP sending/receiving buffer.
To configure IPv6 TCP properties:

tcp ipv6 timer syn-timeout Optional

2. Set the synwait timer.
wait-time 75 seconds by default
Optional
3. Set the finwait timer. tcp ipv6 timer fin-timeout wait-time
4. Set the size of the IPv6 TCP Optional

tcp ipv6 window size
sending/receiving buffer. 8 KB by default
Configuring IPv6 FIB load sharing

In the IPv6 FIB load sharing mode, the router can decide how to select equal cost multi-paths (ECMP) to
forward packets. The router supports the following load sharing modes.
• Load sharing based on the HASH algorithm—A certain algorithm based on the source IPv6
address and destination IPv6 address is adopted to select an ECMP route to forward packets.
• Load sharing based on polling—Each ECMP route is used in turn to forward packets.
To configure the IPv6 FIB load sharing:

135
Configure the load sharing based on
the hash algorithm: Optional.
ipv6 fib-loadbalance-type hash-based By default, the load sharing based
2. Configure the IPv6 FIB
load sharing mode. Configure the load sharing based on on polling is adopted and each
polling: ECMP route is used in turn to
undo ipv6 fib-loadbalance-type forward packets.
hash-based
Configuring ICMPv6 packet sending

Configuring the maximum ICMPv6 error packets sent in an
interval
If too many ICMPv6 error packets are sent within a short time in a network, network congestion may
occur. To avoid network congestion, you can control the maximum number of ICMPv6 error packets sent
within a specified time by adopting the token bucket algorithm.
You can set the capacity of a token bucket to determine the number of tokens in the bucket. In addition,
you can set the update interval of the token bucket, that is, the interval for restoring the configured
capacity. One token allows one ICMPv6 error packet to be sent. Each time an ICMPv6 error packet is
sent, the number of tokens in a token bucket decreases by one. If the number of ICMPv6 error packets
successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot
be sent out until the capacity of the token bucket is restored.
To configure the capacity and update interval of the token bucket:

Optional.
By default, the capacity of a token
bucket is 10 and the update interval is
2. Configure the capacity 100 milliseconds. At most 10 ICMPv6
ipv6 icmp-error { bucket
and update interval of the error packets can be sent within 100
bucket-size | ratelimit interval } *
token bucket. milliseconds.
The update interval “0” indicates that
the number of ICMPv6 error packets
sent is not restricted.
Enabling replying to multicast echo requests

If hosts are configured to answer multicast echo requests, an attacker may use this mechanism to attack
a host. For example, if Host A (an attacker) sends an echo request with the source being Host B to a
multicast address, all the hosts in the multicast group will send echo replies to Host B. To prevent such an
attack, disable a router from answering multicast echo requests by default. In some application scenarios,
however, you need to enable the router to answer multicast echo requests.
To enable replying to multicast echo requests:
136
2. Enable replying to multicast ipv6 icmpv6 multicast-echo-reply

Disabled by default
echo requests. enable
Enabling sending of ICMPv6 time exceeded messages

A router sends out an ICMPv6 Time Exceeded message in the following cases:
• If a received IPv6 packet’s destination IP address is not a local address and its hop limit is 1, the
router sends an ICMPv6 Hop Limit Exceeded message to the source.
• Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the
local address, the router starts a timer. If the timer expires before all the fragments arrive, an
ICMPv6 Fragment Reassembly Timeout message is sent to the source.
If large amounts of malicious packets are received, the performance of a router degrades greatly
because it has to send back ICMP Time Exceeded messages. You can disable sending of ICMPv6 Time
Exceeded messages.
To enable sending of ICMPv6 time exceeded messages:

2. Enable sending of ICMPv6 Optional

ipv6 hoplimit-expires enable
time exceeded messages. Enabled by default
Enabling sending of ICMPv6 destination unreachable

messages
If the router fails to forward a received IPv6 packet due to one of the following reasons, it drops the
packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.
• If no route is available for forwarding the packet, the router sends a "no route to destination"
ICMPv6 error message to the source.
• If the router fails to forward the packet due to administrative prohibition (such as a packet-filter
firewall or an ACL), the router sends the source a "destination network administratively prohibited"
ICMPv6 error message.
• If the router fails to deliver the packet because the destination is beyond the scope of the source IPv6
address (for example, the source IPv6 address of the packet is a link-local address whereas the
destination IPv6 address of the packet is a global unicast address), the router sends the source a
"beyond scope of source address" ICMPv6 error message.
• If the router fails to resolve the corresponding link layer address of the destination IPv6 address, the
router sends the source an "address unreachable" ICMPv6 error message.
• If the packet with the destination being local and transport layer protocol being UDP and the
packet’s destination port number does not match the running process, the router sends the source
a "port unreachable" ICMPv6 error message.
137
If an attacker sends abnormal traffic that causes the router to generate ICMPv6 destination unreachable
messages, end users may be affected. To prevent such attacks, you can disable the router from sending
ICMPv6 destination unreachable messages.
To enable sending of ICMPv6 destination unreachable messages:

2. Enable sending of ICMPv6 destination
ipv6 unreachables enable Disabled by default
unreachable messages.
Displaying and maintaining IPv6 basics

configuration
display ipv6 fib [ vpn-instance vpn-instance-name ]
Display the IPv6 FIB entries. [ acl6 acl6-number | ipv6-prefix ipv6-prefix-name ] Available in any view
[ | { begin | exclude | include } regular-expression ]
Display the IPv6 FIB entry of display ipv6 fib [ vpn-instance vpn-instance-name ]
a specified destination IPv6 ipv6-address [ prefix-length ] [ | { begin | exclude | Available in any view
address. include } regular-expression ]
display ipv6 interface [ interface-type

Display the IPv6 information
[ interface-number ] ] [ verbose ] [ | { begin | exclude Available in any view
of the interface.
| include } regular-expression ]
display ipv6 neighbors { { ipv6-address | all |

dynamic | static } [ slot slot-number ] | interface
Display neighbor
interface-type interface-number | vlan vlan-id } Available in any view
information.
[ verbose ] [ | { begin | exclude | include }
display ipv6 neighbors { { all | dynamic | static }

Display the total number of
[ slot slot-number ] | interface interface-type
neighbor entries satisfying Available in any view
interface-number | vlan vlan-id } count [ | { begin |
the specified conditions.
Display the neighbor display ipv6 neighbors vpn-instance

information of a specified vpn-instance-name [ count ] [ | { begin | exclude | Available in any view
VPN. include } regular-expression ]
display ipv6 pathmtu [ vpn-instance

Display the IPv6 PMTU vpn-instance-name ] { ipv6-address | all | dynamic |
information. static } [ | { begin | exclude | include }
display ipv6 socket [ socktype socket-type ] [ task-id

Display socket information. socket-id ] [ slot slot-number ] [ | { begin | exclude | Available in any view
Display the statistics of IPv6

display ipv6 statistics [ slot slot-number ] [ | { begin |
packets and ICMPv6 Available in any view
packets.
138
Display the IPv6 TCP display tcp ipv6 statistics [ | { begin | exclude |
connection statistics. include } regular-expression ]
Display the IPv6 TCP

display tcp ipv6 status [ | { begin | exclude |
connection status Available in any view
information.
Display the IPv6 UDP display udp ipv6 statistics [ | { begin | exclude |
connection statistics. include } regular-expression ]
reset ipv6 neighbors { all | dynamic | interface

Clear IPv6 neighbor
interface-type interface-number | slot slot-number | Available in user view
information.
static }
Clear the PMTU values. reset ipv6 pathmtu { all | static | dynamic} Available in user view
Clear the statistics of IPv6

reset ipv6 statistics [ slot slot-number ] Available in user view
and ICMPv6 packets.
Clear all IPv6 TCP

reset tcp ipv6 statistics Available in user view
connection statistics.
Clear the statistics of all IPv6

reset udp ipv6 statistics Available in user view
UDP packets.
IPv6 basics configuration example

• As shown in Figure 57, IPv6 addresses for the interfaces and verify that they are connected.
• The global unicast address of GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2 on Router A are
3001::1/64 and 2001::1/64 respectively.
• The global unicast address of GigabitEthernet 2/1/1 on Router B is 3001::2/64, and a route to
Host is available.
• Host is enabled with IPv6 to automatically get an IPv6 address through IPv6 ND, and has a route
to Router B.
1. Configure Router A:
# Enable IPv6.
[RouterA] ipv6
# Assign a global unicast address for interface GigabitEthernet 2/1/1.
[RouterA-GigabitEthernet2/1/1] ipv6 address 3001::1/64
139
# Assign a global unicast addresses for interface GigabitEthernet 2/1/2 and allow it to advertise
RA messages (no interface advertises RA messages by default).
[RouterA-GigabitEthernet2/1/2] ipv6 address 2001::1/64
[RouterA-GigabitEthernet2/1/2] undo ipv6 nd ra halt
2. Configure Router B:
# Enable IPv6.
[RouterB] ipv6
# Assign a global unicast address for interface GigabitEthernet 2/1/1.
[RouterB-GigabitEthernet2/1/1] ipv6 address 3001::2/64
# Configure an IPv6 static route with destination IP address 2001::/64 and next hop address
3001::1.
[RouterB] ipv6 route-static 2001:: 64 3001::1
3. Configure Host:
Enable IPv6 for Host to automatically get an IPv6 address automatically through IPv6 ND.
[RouterA] display ipv6 neighbors interface GigabitEthernet 2/1/2
Type: S-Static D-Dynamic
IPv6 Address Link-layer VID Interface State T Age
FE80::215:E9FF:FEA6:7D14 0015-e9a6-7d14 N/A GE2/1/2 STALE D 1238
2001::15B:E0FA:3524:E791 0015-e9a6-7d14 N/A GE2/1/2 STALE D 1248
The output shows that the IPv6 global unicast address that Host obtained is
2001::15B:E0EA:3524:E791.

# Display the IPv6 interface information on Router A. All the IPv6 global unicast addresses configured on
the interface are displayed.
[RouterA] display ipv6 interface GigabitEthernet 2/1/1 verbose
GigabitEthernet2/1/1 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:2
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:0
FF02::1:FF00:1
FF02::1:FF00:2
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
140
InReceives: 25829
InTooShorts: 0
InTruncatedPkts: 0
InHopLimitExceeds: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 47
OutRequests: 89
OutForwDatagrams: 48
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 6
InMcastNotMembers: 25747
OutMcastPkts: 48
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
[RouterA] display ipv6 interface GigabitEthernet 2/1/2 verbose

IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
2001::1, subnet is 2001::/64
FF02::1:FF00:0
FF02::1:FF00:1
FF02::1:FF00:1C0
FF02::2
FF02::1
MTU is 1500 bytes
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 600 seconds
ND router advertisements live for 1800 seconds
141
InReceives: 272
InTooShorts: 0
InTruncatedPkts: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 159
OutRequests: 1012
OutForwDatagrams: 35
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 79
OutMcastPkts: 938
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Display the IPv6 interface settings on Router B. All the IPv6 global unicast addresses configured on the
interface are displayed.
[RouterB] display ipv6 interface GigabitEthernet 2/1/1 verbose
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234
3001::2, subnet is 3001::/64
FF02::1:FF00:0
FF02::1:FF00:2
FF02::1:FF00:1234
FF02::2
FF02::1
MTU is 1500 bytes
InReceives: 117
InTooShorts: 0
142
InTruncatedPkts: 0
InBadHeaders: 0
InBadOptions: 0
ReasmReqds: 0
ReasmOKs: 0
InFragDrops: 0
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 117
OutRequests: 83
OutForwDatagrams: 0
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 28
OutMcastPkts: 7
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Ping Router A and Router B from Host, and ping Router A and Host from Router B to verify that they are
connected.
CAUTION:
When you ping a link-local address, you should use the “–i” parameter to specify an interface for the
link-local address.
[RouterB] ping ipv6 -c 1 3001::1

PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 2 ms
--- 3001::1 ping statistics ---

0.00% packet loss
[RouterB] ping ipv6 -c 1 2001::15B:E0EA:3524:E791
PING 2001::15B:E0EA:3524:E791 : 56 data bytes, press CTRL_C to break
Reply from 2001::15B:E0EA:3524:E791
--- 2001::15B:E0EA:3524:E791 ping statistics ---

0.00% packet loss
143
As shown in the output information, Host can ping Router B and Router A.
Troubleshooting IPv6 basics configuration

Symptom
The peer IPv6 address cannot be pinged.
Solution
• Use the display current-configuration command in any view or the display this command in system
view to verify that IPv6 is enabled.
• Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface
is correct and the interface is up.
144
Configuring DHCPv6
DHCPv6 configuration overview

The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) was designed based on IPv6 addressing
scheme and is used for assigning IPv6 addresses and other configuration parameters to hosts.
Compared with other IPv6 address allocation methods (such as manual configuration and stateless
address autoconfiguration), DHCPv6 can:
• Record addresses assigned to hosts and assign addresses to specific hosts, thus facilitating network
management.
• Assign configuration parameters to hosts, such as the DNS server address or domain name.
Basic concepts
Multicast address of all DHCPv6 servers and relay agents
The multicast address FF02::1:2 identifies all DHCPv6 servers and relay agents on the local link.
DUID
A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 client, relay agent, or server, and is used
for authentication between DHCPv6 devices.
A DUID based on link-layer address (DUID-LL) defined in RFC 3315 is used to identify a DHCPv6 device.
The DUID-LL format is shown in Figure 58, where:
• DUID type—The value 0x0003 indicates that the DUID type is DUID-LL.
• Hardware type—The router supports Ethernet as the hardware type with the value of 0x0001.
• Link layer address—Its value is the bridge MAC address of the router.
Figure 58 Format of DUID-LL
145
Typical DHCPv6 network application
A DHCPv6 client uses a multicast address to contact the DHCPv6 server on the local link to obtain an
IPv6 address and other configuration parameters. As shown in Figure 59, if the DHCPv6 server resides
on another subnet, the DHCPv6 client can contact the server via a DHCPv6 relay agent. Thus, you do not
need to deploy a DHCPv6 server on each subnet.
CAUTION:
The router can only serve as the DHCPv6 relay agent.
DHCPv6 relay agent operation

A DHCPv6 relay agent and DHCPv6 server exchange two types of messages, Relay-forward and
Relay-reply.
Figure 60 Operating process of a DHCPv6 relay agent
DHCPv6 client DHCPv6 relay agent DHCPv6 server
(1) DHCPv6 message from client
(2) Relay-forward
(3) Relay-reply
(4) DHCPv6 message to client
As shown in Figure 60, the DHCPv6 relay agent works as follows:

1. The DHCPv6 client sends a request to the multicast address FF02::1:2 of all the DHCPv6 servers
and relay agents.
2. After receiving the request, the DHCPv6 relay agent encapsulates the request into the Relay
Message Option of a Relay-forward message, and sends the message to the DHCPv6 server.
146
3. After obtaining the request from the Relay-forward message, the DHCPv6 server selects an IPv6
address and other required parameters and adds them into a reply which is encapsulated into the
Relay Message Option of a Relay-reply message. The DHCPv6 server then sends the Relay-reply
message to the DHCPv6 relay agent.
4. The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the
DHCPv6 client.
The DHCPv6 client uses the IPv6 address and other network parameters assigned by the DHCPv6 server
to perform network configuration.

• RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
• RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
Configuring the DHCPv6 relay agent

Upon receiving a request from a DHCPv6 client, the interface that operates as a DHCPv6 relay agent
encapsulates the request into a Relay-forward message and forwards the message to the specified
DHCPv6 server, which then assigns an IPv6 address and other configuration parameters to the DHCPv6
client.
Before you configure DHCPv6 relay agent, enable IPv6 by using the ipv6 command in system view. For
more information about the ipv6 command, see the chapter “IPv6 basics configuration.”
To configure the DHCPv6 relay agent:

interface-number
3. Enable DHCPv6 relay ipv6 dhcp relay server-address By default, DHCPv6 relay agent is
agent on the interface and ipv6-address [ interface interface-type disabled and no DHCPv6 server is
specify a DHCPv6 server. interface-number ] specified on the interface.
147
NOTE:
• Executing the ipv6 dhcp relay server-address command repeatedly can specify multiple DHCPv6
servers, and up to eight DHCP servers can be specified for an interface. After receiving requests from
DHCPv6 clients, the DHCPv6 relay agent forwards the requests to all the specified DHCPv6 servers.
• If the DHCPv6 server address is a link-local address or link-scoped multicast address on the local link,
you must specify an outgoing interface using the interface keyword in the ipv6 dhcp relay
server-address command; otherwise, DHCPv6 packets may fail to be forwarded to the DHCPv6 server.
• Removing all the specified DHCPv6 server addresses from an interface with the undo ipv6 dhcp relay
server-address command disables DHCPv6 relay agent on the interface.
Displaying and maintaining the DHCPv6 relay

agent
display ipv6 dhcp duid [ | { begin | exclude |
Display the DUID of the local router. Available in any view
display ipv6 dhcp relay server-address { all |

Display DHCPv6 server addresses
interface interface-type interface-number } [ |
specified on the DHCPv6 relay Available in any view
agent.
Display packet statistics on the display ipv6 dhcp relay statistics [ | { begin |
DHCPv6 relay agent. exclude | include } regular-expression ]
Clear packets statistics on the

reset ipv6 dhcp relay statistics Available in user view
DHCPv6 relay agent.
DHCPv6 relay agent configuration example

As shown in Figure 61, the network address prefix of DHCPv6 clients is 1::/64, and the IPv6 address of
the DHCPv6 server is 2::2/64. The DHCPv6 client and server must communicate via a DHCPv6 relay
agent (Router A).
Router A acts as the gateway of network 1::/64. It sends RA messages to notify the hosts to obtain IPv6
addresses and other configuration parameters through DHCPv6. For more information about RA
messages, see the chapter “IPv6 basics configuration.”
148
1. Configure Router A as a DHCPv6 relay agent:
# Enable IPv6.
[RouterA] ipv6
# Configure the IPv6 addresses of GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2
respectively.
[RouterA-GigabitEthernet3/1/2] ipv6 address 2::1 64
# Enable DHCPv6 relay agent and specify the DHCPv6 server address on interface
GigabitEthernet 3/1/1.
[RouterA-GigabitEthernet3/1/1] ipv6 dhcp relay server-address 2::2
2. Configure Router A as a gateway:
# Enable Router A to send RA messages and set the “M” and “O” flags.
[RouterA-GigabitEthernet3/1/1] undo ipv6 nd ra halt
[RouterA-GigabitEthernet3/1/1] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet3/1/1] ipv6 nd autoconfig other-flag
3. Verify the configuration:
# After completing the above configurations, display DHCPv6 server address information on
Router A.
<RouterA> display ipv6 dhcp relay server-address all
Interface: GE3/1/1
Server address(es) Output Interface
2::2
# Display packet statistics on the DHCPv6 relay agent.
<RouterA> display ipv6 dhcp relay statistics
Packets dropped : 0
Error : 0
Excess of rate limit : 0
Packets received : 14
149
SOLICIT : 0
REQUEST : 0
CONFIRM : 0
RENEW : 0
REBIND : 0
RELEASE : 0
DECLINE : 0
INFORMATION-REQUEST : 7
RELAY-FORWARD : 0
RELAY-REPLY : 7
Packets sent : 14
ADVERTISE : 0
RECONFIGURE : 0
REPLY : 7
RELAY-FORWARD : 7
RELAY-REPLY : 0
150
Configuring IPv6 DNS
Introduction to IPv6 DNS

IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like
IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The
functions and implementations of the two types of domain name resolution are the same as those of IPv4
DNS. For more information, see the chapter “IPv4 DNS configuration.”
Configuring the IPv6 DNS client

Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and
IPv6 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by
using host names instead of IPv6 addresses.
To configure static domain name resolution:

2. Configure a mapping between a
host name and an IPv6 address. ipv6 host hostname ipv6-address Not configured by default
NOTE:
• A host name can be mapped to one IPv6 address only. If you map a host name to different IPv6
addresses, the last configuration takes effect.
• You can configure up to 50 mappings between domain name and IPv6 address on the router.
Configuring dynamic domain name resolution

To send DNS queries to a correct server for resolution, dynamic domain name resolution needs to be
enabled and a DNS server needs to be configured.
In addition, you can configure a DNS suffix that the system will automatically add to the provided
domain name for resolution.
To configure dynamic domain name resolution:

2. Enable dynamic
domain name dns resolve Disabled by default.
resolution.
151
dns server ipv6 ipv6-address If the IPv6 address of a DNS server is a

3. Specify a DNS server. link-local address, you need to specify
[ interface-type interface-number ]
the interface-type and
interface-number arguments.
4. Configure a DNS Not configured by default, that is, only
suffix. dns domain domain-name
the provided domain name is resolved.
NOTE:
• For more information about the dns resolve and dns domain commands, see Layer 3—IP Services
Command Reference.
• You can configure up to six DNS servers, including those with IPv4 addresses.
• You can specify up to ten DNS suffixes.
Displaying and maintaining IPv6 DNS

Display the static IPv6 domain name display ipv6 host [ | { begin | exclude
resolution table. | include } regular-expression ]
display dns ipv6 server [ dynamic ] [ |

Display IPv6 DNS server information. { begin | exclude | include } Available in any view
display dns domain [ dynamic ] [ |

Display DNS suffixes. { begin | exclude | include } Available in any view
NOTE:
For more information about the display dns domain, display dns host ipv6, and reset dns host ipv6
commands, see Layer 3—IP Services Command Reference.
IPv6 DNS configuration examples

Static domain name resolution configuration example
As shown in Figure 62, static domain name resolution is configured on the device, so the device can use
the domain name host.com to access the host whose IPv6 address is 1::2.
152
# Configure a mapping between host name host.com and IPv6 address 1::2.
[Device] ipv6 host host.com 1::2
# Enable IPv6 packet forwarding.

[Device] ipv6
# Use the ping ipv6 host.com command to verify that the device can use static domain name resolution
to resolve domain name host.com into IPv6 address 1::2.
[Device] ping ipv6 host.com
PING host.com (1::2):
Reply from 1::2
Reply from 1::2
Reply from 1::2
Reply from 1::2
Reply from 1::2
0.00% packet loss
Dynamic domain name resolution configuration example

As shown in Figure 63, the IPv6 address of the DNS server is 2::2/64 and the name suffix is com. The
mapping between domain name host and IPv6 address 1::1/64 is stored in the com domain.
Dynamic domain name resolution and the domain name suffix are configured on the device that serves
as a DNS client, and thus the device can use domain name host to access the host with the domain name
host.com and the IPv6 address 1::1/64.
153
NOTE:
• Before performing the following configuration, make sure that the device and the host are accessible to
each another via available routes, and the IPv6 addresses of the interfaces are configured as
shown Figure 63.
• This configuration may vary with different DNS servers. The following configuration is performed on a
PC running Windows Server 2003. Make sure that the DNS server supports the IPv6 DNS function so
that the server can process IPv6 DNS packets, and the interfaces of the DNS server can forward IPv6
packets.
1. Configure the DNS server:

# Enter the DNS server configuration page.
Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
As shown in Figure 64, right click Forward Lookup Zones, select New Zone, and then follow the
instructions to create a new zone named com.
Figure 64 Creating a zone
# Create a mapping between the host name and the IPv6 address.
As shown in Figure 65, right click zone com.
154
Figure 65 Creating a record
In Figure 65, select Other New Records to bring up a dialog box as shown in Figure 66. Select
IPv6 Host (AAA) as the resource record type.
155
Figure 66 Selecting the resource record type
As shown in Figure 67, type host name host and IPv6 address 1::1, and then click OK.
156
Figure 67 Adding a mapping between domain name and IPv6 address

# Enable dynamic domain name resolution.
[Device] dns resolve
# Specify the DNS server 2::2.
[Device] dns server ipv6 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
# Use the ping ipv6 host command on the device to verify that the communication between the
device and the host is normal and that the corresponding destination IP address is 1::1.
[Device] ping ipv6 host
Trying DNS server (2::2)
PING host.com (1::1):
Reply from 1::1
Reply from 1::1
Reply from 1::1
157
Reply from 1::1
Reply from 1::1

0.00% packet loss
158
Configuring NAT-PT
NOTE:
SPE cards in this document refer to cards prefixed with SPE such as SPE-1020-E-II.
Only the cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, and SPE-1020-E-II support NAT service
interface configuration.
NAT-PT overview
Application scenario
Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation – Protocol
Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For
example, it can enable a host in an IPv6 network to access the FTP server in an IPv4 network.
As shown in Figure 68, NAT-PT runs on the router between IPv4 and IPv6 networks. The address
translation is transparent to both IPv4 and IPv6 networks. Users in the IPv6 and IPv4 networks can
communicate without changing their configurations.
Basic concepts
NAT-PT mechanism
There are three NAT-PT mechanisms to realize translation between IPv4 and IPv6 addresses: static
mapping, dynamic mapping, and NAPT-PT.
1. Static mapping
Static mappings are manually configured for translation between IPv6 and IPv4 addresses.
2. Dynamic mapping
159
Dynamic mappings are dynamically generated for translation between IPv6 and IPv4 addresses.
Different from static mappings, dynamic mappings are not fixed one-to-one mappings between
IPv6 and IPv4 addresses.
3. NAPT-PT
Network Address Port Translation – Protocol Translation (NAPT-PT) realizes the TCP/UDP port
number translation besides static or dynamic address translation. With NAPT-PT, different IPv6
addresses can correspond to one IPv4 address. Different IPv6 hosts are distinguished by different
port numbers so that these IPv6 hosts can share one IPv4 address to accomplish the address
translation and save IPv4 addresses.
NAT-PT prefix
The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:
• Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT router detects the prefix of
the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix,
the router will translate source and destination IPv6 addresses of the packet into IPv4 addresses.
• After a packet from an IPv4 host to an IPv6 host is translated through NAT-PT, the prefix of the
translated source IPv6 address is the configured NAT-PT prefix.
Implementing NAT-PT
Session initiated by an IPv6 host
Figure 69 NAT-PT implementation (session initiated by an IPv6 host)
NAT-PT works as follows:

1. Determines whether to perform NAT-PT or not
Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT router detects the prefix of
the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix,
the router considers that the packet needs to be forwarded to the IPv4 network and NAT-PT needs
to be performed.
2. Translates the source IP address
The NAT-PT router translates the source IPv6 address of the packet into an IPv4 address according
to the static or dynamic mapping on the IPv6 side.
3. Translates the destination IP address
The NAT-PT router translates the destination IPv6 address of the packet into an IPv4 address
according to the static mapping, if configured, on the IPv4 network side. Without any static
mapping configured on the IPv4 network side, if the lowest 32 bits of the destination IPv6 address
in the packet can be directly translated into a valid IPv4 address, the destination IPv6 address is
translated into that IPv4 address. Otherwise, the translation fails.
160
4. Forwards the packet and stores the mappings
After the source and destination IPv6 addresses of the packet are translated into IPv4 addresses,
the NAT-PT router forwards the packet to the IPv4 host. Meanwhile, the IPv4/IPv6 address
mappings are stored in the NAT-PT router.
5. Forwards the reply packet according to the stored mappings
Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT router swaps the
source and destination IPv4 addresses according to the stored mappings and forwards the packet
to the IPv6 host.
Session initiated by an IPv4 host

The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:
1. Determines whether to perform NAT-PT or not
Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT router checks the
destination IPv4 address in the packet against the static mappings configured on the IPv6 network
side. If a match is found, the router considers that the packet needs to be forwarded to the IPv6
network and NAT-PT needs to be performed.
2. Translates the source IP address
The NAT-PT router translates the source IPv4 address of the packet into an IPv6 address according
to the static or dynamic mapping on the IPv4 side. If no mapping is configured on the IPv4 side,
the source IPv4 address with the first configured NAT-PT prefix is used as the translated source IPv6
address.
3. Translates the destination IP address
The NAT-PT router translates the destination IPv4 address of the packet into an IPv6 address
according to the static mapping on the IPv6 side.
4. Forwards the packet and stores the mappings
After the source and destination IPv4 addresses of the packet are translated into IPv6 addresses,
the NAT-PT router forwards the packet to the IPv6 host. Meanwhile, the IPv4/IPv6 address
mappings are stored in the NAT-PT router.
5. Forwards the reply packet according to the stored mappings
Upon receiving a reply packet from the IPv6 host to the IPv4 host, the NAT-PT router swaps the
source and destination IPv6 addresses according to the stored mappings and forwards the packet
to the IPv4 host.
NAT-PT limitations
NAT-PT has the following limitations:
• In NAT-PT translation, the request and response packets of a session must be processed by the same
NAT-PT router.
• The Options field in the IPv4 packet header cannot be translated.
• NAT-PT does not provide end-to-end security.
Therefore, NAT-PT is not recommended in some applications. For example, tunneling is recommended in
the case where an IPv6 host needs to communicate with another IPv6 host across an IPv4 network. For
more information about tunneling, see the chapter “Configuring tunneling.”
161
Currently, NAT-PT supports Internet Control Message Protocol (ICMP), Domain Name System (DNS), File
Transfer Protocol (FTP), and other protocols that employ the network layer protocol but have no address
information in the protocol messages.

• RFC 2765, Stateless IP/ICMP Translation Algorithm
• RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)
NAT-PT configuration task list

Complete the following tasks to configure NAT-PT to allow active access from an IPv6 host to an IPv4 host:
Task Remarks
Enabling NAT-PT Required
Configuring a NAT-PT prefix Required
Configuring IPv4/IPv6 address mappings on the IPv6

Required
side
Optional
Configuring a static IPv4/IPv6 address mapping on If no static IPv4/IPv6 address mapping is configured,
the IPv4 side the lowest 32 bits of the destination IPv6 address is
used as the translated destination IPv4 address.
Setting the ToS field after NAT-PT translation Optional
Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Task Remarks
Enabling NAT-PT Required
Configuring a NAT-PT prefix Required
Optional
If no IPv4/IPv6 address mapping is configured,
Configuring IPv4/IPv6 address mappings on the IPv4 side the source IPv4 address added with the first
configured NAT-PT prefix is used as the
translated source IPv6 address.
Configuring a static mapping on the IPv6 side Required

Configuring static NAPT-PT mappings of IPv6 servers Complete either task.
Setting the traffic class field after NAT-PT translation Optional
Configuring NAT-PT
Before implementing NAT-PT, complete the following tasks:
• Enable IPv6 on the router. For more information, see the chapter “IPv6 basics configuration.“
162
• Configure an IPv4 or IPv6 address as required on the interface to be enabled with NAT-PT.
Enabling NAT-PT
After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the router can
implement translation between IPv4 and IPv6 addresses.
To enable NAT-PT:


3. Enable NAT-PT on the
natpt enable Disabled by default
interface.
Configuring a NAT-PT prefix

To configure a NAT-PT prefix:
Step Command
3. Configure a NAT-PT prefix. natpt prefix natpt-prefix
CAUTION:
• The NAT-PT prefix must be different from the IPv6 address prefix of a local interface. Otherwise,
incoming packets matching the prefix will get lost due to NAT-PT translation.
• To delete a NAT-PT prefix that has been referenced by using the natpt v4bound dynamic or natpt
v6bound dynamic command, you must cancel the referenced configuration first.
Configuring IPv4/IPv6 address mappings on the IPv6 side

IPv4/IPv6 address mappings on the IPv6 side can be static or dynamic.
Configuring a static mapping on the IPv6 side

A static mapping on the IPv6 side shows the one-to-one correspondence between an IPv4 address and
an IPv6 address.
• If the source IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches the static
mapping, the source IPv6 address is translated into the corresponding IPv4 address.
• If the destination IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches the static
mapping, the destination IPv4 address is translated into the corresponding IPv6 address.
To configure a static IPv4/IPv6 address mapping on the IPv6 side:
Step Command
163
Step Command
3. Configure a static IPv4/IPv6 address mapping on
natpt v6bound static ipv6-address ipv4-address
the IPv6 side.
Configuring a dynamic IPv4/IPv6 mapping policy on the IPv6 side

A dynamic IPv4/IPv6 mapping policy on the IPv6 side means that if the source IPv6 address matches a
specified IPv6 ACL or the destination IPv6 address is the same as the specified NAT-PT prefix, the source
IPv6 address will be translated into an IPv4 address in a specified NAT-PT address pool or the IPv4
address of a specified interface.
The router provides four types of dynamic mapping policies.
• Policy 1—Associate an IPv6 ACL with an address pool.
If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address will
be translated into an IPv4 address in the specified address pool.
• Policy 2—Associate an IPv6 ACL with an interface address.
If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address will
be translated into the IPv4 address of the specified interface.
• Policy 3—Associate a NAT-PT prefix with an address pool.
If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will
be translated into an IPv4 address in the specified address pool.
• Policy 4—Associate a NAT-PT prefix with an interface address.
If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will be
translated into the IPv4 address of the specified interface.
To use policy 1 or 3, you must configure a NAT-PT address pool first.
A NAT-PT address pool is a group of contiguous IPv4 addresses and is used to translate an IPv6 address
into an IPv4 address dynamically. When an IPv6 packet is sent from an IPv6 network to an IPv4 network,
if policy 1 or 3 is set, the NAT-PT device will select an IPv4 address from the NAT-PT address pool as the
source IPv4 address of the IPv6 packet.
To configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side:

Required for the first type and third

type in which the source IPv6
address is translated into an IPv4
2. Configure a NAT-PT natpt address-group group-number address in the specified address
address pool. start-ipv4-address end-ipv4-address pool.
This configuration is not needed in
the second type and fourth type.
3. Enter the NAT service
interface view.
164
Configure any of the four types of

dynamic mappings.
• If the source IPv6 address of an
• Associate an IPv6 ACL with an IPv6 packet matches the
address pool: specified IPv6 ACL, the source
natpt v6bound dynamic acl6 number IPv6 address will be translated
acl-number address-group into an IPv4 address of the
address-group [ no-pat ] specified address pool.
• Associate an IPv6 ACL with an • If the source IPv6 address of an
interface address: IPv6 packet matches the
natpt v6bound dynamic acl6 number specified IPv6 ACL, the source
4. Configure a dynamic acl-number interface interface-type IPv6 address will be translated
IPv4/IPv6 address interface-number into the IPv4 address of the
mapping policy on the • Associate a NAT-PT prefix with an specified interface.
IPv6 side. address pool: • If the destination IPv6 address
natpt v6bound dynamic prefix of an IPv6 packet matches the
natpt-prefix address-group specified NAT-PT prefix, the
address-group [ no-pat ] source IPv6 address will be
• Associate a NAT-PT prefix with an translated into an IPv4 address
interface address: of the specified address pool.
natpt v6bound dynamic prefix • If the destination IPv6 address
natpt-prefix interface interface-type of an IPv6 packet matches the
interface-number specified NAT-PT prefix, the
source IPv6 address will be
translated into the IPv4 address
of the specified interface.
NOTE:
• The NAT-PT prefix referenced in a natpt v6bound dynamic command must have been configured with
the natpt prefix command.
• If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not
specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses.
• For more information about ACL, see ACL and QoS Configuration Guide.
Configuring IPv4/IPv6 address mappings on the IPv4 side

IPv4/IPv6 address mappings on the IPv4 side can be static or dynamic.
Configuring a static IPv4/IPv6 address mapping on the IPv4 side

A static IPv4/IPv6 address mapping on the IPv4 side shows the one-to-one correspondence between an
IPv4 address and an IPv6 address.
• If the source IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches a static
IPv4/IPv6 address mapping, the source IPv4 address is translated into the corresponding IPv6
address.
165
• If the destination IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches a static
IPv4/IPv6 address mapping, the destination IPv6 address is translated into the corresponding IPv4
address.
To configure a static IPv4/IPv6 address mapping on the IPv4 side:
Step Command
2. Enter the NAT service interface view. interface nat interface-number

3. Configure a static IPv4/IPv6 address
natpt v4bound static ipv4-address ipv6-address
mapping on the IPv4 side.
Configuring a dynamic IPv4/IPv6 address mapping policy on the IPv4 side

A dynamic IPv4/IPv6 address mapping policy on the IPv4 side is that if the source IPv4 address matches
a specified ACL, the source IPv4 address is added with a NAT-PT prefix as the translated IPv6 address.
To configure a dynamic IPv4/IPv6 mapping policy on the IPv4 side:
Step Command
3. Configure a dynamic IPv4/IPv6 source address natpt v4bound dynamic acl number acl-number
mapping policy on the IPv4 side. prefix natpt-prefix
NOTE:
• Before configuring a dynamic IPv4/IPv6 mapping policy on the IPv4 side, you must use the natpt prefix
command to specify the NAT-PT prefix for the natpt v6bound dynamic acl number command.
• For more information about ACLs, see ACL and QoS Configuration Guide.
Setting the ToS field after NAT-PT translation

You can set the ToS field in IPv4 packets translated from IPv6 packets to 0 or leave it unchanged. 0
indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that
the existing service priority is used.
To set the ToS field in packets after NAT-PT translation:

2. Set the ToS field in IPv4 By default, the value of the ToS field of IPv4
packets translated from natpt turn-off tos packets is the same as that of the Traffic
IPv6 packets to 0. Class field in corresponding IPv6 packets.
166
Setting the traffic class field after NAT-PT translation
You can set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0 or leave it unchanged.
0 indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that
the existing service priority is used.
To set the Traffic Class field in packets after NAT-PT translation:

By default, the value of the Traffic Class

2. Set the Traffic Class field
field of IPv6 packets is the same as that of
in IPv6 packets translated natpt turn-off traffic-class
the ToS field in corresponding IPv4
from IPv4 packets to 0.
packets.
Configuring static NAPT-PT mappings of IPv6 servers

Generally, a server such as the FTP server, Web server, or Telnet server on an IPv6 network provides
services for IPv6 hosts only. To allow IPv4 hosts to access the IPv6 server, you can specify a static NAPT-PT
mapping between the IPv6 address plus the port number and the IPv4 address plus the port number of
the IPv6 server.
Upon receiving an access request to an IPv6 server from an IPv4 host, the NAT-PT router checks the
destination address and port number of the packet against the static address/port mapping of the IPv6
server. If they match, the router translates the destination IPv4 address of the packet into the
corresponding IPv6 address according to the IPv4/IPv6 address mapping on the IPv4 side, and
translates the destination IPv4 address and port number in the request to the corresponding IPv6 address
and port number according to the static address/port mapping of the IPv6 server.
When you configure a static address/port mapping of an IPv6 server, you must specify the following:
• Protocol type, that is, the type of the transport layer protocol used by the server. It can be TCP or
UDP.
• IPv4 address and port number of the server. They are used by IPv4 hosts to access the server.
• IPv6 address and port number of the server.
To configure a static NAPT-PT mapping for an IPv6 server:
Step Command
natpt v4bound static v6server protocol protocol-type

3. Configure a static address and port number
ipv4-address ipv4-port-number ipv6-address
mapping for an IPv6 server.
ipv6-port-number
Displaying and maintaining NAT-PT
167
Display all NAT-PT configuration display natpt all [ | { begin | exclude |
information. include } regular-expression ]
Display NAT-PT address pool display natpt address-group [ | { begin |

configuration information. exclude | include } regular-expression ]
Display the static and dynamic NAT-PT display natpt address-mapping [ | { begin |
address mappings. exclude | include } regular-expression ]
display natpt statistics [ slot slot-number ] [ |

Display NAT-PT statistics information. { begin | exclude | include } Available in any view
Clear all NAT-PT statistics information. reset natpt statistics [ slot slot-number ] Available in user view
NAT-PT configuration examples

Configuring dynamic mapping on the IPv6 side
As shown in Figure 70, Router C with IPv6 address 2001::2/64 on an IPv6 network wants to access
Router A with IPv4 address 8.0.0.2/24 on an IPv4 network, whereas Router A cannot actively access
Router C.
Configure Router B that is deployed between the IPv4 network and IPv6 network as a NAT-PT router, and
configure dynamic mapping policies on the IPv6 side on Router B so that IPv6 hosts can access IPv4 hosts
but IPv4 hosts cannot access IPv6 hosts. On router B, slot number1 is installed with one of the following
cards: SPE-1010-II, SPE-1010-E-II, SPE-1020-II, and SPE-1020-E-II; slot number 4 is installed with an SPE
card.
1. Configure Router B (NAT-PT router):
# Configure interface addresses and enable NAT-PT on the interfaces.
[RouterB] ipv6
[RouterB-Serial4/1/9:0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial4/1/9:0] natpt enable
[RouterB-Serial4/1/9:1] ipv6 address 2001::1/64
168
# Configure a NAT-PT prefix.
[RouterB] interface nat 1/0/1
[RouterB] natpt prefix 3001::
[RouterB-NAT1/0/1] quit
# Configure a NAT-PT address pool.
[RouterB] natpt address-group 1 9.0.0.10 9.0.0.19
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[RouterB-NAT1/0/1] natpt v6bound dynamic prefix 3001:: address-group 1
2. Configure Router A on the IPv4 side:
# Configure a static route to subnet 9.0.0.0/24.
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Enable IPv6.
<RouterC> system-view
[RouterC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterC] ipv6 route-static 3001:: 16 2001::1

If you carry out the ping ipv6 3001::0800:0002 command on Router C after completing the
configurations above, response packets can be received.
Configuring static mappings on the IPv4 side and the IPv6 side
As shown in Figure 71, Router C with IPv6 address 2001::2/64 on an IPv6 network can communicate
with Router A with IPv4 address 8.0.0.2/24 on an IPv4 network.
Configure Router B that is deployed between the IPv4 network and IPv6 network as a NAT-PT router, and
configure static mappings on the IPv4 side and IPv6 side on Router B, so that Router A and Router C can
communicate with each other. On router B, slot number1 is installed with one of the following cards:
SPE-1010-II, SPE-1010-E-II, SPE-1020-II, and SPE-1020-E-II; slot number 4 is installed with an SPE card.
1. Configure Router B (NAT-PT router):
169
# Configure interface addresses and enable NAT-PT on the interfaces.
[RouterB] ipv6
[RouterB-Serial4/1/9:0] ip address 8.0.0.1 255.255.255.0
[RouterB-Serial4/1/9:1] ipv6 address 2001::1/64
# Configure a NAT-PT prefix.
[RouterB-NAT1/0/1] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side.
[RouterB-NAT1/0/1] natpt v4bound static 8.0.0.2 3001::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side.
[RouterB-NAT1/0/1] natpt v6bound static 2001::2 9.0.0.5
2. Configure Router A on the IPv4 side:
# Configure the IP address of Serial 4/1/9:0.
[RouterA] interface serial 4/1/9:0
[RouterA-Serial4/1/9:0] ip address 8.0.0.2 255.255.255.0
[RouterA-Serial4/1/9:0] quit
# Configure a static route to subnet 9.0.0.0/24.
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Configure the IP address of Serial 4/1/9:0.
<RouterC> system-view
[RouterC] interface serial 4/1/9:0
[RouterC-Serial4/1/9:0] ipv6 address 2001::2/64
[RouterC-Serial4/1/9:0] quit
# Enable IPv6.
[RouterC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterC] ipv6 route-static 3001:: 16 2001::1

After the above configurations, using the ping 9.0.0.5 command on Router A and the ping ipv6 3001::5
command on Router C can receive response packets.
Troubleshooting NAT-PT
Symptom
NAT-PT fails when a session is initiated on the IPv6 side.
170
Solution
• Enable debugging for NAT-PT and locate the fault according to the debugging information of the
router.
• During debugging, check whether the source address of a packet is translated successfully. If not,
it is possible that the address pool has no sufficient IP addresses.
• You can configure a larger address pool, or use NAPT-PT to perform NAT-PT.
171
Configuring tunneling
Tunneling overview
Tunneling is an encapsulation technology, which uses one network protocol to encapsulate packets of
another network protocol and transfer them over a virtual point-to-point connection. The virtual
connection is called a tunnel. Packets are encapsulated and de-encapsulated at both ends of a tunnel.
Tunneling refers to the whole process from data encapsulation to data transfer to data de-encapsulation.
Tunneling provides the following features:
• Transition techniques, such as IPv6 over IPv4 tunneling, to interconnect IPv4 and IPv6 networks.
• Virtual Private Networks (VPNs) for guaranteeing communication security, such as IPv4 over IPv4
tunneling and Generic Routing Encapsulation (GRE).
• Traffic engineering, such as Multiprotocol Label Switching traffic engineering (MPLS TE) to prevent
network congestion.
Unless otherwise specified, the term tunnel in this document refers to an IPv4/IPv6 transition tunnel or
IPv4 over IPv6 tunnel.
NOTE:
• For more information about GRE, see the chapter “GRE configuration.”
• For more information about MPLS TE, see MPLS TE Configuration Guide.
IPv6 over IPv4 tunnels

Implementation
The IPv6 over IPv4 tunneling adds an IPv4 header to IPv6 data packets so that IPv6 packets can pass an
IPv4 network through a tunnel to realize internetworking between isolated IPv6 networks, as shown
in Figure 72. The IPv6 over IPv4 tunnel can be established between two hosts, a host and a device, or two
devices. The tunnel destination node can forward IPv6 packets if it is not the destination of the IPv6
packets.
CAUTION:
The routers at both ends of an IPv6 over IPv4 tunnel must support IPv4/IPv6 dual stack.
172
Figure 72 Principle of IPv6 over IPv4 tunnel
The IPv6 over IPv4 tunnel processes packets in the following ways:
1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.
2. After determining according to the routing table that the packet needs to be forwarded through the
tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the
physical interface of the tunnel.
3. Upon receiving the packet, Device B de-encapsulates the packet.
4. Device B forwards the packet according to the destination address in the de-encapsulated IPv6
packet. If the destination address is the device itself, Device B forwards the IPv6 packet to the
upper-layer protocol for processing.
Tunnel types
IPv6 over IPv4 tunnels are divided into manually configured tunnels and automatic tunnels, depending
on how the IPv4 address of the tunnel destination is acquired.
• Manually configured tunnel—The destination address of the tunnel cannot be automatically
acquired through the destination IPv6 address of an IPv6 packet at the tunnel source, and must be
manually configured.
• Automatic tunnel—The destination address of the tunnel is an IPv6 address with an IPv4 address
embedded, and the IPv4 address can be automatically acquired through the destination IPv6
address of an IPv6 packet at the tunnel source.
According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are divided into the
following modes.
Table 9 IPv6 over IPv4 tunnel modes and key parameters
Tunnel source/destination Tunnel interface

Tunnel type Tunnel mode
address address type
The source/destination IP address
IPv6 manual tunneling is a manually configured IPv4 IPv6 address
Manually address.
configured tunnel The source/destination IP address
IPv6-over-IPv4 GRE
is a manually configured IPv4 IPv6 address
tunneling
address.
The source IP address is a IPv4-compatible IPv6

Automatic
manually configured IPv4 address, in the format
Automatic tunnel IPv4-compatible IPv6
address. The destination IP of ::IPv4-source-addres
tunneling
address need not be configured. s/96
173
Tunnel source/destination Tunnel interface
Tunnel type Tunnel mode
address address type
The source IP address is a 6to4 address, in the
manually configured IPv4 format of
6to4 tunneling
address. The destination IP 2002:IPv4-source-addr
address need not be configured. ess::/48
The source IP address is a ISATAP address, in the

Intra-site automatic tunnel
manually configured IPv4 format of
addressing protocol
address. The destination IP Prefix:0:5EFE:IPv4-sour
(ISATAP) tunneling
address need not be configured. ce-address/64
IPv6 manual tunneling

A manually configured tunnel is a point-to-point link. One link is a separate tunnel. The IPv6 manually
configured tunnels provide stable connections requiring regular secure communication between two
border routers or between a border router and a host for access to remote IPv6 networks.
1. IPv6-over-IPv4 GRE tunneling
IPv6 packets can be carried over IPv6-over-IPv4 GRE tunnels to pass through an IPv4 network. Like
an IPv6 manually configured tunnel, an IPv6-over-IPv4 GRE tunnel is a point-to-point link.
IPv6-over-IPv4 GRE tunnels are mainly used to provide stable connections for secure
communication between border routers or between host and border router. For more information,
see the chapter “GRE configuration.”
2. Automatic IPv4-compatible IPv6 tunnel
An automatic IPv4-compatible IPv6 tunnel is a point-to-multipoint link. IPv4-compatible IPv6
addresses are adopted at both ends of such a tunnel. The address format is
0:0:0:0:0:0:a.b.c.d/96, where a.b.c.d represents an embedded IPv4 address. The tunnel
destination is automatically determined by the embedded IPv4 address, which makes it easy to
create a tunnel for IPv6 over IPv4. However, an automatic IPv4-compatible IPv6 tunnel must use
IPv4-compatible IPv6 addresses and it is still dependent on IPv4 addresses. Therefore, automatic
IPv4-compatible IPv6 tunnels have limitations.
3. 6to4 tunnel
Ordinary 6to4 tunnel
An automatic 6to4 tunnel is a point-to-multipoint tunnel and is used to connect multiple isolated
IPv6 networks over an IPv4 network to remote IPv6 networks. The embedded IPv4 address in an
IPv6 address is used to automatically acquire the destination IPv4 address of the tunnel.
The automatic 6to4 tunnel adopts 6to4 addresses. The address format is 2002:abcd:efgh:subnet
number::interface ID/64, where abcd:efgh represents the 32-bit globally unique source IPv4
address of the 6to4 tunnel, in hexadecimal notation. For example, 1.1.1.1 can be represented by
0101:0101. The part that follows 2002:abcd:efgh uniquely identifies a host in a 6to4 network.
The tunnel destination is automatically determined by the embedded IPv4 address, which makes it
easy to create a 6to4 tunnel.
Since the 16-bit subnet number of the 64-bit address prefix in 6to4 addresses can be customized
and the first 48 bits in the address prefix are fixed by a permanent value and the IPv4 address of
the tunnel source or destination, it is possible that IPv6 packets can be forwarded by the tunnel. A
6to4 tunnel interconnects IPv6 networks over an IPv4 network, and overcomes the limitations of an
automatic IPv4-compatible IPv6 tunnel.
174
A 6to4 tunnel is only used to connect 6to4 networks, whose IP prefix must be 2002::/16.
However, IPv6 network addresses with the prefix such as 2001::/16 may also be used in IPv6
networks. To connect a 6to4 network to an IPv6 network, a 6to4 router must be used as a gateway
to forward packets to the IPv6 network. Such a router is called 6to4 relay router.
As shown in Figure 73, a static route must be configured on the border router (Device A) in the
6to4 network and the next-hop address must be the 6to4 address of the 6to4 relay router (Device
C). In this way, all packets destined for the IPv6 network will be forwarded to the 6to4 relay router,
and then to the IPv6 network. Thus, internetworking between the 6to4 network (with the address
prefix starting with 2002) and the IPv6 network is realized.
Figure 73 6to4 tunnel
4. ISATAP tunnel
With the application of the IPv6 technology, there will be more and more IPv6 hosts in the existing
IPv4 network. The ISATAP tunneling technology provides a satisfactory solution for IPv6
application. An ISATAP tunnel is a point-to-multipoint automatic tunnel. The destination of a tunnel
can automatically be acquired from the embedded IPv4 address in the destination address of an
IPv6 packet.
When an ISATAP tunnel is used, the destination address of an IPv6 packet and the IPv6 address
of a tunnel interface both adopt special ISATAP addresses. The ISATAP address format is
prefix(64bit):0:5EFE:abcd:efgh. The 64-bit prefix is the prefix of a valid IPv6 unicast address, but
abcd:efgh is a 32-bit source IPv4 address in hexadecimal, which might not be globally unique.
Through the embedded IPv4 address, an ISATAP tunnel can be automatically created to transfer
IPv6 packets.
The ISATAP tunnel is mainly used for communication between IPv6 routers or between a host and
an IPv6 router over an IPv4 network.
Figure 74 Principle of ISATAP tunnel
175
IPv4 over IPv4 tunnel
Introduction
The IPv4 over IPv4 tunneling (specified in RFC 1853) is developed for IP data packet encapsulation so
that data can be transferred from one IPv4 network to another IPv4 network.
Encapsulation and de-encapsulation

Figure 75 Principle of IPv4 over IPv4 tunneling
Packets traveling through a tunnel undergo encapsulation and de-encapsulation processes, as

shown in Figure 75.
• Encapsulation
The encapsulation process is as follows:
a. Router A receives an IP packet from an IPv4 host and submits it to the IP protocol stack.
b. The IP protocol stack determines how to forward the packet according to the destination
address in the IP header. If the packet is destined for the IPv4 host connected to Router B, Router
A delivers the packet to the tunnel interface.
c. The tunnel interface encapsulates the packet into an IPv4 packet and submitted to the IP
protocol stack. The IP protocol stack determines the outgoing interface of the tunnel according
to the IP header, and sends the packet out.
• De-encapsulation
d. After receiving the packet, Router B delivers it to the IP protocol stack, which then checks the
protocol number in the IP header.
e. If the protocol number is IPv4 (indicating an IPv4 packet is encapsulated within the packet), the
IP packet is sent to the tunnel module for de-encapsulation.
f. The de-encapsulated IP packet is sent back to the IP protocol stack for processing.

• RFC 1853, IP in IP Tunneling
• RFC 2473, Generic Packet Tunneling in IPv6 Specification
• RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
• RFC 3056, Connection of IPv6 Domains via IPv4 Clouds
• RFC 4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
176
Tunneling configuration task list
Complete the following tasks to configure the tunneling feature:
Task Remarks
Configuring a tunnel interface Required
Configuring an IPv6 manual tunnel
Configuring IPv6 Configuring an automatic IPv4-compatible IPv6 tunnel Optional

over IPv4 tunnel Configuring a 6to4 tunnel Use one as needed.
Configuring an ISATAP tunnel
Configuring an IPv4 over IPv4 tunnel Optional
NOTE:
For how to configure the IPv6 MTU of a tunnel interface, see the ipv6 mtu command in Layer 3—IP
Services Command Reference.
Configuring a tunnel interface

Configure a Layer 3 virtual tunnel interface on each device on a tunnel so that devices at both ends can
send, identify, and process packets from the tunnel.
To configure a tunnel interface:

2. Create a tunnel interface and By default, no tunnel interface is

interface tunnel number
enter its view. created.
Optional.
3. Configure the description for the By default, the description of a
description text
interface. tunnel interface is the interface name
followed by the "Interface" string.
4. Specify the service card for Optional.
forwarding the traffic on the service slot slot-number
interface (distributed devices). Not specified by default.
• Set the MTU for IPv4

packets sent over the
interface: Optional.
5. Set the MTU for IPv4 or IPv6 mtu size
Use either command as needed.
packets sent over the interface. • Set the MTU of IPv6
packets sent over the 1500 by default.
interface:
ipv6 mtu size
Optional.
6. Set the bandwidth for the tunnel tunnel bandwidth
interface. bandwidth-value By default, the bandwidth of the
tunnel interface is 64 kbps.
177
7. Restore the default settings. default Optional.
Optional.
8. Shut down the tunnel interface. shutdown
By default, the interface is up.
NOTE:
• When active/standby switchover occurs or the standby card is removed from a distributed device,
tunnels configured on the active or standby card still exist. To delete tunnels, use the undo interface
tunnel command.
• For more information about the ipv6 mtu command, see Layer 3—IP Services Command Reference.
• The tunnel bandwidth command does not change the actual bandwidth of the tunnel interface, but sets
a bandwidth value for dynamical routing protocols to calculate the cost of a tunnel path. You can
determine the value according to the bandwidth of the output interface.
Configuring an IPv6 manual tunnel

Configure IP addresses for interfaces (such as the VLAN interface, Ethernet interface, and loopback
interface) on the router to ensure normal communication. One of the interfaces will be used as the source
interface of the tunnel.
Configuration guidelines
When you configure an IPv6 manual tunnel, follow these guidelines:
• After a tunnel interface is deleted, all the above features configured on the tunnel interface will be
deleted.
• To encapsulate and forward IPv6 packets whose destination address does not belong to the
network segment where the receiving tunnel interface resides, you need to configure a static route
or dynamic routing for forwarding those packets through this tunnel interface. If you configure a
static route to that destination IPv6 address, specify this tunnel interface as the outbound interface,
or the peer tunnel interface address as the next hop. A similar configuration needs to be performed
at the other tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing
protocol on both tunnel interfaces. For the detailed configuration, see Layer 3—IP Routing
To configure an IPv6 manual tunnel:

By default, the IPv6 packet

2. Enable IPv6. ipv6
forwarding function is disabled.
178
3. Enter tunnel interface
interface tunnel number N/A
view.
Use either the ipv6 address

{ ipv6-address prefix-length |
ipv6-address | prefix-length } or the
• Configure a global unicast IPv6 ipv6 address ipv6-address |
address or a site-local address: prefix-length eui-64 command to
{ ipv6 address { ipv6-address configure a global unicast IPv6
prefix-length | ipv6-address | address or a site-local address.
4. Configure an IPv6 prefix-length } By default,

address for the tunnel { ipv6 address ipv6-address | • No IPv6 global unicast address or
interface. prefix-length eui-64 site-local address is configured for
• Configure a link-local IPv6 address: the tunnel interface.
a. ipv6 address auto link-local • A link-local address will
b. ipv6 address ipv6-address automatically be created when an
link-local IPv6 global unicast address or
site-local address is configured.
The link-local IPv6 address
configuration is optional.
By default, the tunnel is a GRE over

IPv4 tunnel. The same tunnel type
5. Specify the IPv6
tunnel-protocol ipv6-ipv4 should be configured at both ends of
manual tunnel mode.
the tunnel. Otherwise, packet delivery
will fail.
6. Configure a source
source { ip-address | interface-type By default, no source address or
address or interface for
interface-number } interface is configured for the tunnel.
the tunnel.
7. Configure a
By default, no destination address is
destination address for destination ip-address
configured for the tunnel.
the tunnel.
9. Enable dropping of
IPv6 packets using Optional.
tunnel discard ipv4-compatible-packet
IPv4-compatible IPv6 Disabled by default.
addresses.
As shown in Figure 76, two IPv6 networks are connected over an IPv4 network. Configure an IPv6
manual tunnel between Router A and Router B to make the two IPv6 networks reachable to each other.
If the destination IPv4 address cannot be automatically obtained from the destination IPv6 addresses of
packets, configure an IPv6 manual tunnel.
179
NOTE:
Before configuring an IPv6 manual tunnel, make sure that Router A and Router B are reachable to each
other.
# Enable IPv6.
[RouterA] ipv6
# Configure an IPv4 address for GigabitEthernet 2/1/1.
# Configure an IPv6 manual tunnel.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ipv6 address 3001::1/64
[RouterA-Tunnel0] source GigabitEthernet 2/1/1
[RouterA-Tunnel0] destination 192.168.50.1
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4
[RouterA-Tunnel0] quit
# Configure a static route to IPv6 Group 2 through tunnel 0 on Router A.
[RouterA] ipv6 route-static 3003:: 64 tunnel 0
# Enable IPv6.
[RouterB] ipv6
180
# Configure an IPv6 manual tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 3001::2/64
[RouterB-Tunnel0] source GigabitEthernet 2/1/1
[RouterB-Tunnel0] destination 192.168.100.1
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4
[RouterB-Tunnel0] quit
# Configure a static route to IPv6 Group 1 through tunnel 0 on Router B.
[RouterB] ipv6 route-static 3002:: 64 tunnel 0

After the above configurations, display the status of the tunnel interfaces on Router A and Router B,
respectively:
[RouterA] display ipv6 interface tunnel 0 verbose
Tunnel0 current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:6401
3001::1, subnet is 3001::/64
FF02::1:FF00:0
FF02::1:FF00:1
FF02::1:FFA8:6401
FF02::2
FF02::1
MTU is 1480 bytes
InReceives: 55
……(omitted)
[RouterB] display ipv6 interface tunnel 0 verbose
3001::2, subnet is 3001::/64
FF02::1:FF00:0
FF02::1:FF00:1
FF02::1:FFA8:3201
FF02::2
FF02::1
MTU is 1480 bytes
181
InReceives: 55
……(omitted)
# Ping the IPv6 address of the peer interface GigabitEthernet 2/1/2 from Router A:
[RouterA] ping ipv6 3003::1
PING 3003::1 : 56 data bytes, press CTRL_C to break
Reply from 3003::1
Reply from 3003::1
Reply from 3003::1
Reply from 3003::1
Reply from 3003::1
--- 3003::1 ping statistics ---

0.00% packet loss
Configuring an automatic IPv4-compatible IPv6

tunnel
When you configure an automatic IPv4-compatible IPv6 tunnel, follow these guidelines:
• No destination address needs to be configured for an automatic IPv4-compatible IPv6 tunnel. The
destination address of the tunnel can be automatically obtained through the IPv4 address
embedded in the IPv4-compatible IPv6 address.
• The automatic tunnel interfaces encapsulated with the same protocol cannot share the same source
IP address.
182
To configure an automatic IPv4-compatible IPv6 tunnel:

2. Enable the IPv6 packet By default, the IPv6 packet

ipv6
forwarding function. forwarding function is disabled.
view.

ipv6-address | prefix-length } or
the ipv6 address ipv6-address |
• Configure an IPv6 global unicast prefix-length eui-64 command to
address or site-local address: configure an IPv6 global unicast
{ ipv6 address { ipv6-address address or site-local address.
prefix-length | ipv6-address | By default,
4. Configure an IPv6 prefix-length } • No IPv6 global unicast
address for the tunnel { ipv6 address ipv6-address | address or site-local address
interface. prefix-length eui-64 is configured for the tunnel
• Configure an IPv6 link-local address: interface.
a. ipv6 address auto link-local • A link-local address will
b. ipv6 address ipv6-address automatically be generated
link-local when an IPv6 global unicast
or site-local address is
configured for the interface.
The IPv6 link-local address
configuration is otional.
By default, the tunnel is a GRE

5. Configure an
over IPv4 tunnel. The same tunnel
automatic
tunnel-protocol ipv6-ipv4 auto-tunnel type should be configured at both
IPv4-compatible IPv6
ends of the tunnel. Otherwise,
tunnel.
packet delivery will fail.
6. Configure a source By default, no source address or

source { ip-address | interface-type
address or interface for interface is configured for the
interface-number }
the tunnel. tunnel.
As shown in Figure 77, dual-stack routers, Router A and Router B are connected over an IPv4 network.
Configure an automatic IPv4-compatible IPv6 tunnel between the two routers to enable the IPv6 networks
to communicate with each other over the tunnel.
183
NOTE:
Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure that Router A and Router B are
reachable to each other.
# Enable IPv6.
[RouterA] ipv6
# Configure an automatic IPv4-compatible IPv6 tunnel.
[RouterA-Tunnel0] ipv6 address ::192.168.100.1/96
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 auto-tunnel
# Enable IPv6.
[RouterB] ipv6
# Configure an automatic IPv4-compatible IPv6 tunnel.
[RouterB-Tunnel0] ipv6 address ::192.168.50.1/96
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 auto-tunnel

After the above configurations, display the status of the tunnel interfaces on Router A and Router B,
respectively.
[RouterA] display ipv6 interface tunnel 0 verbose
184
::192.168.100.1, subnet is ::/96
FF02::1:FFA8:6401
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1480 bytes
InReceives: 65
……(omitted)
[RouterB] display ipv6 interface tunnel 0 verbose
::192.168.50.1, subnet is ::/96
FF02::1:FFA8:3201
FF02::1:FF00:0
FF02::2
FF02::1
MTU is 1480 bytes
InReceives: 65
……(omitted)
# Ping the IPv4-compatible IPv6 address of the peer tunnel interface from Router A.
[RouterA] ping ipv6 ::192.168.50.1
PING ::192.168.50.1 : 56 data bytes, press CTRL_C to break
Reply from ::192.168.50.1
Reply from ::192.168.50.1
Reply from ::192.168.50.1
Reply from ::192.168.50.1
Reply from ::192.168.50.1
185
--- ::192.168.50.1 ping statistics ---
0.00% packet loss
Configuring a 6to4 tunnel

When you configure a 6to4 tunnel, follow these guidelines:
• No destination address needs to be configured for a 6to4 tunnel because the destination address
can automatically be obtained from the IPv4 address embedded in the 6to4 IPv6 address.
to reach the destination IPv6 address through this tunnel interface on the router. Because automatic
tunnels do not support dynamic routing, you can configure a static route to that destination IPv6
address with this tunnel interface as the outbound interface or the peer tunnel interface address as
the next hop. A similar configuration needs to be performed at the other tunnel end. For the detailed
configuration, see Layer 3—IP Routing Configuration Guide.
• The automatic tunnel interfaces using the same encapsulation protocol cannot share the same
source IP address.
To configure a 6to4 tunnel:

By default, the IPv6 packet

forwarding function is disabled.
3. Enter tunnel interface view. interface tunnel number N/A
186
ipv6-address | prefix-length } or
the ipv6 address ipv6-address |
• Configure an IPv6 global unicast prefix-length eui-64 command to
address or site-local address: configure an IPv6 global unicast
{ ipv6 address { ipv6-address address or site-local address.
prefix-length | ipv6-address |
By default,
prefix-length }
ipv6 address ipv6-address |
• No IPv6 global unicast
4. Configure an IPv6 address for {
address or site-local address
the tunnel interface. prefix-length eui-64
is configured for the tunnel
• Configure an IPv6 link-local interface.
address:
• A link-local address will
a. ipv6 address auto link-local
automatically be generated
b. ipv6 address ipv6-address when an IPv6 global unicast
link-local address or site-local address
is configured.
The IPv6 link-local address
configuration is optional.
By default, the tunnel is a GRE

over IPv4 tunnel. The same
tunnel type should be
5. Specify the 6to4 tunnel mode. tunnel-protocol ipv6-ipv4 6to4
configured at both ends of the
tunnel. Otherwise, packet
delivery will fail.
By default, no source address or

6. Configure a source address or source { ip-address | interface-type
interface is configured for the
interface for the tunnel. interface-number }
tunnel.

8. Enable dropping of IPv6
packets using tunnel discard Optional.
IPv4-compatible IPv6 ipv4-compatible-packet Disabled by default.
addresses.
6to4 tunnel configuration example

As shown in Figure 78, two 6to4 networks are connected to an IPv4 network through two 6to4 routers
(Router A and Router B) respectively. Configure a 6to4 tunnel to make Host A and Host B reachable to
each other.
To enable communication between 6to4 networks, you need to configure 6to4 addresses for 6to4
routers and hosts in the 6to4 networks.
• The IPv4 address of GigabitEthernet 2/1/1 on Router A is 2.1.1.1/24, and the corresponding 6to4
prefix is 2002:0201:0101::/48 after it is translated to an IPv6 address. Assign interface tunnel 0 to
subnet 2002:0201:0101::/64 and GigabitEthernet 2/1/2 to subnet 2002:0201:0101:1::/64.
• The IPv4 address of GigabitEthernet 2/1/1 on Router B is 5.1.1.1/24, and the corresponding 6to4
prefix is 2002:0501:0101::/48 after it is translated to an IPv6 address. Assign interface tunnel 0 to
subnet 2002:0501:0101::/64 and GigabitEthernet 2/1/2 to subnet 2002:0501:0101:1::/64.
187
6to4 router GE2/1/1 6to4 router
GE2/1/1
2.1.1.1/24 5.1.1.1/24
Router A IPv4 netwok
6to4 tunnel Router B
GE2/1/2 Tunnel 0 Tunnel 0 GE2/1/2
2002:0201:0101:1::1/64 2002:0201:0101::1/64 2002:0501:0101::1/64 2002:0501:0101:1::1/64
6to4 6to4
Group 1 Group 2
Host A Host B
2002:0201:0101:1::2/64 2002:0501:0101:1::2/64
NOTE:
Before configuring a 6to4 tunnel, make sure that Router A and Router B are reachable to each other.
# Enable IPv6.
[RouterA] ipv6
[RouterA-GigabitEthernet2/1/2] ipv6 address 2002:0201:0101:1::1/64
# Configure the 6to4 tunnel.
[RouterA-Tunnel0] ipv6 address 2002:201:101::1/64
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
# Configure a static route whose destination address is 2002::/16 and next-hop is the tunnel
interface.
[RouterA] ipv6 route-static 2002:: 16 tunnel 0
# Enable IPv6.
[RouterB] ipv6
[RouterB-GigabitEthernet2/1/1] ip address 5.1.1.1 24
188
[RouterB-GigabitEthernet2/1/2] ipv6 address 2002:0501:0101:1::1/64
# Configure a 6to4 tunnel.
[RouterB-Tunnel0] ipv6 address 2002:0501:0101::1/64
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
interface.

After the above configuration, ping Host B from Host A or ping Host A from Host B.
D:\>ping6 -s 2002:201:101:1::2 2002:501:101:1::2
Pinging 2002:501:101:1::2
from 2002:201:101:1::2 with 32 bytes of data:
Reply from 2002:501:101:1::2: bytes=32 time=13ms

Reply from 2002:501:101:1::2: bytes=32 time<1ms
Ping statistics for 2002:501:101:1::2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 13ms, Average = 3ms
6to4 relay configuration example

As shown in Figure 79, Router A is a 6to4 router, and 6to4 addresses are used on the connected IPv6
network. Router B serves as a 6to4 relay router and is connected to the IPv6 network (2001::/16).
Configure a 6to4 tunnel between Router A and Router B to make Host A and Host B reachable to each
other.
189
6to4 router GE3/1/2 6to4 relay
GE3/1/2
2.1.1.1/24 6.1.1.1/24
Router A IPv4 netwok
6to4 tunnel Router B
GE3/1/1 Tunnel 0 Tunnel 0 GE3/1/1
2002:0201:0101:1::1/64 2002:0201:0101::1/64 2002:0601:0101::1/64 2001::1/64
6to4 network IPv6 network
Host A Host B
2002:0201:0101:1::2/64 2001::2/64
NOTE:
• Before configuring a 6to4 relay, make sure that Router A and Router B are reachable to each other.
• The configuration on a 6to4 relay router is similar to that on a 6to4 router. However, to enable
communication between the 6to4 network and the IPv6 network, you need to configure a route to the
IPv6 network on the 6to4 router.
# Enable IPv6.
[RouterA] ipv6
[RouterA-GigabitEthernet3/1/1] ipv6 address 2002:0201:0101:1::1/64
[RouterA-Tunnel0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
# Configure a static route to the 6to4 relay router.
[RouterA] ipv6 route-static 2002:0601:0101:: 64 tunnel 0
# Configure the default route to the IPv6-only network.
[RouterA] ipv6 route-static :: 0 2002:0601:0101::1
# Enable IPv6.
190
[RouterB] ipv6
[RouterB-GigabitEthernet3/1/1] ipv6 address 2001::1/16
[RouterB-Tunnel0] ipv6 address 2002:0601:0101::1/64
[RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
interface.

After the above configuration, ping Host B from Host A.
D:\>ping6 -s 2002:201:101:1::2 2001::2
Pinging 2001::2
from 2002:201:101:1::2 with 32 bytes of data:
Reply from 2001::2: bytes=32 time=13ms

Reply from 2001::2: bytes=32 time<1ms
Ping statistics for 2001::2:

Configuring an ISATAP tunnel

When you configure an ISATAP tunnel, follow these guidelines:
191
• No destination address needs to be configured for an ISATAP tunnel. The destination address of the
tunnel can be automatically obtained through the IPv4 address embedded in the ISATAP address.
to reach the destination IPv6 address through this tunnel interface on the router. Because automatic
tunnels do not support dynamic routing, you can configure a static route to that destination IPv6
address with this tunnel interface as the outbound interface or the peer tunnel interface address as
the next hop. A similar configuration needs to be performed at the other tunnel end. For more
configuration information, see Layer 3—IP Routing Configuration Guide.
• The automatic tunnel interfaces using the same encapsulation protocol cannot share the same
source IP address.
To configure an ISATAP tunnel:

By default, the IPv6 forwarding function

is disabled.
view.

• Configure an IPv6 global unicast ipv6-address | prefix-length } or the ipv6
address or site-local address: address ipv6-address | prefix-length
{ ipv6 address { ipv6-address eui-64 command to configure an IPv6
prefix-length | ipv6-address | global unicast address or site-local
prefix-length } address.
4. Configure an IPv6 By default,
{ ipv6 address ipv6-address |
address for the
prefix-length eui-64 • No IPv6 global unicast address is
tunnel interface.
• Configure an IPv6 link-local configured for the tunnel interface.
address: • A link-local address will automatically
a. ipv6 address auto link-local be generated when an IPv6 global
b. ipv6 address ipv6-address unicast address or link-local address
link-local is configured.
The IPv6 link-local address configuration
is optional.
By default, the tunnel is a GRE over IPv4

5. Specify the ISATAP tunnel. The same tunnel type should be
tunnel-protocol ipv6-ipv4 isatap
tunnel mode. configured at both ends of the tunnel.
Otherwise, packet delivery will fail.
6. Configure a source
source { ip-address | interface-type By default, no source address or
address or interface
interface-number } interface is configured for the tunnel.
for the tunnel.
7. Return to system
quit N/A
view.
192
8. Enable dropping of
IPv6 packets using tunnel discard Optional.
IPv4-compatible IPv6 ipv4-compatible-packet Disabled by default.
addresses.
As shown in Figure 80, an IPv6 network is connected to an IPv4 network through an ISATAP router.
Configure the ISATAP tunnel to enable the IPv6 host in the IPv4 network to access the IPv6 network.
NOTE:
Before configuring an ISATAP tunnel, make sure that GigabitEthernet 2/1/2 on the ISATAP router and the
ISATAP host are reachable to each other.
• Configure the ISATAP router:

# Enable IPv6.
[Router] ipv6
# Configure addresses for interfaces.
[Router-GigabitEthernet2/1/1] ipv6 address 3001::1/64
# Configure an ISATAP tunnel.
[Router] interface tunnel 0
[Router-Tunnel0] ipv6 address 2001::5efe:0101:0101 64
[Router-Tunnel0] source GigabitEthernet 2/1/2
[Router-Tunnel0] tunnel-protocol ipv6-ipv4 isatap
# Disable the RA suppression so that hosts can acquire information such as the address prefix from
the RA message released by the ISATAP router.
[Router-Tunnel0] undo ipv6 nd ra halt
193
[Router-Tunnel0] quit
# Configure a static route to the ISATAP host.
[Router] ipv6 route-static 2001:: 16 tunnel 0
• Configure the ISATAP host:
The specific configuration on the ISATAP host is related to its operating system. The following
example shows the configuration of the host running the Windows XP.
# Install IPv6.
C:\>ipv6 install
# On a Windows XP-based host, the ISATAP interface is usually interface 2. Configure the IPv4
address of the ISATAP router on interface 2 to complete the configuration on the host. Before that,
display information on the ISATAP interface:
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
does not use Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 0.0.0.0
router link-layer address: 0.0.0.0
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48
# A link-local address (fe80::5efe:2.1.1.2) in the ISATAP format was automatically generated for
the ISATAP interface. Configure the IPv4 address of the ISATAP router on the ISATAP interface.
C:\>ipv6 rlu 2 1.1.1.1
After carrying out the above command, look at the information on the ISATAP interface.
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
uses Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 2.1.1.2
router link-layer address: 1.1.1.1
preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1500 (true link MTU 65515)
current hop limit 255
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48
194
# By comparison, it is found that the host acquires the address prefix 2001::/64 and
automatically generates the address 2001::5efe:2.1.1.2. Meanwhile, “uses Router Discovery” is
displayed, indicating that the router discovery function is enabled on the host. At this time, ping the
IPv6 address of the tunnel interface of the router. If the address is successfully pinged, an ISATAP
tunnel is established.
C:\>ping 2001::5efe:1.1.1.1
Pinging 2001::5efe:1.1.1.1 with 32 bytes of data:
Reply from 2001::5efe:1.1.1.1: time=1ms

Ping statistics for 2001::5efe:1.1.1.1:


After the above configuration, the ISATAP host can access the host in the IPV6 network.
Configuring an IPv4 over IPv4 tunnel

When you configure an IPv4 over IPv4 tunnel, follow these guidelines:
• The router does not support IPv4 over IPv4 tunnels when working in hybrid or SPC mode. For more
information about the system working modes, see Fundamentals Configuration Guide.
or dynamic routing for forwarding those packets through this tunnel interface. If you configure a
static route to that destination IPv4 address, specify this tunnel interface as the outbound interface,
or the peer tunnel interface address as the next hop. A similar configuration needs to be performed
at the other tunnel end. If you configure dynamic routing at both ends, enable the dynamic routing
protocol on both tunnel interfaces. For the detailed configuration, see Layer 3—IP Routing
• The IPv4 address and the destination address of a tunnel interface cannot be in the same network
segment.
• The destination address of a route with a tunnel interface as the egress interface and the destination
address of the tunnel interface must not be in the same network segment.
195
• Two or more tunnel interfaces using the same encapsulation protocol must have different source and
destination addresses.
• If you specify a source interface instead of a source address for the tunnel, the source address of the
tunnel is the primary IP address of the source interface.
To configure an IPv4 over IPv4 tunnel:

2. Enter tunnel interface view. interface tunnel number N/A
3. Configure an IPv4 address for ip address ip-address { mask | By default, no IPv4 address is
the tunnel interface. mask-length } [ sub ] configured for the tunnel interface.
Optional.
By default, the tunnel is a GRE over
4. Specify the IPv4 over IPv4 IPv4 tunnel. The same tunnel type
tunnel-protocol ipv4-ipv4
tunnel mode. should be configured at both ends
of the tunnel. Otherwise, packet
delivery will fail.
By default, no source address or

5. Configure a source address or source { ip-address | interface-type
interface is configured for the
interface for the tunnel. interface-number }
tunnel.
6. Configure a destination By default, no destination address

destination ip-address
address for the tunnel. is configured for the tunnel.
As shown in Figure 81, the two IPv4 subnets Group 1 and Group 2 use private IPv4 addresses. Configure
an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each
other.
Router A Router B
GE3/1/2 GE3/1/2
2.1.1.1/24 3.1.1.1/24
IPv4 netwok
IPv4 over IPv4 tunnel
GE3/1/1 GE3/1/1
10.1.1.1/24 Tunnel1 Tunnel2
10.1.3.1/24
10.1.2.1/24 10.1.2.2/24
IPv4 IPv4
Group 1 Group 2
196
NOTE:
Before configuring an IPv4 over IPv4 tunnel, make sure that Router A and Router B are reachable to each
other.
# Configure an IPv4 address for GigabitEthernet 3/1/2 (the physical interface of the tunnel).
# Create the interface tunnel 1.
# Configure an IPv4 address for the interface tunnel 1.
[RouterA-Tunnel1] ip address 10.1.2.1 255.255.255.0
# Configure the tunnel encapsulation mode.
[RouterA-Tunnel1] tunnel-protocol ipv4-ipv4
# Configure a source address for the interface tunnel 1 (IP address of VLAN-interface 100).
[RouterA-Tunnel1] source 2.1.1.1
# Configure a destination address for the interface tunnel 1 (IP address of VLAN-interface 100 of
Router B).
# Configure a static route from Router A through the interface tunnel 1 to Group 2.
[RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1
# Configure an IPv4 address for GigabitEthernet 3/1/2 (the physical interface of the tunnel).
# Create the interface tunnel 2.
# Configure an IPv4 address for the interface tunnel 2.
[RouterB-Tunnel2] ip address 10.1.2.2 255.255.255.0
197
[RouterB-Tunnel2] tunnel-protocol ipv4-ipv4
# Configure the source address for the interface tunnel 2 (IP address of VLAN-interface 100).
[RouterB-Tunnel2] source 3.1.1.1
# Configure a destination address for the interface tunnel 2 (IP address of VLAN-interface 100 of
Router A).
# Configure a static route from Router B through the interface tunnel 2 to Group 1.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2

After the above configuration, display the status of the tunnel interfaces on Router A and Router B,
respectively.
<RouterA> display interface tunnel 1
Tunnel1 current state: UP
Line protocol current state: UP
Description: Tunnel1 Interface
The Maximum Transmit Unit is 64000
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, aggregation ID not set
Tunnel source 2.1.1.1, destination 3.1.1.1
Tunnel protocol/transport IP/IP
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
<RouterB> display interface tunnel 2

Tunnel2 current state: UP
Line protocol current state: UP
Description: Tunnel2 Interface
The Maximum Transmit Unit is 64000
Internet Address is 10.1.2.2/24 Primary
Encapsulation is TUNNEL, aggregation ID not set
Tunnel source 3.1.1.1, destination 2.1.1.1
Tunnel protocol/transport IP/IP
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
# Ping the IPv4 address of the peer interface GigabitEthernet 3/1/1 from Router A.
[RouterA] ping 10.1.3.1
198

0.00% packet loss
Displaying and maintaining tunneling configuration

display interface [ tunnel ] [ brief [ down ] ] [ |
Display information about a regular-expression ]
specified tunnel interface. display interface tunnel number [ brief ] [ |
display ipv6 interface tunnel [ number ]

Display IPv6 information on tunnel
[ verbose ] [ | { begin | exclude | include } Available in any view
interfaces.
Clear statistics on tunnel interfaces. reset counters interface [ tunnel [ number ] ] Available in any view
Troubleshooting tunneling configuration

Symptom
After the configuration of related parameters such as tunnel source address, tunnel destination address,
and tunnel type, the tunnel interface is still not up.
Solution
To solve the problem:
1. The common cause is that the physical interface of the tunnel source is not up. Use the display
interface tunnel or display ipv6 interface tunnel commands to view whether the physical interface
of the tunnel source is up. If the physical interface is down, check the network connections.
2. Another possible cause is that the tunnel destination is unreachable. Use the display ipv6
routing-table or display ip routing-table command to view whether the tunnel destination is
reachable. If no routing entry is available for tunnel communication in the routing table, configure
related routes.
199
Configuring GRE
GRE overview
Generic Routing Encapsulation (GRE) is a tunneling protocol. It can encapsulate a wide variety of
network layer protocol packet types inside IP tunnels.
A GER tunnel is a virtual point-to-point (P2P) connection. Packets are encapsulated at one end of the
tunnel and de-encapsulated at the other end.
Figure 82 X protocol networks interconnected through the GRE tunnel
The following takes the network shown in Figure 82 as an example to describe how an X protocol packet
traverses the IP network through a GRE tunnel.
Encapsulation process
1. After receiving an X protocol packet from the interface connected to Group 1, Router A submits it
to the X protocol for processing.
2. The X protocol checks the destination address field in the packet header to determine how to route
the packet.
3. If the packet must be tunneled to reach its destination, Router A sends it to the tunnel interface.
4. Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet. Then, the system
encapsulates the packet in an IP packet and forwards the IP packet based on its destination
address and the routing table.
GRE encapsulation format

Figure 83 GRE encapsulation format
Delivery header
(Transport protocol)
GRE header
(Encapsulation protocol)
Payload header
(Passenger protocol)
As an example, Figure 84 shows the format of an X protocol packet encapsulated for transmission over
an IP tunnel.
200
Figure 84 Format of an X packet encapsulated for transmission over an IP tunnel
These are the terms involved:

• Payload—Packet that needs to be encapsulated and transmitted.
• Passenger protocol—Protocol that the payload packet uses, X in the example.
• Encapsulation or carrier protocol—Protocol used to encapsulate the payload packet, that is, GRE.
• Delivery or transport protocol—Protocol used to encapsulate the GRE packet and to forward the
resulting packet to the other end of the tunnel, IP in this example.
Depending on the transport protocol, two tunnel modes are present: GRE over IPv4 and GRE over IPv6.
De-encapsulation process
De-encapsulation is the reverse of the encapsulation process:
1. Upon receiving an IP packet from the tunnel interface, Router B checks the destination address.
2. If the destination is itself and the protocol number in the IP header is 47 (the protocol number for
GRE), Router B strips off the IP header of the packet and submits the resulting packet to the GRE
protocol.
3. The GRE protocol checks the key, checksum and sequence number in the packet, and then strips
off the GRE header and submits the payload to the X protocol for forwarding.
NOTE:
Encapsulation and de-encapsulation processes on both ends of the GRE tunnel and the resulting increase
in data volumes will degrade the forwarding efficiency of a GRE-enabled router to some extent.
201
GRE applications
Multi-protocol communications through a single-protocol backbone
Figure 85 Multi-protocol communications through a single-protocol backbone
In the example as shown in Figure 85, Group 1 and Group 2 are local networks running Novell IPX,
while Team 1 and Team 2 are local networks running IP. Through the GRE tunnel between Router A and
Router B, Group 1 can communicate with Group 2 and Team 1 can communicate with Team 2. They will
not interfere with each other.
Scope enlargement of a hop-limited protocol such as RIP

Figure 86 Network scope enlargement
Router A Router D
IP network GRE tunnel IP network
Router B Router C Host B

Host A
IP network
When the hop count between two terminals exceeds 15, the terminals cannot communicate with each
other. Using GRE, you can hide some hops so as to enlarge the scope of the network.
202
VPN creation by connecting discontinuous subnets
Figure 87 Connect discontinuous subnets with a tunnel to form a VPN
In the example as shown in Figure 87, Group 1 and Group 2 running Novell IPX are deployed in different
cities. They can constitute a trans-WAN virtual private network (VPN) through the tunnel.
NOTE:
The SR8800 routers do not support Novell IPX networks.

• RFC 1701, Generic Routing Encapsulation (GRE)
• RFC 1702, Generic Routing Encapsulation over IPv4 Networks
• RFC 2784, Generic Routing Encapsulation (GRE)
Configuring a GRE tunnel

Interfaces on a router, such as VLAN interfaces and GigabitEthernet interfaces, are configured with IPv4
addresses and can communicate. These interfaces can be used as the source of a virtual tunnel interface
to ensure the reachability of the tunnel destination address.
• The source address and destination address of a tunnel uniquely identify a path. They must be
configured at both ends of the tunnel and the source address at one end must be the destination
address at the other end and vice versa.
• Tunnel interfaces using the same encapsulation protocol must have different source addresses and
destination addresses.
• If you configure a source interface for a tunnel interface, the tunnel interface takes the primary IP
address of the source interface as its source address.
• When configuring a route through the tunnel, you are not allowed to set up a static route whose
destination address is in the subnet of the tunnel interface. Instead, you can do one of the following:
{ Configure a static route, using the address of the network segment that the original packet is
destined for as its destination address and the address of the peer tunnel interface as its next
hop.
203
{ Enable a dynamic routing protocol on both the tunnel interface and the router interface
connecting the private network, so that the dynamic routing protocol can establish a routing
entry to forward packets through the tunnel.
To configure a GRE tunnel:

Optional.
2. Enable the IPv6 packet Disabled by default.
ipv6
forwarding function. The function is required for IPv6 over
IPv4 GRE tunnels.
3. Create a tunnel interface
interface tunnel
and enter tunnel interface Not created by default.
interface-number
view.
• To configure an IPv4
address:
ip address ip-address { mask
| mask-length }
• To configure an IPv6 global Configure one as needed.
4. Configure an IPv4 address,
unicast address:
an IPv6 global unicast By default, a tunnel interface is not
ipv6 address { ipv6-address
address, or a site local configured with any IPv4 address, IPv6
prefix-length |
address for the tunnel global unicast address, or site local
ipv6-address/prefix-length }
interface. address.
• To configure a site local
address:
ipv6 address
ipv6-address/prefix-length
eui-64
• To automatically generate a
link-local address: Optional.
5. Configure an IPv6 link local ipv6 address auto link-local By default, if an interface is configured
address for the tunnel • Configure a link-local with an IPv6 global unicast address or
interface. address manually: site local address, a link local address
ipv6 address ipv6-address will be automatically created.
link-local
Optional.
GRE by default.
6. Set the tunnel mode to
tunnel-protocol gre You must configure the same tunnel
GRE.
mode on both ends of a tunnel.
Otherwise, packet delivery will fail.
7. Configure the source By default, no source address or

source { ip-address |
address or interface for the interface is configured for a tunnel
interface-type interface-number }
tunnel interface. interface.
8. Configure the destination
By default, no destination address is
address for the tunnel destination ip-address
configured for a tunnel interface.
interface.
204
Optional.
9. Configure a route through See Layer 3—IP Routing Each end of the tunnel must have a route
the tunnel. Configuration Guide. (static or dynamic) through the tunnel to
the other end.
10. Set the MTU value for the • mtu mtu-size Optional.
tunnel interface. • ipv6 mtu mtu-size Configure one command as needed.
12. Configure the router to Optional.

tunnel discard
discard IPv4-compatible By default, the router does not discard
ipv4-compatible-packet
IPv6 packets. the IPv4-compatible IPv6 packets.
NOTE:
For information about commands interface tunnel, source, destination, and mtu, see Layer 3—IP Services
Command Reference.
Displaying and maintaining GRE

display interface [ tunnel ] [ brief
[ down ] ] [ | { begin | exclude |
Display information about a include } regular-expression ]
specific or all tunnel interfaces. display interface tunnel number
[ brief ] [ | { begin | exclude |
display ipv6 interface tunnel

Display IPv6 information about a [ number ] [ verbose ] [ | { begin |
tunnel interface. exclude | include }
NOTE:
For information about commands display interface tunnel and display ipv6 interface tunnel, see Layer
3—IP Services Command Reference.
GRE tunnel configuration example

As shown in Figure 88, Router A and Router B are interconnected through the Internet. Two private IPv4
subnets Group 1 and Group 2 are interconnected through a GRE tunnel between the two routers.
205
GE4/1/1 GE3/1/1 GE4/1/1
GE3/1/2 10.1.3.1/ 24
10.1.1.1/ 24 1.1.1.1/ 24
IPv4 IPv4 network 2.2.2.2/ 24 IPv4
Group1 Group 2
GRE tunnel
Router A Router B
Tunnel 3 Tunnel 3
10.1.2.1/ 24 10.1.2.2/ 24
NOTE:
Before performing GRE tunnel configuration, configure the interfaces connected to the Internet on Router
A and Router B and configure routing protocols, so that a route is available between the two routers.
1. Configure Router A.
# Configure an IPv4 address for interface GigabitEthernet 4/1/1.
# Configure an IPv4 address for interface GigabitEthernet 3/1/1, the physical interface of the
tunnel.
# Create a tunnel interface named Tunnel3.
# Configure an IPv4 address for the tunnel interface Tunnel3.
[RouterA-Tunnel3] ip address 10.1.2.1 255.255.255.0
[RouterA-Tunnel3] tunnel-protocol gre
# Configure the source address of the tunnel interface Tunnel3 as the IP address of GigabitEthernet
3/1/1.
[RouterA-Tunnel3] source 1.1.1.1
# Configure the destination address of the tunnel interface Tunnel3 as the IP address of
GigabitEthernet 3/1/2 on Router B.
# Configure a static route from Router A through the tunnel interface Tunnel3 to Group 2.
2. Configure Router B.
# Configure an IPv4 address for interface GigabitEthernet 4/1/1.
206
# Configure an IPv4 address for interface GigabitEthernet 3/1/2, the physical interface of the
tunnel.
# Create an interface named Tunnel 3.
# Configure an IP address for the tunnel interface Tunnel3.
[RouterB-Tunnel3] ip address 10.1.2.2 255.255.255.0
[RouterB-Tunnel3] tunnel-protocol gre
# Configure the source address of the tunnel interface Tunnel3 to be the IP address of interface
GigabitEthernet 3/1/2.
[RouterB-Tunnel3] source 2.2.2.2
# Configure the destination address of the tunnel interface Tunnel3 as the IP address of interface
GigabitEthernet 3/1/1 on Router A.
# Configure a static route from Router B through interface Tunnel3 to Group 1.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 3
Troubleshooting GRE
The GRE configurations are relatively simple. The key is to keep the configurations consistent. Most faults
can be located by using debugging commands. This section analyzes only one type of fault, as shown
in Figure 89.
Figure 89 Troubleshoot GRE
Symptom: The interfaces at both ends of the tunnel are configured correctly and can ping each other, but
Host A and Host B cannot ping each other.
Solution:
• On Router A and Router C, execute the display ip routing-table command in any view respectively.
On Router A, observe whether there is a route from Router A through Tunnel 1 to 10.2.0.0/16. On
Router C, observe whether there is a route from Router C through Tunnel 1 to 10.1.0.0/16.
• For any missing static routes, use the ip route-static command in system view to configure. For
example, configure a static route on Router A as follows:
207
Index
ABCDEGINOPSTU
A Configuring the DHCP relay agent security
functions,56
Applying an extended address pool on an
Configuring the DHCP relay agent to release an IP
interface,42
address,59
Applying the connection limit policy,91
Configuring the DHCP relay agent to support Option
ARP overview,1 82,60
B Configuring the DHCP server security functions,42
Binding a NAT-enabled interface to the NAT service Configuring the DHCPv6 relay agent,147
interface,89 Configuring the DNS proxy,69
Configuring the IPv4 DNS client,68
C
Configuring the IPv6 DNS client,151
Configuring a 6to4 tunnel,186 Configuring UDP Helper,114
Configuring a GRE tunnel,203 Correlating a DHCP server group with a relay agent
Configuring a tunnel interface,177 interface,55
Configuring address translation,83
D
Configuring an address pool for the DHCP server,33
Configuring an automatic IPv4-compatible IPv6 DHCP address allocation,23
tunnel,182 DHCP message format,25
Configuring an internal server,87 DHCP options,26
Configuring an IPv4 over IPv4 tunnel,195 DHCP relay agent configuration example,62
Configuring an IPv6 manual tunnel,178 DHCP relay agent configuration task list,54
Configuring an ISATAP tunnel,191 DHCP relay agent Option 82 support configuration
Configuring ARP,3 example,63
Configuring basic IPv6 functions,127 DHCP server configuration examples,46
Configuring DNS mapping,89 DHCP server configuration task list,33
Configuring DNS spoofing,69 DHCPv6 configuration overview,145
Configuring gratuitous ARP,9 DHCPv6 relay agent configuration example,148
Configuring ICMP to send error packets,107 Displaying and maintaining adjacency table,112
Configuring ICMPv6 packet sending,136 Displaying and maintaining ARP,5
Configuring IP addresses,17 Displaying and maintaining GRE,205

Configuring IP unnumbered,20 Displaying and maintaining IP performance
optimization,110
Configuring IPv6 FIB load sharing,135
Displaying and maintaining IPv4 DNS,70
Configuring IPv6 ND,129
Displaying and maintaining IPv6 basics
Configuring IPv6 TCP properties,135
configuration,138
Configuring NAT logging,89
Displaying and maintaining IPv6 DNS,152
Configuring NAT-PT,162
Displaying and maintaining NAT,92
Configuring PMTU discovery,134
Displaying and maintaining NAT-PT,167
Configuring TCP attributes,106
Displaying and maintaining proxy ARP,13
Displaying and maintaining the DHCP relay agent,61
208
Displaying and maintaining the DHCP server,46 IPv6 DNS configuration examples,152
Displaying and maintaining the DHCPv6 relay IPv6 overview,117
agent,148
N
Displaying and maintaining tunneling
configuration,199 NAT configuration examples,92
Displaying and maintaining UDP Helper,115 NAT configuration task list,82
DNS overview,65 NAT overview,77
NAT-PT configuration examples,168
E
NAT-PT configuration task list,162
Enabling connection limit logging,91 NAT-PT overview,159
Enabling DHCP,41
O
Enabling DHCP,54
Enabling ICMP flow control,110 Overview,112
Enabling offline detection,59 P
Enabling Option 82 handling,44 Protocols and standards,29
Enabling proxy ARP,12 Proxy ARP configuration examples,13
Enabling reception and forwarding of directed Proxy ARP overview,11
broadcasts to a directly connected network,104
Enabling support for ICMP extensions,109 S
Enabling the DHCP relay agent on an interface,54 Setting NAT connection limits,90
Enabling the DHCP server on an interface,41 Specifying the threshold for sending trap messages,45
G Static ARP configuration example,6
GRE overview,200 T
GRE tunnel configuration example,205 Troubleshooting DHCP relay agent configuration,64
I Troubleshooting DHCP server configuration,50
Troubleshooting GRE,207
Introduction to DHCP,23
Troubleshooting IPv4 DNS configuration,76
Introduction to DHCP relay agent,52
Troubleshooting IPv6 basics configuration,144
Introduction to DHCP server,31
Troubleshooting NAT,103
Introduction to gratuitous ARP,8
Troubleshooting NAT-PT,170
Introduction to IPv6 DNS,151
Troubleshooting tunneling configuration,199
Introduction to UDP Helper,114
Tunneling configuration task list,177
IP addressing overview,16
Tunneling overview,172
IP performance optimization overview,104
IPv4 DNS configuration examples,70 U
IPv6 basics configuration example,139 UDP Helper configuration example,115
IPv6 basics configuration task list,126
209

05-Layer 3 - IP Services Configuration Guide-Book PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

05-Layer 3 - IP Services Configuration Guide-Book PDF

Загружено:

Авторское право:

Доступные форматы

H3C SR8800 10G Core Routers

Layer 3—IP Services Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

Software version: SR8800-CMW520-R3347

All rights reserved

H3C, , Aolynk, , H3Care, , TOP G, , IRF, NetPilot, Neocean, NeoVTL,

# A line that starts with a pound (#) sign is comments.

IMPORTANT An alert that calls attention to essential information.

NOTE An alert that contains additional or supplementary information.

TIP An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Port numbering in examples

About the H3C SR8800 documentation set

Compliance and safety Provides regulatory information and the safety

Provides a complete guide to hardware installation

H3C N68 Cabinet

H3C High-End Network Describes the hot-swappable modules available for

Describe software features and configuration

Command references Provide a quick reference to all available commands.

Provide information about the product release,

Configuring DHCP relay agent ································································································································· 52

Configuring IP performance optimization ············································································································· 104

Configuring adjacency table·································································································································· 112

ARP message format

The following explains the fields in Figure 1.

If Host A and Host B are not on the same subnet:

Dynamic ARP entry

Static ARP entry

Step Command Remarks

Configuring the maximum number of dynamic ARP entries for

Step Command Remarks

4. Enter Layer 3 Ethernet interface interface interface-type

The value defaults to 65533

Setting aging time for dynamic ARP entries

Enabling dynamic ARP entry check

Step Command Remarks

2. Enable dynamic ARP entry Optional

Enabling natural network support for ARP requests

Step Command Remarks

Displaying and maintaining ARP

Static ARP configuration example

# View information about static ARP entries.

Introduction to gratuitous ARP

Enabling learning of gratuitous ARP packets

Configuring periodic sending of gratuitous ARP packets

Configuring gratuitous ARP

Step Command Remarks

2. Enable learning of gratuitous Optional

Proxy ARP overview

Host A Switch Host B

Enabling proxy ARP

Step Command Remarks

2. Enter interface view. interface interface-type interface-number N/A

3. Enable proxy ARP. proxy-arp enable Disabled by default

Step Command Remarks

Displaying and maintaining proxy ARP

display local-proxy-arp [ interface

Proxy ARP configuration examples

# Enable proxy ARP on interface GigabitEthernet 3/1/1.

# Specify an IP address for interface GigabitEthernet 3/1/5.

# Enable proxy ARP on interface GigabitEthernet 3/1/5.