HUAWEI NetEngine80E/40E Router
V600R001C00
Configuration Guide - IP Services

Issue 03
Date 2010-03-31

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 03 (2010-03-31) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

About This Document

Purpose

This document describes multiple IP services supported by the NE80E/40E and basic configurations of IP addresses, ARP, DNS, DHCP, COPS, ANCP, IP performance, ACL, IPv6, ACL6, IPv6 over IPv4 tunnel, and IPv4 over IPv6 tunnel.

Related Versions

The following table lists the product versions related to this document.

Product Name: Version
HUAWEI NetEngine80E/40E Router: V600R001C00

Intended Audience

This document is intended for:
- Commissioning Engineer
- Data Configuration Engineer
- Network Monitoring Engineer
- System Maintenance Engineer

Organization

This document is organized as follows.

Chapter: Description
1 IP Addresses Configuration: This chapter describes the fundamentals of IP addresses, including their classes, methods and important characteristics. It also describes steps for configuring IP addresses and provides typical configuration examples.
2 ARP Configuration: This chapter describes the principle of ARP and steps for configuring ARP, and provides typical configuration examples.
3 DNS Configuration: This chapter describes the principle of DNS and steps for configuring DNS, and provides typical configuration examples.
4 DHCP Configuration: This chapter describes the principle of DHCP and steps for configuring DHCP, and provides typical configuration examples.
5 COPS Configuration: This chapter describes the principle of COPS and steps for configuring COPS, and provides typical configuration examples.
6 ANCP Configuration: This chapter describes the principle of ANCP and steps for configuring ANCP, and provides typical configuration examples.
7 IP Performance Configuration: This chapter describes basic concepts about IP performance and steps for configuring IP performance, and provides typical configuration examples.
8 ACL Configuration: This chapter describes basic concepts about ACL and steps for configuring ACL, and provides typical configuration examples.
9 Basic IPv6 Configuration: This chapter describes basic concepts about IPv6 and steps for configuring IPv6, and provides typical configuration examples.
10 IPv6 DNS Configuration: This chapter describes basic IPv6 applications and steps for configuring IPv6 applications, and provides typical configuration examples.
11 ACL6 Configuration: This chapter describes basic concepts about ACL6 and steps for configuring ACL6, and provides typical configuration examples.
12 IPv6 over IPv4 Tunnel Configuration: This chapter describes basic concepts about IPv6 over IPv4 tunnels and steps for configuring IPv6 over IPv4 tunnels, and provides typical configuration examples.
13 IPv4 over IPv6 Tunnel Configuration: This chapter describes basic concepts about IPv4 over IPv6 tunnels and steps for configuring IPv4 over IPv6 tunnels, and provides typical configuration examples.
A Glossary: This appendix collates frequently used glossaries in this document.
B Acronyms and Abbreviations: This appendix collates frequently used acronyms and abbreviations in this document.

Conventions

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol: Description
- Indicates a hazard with a high level of risk that, if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation that, if not avoided, could cause device damage, data loss, and performance degradation, or unexpected results.
- Provides additional information to emphasize or supplement important points of the main text.
- Indicates a tip that may help you solve a problem or save your time.

General Conventions

The general conventions that may be found in this document are defined as follows.

Convention: Description
Times New Roman: Normal paragraphs are in Times New Roman.
boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Terminal display is in Courier New.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention: Description
boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italic.
[]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... }*: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ]*: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: This parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention: Description
boldface: Buttons, menus, parameters, tabs, windows, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.

Format: Description
Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations

The mouse operations that may be found in this document are defined as follows.

Action: Description
Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 03 (2010-03-31)
Third commercial release.

Updates in Issue 02 (2009-12-10)
Second commercial release.

Updates in Issue 01 (2009-09-05)
Initial commercial release.
Contents

About This Document
1 IP Addresses Configuration
  1.1 IP Addresses Overview
    1.1.1 Introduction to IP Addresses
    1.1.2 Features of IP Addresses Supported by the NE80E/40E
  1.2 Configuring IP Addresses for Interfaces
    1.2.1 Establishing the Configuration Task
    1.2.2 Configuring a Primary IP Address for an Interface
    1.2.3 (Optional) Configuring a Secondary IP Address for an Interface
    1.2.4 Checking the Configuration
  1.3 Configuring IP Address Negotiation on Interfaces
    1.3.1 Establishing the Configuration Task
    1.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation
    1.3.3 Configuring a Client to Obtain an IP Address Through Negotiation
    1.3.4 Checking the Configuration
  1.4 Configuring IP Address Unnumbered for Interfaces
    1.4.1 Establishing the Configuration Task
    1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address
    1.4.3 Configuring an Interface That Borrows an IP Address from Another Interface
    1.4.4 Checking the Configuration
  1.5 Maintaining IP Addresses
    1.5.1 Monitoring Network Operation Status of IP Addresses
  1.6 Configuration Examples
    1.6.1 Example for Configuring Primary and Secondary IP Addresses
    1.6.2 Example for Obtaining an IP Address Through Negotiation
    1.6.3 Example for Configuring IP Address Unnumbered
    1.6.4 Example for Configuring IP Address Overlapping on the Same Device
    1.6.5 Example for Configuring an IP Address with a 31-bit Mask
2 ARP Configuration
  2.1 Introduction to ARP
    2.1.1 Overview of ARP
    2.1.2 Features of ARP Supported by the NE80E/40E
  2.2 Configuring Static ARP
    2.2.1 Establishing the Configuration Task
    2.2.2 Configuring Common Static ARP Entries
    2.2.3 Configuring Static ARP Entries in a VLAN
    2.2.4 Configuring Static ARP Entries in a VPN Instance
    2.2.5 Checking the Configuration
  2.3 Optimizing Dynamic ARP
    2.3.1 Establishing the Configuration Task
    2.3.2 Modify the aging parameters of dynamic ARP
    2.3.3 Enabling ARP Suppression Function
    2.3.4 Enabling Layer 2 Topology Detection Function
    2.3.5 Checking the Configuration
  2.4 Configuring Routed Proxy ARP
    2.4.1 Establishing the Configuration Task
    2.4.2 Configure an IP Addresses for the Interface
    2.4.3 Enabling the Routed Proxy ARP Function
    2.4.4 Checking the Configuration
  2.5 Configuring Proxy ARP Within a VLAN
    2.5.1 Establishing the Configuration Task
    2.5.2 Configure an IP Addresses for the Interface
    2.5.3 Configuring the VLAN Associated with the Sub-interface
    2.5.4 Enabling Proxy ARP Within a VLAN
    2.5.5 Checking the Configuration
  2.6 Configuring Proxy ARP Between VLANs
    2.6.1 Establishing the Configuration Task
    2.6.2 Configuring an IP Addresses for the Interface
    2.6.3 Configuring the VLAN Associated with the Sub-interface
    2.6.4 Enabling Proxy ARP Between VLANs
    2.6.5 Checking the Configuration
  2.7 Configuring ARPing-IP
    2.7.1 Establishing the Configuration Task
    2.7.2 Detecting the IP Address by Using the arp-ping ip Command
  2.8 Configuring ARPing-MAC
    2.8.1 Establishing the Configuration Task
    2.8.2 Detecting the MAC Address by Using the arp-ping mac Command
  2.9 Configuring the Association Between ARP and Interface Status
    2.9.1 Establishing the Configuration Task
    2.9.2 Configuring the Association Between ARP and Interface Status
    2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status
  2.10 Maintaining ARP
    2.10.1 Clearing ARP Statistics
    2.10.2 Monitoring Network Operation Status of ARP
  2.11 Configuration Examples
    2.11.1 Example for Configuring Routed Proxy ARP
    2.11.2 Example for Configuring Proxy ARP Within a VLAN
    2.11.3 Example for Configuring Proxy ARP Between VLANs
    2.11.4 Example for Configuring the Association Between ARP and Interface Status
    2.11.5 Example for Configuring Layer 2 Topology Detection
3 DNS Configuration
  3.1 DNS Overview
    3.1.1 Introduction to DNS
    3.1.2 DNS Supported by the NE80E/40E
  3.2 Configuring DNS
    3.2.1 Establishing the Configuration Task
    3.2.2 Configuring Static DNS Entries
    3.2.3 Configuring Dynamic DNS
    3.2.4 Checking the Configuration
  3.3 Maintaining DNS
    3.3.1 Clearing DNS Entries
    3.3.2 Monitoring Network Operation Status of DNS
  3.4 Configuration Examples
    3.4.1 Example for Configuring DNS
4 DHCP Configuration
  4.1 DHCP Overview
    4.1.1 Introduction to DHCP
    4.1.2 DHCP Supported by the NE80E/40E
  4.2 Configuring the Global Address Pool-based DHCP Server
    4.2.1 Establishing the Configuration Task
    4.2.2 Configuring the DHCP Global Address Pool
    4.2.3 Configure Static IP Address Binding
    4.2.4 Configuring DNS Services for the DHCP Client
    4.2.5 Configuring NetBIOS Services for the DHCP Client
    4.2.6 Configuring Egress Gateway for the DHCP Client
    4.2.7 Configuring DHCP Self-Defined Options
    4.2.8 Assigning IP Addresses in the Global Address Pool to the DHCP Clients on the Specified Interface
    4.2.9 Checking the Configuration
  4.3 Configuring the Interface Address Pool-based DHCP Server
    4.3.1 Establishing the Configuration Task
    4.3.2 Configuring the Interface Address Pool
    4.3.3 Configuring DNS on the Interface Address Pool
    4.3.4 Configuring NetBIOS on the Interface Address Pool
    4.3.5 Configuring DHCP Self-Defined Options
    4.3.6 Checking the Configuration
  4.4 Configuring the Sub-interface Address Pool-based DHCP Server
    4.4.1 Establishing the Configuration Task
    4.4.2 Enabling Address Pools on Sub-interfaces
    4.4.3 Configuring Address Pools on Ethernet Sub-interfaces
    4.4.4 Configuring DNS on Address Pools of Sub-interfaces
    4.4.5 Configuring NetBIOS on Address Pools of Sub-interfaces
    4.4.6 Configuring the DHCP Self-Defined Options for Address Pools of Sub-interfaces
    4.4.7 Checking the Configuration
  4.5 Configuring VLANIF Interface Address Pool-based DHCP Server
    4.5.1 Establishing the Configuration Task
    4.5.2 Enabling Address Pools on VLANIF Interfaces
    4.5.3 Configuring the Address Pool on the VLANIF Interface
    4.5.4 Configuring DNS on the Address Pool of the VLANIF Interface
    4.5.5 Configuring NetBIOS on the Address Pool of the VLANIF Interface
    4.5.6 Configuring DHCP Self-Defined Options for the Address Pool of the VLANIF Interface
    4.5.7 Checking the Configuration
  4.6 Configuring the Security Function for DHCP
    4.6.1 Establishing the Configuration Task
    4.6.2 Starting the Detection of the Pseudo DHCP Server on a DHCP Server
    4.6.3 Avoiding Repetitive IP Address Assignment
    4.6.4 Saving DHCP Data
    4.6.5 Restoring DHCP Data
    4.6.6 Checking the Configuration
  4.7 Configuring DHCP Relay
    4.7.1 Establishing the Configuration Task
    4.7.2 Configuring Relay
    4.7.3 Checking the Configuration
  4.8 Maintaining DHCP
    4.8.1 Resetting DHCP
    4.8.2 Releasing Conflicting IP Addresses
    4.8.3 (Optional) Requesting the DHCP Server to Release IP Addresses of the Client
    4.8.4 Clearing DHCP Statistics
    4.8.5 Monitoring Network Operation Status of DHCP
  4.9 Configuration Examples
    4.9.1 Example for Configuring the Global Address Pool-based DHCP Server
    4.9.2 Example for Configuring the Interface Address Pool-based DHCP Server
    4.9.3 Example for Configuring the Sub-interface Address Pool-based DHCP Server
    4.9.4 Example for Configuring the VLANIF Interface Address Pool-based DHCP Server
    4.9.5 Example for Configuring DHCP Relay
    4.9.6 Example for Configuring the DHCP Option Association
5 COPS Configuration
  5.1 COPS Overview
    5.1.1 Introduction to COPS
    5.1.2 COPS Features Supported by the NE80E/40E
  5.2 Configuring the COPS Server Group
    5.2.1 Establishing the Configuration Task
    5.2.2 Creating a COPS Server Group
    5.2.3 Configuring the COPS Server
    5.2.4 Setting the PEP ID for the COPS Server
    5.2.5 (Optional) Setting the Flow Keeping Time of the COPS Server
    5.2.6 (Optional) Setting the Shared Key of the COPS Server
    5.2.7 Activating the COPS Server Group
    5.2.8 Configuring the Global Parameters of COPS
    5.2.9 Checking the Configuration
  5.3 Configuration Examples
    5.3.1 Example for Configuring COPS Interfaces to Report Online and Offline Messages
6 ANCP Configuration
  6.1 ANCP Overview
    6.1.1 Introduction to the ANCP Protocol
    6.1.2 Applicable Environment
  6.2 Configuring the ANCP Server
    6.2.1 Establishing the Configuration Task
    6.2.2 Enabling ANCP
    6.2.3 Configuring the Source Interface of an ANCP Connection
    6.2.4 (Optional) Configuring Parameters of ANCP Sessions
    6.2.5 Configuring ANCP Neighbor Profiles
    6.2.6 (Optional) Configuring Bandwidth Adjustment Factors
    6.2.7 (Optional) Configuring ANCP Message Damping
    6.2.8 (Optional) Configuring ANCP OAM Detection
    6.2.9 (Optional) Adjusting the
Upstream and Downstream Bandwidths of a User Automatically..............6-12 6.2.10 Checking the Configuration...............................................................................................................6-12 6.3 Configuring the ANCP Proxy.......................................................................................................................6-14 6.3.1 Establishing the Configuration Task....................................................................................................6-14 6.3.2 Enabling ANCP....................................................................................................................................6-15 6.3.3 Configuring the Source Interface of an ANCP Connection.................................................................6-16 6.3.4 (Optional) Configuring Parameters of ANCP Sessions.......................................................................6-16 6.3.5 Configuring the ANCP Neighbor Profile.............................................................................................6-17 6.3.6 (Optional) Configuring Bandwidth Adjustment Factors......................................................................6-18 6.3.7 (Optional) Enabling the Function of Configuring ANCP Access Lines..............................................6-19 6.3.8 (Optional) Configuring ANCP Message Damping..............................................................................6-20 6.3.9 (Optional) Configuring ANCP OAM Detection..................................................................................6-21 6.3.10 Checking the Configuration...............................................................................................................6-22 6.4 Configuring the Association Between ANCP and HQoS in the ANCP Proxy Scenario..............................6-23 6.4.1 Establishing the Configuration 
Task....................................................................................................6-24 Issue 03 (2010-03-31) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. xiii HUAWEI NetEngine80E/40E Router Configuration Guide - IP Services Contents 6.4.2 Configuring the Mode of the Association Between ANCP and HQoS................................................6-25 6.4.3 Configuring the QoS Profile and Scheduling Parameters....................................................................6-25 6.4.4 Configuring the BRAS to Deliver the QoS Policy Name....................................................................6-26 6.4.5 Applying the QoS Profile to the Interface............................................................................................6-27 6.4.6 Enabling ANCP on the Interface and Associating the Interface with the ANCP Neighbor Profile .......................................................................................................................................................................6-27 6.4.7 Checking the Configuration.................................................................................................................6-28 6.5 Maintaining ANCP........................................................................................................................................6-30 6.5.1 Clearing ANCP Running Information..................................................................................................6-30 6.6 Configuration Examples................................................................................................................................6-30 6.6.1 Example for Configuring the ANCP Server........................................................................................ 
6-31 6.6.2 Configuring router as the ANCP Proxy and Configuring ANCP-HQoS Association.........................6-34 7 IP Performance Configuration.................................................................................................7-1 7.1 IP Performance Overview...............................................................................................................................7-2 7.1.1 Introduction to IP Performance..............................................................................................................7-2 7.1.2 IP Performance Supported by the NE80E/40E......................................................................................7-2 7.2 Improving IP Performance..............................................................................................................................7-3 7.2.1 Establishing the Configuration Task......................................................................................................7-3 7.2.2 Configuring the Maximum Transmission Unit of the Interface.............................................................7-4 7.2.3 Configuring ICMP Attributes.................................................................................................................7-5 7.2.4 Checking the Configuration...................................................................................................................7-5 7.3 Configuring TCP.............................................................................................................................................7-7 7.3.1 Establishing the Configuration Task......................................................................................................7-7 7.3.2 Configuring TCP Timer.........................................................................................................................7-8 7.3.3 Specifying the Size of a TCP Sliding 
Window......................................................................................7-8 7.3.4 Checking the Configuration...................................................................................................................7-9 7.4 Configuring Load Balancing for IP Packet Forwarding............................................................................... 7-10 7.4.1 Establishing the Configuration Task....................................................................................................7-10 7.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding........................................................7-11 7.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding.............................7-12 7.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding................................7-13 7.4.5 Checking the Configuration.................................................................................................................7-13 7.5 Maintaining IP Performance......................................................................................................................... 7-14 7.5.1 Clearing IP Performance Statistics.......................................................................................................7-14 7.5.2 Monitoring Network Operation Status of IP Performance...................................................................7-15 7.6 Configuration Examples................................................................................................................................7-16 7.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets..........................................7-16 7.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding........7-18 7.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding.............. 
7-24 8 ACL Configuration....................................................................................................................8-1 8.1 ACL Overview................................................................................................................................................8-2 8.1.1 Introduction to ACL...............................................................................................................................8-2 xiv Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. Issue 03 (2010-03-31) HUAWEI NetEngine80E/40E Router Configuration Guide - IP Services Contents 8.1.2 ACL Supported by the NE80E/40E.......................................................................................................8-2 8.2 Configuring an Interface-based ACL..............................................................................................................8-2 8.2.1 Establishing the Configuration Task......................................................................................................8-3 8.2.2 (Optional) Creating a Time Range.........................................................................................................8-3 8.2.3 Creating an Interface-based ACL...........................................................................................................8-4 8.2.4 (Optional) Configuring ACL Descriptions............................................................................................8-4 8.2.5 (Optional) Configuring ACL Step..........................................................................................................8-5 8.2.6 Checking the Configuration...................................................................................................................8-5 8.3 Configuring a Basic ACL................................................................................................................................8-6 8.3.1 Establishing the 
Configuration Task......................................................................................................8-6 8.3.2 (Optional) Creating a Time Range.........................................................................................................8-7 8.3.3 Creating a Basic ACL............................................................................................................................8-7 8.3.4 (Optional) Configuring ACL Descriptions............................................................................................8-8 8.3.5 (Optional) Configuring ACL Step..........................................................................................................8-8 8.3.6 Checking the Configuration...................................................................................................................8-9 8.4 Configuring an Advanced ACL....................................................................................................................8-10 8.4.1 Establishing the Configuration Task....................................................................................................8-10 8.4.2 (Optional) Creating a Time Range.......................................................................................................8-11 8.4.3 Creating an Advanced ACL.................................................................................................................8-11 8.4.4 (Optional) Configuring ACL Descriptions..........................................................................................8-12 8.4.5 (Optional) Configuring ACL Step........................................................................................................8-13 8.4.6 Checking the Configuration.................................................................................................................8-13 8.5 Configuring an ACL Based on the Ethernet Frame 
Header..........................................................................8-14 8.5.1 Establishing the Configuration Task....................................................................................................8-14 8.5.2 Creating an ACL Based on the Ethernet Frame Header......................................................................8-15 8.5.3 (Optional) Configuring ACL Descriptions..........................................................................................8-15 8.5.4 (Optional) Configuring ACL Step........................................................................................................8-16 8.5.5 Checking the Configuration.................................................................................................................8-16 8.6 Configuring an UCL......................................................................................................................................8-17 8.6.1 Establishing the Configuration Task....................................................................................................8-17 8.6.2 (Optional) Creating a Time Range.......................................................................................................8-18 8.6.3 Creating an UCL..................................................................................................................................8-18 8.6.4 (Optional) Configuring ACL Descriptions..........................................................................................8-19 8.6.5 (Optional) Configuring ACL Step........................................................................................................8-20 8.6.6 Checking the Configuration.................................................................................................................8-20 8.7 Configuring a Named ACL...........................................................................................................................8-21 
8.7.1 Establishing the Configuration Task....................................................................................................8-21 8.7.2 (Optional) Creating a Time Range.......................................................................................................8-22 8.7.3 Creating a Named ACL........................................................................................................................8-22 8.7.4 (Optional) Configuring named ACL Descriptions...............................................................................8-23 8.7.5 (Optional) Configuring named ACL Step............................................................................................8-24 8.7.6 Checking the Configuration.................................................................................................................8-24 Issue 03 (2010-03-31) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. xv HUAWEI NetEngine80E/40E Router Configuration Guide - IP Services Contents 8.8 Maintaining an ACL......................................................................................................................................8-25 8.8.1 Clearing ACL Statistics........................................................................................................................8-25 8.8.2 Monitoring Network Operation Status of ACL....................................................................................8-26 8.9 Configuration Examples................................................................................................................................8-26 8.9.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification.........................8-26 8.9.2 Example for Configuring the Security Function of Access Devices....................................................8-34 8.9.3 Example for Configuring an ACL Rule that Is Based on the VPN 
Instance....................................... 8-37 9 Basic IPv6 Configuration..........................................................................................................9-1 9.1 Basic IPv6 Overview.......................................................................................................................................9-2 9.1.1 Introduction to IPv6...............................................................................................................................9-2 9.1.2 IPv6 Supported by the NE80E/40E........................................................................................................9-2 9.2 Configuring an IPv6 Address for an Interface................................................................................................9-3 9.2.1 Establishing the Configuration Task......................................................................................................9-4 9.2.2 Enabling IPv6 Packet Forwarding Capability........................................................................................9-5 9.2.3 Configuring an IPv6 Link-Local Address for an Interface....................................................................9-6 9.2.4 Configuring an IPv6 Global Unicast Address for an Interface..............................................................9-6 9.2.5 Checking the Configuration...................................................................................................................9-7 9.3 Configuring IPv6 Neighbor Discovery...........................................................................................................9-8 9.3.1 Establishing the Configuration Task......................................................................................................9-8 9.3.2 Configuring Static Neighbors.................................................................................................................9-9 9.3.3 Enabling RA Message 
Advertising......................................................................................................9-10 9.3.4 Setting the Interval for Advertising RA Messages...............................................................................9-10 9.3.5 Enabling Stateful Auto Configuration..................................................................................................9-11 9.3.6 Configuring the Address Prefixes to Be Advertised............................................................................9-11 9.3.7 Configuring Other Information to Be Advertised................................................................................9-12 9.3.8 Checking the Configuration.................................................................................................................9-13 9.4 Configuring PMTU.......................................................................................................................................9-14 9.4.1 Establishing the Configuration Task....................................................................................................9-15 9.4.2 Creating Static PMTU Entries..............................................................................................................9-15 9.4.3 Configuring PMTU Aging Time..........................................................................................................9-16 9.4.4 Checking the Configuration.................................................................................................................9-16 9.5 Enabling the FIB Cache................................................................................................................................ 
9-17 9.5.1 Establishing the Configuration Task....................................................................................................9-17 9.5.2 Enabling the FIB Cache....................................................................................................................... 9-17 9.5.3 Checking the Configuration.................................................................................................................9-18 9.6 Configuring TCP6.........................................................................................................................................9-19 9.6.1 Establishing the Configuration Task....................................................................................................9-19 9.6.2 Configuring TCP6 Timers....................................................................................................................9-20 9.6.3 Configuring the Size of the TCP6 Sliding Window.............................................................................9-20 9.6.4 Checking the Configuration.................................................................................................................9-21 9.7 Maintaining IPv6...........................................................................................................................................9-22 9.7.1 Resetting IPv6......................................................................................................................................9-23 xvi Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
Issue 03 (2010-03-31) HUAWEI NetEngine80E/40E Router Configuration Guide - IP Services Contents 9.7.2 Monitoring Network Operation Status of IPv6....................................................................................9-23 9.8 Configuration Examples................................................................................................................................9-24 9.8.1 Example for Configuring an IPv6 Address for an Interface................................................................9-24 9.8.2 Example for Configuring IPv6 Neighbor Discovery...........................................................................9-27 10 IPv6 DNS Configuration......................................................................................................10-1 10.1 IPv6 DNS Overview....................................................................................................................................10-2 10.1.1 Introduction to IPv6 DNS..................................................................................................................10-2 10.1.2 IPv6 DNS Supported by the NE80E/40E...........................................................................................10-2 10.2 Configuring IPv6 DNS................................................................................................................................10-2 10.2.1 Establishing the Configuration Task..................................................................................................10-2 10.2.2 Configuring a Static IPv6 DNS Entry................................................................................................10-3 10.2.3 Configuring the Dynamic IPv6 DNS Services...................................................................................10-3 10.2.4 Checking the Configuration...............................................................................................................10-4 10.3 Maintaining IPv6 
DNS................................................................................................................................10-5 10.3.1 Clearing IPv6 DNS Entries................................................................................................................10-6 10.3.2 Monitoring Network Operation Status of IPv6 DNS.........................................................................10-6 10.4 Configuration Examples..............................................................................................................................10-6 10.4.1 Example for Configuring IPv6 DNS..................................................................................................10-7 11 ACL6 Configuration..............................................................................................................11-1 11.1 ACL6 Overview..........................................................................................................................................11-2 11.1.1 Introduction to ACL6.........................................................................................................................11-2 11.1.2 ACL6 Supported by the NE80E/40E.................................................................................................11-2 11.2 Configuring an Interfaced-based ACL6......................................................................................................11-2 11.2.1 Establishing the Configuration Task..................................................................................................11-2 11.2.2 (Optional) Configuring the Valid Time Range of ACL6...................................................................11-3 11.2.3 Creating an Interfaced-based ACL6...................................................................................................11-3 11.2.4 Checking the 
Configuration
11.3 Configuring a Basic ACL6
11.3.1 Establishing the Configuration Task
11.3.2 (Optional) Configuring the Valid Time Range of ACL6
11.3.3 Creating a Basic ACL6
11.3.4 Checking the Configuration
11.4 Configuring an Advanced ACL6
11.4.1 Establishing the Configuration Task
11.4.2 (Optional) Configuring the Valid Time Range of ACL6
11.4.3 Creating an Advanced ACL6
11.4.4 Checking the Configuration
11.5 Configuring a Named ACL6
11.5.1 Establishing the Configuration Task
11.5.2 (Optional) Configuring the Valid Time Range of ACL6
11.5.3 Creating a Named ACL6
11.5.4 Checking the Configuration
11.6 Maintaining ACL6
11.6.1 Clearing ACL6 Statistics
11.6.2 Monitoring Network Operation Status of ACL6
11.7 Configuration Examples
11.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets

12 IPv6 over IPv4 Tunnel Configuration
12.1 IPv6 over IPv4 Tunnel Overview
12.1.1 Introduction to IPv6 over IPv4
12.1.2 IPv6 over IPv4 Supported by the NE80E/40E
12.2 Configuring IPv4/IPv6 Dual Stacks
12.2.1 Establishing the Configuration Task
12.2.2 Enabling IPv6 Packet Forwarding
12.2.3 Configuring IPv4 and IPv6 Addresses for the Interface
12.3 Configuring an IPv6 over IPv4 Tunnel
12.3.1 Establishing the Configuration Task
12.3.2 Configuring an IPv6 over IPv4 Manual Tunnel
12.3.3 Configuring an IPv6 over IPv4 GRE Tunnel
12.3.4 Configuring an IPv6 over IPv4 Automatic Tunnel
12.3.5 Configuring a 6to4 Tunnel
12.3.6 Configuring an ISATAP Tunnel
12.3.7 Configuring Routes in the Tunnel
12.3.8 Checking the Configuration
12.4 Configuring 6PE
12.4.1 Establishing the Configuration Task
12.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks
12.4.3 Configuring MPLS
12.4.4 Enabling 6PE Peer
12.5 Maintaining IPv6 over IPv4 Tunnels
12.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel
12.6 Configuration Examples
12.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel
12.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel
12.6.3 Example for Configuring an IPv6 over IPv4 Automatic Tunnel
12.6.4 Example for Configuring a 6to4 Tunnel
12.6.5 Example for Configuring 6to4 Relay
12.6.6 Example for Configuring an ISATAP Tunnel
12.6.7 Example for Configuring 6PE

13 IPv4 over IPv6 Tunnel Configuration
13.1 IPv4 over IPv6 Tunnel Overview
13.1.1 Introduction to IPv4 over IPv6
13.1.2 IPv4 over IPv6 Supported by the NE80E/40E
13.2 Configuring an IPv4 over IPv6 Tunnel
13.2.1 Establishing the Configuration Task
13.2.2 Configuring a Tunnel Interface
13.2.3 Configuring Routes in the Tunnel
13.2.4 Configuring Other Items for an IPv4 over IPv6 Tunnel
13.2.5 Checking the Configuration
13.3 Maintaining IPv4 over IPv6 Tunnels
13.3.1 Monitoring the Operation Status of IPv4 over IPv6 Tunnel
13.4 Configuration Examples
13.4.1 Example for Configuring an IPv4 over IPv6 Tunnel

A Glossary
B Acronyms and Abbreviations

Figures

Figure 1-1 Configuring primary and secondary IP addresses for an interface
Figure 1-2 Networking diagram of allocating IP address through negotiation
Figure 1-3 Networking diagram of an IP address unnumbered configuration
Figure 1-4 Networking diagram of configuring IP address overlapping on the same device
Figure 1-5 Networking diagram of configuring an IP address with a 31-bit mask
Figure 2-1 Implementation procedure of ARP-Ping IP
Figure 2-2 Implementation procedure of ARP-Ping MAC
Figure 2-3 Schematic diagram of transmission device existing between devices
Figure 2-4 Networking diagram of configuring proxy ARP
Figure 2-5 Networking diagram of configuring proxy ARP in a VLAN
Figure 2-6 Networking diagram of configuring proxy ARP between VLANs
Figure 2-7 Networking diagram of configuring the association between ARP and interface status
Figure 2-8 Networking diagram of configuring Layer 2 topology detection
Figure 3-1 Networking diagram of DNS
Figure 4-1 Networking diagram of the DHCP server and the client that are in the same network segment
Figure 4-2 Networking diagram of the DHCP server based on the address pool on the interface
Figure 4-3 Networking diagram of the DHCP server based on the address pools on the sub-interfaces
Figure 4-4 Networking diagram of the DHCP server based on the address pool on the VLANIF interface
Figure 4-5 Networking diagram for configuring DHCP relay
Figure 4-6 Networking diagram of configuring the DHCP option association
Figure 5-1 Typical networking diagram of COPS configuration
Figure 6-1 Networking diagram of configuring an ANCP server
Figure 6-2 Networking diagram of configuring an ANCP proxy
Figure 6-3 Networking diagram of configuring the ANCP server
Figure 6-4 Networking diagram of configuring router as the ANCP proxy and configuring ANCP-HQoS association
Figure 7-1 Networking diagram of configuring ICMP host unreachable packets
Figure 7-2 Networking diagram of configuring UCMP
Figure 7-3 Networking diagram of configuring unequal-cost load balancing
Figure 8-1 Diagram for configuring a traffic policy based on the complex traffic classification
Figure 8-2 Networking of configuring the security function of access devices
Figure 8-3 Typical networking of configuring an ACL rule
Figure 9-1 Networking diagram of configuring an IPv6 address for an interface
Figure 9-2 Example for configuring IPv6 neighbor discovery
Figure 10-1 DNS server connecting IPv4 and IPv6 networks
Figure 10-2 Networking diagram of IPv6 DNS configurations
Figure 11-1 Networking diagram of configuring an ACL6 to filter IPv6 packets
Figure 12-1 Single stack and dual stack structures (Ethernet)
Figure 12-2 Schematic diagram of IPv6 over IPv4 tunnel
Figure 12-3 6to4 tunnel and 6to4 relay
Figure 12-4 ISATAP tunnel
Figure 12-5 Networking diagram of 6PE
Figure 12-6 Networking diagram of the IPv6 over IPv4 manual tunnel
Figure 12-7 Networking diagram of the IPv6 over IPv4 GRE tunnel
Figure 12-8 Networking diagram of the IPv6 over IPv4 automatic tunnel
Figure 12-9 Networking diagram of the 6to4 tunnel
Figure 12-10 Networking diagram of accessing the IPv6 network through 6to4 relay
Figure 12-11 Networking diagram of the ISATAP tunnel
Figure 12-12 Networking diagram of 6PE
Figure 13-1 Networking diagram of an IPv4 over IPv6 tunnel
Figure 13-2 Networking diagram of an IPv4 over IPv6 tunnel

1 IP Addresses Configuration

About This Chapter

This chapter describes the basic concepts and working mechanism of IP addresses.
It also describes the procedure for configuring IP addresses and provides typical configuration examples.

1.1 IP Addresses Overview
This section describes the concepts of IP addresses and how to use an IP address.

1.2 Configuring IP Addresses for Interfaces
This section describes how to configure IP addresses for interfaces.

1.3 Configuring IP Address Negotiation on Interfaces
This section describes how to configure the interface on the client to obtain an IP address from the server through PPP negotiation.

1.4 Configuring IP Address Unnumbered for Interfaces
This section describes how to configure an interface to borrow the IP address from other interfaces.

1.5 Maintaining IP Addresses
This section describes how to view IP address configurations.

1.6 Configuration Examples
This section provides several examples for configuring IP addresses.

1.1 IP Addresses Overview

This section describes the concepts of IP addresses and how to use an IP address.

1.1.1 Introduction to IP Addresses

To communicate with each other on Internet Protocol (IP) networks, each host must be assigned an IP address.

An IP address is a 32-bit number that is composed of two parts: the network ID and the host ID. The network ID identifies a network and the host ID identifies a host on the network. Hosts that have the same network ID are on the same network, regardless of their physical locations.

1.1.2 Features of IP Addresses Supported by the NE80E/40E

The NE80E/40E supports IP address configuration through the following methods:
• Manually configuring an IP address for an interface
• Obtaining an IP address through negotiation
• Borrowing an IP address from other interfaces

The NE80E/40E supports overlapping network segment addresses to save address space.
• Different IP addresses in overlapping network segments can be configured on different interfaces of the same device, provided that the addresses themselves are not the same. For example, after an interface on a device is configured with the IP address 20.1.1.1/16, if another interface is configured with the IP address 20.1.1.2/24, the system displays a prompt message but the configuration still succeeds; if another interface is configured with the IP address 20.1.1.2/16, the system reports an IP address conflict and the configuration fails.
• A primary IP address and a secondary IP address in overlapping network segments can be configured on the same interface, provided that the addresses themselves are not the same. For example, after the interface is configured with the primary IP address 20.1.1.1/24, if the secondary IP address is configured as 20.1.1.2/16 sub, the system displays a prompt message but the configuration still succeeds.
• A primary IP address and a secondary IP address in overlapping network segments can be configured on different interfaces of the same device. However, the primary IP address and the secondary IP address cannot be the same. For example, after an interface on a device is configured with the IP address 20.1.1.1/16, if another interface is configured with the IP address 20.1.1.2/24 sub, the system displays a prompt message but the configuration still succeeds.

The NE80E/40E supports 31-bit IP address masks. With a 31-bit mask, a network segment contains only two IP addresses, that is, the network address and the broadcast address, and both can be used as host addresses.
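The overlap rules and the 31-bit mask case above can be checked against an address plan before it is entered on the device, since an overlap is accepted with only a prompt. The following Python sketch is an added example, not Huawei code; the function names, the "unstated" verdict and the constructed address plan are assumptions, and it models only the cases the text spells out.

```python
"""Classify address pairs on one device using the overlap rules stated above."""
import ipaddress
from itertools import combinations


def classify(a, b, same_interface=False):
    """Return 'ok', 'warn', 'conflict' or 'unstated' for two addresses.

    a, b: strings such as '20.1.1.1/16' configured on the same device.
    """
    ia, ib = ipaddress.ip_interface(a), ipaddress.ip_interface(b)
    if ia.ip == ib.ip:
        return "conflict"        # identical addresses are never accepted
    if not ia.network.overlaps(ib.network):
        return "ok"              # unrelated network segments
    if ia.network.prefixlen != ib.network.prefixlen:
        return "warn"            # overlapping segments: prompt, still accepted
    # Same segment with the same mask length.
    if same_interface:
        return "unstated"        # the text gives no rule for this case
    return "conflict"            # e.g. 20.1.1.1/16, then 20.1.1.2/16 elsewhere


def audit(plan):
    """plan: list of (interface, 'ip/len') tuples for one device.

    Returns (verdict, first, second) for every pair that is not 'ok'.
    """
    findings = []
    for (if_a, a), (if_b, b) in combinations(plan, 2):
        verdict = classify(a, b, same_interface=(if_a == if_b))
        if verdict != "ok":
            findings.append((verdict, f"{if_a} {a}", f"{if_b} {b}"))
    return findings


def usable_addresses(cidr):
    """Addresses that can be given to hosts in a segment.

    With a 31-bit mask both addresses of the segment are usable.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return [str(x) for x in net]
    return [str(x) for x in net.hosts()]


# Constructed address plan (interface names and addresses are illustrative).
PLAN = [
    ("GE1/0/0", "20.1.1.1/16"),
    ("GE2/0/0", "20.1.1.2/24"),   # overlaps GE1/0/0 with a longer mask
    ("GE3/0/0", "20.1.1.3/16"),   # same segment and mask as GE1/0/0
    ("Pos1/0/0", "10.1.1.0/31"),  # 31-bit mask on a P2P link
]

if __name__ == "__main__":
    for verdict, first, second in audit(PLAN):
        print(f"{verdict:8} {first}  <->  {second}")
    print(usable_addresses("10.1.1.0/31"))
```

Pairs reported as "warn" are the ones the device accepts after a prompt, so they are the ones worth reviewing by hand.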

You can assign IP addresses with 31-bit masks to Point-to-Point (P2P), Point-to-Multipoint (P2MP), NBMA Address Resolution Protocol (NBMA), broadcast, and loopback interfaces. For non-P2P interfaces, if a 31-bit mask is configured, the system prompts for acknowledgement to protect P2MP or broadcast links.

For example, if an Ethernet interface on a device is assigned an IP address with a 31-bit mask, this device can access only the host in the directly connected subnet. It cannot access all hosts in the subnet. In the backbone network of a broadcast link, if a P2P link exists, you can configure IP addresses with 31-bit masks.

1.2 Configuring IP Addresses for Interfaces

This section describes how to configure IP addresses for interfaces.

1.2.1 Establishing the Configuration Task

Applicable Environment

To start IP services on an interface, configure the IP address for the interface. You can assign several IP addresses to each interface. Among them, one is the primary IP address and the others are secondary IP addresses.

Generally, you need to configure only a primary IP address for an interface. Secondary IP addresses, however, are required in some cases. For instance, when a device connects to a physical network through an interface, and computers on this network belong to two Class C networks, you need to configure a primary IP address and a secondary IP address for this interface to ensure that the device can communicate with all computers on this network.

Pre-configuration Tasks

Before configuring IP addresses for an interface, complete the following tasks:
• Configuring the physical parameters for the interface and ensuring that the physical layer status of the interface is Up
• Configuring the link layer parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure IP addresses for an interface, you need the following data.

No.  Data
1    Interface number
2    Primary IP address and subnet mask of the interface
3    (Optional) Secondary IP address and subnet mask of the interface

1.2.2 Configuring a Primary IP Address for an Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
    ip address ip-address { mask | mask-length }
A primary IP address is configured.
An interface has only one primary IP address. If the interface already has a primary IP address, the newly configured primary IP address replaces the original one.

----End

1.2.3 (Optional) Configuring a Secondary IP Address for an Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
    ip address ip-address { mask | mask-length } sub
A secondary IP address is configured.
A secondary IP address with a 31-bit mask can be configured for an interface.
You can configure a maximum of 255 secondary IP addresses on an interface.

----End

1.2.4 Checking the Configuration

Prerequisite

The configurations of the IP addresses for the interface are complete.

Procedure

• Run the display ip interface [ brief ] [ interface-type interface-number ] command to check the IP configuration on the interface.
• Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command to check interface information.

----End

Example

Run the display ip interface command to check that the physical status and link protocol status of the interface are Up.

    <HUAWEI> display ip interface brief gigabitethernet 1/1/0
    *down: administratively down
    !down: FIB overload down
    (l): loopback
    (s): spoofing
    Interface                 IP Address/Mask      Physical   Protocol
    GigabitEthernet1/1/0      172.16.13.2/24       up         up

Run the display interface command to check information about the IP address and subnet mask of the interface.

    <HUAWEI> display interface gigabitethernet 1/1/0
    GigabitEthernet1/1/0 current state : UP
    Line protocol current state : UP
    Last line protocol up time : 2007-11-16, 12:26:17
    Description : GigabitEthernet1/1/0 Interface
    The Maximum Transmit Unit is 1500 bytes
    Internet Address is 172.16.13.2/24
    Internet Address is 172.16.13.150/25 Sub
    Internet Address is 172.16.13.200/28 Sub
    IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc08-2b73
    Media type is twisted pair, loopback not set, promiscuous mode not set
    100Mbps-speed mode, full-duplex mode, link type is autonegotiation
    Last 300 seconds input rate 338 bits/sec, 0 packets/sec
    Last 300 seconds output rate 514 bits/sec, 0 packets/sec
    Input: 1065 packets, 1571513 bytes
      0 broadcasts, 1065 multicasts
      0 errors, 0 runts, 0 giants, 0 CRC,
      0 collisions, 0 align errors, 0 other errors
    Output:2866 packets, 2708571 bytes
      0 broadcasts, 2866 multicasts
      0 errors, 0 underruns, 0 collisions
      0 packets had been deferred
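When many interfaces have to be verified, the two checks above (both states Up, address and mask displayed) can be run over saved command output. The Python parser below is an added example, not Huawei code; the field names are assumptions, and the sample text is a trimmed copy of this page's outputs with assumed line breaks plus one constructed Down interface. It also accepts the "unnumbered, using address of" form that display interface prints for a borrowed address.

```python
"""Parse saved `display interface` output and apply the page's success checks."""
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TOKENS = [
    ("state", re.compile(r"(\S+) current state : (\w+)")),
    ("unnumbered", re.compile(
        r"Internet Address is unnumbered, using address of\s+(\S+?)"
        r"\(\s*(" + IP + r")/\s*(\d{1,2})\s*\)")),
    ("address", re.compile(
        r"Internet Address is (" + IP + r")/(\d{1,2})([ \t]+Sub\b)?")),
    ("link", re.compile(r"Link layer protocol is (\w+)")),
]


def parse_display_interface(text):
    """Return one dict per interface; works on wrapped or flattened text."""
    hits = [(m.start(), kind, m)
            for kind, rx in TOKENS for m in rx.finditer(text)]
    records, cur = [], None
    # Walk matches in document order so each one attaches to the interface
    # header that precedes it.
    for _, kind, m in sorted(hits, key=lambda h: h[0]):
        if kind == "state" and m.group(1) != "protocol":
            cur = {"name": m.group(1), "physical": m.group(2),
                   "protocol": None, "link": None, "primary": None,
                   "sub": [], "borrowed_from": None, "borrowed_addr": None}
            records.append(cur)
        elif cur is None:
            continue                         # text before the first header
        elif kind == "state":                # "Line protocol current state"
            cur["protocol"] = m.group(2)
        elif kind == "address":
            addr = f"{m.group(1)}/{m.group(2)}"
            if m.group(3):
                cur["sub"].append(addr)      # secondary address
            else:
                cur["primary"] = addr
        elif kind == "unnumbered":
            cur["borrowed_from"] = m.group(1)
            cur["borrowed_addr"] = f"{m.group(2)}/{m.group(3)}"
        elif kind == "link":
            cur["link"] = m.group(1)
    return records


def check(rec):
    """Problems that mean the configuration cannot be called successful."""
    problems = []
    if rec["physical"].upper() != "UP":
        problems.append("physical layer not Up")
    if (rec["protocol"] or "").upper() != "UP":
        problems.append("link protocol not Up")
    if not (rec["primary"] or rec["borrowed_from"]):
        problems.append("no IP address displayed")
    return problems


# Trimmed from the sample outputs on this page (line breaks assumed);
# the Pos2/0/0 entry is constructed to show a failing interface.
SAMPLE = """\
GigabitEthernet1/1/0 current state : UP
Line protocol current state : UP
Description : GigabitEthernet1/1/0 Interface
The Maximum Transmit Unit is 1500 bytes
Internet Address is 172.16.13.2/24
Internet Address is 172.16.13.150/25 Sub
Internet Address is 172.16.13.200/28 Sub
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc08-2b73
Pos6/0/0 current state : UP
Line protocol current state : UP
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is unnumbered, using address of GigabitEthernet3/0/9(120.1.1.1/
24)
Link layer protocol is PPP
Pos2/0/0 current state : DOWN
Line protocol current state : DOWN
"""

if __name__ == "__main__":
    for rec in parse_display_interface(SAMPLE):
        print(rec["name"], rec["primary"] or rec["borrowed_addr"],
              rec["sub"], check(rec) or "ok")
```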

1.3 Configuring IP Address Negotiation on Interfaces

This section describes how to configure the interface on the client to obtain an IP address from the server through PPP negotiation.

1.3.1 Establishing the Configuration Task

Applicable Environment

When devices are connected through a PPP link, the client interface can obtain its IP address from the server through PPP negotiation.

This usually applies when the client connects to the Internet Service Provider (ISP) to access the Internet through a PPP link such as dial-up. In this case, the ISP device assigns an IP address to the client through PPP negotiation.

Pre-configuration Tasks

Before configuring IP addresses for interfaces through PPP negotiation, complete the following tasks:
• Configuring physical parameters of the interface and the link layer protocol PPP on the server
• Configuring IP addresses for interfaces on the server and making the link layer protocol Up
• Configuring physical parameters on the interface and the link layer protocol PPP on the client

Data Preparation

To configure IP addresses for interfaces through PPP negotiation, you need the following data.

No.  Data
1    Number of the interface connecting the server to the client
2    ID of the address pool on the server or IP address assigned to the client
3    Range of IP addresses when an address pool is used
4    Number of the interface connecting the client to the server

1.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation

Context

Do as follows on the router functioning as a server:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

NOTE
If there is only one client, the address pool is unnecessary. In this case, skip Steps 2, 3, and 4, and do not use the keyword pool in Step 6. Instead, directly assign the specified IP address to the client.

Step 2 (Optional) Run:
    aaa
The AAA view is displayed.

Step 3 (Optional) Run:
    ip pool pool-number start-address [ end-address ]
The local IP address pool is configured.

Step 4 (Optional) Run:
    quit
Quit the AAA view.

Step 5 Run:
    interface interface-type interface-number
The interface view is displayed.
Obtaining an IP address through negotiation applies only to interfaces encapsulated with PPP.

Step 6 Run:
    remote address { ip-address | pool [ pool-number ] }
An IP address is assigned to the client.

Step 7 Run:
    restart
The interface is restarted.

----End

Postrequisite

During the preceding configuration, the address pool can also be configured in the domain view. For details, see the HUAWEI NetEngine80E/40E Router Configuration Guide - Security.
• If the server authenticates the client, the address is selected by default from the address pool of the domain that the client belongs to.
• If the server does not authenticate the client and needs to assign an IP address to the client, the address is selected from the system address pool.

The IP address or the address pool assigned to the peer must differ from the IP address of the local device.

1.3.3 Configuring a Client to Obtain an IP Address Through Negotiation

Context

Do as follows on the router working as a client:

Procedure

Step 1 Run:
    system-view
The system view is displayed.

Step 2 Run:
    interface interface-type interface-number
The interface view is displayed.
Obtaining an IP address through negotiation applies only to interfaces encapsulated with PPP.

Step 3 Run:
    ip address ppp-negotiate
The client is configured to obtain an IP address through negotiation.

----End

Postrequisite

If an interface without an IP address supports PPP while the remote peer is configured with an IP address, enable IP address negotiation on the local interface. This enables the local interface to obtain an IP address that is generated through PPP negotiation and is assigned by the remote peer.

When you configure an interface to obtain an IP address through negotiation, note the following:
• You can configure IP address negotiation only on a PPP-encapsulated interface. When the status of the PPP protocol is Down, the IP address generated through negotiation is deleted.
• After IP address negotiation is configured on the interface, you no longer need to configure an IP address for this interface. A new IP address is obtained through negotiation, and the original IP address configured before the IP address negotiation is deleted.
• You cannot configure a secondary IP address for an interface configured with IP address negotiation.
• If you re-configure negotiation on this interface, the IP address generated through the previous negotiation is deleted and a new IP address is obtained.
• If the address generated through negotiation is deleted, the interface is in the non-address state.

1.3.4 Checking the Configuration

Prerequisite

The configurations of IP address negotiation on interfaces are complete.

Procedure

• Run the display ip interface [ brief ] [ interface-type interface-number ] command to check the IP configuration on the interface.
• Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command to check interface information.

----End

Example

Run the display ip interface command to check that the physical status and link protocol status of the interface are Up.

    <HUAWEI> display ip interface brief gigabitethernet 1/1/0
    *down: administratively down
    !down: FIB overload down
    (l): loopback
    (s): spoofing
    Interface                 IP Address/Mask      Physical   Protocol
    GigabitEthernet1/1/0      192.168.1.10/24      up         up

Run the display interface command to check information about the IP address and subnet mask of the interface.

    <HUAWEI> display interface pos 1/0/0
    Pos1/0/0 current state : UP
    Line protocol current state : UP
    Last line protocol up time : 2007-11-07, 11:44:08
    Description : Pos1/0/0 Interface
    Route Port,The Maximum Transmit Unit is 4470 bytes, Hold timer is 10(sec)
    Internet Address is 192.168.1.10/24
    Link layer protocol is PPP
    LCP opened, IPCP opened
    The Vendor PN is FTRJ1321P1BTL
    Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
    WaveLength: 1310nm, Transmission Distance: 5km
    Rx Power: -2.81dBm, Tx Power: -1.91dBm
    Physical layer is Packet Over SDH
    Scramble enabled, clock master, CRC-32, loopback: none
    Flag J0 "NetEngine "
    Flag J1 "NetEngine "
    Flag C2 22(0x16)
    SDH alarm:
      section layer: none
      line layer: none
      path layer: none
    SDH error:
      section layer: B1 61575
      line layer: B2 12002824 REI 16835916
      path layer: B3 65535
    Statistics last cleared:never
    Last 300 seconds input rate 16 bits/sec, 0 packets/sec
    Last 300 seconds output rate 40 bits/sec, 0 packets/sec
    Input: 3510 packets, 57372 bytes
    Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket
    Output: 7270 packets, 344198 bytes
    Output error: 0 lostpackets
    Output error: 0 overrunpackets, 0 underrunpackets

1.4 Configuring IP Address Unnumbered for Interfaces

This section describes how to configure an interface to borrow the IP address from other interfaces.

1.4.1 Establishing the Configuration Task

Applicable Environment

To save IP address resources in some cases, configure IP address unnumbered on the interface. You can also perform this configuration for an interface that is used only occasionally, rather than letting the interface occupy an IP address constantly.

Restrictions on configuring IP address unnumbered on an interface are as follows:
• The interface that borrows the IP address cannot be an Ethernet interface.
• The interface that lends the IP address cannot itself borrow an IP address from another interface.
• Multiple interfaces can borrow the IP address from the lending interface.
• If the lending interface has multiple IP addresses, only the primary IP address can be lent.
• If an interface borrows an IP address from an interface that has no IP address, the borrower gets the IP address 0.0.0.0.
• The IP address of the virtual loopback interface can be borrowed by other interfaces.
  The loopback interface, however, cannot borrow the IP address from other interfaces.

Pre-configuration Tasks
Before configuring IP address unnumbered on an interface, complete the following tasks:
- Configuring physical attributes for the IP address borrower and lender
- Configuring link layer protocols for the IP address borrower and lender

Data Preparation
To configure IP address unnumbered on an interface, you need the following data.

No.  Data
1    Number, IP address, and mask of the interface that lends the IP address to other interfaces
2    Number of the interface that borrows an IP address from another interface

NOTE
The configuration here only describes how to configure an unnumbered interface to borrow an IP address. Dynamic routing protocols cannot be enabled on an interface without an IP address. Therefore, you need to manually configure a static route to the remote network segment to realize communication between devices.

1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address

Context
Do as follows on the router:

Procedure
Step 1 Run:
       system-view
       The system view is displayed.
Step 2 Run:
       interface interface-type interface-number
       The interface view is displayed.
Step 3 Run:
       ip address ip-address { mask | mask-length }
       The primary IP address of the interface is configured.
       An interface can also obtain the primary IP address through PPP negotiation.
----End

1.4.3 Configuring an Interface That Borrows an IP Address from Another Interface

Context
Do as follows on the router:

Procedure
Step 1 Run:
       system-view
       The system view is displayed.
Step 2 Run:
       interface interface-type interface-number
       The interface view is displayed.
Step 3 Run:
       ip address unnumbered interface interface-type interface-number
       The interface is configured to borrow an IP address from the specified interface.
       The ATM interface, tunnel interface, and the interface encapsulated with frame relay, PPP or HDLC can borrow the IP address from an Ethernet interface or other interfaces.
----End

1.4.4 Checking the Configuration

Prerequisite
The configurations of IP address unnumbered are complete.

Procedure
- Run the display ip interface [ brief ] [ interface-type interface-number ] command to check the IP configuration on the interface.
- Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command to check interface information.
----End

Example
Run the display ip interface command. If the physical status and link protocol status of the interface are Up, it means that the configuration succeeds.

Run the display interface command. If information about the IP address and mask of the interface is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display interface pos 6/0/0
Pos6/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2008-01-30, 12:06:08
Description: Pos6/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is unnumbered, using address of GigabitEthernet3/0/9(120.1.1.1/24)
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -7.19dBm, Tx Power: -5.76dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
SDH alarm:
  section layer: none
  line layer: none
  path layer: none
SDH error:
  section layer: B1 0
  line layer: B2 0 REI 1370245
  path layer: B3 0 REI 56395
Statistics last cleared:never
Last 300 seconds input rate 24 bits/sec, 0 packets/sec
Last 300 seconds output rate 24 bits/sec, 0 packets/sec
Input: 1420 packets, 23131 bytes
Input error: 2 shortpacket, 0 longpacket, 1 CRC, 0 lostpacket
Output: 1421 packets, 23150 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets

1.5 Maintaining IP Addresses
This section describes how to view IP address configurations.
1.5.1 Monitoring Network Operation Status of IP Addresses

1.5.1 Monitoring Network Operation Status of IP Addresses

Context
In routine maintenance, you can run the following commands in any view to check the operation of IP addresses.

Procedure
- Run the display ip interface [ brief ] [ interface-type interface-number ] command in any view to check the IP address configuration on the interface.
- Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command in any view to check information about the interface.
----End

1.6 Configuration Examples
This section provides several examples for configuring IP addresses.
1.6.1 Example for Configuring Primary and Secondary IP Addresses
1.6.2 Example for Obtaining an IP Address Through Negotiation
1.6.3 Example for Configuring IP Address Unnumbered
1.6.4 Example for Configuring IP Address Overlapping on the Same Device
1.6.5 Example for Configuring an IP Address with a 31-bit Mask
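For routine maintenance, the display interface output shown in this chapter can be checked by script. The following Python parser is an added example, not Huawei code; it reads the state lines, the three forms of the "Internet Address is" line (configured, unnumbered, negotiated) and the input error counters. The sample text is constructed and abridged, and the function names are assumptions of this example.

```python
import re
from ipaddress import ip_interface

# Constructed samples, abridged to the lines the parser reads, in the format
# of the display interface output shown in this chapter.
SAMPLE_UNNUMBERED = """\
Pos6/0/0 current state : UP
Line protocol current state : UP
Internet Address is unnumbered, using address of GigabitEthernet3/0/9(120.1.1.1/24)
Link layer protocol is PPP
Input: 1420 packets, 23131 bytes
Input error: 2 shortpacket, 0 longpacket, 1 CRC, 0 lostpacket
"""
SAMPLE_NEGOTIATED = """\
Pos1/0/0 current state : UP
Line protocol current state : UP
Internet Address is negotiated, 192.168.1.10/32
Link layer protocol is PPP
Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket
"""

NAME_RE = re.compile(r"^(\S+) current state : (\S.*?)\s*$", re.M)
PROTO_RE = re.compile(r"^Line protocol current state : (\S.*?)\s*$", re.M)
ERR_RE = re.compile(r"^Input error:\s*(.+)$", re.M)
# Tried in order; each tolerates whitespace after the slash of the mask length.
ADDR_PATTERNS = [
    ("unnumbered", re.compile(
        r"Internet Address is unnumbered, using address of\s+"
        r"(?P<lender>\S+?)\((?P<ip>[\d.]+)/\s*(?P<len>\d+)\)")),
    ("negotiated", re.compile(
        r"Internet Address is negotiated,\s*(?P<ip>[\d.]+)/\s*(?P<len>\d+)")),
    ("configured", re.compile(
        r"Internet Address is (?P<ip>[\d.]+)/\s*(?P<len>\d+)")),
]


def parse_display_interface(text):
    """Return the interface name, states, addressing mode and error counters."""
    name = NAME_RE.search(text)
    proto = PROTO_RE.search(text)
    if not name or not proto:
        raise ValueError("text does not look like display interface output")
    rec = {"name": name.group(1), "physical": name.group(2),
           "protocol": proto.group(1), "mode": None, "address": None,
           "lender": None, "input_errors": {}}
    for mode, pattern in ADDR_PATTERNS:
        m = pattern.search(text)
        if m:
            rec["mode"] = mode
            rec["address"] = ip_interface(f"{m['ip']}/{m['len']}")
            rec["lender"] = m.groupdict().get("lender")
            break
    err = ERR_RE.search(text)
    if err:
        rec["input_errors"] = {
            counter: int(count)
            for count, counter in re.findall(r"(\d+)\s+(\w+)", err.group(1))
        }
    return rec


def findings(rec):
    """List the points an operator would want to look at for one interface."""
    out = []
    if rec["physical"] != "UP" or rec["protocol"] != "UP":
        out.append(f"state {rec['physical']}/{rec['protocol']}")
    if rec["mode"] is None:
        out.append("no IP address line found")
    elif rec["mode"] == "unnumbered":
        out.append(f"borrows {rec['address']} from {rec['lender']}")
    elif rec["mode"] == "negotiated":
        out.append(f"address {rec['address']} assigned by PPP peer")
    for counter, count in rec["input_errors"].items():
        if count:
            out.append(f"{count} {counter} input errors")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_UNNUMBERED, SAMPLE_NEGOTIATED):
        record = parse_display_interface(sample)
        print(record["name"], findings(record))
```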

1.6.1 Example for Configuring Primary and Secondary IP Addresses

Networking Requirements
As shown in Figure 1-1, GE 1/0/1 of the device connects to a LAN in which computers belong to one of the two network segments: 172.16.1.0/24 and 172.16.2.0/24. It is required that the device can communicate with the two network segments. At the same time, the hosts of the two network segments cannot communicate with each other.

Figure 1-1 Configuring primary and secondary IP addresses for an interface
(Router GE1/0/1: 172.16.1.1/24 and 172.16.2.1/24 sub; attached network segments 172.16.1.0/24 and 172.16.2.0/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Analyze the address of the network segment to which the interface connects.
2. Configure the primary IP address for the interface and then configure one or more secondary IP addresses for the interface.

NOTE
A primary IP address and a secondary IP address that are in overlapping but not identical network segments can be configured on the same interface. The secondary IP addresses of an interface cannot be in the same network segment.

Data Preparation
To complete the configuration, you need the following data:
- Primary IP address and subnet mask of the interface
- Secondary IP address and subnet mask of the interface

Procedure
Step 1 Configure the device.
# Configure the primary and secondary IP addresses for GE 1/0/1 of the device.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 172.16.1.1 255.255.255.0
[Router-GigabitEthernet1/0/1] ip address 172.16.2.1 255.255.255.0 sub
[Router-GigabitEthernet1/0/1] undo shutdown
[Router-GigabitEthernet1/0/1] quit

Step 2 Verify the configuration.
# Ping the host on the network segment 172.16.1.0 from the device. The ping succeeds.
[Router] ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms

# Ping the host on the segment 172.16.2.0 from the device. The ping succeeds.
[Router] ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms

# The hosts of the two network segments cannot ping through each other.
----End

Configuration Files
The following lists the configuration file of the device:
#
 sysname Router
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.1.1 255.255.255.0
 ip address 172.16.2.1 255.255.255.0 sub
#
return

1.6.2 Example for Obtaining an IP Address Through Negotiation

Networking Requirements
As shown in Figure 1-2, Router A allocates an IP address for POS 1/0/0 on Router B through PPP negotiation.

Figure 1-2 Networking diagram of allocating IP address through negotiation
(RouterA POS 1/0/0 192.168.1.1/24 connects to RouterB POS 1/0/0; each router also attaches to an Ethernet)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local IP address pool.
2. Configure an IP address for the local interface.
3. Specify an IP address or address pool for the remote end.
4. Enable obtaining an IP address through negotiation on the remote end.

Data Preparation
To complete the configuration, you need the following data:
- IP address and subnet mask of the local interface
- The range of the IP address to be allocated to the remote end

Procedure
Step 1 Configure Router A.
# Configure a local IP address pool.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] aaa
[RouterA-aaa] ip pool 1 192.168.1.10 192.168.1.20
[RouterA-aaa] quit
# Configure an IP address for POS 1/0/0.
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 192.168.1.1 255.255.255.0
# Configure POS 1/0/0 to allocate an IP address to the remote end.
[RouterA-Pos1/0/0] remote address pool 1
[RouterA-Pos1/0/0] shutdown
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit

Step 2 Configure Router B.
# Enable obtaining an IP address of the interface through PPP negotiation.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address ppp-negotiate
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

Step 3 Verify the configuration.
Router B can ping through POS 1/0/0 on Router A.
[RouterB] ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=156 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=63 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=62 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=63 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=63 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/81/156 ms

# View the status of POS 1/0/0 on Router B.
[RouterB] display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-12-07, 17:12:39
Description : Pos1/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is negotiated, 192.168.1.10/32
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -2.81dBm, Tx Power: -1.91dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
SDH alarm:
  section layer: none
  line layer: none
  path layer: none
SDH error:
  section layer: B1 61575
  line layer: B2 12002824 REI 16835916
  path layer: B3 65535
Statistics last cleared:never
Last 300 seconds input rate 16 bits/sec, 0 packets/sec
Last 300 seconds output rate 40 bits/sec, 0 packets/sec
Input: 3510 packets, 57372 bytes
Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket
Output: 7270 packets, 344198 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets

If the information "Internet Address is negotiated, 192.168.1.10/32" is displayed, it means that the address negotiation succeeds.
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
aaa
 ip pool 1 192.168.1.10 192.168.1.20
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 remote address pool 1
 ip address 192.168.1.1 255.255.255.0
#
return

- Configuration file of Router B
#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address ppp-negotiate
#
return

1.6.3 Example for Configuring IP Address Unnumbered

Networking Requirements
As shown in Figure 1-3, an enterprise builds its intranet through the ISDN. Router A and Router B connect to a local LAN through the GE interfaces. The devices connect to each other through the dialing ports. Each device connects to the LAN through GE 1/0/0 and connects to the ISDN through POS 2/0/0. To save IP address resources, the dialing ports are planned to borrow the IP addresses from the GE interfaces.

Figure 1-3 Networking diagram of an IP address unnumbered configuration
(RouterA GE1/0/0 172.16.10.1/24 and RouterB GE1/0/0 172.16.20.1/24 each attach to an Ethernet; POS 2/0/0 on each router connects to the ISDN)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses to be borrowed.
2. Configure the interfaces to borrow IP addresses from other interfaces.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the interface that lends an IP address
- Number of the interface that lends an IP address

Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 172.16.10.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Configure the POS interface to borrow an IP address from the GE interface.
[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[RouterA-Pos2/0/0] link-protocol ppp
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit
# Configure an Ethernet route to Router B.
[RouterA] ip route-static 172.16.20.0 255.255.255.0 pos 2/0/0

Step 2 Configure Router B.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 172.16.20.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
# Configure the POS interface to borrow an IP address from the GE interface.
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[RouterB-Pos2/0/0] link-protocol ppp
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit
# Configure an Ethernet route to Router A.
[RouterB] ip route-static 172.16.10.0 255.255.255.0 pos 2/0/0

Step 3 Verify the configuration.
# Router A can ping through the address of the host connected to Router B.
[RouterA] ping 172.16.20.2
PING 172.16.20.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.20.2: bytes=56 Sequence=1 ttl=254 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=2 ttl=254 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=3 ttl=254 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=4 ttl=254 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=5 ttl=254 time=26 ms
--- 172.16.20.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.16.10.1 255.255.255.0
#
 ip route-static 172.16.20.0 255.255.255.0 Pos2/0/0
#
return

- Configuration file of Router B
#
 sysname RouterB
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.16.20.1 255.255.255.0
#
 ip route-static 172.16.10.0 255.255.255.0 Pos2/0/0
#
return

1.6.4 Example for Configuring IP Address Overlapping on the Same Device

Networking Requirements
As shown in Figure 1-4, Network A and Network B are independent from each other. They access the Internet through different paths. Using the same Layer 2 network provided by ISP 1, Network A and Network B can access each other. It is required to use Router B to connect Network A and Network B to the Layer 2 network provided by ISP 1 by using the IP addresses 192.168.1.11/24 and 192.168.1.12/24.

Figure 1-4 Networking diagram of configuring IP address overlapping on the same device
(RouterA, AS 100: GE1/0/0 192.168.1.1/24, attached to the Layer 2 network of ISP1. RouterB, AS 200: GE1/0/0 192.168.1.11/24 in r1, GE3/0/0 192.168.1.12/24 in r2, POS2/0/0 10.1.1.1/24, POS4/0/0 20.1.1.1/24. RouterC in Network A: POS2/0/0 10.1.1.2/24. RouterD in Network B: POS4/0/0 20.1.1.2/24)

Procedure
Step 1 Configure a VPN instance.
# On Router B, create a VPN instance for Network A, and bind the VPN instance to the upstream interface GE 1/0/0 and the downstream interface POS 2/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip vpn-instance r1
[RouterB-vpn-instance-r1] route-distinguisher 100:1
[RouterB-vpn-instance-r1] quit
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip binding vpn-instance r1
[RouterB-GigabitEthernet1/0/0] ip address 192.168.1.11 24
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip binding vpn-instance r1
[RouterB-Pos2/0/0] ip address 10.1.1.1 24
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit
# On Router B, create a VPN instance for Network B, and bind the VPN instance to the upstream interface GE 3/0/0 and the downstream interface POS 4/0/0.
[RouterB] ip vpn-instance r2
[RouterB-vpn-instance-r2] route-distinguisher 100:2
[RouterB-vpn-instance-r2] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] ip binding vpn-instance r2
[RouterB-GigabitEthernet3/0/0] ip address 192.168.1.12 24
[RouterB-GigabitEthernet3/0/0] undo shutdown
[RouterB-GigabitEthernet3/0/0] quit
[RouterB] interface pos 4/0/0
[RouterB-Pos4/0/0] ip binding vpn-instance r2
[RouterB-Pos4/0/0] ip address 20.1.1.1 24
[RouterB-Pos4/0/0] undo shutdown
[RouterB-Pos4/0/0] quit
# On Router B, configure static routes for the two VPN instances.
[RouterB] ip route-static vpn-instance r1 0.0.0.0 0 192.168.1.1
[RouterB] ip route-static vpn-instance r2 0.0.0.0 0 192.168.1.1

Step 2 Set up the EBGP neighbor relationship between Router A and the two upstream interfaces on Router B respectively.
# Configure Router B.
[RouterB] bgp 200
[RouterB-bgp] router-id 100.1.1.1
[RouterB-bgp] ipv4-family vpn-instance r1
[RouterB-bgp-r1] peer 192.168.1.1 as-number 100
[RouterB-bgp-r1] import-route direct
[RouterB-bgp-r1] quit
[RouterB-bgp] ipv4-family vpn-instance r2
[RouterB-bgp-r2] peer 192.168.1.1 as-number 100
[RouterB-bgp-r2] import-route direct
[RouterB-bgp-r2] quit
# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] bgp 100
[RouterA-bgp] peer 192.168.1.11 as-number 200
[RouterA-bgp] peer 192.168.1.12 as-number 200
[RouterA-bgp] quit

Step 3 Configure IP addresses and static routes for Router C and Router D on the local network.
# Configure the IP address and static route for Router C.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] interface pos 2/0/0
[RouterC-Pos2/0/0] ip address 10.1.1.2 24
[RouterC-Pos2/0/0] undo shutdown
[RouterC-Pos2/0/0] quit
[RouterC] ip route-static 0.0.0.0 0 10.1.1.1
# Configure the IP address and static route for Router D.
<HUAWEI> system-view
[HUAWEI] sysname RouterD
[RouterD] interface pos 4/0/0
[RouterD-Pos4/0/0] ip address 20.1.1.2 24
[RouterD-Pos4/0/0] undo shutdown
[RouterD-Pos4/0/0] quit
[RouterD] ip route-static 0.0.0.0 0 20.1.1.1

Step 4 Verify the configuration.
# After the configurations, view the private routing table on Router B.
The routes of the two local networks connected to Router B belong to two VPN instances (r1 and r2) respectively. This indicates that the routes are isolated.
[RouterB] display ip routing-table vpn-instance r1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: r1
         Destinations : 6        Routes : 6
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
0.0.0.0/0           Static  60   0     RD     192.168.1.1     GigabitEthernet1/0/0
10.1.1.0/24         Direct  0    0     D      10.1.1.1        Pos2/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.1.1.2/32         Direct  0    0     D      10.1.1.2        Pos2/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.11    GigabitEthernet1/0/0
192.168.1.11/32     Direct  0    0     D      127.0.0.1       InLoopBack0

[RouterB] display ip routing-table vpn-instance r2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: r2
         Destinations : 6        Routes : 6
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
0.0.0.0/0           Static  60   0     RD     192.168.1.1     GigabitEthernet3/0/0
20.1.1.0/24         Direct  0    0     D      20.1.1.1        Pos4/0/0
20.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
20.1.1.2/32         Direct  0    0     D      20.1.1.2        Pos4/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.12    GigabitEthernet3/0/0
192.168.1.12/32     Direct  0    0     D      127.0.0.1       InLoopBack0

# Run the display ip routing-table command on Router A. The command output shows that the public routing table on Router A contains routes to the two local networks.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/24         BGP     255  0     D      192.168.1.11    GigabitEthernet1/0/0
10.1.1.2/32         BGP     255  0     D      192.168.1.11    GigabitEthernet1/0/0
20.1.1.0/24         BGP     255  0     D      192.168.1.12    GigabitEthernet1/0/0
20.1.1.2/32         BGP     255  0     D      192.168.1.12    GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.1.0/24      Direct  0    0     D      192.168.1.1     GigabitEthernet1/0/0
192.168.1.1/32      Direct  0    0     D      127.0.0.1       InLoopBack0

Network A and Network B can ping through each other.
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
bgp 100
 peer 192.168.1.11 as-number 200
 peer 192.168.1.12 as-number 200
 #
 ipv4-family unicast
  undo synchronization
  peer 192.168.1.11 enable
  peer 192.168.1.12 enable
#
return

- Configuration file of Router B
#
 sysname RouterB
#
ip vpn-instance r1
 route-distinguisher 100:1
#
ip vpn-instance r2
 route-distinguisher 100:2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance r1
 ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance r2
 ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r1
 ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r2
 ip address 20.1.1.1 255.255.255.0
#
bgp 200
 router-id 100.1.1.1
 #
 ipv4-family unicast
  undo synchronization
 #
 ipv4-family vpn-instance r1
  peer 192.168.1.1 as-number 100
  import-route direct
 #
 ipv4-family vpn-instance r2
  peer 192.168.1.1 as-number 100
  import-route direct
#
 ip route-static vpn-instance r1 0.0.0.0 0.0.0.0 192.168.1.1
 ip route-static vpn-instance r2 0.0.0.0 0.0.0.0 192.168.1.1
#
return

- Configuration file of Router C
#
 sysname RouterC
#
interface pos 2/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return

- Configuration file of Router D
#
 sysname RouterD
#
interface pos 4/0/0
 link-protocol ppp
 undo shutdown
 ip address 20.1.1.2 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
#
return

1.6.5 Example for Configuring an IP Address with a 31-bit Mask

Networking Requirements
As shown in Figure 1-5, Router A and Router B are connected through a PPP link.

Figure 1-5 Networking diagram of configuring an IP address with a 31-bit mask
(RouterA POS1/0/0 10.1.1.1/31 connects to RouterB POS1/0/0 10.1.1.0/31)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router A.
2. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router B.

Data Preparation
To complete the configuration, you need the following data:
- IP address and mask of POS 1/0/0 on Router A
- IP address and mask of POS 1/0/0 on Router B

Procedure
Step 1 Configure an IP address for each interface.
# Configure an IP address for POS 1/0/0 on Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 10.1.1.1 31
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
# Configure an IP address for POS 1/0/0 on Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 10.1.1.0 31
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

Step 2 Verify the configuration.
# After the preceding configurations, check the routing table on Router A. In the routing table, the network address and the broadcast address of the network segment are both used as host addresses.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/31         Direct  0    0     D      10.1.1.1        Pos1/0/0
10.1.1.0/32         Direct  0    0     D      10.1.1.0        Pos1/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0

# After the preceding configurations, check the routing table on Router B. In the routing table, the network address and the broadcast address of the network segment are both used as host addresses.
[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/31         Direct  0    0     D      10.1.1.0        Pos1/0/0
10.1.1.0/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.1.1.1/32         Direct  0    0     D      10.1.1.1        Pos1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.1.1 255.255.255.254
#
return

- Configuration file of Router B
#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.1.0 255.255.255.254
#
return

2 ARP Configuration

About This Chapter
This chapter describes the principle of ARP and the procedure for configuring ARP, and provides typical configuration examples.

2.1 Introduction to ARP
This section describes the basic principle and concepts of the Address Resolution Protocol (ARP).
2.2 Configuring Static ARP
This section describes how to configure static ARP.
2.3 Optimizing Dynamic ARP
2.4 Configuring Routed Proxy ARP
This section describes how to configure routed proxy ARP to make different sub-networks communicate with each other.
2.5 Configuring Proxy ARP Within a VLAN
This section describes how to implement communication between hosts in the same VLAN configured with user isolation.
2.6 Configuring Proxy ARP Between VLANs
This section describes how to implement communication between hosts in different VLANs.
2.7 Configuring ARPing-IP
This section describes how to configure ARPing-IP.
2.8 Configuring ARPing-MAC
This section describes how to configure ARPing-MAC.
2.9 Configuring the Association Between ARP and Interface Status This section describes how to control the protocol status of the interface through ARP probes. 2.10 Maintaining ARP This section describes how to display ARP configurations, clear ARP statistics and debug ARP. 2.11 Configuration Examples Issue 03 (2010-03-31) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 2-1 HUAWEI NetEngine80E/40E Router Configuration Guide - IP Services 2 ARP Configuration This section provides some configurations example, such as Routed Proxy ARP, Proxy ARP Within a VLAN and Proxy ARP Between VLANs. 2-2 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. Issue 03 (2010-03-31) HUAWEI NetEngine80E/40E Router Configuration Guide - IP Services 2 ARP Configuration 2.1 Introduction to ARP This section describes the basic principle and concepts of the Address Resolution Protocol (ARP). 2.1.1 Overview of ARP 2.1.2 Features of ARP Supported by the NE80E/40E 2.1.1 Overview of ARP Each host or device on the Local Area Network (LAN) has a 32-bit IP address to communicate with others. The assigned IP address is independent of the hardware address. On the Ethernet, a host or a device transmits and receives Ethernet frames according to a 48-bit Medium Access Control (MAC) address. The MAC address is also called the physical address or the hardware address, which is assigned to an Ethernet interface when an equipment is produced. Therefore, on an interconnected network, an address resolution mechanism is required to provide the mapping between MAC addresses and IP addresses. The Address Resolution Protocol (ARP) maps an IP address to the corresponding MAC address. 2.1.2 Features of ARP Supported by the NE80E/40E ARP is classified into dynamic ARP and static ARP. The NE80E/40E supports dynamic ARP, static ARP, and proxy ARP. Introduction to ARPing ARPing consists of ARP-Ping IP and ARP-Ping MAC. 
ARPing is developed to maintain the deployed Layer 2 features.

Introduction to ARP-Ping IP

ARP-Ping IP uses ARP packets to check whether an IP address is used by another device on the LAN.

Before configuring an IP address for a device, you need to check, by sending ARP packets, that the IP address is not used by another device on the network. You can also run the ping command to check whether the IP address is used by another device on the network. However, if the destination host or device is enabled with a firewall function that does not reply to Ping packets, no reply is returned and the IP address is taken to be not in use. ARP is a Layer 2 protocol, and in most cases ARP packets can pass through the firewall, so the preceding situation does not occur.

Principles of ARP-Ping IP

ARP-Ping IP sends ARP Request packets. The following describes how to implement ARP-Ping IP:

1. After setting the specified IP address through command lines, you can send ARP Request packets and start the timeout timer.
2. After receiving an ARP Request packet, each device or host on the LAN replies with an ARP Reply packet.
3. After receiving the ARP Reply packet, the source device compares the source IP address contained in the Reply packet with the IP address input in the command line. If they are consistent, the MAC address corresponding to the input IP address is displayed and the timeout timer of ARP Reply packets is disabled. The operation finishes.

If the timeout timer of ARP Reply packets times out, it means that the IP address is not in use.

As shown in Figure 2-1, Router A and Gigabitethernet A are directly connected. You can run the arp-ping ip command on Router A to check whether the IP address 10.1.1.2 is in use.
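The request, comparison and timeout steps above can be traced offline with the following Python code. It is an example added here, not code from the Huawei guide or the router software; the IP addresses follow the arp-ping ip 10.1.1.2 scenario, while the MAC addresses, arrival times and function names are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    """Convert the xxxx-xxxx-xxxx notation used in this guide to 6 bytes."""
    raw = bytes.fromhex(mac.replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits")
    return raw


def bytes_to_mac(raw):
    text = raw.hex()
    return "-".join(text[i:i + 4] for i in range(0, 12, 4))


def ip_to_bytes(ip):
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("an IPv4 address is four octets")
    return bytes(octets)


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by an ARP payload for IPv4 over Ethernet."""
    eth = (mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac)
           + struct.pack("!H", ETHERTYPE_ARP))
    fixed = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype ptype hlen plen op
    return (eth + fixed + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def build_request(sender_mac, sender_ip, target_ip):
    """Step 1: broadcast request; the target MAC is unknown, so it is zero."""
    return build_arp(ARP_REQUEST, "ffff-ffff-ffff", sender_mac, sender_ip,
                     "0000-0000-0000", target_ip)


def parse_arp(frame):
    """Return the ARP fields, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None  # truncated: 14-byte Ethernet header + 28-byte ARP payload
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def arp_ping_ip(target_ip, received, timeout):
    """Step 3: return the MAC that answered for target_ip, or None on timeout.

    received is an iterable of (seconds_since_request, frame_bytes).
    """
    for arrival, frame in sorted(received, key=lambda item: item[0]):
        if arrival > timeout:
            break  # timer expired before a matching reply arrived
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["sender_ip"] == target_ip:
            return arp["sender_mac"]  # address is in use; the timer is stopped
    return None  # no matching reply: the address is not in use


# Constructed sample data: IP addresses follow the scenario above, MACs are made up.
ROUTER_A = ("00e0-fc00-0101", "10.1.1.1")
HOST_A = ("0000-5e00-5302", "10.1.1.2")
HOST_B = ("0000-5e00-5303", "10.1.1.3")

REQUEST = build_request(ROUTER_A[0], ROUTER_A[1], "10.1.1.2")
RECEIVED = [
    (0.05, b"\x00" * 20),                                           # runt frame
    (0.10, build_arp(ARP_REPLY, ROUTER_A[0], *HOST_B, *ROUTER_A)),  # unrelated reply
    (0.20, build_request(HOST_B[0], HOST_B[1], "10.1.1.2")),        # request, not reply
    (0.30, build_arp(ARP_REPLY, ROUTER_A[0], *HOST_A, *ROUTER_A)),  # the answer
]

if __name__ == "__main__":
    print("10.1.1.2 ->", arp_ping_ip("10.1.1.2", RECEIVED, timeout=1.0))
    print("10.1.1.9 ->", arp_ping_ip("10.1.1.9", RECEIVED, timeout=1.0))
```

Only a frame that is a well-formed ARP Reply and whose sender IP equals the queried address ends the probe; malformed frames, requests and replies from other addresses are skipped, and a reply that arrives after the timer has expired is treated the same as no reply.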
Figure 2-1 Implementation procedure of ARP-Ping IP
[Figure: RouterA (GE1/0/0, 10.1.1.1/24) connected through Gigabitethernet A to Host A (10.1.1.2/32) and Host B (10.1.1.3/32)]

Run the arp-ping ip 10.1.1.2 command on Router A. After receiving the ARP Reply packet from Host A 10.1.1.2 on the network, Router A displays the MAC address of Host A.

Through the command output, you can know whether the IP address is used by another host on the network.

NOTE
The arp-ping ip command is applicable to an outgoing interface of one of the following types: Gigabit Ethernet interface, Eth-Trunk interface, VLANIF interface, member interface of the VLANIF interface, and Ethernet interface (including the Layer 2 interfaces into which these interfaces are switched).

Introduction to ARP-Ping MAC

ARP-Ping MAC uses ICMP packets to check whether a MAC address is used by another device on the LAN.

When you know a specific MAC address on a network segment but do not know the corresponding IP address, you can obtain the IP address corresponding to the MAC address by sending broadcast Internet Control Message Protocol (ICMP) packets through ARP-Ping MAC. In this way, you can query the IP address corresponding to the specific MAC address on the network segment.

Principles of ARP-Ping MAC

ARP-Ping MAC sends broadcast ICMP Echo Request packets. The following describes how to implement ARP-Ping MAC:

1. After setting the specified MAC address through the command line, you can send broadcast ICMP Echo Request packets and start the timeout timer.
2. After receiving an ICMP Echo Request packet, each device or host on the LAN replies with an ICMP Echo Reply packet.
3. After receiving the ICMP Echo Reply packet, the source device compares the source MAC address contained in the Echo Reply packet with the MAC address input in the command line.
   If they are consistent, the IP address of the Echo Reply packet is displayed. Then the source device prompts you that the MAC address is in use and disables the timeout timer. The operation finishes.

If the timeout timer of the ICMP Echo Reply packets times out, it means that the MAC address is not in use.

NOTE
If the system denies the request for replying with the network segment address, the sender cannot receive the ICMP Echo Reply packet.

As shown in Figure 2-2, Router A and Gigabitethernet A are directly connected. You can run the arp-ping mac command on Router A to check whether the MAC address 0013-46E7-2EF5 is in use.

Figure 2-2 Implementation procedure of ARP-Ping MAC
[Figure: RouterA (GE1/0/0, 10.1.1.1/24) connected through Gigabitethernet A to Host A (0013-46E7-2EF5)]

The following describes how to implement ARP-Ping MAC on Router A:

Run the arp-ping mac 0013-46E7-2EF5 10.1.1.0 or arp-ping mac 0013-46E7-2EF5 gigabitethernet 1/0/0 command on Router A. After receiving the ICMP Reply packets sent by all the hosts on the network, Router A displays the IP address of the host with the MAC address 0013-46E7-2EF5.

Through the command output, you can obtain the IP address corresponding to the MAC address.

NOTE
The arp-ping mac command is applicable to an outgoing interface of one of the following types: Gigabit Ethernet interface, VLANIF interface, Ethernet interface, and Eth-Trunk interface.

2.2 Configuring Static ARP

This section describes how to configure static ARP.
2.2.1 Establishing the Configuration Task
2.2.2 Configuring Common Static ARP Entries
2.2.3 Configuring Static ARP Entries in a VLAN
2.2.4 Configuring Static ARP Entries in a VPN Instance
2.2.5 Checking the Configuration

2.2.1 Establishing the Configuration Task

Applicable Environment

Static ARP is used in the following situations:

- For the packets whose destination IP address is on another network segment, static ARP can help these packets traverse a gateway of the local network segment so that the gateway can forward the packets to their destination.
- When you need to filter out some packets with illegitimate destination IP addresses, static ARP can bind these illegitimate addresses to a nonexistent MAC address.

Pre-configuration Tasks

Before configuring ARP, complete the following tasks:

- Configuring physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring link layer protocol parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up
- Configuring the network layer protocol for the interface

Data Preparation

To configure ARP, you need the following data.

  No.  Data
  1    IP address and MAC address of the static ARP entry
  2    VPN instance name and VLAN ID to which the static ARP entry belongs

2.2.2 Configuring Common Static ARP Entries

Context

If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device simultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be the IP address contained in the static ARP entries; otherwise, incorrect host routes are generated and thus packets cannot be normally forwarded.
NOTE
To configure static ARP for the packets with double tags, run the arp static cevid command. For details, see the HUAWEI NetEngine80E/40E Router Command Reference - LAN Access and MAN Access.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    arp static ip-address mac-address
    Configure common static ARP entries.

    NOTE
    Static ARP entries remain valid as long as the device works normally.

----End

2.2.3 Configuring Static ARP Entries in a VLAN

Context

If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device simultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be the IP address contained in the static ARP entries; otherwise, incorrect host routes are generated and thus packets cannot be normally forwarded.

NOTE
To configure static ARP for the packets with double tags, run the arp static cevid command. For details, see the HUAWEI NetEngine80E/40E Router Command Reference - LAN Access and MAN Access.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Configure static ARP entries in a Virtual Local Area Network (VLAN) as follows:

    - Run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command.
      If the interface corresponding to the VLAN is bound to a Virtual Private Network (VPN), the device can automatically associate the configured static ARP entry with the VPN.
      This command is applicable to port-based VLANs.
    - Run the arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-id command.
      This command is applicable to the sub-interface that supports VLAN and can be bound to the VPN.

    NOTE
    Static ARP entries remain valid as long as the device works normally.

----End

2.2.4 Configuring Static ARP Entries in a VPN Instance

Context

If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device simultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be the IP address contained in the static ARP entries; otherwise, incorrect host routes are generated and thus packets cannot be normally forwarded.

NOTE
To configure static ARP for the packets with double tags, run the arp static cevid command. For details, see the HUAWEI NetEngine80E/40E Router Command Reference - LAN Access and MAN Access.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    arp static ip-address mac-address vpn-instance vpn-instance-name
    Configure static ARP entries in a VPN instance.

    NOTE
    Static ARP entries remain valid as long as the device works normally.

----End

2.2.5 Checking the Configuration

Prerequisite

The configurations of the ARP function are complete.

Procedure

- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.
- Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics { all | slot slot-id } command to check the statistics for ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp interface gigabitethernet 1/0/0
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.12    0000-0a41-0202            I    GE1/0/1        r2
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1        r2
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds.
For example:

  <HUAWEI> display arp vpn-instance r1 slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp statistics all
  Dynamic:20      Static:10

2.3 Optimizing Dynamic ARP

2.3.1 Establishing the Configuration Task
2.3.2 Modify the aging parameters of dynamic ARP
2.3.3 Enabling ARP Suppression Function
2.3.4 Enabling Layer 2 Topology Detection Function
2.3.5 Checking the Configuration

2.3.1 Establishing the Configuration Task

Applicable Environment

Dynamic ARP is one of the functions built into a device or host. You do not need to run a command to enable dynamic ARP, but you can modify some parameters of dynamic ARP.

Pre-configuration Tasks

None

Data Preparation

To optimize dynamic ARP, you need the following data.

  No.  Data
  1    ID of the Ethernet interface or the virtual Ethernet interface to which the dynamic ARP entry belongs
  2    Aging detection times of the dynamic ARP entry
  3    Aging time of the dynamic ARP entry

2.3.2 Modify the aging parameters of dynamic ARP

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    interface interface-type interface-number
    The Ethernet interface view or the virtual Ethernet interface view is displayed.

Step 3 Run:
    arp detect-times detect-times
    The number of aging detection times of the dynamic ARP entries is configured.

Step 4 Run:
    arp expire-time expire-times
    The timeout period for aging dynamic ARP entries is configured.
    By default, the number of aging detection times of the dynamic ARP entries is three, and the aging timeout period is 1200 seconds.

Step 5 Run:
    arp detect-mode unicast
    The interface is configured to send ARP Aging Detection packets in unicast mode.
    By default, an interface sends ARP Aging Detection packets in broadcast mode.

----End

2.3.3 Enabling ARP Suppression Function

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    arp-suppress enable
    ARP suppression is enabled on the current device.
    The ARP suppression function can be enabled only on Eth-Trunk interfaces and VLANIF interfaces. By default, ARP suppression is disabled and only VLANIF interfaces are suppressed.

----End

2.3.4 Enabling Layer 2 Topology Detection Function

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    l2-topology detect enable
    The Layer 2 topology detection function is enabled.
    By default, this function is not enabled.

----End

2.3.5 Checking the Configuration

Prerequisite

The configurations of the ARP function are complete.

Procedure

- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.
- Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics { all | slot slot-id } command to check the statistics for ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp interface gigabitethernet 1/0/0
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.12    0000-0a41-0202            I    GE1/0/1        r2
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1        r2
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command.
If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp vpn-instance r1 slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp statistics all
  Dynamic:20      Static:10

2.4 Configuring Routed Proxy ARP

This section describes how to configure routed proxy ARP to make different sub-networks communicate with each other.

2.4.1 Establishing the Configuration Task
2.4.2 Configure an IP Addresses for the Interface
2.4.3 Enabling the Routed Proxy ARP Function
2.4.4 Checking the Configuration

2.4.1 Establishing the Configuration Task

Applicable Environment

The two physical networks of an enterprise are in different subnets of the same IP network, and are separated by a device. You need to enable the proxy ARP on the device interface connected to the physical networks. This enables communication between the two networks.

Network IDs of subnet hosts must be the same. You need not configure default gateways for hosts.
Pre-configuration Tasks

Before configuring routed proxy ARP, complete the following tasks:

- Configuring the physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure routed proxy ARP, you need the following data.

  No.  Data
  1    Number of the interface to be enabled with routed proxy ARP
  2    IP address of the interface to be enabled with routed proxy ARP

2.4.2 Configure an IP Addresses for the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface interface-type interface-number
    The interface view is displayed.
    The interfaces supporting routed proxy ARP include GE interfaces, GE sub-interfaces, Ethernet interfaces, Ethernet sub-interfaces, virtual Ethernet interfaces, VLANIF interfaces, Eth-Trunk interfaces, and Eth-Trunk sub-interfaces.

Step 3 Run:
    ip address ip-address { mask | mask-length }
    The interface is configured with an IP address.
    The IP address configured for the interface must be in the same network segment with that of hosts in the LAN connected with this interface.

----End

2.4.3 Enabling the Routed Proxy ARP Function

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface interface-type interface-number
    The interface view is displayed.

Step 3 Run:
    arp-proxy enable
    By default, the routed proxy ARP function is disabled on the interface.
    After routed proxy ARP is enabled, you must reduce the aging time of ARP entries in the host so that the number of packets that the device receives but cannot forward is decreased. To configure the aging time of ARP entries, run the arp expire-time expire-time command.

----End

2.4.4 Checking the Configuration

Prerequisite

The configurations of the routed proxy ARP function are complete.

Procedure

- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.
- Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics { all | slot slot-id } command to check statistics about ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp interface gigabitethernet 1/0/0
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command.
If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.12    0000-0a41-0202            I    GE1/0/1        r2
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1        r2
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp vpn-instance r1 slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp statistics all
  Dynamic:20      Static:10

2.5 Configuring Proxy ARP Within a VLAN

This section describes how to implement communication between hosts in the same VLAN configured with user isolation.
2.5.1 Establishing the Configuration Task
2.5.2 Configure an IP Addresses for the Interface
2.5.3 Configuring the VLAN Associated with the Sub-interface
2.5.4 Enabling Proxy ARP Within a VLAN
2.5.5 Checking the Configuration

2.5.1 Establishing the Configuration Task

Applicable Environment

If two users are in the same VLAN but they are isolated from each other, to ensure the two users can communicate, you need to enable proxy ARP within the VLAN on the interface associated with the VLAN.

Pre-configuration Tasks

Before configuring proxy ARP within a VLAN, complete the following tasks:

- Configuring physical attributes for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring the VLAN
- Configuring user isolation in the VLAN

Data Preparation

To configure proxy ARP within a VLAN, you need the following data.

  No.  Data
  1    Number of the interface to be enabled with proxy ARP in a VLAN
  2    IP address of the interface to be enabled with proxy ARP in a VLAN
  3    VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN

2.5.2 Configure an IP Addresses for the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number
    Or
    interface vlanif vlan-id
    The interface view is displayed.
    The interfaces supporting routed proxy ARP in a VLAN include VLANIF interfaces, Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces.

Step 3 Run:
    ip address ip-address { mask | mask-length }
    The interface is configured with an IP address.
    The IP address configured for the interface must be in the same network segment as that of the hosts in the VLAN associated with this interface.

----End

2.5.3 Configuring the VLAN Associated with the Sub-interface

Context

NOTE
This step is required when you enable proxy ARP in a VLAN on the Ethernet sub-interfaces, GE sub-interfaces, or Eth-Trunk sub-interfaces. To enable proxy ARP in a VLAN on the VLANIF interface, skip this step.

Do as follows on the router that uses sub-interfaces to implement interworking in a VLAN:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number
    The sub-interface view is displayed.

Step 3 Run:
    vlan-type low-vid [ high-vid ]
    The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with the sub-interface is configured.
    In the NE80E/40E, one sub-interface can be associated with one VLAN.
    By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.

----End

2.5.4 Enabling Proxy ARP Within a VLAN

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number
    Or
    interface vlanif vlan-id
    The interface view is displayed.

Step 3 Run:
    arp-proxy inner-sub-vlan-proxy enable
    Proxy ARP within a VLAN is enabled.

----End

2.5.5 Checking the Configuration

Prerequisite

The configurations of the proxy ARP within a VLAN function are complete.
Procedure

- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.
- Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics { all | slot slot-id } command to check statistics about ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp interface gigabitethernet 1/0/0
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.12    0000-0a41-0202            I    GE1/0/1        r2
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1        r2
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp vpn-instance r1 slot 1
  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                            VLAN/CEVLAN PVC
  ------------------------------------------------------------------------------
  192.168.1.11    0000-0a41-0201            I    GE1/0/0        r1
  192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0        r1
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are displayed, it means that the configuration succeeds. For example:

  <HUAWEI> display arp statistics all
  Dynamic:20      Static:10

2.6 Configuring Proxy ARP Between VLANs

This section describes how to implement communication between hosts in different VLANs.

2.6.1 Establishing the Configuration Task
2.6.2 Configuring an IP Addresses for the Interface
2.6.3 Configuring the VLAN Associated with the Sub-interface
2.6.4 Enabling Proxy ARP Between VLANs
2.6.5 Checking the Configuration

2.6.1 Establishing the Configuration Task

Applicable Environment

If two users belong to different VLANs and they need to communicate, you need to enable proxy ARP between VLANs on the sub-interface associated with the VLAN.

Sub-VLANs in a super-VLAN cannot communicate with each other. To solve this problem, enable proxy ARP between VLANs on the VLANIF interface corresponding to the super-VLAN.
Implementing communication between VLANs through proxy ARP occupies fewer resources than through configuring a VLANIF interface for each sub-VLAN.
IP addresses of hosts in a VLAN must be in the same network segment.

Pre-configuration Tasks
Before configuring proxy ARP between VLANs, complete the following tasks:
- Configuring physical attributes for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring VLAN aggregation

Data Preparation
To configure proxy ARP between VLANs, you need the following data.

No.  Data
1    Number of the interface to be enabled with proxy ARP between VLANs
2    IP address of the interface to be enabled with proxy ARP between VLANs
3    VLAN ID associated with the interface to be enabled with proxy ARP between VLANs

2.6.2 Configuring an IP Address for the Interface
Context
Do as follows on the router:
Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    interface { ethernet | gigabitethernet } interface-number.sub-interface-number
Or
    interface vlanif vlan-id
The interface view is displayed.
The interfaces supporting routed proxy ARP between VLANs include VLANIF interfaces, Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces.
Step 3 Run:
    ip address ip-address { mask | mask-length }
The interface is configured with an IP address.
The IP address configured for the interface must be in the same network segment as that of the hosts in the VLAN associated with this interface.
----End

2.6.3 Configuring the VLAN Associated with the Sub-interface
Context
NOTE
This step is required when you enable proxy ARP between VLANs on the Ethernet sub-interfaces, GE sub-interfaces, or Eth-Trunk sub-interfaces. To enable proxy ARP between VLANs on the VLANIF interface, skip this step.
Do as follows on the router that uses sub-interfaces to implement interworking between VLANs:
Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    interface { ethernet | gigabitethernet | eth-trunk } interface-number.subinterface-number
The sub-interface view is displayed.
Step 3 Run:
    vlan-type low-vid [ high-vid ]
The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with the sub-interface is configured.
In the NE80E/40E, one sub-interface can be associated with one VLAN.
By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.
----End

2.6.4 Enabling Proxy ARP Between VLANs
Context
Do as follows on the router:
Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    interface { ethernet | gigabitethernet } interface-number.sub-interface-number
Or
    interface vlanif vlan-id
The interface view is displayed.
The interfaces supporting routed proxy ARP between VLANs include Eth-Trunk sub-interfaces, VLANIF interfaces, Ethernet sub-interfaces, and GE sub-interfaces.
Step 3 Run:
    arp-proxy inter-sub-vlan-proxy enable
Proxy ARP between VLANs is enabled.
----End

2.6.5 Checking the Configuration
Prerequisite
The configurations of Proxy ARP Between VLANs are complete.
Procedure
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlanid ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.
- Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.
- Run the display arp statistics { all | slot slot-id } command to check statistics about ARP entries.
----End

Example
Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

    <HUAWEI> display arp interface gigabitethernet 1/0/0
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE
                                              VLAN/CEVLAN PVC
    ------------------------------------------------------------------------------
    192.168.1.11    0000-0a41-0201            I    GE1/0/0     r1
    192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0     r1
    ------------------------------------------------------------------------------
    Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds.
For example:

    <HUAWEI> display arp slot 1
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE
                                              VLAN/CEVLAN PVC
    ------------------------------------------------------------------------------
    192.168.1.12    0000-0a41-0202            I    GE1/0/1     r2
    192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1     r2
    192.168.1.11    0000-0a41-0201            I    GE1/0/0     r1
    192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0     r1
    ------------------------------------------------------------------------------
    Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

    <HUAWEI> display arp vpn-instance r1 slot 1
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE
                                              VLAN/CEVLAN PVC
    ------------------------------------------------------------------------------
    192.168.1.11    0000-0a41-0201            I    GE1/0/0     r1
    192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0     r1
    ------------------------------------------------------------------------------
    Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are displayed, it means that the configuration succeeds. For example:

    <HUAWEI> display arp statistics all
    Dynamic:20      Static:10

2.7 Configuring ARPing-IP
This section describes how to configure ARPing-IP.
2.7.1 Establishing the Configuration Task
2.7.2 Detecting the IP Address by Using the arp-ping ip Command

2.7.1 Establishing the Configuration Task
Applicable Environment
In the LAN, to configure an IP address for a device, you need to use the arp-ping ip command to check whether this IP address is used by another device in the network.
The arp-ping ip command is mainly used in the maintenance of the deployed Layer 2 features.
For example, in L2VPN networking, such as the virtual private LAN segment (VPLS) and virtual private wire service (VPWS), where Ethernet or VLAN is used for access, you can run the arp-ping ip command on the PE or CE to check whether the IP address is used by the local or remote host.

Pre-configuration Tasks
Before configuring ARPing-IP, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up.

Data Preparation
To configure ARPing-IP, you need the following data.

No.  Data
1    IP address to be checked

2.7.2 Detecting the IP Address by Using the arp-ping ip Command
Context
Do as follows on the device:
Procedure
Step 1 Run:
    arp-ping ip ip-address [ interface interface-type interface-number [ vlan-id vlanid ] ]
Check whether the IP address is in use.
NOTE
When the specified outgoing interface is a Layer 2 interface, you need to configure vlan-id vlan-id; when the specified outgoing interface is a Layer 3 interface, you cannot configure vlan-id vlan-id.
The following information is displayed:
- If the following information is displayed, it means that the IP address is not in use.

    [HUAWEI] arp-ping ip 110.1.1.2
     ARP-Pinging 110.1.1.2:
     Request timed out
     Request timed out
     Request timed out
     The IP address is not used by anyone!

- If the following information is displayed, it means that the IP address is in use.

    [HUAWEI] arp-ping ip 128.1.1.1
     ARP-Pinging 128.1.1.1:
     128.1.1.1 is used by 00e0-517d-f202

----End

2.8 Configuring ARPing-MAC
This section describes how to configure ARPing-MAC.
2.8.1 Establishing the Configuration Task
2.8.2 Detecting the MAC Address by Using the arp-ping mac Command

2.8.1 Establishing the Configuration Task
Applicable Environment
To check whether a MAC address is in use or query the IP address through the MAC address, you can use the arp-ping mac command.

Pre-configuration Tasks
Before configuring ARPing-MAC, complete the following tasks:
- Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up.

Data Preparation
To configure ARPing-MAC, you need the following data.

No.  Data
1    MAC address to be checked

2.8.2 Detecting the MAC Address by Using the arp-ping mac Command
Context
Do as follows on the device:
Procedure
Step 1 Run:
    arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number }
Check whether the MAC address is in use. Alternatively, you can query the IP address through the MAC address.
The following information is displayed:
- If the following information is displayed, it means that the MAC address is not in use.

    [HUAWEI] arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0
     OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press CTRL_C to break
     Request timed out
     Request timed out
     Request timed out
     ----- ARP-Ping MAC statistics -----
     3 packet(s) transmitted
     0 packet(s) received
     MAC[00-E0-51-7D-F2-01] not be used

- If the following information is displayed, it means that the MAC address is in use.

    [HUAWEI] arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
     OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press CTRL_C to break
     ----- ARP-Ping MAC statistics -----
     1 packet(s) transmitted
     1 packet(s) received
     IP ADDRESS          MAC ADDRESS
     128.1.1.1           00-E0-51-7D-F2-02

----End

2.9 Configuring the Association Between ARP and Interface Status
This section describes how to control the protocol status of the interface through ARP probes.
2.9.1 Establishing the Configuration Task
2.9.2 Configuring the Association Between ARP and Interface Status
2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status

2.9.1 Establishing the Configuration Task
Applicable Environment
If transmission devices exist over a link (between devices in the diagram), the actual physical path is segmented by the transmission devices although communication ends and transmission devices are directly connected at the network layer. In such a case, if the link or remote end fails, the local end takes a long time to detect the fault.
To solve the preceding problem, configure the association between the Bidirectional Forwarding Detection (BFD) status and the interface status. For details, refer to the chapter "BFD Configuration" in the HUAWEI NetEngine80E/40E Router Configuration Guide - Reliability.
For the device that does not support the BFD function, the NE80E/40E provides the ARP and interface status association function so that local interfaces can correctly judge the forwarding status of the remote end and change their protocol status accordingly (Up or Down). Fast convergence of routes is thus triggered.
Figure 2-3 Schematic diagram of transmission device existing between devices (RouterA, RouterB)

Pre-configuration Task
Before configuring the association between ARP and interface status, complete the following tasks:
- Configuring physical parameters for interfaces to make the physical statuses of interfaces Up.
- Configuring link layer parameters and IP addresses for interfaces to make the link protocol status of interfaces Up.

Data Preparation
To configure the association between ARP and interface status, you need the following data.

No.  Data
1    Destination IP address of an ARP probe packet
2    Interval for sending ARP probe packets
3    Maximum times that no response is received for the continually sent ARP probe packets before the protocol status of an interface turns Down
4    Probe mode

2.9.2 Configuring the Association Between ARP and Interface Status
Context
Do as follows on the router to perform probes:
Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    interface interface-type interface-number
The view of the interface to be enabled with the association between ARP and interface status is displayed.
NOTE
The association between ARP and interface status can be configured only on Ethernet interfaces, Ethernet sub-interfaces, Gigabit Ethernet interfaces, and Gigabit Ethernet sub-interfaces.
Step 3 Run:
    arp status-detect ip-address
The association between ARP and interface status and the destination IP address of the probe are configured.
The probed IP address must be the IP address of the directly-connected device.
The device to be probed need not be configured.
----End

2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status
Context
Do as follows on the router to perform probes:
Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    interface interface-type interface-number
The view of the interface to be enabled with the association between ARP and interface status is displayed.
Step 3 Run:
    arp status-detect interval detect-interval
The interval for sending ARP probe packets is set.
By default, the interval is 1000 ms.
Step 4 Run:
    arp status-detect times detect-times
The maximum number of consecutive ARP probe packets that can go unanswered before the protocol status of an interface turns Down is set.
By default, the value is 3.
Step 5 Run:
    arp status-detect mode loose
The probe mode is set to loose.
By default, the probe mode is strict.
- In loose mode, probe packets are sent only when the protocol status turns Up. The remote end declares the protocol to be Up when receiving any type of legal ARP packet.
- In strict mode, probe packets are sent regardless of whether the protocol status is Up or Down. The device declares the protocol to be Up only when receiving legal ARP response packets.
NOTE
When you configure ARP probe on both ends, configure the strict mode on at least one end. That is, the two ends cannot both be configured with the loose mode. This is because when the interface on one end is Down, the protocol status of the remote end turns Down because of a probe timeout. If the probe mode is set to loose on both ends, neither end sends probe packets actively, which results in a deadlock.
----End

Postrequisite
The device to be probed need not be configured.
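The loose/loose deadlock described in the NOTE above can be reproduced with a small state model. This is an added example, not code from the guide or from the NE80E/40E software; the class and function names are hypothetical, and it assumes that an end answers ARP requests whenever its physical link is up and that a fault takes End A's link down for five probe intervals.

```python
"""Simplified model of 'arp status-detect' running on two connected ends.

Added illustration, not the router's implementation. Assumptions: a peer
answers ARP requests whenever its physical link is up, and one tick equals
one probe interval (arp status-detect interval).
"""
from dataclasses import dataclass


@dataclass
class End:
    name: str
    mode: str               # "strict" or "loose" (arp status-detect mode)
    times: int = 3          # arp status-detect times; the guide's default is 3
    link_up: bool = True    # physical state of the interface
    proto_up: bool = True   # protocol state driven by the ARP probe
    misses: int = 0         # consecutive unanswered probes

    def sends_probe(self) -> bool:
        # Strict: probe whether the protocol is Up or Down.
        # Loose: probe only while the protocol is Up.
        return self.link_up and (self.mode == "strict" or self.proto_up)


def tick(a: End, b: End) -> None:
    """Advance both ends by one probe interval."""
    # Decide who probes from the state at the start of the interval.
    senders = [(s, p) for s, p in ((a, b), (b, a)) if s.sends_probe()]
    for sender, peer in senders:
        if peer.link_up:
            # The peer hears a legal ARP request. In loose mode any legal
            # ARP packet is enough to declare the protocol Up.
            if peer.mode == "loose":
                peer.proto_up, peer.misses = True, 0
            # The peer replies, so the sender sees a legal ARP response.
            sender.proto_up, sender.misses = True, 0
        else:
            sender.misses += 1
            if sender.misses >= sender.times:
                sender.proto_up = False
    for end in (a, b):
        if not end.link_up:
            end.proto_up = False


def simulate(mode_a, mode_b, fault_start=2, fault_len=5, ticks=15):
    """Take End A's link down for fault_len ticks, then restore it.

    Returns a list of (tick, a_proto_up, b_proto_up) tuples.
    """
    a, b = End("A", mode_a), End("B", mode_b)
    timeline = []
    for t in range(ticks):
        a.link_up = not (fault_start <= t < fault_start + fault_len)
        tick(a, b)
        timeline.append((t, a.proto_up, b.proto_up))
    return timeline


def recovers(mode_a, mode_b) -> bool:
    """True if both ends are protocol-Up again after the fault clears."""
    _, a_up, b_up = simulate(mode_a, mode_b)[-1]
    return a_up and b_up


if __name__ == "__main__":
    for pair in (("loose", "loose"), ("strict", "loose"),
                 ("loose", "strict"), ("strict", "strict")):
        print(pair, "recovers" if recovers(*pair) else "DEADLOCK")
```

With the default of three missed probes, End B declares the protocol Down on the third interval of the fault; only the loose/loose pair stays Down after the link is restored.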
2.10 Maintaining ARP
This section describes how to display ARP configurations, clear ARP statistics and debug ARP.
2.10.1 Clearing ARP Statistics
2.10.2 Monitoring Network Operation Status of ARP

2.10.1 Clearing ARP Statistics
Context
CAUTION
The mapping between the IP and MAC addresses is deleted after you clear ARP statistics. Therefore, confirm the action before you use the command.
Procedure
Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number | slot slot-id | static } command in the user view to clear the ARP entries in the ARP mapping table.
----End

2.10.2 Monitoring Network Operation Status of ARP
Context
In routine maintenance, you can run the following commands in any view to check the operation of ARP.
Procedure
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlanid ] ] [ | { begin | exclude | include } regular-expression ] command in any view to check the information about the ARP mapping table based on interfaces.
- Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command in any view to check the information about ARP mapping tables based on slots.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command in any view to check the information about ARP mapping tables based on VPN instances.
----End

2.11 Configuration Examples
This section provides some configuration examples, such as Routed Proxy ARP, Proxy ARP Within a VLAN and Proxy ARP Between VLANs.
2.11.1 Example for Configuring Routed Proxy ARP
2.11.2 Example for Configuring Proxy ARP Within a VLAN
2.11.3 Example for Configuring Proxy ARP Between VLANs
2.11.4 Example for Configuring the Association Between ARP and Interface Status
2.11.5 Example for Configuring Layer 2 Topology Detection

2.11.1 Example for Configuring Routed Proxy ARP
Networking Requirements
As shown in Figure 2-4, two devices are connected through serial lines. Each device has a GE 1/0/0 interface connecting with a local network. The network segment of the two local networks is 172.16.0.0/16. No default gateways are specified for Host A and Host B. The device should be configured with proxy ARP, enabling hosts in two local networks to communicate with each other.

Figure 2-4 Networking diagram of configuring proxy ARP
    Host A:  172.16.1.2/16, 0000-5e33-ee20 (Ethernet A)
    Host B:  172.16.2.2/16, 0000-5e33-ee10 (Ethernet B)
    RouterA: GE1/0/0 172.16.1.1/24, 00e0-fc39-80aa; POS2/0/0 172.17.3.1/24
    RouterB: GE1/0/0 172.16.2.1/24, 00e0-fc39-80bb; POS2/0/0 172.17.3.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Enable proxy ARP on interfaces.
3. Configure the default routes.

Data Preparation
To complete the configuration, you need the following data:
- IP address for related interfaces
- Default routes
- IP address of the host

Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.

    <HUAWEI> system-view
    [HUAWEI] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 172.16.1.1 255.255.255.0

# Enable proxy ARP.

    [RouterA-GigabitEthernet1/0/0] arp-proxy enable
    [RouterA-GigabitEthernet1/0/0] undo shutdown
    [RouterA-GigabitEthernet1/0/0] quit

# Configure a static route.

    [RouterA] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.2

# Configure an IP address for POS 2/0/0.

    [RouterA] interface pos 2/0/0
    [RouterA-Pos2/0/0] ip address 172.17.3.1 255.255.255.0
    [RouterA-Pos2/0/0] undo shutdown
    [RouterA-Pos2/0/0] quit

Step 2 Configure Router B.
# Configure an IP address for GE 1/0/0.

    <HUAWEI> system-view
    [HUAWEI] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ip address 172.16.2.1 255.255.255.0

# Enable proxy ARP.

    [RouterB-GigabitEthernet1/0/0] arp-proxy enable
    [RouterB-GigabitEthernet1/0/0] undo shutdown
    [RouterB-GigabitEthernet1/0/0] quit

# Configure a static route.

    [RouterB] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.1

# Configure an IP address for POS 2/0/0.

    [RouterB] interface pos 2/0/0
    [RouterB-Pos2/0/0] ip address 172.17.3.2 255.255.255.0
    [RouterB-Pos2/0/0] undo shutdown
    [RouterB-Pos2/0/0] quit

Step 3 Configure the host.
# Configure the IP address of Host A to 172.16.1.2/16.
# Configure the IP address of Host B to 172.16.2.2/16.
Step 4 Verify the configuration.
# Host A can ping Host B.
# The ARP table of Host A shows that the MAC address of Host B is the MAC address of GE1/0/0 on Router A.

    C:\Documents and Settings\Administrator> arp -a
    Interface: 172.16.1.2 --- 0x2
      Internet Address      Physical Address      Type
      172.16.2.2            00e0-fc39-80aa        dynamic

----End
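Why Host A's ARP table ends up holding Router A's MAC address for Host B follows from two independent decisions: the host's on-link test with its /16 mask, and the router's proxy decision on its /24 interface. The sketch below is an added example, not the guide's or the router's code; it uses the addresses from this example, a simplified routed proxy ARP rule (answer when the route to the target leaves through a different interface), and hypothetical function names.

```python
"""Simplified routed proxy ARP decision, using the addresses from the example.

Added illustration, not the NE80E/40E implementation. Assumption: the router
proxies when proxy ARP is enabled on the receiving interface and the route to
the target leaves through a different interface.
"""
import ipaddress

# Constructed from Router A's configuration in this example.
ROUTER_A_GE = {
    "name": "GE1/0/0",
    "addr": ipaddress.ip_interface("172.16.1.1/24"),
    "mac": "00e0-fc39-80aa",
}
ROUTER_A_ROUTES = [
    (ipaddress.ip_network("172.16.1.0/24"), "GE1/0/0"),   # connected
    (ipaddress.ip_network("172.17.3.0/24"), "POS2/0/0"),  # connected
    (ipaddress.ip_network("0.0.0.0/0"), "POS2/0/0"),      # ip route-static 0.0.0.0 0
]


def host_arp_target(host_if, dst, default_gw=None):
    """Address the host ARPs for: dst if on-link, else the gateway (or None)."""
    dst = ipaddress.ip_address(dst)
    if dst in host_if.network:
        return dst
    return ipaddress.ip_address(default_gw) if default_gw else None


def route_out_interface(routes, dst):
    """Longest-prefix match; returns the outgoing interface name or None."""
    matches = [(net, ifname) for net, ifname in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def router_arp_answer(iface, routes, target, arp_proxy):
    """MAC the router answers with on iface, or None if it stays silent."""
    if target == iface["addr"].ip:
        return iface["mac"]            # request for the router's own address
    if not arp_proxy:
        return None
    out_if = route_out_interface(routes, target)
    if out_if is None or out_if == iface["name"]:
        return None                    # no route, or target is on this segment
    return iface["mac"]                # proxy reply with the interface's MAC


def mac_learned_by_host(host_cidr, dst, arp_proxy, default_gw=None):
    """MAC that Router A would supply to a host on GE1/0/0 resolving dst."""
    host_if = ipaddress.ip_interface(host_cidr)
    target = host_arp_target(host_if, dst, default_gw)
    if target is None:
        return None                    # off-link and no gateway: no ARP sent
    return router_arp_answer(ROUTER_A_GE, ROUTER_A_ROUTES, target, arp_proxy)


if __name__ == "__main__":
    print(mac_learned_by_host("172.16.1.2/16", "172.16.2.2", arp_proxy=True))
```

When auditing a host ARP table, a remote address that resolves to the gateway's MAC is the expected result on a segment where arp-proxy enable is configured.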
Configuration Files
- Configuration file of Router A

    #
     sysname RouterA
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 172.16.1.1 255.255.255.0
     arp-proxy enable
    #
    interface Pos2/0/0
     link-protocol ppp
     undo shutdown
     ip address 172.17.3.1 255.255.255.0
    #
     ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.2
    #
    return

- Configuration file of Router B

    #
     sysname RouterB
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 172.16.2.1 255.255.255.0
     arp-proxy enable
    #
    interface Pos2/0/0
     link-protocol ppp
     undo shutdown
     ip address 172.17.3.2 255.255.255.0
    #
     ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.1
    #
    return

2.11.2 Example for Configuring Proxy ARP Within a VLAN
Networking Requirements
As shown in Figure 2-5, DSLAM is connected to the sub-interface Eth-Trunk1.10 of the device. Eth-Trunk1.10 is associated with VLAN 10. PC A and PC B are two users connected with DSLAM. On DSLAM, the interfaces connected with PC A and PC B belong to the same VLAN.
User isolation in a VLAN is configured on DSLAM. To implement communication between PC A and PC B, enable proxy ARP within a VLAN on Eth-Trunk1.10 of the device.

Figure 2-5 Networking diagram of configuring proxy ARP in a VLAN
    Router: Eth-trunk 1.10 (Proxy ARP) 100.1.1.12/24
    DSLAM: PC A and PC B in VLAN 10

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for Eth-Trunk1.10.
2. Configure the VLAN associated with the sub-interface.
3. Enable proxy ARP in a VLAN on Eth-Trunk1.10.

Data Preparation
To complete the configuration, you need the following data:
- IP address of Eth-Trunk1.10
- VLAN ID associated with Eth-Trunk1.10

Procedure
Step 1 Configure an IP address for Eth-Trunk1.10.

    <HUAWEI> system-view
    [HUAWEI] sysname router
    [router] interface eth-trunk 1
    [router-Eth-Trunk] undo shutdown
    [router-Eth-Trunk] quit
    [router] interface eth-trunk 1.10
    [router-Eth-Trunk1.10] ip address 100.1.1.12 255.255.255.0
    [router-Eth-Trunk1.10] undo shutdown
    [router-Eth-Trunk1.10] quit

Step 2 Configure IP addresses for PCs.
# Configure IP addresses for PCs. The IP addresses must be in the same network segment as the IP address of Eth-Trunk1.10.
# After the configurations, the PCs and the device can ping each other, but the PCs cannot ping each other.
Step 3 Associate Eth-Trunk1.10 with VLAN 10.

    [router] interface eth-trunk 1.10
    [router-Eth-Trunk1.10] vlan-type dot1q 10

Step 4 Enable proxy ARP in VLAN 10 on Eth-Trunk1.10.

    [router-Eth-Trunk1.10] arp-proxy inner-sub-vlan-proxy enable
    [router-Eth-Trunk1.10] quit

Step 5 Verify the configuration.
# PC A and PC B can ping each other.
----End

Configuration Files
The configuration file of the device is as follows:

    #
     sysname router
    #
    interface Eth-Trunk1
     undo shutdown
     mac-address 00e0-271e-f652
    #
    interface Eth-Trunk1.10
     undo shutdown
     vlan-type dot1q 10
     ip address 100.1.1.12 255.255.255.0
     arp-proxy inner-sub-vlan-proxy enable
    #
    return

2.11.3 Example for Configuring Proxy ARP Between VLANs
Networking Requirements
As shown in Figure 2-6, VLAN 2 and VLAN 3 compose a super-VLAN, VLAN 4.
The sub-VLANs (VLAN 2 and VLAN 3) cannot ping each other. To implement communication between VLAN 2 and VLAN 3, configure proxy ARP between VLANs.

Figure 2-6 Networking diagram of configuring proxy ARP between VLANs
    RouterA: super-VLAN VLAN4 containing sub-VLANs VLAN2 and VLAN3

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for VLANIF4.
2. Enable proxy ARP between VLANs on VLANIF4.

Data Preparation
To complete the configuration, you need IP addresses of interfaces.

Procedure
Step 1 Configure an IP address for the VLANIF interface.

    <HUAWEI> system-view
    [HUAWEI] sysname RouterA
    [RouterA] interface vlanif 4
    [RouterA-Vlanif4] ip address 100.1.1.12 255.255.255.0
    [RouterA-Vlanif4] undo shutdown
    [RouterA-Vlanif4] quit

Step 2 Configure IP addresses for PCs.
# Configure IP addresses for PCs. The IP addresses must be in the same network segment as the IP address of VLANIF4.
# After the configurations, the PCs and the device can ping each other, but PCs in VLAN 2 and PCs in VLAN 3 cannot ping each other.
Step 3 Configure proxy ARP between VLANs.

    [RouterA] interface vlanif 4
    [RouterA-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
    [RouterA-Vlanif4] quit

Step 4 Verify the configuration.
- PCs in VLAN 2 and PCs in VLAN 3 can ping each other.
- Check the ARP table on the PC.
# You can find that in the ARP tables of PCs in VLAN 2, the MAC addresses of all PCs in VLAN 3 are the MAC address of VLANIF4 on the device.
----End

Configuration Files
The configuration file of Router A is as follows:

    #
     sysname RouterA
    #
     vlan batch 2 to 4
    #
    vlan 4
     aggregate-vlan
     access-vlan 2 to 3
    #
    interface Vlanif4
     undo shutdown
     ip address 100.1.1.12 255.255.255.0
     arp-proxy inter-sub-vlan-proxy enable
    #
    return

2.11.4 Example for Configuring the Association Between ARP and Interface Status
Networking Requirements
As shown in Figure 2-7, two devices are connected through a Layer 2 switch. If a fault occurs on the GE interface of Router A, the GE interface of Router B remains Up because the link between the switch and Router B works normally. The protocol status of the GE interface of Router B is also Up.
It is required to configure the association between ARP and interface status on Router B to probe the status of the GE interface of Router A. Router B can then rapidly change its protocol status according to the interface status change of Router A.

Figure 2-7 Networking diagram of configuring the association between ARP and interface status
    RouterA: GE 1/0/0 10.1.1.1/24
    RouterB: GE 1/0/0 10.1.1.2/24
    RouterA and RouterB are connected through Switch.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each interface.
2. Enable the association between ARP and interface status on the interface.
3. Adjust parameters about the association between ARP and interface status to optimize performance.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces
- Destination IP address of an ARP probe packet
- Interval for sending ARP probe packets
- Maximum times that no response is received for the continually sent ARP probe packets before the protocol of an interface turns Down

Procedure
Step 1 Configure an IP address for each interface.
# Configure Router A.

    <HUAWEI> system-view
    [HUAWEI] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 24
    [RouterA-GigabitEthernet1/0/0] undo shutdown
    [RouterA-GigabitEthernet1/0/0] quit

# Configure Router B.

    <HUAWEI> system-view
    [HUAWEI] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ip address 10.1.1.2 24
    [RouterB-GigabitEthernet1/0/0] undo shutdown
    [RouterB-GigabitEthernet1/0/0] quit

# Ping Router A on Router B. The ping succeeds. Run the display interface command on Router A and Router B to view statuses of the GE interfaces. You can find that the physical status and protocol status of the GE interfaces are Up.

    [RouterB] ping 10.1.1.1
      PING 10.1.1.1: 56 data bytes, press CTRL_C to break
        Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=110 ms
        Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=60 ms
        Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=100 ms
        Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=70 ms
        Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=70 ms
      --- 10.1.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 60/82/110 ms

    [RouterA] display interface gigabitethernet 1/0/0
    GigabitEthernet1/0/0 current state : UP
    Line protocol current state : UP
    Last line protocol up time : 2007-12-22, 16:52:54
    Description : GigabitEthernet1/0/0 Interface, Route Port
    Route Port,The Maximum Transmit Unit is 1500 bytes
    Internet Address is 10.1.1.1/24
    IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0101
    The Vendor PN is SCP6F86-GL-CWH
    Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
    WaveLength: 850nm, Transmission Distance: 300m
    Rx Power: -8.00dBm, Tx Power: -5.13dBm
    Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
    Last physical up time : 2007-12-22, 16:52:54
    Last physical down time : 2007-12-22, 16:52:54
    Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
    Input: 882114 bytes, 10877 packets
    Output: 2147780 bytes, 31585 packets
    Input:
      Unicast: 0 packets, Multicast: 7368 packets
      Broadcast: 3509 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets
      InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 31585 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
      TxPause: 0 packets

    [RouterB] display interface gigabitethernet 1/0/0
    GigabitEthernet1/0/0 current state : UP
    Line protocol current state : UP
    Last line protocol up time : 2007-12-22, 16:53:41
    Description : GigabitEthernet1/0/0 Interface, Route Port
    Route Port,The Maximum Transmit Unit is 1500 bytes
    Internet Address is 10.1.1.2/24
    IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
    The Vendor PN is SCP6F86-GL-CWH
    Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
    WaveLength: 850nm, Transmission Distance: 300m
    Rx Power: -8.00dBm, Tx Power: -5.13dBm
    Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
    Last physical up time : 2007-12-22, 16:53:41
    Last physical down time : 2007-12-22, 16:53:41
    Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1
packets/sec Input: 882114 bytes, 10877 packets Output: 2147780 bytes, 31585 packets Input: Unicast: 0 packets, Multicast: 7368 packets Broadcast: 3509 packets, JumboOctets: 0 packets CRC: 0 packets, Symbol: 0 packets Overrun: 0 packets InRangeLength: 0 packets LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets Fragment: 0 packets, Undersized Frame: 0 packets RxPause: 0 packets Output: Unicast: 0 packets, Multicast: 0 packets Broadcast: 31585 packets, JumboOctets: 0 packets Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets Step 2 Run the shutdown command on the GE interface of Router A to simulate a fault. [RouterA] interface gigabitethernet 1/0/0 [RouterA-GigabitEthernet1/0/0] shutdown # Run the display interface command on Router B to view the status of the GE interfaces. You can find that the physical status and protocol status of the GE interfaces are Up. Router B, however, cannot ping through Router A. [RouterB] display interface gigabitethernet 1/0/0 Issue 03 (2010-03-31) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-12-22, 16:53:41
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -8.00dBm, Tx Power: -5.13dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2007-12-22, 16:53:41
Last physical down time : 2007-12-22, 16:53:41
Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
    Input: 882114 bytes, 10877 packets
    Output: 2147780 bytes, 31585 packets
    Input:
      Unicast: 0 packets, Multicast: 7368 packets
      Broadcast: 3509 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets
      InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 31585 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
[RouterB] ping 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Step 3 Enable the association between ARP and interface status on Router B.
# Specify the IP address of the GE interface of Router A as the destination IP address of the probe.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] arp status-detect 10.1.1.1

Step 4 Adjust parameters about the association between ARP and interface status on Router B.
# Set the interval for sending ARP probe packets to 3 seconds.
[RouterB-GigabitEthernet1/0/0] arp status-detect interval 3000
# Set the probe times to five.
[RouterB-GigabitEthernet1/0/0] arp status-detect times 5
[RouterB-GigabitEthernet1/0/0] quit

# After about 15 seconds (three seconds x five times), the GE interface status of Router B is Up and the protocol status turns Down.
[RouterB]
Sep 16 2007 15:37:45 RouterB %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet1/0/0 has turned into DOWN state.
[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : DOWN
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -8.00dBm, Tx Power: -5.13dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2007-12-22, 16:54:41
Last physical down time : 2007-12-22, 16:53:41
Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
    Input: 882114 bytes, 10877 packets
    Output: 2147780 bytes, 31585 packets
    Input:
      Unicast: 0 packets, Multicast: 7368 packets
      Broadcast: 3509 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets
      InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 31585 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
return
- Configuration file of Router B
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 arp status-detect 10.1.1.1
 arp status-detect times 5
 arp status-detect interval 3000
 ip address 10.1.1.2 255.255.255.0
#
return

2.11.5 Example for Configuring Layer 2 Topology Detection

Networking Requirements
As shown in Figure 2-8, configure VLAN 100 as the default VLAN of the two GE interfaces on the device enabled with the portswitch function. Configure the IP addresses of the two GE interfaces based on the figure.

Figure 2-8 Networking diagram of configuring Layer 2 topology detection
[Diagram not reproduced. Labels: GE 1/0/1, GE 1/0/2, VLAN100, VLANIF100 10.1.1.2/24, PC A 10.1.1.1/24, PC B 10.1.1.3/24]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable portswitch on two GE interfaces and configure them to join VLAN 100 by default.
2. Enable Layer 2 topology detection and view changes of ARP entries.

Data Preparation
To complete the configuration, you need the following data:
- Types and numbers of the interfaces to be added to a VLAN
- IP addresses of the VLANIF interface and the PCs

Procedure
Step 1 Create VLAN 100 and configure VLAN 100 to be the default VLAN of the two GE interfaces on the device.
# Create VLAN 100 and configure an IP address for the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname router
[router] vlan 100
[router-vlan100] quit
[router] interface vlanif 100
[router-vlanif100] undo shutdown
[router-vlanif100] ip address 10.1.1.2 24
[router-vlanif100] quit

# Configure the two GE interfaces to join VLAN 100 by default.
[router] interface gigabitethernet 1/0/1
[router-GigabitEthernet1/0/1] undo shutdown
[router-GigabitEthernet1/0/1] portswitch
[router-GigabitEthernet1/0/1] port default vlan 100
[router-GigabitEthernet1/0/1] quit
[router] interface gigabitethernet 1/0/2
[router-GigabitEthernet1/0/2] undo shutdown
[router-GigabitEthernet1/0/2] portswitch
[router-GigabitEthernet1/0/2] port default vlan 100
[router-GigabitEthernet1/0/2] quit

Step 2 Enable the Layer 2 topology detection function.
[router] l2-topology detect enable

Step 3 Restart GE 1/0/1 and view changes of ARP entries and aging time.
# View ARP entries on the device. You can find that the device has learnt the MAC address of the PC.
[router] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.1        00e0-c01a-4901  20        DF6         GE1/0/1
                                          100/-
10.1.1.3        00e0-de24-bf04  20        DF6         GE1/0/2
                                          100/-
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0    Interface:1

# Run the shutdown command and then the undo shutdown command on GE 1/0/1 to view the aging time of ARP entries.
[router] interface gigabitethernet 1/0/1
[router-GigabitEthernet1/0/1] shutdown
[router-GigabitEthernet1/0/1] undo shutdown
[router-GigabitEthernet1/0/1] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-bf04  0         DF6         GE1/0/2
                                          100/-
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

NOTE
From the preceding display, you can find that the ARP entries learnt from GE 1/0/1 are deleted after GE 1/0/1 is shut down and the aging time of the ARP entries learnt from GE 1/0/2 changes to 0. When the aging time is 0, the device sends an ARP probe packet for updating ARP entries.

[router-GigabitEthernet1/0/1] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-bf04  20        DF6         GE1/0/2
                                          100/-
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

NOTE
After the entry is updated, the aging time is restored to the default value, 20 minutes.
----End

Configuration Files
The configuration file of router is as follows:
#
 sysname router
#
 l2-topology detect enable
#
vlan 100
#
interface Vlanif100
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 portswitch
 port default vlan 100
#
interface GigabitEthernet1/0/2
 undo shutdown
 portswitch
 port default vlan 100
#
return
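The three display arp all snapshots in Step 3 above can be compared mechanically. The following Python code is an added example, not part of the Huawei guide: it parses the table layout shown above (including the VLAN/CEVLAN continuation row) and reports entries that were removed or set to aging time 0, and, going beyond what the guide shows, entries re-learnt with a different MAC address or interface. The function names and the last snapshot are constructed for illustration; populated VPN-INSTANCE or PVC columns are assumed to follow the INTERFACE column.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}(-[0-9a-fA-F]{4}){2}$")
VLAN_RE = re.compile(r"^\d+/(\d+|-)$")          # VLAN/CEVLAN column, e.g. 100/-


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    expire: Optional[int]    # minutes left; None for the device's own ("I") entries
    etype: str
    interface: str
    vlan: Optional[str]


def parse_arp_table(text: str) -> Dict[str, ArpEntry]:
    """Parse 'display arp all' output into {ip: ArpEntry}; other lines are skipped."""
    entries: Dict[str, ArpEntry] = {}
    last_ip = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # VLAN/CEVLAN is printed on a continuation row under the entry it belongs to.
        if last_ip and VLAN_RE.match(fields[0]):
            entries[last_ip] = entries[last_ip]._replace(vlan=fields[0])
            continue
        if len(fields) < 4 or not IP_RE.match(fields[0]) or not MAC_RE.match(fields[1]):
            continue
        rest = fields[2:]
        expire = None
        if rest[0].isdigit():                    # EXPIRE(M) is blank for "I" entries
            expire, rest = int(rest[0]), rest[1:]
        if len(rest) < 2:
            continue
        vlan = next((f for f in rest[2:] if VLAN_RE.match(f)), None)
        last_ip = fields[0]
        entries[last_ip] = ArpEntry(last_ip, fields[1].lower(), expire, rest[0], rest[1], vlan)
    return entries


Event = Tuple[str, str, str]                     # (kind, ip, detail)


def diff_snapshots(before: Dict[str, ArpEntry], after: Dict[str, ArpEntry]) -> List[Event]:
    """Report what changed between two parsed snapshots, ordered by IP string."""
    events: List[Event] = []
    for ip, old in sorted(before.items()):
        new = after.get(ip)
        if new is None:
            events.append(("removed", ip, f"{old.mac} on {old.interface}"))
            continue
        if new.mac != old.mac:                   # same IP, different hardware address
            events.append(("mac-changed", ip, f"{old.mac} -> {new.mac}"))
        if new.interface != old.interface:       # same IP, learnt on another port
            events.append(("moved", ip, f"{old.interface} -> {new.interface}"))
        if new.expire == 0 and old.expire != 0:  # aged to 0, ARP probe pending
            events.append(("reprobe", ip, f"aging time 0 on {new.interface}"))
    for ip in sorted(set(after) - set(before)):
        events.append(("added", ip, f"{after[ip].mac} on {after[ip].interface}"))
    return events


# Snapshots from Step 3 of the guide: before the GE 1/0/1 restart, right after it,
# and after the ARP probe has refreshed the remaining entry.
BEFORE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.1        00e0-c01a-4901  20        DF6         GE1/0/1
                                          100/-
10.1.1.3        00e0-de24-bf04  20        DF6         GE1/0/2
                                          100/-
Total:3         Dynamic:2       Static:0    Interface:1
"""
AFTER_RESTART = """\
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-bf04  0         DF6         GE1/0/2
                                          100/-
"""
REFRESHED = """\
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-bf04  20        DF6         GE1/0/2
                                          100/-
"""
# Constructed snapshot (not from the guide): 10.1.1.3 re-learnt with another MAC and port.
CONSTRUCTED = """\
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-0001  20        DF6         GE1/0/1
                                          100/-
"""

if __name__ == "__main__":
    snaps = [parse_arp_table(s) for s in (BEFORE, AFTER_RESTART, REFRESHED, CONSTRUCTED)]
    for old, new in zip(snaps, snaps[1:]):
        print(diff_snapshots(old, new) or "no change")
```

A "removed" plus "reprobe" pair is what Layer 2 topology detection is expected to produce after a port restart; "mac-changed" or "moved" without a known topology change is worth investigating.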

3 DNS Configuration

About This Chapter
This chapter describes the static and dynamic DNS concepts and their configuration steps, along with typical examples.

3.1 DNS Overview
This section describes the basic principle and concepts of Domain Name System (DNS).
3.2 Configuring DNS
This section describes how to use the domain name to communicate with other devices.
3.3 Maintaining DNS
This section describes how to clear DNS entries and debug DNS.
3.4 Configuration Examples
This section provides a configuration example of DNS.

3.1 DNS Overview
This section describes the basic principle and concepts of Domain Name System (DNS).
3.1.1 Introduction to DNS
3.1.2 DNS Supported by the NE80E/40E

3.1.1 Introduction to DNS
The Domain Name System (DNS) is a host naming mechanism provided by TCP/IP, with which hosts can be named in the form of character strings. This system assumes a hierarchical naming structure. It designates a meaningful name for the device in the Internet and associates the name with the IP address through a domain name resolution server. In this manner, you can use domain names that are easy to remember instead of memorizing complex IP addresses.

3.1.2 DNS Supported by the NE80E/40E
DNS has two resolution modes: dynamic DNS resolution and static DNS resolution.
To resolve a domain name, the system first uses static DNS resolution. If this mode fails, the system uses dynamic DNS resolution. To improve resolution efficiency, you can put common domain names in a static domain name resolution table.
The NE80E/40E supports static resolution and dynamic resolution.

3.2 Configuring DNS
This section describes how to use the domain name to communicate with other devices.
3.2.1 Establishing the Configuration Task
3.2.2 Configuring Static DNS Entries
3.2.3 Configuring Dynamic DNS
3.2.4 Checking the Configuration

3.2.1 Establishing the Configuration Task

Applicable Environment
If local users accessing devices need to communicate with other devices by using domain names, you can configure DNS on the device. A DNS entry is a mapping between a domain name and an IP address.
If local users seldom use domain names to communicate with other devices, or if the DNS server is unavailable, configure static DNS. Before configuring static DNS, you must know the mapping between the domain name and the IP address. If the mapping changes, you must modify the DNS entry manually.
You can configure dynamic DNS on the device if local users frequently use domain names for communicating with other devices and the DNS server is available.

Pre-configuration Tasks
Before configuring DNS, complete the following tasks:
- Configuring physical attributes of the interface and ensuring that the physical layer status of the interface is Up
- Configuring parameters of the link layer protocol of the interface and ensuring that the link layer protocol status of the interface is Up
- Configuring routes between the local device and the DNS server
- Configuring the DNS server

Data Preparation
To configure DNS, you need the following data.
No.  Data
1    Domain name and the corresponding IP address in a static DNS entry
2    IP address of a DNS server
3    Domain name or the domain name list of a dynamic DNS entry

3.2.2 Configuring Static DNS Entries

Context
You can configure a maximum of 50 static DNS entries.
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  ip host host-name ip-address
  The IP address corresponding to the host name is configured.
  A host name corresponds to only one IP address. If you configure an IP address for the same host name several times, only the most recently configured IP address is valid. To resolve several host names, repeat Step 2.
----End

3.2.3 Configuring Dynamic DNS

Context
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  dns resolve
  Dynamic domain name resolution is enabled.
Step 3 Run:
  dns server ip-address
  A DNS server is specified.
Step 4 (Optional) Run:
  dns server source-ip source-ip-address
  The IP address of the local device is specified.
  The local device uses the specified IP address to communicate with the DNS server, which ensures communication security.
Step 5 Run:
  dns domain domain-name
  The suffix of the domain name is added.
----End

Postrequisite
The system supports the configuration of a maximum of 6 domain name servers, 1 source address, and 10 domain name suffixes.
To configure more than one domain name server, repeat Step 3.
To configure more than one domain name suffix, repeat Step 5.

3.2.4 Checking the Configuration

Prerequisite
The configurations of the DNS function are complete.

Procedure
- Run the display ip host command to check the information about the static DNS entry table.
- Run the display dns server command to check the configurations about DNS servers.
- Run the display dns domain command to check the configurations about domain name suffixes.
- Run the display dns dynamic-host command to check the information about dynamic DNS entries in the domain name cache.
----End

Example
Run the display ip host command. If static DNS entries including the mappings between host names and IP addresses, are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip host
Host                 Age        Flags   Address
hw                   0          static  10.1.1.1
gww                  0          static  192.168.1.1

Run the display dns server command. If IP addresses of all domain servers are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns server
IPv4 Dns Servers :
Domain-server        IpAddress
1                    172.16.1.1
2                    172.16.1.2
IPv6 Dns Servers :
No configured servers.

Run the display dns domain command. If the list of suffixes of domain names is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns domain
No     Domain-name
1      com
2      net

Run the display dns dynamic-host command. If information about the dynamic domain name cache is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns dynamic-host
No   Domain-name          IpAddress    TTL    Alias
1    www.huawei.com       91.1.1.1     3521
2    www.huawei.com.cn    87.1.1.1     3000

3.3 Maintaining DNS
This section describes how to clear DNS entries and debug DNS.
3.3.1 Clearing DNS Entries
3.3.2 Monitoring Network Operation Status of DNS

3.3.1 Clearing DNS Entries

Context
CAUTION
DNS entries cannot be restored after being cleared. So, confirm the action before you use this command.

Procedure
Step 1 Run the reset dns dynamic-host command in the user view to clear dynamic DNS entries statistics in the domain name cache.
----End

3.3.2 Monitoring Network Operation Status of DNS

Context
In routine maintenance, you can run the following command in any view to check the operation of DNS.

Procedure
- Run the display ip host command to check the information about the static DNS entry table.
- Run the display dns server command to check configurations about DNS servers.
- Run the display dns domain command to check configurations about domain name suffixes.
- Run the display dns dynamic-host command to check the information about dynamic DNS entries in the domain name cache.
----End

3.4 Configuration Examples
This section provides a configuration example of DNS.

3.4.1 Example for Configuring DNS

Networking Requirements
As shown in Figure 3-1, Router A acts as a DNS client, being required to access the host 2.1.1.3/16 by using the domain name huawei.com. You need to configure domain name suffixes "com" and "net".
On Router A, configure static DNS entries of Router B and Router C so that Router A can communicate with them by using domain names.

Figure 3-1 Networking diagram of DNS
[Diagram not reproduced. Labels: RouterA (DNS Client); RouterB with Loopback0 4.1.1.1/32; RouterC with Loopback0 4.1.1.2/32; DNS Server 3.1.1.2/16; host huawei.com 2.1.1.3/16; GE interface addresses 1.1.1.1/16, 1.1.1.2/16, 2.1.1.1/16, 2.1.1.2/16, 3.1.1.1/16]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static DNS entries.
2. Enable DNS resolution.
3. Configure an IP address for the DNS server.
4. Configure suffixes of domain names.

Data Preparation
To complete the configuration, you need the following data:
- Domain names of Router B and Router C
- IP address of the DNS server
- Suffixes of domain names

Procedure
Step 1 Configure Router A.
# Configure static DNS entries.
<RouterA> system-view
[RouterA] ip host RouterB 4.1.1.1
[RouterA] ip host RouterC 4.1.1.2
# Enable DNS resolution.
[RouterA] dns resolve
# Configure an IP address for the DNS server.
[RouterA] dns server 3.1.1.2
# Configure a domain name suffix "net".
[RouterA] dns domain net
# Configure a domain name suffix "com".
[RouterA] dns domain com
[RouterA] quit

NOTE
To complete DNS resolution, configuring routes from Router A to the DNS server is mandatory. For procedures for configuring routes, refer to the NE80E/40E Router Configuration Guide - IP Routing.

Step 2 Verify the configuration.
# Run the ping huawei command on Router A to ping the IP address 2.1.1.3. The ping succeeds.
<RouterA> ping huawei.com
 Trying DNS server (3.1.1.2)
  PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
    Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
    Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms
  --- huawei.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/4/6 ms

# Run the display ip host command on Router A to view static DNS entries, including mappings between host names and IP addresses.
<RouterA> display ip host
Host                 Age        Flags   Address
RouterB              0          static  4.1.1.1
RouterC              0          static  4.1.1.2

# Run the display dns dynamic-host command on Router A to view dynamic DNS entries in the domain name cache.
<RouterA> display dns dynamic-host
No   Domain-name          IpAddress    TTL    Alias
1    huawei.com           2.1.1.3      3579

NOTE
TTL value in the above display indicates the lifetime of an entry. It is in seconds.
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
 ip host RouterB 4.1.1.1
 ip host RouterC 4.1.1.2
#
 dns resolve
 dns server 3.1.1.2
 dns domain net
 dns domain com
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.0.0
#
rip 1
 network 1.0.0.0
#
return
- Configuration file of Router B
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.1.1.1 255.255.0.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
interface LoopBack0
 ip address 4.1.1.1 255.255.255.255
#
rip 1
 network 2.0.0.0
 network 1.0.0.0
 network 4.0.0.0
#
return
- Configuration file of Router C
#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.1.1.2 255.255.0.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 3.1.1.1 255.255.0.0
#
interface LoopBack0
 ip address 4.1.1.2 255.255.255.255
#
rip 1
 network 2.0.0.0
 network 3.0.0.0
 network 4.0.0.0
#
return

4 DHCP Configuration

About This Chapter
This chapter describes the DHCP fundamentals including DHCP service, DHCP server, and relay agent. It also includes configuration steps for DHCP Server based on different parameters, DHCP relay agent, and security functions in DHCP service, along with typical examples.

4.1 DHCP Overview
This section describes the principle and concepts of Dynamic Host Configuration Protocol (DHCP).
4.2 Configuring the Global Address Pool-based DHCP Server
If a large number of clients need to be assigned with IP addresses, a global address pool-based DHCP server is usually configured on the network segment where the clients reside. Configuring a relay agent on the same network segment to forward packets between the clients and DHCP servers is an alternative method of configuring a global address pool-based DHCP server. In this manner, the communications between the clients and DHCP servers on other network segments can be realized. This saves bandwidths and facilitates the centralized management of IP addresses by the DHCP server.
4.3 Configuring the Interface Address Pool-based DHCP Server
If a few clients need to be assigned with IP addresses, an interface address pool-based DHCP server is usually configured on the network segment where the clients reside.
4.4 Configuring the Sub-interface Address Pool-based DHCP Server
This section describes how to assign IP addresses by using address pools on Ethernet subinterfaces to reduce repeated configurations.
4.5 Configuring VLANIF Interface Address Pool-based DHCP Server
This section describes how to configure a DHCP server that uses the address pool of the VLANIF interface.
4.6 Configuring the Security Function for DHCP
This section describes how to enhance the security of the DHCP service.
4.7 Configuring DHCP Relay
This section describes how to enable DHCP relay so that DHCP relay can forward DHCP requests from local clients to the DHCP server on other networks.
4.8 Maintaining DHCP
This section describes how to clear the statistics about DHCP and debug DHCP.
4.9 Configuration Examples
This section provides several configuration examples of the DHCP server and DHCP relay.

4.1 DHCP Overview
This section describes the principle and concepts of Dynamic Host Configuration Protocol (DHCP).
4.1.1 Introduction to DHCP
4.1.2 DHCP Supported by the NE80E/40E

4.1.1 Introduction to DHCP
With the rapid growth in network scale and complexity, network configuration becomes more difficult. The location of hosts changes (such as laptops and wireless network) and the number of hosts has exceeded that of the available IP addresses. The Dynamic Host Configuration Protocol (DHCP) is developed to solve these problems.

4.1.2 DHCP Supported by the NE80E/40E
The NE80E/40E supports the following DHCP applications, ensures the security of DHCP services, and provides the DHCP relay agent function.
- Global address pool
- Address pool on the physical interface
- Address pool on the VLANIF interface

NOTE
The NE80E/40E supports the configuration of the DHCP address pools containing the IP addresses with 31-bit masks. This configuration, however, is not recommended because the IP addresses with 31-bit masks currently cannot be assigned to users.

4.2 Configuring the Global Address Pool-based DHCP Server
If a large number of clients need to be assigned with IP addresses, a global address pool-based DHCP server is usually configured on the network segment where the clients reside. Configuring a relay agent on the same network segment to forward packets between the clients and DHCP servers is an alternative method of configuring a global address pool-based DHCP server. In this manner, the communications between the clients and DHCP servers on other network segments can be realized. This saves bandwidths and facilitates the centralized management of IP addresses by the DHCP server.
4.2.1 Establishing the Configuration Task
4.2.2 Configuring the DHCP Global Address Pool
4.2.3 Configure Static IP Address Binding
4.2.4 Configuring DNS Services for the DHCP Client
4.2.5 Configuring NetBIOS Services for the DHCP Client
4.2.6 Configuring Egress Gateway for the DHCP Client
4.2.7 Configuring DHCP Self-Defined Options
4.2.8 Assigning IP Addresses in the Global Address Pool to the DHCP Clients on the Specified Interface
4.2.9 Checking the Configuration

4.2.1 Establishing the Configuration Task

Applicable Environment
In a large network, hosts in the network may not be directly connected with the device through Ethernet interfaces. To obtain IP addresses from the device dynamically, you need to configure a global address pool-based DHCP server. The global address pool-based DHCP server usually works together with the DHCP relay agent.

Pre-configuration Tasks
Before configuring the global address pool-based DHCP server, complete the following tasks:
- Configuring the interface of the device
- Configuring the egress gateway for the client
- (Optional) Configuring the DNS server
- (Optional) Configuring the NetBIOS server
- Configuring the routes to the DNS server and the NetBIOS server (if the DNS server and the NetBIOS server are not configured, you do not need to configure the routes)
- (Optional) Configuring the DHCP customized option

Data Preparation
To configure the global address pool-based DHCP server, you need the following data.
No.  Data
1    Name and the address range of the address pool, which is configured based on the number of clients
2    Range of the IP addresses that cannot be dynamically assigned to hosts
3    IP addresses and the MAC addresses that need to be bound statically
4    Lease of the IP address
5    (Optional) IP address of the DNS server and the domain name of the DHCP client
6    (Optional) IP address of the NetBIOS server and the NetBIOS node type of the DHCP client
7    (Optional) Coding of the DHCP self-defined options and the corresponding ASCII strings or hexadecimal number or IP address

4.2.2 Configuring the DHCP Global Address Pool

Context
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  dhcp enable
  DHCP is enabled.
Step 3 Run:
  dhcp server ip-pool pool-name
  A DHCP address pool is created and the DHCP address pool view is displayed.
  NOTE
  Each DHCP server can be configured with a maximum of 128 global address pools.
Step 4 Run:
  network ip-address [ mask { mask | mask-length } ]
  The address pool range is configured.
  NOTE
  Currently, an address pool can be configured with only one address segment and the address range is set through the mask.
  NE80E/40E supports the configuration of the DHCP address pools containing the IP addresses with 31-bit masks. This configuration, however, is not recommended because the IP addresses with 31-bit masks currently cannot be assigned to users.
Step 5 Run:
  expired { day day [ hour hour [ minute minute ] ] | unlimited }
  The lease of the IP addresses dynamically assigned to hosts is configured.
  By default, the IP lease is one day.
  NOTE
  The DHCP server can specify the IP lease for each address pool. The IP lease may vary with address pools. The addresses in the same DHCP address pool, however, have the same IP lease.
Step 6 Run:
  quit
  Back to the system view.
Step 7 Run:
  dhcp server forbidden-ip start-ip-address [ end-ip-address ]
  The range of IP addresses that cannot be dynamically assigned is configured.
  NOTE
  After repeatedly running the dhcp server forbidden-ip command, you can configure multiple IP address segments that cannot be automatically assigned.
  When using the undo dhcp server forbidden-ip command to delete the setting, ensure that the specified parameters are consistent with the previously configured parameters. That is, you cannot delete only part of the originally configured addresses.
----End

4.2.3 Configure Static IP Address Binding

Context
Based on the clients' needs, you can adopt either static address binding or dynamic address assignment. However, you cannot configure the same DHCP address pool with these two modes at the same time.
Dynamic address assignment requires you to specify the address range for assignment, while static address binding can be regarded as a special DHCP address pool with only one address.
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  dhcp server ip-pool pool-name
  A DHCP address pool is created and the DHCP address pool view is displayed.
Step 3 Run:
  static-bind ip-address ip-address [ mask { mask | mask-length } ]
  Certain IP addresses are statically bound.
  NOTE
  The NE80E/40E supports the statically bound address pools to be assigned the IP addresses with 31-bit masks. This configuration, however, is not recommended because the IP addresses with 31-bit masks currently cannot be assigned to users.
Step 4 Run:
  static-bind mac-address mac-address
  MAC addresses of certain clients are statically bound.
----End

Postrequisite
Some clients may need fixed IP addresses that are bound to their MAC addresses. When the client with a specific MAC address uses DHCP to apply for an IP address, the DHCP server looks up the fixed IP address bound to that MAC address and assigns it to the client.
NOTE
The static-bind ip-address command must be used together with the static-bind mac-address command. If you run the two commands several times, the new configuration supersedes the previous one.

4.2.4 Configuring DNS Services for the DHCP Client

Context
The configuration is optional.
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  dhcp server ip-pool pool-name
The DHCP address pool view is displayed.

Step 3 Run:
  domain-name domain-name
The domain name of the DHCP client is configured.

Step 4 Run:
  dns-list ip-address &<1-8>
The IP address of the DNS server of the DHCP client is configured.

----End

Postrequisite
On the DHCP server, designate a domain name for the clients on a per-address-pool basis.
When a host accesses the Internet by using the domain name, the DNS server resolves the domain name into an IP address. Therefore, to ensure that the client can successfully access the Internet, the DHCP server also needs to specify the DNS server address for the client when it assigns IP addresses.
To perform load balancing and improve the network reliability, you can configure several DNS servers and egress gateways.

4.2.5 Configuring NetBIOS Services for the DHCP Client

Context
The configuration is optional.
Do as follows on the router:
Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  dhcp server ip-pool pool-name
The DHCP address pool view is displayed.

Step 3 Run:
  nbns-list ip-address &<1-8>
The IP address of the NetBIOS server of the DHCP client is configured.

Step 4 Run:
  netbios-type { b-node | h-node | m-node | p-node }
The NetBIOS node type of the DHCP client is configured. By default, the node type of the DHCP client is not specified.

----End

Postrequisite
For clients running a Microsoft OS, the Windows Internet Naming Service (WINS) server resolves host names to IP addresses for hosts that use the NetBIOS protocol for communication. Most Windows clients need to be configured with WINS.
When a DHCP client communicates in a WAN by adopting the NetBIOS protocol, a mapping between the host name and the IP address should be set up. The following lists the types of NetBIOS nodes for obtaining mappings:
• Type b nodes (b-node): "b" stands for broadcast; that is, type b nodes obtain the mapping relation by means of broadcast.
• Type p nodes (p-node): "p" stands for peer-to-peer; that is, type p nodes obtain the mapping relation by means of communicating with NetBIOS servers.
• Type m nodes (m-node): "m" stands for mixed. Type m nodes are the type p nodes owning part of the broadcasting features.
• Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes owning the "peer-to-peer" communicating mechanism.

4.2.6 Configuring Egress Gateway for the DHCP Client

Context
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  dhcp server ip-pool pool-name
The DHCP address pool view is displayed.
Step 3 Run:
  gateway-list ip-address &<1-8>
The egress gateway of the DHCP client is configured.
When a DHCP client wants to access a server (or host) that is not on the local network, an egress gateway needs to be configured on the local network.
To perform load balancing and improve the network reliability, you can configure several DNS servers and egress gateways.

----End

4.2.7 Configuring DHCP Self-Defined Options

Context
NOTE
Configuring DHCP self-defined options is optional. Services such as DNS on the client, NetBIOS, and IP lease cannot be configured through this command; use the commands described earlier instead.
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  dhcp server ip-pool pool-name
The DHCP address pool view is displayed.

Step 3 Run:
  option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }
The DHCP self-defined options are configured.

----End

Postrequisite
The Option field in DHCP packets carries the control information and parameters that are not defined in some common protocols. If the DHCP server is configured with Option, the DHCP client gets the configuration information saved in the Option field of DHCP response packets.
You need to add the options to the attribute tables of the DHCP servers. For example,
• To configure the IP address of a log server to 10.110.204.1, use the command option 7 ip-address 10.110.204.1.
• To configure the TTL of the client packet to 64, use the command option 23 hex 40.
NOTE
Using the option command, you can specify the options to be included in the DHCP response packets. Before using this command, you need to know the function of each option:
Option 77 identifies user types or applications of the DHCP client.
Based on User Class in the Option field, the DHCP server selects the proper address pool and configuration parameters. Option 77 is usually configured on the client.

4.2.8 Assigning IP Addresses in the Global Address Pool to the DHCP Clients on the Specified Interface

Context
Do as follows on the router:

Procedure
• Assigning IP addresses to the clients on the current interface
  1. Run:
       system-view
     The system view is displayed.
  2. Perform the following as required.
     – Run:
         interface interface-type interface-number
       The interface view is displayed.
     – Run:
         interface { ethernet | gigabitethernet } interface-number.subinterface-number
       The sub-interface view is displayed.
  3. Run:
       dhcp select global
     The IP addresses in the global address pool are assigned.
     NOTE
     For the DHCP implementation on the NE80E/40E, the address pool specified for the Ethernet sub-interface is applied to allocating IP addresses for users in the VLAN.
• Assigning IP addresses to the clients on multiple interfaces
  1. Run:
       system-view
     The system view is displayed.
  2. Perform the following as required to specify a global address pool:
     – Run:
         dhcp select global interface interface-type interface-number
       The global address pool is specified for an interface.
     – Run:
         dhcp select global interface { ethernet | gigabitethernet } interface-number.sub-interface-number1 [ to { ethernet | gigabitethernet } interface-number.sub-interface-number2 ]
       The global address pool is specified for multiple Ethernet sub-interfaces.
       NOTE
       If multiple Ethernet sub-interfaces are specified, all sub-interfaces must be on the same physical interface.
     – Run:
         dhcp select global all
       The global address pool is specified for all interfaces.
       This command is used to specify a global address pool for all the Ethernet interfaces, Ethernet sub-interfaces, VLANIF interfaces, GE interfaces, and GE sub-interfaces that are configured with IP addresses.
• Assigning IP addresses to the clients in VLANs
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       dhcp select global vlan vlan-id1 [ to vlan-id2 ] &<1-10>
     The IP addresses in the global address pool are assigned.

----End

4.2.9 Checking the Configuration

Prerequisite
The configurations of the global address pool-based DHCP server are complete.

Procedure
• Run the display dhcp server free-ip command to check the available address information in the DHCP address pool.
• Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command to check the expired lease in the DHCP address pool.
• Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command to check the address binding information.
• Run the display dhcp server statistics command to check the statistics of the DHCP server.
• Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] | vlan vlan-id } command to check the information on the tree structure of the DHCP address pool.

----End

Example
Run the display dhcp server free-ip command. If there are unused IP addresses in the address pool, it means that the configuration succeeds.

<HUAWEI> display dhcp server free-ip
IP Range from 5.5.5.1          to 5.5.5.254
IP Range from 202.38.160.1     to 202.38.160.1
IP Range from 202.38.160.4     to 202.38.160.126

Run the display dhcp server expired command.
If information about the expired leases of IP addresses in DHCP address pools is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server expired all
Global pool:
IP address       Hardware address    Lease expiration            Type
2.2.2.2          44444-4444-4444     NOT Used                    Manual
Interface pool:
IP address       Hardware address    Lease expiration            Type

Run the display dhcp server ip-in-use command. If the binding information of the IP address, such as the hardware address and the IP lease, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server ip-in-use all
Global pool:
IP address       Hardware address    Lease expiration            Type
2.2.2.2          4444-4444-4444      NOT Used                    Manual
Interface pool:
IP address       Hardware address    Lease expiration            Type
5.5.5.1          0050-ba28-930a      Jul 5 2006 13:00:10 PM      Auto:COMMITED

Run the display dhcp server statistics command. If statistics of the DHCP server, including the number of DHCP address pools, the numbers of automatic, manual, and expired bindings, and the number of DHCP packets, are displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server statistics
Global Pool:
  Pool Number:               5
  Binding
    Auto:                    0
    Manual:                  1
    Expire:                  0
Interface Pool:
  Pool Number:               1
  Binding
    Auto:                    1
    Manual:                  0
    Expire:                  0
Boot Request:                6
  Dhcp Discover:             1
  Dhcp Request:              4
  Dhcp Decline:              0
  Dhcp Release:              1
  Dhcp Inform:               0
Boot Reply:                  4
  Dhcp Offer:                1
  Dhcp Ack:                  3
  Dhcp Nak:                  0
Bad Messages:                0
HA Message:
  BatchBackup send msg:      0
  BatchBackup recv msg:      0
  BatchBackup send lease:    0
  BatchBackup recv lease:    0

Run the display dhcp server tree command. If the tree structure of the DHCP address pool, including DNS, the IP lease and Option parameters, is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server tree all
Global pool:

Pool name: 5
network 10.10.1.0 255.255.255.0
Child node:6
Sibling node:7
option 1 ip-address 255.0.0.0
expired 1 0 0
option 58 hex 00 00 A8 C0
option 59 hex 00 00 00 3C

Pool name: 6
host 10.10.1.2 255.0.0.0
hardware-address 1111.2222.3333 gigabitethernet
Parent node:5
option 1 ip-address 255.255.0.0
expired 1 0 0
option 58 hex 00 00 A8 C0
option 59 hex 00 00 00 3C

Interface pool:

Pool name: GigabitEthernet11/2/0
network 5.5.5.0 mask 255.255.255.0
option 1 ip-address 255.255.255.0
gateway-list 5.5.5.5
expired 1 0 0
option 58 hex 00 00 A8 C0
option 59 hex 00 00 00 3C

4.3 Configuring the Interface Address Pool-based DHCP Server

If a few clients need to be assigned IP addresses, an interface address pool-based DHCP server is usually configured on the network segment where the clients reside.

4.3.1 Establishing the Configuration Task
4.3.2 Configuring the Interface Address Pool
4.3.3 Configuring DNS on the Interface Address Pool
4.3.4 Configuring NetBIOS on the Interface Address Pool
4.3.5 Configuring DHCP Self-Defined Options
4.3.6 Checking the Configuration

4.3.1 Establishing the Configuration Task

Applicable Environment
In a small network, some hosts are connected to a device through the Ethernet interface. You can configure the DHCP server on the Ethernet interface of the device. This enables the hosts to obtain IP addresses from the router dynamically.
For the interface address pool-based DHCP server, a single address pool and an egress gateway need not be configured. After you configure an IP address on the Ethernet interface of the device, all the addresses of the network segment to which this IP address belongs are assignable, and this IP address is also the address of the egress gateway of this network segment.
Pre-configuration Tasks
Before configuring the interface address pool-based DHCP server, complete the following tasks:
• Configuring the Ethernet interface of the device
• (Optional) Configuring the DNS server
• (Optional) Configuring the NetBIOS server
• (If the DNS server and the NetBIOS server are not configured, you do not need to configure the routes.) Configuring the routes to the DNS server and the NetBIOS server
• (Optional) Configuring the DHCP customized option

Data Preparation
To configure the interface address pool-based DHCP server, you need the following data.

No.  Data
1    Number, IP address and the subnet mask of the Ethernet interface of the device
2    IP addresses and the MAC addresses that need to be bound statically
3    Lease of the IP address (It can be some days, hours, or minutes)
4    (Optional) IP address of the DNS server and the domain name of the DHCP client
5    (Optional) IP address of the NetBIOS server and the NetBIOS node type of the DHCP client
6    (Optional) Coding of the DHCP self-defined options and the corresponding ASCII strings or hexadecimal number or IP address

4.3.2 Configuring the Interface Address Pool

Context
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  dhcp enable
DHCP is enabled.

Step 3 Run:
  interface interface-type interface-number
The Ethernet interface view is displayed.

Step 4 Run:
  ip address ip-address { mask | mask-length }
The IP address of the interface is configured.
The address pool on an interface is actually the network segment to which the interface belongs, and such an interface address pool takes effect only on this interface.
NOTE
You can configure address pools on GE interfaces, GE sub-interfaces, Eth-Trunk interfaces, Ethernet interfaces, Ethernet sub-interfaces, VE interfaces, and VLANIF interfaces. The NE80E/40E allows the address pools on these interfaces to use IP addresses with 31-bit masks. This configuration, however, is not recommended because IP addresses with 31-bit masks currently cannot be assigned to users.

Step 5 Run:
  dhcp select interface
The interface address pool is enabled.

Step 6 Run:
  dhcp server static-bind ip-address ip-address mac-address mac-address
Certain IP addresses and MAC addresses are bound with the address pool.

Step 7 Perform the following as required.
• To configure the IP lease, run:
    dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
  By default, the IP lease is one day.
• To configure the IP lease of an interface, run the quit command to return to the system view. Then run:
    dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } interface interface-type interface-number
  The lease of the IP address of an interface is configured. By default, the IP lease is one day.

----End

Postrequisite
The interface address pool has a higher priority than the global address pool. If an address pool is configured on an interface, clients obtain IP addresses preferentially from the interface address pool even though a global address pool is configured.
Similarly, suppose a global address pool and the IP lease have been configured on a device and clients have obtained IP addresses from the global address pool. Once the interfaces connecting the device to the clients are configured with address pools in the same network segment as the global address pool, the leases of IP addresses in the global address pool are deleted. Then, after the leases of the IP addresses obtained from the global address pool expire, the clients obtain IP addresses preferentially from the interface address pool.
4.3.3 Configuring DNS on the Interface Address Pool

Context
The configuration is optional.
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  dhcp server domain-name domain-name
The domain name of the DHCP client is configured.

Step 4 Run:
  dhcp server dns-list ip-address &<1-8>
The IP address of the DNS server is specified for the DHCP client.

----End

4.3.4 Configuring NetBIOS on the Interface Address Pool

Context
The configuration is optional.
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  dhcp server nbns-list ip-address &<1-8>
The IP address of the NetBIOS server is specified for the DHCP client.

Step 4 Run:
  dhcp server netbios-type { b-node | h-node | m-node | p-node }
The NetBIOS node type of the DHCP client is configured.
By default, the NetBIOS node type is not specified for the DHCP client.

----End

Postrequisite
For clients running a Microsoft OS, the WINS server resolves host names to IP addresses for hosts that use the NetBIOS protocol to communicate. For this reason, most Windows network clients need to be configured with WINS.
When a DHCP client communicates in a WAN by adopting the NetBIOS protocol, a mapping between the host name and the IP address should be set up.
The types of NetBIOS nodes for obtaining mappings are as follows:
• Type b nodes (b-node): "b" stands for broadcast; that is, type b nodes obtain the mapping relation by means of broadcast.
• Type p nodes (p-node): "p" stands for peer-to-peer; that is, type p nodes obtain the mapping relation by means of communicating with NetBIOS servers.
• Type m nodes (m-node): "m" stands for mixed. Type m nodes are the type p nodes owning part of the broadcasting features.
• Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes owning the "peer-to-peer" communicating mechanism.

4.3.5 Configuring DHCP Self-Defined Options

Context
NOTE
Configuring DHCP self-defined options is optional. Services such as DNS on the client, NetBIOS, and IP lease cannot be configured through this command; use the related commands described above instead.
Do as follows on the router:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }
The DHCP self-defined options are configured.

----End

Postrequisite
The Option field in DHCP packets carries the control information and parameters that are not defined in some common protocols. If the DHCP server is configured with Option, the DHCP client gets the configuration information saved in the Option field of DHCP response packets.
You can add new options to the attribute list of the DHCP server by manual definition. For example,
• To configure the IP address of the log server to 10.110.204.1, run the dhcp server option 7 ip-address 10.110.204.1 command.
• To configure the TTL of the client packet to 64, run the dhcp server option 23 hex 40 command.
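The following is an added example, not part of the Huawei guide: it shows how the two option commands above, and the option 58 value seen in the display dhcp server tree output, would be laid out in the Option field using the code/length/value format of RFC 2132. The function names are illustrative, and the option-name table covers only the codes that appear in this chapter.

```python
import ipaddress

# RFC 2132 names for the option codes that appear in this chapter.
OPTION_NAMES = {1: "Subnet Mask", 7: "Log Server", 23: "Default IP TTL",
                58: "Renewal (T1) Time", 59: "Rebinding (T2) Time"}


def encode_option(code, kind, *values):
    """Build the code/length/value bytes for `option code {ascii|hex|ip-address} ...`."""
    if not 1 <= code <= 254:
        raise ValueError("code 0 is the pad option and 255 the end option")
    if kind == "ascii":
        payload = " ".join(values).encode("ascii")
    elif kind == "hex":
        # Accepts "40" as well as the spaced form shown by the tree display.
        payload = bytes.fromhex("".join(values))
    elif kind == "ip-address":
        if not 1 <= len(values) <= 8:          # mirrors ip-address &<1-8>
            raise ValueError("between 1 and 8 addresses are allowed")
        payload = b"".join(ipaddress.IPv4Address(v).packed for v in values)
    else:
        raise ValueError("kind must be ascii, hex or ip-address")
    if not 1 <= len(payload) <= 255:
        raise ValueError("payload must fit the one-byte length field")
    return bytes([code, len(payload)]) + payload


def from_cli(line):
    """Accept pool-view (`option ...`) or interface-view (`dhcp server option ...`) syntax."""
    words = line.split()
    if words[:2] == ["dhcp", "server"]:
        words = words[2:]
    if len(words) < 4 or words[0] != "option":
        raise ValueError("expected: option code {ascii|hex|ip-address} value")
    return encode_option(int(words[1]), words[2], *words[3:])


def decode_options(buf):
    """Walk an Option field and return [(code, payload), ...]; reject truncated data."""
    found, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                          # pad byte, no length field
            i += 1
            continue
        if code == 255:                        # end of options
            break
        if i + 1 >= len(buf):
            raise ValueError("option %d has no length byte" % code)
        length = buf[i + 1]
        payload = buf[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("option %d is truncated" % code)
        found.append((code, payload))
        i += 2 + length
    return found


def describe(code, payload):
    """Interpret the payload for the codes used in this chapter."""
    name = OPTION_NAMES.get(code, "option %d" % code)
    if code in (1, 7):
        if len(payload) % 4:
            raise ValueError("address list must be a multiple of 4 bytes")
        value = [str(ipaddress.IPv4Address(payload[i:i + 4]))
                 for i in range(0, len(payload), 4)]
    elif code in (23, 58, 59):
        value = int.from_bytes(payload, "big")  # TTL, or a time in seconds
    else:
        value = payload.hex()
    return name, value


if __name__ == "__main__":
    # Constructed Option field: the two commands above plus option 58 from the tree output.
    field = (from_cli("dhcp server option 7 ip-address 10.110.204.1")
             + from_cli("option 23 hex 40")
             + encode_option(58, "hex", "00", "00", "A8", "C0")
             + b"\xff")
    for code, payload in decode_options(field):
        print(code, payload.hex(), describe(code, payload))
```

Running it shows that hex 40 is the single byte 0x40 (TTL 64) and that option 58 hex 00 00 A8 C0 is 43200 seconds, half of the default one-day lease.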
4.3.6 Checking the Configuration

Prerequisite
The configurations of the interface address pool-based DHCP server are complete.

Procedure
• Run the display dhcp server free-ip command to check the available address information in the DHCP address pool.
• Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command to check the expired lease in the DHCP address pool.
• Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command to check the address binding information.
• Run the display dhcp server statistics command to check the statistics of the DHCP server.
• Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] | vlan vlan-id } command to check the information on the tree structure of the DHCP address pool.

----End

Example
Run the display dhcp server free-ip command. If there are unused IP addresses in the address pool, it means that the configuration succeeds.

<HUAWEI> display dhcp server free-ip
IP Range from 5.5.5.1          to 5.5.5.254
IP Range from 202.38.160.1     to 202.38.160.1
IP Range from 202.38.160.4     to 202.38.160.126

Run the display dhcp server expired command. If information about the expired leases of IP addresses in DHCP address pools is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server expired all
Global pool:
IP address       Hardware address    Lease expiration            Type
2.2.2.2          44444-4444-4444     NOT Used                    Manual
Interface pool:
IP address       Hardware address    Lease expiration            Type

Run the display dhcp server ip-in-use command.
If the binding information of the IP address, such as the hardware address and the IP lease, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server ip-in-use all
Global pool:
IP address       Hardware address    Lease expiration            Type
2.2.2.2          4444-4444-4444      NOT Used                    Manual
Interface pool:
IP address       Hardware address    Lease expiration            Type
5.5.5.1          0050-ba28-930a      Jul 5 2006 13:00:10 PM      Auto:COMMITED

Run the display dhcp server statistics command. If statistics of the DHCP server, including the number of DHCP address pools, the numbers of automatic, manual, and expired bindings, and the number of DHCP packets, are displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server statistics
Global Pool:
  Pool Number:               5
  Binding
    Auto:                    0
    Manual:                  1
    Expire:                  0
Interface Pool:
  Pool Number:               1
  Binding
    Auto:                    1
    Manual:                  0
    Expire:                  0
Boot Request:                6
  Dhcp Discover:             1
  Dhcp Request:              4
  Dhcp Decline:              0
  Dhcp Release:              1
  Dhcp Inform:               0
Boot Reply:                  4
  Dhcp Offer:                1
  Dhcp Ack:                  3
  Dhcp Nak:                  0
Bad Messages:                0
HA Message:
  BatchBackup send msg:      0
  BatchBackup recv msg:      0
  BatchBackup send lease:    0
  BatchBackup recv lease:    0

Run the display dhcp server tree command. If the tree structure of the DHCP address pool, including DNS, the IP lease and Option parameters, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server tree all
Global pool:

Pool name: 5
network 10.10.1.0 255.255.255.0
Child node:6
Sibling node:7
option 1 ip-address 255.0.0.0
expired 1 0 0
option 58 hex 00 00 A8 C0
option 59 hex 00 00 00 3C

Pool name: 6
host 10.10.1.2 255.0.0.0
hardware-address 1111.2222.3333 gigabitethernet
Parent node:5
option 1 ip-address 255.255.0.0
expired 1 0 0
option 58 hex 00 00 A8 C0
option 59 hex 00 00 00 3C

Interface pool:

Pool name: GigabitEthernet11/2/0
network 5.5.5.0 mask 255.255.255.0
option 1 ip-address 255.255.255.0
gateway-list 5.5.5.5
expired 1 0 0
option 58 hex 00 00 A8 C0
option 59 hex 00 00 00 3C

4.4 Configuring the Sub-interface Address Pool-based DHCP Server

This section describes how to assign IP addresses by using address pools on Ethernet sub-interfaces to reduce repeated configurations.

4.4.1 Establishing the Configuration Task
4.4.2 Enabling Address Pools on Sub-interfaces
4.4.3 Configuring Address Pools on Ethernet Sub-interfaces
4.4.4 Configuring DNS on Address Pools of Sub-interfaces
4.4.5 Configuring NetBIOS on Address Pools of Sub-interfaces
4.4.6 Configuring the DHCP Self-Defined Options for Address Pools of Sub-interfaces
4.4.7 Checking the Configuration

4.4.1 Establishing the Configuration Task

Applicable Environment
For the interface address pool-based DHCP server, a single address pool and an egress gateway need not be configured. After you configure an IP address on the Ethernet interface of the device, all the addresses of the network segment to which this IP address belongs are assignable, and this IP address is also the address of the egress gateway of this network segment.
In the NE80E/40E, Ethernet sub-interfaces are applied only to implementing communication between different VLANs. Therefore, to configure a DHCP server that is based on the address pool on the Ethernet sub-interface, encapsulate the sub-interface with 802.1Q first.

Pre-configuration Tasks
Before configuring the sub-interface address pool-based DHCP server, complete the following tasks:
• Configuring the Ethernet sub-interfaces of the device
• (Optional) Configuring the DNS server
• (Optional) Configuring the NetBIOS server
• (If the DNS server and the NetBIOS server are not configured, you do not need to configure the routes.)
  Configuring the routes to the DNS server and the NetBIOS server
• (Optional) Configuring the DHCP customized option

Data Preparation
To configure the sub-interface address pool-based DHCP server, you need the following data.

No.  Data
1    Number, IP address and the subnet mask of the Ethernet sub-interface of the device
2    IP addresses and the MAC addresses that need to be bound statically
3    Lease of the IP address (It can be some days, hours, or minutes)
4    (Optional) IP address of the DNS server and the domain name of the DHCP client
5    (Optional) IP address of the NetBIOS server and the NetBIOS node type of the DHCP client
6    (Optional) Coding of the DHCP self-defined options and the corresponding ASCII strings or hexadecimal number or IP address

4.4.2 Enabling Address Pools on Sub-interfaces

Context
Do as follows on the DHCP server:

Procedure
• Enabling address pools in the sub-interface view
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       interface interface-type interface-number.sub-interface-number
     The Ethernet sub-interface view is displayed.
  3. Run:
       ip address ip-address { mask | mask-length }
     The IP address of the Ethernet sub-interface is configured.
  4. Run:
       dhcp select interface
     The address pool on the sub-interface is enabled to allocate IP addresses to clients.
• Enabling address pools on one sub-interface or multiple sub-interfaces in the system view
  1. Run:
       system-view
     The system view is displayed.
  2. Perform the following as required:
     – Run:
         dhcp select interface interface interface-type interface-number.sub-interface-number
       The address pool on one sub-interface is enabled to allocate IP addresses to clients.
     – Run:
         dhcp select interface interface interface-type interface-number.sub-interface-number1 to interface-type interface-number.sub-interface-number2
       The address pools on multiple sub-interfaces are enabled to allocate IP addresses to clients.
     NOTE
     Before configuring this command, you need to create sub-interfaces and configure IP addresses for them. Running this command in the system view is equivalent to configuring the dhcp select interface command in each sub-interface view.

----End

4.4.3 Configuring Address Pools on Ethernet Sub-interfaces

Context
Do as follows on the DHCP server:

Procedure
Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  dhcp enable
DHCP is enabled.

Step 3 Run:
  interface interface-type interface-number.sub-interface-number
The Ethernet sub-interface view is displayed.

Step 4 Run:
  vlan-type vlan-id1 [ vlan-id2 ]
The sub-interface is encapsulated with 802.1Q.

Step 5 Run:
  dhcp server static-bind ip-address ip-address mac-address mac-address
Certain IP addresses and MAC addresses are bound with the address pool.

Step 6 The following steps are optional, so perform them as required.
Run:
  dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
The IP lease of the sub-interface is configured. By default, the IP lease is one day.
Or
Run:
  quit
Return to the system view.
Run:
  dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | all }
The leases of the IP addresses of several sub-interfaces are configured. By default, the IP lease is one day.

----End

Postrequisite
The IP address and mask of the Ethernet sub-interface determine the range of the sub-interface address pool. If you need to configure the address pool for multiple Ethernet sub-interfaces, repeat Steps 3, 4, 5, and 6.

4.4.4 Configuring DNS on Address Pools of Sub-interfaces

Context
The configuration is optional.
Do as follows on the DHCP server:

Procedure
• Configuring DNS on sub-interfaces
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       interface interface-type interface-number.sub-interface-number
     The Ethernet sub-interface view is displayed.
  3. Run:
       dhcp server domain-name domain-name
     Domain names are configured for the clients of the sub-interface.
  4. Run:
       dhcp server dns-list ip-address &<1-8>
     The IP address of the DNS server is specified for the clients of the sub-interface.
• Configuring DNS on one or multiple sub-interfaces
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       dhcp server domain-name domain-name { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }
     The domain name of the DHCP client is configured.
  3. Run:
       dhcp server dns-list ip-address &<1-8> { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }
     The IP address of the DNS server is specified for the DHCP client.

----End

4.4.5 Configuring NetBIOS on Address Pools of Sub-interfaces

Context
The configuration is optional.
Do as follows on the DHCP server:

Procedure
- Configuring NetBIOS on sub-interfaces
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         interface interface-type interface-number.sub-interface-number
     The sub-interface view is displayed.
  3. Run:
         dhcp server nbns-list ip-address &<1-8>
     The IP address of the NetBIOS server is specified for the DHCP clients of the sub-interface.
  4. Run:
         dhcp server netbios-type { b-node | h-node | m-node | p-node }
     The NetBIOS node type is specified for the DHCP clients of the sub-interface.
- Configuring NetBIOS on one or multiple sub-interfaces
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         dhcp server nbns-list ip-address &<1-8> { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }
     The IP address of the NetBIOS server is specified for the DHCP client.
  3. Run:
         dhcp server netbios-type { b-node | h-node | m-node | p-node } { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }
     The NetBIOS node type is specified for the DHCP client. By default, the node type of the client is not specified.

----End

Postrequisite
For clients running a Microsoft operating system, the WINS server resolves host names to IP addresses for hosts that communicate using the NetBIOS protocol. Therefore, most Windows network clients need to be configured with WINS.
When a DHCP client communicates in a WAN by adopting the NetBIOS protocol, a mapping between the host name and the IP address should be set up.
There are four types of NetBIOS nodes for obtaining mappings:
- Type b nodes (b-node): "b" stands for broadcast; that is, type b nodes obtain the mapping by means of broadcast.
- Type p nodes (p-node): "p" stands for peer-to-peer; that is, type p nodes obtain the mapping by communicating with NetBIOS servers.
- Type m nodes (m-node): "m" stands for mixed. Type m nodes are type p nodes that have some of the broadcast features.
- Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes that have the peer-to-peer communication mechanism.

4.4.6 Configuring the DHCP Self-Defined Options for Address Pools of Sub-interfaces

Context
NOTE
Configuring DHCP self-defined options is optional. Services such as DNS on the client, NetBIOS and IP lease cannot be configured through this command; use the related commands described above.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> } { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }
The DHCP self-defined options are configured.

----End

Postrequisite
The Option field in DHCP packets carries the control information and parameters that are not defined in some common protocols. If the DHCP server is configured with Option, the DHCP client gets the configuration information saved in the Option field of DHCP response packets.
You can add new options to the attribute list of the DHCP server by manual definition. For example,
- To configure the IP address of the log server to 10.110.204.1, run the dhcp server option 7 ip-address 10.110.204.1 command.
- To configure the TTL of the client packet to 64, run the dhcp server option 23 hex 40 command.

NOTE
Using the option command, you can specify the options that need to be included in the DHCP response packets. Before using this command, you need to know the function of each option:
Option 77 identifies user types or applications of the DHCP client. Based on User Class in the Option field, the DHCP server selects the proper address pool and configuration parameters. Option 77 is usually configured on the client.

4.4.7 Checking the Configuration

Prerequisite
The configurations of the sub-interface address pool-based DHCP server are complete.

Procedure
- Run the display dhcp server free-ip command to check the available address information in the DHCP address pool.
- Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command to check the expired lease in the DHCP address pool.
- Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command to check the address binding information.
- Run the display dhcp server statistics command to check the statistics of the DHCP server.
- Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] | vlan vlan-id } command to check the information on the tree structure of the DHCP address pool.

----End

Example
Run the display dhcp server free-ip command. If there are unused IP addresses in the address pool, it means that the configuration succeeds.
<HUAWEI> display dhcp server free-ip
IP Range from 5.5.5.1          to 5.5.5.254
IP Range from 202.38.160.1     to 202.38.160.1
IP Range from 202.38.160.4     to 202.38.160.126

Run the display dhcp server expired command. If information about the expired leases of IP addresses in DHCP address pools is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server expired all
Global pool:
IP address      Hardware address    Lease expiration          Type
2.2.2.2         44444-4444-4444     NOT Used                  Manual
Interface pool:
IP address      Hardware address    Lease expiration          Type

Run the display dhcp server ip-in-use command. If the binding information of IP address, such as the hardware address and the IP lease, is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server ip-in-use all
Global pool:
IP address      Hardware address    Lease expiration          Type
2.2.2.2         4444-4444-4444      NOT Used                  Manual
Interface pool:
IP address      Hardware address    Lease expiration          Type
5.5.5.1         0050-ba28-930a      Jul 5 2006 13: 00:10 PM   Auto:COMMITED

Run the display dhcp server statistics command. If statistics of the DHCP server, including the number of DHCP address pools, the number of the automatic binding, the manual binding and the expired binding and the number of DHCP packets is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server statistics
Global Pool:
  Pool Number:              5
  Binding
    Auto:                   0
    Manual:                 1
    Expire:                 0
Interface Pool:
  Pool Number:              1
  Binding
    Auto:                   1
    Manual:                 0
    Expire:                 0
Boot Request:               6
  Dhcp Discover:            1
  Dhcp Request:             4
  Dhcp Decline:             0
  Dhcp Release:             1
  Dhcp Inform:              0
Boot Reply:                 4
  Dhcp Offer:               1
  Dhcp Ack:                 3
  Dhcp Nak:                 0
Bad Messages:               0
HA Message:
  BatchBackup send msg:     0
  BatchBackup recv msg:     0
  BatchBackup send lease:   0
  BatchBackup recv lease:   0

Run the display dhcp server tree command.
If the tree structure of the DHCP address pool, including DNS, the IP lease and Option parameters, is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server tree all
Global pool:
Pool name: 5
 network 10.10.1.0 255.255.255.0
 Child node:6
 Sibling node:7
 option 1 ip-address 255.0.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C
Pool name: 6
 host 10.10.1.2 255.0.0.0
 hardware-address 1111.2222.3333 gigabitethernet
 Parent node:5
 option 1 ip-address 255.255.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C
Interface pool:
Pool name: GigabitEthernet11/2/0
 network 5.5.5.0 mask 255.255.255.0
 option 1 ip-address 255.255.255.0
 gateway-list 5.5.5.5
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

4.5 Configuring VLANIF Interface Address Pool-based DHCP Server
This section describes how to configure a DHCP server that uses the address pool of the VLANIF interface.
4.5.1 Establishing the Configuration Task
4.5.2 Enabling Address Pools on VLANIF Interfaces
4.5.3 Configuring the Address Pool on the VLANIF Interface
4.5.4 Configuring DNS on the Address Pool of the VLANIF Interface
4.5.5 Configuring NetBIOS on the Address Pool of the VLANIF Interface
4.5.6 Configuring DHCP Self-Defined Options for the Address Pool of the VLANIF Interface
4.5.7 Checking the Configuration

4.5.1 Establishing the Configuration Task

Applicable Environment
The interface address pool on the VLANIF interface is used for devices to support the switched Ethernet interface. Because the switched Ethernet interface cannot be configured with IP addresses directly, you need to create a VLANIF interface and then configure DHCP address pools on the VLANIF interface.

Pre-configuration Tasks
Before configuring the VLANIF interface address pool-based DHCP server, complete the following tasks:
- Creating a VLANIF interface
- (Optional) Configuring the DNS server
- (Optional) Configuring the NetBIOS server
- (If the DNS server and the NetBIOS server are not configured, you do not need to configure the routes.) Configuring routes to the DNS server and the NetBIOS server
- (Optional) Configuring the DHCP customized option

Data Preparation
To configure the VLANIF interface address pool-based DHCP server, you need the following data.

No.  Data
1    Number, IP address and subnet mask of the VLANIF interface
2    IP addresses in the address pools of the VLANIF interface and the MAC addresses to be bound with the IP addresses
3    Lease of the IP address (it can be some days, hours, or minutes)
4    (Optional) IP address of the DNS server and the domain name of the DHCP client
5    (Optional) IP address of the NetBIOS server and the NetBIOS node type of the DHCP client
6    (Optional) Code of the DHCP self-defined options and the corresponding ASCII strings, hexadecimal number or IP address

4.5.2 Enabling Address Pools on VLANIF Interfaces

Context
Do as follows on the DHCP server:

Procedure
- Enabling address pools in the VLANIF interface view
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         vlan vlan-id
     A VLAN is created.
  3. Run:
         quit
     Return to the system view.
  4. Run:
         interface vlanif vlan-id
     The VLANIF interface view is displayed.
  5. Run:
         ip address ip-address { mask | mask-length }
     The IP address of the VLANIF interface is configured.
  6. Run:
         dhcp select interface
     The address pool on the VLANIF interface is enabled.
- Enabling address pools on one VLANIF interface or multiple VLANIF interfaces in the system view
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         vlan vlan-id
     A VLAN is created.
  3. Run:
         quit
     Return to the system view.
  4. Run:
         interface vlanif vlan-id
     The VLANIF interface view is displayed.
  5. Run:
         ip address ip-address { mask | mask-length }
     The IP address of the VLANIF interface is configured.
  6. Run:
         quit
     Return to the system view.
  7. Run:
         dhcp select interface vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
     The address pool on the specified VLANIF interface is enabled.

NOTE
Running this command in the system view is equivalent to running the dhcp select interface command in each VLANIF interface view.

----End

4.5.3 Configuring the Address Pool on the VLANIF Interface

Context
Do as follows on the DHCP server:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dhcp enable
DHCP is enabled.
Step 3 Run:
    interface vlanif vlan-id
The VLANIF interface view is displayed.
Step 4 Run:
    dhcp select interface
The address pool on the interface is enabled.
Step 5 Run:
    dhcp server static-bind ip-address ip-address mac-address mac-address
Certain IP addresses and MAC addresses are bound with the address pool.
Step 6 The following steps are optional, so perform them as required.
- If you want to configure the IP lease for the local VLANIF interface, do as follows.
  Run:
      dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }
  The IP lease of the VLANIF interface is configured. By default, the IP lease is one day.
- If you want to configure the IP lease for several VLANIF interfaces, do as follows.
  Run:
      quit
  Return to the system view.
  Run:
      dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
  The leases of the IP addresses of several VLANIF interfaces are configured. By default, the IP lease is one day.

----End

Postrequisite
The IP address and mask of the VLANIF interface determine the range of the address pool on the VLANIF interface.
If you need to configure several address pools for VLANIF interfaces, repeat Steps 3, 4, 5, and 6.

4.5.4 Configuring DNS on the Address Pool of the VLANIF Interface

Context
The configuration is optional.
Do as follows on the DHCP server:

Procedure
- Configuring DNS on VLANIF interfaces
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
         dhcp server domain-name domain-name
     Domain names are configured for the clients of the VLANIF interface.
  4. Run:
         dhcp server dns-list ip-address &<1-8>
     The IP address of the DNS server is specified for the clients of the VLANIF interface.
- Configuring DNS on one or multiple VLANIF interfaces
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         dhcp server domain-name domain-name vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
     The domain name of the DHCP client is configured.
  3. The following steps are optional, so perform them as required.
     Run:
         dhcp server dns-list ip-address &<1-8> vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
     The IP address of the DNS server is specified for the DHCP client.

----End

4.5.5 Configuring NetBIOS on the Address Pool of the VLANIF Interface

Context
The configuration is optional.
Do as follows on the DHCP server:

Procedure
- Configuring NetBIOS on VLANIF interfaces
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         interface vlanif vlan-id
     The VLANIF interface view is displayed.
  3. Run:
         dhcp server nbns-list ip-address &<1-8>
     The IP address of the NetBIOS server is specified for the DHCP clients of the VLANIF interface.
  4. Run:
         dhcp server netbios-type { b-node | h-node | m-node | p-node }
     The NetBIOS node type is specified for the DHCP clients of the VLANIF interface.
- Configuring NetBIOS on one or multiple VLANIF interfaces
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         dhcp server nbns-list ip-address &<1-8> vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
     The IP address of the NetBIOS server is specified for the DHCP client.
  3. Run:
         dhcp server netbios-type { b-node | h-node | m-node | p-node } vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
     The NetBIOS node type is specified for the DHCP client. By default, the node type of the client is not specified.

----End

Postrequisite
Before using the NetBIOS service, make sure that:
- The NetBIOS server is configured correctly.
- There are routes between the device and the NetBIOS server.
For clients running a Microsoft operating system, the WINS server resolves host names to IP addresses for hosts that communicate using the NetBIOS protocol. Therefore, most Windows network clients need to be configured with WINS.
When a DHCP client communicates on a WAN by adopting the NetBIOS protocol, a mapping between the host name and the IP address should be set up. The types of NetBIOS nodes for obtaining mappings are as follows:
- Type b nodes (b-node): "b" stands for broadcast; that is, type b nodes obtain the mapping by means of broadcast.
- Type p nodes (p-node): "p" stands for peer-to-peer; that is, type p nodes obtain the mapping by communicating with NetBIOS servers.
- Type m nodes (m-node): "m" stands for mixed. Type m nodes are type p nodes that have some of the broadcast features.
- Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes that have the peer-to-peer communication mechanism.

4.5.6 Configuring DHCP Self-Defined Options for the Address Pool of the VLANIF Interface

Context
NOTE
Configuring DHCP self-defined options is optional. Services such as DNS on the client, NetBIOS and IP lease cannot be configured through the option code command; use the related commands described above.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> } { all | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> }
The DHCP self-defined options are configured.
The DHCP self-defined options are optional. You can configure them when needed.

----End

Postrequisite
The Option field in DHCP packets carries the control information and parameters that are not defined in some common protocols. If the DHCP server is configured with Option, the DHCP client gets the configuration information saved in the Option field of DHCP response packets.
You can add new options to the attribute list of the DHCP server by manual definition. For example,
- To configure the IP address of the log server to 10.110.204.1, run the dhcp server option 7 ip-address 10.110.204.1 command.
- To configure the TTL of the client packet to 64, run the dhcp server option 23 hex 40 command.
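
The following added example, which is not part of the Huawei guide, shows how the ascii, hex and ip-address forms of the dhcp server option command become code-length-value bytes in the Option field, and checks option lines before they are applied. The DEDICATED and FIXED_LENGTH tables (filled from RFC 2132), the function names and the sample lines are assumptions of the example, not documented router behaviour.

```python
import ipaddress
import re

# RFC 2132 codes for the services the guide configures with dedicated commands.
# Using them as a lint list is an assumption of this example, not documented
# router behaviour.
DEDICATED = {
    6: "dhcp server dns-list",
    15: "dhcp server domain-name",
    44: "dhcp server nbns-list",
    46: "dhcp server netbios-type",
    51: "dhcp server expired",
}
# Value lengths that RFC 2132 fixes for options appearing on this page.
FIXED_LENGTH = {23: 1, 58: 4, 59: 4}
# A trailing scope ("all", "interface ...", "vlan ...") is not part of the value.
SCOPE_KEYWORDS = {"all", "interface", "vlan"}
OPTION_LINE = re.compile(r"^(?:dhcp server )?option (\d+) (ascii|hex|ip-address) (.+)$")


def encode_option(line):
    """Return (tlv_bytes, warnings) for one option line; raise ValueError if invalid."""
    match = OPTION_LINE.match(line.strip())
    if not match:
        raise ValueError("not an option line: %r" % line)
    code, kind = int(match.group(1)), match.group(2)
    tokens = match.group(3).split()
    for i, token in enumerate(tokens):
        if i > 0 and token in SCOPE_KEYWORDS:
            tokens = tokens[:i]          # keep only the value, drop the scope
            break
    if not 1 <= code <= 254:
        raise ValueError("code %d is reserved (0 is pad, 255 is end)" % code)
    if kind == "ascii":
        value = tokens[0].encode("ascii")
    elif kind == "hex":
        value = bytes.fromhex("".join(tokens))
    else:
        if len(tokens) > 8:
            raise ValueError("ip-address accepts 1 to 8 addresses")
        value = b"".join(ipaddress.IPv4Address(t).packed for t in tokens)
    if not 1 <= len(value) <= 255:
        raise ValueError("value must be 1 to 255 bytes, got %d" % len(value))
    warnings = []
    if code in DEDICATED:
        warnings.append("use '%s' for option %d" % (DEDICATED[code], code))
    if code in FIXED_LENGTH and len(value) != FIXED_LENGTH[code]:
        warnings.append("option %d must be %d byte(s), got %d"
                        % (code, FIXED_LENGTH[code], len(value)))
    return bytes([code, len(value)]) + value, warnings


def audit(lines):
    """Encode every line; return [(line, tlv_hex or None, [messages])]."""
    report = []
    for line in lines:
        try:
            tlv, warnings = encode_option(line)
            report.append((line, tlv.hex(), warnings))
        except ValueError as exc:
            report.append((line, None, ["error: %s" % exc]))
    return report


# Constructed input: the two commands from the guide, one line as it appears in
# "display dhcp server tree", and three lines written to trigger the checks.
SAMPLE_LINES = [
    "dhcp server option 7 ip-address 10.110.204.1",
    "dhcp server option 23 hex 40",
    "option 58 hex 00 00 A8 C0",
    "dhcp server option 23 hex 0040 vlan 2 to 4",
    "dhcp server option 6 ip-address 10.1.1.1 all",
    "dhcp server option 255 hex 00",
]

if __name__ == "__main__":
    for line, tlv_hex, messages in audit(SAMPLE_LINES):
        print("%-48s %-14s %s" % (line, tlv_hex, "; ".join(messages)))
```
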

NOTE
Using the option command, you can specify the options that need to be included in the DHCP response packets. Before using this command, you need to know the function of each option:
Option 77 identifies user types or applications of the DHCP client. Based on User Class in the Option field, the DHCP server selects the proper address pool and configuration parameters. Option 77 is usually configured by the client.

4.5.7 Checking the Configuration

Prerequisite
The configurations of the VLANIF interface address pool-based DHCP server are complete.

Procedure
- Run the display dhcp server tree vlan vlan-id command to check the information on the tree structure of the DHCP address pool on the VLANIF interface.
- Run the display dhcp server ip-in-use vlan vlan-id command to check the information on the DHCP address bound with the specified VLANIF interface.
- Run the display dhcp server expired vlan vlan-id command to check the expired lease in the DHCP address pool of the specified VLANIF interface.

----End

Example
Run the display dhcp server tree vlan command. If the tree structure information of DHCP address pools on VLANIF interfaces, such as DNS, IP lease and Option parameters, is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server tree vlan 2
Interface pool:
Pool name: Vlanif2
 network 50.1.1.0 mask 255.255.255.0
 gateway-list 50.1.1.1
 expired day 1 hour 0 minute 0

Run the display dhcp server ip-in-use vlan command. If the binding information of IP address on VLANIF interfaces, such as the hardware address and the IP lease, is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server ip-in-use vlan 2
IP address      Hardware address    Lease expiration    Type
50.1.1.12       0023-0034-0053      NOT Used            Manual

Run the display dhcp server expired vlan command.
If the expired IP address in the address pool on VLANIF interfaces is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server expired vlan 2
IP address      Hardware address    Lease expiration    Type

4.6 Configuring the Security Function for DHCP
This section describes how to enhance the security of the DHCP service.
4.6.1 Establishing the Configuration Task
4.6.2 Starting the Detection of the Pseudo DHCP Server on a DHCP Server
4.6.3 Avoiding Repetitive IP Address Assignment
4.6.4 Saving DHCP Data
4.6.5 Restoring DHCP Data
4.6.6 Checking the Configuration

4.6.1 Establishing the Configuration Task

Applicable Environment
After configuring the DHCP server, you need to configure the security function of the DHCP service. This enhances the security of the DHCP service and prevents pseudo DHCP servers from allocating invalid IP addresses to clients. By viewing logs, the administrator determines whether invalid DHCP servers allocate invalid IP addresses to clients.

Pre-configuration Tasks
- Before configuring the security function of DHCP, complete the DHCP server configuration.

Data Preparation
To configure the security function of the DHCP service, you need the following data.

No.  Data
1    Interval at which ping packets are sent and the number of ping packets
2    Interval for saving the DHCP data

4.6.2 Starting the Detection of the Pseudo DHCP Server on a DHCP Server

Context
If a private DHCP server exists in the network, it interacts with DHCP clients during address application, so users cannot obtain correct IP addresses and thus cannot log in to the network. Such a private DHCP server is called a pseudo DHCP server.
The logs contain IP addresses of all the DHCP servers that allocate IP addresses for clients.
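
The comparison an administrator makes on those server addresses, as an added example (not Huawei's implementation of dhcp server detect): it parses DHCP replies, takes the server identifier (option 54) from each OFFER, ACK or NAK, and reports every reply whose server is not on an allow-list. The packets, addresses, allow-list and function names are constructed for the example.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"              # marks the start of the DHCP options
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values sent by servers


def parse_options(field):
    """Walk the option TLVs; raise ValueError if one runs past the buffer."""
    options, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("option %d has no length byte" % code)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_server_reply(packet):
    """Return a summary dict for a DHCP OFFER/ACK/NAK, or None for other traffic."""
    if len(packet) < 240 or packet[0] != 2 or packet[236:240] != MAGIC_COOKIE:
        return None                              # not a BOOTREPLY with DHCP options
    options = parse_options(packet[240:])
    kind = options.get(53, b"")
    if len(kind) != 1 or kind[0] not in REPLY_TYPES:
        return None
    server_id = options.get(54, b"")
    mac = packet[28:28 + min(packet[2], 16)].hex()
    return {
        "type": REPLY_TYPES[kind[0]],
        "server": str(ipaddress.IPv4Address(server_id)) if len(server_id) == 4 else None,
        "offered": str(ipaddress.IPv4Address(packet[16:20])),
        "client": "-".join(mac[i:i + 4] for i in range(0, len(mac), 4)),
    }


def find_pseudo_servers(packets, authorized):
    """Return (alerts, malformed): replies from servers outside the allow-list."""
    alerts, malformed = [], 0
    for packet in packets:
        try:
            reply = parse_server_reply(packet)
        except ValueError:
            malformed += 1                       # count it, keep scanning
            continue
        # A reply without option 54 has server None and is reported as well.
        if reply and reply["server"] not in authorized:
            alerts.append(reply)
    return alerts, malformed


def build_reply(msg_type, server, offered, mac, xid=0x1234):
    """Construct a minimal server reply for the demo (test data, not a capture)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op htype hlen hops xid secs flags
    header += bytes(4)                                       # ciaddr
    header += ipaddress.IPv4Address(offered).packed          # yiaddr
    header += bytes(8)                                       # siaddr, giaddr
    header += bytes.fromhex(mac).ljust(16, b"\x00")          # chaddr
    header += bytes(192)                                     # sname and file
    options = bytes([53, 1, msg_type])
    if server:
        options += bytes([54, 4]) + ipaddress.IPv4Address(server).packed
    return header + MAGIC_COOKIE + options + b"\xff"


# Constructed sample: one authorized server, one unknown server, one damaged packet.
AUTHORIZED = {"10.1.1.1"}
SAMPLE_PACKETS = [
    build_reply(2, "10.1.1.1", "10.1.1.20", "020000000001"),
    build_reply(2, "192.168.0.1", "192.168.0.50", "020000000001"),
    build_reply(5, "10.1.1.1", "10.1.1.20", "020000000001"),
    build_reply(2, "10.1.1.1", "10.1.1.21", "020000000002")[:-3],  # option 54 cut short
]

if __name__ == "__main__":
    alerts, malformed = find_pseudo_servers(SAMPLE_PACKETS, AUTHORIZED)
    for alert in alerts:
        print("unauthorized DHCP %(type)s from %(server)s to %(client)s (%(offered)s)" % alert)
    print("malformed packets: %d" % malformed)
```
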
By viewing these logs, the administrator can determine whether a pseudo DHCP server exists.
Do as follows on the DHCP server:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dhcp server detect
Detecting the pseudo DHCP server is enabled on the DHCP server.
By default, this function is disabled.

----End

4.6.3 Avoiding Repetitive IP Address Assignment

Context
Do as follows on the DHCP server:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dhcp server ping timeout milliseconds
The time that the DHCP server waits for a response after sending ping packets is configured.
Step 3 Run:
    dhcp server ping packets number
The maximum number of ping packets sent by the DHCP server is configured.
By default, the maximum number of ping packets being sent is 2 and the longest waiting time for ping response packets is 500 ms.

----End

Postrequisite
Before assigning an address to a client, the DHCP server should probe the IP address to avoid address collision.
To do this, the server sends ping packets to the address to be assigned and checks whether a response arrives within the specified time. If there is no response after the specified time, the DHCP server re-sends ping packets to this address until it reaches the maximum number of ping packets allowed to be sent. If there is still no response, it indicates that the IP address is not in use. In this way, it is ensured that a unique IP address is assigned to the client.

4.6.4 Saving DHCP Data

Context
Do as follows on the DHCP server:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dhcp server database enable
Saving the DHCP data to the hard disk is enabled.
Step 3 Run:
    dhcp server database write-delay seconds
The time delay for saving the data is set.
By default, DHCP data is not saved to the hard disk. If the function is enabled, the default interval for saving the current DHCP data is 300 seconds, and the new data overwrites the previous data.

----End

Postrequisite
The system can save the current DHCP data to the hard disk and restore the data from the hard disk when the device fails.
The DHCP data is saved with a fixed file name on the hard disk. Normally, the IP leasing information is saved in the lease.txt file and the address collision information is saved in the conflict.txt file. Back up these two files to other directories because they are replaced regularly.

4.6.5 Restoring DHCP Data

Context
Do as follows on the DHCP server:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dhcp server database recover
DHCP data is restored from the hard disk.

----End

4.6.6 Checking the Configuration

Prerequisite
The configurations of the security function for DHCP are complete.

Procedure
- Run the display dhcp server conflict { all | ip ip-address } command to check the statistics of DHCP address collisions.
- Run the display dhcp server database command to check the storage path and file information of the DHCP database.

----End

Example
Run the display dhcp server conflict command. If the conflicted IP address and the time when the conflict occurs are displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server conflict all
Address         Discover Time
10.110.1.2      Jan 11 2003 11:57: 7 PM

Run the display dhcp server database command.
If the saved path of the DHCP data is displayed, it means that the configuration succeeds.
<HUAWEI> display dhcp server database
Status: disable
Recover from files after reboot: disable
File saving lease items: hda1:/dhcp/lease.txt
File saving conflict items: hda1:/dhcp/conflict.txt
Save Interval: 300 (seconds)

4.7 Configuring DHCP Relay
This section describes how to enable DHCP relay so that DHCP relay can forward DHCP requests from local clients to the DHCP server on other networks.
4.7.1 Establishing the Configuration Task
4.7.2 Configuring Relay
4.7.3 Checking the Configuration

4.7.1 Establishing the Configuration Task

Applicable Environment
When there is no DHCP server configured on the local network, enable the DHCP relay function on the other devices in the network. Thus, the DHCP relay can forward the DHCP requests from local clients to the DHCP server on the other network.
To ensure that the client can normally obtain the IP address, the server must be the DHCP server based on the global address pool. That is, the interface connecting the DHCP server to the DHCP relay must not be configured with any interface address pool.

NOTE
The number of relays between the server and the client cannot exceed four. Otherwise, the DHCP packet is discarded.

Pre-configuration Tasks
Before configuring the DHCP relay, complete the following tasks:
- Configuring the DHCP server
- Configuring the interface of the relay
- Configuring the routes from the relay to the DHCP server

Data Preparation
To configure the DHCP relay, you need the following data.

No.  Data
1    IP address of the DHCP server
2    Number of the interface on which the DHCP relay function is to be enabled
3    Number of the VLAN on which the DHCP relay function is to be enabled
4    (Optional) IP address to be released and the corresponding MAC address
5    DHCP option that needs to be associated with the DHCP server address and the relay agent address

4.7.2 Configuring Relay

Context
When a client and a DHCP server are not on the same network segment, you can configure the address of the interface that functions as the DHCP relay agent of the DHCP server. In this manner, the client can send a Request packet that is forwarded by the DHCP relay agent to the DHCP server, and then the client can be assigned an IP address.
On the relay device, you can also configure the association between the DHCP option and the DHCP server address and the association between the DHCP option and the relay agent address. According to the option field in the DHCP Request packet, the relay agent can identify the type of the client and thus forward the Request packet to the corresponding DHCP server. This helps the DHCP server assign the IP addresses of different network segments to the clients with different services.
If no DHCP option is configured to associate with either the DHCP server address or the relay agent address, the relay device needs to check whether a DHCP server address is configured on the interface (that is, the interface functions as the relay agent of the DHCP server). If the interface is configured with the relay function, the relay agent forwards packets to the corresponding DHCP server; otherwise, the packets are discarded.
You can configure relay in the interface view and system view.

NOTE
Because the DHCP client may send broadcast packets during DHCP configuration, the interface where IP relay is enabled should support the broadcast mode.
This IP address must be in the same network segment with the IP addresses in the address pool on the DHCP server.
An interface can function as the relay agent for up to 20 DHCP server addresses.
Do as follows on the router acting as the DHCP relay:

Procedure
- Configuring the DHCP relay function in the interface view
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         interface interface-type interface-number
     The interface view is displayed.
  3. Run:
         ip address ip-address { mask | mask-length }
     The primary IP address of the interface is configured.
  4. (Optional) Run:
         ip address ip-address { mask | mask-length } sub
     The secondary IP address of the interface is configured.
  5. Run:
         dhcp select relay
     The DHCP relay function is enabled.
  6. Run:
         ip relay address ip-address [ dhcp-option { 60 [ option-text ] | code } ]
     The address of the DHCP server for which the interface functions as the relay agent is configured. It is optional to associate the DHCP option with the DHCP server address.
  7. (Optional) Run:
         ip relay giaddr ip-address [ dhcp-option { 60 [ option-text ] | code } ]
     The DHCP option is configured to associate with the primary or secondary IP address of the interface.
     By default, the primary IP address of the interface on the relay device functions as the relay agent address.
- Configuring the DHCP relay function in the system view
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         dhcp select relay { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> }
     The DHCP relay function is enabled globally.
  3. Run:
         ip relay address ip-address { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number | vlan vlan-id }
     The IP address of the DHCP server for which the multiple interfaces function as the relay agent is configured.

----End

4.7.3 Checking the Configuration

Prerequisite
The configurations of the DHCP relay are complete.

Procedure
- Run the display dhcp relay statistics command to check the related statistics of the DHCP relay.
- Run the display dhcp relay address { all | interface interface-type interface-number | vlan vlan-id } command to check the DHCP configuration of the interface enabled with the DHCP relay function.

----End

Example
Run the display dhcp relay address command to view the DHCP configurations of all interfaces.
<HUAWEI> display dhcp relay address all
** GigabitEthernet1/0/0 DHCP Relay Address **
*:option is none, (*):option-text is none
Dhcp Option     Relay Agent IP      Server IP
*               10.1.1.1            70.1.1.2
                                    101.40.1.2
45              20.1.1.1            101.40.1.2
60(*)           30.1.1.1            202.40.1.2
60(abc)         40.1.1.1            202.40.1.2

Run the display dhcp relay statistics command. If statistics of DHCP relay, such as the number of wrong DHCP packets and the number of various DHCP packets, is displayed, it means that the configuration succeeds.
    <HUAWEI> display dhcp relay statistics
    Bad Packets received:                 0
    DHCP packets received from clients:   2
      DHCP DISCOVER packets received:     1
      DHCP REQUEST packets received:      1
      DHCP INFORM packets received:       0
      DHCP DECLINE packets received:      0
    DHCP packets received from servers:   2
      DHCP OFFER packets received:        1
      DHCP ACK packets received:          1
      DHCP NAK packets received:          0
    DHCP packets sent to servers:         1
    DHCP packets sent to clients:         1
      Unicast packets sent to clients:    0
      Broadcast packets sent to clients:  0

4.8 Maintaining DHCP

This section describes how to clear the statistics about DHCP and debug DHCP.

4.8.1 Resetting DHCP
4.8.2 Releasing Conflicting IP Addresses
4.8.3 (Optional) Requesting the DHCP Server to Release IP Addresses of the Client
4.8.4 Clearing DHCP Statistics
4.8.5 Monitoring Network Operation Status of DHCP

4.8.1 Resetting DHCP

Context

CAUTION
Resetting DHCP bindings through the reset dhcp command interrupts the operation of the DHCP server. Confirm the action before you clear the DHCP binding information.

Procedure

- Run the reset dhcp server ip-in-use ip-address command in the user view to reset the information about the binding of the specified IP address.
- Run the reset dhcp server ip-in-use pool [ pool-name ] command in the user view to reset the information about the dynamic address bindings of the global address pool.
- Run the reset dhcp server ip-in-use interface [ interface-type interface-number ] command in the user view to reset the information about the dynamic address bindings of the interface address pool.
- Run the reset dhcp server ip-in-use vlan vlan-id command in the user view to reset the information about dynamic IP address bindings on the address pool of the VLANIF interface.
- Run the reset dhcp server ip-in-use all command in the user view to reset the information about the dynamic address bindings of all the address pools.

----End

4.8.2 Releasing Conflicting IP Addresses

Context

The DHCP server detects conflicting IP addresses through the ping command, while the DHCP client detects conflicting IP addresses by sending ARP packets.

CAUTION
After the conflicting IP addresses are released, they can be reallocated by the DHCP server.

Procedure

- Run the reset dhcp server conflict ip ip-address command to release the conflicting IP addresses in the specified address pool.
- Run the reset dhcp server conflict all command to release all conflicting IP addresses.

----End

4.8.3 (Optional) Requesting the DHCP Server to Release IP Addresses of the Client

Context

Do as follows on the router acting as the DHCP relay:

Procedure

- Requesting all the DHCP servers to release an IP address.
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         dhcp relay release client-ip-address mac-address
     The DHCP servers are requested to release the IP address that the client applied for.
- Requesting the specified DHCP server to release an IP address.
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         dhcp relay release client-ip-address mac-address server-ip-address
     The specified DHCP server is requested to release the IP address that the client applied for.
- Requesting the DHCP server connected with the interface to release an IP address.
  1. Run:
         system-view
     The system view is displayed.
  2. Run:
         interface interface-type interface-number
     The interface view is displayed.
  3. Run:
         dhcp relay release client-ip-address mac-address [ server-ip-address ]
     The DHCP server connected with the interface on the DHCP relay is requested to release the IP address that the client applied for.

----End

4.8.4 Clearing DHCP Statistics

Context

CAUTION
DHCP statistics cannot be restored after you clear them. Confirm the action before you use the command.

Procedure

- Run the reset dhcp server statistics command in the user view to clear the DHCP server statistics.
- Run the reset dhcp relay statistics command in the user view to clear the DHCP relay statistics.

----End

4.8.5 Monitoring Network Operation Status of DHCP

Context

In routine maintenance, you can run the following commands in any view to check the operation of DHCP.

Procedure

- Run the display dhcp server free-ip command in any view to check the information about available IP addresses in the DHCP address pool.
- Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command in any view to check the information about the IP addresses with expired leases in the DHCP address pool.
- Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] | vlan vlan-id } command in any view to check the information about address bindings.
- Run the display dhcp server statistics command in any view to check the statistics about the DHCP server.
- Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] | vlan vlan-id } command in any view to check the information about the tree structure of the DHCP address pool.
- Run the display dhcp server conflict { all | ip ip-address } command in any view to check the information about the conflict addresses in the DHCP address pool.
- Run the display dhcp server database command in any view to check the path at which the DHCP database is saved and file information about the database.
- Run the display interface [ interface-type interface-number ] command in any view to check the relay address of the interface.
- Run the display dhcp relay address { all | interface interface-type interface-number | vlan vlan-id } command in any view to check configurations about the DHCP relay address.

----End

4.9 Configuration Examples

This section provides several configuration examples of the DHCP server and DHCP relay.

4.9.1 Example for Configuring the Global Address Pool-based DHCP Server
4.9.2 Example for Configuring the Interface Address Pool-based DHCP Server
4.9.3 Example for Configuring the Sub-interface Address Pool-based DHCP Server
4.9.4 Example for Configuring the VLANIF Interface Address Pool-based DHCP Server
4.9.5 Example for Configuring DHCP Relay
4.9.6 Example for Configuring the DHCP Option Association

4.9.1 Example for Configuring the Global Address Pool-based DHCP Server

Networking Requirements

As shown in Figure 4-1, a DHCP server dynamically assigns the IP addresses to a client in the same network segment. The address pool segment 10.1.1.0/24 is divided into two segments: 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of the two Ethernet interfaces on the DHCP server are 10.1.1.1/25 and 10.1.1.129/25.

The IP lease of the segment 10.1.1.0/25 is 10 days and 12 hours, with domain name as huawei.com, DNS address as 10.1.1.2, egress device address as 10.1.1.126 and without the NetBIOS address.
The IP lease of the segment 10.1.1.128/25 is 5 days, with DNS address as 10.1.1.2, egress device address as 10.1.1.254, and NetBIOS address as 10.1.1.4.

Figure 4-1 Networking diagram of the DHCP server and the client that are in the same network segment
(Diagram labels: DHCP server, GE1/0/0 10.1.1.1/25, GE1/0/1 10.1.1.129/25, Network: 10.1.1.0/25, Network: 10.1.1.128/25, DHCP clients, DNS server, NetBIOS server.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP.
2. Configure the IP addresses that need not be assigned automatically, such as IP addresses of the DNS server, the NetBIOS server and the egress gateway.
3. Configure an address pool, including the address range and the domain name, and configure the IP address of the DNS server.
4. Configure related attributes for the address pool, such as the address range, the egress gateway, the IP address of the NetBIOS server and the IP lease.

This example covers the configurations of three address pools. Address pool 0 is configured with the common attributes of all clients; address pool 1 and address pool 2 are configured with different attributes of various clients.

In this example, you can configure only address pool 1 and address pool 2. They cannot adopt configurations of the root address pool. You need to configure attributes for them respectively.

Data Preparation

To complete the configuration, you need the following data:

- IP addresses that need not be assigned automatically
- Address pool number

Procedure

Step 1 Configure the DHCP server.

# Enable DHCP on the device.
    <HUAWEI> system-view
    [HUAWEI] sysname HUAWEI
    [HUAWEI] dhcp enable

# Configure the IP addresses that do not participate in auto-allocation, including addresses of the DNS server, the NetBIOS server and the egress gateway.

    [HUAWEI] dhcp server forbidden-ip 10.1.1.2
    [HUAWEI] dhcp server forbidden-ip 10.1.1.4
    [HUAWEI] dhcp server forbidden-ip 10.1.1.126
    [HUAWEI] dhcp server forbidden-ip 10.1.1.254

# Configure general attributes of DHCP address pool 0, including the address pool range, domain name and the IP address of the DNS server.

    [HUAWEI] dhcp server ip-pool 0
    [HUAWEI-dhcp-0] network 10.1.1.0 mask 255.255.255.0
    [HUAWEI-dhcp-0] domain-name huawei.com
    [HUAWEI-dhcp-0] dns-list 10.1.1.2
    [HUAWEI-dhcp-0] quit

# Configure attributes of DHCP address pool 1, including the address pool range, egress gateway and the IP lease.

    [HUAWEI] dhcp server ip-pool 1
    [HUAWEI-dhcp-1] network 10.1.1.0 mask 255.255.255.128
    [HUAWEI-dhcp-1] expired day 10 hour 12
    [HUAWEI-dhcp-1] gateway-list 10.1.1.126
    [HUAWEI-dhcp-1] quit

# Configure attributes of DHCP address pool 2, including the address pool range, egress gateway, the IP address of the NetBIOS server and the IP lease.

    [HUAWEI] dhcp server ip-pool 2
    [HUAWEI-dhcp-2] network 10.1.1.128 mask 255.255.255.128
    [HUAWEI-dhcp-2] expired day 5
    [HUAWEI-dhcp-2] nbns-list 10.1.1.4
    [HUAWEI-dhcp-2] gateway-list 10.1.1.254
    [HUAWEI-dhcp-2] quit

# Configure the clients of the GE 1/0/0 to obtain their IP addresses from the global address pool.
    [HUAWEI] interface gigabitethernet 1/0/0
    [HUAWEI-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.128
    [HUAWEI-GigabitEthernet1/0/0] dhcp select global
    [HUAWEI-GigabitEthernet1/0/0] undo shutdown
    [HUAWEI-GigabitEthernet1/0/0] quit

# Configure the clients of the GE 1/0/1 to obtain their IP addresses from the global address pool.

    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.129 255.255.255.128
    [HUAWEI-GigabitEthernet1/0/1] dhcp select global
    [HUAWEI-GigabitEthernet1/0/1] undo shutdown
    [HUAWEI-GigabitEthernet1/0/1] quit

Step 2 Verify the configuration.

After the configuration, run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

    [HUAWEI] display dhcp server tree all
    Global pool:

    Pool name: 0
     Child node:1
     network 10.1.1.0 mask 255.255.255.0
     dns-list 10.1.1.2
     domain-name huawei.com
     expired day 1 hour 0 minute 0

    Pool name: 1
     Parent node:0 Sibling node:2
     network 10.1.1.0 mask 255.255.255.128
     gateway-list 10.1.1.126
     dns-list 10.1.1.2
     domain-name huawei.com
     expired day 10 hour 12 minute 0

    Pool name: 2
     Parent node:0 PrevSibling node:1
     network 10.1.1.128 mask 255.255.255.128
     gateway-list 10.1.1.254
     dns-list 10.1.1.2
     domain-name huawei.com
     nbns-list 10.1.1.4
     expired day 5 hour 0 minute 0

----End

Configuration File

The configuration file of HUAWEI is as follows:
    #
    sysname HUAWEI
    #
    dhcp server ip-pool 0
     network 10.1.1.0 mask 255.255.255.0
     dns-list 10.1.1.2
     domain-name huawei.com
    #
    dhcp server ip-pool 1
     network 10.1.1.0 mask 255.255.255.128
     gateway-list 10.1.1.126
     expired day 10 hour 12
    #
    dhcp server ip-pool 2
     network 10.1.1.128 mask 255.255.255.128
     gateway-list 10.1.1.254
     nbns-list 10.1.1.4
     expired day 5
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 10.1.1.1 255.255.255.128
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip address 10.1.1.129 255.255.255.128
    #
    dhcp server forbidden-ip 10.1.1.2
    dhcp server forbidden-ip 10.1.1.4
    dhcp server forbidden-ip 10.1.1.126
    dhcp server forbidden-ip 10.1.1.254
    #
    return

NOTE
By default, IP addresses in the global address pool are assigned. So, the configuration file does not contain the dhcp select global command.

4.9.2 Example for Configuring the Interface Address Pool-based DHCP Server

Networking Requirements

As shown in Figure 4-2, the network 10.1.1.0/24 is of a smaller size. GE 1/0/0 connects with two DHCP clients and two servers. To assign IP addresses for the clients dynamically, configure a DHCP server based on the address pool on GE 1/0/0. After GE 1/0/0 is configured with the IP address 10.1.1.1/24, addresses from 10.1.1.2/24 to 10.1.1.254/24 can be assigned to the clients.

Figure 4-2 Networking diagram of the DHCP server based on the address pool on the interface
(Diagram labels: Router (DHCP server), GE1/0/0 10.1.1.1/24, NetBIOS server 10.1.1.3/24, DNS server 10.1.1.2/24, DHCP clients.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP.
2. Configure the IP addresses that need not be assigned automatically, such as IP addresses of the DNS server, the NetBIOS server and the egress gateway.
3. Configure the IP address of the interface, the IP address of the DNS server, and the domain name.
4. Enable the address pool on the interface.
5. (Optional) Configure related attributes for the address pool, such as the egress gateway, the IP address of the NetBIOS server, the IP lease, and the security function.

Data Preparation

To complete the configuration, you need the following data:

- IP addresses that need not be assigned automatically
- IP address of the interface

Procedure

Step 1 Configure the DHCP server.

# Enable DHCP on the device.

    <HUAWEI> system-view
    [HUAWEI] sysname HUAWEI
    [HUAWEI] dhcp enable

# Configure the IP addresses that do not participate in auto-allocation, including IP addresses of the DNS server and the NetBIOS server.

    [HUAWEI] dhcp server forbidden-ip 10.1.1.2
    [HUAWEI] dhcp server forbidden-ip 10.1.1.3

# Configure the IP address of GE 1/0/0.

    [HUAWEI] interface gigabitethernet 1/0/0
    [HUAWEI-GigabitEthernet1/0/0] ip address 10.1.1.1 24

# Enable the address pool on the interface.

    [HUAWEI-GigabitEthernet1/0/0] dhcp select interface

# Configure the domain name and IP addresses of the DNS server and NetBIOS server.

    [HUAWEI-GigabitEthernet1/0/0] dhcp server domain-name huawei.com
    [HUAWEI-GigabitEthernet1/0/0] dhcp server dns-list 10.1.1.2
    [HUAWEI-GigabitEthernet1/0/0] dhcp server nbns-list 10.1.1.3
    [HUAWEI-GigabitEthernet1/0/0] dhcp server netbios-type b-node

# (Optional) Configure the IP lease and detection of pseudo DHCP server.
    [HUAWEI-GigabitEthernet1/0/0] dhcp server expired day 10 hour 12
    [HUAWEI-GigabitEthernet1/0/0] undo shutdown
    [HUAWEI-GigabitEthernet1/0/0] quit
    [HUAWEI] dhcp server detect

Step 2 Verify the configuration.

After the configuration, run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

    [HUAWEI] display dhcp server tree all
    Interface pool:

    Pool name: GigabitEthernet2/0/3
     network 10.1.1.0 mask 255.255.255.0
     gateway-list 10.1.1.1
     dns-list 10.1.1.2
     domain-name huawei.com
     nbns-list 10.1.1.3
     netbios-type b-node
     expired day 10 hour 12 minute 0

----End

Configuration File

The configuration file of HUAWEI is as follows:

    #
    sysname HUAWEI
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 10.1.1.2
     dhcp server domain-name huawei.com
     dhcp server nbns-list 10.1.1.3
     dhcp server netbios-type b-node
     dhcp server expired day 10 hour 12
    #
    dhcp server forbidden-ip 10.1.1.2
    dhcp server forbidden-ip 10.1.1.3
    dhcp server detect
    #
    return

4.9.3 Example for Configuring the Sub-interface Address Pool-based DHCP Server

Networking Requirements

As shown in Figure 4-3, GE 1/0/0 has two sub-interfaces. To be more effective, configure address pools on several sub-interfaces so that the PCs that are in the same VLAN with the sub-interfaces can dynamically obtain their IP addresses from the address pool.

VLAN10 and VLAN20 are connected with the switch, as shown in the following diagram. On the switch, set GE0/0/4 that is connected with the device to be a Trunk interface. Configure the interfaces on the device to allow frames from VLAN10 and VLAN20 to pass.
Configure the interfaces that connect the switch with PCs to join the corresponding default VLANs.

Figure 4-3 Networking diagram of the DHCP server based on the address pools on the sub-interfaces
(Diagram labels: DHCP server, GE1/0/0.1 10.1.1.1/24, GE1/0/0.2 10.1.2.1/24, GE0/0/4, VLAN 10, VLAN 20, NetBIOS server 10.1.1.3/24, DNS server 10.1.2.2/24, DHCP clients.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP.
2. Configure the IP addresses that need not be assigned automatically, such as IP addresses of the DNS server, the NetBIOS server and the egress gateway.
3. Create sub-interfaces, configure IP addresses for them and encapsulate them with 802.1Q.
4. Enable the address pool for the sub-interfaces.
5. Configure related attributes for the address pool, such as the domain name, IP addresses of the NetBIOS server and the DNS server, and the IP lease.

Data Preparation

To complete the configuration, you need the following data:

- IP addresses that need not be assigned automatically
- IP address of the interface

Procedure

Step 1 Configure the DHCP server.

# Enable DHCP on the device.

    <HUAWEI> system-view
    [HUAWEI] sysname HUAWEI
    [HUAWEI] dhcp enable

# Configure the IP addresses that do not participate in auto-allocation, including IP addresses of the DNS server and NetBIOS server.

    [HUAWEI] dhcp server forbidden-ip 10.1.2.2
    [HUAWEI] dhcp server forbidden-ip 10.1.1.3

# Create sub-interface GE 1/0/0.1, configure its IP address, and encapsulate it with 802.1Q.
    [HUAWEI] interface gigabitethernet 1/0/0.1
    [HUAWEI-GigabitEthernet1/0/0.1] vlan-type dot1q 20
    [HUAWEI-GigabitEthernet1/0/0.1] ip address 10.1.1.1 24
    [HUAWEI-GigabitEthernet1/0/0.1] undo shutdown
    [HUAWEI-GigabitEthernet1/0/0.1] quit

# Create sub-interface GE 1/0/0.2, configure its IP address, and encapsulate it with 802.1Q.

    [HUAWEI] interface gigabitethernet 1/0/0.2
    [HUAWEI-GigabitEthernet1/0/0.2] vlan-type dot1q 10
    [HUAWEI-GigabitEthernet1/0/0.2] ip address 10.1.2.1 24
    [HUAWEI-GigabitEthernet1/0/0.2] undo shutdown
    [HUAWEI-GigabitEthernet1/0/0.2] quit

# Enable the address pool that is based on sub-interfaces.

    [HUAWEI] dhcp select interface interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2

# Configure the domain name and IP addresses of the DNS server and NetBIOS server.

    [HUAWEI] dhcp server domain-name huawei.com interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2
    [HUAWEI] dhcp server dns-list 10.1.2.2 interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2
    [HUAWEI] dhcp server nbns-list 10.1.1.3 interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2
    [HUAWEI] dhcp server netbios-type b-node interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2

# Configure the IP lease for the address pool.

    [HUAWEI] dhcp server expired day 10 hour 12 interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2

Step 2 Verify the configuration.

After the configuration, run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

    [HUAWEI] display dhcp server tree all
    Interface pool:

    Pool name: GigabitEthernet1/0/0.1
     network 10.1.1.0 mask 255.255.255.0
     gateway-list 10.1.1.1
     dns-list 10.1.2.2
     domain-name huawei.com
     nbns-list 10.1.1.3
     netbios-type b-node
     expired day 10 hour 12 minute 0

    Pool name: GigabitEthernet1/0/0.2
     network 10.1.2.0 mask 255.255.255.0
     gateway-list 10.1.2.1
     dns-list 10.1.2.2
     domain-name huawei.com
     nbns-list 10.1.1.3
     netbios-type b-node
     expired day 10 hour 12 minute 0

After the preceding configurations, PCs in VLAN 10 and VLAN 20 can obtain IP addresses from the address pools of the sub-interfaces. PCs in the two VLANs can ping each other.

----End

Configuration File

The configuration file of the router is as follows:

    #
    interface GigabitEthernet1/0/0.1
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
     vlan-type dot1q 20
     dhcp select interface
     dhcp server dns-list 10.1.2.2
     dhcp server domain-name huawei.com
     dhcp server nbns-list 10.1.1.3
     dhcp server netbios-type b-node
     dhcp server expired day 10 hour 12
    #
    interface GigabitEthernet 1/0/0.2
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
     vlan-type dot1q 10
     dhcp select interface
     dhcp server dns-list 10.1.2.2
     dhcp server domain-name huawei.com
     dhcp server nbns-list 10.1.1.3
     dhcp server netbios-type b-node
     dhcp server expired day 10 hour 12
    #
    dhcp server forbidden-ip 10.1.2.2
    dhcp server forbidden-ip 10.1.1.3
    #
    return

4.9.4 Example for Configuring the VLANIF Interface Address Pool-based DHCP Server

Networking Requirements

Figure 4-4 shows the diagram of applying the VLANIF-interface-based address pool to the device that supports switched Ethernet interfaces. The Ethernet interface cannot be configured with an IP address, so you need to create a VLANIF interface and configure a DHCP address pool on it to assign IP addresses.
Figure 4-4 Networking diagram of the DHCP server based on the address pool on the VLANIF interface
(Diagram labels: DHCP server, Vlanif10 GE1/0/0 10.1.1.1/24, Vlanif11 GE1/0/1 10.1.2.1/24, NetBIOS server 10.1.1.3/24, DNS server 10.1.1.2/24, DHCP clients.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP.
2. Configure the IP addresses that need not be assigned automatically, such as IP addresses of the DNS server and the NetBIOS server.
3. Create VLANIF interfaces and configure IP addresses for them.
4. Enable the address pool that is based on the VLANIF interface.
5. Configure related attributes for the address pool, such as the domain name, IP addresses of the NetBIOS server and the DNS server, and the IP lease.

Data Preparation

To complete the configuration, you need the following data:

- IP addresses that need not be assigned automatically
- IP address of the interface

Procedure

Step 1 Configure the DHCP server.

# Enable DHCP on the device.

    <HUAWEI> system-view
    [HUAWEI] sysname HUAWEI
    [HUAWEI] dhcp enable

# Configure the IP addresses that do not participate in auto-allocation, including IP addresses of the DNS server and NetBIOS server.

    [HUAWEI] dhcp server forbidden-ip 10.1.1.2
    [HUAWEI] dhcp server forbidden-ip 10.1.1.3

# Create a VLAN.

    [HUAWEI] vlan 10
    [HUAWEI-vlan10] quit
    [HUAWEI] vlan 11
    [HUAWEI-vlan11] quit

# Configure attributes for the switched Ethernet interface and join the interface to a VLAN.
    [HUAWEI] interface gigabitethernet 1/0/0
    [HUAWEI-GigabitEthernet1/0/0] portswitch
    [HUAWEI-GigabitEthernet1/0/0] port default vlan 10
    [HUAWEI-GigabitEthernet1/0/0] undo shutdown
    [HUAWEI-GigabitEthernet1/0/0] quit
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] portswitch
    [HUAWEI-GigabitEthernet1/0/1] port default vlan 11
    [HUAWEI-GigabitEthernet1/0/1] undo shutdown
    [HUAWEI-GigabitEthernet1/0/1] quit

# Create a VLANIF interface and configure an IP address for the VLANIF interface.

    [HUAWEI] interface vlanif 10
    [HUAWEI-Vlanif10] ip address 10.1.1.1 24
    [HUAWEI-Vlanif10] undo shutdown
    [HUAWEI-Vlanif10] quit
    [HUAWEI] interface vlanif 11
    [HUAWEI-Vlanif11] ip address 10.1.2.1 24
    [HUAWEI-Vlanif11] undo shutdown
    [HUAWEI-Vlanif11] quit

# Enable the address pool on the VLANIF interface.

    [HUAWEI] dhcp select interface vlan 10 to 11

# Configure the domain name of the address pool and IP addresses of the DNS server and the NetBIOS server.

    [HUAWEI] dhcp server domain-name huawei.com vlan 10 to 11
    [HUAWEI] dhcp server dns-list 10.1.1.2 vlan 10 to 11
    [HUAWEI] dhcp server nbns-list 10.1.1.3 vlan 10 to 11
    [HUAWEI] dhcp server netbios-type b-node vlan 10 to 11

# Configure the IP lease.

    [HUAWEI] dhcp server expired day 10 hour 12 vlan 10 to 11

Step 2 Verify the configuration.

After the configuration, run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

    [HUAWEI] display dhcp server tree all
    Interface pool:

    Pool name: Vlanif10
     network 10.1.1.0 mask 255.255.255.0
     gateway-list 10.1.1.1
     dns-list 10.1.1.2
     domain-name huawei.com
     nbns-list 10.1.1.3
     netbios-type b-node
     expired day 10 hour 12 minute 0
    Pool name: Vlanif11
     network 10.1.2.0 mask 255.255.255.0
     gateway-list 10.1.2.1
     dns-list 10.1.1.2
     domain-name huawei.com
     nbns-list 10.1.1.3
     netbios-type b-node
     expired day 10 hour 12 minute 0

----End

Configuration File

The configuration file of HUAWEI is as follows:

    #
    sysname HUAWEI
    #
    vlan batch 10 to 11
    #
    interface Vlanif10
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 10.1.1.2
     dhcp server domain-name huawei.com
     dhcp server nbns-list 10.1.1.3
     dhcp server netbios-type b-node
     dhcp server expired day 10 hour 12
    #
    interface Vlanif11
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 10.1.1.2
     dhcp server domain-name huawei.com
     dhcp server nbns-list 10.1.1.3
     dhcp server netbios-type b-node
     dhcp server expired day 10 hour 12
    #
    interface gigabitEthernet1/0/0
     undo shutdown
     portswitch
     port default vlan 10
    #
    interface gigabitEthernet1/0/1
     undo shutdown
     portswitch
     port default vlan 11
    #
    dhcp server forbidden-ip 10.1.1.2
    dhcp server forbidden-ip 10.1.1.3
    #
    return

4.9.5 Example for Configuring DHCP Relay

Networking Requirements

As shown in Figure 4-5, the DHCP client is in the network segment 10.110.0.0/16, while the DHCP server is in the network segment 202.40.0.0/16. A DHCP relay device is needed to forward DHCP packets so that the DHCP client obtains the IP addresses from the DHCP server.

The DHCP server is assigned with an address pool in the network segment 10.100.0.0/16. The IP address of the DNS server is 10.100.1.2/16, the IP address of the NetBIOS server is 10.100.1.3/16, and the IP address of the gateway is 10.100.1.4. On the DHCP server, the routing table must contain at least one reachable route to the network segment 10.110.0.0.

Figure 4-5 Networking diagram for configuring DHCP relay
(Diagram labels: RouterA (DHCP relay), GE1/0/0 10.100.1.1/16, POS2/0/0 202.40.1.1/16, RouterB (DHCP server), POS1/0/0 202.40.1.2/16, DNS server 10.100.1.2/16, NetBIOS server 10.100.1.3/16, DHCP clients.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP on Router A that acts as the DHCP relay.
2. Configure POS 2/0/0 that needs to implement the DHCP relay function.
3. Configure the address of the DHCP server for which the interface functions as the relay agent for GE 1/0/0 and enable DHCP relay on GE 1/0/0.
4. Configure a route from the DHCP server Router B to GE 1/0/0 of Router A.
5. Enable DHCP on Router B.
6. Configure the clients attached to POS 1/0/0 to obtain IP addresses through the global address pool.
7. Configure a global address pool on Router B.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the interface that needs to be enabled with DHCP relay
- IP address of the DHCP server

Procedure

Step 1 Configure the DHCP relay.

# Enable DHCP on the device.

    <HUAWEI> system-view
    [HUAWEI] sysname RouterA
    [RouterA] dhcp enable

# Configure an IP address for POS 2/0/0.

    [RouterA] interface pos 2/0/0
    [RouterA-Pos2/0/0] ip address 202.40.1.1 255.255.0.0
    [RouterA-Pos2/0/0] undo shutdown
    [RouterA-Pos2/0/0] quit

# Enter the view of the interface that needs to be enabled with DHCP relay. Configure the IP address and mask of the interface, which should be in the same network segment with that of the DHCP client.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.100.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure the DHCP server.
# On Router B, configure routes to GE 1/0/0 that connects Router A and its client.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip route-static 10.100.0.0 255.255.0.0 202.40.1.1
# Enable DHCP.
[RouterB] dhcp enable
# Configure the clients of POS 1/0/0 to obtain the IP addresses from the global address pool.
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 202.40.1.2 255.255.0.0
[RouterB-Pos1/0/0] dhcp select global
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
# Configure the IP addresses that do not participate in auto-allocation, including the IP addresses of the DNS server, the NetBIOS server and the egress gateway.
[RouterB] dhcp server forbidden-ip 10.100.1.2
[RouterB] dhcp server forbidden-ip 10.100.1.3
[RouterB] dhcp server forbidden-ip 10.100.1.4
# Configure attributes of DHCP address pool 1, including the address pool range, domain name, egress gateway, the IP address of the DNS server and IP lease.
[RouterB] dhcp server ip-pool 1
[RouterB-dhcp-1] network 10.100.0.0 mask 255.255.0.0
[RouterB-dhcp-1] domain-name huawei.com
[RouterB-dhcp-1] dns-list 10.100.1.2
[RouterB-dhcp-1] nbns-list 10.100.1.3
[RouterB-dhcp-1] gateway-list 10.100.1.4
[RouterB-dhcp-1] expired day 10 hour 12
[RouterB-dhcp-1] quit

Step 3 Verify the configuration.
Run the display dhcp server tree command on the DHCP server. If the tree structure of the DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, the configuration has succeeded.
[RouterB] display dhcp server tree all
Global pool:
Pool name: 1
 network 10.100.0.0 mask 255.255.0.0
 gateway-list 10.100.1.4
 dns-list 10.100.1.2
 domain-name huawei.com
 nbns-list 10.100.1.3
 expired day 10 hour 12 minute 0

Run the display dhcp relay address command on the DHCP relay device to view configurations of the relay IP address.
[RouterA] display dhcp relay address all
** GigabitEthernet1/0/0 DHCP Relay Address **
Dhcp Option    Relay Agent IP    Server IP
*              -                 202.40.1.2
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.100.1.1 255.255.0.0
 ip relay address 202.40.1.2
 dhcp select relay
#
interface Pos 2/0/0
 link-protocol ppp
 undo shutdown
 ip address 202.40.1.1 255.255.0.0
#
return

- Configuration file of Router B
#
 sysname RouterB
#
dhcp server ip-pool 1
 network 10.100.0.0 mask 255.255.0.0
 gateway-list 10.100.1.4
 dns-list 10.100.1.2
 domain-name huawei.com
 nbns-list 10.100.1.3
 expired day 10 hour 12
#
interface Pos 1/0/0
 link-protocol ppp
 undo shutdown
 ip address 202.40.1.2 255.255.0.0
#
 dhcp server forbidden-ip 10.100.1.2
 dhcp server forbidden-ip 10.100.1.3
 dhcp server forbidden-ip 10.100.1.4
#
 ip route-static 10.100.0.0 255.255.0.0 202.40.1.1
#
return

4.9.6 Example for Configuring the DHCP Option Association

Networking Requirements
As shown in Figure 4-6, the four DHCP clients transmit different types of services. After the DHCP option is configured to associate with the addresses of the DHCP server and relay agent, packets from clients can be forwarded to the corresponding DHCP server.
In this manner, configuration information such as the IP address can be provided for different clients.
As a DHCP server, Router B is configured with two global address pools, for the network segments 10.1.0.0/16 and 20.1.0.0/16 respectively. In addition, Router B is configured with the route to the relay device Router A. On the network segment 10.1.0.0/16, 10.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway. On the network segment 20.1.0.0/16, 20.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway.
As a DHCP server, Router C is configured with two global address pools, for the network segments 30.1.0.0/16 and 40.1.0.0/16 respectively. In addition, Router C is configured with the route to the relay device Router A. On the network segment 30.1.0.0/16, 30.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway. On the network segment 40.1.0.0/16, 40.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway.

[Figure 4-6 Networking diagram of configuring the DHCP option association. Image not reproduced; labels: DHCP clientA, DHCP clientB, DHCP clientC, DHCP clientD, DSLAM, RouterA as DHCP relay with GE1/0/0 10.1.1.1/16, 20.1.1.1/16 sub, 30.1.1.1/16 sub, 40.1.1.1/16 sub, POS2/0/0 101.40.1.1/16 and POS3/0/0 202.40.1.1/16, RouterB as DHCP server with POS1/0/0 101.40.1.2/16, RouterC as DHCP server with POS1/0/0 202.40.1.2/16.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the association between the DHCP option and the IP address of each interface on Router A.
2. Configure the DHCP function and address pools on Router B.
3. Configure the DHCP function and address pools on Router C.
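The option association described above can be modelled as a lookup from the DHCP options in a client request to a relay agent address (giaddr) and a DHCP server. The following Python sketch is an added illustration, not Huawei code: it uses the four associations that this example configures on GE 1/0/0 of Router A. It assumes exact matching on option-60 content and a most-specific-first precedence, neither of which this guide documents; the sample packets are constructed.

```python
import ipaddress

MAGIC_COOKIE = bytes.fromhex("63825363")
FIXED_LEN = 236        # BOOTP fixed header (op .. file)
GIADDR_OFFSET = 24     # giaddr field inside the fixed header

# (option code, content or None for "any content"), giaddr, DHCP server.
# The four rows are the associations this example configures on Router A.
# List order is the precedence, most specific first (assumption of this model).
ASSOCIATIONS = [
    ((60, b"abc"), "40.1.1.1", "202.40.1.2"),   # 60(abc)
    ((60, None),   "30.1.1.1", "202.40.1.2"),   # 60(*)
    ((45, None),   "20.1.1.1", "101.40.1.2"),   # 45
    (None,         "10.1.1.1", "101.40.1.2"),   # *  (no option association)
]


def parse_options(packet: bytes) -> dict:
    """Return {option code: value} from a DHCP packet, rejecting malformed TLVs."""
    if packet[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: not a DHCP packet")
    options, i = {}, FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 255:                  # End option
            return options
        if code == 0:                    # Pad option is a single byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options.setdefault(code, value)  # keep the first instance only
        i += 2 + length
    raise ValueError("options field has no End option")


def select_association(options: dict) -> tuple:
    """Pick (giaddr, server) for a client request from its DHCP options."""
    for match, giaddr, server in ASSOCIATIONS:
        if match is None:                # default row matches everything
            return giaddr, server
        code, content = match
        if code in options and (content is None or options[code] == content):
            return giaddr, server
    raise LookupError("no default association configured")


def relay(packet: bytes) -> tuple:
    """Return (server, packet with giaddr filled in) as a relay would forward it."""
    giaddr, server = select_association(parse_options(packet))
    out = bytearray(packet)
    if out[GIADDR_OFFSET:GIADDR_OFFSET + 4] == bytes(4):   # fill only if unset
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(giaddr).packed
    return server, bytes(out)


def option(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value


def build_discover(extra_options: bytes) -> bytes:
    """Constructed DHCPDISCOVER for the demo: zeroed header plus options."""
    header = bytearray(FIXED_LEN)
    header[0:3] = bytes([1, 1, 6])                  # BOOTREQUEST, Ethernet, hlen 6
    header[28:34] = bytes.fromhex("020000000001")   # constructed client MAC
    return bytes(header) + MAGIC_COOKIE + option(53, b"\x01") + extra_options + b"\xff"


if __name__ == "__main__":
    # Which client sends which option is constructed for the demo.
    samples = {
        "no option": b"",
        "option 45": option(45, bytes(4)),
        "option 60 'xyz'": option(60, b"xyz"),
        "option 60 'abc'": option(60, b"abc"),
    }
    for name, opts in samples.items():
        server, fwd = relay(build_discover(opts))
        giaddr = ipaddress.IPv4Address(fwd[GIADDR_OFFSET:GIADDR_OFFSET + 4])
        print(name, "-> giaddr", giaddr, "server", server)
```

The options are taken from the client's own request, so the association classifies traffic by service type; it does not authenticate the client.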
Data Preparation
To complete the configuration, you need the following data:
- Primary and secondary IP addresses of the interface that functions as the DHCP relay agent
- IP address of each DHCP server
- DHCP option

Procedure
Step 1 Do as follows on the relay device:
# Enable DHCP.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] dhcp enable
# Configure the IP address of POS 2/0/0.
[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address 101.40.1.1 255.255.0.0
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit
# Configure the IP address of POS 3/0/0.
[RouterA] interface pos 3/0/0
[RouterA-Pos3/0/0] ip address 202.40.1.1 255.255.0.0
[RouterA-Pos3/0/0] undo shutdown
[RouterA-Pos3/0/0] quit
# Enter the view of the interface to be configured with the DHCP relay function. Configure the IP address and DHCP option association for the interface.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip address 20.1.1.1 255.255.0.0 sub
[RouterA-GigabitEthernet1/0/0] ip address 30.1.1.1 255.255.0.0 sub
[RouterA-GigabitEthernet1/0/0] ip address 40.1.1.1 255.255.0.0 sub
[RouterA-GigabitEthernet1/0/0] ip relay address 101.40.1.2
[RouterA-GigabitEthernet1/0/0] ip relay address 101.40.1.2 dhcp-option 45
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2 dhcp-option 60
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2 dhcp-option 60 abc
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 10.1.1.1
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 20.1.1.1 dhcp-option 45
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 30.1.1.1 dhcp-option 60
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 40.1.1.1 dhcp-option 60 abc
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Do as follows on Router B functioning as a DHCP server:
# Configure the routes from Router B to Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip route-static 10.1.0.0 255.255.0.0 101.40.1.1
[RouterB] ip route-static 20.1.0.0 255.255.0.0 101.40.1.1
# Enable DHCP on RouterB.
[RouterB] dhcp enable
# Configure the clients connected to POS 1/0/0 to obtain IP addresses from the global address pool.
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 101.40.1.2 255.255.0.0
[RouterB-Pos1/0/0] dhcp select global
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
# Configure the IP addresses that cannot be automatically allocated, including the DNS server address, NetBIOS address, and egress gateway address.
[RouterB] dhcp server forbidden-ip 10.1.1.1 10.1.1.2
[RouterB] dhcp server forbidden-ip 20.1.1.1
# Configure the attributes for DHCP address pool 1, including the address pool range, domain name, egress gateway, DNS address, and address lease.
[RouterB] dhcp server ip-pool 1
[RouterB-dhcp-1] network 10.1.0.0 mask 255.255.0.0
[RouterB-dhcp-1] domain-name abc.com
[RouterB-dhcp-1] dns-list 10.1.1.1
[RouterB-dhcp-1] nbns-list 10.1.1.1
[RouterB-dhcp-1] gateway-list 10.1.1.1
[RouterB-dhcp-1] expired day 10 hour 12
[RouterB-dhcp-1] quit
# Configure the attributes for DHCP address pool 2, including the address pool range, domain name, egress gateway, DNS address, and address lease.
[RouterB] dhcp server ip-pool 2
[RouterB-dhcp-2] network 20.1.0.0 mask 255.255.0.0
[RouterB-dhcp-2] domain-name def.com
[RouterB-dhcp-2] dns-list 20.1.1.1
[RouterB-dhcp-2] nbns-list 20.1.1.1
[RouterB-dhcp-2] gateway-list 20.1.1.1
[RouterB-dhcp-2] expired day 10 hour 12
[RouterB-dhcp-2] quit

Step 3 Do as follows on Router C functioning as a DHCP server:
# Configure the route from Router C to Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] ip route-static 30.1.0.0 255.255.0.0 202.40.1.1
[RouterC] ip route-static 40.1.0.0 255.255.0.0 202.40.1.1
# Enable DHCP on RouterC.
[RouterC] dhcp enable
# Configure the clients connected to POS 1/0/0 to obtain IP addresses from the global address pool.
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] ip address 202.40.1.2 255.255.0.0
[RouterC-Pos1/0/0] dhcp select global
[RouterC-Pos1/0/0] undo shutdown
[RouterC-Pos1/0/0] quit
# Configure the IP addresses that do not participate in the auto-allocation, including the DNS server address, NetBIOS address, and egress gateway address.
[RouterC] dhcp server forbidden-ip 30.1.1.1
[RouterC] dhcp server forbidden-ip 40.1.1.1
# Configure the attributes for DHCP address pool 1, including the address pool range, domain name, egress gateway, DNS address, and address lease.
[RouterC] dhcp server ip-pool 1
[RouterC-dhcp-1] network 30.1.0.0 mask 255.255.0.0
[RouterC-dhcp-1] domain-name ghi.com
[RouterC-dhcp-1] dns-list 30.1.1.1
[RouterC-dhcp-1] nbns-list 30.1.1.1
[RouterC-dhcp-1] gateway-list 30.1.1.1
[RouterC-dhcp-1] expired day 10 hour 12
[RouterC-dhcp-1] quit
# Configure the attributes for DHCP address pool 2, including the address pool range, domain name, egress gateway, DNS address, and address lease.
[RouterC] dhcp server ip-pool 2
[RouterC-dhcp-2] network 40.1.0.0 mask 255.255.0.0
[RouterC-dhcp-2] domain-name jkl.com
[RouterC-dhcp-2] dns-list 40.1.1.1
[RouterC-dhcp-2] nbns-list 40.1.1.1
[RouterC-dhcp-2] gateway-list 40.1.1.1
[RouterC-dhcp-2] expired day 10 hour 12
[RouterC-dhcp-2] quit

Step 4 Verify the configuration.
Run the display dhcp relay address all command on Router A. You can view the configuration of the interface enabled with the DHCP relay function.
[RouterA] display dhcp relay address all
** GigabitEthernet1/0/0 DHCP Relay Address **
DHCP Option    Relay Agent IP    Server IP
*              10.1.1.1          101.40.1.2
45             20.1.1.1          101.40.1.2
60(*)          30.1.1.1          202.40.1.2
60(abc)        40.1.1.1          202.40.1.2

Run the display dhcp server tree command on Router B. You can view information about DHCP address pools in a tree structure, including DNS, IP address lease, and parameters such as the option.
[RouterB] display dhcp server tree all
Global pool:
Pool name: 1
 network 10.1.0.0 mask 255.255.0.0
 gateway-list 10.1.1.1
 dns-list 10.1.1.1
 domain-name abc.com
 nbns-list 10.1.1.1
 expired day 10 hour 12 minute 0
Pool name: 2
 network 20.1.0.0 mask 255.255.0.0
 gateway-list 20.1.1.1
 dns-list 20.1.1.1
 domain-name def.com
 nbns-list 20.1.1.1
 expired day 10 hour 12 minute 0

Run the display dhcp server tree command on Router C. You can view information about DHCP address pools in a tree structure, including DNS, IP address lease, and parameters such as the option.
[RouterC] display dhcp server tree all
Global pool:
Pool name: 1
 network 30.1.0.0 mask 255.255.0.0
 gateway-list 30.1.1.1
 dns-list 30.1.1.1
 domain-name ghi.com
 nbns-list 30.1.1.1
 expired day 10 hour 12 minute 0
Pool name: 2
 network 40.1.0.0 mask 255.255.0.0
 gateway-list 40.1.1.1
 dns-list 40.1.1.1
 domain-name jkl.com
 nbns-list 40.1.1.1
 expired day 10 hour 12 minute 0
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.0.0
 ip address 20.1.1.1 255.255.0.0 sub
 ip address 30.1.1.1 255.255.0.0 sub
 ip address 40.1.1.1 255.255.0.0 sub
 ip relay address 101.40.1.2
 ip relay address 101.40.1.2 dhcp-option 45
 ip relay address 202.40.1.2 dhcp-option 60
 ip relay address 202.40.1.2 dhcp-option 60 abc
 ip relay giaddr 10.1.1.1
 ip relay giaddr 20.1.1.1 dhcp-option 45
 ip relay giaddr 30.1.1.1 dhcp-option 60
 ip relay giaddr 40.1.1.1 dhcp-option 60 abc
 dhcp select relay
#
interface Pos 2/0/0
 undo shutdown
 ip address 101.40.1.1 255.255.0.0
#
interface Pos 3/0/0
 undo shutdown
 ip address 202.40.1.1 255.255.0.0
#
return

- Configuration file of Router B
#
 sysname RouterB
#
dhcp server ip-pool 1
 network 10.1.0.0 mask 255.255.0.0
 gateway-list 10.1.1.1
 dns-list 10.1.1.1
 domain-name abc.com
 nbns-list 10.1.1.1
 expired day 10 hour 12
#
dhcp server ip-pool 2
 network 20.1.0.0 mask 255.255.0.0
 gateway-list 20.1.1.1
 dns-list 20.1.1.1
 domain-name def.com
 nbns-list 20.1.1.1
 expired day 10 hour 12
#
interface Pos 1/0/0
 undo shutdown
 ip address 101.40.1.2 255.255.0.0
#
 dhcp server forbidden-ip 10.1.1.1 10.1.1.2
 dhcp server forbidden-ip 20.1.1.1
#
 ip route-static 10.1.0.0 255.255.0.0 101.40.1.1
 ip route-static 20.1.0.0 255.255.0.0 101.40.1.1
#
return

- Configuration file of Router C
#
 sysname RouterC
#
dhcp server ip-pool 1
 network 30.1.0.0 mask 255.255.0.0
 gateway-list 30.1.1.1
 dns-list 30.1.1.1
 domain-name ghi.com
 nbns-list 30.1.1.1
 expired day 10 hour 12
#
dhcp server ip-pool 2
 network 40.1.0.0 mask 255.255.0.0
 gateway-list 40.1.1.1
 dns-list 40.1.1.1
 domain-name jkl.com
 nbns-list 40.1.1.1
 expired day 10 hour 12
#
interface Pos 1/0/0
 undo shutdown
 ip address 202.40.1.2 255.255.0.0
#
 dhcp server forbidden-ip 30.1.1.1
 dhcp server forbidden-ip 40.1.1.1
#
 ip route-static 30.1.0.0 255.255.0.0 202.40.1.1
 ip route-static 40.1.0.0 255.255.0.0 202.40.1.1
#
return

5 COPS Configuration

About This Chapter
This chapter describes the fundamentals, the configuration procedures and configuration examples of COPS.
5.1 COPS Overview
This section describes the basic concepts of COPS and the handling process of COPS services.
5.2 Configuring the COPS Server Group
This section describes how to configure the COPS server group.
5.3 Configuration Examples
This section presents an example for configuring COPS.

5.1 COPS Overview
This section describes the basic concepts of COPS and the handling process of COPS services.
5.1.1 Introduction to COPS
5.1.2 COPS Features Supported by the NE80E/40E

5.1.1 Introduction to COPS
The increasing number of Internet broadband users boosts widespread applications of data services and increases revenue of telecommunication services. With the development of packet networks, IP services tend to replace voice telecommunication. Broadband access has become the core driver for the development of IP services, and the operation mode of IP services is becoming more and more mature.
IP services, however, still have deficiencies in service bearing and operation. Therefore, carriers keep wondering whether the current IP network can bear all types of telecommunication services.
Many types of data services, including voice, video, and other multimedia services, place high demands on bandwidth, delay, and packet loss ratio. Quality of service (QoS) is severely degraded if the bandwidth, delay, and packet loss ratio of a network cannot meet these demands.
Generally, the Internet provides best-effort services. It does not reserve resources, so it can relieve network congestion to ensure QoS only by discarding packets.
The current IP networks have many deficiencies in bearing carrier-class services. Although the QoS of IP networks has been greatly improved, it is mainly achieved on single nodes that process packets with precedence. End-to-end quality, however, cannot be ensured if service awareness and access control are not achieved on the whole network, especially on the access network.
Providing services with an end-to-end QoS guarantee on an IP bearer network has become an urgent demand. Therefore, the current Internet needs to be upgraded to provide better data services. In this context, Huawei puts forward the IP telecommunication network (IPTN) solution.
The IPTN solution aims to provide end-to-end QoS on current IP networks.
In this solution, the concept of a bearer control layer is introduced between the service control layer and the bearer layer; resources are applied for, kept, and released respectively before, during, and after they are used, so as to improve the transmission efficiency of a bearer network.
Based on IP networks, IPTN can guarantee end-to-end QoS, decrease the investment of carriers, and add value for them. The main characteristics of IPTN are:
- It can coexist with current IP networks and does not affect traditional services that have no QoS guarantee.
- It can bear traditional telecommunication services and support more types of services.
- It applies for resources before a connection is set up, guarantees the quality of service during the connection, and releases the resources after the connection is closed.
- Its network structure consists of three layers: logical bearer layer, bearer control layer, and service control layer.
- Its bearer layer is based on MPLS, which enables the resources of IPTN services to be separated from those of IP services.
COPS is an application protocol. It employs a simple query or response model and is used to exchange policies between a policy server and its clients.
In COPS, a policy server is also called a Policy Decision Point (PDP) and its clients are also called Policy Enforcement Points (PEPs).
In IPTN, COPS is used to exchange policies between an RM server and a router. The RM server receives messages from the Soft Switch and then sends the messages to the router through the COPS protocol.
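To make the PEP-to-PDP exchange recognisable on the wire, the following added example (not from this guide) builds and parses a COPS Client-Open message using the common header and object layout of RFC 2748. The PEP ID client1 is the one used in this chapter's configuration example; the client-type value 0x8001 is a constructed placeholder, not the value the NE80E/40E uses for ssg.

```python
import struct

COPS_VERSION = 1
OP_CODES = {1: "REQ", 2: "DEC", 3: "RPT", 4: "DRQ", 5: "SSQ",
            6: "OPN", 7: "CAT", 8: "CC", 9: "KA", 10: "SSC"}
OP_OPN = 6
C_NUM_PEPID = 11          # PEP Identification object, C-Type 1
HEADER = struct.Struct("!BBHI")   # version/flags, op code, client-type, length
OBJ_HEADER = struct.Struct("!HBB")  # object length, C-Num, C-Type


def pad4(n: int) -> int:
    """Round n up to the next 32-bit boundary."""
    return (n + 3) & ~3


def build_object(c_num: int, c_type: int, body: bytes) -> bytes:
    """Encode one COPS object; the length field excludes the padding."""
    length = OBJ_HEADER.size + len(body)
    return OBJ_HEADER.pack(length, c_num, c_type) + body + bytes(pad4(length) - length)


def build_client_open(client_type: int, pep_id: str) -> bytes:
    """Client-Open (OPN) carrying only the mandatory PEPID object."""
    pepid = build_object(C_NUM_PEPID, 1, pep_id.encode("ascii") + b"\x00")
    header = HEADER.pack(COPS_VERSION << 4, OP_OPN, client_type,
                         HEADER.size + len(pepid))
    return header + pepid


def parse_message(data: bytes) -> dict:
    """Validate framing and return op code, client-type, objects and PEP ID."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the COPS common header")
    ver_flags, op, client_type, length = HEADER.unpack_from(data)
    if ver_flags >> 4 != COPS_VERSION:
        raise ValueError("unsupported COPS version")
    if length != len(data) or length % 4:
        raise ValueError("message length field does not match the data")
    objects, offset, pep_id = [], HEADER.size, None
    while offset < length:
        obj_len, c_num, c_type = OBJ_HEADER.unpack_from(data, offset)
        if obj_len < OBJ_HEADER.size or offset + obj_len > length:
            raise ValueError("object at offset %d overruns the message" % offset)
        body = data[offset + OBJ_HEADER.size:offset + obj_len]
        objects.append((c_num, c_type, body))
        if c_num == C_NUM_PEPID:
            pep_id = body.rstrip(b"\x00").decode("ascii")
        offset += pad4(obj_len)          # next object starts on a 32-bit boundary
    return {"op": OP_CODES.get(op, "unknown"), "client_type": client_type,
            "objects": objects, "pep_id": pep_id}


if __name__ == "__main__":
    message = build_client_open(0x8001, "client1")   # constructed sample
    print(message.hex())
    print(parse_message(message))
```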
5.1.2 COPS Features Supported by the NE80E/40E

Three Levels of Limits of Number of Users
The NE80E/40E allows Internet Service Providers (ISPs) to configure a number of users exceeding the network bearing capability and to limit the number of users who access the Internet at the same time.
To identify Digital Subscriber Line Access Multiplexers (DSLAMs) and users, a PE device provides IPTN services by using QinQ termination sub-interfaces.
The NE80E/40E provides three levels of limits of number of users:
- VLAN-group: a set of users that use the same statistics policies and queue policies.
- QinQ termination sub-interface: used for the access of users in the same IP network segment. Multiple VLAN-groups can be configured on a sub-interface.
- Primary interface: Multiple QinQ termination sub-interfaces can be configured on a primary interface.
After the three levels of limits are configured, the NE80E/40E can guarantee that the number of online users satisfies the requirements of every level.

Detection of Online and Offline of Users
When a user goes offline, a DHCP Release message is sent to the DHCP server. If DHCP Relay is enabled on the PE, the PE can sense the message and notifies the COPS server that the user has gone offline. The COPS server then releases the network resources held by that user.
The NE80E/40E detects users by using the Address Resolution Protocol (ARP). ARP sends ARP Request messages at intervals according to the IP addresses of users recorded on the local device. When users are online, they send ARP Response messages. The PE knows that the users are online based on the ARP Response messages.
If the PE does not receive any ARP Response message from a user in several continuous periods, it considers that the user has gone offline abnormally. Then, the PE sends DHCP Release messages to the DHCP server so that the DHCP server releases the IP address of the user, which avoids waste of IP addresses.
At the same time, the PE notifies the COPS server that the user is offline.

Security Checking over Users
The NE80E/40E provides the DHCP security binding function.
The NE80E/40E saves the information on users according to the combination of IP addresses, MAC addresses, access interfaces, and VLANs. Users can access the network only when they match all the information. The saved information is released with the release of IP addresses.
After the DHCP security binding function is enabled and the link for a user fails, the user can obtain Internet services only when the user resends DHCP packets to apply for a valid IP address.

Control over Users
The NE80E/40E can display information about online users and force users to go offline. Such functions are used when user operations are found abnormal or when network resources need to be adjusted.
The NE80E/40E can force users to go offline in either of the following modes:
- Force users to go offline by interfaces.
- Force users to go offline by interface plus VLAN-group labels.
If the network configuration is not changed, the users that are forced to go offline can resend DHCP Request messages to use network resources again.

5.2 Configuring the COPS Server Group
This section describes how to configure the COPS server group.
5.2.1 Establishing the Configuration Task
5.2.2 Creating a COPS Server Group
5.2.3 Configuring the COPS Server
5.2.4 Setting the PEP ID for the COPS Server
5.2.5 (Optional) Setting the Flow Keeping Time of the COPS Server
5.2.6 (Optional) Setting the Shared Key of the COPS Server
5.2.7 Activating the COPS Server Group
5.2.8 Configuring the Global Parameters of COPS
5.2.9 Checking the Configuration

5.2.1 Establishing the Configuration Task

Applicable Environment
To send policies for value-added services using a COPS server, you need to configure a COPS server group on the device. A COPS server group is used to manage COPS servers.
A COPS server group is a group of COPS servers that carry out load balancing and have the same attributes except the IP address, VPN instance, port number, and weight values.

Pre-configuration Tasks
None.

Data Preparation
To configure the COPS server group, you need the following data.
No.  Data
1    Name of the COPS server group
2    IP address, VPN instance, server port number, client port number, and weight of the COPS server
3    PEP ID of the COPS client
4    (Optional) Flow keeping time after the COPS client and the COPS server are disconnected
5    (Optional) Shared key of the COPS server
6    (Optional) Timeout period of COPS Open messages and source interface of the device sending COPS messages

5.2.2 Creating a COPS Server Group

Context
Do as follows on the device:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group groupname [ client-type ssg ]
A COPS server group is created.
NOTE
When creating a COPS server group for the first time, you must specify the parameter client-type, which indicates the kind of service for which the client connects to the COPS server.
----End

Postrequisite
After a COPS server group is created, the view of the COPS server group is displayed. If there is an existing COPS server group, run the preceding command to enter its view.

5.2.3 Configuring the COPS Server

Context
When you configure a COPS server, you can specify the IP address and port number of the COPS server, the port number of the COPS client, the VPN instance of the COPS server, and the weight.
Do as follows on the device:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The view of the COPS server group is displayed.
Step 3 Run:
cops-server ip-address [ server-port | client-port client-port | vpn-instance instance-name | weight value ] *
The COPS server is configured.
NOTE
- It is not recommended to modify the port number of the COPS server; otherwise, the device fails to set up the TCP connection with the COPS server if the modified port number is in use.
- Ensure that at least one reachable route exists between the device and the COPS server.
----End

5.2.4 Setting the PEP ID for the COPS Server

Context
The PEP ID is used by the COPS server to identify its clients. Normally, the IP address of a loopback interface on the device can be specified as the PEP ID.
Do as follows on the device:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The view of the COPS server group is displayed.
Step 3 Run:
cops-server pep-id client-id
The PEP ID is set for the COPS client.
----End

Postrequisite
You can set the PEP ID according to the COPS server group.
That is, you can set different PEP IDs for the device when the device corresponds to various COPS server groups. The default PEP ID is huawei.

5.2.5 (Optional) Setting the Flow Keeping Time of the COPS Server

Context
Do as follows on the device:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The view of the COPS server group is displayed.
Step 3 Run:
cops-server flow-keeping-time time
The flow keeping time of the COPS server is set.
----End

Postrequisite
The flow keeping time refers to the duration in which connection information is kept after the COPS client is disconnected from the COPS server. Flow keeping prevents the connection from being intermittently broken due to network instability. After the cops-server flow-keeping-time command is run, the system can promptly restore connection information when the COPS client re-establishes the connection with the COPS server within the flow keeping time.
NOTE
- When the network is unstable, especially when the routes to the COPS server flap frequently, it is recommended to set the flow keeping time.
- By default, the flow keeping time of the COPS server is 300 seconds.

5.2.6 (Optional) Setting the Shared Key of the COPS Server

Context
Do as follows on the device:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The view of the COPS server group is displayed.
Step 3 Run:
cops-server shared-key key-string
The shared key of the COPS server is set.
----End

Postrequisite
The shared key encrypts COPS messages. The device and the COPS server must be set with the same shared key. Setting the shared key improves the security of message exchange between the client and the COPS server.
NOTE
When the message exchange between the client and the COPS server group has high security requirements, it is recommended to set the shared key of the COPS server.

5.2.7 Activating the COPS Server Group

Context
Do as follows on the device:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server group group-name
The view of the COPS server group is displayed.
Step 3 Run:
active
All the COPS servers in the COPS server group are activated.
NOTE
The device attempts to set up connections with the COPS servers only when the COPS server group is activated.
----End

Postrequisite
After the preceding configuration, the device attempts to set up TCP connections with all the COPS servers in the COPS server group.

5.2.8 Configuring the Global Parameters of COPS

Context
Do as follows on the device:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
cops-server open-timeout time
The timeout period of the COPS Open message is set.
The timeout period of the COPS Open message refers to the period for which the device waits for a response after it sends a COPS Open message to the COPS server. If the device does not receive any response from the COPS server within this period, it resends the Open message to the server.
By default, the timeout period of the COPS Open message is 15 seconds.
NOTE
When the network is not stable, it is recommended to prolong the timeout period of the COPS Open message.
Step 3 Run:
cops-server source-interface interface-type interface-number
The source interface that sends the COPS message is configured.
The source interface of the COPS message refers to the interface from which the COPS message originates.
A COPS session can be established only after the source interface of the COPS messages is configured.
NOTE
It is recommended to configure a logical interface, such as the loopback interface, to be the source interface of the COPS message. This is because the failure of a physical interface may leave the system unable to receive responses from the COPS server.
Step 4 Run:
cops-group iptn-binding group-name
The COPS server group is bound to IPTN services.
NOTE
The created COPS server group takes effect in IPTN services only after it is bound to the IPTN services.
----End

5.2.9 Checking the Configuration

Prerequisite
The configurations of the COPS Server Group are complete.

Procedure
Step 1 Run the display cops-server configuration [ group group-name ] command to check the configuration of a specified COPS server group.
----End

Example
Check information about the COPS server group huawei.
<HUAWEI> display cops-server configuration group huawei
-- Cops group table display ------------------------------------------------
Group index                 : 0
Group name                  : huawei
Client type                 : ssg
Group up or down flag       : Down
Group active state          : Active
Secret key                  : huawei
Flow keeping time (second)  : 500
PEP ID                      : client1
Group Source interface name : -
Group Reference number      : 0
[state][server IPv4 addr][server port][client port][weight][vpn name][server key ]
Down   202.40.2.2        3288         0            0
---- End cops group table -----------------------------------------------------

5.3 Configuration Examples
This section presents an example for configuring COPS.
5.3.1 Example for Configuring COPS Interfaces to Report Online and Offline Messages

Networking Requirements
As shown in Figure 5-1, the DHCP client accesses the PE through the DSLAM. Through DHCP relay, the DHCP client applies to the DHCP server for the relevant configuration such as an IP address. After the DHCP server replies to the DHCP client with an allocated IP address, the PE reports information about the user getting online to the COPS server. When the user gets offline and releases the IP address, the PE also reports information about the user getting offline to the COPS server so that the maintained user record is updated.

Figure 5-1 Typical networking diagram of COPS configuration
[Figure labels: COPS server 202.40.2.2/16; GE2/0/1 202.40.2.1/16; PE; DHCP client; DSLAM; DHCP Relay; GE2/0/0 202.40.1.1/16; 202.40.1.2/16 DHCP server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the parameters of DHCP relay.
2. Configure the global COPS parameters.
3. Create a COPS server group and add COPS servers to it.
4. Configure the PEP ID and other optional items for the COPS server.
5. Activate the COPS server group.
6. Bind the COPS server group to IPTN services.
7. Verify the configuration.

Data Preparation
To complete the configuration, you need the following data:
- Name, IP address, VPN instance, and port number of the COPS server, port number of the COPS client, and weight
- PEP ID
- (Optional) Flow keeping time after the COPS client is disconnected from the COPS server
- (Optional) Shared key of the COPS server
- Timeout period of COPS Open messages and source interface of the device sending COPS messages

Procedure
Step 1 Configure the DHCP relay functions on the device.
For the detailed configuration, refer to the chapter "DHCP Configuration" in the NE80E/40E Router Configuration Guide - IP Services.
Step 2 Configure the global parameters of COPS, including the timeout period of COPS Open messages and the source interface sending COPS messages.
    <PE> system-view
    [PE] cops-server open-timeout 30
    [PE] cops-server source-interface loopBack 0
Step 3 Create a COPS server group and add COPS servers to it.
    [PE] cops-server group huawei client-type ssg
    [PE-cops-huawei] cops-server 202.40.2.2
Step 4 Configure the COPS PEP ID and other optional items.
    [PE-cops-huawei] cops-server pep-id client1
    [PE-cops-huawei] cops-server flow-keeping-time 500
    [PE-cops-huawei] cops-server shared-key huawei
Step 5 Activate the COPS server group.
    [PE-cops-huawei] undo active
    [PE-cops-huawei] active
    [PE-cops-huawei] quit
Step 6 Bind the COPS server group to IPTN services.
    [PE] cops-group iptn-binding huawei
Step 7 Verify the configuration.
    <PE> display cops-server configuration group huawei
    -- Cops group table display -------------------------------------------------
    Group index : 0
    Group name : huawei
    Client type : ssg
    Group up or down flag : Up
    Group active state : Active
    Secret key : huawei
    Flow keeping time (second) : 500
    PEP ID : client1
    Group Source interface name : -
    Group Reference number : 0
    [state][server IPv4 addr][server port][client port][weight][vpn name][server key ]
    Down   202.40.2.2        3288         0            0
    ---- End cops group table -----------------------------------------------------
----End

Configuration Files
The configuration file of router is as follows:
    #
     sysname PE1
    #
     cops-server open-timeout 30
     cops-server source-interface LoopBack0
     cops-group iptn-binding huawei
    #
    interface Gigabitethernet2/0/0
     ip address 202.40.1.1 255.255.255.252
     ip relay address 202.40.3.2
     dhcp select relay
    #
    interface Gigabitethernet2/0/1
     ip address 202.40.2.1 255.255.255.252
    #
    interface Gigabitethernet2/0/2
     ip address 202.40.3.1 255.255.255.252
    #
    interface LoopBack0
     ip address 9.9.9.9 255.255.255.255
    #
    cops-server group huawei client-type ssg
     cops-server flow-keeping-time 500
     cops-server shared-key huawei
     cops-server pep-id client1
     cops-server 202.40.2.2
     active
    #
    return

6 ANCP Configuration

About This Chapter
This document describes the concept, principle, and configuration of ANCP.
6.1 ANCP Overview
This section describes the basic concept of ANCP.
6.2 Configuring the ANCP Server
This section describes how to configure the router to function as an ANCP server.
6.3 Configuring the ANCP Proxy
This section describes how to configure the router as the ANCP proxy.
6.4 Configuring the Association Between ANCP and HQoS in the ANCP Proxy Scenario
This section describes how to configure the association between ANCP and HQoS in the ANCP proxy scenario.
6.5 Maintaining ANCP
This section describes how to view and clear ANCP running information and how to debug ANCP.
6.6 Configuration Examples
This section provides examples for ANCP configurations.

6.1 ANCP Overview
This section describes the basic concept of ANCP.
6.1.1 Introduction to the ANCP Protocol
6.1.2 Applicable Environment

6.1.1 Introduction to the ANCP Protocol
The Access Node Control Protocol (ANCP) provides a channel through which control messages can be transmitted between a broadband remote access server (BRAS) and an access node (AN) such as a Digital Subscriber Line Access Multiplexer (DSLAM).
ANCP is based on, and is an extension of, General Switch Management Protocol Version 3 (GSMPv3). It introduces the mechanism of establishing and maintaining neighbor relationships.
The ANCP protocol works as follows:
1. An AN initiates a TCP connection with the BRAS.
   The BRAS listens on port 6068. After the configured AN is powered on, it initiates a TCP connection to the listening port on the BRAS. The BRAS functions as a TCP server while the AN functions as a TCP client.
2. The AN sets up the GSMP neighbor relationship with the BRAS, and performs ANCP capability negotiations.
   The capabilities defined in the ANCP protocol include:
   - Discovery of dynamic topologies
   - Configuration of line parameters
   - Multicast control
   - Management of line detection
   - Transaction in batches
   Currently, the NE80E/40E supports three capabilities, namely, discovery of dynamic topologies, configuration of line parameters, and management of line detection.
3. The ANCP protocol starts to work.
   After the neighbor relationship is established, the ANCP protocol starts to work as follows:
   - Discovers dynamic topologies and updates line information.
     The AN monitors the status of the access lines and reports information about the access lines to the BRAS through ANCP. The information includes the IDs of active access lines, the standard of access lines, and upstream and downstream bandwidths. The ID is defined as Access-Loop-Circuit-ID in ANCP, and is the same as the Option82 field value in DHCP control messages and the PPPoE+ field value in PPP control messages. When the line information changes, the AN notifies the BRAS through ANCP to update related line information.
   - Applies corresponding line information when users go online.
     When users connected to the AN go online, the connection request messages from the users carry Option82 information or PPPoE+ information that is consistent with the access line IDs. The BRAS then obtains the mapping between the users and the access line, and thus can control service bandwidths and perform traffic policing for the users on the access line accordingly.
   - (Optional) The Remote Authentication Dial-In User Service (RADIUS) server delivers a line policy to the DSLAM.
     When a user goes online or customizes services, the RADIUS server delivers a line policy according to the line information. Then, the BRAS delivers the policy to the DSLAM.
     The DSLAM then applies the policy.
   - Performs OAM detection on access lines.
     The BRAS sends OAM detection packets to the DSLAM through ANCP. After receiving the packets, the DSLAM performs loopback detection on Digital Subscriber Lines (DSLs), and then reports the test results to the BRAS through ANCP.

6.1.2 Applicable Environment

ANCP Server
Figure 6-1 Networking diagram of configuring an ANCP server
[Figure labels: Access Line; ANCP Session; RADIUS Server; Policy Server; ISP; ASP; NSP; DSLAM; Router]

As shown in Figure 6-1, the DSLAM supports ANCP, and the router, as an ANCP server, functions as the BRAS. In this case, the router supports the following functions:
- Access line management
  - Discovery of dynamic topologies
    To avoid congestion in an access network, the router supports Hierarchical QoS (HQoS), which requires the BRAS to detect the topologies in the access network and the parameters of access lines. The parameters include the DSL link status, actual upstream and downstream rates of synchronized Digital Subscriber Line (DSL) links, and maximum upstream and downstream rates. All these can be reported dynamically to the BRAS by the DSLAM.
    Some of the preceding information, such as the network rate of DSL links, always changes. Therefore, it cannot be obtained from the operation and maintenance system. Some information, such as the upstream bandwidth of the DSLAM, seldom changes, but still needs to be strictly synchronized with the information stored on the BRAS. The operation and maintenance system, however, cannot maintain the information through a reliable and scalable method. Dynamic topology discovery helps address the problem.
  - Update of the line information
    When the DSLAM re-synchronizes access line status with the Integrated Access Device (IAD), the DSLAM detects the status change of the access lines and needs to update line parameters. Then, the DSLAM sends a Port up message to the BRAS to update the line bandwidth.
- Service management
  Generally, parameters of access lines are fixed. When users need value-added services, such as triple-play services, the DSL lines need to be processed specially on the DSLAM. In addition, when users subscribe to services on self-service networks, the line parameters need to be automatically updated without manual intervention.
  When users go online, the DSLAM listens to DHCP or PPPoE control messages, and adds Option82 or PPPoE+ information to the messages. The router then matches the Option82 information in DHCP control messages or PPPoE+ information in PPPoE control messages with the access line IDs (defined as Access-Loop-Circuit-ID in ANCP). In this manner, the router can find the access line that is unique to the users.
- Adjustment of user bandwidths and queue scheduling modes on downstream links
  The DSLAM reports information about user bandwidths through ANCP packets, and the router delivers a QoS policy through the interface on the Multi-Service Edge (MSE).

ANCP Proxy
Figure 6-2 Networking diagram of configuring an ANCP proxy
[Figure labels: Access Line; ANCP Session 1; ANCP Session 2; Policy Server; RADIUS Server; ISP; ASP; NSP; DSLAM; Router; BRAS]

As shown in Figure 6-2, the DSLAM and the BRAS both support ANCP. As an ANCP proxy, the router sets up ANCP neighbor relationships with the DSLAM and the BRAS to aggregate ANCP lines.
In this case, the router supports the following functions:
- Discovery of topologies
  The DSLAM reports the access line IDs and information about user bandwidths to the router through ANCP packets. The router then sets up and maintains ANCP access line entries. The router forwards the access line IDs reported by the DSLAM to the BRAS through the ANCP neighbor.
- HQoS
  QoS parameters can be adjusted by the router according to the information about user bandwidths reported by the DSLAM. As an alternative, the BRAS can deliver the QoS policy to the router through ANCP packets, and the QoS parameters can be adjusted accordingly.
- OAM detection
  The router receives the OAM detection packets sent by the BRAS and forwards the packets to the DSLAM. Then, the router sends the detection results returned by the DSLAM back to the BRAS.

6.2 Configuring the ANCP Server
This section describes how to configure the router to function as an ANCP server.
6.2.1 Establishing the Configuration Task
6.2.2 Enabling ANCP
6.2.3 Configuring the Source Interface of an ANCP Connection
6.2.4 (Optional) Configuring Parameters of ANCP Sessions
6.2.5 Configuring ANCP Neighbor Profiles
6.2.6 (Optional) Configuring Bandwidth Adjustment Factors
6.2.7 (Optional) Configuring ANCP Message Damping
6.2.8 (Optional) Configuring ANCP OAM Detection
6.2.9 (Optional) Adjusting the Upstream and Downstream Bandwidths of a User Automatically
6.2.10 Checking the Configuration

6.2.1 Establishing the Configuration Task

Applicable Environment
If the DSLAM supports ANCP, and the router needs to function as the BRAS to manage users and detect user online and offline statuses and user services, you need to configure the router to function as an ANCP server.
Pre-configuration Tasks
Before configuring the router to function as an ANCP server, complete the following tasks:
- Configuring physical parameters and link attributes to ensure that interfaces work properly
- Configuring IP addresses and route discovery for interfaces

Data Preparation
To configure the router to function as an ANCP server, you need the following data.
No.  Data
1    Source interface on which the ANCP connection is set up
2    (Optional) Timeout period before an ANCP session is set up and the maximum number of packet retransmissions
3    Name of the ANCP neighbor profile
4    IP address of the ANCP neighbor
5    (Optional) Port number for TCP connection listening on the ANCP neighbor
6    (Optional) Maximum number of lines permitted by each ANCP neighbor
7    (Optional) Interval for sending Keepalive packets of ANCP sessions
8    (Optional) Aging time of line entries
9    (Optional) Timeout period of the response to the delivered profile
10   (Optional) Damping percentage of ANCP messages
11   (Optional) Number of OAM detections
12   (Optional) Timeout period of waiting for the response to OAM detection

6.2.2 Enabling ANCP

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp enable
ANCP is enabled.
The system performs socket listening and processes TCP connection requests from the DSLAM only after ANCP is enabled. When ANCP is disabled, all ANCP TCP connections are cut off, and socket listening is disabled.
By default, ANCP is disabled.
----End

6.2.3 Configuring the Source Interface of an ANCP Connection

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp
The ANCP view is displayed.
Step 3 Run:
    source-interface loopback interface-number
The source interface is configured for setting up an ANCP connection.
When the interface is connected to the DSLAM to set up a TCP connection, the source interface can only be a loopback interface. Changing the source-interface loopback interface-number configuration or the IP address of the interface does not affect an established TCP connection. The new configuration takes effect only when ANCP is disabled and then enabled again.
----End

6.2.4 (Optional) Configuring Parameters of ANCP Sessions

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp
The ANCP view is displayed.
Step 3 Run:
    session { interval interval-value | retransmit retransmit-value }*
The timeout period of ANCP sessions and the maximum number of ANCP packet retransmissions are configured.
After a TCP connection is established, the router sends SYN packets to set up an ANCP session. If it does not receive a correct response, it resends SYN packets until the ANCP session is successfully set up. If the ANCP session is not successfully set up when the number of SYN packet retransmissions reaches the upper threshold, the TCP connection is closed.
By default, the interval of sending SYN or SYN-ACK packets to the peer is 1s, and the maximum number of retransmissions is 10.
----End

6.2.5 Configuring ANCP Neighbor Profiles

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp
The ANCP view is displayed.
Step 3 Run:
    neighbor-profile neighbor-profile-name
An ANCP neighbor profile is created and the ANCP neighbor view is displayed.
To facilitate the management of ANCP access lines, the router adopts ANCP neighbor profiles. In each neighbor profile, the IP address of a neighbor can be configured. If the IP address in a packet received by the router from a neighbor is the same as the configured IP address, the router associates the neighbor with the neighbor profile.
Before a neighbor profile is created, the system checks whether a neighbor view with the same name exists. If so, the neighbor view is displayed; if not, a neighbor view is created and then displayed.
If a neighbor profile is in use, it cannot be deleted.
Step 4 (Optional) Run:
    tcp-listen port port-number
The port number on an ANCP neighbor for TCP connection listening is configured.
If the ANCP neighbor has already set up a TCP connection before the tcp-listen port port-number command is run, the TCP connection is cut off, and the ANCP neighbor uses the new listening port number to re-establish a TCP connection.
By default, the port number for TCP connection listening is 6068.
NOTE
If a global source interface is configured in the ANCP view, the configuration of the tcp-listen port port-number command is not supported.
Step 5 Run:
    peer-id peer-id
The ID of the ANCP neighbor is configured.
Step 6 (Optional) Run:
    max-access-loop value
The maximum number of access lines is configured for the ANCP neighbor. That is, the maximum number of lines that can access the router is configured.
If access lines already exist in the neighbor profile and the maximum number of access lines is smaller than the number of existing access lines, no access line entries will be created, and the existing access line entries remain unchanged.
By default, a maximum of 65536 access lines can be configured in the neighbor profile.
Step 7 (Optional) Run:
    keep-alive interval interval-value
The interval for sending Keepalive packets is configured.
To detect the neighbor status (for example, whether the link is Up), the router sends Keepalive packets to its neighbor (such as the DSLAM) at a fixed interval after the ANCP session is set up.
By default, the interval is 10s.
Step 8 (Optional) Run:
    aging-time value
The aging time of line entries is configured.
When the ANCP neighbor line becomes Down, the system needs to delete the line entry. This helps properly utilize system resources. When the aging time of a line entry is set to 0, the router deletes the line entry immediately when the neighbor line becomes Down; otherwise, the line entry can be deleted only when the timer expires.
By default, the aging time of an ANCP neighbor line entry is 150s.
NOTE
If the function of configuring ANCP access lines is enabled and the DSLAM needs to restart the lines after receiving the service profile name delivered by the router, a longer aging time of an ANCP line entry must be configured on the router.
----End

6.2.6 (Optional) Configuring Bandwidth Adjustment Factors

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp
The ANCP view is displayed.
Step 3 Run:
    neighbor-profile neighbor-profile-name [ proxy ]
An ANCP neighbor profile is created and the ANCP neighbor view is displayed.
Step 4 Run:
    adjustment { adsl adjust-percentage | adsl2 adjust-percentage | adsl2plus adjust-percentage | vdsl1 adjust-percentage | vdsl2 adjust-percentage | sdsl adjust-percentage } *
The bandwidth adjustment percentages for different link types in the ANCP neighbor profile are configured.
NOTE
The bandwidths that the DSLAM reports to the router are determined by the types of the physical links, whereas the router schedules user traffic on the Ethernet link. Therefore, bandwidths need to be translated between different types of physical links. You can use the adjustment command to translate the packet overhead between different physical links. For example, if you set the bandwidth adjustment factor for ADSL to 77%, this means that when a user reports an ADSL link, the actual bandwidth that HQoS assures for the user is the reported bandwidth x 77%.
----End

6.2.7 (Optional) Configuring ANCP Message Damping

Context
If the DSLAM repeatedly sends messages to the router to report user bandwidth changes, the router adjusts the user bandwidth accordingly and delivers related configurations. This affects the performance of the router. To avoid this impact, ANCP message damping needs to be configured on the router.

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp
The ANCP view is displayed.
Step 3 Run:
    neighbor-profile neighbor-profile-name
The neighbor view is displayed.
Step 4 Run:
    damping damping-percentage
ANCP message damping is configured.
After ANCP message damping is configured, the router adjusts the user bandwidth and delivers related configurations only when the user bandwidth changes out of the specified range. That is, if the user bandwidth changes within the specified range, the router does not respond to the ANCP messages that report related changes, and thus does not adjust the user bandwidth.
By default, no ANCP message is damped.
----End

6.2.8 (Optional) Configuring ANCP OAM Detection

Context
To test the remote connection of access lines, you can configure ANCP OAM detection.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp
The ANCP view is displayed.
Step 3 Run:
    oam [ count test-counter ] access-loop access-loop-circuit-id
OAM detection is configured for a specific access line, and the number of times of OAM detection is also configured.
By default, the number of OAM detection times is 5.
Step 4 (Optional) Run:
    neighbor-profile neighbor-profile-name [ proxy ]
The ANCP neighbor view is displayed.
Step 5 (Optional) Run:
    oam timeout time
The timeout period of the response to OAM detection is configured.
If the router does not receive any response to OAM detection during the timeout period, it considers that ANCP OAM detection fails.
By default, the timeout period is 5s.
NOTE
The oam timeout command can be configured when the neighbor profile mode is server or proxy server.
----End

6.2.9 (Optional) Adjusting the Upstream and Downstream Bandwidths of a User Automatically

Context
If the downstream bandwidth of a user needs to be automatically adjusted according to the access line information, the configuration needs to be performed in the AAA domain of the user.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    aaa
The AAA view is displayed.
Step 3 Run:
    domain domain-name
The domain view is displayed.
Step 4 Run:
    ancp auto-qos-adapt
The automatic adjustment of the downstream bandwidth of a user is enabled.
By default, the automatic adjustment of the downstream bandwidth of a user is not enabled.
----End

6.2.10 Checking the Configuration

Procedure
Step 1 Run the display ancp neighbor [ profile neighbor-profile | id id-value ] command to view information about an ANCP neighbor.
Step 2 Run the display ancp neighbor-profile [ neighbor-profile-name ] command to view information about an ANCP neighbor profile.
Step 3 Run the display ancp access-loop [ access-loop-circuit-index | circuit-id circuit-id-text | circuit-id-include circuit-id-include-text | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ] command to view information about line entries in the ANCP neighbor profile.
Step 4 Run the display ancp statistic [ neighbor-id ] command to view the statistics of an ANCP neighbor.
----End

Example
After running the display ancp neighbor command, you can view the status of the ANCP neighbor in the specified neighbor profile and the status of the ANCP neighbor with the specified neighbor ID. For example:
    <HUAWEI> display ancp neighbor
    --------------------------------------------------------------------------
    Index  Peer-ID   State  Role   Line-num  Profile
    --------------------------------------------------------------------------
    0      1.1.1.1   ESTAB  sever  0         bras
    --------------------------------------------------------------------------
    The total is 1,printed is 1
    <HUAWEI> display ancp neighbor id 1.1.1.1
    Neighbor Profile name :bras
    Neighbor state :ESTAB
    Peer ID :1.1.1.1
    Peer port :51729
    Neighbor capacity :discovery;line-cfg;oam;Bulk Transacti
                       on;
    Neighbor techtype :5(5 is DSL)
    Access loop circuit number :7
    Session message interval :12(seconds)
    Session message retransmit :10
    Max access loop number :65536
    Access loop configure timeout :2(seconds)
    Access loop configure ack mandatory :false
    Access loop aging time :150(seconds)
    Access loop oam timeout :5(seconds)
    Keep-alive interval :10(seconds)
    Wait-ack timeout :30000(milliseconds)
    ANCP role :server
After running the display ancp neighbor-profile command, you can view the configuration of the specified neighbor
profile. For example:
    <HUAWEI> display ancp neighbor-profile bras
    Index :3
    Neighbor Profile name :bras
    Neighbor Used state :used
    ANCP role :server
    ANCP source interface :LoopBack1
    TCP-listen port number :6068
    Damping percentage :0
    Peer ID :1.1.1.1
    Max access loop number :65536
    Access loop configure timeout :2(seconds)
    Access loop configure ack mandatory :false
    Access loop aging time :150(seconds)
    Access loop oam timeout :5(seconds)
    Keep-alive interval :10(seconds)
After running the display ancp access-loop command, you can view information about access line entries. For example:
    <HUAWEI> display ancp access-loop neighbor-id 1.1.1.1
    ----------------------------------------------------------------
    Index  State  Peer-ID  Circuit-ID
    ----------------------------------------------------------------
    80     UP     1.1.1.1  001882362CFF eth 1/3/1/5:5
    81     UP     1.1.1.1  001882362CFF eth 1/3/0/1:1
    ----------------------------------------------------------------
    The total is 2,printed is 2
After running the display ancp statistic command, you can view the statistics of ANCP neighbors. For example:
    <HUAWEI> display ancp statistic 10.1.1.1
    Received ack packet :307
    Received syn packet :1
    Received synack packet :1
    Received reset ack packet :0
    Received lineup packet :7
    Received linedown packet :0
    Received oam packet :0
    Received line config packet :0
    Received multicast packet :0
    Received unknown packet :0
    Send ack packet :307
    Send synack packet :1
    Send syn packet :1
    Send reset ack packet :0
    Send oam packet :0
    Send access loop config packet :2
    Send multicast packet :0
    Send failed packet :0

6.3 Configuring the ANCP Proxy
This section describes how to configure the router as the ANCP proxy.
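The following added example (not Huawei code and not part of the guide) replays a series of bandwidth reports through the adjustment factor from 6.2.6 and the message damping from 6.2.7, to show how many reports end in a bandwidth reconfiguration with and without damping. The guide does not state what the damping percentage is measured against; this sketch assumes it is the relative change from the rate behind the last applied adjustment. Function names, the vdsl2 factor and the report values are constructed; 77% for ADSL and the circuit IDs are taken from the text above.

```python
# Adjustment percentages per link type. 77 for ADSL is the figure used in the
# NOTE of 6.2.6; the vdsl2 value is a constructed sample.
FACTORS = {"adsl": 77, "vdsl2": 85}

# Constructed reports: (Access-Loop-Circuit-ID, link type, reported kbit/s).
LINE_A = "001882362CFF eth 1/3/1/5:5"
LINE_B = "001882362CFF eth 1/3/0/1:1"
REPORTS = [
    (LINE_A, "adsl", 8000),
    (LINE_A, "adsl", 7900),
    (LINE_B, "vdsl2", 40000),
    (LINE_A, "adsl", 8100),
    (LINE_A, "adsl", 6000),
    (LINE_B, "vdsl2", 39000),
    (LINE_A, "adsl", 6100),
]


def assured_kbps(reported_kbps, link_type, factors=FACTORS):
    """Bandwidth HQoS assures: reported rate x adjustment percentage."""
    if link_type not in factors:
        raise ValueError(f"no adjustment factor for link type {link_type!r}")
    return reported_kbps * factors[link_type] // 100


def replay(reports, damping_pct, factors=FACTORS):
    """Replay reports in order.

    Returns (applied, suppressed): applied is a list of
    (circuit_id, assured_kbps) for every report that caused an adjustment,
    suppressed counts the reports that damping ignored.
    Assumption: a report is outside the damping range when it differs from
    the rate behind the last applied adjustment by more than damping_pct
    percent. damping_pct == 0 means no message is damped.
    """
    last_applied = {}            # circuit id -> reported rate last acted on
    applied, suppressed = [], 0
    for circuit, link_type, kbps in reports:
        prev = last_applied.get(circuit)
        # Integer arithmetic keeps the boundary case exact.
        outside = prev is None or abs(kbps - prev) * 100 > damping_pct * prev
        if damping_pct == 0 or outside:
            # Comparing against the last applied rate, not the last report,
            # means slow drift still triggers an adjustment eventually.
            last_applied[circuit] = kbps
            applied.append((circuit, assured_kbps(kbps, link_type, factors)))
        else:
            suppressed += 1
    return applied, suppressed


if __name__ == "__main__":
    for pct in (0, 10):
        applied, suppressed = replay(REPORTS, pct)
        print(f"damping {pct}%: {len(applied)} adjustments, "
              f"{suppressed} reports suppressed")
        for circuit, kbps in applied:
            print(f"  {circuit} -> {kbps} kbit/s")
```

With the constructed reports, a 10% damping range cuts seven reconfigurations to three while the large drop on the first line is still applied.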
6.3.1 Establishing the Configuration Task
6.3.2 Enabling ANCP
6.3.3 Configuring the Source Interface of an ANCP Connection
6.3.4 (Optional) Configuring Parameters of ANCP Sessions
6.3.5 Configuring the ANCP Neighbor Profile
6.3.6 (Optional) Configuring Bandwidth Adjustment Factors
6.3.7 (Optional) Enabling the Function of Configuring ANCP Access Lines
6.3.8 (Optional) Configuring ANCP Message Damping
6.3.9 (Optional) Configuring ANCP OAM Detection
6.3.10 Checking the Configuration

6.3.1 Establishing the Configuration Task

Applicable Environment
When the router functions as the convergence device between the DSLAM and the BRAS, and both the DSLAM and the BRAS support ANCP, you need to configure the router as the ANCP proxy. In this case, the router detects neither user services nor user login and logout.

Pre-configuration Tasks
Before configuring the router to function as an ANCP proxy, complete the following tasks:
- Configuring the physical parameters and link attributes of interfaces to ensure that the interfaces work properly
- Configuring IP addresses and routing protocols for interfaces

Data Preparation
To configure the router to function as an ANCP proxy, you need the following data.
1    Source interface of the ANCP connection
2    (Optional) Timeout period before an ANCP session is set up and the maximum times that packets are resent
3    Name of the ANCP neighbor profile
4    IP address of the ANCP neighbor
5    (Optional) Maximum number of lines permitted by each ANCP neighbor
6    (Optional) Interval for sending Keepalive packets of the ANCP session
7    (Optional) Aging time of the line entry
8    (Optional) Damping percentage of ANCP messages
9    (Optional) Number of OAM detections
10   (Optional) Timeout period of waiting for the response to OAM detection

6.3.2 Enabling ANCP

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp enable
ANCP is enabled.
The system performs socket listening and processes TCP connection requests from the DSLAM only after ANCP is enabled. When ANCP is disabled, all ANCP TCP connections are cut off, and socket listening is disabled.
By default, ANCP is disabled.
----End

6.3.3 Configuring the Source Interface of an ANCP Connection

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ancp
The ANCP view is displayed.
Step 3 Run:
    source-interface loopback interface-number
The source interface is configured for setting up an ANCP connection.
When the interface is connected to the DSLAM to set up a TCP connection, the source interface can only be a loopback interface. Changing the source-interface loopback interface-number configuration or the IP address of the interface does not affect an established TCP connection. The new configuration takes effect only when ANCP is disabled and then enabled again.

----End

6.3.4 (Optional) Configuring Parameters of ANCP Sessions

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  session { interval interval-value | retransmit retransmit-value } *
The timeout period of ANCP sessions and the maximum number of ANCP packet retransmissions are configured.
After a TCP connection is established, the router sends SYN packets to set up an ANCP session. If the sending end does not receive a correct response, it resends SYN packets until the ANCP session is successfully set up. If the ANCP session is still not set up when the number of SYN packet retransmissions reaches the upper threshold, the TCP connection is closed.
By default, the interval for sending SYN or SYN-ACK packets to the peer is 1s, and the maximum number of retransmissions is 10.

----End

6.3.5 Configuring the ANCP Neighbor Profile

Context

To facilitate the management of ANCP access lines, the router adopts ANCP neighbor profiles. Each neighbor profile can be configured with the IP address of a neighbor. If the IP address of a packet from a neighbor is the same as the configured IP address, the neighbor is considered to belong to the neighbor profile.

When a neighbor profile is created, the system checks whether a neighbor profile with the same name exists. If so, the neighbor view is displayed; if not, a neighbor view is created and then displayed. If a neighbor profile is in use, it cannot be deleted.

When the router functions as the ANCP proxy, you need to create the neighbor profile on the router to set up neighbor relationships with the upstream BRAS and with the downstream DSLAM.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  neighbor-profile neighbor-profile-name proxy [ client ]
An ANCP neighbor profile in proxy mode is created and the neighbor view is displayed.
If client is not specified, the neighbor profile works in proxy server mode and is used to set up the neighbor relationship with the downstream DSLAM.
If client is specified, the neighbor profile works in proxy client mode and is used to set up the neighbor relationship with the upstream BRAS.

NOTE
In proxy mode, only one neighbor profile can be configured to work in proxy client mode.

Step 4 (Optional) Run:
  tcp-listen port port-number
The port number on an ANCP neighbor for TCP connection listening is configured.
If the ANCP neighbor has already set up a TCP connection before the tcp-listen port command is run, the TCP connection is cut off, and the ANCP neighbor uses the new listening port to re-establish a TCP connection.
By default, the port number for TCP connection listening is 6068.

Step 5 Run:
  peer-id peer-id
The ID of the ANCP neighbor is configured.

Step 6 (Optional) Run:
  max-access-loop value
The maximum number of access lines is configured for the ANCP neighbor.
If there are lines accessing the neighbor and the maximum number of access lines is smaller than the number of existing access lines, no access line entries will be created, and the existing access line entries remain unchanged.
By default, a maximum of 65536 access lines can be configured in the neighbor profile.

Step 7 (Optional) Run:
  keep-alive interval interval-value
The interval for sending Keepalive packets is configured.
To detect the neighbor status (for example, whether the link is Up), after an ANCP session is set up, the router sends Keepalive packets to its neighbor, such as the DSLAM, at a fixed interval.
By default, the interval is 10s.

Step 8 (Optional) Run:
  aging-time value
The aging time of line entries is configured.
When an ANCP neighbor line becomes Down, the system needs to delete the line entry so that system resources are used efficiently. If the value is 0, a line entry is deleted immediately after the line becomes Down. Otherwise, the line entry is deleted only after the aging timer expires.
By default, the aging time of an ANCP neighbor line entry is 150s.

----End

6.3.6 (Optional) Configuring Bandwidth Adjustment Factors

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  neighbor-profile neighbor-profile-name [ proxy ]
An ANCP neighbor profile is created and the ANCP neighbor view is displayed.

Step 4 Run:
  adjustment { adsl adjust-percentage | adsl2 adjust-percentage | adsl2plus adjust-percentage | vdsl1 adjust-percentage | vdsl2 adjust-percentage | sdsl adjust-percentage } *
The bandwidth adjustment percentages for different link types in the ANCP neighbor profile are configured.

NOTE
The bandwidths that the DSLAM reports to the router are determined by the types of the physical links, whereas the router schedules user traffic based on the Ethernet link. Therefore, bandwidths need to be translated between different types of physical links. You can use the adjustment command to translate the packet overhead between different physical links.
For example, if you set the bandwidth adjustment factor for ADSL to 77%, this means that when a user reports an ADSL link, the actual bandwidth that HQoS assures for the user is the reported bandwidth × 77%.

----End

6.3.7 (Optional) Enabling the Function of Configuring ANCP Access Lines

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name
The name of the profile delivered to the peer is configured and the configuration of ANCP access lines is enabled.
The access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name command is used to enable the ANCP access line configurations, and to configure the router to deliver the profile name to the DSLAM.
When the access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name command is run on the ANCP server, the parameters in the profile, such as QoS parameters and bandwidths, need to be configured on the DSLAM. The parameters in the profile are valid for the users that go online after the profile is delivered.

NOTE
If the DSLAM needs to restart the line after receiving the profile name delivered by the router, you need to run the aging-time command on the router to set a longer aging time for ANCP line entries.

Step 4 (Optional) Run either of the following commands as required.
- Run the line-configure timeout time command, and the timeout period of the response to the delivered profile is configured. If the router does not receive any response during the timeout period, it considers that the delivery of the profile fails.
- Run the line-configure ack-mandatory command, and no response to the delivered profile is required.
By default, the timeout period is 5s.

----End

6.3.8 (Optional) Configuring ANCP Message Damping

Context

If the DSLAM repeatedly sends messages to the router to report user bandwidth changes, the router adjusts the user bandwidth accordingly and delivers related configurations each time. This affects the performance of the router. To avoid this impact, ANCP message damping needs to be configured on the router.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  neighbor-profile neighbor-profile-name
The neighbor view is displayed.

Step 4 Run:
  damping damping-percentage
ANCP message damping is configured.
After ANCP message damping is configured, the router adjusts the user bandwidth and delivers related configurations only when the user bandwidth changes out of the specified range. That is, if the user bandwidth changes within the specified range, the router does not respond to the ANCP messages that report related changes, and thus does not adjust the user bandwidth.
By default, no ANCP message is damped.

----End

6.3.9 (Optional) Configuring ANCP OAM Detection

Context

To test the remote connection of access lines, you can configure ANCP OAM detection.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  oam [ count test-counter ] access-loop access-loop-circuit-id
OAM detection is configured for a specific access line, and the number of times of OAM detection is also configured.
By default, the number of OAM detection times is 5.

Step 4 (Optional) Run:
  neighbor-profile neighbor-profile-name [ proxy ]
The ANCP neighbor view is displayed.

Step 5 (Optional) Run:
  oam timeout time
The timeout period of the response to OAM detection is configured.
If the router does not receive any response to OAM detection during the timeout period, it considers that ANCP OAM detection fails.
By default, the timeout period is 5s.

NOTE
The oam timeout command can be configured when the neighbor profile mode is server or proxy server.

----End

6.3.10 Checking the Configuration

Procedure

Step 1 Run the display ancp neighbor [ profile neighbor-profile | id id-value ] command to view information about the ANCP neighbor.

Step 2 Run the display ancp neighbor-profile [ neighbor-profile-name ] command to view the configuration of the ANCP neighbor profile.

Step 3 Run the display ancp access-loop [ access-loop-circuit-index | circuit-id circuit-id-text | circuit-id-include circuit-id-include-text | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ] command to view information about line entries in the ANCP neighbor profile.

Step 4 Run the display ancp statistic [ neighbor-id ] command to view the ANCP statistics of the neighbor.

----End

Example

After running the display ancp neighbor command, you can view the status of all ANCP neighbors, the neighbor with the specified neighbor profile, and the neighbor with the specified neighbor ID.
For example:

  <HUAWEI> display ancp neighbor
  Index  Peer-ID     State  Role          Line-num  Profile
  --------------------------------------------------------------------------
  0      123.1.3.1   ESTAB  proxy client  0         bras
  1      10.1.1.1    ESTAB  proxy server  2         dslam
  --------------------------------------------------------------------------
  The total is 2,printed is 2

  <HUAWEI> display ancp neighbor id 10.1.1.1
  Neighbor Profile name                :dslam
  Neighbor state                       :ESTAB
  Peer ID                              :10.1.1.1
  Peer port                            :49233
  Neighbor capacity                    :discovery;line-cfg;oam;
  Neighbor techtype                    :5(5 is DSL)
  Access loop circuit number           :2
  Session message interval             :20(seconds)
  Session message retransmit           :5
  Max access loop number               :65536
  Access loop configure timeout        :5(seconds)
  Access loop configure ack mandatory  :false
  Access loop aging time               :47(seconds)
  Access loop oam timeout              :50(seconds)
  Keep-alive interval                  :10(seconds)
  Wait-ack timeout                     :30000(milliseconds)
  ANCP role                            :proxy server

After running the display ancp neighbor-profile command, you can view the configuration of the specified neighbor profile. For example:

  <HUAWEI> display ancp neighbor-profile dslam1
  Index                                :1
  Neighbor Profile name                :dslam
  Neighbor Used state                  :used
  ANCP role                            :proxy server
  Auto-qos-adapt attribute             :both
  TCP-listen port number               :6068
  Damping percentage                   :0
  Peer ID                              :10.1.1.1
  Max access loop number               :65536
  Access loop configure timeout        :5(seconds)
  Access loop configure ack mandatory  :false
  Access loop aging time               :47(seconds)
  Access loop oam timeout              :50(seconds)
  Keep-alive interval                  :10(seconds)

After running the display ancp access-loop command, you can view information about access line entries.
For example:

  <HUAWEI> display ancp access-loop neighbor-profile dslam
  ----------------------------------------------------------------
  Index  State  Peer-ID    Circuit-ID
  ----------------------------------------------------------------
  10     UP     10.1.1.1   001882362CFF eth 0/3/0/1:10
  11     UP     10.1.1.1   001882362CFF eth 0/3/0/2:6
  ----------------------------------------------------------------
  The total is 2,printed is 2

After running the display ancp statistic command, you can view the ANCP statistics of the neighbor. For example:

  <HUAWEI> display ancp statistic 10.1.1.1
  Received ack packet                  :96
  Received syn packet                  :0
  Received synack packet               :1
  Received reset ack packet            :0
  Received lineup packet               :2
  Received linedown packet             :0
  Received oam packet                  :0
  Received line config packet          :0
  Received multicast packet            :0
  Received unknown packet              :0
  Send ack packet                      :96
  Send synack packet                   :1
  Send syn packet                      :1
  Send reset ack packet                :0
  Send oam packet                      :0
  Send access loop config packet       :0
  Send multicast packet                :0
  Send failed packet                   :0

6.4 Configuring the Association Between ANCP and HQoS in the ANCP Proxy Scenario

This section describes how to configure the association between ANCP and HQoS in the ANCP proxy scenario.

6.4.1 Establishing the Configuration Task
6.4.2 Configuring the Mode of the Association Between ANCP and HQoS
6.4.3 Configuring the QoS Profile and Scheduling Parameters
6.4.4 Configuring the BRAS to Deliver the QoS Policy Name
6.4.5 Applying the QoS Profile to the Interface
6.4.6 Enabling ANCP on the Interface and Associating the Interface with the ANCP Neighbor Profile
6.4.7 Checking the Configuration

6.4.1 Establishing the Configuration Task

Applicable Environment

When the router functions as the ANCP server or the ANCP proxy, if ANCP is required to control downstream rates of user lines and QoS scheduling parameters of various services, you need to configure ANCP to support HQoS.
- When the router functions as the ANCP server, only the bandwidth adjustment factor needs to be configured.
- When the router functions as the ANCP proxy, you need to configure the bandwidth adjustment factor, association between ANCP and HQoS, and QoS profile and scheduling parameters, enable ANCP on the interface, associate the interface with the ANCP neighbor profile, and apply the QoS profile.

Pre-configuration Tasks

Before configuring ANCP functions, complete the following tasks:
- Configuring the physical parameters and link attributes of interfaces to ensure that the interfaces work properly
- Configuring IP addresses and routing protocols for interfaces
- Enabling ANCP and configuring ANCP neighbor profiles

Data Preparation

To configure the function that ANCP supports HQoS, you need the following data.

No.  Data
1    Source interface of the ANCP connection
2    Name of the ANCP neighbor profile
3    IP address of the ANCP neighbor
4    Bandwidth adjustment factor for the ANCP neighbor
5    ANCP-enabled sub-interface
6    Mode of the association between ANCP and HQoS
7    Scheduling parameter in the QoS profile
8    Interface to which the QoS profile is applied
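
The bandwidth adjustment factor (6.3.6) and ANCP message damping (6.3.8) together decide which DSLAM reports turn into HQoS changes. The following Python model is an added example, not Huawei code; it assumes the damping percentage is compared against the last reported bandwidth the router acted on, and the names assured_kbps, AccessLine and replay are hypothetical.

```python
"""Model of ANCP bandwidth adjustment (6.3.6) and message damping (6.3.8).

Added illustration, not Huawei code. Assumption: a report is acted on only
when it differs from the last APPLIED reported bandwidth by more than the
damping percentage; the guide does not state the device's comparison base.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Adjustment percentages per link type, taken from this guide's example
# ("adjustment adsl 77 vdsl1 90").
ADJUSTMENT: Dict[str, int] = {"adsl": 77, "vdsl1": 90}


def assured_kbps(reported_kbps: int, dsl_type: str,
                 factors: Dict[str, int] = ADJUSTMENT) -> int:
    """HQoS-assured bandwidth = reported bandwidth x adjustment percentage."""
    pct = factors.get(dsl_type, 100)  # assumption: unconfigured type = 100%
    return reported_kbps * pct // 100


@dataclass
class AccessLine:
    """Hypothetical per-line state kept by the model."""
    circuit_id: str
    dsl_type: str
    damping_pct: int = 0                 # 0 is the default: nothing is damped
    last_applied: Optional[int] = None   # last reported kbps that was acted on
    delivered: List[int] = field(default_factory=list)

    def report(self, reported_kbps: int) -> bool:
        """Process one bandwidth report; return True if HQoS was re-adjusted."""
        if reported_kbps <= 0:
            raise ValueError("reported bandwidth must be positive")
        if self.last_applied is not None and self.damping_pct > 0:
            delta = abs(reported_kbps - self.last_applied)
            # Integer comparison avoids float rounding at the range boundary.
            if delta * 100 <= self.damping_pct * self.last_applied:
                return False             # change is inside the damping range
        self.last_applied = reported_kbps
        self.delivered.append(assured_kbps(reported_kbps, self.dsl_type))
        return True


def replay(reports: List[int], dsl_type: str, damping_pct: int) -> List[int]:
    """Feed reports to one line; return the assured values that were delivered."""
    line = AccessLine("constructed-line-1", dsl_type, damping_pct)
    for kbps in reports:
        line.report(kbps)
    return line.delivered


# Constructed report sequence: a line whose sync rate jitters, then retrains.
FLAPPING = [8000, 8100, 7950, 8050, 6000, 6100, 8000]

if __name__ == "__main__":
    for pct in (0, 10):
        out = replay(FLAPPING, "adsl", pct)
        print(f"damping {pct:>2}%: {len(out)} adjustments -> {out}")
```

With the default damping of 0, every one of the seven reports causes a reconfiguration; with a damping percentage of 10, only the three real rate changes do.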

6.4.2 Configuring the Mode of the Association Between ANCP and HQoS

Context

When ANCP is associated with QoS, if both the DSLAM and the BRAS report QoS messages, the mode of the association between ANCP and HQoS determines which QoS message is selected by the device.

NOTE
This configuration is applicable only to the neighbor profile whose attribute is proxy server.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  neighbor-profile neighbor-profile-name proxy
The neighbor profile view is displayed.

Step 4 Run:
  auto-qos-adapt { dslam | bras | both }
The mode of the association between ANCP and HQoS is configured.
If dslam is specified, you need to apply the specified QoS profile name to the downstream interface of user services so that the router restricts the downstream bandwidth of user services according to the actual physical bandwidth and the minimum value of HQoS that are reported by the ANCP line.
If bras is specified, the BRAS delivers a QoS profile name to a user, and the router receives and applies the QoS policy.
If both is specified, the BRAS needs to deliver a QoS profile name to a user, and the router receives and applies the QoS policy. Then, if the DSLAM reports line update messages, ANCP adjusts the user bandwidth according to the new bandwidth information.

----End

6.4.3 Configuring the QoS Profile and Scheduling Parameters

Context

Do as follows on the router:

NOTE
This configuration is applicable only when the neighbor profile whose attribute is proxy server is enabled with the function that ANCP supports HQoS.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  qos-profile qos-profile-name
A QoS profile is created and the QoS profile view is displayed.

Step 3 You can choose to configure user queue scheduling parameters or traffic assurance for users as required.
- Run: user-queue cir cir-value [ pir pir-value ] [ flow-queue flow-queue name ] [ flow-mapping flow-mapping name ] [ user-group-queue user-group-queue name ] [ service-template service-template-name ]
  The user queue scheduling parameters are configured to implement HQoS on user services.
- Run: car { cir cir-value [ pir pir-value ] } [ cbs cbs-value pbs pbs-value ] [ green { discard | pass } | yellow { discard | pass } | red { discard | pass } ] *
  A committed access rate (CAR) is configured to ensure that user traffic can be normally forwarded.
- Run: broadcast-suppression cir cir-value [ cbs cbs-value ]
  The suppression rate of broadcast packets is configured in the QoS profile.
- Run: multicast-suppression cir cir-value [ cbs cbs-value ]
  The suppression rate of multicast packets is configured in the QoS profile.
- Run: unknown-unicast-suppression cir cir-value [ cbs cbs-value ]
  The suppression rate of unknown unicast packets is configured in the QoS profile.

NOTE
- The car command and the user-queue command in the QoS profile are mutually exclusive. That is, the two commands cannot be both configured.
- If you have run the qos-profile command on an interface, you cannot run the user-queue command or the car command or enable the traffic suppression function on the interface.

For detailed configurations of the QoS profile, refer to the HUAWEI NetEngine80E/40E Configuration Guide - QoS.

----End

6.4.4 Configuring the BRAS to Deliver the QoS Policy Name

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ancp
The ANCP view is displayed.

Step 3 Run:
  access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name
Configure the BRAS to deliver the QoS policy name.

----End

6.4.5 Applying the QoS Profile to the Interface

Context

Do as follows on the router:

NOTE
This configuration is applicable only when the neighbor profile whose attribute is proxy server is enabled with the association between ANCP and HQoS in dslam mode.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number [ .sub-interface ]
The interface view for adjusting bandwidths is displayed.

Step 3 Choose the matched command line to apply QoS profiles on interfaces of different types.
- Run the qos-profile qos-profile-name { inbound | outbound } [ group group-name ] command on GE interfaces, Eth-Trunk interfaces, Ethernet interfaces and their sub-interfaces to apply QoS profiles.
- Run the qos-profile qos-profile-name { inbound | outbound } vlan vlan-id1 [ to vlan-id2 ] identifier { vlan-id | none } [ group group-name ] command on Layer 2 GE interfaces, Layer 2 Eth-Trunk interfaces, Dot1q termination sub-interfaces, QinQ stacking sub-interfaces to apply QoS profiles.
- Run the qos-profile qos-profile-name { inbound | outbound } pe-vid pe-vlan-id ce-vid ce-vlan-id1 [ to ce-vlan-id2 ] identifier { pe-vid | ce-vid | pe-ce-vid | none } [ group group-name ] command on QinQ termination sub-interfaces and QinQ mapping interfaces to apply QoS profiles.

----End

6.4.6 Enabling ANCP on the Interface and Associating the Interface with the ANCP Neighbor Profile

Context

Do as follows on the router:

NOTE
This configuration is applicable only when the neighbor profile whose attribute is proxy server is enabled with the function that ANCP supports HQoS.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.

Step 3 Run:
  ancp enable neighbor-profile-name
The ANCP function is enabled on the interface, and the ANCP neighbor profile is associated with the interface.

----End

6.4.7 Checking the Configuration

Procedure

Step 1 Run the display ancp neighbor [ profile neighbor-profile | id id-value ] command to view information about the ANCP neighbor.

Step 2 Run the display ancp neighbor-profile [ neighbor-profile-name ] command to view the configuration of the ANCP neighbor profile.

Step 3 Run the display ancp access-loop [ access-loop-circuit-index | circuit-id circuit-id-text | circuit-id-include circuit-id-include-text | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ] command to view information about line entries in the ANCP neighbor profile.

Step 4 Run the display ancp statistic [ neighbor-id ] command to view the statistics of an ANCP neighbor.

----End

Example

After running the display ancp neighbor command, you can view the status of all neighbors. For example:

  <HUAWEI> display ancp neighbor
  Index  Peer-ID     State  Role          Line-num  Profile
  --------------------------------------------------------------------------
  0      123.1.3.1   ESTAB  proxy client  0         bras
  1      10.1.1.1    ESTAB  proxy server  2         dslam
  --------------------------------------------------------------------------
  The total is 2,printed is 2

After running the display ancp neighbor id 10.1.1.1 command, you can view the status of the neighbor whose ID is 10.1.1.1.

  <HUAWEI> display ancp neighbor id 10.1.1.1
  Neighbor Profile name                :dslam
  Neighbor state                       :ESTAB
  Peer ID                              :10.1.1.1
  Peer port                            :49233
  Neighbor capacity                    :discovery;line-cfg;oam;
  Neighbor techtype                    :5(5 is DSL)
  Access loop circuit number           :2
  Session message interval             :20(seconds)
  Session message retransmit           :5
  Max access loop number               :65536
  Access loop configure timeout        :5(seconds)
  Access loop configure ack mandatory  :false
  Access loop aging time               :47(seconds)
  Access loop oam timeout              :50(seconds)
  Keep-alive interval                  :10(seconds)
  Wait-ack timeout                     :30000(milliseconds)
  ANCP role                            :proxy server

After running the display ancp neighbor-profile command, you can view the configuration of the specified neighbor profile. For example:

  <HUAWEI> display ancp neighbor-profile dslam1
  Index                                :1
  Neighbor Profile name                :dslam1
  Neighbor Used state                  :used
  ANCP role                            :proxy server
  Auto-qos-adapt attribute             :both
  TCP-listen port number               :6068
  Damping percentage                   :0
  Peer ID                              :10.1.1.1
  Max access loop number               :65536
  Access loop configure timeout        :5(seconds)
  Access loop configure ack mandatory  :false
  Access loop aging time               :47(seconds)
  Access loop oam timeout              :50(seconds)
  Keep-alive interval                  :10(seconds)

After running the display ancp access-loop command, you can view information about access line entries.
For example:

  <HUAWEI> display ancp access-loop neighbor-profile dslam
  ----------------------------------------------------------------
  Index  State  Peer-ID    Circuit-ID
  ----------------------------------------------------------------
  10     UP     10.1.1.1   001882362CFF eth 0/3/0/1:10
  11     UP     10.1.1.1   001882362CFF eth 0/3/0/2:6
  ----------------------------------------------------------------
  The total is 2,printed is 2

After running the display ancp statistic command, you can view the ANCP statistics of a neighbor. For example:

  <HUAWEI> display ancp statistic 10.1.1.1
  Received ack packet                  :96
  Received syn packet                  :0
  Received synack packet               :1
  Received reset ack packet            :0
  Received lineup packet               :2
  Received linedown packet             :0
  Received oam packet                  :0
  Received line config packet          :0
  Received multicast packet            :0
  Received unknown packet              :0
  Send ack packet                      :96
  Send synack packet                   :1
  Send syn packet                      :1
  Send reset ack packet                :0
  Send oam packet                      :0
  Send access loop config packet       :0
  Send multicast packet                :0
  Send failed packet                   :0

6.5 Maintaining ANCP

This section describes how to view and clear ANCP running information and how to debug ANCP.

6.5.1 Clearing ANCP Running Information

6.5.1 Clearing ANCP Running Information

CAUTION
ANCP running information cannot be restored after you clear it. Therefore, confirm the action before you use the command.

To clear ANCP running information, run the following reset commands in the ANCP view.

Action: Clear information about ANCP access line entries.
Command: reset ancp access-loop [ circuit-id access-loop-circuit-id | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ]

Action: Clear information about ANCP neighbor entries.
Command: reset ancp neighbor [ profile neighbor-profile-name | id neighbor-id-value ]

Action: Clear ANCP statistics.
Command: reset ancp statistic [ neighbor-id ]

6.6 Configuration Examples

This section provides examples for ANCP configurations.

6.6.1 Example for Configuring the ANCP Server
6.6.2 Configuring router as the ANCP Proxy and Configuring ANCP-HQoS Association

6.6.1 Example for Configuring the ANCP Server

As an ANCP server, the router functions as both a BRAS and an SR. As an SR, the router can sense the topology of the access network and parameters of the access links, and can therefore help prevent the access network from being congested. As a BRAS, the router can achieve automatic adjustment of policies on the DSLAM through the update of user services on the ANCP.

Prerequisite

Before configuring the ANCP server, configurations of routes between the connected devices must be completed.

Networking Requirements

The trend of network convergence and the development of Triple Play services have posed new networking requirements. As shown in Figure 6-3, the router needs to be deployed on the convergence layer at the edge of a broadband MAN.
Here, the router acts as the service control gateway as well as the authentication and accounting gateway for various types of broadband access users. In this scenario, the router can provide various types of broadband access services and extensive value added services for users. In addition, the router is also able to implement bandwidth control, traffic policing, and QoS enforcement on the services of users.

The DSLAM supports ANCP and the router functions as the BRAS to manage users, that is, detects user services and user logon and logout. Other requirements are as follows:
- The maximum number of access lines for the DSLAM whose IP address is 10.1.1.1 is 3000.
- Lines accessed by the DSLAM can be configured on the router.
- For subsequent login users, the router is able to automatically adjust the downstream bandwidth for the users according to information about the access lines.
- The router is able to configure bandwidth adjustment factors according to the types of user services.

Figure 6-3 Networking diagram of configuring the ANCP server
[Figure labels: phone, PC, IPTV, ADSL/VDSL Modem 1, ADSL/VDSL Modem 2, DSLAM, Router, IP/MPLS backbone]

Configuration Roadmap

The configuration roadmap is as follows:
1. Enable ANCP.
2. Configure the source interface of the ANCP connection.
3. Configure the ANCP session parameters.
4. Configure the ANCP neighbor profile and parameters.
5. Configure bandwidth adjustment factors.

Data Preparation

To complete the configuration, you need the following data:
- IP address of the source interface of the ANCP connection
- ANCP neighbor name and IP address
- ANCP session parameter
- Maximum number of access lines, handshaking interval, and timeout period of waiting for the response to the access line configuration for the ANCP neighbor
- Bandwidth adjustment factor

NOTE
The following describes the configuration of the router. For configurations of the ADSL/VDSL modem and DSLAM, see the corresponding configuration guides.

Procedure

Step 1 Configure ANCP.

# Enable ANCP.

  <HUAWEI> system-view
  [HUAWEI] ancp enable

# Configure the source interface of the ANCP connection.

  [HUAWEI] interface loopback 1
  [HUAWEI-LoopBack1] ip address 1.1.1.1 24
  [HUAWEI-LoopBack1] quit
  [HUAWEI] ospf 82
  [HUAWEI-ospf-82] area 0
  [HUAWEI-ospf-82-area-0.0.0.0] network 1.1.1.1 0.0.0.0
  [HUAWEI-ospf-82-area-0.0.0.0] quit
  [HUAWEI-ospf-82] quit
  [HUAWEI] ancp
  [HUAWEI-ancp] source-interface loopback 1

# Configure the ANCP session parameters.

  [HUAWEI-ancp] session interval 10 retransmit 20

# Configure the ANCP neighbor profile and bandwidth adjustment factors.

  [HUAWEI-ancp] neighbor-profile dslam1
  [HUAWEI-ancp-neighbor-dslam1] peer-id 10.1.1.1
  [HUAWEI-ancp-neighbor-dslam1] max-access-loop 3000
  [HUAWEI-ancp-neighbor-dslam1] line-configure timeout 10
  [HUAWEI-ancp-neighbor-dslam1] keep-alive interval 20
  [HUAWEI-ancp-neighbor-dslam1] adjustment adsl 77 vdsl1 90
  [HUAWEI-ancp-neighbor-dslam1] quit

NOTE
The IP address specified in peer-id must be the same as the IP address that is used by the peer to set up the TCP connection.

Step 2 Verify the configuration.

# Check the configurations of the ANCP neighbor profile named dslam1.
<HUAWEI> display ancp neighbor-profile dslam1
Index                                :0
Neighbor Profile name                :dslam1
Neighbor Used state                  :unused
ANCP role                            :server
TCP-listen port number               :6068
Damping percentage                   :0
Adjustment                           :adsl 77 vdsl1 90
Peer ID                              :10.1.1.1
Max access loop number               :3000
Access loop configure timeout        :10(seconds)
Access loop configure ack mandatory  :false
Access loop aging time               :150(seconds)
Access loop oam timeout              :20(seconds)
Keep-alive interval                  :20(seconds)

# Check the entry information of the access line named access1.
<HUAWEI> display ancp access-loop
Circuit index               :1
Circuit ID                  :access1
Peer ID                     :10.1.1.1
Dsl type                    :ADSL2
Actual datarate upstream    :143(Kbps)
Actual datarate downstream  :153(Kbps)
The total is 1,printed is 1

When traffic flows on the network, it is found that traffic of access line 1 is forwarded according to the QoS profile named test that is configured by the DSLAM.

----End

Configuration Files
#
 sysname HUAWEI
#
 ancp enable
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.0
#
ospf 82
 area 0
  network 1.1.1.1 0.0.0.0
#
ancp
 source-interface LoopBack1
 session interval 10 retransmit 20
 neighbor-profile dslam1
  peer-id 10.1.1.1
  adjustment adsl 77 vdsl1 90
  keep-alive interval 20
  line-configure timeout 10
  max-access-loop 3000
#
return

6.6.2 Configuring router as the ANCP Proxy and Configuring ANCP-HQoS Association

As an ANCP proxy, the router can aggregate ANCP connections. This prevents too many DSLAMs from being connected to the BRAS. The ANCP-HQoS association can reduce the need for manual configuration. By automatically adjusting user bandwidths, the ANCP-HQoS association prevents traffic congestion on a DSLAM.

Prerequisite
Before configuring the router as the ANCP proxy and configuring the ANCP-HQoS association, configurations of routes between the connected devices must be completed.

Networking Requirements
To implement automatic topology discovery and automatic link configuration in the access network, you need to configure ANCP between the DSLAM and BRAS. Usually, one BRAS can have hundreds of ANCP peers. If too many DSLAMs are connected to a BRAS, the ANCP proxy needs to be configured on the router to aggregate ANCP connections. When a user customizes new services, ANCP-HQoS association automatically adjusts the user bandwidth on the router. This prevents traffic congestion on the DSLAM.

As shown in Figure 6-4, both the DSLAM and the BRAS support ANCP. Functioning as the convergence device, the router sets up ANCP neighbor relationships with the DSLAM and the BRAS. Other requirements are described as follows:
• The maximum number of access lines for the DSLAM whose IP address is 10.1.1.1 is 3000.
• Lines accessed by the DSLAM can be configured on the router.
• The router is able to configure bandwidth adjustment factors according to the types of user services.
• Traffic flows of different user services enter different QinQ sub-interfaces for QoS scheduling.
• Downstream traffic of the router is scheduled through ANCP according to the QoS policy delivered by the BRAS.

Figure 6-4 Networking diagram of configuring router as the ANCP proxy and configuring ANCP-HQoS association
(Diagram labels: phone, PC, IPTV, ADSL/VDSL Modem 1, ADSL/VDSL Modem 2, DSLAM, Router, GE1/0/0, BRAS, IP/MPLS backbone.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable ANCP.
2. Configure the source interface of the ANCP connection.
3. Configure the ANCP session parameters.
4. Configure the ANCP neighbor profile and parameters.
5. Configure bandwidth adjustment factors.
6. Configure the mode of the association between ANCP and HQoS.
7. Enable ANCP on the interface and associate the ANCP neighbor with the interface.
8. Configure the QoS profile and schedule parameters.
9. (Optional) Configure the name of the QoS policy delivered by the BRAS.
10. Apply the QoS profile to the interface.

Data Preparation
To complete the configuration, you need the following data:
• IP address of the source interface of the ANCP connection
• ANCP neighbor name and IP address
• ANCP session parameter
• Maximum number of access lines, handshaking interval, and timeout period of waiting for the response to the access line configuration for the ANCP neighbor
• Bandwidth adjustment factors

Procedure
Step 1 Configure ANCP.

# Enable ANCP.
<HUAWEI> system-view
[HUAWEI] ancp enable

# Configure the source interface of an ANCP connection.
[HUAWEI] interface loopback 1
[HUAWEI-LoopBack1] ip address 1.1.1.1 24
[HUAWEI-LoopBack1] quit
[HUAWEI] ospf 82
[HUAWEI-ospf-82] area 0
[HUAWEI-ospf-82-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[HUAWEI-ospf-82-area-0.0.0.0] quit
[HUAWEI-ospf-82] quit
[HUAWEI] ancp
[HUAWEI-ancp] source-interface loopback 1

# Configure the ANCP session parameters.
[HUAWEI-ancp] session interval 10 retransmit 20

# Configure profile parameters and bandwidth adjustment factors for the ANCP neighbor connected to the DSLAM.
[HUAWEI-ancp] neighbor-profile dslam1 proxy
[HUAWEI-ancp-neighbor-dslam1] peer-id 10.1.1.1
[HUAWEI-ancp-neighbor-dslam1] max-access-loop 3000
[HUAWEI-ancp-neighbor-dslam1] line-configure timeout 10
[HUAWEI-ancp-neighbor-dslam1] keep-alive interval 20
[HUAWEI-ancp-neighbor-dslam1] adjustment adsl 77 vdsl1 90
[HUAWEI-ancp-neighbor-dslam1] quit

# Configure profile parameters and bandwidth adjustment factors for the ANCP neighbor connected to the BRAS.
[HUAWEI-ancp] neighbor-profile bras proxy client
[HUAWEI-ancp-neighbor-bras] peer-id 10.1.1.2
[HUAWEI-ancp-neighbor-bras] quit

Step 2 Configure the mode of the association between ANCP and HQoS.
[HUAWEI-ancp] auto-qos-adapt bras

Step 3 Configure parameters in the QoS profile.
For detailed configurations of parameters in the QoS profile, refer to the HUAWEI NetEngine80E/40E Router Configuration Guide - QoS.

Step 4 (Optional) Configure the name of the QoS policy delivered by the BRAS.
<HUAWEI> system-view
[HUAWEI] ancp
[HUAWEI-ancp] access-loop-configure circuit-id "text" service-profile test

Step 5 Apply the QoS profile to the interface and associate the ANCP neighbor with the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] qos-profile test outbound pe-vid 1 ce-vid 1 to 100
[HUAWEI-GigabitEthernet1/0/0] ancp enable dslam1
[HUAWEI-GigabitEthernet1/0/0] quit

After the preceding configurations, you can run the display qos-profile configuration test and display qos-profile application test slot 1 inbound commands to view the configurations of the QoS profile and its applications.
<HUAWEI> display qos-profile configuration test
qos-profile : test
 user-queue cir 100000 flow-queue test flow-mapping test user-group-queue test
 broadcast-suppression cir 2000
 multicast-suppression cir 2000
 unknown-unicast-suppression cir 2000
Reference relationships:
 GigabitEthernet1/0/0
<HUAWEI> display qos-profile application test slot 1 inbound
qos-profile : test
 intaface GigabitEthernet1/0/0, pe-vid 1, ce-vid 1 to 100

Step 6 Verify the configuration.

# Check basic information about the ANCP neighbor profile.
<HUAWEI> display ancp neighbor-profile
---------------------------------------------------------------
Index  Peer-ID    State  Role          Profile-name
---------------------------------------------------------------
1      1.1.1.2    used   proxy server  dslam1
2      10.1.1.2   used   proxy client  bras
---------------------------------------------------------------
The total is 1,printed is 1

# Check the configurations of the ANCP neighbor profile named dslam1.
<HUAWEI> display ancp neighbor-profile dslam1
Index                                :1
Neighbor Profile name                :dslam1
Neighbor Used state                  :used
ANCP role                            :proxy server
ANCP source interface                :LoopBack1
TCP-listen port number               :6068
Damping percentage                   :0
Peer ID                              :10.1.1.1
Max access loop number               :3000
Access loop configure timeout        :5(seconds)
Access loop configure ack mandatory  :false
Access loop aging time               :30(seconds)
Access loop oam timeout              :5(seconds)
Keep-alive interval                  :20(seconds)

----End

Configuration Files
#
 sysname HUAWEI
#
 ancp enable
#
ancp
 source-interface LoopBack1
 session interval 10 retransmit 20
 neighbor-profile bras proxy client
  peer-id 10.1.1.2
 neighbor-profile dslam1 proxy
  peer-id 10.1.1.1
  max-access-loop 3000
  line-configure timeout 10
  keep-alive interval 20
  adjustment adsl 77 vdsl1 90
 auto-qos-adapt bras
#
flow-wred test
 color green low-limit 70 high-limit 100 discard-percentage 100
 color yellow low-limit 60 high-limit 90 discard-percentage 100
 color red low-limit 50 high-limit 80 discard-percentage 100
#
flow-mapping test
 map flow-queue af1 to port-queue ef
#
flow-queue test
 queue af1 lpq shaping 10000 flow-wred test
 queue ef pq shaping 30000 flow-wred test
#
user-group-queue test
 shaping 500000 inbound
#
service-template test
 network-header-length 12 inbound
#
qos-profile test
 user-queue cir 100000 pir 100000 flow-queue test flow-mapping test user-group queue test service-template test
#
port-wred test
 color green low-limit 70 high-limit 100 discard-percentage 100
 color yellow low-limit 60 high-limit 90 discard-percentage 100
 color red low-limit 50 high-limit 80 discard-percentage 100
#
interface GigabitEthernet1/0/0
 undo shutdown
 control-vid 1 qinq-termination
 qinq termination l2 symmetry user-mode
 qinq termination pe-vid 1 ce-vid 1 to 1000
 qos-profile test outbound pe-vid 1 ce-vid 1 to 1000
 ancp enable dslam1
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.0
#
ospf 82
 area 0
  network 1.1.1.1 0.0.0.0
#
return

7 IP Performance Configuration

About This Chapter
This chapter describes the parameters and function required for IP performance optimization and provides procedures and examples for optimizing IP performance.

7.1 IP Performance Overview
This section describes the parameters and concepts concerning IP performance.
7.2 Improving IP Performance
This section describes how to enhance the performance of a specified network through setting some IP parameters.
7.3 Configuring TCP
This section describes how to configure a TCP timer and specify the size of a sliding window.
7.4 Configuring Load Balancing for IP Packet Forwarding
This section describes how to configure the load balancing mode for IP packet forwarding and how to configure the Unequal Cost Multipath Path (UCMP).
7.5 Maintaining IP Performance
This section describes how to clear IP/TCP/UDP statistics and debug IP/TCP/UDP.
7.6 Configuration Examples
This section provides several configuration examples of the IP performance.

7.1 IP Performance Overview

This section describes the parameters and concepts concerning IP performance.
7.1.1 Introduction to IP Performance
7.1.2 IP Performance Supported by the NE80E/40E

7.1.1 Introduction to IP Performance

IP performance optimization is based on the configuration of some parameters and the enabling of related functions, for example, the interface MTU, ICMP attributes, and TCP attributes.

Internet Control Message Protocol (ICMP) messages are used by either the IP layer or the higher layer protocol (TCP or UDP). ICMP communicates error messages or other information that requires attention.

7.1.2 IP Performance Supported by the NE80E/40E

ICMP
• ICMP Host Unreachable messages
  When forwarding packets, the device discards the packets and returns an ICMP host unreachable message to the source, notifying the source that it must stop sending packets to this destination, if the device encounters the following situations:
  – There is no route to the destination.
  – The packet is not for itself.
• ICMP Redirection messages
  During packet forwarding, if the device finds the following situations, the device needs to send an ICMP redirection message to the source device and notifies the host to reselect a correct device to send packets.
  – The interfaces to receive and forward packets are the same.
  – The selected route is not created or modified by the ICMP redirection packet.
  – The selected route is not the route destined for the destination 0.0.0.0.
  – The subnet mask bit of the source address is the same as that of the outgoing interface.
• ICMP packet sending switches
  Under normal circumstances, ICMP host unreachable and redirection messages can ensure normal packet transmission. However, when devices encounter the preceding conditions frequently, network traffic becomes heavy because devices send a large number of ICMP messages. This increases the traffic burden. In the case of malicious attacks, network congestion becomes worse.
  To solve this problem, the ICMP host unreachable function can be deployed on the outbound interface. If this function is disabled, the device does not send out ICMP host unreachable messages; as a result, the traffic burden of the network is relieved and malicious attacks on the network are prevented.

Unequal-Cost Load Balancing
The NE80E/40E supports Unequal-Cost Multiple Path (UCMP) among all equal-cost routes to the same destination. UCMP supports only flow-based IP packet forwarding.

UCMP applies to only equal-cost routes. It is independent of routing protocols. That is, it does not concern whether the Interior Gateway Protocol (IGP) or the Border Gateway Protocol (BGP) is used.
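
Added example, not taken from the guide and not Huawei's forwarding code: a small simulation of flow-based path selection that contrasts an even split (ECMP) with the bandwidth-proportional split this section describes for UCMP, including the rule from this section that a path below 1/16 of the total bandwidth does not participate. The path names, bandwidths, sample flows and the SHA-256 flow hash are constructed assumptions, and "total bandwidth" is assumed to be the sum over all equal-cost paths.

```python
"""Flow-based ECMP vs UCMP path selection (illustrative model only)."""
import hashlib
from collections import Counter

# Constructed equal-cost paths to one destination: name -> bandwidth (Mbit/s).
PATHS = {"path-A": 1000, "path-B": 155, "path-C": 34}


def ucmp_members(paths):
    """Return the paths that take part in UCMP, weighted by bandwidth.

    A path whose bandwidth is lower than 1/16 of the total is left out.
    """
    total = sum(paths.values())
    if total <= 0:
        raise ValueError("paths carry no bandwidth")
    return {name: bw for name, bw in paths.items() if bw * 16 >= total}


def ecmp_members(paths):
    """ECMP ignores bandwidth: every path gets the same weight."""
    return {name: 1 for name in paths}


def flow_hash(flow):
    """Stand-in flow hash (assumption): SHA-256 over the flow fields."""
    key = "|".join(str(field) for field in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def pick_path(flow, weights):
    """Map a flow onto one path; the same flow always gets the same path."""
    if not weights:
        raise ValueError("no participating path")
    slot = flow_hash(flow) % sum(weights.values())
    for name in sorted(weights):
        if slot < weights[name]:
            return name
        slot -= weights[name]
    raise AssertionError("slot outside weight table")


def sample_flows(count=20000):
    """Constructed flows: (protocol, src IP, dst IP, src port, dst port)."""
    return [
        (6, f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 1024 + i % 5000, 443)
        for i in range(count)
    ]


def distribution(flows, weights):
    """Count how many flows land on each path."""
    return Counter(pick_path(flow, weights) for flow in flows)


def relative_load(counts, paths):
    """Share of flows divided by share of bandwidth, per path.

    1.0 means a path carries exactly its fair share; values well above 1.0
    mean it is overloaded (assuming every flow carries similar traffic).
    """
    flows = sum(counts.values())
    total_bw = sum(paths.values())
    return {
        name: round((counts.get(name, 0) / flows) / (bw / total_bw), 2)
        for name, bw in paths.items()
    }


if __name__ == "__main__":
    flows = sample_flows()
    for label, weights in (("ECMP", ecmp_members(PATHS)),
                           ("UCMP", ucmp_members(PATHS))):
        counts = distribution(flows, weights)
        print(label, dict(counts), relative_load(counts, PATHS))
```

In this model the 34 Mbit/s path receives about a third of the flows under ECMP, while under UCMP it receives none and the remaining two paths are loaded close to their bandwidth ratio.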

Among the paths that perform UCMP, the bandwidth of each path must not be lower than 1/16 of the total bandwidth; otherwise, the path does not participate in UCMP.

The unequal-cost load balancing is classified into interface unequal-cost load balancing and global unequal-cost load balancing. The differences between these two modes are described as follows:
• For the interface unequal-cost load balancing, you need to enable the unequal-cost load balancing on all the outgoing interfaces that can forward packets. For the global unequal-cost load balancing, you need to enable the unequal-cost load balancing only in the system view.
• After the interface unequal-cost load balancing is enabled, you need to restart any interface to trigger the delivery of FIB entries. After the global unequal-cost load balancing is enabled, FIB entries can be delivered automatically.

The interface unequal-cost load balancing and the global unequal-cost load balancing are mutually exclusive. You cannot enable both of them.

7.2 Improving IP Performance

This section describes how to enhance the performance of a specified network through setting some IP parameters.
7.2.1 Establishing the Configuration Task
7.2.2 Configuring the Maximum Transmission Unit of the Interface
7.2.3 Configuring ICMP Attributes
7.2.4 Checking the Configuration

7.2.1 Establishing the Configuration Task

Applicable Environment
In some special network environments, you must adjust the IP parameters to achieve the best performance. Improving IP performance involves configurations of a series of parameters.

Pre-configuration Tasks
Before improving IP performance, complete the following tasks:
• Configuring the physical parameters for related interfaces and ensuring that the status of the physical layer of the interface is Up
• Configuring the link layer protocol for related interfaces and ensuring that the status of the link layer protocol on the interface is Up
• Configuring the IP addresses for related interfaces

Data Preparation
To improve IP performance, you need the following data.

No.  Data
1    Number and MTU value of the interface
2    Number of the interface which needs source address verification
3    Number of the interface which needs to forward broadcast packets and ACL number
4    Number of the interface which needs to clear the DF
5    Number of the interface which needs to configure ICMP host-unreachable

7.2.2 Configuring the Maximum Transmission Unit of the Interface

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    interface interface-type interface-number
    The interface view is displayed.
Step 3 Run:
    mtu mtu
    The maximum transmission unit of the interface is configured.

----End

Postrequisite
The MTU of the interface affects whether packets are fragmented on the interface. The default MTU value varies with the interface type. Use the display interface command to find out the value used.

NOTE
After configuring the MTU on an interface, you must restart the interface; otherwise, the configuration cannot take effect. To restart the interface, run the restart command or the shutdown and then undo shutdown commands.

7.2.3 Configuring ICMP Attributes

Context
By default, sending unreachable packets is enabled.

CAUTION
• If the transmission of ICMP host unreachable messages is disabled, the device no longer sends the ICMP host unreachable message.

Do as follows on the router:

Procedure
Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    interface interface-type interface-number
    The interface view is displayed.
Step 3 Run:
    icmp host-unreachable send
    Sending ICMP host unreachable packets is enabled.

----End

7.2.4 Checking the Configuration

Prerequisite
The configurations for improving IP performance are complete.

Procedure
• Run the display udp statistics command to check the UDP traffic statistics.
• Run the display ip interface [ interface-type interface-number ] command or display ip interface brief [ interface-type [ interface-number ] | slot slot-id [ card card-number ] ] command to check the table information of the IP layer interface.
• Run the display ip statistics [ slot slot-id ] command to check the IP traffic statistics.
• Run the display icmp statistics [ slot slot-id ] command to check the ICMP traffic statistics.
• Run the display rawlink statistics command to check the Rawlink statistics.
• Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type sock-type ] command to check all the current socket API information.

----End

Example
Run the display udp statistics command. If the UDP traffic statistics are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display udp statistics
Received packets:
     Total: 0
     Total(64bit high-capacity counter): 0
     checksum error: 0
     shorter than header: 0, data length larger than packet: 0
     unicast(no socket on port): 0
     broadcast/multicast(no socket on port): 0
     not delivered, input socket full: 0
     input packets missing pcb cache: 0
Sent packets:
     Total: 0
     Total(64bit high-capacity counter): 0

Run the display ip interface command. If the information about IP interfaces is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip interface gigabitethernet 2/0/2
GigabitEthernet2/0/2 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 1338, bytes : 117744, multicasts : 1338
output packets : 1336, bytes : 106884, multicasts : 1336
Directed-broadcast packets:
 received packets:            0, sent packets:            0
 forwarded packets:           0, dropped packets:         0
ARP packet input number:      0
  Request packet:             0
  Reply packet:               0
  Unknown packet:             0
Internet Address is 120.1.1.1/24
Broadcast address : 120.1.1.255
TTL being 1 packet number:    0
TTL invalid packet number:    0
ICMP packet input number:     0
  Echo reply:                 0
  Unreachable:                0
  Source quench:              0
  Routing redirect:           0
  Echo request:               0
  Router advert:              0
  Router solicit:             0
  Time exceed:                0
  IP header bad:              0
  Timestamp request:          0
  Timestamp reply:            0
  Information request:        0
  Information reply:          0
  Netmask request:            0
  Netmask reply:              0
  Unknown type:               0
DHCP packet deal mode: global

Run the display ip statistics command. If the IP traffic statistics are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ip statistics

Run the display icmp statistics command. If the ICMP traffic statistics are displayed, it means that the configuration succeeds.
For example:
<HUAWEI> display icmp statistics
  Input: bad formats       0       bad checksum             0
         echo              0       destination unreachable  0
         source quench     0       redirects                0
         echo reply        0       parameter problem        0
         timestamp         0       information request      0
         mask requests     0       mask replies             0
         time exceeded     0
         Mping request     0       Mping reply              0
  Output:echo              0       destination unreachable  0
         source quench     0       redirects                0
         echo reply        0       parameter problem        0
         timestamp         0       information reply        0
         mask requests     0       mask replies             0
         time exceeded     0
         Mping request     0       Mping reply              0

Run the display rawlink statistics command. If the Rawlink statistics are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display rawlink statistics
Received packets:
     Total: 1771645
     ifnet is null: 0
     input packets missing pcb cache: 1181096
     not pass multicast: 0
     no join multicast: 0
     full sock and pstMBuf to be freed: 0
     full sock and nothing to be freed: 0
     full sock and other reason: 0
Send packets:
     Total: 125850

7.3 Configuring TCP

This section describes how to configure a TCP timer and specify the size of a sliding window.
7.3.1 Establishing the Configuration Task
7.3.2 Configuring TCP Timer
7.3.3 Specifying the Size of a TCP Sliding Window
7.3.4 Checking the Configuration

7.3.1 Establishing the Configuration Task

Applicable Environment
None.

Pre-configuration Tasks
None.

Data Preparation
To configure TCP, you need the following data.

No.  Data
1    SYN-WAIT timer, FIN-WAIT timer, receiving and sending buffer size of the socket

7.3.2 Configuring TCP Timer

Context
The types of TCP timers are as follows:
• The SYN-Wait timer: On sending SYN packets, the TCP starts the SYN-Wait timer. If response packets are not received before the SYN-Wait timer times out, the TCP connection is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and the default value is 75 seconds.
• The FIN-Wait timer: When the TCP connection status turns from FIN_WAIT_1 to FIN_WAIT_2, the FIN-Wait timer starts. If FIN packets are not received before the FIN-Wait timer times out, the TCP connection is terminated. The FIN-Wait timer timeout ranges from 76 seconds to 3600 seconds, and the default value is 675 seconds.

Do as follows on the router:

Procedure
Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    tcp timer syn-timeout interval
    The SYN-Wait timer for setting up TCP connections is configured.
Step 3 Run:
    tcp timer fin-timeout interval
    The FIN_WAIT_2 timer of TCP connections is configured.

----End

7.3.3 Specifying the Size of a TCP Sliding Window

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    tcp window window-size
    The receiving/sending buffer size of the TCP socket is configured.
    The receiving and sending window-size of the connection-oriented socket ranges from 1K bytes to 32K bytes, and the default value is 8K bytes.

----End

7.3.4 Checking the Configuration

Prerequisite
The configurations of the TCP function are complete.

Procedure
• Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ] command to check the TCP connection status.
• Run the display tcp statistics command to check the TCP traffic statistics.

----End

Example
Run the display tcp status command. If the information about the TCP connection status is displayed, it means that the configuration succeeds.
For example:
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port  Foreign Add:port  VPNID  State
0a5d560c  30 /1     0.0.0.0:23      0.0.0.0:0         14849  Listening

Run the display tcp statistics command. If the TCP traffic statistics are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display tcp statistics
Received packets:
     Total: 0
     Total(64bit high-capacity counter): 0
     packets in sequence: 0 (0 bytes)
     window probe packets: 0, window update packets: 0
     checksum error: 0, offset error: 0, short error: 0
     duplicate packets: 0 (0 bytes),partially duplicate packets: 0 (0 bytes)
     out-of-order packets: 0 (0 bytes)
     packets of data after window: 0 (0 bytes)
     packets received after close: 0
     ACK packets: 0 (0 bytes)
     duplicate ACK packets: 0, too much ACK packets: 0
Sent packets:
     Total: 0
     Total(64bit high-capacity counter): 0
     urgent packets: 0
     control packets: 0 (including 0 RST)
     window probe packets: 0, window update packets: 0
     data packets: 0 (0 bytes),data packets retransmitted: 0 (0 bytes)
     ACK-only packets: 0 (0 delayed)
Other information:
     Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
     Keep alive timeout: 0, keep alive probe: 0, Keep alive timeout, so connections disconnected : 0
     Initiated connections: 0, accepted connections: 0, established connections: 0
     Closed connections: 0 (dropped: 0, initiated dropped: 0)
     Packets dropped with MD5 authentication: 0
     Packets permitted with MD5 authentication: 0

7.4 Configuring Load Balancing for IP Packet Forwarding

This section describes how to configure the load balancing mode for IP packet forwarding and how to configure the Unequal Cost Multipath Path (UCMP).
7.4.1 Establishing the Configuration Task
7.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding
7.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
7.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding
7.4.5 Checking the Configuration

7.4.1 Establishing the Configuration Task

Applicable Environment
The Equal Cost Multipath Path (ECMP) involves evenly distributing traffic among multiple equal-cost paths, regardless of the difference in path bandwidth. This, however, usually leads to traffic congestion on the low-bandwidth path.

The Unequal Cost Multipath Path (UCMP) involves proportionally distributing traffic among multiple equal-cost paths by considering the difference in path bandwidth. This can achieve more reasonable load balancing because traffic is proportionally distributed among paths.

Pre-configuration Tasks
Before configuring load balancing for IP packet forwarding, complete the following tasks:
• Connecting interfaces and setting physical parameters for interfaces to ensure that the physical layer status of each interface is Up
• Setting parameters of the link layer protocol for interfaces to ensure that the status of the link layer protocol on each interface is Up

Data Preparation
To configure load balancing for IP packet forwarding, you need the following data.

No.  Data
1    Interface type and interface number
2    IP address and subnet mask for the interface

7.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding

Context
Load balancing can be enabled during IP packet forwarding.

When flow-based load balancing is carried out, the device considers the protocol type, source IP address and mask, destination IP and mask, source port range, and destination port range and then adopts the hash algorithm to calculate a value. Based on the calculated value, it chooses a link to forward the packets.

When packet-based load balancing is carried out, the device chooses among the multiple links on a per-packet basis to forward packets.

By default, flow-based load balancing is adopted.

Do as follows on the router:

Procedure
Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    • load-balance { flow | packet } [ all | slot slot-id ]
      Packets on the device are load balanced.
    • load-balance ip-enhance { all | slot slot-id }
      Packets received on the device are load balanced.
      After the load-balance ip-enhance command is run, the device load balances the received packets based on the quintuple: the protocol type, the source IP address, the destination IP address, the source port, and the destination port. If the command is not run, the device load balances the received packets according to the source IP address, the destination IP address, the source port, and the destination port of the IP packet in flow-by-flow mode.

    NOTE
    When the outgoing interfaces are MP interfaces, the load-balance packet [ all | slot slot-id ] command cannot be run to implement packet-based load balancing among the interfaces. In this case, you can configure policy-based routing to implement packet-based load balancing.

----End

7.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding

Context
Do as follows on the router to implement the interface UCMP:

Procedure
Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    interface interface-type interface-number
    The interface view is displayed.

    NOTE
    The interface must be an outgoing interface of equal-cost routes. The interface UCMP can be realized among paths only after all outgoing interfaces of equal-cost routes on the device are enabled with UCMP and FIB entry delivery is triggered; if one outgoing interface is not enabled with UCMP, Equal-Cost Multiple Path (ECMP) is performed among paths even though FIB entry delivery is triggered.
    Interface UCMP cannot be enabled globally or on logical interfaces. It can be enabled only on physical main interfaces.
Step 3 Run:
    load-balance unequal-cost enable
    Interface UCMP is enabled for IP packet forwarding.
    Route recalculation and FIB entry delivery are not triggered at once after UCMP is enabled or disabled on the interface through command lines. FIB entry delivery is performed only after UCMP configurations are validated.
Step 4 Run:
    shutdown
    The interface where UCMP is enabled is shut down.
Step 5 Run:
    undo shutdown
    The interface is restarted for validating UCMP configurations.
    You can reset the interface where UCMP is enabled or disabled to trigger route recalculation and FIB entry delivery so that UCMP configurations can be validated.

    NOTE
    Restarting the interface is one method to trigger FIB entry delivery. You can also change the IP address of the interface to trigger FIB entry delivery and hence validate UCMP configurations.

----End

7.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding

Context
Do as follows on the router to implement global UCMP:

Procedure
Step 1 Run:
    system-view
    The system view is displayed.
Step 2 Run:
    load-balance unequal-cost enable
    Global UCMP is enabled for IP packet forwarding.
    By default, global UCMP is disabled.
NOTE
- The interfaces that support the UCMP function are ATM interfaces, serial interfaces, MFR interfaces, MP interfaces, Gigabit Ethernet interfaces, POS interfaces, Eth-Trunk interfaces, and IP-Trunk interfaces.
- Frequently enabling and then disabling UCMP on an interface greatly degrades system performance. Therefore, the interval from enabling UCMP to disabling UCMP or from disabling UCMP to enabling UCMP must be equal to or longer than 5 minutes.

----End

7.4.5 Checking the Configuration

Prerequisite
All the load balancing configurations for IP packet forwarding are complete.

Procedure
- Run the display fib [ slot-id ] command to check the FIB table of the interface board.
- Run the display fib acl acl-number [ verbose ] command to check the filtered FIB information.
- Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ] [ verbose ] command to check the FIB entry which matches a destination address.
- Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command to check the FIB entry whose destination address is in the range of destination-address1 destination-mask1 to destination-address2 destination-mask2.
- Run the display fib ip-prefix prefix-name [ verbose ] command to check the FIB entries that have passed filtering in a certain format according to the input IP prefix name.
- Run the display fib interface interface-type interface-number command to check the FIB entries that have passed filtering in a certain format according to the input interface type and interface number.
- Run the display fib next-hop ip-address command to check the FIB entries that have passed filtering in a certain format according to the input next hop address.
- Run the display fib [ slot-id ] statistics command to check the total number of FIB entries.
- Run the display fib [ slot-id ] [ | { begin | exclude | include } regular-expression ] command to check the summary of the FIB.

----End

Example
Run the display fib command. If the brief information about the FIB is displayed, the configuration succeeds. For example:

<HUAWEI> display fib
FIB Table:
 Total number of Routes : 3
Destination/Mask   Nexthop     Flag  TimeStamp  Interface  TunnelID
169.254.0.0/16     2.1.1.1     U     t[0]       GE1/0/0    0x0
2.0.0.0/16         2.1.1.1     U     t[0]       GE1/0/0    0x0
127.0.0.0/8        127.0.0.1   U     t[0]       InLoop0    0x0

<HUAWEI> display fib acl 2010
Route entry matched by access-list 2010:
 Summary counts: 1
Destination/Mask   Nexthop     Flag  TimeStamp  Interface  TunnelID
127.0.0.0/8        127.0.0.1   U     t[0]       InLoop0    0x0

7.5 Maintaining IP Performance
This section describes how to clear IP/TCP/UDP statistics and debug IP/TCP/UDP.
7.5.1 Clearing IP Performance Statistics
7.5.2 Monitoring Network Operation Status of IP Performance

7.5.1 Clearing IP Performance Statistics

Context
CAUTION
IP/TCP/UDP statistics cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure
- Run the reset ip statistics [ interface interface-type interface-number | slot slot-id ] command in the user view to clear the IP statistics.
- Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the user view to clear information on the socket monitor.
- Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.
- Run the reset udp statistics command in the user view to clear the UDP traffic statistics.
- Run the reset rawlink statistics command in the user view to clear the Rawlink statistics.
----End

7.5.2 Monitoring Network Operation Status of IP Performance

Context
In routine maintenance, you can run the following commands in any view to check the operation of IP performance.

Procedure
- Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ] command in any view to check TCP connection status.
- Run the display tcp statistics command in any view to check statistics about TCP traffic.
- Run the display udp statistics command in any view to check statistics about UDP traffic.
- Run the display ip interface [ interface-type interface-number ] command or display ip interface brief [ interface-type [ interface-number ] | slot slot-id [ card card-number ] ] command in any view to check information about IP interfaces.
- Run the display ip statistics [ slot slot-id ] command in any view to check statistics about IP traffic.
- Run the display icmp statistics [ slot slot-id ] command in any view to check statistics about ICMP traffic.
- Run the display rawlink statistics command in any view to check statistics about Rawlink.
- Run the display fib [ slot-id ] command in any view to check the FIB on the specified interface board.
- Run the display fib acl acl-number [ verbose ] command in any view to check the FIB information selectively through filtering.
- Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ] [ verbose ] command in any view to filter FIB entries by matching destination IP addresses.
- Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command in any view to check the FIB entries with the destination IP addresses in the range from destination-address1 destination-mask1 to destination-address2 destination-mask2.
- Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check the FIB entries that have passed filtering in a certain format according to the input IP prefix name.
- Run the display fib interface interface-type interface-number command in any view to check the FIB entries that have passed filtering in a certain format according to the input interface type and interface number.
- Run the display fib next-hop ip-address command in any view to check the FIB entries that have passed filtering in a certain format according to the input next hop address.
- Run the display fib [ slot-id ] statistics command in any view to check the total number of FIB entries.
- Run the display fib [ slot-id ] [ | { begin | exclude | include } regular-expression ] command in any view to check brief information about the forwarding table.
- Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type sock-type ] command in any view to check information about all the socket interfaces of the system.

----End

7.6 Configuration Examples
This section provides several configuration examples of the IP performance.
7.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets
7.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
7.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding

7.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets

Networking Requirements
As shown in Figure 7-1, Router A, Router B and Router C are connected with each other through their Ethernet ports to test limiting transmission of host-unreachable packets.
Figure 7-1 Networking diagram of configuring ICMP host unreachable packets
(Router A GE 1/0/0 1.1.1.1/24; Router B GE 1/0/0 1.1.1.2/24; Router C GE 1/0/0 2.2.2.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for the interfaces on devices.
2. Configure static routes between devices that are not directly connected.
3. Enable limiting transmission of ICMP Host-unreachable packets.

Data Preparation
To complete the configuration, you need the following data:
- Static routes between devices that are not directly connected
- IP addresses for the interfaces

Procedure

Step 1 Configure Router A.
# Configure static routes on Router A.
    <HUAWEI> system-view
    [HUAWEI] sysname RouterA
    [RouterA] ip route-static 2.2.2.2 24 1.1.1.2
# Configure an IP address for GE 1/0/0.
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
    [RouterA-GigabitEthernet1/0/0] undo shutdown
    [RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure Router B.
# Disable sending ICMP host unreachable packets on Router B and configure an IP address for GE 1/0/0.
    <HUAWEI> system-view
    [HUAWEI] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] undo icmp host-unreachable send
    [RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
    [RouterB-GigabitEthernet1/0/0] undo shutdown
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] quit

Step 3 Configure Router C.
# Configure an IP address for GE 1/0/0 on Router C.
    <HUAWEI> system-view
    [HUAWEI] sysname RouterC
    [RouterC] interface gigabitethernet 1/0/0
    [RouterC-GigabitEthernet1/0/0] ip address 2.2.2.2 24
    [RouterC-GigabitEthernet1/0/0] undo shutdown
    [RouterC-GigabitEthernet1/0/0] quit

Step 4 Verify the configuration.
# Enable the debugging of the ICMP packets of Router B.
    <RouterB> debugging ip icmp
# Run the ping 2.2.2.2 command on Router A. If Router B does not send host unreachable packets, the configuration succeeds. For example:
    [RouterA] ping 2.2.2.2

----End

Configuration Files
- Configuration file of Router A
    #
     sysname RouterA
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 1.1.1.1 255.255.255.0
    #
     ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
    #
    return
- Configuration file of Router B
    #
     sysname RouterB
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 1.1.1.2 255.255.255.0
     undo icmp host-unreachable send
    #
    return
- Configuration file of Router C
    #
     sysname RouterC
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 2.2.2.2 255.255.255.0
    #
    return

7.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding

Networking Requirements
As shown in Figure 7-2, three paths exist between Router A and Router E. The three paths respectively travel through Router B, Router C, and Router D. It is required that the three paths between Router A and Router E perform UCMP during IP packet forwarding. In the example, the unequal-cost load balancing refers to the interface unequal-cost load balancing.
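The link choice this chapter configures (a hash over the quintuple for flow-based balancing, per-packet rotation for packet-based balancing, and a bandwidth-proportional split once UCMP is enabled), modelled as an added example that is not Huawei's forwarding code. Assumptions: SHA-256 stands in for the router's unspecified hash algorithm, the traffic share is taken to be proportional to OutIfSpeed, the two links and speeds are borrowed from the display fib verbose output in 7.6.3, and the flows are constructed.

```python
"""Flow-based vs packet-based link selection with ECMP and UCMP weighting."""
import hashlib
import ipaddress
import struct
from collections import Counter
from functools import reduce
from itertools import cycle
from math import gcd

# Outgoing links and OutIfSpeed (Kbit/s) as printed by "display fib verbose" in 7.6.3.
LINKS = {"GigabitEthernet2/0/0": 1_000_000, "Eth-Trunk1": 2_000_000}


def slot_table(links, unequal_cost):
    """Expand the links into selection buckets.

    ECMP: one bucket per link. UCMP: buckets proportional to link speed
    (assumed weighting rule, see the lead-in).
    """
    names = sorted(links)
    if not unequal_cost:
        return names
    unit = reduce(gcd, links.values())
    return [name for name in names for _ in range(links[name] // unit)]


def flow_key(proto, src, dst, sport, dport):
    """Serialize the quintuple (protocol, addresses, ports) for hashing."""
    return struct.pack(
        "!B4s4sHH",
        proto,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
        sport,
        dport,
    )


def pick_link_flow(flow, table):
    """Flow-based mode: the same quintuple always lands in the same bucket."""
    digest = hashlib.sha256(flow_key(*flow)).digest()  # stand-in hash
    return table[int.from_bytes(digest[:8], "big") % len(table)]


def spray_packets(n_packets, table):
    """Packet-based mode: successive packets rotate over the buckets."""
    rotation = cycle(table)
    return [next(rotation) for _ in range(n_packets)]


def links_carrying_flow(flow, table, n_packets, per_packet):
    """Set of links that end up carrying the packets of a single flow."""
    if per_packet:
        return set(spray_packets(n_packets, table))
    return {pick_link_flow(flow, table) for _ in range(n_packets)}


def constructed_flows(n):
    """Constructed sample input: n TCP flows towards 20.1.1.1 port 443."""
    return [(6, f"10.1.1.{1 + i % 250}", "20.1.1.1", 1024 + i, 443) for i in range(n)]


def share(assignments):
    """Fraction of flows (or packets) assigned to each link."""
    counts = Counter(assignments)
    total = sum(counts.values())
    return {link: counts[link] / total for link in sorted(counts)}


def demo(n=3000):
    flows = constructed_flows(n)
    ecmp = slot_table(LINKS, unequal_cost=False)
    ucmp = slot_table(LINKS, unequal_cost=True)
    return {
        "ecmp_flow": share(pick_link_flow(f, ecmp) for f in flows),
        "ucmp_flow": share(pick_link_flow(f, ucmp) for f in flows),
        "ucmp_packet": share(spray_packets(n, ucmp)),
    }


if __name__ == "__main__":
    for mode, shares in demo().items():
        print(mode, {link: round(value, 3) for link, value in shares.items()})
```

In flow mode every packet of a connection stays on one link, so a capture point or ACL counter on that link sees the whole conversation; in packet mode each link carries only part of it.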
Figure 7-2 Networking diagram of configuring UCMP

Router    Interface   IP address
RouterA   POS4/0/0    30.1.1.1/24
RouterA   GE3/0/0     40.1.1.1/24
RouterA   GE2/0/0     50.1.1.1/24
RouterB   POS1/0/0    30.1.1.2/24
RouterB   POS2/0/0    60.1.1.2/24
RouterC   GE1/0/0     40.1.1.2/24
RouterC   GE2/0/0     70.1.1.2/24
RouterD   GE1/0/0     50.1.1.2/24
RouterD   GE2/0/0     80.1.1.2/24
RouterE   POS4/0/0    60.1.1.1/24
RouterE   GE3/0/0     70.1.1.1/24
RouterE   GE2/0/0     80.1.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IGP on each device. Here, Intermediate System to Intermediate System (IS-IS) is taken as an example.
2. Enable the UCMP function on each interface of Router A so that the three paths between Router A and Router E can perform UCMP during IP packet forwarding.

Data Preparation
To complete the configuration, you need the following data:
- Interface type and number
- IP address of the interface
- IS-IS area ID and IS-IS level of each device

Procedure

Step 1 Configure an IP address for each interface.
The detailed configuration procedure is not mentioned here.

Step 2 Configure basic IS-IS functions.
# Configure Router A.
    [RouterA] isis 1
    [RouterA-isis-1] is-level level-1
    [RouterA-isis-1] network-entity 10.0000.0000.0001.00
    [RouterA-isis-1] quit
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] isis enable 1
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] isis enable 1
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface pos 4/0/0
    [RouterA-Pos4/0/0] isis enable 1
    [RouterA-Pos4/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] isis enable 1
    [RouterA-GigabitEthernet3/0/0] quit
# Configure Router B.
    [RouterB] isis 1
    [RouterB-isis-1] is-level level-1
    [RouterB-isis-1] network-entity 10.0000.0000.0002.00
    [RouterB-isis-1] quit
    [RouterB] interface pos 1/0/0
    [RouterB-Pos1/0/0] isis enable 1
    [RouterB-Pos1/0/0] quit
    [RouterB] interface pos 2/0/0
    [RouterB-Pos2/0/0] isis enable 1
    [RouterB-Pos2/0/0] quit
# Configure Router C.
    [RouterC] isis 1
    [RouterC-isis-1] is-level level-1
    [RouterC-isis-1] network-entity 10.0000.0000.0003.00
    [RouterC-isis-1] quit
    [RouterC] interface gigabitethernet 1/0/0
    [RouterC-GigabitEthernet1/0/0] isis enable 1
    [RouterC-GigabitEthernet1/0/0] quit
    [RouterC] interface gigabitethernet 2/0/0
    [RouterC-GigabitEthernet2/0/0] isis enable 1
    [RouterC-GigabitEthernet2/0/0] quit
# Configure Router D.
    [RouterD] isis 1
    [RouterD-isis-1] is-level level-1
    [RouterD-isis-1] network-entity 10.0000.0000.0004.00
    [RouterD-isis-1] quit
    [RouterD] interface gigabitethernet 1/0/0
    [RouterD-GigabitEthernet1/0/0] isis enable 1
    [RouterD-GigabitEthernet1/0/0] quit
    [RouterD] interface gigabitethernet 2/0/0
    [RouterD-GigabitEthernet2/0/0] isis enable 1
    [RouterD-GigabitEthernet2/0/0] quit
# Configure Router E.
    [RouterE] isis 1
    [RouterE-isis-1] is-level level-1
    [RouterE-isis-1] network-entity 10.0000.0000.0005.00
    [RouterE-isis-1] quit
    [RouterE] interface gigabitethernet 1/0/0
    [RouterE-GigabitEthernet1/0/0] isis enable 1
    [RouterE-GigabitEthernet1/0/0] quit
    [RouterE] interface gigabitethernet 2/0/0
    [RouterE-GigabitEthernet2/0/0] isis enable 1
    [RouterE-GigabitEthernet2/0/0] quit
    [RouterE] interface pos 4/0/0
    [RouterE-Pos4/0/0] isis enable 1
    [RouterE-Pos4/0/0] quit
    [RouterE] interface gigabitethernet 3/0/0
    [RouterE-GigabitEthernet3/0/0] isis enable 1
    [RouterE-GigabitEthernet3/0/0] quit

Step 3 Check basic IS-IS configurations.
# View IS-IS routing information on Router A.
    [RouterA] display isis route
                        Route information for ISIS(1)
                        -----------------------------
                       ISIS(1) Level-1 Forwarding Table
                       --------------------------------
    IPV4 Destination  IntCost  ExtCost  ExitInterface  NextHop    Flags
    --------------------------------------------------------------------------------
    10.1.1.0/24       10       NULL     GE1/0/0        Direct     D/-/L/-/
    20.1.1.0/24       30       NULL     GE3/0/0        40.1.1.2   A/-/-/-/ C
                                        GE2/0/0        50.1.1.2
                                        Pos4/0/0       30.1.1.2
    30.1.1.0/24       10       NULL     Pos4/0/0       Direct     D/L/
    40.1.1.0/24       10       NULL     GE3/0/0        Direct     D/L/
    50.1.1.0/24       10       NULL     GE2/0/0        Direct     D/L/
    60.1.1.0/24       20       NULL     Pos4/0/0       30.1.1.2   R/-/
    70.1.1.0/24       20       NULL     GE3/0/0        40.1.1.2   A/-/-/-/
    80.1.1.0/24       20       NULL     GE2/0/0        50.1.1.2   R/-/
    Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
           U-Up/Down Bit Set, C-In Computing
# Ping 20.1.1.1 from Router A. By viewing the display on the Network Management Station (NM Station), you can find that equal-cost load balancing is implemented among outgoing interfaces.
    <RouterA> ping 20.1.1.1
      PING 20.1.1.1: 56 data bytes, press CTRL_C to break
        Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
        Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
        Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
        Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
        Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms
      --- 20.1.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/16/64 ms

Step 4 Enable UCMP on each outgoing interface of Router A.
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] load-balance unequal-cost enable
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface pos 4/0/0
    [RouterA-Pos4/0/0] load-balance unequal-cost enable
    [RouterA-Pos4/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] load-balance unequal-cost enable
    [RouterA-GigabitEthernet3/0/0] quit

Step 5 Re-enable GigabitEthernet2/0/0, GigabitEthernet3/0/0, and POS4/0/0 to validate UCMP configurations on Router A.
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] shutdown
    [RouterA-GigabitEthernet2/0/0] undo shutdown
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] shutdown
    [RouterA-GigabitEthernet3/0/0] undo shutdown
    [RouterA-GigabitEthernet3/0/0] quit
    [RouterA] interface pos 4/0/0
    [RouterA-Pos4/0/0] shutdown
    [RouterA-Pos4/0/0] undo shutdown

Step 6 Verify the configuration.
# Ping 20.1.1.1 from Router A. By viewing the display on the NM Station, you can find that UCMP is realized among outgoing interfaces.
    <RouterA> ping 20.1.1.1
      PING 20.1.1.1: 56 data bytes, press CTRL_C to break
        Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
        Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
        Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
        Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
        Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms
      --- 20.1.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/16/64 ms

----End

Configuration Files
- Configuration file of Router A
    #
     sysname RouterA
    #
    isis 1
     is-level level-1
     network-entity 10.0000.0000.0001.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     load-balance unequal-cost enable
     ip address 50.1.1.1 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     load-balance unequal-cost enable
     ip address 40.1.1.1 255.255.255.0
     isis enable 1
    #
    interface Pos4/0/0
     link-protocol ppp
     undo shutdown
     load-balance unequal-cost enable
     ip address 30.1.1.1 255.255.255.0
     isis enable 1
    #
    return
- Configuration file of Router B
    #
     sysname RouterB
    #
    isis 1
     is-level level-1
     network-entity 10.0000.0000.0002.00
    #
    interface Pos1/0/0
     undo shutdown
     link-protocol ppp
     ip address 30.1.1.2 255.255.255.0
     isis enable 1
    #
    interface Pos2/0/0
     link-protocol ppp
     undo shutdown
     ip address 60.1.1.2 255.255.255.0
     isis enable 1
    #
    return
- Configuration file of Router C
    #
     sysname RouterC
    #
    isis 1
     is-level level-1
     network-entity 10.0000.0000.0003.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 40.1.1.2 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 70.1.1.2 255.255.255.0
     isis enable 1
    #
    return
- Configuration file of Router D
    #
     sysname RouterD
    #
    isis 1
     is-level level-1
     network-entity 10.0000.0000.0004.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 50.1.1.2 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 80.1.1.2 255.255.255.0
     isis enable 1
    #
    return
- Configuration file of Router E
    #
     sysname RouterE
    #
    isis 1
     is-level level-1
     network-entity 10.0000.0000.0005.00
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 20.1.1.1 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 80.1.1.1 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ip address 70.1.1.1 255.255.255.0
     isis enable 1
    #
    interface Pos4/0/0
     link-protocol ppp
     undo shutdown
     ip address 60.1.1.1 255.255.255.0
     isis enable 1
    #
    return

7.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding

Networking Requirements
As shown in Figure 7-3, Router A and Router C are connected through two links.
- GE 2/0/0 on Router A and GE 2/0/0 on Router B are connected through a physical link.
- Eth-Trunk1 interface on Router A has two member interfaces, GE 3/0/0 and GE 4/0/0; Eth-Trunk1 interface on Router B has two member interfaces, GE 3/0/0 and GE 4/0/0.

Eth-Trunk1 interface has two GE interfaces, and thus the bandwidth of Eth-Trunk1 interface is twice that of a single physical link. The goal is to perform unequal-cost load balancing for IP packet forwarding over the two links between Router A and Router C. In the example, unequal-cost load balancing refers to global unequal-cost load balancing.

Figure 7-3 Networking diagram of configuring unequal-cost load balancing

Device Name   Interface Name   IP Address
Router A      GE 2/0/0         30.1.1.1/24
Router A      Eth-Trunk1       40.1.1.1/24
Router B      GE 2/0/0         30.1.1.2/24
Router B      Eth-Trunk1       40.1.1.2/24
Router B      GE 2/0/2         50.1.1.1/24
Router C      GE 2/0/2         50.1.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a static route on each device.
2. Enable unequal-cost load balancing on Router B so that the two links between Router A and Router C can perform unequal-cost load balancing for IP packet forwarding.

Data Preparation
To complete the configuration, you need the following data:
- Interface type and number
- IP address of each interface
- Number of the Eth-Trunk

Procedure

Step 1 Configure an IP address for each interface.
The configuration details are not mentioned here.

Step 2 Configure a static route.
# Configure Router A.
    [RouterA] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
    [RouterA] ip route-static 20.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
    [RouterA] ip route-static 50.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
    [RouterA] ip route-static 50.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
# Configure Router B.
    [RouterB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.1
    [RouterB] ip route-static 10.1.1.0 255.255.255.0 eth-trunk1 40.1.1.1
    [RouterB] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.2
# Configure Router C.
    [RouterC] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
    [RouterC] ip route-static 30.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
    [RouterC] ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1

Step 3 Enable unequal-cost load balancing on Router B.
    [RouterB] load-balance unequal-cost enable

Step 4 Verify the configuration.
# Router C can ping 10.1.1.1 successfully. Run the display fib verbose command to view bandwidth information of the outbound interface.
The command output shows that the bandwidth of Eth-Trunk1 interface is twice that of GE 2/0/0. This indicates that unequal-cost load balancing is enabled.

    [RouterC] ping -c 100 -t 10 -m 10 10.1.1.1
      PING 10.1.1.1: 56 data bytes, press CTRL_C to break
        Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
        Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
        Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
        ...
      --- 10.1.1.1 ping statistics ---
        100 packet(s) transmitted
        99 packet(s) received
        1.00% packet loss
        round-trip min/avg/max = 1/1/6 ms

    [RouterB] display fib 10.1.1.1 verbose
      Route Entry Count: 2
      Destination: 10.1.1.0           Mask     : 255.255.255.0
      Nexthop    : 30.1.1.1           OutIf    : GigabitEthernet2/0/2
      LocalAddr  : 30.1.1.2           LocalMask: 0.0.0.0
      Flags      : GSU                Age      : 11128sec
      ATIndex    : 0                  Slot     : 2
      LspFwdFlag : 0                  LspToken : 0x0
      InLabel    : NULL               OriginAs : 0
      BGPNextHop : 0.0.0.0            PeerAs   : 0
      QosInfo    : 0x0                OriginQos: 0x0
      NexthopBak : 0.0.0.0            OutIfBak : [No Intf]
      LspTokenBak: 0x0                InLabelBak : NULL
      LspToken_ForInLabelBak : 0x0
      EntryRefCount : 0
      VlanId : 0x0
      LspType : 0                     Label_ForLspTokenBak : 0
      MplsMtu : 0                     Gateway_ForLspTokenBak : 0
      NextToken : 0x0                 IfIndex_ForLspTokenBak : 0
      Label_NextToken : 0             Label : 0
      LspBfdState : 0
      OutIfSpeed(Kbits/sec) : 1000000

      Destination: 10.1.1.0           Mask     : 255.255.255.0
      Nexthop    : 40.1.1.1           OutIf    : Eth-Trunk1
      LocalAddr  : 40.1.1.2           LocalMask: 0.0.0.0
      Flags      : GSU                Age      : 11128sec
      ATIndex    : 0                  Slot     : 0
      LspFwdFlag : 0                  LspToken : 0x0
      InLabel    : NULL               OriginAs : 0
      BGPNextHop : 0.0.0.0            PeerAs   : 0
      QosInfo    : 0x0                OriginQos: 0x0
      NexthopBak : 0.0.0.0            OutIfBak : [No Intf]
      LspTokenBak: 0x0                InLabelBak : NULL
      LspToken_ForInLabelBak : 0x0
      EntryRefCount : 0
      VlanId : 0x0
      LspType : 0
      MplsMtu : 0
      NextToken : 0x0
      Label_NextToken : 0
      LspBfdState : 0
      OutIfSpeed(Kbits/sec) : 2000000
      Label_ForLspTokenBak : 0
      Gateway_ForLspTokenBak : 0
      IfIndex_ForLspTokenBak : 0
      Label : 0

----End

Configuration Files
- Configuration file of Router A
    #
     sysname RouterA
    #
    interface Eth-Trunk1
     ip address 40.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 30.1.1.1 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet4/0/0
     undo shutdown
     eth-trunk 1
    #
     ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
     ip route-static 20.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
     ip route-static 50.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
     ip route-static 50.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
    #
- Configuration file of Router B
    #
     sysname RouterB
    #
     load-balance unequal-cost enable
    #
    interface Eth-Trunk1
     ip address 40.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip address 30.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/2
     undo shutdown
     ip address 50.1.1.1 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet4/0/0
     undo shutdown
     eth-trunk 1
    #
     ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.1
     ip route-static 10.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.1
     ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.2
    #
    return
- Configuration file of Router C
    #
     sysname RouterC
    #
     ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
     ip route-static 30.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
     ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip address 20.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/2
     undo shutdown
     ip address 50.1.1.2 255.255.255.0
    #
    return

8 ACL Configuration

About This Chapter
This chapter describes the fundamentals of ACL along with its types, such as basic, advanced, and interface-based ACL. It also includes basic ACL configuration steps, along with typical examples.

8.1 ACL Overview
This section describes basic concepts and parameters of Access Control List (ACL).
8.2 Configuring an Interface-based ACL
This section describes how to configure an interface-based ACL.
8.3 Configuring a Basic ACL
This section describes how to configure a basic ACL.
8.4 Configuring an Advanced ACL
This section describes how to configure an advanced ACL.
8.5 Configuring an ACL Based on the Ethernet Frame Header
This section describes how to configure the Ethernet frame header-based ACL.
8.6 Configuring a UCL
This section describes how to configure the UCL.
8.7 Configuring a Named ACL
This section describes how to configure a named ACL.
8.8 Maintaining an ACL
This section describes how to maintain an ACL.
8.9 Configuration Examples
This section provides a configuration example of ACL.

8.1 ACL Overview
This section describes basic concepts and parameters of Access Control List (ACL).
8.1.1 Introduction to ACL
8.1.2 ACL Supported by the NE80E/40E

8.1.1 Introduction to ACL
To enable a device to filter the passing packets, you can configure a series of rules on the device to determine what kinds of packets can pass filtering. The rules configured on the device are called Access Control List (ACL) rules.
An ACL includes a group of ordered rules that consist of rule { deny | permit } clauses.
The rules are described by parameters such as the source address, the destination address, and the port number of data packets. The ACL classifies data packets according to these rules. After these rules are applied to the device, the device can determine whether to receive or deny packets.

The ACL is classified into these types:
- Basic ACL: classifies packets based on the source address.
- Advanced ACL: classifies packets in more detail based on the source address, destination address, source port number, destination port number, and protocol type.
- Interface-based ACL: classifies packets based on the interface from which the packets are received.
- Ethernet Frame Header ACL: classifies packets in more detail based on the source MAC address and destination MAC address.
- User ACL: classifies packets in more detail based on user groups.

NOTE
An ACL is only a group of rules used to define classes of packets. It cannot filter packets by itself; how the classified packets are processed depends on the function that references the ACL. In the NE80E/40E, the ACL must be used in conjunction with functions such as policy-based routing (PBR), firewall, and traffic classification to filter packets.
The default action defined in the ACL rule is deny. Therefore, to allow the subsequent flows to pass, you need to specify the action in the ACL rule as permit.

8.1.2 ACL Supported by the NE80E/40E
The NE80E/40E supports interface-based ACLs, basic ACLs, advanced ACLs, Ethernet frame header-based ACLs, and user-based ACLs (UCLs).

8.2 Configuring an Interface-based ACL
This section describes how to configure an interface-based ACL.
8.2.1 Establishing the Configuration Task
8.2.2 (Optional) Creating a Time Range
8.2.3 Creating an Interface-based ACL
8.2.4 (Optional) Configuring ACL Descriptions
8.2.5 (Optional) Configuring ACL Step
8.2.6 Checking the Configuration

8.2.1 Establishing the Configuration Task

Applicable Environment
An ACL can be applied to various services such as route policies and packet filtering. It distinguishes different kinds of packets for different processing.

Pre-configuration Tasks
None.

Data Preparation
To configure an ACL, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the Interface-based ACL takes effect, and the start time and end time of the time range
2    Rule ID of the Interface-based ACL, permit or deny rule
3    Interface type and interface number of the interface on which the Interface-based ACL takes effect
4    (Optional) Description of the Interface-based ACL
5    (Optional) Step of the Interface-based ACL

8.2.2 (Optional) Creating a Time Range

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End

8.2.3 Creating an Interface-based ACL

Context
The range of acl-number of an interface-based ACL is 1000 to 1999.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
An interface-based ACL is created.
Step 3 Run:
    rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any } [ logging | time-range time-name ] *
ACL rules are defined.
interface-type interface-number indicates the specified interface type and interface number. any indicates any interface. logging takes effect only on software-based forwarding, such as the application of a routing policy.
----End

8.2.4 (Optional) Configuring ACL Descriptions

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl acl-number
The ACL view is displayed.
Step 3 Run:
    description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127 characters.
----End

8.2.5 (Optional) Configuring ACL Step

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
    step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End

8.2.6 Checking the Configuration

Prerequisite
The configurations of the ACL function are complete.

Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
Run the display acl command.
If the ACL number, the number of rules, the step, and the ACL rules are displayed, the configuration has succeeded. For example:

    <HUAWEI> display acl 1200
    Interface Based ACL 1200, 1 rule
    Acl's step is 5
     rule 5 permit interface Pos4/0/0

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

    <HUAWEI> display statistics acl 1000 control-plane
    Interface Based ACL 1000, 1 rule
    Acl's step is 5
     rule 5 deny interface any (10 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, the configuration has succeeded. For example:

    <HUAWEI> display time-range all
    Current time is 14:19:16 3-15-2006 Wednesday
    Time-range : time1 ( Inactive )
     10:00 to 12:00 daily
    Time-range : time2 ( Inactive )
     from 13:00 2006/4/1 to 23:59 2099/12/31
    Time-range : active1 ( Active )
     14:00 to 00:00 daily

8.3 Configuring a Basic ACL

This section describes how to configure a basic ACL.

8.3.1 Establishing the Configuration Task
8.3.2 (Optional) Creating a Time Range
8.3.3 Creating a Basic ACL
8.3.4 (Optional) Configuring ACL Descriptions
8.3.5 (Optional) Configuring ACL Step
8.3.6 Checking the Configuration

8.3.1 Establishing the Configuration Task

Applicable Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. When defining rules for a basic ACL, you need to specify source IP addresses.

Pre-configuration Tasks
None.

Data Preparation
To configure a basic ACL, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the basic ACL takes effect, and the start time and end time of the time range
2    Number of the basic ACL
3    Rule ID of the basic ACL, permit or deny rule, and source IP address
4    (Optional) Description of the basic ACL
5    (Optional) Step of the basic ACL

8.3.2 (Optional) Creating a Time Range

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End

8.3.3 Creating a Basic ACL

Context
The range of acl-number of a basic ACL is 2000 to 2999.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
A basic ACL is created.
Step 3 Run:
    rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
ACL rules are defined.
----End

8.3.4 (Optional) Configuring ACL Descriptions

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl acl-number
The ACL view is displayed.
Step 3 Run:
    description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127 characters.
----End

8.3.5 (Optional) Configuring ACL Step

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
    step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End

8.3.6 Checking the Configuration

Prerequisite
The configurations of the ACL function are complete.

Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
Run the display acl command. If the ACL number, the number of rules, the step, and the ACL rules are displayed, the configuration has succeeded. For example:

    <HUAWEI> display acl 2000
    Basic ACL 2000, 1 rule
    Acl's step is 5
     rule 5 deny source 10.1.1.1 0

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

    <HUAWEI> display statistics acl 2000 control-plane
    Basic ACL 2000, 1 rule
    Acl's step is 5
     rule 5 deny source 10.1.1.1 0 (234 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, the configuration has succeeded. For example:

    <HUAWEI> display time-range all
    Current time is 14:19:16 3-15-2006 Wednesday
    Time-range : time1 ( Inactive )
     10:00 to 12:00 daily
    Time-range : time2 ( Inactive )
     from 13:00 2006/4/1 to 23:59 2099/12/31
    Time-range : active1 ( Active )
     14:00 to 00:00 daily

8.4 Configuring an Advanced ACL

This section describes how to configure the Advanced ACL.

8.4.1 Establishing the Configuration Task
8.4.2 (Optional) Creating a Time Range
8.4.3 Creating an Advanced ACL
8.4.4 (Optional) Configuring ACL Descriptions
8.4.5 (Optional) Configuring ACL Step
8.4.6 Checking the Configuration

8.4.1 Establishing the Configuration Task

Application Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. When defining rules for an advanced ACL, you need to specify the source IP address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP message type and code.

Pre-configuration Tasks
None.

Data Preparation
To configure an advanced ACL, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the advanced ACL takes effect, and the start time and end time of the time range
2    Number of the advanced ACL
3    Rule ID of the advanced ACL, permit or deny rule
4    IP bearer protocol type, source and destination ports, source and destination IP address, and source IP address fragmented or not, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule
5    (Optional) Description of the advanced ACL
6    (Optional) Step of the advanced ACL

8.4.2 (Optional) Creating a Time Range

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End

8.4.3 Creating an Advanced ACL

Context
The range of acl-number of an advanced ACL is 3000 to 3999.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
An advanced ACL is created.
Step 3 Perform the following as required.
- When protocol is specified as TCP or UDP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | precedence precedence | tos tos ] *
  ACL rules are defined.
  syn-flag syn-flag applies to TCP only.
- When protocol is specified as ICMP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
  ACL rules are defined.
- When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
  ACL rules are defined.
Configure different advanced ACLs on the device for different protocols over IP. Different protocols have different parameter combinations. For example, TCP and UDP have the optional parameters [ source-port operator port ] [ destination-port operator port ], while other protocols do not.
----End

8.4.4 (Optional) Configuring ACL Descriptions

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl acl-number
The ACL view is displayed.
Step 3 Run:
    description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127 characters.
----End

8.4.5 (Optional) Configuring ACL Step

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
    step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End

8.4.6 Checking the Configuration

Prerequisite
The configurations of the ACL function are complete.

Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
Run the display acl command. If the ACL number, the number of rules, the step, and the ACL rules are displayed, the configuration has succeeded. For example:

    <HUAWEI> display acl 3000
    Advanced ACL 3000, 1 rule
    Acl's step is 5
     rule 5 deny ip source 10.1.1.1 0

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

    <HUAWEI> display statistics acl 3000 control-plane
    Advanced ACL 3000, 1 rule
    Acl's step is 5
     rule 5 permit ip (1305 times matched)

Run the display time-range command.
If the configuration and status of the current time range are displayed, the configuration has succeeded. For example:

    <HUAWEI> display time-range all
    Current time is 14:19:16 3-15-2006 Wednesday
    Time-range : time1 ( Inactive )
     10:00 to 12:00 daily
    Time-range : time2 ( Inactive )
     from 13:00 2006/4/1 to 23:59 2099/12/31
    Time-range : active1 ( Active )
     14:00 to 00:00 daily

8.5 Configuring an ACL Based on the Ethernet Frame Header

This section describes how to configure the Ethernet frame header-based ACL.

8.5.1 Establishing the Configuration Task
8.5.2 Creating an ACL Based on the Ethernet Frame Header
8.5.3 (Optional) Configuring ACL Descriptions
8.5.4 (Optional) Configuring ACL Step
8.5.5 Checking the Configuration

8.5.1 Establishing the Configuration Task

Application Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. The rules of an ACL based on the Ethernet frame header are defined on the basis of source MAC addresses, destination MAC addresses, and protocol type of packets.

Pre-configuration Tasks
None.

Data Preparation
To configure an Ethernet frame header-based ACL, you need the following data.

No.  Data
1    Number of the Ethernet frame header-based ACL
2    Source MAC addresses, destination MAC addresses, and protocol type
3    (Optional) Description of the Ethernet frame header-based ACL
4    (Optional) Step of the Ethernet frame header-based ACL

8.5.2 Creating an ACL Based on the Ethernet Frame Header

Context
The acl-number of an ACL based on the Ethernet frame header ranges from 4000 to 4099.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
An Ethernet frame header-based ACL is created.
Step 3 Run:
    rule [ rule-id ] { deny | permit } [ type type type-mask | source-mac source-mac sourcemac-mask | dest-mac dest-mac destmac-mask ]
ACL rules are defined.
----End

8.5.3 (Optional) Configuring ACL Descriptions

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl acl-number
The ACL view is displayed.
Step 3 Run:
    description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127 characters.
----End

8.5.4 (Optional) Configuring ACL Step

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
    step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End

8.5.5 Checking the Configuration

Prerequisite
The configurations of the Ethernet frame header-based ACL function are complete.

Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.
----End
Example
Run the display acl command. If the ACL number, the number of rules, the step, and the ACL rules are displayed, the configuration has succeeded. For example:

    <HUAWEI> display acl 4000
    Ethernet frame ACL 4000, 2 rules
    Acl's step is 5
     rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003
     rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

    <HUAWEI> display statistics acl 4000 control-plane
    Ethernet frame ACL 4000, 2 rules
    Acl's step is 5
     rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003 (45 times matched)
     rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002 (76 times matched)

8.6 Configuring an UCL

This section describes how to configure the UCL.

8.6.1 Establishing the Configuration Task
8.6.2 (Optional) Creating a Time Range
8.6.3 Creating an UCL
8.6.4 (Optional) Configuring ACL Descriptions
8.6.5 (Optional) Configuring ACL Step
8.6.6 Checking the Configuration

8.6.1 Establishing the Configuration Task

Application Environment
After being configured with the user-based ACL (UCL), the device can provide different user groups with different services. Similar to the configuration of the advanced ACL, you need to specify the source IP address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP message type and code for the UCL.

Pre-configuration Tasks
None.

Data Preparation
To configure an UCL, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the advanced UCL takes effect, and the start time and end time of the time range
2    Number of the UCL
3    Rule ID of the UCL, permit or deny rule
4    IP bearer protocol type, source and destination ports, source and destination IP address, and source IP address fragmented or not, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule
5    (Optional) Description of the UCL
6    (Optional) Step of the UCL

8.6.2 (Optional) Creating a Time Range

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End

8.6.3 Creating an UCL

Context
The range of acl-number of an UCL is 6000 to 9999.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
An UCL is created.
Step 3 Perform the following as required.
- When protocol is specified as TCP or UDP:
    rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | destination-port operator port | fragment-type fragment-type-name | logging | source-port operator port | syn-flag syn-flag | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | destination-port operator port | fragment-type fragment-type-name | logging | source-port operator port | syn-flag syn-flag | time-range time-name | precedence precedence | tos tos ] *
  syn-flag syn-flag applies to TCP only.
- When protocol is specified as ICMP:
    rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | logging | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | logging | time-range time-name | precedence precedence | tos tos ] *
- When protocol is specified as a protocol other than TCP, UDP, or ICMP:
    rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | logging | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | logging | time-range time-name | precedence precedence | tos tos ] *
Configure different UCLs on the device for different protocols over IP. Different protocols have different parameter combinations. For example, TCP and UDP have the optional parameters [ source-port operator port ] [ destination-port operator port ], while other protocols do not.
----End

8.6.4 (Optional) Configuring ACL Descriptions

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl acl-number
The ACL view is displayed.
Step 3 Run:
    description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127 characters.
----End

8.6.5 (Optional) Configuring ACL Step

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
    step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End

8.6.6 Checking the Configuration

Prerequisite
The configurations of the UCL function are complete.

Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
Run the display acl command. If the ACL number, the number of rules, the step, and the ACL rules are displayed, the configuration has succeeded.
For example:

    <HUAWEI> display acl 6000
    Ucl ACL 6000, 1 rule
    Acl's step is 5
     rule 5 deny tcp source user-group 1

Run the display time-range command. If the configuration and status of the current time range are displayed, the configuration has succeeded. For example:

    <HUAWEI> display time-range all
    Current time is 14:19:16 3-15-2006 Wednesday
    Time-range : time1 ( Inactive )
     10:00 to 12:00 daily
    Time-range : time2 ( Inactive )
     from 13:00 2006/4/1 to 23:59 2099/12/31
    Time-range : active1 ( Active )
     14:00 to 00:00 daily

8.7 Configuring a Named ACL

This section describes how to configure the Named ACL.

8.7.1 Establishing the Configuration Task
8.7.2 (Optional) Creating a Time Range
8.7.3 Creating a Named ACL
8.7.4 (Optional) Configuring named ACL Descriptions
8.7.5 (Optional) Configuring named ACL Step
8.7.6 Checking the Configuration

8.7.1 Establishing the Configuration Task

Application Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. Named ACLs are advanced ACLs because you need to define rules for the named ACLs by specifying the source IP address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP protocol type and code.

Pre-configuration Tasks
None.

Data Preparation
To configure a named ACL, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the named ACL takes effect, and the start time and end time of the time range
2    Rule ID of the named ACL, permit or deny rule, and source IP address
3    IP bearer protocol type, source and destination ports, destination IP address, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule
4    (Optional) Description of the named ACL
5    (Optional) Step of the named ACL

8.7.2 (Optional) Creating a Time Range

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End

8.7.3 Creating a Named ACL

Context
A named ACL is an advanced ACL and its acl-number ranges from 42768 to 45767.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl name acl-name [ number acl-number ] [ match-order { auto | config } ]
A named ACL is created and the named ACL view is displayed.
Step 3 Perform the following steps as required to configure rules for the named ACL. One ACL can be configured with multiple rules.
- When protocol is TCP or UDP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | precedence precedence | tos tos ] *
  syn-flag syn-flag needs to be specified only when TCP is used.
- When protocol is ICMP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
- When protocol is not TCP, UDP, or ICMP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
Configure different advanced ACLs on the device for different protocols over IP.
Different protocols support different parameter combinations. For example, TCP and UDP have the optional parameters [ source-port operator port ] and [ destination-port operator port ], whereas other protocols do not.

----End

8.7.4 (Optional) Configuring named ACL Descriptions

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  acl name acl-name
The named ACL view is displayed.

Step 3 Run:
  description text
The named ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127 characters.

----End

8.7.5 (Optional) Configuring named ACL Step

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  acl name acl-name
The named ACL view is displayed.

Step 3 Run:
  step step
The ACL step is configured.
Note the following when modifying named ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.

----End

8.7.6 Checking the Configuration

Prerequisite

The configurations of the ACL function are complete.

Procedure

- Run the display acl name acl-name command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all | name acl-name } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.

----End

Example

# Check the configuration of the named ACL whose name is test.
<HUAWEI> display acl name test
Advanced Name ACL test, 1 rule
Acl's step is 5
 rule 5 permit ip

# View the statistics about the packets matching the ACL named test in soft forwarding.

<HUAWEI> display statistics acl name test control-plane
Advanced ACL test, 2 rules
Acl's step is 5
 rule 5 deny ip destination 1.1.5.0 0.0.0.255 (10 times matched)
 rule 10 deny ip destination 1.1.6.0 0.0.0.255 (23 times matched)

8.8 Maintaining an ACL

This section describes how to maintain an ACL.

8.8.1 Clearing ACL Statistics
8.8.2 Monitoring Network Operation Status of ACL

8.8.1 Clearing ACL Statistics

Context

CAUTION
Statistics cannot be restored after they are cleared. Confirm the action before you run the command.

Procedure

Step 1 Run the reset acl counter { acl-number | name acl-name | all } command in the user view to reset the ACL counter.

----End

8.8.2 Monitoring Network Operation Status of ACL

Context

In routine maintenance, you can run the following commands in any view to check the operation of ACL.

Procedure

- Run the display acl { acl-number | name acl-name | all } command in any view to check the operation of rules of the ACL.
- Run the display statistics acl { acl-number | all | name acl-name } control-plane command in any view to check the statistics about the packets matching the ACL rule in soft forwarding.
- Run the display time-range { time-name | all } command in any view to check the operation of the time range of the ACL.

----End

8.9 Configuration Examples

This section provides configuration examples of ACL.
8.9.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification
8.9.2 Example for Configuring the Security Function of Access Devices
8.9.3 Example for Configuring an ACL Rule that Is Based on the VPN Instance

8.9.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification

Networking Requirements

As shown in Figure 8-1, PE1, P, and PE2 are routers on an MPLS backbone network; CE1 and CE2 are access routers on the edge of the backbone network. Three users from the local network access the Internet through CE1.

- On CE1, the CIR of the users from the network segment 1.1.1.0 is limited to 10 Mbit/s and the CBS is limited to 150000 bytes.
- On CE1, the CIR of the users from the network segment 2.1.1.0 is limited to 5 Mbit/s and the CBS is limited to 100000 bytes.
- On CE1, the CIR of the users from the network segment 3.1.1.0 is limited to 2 Mbit/s and the CBS is limited to 100000 bytes.
- On CE1, the DSCP values of the service packets from the three network segments are marked to 40, 26, and 0.
- PE1 accesses the MPLS backbone network at the CIR of 15 Mbit/s, the CBS of 300000 bytes, the PIR of 20 Mbit/s, and the PBS of 500000 bytes.
- On CE1, the CIR of the UDP protocol packets (except DNS, SNMP, SNMP Trap, and Syslog packets) is limited to 5 Mbit/s, the CBS is limited to 100000 bytes, and the PIR is limited to 15 Mbit/s.
Figure 8-1 Diagram for configuring a traffic policy based on the complex traffic classification

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure ACL rules.
2. Configure traffic classifiers.
3. Configure traffic behaviors.
4. Configure traffic policies.
5. Apply policies to interfaces.

Data Preparation

To complete the configuration, you need the following data:

- ACL numbers, which are 2001, 2002, 2003, 3001, and 3002.
- The DSCP values of the packets from the three network segments, which are re-marked to be 40, 26, and 0.
- The CIRs of the traffic of the three network segments, which are 10 Mbit/s, 5 Mbit/s, and 2 Mbit/s; and their CBSs, which are 150000 bytes, 100000 bytes, and 100000 bytes.
- The CIR of the UDP protocol packets (except DNS, SNMP, SNMP Trap, and Syslog packets) on CE1, which is 5 Mbit/s, the CBS, which is 100000 bytes, and the PIR, which is 15 Mbit/s.
- The CIR of PE1, which is 15 Mbit/s; the CBS, which is 300000 bytes; and the PIR, which is 20 Mbit/s, and the PBS of 500000 bytes.
- Names of traffic classifiers, traffic behaviors, and traffic policies; the numbers of interfaces to which traffic policies are applied.

Procedure

Step 1 Configure the IP addresses of the interfaces, the routes, and the basic MPLS functions (not mentioned here).

Step 2 Configure complex traffic classification on CE1 to control the traffic that accesses CE1 from the three local networks.

# Define ACL rules.
<CE1> system-view
[CE1] acl number 2001
[CE1-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[CE1-acl-basic-2001] quit
[CE1] acl number 2002
[CE1-acl-basic-2002] rule permit source 2.1.1.0 0.0.0.255
[CE1-acl-basic-2002] quit
[CE1] acl number 2003
[CE1-acl-basic-2003] rule permit source 3.1.1.0 0.0.0.255
[CE1-acl-basic-2003] quit
[CE1] acl number 3001
[CE1-acl-basic-3001] rule 0 permit udp destination-port eq dns
[CE1-acl-basic-3001] rule 1 permit udp destination-port eq snmp
[CE1-acl-basic-3001] rule 2 permit udp destination-port eq snmptrap
[CE1-acl-basic-3001] rule 3 permit udp destination-port eq syslog
[CE1-acl-basic-3001] quit
[CE1] acl number 3002
[CE1-acl-basic-3002] rule 4 permit udp
[CE1-acl-basic-3002] quit

# Configure traffic classifiers and define ACL-based matching rules.

[CE1] traffic classifier a
[CE1-classifier-a] if-match acl 2001
[CE1-classifier-a] quit
[CE1] traffic classifier b
[CE1-classifier-b] if-match acl 2002
[CE1-classifier-b] quit
[CE1] traffic classifier c
[CE1-classifier-c] if-match acl 2003
[CE1-classifier-c] quit
[CE1] traffic classifier udplimit
[CE1-classifier-udplimit] if-match acl 3001
[CE1-classifier-udplimit] quit
[CE1] traffic classifier udplimit1
[CE1-classifier-udplimit1] if-match acl 3002
[CE1-classifier-udplimit1] quit

After the preceding configuration, you can run the following display traffic classifier command to view the configuration of the traffic classifiers.

[CE1] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: a
    Operator: OR
    Rule(s): if-match acl 2001
   Classifier: c
    Operator: OR
    Rule(s): if-match acl 2003
   Classifier: b
    Operator: OR
    Rule(s): if-match acl 2002
   Classifier: udplimit
    Operator: OR
    Rule(s) : if-match acl 3001
   Classifier: udplimit1
    Operator: OR
    Rule(s) : if-match acl 3002

# Define traffic behaviors; configure traffic policing, and DSCP values to be re-marked.

[CE1] traffic behavior e
[CE1-behavior-e] car cir 10000 cbs 150000 pbs 0
[CE1-behavior-e] remark dscp 40
[CE1-behavior-e] quit
[CE1] traffic behavior f
[CE1-behavior-f] car cir 5000 cbs 100000 pbs 0
[CE1-behavior-f] remark dscp 26
[CE1-behavior-f] quit
[CE1] traffic behavior g
[CE1-behavior-g] car cir 2000 cbs 100000 pbs 0
[CE1-behavior-g] remark dscp 0
[CE1-behavior-g] quit
[CE1] traffic behavior udplimit
[CE1-behavior-udplimit] permit
[CE1-behavior-udplimit] quit
[CE1] traffic behavior udplimit1
[CE1-behavior-udplimit1] car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard
[CE1-behavior-udplimit1] quit

# Define traffic policies and associate the traffic classifiers with the traffic behaviors.

[CE1] traffic policy 1
[CE1-trafficpolicy-1] classifier a behavior e
[CE1-trafficpolicy-1] quit
[CE1] traffic policy 2
[CE1-trafficpolicy-2] classifier b behavior f
[CE1-trafficpolicy-2] quit
[CE1] traffic policy 3
[CE1-trafficpolicy-3] classifier c behavior g
[CE1-trafficpolicy-3] quit
[CE1] traffic policy udplimit
[CE1-trafficpolicy-udplimit] classifier udplimit behavior udplimit
[CE1-trafficpolicy-udplimit] classifier udplimit1 behavior udplimit1
[CE1-trafficpolicy-3] quit

After the preceding configuration, run the display traffic policy command to view the configuration of the traffic policies, traffic classifiers defined in the traffic policies, and the traffic behaviors associated with traffic classifiers.
[CE1] display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: 1
   Classifier: default-class
     Behavior: be
      -none-
   Classifier: a
     Behavior: e
      Committed Access Rate:
        CIR 10000 (Kbps), PIR 0 (Kbps), CBS 15000 (byte), PBS 0 (byte)
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
      Marking:
        Remark DSCP cs5
  Policy: 2
   Classifier: default-class
     Behavior: be
      -none-
   Classifier: b
     Behavior: f
      Committed Access Rate:
        CIR 5000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte)
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
      Marking:
        Remark DSCP af31
  Policy: 3
   Classifier: default-class
     Behavior: be
      -none-
   Classifier: c
     Behavior: g
      Committed Access Rate:
        CIR 2000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte)
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
      Marking:
        Remark DSCP default
  Policy: udplimit
   Classifier: default-class
     Behavior: be
      -none-
   Classifier: udplimit
     Behavior: udplimit
      Firewall:
        permit
   Classifier: udplimit1
     Behavior: udplimit1
      Committed Access Rate:
        CIR 5000 (Kbps), PIR 0 (Kbps), CBS 10000 (byte), PBS 15000 (byte)
        Conform Action: pass
        Yellow Action: discard
        Exceed Action: discard

# Apply the traffic policies to the inbound interfaces.
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] undo shutdown
[CE1-GigabitEthernet1/0/0] traffic-policy 1 inbound
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 3/0/0
[CE1-GigabitEthernet3/0/0] undo shutdown
[CE1-GigabitEthernet3/0/0] traffic-policy 2 inbound
[CE1-GigabitEthernet3/0/0] quit
[CE1] interface gigabitethernet 4/0/0
[CE1-GigabitEthernet4/0/0] undo shutdown
[CE1-GigabitEthernet4/0/0] traffic-policy 3 inbound
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] undo shutdown
[CE1-GigabitEthernet2/0/0] traffic-policy udplimit outbound

Step 3 Configure complex traffic classification on PE1 to control the traffic that goes to the MPLS backbone network.

# Configure traffic classifiers and define matching rules.

<PE1> system-view
[PE1] traffic classifier pe
[PE1-classifier-pe] if-match any
[PE1-classifier-pe] quit

After the preceding configuration, you can run the display traffic classifier command to view the configuration of the traffic classifiers.

[PE1] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: pe
    Operator: OR
    Rule(s): if-match any

# Define traffic behaviors; configure traffic policing.

[PE1] traffic behavior pe
[PE1-behavior-pe] car cir 15000 pir 20000 cbs 300000 pbs 500000
[PE1-behavior-pe] quit

# Define traffic policies and associate the traffic classifiers with the traffic behaviors.

[PE1] traffic policy pe
[PE1-trafficpolicy-pe] classifier pe behavior pe
[PE1-trafficpolicy-pe] quit

After the preceding configuration, you can run the display traffic policy command to view the configuration of the traffic policies, traffic classifiers defined in the traffic policies, and the traffic behaviors associated with traffic classifiers.
[PE1] display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: pe
   Classifier: default-class
     Behavior: be
      -none-
   Classifier: pe
     Behavior: pe
      Committed Access Rate:
        CIR 15000 (Kbps), PIR 20000 (Kbps), CBS 300000 (byte), PBS 500000 (byte)
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard

# Apply the traffic policies to the inbound interfaces.

[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] undo shutdown
[PE1-GigabitEthernet1/0/0] traffic-policy pe inbound
[PE1-GigabitEthernet1/0/0] quit

Step 4 Verify the configuration.

Run the display interface command on CE1 and PE1. You can see that the traffic on the interfaces is regulated according to the configured traffic policies.

----End

Configuration Files

- Configuration file of CE1

#
 sysname CE1
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
acl number 2002
 rule 5 permit source 2.1.1.0 0.0.0.255
acl number 2003
 rule 5 permit source 3.1.1.0 0.0.0.255
acl number 3001
 rule 0 permit udp destination-port eq dns
 rule 1 permit udp destination-port eq snmp
 rule 2 permit udp destination-port eq snmptrap
 rule 3 permit udp destination-port eq syslog
acl number 3002
 rule 4 permit udp
#
traffic classifier a operator or
 if-match acl 2001
traffic classifier c operator or
 if-match acl 2003
traffic classifier b operator or
 if-match acl 2002
traffic classifier udplimit operator or
 if-match acl 3001
traffic classifier udplimit1 operator or
 if-match acl 3002
#
traffic behavior e
 car cir 10000 cbs 150000 pbs 0 green pass red discard
 remark dscp cs5
traffic behavior g
 car cir 2000 cbs 100000 pbs 0 green pass red discard
 remark dscp default
traffic behavior f
 car cir 5000 cbs 100000 pbs 0 green pass red discard
 remark dscp af31
traffic behavior udplimit
traffic behavior udplimit1
 car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard
#
traffic policy 3
 classifier c behavior g
traffic policy 2
 classifier b behavior f
traffic policy 1
 classifier a behavior e
traffic policy udplimit
 classifier udplimit behavior udplimit
 classifier udplimit1 behavior udplimit1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 traffic-policy 1 inbound
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 traffic-policy udplimit outbound
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
 traffic-policy 2 inbound
#
interface GigabitEthernet4/0/0
 undo shutdown
 ip address 3.1.1.1 255.255.255.0
 traffic-policy 3 inbound
#
ospf 1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 2.1.1.0 0.0.0.255
  network 3.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
return

- Configuration file of PE1

#
 sysname PE1
#
 mpls lsr-id 11.11.11.11
 mpls
#
mpls ldp
#
traffic classifier pe operator or
 if-match any
#
traffic behavior pe
 car cir 15000 pir 20000 cbs 300000 pbs 500000 green pass yellow pass red discard
#
traffic policy pe
 classifier pe behavior pe
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
 traffic-policy pe inbound
#
interface Pos2/0/0
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 11.11.11.11 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 100.1.1.0 0.0.0.255
  network 11.11.11.11 0.0.0.0
#
return

- Configuration file of P

#
 sysname P
#
 mpls lsr-id 33.33.33.33
 mpls
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos2/0/0
 link-protocol ppp
 ip address 110.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 33.33.33.33 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 110.1.1.0 0.0.0.255
  network 33.33.33.33 0.0.0.0
#
return

- Configuration file of PE2

#
 sysname PE2
#
 mpls lsr-id 22.22.22.22
 mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 ip address 110.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 22.22.22.22 255.255.255.255
#
ospf 10
 area 0.0.0.0
  network 110.1.1.0 0.0.0.255
  network 20.1.1.0 0.0.0.255
  network 22.22.22.22 0.0.0.0
#
return

- Configuration file of CE2

#
 sysname CE2
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
#
return

8.9.2 Example for Configuring the Security Function of Access Devices

Networking Requirements

As shown in Figure 8-2, Router A, Router B, and Router C are access devices; Router D, Router E, and Router F are core devices. Access devices are connected to core devices through 10G interfaces. The network provides voice and 3G services. Security policies need to be configured on access devices to control the access of users and to guarantee the security of both the network and devices.

Figure 8-2 Networking of configuring the security function of access devices

Configuration Roadmap

The configuration roadmap is as follows:

1. Set the passwords to be used for login in NMS and CLI modes.
2. Log information about login failures.
3. Create an Access Control List (ACL) to deny specified services carried on TCP and UDP ports (to defend against viruses).

Data Preparation

To complete the configuration, you need the following data:

- IP address of each interface
- Passwords to be used for login in NMS and CLI modes

Procedure

Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.

Step 2 Set the passwords to be used for login in NMS and CLI modes.

<RouterA> system-view
[RouterA] user-interface console 0
[RouterA-ui-con0] shell
[RouterA-ui-con0] authentication mode password
[RouterA-ui-con0] set authentication password cipher huawei
[RouterA-ui-con0] idle-timeout 30 0
[RouterA-ui-con0] quit
[RouterA] user-interface maximum-vty 15
[RouterA] user-interface vty 5 14
[RouterA-ui-vty5-14] shell
[RouterA-ui-vty5-14] authentication mode password
[RouterA-ui-vty5-14] set authentication password cipher huawei
[RouterA-ui-vty5-14] idle-timeout 30 0
[RouterA-ui-vty5-14] quit

NOTE
The configurations of the access devices are similar. Router A is used as an example.

Step 3 Set logs to be exported to the control console.

[RouterA] info-center enable
[RouterA] info-center source default channel 9 log level warnings
[RouterA] info-center logfile channel channel9
[RouterA] quit
<RouterA> terminal logging

Step 4 Configure the ACL to prevent devices from being attacked through specified TCP and UDP ports.

NOTE
The ACL must be configured on the access-side interface of the access device.

[RouterA] acl number 3001
[RouterA-acl-adv-3001] description anti-virus
[RouterA-acl-adv-3001] rule 5 deny tcp destination-port eq 445
[RouterA-acl-adv-3001] rule 10 deny udp destination-port eq 445
[RouterA-acl-adv-3001] rule 15 deny tcp destination-port eq 135
[RouterA-acl-adv-3001] rule 20 deny udp destination-port eq 135
[RouterA-acl-adv-3001] rule 25 deny tcp destination-port eq 137
[RouterA-acl-adv-3001] rule 30 deny udp destination-port eq netbios-ns
[RouterA-acl-adv-3001] rule 35 deny tcp destination-port eq 139
[RouterA-acl-adv-3001] rule 40 deny udp destination-port eq netbios-ssn
[RouterA-acl-adv-3001] rule 45 deny udp destination-port eq 1433
[RouterA-acl-adv-3001] rule 50 deny udp destination-port eq 1434
[RouterA-acl-adv-3001] rule 55 deny tcp destination-port eq 4444
[RouterA-acl-adv-3001] rule 60 deny tcp destination-port eq 5554
[RouterA-acl-adv-3001] rule 65 deny udp destination-port eq 5554
[RouterA-acl-adv-3001] rule 70 deny tcp destination-port eq 9996
[RouterA-acl-adv-3001] rule 75 deny udp destination-port eq 9996
[RouterA-acl-adv-3001] rule 110 permit ip
[RouterA-acl-adv-3001] quit
[RouterA] traffic classifier anti-virus operator or
[RouterA-classifier-anti-virus] if-match acl 3001
[RouterA-classifier-anti-virus] quit
[RouterA] traffic behavior anti-virus
[RouterA-behavior-anti-virus] quit
[RouterA] traffic policy anti-virus
[RouterA-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus
[RouterA-trafficpolicy-anti-virus] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] traffic-policy anti-virus inbound
[RouterA-GigabitEthernet1/0/0] traffic-policy anti-virus outbound

----End

Configuration Files

NOTE
Only the configuration file of Router A is provided.
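
ACL 3001 from Step 4 can be checked offline before it is applied. The following Python script is an added example, not part of the Huawei guide: it assumes rules are tested in ascending rule-id order with the first match deciding, it parses only the rule forms used in ACL 3001, and its function names are hypothetical.

```python
"""Offline evaluation of the anti-virus ACL 3001 from Step 4 (added example)."""
import re
from typing import NamedTuple, Optional

# Rules copied from the Router A procedure on this page.
ACL_3001 = """\
rule 5 deny tcp destination-port eq 445
rule 10 deny udp destination-port eq 445
rule 15 deny tcp destination-port eq 135
rule 20 deny udp destination-port eq 135
rule 25 deny tcp destination-port eq 137
rule 30 deny udp destination-port eq netbios-ns
rule 35 deny tcp destination-port eq 139
rule 40 deny udp destination-port eq netbios-ssn
rule 45 deny udp destination-port eq 1433
rule 50 deny udp destination-port eq 1434
rule 55 deny tcp destination-port eq 4444
rule 60 deny tcp destination-port eq 5554
rule 65 deny udp destination-port eq 5554
rule 70 deny tcp destination-port eq 9996
rule 75 deny udp destination-port eq 9996
rule 110 permit ip
"""

# Port keywords used in the rules above (well-known NetBIOS port numbers).
PORT_NAMES = {"netbios-ns": 137, "netbios-ssn": 139}

RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>deny|permit)\s+(?P<proto>tcp|udp|ip)"
    r"(?:\s+destination-port\s+eq\s+(?P<port>\S+))?\s*$"
)


class Rule(NamedTuple):
    rule_id: int
    action: str            # "deny" or "permit"
    proto: str             # "tcp", "udp" or "ip" (any IP protocol)
    dport: Optional[int]   # None means any destination port


def parse_acl(text):
    """Parse rule lines into Rule tuples sorted by rule-id."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        port = m["port"]
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        rules.append(Rule(int(m["id"]), m["action"], m["proto"], port))
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules, proto, dport):
    """Return (action, rule_id) of the first rule matching the packet.

    Assumption: ascending rule-id order, first match wins.
    """
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.rule_id
    return "no-match", None


def single_protocol_gaps(rules):
    """Ports named in a deny rule that are blocked for only one of TCP/UDP.

    Returns {port: (protocol that still passes, rule-id that lets it pass)}.
    """
    ports = sorted({r.dport for r in rules
                    if r.action == "deny" and r.dport is not None})
    gaps = {}
    for port in ports:
        verdict = {p: evaluate(rules, p, port) for p in ("tcp", "udp")}
        passed = [p for p, (action, _) in verdict.items() if action != "deny"]
        if len(passed) == 1:
            gaps[port] = (passed[0], verdict[passed[0]][1])
    return gaps


RULES = parse_acl(ACL_3001)

if __name__ == "__main__":
    for port, (proto, rule_id) in single_protocol_gaps(RULES).items():
        print(f"port {port}: {proto} is not denied (falls through to rule {rule_id})")
```

For the rules as written, the check reports that 1433 and 1434 are denied for UDP only and 4444 for TCP only, so TCP 1433, TCP 1434 and UDP 4444 fall through to rule 110 permit ip.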

- Configuration file of Router A

#
 sysname RouterA
#
 info-center source default channel 9 log level warning
#
acl number 3001
 description anti-virus
 rule 5 deny tcp destination-port eq 445
 rule 10 deny udp destination-port eq 445
 rule 15 deny tcp destination-port eq 135
 rule 20 deny udp destination-port eq 135
 rule 25 deny tcp destination-port eq 137
 rule 30 deny udp destination-port eq netbios-ns
 rule 35 deny tcp destination-port eq 139
 rule 40 deny udp destination-port eq netbios-ssn
 rule 45 deny udp destination-port eq 1433
 rule 50 deny udp destination-port eq 1434
 rule 55 deny tcp destination-port eq 4444
 rule 60 deny tcp destination-port eq 5554
 rule 65 deny udp destination-port eq 5554
 rule 70 deny tcp destination-port eq 9996
 rule 75 deny udp destination-port eq 9996
 rule 110 permit ip
#
traffic classifier anti-virus operator or
 if-match acl 3001
#
traffic behavior anti-virus
#
traffic policy anti-virus
 classifier anti-virus behavior anti-virus
#
interface GigabitEthernet1/0/0
 undo shutdown
 traffic-policy anti-virus inbound
 traffic-policy anti-virus outbound
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 idle-timeout 30 0
user-interface vty 0 4
user-interface vty 5 14
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 idle-timeout 30 0
user-interface vty 16 20
#
return

8.9.3 Example for Configuring an ACL Rule that Is Based on the VPN Instance

Networking Requirements

As shown in Figure 8-3, two VPN instances are configured on the PE. CE1 belongs to VPN-A, whose VPN-target is 111:1; CE2 belongs to VPN-B, whose VPN-target is 222:2.
An ACL rule is configured on the PE to permit users in VPN-A to log in to the PE through Telnet and to prevent users in VPN-B from logging in to the PE. Users in different VPNs cannot communicate with each other.

Figure 8-3 Typical networking of configuring an ACL rule

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure VPN instances.
2. Define the ACL rule.
3. Configure different login permissions on the PE for users in different VPNs.

Data Preparation

To complete the configuration, you need the following data:

- ACL number
- VPN instance name

Procedure

Step 1 Configure VPN instances on the PE and connect CE1 and CE2 to the PE.

# Configure VPN-A.

<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 100:1
[PE-vpn-instance-vpna] vpn-target 111:1 both
[PE-vpn-instance-vpna] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[PE-GigabitEthernet1/0/0] quit

# Configure VPN-B.

[PE] ip vpn-instance vpnb
[PE-vpn-instance-vpnb] route-distinguisher 100:2
[PE-vpn-instance-vpnb] vpn-target 222:2 both
[PE-vpn-instance-vpnb] quit
[PE] interface gigabitethernet 2/0/0
[PE-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE-GigabitEthernet2/0/0] ip address 11.1.1.1 24
[PE-GigabitEthernet2/0/0] quit

Step 2 Configure an ACL rule and then apply the rule on the PE. After that, users in VPN-A can log in to the PE through Telnet, whereas users in VPN-B cannot.

[PE] acl number 2001
[PE-acl-adv-2001] rule permit vpn-instance vpna
[PE-acl-adv-2001] rule deny vpn-instance vpnb
[PE-acl-adv-2001] quit

Step 3 Use the ACL rule configured on the PE to control the login of users to the PE through Telnet.

[PE] user-interface vty 0 4
[PE-ui-vty0-4] authentication-mode none
[PE-ui-vty0-4] acl 2001 inbound

Step 4 Verify the configuration.

# Telnet from CE1 to the PE.

<CE1> telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
***********************************************************
* Copyright (C) 2000-2009 Huawei Technologies Co., Ltd *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
***********************************************************
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
<PE>

CE1 can log in to the PE through Telnet.

# Telnet from CE2 to the PE.

<CE2> telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.

CE2 cannot log in to the PE through Telnet.

----End

Configuration Files

- Configuration file of the PE

#
 sysname PE
#
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
#
acl number 2001
 rule 5 permit vpn-instance vpna
 rule 10 deny vpn-instance vpnb
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface Ethernet0/0/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 undo shutdown
 ip binding vpn-instance vpnb
 ip address 11.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode none
user-interface vty 16 20
#
return

- Configuration file of CE1

#
 sysname CE1
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface Ethernet0/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

- Configuration file of CE2

#
 sysname CE2
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface Ethernet0/0/0
 undo shutdown
 ip address 11.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

9 Basic IPv6 Configuration

About This Chapter

This chapter describes the IPv6 features and IPv6 address overview. It also describes configuration steps for IPv6 ND, PMTU, TCP6, FIB cache configuration, along with typical examples.

9.1 Basic IPv6 Overview
This section describes the basic concept of IPv6.

9.2 Configuring an IPv6 Address for an Interface
This section describes how to configure an IPv6 address for an interface.

9.3 Configuring IPv6 Neighbor Discovery
This section describes how to configure IPv6 neighbor discovery.

9.4 Configuring PMTU
This section describes how to configure IPv6 PMTU.

9.5 Enabling the FIB Cache
This section describes how to enable the FIB cache capacity.

9.6 Configuring TCP6
This section describes how to configure TCP connections.

9.7 Maintaining IPv6
This section describes how to clear IPv6 statistics and debug IPv6.

9.8 Configuration Examples
This section provides a configuration example for the IPv6 address.

9.1 Basic IPv6 Overview

This section describes the basic concept of IPv6.

9.1.1 Introduction to IPv6
9.1.2 IPv6 Supported by the NE80E/40E

9.1.1 Introduction to IPv6

Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is the standard network protocol of the second generation. It is a set of specifications designed by the Internet Engineering Task Force (IETF). IPv6 is the upgraded version of IPv4. The most remarkable difference between IPv6 and IPv4 is that the IP address lengthens from 32 bits to 128 bits.

9.1.2 IPv6 Supported by the NE80E/40E

The NE80E/40E supports the IPv6 protocol suite and TCP6 protocol suite.

IPv6 Address

A 128-bit IPv6 address has the following formats:

- X:X:X:X:X:X:X:X
  In this format, a 128-bit IP address is divided into eight groups. The 16 bits of each group are represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups are separated by colons. Every "X" represents a group of hexadecimal values.
- X:X:X:X:X:X:d.d.d.d
  This format is for the following types of addresses:
  – IPv4-compatible IPv6 address
  – IPv4-mapped IPv6 address
  IPv4-compatible IPv6 address is used to configure an IPv6 over IPv4 tunnel. In this type of address, "X" represents the first six groups of numbers. Each "X" stands for 16 bits that are represented by hexadecimal numbers. "d" represents the subsequent four groups of numbers. Each "d" stands for eight bits that are represented by decimal numbers. "d.d.d.d" is a standard IPv4 address.
An IPv6 address can be divided into two parts:

- Network prefix: equivalent to the network ID of an IPv4 address. It is n bits long.
- Interface identifier: equivalent to the host ID in an IPv4 address. It is 128-n bits long.

IPv6 Neighbor Discovery

IPv6 neighbor discovery (ND) is a group of messages and processes that define the relationship between neighboring nodes. ND replaces the Address Resolution Protocol (ARP) messages and the Internet Control Message Protocol (ICMP) device discovery messages. It also provides additional functions.

IPv6 PMTU

Generally, the problem that different networks have different Maximum Transmission Units (MTU) can be solved in the following ways:

- Devices fragment packets as required. The source host only needs to fragment packets; however, the intermediate router not only needs to fragment packets, but also to reassemble packets.
- The source host sends packets based on a proper MTU so that packets need not be fragmented on the intermediate router. In such a case, the packet processing burden on the intermediate router can be reduced. During IPv6 packet transmission, only this approach can be used because IPv6 intermediate routers do not support packet fragmentation.

The Path MTU (PMTU) Discovery mechanism aims at finding a proper MTU value on the path from the source to the destination.

IPv6 FIB

Connecting network topologies of different types requires different routing protocols to be configured, which gives rise to the Routing Information Base (RIB). The RIB is the basis of the Forwarding Information Base (FIB). Guided by route management policies, a device extracts a minimum of necessary forwarding information from the RIB and adds the information to the FIB. Through the route management module, you can also add static routes into the FIB.
A FIB contains the minimum set of information that a device needs to forward packets. A FIB entry usually contains the destination address, prefix length, transport port, next-hop address, route flag, and time stamp. A device forwards packets according to FIB entries.

The FIB mechanism consists of two parts: the FIB agent (used on the control plane) and the FIB container (used on the forwarding plane). A FIB agent is responsible for interacting with the RM module to deliver FIB entries to the forwarding engine, and to the I/O board in a distributed system.

A FIB contains the following information:

- Destination address: indicates the network or host a packet is destined for.
- Prefix length: indicates the length of the destination address prefix. From the prefix length, you can infer whether the destination address is a network address or a host address.
- Nexthop: indicates the address of the next hop through which the packet reaches the destination.
- Flag(s): identifies route features.
- Interface: indicates the outgoing interface of the packet.
- Timestamp: indicates the time when a FIB entry is established.

9.2 Configuring an IPv6 Address for an Interface

This section describes how to configure an IPv6 address for an interface.

9.2.1 Establishing the Configuration Task
9.2.2 Enabling IPv6 Packet Forwarding Capability
9.2.3 Configuring an IPv6 Link-Local Address for an Interface
9.2.4 Configuring an IPv6 Global Unicast Address for an Interface
9.2.5 Checking the Configuration

9.2.1 Establishing the Configuration Task

Applicable Environment

When a device communicates with an IPv6 device, you need to configure an IPv6 address for the interface.
The NE80E/40E supports configuring IPv6 addresses for the following interfaces:

- Gigabit-Ethernet interfaces and sub-interfaces
- POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol support IPv6.)
- Tunnel interfaces
- Loopback interfaces
- Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces

You can configure 10 addresses for one interface. Addresses can be the link-local address and the global unicast address.

The link-local address is used in ND, and in the communication between nodes on the local link in stateless address auto-configuration. Packets that use the link-local address as the source or destination address are not forwarded to other links.

The link-local address can be automatically generated or manually configured. After automatic address generation is enabled, the system automatically generates a link-local address. A manually configured link-local address must be a valid link-local address (FE80::/10). Automatically generating the link-local address is recommended because the link-local address is used only for communication between nodes on the local link. It commonly serves the communication requirements of protocols and is not directly related to the communication between users.

The global unicast address is equivalent to the IPv4 public address. It is used for data forwarding across the public network, which is necessary for the communication between users.

An EUI-64 address has the same function as a global unicast address. The difference is that only the network bits need to be specified for the EUI-64 address and the host bits are transformed from the MAC address of the interface, while a complete 128-bit address needs to be specified for the global unicast address. Note that the prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.
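The MAC-to-interface-identifier transformation described above can be checked against the addresses in this chapter's own sample output. The following Python sketch is an added example, not part of the Huawei guide: it assumes the modified EUI-64 rule (insert FFFE in the middle of the MAC address and invert the universal/local bit), and all function names and the third neighbor entry are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of "display ipv6 neighbors". The first two
# entries reuse values shown in this chapter; the third entry is invented.
SAMPLE_NEIGHBORS = """\
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e                State : STALE
Interface    : GE1/0/0                       Age   : 7
IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e                State : STALE
Interface    : GE1/0/0                       Age   : 7
IPv6 Address : FE80::2E0:FCFF:FE12:3456
Link-layer   : 00e0-fc89-fe6e                State : STALE
Interface    : GE1/0/0                       Age   : 7
"""

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def parse_mac(mac):
    """Accept 00e0-fc89-fe6e (router output style) or colon-separated MACs."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Modified EUI-64: insert FFFE and invert the universal/local bit."""
    raw = parse_mac(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_address(prefix, mac):
    """Combine a prefix of at most 64 bits with the MAC-derived host bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("EUI-64 prefix must not be longer than 64 bits")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 style address, or None if not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    h = (bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]).hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def solicited_node(addr):
    """Solicited-node multicast group: FF02::1:FF plus the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def parse_neighbors(text):
    """Collect address / link-layer pairs from neighbor-cache output."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*IPv6 Address\s*:\s*(\S+)", line)
        if m:
            current = {"address": ipaddress.IPv6Address(m.group(1))}
            entries.append(current)
            continue
        m = re.match(r"\s*Link-layer\s*:\s*(\S+)", line)
        if m and current is not None:
            current["mac"] = m.group(1).lower()
    return entries


def audit_neighbors(text):
    """Compare each entry's EUI-64-derived MAC with its link-layer address."""
    findings = []
    for entry in parse_neighbors(text):
        mac = entry.get("mac")
        if mac is None:
            continue
        derived = mac_from_eui64(entry["address"])
        if derived is None:
            status = "not-eui64"
        elif parse_mac(derived) == parse_mac(mac):
            status = "match"
        else:
            status = "mismatch"
        findings.append((str(entry["address"]), mac, status))
    return findings


if __name__ == "__main__":
    for row in audit_neighbors(SAMPLE_NEIGHBORS):
        print(row)
```

A "mismatch" is not proof of a problem: a manually configured link-local address (9.2.3) gives the same result, so treat it as a prompt to check that neighbor's interface configuration.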
The EUI-64 address and the global unicast address can be configured simultaneously or alternatively. However, the IP addresses configured for one interface cannot be in the same network segment.

Pre-configuration Tasks

Before configuring IPv6 addresses, complete the following tasks:

- Configuring the physical features of the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure IPv6 addresses for an interface, you need the following data.

No.  Data
1    Number of the interface
2    Link-local address configured manually
3    Global unicast address and prefix length

9.2.2 Enabling IPv6 Packet Forwarding Capability

Context

To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the system view and the interface view. This is because:

- If you run the ipv6 command only in the system view, only the IPv6 packet forwarding capability is enabled on a device. The IPv6 function, however, is not enabled on the interface and hence you cannot perform any IPv6 configurations.
- If you run the ipv6 enable command only in the interface view, the IPv6 capability is enabled only on an interface but the IPv6 protocol status on the interface is Down. Therefore, the device cannot forward IPv6 data.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ipv6
The IPv6 packet forwarding capability is enabled.
By default, the IPv6 packet forwarding capability is disabled.
To enable a device to forward IPv6 packets, you must run this command in the system view; otherwise, the IPv6 protocol status of the interface is Down and the device cannot forward IPv6 packets although you enable IPv6 on the interface.

Step 3 Run:
  interface interface-type interface-number
The view of the interface to be enabled with the IPv6 capability is displayed.

Step 4 Run:
  ipv6 enable
The IPv6 capability is enabled on the interface.
Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability in the interface view. By default, the IPv6 capability is disabled on the interface.

----End

9.2.3 Configuring an IPv6 Link-Local Address for an Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Perform the following as required.
Run:
  ipv6 address auto link-local
Auto generation of the IPv6 link-local address is enabled.
Or
Run:
  ipv6 address ipv6-address link-local
The IPv6 link-local address is manually configured.

Besides configuring a link-local address through the preceding two commands, you can also configure a global unicast IPv6 address for auto generating a link-local address. For details, see Configuring an IPv6 Global Unicast Address for an Interface.

----End

9.2.4 Configuring an IPv6 Global Unicast Address for an Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } [ eui-64 ]
The global unicast address is configured on the interface.

----End

9.2.5 Checking the Configuration

Prerequisite

The configurations of the IPv6 addresses are complete.

Procedure

- Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the IPv6 information of an interface.
- Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ] command to check the IPv6 packet statistics.

----End

Example

Run the display ipv6 interface command. If the IPv6 address of the interface is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

Run the display ipv6 interface command. If the configured IPv6 address and interface status are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                    Physical    Protocol
GigabitEthernet2/0/2         up          up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/3         up          up
[IPv6 Address] 2001::1
LoopBack0                    up          up(s)
[IPv6 Address] Unassigned

Run the display ipv6 statistics command.
If the statistics on IPv6 packets are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 statistics
IPv6 Protocol:
  Sent packets:
    Total              : 3630
    Local sent out     : 3630      Forwarded      : 0
    Raw packets        : 0         Discarded      : 0
    Fragmented         : 0         Fragments      : 0
    Fragments failed   : 0         Multicast      : 0
  Received packets:
    Total              : 3630      Local host     : 3630
    Hop count exceeded : 0         Header error   : 0
    Too big            : 0         Routing failed : 0
    Address error      : 0         Protocol error : 0
    Truncated          : 0         Option error   : 0
    Fragments          : 0         Reassembled    : 0
    Reassembly timeout : 0         Multicast      : 0

9.3 Configuring IPv6 Neighbor Discovery

This section describes how to configure IPv6 neighbor discovery.

9.3.1 Establishing the Configuration Task
9.3.2 Configuring Static Neighbors
9.3.3 Enabling RA Message Advertising
9.3.4 Setting the Interval for Advertising RA Messages
9.3.5 Enabling Stateful Auto Configuration
9.3.6 Configuring the Address Prefixes to Be Advertised
9.3.7 Configuring Other Information to Be Advertised
9.3.8 Checking the Configuration

9.3.1 Establishing the Configuration Task

Applicable Environment

Most of the ND configurations are implemented based on the interfaces. The IPv6 ND configuration is supported on the following interfaces:

- Gigabit-Ethernet interfaces and their sub-interfaces
- POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol support IPv6.)
- Tunnel interfaces
- Loopback interfaces
- Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces

NOTE
Though the POS interfaces can be configured with IPv6 ND-related commands, packet sending or packet forwarding on these interfaces actually does not require neighbor entries.
Pre-configuration Tasks

Before configuring IPv6 neighbor discovery, complete the following tasks:

- Configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring link layer parameters for the interface
- Configuring the IPv6 address for the interface

Data Preparation

To configure IPv6 neighbor discovery, you need the following data.

No.  Data
1    Number of interface which needs to be configured with IPv6 ND
2    IPv6 address and MAC address of the static neighbor
3    Intervals, prefix, and life duration of RA messages
4    Flag bit of automatic configuration
5    Hop limit of ND
6    Sending times of DAD
7    Intervals for re-transmitting NS messages
8    NUD reachable time
9    Interface MTU

9.3.2 Configuring Static Neighbors

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  ipv6 neighbor ipv6-address mac-address
Static neighbors are configured.
Static neighbors can be configured for interfaces and their sub-interfaces. You can configure up to 300 neighbors on each interface.

----End

9.3.3 Enabling RA Message Advertising

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  undo ipv6 nd ra halt
The function of advertising RA messages is enabled.

----End

9.3.4 Setting the Interval for Advertising RA Messages

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }
The interval for advertising RA messages is configured.
By default, the maximum interval is 600 seconds and the minimum interval is 200 seconds.
The maximum interval cannot be shorter than the minimum interval.

----End

9.3.5 Enabling Stateful Auto Configuration

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  ipv6 nd autoconfig managed-address-flag
The flag bit for stateful auto configuration addresses is set.
If this flag is set, hosts use the stateful protocol for address auto-configuration in addition to any addresses auto-configured using stateless address auto-configuration.

Step 4 Run:
  ipv6 nd autoconfig other-flag
The flag bit for other stateful configurations is set.
When this flag is set, hosts use the stateful protocol for auto-configuration of other (non-address) information.

----End

9.3.6 Configuring the Address Prefixes to Be Advertised

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 3 Run:
  ipv6 nd ra prefix { ipv6-address prefix-length | ipv6-address/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]
The prefix of RA messages is configured.
----End

9.3.7 Configuring Other Information to Be Advertised

Context

Duplicate Address Detect (DAD) is a process of IPv6 automatic address configuration. You can configure the number of DAD messages that are sent continuously.

You can set the interval for sending Neighbor Solicitation (NS) messages on the device. By default, the NS retransmission interval is 1000 ms.

NUD checks the reachability of neighbors. By default, the NUD value is 30000 ms.

The MTU of the interface determines whether to fragment IP packets on the interface. Default MTUs vary with interface types. The MTU on a GigabitEthernet interface defaults to 1500 bytes.

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ipv6 nd hop-limit limit
The ND hop limit is configured.
The value of limit ranges from 1 to 255. By default, it is 64.

Step 3 Run:
  interface interface-type interface-number
The interface view is displayed.

Step 4 Run:
  ipv6 nd ra router-lifetime ra-lifetime
The life duration of RA messages is configured.

NOTE
- When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval must be less than or equal to the life duration.
- By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.
- By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration is still 1800 seconds.

Step 5 Run:
  ipv6 nd dad attempts value
The number of times DAD messages are sent is configured.

Step 6 Run:
  ipv6 nd ns retrans-timer value
The interval for re-sending NS messages is set.

Step 7 Run:
  ipv6 nd nud reachable-time value
The NUD reachable time is set.

Step 8 Run:
  ipv6 mtu mtu
The MTU of the interface is configured.
The IPv6 MTU should be smaller than 9600 bytes on the GigabitEthernet of the LPUF-20.

----End

Postrequisite

If the IPv6 MTU value is changed, run the shutdown command and then the undo shutdown command in the interface view to validate the configuration.

9.3.8 Checking the Configuration

Prerequisite

The configurations of the IPv6 neighbor discovery function are complete.

Procedure

- Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ] command to check the neighbor information in the cache.
- Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the IPv6 information of an interface.

----End

Example

Run the display ipv6 neighbors command. If the cache of the neighbor information contains neighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.

<HUAWEI> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e        State : STALE
Interface    : GE1/0/0               Age   : 7
VPN name     : vpn1                  VLAN  :

IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e        State : STALE
Interface    : GE1/0/0               Age   : 7
VPN name     : vpn1                  VLAN  :
--------------------------------------------------------
Total: 2    Dynamic: 2    Static: 0

Run the display ipv6 interface command. If information about the IPv6 address on the interface is displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

Run the display ipv6 interface brief command. If information about the IPv6 address on the interface and interface status are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                    Physical    Protocol
GigabitEthernet2/0/2         up          up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/3         up          up
[IPv6 Address] 2001::1
LoopBack0                    up          up(s)
[IPv6 Address] Unassigned

9.4 Configuring PMTU

This section describes how to configure IPv6 PMTU.

9.4.1 Establishing the Configuration Task
9.4.2 Creating Static PMTU Entries
9.4.3 Configuring PMTU Aging Time
9.4.4 Checking the Configuration

9.4.1 Establishing the Configuration Task

Applicable Environment

By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUs across the network. This avoids packet fragmentation, reduces the burden of the devices, implements efficient usage of network resources and achieves the best throughput.
Pre-configuration Tasks

Before configuring PMTUs, complete the following tasks:

- Configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer protocol for the interface

Data Preparation

To configure PMTUs, you need the following data.

No.  Data
1    IPv6 address and PMTU value to be configured
2    PMTU aging time

9.4.2 Creating Static PMTU Entries

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ipv6 pathmtu ipv6-address [ path-mtu ]
The PMTU value of a specified IPv6 address is configured.
By default, the PMTU of the IPv6 address is 1500 bytes.

----End
<HUAWEI> display ipv6 pathmtu all IPv6 Destination Address ZoneID fe80::12 0 2222::3 0 PathMTU 1300 1280 Age 40 -- Type Dynamic Static Run the display ipv6 interface command. If the current MTU of the interface is displayed, it means that the configuration succeeds. <HUAWEI> display ipv6 interface gigabitethernet 1/0/0 GigabitEthernet1/0/0 current state : UP , 9-16 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. Issue 03 (2010-03-31) HUAWEI NetEngine80E/40E Router Configuration Guide - IP Services 9 Basic IPv6 Configuration IPv6 protocol current state : UP IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es): FF02::1:FF00:1 FF02::1:FF04:5D00 FF02::2 FF02::1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses 9.5 Enabling the FIB Cache This section describes how to enable the FIB cache capacity. 9.5.1 Establishing the Configuration Task 9.5.2 Enabling the FIB Cache 9.5.3 Checking the Configuration 9.5.1 Establishing the Configuration Task Applicable Environment None. Pre-configuration Tasks Before enabling the FIB cache capability of a device, complete the following tasks: l Connecting the interface and configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up l Configuring the link layer protocol parameters for the interface Data Preparation To enable the FIB cache capability, you need the following data. No. Data 1 Slot ID 9.5.2 Enabling the FIB Cache Context Do as follows on the router: Issue 03 (2010-03-31) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 
Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  ipv6 fibcache { slot-id | all }
FIB cache is enabled on the device.
By default, the FIB cache is disabled on the device.

----End

9.5.3 Checking the Configuration

Prerequisite

The configuration for enabling the FIB cache is complete.

Procedure

- Run the display ipv6 fib [ spt ] [ slot-id ] [ | { begin | include | exclude } regular-expression ] command to check the FIB information.
- Run the display ipv6 fibcache slot-id command to check total routes in FIB cache.

----End

Example

Run the display ipv6 fib command. If the details of FIB are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 fib
FIB Table:
Total number of Routes : 4

Destination: ::1                                 PrefixLength : 128
NextHop    : ::1                                 Flag         : HU
Label      : NULL                                Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:41:26     reference    : 1
Interface  : InLoopBack0
IP6Token   : 0x0

Destination: FE80::                              PrefixLength : 10
NextHop    : ::                                  Flag         : BU
Label      : NULL                                Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:34     reference    : 1
Interface  : NULL0
IP6Token   : 0x0

Destination: 2001::2                             PrefixLength : 128
NextHop    : ::1                                 Flag         : HU
Label      : NULL                                Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:36     reference    : 1
Interface  : InLoopBack0
IP6Token   : 0x0

Destination: 2001::                              PrefixLength : 64
NextHop    : 2001::2                             Flag         : U
Label      : NULL                                Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:36     reference    : 1
Interface  : GigabitEthernet6/0/0
IP6Token   : 0x0

Run the display ipv6 fibcache command. If FIB cache contains the routing information, it means that the configuration succeeds.
<HUAWEI> display ipv6 fibcache 6
FIB Cache:
Total number of Routes : 2

Destination: 2001::1                             FIB PrefixLength : 64
NextHop    : 2001::2                             FIB Flag         : U
Label      : NULL                                Tunnel ID        : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:45     reference        : 0
Interface  : GigabitEthernet6/0/0
IP6Token   : 0x0

Destination: 2001::2                             FIB PrefixLength : 128
NextHop    : ::1                                 FIB Flag         : HU
Label      : NULL                                Tunnel ID        : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:45     reference        : 0
Interface  : InLoopBack0
IP6Token   : 0x0

9.6 Configuring TCP6

This section describes how to configure TCP connections.

9.6.1 Establishing the Configuration Task
9.6.2 Configuring TCP6 Timers
9.6.3 Configuring the Size of the TCP6 Sliding Window
9.6.4 Checking the Configuration

9.6.1 Establishing the Configuration Task

Applicable Environment

To optimize network performance, you need to adjust the TCP6 parameters.

Pre-configuration Tasks

Before configuring TCP6, complete the following tasks:

- Connecting and configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer protocol parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure TCP6, you need the following data.

No.  Data
1    Value of TCP6 FIN-WAIT timer
2    Value of TCP6 SYN-WAIT timer
3    Size of TCP6 Sliding Window

9.6.2 Configuring TCP6 Timers

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  tcp ipv6 timer syn-timeout timer-value
The TCP6 SYN-WAIT timer is set.
By default, the SYN-WAIT timer is 75s.

Step 3 Run:
  tcp ipv6 timer fin-timeout timer-value
The TCP6 FIN-WAIT timer is set.
By default, the FIN-WAIT timer is 675s.
----End

9.6.3 Configuring the Size of the TCP6 Sliding Window

Context

Do as follows on the router:

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  tcp ipv6 window window-size
The size of the TCP6 sliding window is configured.
The size of the TCP6 sliding window ranges from 1 KB to 32 KB. By default, the size of the TCP6 sliding window is 8 KB.

----End

9.6.4 Checking the Configuration

Prerequisite

The configurations of the TCP6 function are complete.

Procedure

- Run the display tcp ipv6 statistics command to check related TCP6 statistics.
- Run the display tcp ipv6 status command to check the TCP6 connection status.
- Run the display udp ipv6 statistics command to check related UDP6 statistics.
- Run the display ipv6 socket [ socktype sock-type ] [ task-id sock-id ] command to check the information of the specified socket.

----End

Example

Run the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statistics commands. If the connection status and statistics of TCP6 and UDP6 are displayed, it means that the configuration succeeds.
<HUAWEI> display tcp ipv6 statistics
Received packets:
  total: 0
  packets in sequence: 0 (0 bytes)
  window probe packets: 0
  window update packets: 0
  checksum error: 0
  offset error: 0
  short error: 0
  duplicate packets: 0 (0 bytes)
  partially duplicate packets: 0 (0 bytes)
  out-of-order packets: 0 (0 bytes)
  packets with data after window: 0 (0 bytes)
  packets after close: 0
  ACK packets: 0 (0 bytes)
  duplicate ACK packets: 0
  too much ACK packets: 0
  packets dropped due to MD5 authentication failure: 0
  packets receieved with MD5 Signature Option: 0
Sent packets:
  total: 0
  urgent packets: 0
  control packets: 0 (including 0 RST)
  window probe packets: 0
  window update packets: 0
  data packets: 0 (0 bytes)
  data packets retransmitted: 0 (0 bytes)
  ACK only packets: 0 (0 delayed)
  packets sent with MD5 Signature Option: 0
Other Statistics:
  retransmitted timeout: 0
  connections dropped in retransmitted timeout: 0
  keepalive timeout: 0
  keepalive probe: 0
  keepalive timeout, so connections disconnected: 0
  initiated connections: 0
  accepted connections: 0
  established connections: 0
  closed connections: 0 (dropped: 0, initiated dropped: 0)

<HUAWEI> display tcp ipv6 status
TCP6CB     Local Address      Foreign Address    State
09e39ae4   3000::2->179       3000::1->49158     Time_Wait
09e36f24   3000::2->49152     3000::1->179       Established
07da08f8   ::->179            ::->0              Listening
07d96da8   ::->23             ::->0              Listening

<HUAWEI> display udp ipv6 statistics
Received packets:
  total: 0
  total(64bit high-capacity counter): 0
  checksum error: 0
  shorter than header: 0
  invalid message length: 0
  no socket on port: 0
  no multicast port: 0
  not delivered, input socket full: 0
  input packets missing pcb cache: 0
  packets sent for external pre processing: 1
Sent packets:
  total: 0
  total(64bit high-capacity counter): 0

Run the display ipv6 socket command.
If the related socket information is displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 socket
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
SOCK_RAW:

9.7 Maintaining IPv6
This section describes how to clear IPv6 statistics and debug IPv6.
9.7.1 Resetting IPv6
9.7.2 Monitoring Network Operation Status of IPv6

9.7.1 Resetting IPv6

Context
CAUTION
IPv6 statistics cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure
- Run the reset ipv6 statistics [ slot slot-id ] command in the user view to clear statistics of processing IPv6 packets after you confirm it.
- Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clear PMTU entries in the cache after you confirm it.
- Run the reset ipv6 fibcache { slot-id | all } command in the user view to clear cached entries in FIB after you confirm it.
- Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type interface-number ] | interface-type interface-number } command in the user view to clear IPv6 neighbor entries in the cache after you confirm it.
- Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics after you confirm it.
- Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statistics after you confirm it.
----End

9.7.2 Monitoring Network Operation Status of IPv6

Context
In routine maintenance, you can run the following commands in any view to check the operation of IPv6.

Procedure
- Run the display ipv6 interface [ interface-type interface-number | brief ] command in any view to check the IPv6 information about the interface.
- Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ] command in any view to check IPv6 packet statistics.
- Run the display icmpv6 statistics [ slot slot-id | interface interface-type interface-number ] command in any view to check the operation of ICMPv6 packet statistics.
- Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ] command in any view to check contents about the neighbor cache.
- Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command in any view to check all PMTU entries.
- Run the display tcp ipv6 statistics command in any view to check TCP6 statistics.
- Run the display tcp ipv6 status command in any view to check TCP6 connection status.
- Run the display udp ipv6 statistics command in any view to check UDP6 statistics.
- Run the display ipv6 socket [ socktype sock-type ] [ task-id sock-id ] command in any view to check information about the specified socket.
- Run the display ipv6 fib [ spt ] [ slot-id ] [ | { begin | include | exclude } regular-expression ] command in any view to check information about the FIB.
- Run the display ipv6 fibcache slot-id command in any view to check the total number of routes in the FIB cache.
----End

9.8 Configuration Examples
This section provides a configuration example for the IPv6 address.
9.8.1 Example for Configuring an IPv6 Address for an Interface
9.8.2 Example for Configuring IPv6 Neighbor Discovery

9.8.1 Example for Configuring an IPv6 Address for an Interface

Networking Requirement
As shown in Figure 9-1, Router A and Router B are connected through POS interfaces. It is required to configure IPv6 global unicast addresses for the interfaces and test the connectivity between them.
The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and 3001::2/64.

Figure 9-1 Networking diagram of configuring an IPv6 address for an interface
(RouterA POS 1/0/0 3001::1/64 connected to RouterB POS 1/0/0 3001::2/64)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 forwarding capability on devices.
2. Configure IPv6 global unicast addresses for the interfaces.

Data Preparation
To complete the configuration, you need the following data:
- Global unicast addresses of the interfaces

Procedure
Step 1 Enable IPv6 packet forwarding on Router A and Router B.
# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
Step 2 Configure IPv6 global unicast addresses for the interfaces.
# Configure Router A.
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ipv6 enable
[RouterA-Pos1/0/0] ipv6 address 3001::1/64
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
# Configure Router B.
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ipv6 enable
[RouterB-Pos1/0/0] ipv6 address 3001::2/64
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
Step 3 Verify the configuration.
If the configuration succeeds, you can view the configured IPv6 global unicast addresses, and the status of the interface and of the IPv6 protocol are both Up.
# Display interface information of Router A.
[RouterA] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::C964:0:B8B6:1
  Global unicast address(es):
    3001::1, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FFB6:1
    FF02::2
    FF02::1
  MTU is 4470 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
# Display interface information of Router B.
[RouterB] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1
  Global unicast address(es):
    3001::2, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::1:FFF3:1
    FF02::2
    FF02::1
  MTU is 4470 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
# On Router A, ping the link-local address of Router B. Note that you need to use the parameter -i to specify the interface.
[RouterA] ping ipv6 fe80::2d6f:0:7af3:1 -i pos 1/0/0
  PING FE80::2D6F:0:7AF3:1 : 56 data bytes, press CTRL_C to break
    Reply from FE80::2D6F:0:7AF3:1
    bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from FE80::2D6F:0:7AF3:1
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from FE80::2D6F:0:7AF3:1
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from FE80::2D6F:0:7AF3:1
    bytes=56 Sequence=4 hop limit=64 time = 30 ms
    Reply from FE80::2D6F:0:7AF3:1
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- FE80::2D6F:0:7AF3:1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/38/60 ms
# On Router A, ping the global unicast IPv6 address of Router B.
[RouterA] ping ipv6 3001::2
  PING 3001::2 : 56 data bytes, press CTRL_C to break
    Reply from 3001::2
    bytes=56 Sequence=1 hop limit=64 time = 30 ms
    Reply from 3001::2
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::2
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from 3001::2
    bytes=56 Sequence=4 hop limit=64 time = 20 ms
    Reply from 3001::2
    bytes=56 Sequence=5 hop limit=64 time = 40 ms
  --- 3001::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/38/50 ms
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3001::1/64
#
return
- Configuration file of Router B
#
 sysname RouterB
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3001::2/64
#
return

9.8.2 Example for Configuring IPv6 Neighbor Discovery

Networking Requirements
As shown in Figure 9-2, the device is directly connected to the PC through GE 1/0/10. This PC runs the Windows XP operating system.
Figure 9-2 Example for configuring IPv6 neighbor discovery
(Router GE1/0/10, 3000::/64 eui-64, connected to the PC)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local unicast addresses of the link and EUI-64 site separately on GE 1/0/10.
2. Configure the RA prefix message to be advertised on GE 1/0/10 and enable the advertisement of the RA prefix message.

Data Preparation
To complete the configuration, you need the following data:
- Local unicast addresses of the link and EUI-64 site on GE 1/0/10
- RA prefix message to be advertised

Procedure
Step 1 Enable the IPv6 forwarding on devices.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] ipv6
Step 2 Configure the local unicast address of the link on GE 1/0/10.
[Router] interface gigabitethernet 1/0/10
[Router-GigabitEthernet1/0/10] undo shutdown
[Router-GigabitEthernet1/0/10] ipv6 enable
[Router-GigabitEthernet1/0/10] ipv6 address auto link-local
Step 3 Configure the local unicast address of the EUI-64 site on GE 1/0/10 and the prefix in the RA message.
[Router-GigabitEthernet1/0/10] ipv6 address 3000::/64 eui-64
[Router-GigabitEthernet1/0/10] ipv6 nd ra prefix 3000::/64 1000 1000
[Router-GigabitEthernet1/0/10] undo ipv6 nd ra halt
Step 4 Verify the configuration.
If configurations are successful, you can view the configured local unicast address of the link and the EUI-64 site and find that GE 1/0/10 is Up and IPv6 is Up.
# Display information about interfaces of devices.
[Router-GigabitEthernet1/0/10] display this ipv6 interface
GigabitEthernet1/0/10 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE7D:A497
  Global unicast address(es):
    3000::2E0:FCFF:FE7D:A497, subnet is 3000::/64
  Joined group address(es):
    FF02::1:FF7D:A497
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisement max interval 600 seconds, min interval 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses
# Display information about PCs.
Ethernet adapter 1:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC #2
   Physical Address. . . . . . . . . : 00-E0-4C-77-A1-B6
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 110.1.1.33
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   IP Address. . . . . . . . . . . . : 3000::78b3:4397:c0c4:f078
   IP Address. . . . . . . . . . . . : 3000::2e0:4cff:fe77:a1b6
   IP Address. . . . . . . . . . . . : fe80::2e0:4cff:fe77:a1b6%6
   Default Gateway . . . . . . . . . : fe80::288:ff:fe10:b%6
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
# Ping the local unicast address of the link on the PC from the device, using the parameter -i to specify the interface corresponding to the local unicast address.
[Router-GigabitEthernet1/0/10] ping ipv6 fe80::2e0:4cff:fe77:a1b6 -i gigabitethernet1/0/10
  PING FE80::2E0:4CFF:FE77:A1B6: 56 data bytes, press CTRL_C to break
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=4 hop limit=64 time = 30 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- FE80::2E0:4CFF:FE77:A1B6 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/38/60 ms
# Ping the local unicast address of the EUI-64 site of the PC from the device.
[Router-GigabitEthernet1/0/10] ping ipv6 3000::78b3:4397:c0c4:f078
  PING 3000::78B3:4397:C0C4:F078 : 56 data bytes, press CTRL_C to break
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=1 hop limit=64 time = 30 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=4 hop limit=64 time = 20 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=5 hop limit=64 time = 40 ms
  --- 3000::78B3:4397:C0C4:F078 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/38/50 ms
----End

Configuration Files
Configuration file of Router
#
 sysname Router
#
 ipv6
#
interface GigabitEthernet1/0/10
 undo shutdown
 ipv6 enable
 ipv6 address 3000::/64 eui-64
 ipv6 address auto link-local
 ipv6 nd ra prefix 3000::/64 1000 1000
 undo ipv6 nd ra halt
#
return
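The addresses in 9.8.1 and 9.8.2 can be checked offline. The following Python sketch is an added example, not part of the Huawei guide: it derives the EUI-64 address from a MAC, recovers the MAC from an EUI-64 address (which shows that such addresses disclose the hardware address), and compares the "Joined group address(es)" with the solicited-node groups that the configured addresses require. All function names are assumptions made for this example; the address values are copied from the outputs in 9.8.2.

```python
import ipaddress

SOLICITED_NODE_NET = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def parse_addr(text):
    """Parse an IPv6 address, dropping a zone index such as %6."""
    return ipaddress.IPv6Address(text.split("%")[0])


def eui64_address(prefix, mac):
    """Build the address formed from a /64 prefix and a 48-bit MAC (EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if net.prefixlen != 64 or len(octets) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    # Flip the universal/local bit, then insert FF:FE between the two halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(address):
    """Return the MAC embedded in an EUI-64 address, or None.

    Heuristic: a randomly generated interface ID can contain FF:FE by chance.
    """
    iid = parse_addr(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)


def solicited_node(address):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits."""
    low24 = int(parse_addr(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(
        int(SOLICITED_NODE_NET.network_address) | low24)


def audit_interface(addresses, joined_groups):
    """Compare joined groups with the groups the listed addresses require."""
    expected = {solicited_node(a) for a in addresses}
    joined = {parse_addr(g) for g in joined_groups}
    solicited = {g for g in joined if g in SOLICITED_NODE_NET}
    return {
        # Address listed but its solicited-node group is not joined.
        "missing": sorted(expected - joined),
        # Group joined for an address that is not in the list.
        "unexplained": sorted(solicited - expected),
        "embedded_macs": {a: mac_from_address(a) for a in addresses},
    }


# Router GE 1/0/10, copied from the display output in 9.8.2.
ROUTER_ADDRESSES = ["FE80::2E0:FCFF:FE7D:A497", "3000::2E0:FCFF:FE7D:A497"]
ROUTER_GROUPS = ["FF02::1:FF7D:A497", "FF02::2", "FF02::1"]

# PC, copied from the adapter output in 9.8.2.
PC_MAC = "00-E0-4C-77-A1-B6"
PC_ADDRESSES = ["3000::78b3:4397:c0c4:f078", "3000::2e0:4cff:fe77:a1b6",
                "fe80::2e0:4cff:fe77:a1b6%6"]

if __name__ == "__main__":
    print("PC address from RA prefix:", eui64_address("3000::/64", PC_MAC))
    for address in PC_ADDRESSES:
        print(address, "-> embedded MAC:", mac_from_address(address))
    print("Router audit:", audit_interface(ROUTER_ADDRESSES, ROUTER_GROUPS))
```

The first PC address, 3000::78b3:4397:c0c4:f078, carries no FF:FE marker, so no MAC is recovered from it; the other two yield the adapter's Physical Address.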
10 IPv6 DNS Configuration

About This Chapter
This chapter describes the basic principle, configuration procedures, and configuration examples for IPv6 DNS.

10.1 IPv6 DNS Overview
This section describes the principle and concepts of IPv6 DNS.
10.2 Configuring IPv6 DNS
This section describes how to communicate with other devices using the domain name.
10.3 Maintaining IPv6 DNS
This section describes how to display IPv6 DNS configurations, clear IPv6 DNS statistics and debug IPv6 DNS.
10.4 Configuration Examples
This section provides several configuration examples of IPv6 DNS.

10.1 IPv6 DNS Overview
This section describes the principle and concepts of IPv6 DNS.
10.1.1 Introduction to IPv6 DNS
10.1.2 IPv6 DNS Supported by the NE80E/40E

10.1.1 Introduction to IPv6 DNS
IPv6 DNS has two resolution modes: dynamic IPv6 DNS resolution and static IPv6 DNS resolution.
To resolve a domain name, the system first uses static IPv6 DNS resolution. If this mode fails, the system uses dynamic IPv6 DNS resolution. To improve resolution efficiency, you can put common domain names in a static domain name resolution table.

10.1.2 IPv6 DNS Supported by the NE80E/40E
IPv6 domain name system (DNS) is similar to IPv4 DNS. For configurations of IPv4 DNS, refer to "DNS Configuration."

10.2 Configuring IPv6 DNS
This section describes how to communicate with other devices using the domain name.
10.2.1 Establishing the Configuration Task
10.2.2 Configuring a Static IPv6 DNS Entry
10.2.3 Configuring the Dynamic IPv6 DNS Services
10.2.4 Checking the Configuration

10.2.1 Establishing the Configuration Task

Applicable Environment
DNS needs to be configured if the local users log on to a device using domain names to communicate with other devices. The IPv6 DNS entries show the mapping between domain names and IPv6 addresses.
If users seldom use the domain name to access other devices, or if the DNS server is unavailable, a static DNS needs to be configured. To configure a static IPv6 DNS, the network administrator needs to know the relation between domain names and IPv6 addresses, and manually modify the IPv6 DNS entry when the relation changes.
If the users need to use the domain name to access many devices, and the DNS server is available, a dynamic DNS can be configured. The dynamic DNS needs to be supported by a DNS server.

Pre-configuration Tasks
Before configuring IPv6 DNS, configure the route between a local device and a DNS server.

Data Preparation
To configure IPv6 DNS, you need the following data.

No.  Data
1    Domain name of the static IPv6 DNS entry and the corresponding IPv6 address
2    IPv6 address of the IPv6 DNS server
3    Domain name of the dynamic IPv6 DNS or the domain name list

10.2.2 Configuring a Static IPv6 DNS Entry

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    ipv6 host host-name ipv6-address
The host name and the corresponding IPv6 address are configured.
If the same host is configured with IPv6 addresses several times, the IPv6 address configured earliest is used when the host needs to be found by its IPv6 address, for example, when this host is pinged.
----End

10.2.3 Configuring the Dynamic IPv6 DNS Services

Context
Configure the IPv6 DNS server on a device. If the IPv6 DNS server is configured with a link-local address, the interface name should also be configured with the IPv6 address.

Figure 10-1 DNS server connecting IPv4 and IPv6 networks
(DNS IPv4 client on the IPv4 link, DNS server, DNS IPv6 client on the IPv6 link)

CAUTION
If multiple DNS servers are configured, the servers are queried in the order of configuration until a proper response is received. If both IPv4 and IPv6 servers are configured, the A query is first sent to the IPv4 server, while AAAA query packets are first sent to the IPv6 server.

The DNS domains are configured on a device and the domain names can be searched. If the DNS fails in searching for a host name, it appends a domain name to the host name following a "." and continues the DNS search. You can configure some commonly used domain names like "com" and "net". For example, if the search for the host name "huawei" fails, the system then searches for "huawei.com" or "huawei.net".

Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    dns resolve
The dynamic domain name resolution is enabled.
Step 3 Run:
    dns server ipv6 ipv6-address [ interface-type interface-number ]
The IPv6 DNS server is configured.
Step 4 Run:
    dns server ipv6 source-ip ipv6-address
The IPv6 address of the local device is specified.
Step 5 Run:
    dns domain domain-name
The suffix of domain names is added.
After the source IPv6 address is specified for the local device, the local device uses the specified source IPv6 address to communicate with the IPv6 DNS server to ensure the security of check.
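The resolution order described in 10.1.1 and in this section (static table first, then the DNS servers, then the configured suffixes) decides which names leave the device and in what order. The following Python sketch is an added example, not Huawei code: it parses the DNS lines of the Router A configuration file from 10.4.1, flags the two conditions the text calls out (a link-local server without an interface, a host configured more than once), and traces the queries for a name. Assumptions of this example: the bare name is tried before the suffixes, suffixes are tried in configuration order, every server is asked for each candidate name, and host names compare case-insensitively. SAMPLE_ZONE and FAULTY_CONFIG are constructed inputs.

```python
import ipaddress

# DNS-related lines of the Router A configuration file in 10.4.1.
ROUTER_A_CONFIG = """\
ipv6 host RouterB 2001::2
ipv6 host RouterC 2002::3
dns resolve
dns server ipv6 2003::2
dns domain net
dns domain com
"""

# Constructed input containing the two mistakes the text describes.
FAULTY_CONFIG = """\
ipv6 host RouterB 2001::2
ipv6 host RouterB 2001::99
dns resolve
dns server ipv6 fe80::2
"""

# Constructed stand-in for the DNS server at 2003::2: the names it answers.
SAMPLE_ZONE = {"2003::2": {"huawei.com": "2002::1"}}


def parse_dns_config(text):
    """Collect static entries, servers and suffixes in configuration order."""
    cfg = {"static": {}, "resolve": False, "servers": [],
           "source_ip": None, "domains": [], "warnings": []}
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["ipv6", "host"] and len(w) == 4:
            name = w[2].lower()  # assumption: case-insensitive host names
            if name in cfg["static"]:
                # The address configured earliest is the one that is used.
                cfg["warnings"].append(
                    f"{w[2]}: {w[3]} is not used, earliest entry "
                    f"{cfg['static'][name]} wins")
            else:
                cfg["static"][name] = ipaddress.IPv6Address(w[3])
        elif w == ["dns", "resolve"]:
            cfg["resolve"] = True
        elif w[:4] == ["dns", "server", "ipv6", "source-ip"] and len(w) == 5:
            cfg["source_ip"] = ipaddress.IPv6Address(w[4])
        elif w[:3] == ["dns", "server", "ipv6"] and len(w) >= 4:
            server = ipaddress.IPv6Address(w[3])
            interface = " ".join(w[4:]) or None
            if server.is_link_local and interface is None:
                cfg["warnings"].append(
                    f"server {server} is link-local but has no interface")
            cfg["servers"].append((server, interface))
        elif w[:2] == ["dns", "domain"] and len(w) == 3:
            cfg["domains"].append(w[2].lower())
    return cfg


def resolve(name, cfg, zone):
    """Return (address or None, list of (server, query name) sent)."""
    key = name.lower()
    if key in cfg["static"]:
        return cfg["static"][key], []  # static hit: no query is sent
    if not cfg["resolve"]:
        return None, []
    queries = []
    for qname in [key] + [f"{key}.{d}" for d in cfg["domains"]]:
        for server, _interface in cfg["servers"]:
            queries.append((str(server), qname))
            answer = zone.get(str(server), {}).get(qname)
            if answer is not None:
                return ipaddress.IPv6Address(answer), queries
    return None, queries


if __name__ == "__main__":
    router_a = parse_dns_config(ROUTER_A_CONFIG)
    for host in ("RouterB", "huawei.com", "huawei"):
        address, sent = resolve(host, router_a, SAMPLE_ZONE)
        print(host, "->", address, "queries:", sent)
    print(parse_dns_config(FAULTY_CONFIG)["warnings"])
```

With the suffix order of 10.4.1 (net before com), the unqualified name huawei is queried as huawei, then huawei.net, then huawei.com.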
----End

10.2.4 Checking the Configuration

Prerequisite
The configurations of the IPv6 DNS function are complete.

Procedure
- Run the display ipv6 host command to check the static IPv6 DNS table.
- Run the display dns server command to check the configuration of the DNS server.
- Run the display dns domain command to check the configuration of the suffix list of the domain name.
- Run the display dns ipv6 dynamic-host command to check the cache of the dynamic domain name.
----End

Example
Run the display ipv6 host command. If the static IPv6 DNS entries, including the host name and the IPv6 address, are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ipv6 host
Host      Age    Flags     IPv6Address (es)
RTB       0      static    20::1
RTA       0      static    20::2

Run the display dns server command. If the IPv6 addresses of all DNS servers are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns server
IPv4 Dns Servers :
Domain-server     IpAddress
1                 169.254.65.125
IPv6 Dns Servers:
Domain-server     Ipv6Address     (Interface Name)
1                 3001::2
2                 FE80::2         GigabitEthernet6/0/0

Run the display dns domain command. If the suffixes of the domain names are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns domain
No     Domain-name
1      com
2      net

Run the display dns ipv6 dynamic-host command. If information about the cache of the dynamic domain name is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns ipv6 dynamic-host
No     Domain-name     Ipv6address     TTL
1      huawei6         3001::2         6

10.3 Maintaining IPv6 DNS
This section describes how to display IPv6 DNS configurations, clear IPv6 DNS statistics and debug IPv6 DNS.
10.3.1 Clearing IPv6 DNS Entries
10.3.2 Monitoring Network Operation Status of IPv6 DNS

10.3.1 Clearing IPv6 DNS Entries

Context
CAUTION
IPv6 DNS entries cannot be restored after being cleared. So, confirm the action before you use this command.

Procedure
Step 1 Run the reset dns ipv6 dynamic-host command in the user view to clear dynamic IPv6 DNS entries statistics in the domain name cache.
----End

10.3.2 Monitoring Network Operation Status of IPv6 DNS

Context
In routine maintenance, you can run the following commands in any view to check the operation of IPv6 DNS.

Procedure
- Run:
    display dns domain
  Domain names are checked.
- Run:
    display dns server
  Configurations of the DNS server are checked.
- Run:
    display dns ipv6 dynamic-host
  Contents about the cache of the IPv6 dynamic domain names are checked.
- Run:
    display ipv6 host
  The static DNS table is checked.
----End

10.4 Configuration Examples
This section provides several configuration examples of IPv6 DNS.
10.4.1 Example for Configuring IPv6 DNS

10.4.1 Example for Configuring IPv6 DNS

Networking Requirements
As shown in Figure 10-2, Router A, functioning as the IPv6 DNS client and working jointly with the IPv6 DNS server, can access the host with the IP address 2002::1/64 based on the domain name huawei.com.
On Router A, the static IPv6 DNS entries of Router B and Router C are configured. This ensures that Router A can manage both the routers based on the domain names RouterB and RouterC.
Figure 10-2 Networking diagram of IPv6 DNS configurations
(RouterA, DNS Client: GE1/0/0 2001::1/64. RouterB: GE1/0/1 2001::2/64, GE1/0/0 2002::2/64. RouterC: GE1/0/0 2002::3/64, GE1/0/1 2003::1/64. DNS Server: 2003::2/64. huawei.com: 2002::1/64.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static IPv6 DNS entries.
2. Enable the DNS resolution function.
3. Configure IPv6 address of the IPv6 DNS server.
4. Set the domain name suffix.

Data Preparation
To complete the configuration, you need the following data:
- Domain names of Router B and Router C
- IPv6 address of the IPv6 DNS server
- Domain name suffix

Procedure
Step 1 Configure Router A.
# Configure static IPv6 DNS entries.
<RouterA> system-view
[RouterA] ipv6 host RouterB 2001::2
[RouterA] ipv6 host RouterC 2002::3
# Enable the DNS resolution function.
[RouterA] dns resolve
# Configure the IPv6 address of the IPv6 DNS server.
[RouterA] dns server ipv6 2003::2
# Set the domain name suffix to ".net".
[RouterA] dns domain net
# Set the domain name suffix to ".com".
[RouterA] dns domain com
[RouterA] quit
NOTE
To resolve the domain name, you also need to configure the route from Router A to the IPv6 DNS server. For details of how to configure the route, refer to the NE80E/40E Router Configuration Guide - IP Routing.
Step 2 Verify the configuration.
# Run the ping ipv6 huawei.com command on Router A. You can find that the Ping operation succeeds, and the destination IP address is 2002::1.
<RouterA> ping ipv6 huawei.com
 Resolved Host ( huawei.com -> 2002::1)
  PING huawei.com : 56 data bytes, press CTRL_C to break
    Reply from 2002::1: bytes=56 Sequence=1 ttl=126 time=6 ms
    Reply from 2002::1: bytes=56 Sequence=2 ttl=126 time=4 ms
    Reply from 2002::1: bytes=56 Sequence=3 ttl=126 time=4 ms
    Reply from 2002::1: bytes=56 Sequence=4 ttl=126 time=4 ms
    Reply from 2002::1: bytes=56 Sequence=5 ttl=126 time=4 ms
  --- huawei.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/4/6 ms
# Run the display ipv6 host command on Router A. You can view the mapping relationships between the host names in static IPv6 DNS entries and the IPv6 addresses.
<RouterA> display ipv6 host
Host        Age    Flags     IPv6Address (es)
RouterB     0      static    2001::2
RouterC     0      static    2002::3
Run the display dns ipv6 dynamic-host command on Router A. You can view information about dynamic IPv6 DNS entries in the dynamic cache.
<RouterA> display dns ipv6 dynamic-host
No     Domain-name     Ipv6address     TTL
1      huawei.com      2002::1         3579
NOTE
TTL in the command output indicates the life time of the entry, in seconds.
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
 ipv6
#
 ipv6 host RouterB 2001::2
 ipv6 host RouterC 2002::3
#
 dns resolve
 dns server ipv6 2003::2
 dns domain net
 dns domain com
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001::1/64
 ripng 1 enable
#
ripng 1
#
return
- Configuration file of Router B
#
 sysname RouterB
#
 ipv6
#
interface GigabitEthernet1/0/1
 undo shutdown
 ipv6 enable
 ipv6 address 2001::2/64
 ripng 1 enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002::2/64
 ripng 1 enable
#
ripng 1
#
return
- Configuration file of Router C
#
 sysname RouterC
#
 ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 address 2002::3/64
 ripng 1 enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ipv6 address 2003::1/64
 ripng 1 enable
#
ripng 1
#
return

11 ACL6 Configuration

About This Chapter
This chapter describes the ACL6 fundamentals, classifications and configuration steps for ACL6, and IPv6 packet filtering, along with typical examples.

11.1 ACL6 Overview
This section describes basic concept and parameters of ACL6.
11.2 Configuring an Interface-based ACL6
This section describes how to configure the interface-based ACL6.
11.3 Configuring a Basic ACL6
This section describes how to configure a basic ACL6.
11.4 Configuring an Advanced ACL6
This section describes how to configure an advanced ACL6.
11.5 Configuring a Named ACL6
This section describes how to configure the Named ACL6.
11.6 Maintaining ACL6
This section describes how to maintain ACL6.
11.7 Configuration Examples
This section provides several configuration examples of ACL6.
11.1 ACL6 Overview
This section describes basic concept and parameters of ACL6.
11.1.1 Introduction to ACL6
11.1.2 ACL6 Supported by the NE80E/40E

11.1.1 Introduction to ACL6
To filter data packets, you need to define a series of Access Control List (ACL) rules on the device. After ACL rules are applied to interfaces, the device classifies the received data packets and determines whether to forward or discard packets.
NOTE
In this manual, ACL applies to filter IPv4 packets and ACL6 applies to filter IPv6 packets.

11.1.2 ACL6 Supported by the NE80E/40E
ACL6 is classified into the following types based on application goals:
- Basic ACL6: classifies data packets only based on the source IP addresses.
- Advanced ACL6: classifies data packets in more detail based on the source and destination IP addresses, source and destination port numbers, and protocol type.
- Interface-based ACL6: classifies data packets based on the interfaces that receive packets.

11.2 Configuring an Interface-based ACL6
This section describes how to configure the interface-based ACL6.
11.2.1 Establishing the Configuration Task
11.2.2 (Optional) Configuring the Valid Time Range of ACL6
11.2.3 Creating an Interface-based ACL6
11.2.4 Checking the Configuration

11.2.1 Establishing the Configuration Task

Applicable Environment
An ACL6 can be applied to the following tasks:
- Configuring the packet filtering policy
- Configuring the policy-based routing
- Configuring the routing policy

Pre-configuration Tasks
Before configuring ACL6, complete the following task:
- Starting the device normally

Data Preparation
To configure an ACL6, you need the following data:
No.
Data
1    (Optional) Name of the time range in which the Interface-based ACL6 takes effect and the start time and end time of the time range
2    ACL6 number, permit or deny rules
3    Type and number of the interface where the ACL6 is applied

11.2.2 (Optional) Configuring the Valid Time Range of ACL6

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created.
----End

11.2.3 Creating an Interface-based ACL6

Context
The range of acl6-number of an interface-based ACL6 is 1000 to 1999.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
The interface-based ACL6 is created and the corresponding view is displayed.
Step 3 Run:
    rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any } [ logging | time-range time-name ]*
ACL6 rules are defined.
----End

11.2.4 Checking the Configuration

Prerequisite
The configurations of the interface-based ACL6 function are complete.

Procedure
- Run the display acl ipv6 { acl6-number | all } command to check the ACL6 rules.
- Run the display statistics acl ipv6 { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
After the configuration, run the preceding command. You can view ACL6 number, ACL6 step, contents of the rules, and matching times of the rules.
<HUAWEI> display acl ipv6 1000
Interface Based IPv6 ACL 1000, 1 rule
Acl's step is 5
 rule 5 permit interface Pos4/0/0

After the preceding configurations, run the display statistics acl ipv6 control-plane command to view the statistics about the packets matching ACL6 in soft forwarding.

<HUAWEI> display statistics acl ipv6 1000 control-plane
Interface Based IPv6 ACL 1000, 3 rules
 rule 0 deny interface any (1035 times matched)
 rule 1 permit interface Pos6/0/3 (586 times matched)
 rule 2 permit interface GigabitEthernet3/0/11 (103 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

11.3 Configuring a Basic ACL6

This section describes how to configure a basic ACL6.

11.3.1 Establishing the Configuration Task

Applicable Environment
An ACL6 can be applied to the following tasks:
- Configuring the packet filtering policy
- Configuring the policy-based routing
- Configuring the routing policy

Pre-configuration Tasks
Before configuring an ACL6, start the device normally.

Data Preparation
To configure an ACL6, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the basic ACL takes effect and the start time and end time of the time range
2    ACL6 number, permit or deny rules, source IP address

11.3.2 (Optional) Configuring the Valid Time Range of ACL6

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created.
This configuration task is used to create a time range. Multiple time ranges with the same name can be created.
----End

11.3.3 Creating a Basic ACL6

Context
The range of acl6-number of a basic ACL6 is 2000 to 2999.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
A basic ACL6 is created and the basic ACL6 view is displayed.
Step 3 Run:
    rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn6-instance vpn6-instance-name ] *
ACL6 rules are defined.
Rules of a basic ACL6 are defined based only on the source IP address.
----End

11.3.4 Checking the Configuration

Prerequisite
The configurations of the Basic ACL6 function are complete.

Procedure
- Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6 rule.
- Run the display statistics acl ipv6 { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
Run the display acl ipv6 command. If the ACL6 number, the number of rules, detailed step description, and ACL6 rules are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display acl ipv6 2200
Basic IPv6 ACL 2200, 1 rule
Acl's step is 5
 rule 5 permit

After the preceding configurations, run the display statistics acl ipv6 control-plane command to view the statistics about the packets matching ACL6 in soft forwarding.

<HUAWEI> display statistics acl ipv6 2200 control-plane
Basic IPv6 ACL 2200, 3 rules
 rule 0 permit source 2030:5060::9050/64 (235 times matched)
 rule 1 deny source 4050:7080::4060/96 (560 times matched)
 rule 80 permit source FE80::9040/32 (729 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

11.4 Configuring an Advanced ACL6

This section describes how to configure an advanced ACL6.
11.4.1 Establishing the Configuration Task

Applicable Environment
An ACL6 can be applied to the following tasks:
- Configuring the packet filtering policy
- Configuring the policy-based routing
- Configuring the routing policy

Pre-configuration Tasks
Before configuring an ACL6, complete the following task:
- Starting the device normally

Data Preparation
To configure an ACL6, you need the following data:

No.  Data
1    (Optional) Name of the time range in which the advanced ACL takes effect and the start time and end time of the time range
2    ACL6 number, permit or deny rules
3    Protocol type, source and destination port numbers, source and destination IP addresses, whether fragments are matched, ICMP message type and code, priority, ToS, and valid time

11.4.2 (Optional) Configuring the Valid Time Range of ACL6

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created.
This configuration task is used to create a time range. Multiple time ranges with the same name can be created.
----End

11.4.3 Creating an Advanced ACL6

Context
The range of acl6-number of an advanced ACL6 is 3000 to 3999.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
The advanced ACL6 is created and the advanced ACL6 view is displayed.
Step 3 Perform the following configuration as required.
- When protocol is specified as TCP or UDP
  Run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | tos tos | vpn6-instance vpn6-instance-name ] *
  ACL6 rules are defined.
- When protocol is specified as ICMPv6
  Run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos | vpn6-instance vpn6-instance-name ] *
  ACL6 rules are defined.
- When protocol is specified as a protocol other than TCP, UDP, and ICMPv6
  Run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos | vpn6-instance vpn6-instance-name ] *
  ACL6 rules are defined.
----End

11.4.4 Checking the Configuration

Prerequisite
The configurations of the Advanced ACL6 function are complete.
Procedure
- Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6 rule.
- Run the display statistics acl ipv6 { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
Run the display acl ipv6 command. If the ACL6 number, the number of rules, detailed step description, and ACL6 rules are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display acl ipv6 3100
Advanced IPv6 ACL 3100, 3 rules,
 rule 0 permit icmpv6
 rule 1 permit ipv6 source 3001::/16 destination 4001::/16
 rule 2 permit tcp source 5001::/16

After the preceding configurations, run the display statistics acl ipv6 control-plane command to view the statistics about the packets matching ACL6 in soft forwarding.

<HUAWEI> display statistics acl ipv6 3000 control-plane
Advanced IPv6 ACL 3000, 1 rule
 rule 1 permit ipv6 source 4001::/16 (137 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

11.5 Configuring a Named ACL6

This section describes how to configure the Named ACL6.

11.5.1 Establishing the Configuration Task
Application Environment
An ACL6 can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types.
Named ACL6s are advanced ACL6s because you need to define rules for the named ACL6s by specifying the source IP address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP protocol type and code.

Pre-configuration Tasks
None.

Data Preparation
To configure a named ACL6, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the named ACL6 takes effect and the start time and end time of the time range
2    Rule ID of the named ACL6, permit or deny rule, and source IP address
3    IP bearer protocol type, source and destination ports, destination IP address, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule
4    (Optional) Description of the named ACL6
5    (Optional) Step of the named ACL6

11.5.2 (Optional) Configuring the Valid Time Range of ACL6

Context
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created.
This configuration task is used to create a time range. Multiple time ranges with the same name can be created.
----End

11.5.3 Creating a Named ACL6

Context
A named ACL6 is an advanced ACL6 and its acl-number ranges from 42768 to 45767.
Do as follows on the router:

Procedure
Step 1 Run:
    system-view
The system view is displayed.
Step 2 Run:
    acl ipv6 name acl-name [ number acl-number ] [ match-order { auto | config } ]
A named ACL6 is created and the named ACL view is displayed.
Step 3 Perform the following steps as required to configure rules for the named ACL6:
- When protocol is TCP or UDP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | precedence precedence | tos tos ] *
  syn-flag syn-flag needs to be specified only when TCP is used.
- When protocol is ICMP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
- When protocol is not TCP, UDP, or ICMP, run:
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
    rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
Configure different advanced ACLs on the device for different protocols over IP. Different protocols have different parameter combinations. For example, TCP and UDP have the optional parameters [ source-port operator port ] [ destination-port operator port ] while other protocols do not.
----End

11.5.4 Checking the Configuration

Prerequisite
The configurations of the ACL6 function are complete.

Procedure
- Run the display acl ipv6 name acl-name command to check the configured ACL6 rule.
- Run the display statistics acl ipv6 { acl-number | all | name acl-name } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End

Example
# Check the configurations of the named ACL6 whose name is test.

<HUAWEI> display acl ipv6 name test
Advanced IPv6 Name ACL test, 1 rule
Acl's step is 5
 rule 5 permit ip

# View the statistics about the packets matching ACL6 3000 in soft forwarding.

<HUAWEI> display statistics acl ipv6 3000 control-plane
Advanced IPv6 ACL 3000, 1 rule
 rule 0 permit ipv6 (335 times matched)

# View the statistics about the packets matching ACL6 named test in soft forwarding.

<HUAWEI> display statistics acl ipv6 name test control-plane
Advanced IPv6 ACL test, 2 rules,
 rule 0 permit 1 (10 times matched)
 rule 1 permit ipv6 (23 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds.
For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

11.6 Maintaining ACL6

This section describes how to maintain ACL6.

11.6.1 Clearing ACL6 Statistics

Context
CAUTION
Statistics cannot be restored after they are cleared. Confirm the action before you use the command.

Procedure
Step 1 Run the reset acl ipv6 counter { acl6-number | name acl-name | all } command in the user view to clear the ACL6 counter.
----End

11.6.2 Monitoring Network Operation Status of ACL6

Context
In routine maintenance, you can run the following commands in any view to check the operation of ACL6.

Procedure
- Run the display acl ipv6 { acl6-number | name acl-name | all } command in any view to check the configured ACL6 rules.
- Run the display statistics acl ipv6 { acl-number | all | name acl-name } control-plane command in any view to check the statistics about the packets matching ACL6 in soft forwarding.
----End

11.7 Configuration Examples

This section provides several configuration examples of ACL6.

11.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets

Networking Requirements
As shown in Figure 11-1, Router A and Router B are connected through POS interfaces.
Configure ACL6 rules on Router A to prevent the IPv6 packets with the source IP address 3001::2 from entering POS1/0/0 of Router A.

Figure 11-1 Networking diagram of configuring an ACL6 to filter IPv6 packets
(Labels: RouterA POS1/0/0 3001::1/64; RouterB POS1/0/0 3001::2/64, Loopback2 3002::2/64)

Configuration Roadmap
The configuration roadmap is as follows:
1. Define an ACL6 number.
2. Define rules in the ACL6.
3. Set the traffic classifier, behavior, and policy.

Data Preparation
To complete the configuration, you need the following data:
- ACL6 number
- Source IPv6 address denied by the ACL6 rule

Procedure
Step 1 Enable IPv6 forwarding capabilities on Router A and Router B, configure interface parameters, and check connectivity between them.

# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ipv6 enable
[RouterA-Pos1/0/0] ipv6 address 3001::1 64
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit

# Configure a static route on Router A.
[RouterA] ipv6 route-static 3002:: 64 3001::2

# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface loopback 2
[RouterB-LoopBack2] ipv6 enable
[RouterB-LoopBack2] ipv6 address 3002::2 64
[RouterB-LoopBack2] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ipv6 enable
[RouterB-Pos1/0/0] ipv6 address 3001::2 64
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

# Ping POS 1/0/0 of Router A from POS 1/0/0 of Router B.
[RouterB] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 30 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/40/80 ms

The ping succeeds without timeout or abnormal delay.

# Ping POS 1/0/0 of Router A from loopback2 of Router B.
[RouterB] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 30 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 20 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 20 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/36/60 ms

The ping succeeds without timeout or abnormal delay.

Step 2 Create an ACL6 rule and apply the rule on the interface to block the IPv6 packets from 3001::2.

# Configure Router A.
[RouterA] acl ipv6 number 3001
[RouterA-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[RouterA-acl6-adv-3001] quit
[RouterA] traffic classifier bb
[RouterA-classifier-bb] if-match ipv6 acl 3001
[RouterA-classifier-bb] quit
[RouterA] traffic behavior aa
[RouterA-behavior-aa] permit
[RouterA-behavior-aa] quit
[RouterA] traffic policy cc
[RouterA-trafficpolicy-cc] classifier bb behavior aa
[RouterA-trafficpolicy-cc] quit
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] traffic-policy cc inbound
[RouterA-Pos1/0/0] quit

Step 3 Verify the configuration.

# Ping POS 1/0/0 of Router A from POS 1/0/0 of Router B.
[RouterB] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

The ping fails.

# Ping POS 1/0/0 of Router A from loopback2 of Router B.
[RouterB] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 30 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/48/80 ms

The ping succeeds without timeout or abnormal delay.
----End

Configuration Files
- Configuration file of Router A
#
 sysname RouterA
#
 ipv6
#
acl ipv6 number 3001
 rule 0 deny ipv6 source 3001::2/128
#
traffic classifier bb operator or
 if-match ipv6 acl 3001
#
traffic behavior aa
#
traffic policy cc
 undo share-mode
 classifier bb behavior aa
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 traffic-policy cc inbound
 ipv6 enable
 ipv6 address 3001::1/64
#
 ipv6 route-static 3002:: 64 3001::2
#
return

- Configuration file of Router B
#
 sysname RouterB
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3001::2/64
#
interface LoopBack2
 ipv6 enable
 ipv6 address 3002::2/64
#
return

12 IPv6 over IPv4 Tunnel Configuration

About This Chapter

This chapter describes the IPv6 over IPv4 tunnel fundamentals. It also describes configuration steps for IPv6 over IPv4 tunnel configuration, along with typical examples.

12.1 IPv6 over IPv4 Tunnel Overview
This section describes the basic principles and concepts of IPv6 over IPv4 tunnel.
12.2 Configuring IPv4/IPv6 Dual Stacks
This section describes how to enable the IPv4/IPv6 dual protocol stacks.
12.3 Configuring an IPv6 over IPv4 Tunnel
This section describes how users in IPv6 networks communicate across an IPv4 network.
12.4 Configuring 6PE
This section describes how users in IPv6 networks communicate across the existing MPLS network.
12.5 Maintaining IPv6 over IPv4 Tunnels
This section describes how to debug the IPv6 tunnel.
12.6 Configuration Examples
This section provides several configuration examples of IPv6 over IPv4 tunnels.

12.1 IPv6 over IPv4 Tunnel Overview

This section describes the basic principles and concepts of IPv6 over IPv4 tunnel.
12.1.1 Introduction to IPv6 over IPv4

During the transition from the IPv4 Internet to the IPv6 Internet, IPv4 networks have been widely deployed while IPv6 domains are isolated and dispersed around the world. It is not economical to connect these isolated sites with private lines. The usual method is tunnel technology, which creates tunnels over IPv4 networks to connect isolated IPv6 domains. This is similar to the way tunnel technology is used to deploy VPNs on IP networks. The tunnel used to connect isolated IPv6 domains over IPv4 networks is called an IPv6 over IPv4 tunnel.

To implement this tunnel, enable IPv4/IPv6 dual stacks on the devices at the border of the IPv4 network and the IPv6 network.

12.1.2 IPv6 over IPv4 Supported by the NE80E/40E

Dual Stacks
The simplest way for an IPv6 node to remain compatible with an IPv4 node is to reserve a complete IPv4 protocol stack. In this way, the IPv6 node maintains a dual-stack structure. Figure 12-1 shows a single stack structure and a dual stack structure.

Figure 12-1 Single stack and dual stack structures (Ethernet)
(IPv4 stack: IPv4 application, TCP/UDP, IPv4, Ethernet with protocol ID 0x0800. Dual stack: IPv4/IPv6 application, TCP/UDP, IPv4 and IPv6, Ethernet with protocol IDs 0x0800 and 0x86DD.)

The characteristics of the dual-stack structure are as follows:
- Supported by multiple link layer protocols
  Multiple link layer protocols, such as Ethernet, support dual stacks. The link layer in the above diagram is Ethernet. In an Ethernet frame, a protocol ID field value of 0x0800 indicates that the network layer carries IPv4 packets, and a value of 0x86DD indicates that the network layer carries IPv6 packets.
- Supported by multiple applications
  Multiple applications such as DNS, FTP and Telnet support dual stacks. The upper application, such as DNS, can select TCP or UDP as its transport layer protocol. However, it prefers the IPv6 protocol stack over IPv4 as the network layer protocol.

IPv6 over IPv4 Tunnel
Figure 12-2 shows the principles of the IPv6 over IPv4 tunnel technology.
1. Enabling IPv4/IPv6 dual stacks
   Enable IPv4/IPv6 dual stacks on the border device.
2. Encapsulating IPv6 packets
   After receiving a packet from the IPv6 network, the border device checks the destination of the packet. If the packet is not destined for the device itself, the device takes the received IPv6 packet as the payload, adds an IPv4 packet header before the payload, and thus encapsulates it into an IPv4 packet.
3. Transmitting the encapsulated packet
   In the IPv4 network, the encapsulated packet is transmitted to the peer border device.
4. Decapsulating the packet
   The peer border device decapsulates the packet, removes the IPv4 packet header, and forwards the resulting IPv6 packet to the remote IPv6 network.

Figure 12-2 Schematic diagram of IPv6 over IPv4 tunnel
(IPv6 host, dual stack router, IPv4 tunnel, dual stack router, IPv6 host. Outside the tunnel the packet is IPv6 header + IPv6 data; inside the tunnel it is IPv4 header + IPv6 header + IPv6 data.)

The virtual tunnel that transmits IPv6 packets between the border devices is called the IPv6 over IPv4 tunnel.
Tunnels can be classified according to their setup modes. The common IPv6 over IPv4 tunnel modes include:
- IPv6 over IPv4 manual tunnels
- IPv6 over IPv4 GRE tunnels (GRE tunnels)
- IPv6 over IPv4 automatic tunnels
- 6to4 tunnels
- Intrasite Automatic Tunnel Addressing Protocol (ISATAP) tunnels
IPv6 over IPv4 Manual Tunnel
An IPv6 over IPv4 manual tunnel is set up by configuring the border devices at the two tunnel ends. The source IPv4 address and destination IPv4 address of such a tunnel must be configured statically.
A manual tunnel is equivalent to a permanent link between two IPv6 networks over an IPv4 backbone network. It is the fixed channel for regular and secure communication between the two border devices.
The manual tunnel can be used between isolated IPv6 networks. It can also be used between a border device and a host. In this case, the host and the device at both ends of the tunnel must support the IPv4 and the IPv6 protocol stacks.

IPv6 over IPv4 GRE Tunnel
IPv6 traffic can be carried over IPv4 GRE tunnels. When carrying IPv6 traffic, the IPv4 GRE tunnels are called IPv6 over IPv4 GRE tunnels (GRE tunnels for short).
Like the IPv6 over IPv4 manual tunnel, a GRE tunnel is a link between two nodes, with a separate tunnel for each link. GRE tunnels are not tied to a specific passenger or transport protocol; in this case they carry IPv6 as the passenger protocol and use GRE as the carrier protocol.
The GRE tunnel is also manually created on the border devices at both ends of the tunnel. You need to statically specify the source IPv4 address and destination IPv4 address of the GRE tunnel. Unlike the manual tunnel, the GRE tunnel can be set to check the GRE packet header and to authenticate the tunnel keyword to enhance the tunnel security.
The GRE tunnel is used to connect border devices, or to connect a border device and a host system. Both the host and the device at the ends of the tunnel must support the IPv4 and the IPv6 protocol stacks.

IPv6 over IPv4 Automatic Tunnel
To create an IPv6 over IPv4 automatic tunnel, you need a special kind of IPv6 address, namely an IPv4-compatible IPv6 address.
The format of the IPv4-compatible IPv6 address is as follows:

    0:0:0:0:0:0:IPv4-address

Its high-order 96 bits are all 0s, and its low-order 32 bits form an IPv4 address. This IPv4 address must be reachable in the IPv4 network, and cannot be a multicast address, a broadcast address, a loopback address or an unspecified address (0.0.0.0).
To configure an automatic tunnel, specify just the source address of the tunnel on a border device or a host. The destination address of the tunnel is automatically obtained from the destination IP address field carried in the original IPv6 packet.
The IPv6 over IPv4 automatic tunnel is usually used when an isolated IPv4/IPv6 dual stack host needs to access a remote IPv6 network over an IPv4 network. The automatic tunnel needs to be configured between the isolated IPv4/IPv6 host and the IPv4/IPv6 device.
When setting up an automatic tunnel, configure the IPv4-compatible IPv6 address on both ends of the tunnel. The IPv4-compatible IPv6 address depends on the IPv4 address of the physical interface of the tunnel. Because IPv4 addresses are in short supply, this tunnel mode has certain limitations.

6to4 Tunnel
A 6to4 tunnel is a mechanism that connects several isolated IPv6 domains to each other over an IPv4 network.
The 6to4 tunnel can be configured on the border device between the isolated IPv6 network and the IPv4 network. The border devices at both ends of the 6to4 tunnel must support the IPv4 and the IPv6 protocol stacks at the same time.
The key difference between the 6to4 tunnel and the manual tunnel is that the former can be a point-to-multipoint connection, and the latter is only a point-to-point connection. Hence, the devices of the 6to4 tunnel are not configured in pairs.
The 6to4 tunnel can automatically find the other end of the tunnel, like the automatic tunnel. You need not specify the IPv4-compatible IPv6 address for it. The 6to4 tunnel uses a special kind of IPv6 address, namely the 6to4 address, with the following format:

    2002:IPv4 address:subnet ID:interface ID

The prefix of the 6to4 address is 2002:IPv4 address, with a length of 48 bits. Of these, the IPv4 address is a globally unique one requested for an isolated IPv6 domain. This IPv4 address must be configured on the physical interface of the IPv6/IPv4 border device that is connected with the IPv4 network. The length of the subnet ID is 16 bits, and that of the interface ID is 64 bits. Both the subnet ID and the interface ID are allocated in the isolated IPv6 domains.

As shown in Figure 12-3, Site1 and Site2 are 6to4 networks, and hosts and devices in the 6to4 network are allocated 6to4 addresses. The IPv4 address contained in the 6to4 address of the host or device in Site1 is the IPv4 address of the interface through which Router A accesses the IPv4 network. Similarly, the IPv4 address contained in the 6to4 address of the host or device in Site2 is the IPv4 address of the interface through which Router B accesses the IPv4 network. Router A and Router B are both 6to4 devices.

Figure 12-3 6to4 tunnel and 6to4 relay
[Figure labels: 6to4 network Site1 with 6to4 router RouterA; 6to4 network Site2 with 6to4 router RouterB; IPv4 network; 6to4 relay RouterC; IPv6 Internet; Site3]

When the host in Site1 accesses the host in Site2, the process is as follows:

1. The IPv6 packet is transmitted to Router A.
2. Router A checks the destination address of the IPv6 packet and finds that the address is a 6to4 address, from which Router A obtains the remote IPv4 address of the 6to4 tunnel.
3. Router A encapsulates this IPv6 packet into an IPv4 packet. The destination address of the IPv4 packet header is the remote IPv4 address of the tunnel, and its source address is the local IPv4 address of the tunnel.
4. Router A forwards the IPv4 packet in the IPv4 network to Router B.
5. Router B decapsulates it to obtain the original IPv6 packet, and then sends the IPv6 packet to the destination host in Site2.

The above process implements the communication between the 6to4 networks. To implement the communication between the 6to4 network and a native IPv6 network, a 6to4 relay device is needed. A native IPv6 network is one whose internal hosts and devices are not configured with 6to4 addresses. The 6to4 relay device is the gateway between the 6to4 network and the native IPv6 network. One side of the 6to4 relay device is connected to the native IPv6 network; the other side is connected to the IPv4 network and creates the 6to4 tunnel with the 6to4 device.

As shown in Figure 12-3, when the host in the 6to4 network accesses the IPv6 Internet, the process is as follows:

1. The IPv6 packet is routed to Router A.
2. A 6to4 tunnel is created between Router A and Router C.
3. The IPv6 packet is encapsulated into an IPv4 packet and is sent to Router C.
4. Router C decapsulates the IPv4 packet to obtain the original IPv6 packet, and sends the IPv6 packet to the destination host in the IPv6 Internet.

ISATAP Tunnel

The ISATAP tunnel is used when an IPv4/IPv6 host in an IPv4 network accesses an IPv6 network. The ISATAP tunnel can be created between an ISATAP host and an ISATAP device.

An address in the ISATAP format is needed to create the ISATAP tunnel. Its structure is as follows:

    Prefix (64bit)::5EFE:IPv4-Address

When the ISATAP tunnel is created (since the IPv4/IPv6 host and the ISATAP device are in the same IPv4 network), the IPv4 address embedded into the ISATAP address can be either a public network address or a private network address.
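The IPv4-compatible, 6to4 and ISATAP formats described above all embed the IPv4 tunnel endpoint in the IPv6 address, so the endpoint a packet will be tunnelled to can be recovered from the address alone when auditing configurations or traffic. The following Python code is an added example, not part of the Huawei guide; the function names are hypothetical, the sample list mixes addresses shown in this chapter with constructed ones, and applying the IPv4-compatible address restrictions to the other two formats is an assumption.

```python
import ipaddress

SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
ISATAP_MARK = 0x00005EFE   # bits 64..95 of Prefix(64bit)::5EFE:IPv4-Address
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def embedded_ipv4(text):
    """Return (tunnel_kind, IPv4Address), or None when no IPv4 address is embedded."""
    addr = ipaddress.IPv6Address(text)
    value = int(addr)
    # 6to4 is tested first, so an ISATAP interface ID under 2002::/16 reports as 6to4.
    if addr in SIXTO4_NET:                          # 2002:IPv4:subnet ID:interface ID
        return "6to4", ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    if (value >> 32) & 0xFFFFFFFF == ISATAP_MARK:   # Prefix::5EFE:IPv4
        return "isatap", ipaddress.IPv4Address(value & 0xFFFFFFFF)
    # 0:0:0:0:0:0:IPv4; "::" and "::1" are IPv6 special addresses, not tunnel addresses
    if value >> 32 == 0 and not (addr.is_unspecified or addr.is_loopback):
        return "ipv4-compatible", ipaddress.IPv4Address(value)
    return None


def endpoint_problem(kind, v4):
    """Check the embedded IPv4 address; None means no objection was found."""
    # The guide lists these four exclusions for IPv4-compatible addresses;
    # applying them to 6to4 and ISATAP as well is an assumption of this example.
    if v4.is_unspecified:
        return "unspecified address"
    if v4.is_loopback:
        return "loopback address"
    if v4.is_multicast:
        return "multicast address"
    if v4 == LIMITED_BROADCAST:
        return "broadcast address"
    # The guide requires a globally unique IPv4 address in a 6to4 prefix,
    # while ISATAP may embed a public or a private address.
    if kind == "6to4" and not v4.is_global:
        return "not globally unique"
    return None


def isatap_address(prefix, ipv4):
    """Combine a 64-bit ISATAP prefix with 5EFE:IPv4-Address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP prefix must be 64 bits long")
    iid = (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def sixto4_prefix(ipv4):
    """Build the 48-bit 6to4 prefix 2002:IPv4-address::/48 for a border device."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def audit(addresses):
    """Map each IPv6 address to (kind, embedded IPv4, problem), or None."""
    report = {}
    for text in addresses:
        hit = embedded_ipv4(text)
        if hit is None:
            report[text] = None
            continue
        kind, v4 = hit
        report[text] = (kind, str(v4), endpoint_problem(kind, v4))
    return report


SAMPLES = [
    "FE80::5EFE:0201:0101",   # ISATAP link-local address from Figure 12-4
    "3FFE::5EFE:0201:0101",   # ISATAP global address from Figure 12-4
    "::2.1.1.2",              # IPv4-compatible address from the display output
    "2002:201:102::1",        # constructed 6to4 address embedding 2.1.1.2
    "2002:c0a8:3202::1",      # constructed 6to4 address embedding 192.168.50.2
    "::127.0.0.1",            # constructed: embeds a loopback address
    "3001::1",                # tunnel interface address from 12.6.1, nothing embedded
]

if __name__ == "__main__":
    for address, finding in audit(SAMPLES).items():
        print(f"{address:24} {finding}")
```
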
As shown in Figure 12-4, the process for an IPv4/IPv6 host to obtain an IPv6 address is as follows:

1. The IPv4/IPv6 host sends a request message to a device.
   The IPv4/IPv6 host uses the link-local address in the ISATAP format to send a router request message to the ISATAP device. It encapsulates the message into an IPv4 packet.
2. The ISATAP device responds to the request message.
   The ISATAP device uses a router notification message to respond to the request. The router notification message contains the ISATAP prefix, which is manually configured on the device.
3. The IPv4/IPv6 host obtains its IPv6 address.
   The IPv4/IPv6 host obtains its own IPv6 address by combining the ISATAP prefix with 5EFE:IPv4-Address, and uses this address to access the IPv6 host.

Figure 12-4 ISATAP tunnel
[Figure labels: IPv4 network; ISATAP tunnel; IPv6 network; IPv4/IPv6 host 2.1.1.1 with FE80::5EFE:0201:0101 and 3FFE::5EFE:0201:0101; ISATAP router; IPv6 host]

The principle of an IPv4 or IPv6 host accessing an IPv6 network is as follows:

1. The IPv4 or IPv6 host in the IPv4 network obtains an IPv6 address based on the steps given above.
2. The IPv4 or IPv6 host sends packets that are encapsulated in an IPv4 packet to the host in the IPv6 network.
3. An ISATAP device decapsulates the IPv4 packet and sends the IPv6 packets to the IPv6 host.

6PE

On an IPv4 backbone network where MPLS is deployed, the ISP can use the IPv6 Provider Edge (6PE) technology to provide the interconnection capacity for the IPv6 networks of dispersed users. 6PE is the PE with the IPv6 capacity.

Figure 12-5 shows the principle of interconnecting isolated IPv6 domains through 6PE.

1. When the 6PE device receives an IPv6 packet from the CE, it directly labels the packet to translate the packet into an MPLS packet that can be transmitted over the IPv4 backbone network.
2. The MPLS packet is forwarded to the remote 6PE through the LSP.
3. The remote 6PE removes the label and looks up the IPv6 routing table according to the destination address in the resulting IPv6 packet header.
4. The remote 6PE then sends the packet to the destination host in the remote IPv6 network through the remote CE.

Figure 12-5 Networking diagram of 6PE
[Figure labels: two IPv6 customer sites, each with a CE; two 6PE routers connected by IBGP across the IPv4/MPLS network; PE]

Note the following points when you connect isolated IPv6 sites through a 6PE tunnel:

- Enable IPv4, MPLS and IPv6 on 6PE.
- MP-BGP also needs to be enabled between 6PEs to receive or send IPv6 routes from/to the remote 6PE.
- The IGP over the ISP's IPv4 backbone network can be OSPF or IS-IS.
- Static routing protocol, IGP or EBGP can work between CE and 6PE.

When ISPs want to extend their IPv4 or MPLS networks with IPv6 traffic exchange capability on MPLS, they only need to update their PE devices.

12.2 Configuring IPv4/IPv6 Dual Stacks

This section describes how to enable the IPv4/IPv6 dual protocol stacks.

12.2.1 Establishing the Configuration Task
12.2.2 Enabling IPv6 Packet Forwarding
12.2.3 Configuring IPv4 and IPv6 Addresses for the Interface

12.2.1 Establishing the Configuration Task

Applicable Environment

If a device has both IPv4 and IPv6 connections, the IPv4/IPv6 dual protocol stacks need to be enabled on the device.

Enabling the IPv4/IPv6 dual protocol stacks on the NE80E/40E is a simple process. Enable the IPv6 packet forwarding capacity in the system view and configure an IPv4 address or IPv6 address on the corresponding interface.
The device can then forward IPv4 and IPv6 packets on the corresponding interface.

Pre-configuration Tasks

Before configuring IPv6 tunnels, complete the following tasks:

- Configuring the physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer parameters for the interface

Data Preparation

To configure IPv4/IPv6 dual stacks, you need the following data.

No.  Data
1    Type and number of the interface connected with the IPv4 network
2    IPv4 address and mask of the interface connected with the IPv4 network
3    Type and number of the interface connected with the IPv6 network
4    IPv6 address and prefix of the interface connected with the IPv6 network

12.2.2 Enabling IPv6 Packet Forwarding

Context

To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the system view and the interface view. This is because:

- If you run the ipv6 command only in the system view, only the IPv6 packet forwarding capability is enabled on the device. The interfaces on the device do not have the IPv6 capability and hence you cannot perform any IPv6 configurations.
- If you run the ipv6 enable command only in the interface view, the IPv6 capability is enabled only on an interface but the IPv6 protocol status on the interface is Down and the device cannot forward IPv6 data.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    ipv6
    The IPv6 packet forwarding capability is enabled.
    To enable a device to forward IPv6 packets, you must run this command in the system view; otherwise, the IPv6 protocol status on the interface is Down and the device cannot forward IPv6 packets although the interface is configured with an IPv6 address.
    By default, the IPv6 packet forwarding capability is disabled.

Step 3 Run:
    interface interface-type interface-number
    The view of the interface to be enabled with the IPv6 capability is displayed.

Step 4 Run:
    ipv6 enable
    The IPv6 capability is enabled on the interface.
    Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability in the interface view.
    By default, the IPv6 capability is disabled on the interface.

----End

12.2.3 Configuring IPv4 and IPv6 Addresses for the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface interface-type interface-number
    The interface view of the IPv4 network is displayed.

Step 3 Run:
    ip address ip-address { mask | mask-length }
    An IPv4 address is assigned to the interface.

Step 4 Run:
    quit
    Return to the system view.

Step 5 Run:
    interface interface-type interface-number
    The interface view of the IPv6 network is displayed.

Step 6 Perform the following configuration as required.
    - Run:
          ipv6 address auto link-local
      The link-local address is set to be automatically generated.
    - Run:
          ipv6 address ipv6-address link-local
      The link-local address of the interface is configured.
    - Run:
          ipv6 address { ipv6-address | prefix-length }
      The global unicast address is configured.
    - Run:
          ipv6 address ipv6-address/prefix-length [ eui-64 ]
      The IPv6 EUI-64 address is configured.

----End

12.3 Configuring an IPv6 over IPv4 Tunnel

This section describes how users in IPv6 networks communicate across an IPv4 network.
12.3.1 Establishing the Configuration Task
12.3.2 Configuring an IPv6 over IPv4 Manual Tunnel
12.3.3 Configuring an IPv6 over IPv4 GRE Tunnel
12.3.4 Configuring an IPv6 over IPv4 Automatic Tunnel
12.3.5 Configuring a 6to4 Tunnel
12.3.6 Configuring an ISATAP Tunnel
12.3.7 Configuring Routes in the Tunnel
12.3.8 Checking the Configuration

12.3.1 Establishing the Configuration Task

Applicable Environment

To enable communication between two IPv6 networks over the IPv4 network, configure an IPv6 over IPv4 tunnel on the border device of the IPv4 and IPv6 networks.

Pre-configuration Tasks

Before configuring an IPv6 over IPv4 tunnel, complete the following tasks:

- Configuring the physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer protocol for the interface and ensuring that the status of the link layer protocol on the interface is Up
- Configuring the IPv4/IPv6 dual-protocol stacks

Data Preparation

To configure an IPv6 over IPv4 tunnel, you need the following data.

No.  Data
1    Number, IPv6 address and prefix length of the tunnel
2    Encapsulation mode of packets over the tunnel
3    Source IPv4 address or interface number of the tunnel
4    Destination IPv4 address of the tunnel
5    Authentication word of the GRE tunnel (only for the GRE tunnel)

12.3.2 Configuring an IPv6 over IPv4 Manual Tunnel

Context

Note the following when configuring an IPv6 over IPv4 manual tunnel:

- Before configuring other parameters of an IPv6 tunnel, you must create a tunnel interface.
- The source interface of the tunnel must be specified by the address or number of the loopback interface on the local router.
- The destination interface of the tunnel must be specified by the address of the loopback interface on the peer device.
- You need to perform the following configurations on the devices at both ends of the tunnel. During the configuration, note that the source address of the local tunnel end is the destination address set for the remote tunnel end; the destination address of the local tunnel end is the source address set for the remote tunnel end.
- To support a dynamic routing protocol, you also need to configure the tunnel interface with a network address.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface tunnel interface-number
    The tunnel interface is created.

Step 3 Run:
    tunnel-protocol ipv6-ipv4
    The tunnel is specified as an IPv6 over IPv4 manual tunnel.

Step 4 Run:
    source { ipv4-address | interface-type interface-number }
    The source address or source interface of the tunnel is specified.

    NOTE
    For the actual implementation on the NE80E/40E, the source interface of the tunnel can only be a loopback interface but the source address of the tunnel can be either the address of a physical interface or the address of a loopback interface.

Step 5 Run:
    destination ipv4-address
    The destination address of the tunnel is specified.

    NOTE
    The destination address of the tunnel can be the address of a physical interface or the address of a loopback interface.

Step 6 Run:
    ipv6 enable
    IPv6 is enabled on the interface.

Step 7 Run:
    ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
    The tunnel interface is configured with an IPv6 address.
----End

12.3.3 Configuring an IPv6 over IPv4 GRE Tunnel

Context

- Note the following when configuring an IPv6 over IPv4 GRE tunnel:
  - Before configuring other parameters of an IPv6 tunnel, you must create a tunnel interface.
  - The slot number of the created tunnel interface must be the same as that of the SPUC.
  - You need to create the loopback interface and assign an IP address to it.
  - The source interface of the tunnel must be specified by the address or number of the loopback interface on the local router.
  - The destination interface of the tunnel must be specified by the address of the loopback interface on the peer device.
  - You need to perform the following configurations on the devices at both ends of the tunnel. During the configuration, note that the source address of the local tunnel end is the destination address set for the remote tunnel end; the destination address of the local tunnel end is the source address set for the remote tunnel end.
  - To make the tunnel support the routing protocol, configure an IP address for the tunnel interface.
- Setting the key word of the GRE packet header
  The configuration of the key word of the GRE packet header is also optional. If the key word is configured, the receiver checks the KEY field in the GRE packet header. If the key word in the packet header matches the one configured locally, the receiver continues to process the packet. Otherwise, it discards the packet.

Do as follows on the router:

Procedure

Step 1 Run:
    set board-type slot slot-id tunnel
    The service mode of the SPUC is set to Tunnel.

Step 2 Run:
    system-view
    The system view is displayed.

Step 3 Run:
    interface tunnel interface-number
    The tunnel interface is created.
    The slot number of the created tunnel interface must be the same as that of the SPUC. For instance, when the SPUC is inserted in slot 2, the slot number of the tunnel interface must be 2.

Step 4 Run:
    tunnel-protocol gre
    The tunnel is specified as a GRE tunnel.
    When you configure an IPv6 over IPv4 GRE tunnel, you must run the target-board slotnumber and binding tunnel gre commands respectively on the loopback interface to bind the SPUC to GRE.

Step 5 Run:
    source { ipv4-address | interface-type interface-number }
    The source address or source interface of the tunnel is specified.
    The source address specified by source ipv4-address must be the IPv4 address of the loopback interface bound to the SPUC through the target-board command; the source interface specified by source interface-type interface-number must be the loopback interface bound to the SPUC through the target-board command.

Step 6 Run:
    destination ipv4-address
    The destination address of the tunnel is specified.

Step 7 (Optional) Run:
    gre key key-number
    The key word of the GRE packet header is set.

Step 8 Run:
    ipv6 enable
    IPv6 is enabled on the interface.

Step 9 Run:
    ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
    The IPv6 address of the tunnel interface is configured.

----End

12.3.4 Configuring an IPv6 over IPv4 Automatic Tunnel

Context

Note the following when configuring an IPv6 over IPv4 automatic tunnel:

- Before configuring the other parameters of an IPv6 tunnel, you must create a tunnel interface.
- The source interface of the tunnel must be specified by the address or number of the loopback interface on the local router.
- When configuring an IPv6 over IPv4 automatic tunnel, you can specify only the source address of the tunnel. The destination address of the tunnel is automatically obtained from the destination IP address field carried in the original IPv6 packet. Note that the source interface of the IPv6 over IPv4 automatic tunnel must be unique.
- The IPv6 address configured for the automatic tunnel must be an IPv4-compatible IPv6 address. That is, the high-order 96 bits are 0 and the low-order 32 bits represent an IPv4 address of an interface in the IPv4 network.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface tunnel interface-number
    A tunnel interface is configured.

Step 3 Run:
    tunnel-protocol ipv6-ipv4 auto-tunnel
    The tunnel is specified as an IPv6 over IPv4 automatic tunnel.

Step 4 Run:
    source { ipv4-address | interface-type interface-number }
    The source address or source interface of the tunnel is specified.

Step 5 Run:
    ipv6 enable
    IPv6 is enabled on the interface.

Step 6 Run:
    ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
    The tunnel interface is configured with an IPv6 address.

----End

12.3.5 Configuring a 6to4 Tunnel

Context

Note the following when configuring a 6to4 tunnel:

- Before configuring other parameters of the tunnel, create a tunnel interface.
- When the specified source interface of the tunnel is a physical interface, it is recommended to set the tunnel ID to be the same as the number of the physical interface.
- The source tunnel interface must be specified by the address or number of the loopback interface on the local router.
- When configuring a 6to4 tunnel, you need to specify only the source tunnel interface. The destination address of the tunnel is automatically obtained from the destination IP address field carried in the original IPv6 packet. Note that the source interface of the 6to4 tunnel must be unique. On the border device, configure a 6to4 address on the interface that is connected with the 6to4 network, and configure an IPv4 address on the interface that is connected with the IPv4 network.
- To make the tunnel support the routing protocol, configure an IP address for the tunnel interface.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface tunnel interface-number
    A tunnel interface is created.

Step 3 Run:
    tunnel-protocol ipv6-ipv4 6to4
    The tunnel is specified as a 6to4 tunnel.

Step 4 Run:
    source { ipv4-address | interface-type interface-number }
    The source address or source interface of the tunnel is specified.

Step 5 Run:
    ipv6 enable
    IPv6 is enabled on the interface.

Step 6 Run:
    ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
    The interface is configured with an IPv6 address.

    NOTE
    The prefix of the IPv6 address configured for the interface must be the same as the 6to4 network prefix of the border device.

----End

Postrequisite

The configuration of the 6to4 relay, which is needed to access the IPv6 network, is similar to that of the 6to4 tunnel. For the configuration example, see "Example for Configuring 6to4 Relay."

12.3.6 Configuring an ISATAP Tunnel

Context

Note the following when configuring an ISATAP tunnel:

- Before configuring other parameters of the tunnel, create a tunnel interface.
- When the specified source interface of the tunnel is a physical interface, it is recommended to set the tunnel ID to be the same as the number of the physical interface.
- When configuring an ISATAP tunnel, you need to specify only the source address of the tunnel. The destination address of the tunnel is automatically obtained from the destination IP address field carried in the original IPv6 packet. Note that the source interface of the ISATAP tunnel must be unique.
- The IPv6 address configured on the tunnel interface is an ISATAP address with a prefix length of 64 bits.

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    interface tunnel interface-number
    A tunnel interface is created.

Step 3 Run:
    tunnel-protocol ipv6-ipv4 isatap
    The tunnel is specified as an ISATAP tunnel.

Step 4 Run:
    source { ipv4-address | interface-type interface-number }
    The source address or source interface of the tunnel is specified.

Step 5 Run:
    ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
    The tunnel interface is configured with an IPv6 address.

Step 6 Run:
    undo ipv6 nd ra halt
    The device is allowed to advertise routes.

----End

12.3.7 Configuring Routes in the Tunnel

Context

Routes for forwarding must exist on the source device and the destination device of the tunnel, ensuring normal packet forwarding. Configuring routes in the tunnel comprises configuring static routes and dynamic routes.

- To configure the static route, you need to configure the route from the IP address of the local loopback interface (the source address) to the destination address (IP address of the peer loopback interface).
- You can enable a dynamic routing protocol on the tunnel interface connected to the private networks and on the device interface.

12.3.8 Checking the Configuration

Prerequisite

The configurations of the IPv6 over IPv4 Tunnel function are complete.
Procedure

Step 1 Run the display device slot-id command to check whether the service mode of the SPUC is Tunnel.

Step 2 Run the display ipv6 interface tunnel interface-number command to check the IPv6 attributes of a tunnel interface.

----End

Example

If the service mode of the SPUC is Tunnel, run the display device 3 command, and you can view that the type of the SPUC on the router is displayed as General.

    <HUAWEI> display device 3
    SPU3's detail information:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Description:                   Line Processing Unit - General
    Board status:                  Normal
    Register:                      Registered
    Uptime:                        2009/02/26 18:33:23
    CPU Utilization(%):            3%
    Mem Usage(%):                  19%
    Clock information:
    State item                     State
    Current syn-clock:             17
    Current line-clock:            23
    Syn-clock state:               Locked
    Syn-clock 17 state:            Actived
    Syn-clock 18 state:            Inactived
    Line-clock 23 state:           Inactived
    Line-clock 24 state:           Inactived
                                   VCXO_OK REF_OK
    Statistic information:
    Statistic item                 Statistic number
    SERDES interface link lost:    0
    Mpu switchs:                   0
    Syn-clock switchs:             0
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Run the display ipv6 interface tunnel command. If IPv6 packet forwarding is enabled, you can see that the state of the tunnel interface is Up and the state of the IPv6 protocol is Up, together with the source address and ND parameters.

    <HUAWEI> display ipv6 interface tunnel 3/0/0
    Tunnel3/0/0 current state : UP , IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::201:102
      Global unicast address(es):
        ::2.1.1.2, subnet is ::/96
      Joined group address(es):
        FF02::1:FF01:102
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND reachable time is 30000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

12.4 Configuring 6PE

This section describes how users in IPv6 networks communicate across the existing MPLS network.

12.4.1 Establishing the Configuration Task
12.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks
12.4.3 Configuring MPLS
12.4.4 Enabling 6PE Peer

12.4.1 Establishing the Configuration Task

Applicable Environment

To interconnect IPv6 networks over the existing MPLS network, 6PE must be configured on the PE devices.

Pre-configuration Tasks

Before configuring 6PE, complete the following tasks:

- Configuring the physical features of interfaces and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer protocols on the interface and ensuring that the status of the link layer protocol on the interface is Up
- Configuring routes from 6PE to CE
- Configuring routes to the backbone network

Data Preparation

To configure 6PE, you need the following data.

No.  Data
1    Interface number and IPv6 address of the 6PE's interface connected with CE devices
2    Interface number and IPv4 address of the 6PE's interface
3    Interface number and IPv4 address of the loopback interface to be created
4    LSP triggering policy
5    IPv4 address of the peer of the 6PE

12.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    ipv6
    The IPv6 packet forwarding is enabled.
Step 3 Run:
    interface interface-type interface-number
    The interface view of the IPv4 network is displayed.

Step 4 Run:
    ip address ipv4-address { mask | mask-length }
    The interface is configured with an IPv4 address.

Step 5 Run:
    quit
    Return to the system view.

Step 6 Run:
    interface interface-type interface-number
    The interface view of the IPv6 network is displayed.

Step 7 Run:
    ipv6 enable
    IPv6 is enabled on the interface.

Step 8 Run:
    ipv6 address ipv6-address/prefix-length [ eui-64 ]
    Or
    ipv6 address { ipv6-address | prefix-length }
    The interface is configured with an IPv6 address.

Step 9 Run:
    quit
    Return to the system view.

----End

12.4.3 Configuring MPLS

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    mpls lsr-id ip-address
    The LSR ID is specified.

Step 3 Run:
    mpls
    MPLS is enabled and the MPLS view is displayed.

Step 4 Run:
    lsp-trigger { all | host | ip-prefix prefix-name | none }
    The LSP trigger policy is enabled.

Step 5 Run:
    quit
    Return to the system view.

Step 6 Run:
    mpls ldp
    MPLS LDP is enabled.

Step 7 Run:
    quit
    Exit the system view.

Step 8 Run:
    interface interface-type interface-number
    The interface view of the IPv4 network is displayed.

Step 9 Run:
    mpls
    MPLS is enabled on the interface.

Step 10 Run:
    mpls ldp
    MPLS LDP is enabled on the interface.

----End

12.4.4 Enabling 6PE Peer

Context

Do as follows on the router:

Procedure

Step 1 Run:
    system-view
    The system view is displayed.

Step 2 Run:
    bgp as-number
    The BGP view is displayed.

Step 3 Run:
    peer peer-ipv4-address as-number as-number
    The IP address and the AS number of a specified BGP peer are specified.

Step 4 Run:
    peer peer-ipv4-address connect-interface interface-type interface-number
    The PE peer is specified to connect with a specified interface.

Step 5 Run:
    ipv6-family
    The BGP-IPv6 unicast address family view is displayed.

Step 6 Run:
    peer peer-ipv4-address enable
    The 6PE peer is enabled.

Step 7 Run:
    peer peer-ipv4-address label-route-capability
    Label routing capacity is enabled for 6PE.

----End

12.5 Maintaining IPv6 over IPv4 Tunnels

This section describes how to debug the IPv6 tunnel.

12.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel

12.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel

Context

In routine maintenance, you can run the following command in any view to check the operation of the IPv6 over IPv4 tunnel.

Procedure

Step 1 Run the display ipv6 interface tunnel { interface-number } command in any view to check the operation status of the tunnel interface.

----End

12.6 Configuration Examples

This section provides several configuration examples of IPv6 over IPv4 tunnels.

12.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel
12.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel
12.6.3 Example for Configuring an IPv6 over IPv4 Automatic Tunnel
12.6.4 Example for Configuring a 6to4 Tunnel
12.6.5 Example for Configuring 6to4 Relay
12.6.6 Example for Configuring an ISATAP Tunnel
12.6.7 Example for Configuring 6PE

12.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel

Networking Requirements

As shown in Figure 12-6, two IPv6 networks are connected to Router B in the IPv4 backbone network respectively through Router A and Router C.
To enable communication between the two IPv6 networks, configure an IPv6 over IPv4 manual tunnel between Router A and Router C.

NOTE
In an actual networking environment, it is recommended that the source address of the tunnel be the IP address of a loopback interface on the local device, or that the source interface of the tunnel be a loopback interface on the local device. It is also recommended that the destination address of the tunnel be the IP address of a loopback interface on the peer device.

Figure 12-6 Networking diagram of the IPv6 over IPv4 manual tunnel
  RouterA (dual stack, IPv6 side): GE1/0/0 192.168.50.2/24
  RouterB (IPv4 network): GE1/0/0 192.168.50.1/24, GE2/0/0 192.168.51.1/24
  RouterC (dual stack, IPv6 side): GE1/0/0 192.168.51.2/24

Configuration Roadmap
The configuration roadmap of the IPv6 over IPv4 manual tunnel is as follows:
1. Configure IP addresses for physical interfaces.
2. Configure IPv6 addresses, the source interface, and the destination addresses for the tunnel interfaces.
3. Set the tunnel protocol as IPv6-IPv4.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of interfaces
- IPv6 addresses, the source interfaces and the destination addresses of the tunnel interfaces

Procedure
Step 1 Configure Router A.

# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

# Set the tunnel protocol as IPv6-IPv4.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface, and destination address for the tunnel interface.
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 3001::1/64
[RouterA-Tunnel1/0/0] source 192.168.50.2
[RouterA-Tunnel1/0/0] destination 192.168.51.2
[RouterA-Tunnel1/0/0] quit

# Configure static routes.
[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1

Step 2 Configure Router B.

# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit

Step 3 Configure Router C.

# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] ipv6
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] undo shutdown
[RouterC-GigabitEthernet1/0/0] quit

# Set the tunnel protocol as IPv6-IPv4.
[RouterC] interface tunnel 1/0/0
[RouterC-Tunnel1/0/0] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface, and destination address for the tunnel interface.
[RouterC-Tunnel1/0/0] ipv6 enable
[RouterC-Tunnel1/0/0] ipv6 address 3001::2/64
[RouterC-Tunnel1/0/0] source 192.168.51.2
[RouterC-Tunnel1/0/0] destination 192.168.50.2
[RouterC-Tunnel1/0/0] quit

# Configure a static route.
[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1

Step 4 Verify the configuration.

# On Router C, ping the IPv4 address of the interface GE 1/0/0 of Router A. Router C can receive response packets from Router A.
[RouterC] ping 192.168.50.2
  PING 192.168.50.2: 56 data bytes, press CTRL_C to break
    Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms
    Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms
    Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms
    Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms
    Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms
  --- 192.168.50.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/32/84 ms

# On Router C, ping the IPv6 address of Tunnel 1/0/0 of Router A. Router C can receive response packets from Router A.
[RouterC] ping ipv6 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=255 time = 28 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=255 time = 27 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=255 time = 26 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=255 time = 27 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=255 time = 26 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 26/26/28 ms
----End

Configuration File
- Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.50.2 255.255.255.0
#
interface Tunnel1/0/0
 ipv6 enable
 ipv6 address 3001::1/64
 tunnel-protocol ipv6-ipv4
 source 192.168.50.2
 destination 192.168.51.2
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return

- Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.50.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 192.168.51.1 255.255.255.0
#
return

- Configuration file of Router C
#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.51.2 255.255.255.0
#
interface Tunnel1/0/0
 ipv6 enable
 ipv6 address 3001::2/64
 tunnel-protocol ipv6-ipv4
 source 192.168.51.2
 destination 192.168.50.2
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return

12.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel

Networking Requirements
As shown in Figure 12-7, two IPv6 networks are connected to Router B in the IPv4 network respectively through Router A and Router C.
To enable the two IPv6 networks to communicate with each other, configure an IPv6 over IPv4 GRE tunnel between Router A and Router C.

NOTE
When configuring an IPv6 over IPv4 GRE tunnel, you must set the service mode of the SPUC to Tunnel and bind the SPUC to the tunnel.

Figure 12-7 Networking diagram of the IPv6 over IPv4 GRE tunnel
  RouterA (dual stack, IPv6 side): POS1/0/0 192.168.50.2/24, Loopback1 1.1.1.1/32
  RouterB (IPv4 network): POS1/0/0 192.168.50.1/24, POS2/0/0 192.168.51.1/24
  RouterC (dual stack, IPv6 side): POS1/0/0 192.168.51.2/24, Loopback1 2.2.2.2/32

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure IPv6 addresses, the source interface, and the destination address of the tunnel interfaces.
3. Set the tunnel protocol as GRE.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of interfaces
- IPv6 addresses, the source interface, and the destination address

Procedure
Step 1 Configure Router A.

# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit

# Create a loopback interface and assign an IPv4 address to it.
[RouterA] interface Loopback 1
[RouterA-LoopBack1] ip address 1.1.1.1 32
[RouterA-LoopBack1] quit

# Configure a static route from Router A to Router C.
[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
[RouterA] ip route-static 2.2.2.2 255.255.255.255 192.168.50.1
[RouterA] quit

# Set the service mode of the SPUC to Tunnel and the tunnel protocol mode to GRE.
<RouterA> set board-type slot 6 tunnel
<RouterA> system-view
[RouterA] interface tunnel 6/0/0
[RouterA-Tunnel6/0/0] tunnel-protocol gre

# Configure the IPv6 address, source interface, and destination address for the tunnel interface. Bind the tunnel to the SPUC.
[RouterA] interface Loopback 1
[RouterA-LoopBack1] target-board 6
[RouterA-LoopBack1] binding tunnel gre
[RouterA-LoopBack1] quit
[RouterA] interface Tunnel 6/0/0
[RouterA-Tunnel6/0/0] ipv6 enable
[RouterA-Tunnel6/0/0] ipv6 address 3001::1 64
[RouterA-Tunnel6/0/0] source loopback 1
[RouterA-Tunnel6/0/0] destination 2.2.2.2
[RouterA-Tunnel6/0/0] quit

NOTE
The device supports the tunnel binding only on the loopback interface.

Step 2 Configure Router B.

# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit

Step 3 Configure Router C.

# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] ipv6
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-Pos1/0/0] undo shutdown
[RouterC-Pos1/0/0] quit

# Create a loopback interface and assign an IPv4 address to it.
[RouterC] interface Loopback 1
[RouterC-LoopBack1] ip address 2.2.2.2 32
[RouterC-LoopBack1] quit

# Configure a static route from Router C to Router A.
[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1
[RouterC] ip route-static 1.1.1.1 255.255.255.255 192.168.51.1
[RouterC] quit

# On Router C, ping the IPv4 address of POS 1/0/0 on Router A. Router C receives the response packets from Router A.
<RouterC> ping 192.168.50.2
  PING 192.168.50.2: 56 data bytes, press CTRL_C to break
    Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 192.168.50.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
<RouterC> ping 1.1.1.1
  PING 1.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 1.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

This indicates that a reachable route exists between Router A and Router C.

# Set the service mode of the SPUC to Tunnel and the tunnel protocol mode to GRE.
<RouterC> set board-type slot 6 tunnel
<RouterC> system-view
[RouterC] interface tunnel 6/0/0
[RouterC-Tunnel6/0/0] tunnel-protocol gre

# Configure the IPv6 address, source interface, and destination IP address of the tunnel interface. Bind the tunnel to the SPUC.
[RouterC] interface Loopback 1
[RouterC-LoopBack1] target-board 6
[RouterC-LoopBack1] binding tunnel gre
[RouterC-LoopBack1] quit
[RouterC] interface Tunnel 6/0/0
[RouterC-Tunnel6/0/0] ipv6 enable
[RouterC-Tunnel6/0/0] ipv6 address 3001::2 64
[RouterC-Tunnel6/0/0] source loopback 1
[RouterC-Tunnel6/0/0] destination 1.1.1.1
[RouterC-Tunnel6/0/0] quit

NOTE
The device supports the tunnel binding only on the loopback interface.

Step 4 Verify the configuration.

# On Router C, ping the IPv6 address of Tunnel 1/0/0 on Router A. Router C receives the response packets from Router A.
[RouterC] ping ipv6 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=255 time = 28 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=255 time = 27 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=255 time = 26 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=255 time = 27 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=255 time = 26 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 26/26/28 ms
----End

Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
 link-protocol ppp
 ip address 192.168.50.2 255.255.255.0
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
 target-board 6
 binding tunnel gre
#
interface Tunnel6/0/0
 ipv6 enable
 ipv6 address 3001::1/64
 tunnel-protocol gre
 source loopback 1
 destination 2.2.2.2
#
ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
ip route-static 2.2.2.2 255.255.255.255 192.168.50.1
#
return

- Configuration file of Router B
#
sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.50.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.51.1 255.255.255.0
#
return

- Configuration file of Router C
#
sysname RouterC
#
ipv6
#
interface pos1/0/0
 link-protocol ppp
 ip address 192.168.51.2 255.255.255.0
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
 target-board 6
 binding tunnel gre
#
interface Tunnel6/0/0
 ipv6 enable
 ipv6 address 3001::2/64
 tunnel-protocol gre
 source loopback 1
 destination 1.1.1.1
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
ip route-static 1.1.1.1 255.255.255.255 192.168.51.1
#
return

12.6.3 Example for Configuring an IPv6 over IPv4 Automatic Tunnel

Networking Requirements
As shown in Figure 12-8, two IPv6 networks are connected to the IPv4 backbone network through Router A and Router B respectively. To enable communication between the two IPv6 networks, configure an IPv6 over IPv4 automatic tunnel between Router A and Router B. The interfaces that connect Router A and Router B to the IPv4 backbone network should be configured with public IPv4 addresses.

NOTE
In an actual networking environment, it is recommended that the source address of the tunnel be the IP address of a loopback interface on the local device, or that the source interface of the tunnel be a loopback interface on the local device. It is also recommended that the destination address of the tunnel be the IP address of a loopback interface on the peer device.
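The manual and GRE tunnels in 12.6.1 and 12.6.2 work only when each router's tunnel destination is its peer's tunnel source, and the NOTE above recommends loopback interfaces as endpoints. The following Python is an added example, not part of the Huawei guide, that parses trimmed copies of the 12.6.2 configuration files and checks those conditions. The function names and finding texts are this example's own, only static routes are modelled, and each device is assumed to have one tunnel interface.

```python
import ipaddress
import re

# Trimmed copies of the Router A and Router C configuration files from the
# GRE example in 12.6.2; only the lines this check reads are kept.
ROUTER_A = """\
sysname RouterA
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
interface Tunnel6/0/0
 tunnel-protocol gre
 source loopback 1
 destination 2.2.2.2
ip route-static 2.2.2.2 255.255.255.255 192.168.50.1
"""
ROUTER_C = """\
sysname RouterC
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
interface Tunnel6/0/0
 tunnel-protocol gre
 source loopback 1
 destination 1.1.1.1
ip route-static 1.1.1.1 255.255.255.255 192.168.51.1
"""

def norm(name):
    """'LoopBack1' and 'loopback 1' name the same interface."""
    return re.sub(r"\s+", "", name).lower()

def parse_config(text):
    """Parse the sysname, interface stanzas and IPv4 static routes."""
    cfg = {"name": "?", "ifaces": {}, "routes": []}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            current = cfg["ifaces"].setdefault(norm("".join(words[1:])), {})
        elif raw[0].isspace() and current is not None:   # interface sub-command
            if words[:2] == ["ip", "address"]:
                current["ipv4"] = words[2]
            elif words[0] in ("tunnel-protocol", "source", "destination"):
                current[words[0]] = " ".join(words[1:])
        else:                                            # back at system level
            current = None
            if words[0] == "sysname":
                cfg["name"] = words[1]
            elif words[:2] == ["ip", "route-static"]:
                net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
                cfg["routes"].append(net)
    return cfg

def tunnel_of(cfg):
    """Return the first interface that carries a tunnel-protocol line."""
    return next(i for i in cfg["ifaces"].values() if "tunnel-protocol" in i)

def tunnel_source(cfg, tun):
    """Resolve a tunnel's source to (IPv4 address, owning interface name)."""
    src = tun.get("source", "")
    try:
        ip = str(ipaddress.IPv4Address(src))             # source <ip-address>
        owner = next((n for n, i in cfg["ifaces"].items()
                      if i.get("ipv4") == ip), None)
    except ValueError:                                   # source <interface>
        owner = norm(src)
        ip = cfg["ifaces"].get(owner, {}).get("ipv4")
    return ip, owner

def audit_pair(a, b):
    """Cross-check the tunnel endpoints of two peers; return findings."""
    findings = []
    if tunnel_of(a)["tunnel-protocol"] != tunnel_of(b)["tunnel-protocol"]:
        findings.append("tunnel-protocol differs between the peers")
    for local, peer in ((a, b), (b, a)):
        tun, who = tunnel_of(local), local["name"]
        peer_ip, _ = tunnel_source(peer, tunnel_of(peer))
        dest = tun.get("destination")
        if dest != peer_ip:
            findings.append(f"{who}: destination {dest} is not the peer's "
                            f"tunnel source {peer_ip}")
        if dest and not any(ipaddress.ip_address(dest) in r
                            for r in local["routes"]):
            findings.append(f"{who}: no static route covers {dest}")
        _, owner = tunnel_source(local, tun)
        if not (owner or "").startswith("loopback"):
            findings.append(f"{who}: tunnel source is not a loopback interface")
    return findings

if __name__ == "__main__":
    good = audit_pair(parse_config(ROUTER_A), parse_config(ROUTER_C))
    print("12.6.2 configuration files:", good or "no findings")
    # Constructed fault: one digit wrong in Router C's tunnel destination.
    broken = ROUTER_C.replace("destination 1.1.1.1", "destination 1.1.1.2")
    for finding in audit_pair(parse_config(ROUTER_A), parse_config(broken)):
        print("constructed fault:", finding)
```

Run against the 12.6.1 manual tunnel files, the same check reports that both tunnel sources are physical interfaces rather than loopbacks.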

Figure 12-8 Networking diagram of the IPv6 over IPv4 automatic tunnel
  RouterA (dual stack, IPv6 side): loopback1 3.3.3.3/32, POS1/0/0 2.1.1.1/8, Tunnel 1/0/0 ::2.1.1.1/96
  RouterB (dual stack, IPv6 side): loopback1 4.4.4.4/32, POS1/0/0 2.1.1.2/8, Tunnel 1/0/0 ::2.1.1.2/96
  The two routers are connected through the IPv4 network.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure the IPv6 addresses and source interface of the tunnel interface.
3. Set the tunnel protocol as automatic tunnel protocol.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of interfaces
- IPv6 address and source interface of the tunnel interface
To configure an automatic tunnel, you need to specify only the source interface rather than the destination interface of the tunnel.

Procedure
Step 1 Configure Router A.

# Configure the IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-pos1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-pos1/0/0] quit

# Create a loopback interface and assign an IPv4 address to it.
[RouterA] interface loopback 1
[RouterA-LoopBack1] ip address 3.3.3.3 32
[RouterA-LoopBack1] quit

# Configure a static route from Router A to Router B.
[RouterA] ip route-static 2.1.1.2 255.0.0.0 2.1.1.2
[RouterA] ip route-static 4.4.4.4 255.255.255.255 2.1.1.2

# Configure an automatic tunnel.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address ::3.3.3.3/96
[RouterA-Tunnel1/0/0] source loopback 1
[RouterA-Tunnel1/0/0] quit

Step 2 Configure Router B.

# Configure the IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-pos1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-Pos1/0/0] quit

# Create a loopback interface and assign an IPv4 address to it.
[RouterB] interface loopback 1
[RouterB-LoopBack1] ip address 4.4.4.4 32
[RouterB-LoopBack1] quit

# Configure a static route from Router B to Router A.
[RouterB] ip route-static 2.1.1.1 255.0.0.0 2.1.1.1
[RouterB] ip route-static 3.3.3.3 255.255.255.255 2.1.1.1

# Configure an automatic tunnel.
[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address ::4.4.4.4/96
[RouterB-Tunnel1/0/0] source loopback 1
[RouterB-Tunnel1/0/0] quit

Step 3 Verify the configuration.

# On Router A, view the status of Tunnel 1/0/0 and find it is Up.
[RouterA] display ipv6 interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
  Global unicast address(es):
    ::3.3.3.3, subnet is ::/96
  Joined group address(es):
    FF02::1:FF01:101
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# On Router A, ping the IPv4-compatible IPv6 address of tunnel peer.
[RouterA] ping ipv6 ::4.4.4.4
  PING ::4.4.4.4 : 56 data bytes, press CTRL_C to break
    Reply from ::4.4.4.4
    bytes=56 Sequence=1 hop limit=64 time = 30 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=2 hop limit=64 time = 40 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=4 hop limit=64 time = 1 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=5 hop limit=64 time = 50 ms
  --- ::4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/34/50 ms
----End

Configuration File
- Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
 link-protocol ppp
 ip address 2.1.1.1 255.0.0.0
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address ::3.3.3.3/96
 tunnel-protocol ipv6-ipv4 auto-tunnel
 source loopback 1
#
ip route-static 2.1.1.2 255.0.0.0 2.1.1.2
ip route-static 4.4.4.4 255.255.255.255 2.1.1.2
#
return

- Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface pos1/0/0
 link-protocol ppp
 ip address 2.1.1.2 255.0.0.0
#
interface LoopBack1
 ip address 4.4.4.4 255.255.255.255
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address ::4.4.4.4/96
 tunnel-protocol ipv6-ipv4 auto-tunnel
 source loopback 1
#
ip route-static 2.1.1.1 255.0.0.0 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 2.1.1.1
#
return

12.6.4 Example for Configuring a 6to4 Tunnel

Networking Requirements
As shown in Figure 12-9, both IPv6 networks are 6to4 networks. Router A and Router B are each connected to a 6to4 network and to the IPv4 network. To enable communication between the hosts in the two 6to4 networks, set up a 6to4 tunnel between Router A and Router B.
To enable communication between 6to4 networks, configure 6to4 addresses for the hosts in the 6to4 networks. A 6to4 address has a 48-bit prefix composed of 2002 followed by the IPv4 address (2002:IPv4 address::). As shown in Figure 12-9, the IPv4 address of the interface through which Router A is connected to the IPv4 network is 2.1.1.1.
Therefore, the 6to4 address of Router A in the 6to4 network should start with 2002:0201:0101::.

NOTE
In an actual networking environment, it is recommended that the source address of the tunnel be the IP address of a loopback interface on the local device, or that the source interface of the tunnel be a loopback interface on the local device. It is also recommended that the destination address of the tunnel be the IP address of a loopback interface on the peer device.

Figure 12-9 Networking diagram of the 6to4 tunnel
  RouterA (6to4 router): POS1/0/0 2.1.1.1, GE2/0/0 2002:201:101:1::1/64, Tunnel 1/0/0 2002:201:101::1/64
  RouterB (6to4 router): POS1/0/0 2.1.1.2, GE2/0/0 2002:201:102:1::1/64, Tunnel 1/0/0 2002:201:102::1/64
  PC1 (behind RouterA): 2002:201:101:1::2
  PC2 (behind RouterB): 2002:201:102:1::2

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv4/IPv6 dual-protocol stacks.
2. Configure the tunnel protocol as 6to4.
3. Configure related routes.

Data Preparation
To complete the configuration, you need the following data:
- IPv4 or IPv6 addresses of interfaces
- Source tunnel interface

Procedure
Step 1 Configure Router A.

# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-pos1/0/0] ip address 2.1.1.1 8
[RouterA-pos1/0/0] undo shutdown
[RouterA-pos1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel1/0/0] source 2.1.1.1
[RouterA-Tunnel1/0/0] quit

# Configure a route to other 6to4 networks.
[RouterA] ipv6 route-static 2002:: 16 tunnel 1/0/0

Step 2 Configure Router B.

# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-pos1/0/0] ip address 2.1.1.2 8
[RouterB-pos1/0/0] undo shutdown
[RouterB-pos1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2002:0201:0102:1::1/64
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.
[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel1/0/0] source 2.1.1.2
[RouterB-Tunnel1/0/0] quit

# Configure a route to other 6to4 networks.
[RouterB] ipv6 route-static 2002:: 16 tunnel 1/0/0

NOTE
There must be an accessible route between Router A and Router B. In this example, both the devices are directly connected; therefore, no routing protocol needs to be configured.

Step 3 Verify the configuration.

# Check the IPv6 state of Tunnel 1/0/0 on Router A and find it is UP.
[RouterA] display ipv6 interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
  Global unicast address(es):
    2002:201:101::1, subnet is 2002:201:101::/64
  Joined group address(es):
    FF02::1:FF01:101
    FF02::1:FF00:1
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# Router A can ping through the 6to4 address of GE 2/0/0 of Router B.
[RouterA] ping ipv6 2002:0201:0102:1::1
  PING 2002:0201:0102:1::1 : 56 data bytes, press CTRL_C to break
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=1 hop limit=255 time = 8 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=2 hop limit=255 time = 25 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=3 hop limit=255 time = 4 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=4 hop limit=255 time = 5 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=5 hop limit=255 time = 5 ms
  --- 2002:0201:0102:1::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/9/25 ms
----End

Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet 2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return

- Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002:201:102:1::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:102::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.2
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return

12.6.5 Example for Configuring 6to4 Relay

Networking Requirements
As shown in Figure 12-10, Router A is a 6to4 device and is connected to an IPv6 network. As a 6to4 relay device, Router B is connected to the IPv6 Internet (2001::/64). To enable communication between the host in the 6to4 network and the host in the IPv6 Internet, configure a 6to4 tunnel between Router A and Router B.
The configuration of the tunnel between a 6to4 relay device and a common 6to4 device is similar to that between common 6to4 devices. A static route to the IPv6 Internet must be configured on the common 6to4 device so that the 6to4 network and the IPv6 network can communicate with each other.

NOTE
In an actual networking environment, it is recommended that the source address of the tunnel be the IP address of a loopback interface on the local device, or that the source interface of the tunnel be a loopback interface on the local device. It is also recommended that the destination address of the tunnel be the IP address of a loopback interface on the peer device.

Figure 12-10 Networking diagram of accessing the IPv6 network through 6to4 relay
  RouterA (6to4 router): POS1/0/0 2.1.1.1, GE2/0/0 2002:201:101:1::1/64, Tunnel 1/0/0 2002:201:101::1/64
  RouterB (6to4 relay): POS1/0/0 2.1.1.2, GE2/0/0 2001::1/64, Tunnel 1/0/0 2002:201:102::1/64
  PC1 (6to4 network): 2002:201:101:1::2
  PC2 (IPv6 network): 2001::2
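The 6to4 addresses in 12.6.4 and 12.6.5, the IPv4-compatible addresses of the automatic tunnel in 12.6.3 and the ISATAP addresses in 12.6.6 all embed an IPv4 tunnel endpoint in an IPv6 address. The following Python is an added example, not part of the Huawei guide, that derives the 6to4 prefix as described in 12.6.4 and, going beyond 6to4, recovers the embedded IPv4 address from all three forms, which is what you need to tie an IPv6 address seen in a log or route back to its IPv4 tunnel endpoint. The function names are this example's own, and the addresses are taken from this chapter.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# ISATAP interface identifiers are 0000:5EFE:a.b.c.d, or 0200:5EFE:a.b.c.d
# when the embedded IPv4 address is globally unique (RFC 5214).
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)


def sixto4_prefix(ipv4):
    """Return the 48-bit 6to4 prefix 2002:<IPv4 address in hex>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48")


def isatap_address(prefix, ipv4):
    """Return <64-bit prefix>:0:5EFE:<IPv4 address in hex>."""
    net = ipaddress.IPv6Network(prefix)
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr):
    """Return (kind, IPv4 string) for an address that embeds a tunnel
    endpoint, or (None, None) for an ordinary IPv6 address."""
    ip6 = ipaddress.IPv6Address(addr)
    n = int(ip6)
    if ip6 in SIXTO4:
        kind, v4 = "6to4", (n >> 80) & 0xFFFFFFFF         # bits after 2002
    elif (n >> 32) & 0xFFFFFFFF in ISATAP_MARKERS:
        kind, v4 = "isatap", n & 0xFFFFFFFF               # low 32 bits
    elif n >> 32 == 0 and n > 1:                          # ::a.b.c.d, not :: or ::1
        kind, v4 = "ipv4-compatible", n
    else:
        return None, None
    return kind, str(ipaddress.IPv4Address(v4))


def matches_source(tunnel_ipv6, source_ipv4):
    """True if the tunnel interface address embeds the tunnel's IPv4 source."""
    source = str(ipaddress.IPv4Address(source_ipv4))
    return embedded_ipv4(tunnel_ipv6)[1] == source


if __name__ == "__main__":
    print(sixto4_prefix("2.1.1.1"))                  # Router A in 12.6.4
    print(isatap_address("2001::/64", "2.1.1.2"))    # ISATAP host in 12.6.6
    for addr in ("2002:201:102:1::1", "FE80::5EFE:0201:0102",
                 "::4.4.4.4", "3001::1"):
        print(addr, embedded_ipv4(addr))
    # 12.6.3 configures ::3.3.3.3/96 with source loopback 1 (3.3.3.3), while
    # Figure 12-8 labels the same tunnel ::2.1.1.1/96.
    print(matches_source("::3.3.3.3", "3.3.3.3"),
          matches_source("::2.1.1.1", "3.3.3.3"))
```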

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv4/IPv6 dual protocol stacks.
2. Configure a 6to4 tunnel.
3. Configure related static routes.

Data Preparation
To complete the configuration, you need the following data:
- IPv4 or IPv6 addresses of interfaces
- Source tunnel interface
- Static routes to the devices that are not directly connected

Procedure
Step 1 Configure Router A.

# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel1/0/0] source 2.1.1.1
[RouterA-Tunnel1/0/0] quit

# Configure a static route to 2002::/16.
[RouterA] ipv6 route-static 2002:: 16 tunnel 1/0/0

# Configure a default route to the IPv6 network.
[RouterA] ipv6 route-static :: 0 2002:0201:0102::1

Step 2 Configure Router B.

# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2001::1/64
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.
[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel1/0/0] source 2.1.1.2
[RouterB-Tunnel1/0/0] quit

# Configure a static route to 2002::/16.
[RouterB] ipv6 route-static 2002:: 16 tunnel1/0/0

Step 3 Verify the configuration.

# Router A can ping through the IPv6 address of GE 2/0/0 on Router B.
[RouterA] ping ipv6 2001::1
  PING 2001::1 : 56 data bytes, press CTRL_C to break
    Reply from 2001::1
    bytes=56 Sequence=1 hop limit=255 time = 29 ms
    Reply from 2001::1
    bytes=56 Sequence=2 hop limit=255 time = 5 ms
    Reply from 2001::1
    bytes=56 Sequence=3 hop limit=255 time = 5 ms
    Reply from 2001::1
    bytes=56 Sequence=4 hop limit=255 time = 5 ms
    Reply from 2001::1
    bytes=56 Sequence=5 hop limit=255 time = 26 ms
  --- 2001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 5/14/29 ms
----End

Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return

- Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:102::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source Pos1/0/0
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return

12.6.6 Example for Configuring an ISATAP Tunnel

Network Requirements
As shown in Figure 12-11, an IPv6 host in the IPv4 network running the Windows XP system needs to access the IPv6 network through a border device. Both the IPv6 host and the border device support ISATAP. You therefore need to set up an ISATAP tunnel between the IPv6 host and the border device.

Figure 12-11 Networking diagram of the ISATAP tunnel
[Figure: IPv6 host (3001::2) in the IPv6 network; ISATAP router with GE1/0/0 3001::1/64 and GE2/0/0 2.1.1.1/8; ISATAP host (2.1.1.2, FE80::5EFE:0201:0102, 2001::5EFE:0201:0102) in the IPv4 network]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv4/IPv6 dual protocol stacks.
2. Configure an ISATAP tunnel.
3. Configure static routes from the IPv6 host to the ISATAP host.

Data Preparation
To complete the configuration, you need the following data:
- IPv4 or IPv6 addresses of interfaces
- Source interface of the tunnel

Procedure
Step 1 Configure the ISATAP device.
# Enable IPv4/IPv6 dual protocol stacks and configure an IP address for each interface.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] ipv6
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ipv6 enable
[Router-GigabitEthernet1/0/0] ipv6 address 3001::1/64
[Router-GigabitEthernet1/0/0] undo shutdown
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 2.1.1.1 255.0.0.0
[Router-GigabitEthernet2/0/0] undo shutdown
[Router-GigabitEthernet2/0/0] quit
# Configure an ISATAP tunnel.
[Router] interface tunnel 2/0/0
[Router-Tunnel2/0/0] tunnel-protocol ipv6-ipv4 isatap
[Router-Tunnel2/0/0] ipv6 enable
[Router-Tunnel2/0/0] ipv6 address 2001::/64 eui-64
[Router-Tunnel2/0/0] source 2.1.1.1
[Router-Tunnel2/0/0] undo ipv6 nd ra halt
[Router-Tunnel2/0/0] quit

Step 2 Configure the ISATAP host.
# Configure a static route to the border device. (The pseudo interface number of the host is 2. You can run the ipv6 if command to view the interface corresponding to the automatic tunneling pseudo interface.)
C:\> ipv6 rlu 2 2.1.1.1

Step 3 Configure the IPv6 host.
# Configure a static route on the IPv6 host to the border device, so that hosts in different networks can communicate through the ISATAP tunnel.
C:\> ipv6 rtu 2001::/64 6/3001::1

Step 4 Verify the configuration.
Check the status of Tunnel 2/0/0 on the ISATAP device and confirm that it is Up.
[Router] display ipv6 interface tunnel 2/0/0
Tunnel2/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::5EFE:201:101
  Global unicast address(es):
    2001::5EFE:201:101, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF01:101
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisement max interval 600 seconds, min interval 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses
# On the ISATAP device, ping the global unicast IP address of the tunnel interface on the ISATAP host.
[Router] ping ipv6 2001::5efe:2.1.1.2
  PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
    Reply from 2001::5EFE:201:102
    bytes=56 Sequence=1 hop limit=64 time = 4 ms
    Reply from 2001::5EFE:201:102
    bytes=56 Sequence=2 hop limit=64 time = 3 ms
    Reply from 2001::5EFE:201:102
    bytes=56 Sequence=3 hop limit=64 time = 2 ms
    Reply from 2001::5EFE:201:102
    bytes=56 Sequence=4 hop limit=64 time = 2 ms
    Reply from 2001::5EFE:201:102
    bytes=56 Sequence=5 hop limit=64 time = 2 ms
  --- 2001::5efe:2.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/4 ms
# On the ISATAP host, ping the global unicast IP address of the ISATAP device.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1
from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Ping statistics for 2001::5efe:2.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
# The ISATAP host can ping through the IPv6 host.
C:\> ping6 3001::2
Pinging 3001::2 with 32 bytes of data:
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Ping statistics for 3001::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
----End

Configuration Files
The configuration file of the ISATAP device is as follows:
#
sysname ISATAP
#
ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 3001::1/64
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 2.1.1.1 255.0.0.0
#
interface Tunnel2/0/0
 ipv6 enable
 ipv6 address 2001::/64 eui-64
 undo ipv6 nd ra halt
 tunnel-protocol ipv6-ipv4 isatap
 source 2.1.1.1
#
return

12.6.7 Example for Configuring 6PE

Networking Requirements
As shown in Figure 12-12, PE1 and PE2 support the 6PE features, and CE1 and CE2 support the IPv6 protocol. IPv4 IBGP connections need to be established between PEs in the IPv4/MPLS network. Run the OSPF protocol in the IPv4/MPLS network. CEs are in the IPv6 networks. Using IPv6 addresses, CEs exchange routing information with PEs along the static routes.
It is required to use the 6PE feature to connect the IPv6 networks of the user over the IPv4/MPLS network of the ISP.

Figure 12-12 Networking diagram of 6PE
[Figure: CE1 (POS1/0/0 3000:435::2/64) in an IPv6 customer site connects to PE1 (POS1/0/0 3000:435::1/64, POS2/0/0 4.3.5.1/24); PE1 connects across the IPv4/MPLS network to PE2 (POS2/0/0 4.3.5.2/24, POS1/0/0 3000:1065::1/64); PE2 connects to CE2 (POS1/0/0 3000:1065::2/64) in an IPv6 customer site]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.
2. Configure 6PE and enable MPLS capability.
3. Configure the 6PE peer.
4. Configure an IPv6 address for the interface and a static route on CE.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of interfaces
- LSR ID

Procedure
Step 1 Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.
# Configure PE1 and enable its IPv6 capability.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] ipv6
# Configure PE2 and enable its IPv6 capability.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] ipv6
# Configure an IPv6 address for POS 1/0/0 on PE1 and an IP address for loopback0.
[PE1] interface pos 1/0/0
[PE1-Pos1/0/0] ipv6 enable
[PE1-Pos1/0/0] ipv6 address 3000:435::1 64
[PE1-Pos1/0/0] undo shutdown
[PE1-Pos1/0/0] quit
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 255.255.255.255
[PE1-LoopBack0] quit
# Configure an IPv6 address for POS 1/0/0 on PE2 and an IP address for loopback0.
[PE2] interface pos 1/0/0
[PE2-Pos1/0/0] ipv6 enable
[PE2-Pos1/0/0] ipv6 address 3000:1065::1 64
[PE2-Pos1/0/0] undo shutdown
[PE2-Pos1/0/0] quit
[PE2] interface loopback 0
[PE2-LoopBack0] ip address 2.2.2.9 255.255.255.255
[PE2-LoopBack0] quit

Step 2 Configure 6PE and enable MPLS capability.
# Configure an IP address for POS 2/0/0 on PE1 and enable MPLS and LDP on it.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
Mpls starting, please wait... OK!
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface pos 2/0/0
[PE1-Pos2/0/0] ip address 4.3.5.1 255.255.255.0
[PE1-Pos2/0/0] mpls
[PE1-Pos2/0/0] mpls ldp
[PE1-Pos2/0/0] undo shutdown
[PE1-Pos2/0/0] quit
# Configure an IP address for POS 2/0/0 on PE2 and enable MPLS and LDP on it.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
Mpls starting, please wait... OK!
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface pos 2/0/0
[PE2-Pos2/0/0] ip address 4.3.5.2 255.255.255.0
[PE2-Pos2/0/0] mpls
[PE2-Pos2/0/0] mpls ldp
[PE2-Pos2/0/0] undo shutdown
[PE2-Pos2/0/0] quit
# Configure OSPF on PE1 and trigger the setup of LSPs.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure OSPF on PE2 and trigger the setup of LSPs.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

Step 3 Configure the 6PE peer.
# Configure IBGP on PE1 and enable 6PE capability on the peer and import IPv6 direct routes and static routes from each other.
[PE1] bgp 65100
[PE1-bgp] peer 2.2.2.9 as-number 65100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0
[PE1-bgp] ipv6-family
[PE1-bgp-af-ipv6] import-route direct
[PE1-bgp-af-ipv6] import-route static
[PE1-bgp-af-ipv6] peer 2.2.2.9 enable
[PE1-bgp-af-ipv6] peer 2.2.2.9 label-route-capability
[PE1-bgp-af-ipv6] quit
[PE1-bgp] quit
# Configure IBGP on PE2 and enable 6PE capability on the peer and import IPv6 direct routes and static routes from each other.
[PE2] bgp 65100
[PE2-bgp] peer 1.1.1.9 as-number 65100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0
[PE2-bgp] ipv6-family
[PE2-bgp-af-ipv6] import-route direct
[PE2-bgp-af-ipv6] import-route static
[PE2-bgp-af-ipv6] peer 1.1.1.9 enable
[PE2-bgp-af-ipv6] peer 1.1.1.9 label-route-capability
[PE2-bgp-af-ipv6] quit
[PE2-bgp] quit

Step 4 Configure an IPv6 address for the interface and a static route on CE.
# Configure CE1 and set up an IPv6 connection between CE1 and PE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] ipv6
[CE1] interface pos 1/0/0
[CE1-Pos1/0/0] ipv6 enable
[CE1-Pos1/0/0] ipv6 address 3000:435::2 64
[CE1-Pos1/0/0] undo shutdown
[CE1-Pos1/0/0] quit
[CE1] ipv6 route-static :: 0 pos 1/0/0
# Configure CE2 and set up an IPv6 connection between CE2 and PE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] ipv6
[CE2] interface pos 1/0/0
[CE2-Pos1/0/0] ipv6 enable
[CE2-Pos1/0/0] ipv6 address 3000:1065::2 64
[CE2-Pos1/0/0] undo shutdown
[CE2-Pos1/0/0] quit
[CE2] ipv6 route-static :: 0 pos 1/0/0

Step 5 Verify the configuration.
# Display the LSP information on PE1.
[PE1] display mpls lsp
----------------------------------------------------------
                 LSP Information: LDP LSP
----------------------------------------------------------
FEC                In/Out Label  In/Out IF          Vrf Name
2.2.2.9/32         NULL/3        -/Pos2/0/0
2.2.2.9/32         3/NULL        -/-
----------------------------------------------------------
                 LSP Information: BGP IPV6 LSP
----------------------------------------------------------
FEC           :  3000:435::/64
In Label      :  109568          Out Label    : -----
In Interface  :  -----           OutInterface : -----
Vrf Name      :
# Display the IPv6 routing information on PE1.
[PE1] display bgp ipv6 routing-table
 Total Number of Routes: 5
 BGP Local router ID is 1.1.1.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 *>  Network  : ::1                             PrefixLen : 128
     NextHop  : ::                              LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    :
     Path/Ogn : ?
 *>  Network  : 3000:435::                      PrefixLen : 64
     NextHop  : ::                              LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    : NULL/109568
     Path/Ogn : ?
 *>  Network  : 3000:435::1                     PrefixLen : 128
     NextHop  : ::                              LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    :
     Path/Ogn : ?
 *>i Network  : 3000:1065::                     PrefixLen : 64
     NextHop  : ::FFFF:2.2.2.9                  LocPrf    : 100
     MED      : 0                               PrefVal   : 0
     Label    : 109568/NULL
     Path/Ogn : ?
 *>  Network  : FE80::                          PrefixLen : 10
     NextHop  : ::                              LocPrf    :
     MED      : 0                               PrefVal   : 0
     Label    :
     Path/Ogn : ?
# CE1 can ping through the IPv6 address of CE2.
[CE1] ping ipv6 3000:1065::2
  PING 3000:1065::2 : 56 data bytes, press CTRL_C to break
    Reply from 3000:1065::2
    bytes=56 Sequence=1 hop limit=63 time = 50 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=2 hop limit=63 time = 1 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=3 hop limit=63 time = 1 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=4 hop limit=63 time = 1 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=5 hop limit=63 time = 1 ms
  --- 3000:1065::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/10/50 ms
----End

Configuration Files
- Configuration file of PE1
#
sysname PE1
#
ipv6
#
mpls lsr-id 1.1.1.9
mpls
 lsp-trigger all
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:435::1/64
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 4.3.5.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 1.1.1.9 255.255.255.255
#
bgp 65100
 peer 2.2.2.9 as-number 65100
 peer 2.2.2.9 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv6-family
  undo synchronization
  import-route direct
  import-route static
  peer 2.2.2.9 enable
  peer 2.2.2.9 label-route-capability
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 4.3.5.0 0.0.0.255
#
return

- Configuration file of PE2
#
sysname PE2
#
ipv6
#
mpls lsr-id 2.2.2.9
mpls
 lsp-trigger all
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:1065::1/64
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 4.3.5.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 2.2.2.9 255.255.255.255
#
bgp 65100
 peer 1.1.1.9 as-number 65100
 peer 1.1.1.9 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv6-family
  undo synchronization
  import-route direct
  import-route static
  peer 1.1.1.9 enable
  peer 1.1.1.9 label-route-capability
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 4.3.5.0 0.0.0.255
#
return

- Configuration file of CE1
#
sysname CE1
#
ipv6
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:435::2/64
#
ipv6 route-static :: 0 Pos1/0/0
#
return

- Configuration file of CE2
#
sysname CE2
#
ipv6
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:1065::2/64
#
ipv6 route-static :: 0 Pos1/0/0
#
return
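The 6to4 and ISATAP examples in 12.6.5 and 12.6.6 both embed the tunnel source IPv4 address in the IPv6 address (2002:0201:0101::/48 for source 2.1.1.1, interface ID ::5EFE:0201:0102 for 2.1.1.2). The following Python audit is an added example, not part of the Huawei guide: it derives those addresses, recovers the IPv4 endpoint behind a tunnel address seen in a log, and flags tunnel interfaces whose IPv6 address does not match their source. The function names are assumptions of the example, and the sample configuration is constructed from the configuration files above, with Tunnel 3/0/0 and Tunnel 4/0/0 added as failure cases.

```python
import ipaddress
import re

def sixtofour_prefix(v4):
    """Return the 2002:V4ADDR::/48 prefix that belongs to a 6to4 tunnel source."""
    base = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((base, 48))

def isatap_address(prefix, v4):
    """Return prefix + ISATAP interface ID ::5EFE:a.b.c.d (what eui-64 yields)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_ipv4(v6):
    """Return (kind, IPv4Address) for a 6to4 or ISATAP address, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr.sixtofour is not None:
        return ("6to4", addr.sixtofour)
    low64 = int(addr) & 0xFFFFFFFFFFFFFFFF
    if (low64 >> 32) in (0x00005EFE, 0x02005EFE):
        return ("isatap", ipaddress.IPv4Address(low64 & 0xFFFFFFFF))
    return None

def audit_tunnels(config_text):
    """Check every 6to4/ISATAP tunnel interface block against its source."""
    findings = []
    for block in re.split(r"(?m)^#[ \t]*$", config_text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].lower().startswith("interface tunnel"):
            continue
        name = lines[0].split(None, 1)[1].replace(" ", "")
        mode = source = v6 = None
        eui64 = False
        for ln in lines[1:]:
            tok = ln.split()
            if tok[:2] == ["tunnel-protocol", "ipv6-ipv4"] and len(tok) == 3:
                mode = tok[2]
            elif tok[0] == "source" and len(tok) == 2:
                source = tok[1]
            elif tok[:2] == ["ipv6", "address"] and len(tok) >= 3:
                v6, eui64 = tok[2], "eui-64" in tok[3:]
        if mode not in ("6to4", "isatap"):
            continue
        try:
            src = ipaddress.IPv4Address(source or "")
        except ValueError:
            # e.g. "source Pos1/0/0": the interface address must be looked up first.
            findings.append((name, "unresolved", f"source {source!r} is not an IPv4 literal"))
            continue
        if v6 is None:
            findings.append((name, "unresolved", "no ipv6 address configured"))
        elif mode == "6to4":
            want = sixtofour_prefix(src)
            ok = ipaddress.IPv6Interface(v6).ip in want
            findings.append((name, "ok" if ok else "mismatch", f"expected prefix {want}"))
        elif eui64:
            findings.append((name, "ok", f"derived address {isatap_address(v6, src)}"))
        else:
            ok = embedded_ipv4(ipaddress.IPv6Interface(v6).ip) == ("isatap", src)
            findings.append((name, "ok" if ok else "mismatch", f"expected interface ID ::5efe:{src}"))
    return findings

# Constructed sample: Tunnel 1/0/0 and 2/0/0 follow the configuration files above,
# Tunnel 3/0/0 uses an interface name as source, Tunnel 4/0/0 has a wrong source.
SAMPLE_CONFIG = """#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
interface Tunnel2/0/0
 ipv6 enable
 ipv6 address 2001::/64 eui-64
 undo ipv6 nd ra halt
 tunnel-protocol ipv6-ipv4 isatap
 source 2.1.1.1
#
interface Tunnel 3/0/0
 ipv6 address 2002:201:102::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source Pos1/0/0
#
interface Tunnel 4/0/0
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.9
#
return
"""

if __name__ == "__main__":
    for finding in audit_tunnels(SAMPLE_CONFIG):
        print(*finding, sep=": ")
    print(embedded_ipv4("2001::5efe:2.1.1.2"))
```
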
13 IPv4 over IPv6 Tunnel Configuration

About This Chapter
This chapter describes the fundamentals, configuration steps, and typical examples of IPv4 over IPv6 tunnel.

13.1 IPv4 over IPv6 Tunnel Overview
This section describes the basic principles and concepts of IPv4 over IPv6.
13.2 Configuring an IPv4 over IPv6 Tunnel
This section describes how to configure an IPv4 over IPv6 tunnel.
13.3 Maintaining IPv4 over IPv6 Tunnels
This section describes how to debug IPv4 over IPv6 tunnels.
13.4 Configuration Examples
This section provides a configuration example of IPv4 over IPv6 tunnels.

13.1 IPv4 over IPv6 Tunnel Overview
This section describes the basic principles and concepts of IPv4 over IPv6.
13.1.1 Introduction to IPv4 over IPv6
13.1.2 IPv4 over IPv6 Supported by the NE80E/40E

13.1.1 Introduction to IPv4 over IPv6
During the transition from the IPv4 Internet to the IPv6 Internet, IPv6 networks have been widely deployed, whereas IPv4 networks are isolated. The tunnel technology can be adopted to establish tunnels over IPv6 networks to connect isolated IPv4 networks. This is similar to the situation where the tunnel technology is used to deploy VPNs on IP networks. The tunnel used to connect isolated IPv4 networks over IPv6 networks is called an IPv4 over IPv6 tunnel.

13.1.2 IPv4 over IPv6 Supported by the NE80E/40E
The NE80E/40E supports the enabling of IPv4 and IPv6 protocol stacks on the devices at the border of IPv6 and IPv4 networks.
Figure 13-1 Networking diagram of an IPv4 over IPv6 tunnel
[Figure: two IPv4 networks, each with an IPv4 host, are attached through dual stack routers to an IPv6 network; an IPv4 over IPv6 tunnel runs between the two dual stack routers. Packets carry IPv4 Header + IPv4 Payload in the IPv4 networks and IPv6 Header + IPv4 Header + IPv4 Payload inside the tunnel.]

Figure 13-1 shows the principles of the IPv4 over IPv6 tunnel technology.
1. Enabling IPv4/IPv6 dual stacks
   Enable IPv4 and IPv6 protocol stacks on the border device.
2. Encapsulating IPv6 packets
   After receiving a packet from the IPv4 network, the border device checks its destination. If the packet is not destined for the device itself, the device takes the received IPv4 packet as the payload, adds an IPv6 packet header before the payload, and so encapsulates it into an IPv6 packet.
3. Transmitting the encapsulated packet
   In the IPv6 network, the encapsulated packet is transmitted to the peer border device.
4. Decapsulating the packet
   The peer border device decapsulates the packet, removes the IPv6 packet header, and forwards the decapsulated IPv4 packet to the remote IPv4 network.

13.2 Configuring an IPv4 over IPv6 Tunnel
This section describes how to configure an IPv4 over IPv6 tunnel.
13.2.1 Establishing the Configuration Task
13.2.2 Configuring a Tunnel Interface
13.2.3 Configuring Routes in the Tunnel
13.2.4 Configuring Other Items for an IPv4 over IPv6 Tunnel
13.2.5 Checking the Configuration

13.2.1 Establishing the Configuration Task

Applicable Environment
To implement communication between IPv4 networks over the IPv6 network, configure an IPv4 over IPv6 tunnel on the border device of IPv4 and IPv6 networks.
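The encapsulation and decapsulation steps of 13.1.2 at byte level, as an added Python example that is not part of the Huawei guide. It assumes a bare 40-byte IPv6 header with Next Header 4 and no extension headers, uses the guide's 13.2.4 defaults for traffic class, flow label and hop limit (0, 0, 64), takes its sample addresses from the example in 13.4.1, and adds exit-side checks of the outer addresses and the inner header that the guide does not describe.

```python
import ipaddress
import struct

NEXT_HEADER_IPV4 = 4    # IPv6 Next Header value for an encapsulated IPv4 packet
IPV6_HEADER_LEN = 40

def ipv4_checksum(header):
    """One's-complement header checksum; returns 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, payload, proto=17, ttl=64):
    """Constructed sample input: a minimal 20-byte IPv4 header plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def encapsulate(ipv4_packet, src6, dst6, traffic_class=0, flow_label=0, hop_limit=64):
    """Tunnel entry: the IPv4 packet becomes the payload of a new IPv6 packet."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 packet")
    if len(ipv4_packet) > 0xFFFF:
        raise ValueError("payload does not fit the 16-bit payload length field")
    if not (0 <= traffic_class <= 0xFF and 0 <= flow_label <= 0xFFFFF
            and 1 <= hop_limit <= 255):
        raise ValueError("traffic class, flow label or hop limit out of range")
    # First 32 bits: version (4 bits) | traffic class (8 bits) | flow label (20 bits)
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    fixed = struct.pack("!IHBB", word0, len(ipv4_packet), NEXT_HEADER_IPV4, hop_limit)
    return (fixed + ipaddress.IPv6Address(src6).packed
            + ipaddress.IPv6Address(dst6).packed + ipv4_packet)

def decapsulate(ipv6_packet, local6, peer6):
    """Tunnel exit: validate the outer header, then return the inner IPv4 packet."""
    if len(ipv6_packet) < IPV6_HEADER_LEN + 20:
        raise ValueError("truncated packet")
    word0, payload_len, next_header, _hop = struct.unpack("!IHBB", ipv6_packet[:8])
    src = ipaddress.IPv6Address(ipv6_packet[8:24])
    dst = ipaddress.IPv6Address(ipv6_packet[24:40])
    if word0 >> 28 != 6 or next_header != NEXT_HEADER_IPV4:
        raise ValueError("not an IPv4 over IPv6 packet")
    # Only the configured peer may feed packets into the IPv4 side of the tunnel.
    if src != ipaddress.IPv6Address(peer6) or dst != ipaddress.IPv6Address(local6):
        raise ValueError("outer addresses do not match the configured tunnel")
    inner = ipv6_packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len]
    if len(inner) != payload_len or payload_len < 20:
        raise ValueError("payload length field does not match the packet")
    ihl = (inner[0] & 0x0F) * 4
    total_len = struct.unpack("!H", inner[2:4])[0]
    if inner[0] >> 4 != 4 or ihl < 20 or not ihl <= total_len <= payload_len:
        raise ValueError("malformed inner IPv4 header")
    if ipv4_checksum(inner[:ihl]) != 0:
        raise ValueError("inner IPv4 header checksum failed")
    return inner[:total_len]

if __name__ == "__main__":
    # Router 1 (10.1.2.2) to Router 5 (10.1.3.2), tunnelled from 2::2 to 4::4.
    inner = build_ipv4("10.1.2.2", "10.1.3.2", b"constructed payload")
    outer = encapsulate(inner, "2::2", "4::4")
    print(len(inner), len(outer), outer[:8].hex())
    print(decapsulate(outer, local6="4::4", peer6="2::2") == inner)
```
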
Pre-configuration Tasks
Before configuring an IPv4 over IPv6 tunnel, complete the following tasks:
- Implementing the IP connectivity between the source and destination interfaces
- Configuring IPv4 and IPv6 protocol stacks

Data Preparation
To configure an IPv4 over IPv6 tunnel, you need the following data.

No.  Data
1    Number of the tunnel interface
2    Source IPv6 address or source interface of the tunnel interface
3    Destination IPv6 address of the tunnel interface
4    IPv4 address of the tunnel interface or the interface from which the IPv4 address is borrowed

13.2.2 Configuring a Tunnel Interface

Context
Do as follows on the routers on both ends of the tunnel:

Procedure
Step 1 Run:
set board-type slot slot-id tunnel
The service mode of the SPUC is set to Tunnel.
Step 2 Run:
system-view
The system view is displayed.
Step 3 Run:
interface tunnel interface-number
The tunnel interface is created and the tunnel interface view is displayed.
The slot number of the created tunnel interface must be the same as that of the SPUC. For instance, when the SPUC is inserted in slot 2, the slot number of the tunnel interface must be 2.
Step 4 Run:
tunnel-protocol ipv4-ipv6
The tunnel is specified as an IPv4 over IPv6 tunnel.
When you configure an IPv4 over IPv6 GRE tunnel, you must run the target-board slot-number command on the loopback interface to bind the SPUC to the 4 over 6 protocol.
Step 5 Run:
source { source-ipv6-address | interface-type interface-number }
The source IPv6 address or source interface of the tunnel interface is specified.
The source address specified by source-ipv6-address must be the IPv6 address of the loopback interface bound to the SPUC through the target-board command; the source interface specified by interface-type interface-number must be the loopback interface bound to the SPUC through the target-board command.
Step 6 Run:
destination ipv6-address
The destination IPv6 address of the tunnel interface is configured.
Step 7 Run one of the following commands to specify the IP address of the tunnel interface:
- Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IPv4 address of the tunnel interface.
- Run the ip address unnumbered interface interface-type interface-number command to configure the tunnel interface to borrow an IPv4 address.
----End

13.2.3 Configuring Routes in the Tunnel

Context
A route whose outgoing interface is the tunnel interface must exist on both the source and destination devices. This ensures that the packets to be encapsulated with the IPv4 over IPv6 tunnel can be correctly forwarded.
Do as follows on the routers on both ends of the tunnel:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Choose one of the following methods to configure the route with the outgoing interface as the tunnel interface:
- Run the ip route-static dest-ipv4-address { mask | mask-length } tunnel interface-number command to configure static routes.
  When configuring static routes, you must configure them on both ends of the tunnel. Note that the destination address is the destination IPv4 address of the packet to be encapsulated with the IPv4 over IPv6 tunnel; the next hop is the local tunnel interface.
- Configure dynamic routes.
  You can use the Border Gateway Protocol (BGP) or the Interior Gateway Protocol (IGP), excluding Intermediate System-to-Intermediate System (IS-IS). Detailed configurations are not mentioned here. When configuring a dynamic routing protocol, you must enable it on the tunnel interface and the interface on the link through which the IPv4 network is connected to the IPv6 network.
----End

13.2.4 Configuring Other Items for an IPv4 over IPv6 Tunnel

Context
Do as follows on the routers on both ends of the tunnel:

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface view is displayed.
Step 3 Run:
tunnel ipv4-ipv6 flow-label label-value
The flow label value is set.
By default, the flow label value is 0.
Step 4 Run:
tunnel ipv4-ipv6 hop-limit hop-limit
The hop limit is set.
By default, the hop limit is set to 64.
Step 5 Run:
tunnel ipv4-ipv6 traffic-class { original | class-value }
The traffic level is set.
By default, the traffic level is 0.
----End

13.2.5 Checking the Configuration

Prerequisite
The configurations of the IPv4 over IPv6 Tunnel function are complete.

Procedure
- Run the display device slot-id command to check whether the service mode of the SPUC is Tunnel.
- Run the display interface tunnel [ interface-number ] command to check the working status of the tunnel interface.
- Run the display ip routing-table command to check the routing table.
----End

Example
If the service mode of the SPUC is Tunnel, run the display device 3 command, and you can view that the type of the SPUC on the router is displayed as General.
<HUAWEI> display device 3
SPU3's detail information:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Description:            Line Processing Unit - General
Board status:           Normal
Register:               Registered
Uptime:                 2009/02/26 18:33:23
CPU Utilization(%):     3%
Mem Usage(%):           19%
Clock information:
  State item                  State
  Current syn-clock:          17
  Current line-clock:         23
  Syn-clock state:            Locked VCXO_OK REF_OK
  Syn-clock 17 state:         Actived
  Syn-clock 18 state:         Inactived
  Line-clock 23 state:        Inactived
  Line-clock 24 state:        Inactived
Statistic information:
  Statistic item              Statistic number
  SERDES interface link lost: 0
  Mpu switchs:                0
  Syn-clock switchs:          0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Run the display interface tunnel command. If the status of the tunnel interface is Up, it means that the configuration succeeds. For example:
<HUAWEI> display interface tunnel 2/0/0
Tunnel2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-11-16, 12:26:17
Description : Tunnel2/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1452 bytes
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPV4) over IPv6
Tunnel Source 2001::1 (Pos2/0/0)
Tunnel Destination 2002::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
    5 minutes input rate 10 bits/sec, 0 packets/sec
    5 minutes output rate 14 bits/sec, 0 packets/sec
    493 packets input, 38480 bytes
    0 input error
    447 packets output, 53144 bytes
    0 output error

Run the display ip routing-table command. If the route with the outgoing interface as the tunnel interface is displayed in the IPv4 routing table, it means that the configuration succeeds.
For example:
<HUAWEI> display ip routing-table
Routing Tables: Public
         Destinations : 11       Routes : 11
Destination/Mask    Proto   Pre  Cost   NextHop      Interface
10.1.1.0/24         Direct  0    0      10.1.1.2     GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0      127.0.0.1    InLoopBack0
10.2.1.0/24         Static  60   0      40.1.1.1     Tunnel2/0/0
20.1.1.0/24         Direct  0    0      20.1.1.1     Pos2/0/0
20.1.1.1/32         Direct  0    0      127.0.0.1    InLoopBack0
20.1.1.2/32         Direct  0    0      20.1.1.2     Pos1/0/0
30.1.1.0/24         OSPF    10   3124   20.1.1.2     Pos1/0/0
40.1.1.0/24         Direct  0    0      40.1.1.1     Tunnel2/0/0
40.1.1.1/32         Direct  0    0      127.0.0.1    InLoopBack0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoopBack0

Run the ping -a source-ipv4-address dest-ipv4-address command. The local tunnel interface can ping through the destination tunnel interface.

13.3 Maintaining IPv4 over IPv6 Tunnels
This section describes how to debug IPv4 over IPv6 tunnels.
13.3.1 Monitoring the Operation Status of IPv4 over IPv6 Tunnel

13.3.1 Monitoring the Operation Status of IPv4 over IPv6 Tunnel

Context
In routine maintenance, you can run the following command in any view to check the operation of IPv4 over IPv6 tunnel.

Procedure
- Run the display interface tunnel [ interface-number ] [ | { begin | exclude | include } regular-expression ] command in any view to check the operation status of the tunnel interface.
- Run the display interface tunnel interface-number command in any view to check the IPv4 attributes of the tunnel interface.
----End

13.4 Configuration Examples
This section provides a configuration example of IPv4 over IPv6 tunnels.
13.4.1 Example for Configuring an IPv4 over IPv6 Tunnel

13.4.1 Example for Configuring an IPv4 over IPv6 Tunnel

Networking Requirements

Figure 13-2 Networking diagram of an IPv4 over IPv6 tunnel
[Figure: RT1 (POS1/0/0 10.1.2.2/30) in an IPv4 network connects to RT2 (POS1/0/0 10.1.2.1/30, POS2/0/0 2001::1/64); across the IPv6 network, RT2 connects to RT3 (POS1/0/0 2001::2/64, POS2/0/0 2002::1/64), which connects to RT4 (POS1/0/0 2002::2/64, POS2/0/0 10.1.3.1/30); RT4 connects to RT5 (POS1/0/0 10.1.3.2/30) in an IPv4 network]

As shown in Figure 13-2, two IPv4 networks are connected to the IPv6 network respectively through Router 1 and Router 5. Border devices Router 2 and Router 4 of the IPv6 network support IPv4 and IPv6 dual stacks. To enable communication between the two IPv4 networks, configure an IPv4 over IPv6 tunnel between Router 2 and Router 4.

NOTE
- An IPv4 over IPv6 tunnel does not support IS-IS.
- When configuring an IPv4 over IPv6 tunnel, you must set the service mode of the SPUC to Tunnel. In addition, you must bind the SPUC to the tunnel.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4 over IPv6 tunnel on the border devices on both ends of the IPv6 network.
2. Configure the route with the outgoing interface as the tunnel interface by adopting the dynamic routing protocol.

Data Preparation
To complete the configuration, you need the following data:
- Routing protocols applied to the IPv6 and IPv4 networks
- Source and destination IPv6 addresses of the tunnel
- IPv4 address of the tunnel interface

Procedure
Step 1 Configure the IPv6 address of the physical interface and IS-ISv6 of the IPv6 network to implement the connectivity of the IPv6 network.
# Configure Router 2.
<HUAWEI> system-view
[HUAWEI] sysname Router2
[Router2] ipv6
[Router2] interface pos 2/0/0
[Router2-Pos2/0/0] ipv6 enable
[Router2-Pos2/0/0] ipv6 address 2001::1 64
[Router2-Pos2/0/0] undo shutdown
[Router2-Pos2/0/0] quit
[Router2] isis 1
[Router2-isis-1] network-entity 10.0000.0000.0001.00
[Router2-isis-1] ipv6 enable topology standard
[Router2-isis-1] quit
[Router2] interface pos 2/0/0
[Router2-Pos2/0/0] isis ipv6 enable 1
[Router2-Pos2/0/0] quit
# Create a loopback interface, assign an IPv6 address to it, and enable IS-ISv6.
[Router2] interface Loopback 1
[Router2-LoopBack1] ipv6 enable
[Router2-LoopBack1] ipv6 address 2::2 64
[Router2-LoopBack1] isis ipv6 enable 1
[Router2-LoopBack1] quit
# Configure Router 3.
<HUAWEI> system-view
[HUAWEI] sysname Router3
[Router3] ipv6
[Router3] interface pos 1/0/0
[Router3-Pos1/0/0] ipv6 enable
[Router3-Pos1/0/0] ipv6 address 2001::2 64
[Router3-Pos1/0/0] undo shutdown
[Router3-Pos1/0/0] quit
[Router3] interface pos 2/0/0
[Router3-Pos2/0/0] ipv6 enable
[Router3-Pos2/0/0] ipv6 address 2002::1 64
[Router3-Pos2/0/0] undo shutdown
[Router3-Pos2/0/0] quit
[Router3] isis 1
[Router3-isis-1] network-entity 10.0000.0000.0002.00
[Router3-isis-1] ipv6 enable topology standard
[Router3-isis-1] quit
[Router3] interface pos 1/0/0
[Router3-Pos1/0/0] isis ipv6 enable 1
[Router3-Pos1/0/0] quit
[Router3] interface pos 2/0/0
[Router3-Pos2/0/0] isis ipv6 enable 1
[Router3-Pos2/0/0] quit
# Configure Router 4.
<HUAWEI> system-view
[HUAWEI] sysname Router4
[Router4] ipv6
[Router4] interface pos 1/0/0
[Router4-Pos1/0/0] ipv6 enable
[Router4-Pos1/0/0] ipv6 address 2002::2 64
[Router4-Pos1/0/0] undo shutdown
[Router4-Pos1/0/0] quit
[Router4] isis 1
[Router4-isis-1] network-entity 10.0000.0000.0003.00
[Router4-isis-1] ipv6 enable topology standard
[Router4-isis-1] quit
[Router4] interface pos 1/0/0
[Router4-Pos1/0/0] isis ipv6 enable 1
[Router4-Pos1/0/0] quit

# Create a loopback interface, assign an IPv6 address to it, and enable IS-ISv6.
[Router4] interface Loopback 1
[Router4-LoopBack1] ipv6 enable
[Router4-LoopBack1] ipv6 address 4::4 64
[Router4-LoopBack1] isis ipv6 enable 1
[Router4-LoopBack1] quit

Step 2 Configure the IPv4 addresses of the physical interfaces and OSPF on the IPv4 networks to implement connectivity of the IPv4 networks.

# Configure Router 1.
<HUAWEI> system-view
[HUAWEI] sysname Router1
[Router1] interface pos 1/0/0
[Router1-Pos1/0/0] ip address 10.1.2.2 30
[Router1-Pos1/0/0] undo shutdown
[Router1-Pos1/0/0] quit
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure Router 2.
<Router2> system-view
[Router2] interface pos 1/0/0
[Router2-Pos1/0/0] ip address 10.1.2.1 30
[Router2-Pos1/0/0] undo shutdown
[Router2-Pos1/0/0] quit
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure Router 4.
<Router4> system-view
[Router4] interface pos 2/0/0
[Router4-Pos2/0/0] ip address 10.1.3.1 30
[Router4-Pos2/0/0] quit
[Router4] ospf 1
[Router4-ospf-1] area 0
[Router4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

# Configure Router 5.
<HUAWEI> system-view
[HUAWEI] sysname Router5
[Router5] interface pos 1/0/0
[Router5-Pos1/0/0] ip address 10.1.3.2 30
[Router5-Pos1/0/0] undo shutdown
[Router5-Pos1/0/0] quit
[Router5] ospf 1
[Router5-ospf-1] area 0
[Router5-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

Step 3 Configure the tunnel interface.

# Create a tunnel interface and configure the IPv4 address, source IPv6 address (or source interface), and destination IPv6 address of the tunnel interface. Bind the SPUC to the tunnel.

NOTE
The device supports the tunnel binding only on the loopback interface.

# Configure Router 2.
<Router2> set board-type slot 6 tunnel
<Router2> system-view
[Router2] interface Loopback 1
[Router2-LoopBack1] target-board 6
[Router2-LoopBack1] binding tunnel ipv4-ipv6
[Router2-LoopBack1] quit
[Router2] interface tunnel 6/0/0
[Router2-Tunnel6/0/0] tunnel-protocol ipv4-ipv6
[Router2-Tunnel6/0/0] ip address 10.1.1.1 30
[Router2-Tunnel6/0/0] source loopback1
[Router2-Tunnel6/0/0] destination 4::4

# Configure Router 4.
<Router4> set board-type slot 6 tunnel
<Router4> system-view
[Router4] interface Loopback 1
[Router4-LoopBack1] target-board 6
[Router4-LoopBack1] binding tunnel ipv4-ipv6
[Router4-LoopBack1] quit
[Router4] interface tunnel 6/0/0
[Router4-Tunnel6/0/0] tunnel-protocol ipv4-ipv6
[Router4-Tunnel6/0/0] ip address 10.1.1.2 30
[Router4-Tunnel6/0/0] source loopback1
[Router4-Tunnel6/0/0] destination 2::2

Step 4 Configure the route with the outgoing interface as the tunnel interface.

# Configure Router 2.
<Router2> system-view
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit

# Configure Router 4.
<Router4> system-view
[Router4] ospf 1
[Router4-ospf-1] area 0
[Router4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3

Step 5 Verify the configuration.

After the configuration, check the tunnel interface on Router 2 and Router 4. The protocol status of the tunnel interface is Up.

[Router2] display interface tunnel 6/0/0
Tunnel6/0/0 current state : UP
Line protocol current state : UP
Last up time: 2007-11-16, 12:26:17
Description : Tunnel2/0/0 Interface, Route Port
The Maximum Transmit Unit is 1452 bytes
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPV4) over IPv6
Tunnel Source 2001::1 (Pos2/0/0)
Tunnel Destination 2002::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
5 minutes input rate 10 bits/sec, 0 packets/sec
5 minutes output rate 14 bits/sec, 0 packets/sec
493 packets input, 38480 bytes
0 input error
447 packets output, 53144 bytes
0 output error

On Router 2 and Router 4, check the IPv4 routing table. The outgoing interfaces to the remote IPv4 network are tunnel interfaces.

[Router2] display ip routing-table
Routing Tables: Public
Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost  NextHop     Interface
1.1.1.1/32          Direct  0    0     127.0.0.1   InLoopBack0
10.1.1.0/30         Direct  0    0     10.1.1.1    Tunnel2/0/0
10.1.1.1/32         Direct  0    0     127.0.0.1   InLoopBack0
10.1.2.0/30         Direct  0    0     10.1.2.1    Pos1/0/0
10.1.2.1/32         Direct  0    0     127.0.0.1   InLoopBack0
10.1.2.2/32         Direct  0    0     10.1.2.2    Pos1/0/0
10.1.3.0/24         OSPF    10   2     10.1.1.2    Tunnel2/0/0
127.0.0.0/8         Direct  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32        Direct  0    0     127.0.0.1   InLoopBack0

Router 1 and Router 5 can ping each other.

----End

Configuration Files

- Configuration file of Router 1
#
 sysname Router1
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.2.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.3
#
return

- Configuration file of Router 2
#
 sysname Router2
#
 ipv6
#
isis 1
 network-entity 10.0000.0000.0001.00
 #
 ipv6 enable topology standard
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.2.1 255.255.255.252
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 enable
 ipv6 address 2001::1/64
 isis ipv6 enable 1
#
interface LoopBack1
 ipv6 enable
 ipv6 address 2::2 64
 isis ipv6 enable 1
 target-board 6
 binding tunnel ipv4-ipv6
#
interface Tunnel6/0/0
 ip address 10.1.1.1 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source loopback 1
 destination 4::4
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.3
  network 10.1.1.0 0.0.0.3
#
return

- Configuration file of Router 3
#
 sysname Router3
#
 ipv6
#
isis 1
 network-entity 10.0000.0000.0002.00
 #
 ipv6 enable topology standard
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 2001::2/64
 isis ipv6 enable 1
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 2002::1/64
 isis ipv6 enable 1
#
return

- Configuration file of Router 4
#
 sysname Router4
#
 ipv6
#
isis 1
 network-entity 10.0000.0000.0003.00
 #
 ipv6 enable topology standard
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 enable
 ipv6 address 2002::2/64
 isis ipv6 enable 1
#
interface Pos2/0/0
 link-protocol ppp
 ip address 10.1.3.1 255.255.255.252
#
interface LoopBack1
 ipv6 enable
 ipv6 address 4::4 64
 isis ipv6 enable 1
 target-board 6
 binding tunnel ipv4-ipv6
#
interface Tunnel6/0/0
 ip address 10.1.1.2 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source loopback 1
 destination 2::2
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.1.3.0 0.0.0.3
#
return

- Configuration file of Router 5
#
 sysname Router5
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.3.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.3.0 0.0.0.3
#
return

A Glossary

This appendix lists the terms frequently used in this document.

A

Access Control List
  A list composed of multiple sequential permit/deny statements. In a firewall, after an ACL is applied to an interface on the device, the device decides which packets can be forwarded and which packets should be denied. In QoS, an ACL is used to classify traffic.

Acknowledge
  To confirm an action. The acknowledgement (ACK) message is sent from one device to another.

Address Resolution Protocol
  A protocol used to map an IP address to a MAC address, as defined in RFC 826.

ATM
  Asynchronous Transfer Mode. It is a data transmission technology in which data (files, voice and video) is transferred in cells with a fixed length (53 bytes).
  The fixed length allows the cells to be processed by hardware. The objective of ATM is to make good use of high-speed transmission media such as E3, SONET and T3.

B

Broadcast
  To send packets to all ports of the nodes in the network.

D

Domain name
  A name composed of numbers or characters. Each domain name corresponds to an IP address.

Dotted decimal notation
  A format of IP address. An IP address in this format is separated into four parts by dots ("."), with each part written as a decimal number.

E

Ethernet
  A technology implemented in LANs. It adopts Carrier Sense Multiple Access/Collision Detection. The speed of an Ethernet interface can be 10 Mbit/s, 100 Mbit/s, 1000 Mbit/s or 10000 Mbit/s. An Ethernet network features high reliability and easy maintenance.

F

File Transfer Protocol
  An application layer protocol based on TCP/IP. It is used to transfer large amounts of data reliably between the user and the remote host. FTP is implemented based on the corresponding file system.

I

IPv6
  An updated version of IPv4, also called IP Next Generation (IPng). Internet Protocol Version 6 (IPv6) is a new version of the Internet Protocol, designed as the successor to IPv4. The specifications and standardizations provided by it are consistent with the Internet Engineering Task Force (IETF). The difference between IPv6 and IPv4 is that an IPv4 address has 32 bits while an IPv6 address has 128 bits.

L

Local Area Network
  A network intended to serve a small geographic area (a few square kilometers or less), a single office or building, or a small defined group of users. It features high speed and few errors.
  Ethernet, FDDI and Token Ring are three technologies implemented in LANs.

M

MAC address
  A link layer address or physical address. It is six bytes long.

MTU
  The maximum size of packets that an interface can process. It is in bytes.

N

Neighbor Discovery
  A process to discover neighboring nodes.

P

Ping
  To test the reachability of a device in the network through ICMP Echo messages.

Policy-based Routing
  A routing mechanism based on user-defined policies. It can implement secure communication and load balancing.

PPP
  A serial point-to-point link used for special transmission between two devices.

R

Router
  A device running on the network layer. After receiving a packet, the device searches the routing table for a proper route and sends the packet to the next hop. The last-hop device sends the packet to the host directly.

T

Telnet
  An application layer protocol based on TCP/IP. It implements remote login and virtual terminal. It

Time Range
  A special time period.

Traffic
  A group of packets sent from the source to the destination and matching a certain classification.

Tunnel
  In VPN, it is a transport tunnel set up between two entities to prevent interior users from interrupting and to ensure security.

U

Unicast
  To send packets to one destination network.

V

VPN
  Virtual Private Network (VPN). It implements an apparent single private network (as seen by the user) over a number of separate public and private networks. Virtual indicates that this kind of network is a logical network.

NE80E/40E
  Versatile Routing Platform. It is a versatile operation system platform developed by Huawei.

W

Wide Area Network
  A network that covers a large geographic area, such as a country or a state. Devices in this network are connected through certain protocols or physical links.
X

X.25
  A data link layer protocol. It defines the communication in the Public Data Network (PDN) between a host and a remote terminal.

B Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

A
AAA       Authentication, Authorization and Accounting
ACK       Acknowledgement
ASCII     American Standard Code for Information Interchange
ATM       Asynchronous Transfer Mode

B
BGP       Border Gateway Protocol

C
CIDR      Classless Inter-Domain Routing

D
DHCP      Dynamic Host Configuration Protocol
DLCI      Data Link Control Identifier
DNS       Domain Name System
DOS       Denial of Service
DAD       Duplicate Address Detect

E
EBGP      External BGP

F
FEC       Forward Error Correction
FIB       Forward Information Base

G
GRE       Generic Routing Encapsulation

H
HDLC      High level Data Link Control
HTTP      Hyper Text Transport Protocol

I
IBGP      Internal BGP
ICMP      Internet Control Message Protocol
IEEE      Institute of Electrical and Electronics Engineers
IETF      Internet Engineering Task Force
IGP       Interior Gateway Protocol
IP        Internet Protocol
IPoEoA    IP over Ethernet over AAL5
IPSec     Internet Protocol SECurity extensions
IS-IS     Intermediate System-Intermediate System
ISP       Internet Service Provider

L
LDP       Label Distribution Protocol
LSP       Label Switch Path

M
MAC       Medium Access Control
MED       Multi-Exit discrimination
MPLS      Multi-Protocol Label Switching

N
NAT       Network Address Translation
NAT-PT    Network Address Translation - Protocol Translation
NIC       Network Information Center

O
OSPF      Open Shortest Path First

P
PC        Personal Computer
PE        Provider Edge
POS       Packet Over SDH/SONET
PPP       Point-to-Point Protocol
PVC       Permanent Virtual Circuit

Q
QoS       Quality of Service

R
RIP       Routing Information Protocol
RPR       Resilient Packet Ring

S
SLIP      Serial Line Internet Protocol
SNMP      Simple Network Management Protocol
SVC       Switched Virtual Channel

T
TCP       Transmission Control Protocol
TFTP      Trivial File Transfer Protocol
TOS       Type of Service
TTL       Time To Live

U
UDP       User Datagram Protocol
URPF      Unicast Reverse Path Forwarding

V
VLAN      Virtual Local Area Network
VPN       Virtual Private Network
NE80E/40E Versatile Routing Platform
VRRP      Virtual Router Redundancy Protocol
VT        Virtual-Template

W
WINS      Windows Internet Name Service
WWW       World Wide Web
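For the tunnel example in 13.4.1, the two border routers must mirror each other: each side's tunnel destination is the peer's source loopback address, and both tunnel IPv4 addresses lie in one subnet. The following Python check is an added example, not part of the Huawei guide; it parses the tunnel-related lines of the Router 2 and Router 4 configuration files from that section and reports mismatches. The function names are hypothetical, and the check assumes the tunnel source is given as an interface, as in those files.

```python
import ipaddress

# Tunnel-related lines of the Router 2 / Router 4 configuration files in 13.4.1.
TEMPLATE = """interface LoopBack1
 ipv6 address {lo} 64
 binding tunnel ipv4-ipv6
#
interface Tunnel6/0/0
 ip address {v4} 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source loopback 1
 destination {dst}
#
"""
ROUTER2 = TEMPLATE.format(lo="2::2", v4="10.1.1.1", dst="4::4")
ROUTER4 = TEMPLATE.format(lo="4::4", v4="10.1.1.2", dst="2::2")

def interfaces(cfg):
    """Map each lower-cased interface name to the commands configured under it."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = out.setdefault(line.split(None, 1)[1].replace(" ", "").lower(), [])
        elif line.startswith("#"):
            cur = None  # '#' closes the current view in a configuration file
        elif cur is not None and line.strip():
            cur.append(line.strip())
    return out

def arg(cmds, prefix):
    """Return the argument string of the first command starting with prefix, or ''."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), "")

def endpoint(cfg):
    """Extract the tunnel parameters of one border router."""
    ifs = interfaces(cfg)
    tun = next((c for n, c in ifs.items() if n.startswith("tunnel")), [])
    src = ifs.get(arg(tun, "source ").replace(" ", "").lower(), [])
    v6 = (arg(src, "ipv6 address ").replace("/", " ").split() or [None])[0]
    return {"proto": arg(tun, "tunnel-protocol "),
            "v4": ipaddress.ip_interface(arg(tun, "ip address ").replace(" ", "/")),
            "src": ipaddress.ip_address(v6) if v6 else None,
            "dst": ipaddress.ip_address(arg(tun, "destination ")),
            "bound": "binding tunnel ipv4-ipv6" in src}

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between two tunnel endpoints (empty if consistent)."""
    a, b = endpoint(cfg_a), endpoint(cfg_b)
    problems = []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["proto"] != "ipv4-ipv6":
            problems.append(f"{name}: tunnel-protocol is not ipv4-ipv6")
        if not me["bound"]:
            problems.append(f"{name}: source interface lacks 'binding tunnel ipv4-ipv6'")
        if me["dst"] != peer["src"]:
            problems.append(f"{name}: destination {me['dst']} is not the peer source {peer['src']}")
    if a["v4"].network != b["v4"].network or a["v4"].ip == b["v4"].ip:
        problems.append("tunnel IPv4 addresses must be distinct hosts in one subnet")
    return problems
```

Calling check_pair(ROUTER2, ROUTER4) returns an empty list for the configuration shown in 13.4.1; pointing one side's destination at a physical interface address instead of the peer loopback is reported as a mismatch.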