HUAWEI NetEngine5000E Core Router V300R007C00 Configuration Guide - IP Services Issue 02 Date 2009-12-10 HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2009. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2009-12-10) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.


About This Document

Purpose

This document describes multiple IP services supported by the NE5000E and basic configurations of IP addresses, ARP, DNS, DHCP, IP performance, ACL, IPv6, ACL6, and IPv6 over IPv4 tunnel.

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

Related Versions

The following table lists the product versions related to this document.

Product Name            Version
NE5000E Core Router     V300R007C00

Intended Audience

This document is intended for:

- Commissioning Engineer
- Data Configuration Engineer
- Network Monitoring Engineer
- System Maintenance Engineer

Organization

This document is organized as follows.


Chapter                                   Description
1 IP Addresses Configuration              This chapter describes the fundamentals of IP addresses, including its classes, methods and important characteristics. It also describes steps for configuring IP addresses and provides typical configuration examples.
2 ARP Configuration                       This chapter describes the principle of ARP and steps for configuring ARP, and provides typical configuration examples.
3 DNS Configuration                       This chapter describes the principle of DNS and steps for configuring DNS, and provides typical configuration examples.
4 DHCP Configuration                      This chapter describes the principle of DHCP and steps for configuring DHCP, and provides typical configuration examples.
5 IP Performance Configuration            This chapter describes basic concepts about IP performance and steps for configuring IP performance, and provides typical configuration examples.
6 ACL Configuration                       This chapter describes basic concepts about ACL and steps for configuring ACL, and provides typical configuration examples.
7 Basic IPv6 Configuration                This chapter describes basic concepts about IPv6 and steps for configuring IPv6, and provides typical configuration examples.
8 IPv6 DNS Configuration                  This chapter describes basic IPv6 applications and steps for configuring IPv6 applications, and provides typical configuration examples.
9 ACL6 Configuration                      This chapter describes basic concepts about ACL6 and steps for configuring ACL6, and provides typical configuration examples.
10 IPv6 over IPv4 Tunnel Configuration    This chapter describes basic concepts about IPv6 over IPv4 tunnels and steps for configuring IPv6 over IPv4 tunnels, and provides typical configuration examples.
A Glossary                                This appendix collates frequently used glossaries in this document.
B Acronyms and Abbreviations              This appendix collates frequently used acronyms and abbreviations in this document.


Conventions

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk that, if not avoided, will result in death or serious injury.

Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.

Indicates a potentially hazardous situation that, if not avoided, could cause device damage, data loss, and performance degradation, or unexpected results.

Provides additional information to emphasize or supplement important points of the main text.

Indicates a tip that may help you solve a problem or save your time.

General Conventions

The general conventions that may be found in this document are defined as follows.

Convention          Description
Times New Roman     Normal paragraphs are in Times New Roman.
boldface            Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic              Book titles are in italics.
Courier New         Terminal display is in Courier New.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention          Description
boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italic.


[ ]                 Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }     Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]     Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... }*    Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ]*    Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention          Description
boldface            Buttons, menus, parameters, tabs, windows, and dialog titles are in boldface. For example, click OK.
>                   Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.

Format              Description
Key                 Press the key. For example, press Enter and press Tab.
Key 1+Key 2         Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2        Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.


Mouse Operations

The mouse operations that may be found in this document are defined as follows.

Action              Description
Click               Select and release the primary mouse button without moving the pointer.
Double-click        Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag                Press and hold the primary mouse button and move the pointer to a certain position.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 02 (2009-12-10)

Second commercial release.

Updates in Issue 01 (2009-09-05)

Initial commercial release.


Contents

About This Document
1 IP Addresses Configuration
  1.1 IP Addresses Overview
    1.1.1 Introduction to IP Addresses
    1.1.2 Features of IP Addresses Supported by the NE5000E
  1.2 Configuring IP Addresses for Interfaces
    1.2.1 Establishing the Configuration Task
    1.2.2 Configuring a Primary IP Address for an Interface
    1.2.3 (Optional) Configuring a Secondary IP Address for an Interface
    1.2.4 Checking the Configuration
  1.3 Configuring IP Address Negotiation on Interfaces
    1.3.1 Establishing the Configuration Task
    1.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation
    1.3.3 Configuring a Client to Obtain an IP Address Through Negotiation
    1.3.4 Checking the Configuration
  1.4 Configuring IP Address Unnumbered for Interfaces
    1.4.1 Establishing the Configuration Task
    1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address
    1.4.3 Configuring an Interface That Borrows an IP Address from Another Interface
    1.4.4 Checking the Configuration
  1.5 Maintaining IP Addresses
    1.5.1 Monitoring Network Operation Status of IP Addresses
  1.6 Configuration Examples
    1.6.1 Example for Configuring Primary and Secondary IP Addresses
    1.6.2 Example for Obtaining an IP Address Through Negotiation
    1.6.3 Example for Configuring IP Address Unnumbered
    1.6.4 Example for Configuring IP Address Overlapping on the Same Device
    1.6.5 Example for Configuring an IP Address with a 31-bit Mask
2 ARP Configuration
  2.1 Introduction to ARP
    2.1.1 Overview of ARP
    2.1.2 Features of ARP Supported by the NE5000E


  2.2 Configuring Static ARP
    2.2.1 Establishing the Configuration Task
    2.2.2 Configuring Common Static ARP Entries
    2.2.3 Configuring Static ARP Entries in a VLAN
    2.2.4 Configuring Static ARP Entries in a VPN Instance
    2.2.5 Checking the Configuration
  2.3 Optimizing Dynamic ARP
    2.3.1 Establishing the Configuration Task
    2.3.2 Modify the aging parameters of dynamic ARP
    2.3.3 Enabling ARP Suppression Function
    2.3.4 Checking the Configuration
  2.4 Configuring Routed Proxy ARP
    2.4.1 Establishing the Configuration Task
    2.4.2 Configure an IP Addresses for the Interface
    2.4.3 Enabling the Routed Proxy ARP Function
    2.4.4 Checking the Configuration
  2.5 Configuring Proxy ARP Within a VLAN
    2.5.1 Establishing the Configuration Task
    2.5.2 Configure an IP Addresses for the Interface
    2.5.3 Configuring the VLAN Associated with the Sub-interface
    2.5.4 Enabling Proxy ARP Within a VLAN
    2.5.5 Checking the Configuration
  2.6 Configuring Proxy ARP Between VLANs
    2.6.1 Establishing the Configuration Task
    2.6.2 Configuring an IP Addresses for the Interface
    2.6.3 Configuring the VLAN Associated with the Sub-interface
    2.6.4 Enabling Proxy ARP Between VLANs
    2.6.5 Checking the Configuration
  2.7 Configuring ARPing-IP
    2.7.1 Establishing the Configuration Task
    2.7.2 Detecting the IP Address by Using the arp-ping ip Command
  2.8 Configuring ARPing-MAC
    2.8.1 Establishing the Configuration Task
    2.8.2 Detecting the MAC Address by Using the arp-ping mac Command
  2.9 Configuring the Association Between ARP and Interface Status
    2.9.1 Establishing the Configuration Task
    2.9.2 Configuring the Association Between ARP and Interface Status
    2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status
  2.10 Maintaining ARP
    2.10.1 Clearing ARP Statistics
    2.10.2 Monitoring Network Operation Status of ARP
    2.10.3 Debugging ARP


  2.11 Configuration Examples
    2.11.1 Example for Configuring Routed Proxy ARP
    2.11.2 Example for Configuring Proxy ARP Within a VLAN
    2.11.3 Example for Configuring the Association Between ARP and Interface Status
3 DNS Configuration
  3.1 DNS Overview
    3.1.1 Introduction to DNS
    3.1.2 DNS Supported by the NE5000E
  3.2 Configuring DNS
    3.2.1 Establishing the Configuration Task
    3.2.2 Configuring Static DNS Entries
    3.2.3 Configuring Dynamic DNS
    3.2.4 Checking the Configuration
  3.3 Maintaining DNS
    3.3.1 Clearing DNS Entries
    3.3.2 Monitoring Network Operation Status of DNS
    3.3.3 Debugging DNS
  3.4 Configuration Examples
    3.4.1 Example for Configuring DNS
4 DHCP Configuration
  4.1 DHCP Overview
    4.1.1 Introduction to DHCP
    4.1.2 DHCP Supported by the NE5000E
  4.2 Configuring the Global Address Pool-based DHCP Server
    4.2.1 Establishing the Configuration Task
    4.2.2 Configuring the DHCP Global Address Pool
    4.2.3 Configure Static IP Address Binding
    4.2.4 Configuring DNS Services for the DHCP Client
    4.2.5 Configuring NetBIOS Services for the DHCP Client
    4.2.6 Configuring Egress Gateway for the DHCP Client
    4.2.7 Configuring DHCP Self-Defined Options
    4.2.8 Assigning IP Addresses in the Global Address Pool to the DHCP Clients on the Specified Interface
    4.2.9 Checking the Configuration
  4.3 Configuring the Interface Address Pool-based DHCP Server
    4.3.1 Establishing the Configuration Task
    4.3.2 Configuring the Interface Address Pool
    4.3.3 Configuring DNS on the Interface Address Pool
    4.3.4 Configuring NetBIOS on the Interface Address Pool
    4.3.5 Configuring DHCP Self-Defined Options
    4.3.6 Checking the Configuration
  4.4 Configuring the Sub-interface Address Pool-based DHCP Server


    4.4.1 Establishing the Configuration Task
    4.4.2 Enabling Address Pools on Sub-interfaces
    4.4.3 Configuring Address Pools on Ethernet Sub-interfaces
    4.4.4 Configuring DNS on Address Pools of Sub-interfaces
    4.4.5 Configuring NetBIOS on Address Pools of Sub-interfaces
    4.4.6 Configuring the DHCP Self-Defined Options for Address Pools of Sub-interfaces
    4.4.7 Checking the Configuration
  4.5 Configuring the Security Function for DHCP
    4.5.1 Establishing the Configuration Task
    4.5.2 Starting the Detection of the Pseudo DHCP Server on a DHCP Server
    4.5.3 Avoiding Repetitive IP Address Assignment
    4.5.4 Saving DHCP Data
    4.5.5 Restoring DHCP Data
    4.5.6 Checking the Configuration
  4.6 Configuring DHCP Relay
    4.6.1 Establishing the Configuration Task
    4.6.2 Configuring Relay
    4.6.3 Checking the Configuration
  4.7 Maintaining DHCP
    4.7.1 Resetting DHCP
    4.7.2 Releasing Conflicting IP Addresses
    4.7.3 (Optional) Requesting the DHCP Server to Release IP Addresses of the Client
    4.7.4 Clearing DHCP Statistics
    4.7.5 Monitoring Network Operation Status of DHCP
    4.7.6 Debugging DHCP
  4.8 Configuration Examples
    4.8.1 Example for Configuring the Global Address Pool-based DHCP Server
    4.8.2 Example for Configuring the Interface Address Pool-based DHCP Server
    4.8.3 Example for Configuring the Sub-interface Address Pool-based DHCP Server
    4.8.4 Example for Configuring DHCP Relay
    4.8.5 Example for Configuring the DHCP Option Association
5 IP Performance Configuration
  5.1 IP Performance Overview
    5.1.1 Introduction to IP Performance
    5.1.2 IP Performance Supported by the NE5000E
  5.2 Improving IP Performance
    5.2.1 Establishing the Configuration Task
    5.2.2 Configuring the Maximum Transmission Unit of the Interface
    5.2.3 Configuring ICMP Attributes
    5.2.4 Checking the Configuration
  5.3 Configuring TCP
    5.3.1 Establishing the Configuration Task


5.3.2 Configuring TCP Timer
5.3.3 Specifying the Size of a TCP Sliding Window
5.3.4 Checking the Configuration

5.4 Configuring Load Balancing for IP Packet Forwarding
5.4.1 Establishing the Configuration Task
5.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding
5.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
5.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding
5.4.5 Checking the Configuration

5.5 Maintaining IP Performance
5.5.1 Clearing IP Performance Statistics
5.5.2 Monitoring Network Operation Status of IP Performance
5.5.3 Debugging IP Performance

5.6 Configuration Examples
5.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets
5.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
5.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding

6 ACL Configuration
6.1 ACL Overview
6.1.1 Introduction to ACL
6.1.2 ACL Supported by the NE5000E

6.2 Configuring an Interface-based ACL
6.2.1 Establishing the Configuration Task
6.2.2 (Optional) Creating a Time Range
6.2.3 Creating an Interface-based ACL
6.2.4 (Optional) Configuring ACL Descriptions
6.2.5 (Optional) Configuring ACL Step
6.2.6 Checking the Configuration

6.3 Configuring a Basic ACL
6.3.1 Establishing the Configuration Task
6.3.2 (Optional) Creating a Time Range
6.3.3 Creating a Basic ACL
6.3.4 (Optional) Configuring ACL Descriptions
6.3.5 (Optional) Configuring ACL Step
6.3.6 Checking the Configuration

6.4 Configuring an Advanced ACL
6.4.1 Establishing the Configuration Task
6.4.2 (Optional) Creating a Time Range
6.4.3 Creating an Advanced ACL
6.4.4 (Optional) Configuring ACL Descriptions
6.4.5 (Optional) Configuring ACL Step
6.4.6 Checking the Configuration


6.5 Configuring an ACL Based on the Ethernet Frame Header
6.5.1 Establishing the Configuration Task
6.5.2 Creating an ACL Based on the Ethernet Frame Header
6.5.3 (Optional) Configuring ACL Descriptions
6.5.4 (Optional) Configuring ACL Step
6.5.5 Checking the Configuration

6.6 Configuring a Named ACL
6.6.1 Establishing the Configuration Task
6.6.2 (Optional) Creating a Time Range
6.6.3 Creating a Named ACL
6.6.4 (Optional) Configuring named ACL Descriptions
6.6.5 (Optional) Configuring named ACL Step
6.6.6 Checking the Configuration

6.7 Maintaining an ACL
6.7.1 Clearing ACL Statistics
6.7.2 Monitoring Network Operation Status of ACL

6.8 Configuration Examples
6.8.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification
6.8.2 Example for Configuring the Security Function of Access Devices
6.8.3 Example for Configuring an ACL Rule that Is Based on the VPN Instance

7 Basic IPv6 Configuration
7.1 Basic IPv6 Overview
7.1.1 Introduction to IPv6
7.1.2 IPv6 Supported by the NE5000E

7.2 Configuring an IPv6 Address for an Interface
7.2.1 Establishing the Configuration Task
7.2.2 Enabling IPv6 Packet Forwarding Capability
7.2.3 Configuring an IPv6 Link-Local Address for an Interface
7.2.4 Configuring an IPv6 Global Unicast Address for an Interface
7.2.5 Checking the Configuration

7.3 Configuring IPv6 Neighbor Discovery
7.3.1 Establishing the Configuration Task
7.3.2 Configuring Static Neighbors
7.3.3 Enabling RA Message Advertising
7.3.4 Setting the Interval for Advertising RA Messages
7.3.5 Enabling Stateful Auto Configuration
7.3.6 Configuring the Address Prefixes to Be Advertised
7.3.7 Configuring Other Information to Be Advertised
7.3.8 Checking the Configuration

7.4 Configuring PMTU
7.4.1 Establishing the Configuration Task
7.4.2 Creating Static PMTU Entries


7.4.3 Configuring PMTU Aging Time
7.4.4 Checking the Configuration

7.5 Enabling the FIB Cache
7.5.1 Establishing the Configuration Task
7.5.2 Enabling the FIB Cache
7.5.3 Checking the Configuration

7.6 Configuring TCP6
7.6.1 Establishing the Configuration Task
7.6.2 Configuring TCP6 Timers
7.6.3 Configuring the Size of the TCP6 Sliding Window
7.6.4 Checking the Configuration

7.7 Maintaining IPv6
7.7.1 Resetting IPv6
7.7.2 Monitoring Network Operation Status of IPv6
7.7.3 Debugging IPv6

7.8 Configuration Examples
7.8.1 Example for Configuring an IPv6 Address for an Interface
7.8.2 Example for Configuring IPv6 Neighbor Discovery

8 IPv6 DNS Configuration
8.1 IPv6 DNS Overview
8.1.1 Introduction to IPv6 DNS
8.1.2 IPv6 DNS Supported by the NE5000E

8.2 Configuring IPv6 DNS
8.2.1 Establishing the Configuration Task
8.2.2 Configuring a Static IPv6 DNS Entry
8.2.3 Configuring the Dynamic IPv6 DNS Services
8.2.4 Checking the Configuration

8.3 Maintaining IPv6 DNS
8.3.1 Clearing IPv6 DNS Entries
8.3.2 Monitoring Network Operation Status of IPv6 DNS

8.4 Configuration Examples
8.4.1 Example for Configuring IPv6 DNS

9 ACL6 Configuration
9.1 ACL6 Overview
9.1.1 Introduction to ACL6
9.1.2 ACL6 Supported by the NE5000E

9.2 Configuring an Interface-based ACL6
9.2.1 Establishing the Configuration Task
9.2.2 (Optional) Configuring the Valid Time Range of ACL6
9.2.3 Creating an Interface-based ACL6
9.2.4 Checking the Configuration

9.3 Configuring a Basic ACL6


9.3.1 Establishing the Configuration Task
9.3.2 (Optional) Configuring the Valid Time Range of ACL6
9.3.3 Creating a Basic ACL6
9.3.4 Checking the Configuration

9.4 Configuring an Advanced ACL6
9.4.1 Establishing the Configuration Task
9.4.2 (Optional) Configuring the Valid Time Range of ACL6
9.4.3 Creating an Advanced ACL6
9.4.4 Checking the Configuration

9.5 Configuring a Named ACL6
9.5.1 Establishing the Configuration Task
9.5.2 (Optional) Configuring the Valid Time Range of ACL6
9.5.3 Creating a Named ACL6
9.5.4 Checking the Configuration

9.6 Maintaining ACL6
9.6.1 Clearing ACL6 Statistics
9.6.2 Monitoring Network Operation Status of ACL6

9.7 Configuration Examples
9.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets

10 IPv6 over IPv4 Tunnel Configuration
10.1 IPv6 over IPv4 Tunnel Overview
10.1.1 Introduction to IPv6 over IPv4
10.1.2 IPv6 over IPv4 Supported by the NE5000E

10.2 Configuring IPv4/IPv6 Dual Stacks
10.2.1 Establishing the Configuration Task
10.2.2 Enabling IPv6 Packet Forwarding
10.2.3 Configuring IPv4 and IPv6 Addresses for the Interface

10.3 Configuring an IPv6 over IPv4 Tunnel
10.3.1 Establishing the Configuration Task
10.3.2 Configuring an IPv6 over IPv4 Manual Tunnel
10.3.3 Configuring an IPv6 over IPv4 Automatic Tunnel
10.3.4 Configuring a 6to4 Tunnel
10.3.5 Configuring Routes in the Tunnel
10.3.6 Checking the Configuration

10.4 Configuring 6PE
10.4.1 Establishing the Configuration Task
10.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks
10.4.3 Configuring MPLS
10.4.4 Enabling 6PE Peer

10.5 Maintaining IPv6 over IPv4 Tunnels
10.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel
10.5.2 Debugging IPv6 over IPv4 Tunnel


10.6 Configuration Examples
10.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel
10.6.2 Example for Configuring an IPv6 over IPv4 Automatic Tunnel
10.6.3 Example for Configuring a 6to4 Tunnel
10.6.4 Example for Configuring 6to4 Relay
10.6.5 Example for Configuring 6PE

A Glossary

B Acronyms and Abbreviations


Figures

Figure 1-1 Configuring primary and secondary IP addresses for an interface
Figure 1-2 Networking diagram of allocating IP address through negotiation
Figure 1-3 Networking diagram of an IP address unnumbered configuration
Figure 1-4 Networking diagram of configuring IP address overlapping on the same device
Figure 1-5 Networking diagram of configuring an IP address with a 31-bit mask
Figure 2-1 Implementation procedure of ARP-Ping IP
Figure 2-2 Implementation procedure of ARP-Ping MAC
Figure 2-3 Schematic diagram of transmission device existing between devices
Figure 2-4 Networking diagram of configuring proxy ARP
Figure 2-5 Networking diagram of configuring proxy ARP in a VLAN
Figure 2-6 Networking diagram of configuring the association between ARP and interface status
Figure 3-1 Networking diagram of DNS
Figure 4-1 Networking diagram of the DHCP server and the client that are in the same network segment
Figure 4-2 Networking diagram of the DHCP server based on the address pool on the interface
Figure 4-3 Networking diagram of the DHCP server based on the address pools on the sub-interfaces
Figure 4-4 Networking diagram for configuring DHCP relay
Figure 4-5 Networking diagram of configuring the DHCP option association
Figure 5-1 Networking diagram of configuring ICMP host unreachable packets
Figure 5-2 Networking diagram of configuring UCMP
Figure 5-3 Networking diagram of configuring unequal-cost load balancing
Figure 6-1 Diagram for configuring a traffic policy based on the complex traffic classification
Figure 6-2 Networking of configuring the security function of access devices
Figure 6-3 Typical networking of configuring an ACL rule
Figure 7-1 Networking diagram of configuring an IPv6 address for an interface
Figure 7-2 Example for configuring IPv6 neighbor discovery
Figure 8-1 DNS server connecting IPv4 and IPv6 networks
Figure 8-2 Networking diagram of IPv6 DNS configurations
Figure 9-1 Networking diagram of configuring an ACL6 to filter IPv6 packets
Figure 10-1 Single stack and dual stack structures (Ethernet)
Figure 10-2 Schematic diagram of IPv6 over IPv4 tunnel
Figure 10-3 6to4 tunnel and 6to4 relay
Figure 10-4 Networking diagram of 6PE
Figure 10-5 Networking diagram of the IPv6 over IPv4 manual tunnel


Figure 10-6 Networking diagram of the IPv6 over IPv4 automatic tunnel
Figure 10-7 Networking diagram of the 6to4 tunnel
Figure 10-8 Networking diagram of accessing the IPv6 network through 6to4 relay
Figure 10-9 Networking diagram of 6PE


1 IP Addresses Configuration

About This Chapter

This chapter describes the basic concepts and working mechanism of IP addresses. It also describes the procedure for configuring IP addresses and provides typical configuration examples.

1.1 IP Addresses Overview
This section describes the concepts of IP addresses and how to use an IP address.

1.2 Configuring IP Addresses for Interfaces
This section describes how to configure IP addresses for interfaces.

1.3 Configuring IP Address Negotiation on Interfaces
This section describes how to configure the interface on the client to obtain an IP address from the server through PPP negotiation.

1.4 Configuring IP Address Unnumbered for Interfaces
This section describes how to configure an interface to borrow the IP address from other interfaces.

1.5 Maintaining IP Addresses
This section describes how to view IP address configurations.

1.6 Configuration Examples
This section provides several examples for configuring IP addresses.


1.1 IP Addresses Overview

This section describes the concepts of IP addresses and how to use an IP address.

1.1.1 Introduction to IP Addresses

1.1.2 Features of IP Addresses Supported by the NE5000E

1.1.1 Introduction to IP Addresses

To communicate with each other on Internet Protocol (IP) networks, each host must be assigned an IP address.

An IP address is a 32-bit number that is composed of two parts, namely, the network ID and host ID.

The network ID identifies a network and the host ID identifies a host on the network. If the network IDs of hosts are the same, it indicates that the hosts are on the same network regardless of their physical locations.

1.1.2 Features of IP Addresses Supported by the NE5000E

The NE5000E supports IP address configuration through the following methods:

• Manually configuring an IP address for an interface

• Obtaining an IP address through negotiation

• Borrowing an IP address from other interfaces

The NE5000E supports overlapping network segment addresses to save address space.

• IP addresses that are in overlapping network segments but are not identical can be configured on different interfaces of the same device. For example, after an interface on a device is configured with the IP address 20.1.1.1/16, if another interface is configured with the IP address 20.1.1.2/24, the system prompts a message. However, the configuration is still successful. If another interface is instead configured with the IP address 20.1.1.2/16, the system prompts an IP address conflict and the configuration fails.

• A primary IP address and a secondary IP address that are in overlapping network segments but are not identical can be configured on the same interface. For example, after the interface is configured with a primary IP address 20.1.1.1/24, if the secondary IP address is 20.1.1.2/16 sub, the system prompts a message. However, the configuration is still successful.

• A primary IP address and a secondary IP address that are in overlapping network segments but are not identical can be configured on different interfaces of the same device. However, the primary IP address and the secondary IP address cannot be the same. For example, after an interface on a device is configured with the IP address 20.1.1.1/16, if another interface is configured with the IP address 20.1.1.2/24 sub, the system prompts a message. However, the configuration is still successful.

The NE5000E supports 31-bit IP address masks. With a 31-bit mask, there are only two IP addresses in a network segment, that is, the network address and the broadcast address. Both IP addresses can be used as host addresses.


You can assign IP addresses with 31-bit masks to Point-to-Point (P2P), broadcast, and loopback interfaces. For non-P2P interfaces, if a 31-bit mask is configured, the system displays acknowledgement information to protect broadcast links. For example, if an Ethernet interface on a device is assigned an IP address with a 31-bit mask, this device can access only the host in the directly connected subnet. It cannot access all hosts in the subnet. In the backbone network of a broadcast link, if a P2P link exists, you can configure the IP addresses with 31-bit masks.
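The overlap and 31-bit mask rules of 1.1.2, applied as an offline audit of configuration-file text. This is an added example, not Huawei code: the Python helpers (parse_config, classify, audit, host_addresses), the verdict labels and the sample configuration are assumptions made for illustration, and the input is assumed to use the interface / ip address ... [ sub ] line format of a device configuration file.

```python
import ipaddress
import re
from itertools import combinations
from typing import NamedTuple


class Entry(NamedTuple):
    interface: str
    addr: ipaddress.IPv4Interface
    sub: bool  # True when the line carries the "sub" keyword


# "ip address <ip> <mask | mask-length> [sub]". The ppp-negotiate and
# unnumbered forms carry no literal address and are deliberately not matched.
ADDR_RE = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\S+)(\s+sub)?\s*$")


def parse_config(text):
    """Collect every literal interface address from configuration-file text."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.strip() in ("#", "return"):
            current = None
        elif current:
            m = ADDR_RE.match(line)
            if m:
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                entries.append(Entry(current, addr, bool(m.group(3))))
    return entries


def classify(a, b):
    """Apply the section 1.1.2 rules to one pair of configured addresses.

    "conflict"    - identical addresses, or the same segment with the same mask
                    on different interfaces (the 20.1.1.1/16 vs 20.1.1.2/16 case)
    "warning"     - overlapping segments with different masks: the device
                    prompts a message but accepts the configuration
    "unspecified" - same segment and mask on one interface; section 1.1.2
                    does not state the outcome, so it is flagged for review
    "ok"          - the segments do not overlap
    """
    if a.addr.ip == b.addr.ip:
        return "conflict"
    if not a.addr.network.overlaps(b.addr.network):
        return "ok"
    if a.addr.network == b.addr.network:
        return "conflict" if a.interface != b.interface else "unspecified"
    return "warning"


def audit(entries):
    """Return (entry, entry, verdict) for every pair that is not "ok"."""
    return [(a, b, v) for a, b in combinations(entries, 2)
            if (v := classify(a, b)) != "ok"]


def host_addresses(network):
    """Usable host addresses; with a 31-bit mask both addresses count."""
    if network.prefixlen == 31:
        return list(network)
    return list(network.hosts())


# Constructed sample input (not taken from a real device).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 ip address 20.1.1.1 255.255.0.0
#
interface GigabitEthernet1/0/2
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 20.1.1.3 16
#
interface Pos1/0/0
 ip address 10.0.0.0 31
#
interface Pos2/0/0
 ip address ppp-negotiate
#
return
"""

if __name__ == "__main__":
    for a, b, verdict in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{verdict:8} {a.interface} {a.addr}  <->  {b.interface} {b.addr}")
    print("hosts in 10.0.0.0/31:",
          [str(h) for h in host_addresses(ipaddress.ip_network("10.0.0.0/31"))])
```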

1.2 Configuring IP Addresses for Interfaces

This section describes how to configure IP addresses for interfaces.

1.2.1 Establishing the Configuration Task

1.2.2 Configuring a Primary IP Address for an Interface

1.2.3 (Optional) Configuring a Secondary IP Address for an Interface

1.2.4 Checking the Configuration

1.2.1 Establishing the Configuration Task

Applicable Environment

To start IP services on an interface, configure the IP address for the interface. You can assign several IP addresses to each interface. Among them, one is the primary IP address and the others are secondary IP addresses.

Generally, you need to configure only a primary IP address for an interface. Secondary IP addresses, however, are required in some cases. For instance, when a device connects to a physical network through an interface, and computers on this network belong to two Class C networks, you need to configure a primary IP address and a secondary IP address for this interface to ensure that the device can communicate with all computers on this network.

Pre-configuration Tasks

Before configuring IP addresses for an interface, complete the following tasks:

• Configuring the physical parameters for the interface and ensuring that the physical layer status of the interface is Up

• Configuring the link layer parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure IP addresses for an interface, you need the following data.

No.  Data
1    Interface number
2    Primary IP address and subnet mask of the interface
3    (Optional) Secondary IP address and subnet mask of the interface


1.2.2 Configuring a Primary IP Address for an Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

ip address ip-address { mask | mask-length }

A primary IP address is configured.

An interface has only one primary IP address. If the interface already has a primary IP address, the newly configured primary IP address replaces the original one.

----End

1.2.3 (Optional) Configuring a Secondary IP Address for an Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

ip address ip-address { mask | mask-length } sub

A secondary IP address is configured.

A secondary IP address with a 31-bit mask can be configured for an interface.

You can configure a maximum of 255 secondary IP addresses on an interface.

----End


1.2.4 Checking the Configuration

Prerequisite

The configurations of the IP addresses for the interface are complete.

Procedure

• Run the display ip interface [ brief ] [ interface-type interface-number ] command to check the IP configuration on the interface.

• Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command to check interface information.

----End

Example

Run the display ip interface command to check that the physical status and link protocol status of the interface are Up.

<HUAWEI> display ip interface brief gigabitethernet 1/1/0
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                 IP Address/Mask    Physical Protocol
GigabitEthernet1/1/0      172.16.13.2/24     up       up

Run the display interface command to check information about the IP address and subnet mask of the interface.

<HUAWEI> display interface gigabitethernet 1/1/0
GigabitEthernet1/1/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-11-16, 12:26:17
Description : GigabitEthernet1/1/0 Interface
The Maximum Transmit Unit is 1500 bytes
Internet Address is 172.16.13.2/24
Internet Address is 172.16.13.150/25 Sub
Internet Address is 172.16.13.200/28 Sub
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc08-2b73
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mbps-speed mode, full-duplex mode, link type is autonegotiation
  Last 300 seconds input rate 338 bits/sec, 0 packets/sec
  Last 300 seconds output rate 514 bits/sec, 0 packets/sec
  Input: 1065 packets, 1571513 bytes
    0 broadcasts, 1065 multicasts
    0 errors, 0 runts, 0 giants, 0 CRC, 0 collisions, 0 align errors, 0 other errors
  Output:2866 packets, 2708571 bytes
    0 broadcasts, 2866 multicasts
    0 errors, 0 underruns, 0 collisions
    0 packets had been deferred

1.3 Configuring IP Address Negotiation on Interfaces

This section describes how to configure the interface on the client to obtain an IP address from the server through PPP negotiation.

1.3.1 Establishing the Configuration Task


1.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation

1.3.3 Configuring a Client to Obtain an IP Address Through Negotiation

1.3.4 Checking the Configuration

1.3.1 Establishing the Configuration Task

Applicable Environment

When devices are connected through a PPP link, the client interface can obtain the IP address from the server through PPP negotiation. This usually applies when the client connects to the Internet Service Provider (ISP) to access the Internet through a PPP link such as dial-up. In this case, the ISP device assigns an IP address to the client through PPP negotiation.

Pre-configuration Tasks

Before configuring IP addresses for interfaces through PPP negotiation, complete the following tasks:

• Configuring physical parameters of the interface and the link layer protocol PPP on the server

• Configuring IP addresses for interfaces on the server and making the link layer protocol Up

• Configuring physical parameters on the interface and the link layer protocol PPP on the client

Data Preparation

To configure IP addresses for interfaces through PPP negotiation, you need the following data.

No.  Data
1    Number of the interface connecting the server to the client
2    ID of the address pool on the server or IP address assigned to the client
3    Range of IP addresses when an address pool is used
4    Number of the interface connecting the client to the server

1.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation

Context

Do as follows on the router functioning as a server:


Procedure

Step 1 Run:

system-view

The system view is displayed.

NOTE

If there is only one client, the address pool is unnecessary. In this case, skip Steps 2, 3, and 4, and do not use the keyword pool in Step 6. Instead, directly assign the specified IP address to the client.

Step 2 (Optional) Run:

aaa

The AAA view is displayed.

Step 3 (Optional) Run:

ip pool pool-number start-address [ end-address ]

The local IP address pool is configured.

Step 4 (Optional) Run:

quit

Quit the AAA view.

Step 5 Run:

interface interface-type interface-number

The interface view is displayed.

Obtaining an IP address through negotiation applies only to interfaces encapsulated with PPP.

Step 6 Run:

remote address { ip-address | pool [ pool-number ] }

An IP address is assigned to the client.

Step 7 Run:

restart

The interface is restarted.

----End

Postrequisite

During the preceding configurations, the address pool can also be configured in the domain view. For details, see the HUAWEI NetEngine5000E Core Router Configuration Guide - Security.

• If the server authenticates the client, the address is selected from the address pool of the domain that the client belongs to by default.

• If the server does not authenticate the client and needs to assign an IP address to the client, the address is selected from the system address pool.

The IP address or the address pool assigned to the peer must differ from the IP address of the local device.


1.3.3 Configuring a Client to Obtain an IP Address Through Negotiation

Context

Do as follows on the router working as a client:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Obtaining an IP address through negotiation applies only to interfaces encapsulated with PPP.

Step 3 Run:

ip address ppp-negotiate

The client is configured to obtain an IP address through negotiation.

----End

Postrequisite

If an interface without an IP address supports PPP while the remote peer is configured with an IP address, enable IP address negotiation on the local interface. This enables the local interface to obtain an IP address that is generated through PPP negotiation and is assigned by the remote peer.

When you configure an interface to obtain an IP address through negotiation, note the following:

• You can configure IP address negotiation on only the PPP-encapsulated interface. When the status of the PPP protocol is Down, the IP address generated through negotiation is deleted.

• After IP address negotiation is configured on the interface, the configuration of IP address for this interface is not needed any more. You can obtain a new IP address through negotiation, and the original IP address configured before the IP address negotiation is deleted.

• You cannot configure a secondary IP address for the interface configured with IP address negotiation.

• If you re-configure negotiation on this interface, the IP address generated through the previous negotiation is deleted and a new IP address is obtained.

• If the address generated through negotiation is deleted, the interface is in the non-address state.


1.3.4 Checking the Configuration

Prerequisite

The configurations of IP address negotiation on interfaces are complete.

Procedure

• Run the display ip interface [ brief ] [ interface-type interface-number ] command to check the IP configuration on the interface.

• Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command to check interface information.

----End

Example

Run the display ip interface command to check that the physical status and link protocol status of the interface are Up.

<HUAWEI> display ip interface brief gigabitethernet 1/1/0
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                 IP Address/Mask    Physical Protocol
GigabitEthernet1/1/0      192.168.1.10/24    up       up

Run the display interface command to check information about the IP address and subnet mask of the interface.

<HUAWEI> display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-11-07, 11:44:08
Description : Pos1/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470 bytes, Hold timer is 10(sec)
Internet Address is 192.168.1.10/24
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -2.81dBm, Tx Power: -1.91dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
  SDH alarm:
    section layer: none
    line layer: none
    path layer: none
  SDH error:
    section layer: B1 61575
    line layer: B2 12002824 REI 16835916
    path layer: B3 65535
Statistics last cleared:never
  Last 300 seconds input rate 16 bits/sec, 0 packets/sec
  Last 300 seconds output rate 40 bits/sec, 0 packets/sec
  Input: 3510 packets, 57372 bytes
  Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket
  Output: 7270 packets, 344198 bytes
  Output error: 0 lostpackets
  Output error: 0 overrunpackets, 0 underrunpackets

1.4 Configuring IP Address Unnumbered for Interfaces

This section describes how to configure an interface to borrow the IP address from other interfaces.

1.4.1 Establishing the Configuration Task

1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address

1.4.3 Configuring an Interface That Borrows an IP Address from Another Interface

1.4.4 Checking the Configuration

1.4.1 Establishing the Configuration Task

Applicable Environment

To save IP address resources in some cases, configure the IP address unnumbered on the interface. You can also perform this configuration for an interface that is occasionally used rather than making the interface occupy an IP address constantly.

Restrictions on configuring IP address unnumbered on an interface are as follows:

• The interface that borrows an IP address cannot be an Ethernet interface.

• The interface that lends an IP address cannot itself borrow an IP address from another interface.

• Multiple interfaces can borrow the IP address from the same lending interface.

• If the lending interface has multiple IP addresses, only the primary IP address can be lent.

• If an interface borrows an IP address from an interface that has no IP address, the borrowing interface gets the IP address 0.0.0.0.

• The IP address of the virtual loopback interface can be borrowed by other interfaces. The loopback interface, however, cannot borrow the IP address from other interfaces.

Pre-configuration Tasks

Before configuring IP address unnumbered on an interface, complete the following tasks:

• Configuring physical attributes for the IP address borrower and lender

• Configuring link layer protocols for the IP address borrower and lender

Data Preparation

To configure IP address unnumbered on an interface, you need the following data.

No.  Data
1    Number, IP address, and mask of the interface that lends the IP address to other interfaces
2    Number of the interface that borrows an IP address from another interface

NOTE

The configuration here only describes how to configure an unnumbered interface to borrow an IP address. Dynamic routing protocols cannot be enabled on an interface without an IP address. Therefore, you need to manually configure a static route to the remote network segment to realize communication between devices.

1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

ip address ip-address { mask | mask-length }

The primary IP address of the interface is configured.

An interface can also obtain the primary IP address through PPP negotiation.

----End

1.4.3 Configuring an Interface That Borrows an IP Address from Another Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

ip address unnumbered interface interface-type interface-number

The interface is configured to borrow an IP address from the specified interface.

A tunnel interface or an interface encapsulated with PPP or HDLC can borrow the IP address from an Ethernet interface or other interfaces.

----End

1.4.4 Checking the Configuration

Prerequisite

The configurations of IP address unnumbered are complete.

Procedure

• Run the display ip interface [ brief ] [ interface-type interface-number ] command to check the IP configuration on the interface.

• Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command to check interface information.

----End

Example

Run the display ip interface command. If the physical status and link protocol status of the interface are Up, it means that the configuration succeeds.

Run the display interface command. If information about the IP address and mask of the interface is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display interface pos 6/0/0
Pos6/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2008-01-30, 12:06:08
Description: Pos6/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is unnumbered, using address of GigabitEthernet3/0/9(120.1.1.1/24)
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -7.19dBm, Tx Power: -5.76dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
  SDH alarm:
    section layer: none
    line layer: none
    path layer: none
  SDH error:
    section layer: B1 0
    line layer: B2 0 REI 1370245
    path layer: B3 0 REI 56395
Statistics last cleared:never
  Last 300 seconds input rate 24 bits/sec, 0 packets/sec
  Last 300 seconds output rate 24 bits/sec, 0 packets/sec
  Input: 1420 packets, 23131 bytes
  Input error: 2 shortpacket, 0 longpacket, 1 CRC, 0 lostpacket
  Output: 1421 packets, 23150 bytes
  Output error: 0 lostpackets
  Output error: 0 overrunpackets, 0 underrunpackets

1.5 Maintaining IP Addresses

This section describes how to view IP address configurations.

1.5.1 Monitoring Network Operation Status of IP Addresses

1.5.1 Monitoring Network Operation Status of IP Addresses

Context

In routine maintenance, you can run the following commands in any view to check the operation of IP addresses.

Procedure

• Run the display ip interface [ brief ] [ interface-type interface-number ] command in any view to check the IP address configuration on the interface.

• Run the display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] command in any view to check information about the interface.

----End

1.6 Configuration Examples

This section provides several examples for configuring IP addresses.

1.6.1 Example for Configuring Primary and Secondary IP Addresses

1.6.2 Example for Obtaining an IP Address Through Negotiation

1.6.3 Example for Configuring IP Address Unnumbered

1.6.4 Example for Configuring IP Address Overlapping on the Same Device

1.6.5 Example for Configuring an IP Address with a 31-bit Mask

1.6.1 Example for Configuring Primary and Secondary IP Addresses


Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number must be specified along with the chassis ID.

As shown in Figure 1-1, GE 1/0/1 of the device connects to a LAN in which computers belong to one of the two network segments: 172.16.1.0/24 and 172.16.2.0/24. It is required that the device can communicate with the two network segments. At the same time, the hosts of the two network segments cannot communicate with each other.

Figure 1-1 Configuring primary and secondary IP addresses for an interface

[Figure: Router interface GE1/0/1 (172.16.1.1/24, 172.16.2.1/24 sub) connects to the network segments 172.16.1.0/24 and 172.16.2.0/24.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Analyze the address of the network segment to which the interface connects.
2. Configure the primary IP address for the interface and then configure one or more secondary IP addresses for the interface.

NOTE

A primary IP address and a secondary IP address that are in overlapping network segments but are not identical can be configured on the same interface. The secondary IP addresses of an interface cannot be in the same network segment.

Data Preparation

To complete the configuration, you need the following data:

• Primary IP address and subnet mask of the interface

• Secondary IP address and subnet mask of the interface


Procedure

Step 1 Configure the device.

# Configure the primary and secondary IP addresses for GE 1/0/1 of the device.

<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 172.16.1.1 255.255.255.0
[Router-GigabitEthernet1/0/1] ip address 172.16.2.1 255.255.255.0 sub
[Router-GigabitEthernet1/0/1] undo shutdown
[Router-GigabitEthernet1/0/1] quit

Step 2 Verify the configuration.

# Ping the host on the network segment 172.16.1.0 from the device. The ping succeeds.

[Router] ping 172.16.1.2
  PING 172.16.1.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
  --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms

# Ping the host on the segment 172.16.2.0 from the device. The ping succeeds.

[Router] ping 172.16.2.2
  PING 172.16.2.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms

# The hosts of the two network segments cannot ping through each other.

----End

Configuration Files

The following lists the configuration file of the device:

#
 sysname Router
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.1.1 255.255.255.0
 ip address 172.16.2.1 255.255.255.0 sub
#
return

1.6.2 Example for Obtaining an IP Address Through Negotiation


Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 1-2, Router A allocates an IP address for POS 1/0/0 on Router B through PPP negotiation.

Figure 1-2 Networking diagram of allocating IP address through negotiation

[Figure: RouterA (POS 1/0/0, 192.168.1.1/24) is connected to RouterB (POS 1/0/0); an Ethernet is attached to each router.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a local IP address pool.
2. Configure an IP address for the local interface.
3. Specify an IP address or address pool for the remote end.
4. Enable obtaining an IP address through negotiation on the remote end.

Data Preparation

To complete the configuration, you need the following data:

• IP address and subnet mask of the local interface

• The range of the IP address to be allocated to the remote end

Procedure

Step 1 Configure Router A.

# Configure a local IP address pool.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] aaa
[RouterA-aaa] ip pool 1 192.168.1.10 192.168.1.20
[RouterA-aaa] quit

# Configure an IP address for POS 1/0/0.

[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 192.168.1.1 255.255.255.0

# Configure POS 1/0/0 to allocate an IP address to the remote end.

[RouterA-Pos1/0/0] remote address pool 1
[RouterA-Pos1/0/0] shutdown
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit

Step 2 Configure Router B.

# Enable obtaining an IP address of the interface through PPP negotiation.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address ppp-negotiate
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

Step 3 Verify the configuration.

Router B can successfully ping POS 1/0/0 on Router A.

[RouterB] ping 192.168.1.1
  PING 192.168.1.1: 56 data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=156 ms
    Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=63 ms
    Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=62 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=63 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=63 ms
  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/81/156 ms

# View the status of POS 1/0/0 on Router B.

[RouterB] display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-12-07, 17:12:39
Description : Pos1/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is negotiated, 192.168.1.10/32
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -2.81dBm, Tx Power: -1.91dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
SDH alarm:
  section layer: none
  line layer: none
  path layer: none
SDH error:
  section layer: B1 61575
  line layer: B2 12002824 REI 16835916
  path layer: B3 65535
Statistics last cleared:never
  Last 300 seconds input rate 16 bits/sec, 0 packets/sec
  Last 300 seconds output rate 40 bits/sec, 0 packets/sec
  Input: 3510 packets, 57372 bytes
  Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket

  Output: 7270 packets, 344198 bytes
  Output error: 0 lostpackets
  Output error: 0 overrunpackets, 0 underrunpackets

If the information "Internet Address is negotiated, 192.168.1.10/32" is displayed, it means that the address negotiation succeeds.

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
aaa
 ip pool 1 192.168.1.10 192.168.1.20
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 remote address pool 1
 ip address 192.168.1.1 255.255.255.0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address ppp-negotiate
#
return

1.6.3 Example for Configuring IP Address Unnumbered

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 1-3, an enterprise builds its intranet through the ISDN. Router A and Router B connect to a local LAN through the GE interfaces. The devices connect to each other through the dialing ports. Each device connects to the LAN through GE 1/0/0 and connects to the ISDN through POS 2/0/0. To save IP address resources, the dialing ports are planned to borrow the IP addresses from the GE interfaces.

Figure 1-3 Networking diagram of an IP address unnumbered configuration

[Figure: RouterA (GE1/0/0 172.16.10.1/24) and RouterB (GE1/0/0 172.16.20.1/24) are connected across the ISDN through their POS 2/0/0 interfaces; GE1/0/0 on each router attaches to an Ethernet.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses to be borrowed.
2. Configure the interfaces to borrow IP addresses from other interfaces.

Data Preparation

To complete the configuration, you need the following data:

• IP address of the interface that lends an IP address
• Number of the interface that lends an IP address

Procedure

Step 1 Configure Router A.

# Configure an IP address for GE 1/0/0.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 172.16.10.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

# Configure the POS interface to borrow an IP address from the GE interface.

[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[RouterA-Pos2/0/0] link-protocol ppp
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit

# Configure an Ethernet route to Router B.

[RouterA] ip route-static 172.16.20.0 255.255.255.0 pos 2/0/0

Step 2 Configure Router B.

# Configure an IP address for GE 1/0/0.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 172.16.20.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] undo shutdown

[RouterB-GigabitEthernet1/0/0] quit

# Configure the POS interface to borrow an IP address from the GE interface.

[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[RouterB-Pos2/0/0] link-protocol ppp
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit

# Configure an Ethernet route to Router A.

[RouterB] ip route-static 172.16.10.0 255.255.255.0 pos 2/0/0

Step 3 Verify the configuration.

# Router A can successfully ping the address of the host connected to Router B.

[RouterA] ping 172.16.20.2
  PING 172.16.20.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.20.2: bytes=56 Sequence=1 ttl=254 time=25 ms
    Reply from 172.16.20.2: bytes=56 Sequence=2 ttl=254 time=25 ms
    Reply from 172.16.20.2: bytes=56 Sequence=3 ttl=254 time=26 ms
    Reply from 172.16.20.2: bytes=56 Sequence=4 ttl=254 time=26 ms
    Reply from 172.16.20.2: bytes=56 Sequence=5 ttl=254 time=26 ms
  --- 172.16.20.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.16.10.1 255.255.255.0
#
ip route-static 172.16.20.0 255.255.255.0 Pos2/0/0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.16.20.1 255.255.255.0
#
ip route-static 172.16.10.0 255.255.255.0 Pos2/0/0
#
return

1.6.4 Example for Configuring IP Address Overlapping on the Same Device

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 1-4, Network A and Network B are independent from each other. They access the Internet through different paths. Using the same Layer 2 network provided by ISP 1, Network A and Network B can access each other.

It is required to use Router B to connect Network A and Network B to the Layer 2 network provided by ISP 1 by using the IP addresses 192.168.1.11/24 and 192.168.1.12/24.

Figure 1-4 Networking diagram of configuring IP address overlapping on the same device

[Figure: RouterA (AS 100, GE1/0/0 192.168.1.1/24) connects through the Layer 2 network of ISP 1 (AS 200) to RouterB on GE1/0/0 192.168.1.11/24 (r1) and GE3/0/0 192.168.1.12/24 (r2). RouterB POS2/0/0 10.1.1.1/24 connects to RouterC POS2/0/0 10.1.1.2/24 in Network A; RouterB POS4/0/0 20.1.1.1/24 connects to RouterD POS4/0/0 20.1.1.2/24 in Network B.]

Procedure

Step 1 Configure a VPN instance.

# On Router B, create a VPN instance for Network A, and bind the VPN instance to the upstream interface GE 1/0/0 and the downstream interface POS 2/0/0.

<HUAWEI> system-view
[HUAWEI] sysname RouterB

[RouterB] ip vpn-instance r1
[RouterB-vpn-instance-r1] route-distinguisher 100:1
[RouterB-vpn-instance-r1] quit
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip binding vpn-instance r1
[RouterB-GigabitEthernet1/0/0] ip address 192.168.1.11 24
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip binding vpn-instance r1
[RouterB-Pos2/0/0] ip address 10.1.1.1 24
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit

# On Router B, create a VPN instance for Network B, and bind the VPN instance to the upstream interface GE 3/0/0 and the downstream interface POS 4/0/0.

[RouterB] ip vpn-instance r2
[RouterB-vpn-instance-r2] route-distinguisher 100:2
[RouterB-vpn-instance-r2] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] ip binding vpn-instance r2
[RouterB-GigabitEthernet3/0/0] ip address 192.168.1.12 24
[RouterB-GigabitEthernet3/0/0] undo shutdown
[RouterB-GigabitEthernet3/0/0] quit
[RouterB] interface pos 4/0/0
[RouterB-Pos4/0/0] ip binding vpn-instance r2
[RouterB-Pos4/0/0] ip address 20.1.1.1 24
[RouterB-Pos4/0/0] undo shutdown
[RouterB-Pos4/0/0] quit

# On Router B, configure static routes for the two VPN instances.

[RouterB] ip route-static vpn-instance r1 0.0.0.0 0 192.168.1.1
[RouterB] ip route-static vpn-instance r2 0.0.0.0 0 192.168.1.1

Step 2 Set up the EBGP neighbor relationship between Router A and the two upstream interfaces on Router B respectively.

# Configure Router B.

[RouterB] bgp 200
[RouterB-bgp] router-id 100.1.1.1
[RouterB-bgp] ipv4-family vpn-instance r1
[RouterB-bgp-r1] peer 192.168.1.1 as-number 100
[RouterB-bgp-r1] import-route direct
[RouterB-bgp-r1] quit
[RouterB-bgp] ipv4-family vpn-instance r2
[RouterB-bgp-r2] peer 192.168.1.1 as-number 100
[RouterB-bgp-r2] import-route direct
[RouterB-bgp-r2] quit

# Configure Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] bgp 100
[RouterA-bgp] peer 192.168.1.11 as-number 200
[RouterA-bgp] peer 192.168.1.12 as-number 200
[RouterA-bgp] quit

Step 3 Configure IP addresses and static routes for Router C and Router D on the local network.

# Configure the IP address and static route for Router C.

<HUAWEI> system-view

[HUAWEI] sysname RouterC
[RouterC] interface pos 2/0/0
[RouterC-Pos2/0/0] ip address 10.1.1.2 24
[RouterC-Pos2/0/0] undo shutdown
[RouterC-Pos2/0/0] quit
[RouterC] ip route-static 0.0.0.0 0 10.1.1.1

# Configure the IP address and static route for Router D.

<HUAWEI> system-view
[HUAWEI] sysname RouterD
[RouterD] interface pos 4/0/0
[RouterD-Pos4/0/0] ip address 20.1.1.2 24
[RouterD-Pos4/0/0] undo shutdown
[RouterD-Pos4/0/0] quit
[RouterD] ip route-static 0.0.0.0 0 20.1.1.1

Step 4 Verify the configuration.

# After the configurations, view the private routing table on Router B. The routes of the two local networks connected to Router B belong to two VPN instances (r1 and r2) respectively. This indicates that the routes are isolated.

[RouterB] display ip routing-table vpn-instance r1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: r1
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

0.0.0.0/0           Static  60   0     RD     192.168.1.1     GigabitEthernet1/0/0
10.1.1.0/24         Direct  0    0     D      10.1.1.1        Pos2/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.1.1.2/32         Direct  0    0     D      10.1.1.2        Pos2/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.11    GigabitEthernet1/0/0
192.168.1.11/32     Direct  0    0     D      127.0.0.1       InLoopBack0

[RouterB] display ip routing-table vpn-instance r2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: r2
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

0.0.0.0/0           Static  60   0     RD     192.168.1.1     GigabitEthernet3/0/0
20.1.1.0/24         Direct  0    0     D      20.1.1.1        Pos4/0/0
20.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
20.1.1.2/32         Direct  0    0     D      20.1.1.2        Pos4/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.12    GigabitEthernet3/0/0
192.168.1.12/32     Direct  0    0     D      127.0.0.1       InLoopBack0

# Run the display ip routing-table command on Router A. The command output shows that the public routing table on Router A contains routes to the two local networks.

[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

10.1.1.0/24         BGP     255  0     D      192.168.1.11    GigabitEthernet1/0/0
10.1.1.2/32         BGP     255  0     D      192.168.1.11    GigabitEthernet1/0/0
20.1.1.0/24         BGP     255  0     D      192.168.1.12    GigabitEthernet1/0/0
20.1.1.2/32         BGP     255  0     D      192.168.1.12    GigabitEthernet1/0/0

127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.1.0/24      Direct  0    0     D      192.168.1.1     GigabitEthernet1/0/0
192.168.1.1/32      Direct  0    0     D      127.0.0.1       InLoopBack0

Network A and Network B can successfully ping each other.

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
bgp 100
 peer 192.168.1.11 as-number 200
 peer 192.168.1.12 as-number 200
 #
 ipv4-family unicast
  undo synchronization
  peer 192.168.1.11 enable
  peer 192.168.1.12 enable
#
return

• Configuration file of Router B

#
 sysname RouterB
#
ip vpn-instance r1
 route-distinguisher 100:1
#
ip vpn-instance r2
 route-distinguisher 100:2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance r1
 ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance r2
 ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r1
 ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r2
 ip address 20.1.1.1 255.255.255.0
#
bgp 200
 router-id 100.1.1.1
 #
 ipv4-family unicast
  undo synchronization
 #

 ipv4-family vpn-instance r1
  peer 192.168.1.1 as-number 100
  import-route direct
 #
 ipv4-family vpn-instance r2
  peer 192.168.1.1 as-number 100
  import-route direct
#
 ip route-static vpn-instance r1 0.0.0.0 0.0.0.0 192.168.1.1
 ip route-static vpn-instance r2 0.0.0.0 0.0.0.0 192.168.1.1
#
return

• Configuration file of Router C

#
 sysname RouterC
#
interface pos 2/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return

• Configuration file of Router D

#
 sysname RouterD
#
interface pos 4/0/0
 link-protocol ppp
 undo shutdown
 ip address 20.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
#
return
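The isolation that Step 4 verifies by hand can also be checked offline against a saved configuration file. The following Python script is an added example, not part of the Huawei guide: it reads the interface sections of the Router B configuration file above and separates overlapping subnets that sit in different VPN instances (isolated) from overlaps inside one routing table (a conflict). The function names, the "(public)" label and the misbound variant are assumptions made for the example.

```python
import ipaddress
from itertools import combinations

# Interface sections copied from the Router B configuration file above.
ROUTER_B_CONFIG = """\
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance r1
 ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance r2
 ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r1
 ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r2
 ip address 20.1.1.1 255.255.255.0
#
return
"""

# Constructed variant: every binding points at r1, so the two GE interfaces
# in 192.168.1.0/24 would share one routing table.
MISBOUND_CONFIG = ROUTER_B_CONFIG.replace("vpn-instance r2", "vpn-instance r1")

PUBLIC = "(public)"  # label used here for interfaces without a VPN binding


def parse_interfaces(config):
    """Return [(interface, routing_table, IPv4Interface)] for addressed interfaces."""
    entries = []
    name, table, address = None, PUBLIC, None

    def close_section():
        if name and address is not None:
            entries.append((name, table, address))

    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            close_section()
            name, table, address = " ".join(words[1:]), PUBLIC, None
        elif words[0] in ("#", "return"):
            close_section()
            name = None
        elif name and words[:3] == ["ip", "binding", "vpn-instance"] and len(words) == 4:
            table = words[3]
        elif name and words[:2] == ["ip", "address"] and len(words) == 4:
            try:
                address = ipaddress.ip_interface(words[2] + "/" + words[3])
            except ValueError:
                pass  # not a literal address and mask
    close_section()
    return entries


def audit_overlaps(config):
    """Classify every pair of interfaces whose subnets overlap."""
    conflicts, isolated = [], []
    for (if_a, tab_a, ip_a), (if_b, tab_b, ip_b) in combinations(
            parse_interfaces(config), 2):
        if not ip_a.network.overlaps(ip_b.network):
            continue
        pair = (if_a, tab_a, if_b, tab_b)
        if tab_a == tab_b:
            conflicts.append(pair)   # same routing table: addresses collide
        else:
            isolated.append(pair)    # different VPN instances: allowed
    return {"conflicts": conflicts, "isolated": isolated}


if __name__ == "__main__":
    for label, text in (("as configured", ROUTER_B_CONFIG),
                        ("misbound", MISBOUND_CONFIG)):
        print(label, audit_overlaps(text))
```
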

1.6.5 Example for Configuring an IP Address with a 31-bit Mask

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 1-5, Router A and Router B are connected through a PPP link.

Figure 1-5 Networking diagram of configuring an IP address with a 31-bit mask

[Figure: RouterA POS1/0/0 (10.1.1.1/31) is connected to RouterB POS1/0/0 (10.1.1.0/31).]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router A.
2. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router B.

Data Preparation

To complete the configuration, you need the following data:

• IP address and mask of POS 1/0/0 on Router A
• IP address and mask of POS 1/0/0 on Router B

Procedure

Step 1 Configure an IP address for each interface.

# Configure an IP address for POS 1/0/0 on Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 10.1.1.1 31
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit

# Configure an IP address for POS 1/0/0 on Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 10.1.1.0 31
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

Step 2 Verify the configuration.

# After the preceding configurations, you can check the routing table on Router A. You can find that in the routing table, the network address and the broadcast address of the network segment are both used as host addresses.

[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

10.1.1.0/31         Direct  0    0     D      10.1.1.1        Pos1/0/0
10.1.1.0/32         Direct  0    0     D      10.1.1.0        Pos1/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0

# After the preceding configurations, you can check the routing table on Router B. You can find that in the routing table, the network address and the broadcast address of the network segment are both used as host addresses.

[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

10.1.1.0/31         Direct  0    0     D      10.1.1.0        Pos1/0/0
10.1.1.0/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.1.1.1/32         Direct  0    0     D      10.1.1.1        Pos1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.1.1 255.255.255.254
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 10.1.1.0 255.255.255.254
#
return
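The check made in Step 2 can be scripted. The following Python script is an added example, not part of the Huawei guide: it validates the two ends of a point-to-point link, accepting both mask forms used above (31 and 255.255.255.254), and confirms from the Router A routing table rows shown above that both addresses of the 31-bit segment appear as host routes. The function names are assumptions made for the example, and the comparison with a 30-bit mask goes beyond the case shown in this section.

```python
import ipaddress

# Rows copied from the display ip routing-table output of Router A above.
ROUTER_A_TABLE = """\
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/31         Direct  0    0     D      10.1.1.1        Pos1/0/0
10.1.1.0/32         Direct  0    0     D      10.1.1.0        Pos1/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
"""


def parse_end(address, mask):
    """Accept '10.1.1.1', '31' as well as '10.1.1.1', '255.255.255.254'."""
    return ipaddress.ip_interface("%s/%s" % (address, mask))


def host_address_problem(iface):
    """Return None if iface.ip can be a host address, else the reason."""
    net = iface.network
    if net.prefixlen >= 31:
        return None  # 31-bit mask: neither address of the pair is reserved
    if iface.ip == net.network_address:
        return "%s is the network address of %s" % (iface.ip, net)
    if iface.ip == net.broadcast_address:
        return "%s is the broadcast address of %s" % (iface.ip, net)
    return None


def check_point_to_point(end_a, end_b):
    """Return a list of problems with the addressing of a two-ended link."""
    problems = []
    for iface in (end_a, end_b):
        reason = host_address_problem(iface)
        if reason:
            problems.append(reason)
    if end_a.network != end_b.network:
        problems.append("%s and %s are in different subnets" % (end_a, end_b))
    elif end_a.ip == end_b.ip:
        problems.append("both ends are configured with %s" % end_a.ip)
    return problems


def host_routes(table_text, link):
    """Return the /32 destinations in routing-table output that lie in link."""
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            dest = ipaddress.ip_network(fields[0])
        except ValueError:
            continue  # header line
        if dest.prefixlen == 32 and dest.network_address in link:
            found.append(str(dest.network_address))
    return found


if __name__ == "__main__":
    a = parse_end("10.1.1.1", "31")
    b = parse_end("10.1.1.0", "255.255.255.254")
    print("31-bit link:", check_point_to_point(a, b) or "ok")
    print("30-bit link:", check_point_to_point(parse_end("10.1.1.1", "30"),
                                               parse_end("10.1.1.0", "30")))
    print("host routes:", host_routes(ROUTER_A_TABLE, a.network))
```
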

2 ARP Configuration

About This Chapter

This chapter describes the principle of ARP and the procedure for configuring ARP, and provides typical configuration examples.

2.1 Introduction to ARP
This section describes the basic principle and concepts of the Address Resolution Protocol (ARP).

2.2 Configuring Static ARP
This section describes how to configure static ARP.

2.3 Optimizing Dynamic ARP

2.4 Configuring Routed Proxy ARP
This section describes how to configure routed proxy ARP to make different sub-networks communicate with each other.

2.5 Configuring Proxy ARP Within a VLAN
This section describes how to implement communication between hosts in the same VLAN configured with user isolation.

2.6 Configuring Proxy ARP Between VLANs
This section describes how to implement communication between hosts in different VLANs.

2.7 Configuring ARPing-IP
This section describes how to configure ARPing-IP.

2.8 Configuring ARPing-MAC
This section describes how to configure ARPing-MAC.

2.9 Configuring the Association Between ARP and Interface Status
This section describes how to control the protocol status of the interface through ARP probes.

2.10 Maintaining ARP
This section describes how to display ARP configurations, clear ARP statistics and debug ARP.

2.11 Configuration Examples

This section provides some configuration examples, such as Routed Proxy ARP, Proxy ARP Within a VLAN, and Proxy ARP Between VLANs.

2.1 Introduction to ARP

This section describes the basic principle and concepts of the Address Resolution Protocol (ARP).

2.1.1 Overview of ARP

2.1.2 Features of ARP Supported by the NE5000E

2.1.1 Overview of ARP

Each host or device on the Local Area Network (LAN) has a 32-bit IP address to communicate with others. The assigned IP address is independent of the hardware address.

On the Ethernet, a host or a device transmits and receives Ethernet frames according to a 48-bit Medium Access Control (MAC) address. The MAC address is also called the physical address or the hardware address, which is assigned to an Ethernet interface when the equipment is produced. Therefore, on an interconnected network, an address resolution mechanism is required to provide the mapping between MAC addresses and IP addresses.

The Address Resolution Protocol (ARP) maps an IP address to the corresponding MAC address.

2.1.2 Features of ARP Supported by the NE5000E

ARP is classified into dynamic ARP and static ARP. The NE5000E supports dynamic ARP, static ARP, and proxy ARP.

Introduction to ARPing

ARPing consists of ARP-Ping IP and ARP-Ping MAC. ARPing is developed to maintain the deployed Layer 2 features.

Introduction to ARP-Ping IP

ARP-Ping IP uses ARP packets to check whether an IP address is used by another device on the LAN.

Before configuring an IP address for a device, you need to check that the IP address is not used by another device on the network by sending ARP packets.

You can also run the ping command to check whether the IP address is used by another device on the network. However, if the destination host or device has a firewall enabled that does not reply to ping packets, no reply is received and the IP address is wrongly considered to be unused. ARP is a Layer 2 protocol, and in most cases ARP packets can pass through the firewall, so ARP-Ping IP does not have this problem.

Principles of ARP-Ping IP

ARP-Ping IP sends ARP Request packets. The following describes how to implement ARP-Ping IP:

1. After setting the specified IP address through command lines, you can send ARP Request packets and start the timeout timer.

2. After receiving an ARP Request packet, each device or host on the LAN replies with an ARP Reply packet.

3. After receiving the ARP Reply packet, the source device compares the source IP address contained in the Reply packet with the IP address input in the command line. If they are consistent, the MAC address corresponding to the input IP address is displayed and the timeout timer of ARP Reply packets is disabled. The operation finishes.

If the timeout timer of ARP Reply packets times out, it means that the IP address is not in use.

As shown in Figure 2-1, Router A and Gigabitethernet A are directly connected. You can run the arp-ping ip command on Router A to check whether the IP address 10.1.1.2 is in use.

Figure 2-1 Implementation procedure of ARP-Ping IP

[Figure: RouterA GE1/0/0 (10.1.1.1/24) is attached to Gigabitethernet A together with Host A (10.1.1.2/32) and Host B (10.1.1.3/32).]

Run the arp-ping ip 10.1.1.2 command on Router A. After receiving the ARP Reply packet from Host A 10.1.1.2 on the network, Router A displays the MAC address of Host A.

Through the command output, you can know whether the IP address is used by another host on the network.

NOTE

The arp-ping ip command is applicable when the outgoing interface is one of the following types: GigabitEthernet interface or Eth-Trunk interface.
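The comparison in step 3 can be reproduced offline on captured frames. The following Python script is an added example, not part of the Huawei guide or of the NE5000E software: it builds and parses IPv4-over-Ethernet ARP frames and applies the source-IP check to a constructed capture for the hosts in Figure 2-1. The MAC addresses and function names are assumptions made for the example; beyond the procedure above, it also reports the case where more than one MAC address answers for the probed IP address.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed MAC addresses for the devices in Figure 2-1 (not from the guide).
ROUTER_MAC = "00E0-FC00-0001"
HOST_A_MAC = "00E0-FC00-0002"
HOST_B_MAC = "00E0-FC00-0003"


def mac_to_bytes(mac):
    """Convert a MAC written as 00E0-FC00-0001 (or with colons) to 6 bytes."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(digits)


def mac_to_text(raw):
    """Render 6 bytes in the xxxx-xxxx-xxxx form used in this guide."""
    digits = raw.hex().upper()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an IPv4-over-Ethernet ARP packet."""
    sha = mac_to_bytes(sender_mac)
    tha = mac_to_bytes(target_mac) if target_mac else b"\x00" * 6
    dst = tha if op == ARP_REPLY else b"\xff" * 6   # requests are broadcast
    ethernet = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (ethernet + header
            + sha + ipaddress.IPv4Address(sender_ip).packed
            + tha + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not valid ARP."""
    if len(frame) < 42:                 # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_to_text(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_to_text(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def arp_ping_ip(probed_ip, frames_before_timeout):
    """Step 3: keep ARP replies whose source IP equals the probed address.

    Returns the sorted list of distinct MAC addresses that answered."""
    owners = set()
    for frame in frames_before_timeout:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue                    # malformed, non-ARP, or a request
        if arp["sender_ip"] == probed_ip:
            owners.add(arp["sender_mac"])
    return sorted(owners)


def verdict(owners):
    """Summarize the result the way an operator would read it."""
    if not owners:
        return "not in use"
    if len(owners) == 1:
        return "in use by " + owners[0]
    return "conflict between " + ", ".join(owners)


def constructed_capture():
    """Frames Router A might see before the timeout (constructed sample)."""
    return [
        build_arp(ARP_REPLY, HOST_B_MAC, "10.1.1.3", ROUTER_MAC, "10.1.1.1"),
        build_arp(ARP_REPLY, HOST_A_MAC, "10.1.1.2", ROUTER_MAC, "10.1.1.1"),
        build_arp(ARP_REQUEST, HOST_B_MAC, "10.1.1.3", None, "10.1.1.2"),
        b"\x00" * 20,                   # truncated frame, must be ignored
    ]


if __name__ == "__main__":
    frames = constructed_capture()
    for ip in ("10.1.1.2", "10.1.1.9"):
        print(ip, verdict(arp_ping_ip(ip, frames)))
```
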

Introduction to ARP-Ping MAC

ARP-Ping MAC uses ICMP packets to check whether a MAC address is used by another device on the LAN.

When you know a specific MAC address on a network segment but do not know the corresponding IP address, you can obtain the IP address corresponding to the MAC address by sending the broadcast Internet Control Message Protocol (ICMP) packets through ARP-Ping MAC. In this way, you can query the IP address corresponding to the specific MAC address on the network segment.

Principles of ARP-Ping MAC

ARP-Ping MAC sends broadcast ICMP Echo Request packets. The following describes how to implement ARP-Ping MAC:

1. After setting the specified MAC address through the command line, you can send broadcast ICMP Echo Request packets and start the timeout timer.

2. After receiving an ICMP Echo Request packet, each device or host on the LAN replies with an ICMP Echo Reply packet.

3. After receiving the ICMP Echo Reply packet, the source device compares the source MAC address contained in the Echo Reply packet with the MAC address input in the command line. If they are consistent, the IP address of the Echo Reply packet is displayed. Then the source device prompts you that the MAC address is in use and disables the timeout timer. The operation finishes.

If the timeout timer of the ICMP Echo Reply packets times out, it means that the MAC address is not in use.

NOTE

If the system denies the request for replying with the network segment address, the sender cannot receive the ICMP Echo Reply packet.

As shown in Figure 2-2, Router A and Gigabitethernet A are directly connected. You can run the arp-ping mac command on Router A to check whether the MAC address 0013-46E7-2EF5 is in use.

Figure 2-2 Implementation procedure of ARP-Ping MAC

[Figure: RouterA GE1/0/0 (10.1.1.1/24) is attached to Gigabitethernet A together with Host A (MAC address 0013-46E7-2EF5).]

The following describes how to implement ARP-Ping MAC on Router A:

Run the arp-ping mac 0013-46E7-2EF5 10.1.1.0 or arp-ping mac 0013-46E7-2EF5 gigabitethernet 1/0/0 command on Router A. After receiving the ICMP Reply packets replied by all the hosts on the network, Router A displays the IP address of the host with the MAC address 0013-46E7-2EF5.

Through the command output, you can obtain the IP address corresponding to the MAC address.

NOTE

The arp-ping mac command is applicable when the outgoing interface is one of the following types: GigabitEthernet interface or Eth-Trunk interface.

2.2 Configuring Static ARP

This section describes how to configure static ARP.

2.2.1 Establishing the Configuration Task

2.2.2 Configuring Common Static ARP Entries

2.2.3 Configuring Static ARP Entries in a VLAN

2.2.4 Configuring Static ARP Entries in a VPN Instance

2.2.5 Checking the Configuration

2.2.1 Establishing the Configuration Task

Applicable Environment

Static ARP is used in the following situations:

• For the packets whose destination IP address is on another network segment, static ARP can help these packets traverse a gateway of the local network segment so that the gateway can forward the packets to their destination.
• When you need to filter out some packets with illegitimate destination IP addresses, static ARP can bind these illegitimate addresses to a nonexistent MAC address.

Pre-configuration Tasks

Before configuring ARP, complete the following tasks:

• Configuring physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up
• Configuring link layer protocol parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up
• Configuring the network layer protocol for the interface

Data Preparation

To configure ARP, you need the following data.

No.  Data
1    IP address and MAC address of the static ARP entry
2    VPN instance name and VLAN ID to which the static ARP entry belongs

2.2.2 Configuring Common Static ARP Entries

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
arp static ip-address mac-address

Common static ARP entries are configured.

NOTE

Static ARP entries remain valid as long as the device works normally.

----End

2.2.3 Configuring Static ARP Entries in a VLAN

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure static ARP entries in a Virtual Local Area Network (VLAN).

To configure static ARP entries in a VLAN, do as follows:

• Run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command.
  If the interface corresponding to the VLAN is bound to a Virtual Private Network (VPN), the device can automatically associate the configured static ARP entry with the VPN. This command is applicable to port-based VLANs.

• Run the arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-id command.
  This command is applicable to the sub-interface that supports VLAN and can be bound to the VPN.

NOTE

Static ARP entries remain valid as long as the device works normally.

----End

2.2.4 Configuring Static ARP Entries in a VPN Instance

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: arp static ip-address mac-address vpn-instance vpn-instance-name

A static ARP entry is configured in the VPN instance.

NOTE

Static ARP entries remain valid as long as the device works normally.

----End

2.2.5 Checking the Configuration

Prerequisite

The configurations of the ARP function are complete.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.

• Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.

• Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.

• Run the display arp statistics { all | slot slot-id } command to check the statistics for ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I -  GE1/0/1     r2
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1     r2
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp statistics all
Dynamic:20      Static:10
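The checks above confirm only that entries are displayed. The following Python script is an added example, not part of the Huawei guide: it parses display arp output in the layout shown above and compares it with the static bindings the operator intended, flagging entries that are missing, learned dynamically instead of configured statically, or bound to a different MAC address. The S type code for static entries, the 192.168.1.20 and 192.168.1.21 rows, and the expected-binding table are assumptions made for the illustration.

```python
import re
from collections import Counter

# Row layout follows the sample output in this guide. The "S" code for static
# entries is an assumption: the guide's samples show only I and D rows.
# VLAN/CEVLAN and PVC columns are not parsed; a row carrying them is not
# recognised and surfaces as a count-mismatch finding instead of being misread.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+"
    r"(?:(?P<expire>\d+)\s+)?"                      # blank for non-dynamic rows
    r"(?P<kind>[IDS])\s?-\s?(?P<slot>\d+|-)?\s+"    # "I -", "D-6", "S--"
    r"(?P<intf>\S+)(?:\s+(?P<vpn>\S+))?\s*$"
)
SUMMARY = re.compile(r"Total:(\d+)\s+Dynamic:(\d+)\s+Static:(\d+)\s+Interface:(\d+)")
KINDS = {"I": "interface", "D": "dynamic", "S": "static"}


def parse_display_arp(text):
    """Return (entries, summary) from the text of a `display arp ...` capture."""
    entries, summary = [], None
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row:
            entry = row.groupdict()
            entry["mac"] = entry["mac"].lower()
            entry["kind"] = KINDS[entry["kind"]]
            entry["vpn"] = entry["vpn"] or ""       # "" = no VPN instance shown
            entries.append(entry)
            continue
        total = SUMMARY.search(line)
        if total:
            keys = ("total", "dynamic", "static", "interface")
            summary = dict(zip(keys, map(int, total.groups())))
    return entries, summary


def audit(text, expected):
    """Compare a capture with `expected`: {(vpn_instance, ip): static MAC}.

    Returns a list of (finding, key, detail) tuples; an empty list means every
    expected binding is present, static, and unchallenged.
    """
    entries, summary = parse_display_arp(text)
    findings = []

    # 1. Capture integrity: the device's own counters must match what we parsed,
    #    otherwise the capture is truncated or a row format was not recognised.
    counts = Counter(e["kind"] for e in entries)
    parsed = {"total": len(entries), "dynamic": counts["dynamic"],
              "static": counts["static"], "interface": counts["interface"]}
    if summary is None:
        findings.append(("no-summary", None, "capture has no Total: line"))
    elif parsed != summary:
        findings.append(("count-mismatch", None, f"parsed {parsed}, device {summary}"))

    # 2. One IP resolving to several MACs inside the same VPN instance.
    macs_by_key = {}
    for e in entries:
        macs_by_key.setdefault((e["vpn"], e["ip"]), set()).add(e["mac"])
    for key, macs in macs_by_key.items():
        if len(macs) > 1:
            findings.append(("conflict", key, ", ".join(sorted(macs))))

    # 3. Every binding the operator configured must be there, static, and exact.
    for key, mac in expected.items():
        rows = [e for e in entries if (e["vpn"], e["ip"]) == key]
        if not rows:
            findings.append(("missing", key, "no entry in the table"))
        for e in rows:
            if e["mac"] != mac.lower():
                findings.append(("mac-mismatch", key, f"table has {e['mac']} ({e['kind']})"))
            elif e["kind"] != "static":
                findings.append(("not-static", key, f"learned as {e['kind']}"))
    return findings


# Constructed capture modelled on the guide's `display arp vpn-instance r1 slot 1`
# sample; the .20 and .21 rows and all expected bindings are made up for the demo.
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0     r1
192.168.1.20    0000-0a41-0220            S--  GE1/0/0     r1
192.168.1.21    0000-0a41-02ff  9         D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:1    Interface:1
"""
EXPECTED = {
    ("r1", "192.168.1.20"): "0000-0a41-0220",   # present and static: no finding
    ("r1", "192.168.1.21"): "0000-0a41-0221",   # table shows another MAC
    ("r1", "192.168.1.1"): "0000-0a41-0200",    # right MAC, but only dynamic
    ("r1", "192.168.1.30"): "0000-0a41-0230",   # never made it into the table
}

if __name__ == "__main__":
    for finding, key, detail in audit(SAMPLE, EXPECTED):
        print(f"{finding:15} {key} {detail}")
```

Bindings are keyed by VPN instance and IP address, so the same address appearing in r1 and r2, as in the slot sample above, is not reported as a conflict.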

2.3 Optimizing Dynamic ARP

2.3.1 Establishing the Configuration Task

2.3.2 Modify the aging parameters of dynamic ARP

2.3.3 Enabling ARP Suppression Function

2.3.4 Checking the Configuration

2.3.1 Establishing the Configuration Task

Applicable Environment

Dynamic ARP is a built-in function of a device or host. You do not need to run a command to enable dynamic ARP, but you can modify some of its parameters.

Pre-configuration Tasks

None

Data Preparation

To optimize dynamic ARP, you need the following data.

No. Data

1 ID of the Ethernet interface to which the dynamic ARP entry belongs

2 Aging detection times of the dynamic ARP entry

3 Aging time of the dynamic ARP entry

2.3.2 Modify the aging parameters of dynamic ARP

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run: arp detect-times detect-times

The number of aging detection times of the dynamic ARP entries is configured.

Step 4 Run: arp expire-time expire-times

The timeout period for aging dynamic ARP entries is configured.

By default, the number of aging detection times of dynamic ARP entries is three, and the aging timeout period is 1200 seconds.

----End

2.3.3 Enabling ARP Suppression Function

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: arp-suppress enable

ARP suppression is enabled on the current device.

The ARP suppression function can be enabled only on the Eth-Trunk interface.

----End

2.3.4 Checking the Configuration

Prerequisite

The configurations of the ARP function are complete.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.

• Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.

• Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.

• Run the display arp statistics { all | slot slot-id } command to check the statistics for ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I -  GE1/0/1     r2
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1     r2
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp statistics all
Dynamic:20      Static:10

2.4 Configuring Routed Proxy ARP

This section describes how to configure routed proxy ARP to make different sub-networks communicate with each other.

2.4.1 Establishing the Configuration Task

2.4.2 Configuring an IP Address for the Interface

2.4.3 Enabling the Routed Proxy ARP Function

2.4.4 Checking the Configuration

2.4.1 Establishing the Configuration Task

Applicable Environment

The two physical networks of an enterprise are in different subnets of the same IP network, and are separated by a device. You need to enable the proxy ARP on the device interface connected to the physical networks. This enables communication between the two networks.

Network IDs of subnet hosts must be the same. You need not configure default gateways for hosts.

Pre-configuration Tasks

Before configuring routed proxy ARP, complete the following tasks:

• Configuring the physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up

• Configuring the link layer parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure routed proxy ARP, you need the following data.

No. Data

1 Number of the interface to be enabled with routed proxy ARP

2 IP address of the interface to be enabled with routed proxy ARP

2.4.2 Configuring an IP Address for the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

The interfaces supporting routed proxy ARP include GE interfaces, GE sub-interfaces, Eth-Trunk interfaces, and Eth-Trunk sub-interfaces.

Step 3 Run: ip address ip-address { mask | mask-length }

The interface is configured with an IP address.

The IP address configured for the interface must be in the same network segment as the hosts in the LAN connected to this interface.

----End

2.4.3 Enabling the Routed Proxy ARP Function

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: arp-proxy enable

The routed proxy ARP function is enabled on the interface.

After routed proxy ARP is enabled, you must reduce the aging time of ARP entries on the hosts so that fewer packets are received by the device but cannot be forwarded. To configure the aging time of ARP entries, run the arp expire-time expire-time command.

----End

2.4.4 Checking the Configuration

Prerequisite

The configurations of the routed proxy ARP function are complete.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.

• Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.

• Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.

• Run the display arp statistics { all | slot slot-id } command to check statistics about ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I -  GE1/0/1     r2
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1     r2
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp statistics all
Dynamic:20      Static:10

2.5 Configuring Proxy ARP Within a VLAN

This section describes how to implement communication between hosts in the same VLAN configured with user isolation.

2.5.1 Establishing the Configuration Task

2.5.2 Configuring an IP Address for the Interface

2.5.3 Configuring the VLAN Associated with the Sub-interface

2.5.4 Enabling Proxy ARP Within a VLAN

2.5.5 Checking the Configuration

2.5.1 Establishing the Configuration Task

Applicable Environment

If two users are in the same VLAN but they are isolated from each other, to ensure the two users can communicate, you need to enable proxy ARP within the VLAN on the interface associated with the VLAN.

Pre-configuration Tasks

Before configuring proxy ARP within a VLAN, complete the following tasks:

• Configuring physical attributes for the interface and ensuring that the status of the physical layer of the interface is Up

• Configuring the VLAN

• Configuring user isolation in the VLAN

Data Preparation

To configure proxy ARP within a VLAN, you need the following data.

No. Data

1 Number of the interface to be enabled with proxy ARP in a VLAN

2 IP address of the interface to be enabled with proxy ARP in a VLAN

3 VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN

2.5.2 Configuring an IP Address for the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface { gigabitethernet | eth-trunk } interface-number.sub-interface-number

The interface view is displayed.

The interfaces supporting routed proxy ARP in a VLAN include GE sub-interfaces and Eth-Trunk sub-interfaces.

Step 3 Run: ip address ip-address { mask | mask-length }

The interface is configured with an IP address.

The IP address configured for the interface must be in the same network segment as the hosts in the VLAN associated with this interface.

----End

2.5.3 Configuring the VLAN Associated with the Sub-interface

Context

NOTE

This step is required when you enable proxy ARP in a VLAN on the GE sub-interfaces or Eth-Trunk sub-interfaces.

Do as follows on the router that uses sub-interfaces to implement interworking in a VLAN:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface { gigabitethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.

Step 3 Run: vlan-type low-vid

The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with the sub-interface is configured.

In the NE5000E, one sub-interface can be associated with one VLAN.

By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.

----End

2.5.4 Enabling Proxy ARP Within a VLAN

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface { gigabitethernet | eth-trunk } interface-number.sub-interface-number

The interface view is displayed.

Step 3 Run: arp-proxy inner-sub-vlan-proxy enable

Proxy ARP within a VLAN is enabled.

----End

2.5.5 Checking the Configuration

Prerequisite

The configurations of the proxy ARP within a VLAN function are complete.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.

• Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.

• Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.

• Run the display arp statistics { all | slot slot-id } command to check statistics about ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I -  GE1/0/1     r2
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1     r2
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp statistics all
Dynamic:20      Static:10

2.6 Configuring Proxy ARP Between VLANs

This section describes how to implement communication between hosts in different VLANs.

2.6.1 Establishing the Configuration Task

2.6.2 Configuring an IP Address for the Interface

2.6.3 Configuring the VLAN Associated with the Sub-interface

2.6.4 Enabling Proxy ARP Between VLANs

2.6.5 Checking the Configuration

2.6.1 Establishing the Configuration Task

Applicable Environment

If two users belong to different VLANs and they need to communicate, you need to enable proxy ARP between VLANs on the sub-interface associated with the VLAN.

IP addresses of hosts in a VLAN must be in the same network segment.

Pre-configuration Tasks

Before configuring proxy ARP between VLANs, complete the following tasks:

• Configuring physical attributes for the interface and ensuring that the status of the physical layer of the interface is Up

• Configuring VLAN aggregation

Data Preparation

To configure proxy ARP between VLANs, you need the following data.

No. Data

1 Number of the interface to be enabled with proxy ARP between VLANs

2 IP address of the interface to be enabled with proxy ARP between VLANs

3 VLAN ID associated with the interface to be enabled with proxy ARP between VLANs

2.6.2 Configuring an IP Address for the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface { gigabitethernet } interface-number.sub-interface-number

The interface view is displayed.

The interfaces supporting routed proxy ARP between VLANs include GE sub-interfaces and Eth-Trunk sub-interfaces.

Step 3 Run: ip address ip-address { mask | mask-length }

The interface is configured with an IP address.

The IP address configured for the interface must be in the same network segment as the hosts in the VLAN associated with this interface.

----End

2.6.3 Configuring the VLAN Associated with the Sub-interface

Context

NOTE

This step is required when you enable proxy ARP between VLANs on the GE sub-interfaces or Eth-Trunk sub-interfaces.

Do as follows on the router that uses sub-interfaces to implement interworking between VLANs:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface { gigabitethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.

Step 3 Run: vlan-type low-vid

The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with the sub-interface is configured.

In the NE5000E, one sub-interface can be associated with one VLAN.

By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.

----End

2.6.4 Enabling Proxy ARP Between VLANs

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface { gigabitethernet } interface-number.sub-interface-number

The interface view is displayed.

The interfaces supporting routed proxy ARP between VLANs include Eth-Trunk sub-interfaces and GE sub-interfaces.

Step 3 Run: arp-proxy inter-sub-vlan-proxy enable

Proxy ARP between VLANs is enabled.

----End

2.6.5 Checking the Configuration

Prerequisite

The configurations of Proxy ARP Between VLANs are complete.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on interfaces.

• Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on slots.

• Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command to check information about ARP mapping tables based on VPN instances.

• Run the display arp statistics { all | slot slot-id } command to check statistics about ARP entries.

----End

Example

Run the display arp interface command. If all the ARP entries of the interface are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  15        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I -  GE1/0/1     r2
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/1     r2
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  17        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6  GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp statistics all
Dynamic:20      Static:10

2.7 Configuring ARPing-IP

This section describes how to configure ARPing-IP.

2.7.1 Establishing the Configuration Task

2.7.2 Detecting the IP Address by Using the arp-ping ip Command

2.7.1 Establishing the Configuration Task

Applicable Environment

In the LAN, to configure an IP address for a device, you need to use the arp-ping ip command to check whether this IP address is used by another device in the network.

Pre-configuration Tasks

Before configuring ARPing-IP, complete the following tasks:

• Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up.

Data Preparation

To configure ARPing-IP, you need the following data.

No. Data

1 IP address to be checked

2.7.2 Detecting the IP Address by Using the arp-ping ip Command

Context

Do as follows on the device:

Procedure

Step 1 Run: arp-ping ip ip-address [ interface interface-type interface-number ]

Check whether the IP address is in use.

The following information is displayed:

• If the following information is displayed, it means that the IP address is not in use.

[HUAWEI] arp-ping ip 110.1.1.2
 ARP-Pinging 110.1.1.2:
 Request timed out
 Request timed out
 Request timed out
 The IP address is not used by anyone!

• If the following information is displayed, it means that the IP address is in use.

[HUAWEI] arp-ping ip 128.1.1.1
 ARP-Pinging 128.1.1.1:
 128.1.1.1 is used by 00e0-517d-f202

----End

2.8 Configuring ARPing-MAC

This section describes how to configure ARPing-MAC.

2.8.1 Establishing the Configuration Task

2.8.2 Detecting the MAC Address by Using the arp-ping mac Command

2.8.1 Establishing the Configuration Task

Applicable Environment

To check whether a MAC address is in use or query the IP address through the MAC address, you can use the arp-ping mac command.

Pre-configuration Tasks

Before configuring ARPing-MAC, complete the following tasks:

• Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up.

Data Preparation

To configure ARPing-MAC, you need the following data.

No. Data

1 MAC address to be checked

2.8.2 Detecting the MAC Address by Using the arp-ping mac Command

Context

Do as follows on the device:

Procedure

Step 1 Run:arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number }

Check whether the MAC address is in use. Alternatively, you can query the IP address throughthe MAC address.

The following information is displayed:

l If the following information is displayed, it means that the MAC address is not in use.[HUAWEI] arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0 OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press CTRL_C to break Request timed out Request timed out Request timed out ----- ARP-Ping MAC statistics ----- 3 packet(s) transmitted 0 packet(s) received MAC[00-E0-51-7D-F2-01] not be used

l If the following information is displayed, it means that the MAC address is in use.


[HUAWEI] arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
 OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press CTRL_C to break
 ----- ARP-Ping MAC statistics -----
 1 packet(s) transmitted
 1 packet(s) received
 IP ADDRESS      MAC ADDRESS
 128.1.1.1       00-E0-51-7D-F2-02

----End

2.9 Configuring the Association Between ARP and Interface Status

This section describes how to control the protocol status of the interface through ARP probes.

2.9.1 Establishing the Configuration Task

2.9.2 Configuring the Association Between ARP and Interface Status

2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status

2.9.1 Establishing the Configuration Task

Applicable Environment

If transmission devices exist over a link (between devices in the diagram), the actual physical path is segmented by the transmission devices although communication ends and transmission devices are directly connected at the network layer. In such a case, if the link or remote end fails, the local end takes a long time to detect the fault.

To solve the preceding problem, configure the association between the Bidirectional Forwarding Detection (BFD) status and the interface status. For details, refer to the chapter "BFD Configuration" in the HUAWEI NetEngine5000E Core Router Configuration Guide - Reliability.

For a device that does not support the BFD function, the NE5000E provides the ARP and interface status association function so that local interfaces can correctly judge the forwarding status of the remote end and change their protocol status accordingly (Up or Down). Fast convergence of routes is thus triggered.

Figure 2-3 Schematic diagram of transmission device existing between devices

RouterA RouterB

Pre-configuration Task

Before configuring the association between ARP and interface status, complete the following tasks:


• Configuring physical parameters for interfaces to make the physical statuses of interfaces Up.

• Configuring link layer parameters and IP addresses for interfaces to make the link protocol status of interfaces Up.

Data Preparation

To configure the association between ARP and interface status, you need the following data.

No. Data

1 Destination IP address of an ARP probe packet

2 Interval for sending ARP probe packets

3 Maximum times that no response is received for the continually sent ARP probe packets before the protocol status of an interface turns Down

4 Probe mode

2.9.2 Configuring the Association Between ARP and Interface Status

Context

Do as follows on the router to perform probes:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the interface to be enabled with the association between ARP and interface status is displayed.

NOTE

The association between ARP and interface status can be configured only on Gigabit Ethernet interfaces and Gigabit Ethernet sub-interfaces.

Step 3 Run:
arp status-detect ip-address

The association between ARP and interface status and the destination IP address of the probe are configured. The probed IP address must be the IP address of the directly-connected device.

The device to be probed need not be configured.

----End


2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status

Context

Do as follows on the router to perform probes:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the interface to be enabled with the association between ARP and interface status is displayed.

Step 3 Run:
arp status-detect interval detect-interval

The interval for sending ARP probe packets is set.

By default, the interval is 1000 ms.

Step 4 Run:
arp status-detect times detect-times

The maximum number of times that no response is received for the continually sent ARP probe packets before the protocol status of an interface turns Down is set.

By default, the maximum number of times is 3.

Step 5 Run:
arp status-detect mode loose

The probe mode is set to loose.

By default, the probe mode is strict.

• In loose mode, probe packets are sent only when the protocol status turns Up. The remote end declares the protocol to be Up when receiving any type of legal ARP packet.

• In strict mode, probe packets are sent regardless of whether the protocol status is Up or Down. The device declares the protocol to be Up only when receiving legal ARP response packets.

NOTE

When you configure ARP probe on both ends, configure the strict mode on at least one end. That is, the two ends cannot both be configured with the loose mode. This is because when the interface on one end is Down, the protocol status of the remote end turns Down because of a probe timeout. If the probe mode is set to loose on both ends, neither end actively sends probe packets, which results in a deadlock.

----End

Postrequisite

The device to be probed need not be configured.


2.10 Maintaining ARP

This section describes how to display ARP configurations, clear ARP statistics and debug ARP.

2.10.1 Clearing ARP Statistics

2.10.2 Monitoring Network Operation Status of ARP

2.10.3 Debugging ARP

2.10.1 Clearing ARP Statistics

Context

CAUTION

The mapping between the IP and MAC addresses is deleted after you clear ARP statistics. So, confirm the action before you use the command.

Procedure

Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number | slot slot-id | static } command in the user view to clear the ARP entries in the ARP mapping table.

----End

2.10.2 Monitoring Network Operation Status of ARP

Context

In routine maintenance, you can run the following commands in any view to check the operation of ARP.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] [ | { begin | exclude | include } regular-expression ] command in any view to check the information about the ARP mapping table based on interfaces.

• Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command in any view to check the information about ARP mapping tables based on slots.

• Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] [ | { begin | exclude | include } regular-expression ] command in any view to check the information about ARP mapping tables based on VPN instances.

----End


2.10.3 Debugging ARP

Context

CAUTION

Debugging affects the performance of the system. Thus, after debugging, run the undo debugging all command to disable debugging immediately. When the CPU usage is close to 100%, debugging ARP may cause the board to reset. So, confirm the action before you use the command.

When faults occur during ARP operation, run the following debugging commands in the user view to debug ARP and locate the fault.

For more information, see chapter "Information Center Configuration" in the HUAWEI NetEngine5000E Core Router Configuration Guide - System Management. For descriptions about the debugging commands, see the HUAWEI NetEngine5000E Core Router Debugging Reference.

Procedure

• Run the debugging arp packet [ interface interface-type interface-number | slot slot-id ] command in the user view to debug ARP.

• Run the debugging arp-proxy [ inner-sub-vlan-proxy | inter-sub-vlan-proxy ] [ interface interface-type interface-number ] command in the user view to debug proxy ARP.

----End

2.11 Configuration Examples

This section provides configuration examples, such as Routed Proxy ARP, Proxy ARP Within a VLAN and Proxy ARP Between VLANs.

2.11.1 Example for Configuring Routed Proxy ARP

2.11.2 Example for Configuring Proxy ARP Within a VLAN

2.11.3 Example for Configuring the Association Between ARP and Interface Status

2.11.1 Example for Configuring Routed Proxy ARP


Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 2-4, two devices are connected through serial lines. Each device has a GE 1/0/0 interface connecting with a local network. The network segment of the two local networks is 172.16.0.0/16. No default gateways are specified for Host A and Host B. The device should be configured with proxy ARP, enabling hosts in two local networks to communicate with each other.

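Figure 2-4 Networking diagram of configuring proxy ARP

[Figure: Host A (172.16.1.2/16) on Ethernet A connects to GE1/0/0 (172.16.1.1/24) of RouterA; Host B (172.16.2.2/16) on Ethernet B connects to GE1/0/0 (172.16.2.1/24) of RouterB; POS2/0/0 of RouterA (172.17.3.1/24) connects to POS2/0/0 of RouterB (172.17.3.2/24). MAC addresses shown in the figure: 0000-5e33-ee20, 00e0-fc39-80aa, 00e0-fc39-80bb, 0000-5e33-ee10.]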

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses for interfaces.
2. Enable proxy ARP on interfaces.
3. Configure the default routes.

Data Preparation

To complete the configuration, you need the following data:

• IP address for related interfaces

• Default routes

• IP address of the host

Procedure

Step 1 Configure Router A.

# Configure an IP address for GE 1/0/0.


<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 172.16.1.1 255.255.255.0

# Enable proxy ARP.

[RouterA-GigabitEthernet1/0/0] arp-proxy enable
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

# Configure a static route.

[RouterA] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.2

# Configure an IP address for POS 2/0/0.

[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address 172.17.3.1 255.255.255.0
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit

Step 2 Configure Router B.

# Configure an IP address for GE 1/0/0.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 172.16.2.1 255.255.255.0

# Enable proxy ARP.

[RouterB-GigabitEthernet1/0/0] arp-proxy enable
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit

# Configure a static route.

[RouterB] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.1

# Configure an IP address for POS 2/0/0.

[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip address 172.17.3.2 255.255.255.0
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit

Step 3 Configure the host.

# Configure the IP address of Host A to 172.16.1.2/16.

# Configure the IP address of Host B to 172.16.2.2/16.

Step 4 Verify the configuration.

# Host A can ping through Host B.

# The ARP table of Host A shows that the MAC address of Host B is the MAC address ofGE1/0/0 on Router A.

C:\Documents and Settings\Administrator> arp -a
Interface: 172.16.1.2 --- 0x2
  Internet Address      Physical Address      Type
  172.16.2.2            00e0-fc39-80aa        dynamic

----End


Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.16.1.1 255.255.255.0
 arp-proxy enable
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 172.17.3.1 255.255.255.0
#
 ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.2
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.16.2.1 255.255.255.0
 arp-proxy enable
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 172.17.3.2 255.255.255.0
#
 ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.1
#
return
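The following Python sketch is an added example, not part of the Huawei guide or of NE5000E code. It models the generic routed proxy ARP decision for Router A in this example and shows why Host A, with a /16 mask and no gateway, ends up with Router A's MAC address for Host B. The interface address, MAC address and routes come from this section; the function names and the reply rule (answer only for off-segment targets that are reachable through a different interface) are assumptions of the model.

```python
import ipaddress

# Values taken from the Router A configuration in this section.
GE = {"name": "GigabitEthernet1/0/0", "addr": "172.16.1.1/24",
      "mac": "00e0-fc39-80aa"}
ROUTES = [("172.16.1.0/24", "GigabitEthernet1/0/0"),  # connected
          ("172.17.3.0/24", "Pos2/0/0"),              # connected
          ("0.0.0.0/0", "Pos2/0/0")]                  # ip route-static 0.0.0.0 0


def host_sends_arp(host_if, dst):
    """True if the host sees dst as on-link and therefore ARPs for it."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_if).network


def best_route(routes, dst):
    """Longest-prefix match; returns (network, out_interface) or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), out) for p, out in routes
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def router_arp_reply(rx_if, routes, target, proxy_enabled):
    """MAC the router answers with for a request received on rx_if, or None."""
    iface = ipaddress.ip_interface(rx_if["addr"])
    target_ip = ipaddress.ip_address(target)
    if target_ip == iface.ip:
        return rx_if["mac"]      # ordinary ARP for the router's own address
    if not proxy_enabled:
        return None
    if target_ip in iface.network:
        return None              # target is on this segment and answers itself
    route = best_route(routes, target)
    # Assumed rule: proxy only if the target is reached via another interface.
    if route is None or route[1] == rx_if["name"]:
        return None
    return rx_if["mac"]


def host_arp_entry(host_if, dst, proxy_enabled=True):
    """MAC that lands in the host's ARP table for dst, or None."""
    if not host_sends_arp(host_if, dst):
        return None              # off-link for the host: it would need a gateway
    return router_arp_reply(GE, ROUTES, dst, proxy_enabled)


if __name__ == "__main__":
    # Host A as configured on the page: 172.16.1.2/16, no default gateway.
    print(host_arp_entry("172.16.1.2/16", "172.16.2.2"))
    # Same host with arp-proxy disabled on GE1/0/0: nobody answers.
    print(host_arp_entry("172.16.1.2/16", "172.16.2.2", proxy_enabled=False))
    # Constructed variant: a /24 host mask makes 172.16.2.2 off-link.
    print(host_arp_entry("172.16.1.2/24", "172.16.2.2"))
```
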

2.11.2 Example for Configuring Proxy ARP Within a VLAN

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 2-5, DSLAM is connected to the sub-interface Eth-Trunk1.10 of the device. Eth-Trunk1.10 is associated with VLAN 10.

PC A and PC B are two users connected with DSLAM. On DSLAM, the interfaces connected with PC A and PC B belong to the same VLAN. User isolation in a VLAN is configured on DSLAM.

To implement communication between PC A and PC B, enable proxy ARP within a VLAN on Eth-Trunk1.10 of the device.


Figure 2-5 Networking diagram of configuring proxy ARP in a VLAN

[Figure: PC A and PC B connect to the DSLAM in VLAN 10; the DSLAM connects to Eth-Trunk 1.10 (proxy ARP, 100.1.1.12/24) on the Router.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an IP address for Eth-Trunk1.10.
2. Configure the VLAN associated with the sub-interface.
3. Enable proxy ARP in a VLAN on Eth-Trunk1.10.

Data Preparation

To complete the configuration, you need the following data:

• IP address of Eth-Trunk1.10

• VLAN ID associated with Eth-Trunk1.10

Procedure

Step 1 Configure an IP address for Eth-Trunk1.10.
<HUAWEI> system-view
[HUAWEI] sysname router
[router] interface eth-trunk 1
[router-Eth-Trunk] undo shutdown
[router-Eth-Trunk] quit
[router] interface eth-trunk 1.10
[router-Eth-Trunk1.10] ip address 100.1.1.12 255.255.255.0
[router-Eth-Trunk1.10] undo shutdown
[router-Eth-Trunk1.10] quit

Step 2 Configure IP addresses for PCs.

# Configure IP addresses for PCs. The IP addresses must be in the same network segment as the IP address of Eth-Trunk1.10.


# After the configurations, PCs and the device can ping through each other but PCs cannot ping through each other.

Step 3 Associate Eth-Trunk1.10 with VLAN 10.
[router] interface eth-trunk 1.10
[router-Eth-Trunk1.10] vlan-type dot1q 10

Step 4 Enable proxy ARP in VLAN 10 on Eth-Trunk1.10.
[router-Eth-Trunk1.10] arp-proxy inner-sub-vlan-proxy enable
[router-Eth-Trunk1.10] quit

Step 5 Verify the configuration.

# PC A and PC B can ping through each other.

----End

Configuration Files

The configuration file of the device is as follows:

#
 sysname router
#
interface Eth-Trunk1
 undo shutdown
 mac-address 00e0-271e-f652
#
interface Eth-Trunk1.10
 undo shutdown
 vlan-type dot1q 10
 ip address 100.1.1.12 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
#
return

2.11.3 Example for Configuring the Association Between ARP and Interface Status

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 2-6, two devices are connected through a Layer 2 switch. If a fault occurs on the GE interface of Router A, the GE interface of Router B remains Up because the link between the switch and Router B works normally, and the protocol status of the GE interface of Router B is also Up. It is required to configure the association between ARP and interface status on Router B to probe the status of the GE interface of Router A. Router B can then rapidly change its protocol status according to the interface status change of Router A.


Figure 2-6 Networking diagram of configuring the association between ARP and interface status

[Figure: GE 1/0/0 of RouterA (10.1.1.1/24) and GE 1/0/0 of RouterB (10.1.1.2/24) are connected through a Switch.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an IP address for each interface.
2. Enable the association between ARP and interface status on the interface.
3. Adjust parameters about the association between ARP and interface status to optimize performance.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of the interfaces

• Destination IP address of an ARP probe packet

• Interval for sending ARP probe packets

• Maximum times that no response is received for the continually sent ARP probe packets before the protocol of an interface turns Down

Procedure

Step 1 Configuring an IP address for each interface

# Configure Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit

# Ping Router A on Router B. The ping succeeds. Run the display interface command on Router A and Router B to view statuses of the GE interfaces. You can find that the physical status and protocol status of the GE interfaces are Up.

[RouterB] ping 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=110 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=100 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=70 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=70 ms
  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/82/110 ms
[RouterA] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-12-22, 16:52:54
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0101
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -8.00dBm, Tx Power: -5.13dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2007-12-22, 16:52:54
Last physical down time : 2007-12-22, 16:52:54
Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
    Input: 882114 bytes, 10877 packets
    Output: 2147780 bytes, 31585 packets
    Input:
      Unicast: 0 packets, Multicast: 7368 packets
      Broadcast: 3509 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets
      InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 31585 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
      TxPause: 0 packets
[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-12-22, 16:53:41
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -8.00dBm, Tx Power: -5.13dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2007-12-22, 16:53:41
Last physical down time : 2007-12-22, 16:53:41
Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
    Input: 882114 bytes, 10877 packets
    Output: 2147780 bytes, 31585 packets
    Input:
      Unicast: 0 packets, Multicast: 7368 packets
      Broadcast: 3509 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets
      InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 31585 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets

Step 2 Run the shutdown command on the GE interface of Router A to simulate a fault.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] shutdown

# Run the display interface command on Router B to view the status of the GE interfaces. You can find that the physical status and protocol status of the GE interfaces are Up. Router B, however, cannot ping through Router A.

[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-12-22, 16:53:41
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -8.00dBm, Tx Power: -5.13dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2007-12-22, 16:53:41
Last physical down time : 2007-12-22, 16:53:41
Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
    Input: 882114 bytes, 10877 packets
    Output: 2147780 bytes, 31585 packets
    Input:
      Unicast: 0 packets, Multicast: 7368 packets
      Broadcast: 3509 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets
      InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 31585 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
[RouterB] ping 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Step 3 Enable the association between ARP and interface status on Router B.

# Specify the IP address of the GE interface of Router A as the destination IP address of the probe.

[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] arp status-detect 10.1.1.1

Step 4 Adjust parameters about the association between ARP and interface status on Router B.

# Set the interval for sending ARP probe packets to 3 seconds.

[RouterB-GigabitEthernet1/0/0] arp status-detect interval 3000

# Set the probe times to five.

[RouterB-GigabitEthernet1/0/0] arp status-detect times 5
[RouterB-GigabitEthernet1/0/0] quit

# After about 15 seconds (three seconds x five times), the GE interface status of Router B is Up and the protocol status turns Down.

[RouterB]
Sep 16 2007 15:37:45 RouterB %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet1/0/0 has turned into DOWN state.
[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : DOWN
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -8.00dBm, Tx Power: -5.13dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable
Last physical up time : 2007-12-22, 16:54:41
Last physical down time : 2007-12-22, 16:53:41
Statistics last cleared:never
    Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
    Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
    Input: 882114 bytes, 10877 packets
    Output: 2147780 bytes, 31585 packets
    Input:
      Unicast: 0 packets, Multicast: 7368 packets
      Broadcast: 3509 packets, JumboOctets: 0 packets
      CRC: 0 packets, Symbol: 0 packets
      Overrun: 0 packets
      InRangeLength: 0 packets
      LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
      Fragment: 0 packets, Undersized Frame: 0 packets
      RxPause: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
      Broadcast: 31585 packets, JumboOctets: 0 packets
      Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
return


• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 arp status-detect 10.1.1.1
 arp status-detect times 5
 arp status-detect interval 3000
 ip address 10.1.1.2 255.255.255.0
#
return
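The following Python sketch is an added example, not NE5000E code. It simulates the probe rules of section 2.9.3 for the two ends of a link, reproducing both the 15-second detection time of this example (interval 3000 ms, times 5) and the loose/loose deadlock described in the NOTE of 2.9.3. It assumes that probing starts one interval after the failure and that an end answers ARP requests whenever the path is intact; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from math import gcd


@dataclass
class End:
    name: str
    mode: str = "strict"      # page default; the alternative is "loose"
    interval_ms: int = 1000   # page default for "arp status-detect interval"
    times: int = 3            # page default for "arp status-detect times"
    detecting: bool = True    # False: no "arp status-detect" on this end
    protocol_up: bool = True
    missed: int = 0


def _set_state(end, up, t, log):
    """Record a protocol status change, if there is one."""
    if end.protocol_up != up:
        end.protocol_up = up
        log.append((t, end.name, "UP" if up else "DOWN"))


def _probe(sender, peer, path_ok, t, log):
    """One ARP request from sender and, if the path works, the peer's reply."""
    if path_ok:
        # Loose mode: any legal ARP packet, including a request, means Up.
        if peer.detecting and peer.mode == "loose":
            peer.missed = 0
            _set_state(peer, True, t, log)
        # Model assumption: the peer replies whenever the path is intact.
        sender.missed = 0
        _set_state(sender, True, t, log)
    else:
        sender.missed += 1
        if sender.missed >= sender.times:
            _set_state(sender, False, t, log)


def simulate(a, b, outage, duration_ms):
    """Return [(time_ms, end_name, new_state)] for a path outage [start, stop)."""
    start, stop = outage
    log = []
    step = gcd(a.interval_ms, b.interval_ms)
    for t in range(step, duration_ms + 1, step):
        path_ok = not (start <= t and (stop is None or t < stop))
        for sender, peer in ((a, b), (b, a)):
            due = sender.detecting and t % sender.interval_ms == 0
            # Strict mode probes in any state; loose mode only while Up.
            if due and (sender.mode == "strict" or sender.protocol_up):
                _probe(sender, peer, path_ok, t, log)
    return log


def page_example():
    """Section 2.11.3: only Router B probes; Router A stays shut down."""
    a = End("RouterA", detecting=False)
    b = End("RouterB", interval_ms=3000, times=5)
    return simulate(a, b, outage=(0, None), duration_ms=30000)


def recovery(mode_a, mode_b):
    """Constructed scenario: the path fails at t=0 and is repaired at t=10 s."""
    a, b = End("A", mode=mode_a), End("B", mode=mode_b)
    log = simulate(a, b, outage=(0, 10000), duration_ms=20000)
    return log, a.protocol_up, b.protocol_up


if __name__ == "__main__":
    print(page_example())
    print(recovery("loose", "loose"))
    print(recovery("strict", "loose"))
```

With loose mode on both ends the log stops at the two DOWN transitions even though the path is repaired, whereas one strict end brings both ends back Up at the first probe after the repair.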


3 DNS Configuration

About This Chapter

This chapter describes the static and dynamic DNS concepts and their configuration steps, along with typical examples.

3.1 DNS Overview
This section describes the basic principle and concepts of Domain Name System (DNS).

3.2 Configuring DNS
This section describes how to use the domain name to communicate with other devices.

3.3 Maintaining DNS
This section describes how to clear DNS entries and debug DNS.

3.4 Configuration Examples
This section provides a configuration example of DNS.


3.1 DNS Overview

This section describes the basic principle and concepts of Domain Name System (DNS).

3.1.1 Introduction to DNS

3.1.2 DNS Supported by the NE5000E

3.1.1 Introduction to DNS

The Domain Name System (DNS) is a host naming mechanism provided by TCP/IP, with which hosts can be named in the form of character string. This system assumes a hierarchical naming structure. It designates a meaningful name for the device in the Internet and associates the name with the IP address through a domain name resolution server. In this manner, you can use domain names that are easy to remember instead of memorizing complex IP addresses.

3.1.2 DNS Supported by the NE5000E

DNS has two resolution modes: dynamic DNS resolution and static DNS resolution. To resolve a domain name, the system first uses static DNS resolution. If this mode fails, the system uses dynamic DNS resolution. To improve resolution efficiency, you can put common domain names in a static domain name resolution table.

The NE5000E supports static resolution and dynamic resolution.

3.2 Configuring DNS

This section describes how to use the domain name to communicate with other devices.

3.2.1 Establishing the Configuration Task

3.2.2 Configuring Static DNS Entries

3.2.3 Configuring Dynamic DNS

3.2.4 Checking the Configuration

3.2.1 Establishing the Configuration Task

Applicable Environment

If local users accessing devices need to communicate with other devices by using domain names, you can configure DNS on the device. A DNS entry is a mapping between a domain name and an IP address.

If local users seldom use domain names to communicate with other devices or if the DNS server is unavailable, configure static DNS. Prior to configuring static DNS, you must know the mapping between the domain name and the IP address. In case of a change in the mapping, you must modify the DNS entry manually.


You can configure dynamic DNS on the device if local users frequently use domain names for communicating with other devices and the DNS server is available.

Pre-configuration Tasks

Before configuring DNS, complete the following tasks:

• Configuring physical attributes of the interface and ensuring that the physical layer status of the interface is Up

• Configuring parameters of the link layer protocol of the interface and ensuring that the link layer protocol status of the interface is Up

• Configuring routes between the local device and the DNS server

• Configuring the DNS server

Data Preparation

To configure DNS, you need the following data.

No. Data

1 Domain name and the corresponding IP address in a static DNS entry

2 IP address of a DNS server

3 Domain name or the domain name list of a dynamic DNS entry

3.2.2 Configuring Static DNS Entries

Context

You can configure a maximum of 50 static DNS entries.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip host host-name ip-address

The IP address corresponding to the host name is configured.

A host name corresponds to only one IP address. If you configure an IP address for the same host name several times, only the most recently configured IP address is valid. To resolve several host names, repeat Step 2.

----End


3.2.3 Configuring Dynamic DNS

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dns resolve

Dynamic domain name resolution is enabled.

Step 3 Run: dns server ip-address

A DNS server is specified.

Step 4 (Optional) Run: dns server source-ip source-ip-address

The IP address of the local device is specified.

The local device uses the specified IP address to communicate with the DNS server, which ensures communication security.

Step 5 Run: dns domain domain-name

The suffix of the domain name is added.

----End

Postrequisite

The system supports the configuration of a maximum of 6 domain name servers, 1 source address, and 10 domain name suffixes.

To configure more than one domain name server, repeat Step 3.

To configure more than one domain name suffix, repeat Step 5.
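The limits and rules stated in 3.2.2 and 3.2.3 can be checked against a command list before it is applied to the router. The following Python sketch is an added example, not Huawei code: the function name, rule labels, and the second (constructed) command list are assumptions, and the first sample is the DNS part of Router A's configuration file from this chapter.

```python
import ipaddress

# Limits stated in this chapter: 50 static entries, 6 servers, 1 source address, 10 suffixes.
LIMITS = {"ip host": 50, "dns server": 6, "dns server source-ip": 1, "dns domain": 10}


def audit_dns(config_text):
    """Return a list of (rule, message) findings for the DNS lines in config_text."""
    hosts = {}                       # host name -> address; the latest command wins
    servers, sources, suffixes = [], [], []
    resolve_enabled = False
    findings = []

    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["ip", "host"] and len(words) == 4:
            name, addr = words[2], words[3]
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                findings.append(("bad-address", f"ip host {name}: '{addr}' is not an IPv4 address"))
                continue
            if name in hosts and hosts[name] != addr:
                # Only the most recently configured address stays valid.
                findings.append(("superseded", f"{name}: {hosts[name]} is replaced by {addr}"))
            hosts[name] = addr
        elif words[:3] == ["dns", "server", "source-ip"] and len(words) == 4:
            sources.append(words[3])
        elif words[:2] == ["dns", "server"] and len(words) == 3:
            servers.append(words[2])
        elif words[:2] == ["dns", "domain"] and len(words) == 3:
            suffixes.append(words[2])
        elif words == ["dns", "resolve"]:
            resolve_enabled = True

    counts = {
        "ip host": len(hosts),
        "dns server": len(set(servers)),
        "dns server source-ip": len(set(sources)),
        "dns domain": len(set(suffixes)),
    }
    for kind, count in counts.items():
        if count > LIMITS[kind]:
            findings.append(("over-limit", f"{count} '{kind}' entries, maximum is {LIMITS[kind]}"))
    if servers and not resolve_enabled:
        findings.append(("resolve-disabled", "dns server is set but 'dns resolve' is missing"))
    if servers and not sources:
        findings.append(("no-source-ip", "optional 'dns server source-ip' (Step 4) is not configured"))
    return findings


# DNS-related part of Router A's configuration file, as printed in this chapter.
ROUTER_A_CONFIG = """
#
 sysname RouterA
#
 ip host RouterB 4.1.1.1
 ip host RouterC 4.1.1.2
#
 dns resolve
 dns server 3.1.1.2
 dns domain net
 dns domain com
#
"""

# Constructed change script: a repeated host name, seven servers, no 'dns resolve'.
CHANGE_SCRIPT = "\n".join(
    ["ip host hw 10.1.1.1", "ip host hw 10.1.1.2", "dns server source-ip 10.1.1.9"]
    + [f"dns server 172.16.1.{n}" for n in range(1, 8)]
)

if __name__ == "__main__":
    for label, text in (("Router A", ROUTER_A_CONFIG), ("change script", CHANGE_SCRIPT)):
        for rule, message in audit_dns(text):
            print(f"{label}: [{rule}] {message}")
```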

3.2.4 Checking the Configuration

Prerequisite

The configurations of the DNS function are complete.

Procedure

• Run the display ip host command to check the information about the static DNS entry table.

• Run the display dns server command to check the configurations about DNS servers.

• Run the display dns domain command to check the configurations about domain name suffixes.

• Run the display dns dynamic-host command to check the information about dynamic DNS entries in the domain name cache.

----End

Example

Run the display ip host command. If static DNS entries, including the mappings between host names and IP addresses, are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display ip host
Host      Age   Flags    Address
hw        0     static   10.1.1.1
gww       0     static   192.168.1.1

Run the display dns server command. If IP addresses of all domain servers are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display dns server
IPv4 Dns Servers :
Domain-server    IpAddress
1                172.16.1.1
2                172.16.1.2

IPv6 Dns Servers :
No configured servers.

Run the display dns domain command. If the list of suffixes of domain names is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display dns domain
No    Domain-name
1     com
2     net

Run the display dns dynamic-host command. If information about the dynamic domain name cache is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display dns dynamic-host
No    Domain-name          IpAddress    TTL     Alias
1     www.huawei.com       91.1.1.1     3521
2     www.huawei.com.cn    87.1.1.1     3000

3.3 Maintaining DNS

This section describes how to clear DNS entries and debug DNS.

3.3.1 Clearing DNS Entries

3.3.2 Monitoring Network Operation Status of DNS

3.3.3 Debugging DNS


3.3.1 Clearing DNS Entries

Context

CAUTION

DNS entries cannot be restored after being cleared. So, confirm the action before you use this command.

Procedure

Step 1 Run the reset dns dynamic-host command in the user view to clear dynamic DNS entries statistics in the domain name cache.

----End

3.3.2 Monitoring Network Operation Status of DNS

Context

In routine maintenance, you can run the following commands in any view to check the operation of DNS.

Procedure

• Run the display ip host command to check the information about the static DNS entry table.

• Run the display dns server command to check configurations about DNS servers.

• Run the display dns domain command to check configurations about domain name suffixes.

• Run the display dns dynamic-host command to check the information about dynamic DNS entries in the domain name cache.

----End

3.3.3 Debugging DNS

Context

CAUTION

Debugging affects the performance of the system. So after debugging, run the undo debugging all command to disable it immediately.

Run the following debugging command in the user view to debug DNS and locate the fault.

For more information, refer to the chapter "Information Center Configuration" in the HUAWEI NetEngine5000E Core Router Configuration Guide - System Management. For descriptions about the debugging commands, refer to the HUAWEI NetEngine5000E Core Router Debugging Reference.

Procedure

Step 1 Run the debugging dns command in the user view to debug dynamic DNS.

----End

3.4 Configuration Examples

This section provides a configuration example of DNS.

3.4.1 Example for Configuring DNS

3.4.1 Example for Configuring DNS

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 3-1, Router A acts as a DNS client, being required to access the host 2.1.1.3/16 by using the domain name huawei.com. You need to configure domain name suffixes "com" and "net".

On Router A, configure static DNS entries of Router B and Router C so that Router A can communicate with them by using domain names.

Figure 3-1 Networking diagram of DNS

[Figure labels: Router A (DNS client): GE1/0/0 1.1.1.2/16. Router B: GE1/0/1 1.1.1.1/16, GE1/0/0 2.1.1.1/16, Loopback0 4.1.1.1/32. Router C: GE1/0/0 2.1.1.2/16, GE1/0/1 3.1.1.1/16, Loopback0 4.1.1.2/32. Host huawei.com: 2.1.1.3/16. DNS server: 3.1.1.2/16.]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure static DNS entries.
2. Enable DNS resolution.
3. Configure an IP address for the DNS server.
4. Configure suffixes of domain names.

Data Preparation

To complete the configuration, you need the following data:

• Domain names of Router B and Router C

• IP address of the DNS server

• Suffixes of domain names

Procedure

Step 1 Configure Router A.

# Configure static DNS entries.

<RouterA> system-view
[RouterA] ip host RouterB 4.1.1.1
[RouterA] ip host RouterC 4.1.1.2

# Enable DNS resolution.

[RouterA] dns resolve

# Configure an IP address for the DNS server.

[RouterA] dns server 3.1.1.2

# Configure a domain name suffix "net".

[RouterA] dns domain net

# Configure a domain name suffix "com".

[RouterA] dns domain com
[RouterA] quit

NOTE

To complete DNS resolution, configuring routes from Router A to the DNS server is mandatory. For procedures for configuring routes, refer to the NE5000E Core Router Configuration Guide - IP Routing.

Step 2 Verify the configuration.

# Run the ping huawei.com command on Router A to ping the IP address 2.1.1.3. The ping succeeds.

<RouterA> ping huawei.com
 Trying DNS server (3.1.1.2)
  PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
    Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
    Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms
  --- huawei.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/4/6 ms

# Run the display ip host command on Router A to view static DNS entries, including mappings between host names and IP addresses.

<RouterA> display ip host
Host       Age   Flags    Address
RouterB    0     static   4.1.1.1
RouterC    0     static   4.1.1.2

# Run the display dns dynamic-host command on Router A to view dynamic DNS entries in the domain name cache.

<RouterA> display dns dynamic-host
No    Domain-name    IpAddress    TTL     Alias
1     huawei.com     2.1.1.3      3579

NOTE

The TTL value in the above display indicates the lifetime of an entry. It is in seconds.

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
 ip host RouterB 4.1.1.1
 ip host RouterC 4.1.1.2
#
 dns resolve
 dns server 3.1.1.2
 dns domain net
 dns domain com
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.0.0
#
rip 1
 network 1.0.0.0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.1.1.1 255.255.0.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
interface LoopBack0
 ip address 4.1.1.1 255.255.255.255
#
rip 1
 network 2.0.0.0
 network 1.0.0.0
 network 4.0.0.0
#
return

• Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.1.1.2 255.255.0.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 3.1.1.1 255.255.0.0
#
interface LoopBack0
 ip address 4.1.1.2 255.255.255.255
#
rip 1
 network 2.0.0.0
 network 3.0.0.0
 network 4.0.0.0
#
return


4 DHCP Configuration

About This Chapter

This chapter describes the DHCP fundamentals including DHCP service, DHCP server, and relay agent. It also includes configuration steps for DHCP Server based on different parameters, DHCP relay agent, and security functions in DHCP service, along with typical examples.

4.1 DHCP Overview
This section describes the principle and concepts of Dynamic Host Configuration Protocol (DHCP).

4.2 Configuring the Global Address Pool-based DHCP Server
If a large number of clients need to be assigned with IP addresses, a global address pool-based DHCP server is usually configured on the network segment where the clients reside. Configuring a relay agent on the same network segment to forward packets between the clients and DHCP servers is an alternative method of configuring a global address pool-based DHCP server. In this manner, the communications between the clients and DHCP servers on other network segments can be realized. This saves bandwidth and facilitates the centralized management of IP addresses by the DHCP server.

4.3 Configuring the Interface Address Pool-based DHCP Server
If a few clients need to be assigned with IP addresses, an interface address pool-based DHCP server is usually configured on the network segment where the clients reside.

4.4 Configuring the Sub-interface Address Pool-based DHCP Server
This section describes how to assign IP addresses by using address pools on Ethernet sub-interfaces to reduce repeated configurations.

4.5 Configuring the Security Function for DHCP
This section describes how to enhance the security of the DHCP service.

4.6 Configuring DHCP Relay
This section describes how to enable DHCP relay so that DHCP relay can forward DHCP requests from local clients to the DHCP server on other networks.

4.7 Maintaining DHCP
This section describes how to clear the statistics about DHCP and debug DHCP.

4.8 Configuration Examples
This section provides several configuration examples of the DHCP server and DHCP relay.

4.1 DHCP Overview

This section describes the principle and concepts of Dynamic Host Configuration Protocol (DHCP).

4.1.1 Introduction to DHCP

4.1.2 DHCP Supported by the NE5000E

4.1.1 Introduction to DHCP

With the rapid growth in network scale and complexity, network configuration becomes more difficult. The location of hosts changes (such as laptops and wireless network) and the number of hosts has exceeded that of the available IP addresses. The Dynamic Host Configuration Protocol (DHCP) is developed to solve these problems.

4.1.2 DHCP Supported by the NE5000E

The NE5000E supports the following DHCP applications, ensures the security of DHCP services, and provides the DHCP relay agent function.

• Global address pool

• Address pool on the physical interface

NOTE

The NE5000E supports the configuration of the DHCP address pools containing the IP addresses with 31-bit masks. This configuration, however, is not recommended because the IP addresses with 31-bit masks currently cannot be assigned to users.

4.2 Configuring the Global Address Pool-based DHCP Server

If a large number of clients need to be assigned with IP addresses, a global address pool-based DHCP server is usually configured on the network segment where the clients reside. Configuring a relay agent on the same network segment to forward packets between the clients and DHCP servers is an alternative method of configuring a global address pool-based DHCP server. In this manner, the communications between the clients and DHCP servers on other network segments can be realized. This saves bandwidth and facilitates the centralized management of IP addresses by the DHCP server.

4.2.1 Establishing the Configuration Task

4.2.2 Configuring the DHCP Global Address Pool

4.2.3 Configure Static IP Address Binding

4.2.4 Configuring DNS Services for the DHCP Client

4.2.5 Configuring NetBIOS Services for the DHCP Client

4.2.6 Configuring Egress Gateway for the DHCP Client


4.2.7 Configuring DHCP Self-Defined Options

4.2.8 Assigning IP Addresses in the Global Address Pool to the DHCP Clients on the Specified Interface

4.2.9 Checking the Configuration

4.2.1 Establishing the Configuration Task

Applicable Environment

In a large network, hosts in the network may not be directly connected with the device through Ethernet interfaces. To obtain IP addresses from the device dynamically, you need to configure a global address pool-based DHCP server.

The global address pool-based DHCP server usually works together with the DHCP relay agent.

Pre-configuration Tasks

Before configuring the global address pool-based DHCP server, complete the following tasks:

• Configuring the interface of the device

• Configuring the egress gateway for the client

• (Optional) Configuring the DNS server

• (Optional) Configuring the NetBIOS server

• Configuring the routes to the DNS server and the NetBIOS server (if the DNS server and the NetBIOS server are not configured, you do not need to configure the routes)

• (Optional) Configuring the DHCP customized option

Data Preparation

To configure the global address pool-based DHCP server, you need the following data.

No.  Data

1    Name and the address range of the address pool, which is configured based on the number of clients

2    Range of the IP addresses that cannot be dynamically assigned to hosts

3    IP addresses and the MAC addresses that need to be bound statically

4    Lease of the IP address

5    (Optional) IP address of the DNS server and the domain name of the DHCP client

6    (Optional) IP address of the NetBIOS server and the NetBIOS node type of the DHCP client

7    (Optional) Coding of the DHCP self-defined options and the corresponding ASCII strings or hexadecimal number or IP address


4.2.2 Configuring the DHCP Global Address Pool

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp enable

DHCP is enabled.

Step 3 Run: dhcp server ip-pool pool-name

A DHCP address pool is created and the DHCP address pool view is displayed.

NOTE

Each DHCP server can be configured with a maximum of 128 global address pools.

Step 4 Run: network ip-address [ mask { mask | mask-length } ]

The address pool range is configured.

NOTE

Currently, an address pool can be configured with only one address segment and the address range is set through the mask.

NE5000E supports the configuration of the DHCP address pools containing the IP addresses with 31-bit masks. This configuration, however, is not recommended because the IP addresses with 31-bit masks currently cannot be assigned to users.

Step 5 Run: expired { day day [ hour hour [ minute minute ] ] | unlimited }

The lease of the IP addresses dynamically assigned to hosts is configured. By default, the IP lease is one day.

NOTE

The DHCP server can specify the IP lease for each address pool. The IP lease may vary with address pools. The addresses in the same DHCP address pool, however, have the same IP lease.

Step 6 Run: quit

Return to the system view.

Step 7 Run: dhcp server forbidden-ip start-ip-address [ end-ip-address ]

The range of IP addresses that cannot be dynamically assigned is configured.

NOTE

After repeatedly running the dhcp server forbidden-ip command, you can configure multiple IP address segments that cannot be automatically assigned. When using the undo dhcp server forbidden-ip command to delete the setting, ensure that the specified parameters are consistent with the previously configured parameters. That is, you cannot delete only partial originally configured addresses.

----End
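How many addresses a pool can actually hand out depends on the network mask and on every forbidden-ip range configured in Step 7. The following Python model is an added example, not Huawei code: it assumes the first and last address of the segment are never assigned, and the pool 202.38.160.0 with mask 255.255.255.128 and the excluded range 202.38.160.2 to 202.38.160.3 are constructed values chosen so the result has the same form as the display dhcp server free-ip output shown in this chapter.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


class ForbiddenTable:
    """Model of the ranges built up by repeated `dhcp server forbidden-ip` commands."""

    def __init__(self):
        self.ranges = []                 # (start, end) exactly as configured

    def add(self, start, end=None):
        end = end or start
        if _to_int(start) > _to_int(end):
            raise ValueError("start-ip-address is higher than end-ip-address")
        if (start, end) not in self.ranges:
            self.ranges.append((start, end))

    def undo(self, start, end=None):
        # The NOTE above: the parameters must match the configured ones,
        # so part of a range cannot be deleted on its own.
        end = end or start
        if (start, end) not in self.ranges:
            raise ValueError("undo must repeat the configured range exactly")
        self.ranges.remove((start, end))


def assignable_ranges(network, mask, forbidden):
    """Return [(first, last), ...] that remain for dynamic assignment.

    network/mask mirror `network ip-address mask { mask | mask-length }`.
    """
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    first = int(net.network_address) + 1       # assumption: segment address unused
    last = int(net.broadcast_address) - 1      # assumption: broadcast address unused
    if first > last:
        return []                              # 31-bit (and 32-bit) masks leave nothing

    blocked = []
    for start, end in forbidden:
        lo, hi = max(_to_int(start), first), min(_to_int(end), last)
        if lo <= hi:                           # ignore ranges outside this pool
            blocked.append((lo, hi))
    blocked.sort()

    free, cursor = [], first
    for lo, hi in blocked:                     # sweep, tolerating overlapping ranges
        if lo > cursor:
            free.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= last:
        free.append((cursor, last))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b))) for a, b in free]


def assignable_count(network, mask, forbidden):
    return sum(_to_int(b) - _to_int(a) + 1
               for a, b in assignable_ranges(network, mask, forbidden))


if __name__ == "__main__":
    table = ForbiddenTable()
    table.add("202.38.160.2", "202.38.160.3")          # constructed exclusion
    for a, b in assignable_ranges("202.38.160.0", "255.255.255.128", table.ranges):
        print(f"IP Range from {a} to {b}")
    print("31-bit mask pool:", assignable_ranges("10.0.0.0", 31, []))
```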

4.2.3 Configure Static IP Address Binding

Context

Based on the clients' needs, you can adopt either static address binding or dynamic address assignment. However, you cannot configure the same DHCP address pool with these two modes at the same time.

Dynamic address assignment requires you to specify the address range for assignment, while static address binding can be regarded as a special DHCP address pool with only one address.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp server ip-pool pool-name

A DHCP address pool is created and the DHCP address pool view is displayed.

Step 3 Run: static-bind ip-address ip-address [ mask { mask | mask-length } ]

Certain IP addresses are statically bound.

NOTE

The NE5000E supports statically bound address pools that use IP addresses with 31-bit masks. This configuration, however, is not recommended because the IP addresses with 31-bit masks currently cannot be assigned to users.

Step 4 Run: static-bind mac-address mac-address

MAC addresses of certain clients are statically bound.

----End

Postrequisite

Some clients may need fixed IP addresses that are bound with their MAC addresses. When the client with a specific MAC address uses DHCP to apply for an IP address, the DHCP server finds the fixed IP address bound with the MAC address and assigns it to the client.

NOTE

The static-bind ip-address command must be used together with the static-bind mac-address command. If you use the two commands several times, the new configuration supersedes the previous one.

4.2.4 Configuring DNS Services for the DHCP Client

Context

The configuration is optional.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp server ip-pool pool-name

The DHCP address pool view is displayed.

Step 3 Run: domain-name domain-name

The domain name of the DHCP client is configured.

Step 4 Run: dns-list ip-address &<1-8>

The IP address of the DNS server of the DHCP client is configured.

----End

Postrequisite

On the DHCP server, designate a domain name for the client on a per-address-pool basis.

When a host accesses the Internet by using the domain name, the DNS server resolves the domain name into an IP address. Therefore, to ensure that the client can successfully access the Internet, the DHCP server also needs to specify the DNS server address for the client when it assigns IP addresses.

To perform load balancing and improve the network reliability, you can configure several DNS servers and egress gateways.

4.2.5 Configuring NetBIOS Services for the DHCP Client

Context

The configuration is optional.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp server ip-pool pool-name

The DHCP address pool view is displayed.

Step 3 Run: nbns-list ip-address &<1-8>

The IP address of the NetBIOS server of the DHCP client is configured.

Step 4 Run: netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type of the DHCP client is configured.

By default, the node type of the DHCP client is not specified.

----End

Postrequisite

For clients running a Microsoft operating system, the Windows Internet Naming Service (WINS) server resolves host names to IP addresses for hosts that use the NetBIOS protocol for communication. Most Windows clients need to be configured with WINS.

When a DHCP client communicates in a WAN by adopting the NetBIOS protocol, a mapping between the host name and the IP address should be set up. The following lists the types of NetBIOS nodes for obtaining mappings:

• Type b nodes (b-node): "b" stands for broadcast; that is, type b nodes obtain the mapping relation by means of broadcast.

• Type p nodes (p-node): "p" stands for peer-to-peer; that is, type p nodes obtain the mapping relation by communicating with NetBIOS servers.

• Type m nodes (m-node): "m" stands for mixed. Type m nodes are type p nodes that have part of the broadcast features.

• Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes that have the peer-to-peer communication mechanism.

4.2.6 Configuring Egress Gateway for the DHCP Client

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp server ip-pool pool-name

The DHCP address pool view is displayed.

Step 3 Run: gateway-list ip-address &<1-8>

The egress gateway of the DHCP client is configured.

When a DHCP client wants to access a server (or host) that is not on the local network, an egress gateway needs to be configured on the local network.

To perform load balancing and improve the network reliability, you can configure several DNS servers and egress gateways.

----End

4.2.7 Configuring DHCP Self-Defined Options

Context

NOTE

Configuring DHCP self-defined options is optional. Services such as DNS on the client, NetBIOS, and IP lease cannot be configured through this command; configure them through the commands described earlier.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: dhcp server ip-pool pool-name

The DHCP address pool view is displayed.

Step 3 Run: option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }

The DHCP self-defined options are configured.

----End

Postrequisite

The Option field in DHCP packets carries the control information and parameters that are not defined in some common protocols. If the DHCP server is configured with Option, the DHCP client gets the configuration information saved in the Option field of DHCP response packets.

You need to add the options to the attribute tables of the DHCP servers. For example,

• To configure the IP address of a log server to 10.110.204.1, use the command option 7 ip-address 10.110.204.1.

• To configure the TTL of the client packet to 64, use the command option 23 hex 40.

NOTE

Using the option command, you can specify the options to be included in the DHCP response packets.

Before using this command, you need to know the function of each option: Option 77 identifies user types or applications of DHCP client. Based on User Class in the Option field, the DHCP server selects the proper address pool and configuration parameters. Option 77 is usually configured on the client.
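On the wire, each entry in the Option field is a code byte, a length byte, and the value (RFC 2132), so a self-defined option can be checked byte for byte before it reaches clients. The following Python sketch is an added example, not Huawei code: the function names are hypothetical, the 1-254 code range is this example's rule (0 and 255 are the RFC 2132 pad and end markers), and the commands are the two from the list above plus the option 58 and option 59 lines that appear in this chapter's display dhcp server tree output.

```python
import ipaddress

PAD, END = 0, 255        # RFC 2132: single-byte options that carry no length field


def encode_option(command):
    """Encode 'option code { ascii s | hex h | ip-address a ... }' as code/length/value."""
    words = command.split()
    if len(words) < 4 or words[0] != "option":
        raise ValueError(f"not an option command: {command!r}")
    code, kind, args = int(words[1]), words[2], words[3:]
    if not PAD < code < END:
        raise ValueError("option code must be 1-254 in this example")
    if kind == "ascii":
        value = command.split(None, 3)[3].encode("ascii")
    elif kind == "hex":
        value = bytes.fromhex("".join(args))       # accepts '40' and '00 00 A8 C0'
    elif kind == "ip-address":
        if len(args) > 8:                          # the command takes &<1-8> addresses
            raise ValueError("at most 8 IP addresses per option")
        value = b"".join(ipaddress.IPv4Address(a).packed for a in args)
    else:
        raise ValueError(f"unknown value type: {kind}")
    if len(value) > 255:
        raise ValueError("value does not fit the one-byte length field")
    return bytes([code, len(value)]) + value


def build_field(commands):
    """Concatenate encoded options and terminate the field with the end marker."""
    return b"".join(encode_option(c) for c in commands) + bytes([END])


def decode_options(data):
    """Parse an Option field into [(code, value_bytes), ...], rejecting truncation."""
    options, i = [], 0
    while i < len(data):
        code = data[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options.append((code, value))
        i += 2 + length
    return options


def as_uint(value):
    """Interpret a value as an unsigned big-endian integer (network byte order)."""
    return int.from_bytes(value, "big")


PAGE_COMMANDS = [
    "option 7 ip-address 10.110.204.1",   # log server, from the list above
    "option 23 hex 40",                   # default TTL 64, from the list above
    "option 58 hex 00 00 A8 C0",          # from the display dhcp server tree output
    "option 59 hex 00 00 00 3C",          # from the display dhcp server tree output
]

if __name__ == "__main__":
    for code, value in decode_options(build_field(PAGE_COMMANDS)):
        print(f"option {code:3d} len {len(value)} value {value.hex()} uint {as_uint(value)}")
```

Decoding the option 58 value gives 43200 seconds, which is half of the default one-day lease.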

4.2.8 Assigning IP Addresses in the Global Address Pool to the DHCP Clients on the Specified Interface

Context

Do as follows on the router:

Procedure

• Assigning IP addresses to the clients on the current interface

  1. Run: system-view

     The system view is displayed.

  2. Perform the following as required.

     – Run: interface interface-type interface-number

       The interface view is displayed.

     – Run: interface gigabitethernet interface-number.sub-interface-number

       The sub-interface view is displayed.

  3. Run: dhcp select global

     The IP addresses in the global address pool are assigned.

     NOTE

     For the DHCP implementation on the NE5000E, the address pool specified for the Ethernet sub-interface is applied to allocating IP addresses for users in the VLAN.

• Assigning IP addresses to the clients on multiple interfaces

  1. Run: system-view

     The system view is displayed.

  2. Perform the following as required to specify a global address pool:

     – Run: dhcp select global interface interface-type interface-number

       The global address pool is specified for an interface.

     – Run: dhcp select global interface gigabitethernet interface-number.sub-interface-number1 [ to gigabitethernet interface-number.sub-interface-number2 ]

       The global address pool is specified for multiple Ethernet sub-interfaces.

       NOTE

       If multiple Ethernet sub-interfaces are specified, all sub-interfaces must be on the same physical interface.

     – Run: dhcp select global all

       The global address pool is specified for all interfaces.

       This command is used to specify a global address pool for all the GE interfaces and GE sub-interfaces that are configured with IP addresses.

----End

4.2.9 Checking the Configuration

Prerequisite

The configurations of the global address pool-based DHCP server are complete.

Procedure

• Run the display dhcp server free-ip command to check the available address information in the DHCP address pool.

• Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command to check the expired lease in the DHCP address pool.

• Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command to check the address binding information.

• Run the display dhcp server statistics command to check the statistics of DHCP server.

• Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] } command to check the information on the tree-structure of the DHCP address pool.

----End

Example

Run the display dhcp server free-ip command. If there are unused IP addresses in the address pool, it means that the configuration succeeds.

<HUAWEI> display dhcp server free-ip
IP Range from 5.5.5.1 to 5.5.5.254
IP Range from 202.38.160.1 to 202.38.160.1
IP Range from 202.38.160.4 to 202.38.160.126

Run the display dhcp server expired command. If information about the expired leases of IP addresses in DHCP address pools is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server expired all
Global pool:
 IP address       Hardware address    Lease expiration    Type
 2.2.2.2          44444-4444-4444     NOT Used            Manual
Interface pool:
 IP address       Hardware address    Lease expiration    Type

Run the display dhcp server ip-in-use command. If the binding information of IP address, such as the hardware address and the IP lease, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server ip-in-use all
Global pool:
 IP address       Hardware address    Lease expiration           Type
 2.2.2.2          4444-4444-4444      NOT Used                   Manual
Interface pool:
 IP address       Hardware address    Lease expiration           Type
 5.5.5.1          0050-ba28-930a      Jul 5 2006 13: 00:10 PM    Auto:COMMITED

Run the display dhcp server statistics command. If statistics of the DHCP server, includingthe number of DHCP address pools, the number of the automatic binding, the manual bindingand the expired binding and the number of DHCP packets is displayed, it means that theconfiguration succeeds.

<HUAWEI> display dhcp server statistics Global Pool:Pool Number: 5 BindingAuto: 0Manual: 1Expire: 0 Interface Pool: Pool Number: 1 Binding Auto: 1 Manual: 0 Expire: 0 Boot Request: 6 Dhcp Discover: 1 Dhcp Request: 4 Dhcp Decline: 0 Dhcp Release: 1 Dhcp Inform: 0 Boot Reply: 4 Dhcp Offer: 1 Dhcp Ack: 3 Dhcp Nak: 0 Bad Messages: 0 HA Message: BatchBackup send msg: 0 BatchBackup recv msg: 0 BatchBackup send lease: 0 BatchBackup recv lease: 0

Run the display dhcp server tree command. If the tree structure of the DHCP address pool,including DNS, the IP lease and Option parameters, is displayed, it means that the configurationsucceeds.

<HUAWEI> display dhcp server tree allGlobal pool: Pool name: 5 network 10.10.1.0 255.255.255.0 Child node:6 Sibling node:7 option 1 ip-address 255.0.0.0 expired 1 0 0 option 58 hex 00 00 A8 C0 option 59 hex 00 00 00 3C Pool name: 6 host 10.10.1.2 255.0.0.0 hardware-address 1111.2222.3333 gigabitethernetParent node:5 option 1 ip-address 255.255.0.0

4 DHCP ConfigurationHUAWEI NetEngine5000E Core Router

Configuration Guide - IP Services

4-12 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 02 (2009-12-10)

Page 113: Configuration Guide - IP Services(V300R007C00 02)[1]

expired 1 0 0 option 58 hex 00 00 A8 C0 option 59 hex 00 00 00 3C Interface pool: Pool name: GigabitEthernet11/2/0 network 5.5.5.0 mask 255.255.255.0 option 1 ip-address 255.255.255.0 gateway-list 5.5.5.5 expired 1 0 0 option 58 hex 00 00 A8 C0 option 59 hex 00 00 00 3C

4.3 Configuring the Interface Address Pool-based DHCP Server

If only a few clients need to be assigned IP addresses, an interface address pool-based DHCP server is usually configured on the network segment where the clients reside.

4.3.1 Establishing the Configuration Task

4.3.2 Configuring the Interface Address Pool

4.3.3 Configuring DNS on the Interface Address Pool

4.3.4 Configuring NetBIOS on the Interface Address Pool

4.3.5 Configuring DHCP Self-Defined Options

4.3.6 Checking the Configuration

4.3.1 Establishing the Configuration Task

Applicable Environment

In a small network, some hosts are connected to a device through the Ethernet interface. You can configure the DHCP server on the Ethernet interface of the device. This enables the hosts to obtain IP addresses from the router dynamically.

For the interface address pool-based DHCP server, neither a single address pool nor an egress gateway needs to be configured. After you configure an IP address on the Ethernet interface of the device, all the addresses of the network segment that this IP address is on are assignable, and this IP address is also the address of the egress gateway of this network segment.

Pre-configuration Tasks

Before configuring the interface address pool-based DHCP server, complete the following tasks:

• Configuring the Ethernet interface of the device

• (Optional) Configuring the DNS server

• (Optional) Configuring the NetBIOS server

• (If the DNS server and the NetBIOS server are not configured, you do not need to configure the routes.) Configuring the routes to the DNS server and the NetBIOS server

• (Optional) Configuring the DHCP customized option


Data Preparation

To configure the interface address pool-based DHCP server, you need the following data.

No.  Data
1    Number, IP address and the subnet mask of the Ethernet interface of the device
2    IP addresses and the MAC addresses that need to be bound statically
3    Lease of the IP address (It can be some days, hours, or minutes)
4    (Optional) IP address of the DNS server and the domain name of the DHCP client
5    (Optional) IP address of the NetBIOS server and the NetBIOS node type of the DHCP client
6    (Optional) Coding of the DHCP self-defined options and the corresponding ASCII strings or hexadecimal number or IP address

4.3.2 Configuring the Interface Address Pool

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled.

Step 3 Run:
interface interface-type interface-number

The Ethernet interface view is displayed.

Step 4 Run:
ip address ip-address { mask | mask-length }

The IP address of the interface is configured.

The address pool on an interface actually is the network segment to which the interface belongs, and such an interface address pool takes effect only on this interface.


NOTE

You can configure address pools on GE interfaces, GE sub-interfaces, and Eth-Trunk interfaces. The NE5000E allows the address pools on these interfaces to be assigned IP addresses with 31-bit masks. This configuration, however, is not recommended because IP addresses with 31-bit masks currently cannot be assigned to users.

Step 5 Run:
dhcp select interface

The interface address pool is enabled.

Step 6 Run:
dhcp server static-bind ip-address ip-address mac-address mac-address

Certain IP addresses and MAC addresses are bound with the address pool.

Step 7 Perform the following as required.

• To configure the IP lease, run:
  dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }

  By default, the IP lease is one day.

• To configure the IP lease of an interface, run the quit command to return to the system view. Then run:
  dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } interface interface-type interface-number

  The lease of the IP address of an interface is configured. By default, the IP lease is one day.

----End

Postrequisite

The interface address pool has a higher priority than the global address pool. If an address pool is configured on an interface, clients obtain IP addresses preferentially from the interface address pool even though a global address pool is configured.

Similarly, although a global address pool and the IP lease have been configured on a device and clients have obtained IP addresses from the global address pool, the leases of IP addresses in the global address pool are deleted once the interfaces connecting the device to the clients are configured with address pools in the same network segment as the global address pool. Then, after the leases of the IP addresses obtained from the global address pool expire, the clients obtain IP addresses preferentially from the interface address pool.

4.3.3 Configuring DNS on the Interface Address Pool

Context

The configuration is optional.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp server domain-name domain-name

The domain name of the DHCP client is configured.

Step 4 Run:
dhcp server dns-list ip-address &<1-8>

The IP address of the DNS server is specified for the DHCP client.

----End

4.3.4 Configuring NetBIOS on the Interface Address Pool

Context

The configuration is optional.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp server nbns-list ip-address &<1-8>

The IP address of the NetBIOS server is specified for the DHCP client.

Step 4 Run:
dhcp server netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type of the DHCP client is configured.

By default, the NetBIOS node type is not specified for the DHCP client.

----End


Postrequisite

For clients that run a Microsoft OS, the WINS server resolves host names to IP addresses for hosts that use the NetBIOS protocol to communicate. Therefore, most Windows network clients need to be configured with WINS.

When a DHCP client communicates in a WAN by adopting the NetBIOS protocol, a mapping between the host name and the IP address should be set. The types of NetBIOS nodes for obtaining mappings are as follows:

• Type b nodes (b-node): "b" stands for broadcast; that is, type b nodes obtain the mapping relation by means of broadcast.

• Type p nodes (p-node): "p" stands for peer-to-peer; that is, type p nodes obtain the mapping relation by means of communicating with NetBIOS servers.

• Type m nodes (m-node): "m" stands for mixed. Type m nodes are the type p nodes owning part of the broadcasting features.

• Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes owning the "peer-to-peer" communicating mechanism.

4.3.5 Configuring DHCP Self-Defined Options

Context

NOTE

Configuring DHCP self-defined options is optional. Services, such as DNS on the client, NETBIOS and IP lease cannot be configured through this command but through the related command described above.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }

The DHCP self-defined options are configured.

----End

Postrequisite

The Option field in DHCP packets carries the control information and parameters that are not defined in some common protocols. If the DHCP server is configured with Option, the DHCP client gets the configuration information saved in the Option field of DHCP response packets.

You can add new options to the attribute list of the DHCP server by manual definition. For example,

• To configure the IP address of the log server to 10.110.204.1, run the dhcp server option 7 ip-address 10.110.204.1 command.

• To configure the TTL of the client packet to 64, run the dhcp server option 23 hex 40 command.

4.3.6 Checking the Configuration

Prerequisite

The configurations of the interface address pool-based DHCP server are complete.

Procedure

• Run the display dhcp server free-ip command to check the available address information in the DHCP address pool.

• Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command to check the expired lease in the DHCP address pool.

• Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command to check the address binding information.

• Run the display dhcp server statistics command to check the statistics of DHCP server.

• Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] } command to check the information on the tree-structure of the DHCP address pool.

----End

Example

Run the display dhcp server free-ip command. If there are unused IP addresses in the address pool, it means that the configuration succeeds.

<HUAWEI> display dhcp server free-ip
IP Range from 5.5.5.1 to 5.5.5.254
IP Range from 202.38.160.1 to 202.38.160.1
IP Range from 202.38.160.4 to 202.38.160.126

Run the display dhcp server expired command. If information about the expired leases of IP addresses in DHCP address pools is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server expired all
Global pool:
 IP address       Hardware address    Lease expiration           Type
 2.2.2.2          44444-4444-4444     NOT Used                   Manual
Interface pool:
 IP address       Hardware address    Lease expiration           Type

Run the display dhcp server ip-in-use command. If the binding information of IP address, such as the hardware address and the IP lease, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server ip-in-use all
Global pool:
 IP address       Hardware address    Lease expiration           Type
 2.2.2.2          4444-4444-4444      NOT Used                   Manual
Interface pool:
 IP address       Hardware address    Lease expiration           Type
 5.5.5.1          0050-ba28-930a      Jul 5 2006 13: 00:10 PM    Auto:COMMITED

Run the display dhcp server statistics command. If statistics of the DHCP server, including the number of DHCP address pools, the number of the automatic binding, the manual binding and the expired binding and the number of DHCP packets is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server statistics
 Global Pool:
 Pool Number: 5
 Binding
   Auto: 0
   Manual: 1
   Expire: 0
 Interface Pool:
 Pool Number: 1
 Binding
   Auto: 1
   Manual: 0
   Expire: 0
 Boot Request: 6
   Dhcp Discover: 1
   Dhcp Request: 4
   Dhcp Decline: 0
   Dhcp Release: 1
   Dhcp Inform: 0
 Boot Reply: 4
   Dhcp Offer: 1
   Dhcp Ack: 3
   Dhcp Nak: 0
 Bad Messages: 0
 HA Message:
   BatchBackup send msg: 0
   BatchBackup recv msg: 0
   BatchBackup send lease: 0
   BatchBackup recv lease: 0

Run the display dhcp server tree command. If the tree structure of the DHCP address pool, including DNS, the IP lease and Option parameters, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server tree all
Global pool:
 Pool name: 5
 network 10.10.1.0 255.255.255.0
 Child node:6
 Sibling node:7
 option 1 ip-address 255.0.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

 Pool name: 6
 host 10.10.1.2 255.0.0.0
 hardware-address 1111.2222.3333 gigabitethernet
 Parent node:5
 option 1 ip-address 255.255.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

Interface pool:
 Pool name: GigabitEthernet11/2/0
 network 5.5.5.0 mask 255.255.255.0
 option 1 ip-address 255.255.255.0
 gateway-list 5.5.5.5
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C


4.4 Configuring the Sub-interface Address Pool-based DHCP Server

This section describes how to assign IP addresses by using address pools on Ethernet sub-interfaces to reduce repeated configurations.

4.4.1 Establishing the Configuration Task

4.4.2 Enabling Address Pools on Sub-interfaces

4.4.3 Configuring Address Pools on Ethernet Sub-interfaces

4.4.4 Configuring DNS on Address Pools of Sub-interfaces

4.4.5 Configuring NetBIOS on Address Pools of Sub-interfaces

4.4.6 Configuring the DHCP Self-Defined Options for Address Pools of Sub-interfaces

4.4.7 Checking the Configuration

4.4.1 Establishing the Configuration Task

Applicable Environment

For the interface address pool-based DHCP server, neither a single address pool nor an egress gateway needs to be configured. After you configure an IP address on the Ethernet interface of the device, all the addresses of the network segment that this IP address is on are assignable, and this IP address is also the address of the egress gateway of this network segment.

In the NE5000E, Ethernet sub-interfaces are used only to implement communication between different VLANs. Therefore, to configure a DHCP server that is based on the address pool on the Ethernet sub-interface, encapsulate the sub-interface with 802.1Q first.

Pre-configuration Tasks

Before configuring the sub-interface address pool-based DHCP server, complete the following tasks:

• Configuring the Ethernet sub-interfaces of the device

• (Optional) Configuring the DNS server

• (Optional) Configuring the NetBIOS server

• (If the DNS server and the NetBIOS server are not configured, you do not need to configure the routes.) Configuring the routes to the DNS server and the NetBIOS server

• (Optional) Configuring the DHCP customized option

Data Preparation

To configure the sub-interface address pool-based DHCP server, you need the following data.


No.  Data
1    Number, IP address and the subnet mask of the Ethernet sub-interface of the device
2    IP addresses and the MAC addresses that need to be bound statically
3    Lease of the IP address (It can be some days, hours, or minutes)
4    (Optional) IP address of the DNS server and the domain name of the DHCP client
5    (Optional) IP address of the NetBIOS server and the NetBIOS node type of the DHCP client
6    (Optional) Coding of the DHCP self-defined options and the corresponding ASCII strings or hexadecimal number or IP address

4.4.2 Enabling Address Pools on Sub-interfaces

Context

Do as follows on the DHCP server:

Procedure

• Enabling address pools in the sub-interface view

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number.sub-interface-number

     The Ethernet sub-interface view is displayed.

  3. Run:
     ip address ip-address { mask | mask-length }

     The IP address of the Ethernet sub-interface is configured.

  4. Run:
     dhcp select interface

     The address pool on the sub-interface is enabled to allocate IP addresses to clients.

• Enabling address pools on one sub-interface or multiple sub-interfaces in the system view

  1. Run:
     system-view

     The system view is displayed.

  2. Perform the following as required:

     – Run:
       dhcp select interface interface interface-type interface-number.sub-interface-number

       The address pool on one sub-interface is enabled to allocate IP addresses to clients.

     – Run:
       dhcp select interface interface interface-type interface-number.sub-interface-number1 to interface-type interface-number.sub-interface-number2

       The address pools on multiple sub-interfaces are enabled to allocate IP addresses to clients.

     NOTE

     Before configuring this command, you need to create sub-interfaces and configure IP addresses for them.

     Running this command in the system view is equivalent to configuring the dhcp select interface command in each sub-interface view.

----End

4.4.3 Configuring Address Pools on Ethernet Sub-interfaces

Context

Do as follows on the DHCP server:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled.

Step 3 Run:
interface interface-type interface-number.sub-interface-number

The Ethernet sub-interface view is displayed.

Step 4 Run:
vlan-type vlan-id1

The sub-interface is encapsulated with 802.1Q.

Step 5 Run:
dhcp server static-bind ip-address ip-address mac-address mac-address

Certain IP addresses and MAC addresses are bound with the address pool.

Step 6 The following steps are optional, so perform them as required.

Run:

dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }

The IP lease of the sub-interface is configured. By default, the IP lease is one day.

Or


Run:

quit

Return to the system view.

Run:

dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited } { interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | all }

The leases of the IP addresses of several sub-interfaces are configured. By default, the IP lease is one day.

----End

Postrequisite

The IP address and its mask of the Ethernet sub-interface determine the range of the sub-interface address pool. If you need to configure the address pool for multiple Ethernet sub-interfaces, repeat Steps 3, 4, 5, and 6.

4.4.4 Configuring DNS on Address Pools of Sub-interfaces

Context

The configuration is optional.

Do as follows on the DHCP server:

Procedure

• Configuring DNS on sub-interfaces

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number.sub-interface-number

     The Ethernet sub-interface view is displayed.

  3. Run:
     dhcp server domain-name domain-name

     Domain names are configured for the clients of the sub-interface.

  4. Run:
     dhcp server dns-list ip-address &<1-8>

     The IP address of the DNS server is specified for the clients of the sub-interface.

• Configuring DNS on one or multiple sub-interfaces

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     dhcp server domain-name domain-name { all | interface interface-type interface-number sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }

     The domain name of the DHCP client is configured.

  3. Run:
     dhcp server dns-list ip-address &<1-8> { all | interface interface-type interface-number sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }

     The IP address of the DNS server is specified for the DHCP client.

----End

----End

4.4.5 Configuring NetBIOS on Address Pools of Sub-interfaces

Context

The configuration is optional.

Do as follows on the DHCP server:

Procedure

• Configuring NetBIOS on sub-interfaces

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number.sub-interface-number

     The sub-interface view is displayed.

  3. Run:
     dhcp server nbns-list ip-address &<1-8>

     The IP address of the NetBIOS server is specified for the DHCP clients of the sub-interface.

  4. Run:
     dhcp server netbios-type { b-node | h-node | m-node | p-node }

     The NetBIOS node type is specified for the DHCP clients of the sub-interface.

• Configuring NetBIOS on one or multiple sub-interfaces

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     dhcp server nbns-list ip-address &<1-8> { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }

     The IP address of the NetBIOS server is specified on the DHCP client.

  3. Run:
     dhcp server netbios-type { b-node | h-node | m-node | p-node } { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }

     The NetBIOS node type is specified for the DHCP client.

     By default, the node type of the client is not specified.

----End

Postrequisite

For clients that run a Microsoft OS, the WINS server resolves host names to IP addresses for hosts that use the NetBIOS protocol to communicate. Thus, most Windows network clients need to be configured with WINS.

When a DHCP client communicates in a WAN by adopting the NetBIOS protocol, a mapping between the host name and the IP address should be set up. There are four types of NetBIOS nodes for obtaining mappings:

• Type b nodes (b-node): "b" stands for broadcast; that is, type b nodes obtain the mapping by means of broadcast.

• Type p nodes (p-node): "p" stands for peer-to-peer; that is, type p nodes obtain the mapping relation by means of communicating with NetBIOS servers.

• Type m nodes (m-node): "m" stands for mixed. Type m nodes are the type p nodes owning part of the broadcasting features.

• Type h nodes (h-node): "h" stands for hybrid. Type h nodes are type b nodes owning the "peer-to-peer" communicating mechanism.

4.4.6 Configuring the DHCP Self-Defined Options for Address Pools of Sub-interfaces

Context

NOTE

Configuring DHCP self-defined options is optional. Services, such as DNS on the client, NETBIOS and IP lease cannot be configured through this command but through the related command described above.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> } { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] }

The DHCP self-defined options are configured.

----End


Postrequisite

The Option field in DHCP packets carries the control information and parameters that are not defined in some common protocols. If the DHCP server is configured with Option, the DHCP client gets the configuration information saved in the Option field of DHCP response packets.

You can add new options to the attribute list of the DHCP server by manual definition. For example,

• To configure the IP address of the log server to 10.110.204.1, run the dhcp server option 7 ip-address 10.110.204.1 command.

• To configure the TTL of the client packet to 64, run the dhcp server option 23 hex 40 command.

NOTE

Using the option command, you can specify the options that need to be included in the DHCP response packets.

Before using this command, you need to know the function of each option: Option 77 identifies user types or applications of the DHCP client. Based on User Class in the Option field, the DHCP server selects the proper address pool and configuration parameters. Option 77 usually is configured on the client.
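How the self-defined option commands in 4.3.5 and 4.4.6 end up in the Option field: the Python sketch below is an added example, not Huawei code, that encodes a dhcp server option line into the code/length/value bytes defined by RFC 2132 and decodes the options that appear on this page. The helper names encode_option and describe are hypothetical, the trailing { all | interface ... } scope is not handled, and it is an assumption that the router lays values out exactly as RFC 2132 does.

```python
import ipaddress

MAX_ADDRESSES = 8  # the command syntax on this page allows ip-address &<1-8>


def encode_option(command: str) -> bytes:
    """Encode '[dhcp server] option <code> {ascii|hex|ip-address} <value>'
    as RFC 2132 code/length/value bytes (hypothetical helper)."""
    tokens = command.split()
    if tokens[:2] == ["dhcp", "server"]:
        tokens = tokens[2:]
    if len(tokens) < 4 or tokens[0] != "option":
        raise ValueError("expected: option code {ascii|hex|ip-address} value")
    code = int(tokens[1])
    if not 1 <= code <= 254:  # 0 is the pad option, 255 the end marker
        raise ValueError(f"option code {code} is not usable")
    kind, args = tokens[2], tokens[3:]
    if kind == "ascii":
        value = " ".join(args).encode("ascii")
    elif kind == "hex":
        # 'hex 00 00 A8 C0' and 'hex 0000A8C0' are treated alike;
        # an odd number of hex digits raises ValueError.
        value = bytes.fromhex("".join(args))
    elif kind == "ip-address":
        if len(args) > MAX_ADDRESSES:
            raise ValueError("at most 8 IP addresses per option")
        value = b"".join(ipaddress.IPv4Address(a).packed for a in args)
    else:
        raise ValueError(f"unknown value type {kind!r}")
    if not 1 <= len(value) <= 255:  # the length field is a single byte
        raise ValueError("option value must be 1 to 255 bytes long")
    return bytes([code, len(value)]) + value


def describe(tlv: bytes) -> str:
    """Explain one encoded option, for the option codes used on this page."""
    if len(tlv) < 2 or tlv[1] != len(tlv) - 2:
        raise ValueError("length byte does not match the value size")
    code, length, value = tlv[0], tlv[1], tlv[2:]
    if code == 7 and length % 4 == 0:
        servers = [str(ipaddress.IPv4Address(value[i:i + 4]))
                   for i in range(0, length, 4)]
        return "log server " + ", ".join(servers)
    if code == 23 and length == 1:
        return f"default IP TTL {value[0]}"
    if code in (58, 59) and length == 4:
        name = "renewal (T1)" if code == 58 else "rebinding (T2)"
        return f"{name} time {int.from_bytes(value, 'big')} s"
    return f"option {code}: {value.hex()}"


if __name__ == "__main__":
    for line in ("dhcp server option 7 ip-address 10.110.204.1",
                 "dhcp server option 23 hex 40",
                 "option 58 hex 00 00 A8 C0"):  # as printed by display dhcp server tree
        tlv = encode_option(line)
        print(f"{line!r:50} -> {tlv.hex(' ')}  ({describe(tlv)})")
```

The last sample line shows why the hex form needs care: the four bytes 00 00 A8 C0 are a big-endian count of seconds, so a wrong byte order or a missing byte silently changes the timer a client receives.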

4.4.7 Checking the Configuration

Prerequisite

The configurations of the sub-interface address pool-based DHCP server are complete.

Procedure

• Run the display dhcp server free-ip command to check the available address information in the DHCP address pool.

• Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command to check the expired lease in the DHCP address pool.

• Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command to check the address binding information.

• Run the display dhcp server statistics command to check the statistics of DHCP server.

• Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] } command to check the information on the tree-structure of the DHCP address pool.

----End

Example

Run the display dhcp server free-ip command. If there are unused IP addresses in the address pool, it means that the configuration succeeds.

<HUAWEI> display dhcp server free-ip
IP Range from 5.5.5.1 to 5.5.5.254
IP Range from 202.38.160.1 to 202.38.160.1
IP Range from 202.38.160.4 to 202.38.160.126

Run the display dhcp server expired command. If information about the expired leases of IP addresses in DHCP address pools is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server expired all
Global pool:
 IP address       Hardware address    Lease expiration           Type
 2.2.2.2          44444-4444-4444     NOT Used                   Manual
Interface pool:
 IP address       Hardware address    Lease expiration           Type

Run the display dhcp server ip-in-use command. If the binding information of IP address, such as the hardware address and the IP lease, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server ip-in-use all
Global pool:
 IP address       Hardware address    Lease expiration           Type
 2.2.2.2          4444-4444-4444      NOT Used                   Manual
Interface pool:
 IP address       Hardware address    Lease expiration           Type
 5.5.5.1          0050-ba28-930a      Jul 5 2006 13: 00:10 PM    Auto:COMMITED

Run the display dhcp server statistics command. If statistics of the DHCP server, including the number of DHCP address pools, the number of the automatic binding, the manual binding and the expired binding and the number of DHCP packets is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server statistics
 Global Pool:
 Pool Number: 5
 Binding
   Auto: 0
   Manual: 1
   Expire: 0
 Interface Pool:
 Pool Number: 1
 Binding
   Auto: 1
   Manual: 0
   Expire: 0
 Boot Request: 6
   Dhcp Discover: 1
   Dhcp Request: 4
   Dhcp Decline: 0
   Dhcp Release: 1
   Dhcp Inform: 0
 Boot Reply: 4
   Dhcp Offer: 1
   Dhcp Ack: 3
   Dhcp Nak: 0
 Bad Messages: 0
 HA Message:
   BatchBackup send msg: 0
   BatchBackup recv msg: 0
   BatchBackup send lease: 0
   BatchBackup recv lease: 0

Run the display dhcp server tree command. If the tree structure of the DHCP address pool, including DNS, the IP lease and Option parameters, is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server tree all
Global pool:
 Pool name: 5
 network 10.10.1.0 255.255.255.0
 Child node:6
 Sibling node:7
 option 1 ip-address 255.0.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

 Pool name: 6
 host 10.10.1.2 255.0.0.0
 hardware-address 1111.2222.3333 gigabitethernet
 Parent node:5
 option 1 ip-address 255.255.0.0
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

Interface pool:
 Pool name: GigabitEthernet11/2/0
 network 5.5.5.0 mask 255.255.255.0
 option 1 ip-address 255.255.255.0
 gateway-list 5.5.5.5
 expired 1 0 0
 option 58 hex 00 00 A8 C0
 option 59 hex 00 00 00 3C

4.5 Configuring the Security Function for DHCP

This section describes how to enhance the security of the DHCP service.

4.5.1 Establishing the Configuration Task

4.5.2 Starting the Detection of the Pseudo DHCP Server on a DHCP Server

4.5.3 Avoiding Repetitive IP Address Assignment

4.5.4 Saving DHCP Data

4.5.5 Restoring DHCP Data

4.5.6 Checking the Configuration

4.5.1 Establishing the Configuration Task

Applicable Environment

After configuring the DHCP server, you need to configure the security function of the DHCP service. This enhances the security of the DHCP service and prevents pseudo DHCP servers from allocating invalid IP addresses to clients. By viewing logs, the administrator determines whether invalid DHCP servers allocate invalid IP addresses to clients.

Pre-configuration Tasks

• Before configuring the security function of DHCP, complete the DHCP server configuration.

Data Preparation

To configure the security function of DHCP service, you need the following data.

No. Data

1 Interval at which ping packets are sent and the number of ping packets

2 Interval for saving the DHCP data

4.5.2 Starting the Detection of the Pseudo DHCP Server on a DHCP Server

Context

If a private DHCP server exists in the network, users cannot obtain correct IP addresses and thus cannot log in to the network, because this private DHCP server interacts with the DHCP client during address application. Such a private DHCP server is called a pseudo DHCP server.

The logs contain the IP addresses of all the DHCP servers that allocate IP addresses to clients. By viewing these logs, the administrator can determine whether a pseudo DHCP server exists.

Do as follows on the DHCP server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    dhcp server detect

Detection of pseudo DHCP servers is enabled on the DHCP server.

By default, this function is disabled.

----End
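The log review described in the Context above amounts to comparing each server address seen in DHCP replies against the list of authorized servers. The following Python code is an added example, not Huawei code and not a description of how dhcp server detect works internally: it reads the Server Identifier (option 54) from DHCP replies and counts the replies sent by servers that are not authorized. The packets, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options (RFC 2131)
BOOTREPLY = 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def build_reply(msg_type, server_ip):
    """Constructed sample input: a minimal BOOTREPLY carrying options 53 and 54."""
    header = struct.pack("!BBBB", BOOTREPLY, 1, 6, 0) + bytes(232)  # 236-byte fixed part
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(message):
    """Return {code: value} for a DHCP message; raise ValueError if it is malformed."""
    if len(message) < 240 or message[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, pos = {}, 240
    while pos < len(message):
        code = message[pos]
        if code == OPT_END:
            return options
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 1 >= len(message):
            raise ValueError("option without length byte")
        length = message[pos + 1]
        value = message[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        pos += 2 + length
    raise ValueError("missing end option")


def find_pseudo_servers(messages, authorized):
    """Count replies per (server address, reply type) for servers not in `authorized`."""
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    suspects = Counter()
    for message in messages:
        try:
            options = parse_options(message)
        except ValueError:
            continue                      # skip malformed input instead of stopping
        if message[0] != BOOTREPLY:
            continue                      # only server replies are evaluated
        kind = options.get(OPT_MSG_TYPE, b"")
        server = options.get(OPT_SERVER_ID, b"")
        if len(kind) != 1 or kind[0] not in REPLY_TYPES or len(server) != 4:
            continue
        address = ipaddress.IPv4Address(server)
        if address not in allowed:
            suspects[(str(address), REPLY_TYPES[kind[0]])] += 1
    return dict(suspects)


# Constructed capture: 10.1.1.1 is the authorized server, 10.1.1.77 is not.
SAMPLE = [
    build_reply(2, "10.1.1.1"),
    build_reply(5, "10.1.1.1"),
    build_reply(2, "10.1.1.77"),
    build_reply(2, "10.1.1.77"),
    build_reply(5, "10.1.1.77"),
    build_reply(2, "10.1.1.88")[:245],    # truncated option, must be ignored
]

if __name__ == "__main__":
    for (server, kind), count in find_pseudo_servers(SAMPLE, {"10.1.1.1"}).items():
        print(f"unauthorized DHCP server {server}: {count} x {kind}")
```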

4.5.3 Avoiding Repetitive IP Address Assignment

Context

Do as follows on the DHCP server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    dhcp server ping timeout milliseconds

The time that the DHCP server waits for a response after sending a ping packet is configured.

Step 3 Run:
    dhcp server ping packets number

The maximum number of ping packets sent by the DHCP server is configured.

By default, the maximum number of ping packets being sent is 2 and the longest waiting time for ping response packets is 500 ms.

----End

Postrequisite

Before assigning an address to a client, the DHCP server should probe the IP address to avoid an address collision.

Using the ping command, the DHCP server checks whether the address to be assigned responds within the specified time. If there is no response within that time, the DHCP server re-sends ping packets to this address until it reaches the maximum number of ping packets allowed to be sent. If there is still no response, the IP address is not in use. In this way, it is ensured that a unique IP address is assigned to the client.

4.5.4 Saving DHCP Data

Context

Do as follows on the DHCP server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    dhcp server database enable

Saving the DHCP data to the hard disk is enabled.

Step 3 Run:
    dhcp server database write-delay seconds

The time delay for saving the data is set.

By default, DHCP data is not saved to the hard disk. If the function is enabled, the default interval for saving the current DHCP data is 300 seconds, and the new data overwrites the previous data.

----End

Postrequisite

The system can save the current DHCP data to the hard disk and restore the data from the hard disk when the device fails.

The DHCP data is saved with a fixed file name on the hard disk. Normally, the IP leasing information is saved in the lease.txt file and the address collision information is saved in the conflict.txt file. Back up these two files to other directories because they are replaced regularly.

4.5.5 Restoring DHCP Data

Context

Do as follows on the DHCP server:

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    dhcp server database recover

DHCP data is restored from the hard disk.

----End

4.5.6 Checking the Configuration

Prerequisite

The configurations of the security function for DHCP are complete.

Procedure

• Run the display dhcp server conflict { all | ip ip-address } command to check the statistics of DHCP address collisions.

• Run the display dhcp server database command to check the storage path and file information of the DHCP database.

----End

Example

Run the display dhcp server conflict command. If the conflicted IP address and the time when the conflict occurs are displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server conflict all
Address        Discover Time
10.110.1.2     Jan 11 2003 11:57: 7 PM

Run the display dhcp server database command. If the saved path of the DHCP data is displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp server database
 Status: disable
 Recover from files after reboot: disable
 File saving lease items: hda1:/dhcp/lease.txt
 File saving conflict items: hda1:/dhcp/conflict.txt
 Save Interval: 300 (seconds)

4.6 Configuring DHCP Relay

This section describes how to enable DHCP relay so that DHCP relay can forward DHCP requests from local clients to the DHCP server on other networks.

4.6.1 Establishing the Configuration Task

4.6.2 Configuring Relay

4.6.3 Checking the Configuration

4.6.1 Establishing the Configuration Task

Applicable Environment

When there is no DHCP server configured on the local network, enable the DHCP relay function on the other devices in the network. The DHCP relay can then forward the DHCP requests from local clients to the DHCP server on the other network. To ensure that the client can normally obtain the IP address, the server must be a DHCP server based on the global address pool. That is, the interface connecting the DHCP server to the DHCP relay must not be configured with any interface address pool.

NOTE

The number of relays between the server and the client cannot exceed four. Otherwise, the DHCP packet is discarded.

Pre-configuration Tasks

Before configuring the DHCP relay, complete the following tasks:

• Configuring the DHCP server

• Configuring the interface of the relay

• Configuring the routes from the relay to the DHCP server

Data Preparation

To configure the DHCP relay, you need the following data.

No. Data

1 IP address of the DHCP server

2 Number of the interface on which the DHCP relay function is to be enabled

3 Number of the VLAN on which the DHCP relay function is to be enabled

4 (Optional) IP address to be released and the corresponding MAC address

5 DHCP option that needs to be associated with the DHCP server address and the relay agent address

4.6.2 Configuring Relay

Context

When a client and a DHCP server are not on the same network segment, you can configure the address of the interface that functions as the DHCP relay agent of the DHCP server. In this manner, the client can send a Request packet that is forwarded by the DHCP relay agent to the DHCP server, and then the client can be assigned an IP address.

On the relay device, you can also configure the association between the DHCP option and the DHCP server address and the association between the DHCP option and the relay agent address. According to the option field in the DHCP Request packet, the relay agent can identify the type of the client and thus forward the Request packet to the corresponding DHCP server. This helps the DHCP server assign the IP addresses of different network segments to the clients with different services.

If no DHCP option is configured to associate with either the DHCP server address or the relay agent address, the relay device needs to check whether a DHCP server address is configured on the interface (that is, the interface functions as the relay agent of the DHCP server). If the interface is configured with the relay function, the relay agent forwards packets to the corresponding DHCP server; otherwise, the packets are discarded.

You can configure relay in the interface view and system view.

NOTE

Because the DHCP client may send broadcast packets during DHCP configuration, the interface where IP relay is enabled should support the broadcast mode. This IP address must be in the same network segment as the IP addresses in the address pool on the DHCP server. An interface can function as the relay agent for up to 20 DHCP server addresses.

Do as follows on the router acting as the DHCP relay:

Procedure

• Configure the DHCP relay function in the interface view.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The interface view is displayed.

  3. Run:
     ip address ip-address { mask | mask-length }

     The primary IP address of the interface is configured.

  4. (Optional) Run:
     ip address ip-address { mask | mask-length } sub

     The secondary IP address of the interface is configured.

  5. Run:
     dhcp select relay

     The DHCP relay function is enabled.

  6. Run:
     ip relay address ip-address [ dhcp-option { 60 [ option-text ] | code } ]

     The address of the DHCP server for which the interface functions as the relay agent is configured. Associating the DHCP option with the DHCP server address is optional.

  7. (Optional) Run:
     ip relay giaddr ip-address [ dhcp-option { 60 [ option-text ] | code } ]

     The DHCP option is associated with the primary or secondary IP address of the interface.

     By default, the primary IP address of the interface on the relay device functions as the relay agent address.

• Configure the DHCP relay function in the system view.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     dhcp select relay { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number &<1-10> }

     The DHCP relay function is enabled globally.

  3. Run:
     ip relay address ip-address { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number }

     The IP address of the DHCP server for which the multiple interfaces function as relay agents is configured.

----End
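The forwarding rules in this section (option association, fallback to a plain server address, the default relay agent address and the limit of four relays) can be modelled as follows. This Python code is an added example, not Huawei code: the addresses and names are constructed, the rule that the most specific association wins is an assumption the guide does not state, and the relay limit is assumed to be checked against the hops field of the incoming request.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RELAYS = 4   # from the guide: more than four relays and the packet is discarded


@dataclass(frozen=True)
class Association:
    """One 'ip relay address' or 'ip relay giaddr' entry on the relay interface."""
    address: str
    code: Optional[int] = None     # dhcp-option code; None = configured without dhcp-option
    text: Optional[bytes] = None   # option-text (option 60 only); None = any content


def score(entry, options):
    """0 = does not apply, 1 = plain entry, 2 = option code matches, 3 = code and text match."""
    if entry.code is None:
        return 1
    if entry.code not in options:
        return 0
    if entry.text is None:
        return 2
    return 3 if options[entry.code] == entry.text else 0


def select(entries, options):
    """Addresses of the best-matching entries, in configuration order (assumed precedence)."""
    scores = [score(entry, options) for entry in entries]
    best = max(scores, default=0)
    return [e.address for e, s in zip(entries, scores) if s == best and best > 0]


def relay_decision(hops, giaddr, options, servers, agents, primary_ip):
    """Decide what the relay does with one client request (options: {code: bytes})."""
    if hops >= MAX_RELAYS:                        # assumed reading of the four-relay limit
        return ("discard", "relay limit reached")
    targets = select(servers, options)
    if not targets:
        return ("discard", "no DHCP server address applies")
    if giaddr == "0.0.0.0":                       # only the first relay fills in giaddr (RFC 1542)
        chosen = select(agents, options)
        giaddr = chosen[0] if chosen else primary_ip
    return ("forward", {"servers": targets, "giaddr": giaddr, "hops": hops + 1})


# Constructed relay interface, equivalent to these commands from the procedure:
#   ip address 10.1.1.1 24
#   ip address 10.1.2.1 24 sub
#   ip relay address 10.2.0.1
#   ip relay address 10.2.0.2 dhcp-option 60
#   ip relay address 10.2.0.3 dhcp-option 60 abc
#   ip relay giaddr 10.1.2.1 dhcp-option 60 abc
PRIMARY_IP = "10.1.1.1"
SERVERS = [
    Association("10.2.0.1"),
    Association("10.2.0.2", 60),
    Association("10.2.0.3", 60, b"abc"),
]
AGENTS = [Association("10.1.2.1", 60, b"abc")]

if __name__ == "__main__":
    for label, hops, options in [
        ("option 60 = abc", 0, {60: b"abc"}),
        ("option 60 = stb", 0, {60: b"stb"}),
        ("no option 60", 0, {}),
        ("fifth relay", 4, {60: b"abc"}),
    ]:
        print(label, "->", relay_decision(hops, "0.0.0.0", options, SERVERS, AGENTS, PRIMARY_IP))
```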

4.6.3 Checking the Configuration

Prerequisite

The configurations of the DHCP relay are complete.

Procedure

• Run the display dhcp relay statistics command to check the related statistics of the DHCP relay.

• Run the display dhcp relay address { all | interface interface-type interface-number } command to check the DHCP configuration of the interface enabled with the DHCP relay function.

----End

Example

Run the display dhcp relay address command to view the DHCP configurations of all interfaces.

<HUAWEI> display dhcp relay address all
 ** GigabitEthernet1/0/0 DHCP Relay Address **
 *:option is none, (*):option-text is none
 Dhcp Option    Relay Agent IP    Server IP
 *              10.1.1.1          70.1.1.2
                                  101.40.1.2
 45             20.1.1.1          101.40.1.2
 60(*)          30.1.1.1          202.40.1.2
 60(abc)        40.1.1.1          202.40.1.2

Run the display dhcp relay statistics command. If the statistics of DHCP relay, such as the number of wrong DHCP packets and the numbers of the various DHCP packets, are displayed, it means that the configuration succeeds.

<HUAWEI> display dhcp relay statistics
 Bad Packets received: 0
 DHCP packets received from clients: 2
   DHCP DISCOVER packets received: 1
   DHCP REQUEST packets received: 1
   DHCP INFORM packets received: 0
   DHCP DECLINE packets received: 0
 DHCP packets received from servers: 2
   DHCP OFFER packets received: 1
   DHCP ACK packets received: 1
   DHCP NAK packets received: 0
 DHCP packets sent to servers: 1
 DHCP packets sent to clients: 1
   Unicast packets sent to clients: 0
   Broadcast packets sent to clients: 0

4.7 Maintaining DHCP

This section describes how to clear the statistics about DHCP and debug DHCP.

4.7.1 Resetting DHCP

4.7.2 Releasing Conflicting IP Addresses

4.7.3 (Optional) Requesting the DHCP Server to Release IP Addresses of the Client

4.7.4 Clearing DHCP Statistics

4.7.5 Monitoring Network Operation Status of DHCP

4.7.6 Debugging DHCP

4.7.1 Resetting DHCP

Context

CAUTION
Resetting DHCP bindings through the reset dhcp command interrupts the operation of the DHCP server. Confirm the action before you clear the DHCP binding information.

Procedure

• Run the reset dhcp server ip-in-use ip-address command in the user view to reset the information about the binding of the specified IP address.

• Run the reset dhcp server ip-in-use pool [ pool-name ] command in the user view to reset the information about the dynamic address bindings of the global address pool.

• Run the reset dhcp server ip-in-use interface [ interface-type interface-number ] command in the user view to reset the information about the dynamic address bindings of the interface address pool.

• Run the reset dhcp server ip-in-use all command in the user view to reset the information about the dynamic address bindings of all the address pools.

----End

4.7.2 Releasing Conflicting IP Addresses

Context

The DHCP server detects conflicting IP addresses through the ping command, while the DHCP client detects conflicting IP addresses by sending ARP packets.

CAUTION
After the conflicting IP addresses are released, they can be reallocated by the DHCP server.

Procedure

• Run the reset dhcp server conflict ip ip-address command to release the conflicting IP addresses in the specified address pool.

• Run the reset dhcp server conflict all command to release all conflicting IP addresses.

----End

4.7.3 (Optional) Requesting the DHCP Server to Release IP Addresses of the Client

Context

Do as follows on the router acting as the DHCP relay:

Procedure

• Requesting all the DHCP servers to release an IP address.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     dhcp relay release client-ip-address mac-address

     All the DHCP servers are requested to release the IP address that the client applied for.

• Requesting the specified DHCP server to release an IP address.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     dhcp relay release client-ip-address mac-address server-ip-address

     The specified DHCP server is requested to release the IP address that the client applied for.

• Requesting the DHCP server connected with the interface to release an IP address.

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The interface view is displayed.

  3. Run:
     dhcp relay release client-ip-address mac-address [ server-ip-address ]

     The DHCP server connected with the interface on the DHCP relay is requested to release the IP address that the client applied for.

----End

4.7.4 Clearing DHCP Statistics

Context

CAUTION
DHCP statistics cannot be restored after you clear them. Confirm the action before you use the command.

Procedure

• Run the reset dhcp server statistics command in the user view to clear the DHCP server statistics.

• Run the reset dhcp relay statistics command in the user view to clear the DHCP relay statistics.

----End

4.7.5 Monitoring Network Operation Status of DHCP

Context

In routine maintenance, you can run the following commands in any view to check the operation of DHCP.

Procedure

• Run the display dhcp server free-ip command in any view to check the information about available IP addresses in the DHCP address pool.

• Run the display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command in any view to check the information about the IP addresses with expired leases in the DHCP address pool.

• Run the display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] } command in any view to check the information about address bindings.

• Run the display dhcp server statistics command in any view to check the statistics about the DHCP server.

• Run the display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] } command in any view to check the information about the tree structure of the DHCP address pool.

• Run the display dhcp server conflict { all | ip ip-address } command in any view to check the information about the conflict addresses in the DHCP address pool.

• Run the display dhcp server database command in any view to check the path at which the DHCP database is saved and the file information about the database.

• Run the display interface [ interface-type interface-number ] command in any view to check the relay address of the interface.

• Run the display dhcp relay address { all | interface interface-type interface-number } command in any view to check configurations about the DHCP relay address.

----End

4.7.6 Debugging DHCP

Context

CAUTION
Debugging affects the performance of the system. So after debugging, run the undo debugging all command to disable it immediately.

Run the following debugging commands in the user view to debug DHCP and locate the fault.

For the procedure for displaying the debugging information, refer to the chapter "Information Center Configuration" in the NE5000E Core Router Configuration Guide - System Management.

For descriptions about the debugging commands, refer to the NE5000E Core Router Debugging Reference.

Procedure

• Run the debugging dhcp server { all | error | event | packet } command in the user view to debug the DHCP server.

• Run the debugging dhcp relay { all | error | event | packet [ client mac mac-address ] } command in the user view to debug DHCP relay.

----End

4.8 Configuration Examples

This section provides several configuration examples of the DHCP server and DHCP relay.

4.8.1 Example for Configuring the Global Address Pool-based DHCP Server

4.8.2 Example for Configuring the Interface Address Pool-based DHCP Server

4.8.3 Example for Configuring the Sub-interface Address Pool-based DHCP Server

4.8.4 Example for Configuring DHCP Relay

4.8.5 Example for Configuring the DHCP Option Association

4.8.1 Example for Configuring the Global Address Pool-based DHCP Server

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 4-1, a DHCP server dynamically assigns the IP addresses to a client in the same network segment. The address pool segment 10.1.1.0/24 is divided into two segments: 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of the two Ethernet interfaces on the DHCP server are 10.1.1.1/25 and 10.1.1.129/25.

The IP lease of the segment 10.1.1.0/25 is 10 days and 12 hours, with domain name as huawei.com, DNS address as 10.1.1.2, egress device address as 10.1.1.126 and without the NetBIOS address.

The IP lease of the segment 10.1.1.128/25 is 5 days, with DNS address as 10.1.1.2, egress device address as 10.1.1.254, and NetBIOS address as 10.1.1.4.

Figure 4-1 Networking diagram of the DHCP server and the client that are in the same network segment

[Figure: the DHCP server connects through GE1/0/0 (10.1.1.1/25) to network 10.1.1.0/25 and through GE1/0/1 (10.1.1.129/25) to network 10.1.1.128/25; the diagram also shows the DHCP clients, the DNS server and the NetBIOS server.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP.

2. Configure the IP addresses that need not be assigned automatically, such as IP addresses of the DNS server, the NetBIOS server and the egress gateway.

3. Configure an address pool, including the address range and the domain name, and configure the IP address of the DNS server.

4. Configure related attributes for the address pool, such as the address range, the egress gateway, the IP address of the NetBIOS server and the IP lease.

This example covers the configurations of three address pools. Address pool 0 is configured with the common attributes of all clients; address pool 1 and address pool 2 are configured with the different attributes of the various clients.

In this example, you can configure only address pool 1 and address pool 2. They cannot adopt configurations of the root address pool. You need to configure attributes for each of them.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses that need not be assigned automatically

• Address pool number

Procedure

Step 1 Configure the DHCP server.

# Enable DHCP on the device.

<HUAWEI> system-view
[HUAWEI] sysname HUAWEI
[HUAWEI] dhcp enable

# Configure the IP addresses that do not participate in auto-allocation, including addresses of the DNS server, the NetBIOS server and the egress gateway.

[HUAWEI] dhcp server forbidden-ip 10.1.1.2
[HUAWEI] dhcp server forbidden-ip 10.1.1.4
[HUAWEI] dhcp server forbidden-ip 10.1.1.126
[HUAWEI] dhcp server forbidden-ip 10.1.1.254

# Configure general attributes of DHCP address pool 0, including the address pool range, domain name and the IP address of the DNS server.

[HUAWEI] dhcp server ip-pool 0
[HUAWEI-dhcp-0] network 10.1.1.0 mask 255.255.255.0
[HUAWEI-dhcp-0] domain-name huawei.com
[HUAWEI-dhcp-0] dns-list 10.1.1.2
[HUAWEI-dhcp-0] quit

# Configure attributes of DHCP address pool 1, including the address pool range, egress gateway and the IP lease.

[HUAWEI] dhcp server ip-pool 1
[HUAWEI-dhcp-1] network 10.1.1.0 mask 255.255.255.128
[HUAWEI-dhcp-1] expired day 10 hour 12
[HUAWEI-dhcp-1] gateway-list 10.1.1.126
[HUAWEI-dhcp-1] quit

# Configure attributes of DHCP address pool 2, including the address pool range, egress gateway, the IP address of the NetBIOS server and the IP lease.

[HUAWEI] dhcp server ip-pool 2
[HUAWEI-dhcp-2] network 10.1.1.128 mask 255.255.255.128
[HUAWEI-dhcp-2] expired day 5
[HUAWEI-dhcp-2] nbns-list 10.1.1.4
[HUAWEI-dhcp-2] gateway-list 10.1.1.254
[HUAWEI-dhcp-2] quit

# Configure the clients of the GE 1/0/0 to obtain their IP addresses from the global address pool.

[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.128
[HUAWEI-GigabitEthernet1/0/0] dhcp select global
[HUAWEI-GigabitEthernet1/0/0] undo shutdown
[HUAWEI-GigabitEthernet1/0/0] quit

# Configure the clients of the GE 1/0/1 to obtain their IP addresses from the global address pool.

[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.129 255.255.255.128
[HUAWEI-GigabitEthernet1/0/1] dhcp select global
[HUAWEI-GigabitEthernet1/0/1] undo shutdown
[HUAWEI-GigabitEthernet1/0/1] quit

Step 2 Verify the configuration.

After the configuration, run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

[HUAWEI] display dhcp server tree all
Global pool:
Pool name: 0
Child node:1
 network 10.1.1.0 mask 255.255.255.0
 dns-list 10.1.1.2
 domain-name huawei.com
 expired day 1 hour 0 minute 0
Pool name: 1
Parent node:0
Sibling node:2
 network 10.1.1.0 mask 255.255.255.128
 gateway-list 10.1.1.126
 dns-list 10.1.1.2
 domain-name huawei.com
 expired day 10 hour 12 minute 0
Pool name: 2
Parent node:0
PrevSibling node:1
 network 10.1.1.128 mask 255.255.255.128
 gateway-list 10.1.1.254
 dns-list 10.1.1.2
 domain-name huawei.com
 nbns-list 10.1.1.4
 expired day 5 hour 0 minute 0

----End

Configuration File

The configuration file of HUAWEI is as follows:

#
 sysname HUAWEI
#
dhcp server ip-pool 0
 network 10.1.1.0 mask 255.255.255.0
 dns-list 10.1.1.2
 domain-name huawei.com
#
dhcp server ip-pool 1
 network 10.1.1.0 mask 255.255.255.128
 gateway-list 10.1.1.126
 expired day 10 hour 12
#
dhcp server ip-pool 2
 network 10.1.1.128 mask 255.255.255.128
 gateway-list 10.1.1.254
 nbns-list 10.1.1.4
 expired day 5
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.129 255.255.255.128
#
 dhcp server forbidden-ip 10.1.1.2
 dhcp server forbidden-ip 10.1.1.4
 dhcp server forbidden-ip 10.1.1.126
 dhcp server forbidden-ip 10.1.1.254
#
return

NOTE

By default, IP addresses in the global address pool are assigned. So, the configuration file does not contain the dhcp select global command.
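A saved configuration like the one above can be checked mechanically for the points this chapter stresses: every DNS, NetBIOS and gateway address that lies inside a pool must be listed with dhcp server forbidden-ip, and the security functions from section 4.5 should be on. The following Python code is an added example, not a Huawei tool; it assumes that enabled functions appear in the configuration file as the commands dhcp server detect and dhcp server database enable, and that an optional second address after forbidden-ip ends a range.

```python
import ipaddress

# Configuration file of section 4.8.1, one command per line.
CONFIG_4_8_1 = """\
#
 sysname HUAWEI
#
dhcp server ip-pool 0
 network 10.1.1.0 mask 255.255.255.0
 dns-list 10.1.1.2
 domain-name huawei.com
#
dhcp server ip-pool 1
 network 10.1.1.0 mask 255.255.255.128
 gateway-list 10.1.1.126
 expired day 10 hour 12
#
dhcp server ip-pool 2
 network 10.1.1.128 mask 255.255.255.128
 gateway-list 10.1.1.254
 nbns-list 10.1.1.4
 expired day 5
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.129 255.255.255.128
#
 dhcp server forbidden-ip 10.1.1.2
 dhcp server forbidden-ip 10.1.1.4
 dhcp server forbidden-ip 10.1.1.126
 dhcp server forbidden-ip 10.1.1.254
#
return
"""

LISTS = ("dns-list", "gateway-list", "nbns-list")
SWITCHES = ("dhcp server detect", "dhcp server database enable")   # assumed file form


def parse(config):
    """Return (pools, forbidden ranges, enabled switches) from a saved configuration."""
    pools, forbidden, enabled, pool = {}, [], set(), None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] in ("#", "return", "interface"):
            pool = None                       # any of these leaves the address pool view
        elif words[:3] == ["dhcp", "server", "ip-pool"] and len(words) == 4:
            pool = pools.setdefault(words[3], {"network": None, "static": set()})
        elif words[:3] == ["dhcp", "server", "forbidden-ip"] and len(words) in (4, 5):
            # Assumption: a second address ends a range; the page shows one address only.
            low, high = (ipaddress.ip_address(w) for w in (words[3], words[-1]))
            forbidden.append((low, high))
        elif " ".join(words) in SWITCHES:
            enabled.add(" ".join(words))
        elif pool is not None and words[0] == "network" and len(words) == 4:
            pool["network"] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
        elif pool is not None and words[0] in LISTS:
            pool["static"].update(ipaddress.ip_address(w) for w in words[1:])
    return pools, forbidden, enabled


def audit(config):
    """Return a sorted list of (check, detail) findings; an empty list means no finding."""
    pools, forbidden, enabled = parse(config)
    networks = [p["network"] for p in pools.values() if p["network"] is not None]
    findings = set()
    for pool in pools.values():
        for addr in pool["static"]:
            leasable = any(addr in net for net in networks)
            excluded = any(low <= addr <= high for low, high in forbidden)
            if leasable and not excluded:
                findings.add(("forbidden-ip missing", str(addr)))
    for switch in SWITCHES:
        if switch not in enabled:
            findings.add(("not enabled", switch))
    return sorted(findings)


# Constructed variant: the gateway exclusion is lost, pseudo-server detection is on.
WEAKENED = CONFIG_4_8_1.replace(" dhcp server forbidden-ip 10.1.1.126\n",
                                " dhcp server detect\n")

if __name__ == "__main__":
    for name, config in (("4.8.1 as printed", CONFIG_4_8_1), ("weakened", WEAKENED)):
        print(name, audit(config))
```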

4.8.2 Example for Configuring the Interface Address Pool-based DHCP Server

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 4-2, the network 10.1.1.0/24 is of a smaller size. GE 1/0/0 connects with two DHCP clients and two servers. To assign IP addresses for the clients dynamically, configure a DHCP server based on the address pool on GE 1/0/0. After GE 1/0/0 is configured with the IP address 10.1.1.1/24, addresses from 10.1.1.2/24 to 10.1.1.254/24 can be assigned to the clients.

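Figure 4-2 Networking diagram of the DHCP server based on the address pool on the interface

[Figure: the router acting as DHCP server connects through GE1/0/0 (10.1.1.1/24) to the DHCP clients, the DNS server and the NetBIOS server; the addresses 10.1.1.2/24 and 10.1.1.3/24 are labelled in the diagram.]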

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP.

2. Configure the IP addresses that need not be assigned automatically, such as IP addresses of the DNS server, the NetBIOS server and the egress gateway.

3. Configure the IP address of the interface, the IP address of the DNS server and the domain name.

4. Enable the address pool on the interface.

5. (Optional) Configure related attributes for the address pool, such as the egress gateway, the IP address of the NetBIOS server, the IP lease, and the security function.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses that need not be assigned automatically

• IP address of the interface

Procedure

Step 1 Configure the DHCP server.

# Enable DHCP on the device.

<HUAWEI> system-view
[HUAWEI] sysname HUAWEI
[HUAWEI] dhcp enable

# Configure the IP addresses that do not participate in auto-allocation, including IP addresses of the DNS server and the NetBIOS server.

[HUAWEI] dhcp server forbidden-ip 10.1.1.2
[HUAWEI] dhcp server forbidden-ip 10.1.1.3

# Configure the IP address of GE 1/0/0.

[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] ip address 10.1.1.1 24

# Enable the address pool on the interface.

[HUAWEI-GigabitEthernet1/0/0] dhcp select interface

# Configure the domain name and IP addresses of the DNS server and NetBIOS server.

[HUAWEI-GigabitEthernet1/0/0] dhcp server domain-name huawei.com
[HUAWEI-GigabitEthernet1/0/0] dhcp server dns-list 10.1.1.2
[HUAWEI-GigabitEthernet1/0/0] dhcp server nbns-list 10.1.1.3
[HUAWEI-GigabitEthernet1/0/0] dhcp server netbios-type b-node

# (Optional) Configure the IP lease and detection of pseudo DHCP server.

[HUAWEI-GigabitEthernet1/0/0] dhcp server expired day 10 hour 12
[HUAWEI-GigabitEthernet1/0/0] undo shutdown
[HUAWEI-GigabitEthernet1/0/0] quit
[HUAWEI] dhcp server detect

Step 2 Verify the configuration.

After the configuration, run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

[HUAWEI] display dhcp server tree all
Interface pool:
Pool name: GigabitEthernet2/0/3
 network 10.1.1.0 mask 255.255.255.0
 gateway-list 10.1.1.1
 dns-list 10.1.1.2
 domain-name huawei.com
 nbns-list 10.1.1.3
 netbios-type b-node
 expired day 10 hour 12 minute 0

----End

Configuration File

The configuration file of HUAWEI is as follows:

#
 sysname HUAWEI
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.1.1.2
 dhcp server domain-name huawei.com
 dhcp server nbns-list 10.1.1.3
 dhcp server netbios-type b-node
 dhcp server expired day 10 hour 12
#
dhcp server forbidden-ip 10.1.1.2
dhcp server forbidden-ip 10.1.1.3
dhcp server detect
#
return

4.8.3 Example for Configuring the Sub-interface Address Pool-based DHCP Server

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 4-3, GE 1/0/0 has two sub-interfaces. To be more effective, configure address pools on several sub-interfaces so that the PCs that are in the same VLAN as the sub-interfaces can dynamically obtain their IP addresses from the address pool.

VLAN10 and VLAN20 are connected with the switch, as shown in the following diagram. On the switch, set GE0/0/4 that is connected with the device to be a Trunk interface. Configure the interfaces on the device to allow frames from VLAN10 and VLAN20 to pass. Configure the interfaces that connect the switch with PCs to join the corresponding default VLANs.


Figure 4-3 Networking diagram of the DHCP server based on the address pools on the sub-interfaces

[Figure labels: DHCP server with sub-interfaces GE1/0/0.1 (10.1.1.1/24) and GE1/0/0.2 (10.1.2.1/24); switch interface GE0/0/4; VLAN 10; VLAN 20; two DHCP clients; DNS server (10.1.2.2/24); NetBIOS server (10.1.1.3/24)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP.
2. Configure the IP addresses that need not be assigned automatically, such as IP addresses of the DNS server, the NetBIOS server and the egress gateway.
3. Create sub-interfaces, configure IP addresses for them and encapsulate them with 802.1Q.
4. Enable the address pool for the sub-interfaces.
5. Configure related attributes for the address pool, such as the domain name, IP addresses of the NetBIOS server and the DNS server, and the IP lease.

Data Preparation

To complete the configuration, you need the following data:

- IP addresses that need not be assigned automatically
- IP address of the interface

Procedure

Step 1 Configure the DHCP server.

# Enable DHCP on the device.

<HUAWEI> system-view
[HUAWEI] sysname HUAWEI
[HUAWEI] dhcp enable

# Configure the IP addresses that do not participate in auto-allocation, including IP addresses of the DNS server and NetBIOS server.


[HUAWEI] dhcp server forbidden-ip 10.1.2.2
[HUAWEI] dhcp server forbidden-ip 10.1.1.3

# Create sub-interface GE 1/0/0.1, configure its IP address, and encapsulate it with 802.1Q.

[HUAWEI] interface gigabitethernet 1/0/0.1
[HUAWEI-GigabitEthernet1/0/0.1] vlan-type dot1q 20
[HUAWEI-GigabitEthernet1/0/0.1] ip address 10.1.1.1 24
[HUAWEI-GigabitEthernet1/0/0.1] undo shutdown
[HUAWEI-GigabitEthernet1/0/0.1] quit

# Create sub-interface GE 1/0/0.2, configure its IP address, and encapsulate it with 802.1Q.

[HUAWEI] interface gigabitethernet 1/0/0.2
[HUAWEI-GigabitEthernet1/0/0.2] vlan-type dot1q 10
[HUAWEI-GigabitEthernet1/0/0.2] ip address 10.1.2.1 24
[HUAWEI-GigabitEthernet1/0/0.2] undo shutdown
[HUAWEI-GigabitEthernet1/0/0.2] quit

# Enable the address pool that is based on sub-interfaces.

[HUAWEI] dhcp select interface interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2

# Configure the domain name and IP addresses of the DNS server and NetBIOS server.

[HUAWEI] dhcp server domain-name huawei.com interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2
[HUAWEI] dhcp server dns-list 10.1.2.2 interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2
[HUAWEI] dhcp server nbns-list 10.1.1.3 interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2
[HUAWEI] dhcp server netbios-type b-node interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2

# Configure the IP lease for the address pool.

[HUAWEI] dhcp server expired day 10 hour 12 interface gigabitethernet 1/0/0.1 to gigabitethernet 1/0/0.2

Step 2 Verify the configuration.

After the configuration, run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

[HUAWEI] display dhcp server tree all
Interface pool:
Pool name: GigabitEthernet1/0/0.1
 network 10.1.1.0 mask 255.255.255.0
 gateway-list 10.1.1.1
 dns-list 10.1.2.2
 domain-name huawei.com
 nbns-list 10.1.1.3
 netbios-type b-node
 expired day 10 hour 12 minute 0
Pool name: GigabitEthernet1/0/0.2
 network 10.1.2.0 mask 255.255.255.0
 gateway-list 10.1.2.1
 dns-list 10.1.2.2
 domain-name huawei.com
 nbns-list 10.1.1.3
 netbios-type b-node
 expired day 10 hour 12 minute 0

After the preceding configurations, PCs in VLAN 10 and VLAN 20 can obtain IP addresses in the address pools of the sub-interfaces. PCs in the two VLANs can ping each other.

----End


Configuration File

The configuration file of router is as follows:

#
interface GigabitEthernet1/0/0.1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 vlan-type dot1q 20
 dhcp select interface
 dhcp server dns-list 10.1.2.2
 dhcp server domain-name huawei.com
 dhcp server nbns-list 10.1.1.3
 dhcp server netbios-type b-node
 dhcp server expired day 10 hour 12
#
interface GigabitEthernet 1/0/0.2
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
 vlan-type dot1q 10
 dhcp select interface
 dhcp server dns-list 10.1.2.2
 dhcp server domain-name huawei.com
 dhcp server nbns-list 10.1.1.3
 dhcp server netbios-type b-node
 dhcp server expired day 10 hour 12
#
 dhcp server forbidden-ip 10.1.2.2
 dhcp server forbidden-ip 10.1.1.3
#
return

4.8.4 Example for Configuring DHCP Relay

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 4-4, the DHCP client is in the network segment 10.110.0.0/16, while the DHCP server is in the network segment 202.40.0.0/16. A DHCP relay device is needed to forward DHCP packets so that the DHCP client obtains the IP addresses from the DHCP server.

The DHCP server is assigned an address pool in the network segment 10.100.0.0/16. The IP address of the DNS server is 10.100.1.2/16, the IP address of the NetBIOS server is 10.100.1.3/16, and the IP address of the gateway is 10.100.1.4. On the DHCP server, the routing table must contain at least one reachable route to the network segment 10.110.0.0.


Figure 4-4 Networking diagram for configuring DHCP relay

[Figure labels: DHCP clients; DNS server (10.100.1.2/16); NetBIOS server (10.100.1.3/16); Router A (DHCP relay) with GE1/0/0 (10.100.1.1/16) and POS2/0/0 (202.40.1.1/16); Router B (DHCP server) with POS1/0/0 (202.40.1.2/16)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP on Router A that acts as the DHCP relay.
2. Configure POS 2/0/0 that needs to implement the DHCP relay function.
3. Configure the address of the DHCP server for which the interface functions as the relay agent for GE 1/0/0 and enable DHCP relay on GE 1/0/0.
4. Configure a route from the DHCP server Router B to GE 1/0/0 of Router A.
5. Enable DHCP on Router B.
6. Configure the clients attached to POS 1/0/0 to obtain IP addresses through the global address pool.
7. Configure a global address pool on Router B.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the interface that needs to be enabled with DHCP relay
- IP address of the DHCP server

Procedure

Step 1 Configure the DHCP relay.

# Enable DHCP on the device.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] dhcp enable

# Configure an IP address for POS 2/0/0.

[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address 202.40.1.1 255.255.0.0
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit

# Enter the view of the interface that needs to be enabled with DHCP relay. Configure the IP address and mask of the interface, which should be in the same network segment as that of the DHCP client.

[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.100.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure the DHCP server.

# On Router B, configure routes to GE 1/0/0 that connects Router A and its client.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip route-static 10.100.0.0 255.255.0.0 202.40.1.1

# Enable DHCP.

[RouterB] dhcp enable

# Configure the clients of POS 1/0/0 to obtain the IP addresses from the global address pool.

[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 202.40.1.2 255.255.0.0
[RouterB-Pos1/0/0] dhcp select global
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

# Configure the IP addresses that do not participate in auto-allocation, including IP addresses of the DNS server, the NetBIOS server and the egress gateway.

[RouterB] dhcp server forbidden-ip 10.100.1.2
[RouterB] dhcp server forbidden-ip 10.100.1.3
[RouterB] dhcp server forbidden-ip 10.100.1.4

# Configure attributes of DHCP address pool 1, including the address pool range, domain name, egress gateway, the IP address of the DNS server and IP lease.

[RouterB] dhcp server ip-pool 1
[RouterB-dhcp-1] network 10.100.0.0 mask 255.255.0.0
[RouterB-dhcp-1] domain-name huawei.com
[RouterB-dhcp-1] dns-list 10.100.1.2
[RouterB-dhcp-1] nbns-list 10.100.1.3
[RouterB-dhcp-1] gateway-list 10.100.1.4
[RouterB-dhcp-1] expired day 10 hour 12
[RouterB-dhcp-1] quit

Step 3 Verify the configuration.

Run the display dhcp server tree command on the DHCP server. If the tree structure information of DHCP address pools, including DNS, IP lease, and Option parameters, is displayed, it means that the configuration succeeds.

[RouterB] display dhcp server tree all
Global pool:
Pool name: 1
 network 10.100.0.0 mask 255.255.0.0
 gateway-list 10.100.1.4
 dns-list 10.100.1.2
 domain-name huawei.com
 nbns-list 10.100.1.3
 expired day 10 hour 12 minute 0

Run the display dhcp relay address command on the DHCP relay device to view configurations of the relay IP address.

[RouterA] display dhcp relay address all
 ** GigabitEthernet1/0/0 DHCP Relay Address **
 Dhcp Option   Relay Agent IP   Server IP
 *             -                202.40.1.2

----End

Configuration Files

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.100.1.1 255.255.0.0
 ip relay address 202.40.1.2
 dhcp select relay
#
interface Pos 2/0/0
 link-protocol ppp
 undo shutdown
 ip address 202.40.1.1 255.255.0.0
#
return

- Configuration file of Router B

#
 sysname RouterB
#
dhcp server ip-pool 1
 network 10.100.0.0 mask 255.255.0.0
 gateway-list 10.100.1.4
 dns-list 10.100.1.2
 domain-name huawei.com
 nbns-list 10.100.1.3
 expired day 10 hour 12
#
interface Pos 1/0/0
 link-protocol ppp
 undo shutdown
 ip address 202.40.1.2 255.255.0.0
#
dhcp server forbidden-ip 10.100.1.2
dhcp server forbidden-ip 10.100.1.3
dhcp server forbidden-ip 10.100.1.4
#
ip route-static 10.100.0.0 255.255.0.0 202.40.1.1
#
return
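A check for the forbidden-ip step used in these examples, added here as an illustration and not part of the Huawei guide: it parses a saved configuration file and reports any gateway-list, dns-list or nbns-list address that lies inside a pool's network without a matching dhcp server forbidden-ip entry, and notes when the optional dhcp server detect is absent. The function names are hypothetical, the sample is the Router B configuration file above, and an optional second address on forbidden-ip is treated as the end of an inclusive range.

```python
import ipaddress

# Constructed sample: the Router B configuration file shown above, one command per line.
ROUTER_B = """\
#
 sysname RouterB
#
dhcp server ip-pool 1
 network 10.100.0.0 mask 255.255.0.0
 gateway-list 10.100.1.4
 dns-list 10.100.1.2
 domain-name huawei.com
 nbns-list 10.100.1.3
 expired day 10 hour 12
#
interface Pos 1/0/0
 link-protocol ppp
 undo shutdown
 ip address 202.40.1.2 255.255.0.0
#
dhcp server forbidden-ip 10.100.1.2
dhcp server forbidden-ip 10.100.1.3
dhcp server forbidden-ip 10.100.1.4
#
ip route-static 10.100.0.0 255.255.0.0 202.40.1.1
#
return
"""

SERVER_LISTS = ("gateway-list", "dns-list", "nbns-list")


def parse_dhcp_config(config):
    """Return (pools, forbidden ranges, detect flag) from a saved configuration file."""
    pools, forbidden, detect, cur = {}, [], False, None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] in ("#", "return"):
            cur = None                                   # "#" closes the current view
        elif w[:3] == ["dhcp", "server", "ip-pool"]:
            cur = pools.setdefault("global pool " + w[3],
                                   {"net": None, "servers": {}, "on": True})
        elif w[0] == "interface":
            cur = pools.setdefault("interface pool " + "".join(w[1:]),
                                   {"net": None, "servers": {}, "on": False})
        elif w[:3] == ["dhcp", "server", "forbidden-ip"]:
            lo = ipaddress.ip_address(w[3])
            hi = ipaddress.ip_address(w[4]) if len(w) > 4 else lo   # optional end address
            forbidden.append((lo, hi))
        elif w[:3] == ["dhcp", "server", "detect"]:
            detect = True
        elif cur is not None:
            if w[:3] == ["dhcp", "select", "interface"]:
                cur["on"] = True                         # interface address pool enabled
            elif w[0] == "network" and len(w) == 4:
                cur["net"] = ipaddress.ip_network(w[1] + "/" + w[3])
            elif w[:2] == ["ip", "address"] and len(w) == 4:        # skips "sub" addresses
                cur["net"] = ipaddress.ip_interface(w[2] + "/" + w[3]).network
            else:
                if w[:2] == ["dhcp", "server"]:
                    w = w[2:]                            # interface-pool form of the options
                if w and w[0] in SERVER_LISTS:
                    for a in w[1:]:
                        cur["servers"].setdefault(ipaddress.ip_address(a), set()).add(w[0])
    pools = {n: p for n, p in pools.items() if p["on"] and p["net"] is not None}
    return pools, forbidden, detect


def audit_dhcp(config):
    """List server addresses a pool could still lease, plus a missing detect setting."""
    pools, forbidden, detect = parse_dhcp_config(config)
    findings = []
    for name in sorted(pools):
        for addr in sorted(pools[name]["servers"]):
            roles = "/".join(sorted(pools[name]["servers"][addr]))
            # The address may belong to another pool's network than the one listing it.
            owner = next((n for n in sorted(pools) if addr in pools[n]["net"]), None)
            excluded = any(lo <= addr <= hi for lo, hi in forbidden)
            if owner is not None and not excluded:
                findings.append(f"{addr} ({roles} of {name}) can still be leased from {owner}")
    if not detect:
        findings.append("dhcp server detect is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp(ROUTER_B):
        print(finding)
```

The same check covers interface address pools, where the options appear as dhcp server dns-list and dhcp server nbns-list under an interface that has dhcp select interface.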

4.8.5 Example for Configuring the DHCP Option Association

Networking Requirements

As shown in Figure 4-5, the four DHCP clients transmit different types of services. After the DHCP option is configured to associate with the addresses of the DHCP server and relay agent, packets from clients can be forwarded to the corresponding DHCP server. In this manner, configuration information such as the IP address can be provided for different clients.


As a DHCP server, Router B is configured with two global address pools of two network segments being 10.1.0.0/16 and 20.1.0.0/16 respectively. In addition, Router B is configured with the route to the relay device Router A. On the network segment 10.1.0.0/16, 10.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway. On the network segment 20.1.0.0/16, 20.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway.

As a DHCP server, Router C is configured with two global address pools of two network segments being 30.1.0.0/16 and 40.1.0.0/16 respectively. In addition, Router C is configured with the route to the relay device Router A. On the network segment 30.1.0.0/16, 30.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway. On the network segment 40.1.0.0/16, 40.1.1.1/16 is the address of the DNS server, NetBIOS server, and egress gateway.

Figure 4-5 Networking diagram of configuring the DHCP option association

[Figure labels: DHCP clients A, B, C and D; DSLAM; Router A (DHCP relay) with GE1/0/0 (10.1.1.1/16; sub addresses 20.1.1.1/16, 30.1.1.1/16 and 40.1.1.1/16), POS2/0/0 (101.40.1.1/16) and POS3/0/0 (202.40.1.1/16); Router B (DHCP server) with POS1/0/0 (101.40.1.2/16); Router C (DHCP server) with POS1/0/0 (202.40.1.2/16)]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the association between the DHCP option and the IP address of each interface on Router A.
2. Configure the DHCP function and address pools on Router B.
3. Configure the DHCP function and address pools on Router C.

Data Preparation

To complete the configuration, you need the following data:

- Primary and secondary IP addresses of the interface that functions as the DHCP relay agent
- IP address of each DHCP server
- DHCP option

Procedure

Step 1 Do as follows on the relay device:

# Enable DHCP.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] dhcp enable

# Configure the IP address of POS 2/0/0.

[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address 101.40.1.1 255.255.0.0
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit

# Configure the IP address of POS 3/0/0.

[RouterA] interface pos 3/0/0
[RouterA-Pos3/0/0] ip address 202.40.1.1 255.255.0.0
[RouterA-Pos3/0/0] undo shutdown
[RouterA-Pos3/0/0] quit

# Enter the view of the interface to be configured with the DHCP relay function. Configure the IP address and DHCP option association for the interface.

[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ip address 20.1.1.1 255.255.0.0 sub
[RouterA-GigabitEthernet1/0/0] ip address 30.1.1.1 255.255.0.0 sub
[RouterA-GigabitEthernet1/0/0] ip address 40.1.1.1 255.255.0.0 sub
[RouterA-GigabitEthernet1/0/0] ip relay address 101.40.1.2
[RouterA-GigabitEthernet1/0/0] ip relay address 101.40.1.2 dhcp-option 45
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2 dhcp-option 60
[RouterA-GigabitEthernet1/0/0] ip relay address 202.40.1.2 dhcp-option 60 abc
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 10.1.1.1
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 20.1.1.1 dhcp-option 45
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 30.1.1.1 dhcp-option 60
[RouterA-GigabitEthernet1/0/0] ip relay giaddr 40.1.1.1 dhcp-option 60 abc
[RouterA-GigabitEthernet1/0/0] dhcp select relay
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Do as follows on Router B functioning as a DHCP server:

# Configure the routes from Router B to Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip route-static 10.1.0.0 255.255.0.0 101.40.1.1
[RouterB] ip route-static 20.1.0.0 255.255.0.0 101.40.1.1

# Enable DHCP on RouterB.

[RouterB] dhcp enable

# Configure the clients connected to POS 1/0/0 to obtain IP addresses from the global address pool.

[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 101.40.1.2 255.255.0.0
[RouterB-Pos1/0/0] dhcp select global
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit


# Configure the IP addresses that cannot be automatically allocated, including the DNS server address, NetBIOS address, and egress gateway address.

[RouterB] dhcp server forbidden-ip 10.1.1.1 10.1.1.2
[RouterB] dhcp server forbidden-ip 20.1.1.1

# Configure the attributes for DHCP address pool 1, including the address pool range, domain name, egress gateway, DNS address, and address lease.

[RouterB] dhcp server ip-pool 1
[RouterB-dhcp-1] network 10.1.0.0 mask 255.255.0.0
[RouterB-dhcp-1] domain-name abc.com
[RouterB-dhcp-1] dns-list 10.1.1.1
[RouterB-dhcp-1] nbns-list 10.1.1.1
[RouterB-dhcp-1] gateway-list 10.1.1.1
[RouterB-dhcp-1] expired day 10 hour 12
[RouterB-dhcp-1] quit

# Configure the attributes for DHCP address pool 2, including the address pool range, domain name, egress gateway, DNS address, and address lease.

[RouterB] dhcp server ip-pool 2
[RouterB-dhcp-2] network 20.1.0.0 mask 255.255.0.0
[RouterB-dhcp-2] domain-name def.com
[RouterB-dhcp-2] dns-list 20.1.1.1
[RouterB-dhcp-2] nbns-list 20.1.1.1
[RouterB-dhcp-2] gateway-list 20.1.1.1
[RouterB-dhcp-2] expired day 10 hour 12
[RouterB-dhcp-2] quit

Step 3 Do as follows on Router C functioning as a DHCP server:

# Configure the route from Router C to Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] ip route-static 30.1.0.0 255.255.0.0 202.40.1.1
[RouterC] ip route-static 40.1.0.0 255.255.0.0 202.40.1.1

# Enable DHCP on RouterC.

[RouterC] dhcp enable

# Configure the clients connected to POS 1/0/0 to obtain IP addresses from the global address pool.

[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] ip address 202.40.1.2 255.255.0.0
[RouterC-Pos1/0/0] dhcp select global
[RouterC-Pos1/0/0] undo shutdown
[RouterC-Pos1/0/0] quit

# Configure the IP addresses that do not participate in the auto-allocation, including the DNS server address, NetBIOS address, and egress gateway address.

[RouterC] dhcp server forbidden-ip 30.1.1.1
[RouterC] dhcp server forbidden-ip 40.1.1.1

# Configure the attributes for DHCP address pool 1, including the address pool range, domain name, egress gateway, DNS address, and address lease.

[RouterC] dhcp server ip-pool 1
[RouterC-dhcp-1] network 30.1.0.0 mask 255.255.0.0
[RouterC-dhcp-1] domain-name ghi.com
[RouterC-dhcp-1] dns-list 30.1.1.1
[RouterC-dhcp-1] nbns-list 30.1.1.1
[RouterC-dhcp-1] gateway-list 30.1.1.1
[RouterC-dhcp-1] expired day 10 hour 12
[RouterC-dhcp-1] quit

# Configure the attributes for DHCP address pool 2, including the address pool range, domain name, egress gateway, DNS address, and address lease.

[RouterC] dhcp server ip-pool 2
[RouterC-dhcp-2] network 40.1.0.0 mask 255.255.0.0
[RouterC-dhcp-2] domain-name jkl.com
[RouterC-dhcp-2] dns-list 40.1.1.1
[RouterC-dhcp-2] nbns-list 40.1.1.1
[RouterC-dhcp-2] gateway-list 40.1.1.1
[RouterC-dhcp-2] expired day 10 hour 12
[RouterC-dhcp-2] quit

Step 4 Verify the configuration.

Run the display dhcp relay address all command on Router A. You can view the configuration of the interface enabled with the DHCP relay function.

[RouterA] display dhcp relay address all
 ** GigabitEthernet1/0/0 DHCP Relay Address **
 DHCP Option   Relay Agent IP   Server IP
 *             10.1.1.1         101.40.1.2
 45            20.1.1.1         101.40.1.2
 60(*)         30.1.1.1         202.40.1.2
 60(abc)       40.1.1.1         202.40.1.2

Run the display dhcp server tree command on Router B. You can view information about DHCP address pools in a tree structure, including DNS, IP address lease, and parameters such as the option.

[RouterB] display dhcp server tree all
Global pool:
Pool name: 1
 network 10.1.0.0 mask 255.255.0.0
 gateway-list 10.1.1.1
 dns-list 10.1.1.1
 domain-name abc.com
 nbns-list 10.1.1.1
 expired day 10 hour 12 minute 0
Pool name: 2
 network 20.1.0.0 mask 255.255.0.0
 gateway-list 20.1.1.1
 dns-list 20.1.1.1
 domain-name def.com
 nbns-list 20.1.1.1
 expired day 10 hour 12 minute 0

Run the display dhcp server tree command on Router C. You can view information about DHCP address pools in a tree structure, including DNS, IP address lease, and parameters such as the option.

[RouterC] display dhcp server tree all
Global pool:
Pool name: 1
 network 30.1.0.0 mask 255.255.0.0
 gateway-list 30.1.1.1
 dns-list 30.1.1.1
 domain-name ghi.com
 nbns-list 30.1.1.1
 expired day 10 hour 12 minute 0
Pool name: 2
 network 40.1.0.0 mask 255.255.0.0
 gateway-list 40.1.1.1
 dns-list 40.1.1.1
 domain-name jkl.com
 nbns-list 40.1.1.1
 expired day 10 hour 12 minute 0


----End
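How the option association on Router A steers a client request to a server and, through giaddr, to one of that server's pools, as an added example that is not part of the Huawei guide. The relay table and pools are taken from the output above; the row precedence (value match over option present over "*"), the exact comparison of the option 60 value, the constructed DISCOVER packet and all function names are assumptions, while pool selection by giaddr follows RFC 2131.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])          # marks the start of the DHCP options field
HOPS, GIADDR, OPTIONS = 3, slice(24, 28), 240    # offsets in the BOOTP header

# Rows of "display dhcp relay address all" on Router A:
# (option code or None for "*", value or None for any value, relay agent IP, server IP)
RELAY_TABLE = [
    (None, None, "10.1.1.1", "101.40.1.2"),
    (45, None, "20.1.1.1", "101.40.1.2"),
    (60, None, "30.1.1.1", "202.40.1.2"),
    (60, b"abc", "40.1.1.1", "202.40.1.2"),
]
# Global pools from the Router B and Router C configuration: (server IP, pool, network)
POOLS = [
    ("101.40.1.2", "RouterB pool 1", "10.1.0.0/16"),
    ("101.40.1.2", "RouterB pool 2", "20.1.0.0/16"),
    ("202.40.1.2", "RouterC pool 1", "30.1.0.0/16"),
    ("202.40.1.2", "RouterC pool 2", "40.1.0.0/16"),
]


def parse_options(field):
    """Decode code/length/value options (RFC 2132) into {code: value}."""
    opts, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == 255:                          # End option
            break
        if code == 0:                            # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(field) or i + 2 + field[i + 1] > len(field):
            raise ValueError("truncated DHCP option %d" % code)
        length = field[i + 1]
        opts[code] = opts.get(code, b"") + field[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def select_row(opts):
    """Pick (relay agent IP, server IP); assumed precedence: value match, option present, '*'."""
    best_score, best = -1, None
    for code, value, giaddr, server in RELAY_TABLE:
        if code is None:
            score = 0
        elif code in opts and value is None:
            score = 1
        elif code in opts and opts[code] == value:
            score = 2
        else:
            continue
        if score > best_score:                   # ties keep the earlier table row
            best_score, best = score, (giaddr, server)
    return best


def relay(packet):
    """Return (server IP, relayed packet) for a client request received on GE 1/0/0."""
    if len(packet) < OPTIONS or packet[236:240] != MAGIC_COOKIE or packet[0] != 1:
        raise ValueError("not a DHCP client request")
    giaddr, server = select_row(parse_options(packet[OPTIONS:]))
    out = bytearray(packet)
    out[HOPS] = min(out[HOPS] + 1, 255)
    if bytes(out[GIADDR]) == bytes(4):           # RFC 1542: only the first relay fills giaddr
        out[GIADDR] = ipaddress.IPv4Address(giaddr).packed
    return server, bytes(out)


def serving_pool(server, packet):
    """Pool the server allocates from: the one whose network contains giaddr."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR])
    for srv, name, net in POOLS:
        if srv == server and giaddr in ipaddress.ip_network(net):
            return name
    return None


def build_discover(options=b""):
    """Constructed minimal DHCPDISCOVER: BOOTP header, cookie, option 53, extra options, End."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                         b"", b"", b"", b"", bytes.fromhex("020000000001"), b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, 1]) + options + b"\xff"


def route(options=b""):
    """Relay a constructed DISCOVER carrying `options` and name the pool that answers it."""
    server, relayed = relay(build_discover(options))
    return server, serving_pool(server, relayed)


if __name__ == "__main__":
    for label, opt in [("no option", b""), ("option 60 = abc", bytes([60, 3]) + b"abc")]:
        print(label, "->", route(opt))
```

Option 60 is set by the client, so the value a client sends decides which server and pool answer it; the address plan behind each option row should be sized with that in mind.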

Configuration Files

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.0.0
 ip address 20.1.1.1 255.255.0.0 sub
 ip address 30.1.1.1 255.255.0.0 sub
 ip address 40.1.1.1 255.255.0.0 sub
 ip relay address 101.40.1.2
 ip relay address 101.40.1.2 dhcp-option 45
 ip relay address 202.40.1.2 dhcp-option 60
 ip relay address 202.40.1.2 dhcp-option 60 abc
 ip relay giaddr 10.1.1.1
 ip relay giaddr 20.1.1.1 dhcp-option 45
 ip relay giaddr 30.1.1.1 dhcp-option 60
 ip relay giaddr 40.1.1.1 dhcp-option 60 abc
 dhcp select relay
#
interface Pos 1/0/0
 undo shutdown
 ip address 101.40.1.1 255.255.0.0
#
return
#
interface Pos 2/0/0
 undo shutdown
 ip address 202.40.1.1 255.255.0.0
#
return

- Configuration file of Router B

#
 sysname RouterB
#
dhcp server ip-pool 1
 network 10.1.0.0 mask 255.255.0.0
 gateway-list 10.1.1.1
 dns-list 10.1.1.1
 domain-name abc.com
 nbns-list 10.1.1.1
 expired day 10 hour 12
#
#
dhcp server ip-pool 2
 network 20.1.0.0 mask 255.255.0.0
 gateway-list 20.1.1.1
 dns-list 20.1.1.1
 domain-name def.com
 nbns-list 20.1.1.1
 expired day 10 hour 12
#
interface Pos 1/0/0
 undo shutdown
 ip address 101.40.1.2 255.255.0.0
#
dhcp server forbidden-ip 10.1.1.1 10.1.1.2
dhcp server forbidden-ip 20.1.1.1
#
ip route-static 10.1.0.0 255.255.0.0 101.40.1.1
ip route-static 20.1.0.0 255.255.0.0 101.40.1.1
#
return

- Configuration file of Router C

#
 sysname RouterC
#
dhcp server ip-pool 1
 network 30.1.0.0 mask 255.255.0.0
 gateway-list 30.1.1.1
 dns-list 30.1.1.1
 domain-name ghi.com
 nbns-list 30.1.1.1
 expired day 10 hour 12
#
#
dhcp server ip-pool 2
 network 40.1.0.0 mask 255.255.0.0
 gateway-list 40.1.1.1
 dns-list 40.1.1.1
 domain-name jkl.com
 nbns-list 40.1.1.1
 expired day 10 hour 12
#
interface Pos 1/0/0
 undo shutdown
 ip address 202.40.1.2 255.255.0.0
#
dhcp server forbidden-ip 30.1.1.1
dhcp server forbidden-ip 40.1.1.1
#
ip route-static 30.1.0.0 255.255.0.0 202.40.1.1
ip route-static 40.1.0.0 255.255.0.0 202.40.1.1
#
return


5 IP Performance Configuration

About This Chapter

This chapter describes the parameters and function required for IP performance optimization and provides procedures and examples for optimizing IP performance.

5.1 IP Performance Overview
This section describes the parameters and concepts concerning IP performance.

5.2 Improving IP Performance
This section describes how to enhance the performance of a specified network through setting some IP parameters.

5.3 Configuring TCP
This section describes how to configure a TCP timer and specify the size of a sliding window.

5.4 Configuring Load Balancing for IP Packet Forwarding
This section describes how to configure the load balancing mode for IP packet forwarding and how to configure the Unequal Cost Multipath Protocol (UCMP).

5.5 Maintaining IP Performance
This section describes how to clear IP/TCP/UDP statistics and debug IP/TCP/UDP.

5.6 Configuration Examples
This section provides several configuration examples of the IP performance.


5.1 IP Performance Overview

This section describes the parameters and concepts concerning IP performance.

5.1.1 Introduction to IP Performance

5.1.2 IP Performance Supported by the NE5000E

5.1.1 Introduction to IP Performance

IP performance optimization should be performed on the basis of configurations of some parameters and enablement of related functions, for example, the interface MTU, ICMP attributes, and TCP attributes.

Internet Control Message Protocol (ICMP) messages are used by either the IP layer or the higher layer protocol (TCP or UDP). ICMP communicates error messages or other information that requires attention.

5.1.2 IP Performance Supported by the NE5000E

ICMP

- ICMP Host Unreachable messages
  When forwarding packets, the device discards the packets and returns an ICMP host unreachable message to the source, to notify the source that it must stop sending packets to this destination, if the device encounters the following situations:
  – There is no route to the destination.
  – The packet is not for itself.

- ICMP Redirection messages
  During packet forwarding, if the device finds the following situations, the device sends an ICMP redirection message to the source device to notify the host to reselect a correct device to send packets.
  – The interfaces to receive and forward packets are the same.
  – The selected route is not created or modified by the ICMP redirection packet.
  – The selected route is not the route destined for the destination 0.0.0.0.
  – The subnet mask bit of the source address is the same as that of the outgoing interface.

- ICMP packet sending switches
  In normal circumstances, ICMP host unreachable and redirection messages can ensure normal packet transmission. However, when devices encounter the preceding conditions frequently, network traffic becomes heavy because devices send a large number of ICMP messages. This increases the traffic burden. In the case of malicious attacks, network congestion becomes worse.
  To solve this problem, the ICMP host unreachable function can be deployed on the outbound interface. If this function is disabled, the device does not send out ICMP host unreachable messages; as a result, the traffic burden on the network is relieved and malicious attacks on the network are prevented.


Unequal-Cost Load Balancing

The NE5000E supports Unequal-Cost Multiple Path (UCMP) among all equal-cost routes to the same destination.

UCMP supports only flow-based IP packet forwarding.

UCMP applies only to equal-cost routes. It is independent of routing protocols. That is, it does not matter whether the Interior Gateway Protocol (IGP) or the Border Gateway Protocol (BGP) is used.

Among the paths that perform UCMP, the bandwidth of each path must not be lower than 1/16 of the total bandwidth; otherwise, the path does not participate in UCMP.

The unequal-cost load balancing is classified into interface unequal-cost load balancing and global unequal-cost load balancing. The differences between these two modes are described as follows:

- For the interface unequal-cost load balancing, you need to enable the unequal-cost load balancing on all the outgoing interfaces that can forward packets. For the global unequal-cost load balancing, you need to enable the unequal-cost load balancing only in the system view.

- After the interface unequal-cost load balancing is enabled, you need to restart any interface to trigger the delivery of FIB entries. After the global unequal-cost load balancing is enabled, FIB entries can be delivered automatically.

The interface unequal-cost load balancing and the global unequal-cost load balancing are mutually exclusive. You cannot enable both of them.

5.2 Improving IP Performance

This section describes how to enhance the performance of a specified network through setting some IP parameters.

5.2.1 Establishing the Configuration Task

5.2.2 Configuring the Maximum Transmission Unit of the Interface

5.2.3 Configuring ICMP Attributes

5.2.4 Checking the Configuration

5.2.1 Establishing the Configuration Task

Applicable Environment

In some special network environments, you must adjust the IP parameters to achieve the best performance. Improving IP performance involves configurations of a series of parameters.

Pre-configuration Tasks

Before improving IP performance, complete the following tasks:

- Configuring the physical parameters for related interfaces and ensuring that the status of the physical layer of the interface is Up
- Configuring the link layer protocol for related interfaces and ensuring that the status of the link layer protocol on the interface is Up
- Configuring the IP addresses for related interfaces

Data Preparation

To improve IP performance, you need the following data.

No.  Data
1    Number and MTU value of the interface
2    Number of the interface which needs source address verification
3    Number of the interface which needs to forward broadcast packets and ACL number
4    Number of the interface which needs to clear the DF
5    Number of the interface which needs to configure ICMP host-unreachable

5.2.2 Configuring the Maximum Transmission Unit of the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
mtu mtu

The maximum transmission unit of the interface is configured.

----End

Postrequisite

The MTU of the interface determines whether packets are fragmented on the interface.

The default MTU value varies with the interface type. Use the display interface command to find out the value used.


NOTE

After configuring the MTU on an interface, you must restart the interface; otherwise, the configuration cannot take effect. To restart the interface, run the restart command or the shutdown and then undo shutdown commands.

5.2.3 Configuring ICMP Attributes

Context
By default, sending unreachable packets is enabled.

CAUTION
If the transmission of ICMP host unreachable messages is disabled, the device no longer sends the ICMP host unreachable message.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
icmp host-unreachable send

Sending ICMP host unreachable packets is enabled.

----End

5.2.4 Checking the Configuration

Prerequisite
The configurations for improving IP performance are complete.

Procedure
- Run the display udp statistics command to check the UDP traffic statistics.
- Run the display ip interface [ interface-type interface-number ] command or display ip interface brief [ interface-type [ interface-number ] | slot slot-id [ card card-number ] ] command to check the table information of the IP layer interface.
- Run the display ip statistics [ slot slot-id ] command to check the IP traffic statistics.
- Run the display icmp statistics [ slot slot-id ] command to check the ICMP traffic statistics.


- Run the display rawlink statistics command to check the Rawlink statistics.
- Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type sock-type ] command to check all the current socket API information.

----End

Example
Run the display udp statistics command. If the UDP traffic statistics are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display udp statistics
Received packets:
  Total: 0
  Total(64bit high-capacity counter): 0
  checksum error: 0
  shorter than header: 0, data length larger than packet: 0
  unicast(no socket on port): 0
  broadcast/multicast(no socket on port): 0
  not delivered, input socket full: 0
  input packets missing pcb cache: 0

Sent packets:
  Total: 0
  Total(64bit high-capacity counter): 0

Run the display ip interface command. If the information about IP interfaces is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display ip interface gigabitethernet 2/0/2
GigabitEthernet2/0/2 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 1338, bytes : 117744, multicasts : 1338
output packets : 1336, bytes : 106884, multicasts : 1336
Directed-broadcast packets:
  received packets: 0, sent packets: 0
  forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
  Request packet: 0
  Reply packet: 0
  Unknown packet: 0
Internet Address is 120.1.1.1/24
Broadcast address : 120.1.1.255
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
  Echo reply: 0
  Unreachable: 0
  Source quench: 0
  Routing redirect: 0
  Echo request: 0
  Router advert: 0
  Router solicit: 0
  Time exceed: 0
  IP header bad: 0
  Timestamp request: 0
  Timestamp reply: 0
  Information request: 0
  Information reply: 0
  Netmask request: 0
  Netmask reply: 0
  Unknown type: 0
DHCP packet deal mode: global

Run the display ip statistics command. If the IP traffic statistics are displayed, it means that the configuration succeeds. For example:


<HUAWEI> display ip statistics

Run the display icmp statistics command. If the ICMP traffic statistics are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display icmp statistics
  Input: bad formats          0     bad checksum             0
         echo                 0     destination unreachable  0
         source quench        0     redirects                0
         echo reply           0     parameter problem        0
         timestamp            0     information request      0
         mask requests        0     mask replies             0
         time exceeded        0
         Mping request        0     Mping reply              0
  Output:echo                 0     destination unreachable  0
         source quench        0     redirects                0
         echo reply           0     parameter problem        0
         timestamp            0     information reply        0
         mask requests        0     mask replies             0
         time exceeded        0
         Mping request        0     Mping reply              0

Run the display rawlink statistics command. If the Rawlink statistics are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display rawlink statistics
Received packets:
  Total: 1771645
  ifnet is null: 0
  input packets missing pcb cache: 1181096
  not pass multicast: 0
  no join multicast: 0
  full sock and pstMBuf to be freed: 0
  full sock and nothing to be freed: 0
  full sock and other reason: 0

Send packets:
  Total: 125850

5.3 Configuring TCP

This section describes how to configure a TCP timer and specify the size of a sliding window.

5.3.1 Establishing the Configuration Task

5.3.2 Configuring TCP Timer

5.3.3 Specifying the Size of a TCP Sliding Window

5.3.4 Checking the Configuration

5.3.1 Establishing the Configuration Task

Applicable Environment

None.

Pre-configuration Tasks

None.


Data Preparation

To configure TCP, you need the following data.

No.  Data
1    SYN-WAIT timer, FIN-WAIT timer, receiving and sending buffer size of the socket

5.3.2 Configuring TCP Timer

Context

The types of TCP timers are as follows:

- The SYN-Wait timer: On sending SYN packets, TCP starts the SYN-Wait timer. If response packets are not received before the SYN-Wait timer times out, the TCP connection is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and the default value is 75 seconds.

- The FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to FIN_WAIT_2, the FIN-Wait timer starts. If FIN packets are not received before the FIN-Wait timer times out, the TCP connection is terminated. The FIN-Wait timer timeout ranges from 76 seconds to 3600 seconds, and the default value is 675 seconds.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tcp timer syn-timeout interval

The SYN-Wait timer for setting up TCP connections is configured.

Step 3 Run:
tcp timer fin-timeout interval

The FIN_WAIT_2 timer of TCP connections is configured.

----End

5.3.3 Specifying the Size of a TCP Sliding Window

Context

Do as follows on the router:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tcp window window-size

The receiving/sending buffer size of the TCP socket is configured.

window-size specifies the receiving and sending buffer size of the connection-oriented socket. It ranges from 1 Kbytes to 32 Kbytes, and the default value is 8 Kbytes.

----End

5.3.4 Checking the Configuration

Prerequisite
The configurations of the TCP function are complete.

Procedure
- Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ] command to check the TCP connection status.

- Run the display tcp statistics command to check the TCP traffic statistics.

----End

Example
Run the display tcp status command. If the information about the TCP connection status is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port  Foreign Add:port  VPNID  State
0a5d560c  30 /1     0.0.0.0:23      0.0.0.0:0         14849  Listening

Run the display tcp statistics command. If the TCP traffic statistics are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display tcp statistics
Received packets:
  Total: 0
  Total(64bit high-capacity counter): 0
  packets in sequence: 0 (0 bytes)
  window probe packets: 0, window update packets: 0
  checksum error: 0, offset error: 0, short error: 0

  duplicate packets: 0 (0 bytes), partially duplicate packets: 0 (0 bytes)
  out-of-order packets: 0 (0 bytes)
  packets of data after window: 0 (0 bytes)
  packets received after close: 0

  ACK packets: 0 (0 bytes)
  duplicate ACK packets: 0, too much ACK packets: 0

Sent packets:


  Total: 0
  Total(64bit high-capacity counter): 0
  urgent packets: 0
  control packets: 0 (including 0 RST)
  window probe packets: 0, window update packets: 0

  data packets: 0 (0 bytes), data packets retransmitted: 0 (0 bytes)
  ACK-only packets: 0 (0 delayed)

Other information:
  Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
  Keep alive timeout: 0, keep alive probe: 0, Keep alive timeout, so connections disconnected : 0
  Initiated connections: 0, accepted connections: 0, established connections: 0
  Closed connections: 0 (dropped: 0, initiated dropped: 0)
  Packets dropped with MD5 authentication: 0
  Packets permitted with MD5 authentication: 0

5.4 Configuring Load Balancing for IP Packet Forwarding

This section describes how to configure the load balancing mode for IP packet forwarding and how to configure the Unequal Cost Multipath Protocol (UCMP).

5.4.1 Establishing the Configuration Task

5.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding

5.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding

5.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding

5.4.5 Checking the Configuration

5.4.1 Establishing the Configuration Task

Applicable Environment
The Equal Cost Multipath Protocol (ECMP) involves evenly distributing traffic among multiple equal-cost paths, regardless of the difference in path bandwidth. This, however, usually leads to traffic congestion on the low-bandwidth path.

The Unequal Cost Multipath Protocol (UCMP) involves proportionally distributing traffic among multiple equal-cost paths by considering the difference in path bandwidth. This can achieve more reasonable load balancing because traffic is proportionally distributed among paths.

Pre-configuration Tasks
Before configuring load balancing for IP packet forwarding, complete the following tasks:

- Connecting interfaces and setting physical parameters for interfaces to ensure that the physical layer status of each interface is Up

- Setting parameters of the link layer protocol for interfaces to ensure that the status of the link layer protocol on each interface is Up

Data Preparation
To configure load balancing for IP packet forwarding, you need the following data.


No.  Data
1    Interface type and interface number
2    IP address and subnet mask for the interface

5.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding

Context

Load balancing can be enabled during IP packet forwarding.

When flow-based load balancing is carried out, the device considers the protocol type, source IP address and mask, destination IP address and mask, source port range, and destination port range, and then uses the hash algorithm to calculate a value. Based on the calculated value, it chooses a link to forward the packets.

When packet-based load balancing is carried out, the device chooses among the multiple links packet by packet to forward the packets.

By default, flow-based load balancing is adopted.
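The difference between ECMP and UCMP described in 5.4.1, combined with the flow-based hash selection described above, can be seen in a short simulation. This is an added example, not Huawei's code: SHA-256 stands in for the router's hash algorithm, which this guide does not specify, and the path bandwidths and flows are constructed.

```python
import hashlib
from collections import Counter

# Router A's three outgoing interfaces toward Router E (names from section 5.6.2).
# The bandwidths in Mbit/s are constructed for this example; the guide gives none.
PATHS = {"POS4/0/0": 155, "GE3/0/0": 1000, "GE2/0/0": 1000}


def flow_hash(proto, src_ip, dst_ip, src_port, dst_port):
    """Hash the flow fields to an integer.

    SHA-256 is a stand-in: the router's real hash algorithm is not given
    in this guide.
    """
    key = f"{proto}|{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def pick_ecmp(h, paths):
    """ECMP: each path owns an equal slice of the hash space."""
    names = sorted(paths)
    return names[h % len(names)]


def pick_ucmp(h, paths):
    """UCMP: each path owns a slice proportional to its bandwidth."""
    slot = h % sum(paths.values())
    for name in sorted(paths):
        if slot < paths[name]:
            return name
        slot -= paths[name]
    raise RuntimeError("unreachable: slot is always below the total")


def constructed_flows(n):
    """Yield n distinct constructed TCP flows (protocol 6) toward one server."""
    for i in range(n):
        src_ip = f"10.1.{i // 250}.{i % 250 + 1}"
        yield (6, src_ip, "20.1.1.1", 1024 + i % 50000, 80)


def distribute(picker, paths, n_flows):
    """Count how many flows each path receives under the given picker."""
    counts = Counter({name: 0 for name in paths})
    for flow in constructed_flows(n_flows):
        counts[picker(flow_hash(*flow), paths)] += 1
    return counts


def relative_load(counts, paths):
    """Flow share divided by bandwidth share; 1.0 means a proportional load."""
    total_flows = sum(counts.values())
    total_bw = sum(paths.values())
    return {
        name: round((counts[name] / total_flows) / (paths[name] / total_bw), 2)
        for name in paths
    }


if __name__ == "__main__":
    for label, picker in (("ECMP", pick_ecmp), ("UCMP", pick_ucmp)):
        counts = distribute(picker, PATHS, 20000)
        print(label, dict(counts), relative_load(counts, PATHS))
```

Under ECMP the low-bandwidth path carries about a third of the flows, several times its bandwidth share, while under UCMP its relative load stays near 1.0. Because the choice depends only on the flow fields, all packets of one flow follow the same path in both modes.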

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
- load-balance { flow | packet } [ all | slot slot-id ]

  Packets on the device are load balanced.

- No operation is required if load balancing is performed on received packets. The device performs load balancing in flow-by-flow mode on the received packets according to the source and destination IP addresses.

----End

5.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding

Context

Do as follows on the router to implement the interface UCMP:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

NOTE

The interface must be an outgoing interface of equal-cost routes. Interface UCMP takes effect among paths only after UCMP is enabled on all outgoing interfaces of the equal-cost routes on the device and FIB entry delivery is triggered. If UCMP is not enabled on one of the outgoing interfaces, Equal-Cost Multiple Path (ECMP) is performed among the paths even though FIB entry delivery is triggered.

Interface UCMP cannot be enabled globally or on logical interfaces. It can be enabled only on physical main interfaces.

Step 3 Run:
load-balance unequal-cost enable

Interface UCMP is enabled for IP packet forwarding.

Route recalculation and FIB entry delivery are not triggered at once after UCMP is enabled or disabled on the interface through command lines. FIB entry delivery is performed only after UCMP configurations are validated.

Step 4 Run:
shutdown

The interface where UCMP is enabled is shut down.

Step 5 Run:
undo shutdown

The interface is restarted for validating UCMP configurations.

You can reset the interface where UCMP is enabled or disabled to trigger route recalculation and FIB entry delivery so that UCMP configurations can be validated.

NOTE

Restarting the interface is one method to trigger FIB entry delivery. You can also change the IP address of the interface to trigger FIB entry delivery and hence validate UCMP configurations.

----End

5.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding

Context

Do as follows on the router to implement global UCMP:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance unequal-cost enable

Global UCMP is enabled for IP packet forwarding.

By default, global UCMP is disabled.

NOTE

- The interfaces that support the UCMP function are Ethernet interfaces, Gigabit Ethernet interfaces, POS interfaces, Eth-Trunk interfaces, and IP-Trunk interfaces.

- Frequently enabling and then disabling UCMP on an interface greatly degrades the system performance. Therefore, the interval from enabling UCMP to disabling UCMP or from disabling UCMP to enabling UCMP must be equal to or longer than 5 minutes.

----End

5.4.5 Checking the Configuration

Prerequisite
All the load balancing configurations for IP packet forwarding are complete.

Procedure
- Run the display fib [ slot-id ] command to check the FIB table of the interface board.
- Run the display fib acl acl-number [ verbose ] command to check the filtered FIB information.
- Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ] [ verbose ] command to check the FIB entry which matches a destination address.
- Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command to check the FIB entry whose destination address is in the range of destination-address1 destination-mask1 to destination-address2 destination-mask2.
- Run the display fib ip-prefix prefix-name [ verbose ] command to check the FIB entries that have passed filtering in a certain format according to the input IP prefix name.
- Run the display fib interface interface-type interface-number command to check the FIB entries that have passed filtering in a certain format according to the input interface type and interface number.
- Run the display fib next-hop ip-address command to check the FIB entries that have passed filtering in a certain format according to the input next hop address.
- Run the display fib [ slot-id ] statistics command to check the total number of FIB entries.
- Run the display fib [ slot-id ] [ | { begin | exclude | include } regular-expression ] command to check the summary of the FIB.

----End


Example

Run the display fib command. If the brief information about the FIB is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display fib
 FIB Table:
 Total number of Routes : 3
Destination/Mask   Nexthop     Flag  TimeStamp  Interface  TunnelID
169.254.0.0/16     2.1.1.1     U     t[0]       GE1/0/0    0x0
2.0.0.0/16         2.1.1.1     U     t[0]       GE1/0/0    0x0
127.0.0.0/8        127.0.0.1   U     t[0]       InLoop0    0x0
<HUAWEI> display fib acl 2010
Route entry matched by access-list 2010:
Summary counts: 1
Destination/Mask   Nexthop     Flag  TimeStamp  Interface  TunnelID
127.0.0.0/8        127.0.0.1   U     t[0]       InLoop0    0x0

5.5 Maintaining IP Performance

This section describes how to clear IP/TCP/UDP statistics and debug IP/TCP/UDP.

5.5.1 Clearing IP Performance Statistics

5.5.2 Monitoring Network Operation Status of IP Performance

5.5.3 Debugging IP Performance

5.5.1 Clearing IP Performance Statistics

Context

CAUTION
IP/TCP/UDP statistics cannot be restored after you clear them. So, confirm the action before you use the command.

Procedure
- Run the reset ip statistics [ interface interface-type interface-number | slot slot-id ] command in the user view to clear the IP statistics.

- Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the user view to clear information on the socket monitor.

- Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.

- Run the reset udp statistics command in the user view to clear the UDP traffic statistics.

- Run the reset rawlink statistics command in the user view to clear the Rawlink statistics.

----End


5.5.2 Monitoring Network Operation Status of IP Performance

Context
In routine maintenance, you can run the following commands in any view to check the operation of IP performance.

Procedure
- Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ] command in any view to check TCP connection status.
- Run the display tcp statistics command in any view to check statistics about TCP traffic.
- Run the display udp statistics command in any view to check statistics about UDP traffic.
- Run the display ip interface [ interface-type interface-number ] command or display ip interface brief [ interface-type [ interface-number ] | slot slot-id [ card card-number ] ] command in any view to check information about IP interfaces.
- Run the display ip statistics [ slot slot-id ] command in any view to check statistics about IP traffic.
- Run the display icmp statistics [ slot slot-id ] command in any view to check statistics about ICMP traffic.
- Run the display rawlink statistics command in any view to check statistics about Rawlink.
- Run the display fib [ slot-id ] command in any view to check the FIB on the specified interface board.
- Run the display fib acl acl-number [ verbose ] command in any view to check the FIB information selectively through filtering.
- Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ] [ verbose ] command in any view to filter FIB entries by matching destination IP addresses.
- Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command in any view to check the FIB entries with the destination IP addresses in the range from destination-address1 destination-mask1 to destination-address2 destination-mask2.
- Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check the FIB entries that have passed filtering in a certain format according to the input IP prefix name.
- Run the display fib interface interface-type interface-number command in any view to check the FIB entries that have passed filtering in a certain format according to the input interface type and interface number.
- Run the display fib next-hop ip-address command in any view to check the FIB entries that have passed filtering in a certain format according to the input next hop address.
- Run the display fib [ slot-id ] statistics command in any view to check the total number of FIB entries.
- Run the display fib [ slot-id ] [ | { begin | exclude | include } regular-expression ] command in any view to check brief information about the forwarding table.
- Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type sock-type ] command in any view to check information about all the socket interfaces of the system.

----End


5.5.3 Debugging IP Performance

Context

CAUTION
Debugging affects the performance of the system. So after debugging, run the undo debugging all command to disable it immediately.

Run the following debugging commands in the user view to debug IP/TCP/UDP/RAWIP/RAWLINK and locate the fault.

For the procedure for displaying the debugging information, refer to chapter "Information Center Configuration" in the NE5000E Core Router Configuration Guide - System Management. For descriptions about the debugging commands, refer to the NE5000E Core Router Debugging Reference.

Procedure
- Run the debugging ip packet [ error ] [ acl acl-number ] [ verbose ] command in the user view to debug IP packets.

- Run the debugging ip icmp [ verbose ] command in the user view to debug ICMP.

- Run the debugging udp packet [ src-ip src-address ] [ src-port src-port ] [ dest-ip dest-address ] [ dest-port dest-port ] command or debugging udp packet [ task-id task-id ] [ socket-id socket-id ] command in the user view to debug UDP packets.

- Run the debugging tcp packet [ src-ip src-address ] [ src-port src-port ] [ dest-ip dest-address ] [ dest-port dest-port ] [ flag flag-number ] command or debugging tcp packet [ task-id task-id ] [ socket-id socket-id ] [ flag flag-number ] command in the user view to debug TCP packets.

- Run the debugging tcp event [ local-ip local-address ] [ local-port local-port ] [ remote-ip remote-address ] [ remote-port remote-port ] command or debugging tcp event [ task-id task-id ] [ socket-id socket-id ] command in the user view to debug TCP events.

- Run the debugging tcp md5 [ src-ip src-address ] [ src-port src-port ] [ dest-ip dest-address ] [ dest-port dest-port ] command or debugging tcp md5 [ task-id task-id ] [ socket-id socket-id ] command in the user view to debug TCP MD5 authentication.

- Run the debugging rawip packet [ src-ip src-address ] [ dest-ip dest-address ] [ protocol protocol-number ] [ verbose verbose-number ] command or debugging rawip packet [ task-id task-id ] [ socket-id socket-id ] [ verbose verbose-number ] command in the user view to debug RAWIP packets.

- Run the debugging rawlink packet [ src-mac src-mac ] [ dest-mac dest-mac ] [ verbose verbose-number ] command or debugging rawlink packet [ task-id task-id ] [ socket-id socket-id ] [ verbose verbose-number ] command in the user view to debug RAWLINK packets.

----End


5.6 Configuration Examples

This section provides several configuration examples of the IP performance.

5.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets

5.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding

5.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding

5.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 5-1, Router A, Router B and Router C are connected with each other through their Ethernet ports to test limiting transmission of host-unreachable packets.

Figure 5-1 Networking diagram of configuring ICMP host unreachable packets

[Figure: RouterA, RouterB and RouterC with an Internet cloud; interface labels GE 1/0/0 1.1.1.1/24, GE 1/0/0 1.1.1.2/24 and GE 1/0/0 2.2.2.2/24]

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure IP addresses for the interfaces on devices.
2. Configure static routes between devices that are not directly connected.
3. Enable limiting transmission of ICMP Host-unreachable packets.

Data Preparation

To complete the configuration, you need the following data:

- Static routes between devices that are not directly connected

- IP addresses for the interfaces

Procedure

Step 1 Configure Router A.

# Configure static routes on Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ip route-static 2.2.2.2 24 1.1.1.2

# Configure an IP address for GE 1/0/0.

[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure Router B.

# Disable sending ICMP host unreachable packets on Router B and configure an IP address for GE 1/0/0.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo icmp host-unreachable send
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit

Step 3 Configure Router C.

# Configure an IP address for GE 1/0/0 on Router C.

<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 2.2.2.2 24
[RouterC-GigabitEthernet1/0/0] undo shutdown
[RouterC-GigabitEthernet1/0/0] quit

Step 4 Verify the configuration.

# Enable the debugging of the ICMP packets of Router B.

<RouterB> debugging ip icmp

# Run the ping 2.2.2.2 command on Router A. If you can view that Router B does not send the host unreachable packets, it means that the configuration succeeds. For example:


[RouterA] ping 2.2.2.2

----End

Configuration Files
- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 undo icmp host-unreachable send
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
#
return
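Saved configuration files like the ones above can be checked offline against the settings this chapter documents. The following is an added example, not Huawei's code: it reports per interface whether ICMP host unreachable sending is still enabled (the default stated in 5.2.3) and flags TCP timer or window values outside the ranges given in 5.3.2 and 5.3.3. ROUTER_B is Router B's file from this section; CONSTRUCTED, its device name and addresses, and the way the tcp commands appear in a saved file are assumptions.

```python
import re

# Documented (min, max, default) from sections 5.3.2 and 5.3.3 of this guide.
TCP_LIMITS = {
    "tcp timer syn-timeout": (2, 600, 75),     # seconds
    "tcp timer fin-timeout": (76, 3600, 675),  # seconds
    "tcp window": (1, 32, 8),                  # Kbytes
}

# Router B's configuration file as printed in section 5.6.1.
ROUTER_B = """\
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 undo icmp host-unreachable send
#
return
"""

# Constructed sample (assumption): a templated file with one interface left at
# the ICMP default and a FIN-Wait value below the documented minimum.
CONSTRUCTED = """\
#
 sysname EdgeX
#
 tcp timer syn-timeout 30
 tcp timer fin-timeout 60
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.0.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 198.51.100.1 255.255.255.0
 undo icmp host-unreachable send
#
return
"""


def sections(config_text):
    """Yield each '#'-delimited section as a list of stripped, non-empty lines."""
    current = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                yield current
            current = []
        elif line:
            current.append(line)
    if current:
        yield current


def icmp_unreachable_state(config_text):
    """Map interface name -> True if it still sends ICMP host unreachable."""
    state = {}
    for sec in sections(config_text):
        m = re.match(r"interface\s+(\S+)$", sec[0])
        if m:
            # Sending is enabled by default; only the undo form turns it off.
            state[m.group(1)] = "undo icmp host-unreachable send" not in sec[1:]
    return state


def tcp_settings(config_text):
    """Return (effective values, list of out-of-range findings)."""
    values = {key: default for key, (_, _, default) in TCP_LIMITS.items()}
    findings = []
    for sec in sections(config_text):
        if sec[0].startswith("interface "):
            continue  # TCP parameters are set in the system view
        for line in sec:
            for key, (low, high, _) in TCP_LIMITS.items():
                m = re.fullmatch(re.escape(key) + r"\s+(\d+)", line)
                if not m:
                    continue
                value = int(m.group(1))
                if low <= value <= high:
                    values[key] = value
                else:
                    findings.append(f"{key} {value} outside {low}-{high}")
    return values, findings


if __name__ == "__main__":
    for name, text in (("RouterB", ROUTER_B), ("constructed", CONSTRUCTED)):
        print(name, icmp_unreachable_state(text), *tcp_settings(text))
```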

5.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 5-2, three paths exist between Router A and Router E. The three paths respectively travel through Router B, Router C, and Router D. It is required that the three paths between Router A and Router E perform UCMP during IP packet forwarding. In the example, the unequal-cost load balancing refers to the interface unequal-cost load balancing.


Figure 5-2 Networking diagram of configuring UCMP

[Figure: RouterA and RouterE connected over three paths, through RouterB, RouterC and RouterD; additional interface labels in the figure: GE1/0/0 10.1.1.1/24 and GE1/0/0 20.1.1.1/24]

Router    Interface  IP address
RouterA   POS4/0/0   30.1.1.1/24
          GE3/0/0    40.1.1.1/24
          GE2/0/0    50.1.1.1/24
RouterB   POS1/0/0   30.1.1.2/24
          POS2/0/0   60.1.1.2/24
RouterC   GE1/0/0    40.1.1.2/24
          GE2/0/0    70.1.1.2/24
RouterD   GE1/0/0    50.1.1.2/24
          GE2/0/0    80.1.1.2/24
RouterE   POS4/0/0   60.1.1.1/24
          GE3/0/0    70.1.1.1/24
          GE2/0/0    80.1.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure IGP on each device. Here, Intermediate System to Intermediate System (IS-IS) is taken as an example.

2. Enable the UCMP function on each interface of Router A so that the three paths between Router A and Router E can perform UCMP during IP packet forwarding.

Data Preparation
To complete the configuration, you need the following data:

- Interface type and number

- IP address of the interface

- IS-IS area ID and IS-IS level of each device


Procedure

Step 1 Configure an IP address for each interface. The detailed configuration procedure is not mentioned here.

Step 2 Configure basic IS-IS functions.

# Configure Router A.

[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis enable 1
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] isis enable 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface pos 4/0/0
[RouterA-Pos4/0/0] isis enable 1
[RouterA-Pos4/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] isis enable 1
[RouterA-GigabitEthernet3/0/0] quit

# Configure Router B.

[RouterB] isis 1
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] isis enable 1
[RouterB-Pos1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] isis enable 1
[RouterB-Pos2/0/0] quit

# Configure Router C.

[RouterC] isis 1
[RouterC-isis-1] is-level level-1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] isis enable 1
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] isis enable 1
[RouterC-GigabitEthernet2/0/0] quit

# Configure Router D.

[RouterD] isis 1
[RouterD-isis-1] is-level level-1
[RouterD-isis-1] network-entity 10.0000.0000.0004.00
[RouterD-isis-1] quit
[RouterD] interface gigabitethernet 1/0/0
[RouterD-GigabitEthernet1/0/0] isis enable 1
[RouterD-GigabitEthernet1/0/0] quit
[RouterD] interface gigabitethernet 2/0/0
[RouterD-GigabitEthernet2/0/0] isis enable 1
[RouterD-GigabitEthernet2/0/0] quit

# Configure Router E.

[RouterE] isis 1
[RouterE-isis-1] is-level level-1
[RouterE-isis-1] network-entity 10.0000.0000.0005.00
[RouterE-isis-1] quit
[RouterE] interface gigabitethernet 1/0/0
[RouterE-GigabitEthernet1/0/0] isis enable 1
[RouterE-GigabitEthernet1/0/0] quit
[RouterE] interface gigabitethernet 2/0/0
[RouterE-GigabitEthernet2/0/0] isis enable 1
[RouterE-GigabitEthernet2/0/0] quit
[RouterE] interface pos 4/0/0
[RouterE-Pos4/0/0] isis enable 1
[RouterE-Pos4/0/0] quit
[RouterE] interface gigabitethernet 3/0/0
[RouterE-GigabitEthernet3/0/0] isis enable 1
[RouterE-GigabitEthernet3/0/0] quit

Step 3 Check basic IS-IS configurations.

# View IS-IS routing information on Router A.

[RouterA] display isis route
                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

 IPV4 Destination   IntCost   ExtCost   ExitInterface   NextHop     Flags
--------------------------------------------------------------------------------
 10.1.1.0/24        10        NULL      GE1/0/0         Direct      D/-/L/-/-
 20.1.1.0/24        30        NULL      GE3/0/0         40.1.1.2    A/-/-/-/C
                                        GE2/0/0         50.1.1.2
                                        Pos4/0/0        30.1.1.2
 30.1.1.0/24        10        NULL      Pos4/0/0        Direct      D/L/-
 40.1.1.0/24        10        NULL      GE3/0/0         Direct      D/L/-
 50.1.1.0/24        10        NULL      GE2/0/0         Direct      D/L/-
 60.1.1.0/24        20        NULL      Pos4/0/0        30.1.1.2    R/-/-
 70.1.1.0/24        20        NULL      GE3/0/0         40.1.1.2    A/-/-/-/-
 80.1.1.0/24        20        NULL      GE2/0/0         50.1.1.2    R/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
            U-Up/Down Bit Set, C-In Computing

# Ping 20.1.1.1 from Router A. By viewing the display on the Network Management Station (NM Station), you can find that equal-cost load balancing is implemented among outgoing interfaces.

<RouterA> ping 20.1.1.1
  PING 20.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
    Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms

  --- 20.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/16/64 ms

Step 4 Enable UCMP on each outgoing interface of Router A.

[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] load-balance unequal-cost enable
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface pos 4/0/0
[RouterA-Pos4/0/0] load-balance unequal-cost enable
[RouterA-Pos4/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] load-balance unequal-cost enable
[RouterA-GigabitEthernet3/0/0] quit

Step 5 Re-enable GigabitEthernet2/0/0, GigabitEthernet3/0/0, and POS4/0/0 to validate UCMP configurations on Router A.

[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] shutdown
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] shutdown
[RouterA-GigabitEthernet3/0/0] undo shutdown
[RouterA-GigabitEthernet3/0/0] quit
[RouterA] interface pos 4/0/0
[RouterA-Pos4/0/0] shutdown
[RouterA-Pos4/0/0] undo shutdown

Step 6 Verify the configuration.

# Ping 20.1.1.1 from Router A. By viewing the display on the NM Station, you can find that UCMP is realized among outgoing interfaces.

<RouterA> ping 20.1.1.1
  PING 20.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
    Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms

  --- 20.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/16/64 ms

----End

Configuration Files

• Configuration file of Router A
#
 sysname RouterA
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0/0
 undo shutdown
 load-balance unequal-cost enable
 ip address 50.1.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0/0
 undo shutdown
 load-balance unequal-cost enable
 ip address 40.1.1.1 255.255.255.0
 isis enable 1
#
interface Pos4/0/0
 link-protocol ppp
 undo shutdown
 load-balance unequal-cost enable
 ip address 30.1.1.1 255.255.255.0
 isis enable 1
#
return

• Configuration file of Router B
#
 sysname RouterB
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.2 255.255.255.0
 isis enable 1
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 60.1.1.2 255.255.255.0
 isis enable 1
#
return

• Configuration file of Router C
#
 sysname RouterC
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 40.1.1.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 70.1.1.2 255.255.255.0
 isis enable 1
#
return

• Configuration file of Router D
#
 sysname RouterD
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0004.00
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 50.1.1.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 80.1.1.2 255.255.255.0
 isis enable 1
#
return


• Configuration file of Router E
#
 sysname RouterE
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0005.00
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 80.1.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 70.1.1.1 255.255.255.0
 isis enable 1
#
interface Pos4/0/0
 link-protocol ppp
 undo shutdown
 ip address 60.1.1.1 255.255.255.0
 isis enable 1
#
return

5.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding

Networking Requirements

CAUTION

For the NE5000E, an interface is numbered in the format of slot number/card number/interface number. For the NE5000E cluster, an interface is numbered in the format of chassis ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of the slot must also be specified.

As shown in Figure 5-3, Router A and Router C are connected through two links.

• GE 2/0/0 on Router A and GE 2/0/0 on Router B are connected through a physical link.

• Eth-Trunk1 interface on Router A has two member interfaces, GE 3/0/0 and GE 4/0/0; Eth-Trunk1 interface on Router B has two member interfaces, GE 3/0/0 and GE 4/0/0.

The Eth-Trunk1 interface has two GE member interfaces, so its bandwidth is twice that of a single physical link. The aim is to perform unequal-cost load balancing for IP packet forwarding over the two links between Router A and Router C. In this example, unequal-cost load balancing refers to global unequal-cost load balancing.


Figure 5-3 Networking diagram of configuring unequal-cost load balancing

[Figure: topology of RouterA, RouterB, and RouterC. Labels in the figure: GE2/0/0, GE3/0/0, GE4/0/0, Eth-Trunk1, GE2/0/2, GE1/0/0 10.1.1.1/24, GE1/0/0 20.1.1.1/24.]

Device Name   Interface Name   IP Address
Router A      GE 2/0/0         30.1.1.1/24
              Eth-Trunk1       40.1.1.1/24
Router B      GE 2/0/0         30.1.1.2/24
              Eth-Trunk1       40.1.1.2/24
              GE 2/0/2         50.1.1.1/24
Router C      GE 2/0/2         50.1.1.2/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a static route on each device.

2. Enable unequal-cost load balancing on Router B so that the two links between Router A and Router C can perform unequal-cost load balancing for IP packet forwarding.

Data Preparation

To complete the configuration, you need the following data:

• Interface type and number

• IP address of each interface

• Number of the Eth-Trunk

Procedure

Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.

Step 2 Configure a static route.

# Configure Router A.

[RouterA] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[RouterA] ip route-static 20.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
[RouterA] ip route-static 50.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[RouterA] ip route-static 50.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2

# Configure Router B.

[RouterB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.1
[RouterB] ip route-static 10.1.1.0 255.255.255.0 eth-trunk1 40.1.1.1
[RouterB] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.2

# Configure Router C.

[RouterC] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
[RouterC] ip route-static 30.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
[RouterC] ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1

Step 3 Enable unequal-cost load balancing on Router B.

[RouterB] load-balance unequal-cost enable

Step 4 Verify the configuration.

# Router C can ping 10.1.1.1. Run the display fib verbose command to view bandwidth information of the outbound interface. The command output shows that the bandwidth of Eth-Trunk1 interface is twice that of GE 2/0/0. This indicates that unequal-cost load balancing is enabled.

[RouterC] ping -c 100 -t 10 -m 10 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
...
  --- 10.1.1.1 ping statistics ---
    100 packet(s) transmitted
    99 packet(s) received
    1.00% packet loss
    round-trip min/avg/max = 1/1/6 ms

[RouterB] display fib 10.1.1.1 verbose
  Route Entry Count: 2
 Destination: 10.1.1.0           Mask     : 255.255.255.0
 Nexthop    : 30.1.1.1           OutIf    : GigabitEthernet2/0/2
 LocalAddr  : 30.1.1.2           LocalMask: 0.0.0.0
 Flags      : GSU                Age      : 11128sec
 ATIndex    : 0                  Slot     : 2
 LspFwdFlag : 0                  LspToken : 0x0
 InLabel    : NULL               OriginAs : 0
 BGPNextHop : 0.0.0.0            PeerAs   : 0
 QosInfo    : 0x0                OriginQos: 0x0
 NexthopBak : 0.0.0.0            OutIfBak : [No Intf]
 LspTokenBak: 0x0                InLabelBak : NULL
 LspToken_ForInLabelBak : 0x0
 EntryRefCount : 0
 VlanId : 0x0
 LspType : 0                     Label_ForLspTokenBak : 0
 MplsMtu : 0                     Gateway_ForLspTokenBak : 0
 NextToken : 0x0                 IfIndex_ForLspTokenBak : 0
 Label_NextToken : 0             Label : 0
 LspBfdState : 0
 OutIfSpeed(Kbits/sec) : 1000000

 Destination: 10.1.1.0           Mask     : 255.255.255.0
 Nexthop    : 40.1.1.1           OutIf    : Eth-Trunk1
 LocalAddr  : 40.1.1.2           LocalMask: 0.0.0.0
 Flags      : GSU                Age      : 11128sec
 ATIndex    : 0                  Slot     : 0
 LspFwdFlag : 0                  LspToken : 0x0
 InLabel    : NULL               OriginAs : 0
 BGPNextHop : 0.0.0.0            PeerAs   : 0
 QosInfo    : 0x0                OriginQos: 0x0
 NexthopBak : 0.0.0.0            OutIfBak : [No Intf]
 LspTokenBak: 0x0                InLabelBak : NULL
 LspToken_ForInLabelBak : 0x0
 EntryRefCount : 0
 VlanId : 0x0
 LspType : 0                     Label_ForLspTokenBak : 0
 MplsMtu : 0                     Gateway_ForLspTokenBak : 0
 NextToken : 0x0                 IfIndex_ForLspTokenBak : 0
 Label_NextToken : 0             Label : 0
 LspBfdState : 0
 OutIfSpeed(Kbits/sec) : 2000000

----End
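The verification in Step 4 can be automated. The Python below is an added example, not part of the Huawei guide: it parses display fib verbose output and derives the traffic share each outbound interface should carry. It assumes that shares are proportional to OutIfSpeed; the sample is abridged from the Step 4 output, and the function names are this example's own.

```python
import re
from fractions import Fraction

# Abridged from the "display fib 10.1.1.1 verbose" output in Step 4;
# only a few of the fields of each entry are kept.
SAMPLE_FIB = """\
Route Entry Count: 2
Destination: 10.1.1.0           Mask     : 255.255.255.0
Nexthop    : 30.1.1.1           OutIf    : GigabitEthernet2/0/2
NexthopBak : 0.0.0.0            OutIfBak : [No Intf]
OutIfSpeed(Kbits/sec) : 1000000

Destination: 10.1.1.0           Mask     : 255.255.255.0
Nexthop    : 40.1.1.1           OutIf    : Eth-Trunk1
NexthopBak : 0.0.0.0            OutIfBak : [No Intf]
OutIfSpeed(Kbits/sec) : 2000000
"""

# "Name : value" pairs; a value is one token or a bracketed string.
FIELD_RE = re.compile(r"([A-Za-z_]+(?:\([^)]*\))?)\s*:\s*(\[[^\]]*\]|\S+)")


def parse_fib_entries(text):
    """Split verbose FIB output into one dict of fields per entry."""
    entries = []
    for name, value in FIELD_RE.findall(text):
        if name == "Destination":      # every entry starts with this field
            entries.append({})
        if entries:                    # skip the header before the first entry
            entries[-1][name] = value
    declared = re.search(r"Route Entry Count:\s*(\d+)", text)
    if declared and int(declared.group(1)) != len(entries):
        raise ValueError("entry count does not match the header")
    return entries


def ucmp_shares(entries):
    """Return {(destination, mask): {out_if: share}} weighted by OutIfSpeed.

    Assumption of this example: traffic is split in proportion to the
    bandwidth reported for each outbound interface.
    """
    groups = {}
    for entry in entries:
        key = (entry["Destination"], entry["Mask"])
        speed = int(entry["OutIfSpeed(Kbits/sec)"])
        groups.setdefault(key, {})[entry["OutIf"]] = speed
    return {
        key: {oif: Fraction(speed, sum(speeds.values()))
              for oif, speed in speeds.items()}
        for key, speeds in groups.items()
    }


def is_unequal(shares_for_prefix):
    """True when at least two outbound interfaces carry different weights."""
    return len(set(shares_for_prefix.values())) > 1


if __name__ == "__main__":
    for prefix, shares in ucmp_shares(parse_fib_entries(SAMPLE_FIB)).items():
        print(prefix, {oif: str(share) for oif, share in shares.items()},
              "unequal" if is_unequal(shares) else "equal")
```

If every share for a prefix comes out equal, the outbound interfaces report the same bandwidth and the output cannot distinguish unequal-cost from equal-cost load balancing.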


Configuration Files

• Configuration file of Router A
#
 sysname RouterA
#
interface Eth-Trunk1
 ip address 40.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet4/0/0
 undo shutdown
 eth-trunk 1
#
 ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
 ip route-static 20.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
 ip route-static 50.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
 ip route-static 50.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
#

• Configuration file of Router B
#
 sysname RouterB
#
load-balance unequal-cost enable
#
interface Eth-Trunk1
 ip address 40.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
 undo shutdown
 ip address 50.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet4/0/0
 undo shutdown
 eth-trunk 1
#
 ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.1
 ip route-static 10.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.1
 ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.2
#
return

• Configuration file of Router C
#
 sysname RouterC
#
 ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
 ip route-static 30.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
 ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/2
 undo shutdown
 ip address 50.1.1.2 255.255.255.0
#
return


6 ACL Configuration

About This Chapter

This chapter describes the fundamentals of ACLs and their types, such as basic, advanced, and interface-based ACLs. It also includes basic ACL configuration steps, along with typical examples.

6.1 ACL Overview
This section describes basic concepts and parameters of Access Control List (ACL).

6.2 Configuring an Interface-based ACL
This section describes how to configure an interface-based ACL.

6.3 Configuring a Basic ACL
This section describes how to configure a basic ACL.

6.4 Configuring an Advanced ACL
This section describes how to configure an advanced ACL.

6.5 Configuring an ACL Based on the Ethernet Frame Header
This section describes how to configure the Ethernet frame header-based ACL.

6.6 Configuring a Named ACL
This section describes how to configure a named ACL.

6.7 Maintaining an ACL
This section describes how to maintain an ACL.

6.8 Configuration Examples
This section provides a configuration example of ACL.


6.1 ACL Overview

This section describes basic concepts and parameters of Access Control List (ACL).

6.1.1 Introduction to ACL

6.1.2 ACL Supported by the NE5000E

6.1.1 Introduction to ACL

To enable a device to filter the passing packets, you can configure a series of rules on the device to determine what kinds of packets can pass filtering. The rules configured on the device are called Access Control List (ACL) rules.

An ACL is an ordered group of rules, each of which is a rule { deny | permit } clause. The rules are described by parameters such as the source address, the destination address, and the port number of data packets. The ACL classifies data packets according to these rules. After these rules are applied to the device, the device can determine whether to receive or deny packets.

ACLs are classified into these types:

• Basic ACL: classifies packets based on the source address.

• Advanced ACL: classifies packets in more detail based on the source address, destination address, source port number, destination port number, and protocol type.

• Interface-based ACL: classifies packets based on the interface from which the packets are received.

• Ethernet Frame Header ACL: classifies packets in more detail based on the source MAC address and destination MAC address.

NOTE

Actually, an ACL is a group of rules used to define classes of packets. It cannot be used to filter packets by itself; how matched packets are processed is decided by the function that references the ACL. In the NE5000E, the ACL must be used in conjunction with functions such as policy-based routing (PBR), firewall, and traffic classification to filter packets.

The default action defined in the ACL rule is deny. Therefore, to allow the subsequent flows to pass, you need to set the action in the ACL rule to permit.

6.1.2 ACL Supported by the NE5000E

The NE5000E supports interface-based ACLs, basic ACLs, advanced ACLs, and Ethernet frame header-based ACLs.

6.2 Configuring an Interface-based ACL

This section describes how to configure an interface-based ACL.

6.2.1 Establishing the Configuration Task

6.2.2 (Optional) Creating a Time Range

6.2.3 Creating an Interface-based ACL


6.2.4 (Optional) Configuring ACL Descriptions

6.2.5 (Optional) Configuring ACL Step

6.2.6 Checking the Configuration

6.2.1 Establishing the Configuration Task

Applicable Environment

An ACL can be applied to various services such as route policies and packet filtering. It distinguishes different kinds of packets for different processing.

Pre-configuration Tasks

None.

Data Preparation

To configure an ACL, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the interface-based ACL takes effect and the start time and end time of the time range
2    Rule ID of the interface-based ACL, permit or deny rule
3    Interface type and interface number of the interface in which the interface-based ACL takes effect
4    (Optional) Description of the interface-based ACL
5    (Optional) Step of the interface-based ACL

6.2.2 (Optional) Creating a Time Range

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

An ACL time range is created.


You can configure multiple time ranges with the same name.

----End

6.2.3 Creating an Interface-based ACL

Context

The range of acl-number of an interface-based ACL is 1000 to 1999.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An interface-based ACL is created.

Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any } [ logging | time-range time-name ] *

ACL rules are defined.

interface-type interface-number indicates the specified interface type and interface number. any indicates any interface. logging takes effect only on software-based forwarding, such as the application of a routing policy.

----End

6.2.4 (Optional) Configuring ACL Descriptions

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
description text


An ACL description is created.

The ACL description covers the function of ACL rules. Its length should be less than 127 characters.

----End

6.2.5 (Optional) Configuring ACL Step

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

The ACL view is displayed.

Step 3 Run:
step step

The ACL step is configured.

Note the following when modifying ACL configurations:

• The undo step command restores the step to the default and realigns ACL rules.

• The default step of the ACL rule is 5.

----End

6.2.6 Checking the Configuration

Prerequisite

The configurations of the ACL function are complete.

Procedure

• Run the display acl { acl-number | all } command to check the configured ACL rule.

• Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.

• Run the display time-range { time-name | all } command to check the time range.

----End


Example

Run the display acl command. If the ACL number, the number of rules, the step description, and the ACL rules are displayed, the configuration succeeds. For example:

<HUAWEI> display acl 1200
Interface Based ACL 1200, 1 rule
Acl's step is 5
 rule 5 permit interface Pos4/0/0

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

<HUAWEI> display statistics acl 1000 control-plane
Interface Based ACL 1000, 1 rule
Acl's step is 5
 rule 5 deny interface any (10 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

6.3 Configuring a Basic ACL

This section describes how to configure a basic ACL.

6.3.1 Establishing the Configuration Task

6.3.2 (Optional) Creating a Time Range

6.3.3 Creating a Basic ACL

6.3.4 (Optional) Configuring ACL Descriptions

6.3.5 (Optional) Configuring ACL Step

6.3.6 Checking the Configuration

6.3.1 Establishing the Configuration Task

Applicable Environment

An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. When defining rules for a basic ACL, you need to specify source IP addresses.

Pre-configuration Tasks

None.


Data Preparation

To configure a basic ACL, you need the following data.

No.  Data
1    (Optional) Name of the time range in which the basic ACL takes effect and the start time and end time of the time range
2    Number of the basic ACL
3    Rule ID of the basic ACL, permit or deny rule, and source IP address
4    (Optional) Description of the basic ACL
5    (Optional) Step of the basic ACL

6.3.2 (Optional) Creating a Time Range

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

An ACL time range is created.

You can configure multiple time ranges with the same name.

----End

6.3.3 Creating a Basic ACL

Context

The range of acl-number of a basic ACL is 2000 to 2999.

Do as follows on the router:

Procedure

Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A basic ACL is created.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

ACL rules are defined.

----End

6.3.4 (Optional) Configuring ACL Descriptions

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
description text

An ACL description is created.

The ACL description covers the function of ACL rules. Its length should be less than 127 characters.

----End

6.3.5 (Optional) Configuring ACL Step

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

The ACL view is displayed.

Step 3 Run:
step step

The ACL step is configured.

Note the following when modifying ACL configurations:

• The undo step command restores the step to the default and realigns ACL rules.

• The default step of the ACL rule is 5.

----End

6.3.6 Checking the Configuration

Prerequisite

The configurations of the ACL function are complete.

Procedure

• Run the display acl { acl-number | all } command to check the configured ACL rule.

• Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.

• Run the display time-range { time-name | all } command to check the time range.

----End

Example

Run the display acl command. If the ACL number, the number of rules, the step description, and the ACL rules are displayed, the configuration succeeds. For example:

<HUAWEI> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 deny source 10.1.1.1 0

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

<HUAWEI> display statistics acl 2000 control-plane
Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 deny source 10.1.1.1 0 (234 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily
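The following Python example is added here and is not from the Huawei guide. It parses basic ACL output in the format shown above and evaluates source addresses against the rules, which is useful for auditing what a rule set actually matches before it is referenced by a filtering function. It assumes match-order config (rules tried in ascending rule ID), that a displayed wildcard of 0 means 0.0.0.0, and that realigning renumbers rules to multiples of the step; rules 10 and 15 in the sample are constructed.

```python
import ipaddress
import re

# Constructed sample in the format of the "display acl" output shown above
# (rule 5 is the rule from the page; rules 10 and 15 are made up).
SAMPLE_DISPLAY_ACL = """\
Basic ACL 2000, 3 rules
Acl's step is 5
 rule 5 deny source 10.1.1.1 0
 rule 10 permit source 10.1.1.0 0.0.0.255
 rule 15 deny source any
"""

# acl-number ranges given in sections 6.2.3, 6.3.3 and 6.4.3.
ACL_TYPES = ((range(1000, 2000), "interface-based"),
             (range(2000, 3000), "basic"),
             (range(3000, 4000), "advanced"))

ANY = 0xFFFFFFFF  # wildcard in which every bit is "don't care"


def acl_type(acl_number):
    """Map an acl-number to its ACL type by the documented ranges."""
    for numbers, name in ACL_TYPES:
        if acl_number in numbers:
            return name
    raise ValueError(f"acl-number {acl_number} is outside the ranges used here")


def parse_basic_acl(text):
    """Parse 'display acl' or 'display statistics acl' output of a basic ACL."""
    header = re.search(r"Basic ACL (\d+), (\d+) rules?", text)
    step = re.search(r"Acl's step is (\d+)", text)
    if not header or not step:
        raise ValueError("not basic ACL output")
    if acl_type(int(header.group(1))) != "basic":
        raise ValueError("number is not in the basic ACL range")
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
            continue
        addr, wildcard = 0, ANY      # no source clause: every source matches
        if "source" in tok and tok[tok.index("source") + 1] != "any":
            i = tok.index("source")
            addr = int(ipaddress.IPv4Address(tok[i + 1]))
            # Assumption: "0" is the displayed form of wildcard 0.0.0.0.
            wildcard = 0 if tok[i + 2] == "0" else int(ipaddress.IPv4Address(tok[i + 2]))
        rules.append((int(tok[1]), tok[2], addr, wildcard))
    if len(rules) != int(header.group(2)):
        raise ValueError("rule count differs from the header")
    return {"number": int(header.group(1)), "step": int(step.group(1)),
            "rules": sorted(rules)}


def classify(acl, source_ip):
    """Return (action, rule_id) of the first matching rule, lowest rule ID first.

    ("no-match", None) means no rule matched; what happens to such packets is
    decided by the function that references the ACL, not by the ACL itself.
    """
    src = int(ipaddress.IPv4Address(source_ip))
    for rule_id, action, addr, wildcard in acl["rules"]:
        # Bits set in the wildcard are ignored; all other bits must be equal.
        if ((src ^ addr) & ~wildcard & ANY) == 0:
            return action, rule_id
    return "no-match", None


def realign(rules, step):
    """Renumber rules as step, 2*step, ... keeping their order (assumed
    meaning of "realigns ACL rules" after a step change)."""
    return [(step * n, *rule[1:]) for n, rule in enumerate(rules, start=1)]


if __name__ == "__main__":
    acl = parse_basic_acl(SAMPLE_DISPLAY_ACL)
    for ip in ("10.1.1.1", "10.1.1.77", "192.0.2.9"):
        print(ip, classify(acl, ip))
```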

6.4 Configuring an Advanced ACL

This section describes how to configure an advanced ACL.

6.4.1 Establishing the Configuration Task

6.4.2 (Optional) Creating a Time Range

6.4.3 Creating an Advanced ACL

6.4.4 (Optional) Configuring ACL Descriptions

6.4.5 (Optional) Configuring ACL Step

6.4.6 Checking the Configuration

6.4.1 Establishing the Configuration Task

Application Environment

An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. When defining rules for an advanced ACL, you need to specify the source IP address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP message type and code.

Pre-configuration Tasks

None.

Data Preparation

To configure an advanced ACL, you need the following data.

No. Data

1 (Optional) Name of the time range in which the advanced ACL takes effect and the start time and end time of the time range

2 Number of the advanced ACL

3 Rule ID of the advanced ACL, permit or deny rule

4 IP bearer protocol type, source and destination ports, source and destination IP address, and source IP address fragmented or not, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule

5 (Optional) Description of the advanced ACL

6 (Optional) Step of the advanced ACL


6.4.2 (Optional) Creating a Time Range

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

An ACL time range is created.

You can configure multiple time ranges with the same name.

----End

6.4.3 Creating an Advanced ACL

Context

The acl-number of an advanced ACL ranges from 3000 to 3999.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An advanced ACL is created.

Step 3 Perform the following as required.

• When protocol is specified as TCP or UDP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | precedence precedence | tos tos ] *

ACL rules are defined.

syn-flag syn-flag applies to TCP only.

• When protocol is specified as ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *

ACL rules are defined.

• When protocol is specified as a protocol other than TCP, UDP, or ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *

ACL rules are defined.

Configure different advanced ACLs on the device for different protocols over IP. Different protocols have different parameter combinations. For example, TCP and UDP have the optional parameters [ source-port operator port ] and [ destination-port operator port ], while other protocols do not.

----End
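A Python model of how rules written in the syntax above are evaluated, added here as an illustration and not taken from the guide or from the router software. It covers only the source, destination, source-port eq and destination-port eq options, checks rules in ascending rule-ID order (match-order config), and assumes that an omitted rule-id becomes the next multiple of the step above the highest existing ID; the packets and the 192.0.2.0 addresses are constructed.

```python
import ipaddress

# Port keywords that appear in this guide's examples; numeric ports also work.
PORT_NAMES = {"dns": 53, "snmp": 161, "snmptrap": 162, "syslog": 514}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _wildcard(text):
    # The guide's output writes a host match as "10.1.1.1 0" (wildcard 0.0.0.0).
    return 0 if text == "0" else _ip(text)


def _addr_matches(addr, base, wildcard):
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


class AdvancedAcl:
    def __init__(self, number, step=5):
        if not 3000 <= number <= 3999:
            raise ValueError("advanced ACL numbers are 3000 to 3999")
        self.number, self.step, self.rules = number, step, {}

    def add(self, line):
        """Parse one rule command and return the rule ID it was stored under."""
        tok = line.split()
        if len(tok) < 3 or tok[0] != "rule":
            raise ValueError(f"not a rule command: {line!r}")
        i = 1
        if tok[i].isdigit():
            rule_id, i = int(tok[i]), i + 1
        else:
            # Assumption: next multiple of the step above the highest ID.
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        if len(tok) < i + 2 or tok[i] not in ("permit", "deny"):
            raise ValueError(f"expected permit/deny and a protocol: {line!r}")
        rule = {"action": tok[i], "proto": tok[i + 1], "source": None,
                "destination": None, "source-port": None,
                "destination-port": None}
        i += 2
        while i < len(tok):
            key = tok[i]
            if key in ("source", "destination"):
                if tok[i + 1] == "any":
                    i += 2          # no address constraint
                else:
                    rule[key] = (_ip(tok[i + 1]), _wildcard(tok[i + 2]))
                    i += 3
            elif key in ("source-port", "destination-port"):
                if rule["proto"] not in ("tcp", "udp"):
                    raise ValueError("port options apply to TCP and UDP only")
                if tok[i + 1] != "eq":
                    raise ValueError("only the 'eq' operator is modelled")
                port = tok[i + 2]
                rule[key] = int(port) if port.isdigit() else PORT_NAMES[port]
                i += 3
            else:
                raise ValueError(f"option not modelled: {key}")
        self.rules[rule_id] = rule
        return rule_id

    def evaluate(self, pkt):
        """Return (rule_id, action) of the first matching rule, else None."""
        for rule_id in sorted(self.rules):
            r = self.rules[rule_id]
            if r["proto"] not in ("ip", pkt["proto"]):
                continue            # "ip" matches every protocol over IP
            if r["source"] is not None and not _addr_matches(pkt["src"], *r["source"]):
                continue
            if r["destination"] is not None and not _addr_matches(pkt["dst"], *r["destination"]):
                continue
            if r["source-port"] is not None and pkt.get("sport") != r["source-port"]:
                continue
            if r["destination-port"] is not None and pkt.get("dport") != r["destination-port"]:
                continue
            return rule_id, r["action"]
        return None                 # what happens next depends on the service using the ACL


if __name__ == "__main__":
    acl = AdvancedAcl(3000)
    for cmd in ("rule deny tcp source 10.1.1.1 0 destination-port eq 23",
                "rule permit tcp source 10.1.1.0 0.0.0.255 destination 192.0.2.0 0.0.0.255",
                "rule permit udp destination-port eq snmp",
                "rule 100 deny ip"):
        print(acl.add(cmd), cmd)
    print(acl.evaluate({"proto": "tcp", "src": "10.1.1.1",
                        "dst": "192.0.2.7", "dport": 23}))
```

Because the first matching rule wins, a broad rule with a low rule ID (for example `rule 1 deny ip`) shadows every narrower rule numbered after it.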

6.4.4 (Optional) Configuring ACL Descriptions

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
description text

The ACL description is created.

The ACL description covers the function of the ACL rules. Its length should be less than 127 characters.

----End

6.4.5 (Optional) Configuring ACL Step

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

The ACL view is displayed.

Step 3 Run:
step step

The ACL step is configured.

Note the following when modifying ACL configurations:

• The undo step command restores the step to the default and realigns ACL rules.

• The default step of the ACL rule is 5.

----End

6.4.6 Checking the Configuration

Prerequisite

The configurations of the ACL function are complete.

Procedure

• Run the display acl { acl-number | all } command to check the configured ACL rule.

• Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.

• Run the display time-range { time-name | all } command to check the time range.

----End

Example

Run the display acl command. If the ACL number, the number of rules, the detailed step description, and the ACL rules are displayed, the configuration has succeeded. For example:

<HUAWEI> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny ip source 10.1.1.1 0

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

<HUAWEI> display statistics acl 3000 control-plane
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip (1305 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, the configuration has succeeded. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

6.5 Configuring an ACL Based on the Ethernet Frame Header

This section describes how to configure the Ethernet frame header-based ACL.

6.5.1 Establishing the Configuration Task

6.5.2 Creating an ACL Based on the Ethernet Frame Header

6.5.3 (Optional) Configuring ACL Descriptions

6.5.4 (Optional) Configuring ACL Step

6.5.5 Checking the Configuration

6.5.1 Establishing the Configuration Task

Application Environment

An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. The rules of an ACL based on the Ethernet frame header are defined on the basis of the source MAC addresses, destination MAC addresses, and protocol type of packets.

Pre-configuration Tasks

None.

Data Preparation

To configure an Ethernet frame header-based ACL, you need the following data.


No. Data

1 Number of the Ethernet frame header-based ACL

2 Source MAC addresses, destination MAC addresses, and protocol type

3 (Optional) Description of the Ethernet frame header-based ACL

4 (Optional) Step of the Ethernet frame header-based ACL

6.5.2 Creating an ACL Based on the Ethernet Frame Header

Context

The acl-number of an ACL based on the Ethernet frame header ranges from 4000 to 4099.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An Ethernet frame header-based ACL is created.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ type type type-mask | source-mac source-mac sourcemac-mask | dest-mac dest-mac destmac-mask ]

ACL rules are defined.

----End

6.5.3 (Optional) Configuring ACL Descriptions

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
description text

The ACL description is created.

The ACL description covers the function of the ACL rules. Its length should be less than 127 characters.

----End

6.5.4 (Optional) Configuring ACL Step

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

The ACL view is displayed.

Step 3 Run:
step step

The ACL step is configured.

Note the following when modifying ACL configurations:

• The undo step command restores the step to the default and realigns ACL rules.

• The default step of the ACL rule is 5.

----End

6.5.5 Checking the Configuration

Prerequisite

The configurations of the Ethernet frame header-based ACL function are complete.

Procedure

• Run the display acl { acl-number | all } command to check the configured ACL rule.

• Run the display statistics acl { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.

----End

Example

Run the display acl command. If the ACL number, the number of rules, the detailed step description, and the ACL rules are displayed, the configuration has succeeded. For example:

<HUAWEI> display acl 4000
Ethernet frame ACL 4000, 2 rules
Acl's step is 5
 rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003
 rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002

Using the display statistics acl control-plane command, you can view the statistics about the packets matching the ACL rule in soft forwarding.

<HUAWEI> display statistics acl 4000 control-plane
Ethernet frame ACL 4000, 2 rules
Acl's step is 5
 rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003(45 times matched)
 rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002(76 times matched)

6.6 Configuring a Named ACL

This section describes how to configure the Named ACL.

6.6.1 Establishing the Configuration Task

6.6.2 (Optional) Creating a Time Range

6.6.3 Creating a Named ACL

6.6.4 (Optional) Configuring named ACL Descriptions

6.6.5 (Optional) Configuring named ACL Step

6.6.6 Checking the Configuration

6.6.1 Establishing the Configuration Task

Application Environment

An ACL can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. Named ACLs are advanced ACLs because you need to define rules for the named ACLs by specifying the source IP address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP protocol type and code.

Pre-configuration Tasks

None.

Data Preparation

To configure a named ACL, you need the following data.


No. Data

1 (Optional) Name of the time range in which the named ACL takes effect and the start time and end time of the time range

2 Rule ID of the named ACL, permit or deny rule, and source IP address

3 IP bearer protocol type, source and destination ports, destination IP address, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule

4 (Optional) Description of the named ACL

5 (Optional) Step of the named ACL

6.6.2 (Optional) Creating a Time Range

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

An ACL time range is created.

You can configure multiple time ranges with the same name.

----End

6.6.3 Creating a Named ACL

Context

A named ACL is an advanced ACL and its acl-number ranges from 42768 to 45767.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl name acl-name [ number acl-number ] [ match-order { auto | config } ]

A named ACL is created and the named ACL view is displayed.

Step 3 Perform the following steps as required to configure rules for the named ACL. One ACL can be configured with multiple rules.

• When protocol is TCP or UDP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | precedence precedence | tos tos ] *

syn-flag syn-flag needs to be specified only when TCP is used.

• When protocol is ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *

• When protocol is not TCP, UDP, or ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *

Configure different advanced ACLs on the device for different protocols over IP. Different protocols have different parameter combinations. For example, TCP and UDP have the optional parameters [ source-port operator port ] and [ destination-port operator port ], while other protocols do not.

----End

6.6.4 (Optional) Configuring named ACL Descriptions

Context

Do as follows on the router:


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl name acl-name

The named ACL view is displayed.

Step 3 Run:
description text

The named ACL description is created.

The ACL description covers the function of the ACL rules. Its length should be less than 127 characters.

----End

6.6.5 (Optional) Configuring named ACL Step

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl name acl-name

The named ACL view is displayed.

Step 3 Run:
step step

The ACL step is configured.

Note the following when modifying named ACL configurations:

• The undo step command restores the step to the default and realigns ACL rules.

• The default step of the ACL rule is 5.

----End

6.6.6 Checking the Configuration

Prerequisite

The configurations of the ACL function are complete.

Procedure

• Run the display acl name acl-name command to check the configured ACL rule.

• Run the display statistics acl { acl-number | all | name acl-name } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching the ACL rule in soft forwarding.

----End

Example

# Check the configuration of the named ACL whose name is test.

<HUAWEI> display acl name test
Advanced Name ACL test, 1 rule
Acl's step is 5
 rule 5 permit ip

# View the statistics about the packets matching the ACL named test in soft forwarding.

<HUAWEI> display statistics acl name test control-plane
Advanced ACL test, 2 rules
Acl's step is 5
 rule 5 deny ip destination 1.1.5.0 0.0.0.255 (10 times matched)
 rule 10 deny ip destination 1.1.6.0 0.0.0.255 (23 times matched)

6.7 Maintaining an ACL

This section describes how to maintain an ACL.

6.7.1 Clearing ACL Statistics

6.7.2 Monitoring Network Operation Status of ACL

6.7.1 Clearing ACL Statistics

Context

CAUTION

Statistics cannot be restored after they are cleared. Confirm the action before you run the command.

Procedure

Step 1 Run the reset acl counter { acl-number | name acl-name | all } command in the user view to reset the ACL counter.

----End


6.7.2 Monitoring Network Operation Status of ACL

Context

In routine maintenance, you can run the following commands in any view to check the operation of the ACL.

Procedure

• Run the display acl { acl-number | name acl-name | all } command in any view to check the operation of the rules of the ACL.

• Run the display statistics acl { acl-number | all | name acl-name } control-plane command in any view to check the statistics about the packets matching the ACL rule in soft forwarding.

• Run the display time-range { time-name | all } command in any view to check the operation of the time range of the ACL.

----End
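For routine monitoring, the "(N times matched)" counters shown by display statistics acl can be compared between two collections. The Python sketch below is an added example, not part of the guide: it parses that output, computes per-rule deltas, and flags counters that went backwards, which is what a reset acl counter between two snapshots looks like. SNAPSHOT_1 and ETH_SAMPLE reuse outputs shown on this page (their line breaks are assumed); SNAPSHOT_2, SNAPSHOT_3 and the alert threshold are constructed.

```python
import re

RULE_RE = re.compile(r"\brule\s+(\d+)\s+(permit|deny)\b")
COUNT_RE = re.compile(r"\(\s*(\d+)\s+times\s+matched\s*\)")

# Output shown on this page for the named ACL "test".
SNAPSHOT_1 = """\
Advanced ACL test, 2 rules
Acl's step is 5
 rule 5 deny ip destination 1.1.5.0 0.0.0.255 (10 times matched)
 rule 10 deny ip destination 1.1.6.0 0.0.0.255 (23 times matched)
"""
# Constructed: a later collection in which rule 5 is being hit heavily.
SNAPSHOT_2 = """\
Advanced ACL test, 2 rules
Acl's step is 5
 rule 5 deny ip destination 1.1.5.0 0.0.0.255 (310 times matched)
 rule 10 deny ip destination 1.1.6.0 0.0.0.255 (25 times matched)
"""
# Constructed: collected after the counters were cleared.
SNAPSHOT_3 = """\
Advanced ACL test, 2 rules
Acl's step is 5
 rule 5 deny ip destination 1.1.5.0 0.0.0.255 (2 times matched)
 rule 10 deny ip destination 1.1.6.0 0.0.0.255 (0 times matched)
"""
# Output shown on this page for ACL 4000: the counter follows the MAC mask
# without a space, and the text is on one line as it may arrive from a log.
ETH_SAMPLE = ("Ethernet frame ACL 4000, 2 rules Acl's step is 5 "
              "rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 "
              "dest-mac 0002-0002-0002 0003-0003-0003(45 times matched) "
              "rule 10 deny type 0200 0222 "
              "dest-mac 0000-0000-0000 0002-0002-0002(76 times matched)")


def parse_statistics(text):
    """Return {rule_id: {"action", "match", "count"}} for every rule found."""
    starts = list(RULE_RE.finditer(text))
    rules = {}
    for idx, m in enumerate(starts):
        # A rule's text runs up to the start of the next "rule <id> <action>".
        end = starts[idx + 1].start() if idx + 1 < len(starts) else len(text)
        body = text[m.end():end]
        hit = COUNT_RE.search(body)
        rules[int(m.group(1))] = {
            "action": m.group(2),
            "match": " ".join(COUNT_RE.sub("", body).split()),
            "count": int(hit.group(1)) if hit else 0,
        }
    return rules


def diff_counters(previous, current):
    """Hits per rule since the previous snapshot, in rule-ID order."""
    report = []
    for rule_id in sorted(current):
        now = current[rule_id]["count"]
        before = previous.get(rule_id, {}).get("count", 0)
        cleared = now < before      # the counter was reset in between
        report.append({"rule": rule_id,
                       "action": current[rule_id]["action"],
                       "delta": now if cleared else now - before,
                       "cleared": cleared})
    return report


def deny_alerts(report, threshold):
    """Rule IDs of deny rules whose hit count grew by at least threshold."""
    return [r["rule"] for r in report
            if r["action"] == "deny" and r["delta"] >= threshold]


if __name__ == "__main__":
    s1, s2, s3 = (parse_statistics(s)
                  for s in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3))
    print(deny_alerts(diff_counters(s1, s2), threshold=100))
    print([r for r in diff_counters(s2, s3) if r["cleared"]])
    print(parse_statistics(ETH_SAMPLE))
```

Storing each parsed snapshot before anyone runs reset acl counter keeps the history that the device itself discards.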

6.8 Configuration Examples

This section provides a configuration example of ACL.

6.8.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification

6.8.2 Example for Configuring the Security Function of Access Devices

6.8.3 Example for Configuring an ACL Rule that Is Based on the VPN Instance

6.8.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 6-1, PE1, P, and PE2 are routers on an MPLS backbone network; CE1 and CE2 are access routers on the edge of the backbone network. Three users from the local network access the Internet through CE1.

• On CE1, the CIR of the users from the network segment 1.1.1.0 is limited to 10 Mbit/s and the CBS is limited to 150000 bytes.

• On CE1, the CIR of the users from the network segment 2.1.1.0 is limited to 5 Mbit/s and the CBS is limited to 100000 bytes.

• On CE1, the CIR of the users from the network segment 3.1.1.0 is limited to 2 Mbit/s and the CBS is limited to 100000 bytes.

• On CE1, the DSCP values of the service packets from the three network segments are marked as 40, 26, and 0.

• PE1 accesses the MPLS backbone network at the CIR of 15 Mbit/s, the CBS of 300000 bytes, the PIR of 20 Mbit/s, and the PBS of 500000 bytes.

• On CE1, the CIR of the UDP protocol packets (except DNS, SNMP, SNMP Trap, and Syslog packets) is limited to 5 Mbit/s, the CBS is limited to 100000 bytes, and the PIR is limited to 15 Mbit/s.

Figure 6-1 Diagram for configuring a traffic policy based on the complex traffic classification

[Figure 6-1: network diagram showing CE1, PE1, P, PE2, and CE2 with their GE, POS, and Loopback0 interfaces and IP addresses, and the network segments 1.1.1.0, 2.1.1.0, and 3.1.1.0.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure ACL rules.
2. Configure traffic classifiers.
3. Configure traffic behaviors.
4. Configure traffic policies.
5. Apply policies to interfaces.

Data Preparation

To complete the configuration, you need the following data:

• ACL numbers, which are 2001, 2002, 2003, 3001, and 3002.

• The DSCP values of the packets from the three network segments, which are re-marked to be 40, 26, and 0.

• The CIRs of the traffic of the three network segments, which are 10 Mbit/s, 5 Mbit/s, and 2 Mbit/s; and their CBSs, which are 150000 bytes, 100000 bytes, and 100000 bytes.

• The CIR of the UDP protocol packets (except DNS, SNMP, SNMP Trap, and Syslog packets) on CE1, which is 5 Mbit/s, the CBS, which is 100000 bytes, and the PIR, which is 15 Mbit/s.

• The CIR of PE1, which is 15 Mbit/s; the CBS, which is 300000 bytes; the PIR, which is 20 Mbit/s; and the PBS, which is 500000 bytes.

• Names of traffic classifiers, traffic behaviors, and traffic policies; the numbers of interfaces to which traffic policies are applied.

Procedure

Step 1 Configure the IP addresses of the interfaces, the routes, and the basic MPLS functions (not mentioned here).

Step 2 Configure complex traffic classification on CE1 to control the traffic that accesses CE1 from the three local networks.

# Define ACL rules.

<CE1> system-view
[CE1] acl number 2001
[CE1-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[CE1-acl-basic-2001] quit
[CE1] acl number 2002
[CE1-acl-basic-2002] rule permit source 2.1.1.0 0.0.0.255
[CE1-acl-basic-2002] quit
[CE1] acl number 2003
[CE1-acl-basic-2003] rule permit source 3.1.1.0 0.0.0.255
[CE1-acl-basic-2003] quit
[CE1] acl number 3001
[CE1-acl-basic-3001] rule 0 permit udp destination-port eq dns
[CE1-acl-basic-3001] rule 1 permit udp destination-port eq snmp
[CE1-acl-basic-3001] rule 2 permit udp destination-port eq snmptrap
[CE1-acl-basic-3001] rule 3 permit udp destination-port eq syslog
[CE1-acl-basic-3001] quit
[CE1] acl number 3002
[CE1-acl-basic-3002] rule 4 permit udp
[CE1-acl-basic-3002] quit

# Configure traffic classifiers and define ACL-based matching rules.

[CE1] traffic classifier a
[CE1-classifier-a] if-match acl 2001
[CE1-classifier-a] quit
[CE1] traffic classifier b
[CE1-classifier-b] if-match acl 2002
[CE1-classifier-b] quit
[CE1] traffic classifier c
[CE1-classifier-c] if-match acl 2003
[CE1-classifier-c] quit
[CE1] traffic classifier udplimit
[CE1-classifier-udplimit] if-match acl 3001
[CE1-classifier-udplimit] quit
[CE1] traffic classifier udplimit1
[CE1-classifier-udplimit1] if-match acl 3002
[CE1-classifier-udplimit1] quit

After the preceding configuration, you can run the following display traffic classifier command to view the configuration of the traffic classifiers.

[CE1] display traffic classifier user-defined
User Defined Classifier Information:
 Classifier: a
  Operator: OR
  Rule(s): if-match acl 2001
 Classifier: c
  Operator: OR
  Rule(s): if-match acl 2003
 Classifier: b
  Operator: OR
  Rule(s): if-match acl 2002
 Classifier: udplimit
  Operator: OR
  Rule(s) : if-match acl 3001
 Classifier: udplimit1
  Operator: OR
  Rule(s) : if-match acl 3002

# Define traffic behaviors; configure traffic policing, and DSCP values to be re-marked.

[CE1] traffic behavior e
[CE1-behavior-e] car cir 10000 cbs 150000 pbs 0
[CE1-behavior-e] remark dscp 40
[CE1-behavior-e] quit
[CE1] traffic behavior f
[CE1-behavior-f] car cir 5000 cbs 100000 pbs 0
[CE1-behavior-f] remark dscp 26
[CE1-behavior-f] quit
[CE1] traffic behavior g
[CE1-behavior-g] car cir 2000 cbs 100000 pbs 0
[CE1-behavior-g] remark dscp 0
[CE1-behavior-g] quit
[CE1] traffic behavior udplimit
[CE1-behavior-udplimit] permit
[CE1-behavior-udplimit] quit
[CE1] traffic behavior udplimit1
[CE1-behavior-udplimit1] car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard
[CE1-behavior-udplimit1] quit

# Define traffic policies and associate the traffic classifiers with the traffic behaviors.

[CE1] traffic policy 1
[CE1-trafficpolicy-1] classifier a behavior e
[CE1-trafficpolicy-1] quit
[CE1] traffic policy 2
[CE1-trafficpolicy-2] classifier b behavior f
[CE1-trafficpolicy-2] quit
[CE1] traffic policy 3
[CE1-trafficpolicy-3] classifier c behavior g
[CE1-trafficpolicy-3] quit
[CE1] traffic policy udplimit
[CE1-trafficpolicy-udplimit] classifier udplimit behavior udplimit
[CE1-trafficpolicy-udplimit] classifier udplimit1 behavior udplimit1
[CE1-trafficpolicy-udplimit] quit

After the preceding configuration, run the display traffic policy command to view the configuration of the traffic policies, the traffic classifiers defined in the traffic policies, and the traffic behaviors associated with the traffic classifiers.

[CE1] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: 1
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: a
  Behavior: e
   Committed Access Rate:
    CIR 10000 (Kbps), PIR 0 (Kbps), CBS 15000 (byte), PBS 0 (byte)
    Conform Action: pass
    Yellow Action: pass
    Exceed Action: discard
   Marking:
    Remark DSCP cs5
Policy: 2
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: b
  Behavior: f
   Committed Access Rate:
    CIR 5000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte)
    Conform Action: pass
    Yellow Action: pass
    Exceed Action: discard
   Marking:
    Remark DSCP af31
Policy: 3
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: c
  Behavior: g
   Committed Access Rate:
    CIR 2000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte)
    Conform Action: pass
    Yellow Action: pass
    Exceed Action: discard
   Marking:
    Remark DSCP default
Policy: udplimit
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: udplimit
  Behavior: udplimit
   Firewall:
    permit
 Classifier: udplimit1
  Behavior: udplimit1
   Committed Access Rate:
    CIR 5000 (Kbps), PIR 0 (Kbps), CBS 10000 (byte), PBS 15000 (byte)
    Conform Action: pass
    Yellow Action: discard
    Exceed Action: discard

# Apply the traffic policies to the interfaces.

[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] undo shutdown
[CE1-GigabitEthernet1/0/0] traffic-policy 1 inbound
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 3/0/0
[CE1-GigabitEthernet3/0/0] undo shutdown
[CE1-GigabitEthernet3/0/0] traffic-policy 2 inbound
[CE1-GigabitEthernet3/0/0] quit
[CE1] interface gigabitethernet 4/0/0
[CE1-GigabitEthernet4/0/0] undo shutdown
[CE1-GigabitEthernet4/0/0] traffic-policy 3 inbound
[CE1-GigabitEthernet4/0/0] quit
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] undo shutdown
[CE1-GigabitEthernet2/0/0] traffic-policy udplimit outbound

Step 3 Configure complex traffic classification on PE1 to control the traffic that goes to the MPLS backbone network.

# Configure traffic classifiers and define matching rules.

<PE1> system-view
[PE1] traffic classifier pe
[PE1-classifier-pe] if-match any
[PE1-classifier-pe] quit

After the preceding configuration, you can run the display traffic classifier command to view the configuration of the traffic classifiers.

[PE1] display traffic classifier user-defined
User Defined Classifier Information:
 Classifier: pe
  Operator: OR
  Rule(s): if-match any

# Define traffic behaviors; configure traffic policing.

[PE1] traffic behavior pe
[PE1-behavior-pe] car cir 15000 pir 20000 cbs 300000 pbs 500000
[PE1-behavior-pe] quit

# Define traffic policies and associate the traffic classifiers with the traffic behaviors.

[PE1] traffic policy pe
[PE1-trafficpolicy-pe] classifier pe behavior pe
[PE1-trafficpolicy-pe] quit

After the preceding configuration, you can run the display traffic policy command to view the configuration of the traffic policies, the traffic classifiers defined in the traffic policies, and the traffic behaviors associated with the traffic classifiers.

[PE1] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: pe
 Classifier: default-class
  Behavior: be
   -none-
 Classifier: pe
  Behavior: pe
   Committed Access Rate:
    CIR 15000 (Kbps), PIR 20000 (Kbps), CBS 300000 (byte), PBS 500000 (byte)
    Conform Action: pass
    Yellow Action: pass
    Exceed Action: discard

# Apply the traffic policies to the inbound interfaces.

[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] undo shutdown
[PE1-GigabitEthernet1/0/0] traffic-policy pe inbound
[PE1-GigabitEthernet1/0/0] quit

Step 4 Verify the configuration.

Run the display interface command on CE1 and PE1. You can see that the traffic on the interfaces is regulated according to the configured traffic policies.

----End
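The procedure above chains five kinds of object: ACL, traffic classifier, traffic behavior, traffic policy, and the interface the policy is applied to. A single mistyped number or name anywhere in that chain leaves a rate limit that is configured but never enforced. The Python checker below is an added example, not part of the guide: it reads configuration text in the style used here and reports references that do not resolve. BROKEN_CONFIG is constructed with two deliberate mismatches, and the "#" stanza separator and one-space indentation are assumptions about the file layout.

```python
# Constructed sample: ACL 3302 is defined but the classifier matches ACL 3002,
# and the interface applies "udplimit" while the policy is named "udp-limit".
BROKEN_CONFIG = """\
#
acl number 3001
 rule 0 permit udp destination-port eq dns
acl number 3302
 rule 4 permit udp
#
traffic classifier udplimit operator or
 if-match acl 3001
traffic classifier udplimit1 operator or
 if-match acl 3002
#
traffic behavior udplimit
traffic behavior udplimit1
 car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard
#
traffic policy udp-limit
 classifier udplimit behavior udplimit
 classifier udplimit1 behavior udplimit1
#
interface GigabitEthernet2/0/0
 undo shutdown
 traffic-policy udplimit outbound
#
"""


def parse_config(text):
    """Collect ACLs, classifiers, behaviors, policies and applied policies."""
    model = {"acl": set(), "classifier": {}, "behavior": set(),
             "policy": {}, "applied": []}
    ctx = (None, None)              # (kind, name) of the stanza being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            ctx = (None, None)
            continue
        w = line.split()
        if w[:2] == ["acl", "number"] and len(w) >= 3:
            model["acl"].add(w[2])
            ctx = ("acl", w[2])
        elif w[:2] == ["traffic", "classifier"] and len(w) >= 3:
            model["classifier"][w[2]] = []
            ctx = ("classifier", w[2])
        elif w[:2] == ["traffic", "behavior"] and len(w) >= 3:
            model["behavior"].add(w[2])
            ctx = ("behavior", w[2])
        elif w[:2] == ["traffic", "policy"] and len(w) >= 3:
            model["policy"][w[2]] = []
            ctx = ("policy", w[2])
        elif w[0] == "interface" and len(w) >= 2:
            ctx = ("interface", w[1])
        elif ctx[0] == "classifier" and w[:2] == ["if-match", "acl"] and len(w) >= 3:
            model["classifier"][ctx[1]].append(w[2])
        elif ctx[0] == "policy" and w[0] == "classifier" and len(w) >= 4 and w[2] == "behavior":
            model["policy"][ctx[1]].append((w[1], w[3]))
        elif ctx[0] == "interface" and w[0] == "traffic-policy" and len(w) >= 3:
            model["applied"].append((ctx[1], w[1], w[2]))
    return model


def check_references(model):
    """Return one finding per reference that does not resolve or is unused."""
    findings = []
    for name, acls in model["classifier"].items():
        for acl in acls:
            if acl not in model["acl"]:
                findings.append(f"classifier {name}: ACL {acl} is not defined")
    for policy, pairs in model["policy"].items():
        for classifier, behavior in pairs:
            if classifier not in model["classifier"]:
                findings.append(f"policy {policy}: classifier {classifier} is not defined")
            if behavior not in model["behavior"]:
                findings.append(f"policy {policy}: behavior {behavior} is not defined")
    for iface, policy, direction in model["applied"]:
        if policy not in model["policy"]:
            findings.append(f"{iface}: traffic policy {policy} ({direction}) is not defined")
    used = {acl for acls in model["classifier"].values() for acl in acls}
    for acl in sorted(model["acl"] - used):
        findings.append(f"ACL {acl} is defined but no classifier matches on it")
    applied = {policy for _, policy, _ in model["applied"]}
    for policy in model["policy"]:
        if policy not in applied:
            findings.append(f"traffic policy {policy} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in check_references(parse_config(BROKEN_CONFIG)):
        print(finding)
```

Run against the saved configuration file of each device, an empty result means every classifier, policy and interface binding in the file points at an object that exists.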

Configuration Files

• Configuration file of CE1

#
 sysname CE1
#
acl number 2001
 rule 5 permit source 1.1.1.0 0.0.0.255
acl number 2002
 rule 5 permit source 2.1.1.0 0.0.0.255
acl number 2003
 rule 5 permit source 3.1.1.0 0.0.0.255
acl number 3001
 rule 0 permit udp destination-port eq dns
 rule 1 permit udp destination-port eq snmp
 rule 2 permit udp destination-port eq snmptrap
 rule 3 permit udp destination-port eq syslog
acl number 3302
 rule 4 permit udp
#
traffic classifier a operator or
 if-match acl 2001
traffic classifier c operator or
 if-match acl 2003
traffic classifier b operator or
 if-match acl 2002
traffic classifier udp-limit operator or
 if-match acl 3001
traffic classifier udp-limit1 operator or
 if-match acl 3002
#
traffic behavior e
 car cir 10000 cbs 150000 pbs 0 green pass red discard
 remark dscp cs5
traffic behavior g
 car cir 2000 cbs 100000 pbs 0 green pass red discard
 remark dscp default
traffic behavior f
 car cir 5000 cbs 100000 pbs 0 green pass red discard
 remark dscp af31
traffic behavior udp-limit
traffic behavior udp-limit1
 car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard
#
traffic policy 3
 classifier c behavior g
traffic policy 2
 classifier b behavior f
traffic policy 1
 classifier a behavior e
traffic policy udp-limit
 classifier udp-limit behavior udp-limit
 classifier udp-limit1 behavior udp-limit1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 traffic-policy 1 inbound
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 traffic-policy udplimit outbound
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
 traffic-policy 2 inbound
#
interface GigabitEthernet4/0/0
 undo shutdown
 ip address 3.1.1.1 255.255.255.0
 traffic-policy 3 inbound
#
ospf 1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 2.1.1.0 0.0.0.255
  network 3.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
return

• Configuration file of PE1

#
 sysname PE1
#
 mpls lsr-id 11.11.11.11
 mpls
#
mpls ldp
#
traffic classifier pe operator or
 if-match any
#
traffic behavior pe
 car cir 15000 pir 20000 cbs 300000 pbs 500000 green pass yellow pass red discard
#
traffic policy pe
 classifier pe behavior pe
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
 traffic-policy pe inbound
#
interface Pos2/0/0
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 11.11.11.11 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 100.1.1.0 0.0.0.255
  network 11.11.11.11 0.0.0.0
#
return

• Configuration file of P

#
 sysname P
#
 mpls lsr-id 33.33.33.33
 mpls
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos2/0/0
 link-protocol ppp
 ip address 110.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 33.33.33.33 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 110.1.1.0 0.0.0.255
  network 33.33.33.33 0.0.0.0
#
return

• Configuration file of PE2

#
 sysname PE2
#
 mpls lsr-id 22.22.22.22
 mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 ip address 110.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 22.22.22.22 255.255.255.255
#
ospf 10
 area 0.0.0.0
  network 110.1.1.0 0.0.0.255
  network 20.1.1.0 0.0.0.255
  network 22.22.22.22 0.0.0.0
#
return

• Configuration file of CE2

#
 sysname CE2
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
#
return


6.8.2 Example for Configuring the Security Function of Access Devices

Networking Requirements

CAUTION
On a single NE5000E, the interface is numbered in the format of slot number/card number/port number. In the multi-chassis scenario, the interface is numbered in the format of chassis ID/slot number/card number/interface number. This requires the chassis ID to be specified along with the slot number.

As shown in Figure 6-2, Router A, Router B, and Router C are access devices; Router D, Router E, and Router F are core devices; access devices are connected to core devices by 10G interfaces. The network provides voice and 3G services. Security policies need to be configured on access devices to control the access of users and to guarantee the security of both the network and devices.

Figure 6-2 Networking of configuring the security function of access devices

[Figure: network diagram. Labels: RouterA, RouterB, RouterC, RouterD, RouterE, RouterF; GE1/0/0 (three interfaces); Internet.]

Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:

1. Set the passwords to be used for login in NMS and CLI modes.
2. Log information about login failures.
3. Create an Access Control List (ACL) to deny specified services carried on TCP and UDP ports (to defend against viruses).

Data Preparation
To complete the configuration, you need the following data:

• IP address of each interface

• Passwords to be used for login in NMS and CLI modes

Procedure

Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.

Step 2 Set the passwords to be used for login in NMS and CLI modes.

<RouterA> system-view
[RouterA] user-interface console 0
[RouterA-ui-con0] shell
[RouterA-ui-con0] authentication-mode password
[RouterA-ui-con0] set authentication password cipher huawei
[RouterA-ui-con0] idle-timeout 30 0
[RouterA-ui-con0] quit
[RouterA] user-interface maximum-vty 15
[RouterA] user-interface vty 5 14
[RouterA-ui-vty5-14] shell
[RouterA-ui-vty5-14] authentication-mode password
[RouterA-ui-vty5-14] set authentication password cipher huawei
[RouterA-ui-vty5-14] idle-timeout 30 0
[RouterA-ui-vty5-14] quit

NOTE

The configurations of the access devices are similar. Router A is used as an example.

Step 3 Set logs to be exported to the control console.

[RouterA] info-center enable
[RouterA] info-center source default channel 9 log level warnings
[RouterA] info-center logfile channel channel9
[RouterA] quit
<RouterA> terminal logging

Step 4 Configure the ACL to prevent devices from being attacked through specified TCP and UDP ports.

NOTE

The ACL must be configured on the access-side interface of the access device.

[RouterA] acl number 3001
[RouterA-acl-adv-3001] description anti-virus
[RouterA-acl-adv-3001] rule 5 deny tcp destination-port eq 445
[RouterA-acl-adv-3001] rule 10 deny udp destination-port eq 445
[RouterA-acl-adv-3001] rule 15 deny tcp destination-port eq 135
[RouterA-acl-adv-3001] rule 20 deny udp destination-port eq 135
[RouterA-acl-adv-3001] rule 25 deny tcp destination-port eq 137
[RouterA-acl-adv-3001] rule 30 deny udp destination-port eq netbios-ns
[RouterA-acl-adv-3001] rule 35 deny tcp destination-port eq 139
[RouterA-acl-adv-3001] rule 40 deny udp destination-port eq netbios-ssn
[RouterA-acl-adv-3001] rule 45 deny udp destination-port eq 1433
[RouterA-acl-adv-3001] rule 50 deny udp destination-port eq 1434
[RouterA-acl-adv-3001] rule 55 deny tcp destination-port eq 4444
[RouterA-acl-adv-3001] rule 60 deny tcp destination-port eq 5554
[RouterA-acl-adv-3001] rule 65 deny udp destination-port eq 5554
[RouterA-acl-adv-3001] rule 70 deny tcp destination-port eq 9996
[RouterA-acl-adv-3001] rule 75 deny udp destination-port eq 9996
[RouterA-acl-adv-3001] rule 110 permit ip
[RouterA-acl-adv-3001] quit
[RouterA] traffic classifier anti-virus operator or
[RouterA-classifier-anti-virus] if-match acl 3001
[RouterA-classifier-anti-virus] quit
[RouterA] traffic behavior anti-virus
[RouterA-behavior-anti-virus] quit
[RouterA] traffic policy anti-virus
[RouterA-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus
[RouterA-trafficpolicy-anti-virus] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] traffic-policy anti-virus inbound
[RouterA-GigabitEthernet1/0/0] traffic-policy anti-virus outbound

----End

Configuration Files

NOTE

Only the configuration file on the Router A is provided.

• Configuration file of Router A

#
 sysname RouterA
#
 info-center source default channel 9 log level warning
#
acl number 3001
 description anti-virus
 rule 5 deny tcp destination-port eq 445
 rule 10 deny udp destination-port eq 445
 rule 15 deny tcp destination-port eq 135
 rule 20 deny udp destination-port eq 135
 rule 25 deny tcp destination-port eq 137
 rule 30 deny udp destination-port eq netbios-ns
 rule 35 deny tcp destination-port eq 139
 rule 40 deny udp destination-port eq netbios-ssn
 rule 45 deny udp destination-port eq 1433
 rule 50 deny udp destination-port eq 1434
 rule 55 deny tcp destination-port eq 4444
 rule 60 deny tcp destination-port eq 5554
 rule 65 deny udp destination-port eq 5554
 rule 70 deny tcp destination-port eq 9996
 rule 75 deny udp destination-port eq 9996
 rule 110 permit ip
#
traffic classifier anti-virus operator or
 if-match acl 3001
#
traffic behavior anti-virus
#
traffic policy anti-virus
 classifier anti-virus behavior anti-virus
#
interface GigabitEthernet1/0/0
 undo shutdown
 traffic-policy anti-virus inbound
 traffic-policy anti-virus outbound
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 idle-timeout 30 0
user-interface vty 0 4
user-interface vty 5 14
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 idle-timeout 30 0
user-interface vty 16 20
#
return

6.8.3 Example for Configuring an ACL Rule that Is Based on the VPN Instance

Networking Requirements

CAUTION
On a single NE5000E, the interface is numbered in the format of slot number/card number/port number. In the multi-chassis scenario, the interface is numbered in the format of chassis ID/slot number/card number/interface number. This requires the chassis ID to be specified along with the slot number.

As shown in Figure 6-3, two VPN instances are configured on the PE. CE1 belongs to VPN-A, whose VPN-target is 111:1; CE2 belongs to VPN-B, whose VPN-target is 222:2. An ACL rule is configured on the PE to permit users in VPN-A to log in to the PE through Telnet and to prevent users in VPN-B from logging in to the PE. Users in different VPNs cannot communicate with each other.

Figure 6-3 Typical networking of configuring an ACL rule

[Figure: network diagram. Labels: PE (AS: 100); CE1 (AS: 65410, VPN-A); CE2 (AS: 65420, VPN-B); interface addresses GE1/0/0 10.1.1.1/24, GE1/0/0 10.1.1.2/24, GE2/0/0 11.1.1.1/24, GE1/0/0 11.1.1.2/24.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure VPN instances.
2. Define the ACL rule.
3. Configure users in different VPNs with different authorities for logging in to the PE.

Data Preparation
To complete the configuration, you need the following data:

• ACL number

• VPN instance name

Procedure

Step 1 Configure VPN instances on the PE and connect CE1 and CE2 to the PE.

# Configure VPN-A.

<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 100:1
[PE-vpn-instance-vpna] vpn-target 111:1 both
[PE-vpn-instance-vpna] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[PE-GigabitEthernet1/0/0] quit

# Configure VPN-B.

[PE] ip vpn-instance vpnb
[PE-vpn-instance-vpnb] route-distinguisher 100:2
[PE-vpn-instance-vpnb] vpn-target 222:2 both
[PE-vpn-instance-vpnb] quit
[PE] interface gigabitethernet 2/0/0
[PE-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE-GigabitEthernet2/0/0] ip address 11.1.1.1 24
[PE-GigabitEthernet2/0/0] quit

Step 2 Configure an ACL rule and then apply the rule on the PE. After that, users in VPN-A can log in to the PE through Telnet, whereas users in VPN-B cannot log in to the PE.

[PE] acl number 2001
[PE-acl-adv-2001] rule permit vpn-instance vpna
[PE-acl-adv-2001] rule deny vpn-instance vpnb
[PE-acl-adv-2001] quit

Step 3 Use the ACL rule configured on the PE to control the login of users to the PE through Telnet.

[PE] user-interface vty 0 4
[PE-ui-vty0-4] authentication-mode none
[PE-ui-vty0-4] acl 2001 inbound

Step 4 Verify the configuration.

# Telnet CE1 to the PE.

<CE1> telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
***********************************************************
* Copyright (C) 2000-2009 Huawei Technologies Co., Ltd    *
* Without the owner's prior written consent,              *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
* This is a private communication system.                 *
* Unauthorized access or use may lead to prosecution.     *
***********************************************************
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
<PE>

CE1 can log in to the PE through Telnet.

# Telnet CE2 to the PE.

<CE2> telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.

CE2 cannot log in to the PE through Telnet.

----End

Configuration Files

• Configuration file of the PE

#
 sysname PE
#
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
#
acl number 2001
 rule 5 permit vpn-instance vpna
 rule 10 deny vpn-instance vpnb
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface Ethernet0/0/0
 undo shutdown
 ip binding vpn-instance vpna
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 undo shutdown
 ip binding vpn-instance vpnb
 ip address 11.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode none
user-interface vty 16 20
#
return

• Configuration file of CE1

#
 sysname CE1
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface Ethernet0/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

• Configuration file of CE2

#
 sysname CE2
#
aaa
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
interface Ethernet0/0/0
 undo shutdown
 ip address 11.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return


7 Basic IPv6 Configuration

About This Chapter

This chapter describes the IPv6 features and IPv6 address overview. It also describes configuration steps for IPv6 ND, PMTU, TCP6, FIB cache configuration, along with typical examples.

7.1 Basic IPv6 Overview
This section describes the basic concept of IPv6.

7.2 Configuring an IPv6 Address for an Interface
This section describes how to configure an IPv6 address for an interface.

7.3 Configuring IPv6 Neighbor Discovery
This section describes how to configure IPv6 neighbor discovery.

7.4 Configuring PMTU
This section describes how to configure IPv6 PMTU.

7.5 Enabling the FIB Cache
This section describes how to enable the FIB cache capacity.

7.6 Configuring TCP6
This section describes how to configure TCP connections.

7.7 Maintaining IPv6
This section describes how to clear IPv6 statistics and debug IPv6.

7.8 Configuration Examples
This section provides a configuration example for the IPv6 address.


7.1 Basic IPv6 Overview
This section describes the basic concept of IPv6.

7.1.1 Introduction to IPv6

7.1.2 IPv6 Supported by the NE5000E

7.1.1 Introduction to IPv6

Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is the standard network protocol of the second generation. It is a set of specifications designed by the Internet Engineering Task Force (IETF). IPv6 is the upgraded version of IPv4. The most remarkable difference between IPv6 and IPv4 is that the IP address lengthens from 32 bits to 128 bits.

7.1.2 IPv6 Supported by the NE5000E

The NE5000E supports the IPv6 protocol suite and TCP6 protocol suite.

IPv6 Address
A 128-bit IPv6 address has the following formats:

• X:X:X:X:X:X:X:X
In this format, a 128-bit IP address is divided into eight groups. The 16 bits of each group are represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups are separated by colons. Every "X" represents a group of hexadecimal values.

• X:X:X:X:X:X:d.d.d.d
This format is for the following types of addresses:
– IPv4-compatible IPv6 address
– IPv4-mapped IPv6 address

An IPv4-compatible IPv6 address is used to configure an IPv6 over IPv4 tunnel. In this type of address, "X" represents the first six groups of numbers. Each "X" stands for 16 bits that are represented by hexadecimal numbers. "d" represents the subsequent four groups of numbers. Each "d" stands for eight bits that are represented by decimal numbers. "d.d.d.d" is a standard IPv4 address.

An IPv6 address can be divided into two parts:

• Network prefix: equals the network ID of an IPv4 address. It is of n bits.

• Interface identifier: equals the host ID in an IPv4 address. It is of 128-n bits.

IPv6 Neighbor Discovery
The IPv6 neighbor discovery (ND) is a group of messages and processes that define the relationship between neighboring nodes. ND replaces the Address Resolution Protocol (ARP) messages and the Internet Control Message Protocol (ICMP) device discovery messages. It also provides additional functions.


IPv6 PMTU
Generally, the problem that different networks have different Maximum Transmission Units (MTU) can be solved in the following ways:

• Devices fragment packets as required. The source host only needs to fragment packets; however, the intermediate router not only needs to fragment packets, but also to reassemble packets.

• The source host sends packets based on a proper MTU so that packets need not be fragmented on the intermediate router. In such a case, packet processing burden on the intermediate router can be reduced. During IPv6 packet transmission, only this way can be adopted because IPv6 intermediate routers do not support packet fragmentation.

The Path MTU (PMTU) Discovery mechanism aims at finding a proper MTU value on the path from the source to the destination.

IPv6 FIB
Connecting network topologies of different types needs the configuration of different routing protocols. This brings about Routing Information Base (RIB). The RIB is a base of the Forwarding Information Base (FIB). Guided by route management policies, a device extracts a minimum of necessary forwarding information from RIB and adds the information to the FIB. Through the route management module, you can also add static routes into the FIB.

A FIB contains a group of minimum information needed by a device during packet forwarding. An FIB entry usually contains the destination address, prefix length, transport port, next-hop address, route flag, and time stamp. A device forwards packets according to FIB entries.

The FIB mechanism consists of two parts: FIB agent (used on the control plane) and FIB container (used on the forwarding plane). A FIB agent is responsible for interacting with the RM module for delivering FIB entries to the forwarding engine, and to the I/O board in a distributed system.

A FIB contains the following information:

• Destination address: indicates the network or host a packet is destined for.

• Prefix length: indicates the length of the destination address prefix. From the prefix length, you can infer that the destination address is a network address or a host address.

• Nexthop: indicates the address of the close next hop through which the packet reaches the destination.

• Flag(s): identifies route features.

• Interface: indicates the outgoing interface of the packet.

• Timestamp: indicates the time when an FIB entry is established.

7.2 Configuring an IPv6 Address for an Interface
This section describes how to configure an IPv6 address for an interface.

7.2.1 Establishing the Configuration Task

7.2.2 Enabling IPv6 Packet Forwarding Capability

7.2.3 Configuring an IPv6 Link-Local Address for an Interface


7.2.4 Configuring an IPv6 Global Unicast Address for an Interface

7.2.5 Checking the Configuration

7.2.1 Establishing the Configuration Task

Applicable Environment
When a device communicates with an IPv6 device, you need to configure an IPv6 address for the interface. The NE5000E supports configuring IPv6 addresses for the following interfaces:

• Gigabit-Ethernet interfaces and sub-interfaces

• POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol support IPv6.)

• Tunnel interfaces

• Loopback interfaces

• Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces

You can configure 10 addresses for one interface. Addresses can be the link-local address and the global unicast address.

The link-local address is used in ND, and in the communication between nodes on the local link in the stateless address auto-configuration. The packets using the link-local address as the source or destination address are not forwarded to other links.

The link-local address can be automatically generated or manually configured. After being enabled with automatic address generation capability, the system automatically generates a link-local address. The link-local address configured manually must be a valid link-local address (FE80::/10).

It is recommended to automatically generate a link-local address because the link-local address is used only for the communication between link-local nodes. Commonly, it is used to implement communication requirements of protocols and is not directly related to the communication between users.

The global unicast address is equivalent to the IPv4 public address. It is used for data forwarding across the public network, which is necessary for the communication between users.

An EUI-64 address has the same function as a global unicast address. The difference is that only the network bits need to be specified for the EUI-64 address and the host bits are transformed from the MAC address of the interface, while a complete 128-bit address needs to be specified for the global unicast address. Note that the prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.

The EUI-64 address and the global unicast address can be configured simultaneously or alternatively. However, the IP addresses configured for one interface cannot be in the same network segment.

Pre-configuration Tasks
Before configuring IPv6 addresses, complete the following tasks:

• Configuring the physical features of the interface and ensuring that the status of the physical layer of the interface is Up

• Configuring the link layer parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation
To configure IPv6 addresses for an interface, you need the following data.

No.  Data
1    Number of the interface
2    Link-local address configured manually
3    Global unicast address and prefix length

7.2.2 Enabling IPv6 Packet Forwarding Capability

Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the system view and the interface view. This is because:

• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding capability is enabled on a device. The IPv6 function, however, is not enabled on the interface and hence you cannot perform any IPv6 configurations.

• If you run the ipv6 enable command only in the interface view, the IPv6 capability is enabled only on an interface but the IPv6 protocol status on the interface is Down. Therefore, the device cannot forward IPv6 data.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6

The IPv6 packet forwarding capability is enabled.

By default, the IPv6 packet forwarding capability is disabled.

To enable a device to forward IPv6 packets, you must run this command in the system view; otherwise, the IPv6 protocol status of the interface is Down and the device cannot forward IPv6 packets although you enable IPv6 on the interface.

Step 3 Run:
interface interface-type interface-number

The view of the interface to be enabled with the IPv6 capability is displayed.

Step 4 Run:
ipv6 enable

The IPv6 capability is enabled on the interface.

Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability in the interface view.

By default, the IPv6 capability is disabled on the interface.

----End

7.2.3 Configuring an IPv6 Link-Local Address for an Interface

Context
Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Perform the following as required.

Run:
ipv6 address auto link-local

Auto generation of the IPv6 link-local address is enabled.

Or

Run:
ipv6 address ipv6-address link-local

The IPv6 link-local address is manually configured.

Besides configuring a link-local address through the preceding two commands, you can also configure a global unicast IPv6 address for auto generating a link-local address. For details, see Configuring an IPv6 Global Unicast Address for an Interface.

----End

7.2.4 Configuring an IPv6 Global Unicast Address for an Interface

Context
Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

or

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

The global unicast address is configured on the interface.

----End

7.2.5 Checking the Configuration

Prerequisite
The configurations of the IPv6 addresses are complete.

Procedure

• Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the IPv6 information of an interface.

• Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ] command to check the IPv6 packet statistics.

----End

Example
Run the display ipv6 interface command. If the IPv6 address of the interface is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
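The link-local address and the two FF02::1:FFxx:xxxx groups in the output above follow mechanically from the interface MAC address and the configured addresses. The Python below is an added example, not part of the Huawei guide: it derives the EUI-64 interface identifier and the solicited-node multicast groups, and recovers the MAC address embedded in an EUI-64 address, which is useful when matching addresses seen in logs to hardware inventory. The MAC address 00:00:01:04:5d:00 is not shown on the page and is inferred from the displayed link-local address; all function names are illustrative.

```python
import ipaddress


def eui64_interface_id(mac):
    """Convert a 48-bit MAC into a 64-bit modified EUI-64 interface identifier.

    FF:FE is inserted between the two MAC halves and the universal/local
    bit (0x02 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = bytes([octets[0] ^ 0x02])
    return int.from_bytes(first + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def eui64_address(prefix, mac):
    """Combine a prefix of at most 64 bits with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("the prefix of an EUI-64 address must not be longer than 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr):
    """Return the solicited-node multicast group (FF02::1:FF00:0/104) for an address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # interface identifier was not built from a MAC
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


# MAC inferred from the link-local address in the display output (assumption).
INFERRED_MAC = "00:00:01:04:5d:00"

if __name__ == "__main__":
    link_local = eui64_address("fe80::/64", INFERRED_MAC)
    print("link-local          :", link_local)
    print("solicited-node (LL) :", solicited_node(link_local))
    print("solicited-node (GUA):", solicited_node("2001::1"))
    print("MAC from link-local :", mac_from_eui64(link_local))
    print("MAC from 2001::1    :", mac_from_eui64("2001::1"))
```
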

Run the display ipv6 interface brief command. If the configured IPv6 address and interface status are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                    Physical              Protocol
GigabitEthernet2/0/2         up                    up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/3         up                    up
[IPv6 Address] 2001::1
LoopBack0                    up                    up(s)
[IPv6 Address] Unassigned

Run the display ipv6 statistics command. If the statistics on IPv6 packets are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 statistics
IPv6 Protocol:

 Sent packets:
  Total              : 3630
  Local sent out     : 3630
  Forwarded          : 0
  Raw packets        : 0
  Discarded          : 0
  Fragmented         : 0
  Fragments          : 0
  Fragments failed   : 0
  Multicast          : 0
 Received packets:
  Total              : 3630
  Local host         : 3630
  Hop count exceeded : 0
  Header error       : 0
  Too big            : 0
  Routing failed     : 0
  Address error      : 0
  Protocol error     : 0
  Truncated          : 0
  Option error       : 0
  Fragments          : 0
  Reassembled        : 0
  Reassembly timeout : 0
  Multicast          : 0

7.3 Configuring IPv6 Neighbor Discovery

This section describes how to configure IPv6 neighbor discovery.

7.3.1 Establishing the Configuration Task

7.3.2 Configuring Static Neighbors

7.3.3 Enabling RA Message Advertising

7.3.4 Setting the Interval for Advertising RA Messages

7.3.5 Enabling Stateful Auto Configuration

7.3.6 Configuring the Address Prefixes to Be Advertised

7.3.7 Configuring Other Information to Be Advertised

7.3.8 Checking the Configuration

7.3.1 Establishing the Configuration Task

Applicable Environment

Most of the ND configurations are implemented based on the interfaces.

The IPv6 ND configuration is supported on the following interfaces:

- Gigabit-Ethernet interfaces and their sub-interfaces

- POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol support IPv6.)

- Tunnel interfaces

- Loopback interfaces

- Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces

NOTE

Although POS interfaces can be configured with IPv6 ND-related commands, sending or forwarding packets on these interfaces does not actually require neighbor entries.

Pre-configuration Tasks

Before configuring IPv6 neighbor discovery, complete the following tasks:

- Configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up

- Configuring link layer parameters for the interface

- Configuring the IPv6 address for the interface

Data Preparation

To configure IPv6 neighbor discovery, you need the following data.

No.  Data
1    Number of interface which needs to be configured with IPv6 ND
2    IPv6 address and MAC address of the static neighbor
3    Intervals, prefix, and life duration of RA messages
4    Flag bit of automatic configuration
5    Hop limit of ND
6    Sending times of DAD
7    Intervals for re-transmitting NS messages
8    NUD reachable time
9    Interface MTU

7.3.2 Configuring Static Neighbors

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: ipv6 neighbor ipv6-address mac-address

Static neighbors are configured.

Static neighbors can be configured for interfaces and their sub-interfaces. You can configure up to 300 neighbors on each interface.

----End

7.3.3 Enabling RA Message Advertising

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: undo ipv6 nd ra halt

The function of advertising RA messages is enabled.

----End

7.3.4 Setting the Interval for Advertising RA Messages

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

The interval for advertising RA messages is configured.

By default, the maximum interval is 600 seconds and the minimum interval is 200 seconds.

The maximum interval cannot be shorter than the minimum interval.

----End

7.3.5 Enabling Stateful Auto Configuration

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: ipv6 nd autoconfig managed-address-flag

The flag bit for stateful auto configuration addresses is set.

If this flag is set, hosts use the stateful protocol for address auto-configuration in addition to any addresses auto-configured using stateless address auto-configuration.

Step 4 Run: ipv6 nd autoconfig other-flag

The flag bit for other stateful configurations is set.

When this flag is set, hosts use the stateful protocol for auto-configuration of other (non-address) information.

----End

7.3.6 Configuring the Address Prefixes to Be Advertised

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: ipv6 nd ra prefix { ipv6-address prefix-length | ipv6-address/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]

The prefix of RA messages is configured.

----End

7.3.7 Configuring Other Information to Be Advertised

Context

Duplicate Address Detection (DAD) is a process of IPv6 automatic address configuration. You can configure the number of DAD messages that are sent consecutively.

Set the interval for sending Neighbor Solicitation (NS) messages on the device. By default, the NS retransmission interval is 1000 ms.

NUD checks the reachability of neighbors. By default, the NUD value is 30000 ms.

The MTU of the interface determines whether to fragment IP packets on the interface. Default MTUs vary with interface types. The MTU on a GigabitEthernet interface defaults to 1500 bytes.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 nd hop-limit limit

ND hop limit is configured.

The value of limit ranges from 1 to 255. By default, it is 64.

Step 3 Run: interface interface-type interface-number

The interface view is displayed.

Step 4 Run: ipv6 nd ra router-lifetime ra-lifetime

The life duration of RA messages is configured.

NOTE

- When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval must be less than or equal to the life duration.

- By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.

- By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration is still 1800 seconds.

Step 5 Run: ipv6 nd dad attempts value

The number of times DAD messages are sent is configured.

Step 6 Run: ipv6 nd ns retrans-timer value

The interval for re-sending NS messages is set.

Step 7 Run: ipv6 nd nud reachable-time value

The NUD reachable time is set.

Step 8 Run: ipv6 mtu mtu

The MTU of the interface is configured.

----End

Postrequisite

If the IPv6 MTU value is changed, run the shutdown command and then the undo shutdown command in the interface view to validate the configuration.
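The timer rules stated in 7.3.4 and in the NOTE of 7.3.7 can be checked offline against a saved configuration before it is loaded. The following Python sketch is an added example, not Huawei code; the sample configuration is constructed, the function names are hypothetical, and it assumes that the saved configuration lists the ND commands in the form in which they are typed.

```python
import re

# Defaults stated in this guide, in seconds.
DEFAULTS = {"max-interval": 600, "min-interval": 200, "router-lifetime": 1800}

# Constructed sample configuration (addresses and lifetimes are made up).
SAMPLE_CONFIG = """\
#
ipv6
ipv6 nd hop-limit 64
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 3000::1/64
 undo ipv6 nd ra halt
 ipv6 nd ra min-interval 200
 ipv6 nd ra max-interval 150
#
interface GigabitEthernet1/0/1
 ipv6 enable
 ipv6 nd ra prefix 3001::/64 2592000 604800
 ipv6 nd ra router-lifetime 300
#
return
"""

TIMER = re.compile(r"ipv6 nd ra (max-interval|min-interval|router-lifetime) (\d+)")
HOP_LIMIT = re.compile(r"ipv6 nd hop-limit (\d+)")


def parse_stanzas(config_text):
    """Return {stanza name: [commands]}; non-interface commands go to 'system'."""
    stanzas = {"system": []}
    current = "system"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # '#' ends the current stanza
            current = "system"
        elif line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas.setdefault(current, [])
        else:
            stanzas[current].append(line)
    return stanzas


def check_ra_config(config_text):
    """Return (scope, message) findings for the rules in 7.3.4 and 7.3.7."""
    findings = []
    stanzas = parse_stanzas(config_text)
    for cmd in stanzas["system"]:
        m = HOP_LIMIT.fullmatch(cmd)
        if m and not 1 <= int(m.group(1)) <= 255:
            findings.append(("system", "hop-limit %s is outside 1-255" % m.group(1)))
    for name, cmds in stanzas.items():
        if name == "system":
            continue
        timers = dict(DEFAULTS)               # unset timers keep their defaults
        ra_enabled = has_prefix = False
        for cmd in cmds:
            m = TIMER.fullmatch(cmd)
            if m:
                timers[m.group(1)] = int(m.group(2))
            elif cmd == "undo ipv6 nd ra halt":
                ra_enabled = True
            elif cmd.startswith("ipv6 nd ra prefix "):
                has_prefix = True
        if timers["max-interval"] < timers["min-interval"]:
            findings.append((name, "max-interval %d is shorter than min-interval %d"
                             % (timers["max-interval"], timers["min-interval"])))
        if timers["max-interval"] > timers["router-lifetime"]:
            findings.append((name, "max-interval %d exceeds router-lifetime %d"
                             % (timers["max-interval"], timers["router-lifetime"])))
        # Assumption: RA advertising stays off until 'undo ipv6 nd ra halt' is
        # present, as 7.3.3 implies, so a prefix alone is never advertised.
        if has_prefix and not ra_enabled:
            findings.append((name, "RA prefix configured but RA advertising is not enabled"))
    return findings


if __name__ == "__main__":
    for scope, message in check_ra_config(SAMPLE_CONFIG):
        print("%s: %s" % (scope, message))
```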

7.3.8 Checking the Configuration

Prerequisite

The configurations of the IPv6 neighbor discovery function are complete.

Procedure

- Run the display ipv6 neighbors [ interface-type interface-number ] command to check the neighbor information in the cache.

- Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the IPv6 information of an interface.

----End

Example

Run the display ipv6 neighbors command. If the cache of the neighbor information contains neighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.

<HUAWEI> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e                 State : STALE
Interface    : GE1/0/0                        Age   : 7
VPN name     : vpn1                           VLAN  : -

IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e                 State : STALE
Interface    : GE1/0/0                        Age   : 7
VPN name     : vpn1                           VLAN  : -
--------------------------------------------------------
Total: 2      Dynamic: 2      Static: 0

Run the display ipv6 interface command. If information about the IPv6 address on the interface is displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

Run the display ipv6 interface brief command. If information about the IPv6 address on the interface and interface status are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                    Physical              Protocol
GigabitEthernet2/0/2         up                    up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/3         up                    up
[IPv6 Address] 2001::1
LoopBack0                    up                    up(s)
[IPv6 Address] Unassigned
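The check on the display ipv6 neighbors output described above can be automated: parse the cache, confirm that the entry count matches the Total line, and compare each address against the link-layer address it is expected to have (for example the bindings entered with ipv6 neighbor in 7.3.2). The following Python sketch is an added example, not Huawei code; the third cache entry and the EXPECTED table are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of the display ipv6 neighbors output above;
# the first two entries repeat the guide's values, the third is made up.
SAMPLE_OUTPUT = """\
<HUAWEI> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e                 State : STALE
Interface    : GE1/0/0                        Age   : 7
VPN name     : vpn1                           VLAN  : -

IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e                 State : STALE
Interface    : GE1/0/0                        Age   : 7
VPN name     : vpn1                           VLAN  : -

IPv6 Address : 3003::3
Link-layer   : 00e0-fc12-3456                 State : STALE
Interface    : GE1/0/0                        Age   : 7
VPN name     : vpn1                           VLAN  : -
--------------------------------------------------------
Total: 3      Dynamic: 3      Static: 0
"""

# Constructed table of bindings the operator expects to see.
EXPECTED = {
    "3003::2": "00e0-fc89-fe6e",
    "3003::3": "00e0-fcaa-bbcc",
    "3003::9": "00e0-fc00-0001",
}

# "Key : value" pairs; the whitespace required after ':' keeps the colons
# inside an IPv6 address from being read as separators.
FIELD = re.compile(r"([A-Za-z][A-Za-z0-9 -]*?)\s*:\s+(\S+)")
COUNTS = re.compile(r"(Total|Dynamic|Static):\s*(\d+)")


def parse_neighbors(output):
    """Return (list of entry dicts, summary counts) from the command output."""
    entries, counts = [], {}
    for line in output.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"} or line.startswith("<"):
            continue                            # blank, separator or prompt line
        if line.startswith("Total:"):
            counts = {k.lower(): int(v) for k, v in COUNTS.findall(line)}
            continue
        for key, value in FIELD.findall(line):
            if key == "IPv6 Address":           # first field of a new entry
                entries.append({})
            if entries:
                entries[-1][key] = value
    return entries, counts


def eui64_link_local(mac):
    """Link-local address derived from a MAC by modified EUI-64 (RFC 4291)."""
    raw = bytearray.fromhex(mac.replace("-", ""))
    raw[0] ^= 0x02                              # flip the universal/local bit
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def audit(entries, counts, expected):
    """Compare the cache with expected {IPv6 address: link-layer address}."""
    findings = []
    if counts.get("total") != len(entries):
        findings.append("parsed %d entries but summary says Total: %s"
                        % (len(entries), counts.get("total")))
    seen = {ipaddress.IPv6Address(e["IPv6 Address"]): e for e in entries}
    for addr, mac in expected.items():
        entry = seen.get(ipaddress.IPv6Address(addr))
        if entry is None:
            findings.append("%s: expected neighbor missing from cache" % addr)
        elif entry["Link-layer"].lower() != mac.lower():
            findings.append("%s: bound to %s, expected %s"
                            % (addr, entry["Link-layer"], mac))
    for addr, entry in seen.items():
        # Informational only: manually set or randomized link-locals also differ.
        if addr.is_link_local and addr != eui64_link_local(entry["Link-layer"]):
            findings.append("info: %s is not the EUI-64 form of %s"
                            % (addr, entry["Link-layer"]))
    return findings


if __name__ == "__main__":
    for finding in audit(*parse_neighbors(SAMPLE_OUTPUT), EXPECTED):
        print(finding)
```

The EUI-64 helper also shows why the guide's two entries share one link-layer address: FE80::2E0:FCFF:FE89:FE6E is the link-local address derived from 00e0-fc89-fe6e.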

7.4 Configuring PMTU

This section describes how to configure IPv6 PMTU.

7.4.1 Establishing the Configuration Task

7.4.2 Creating Static PMTU Entries

7.4.3 Configuring PMTU Aging Time

7.4.4 Checking the Configuration

7.4.1 Establishing the Configuration Task

Applicable Environment

By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUs across the network. This avoids packet fragmentation, reduces the burden of the devices, implements efficient usage of network resources and achieves the best throughput.

Pre-configuration Tasks

Before configuring PMTUs, complete the following tasks:

- Configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up

- Configuring the link layer protocol for the interface

Data Preparation

To configure PMTUs, you need the following data.

No.  Data
1    IPv6 address and PMTU value to be configured
2    PMTU aging time

7.4.2 Creating Static PMTU Entries

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 pathmtu ipv6-address [ path-mtu ]

The PMTU value of a specified IPv6 address is configured.

By default, the PMTU of the IPv6 address is 1500 bytes.

----End

7.4.3 Configuring PMTU Aging Time

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 pathmtu age age-time

The aging time of PMTU is configured.

By default, the dynamic PMTU aging time is 10 minutes.

The PMTU aging time is used to change the lifetime of a dynamic PMTU entry in the cache. It has no effect on static PMTU entries because they cannot be aged.

If a static PMTU exists, the dynamic PMTU does not take effect.

----End

7.4.4 Checking the Configuration

Prerequisite

The configurations of the PMTU are complete.

Procedure

- Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to check all PMTU items.

- Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the current MTU of the interface.

----End

Example

Run the display ipv6 pathmtu command. If the destination IPv6 address, the PMTU value, the aging time and type are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 pathmtu all
IPv6 Destination Address    ZoneID   PathMTU   Age   Type
fe80::12                    0        1300      40    Dynamic
2222::3                     0        1280      --    Static

Run the display ipv6 interface command. If the current MTU of the interface is displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

7.5 Enabling the FIB Cache

This section describes how to enable the FIB cache capacity.

7.5.1 Establishing the Configuration Task

7.5.2 Enabling the FIB Cache

7.5.3 Checking the Configuration

7.5.1 Establishing the Configuration Task

Applicable Environment

None.

Pre-configuration Tasks

Before enabling the FIB cache capability of a device, complete the following tasks:

- Connecting the interface and configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up

- Configuring the link layer protocol parameters for the interface

Data Preparation

To enable the FIB cache capability, you need the following data.

No.  Data
1    Slot ID

7.5.2 Enabling the FIB Cache

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 fibcache { slot-id | all }

FIB cache is enabled on the device.

By default, the FIB cache is disabled on the device.

----End

7.5.3 Checking the Configuration

Prerequisite

The configuration for enabling the FIB cache is complete.

Procedure

- Run the display ipv6 fib [ spt ] [ slot-id ] [ | { begin | include | exclude } regular-expression ] command to check the FIB information.

- Run the display ipv6 fibcache slot-id command to check the total number of routes in the FIB cache.

----End

Example

Run the display ipv6 fib command. If the details of FIB are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 fib
FIB Table:
Total number of Routes : 4

Destination: ::1                          PrefixLength : 128
NextHop    : ::1                          Flag         : HU
Label      : NULL                         Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:41:26   reference : 1
Interface  : InLoopBack0
IP6Token   : 0x0

Destination: FE80::                       PrefixLength : 10
NextHop    : ::                           Flag         : BU
Label      : NULL                         Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:34   reference : 1
Interface  : NULL0
IP6Token   : 0x0

Destination: 2001::2                      PrefixLength : 128
NextHop    : ::1                          Flag         : HU
Label      : NULL                         Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:36   reference : 1
Interface  : InLoopBack0
IP6Token   : 0x0

Destination: 2001::                       PrefixLength : 64
NextHop    : 2001::2                      Flag         : U
Label      : NULL                         Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:36   reference : 1
Interface  : GigabitEthernet6/0/0
IP6Token   : 0x0

Run the display ipv6 fibcache command. If FIB cache contains the routing information, it means that the configuration succeeds.

<HUAWEI> display ipv6 fibcache 6
FIB Cache:
Total number of Routes : 2

Destination: 2001::1 FIB                  PrefixLength : 64
NextHop    : 2001::2 FIB                  Flag         : U
Label      : NULL                         Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:45   reference : 0
Interface  : GigabitEthernet6/0/0
IP6Token   : 0x0

Destination: 2001::2 FIB                  PrefixLength : 128
NextHop    : ::1 FIB                      Flag         : HU
Label      : NULL                         Tunnel ID    : 0
TimeStamp  : Date- 14:8:2008, Time- 14:44:45   reference : 0
Interface  : InLoopBack0
IP6Token   : 0x0

7.6 Configuring TCP6

This section describes how to configure TCP connections.

7.6.1 Establishing the Configuration Task

7.6.2 Configuring TCP6 Timers

7.6.3 Configuring the Size of the TCP6 Sliding Window

7.6.4 Checking the Configuration

7.6.1 Establishing the Configuration Task

Applicable Environment

To optimize network performance, you need to adjust the TCP6 parameters.

Pre-configuration Tasks

Before configuring TCP6, complete the following tasks:

- Connecting and configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up

- Configuring the link layer protocol parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure TCP6, you need the following data.

No.  Data
1    Value of TCP6 FIN-WAIT timer
2    Value of TCP6 SYN-WAIT timer
3    Size of TCP6 Sliding Window

7.6.2 Configuring TCP6 Timers

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: tcp ipv6 timer syn-timeout timer-value

The TCP6 SYN-WAIT timer is set.

By default, the SYN-WAIT timer is 75s.

Step 3 Run: tcp ipv6 timer fin-timeout timer-value

The TCP6 FIN-WAIT timer is set.

By default, the FIN-WAIT timer is 675s.

----End

7.6.3 Configuring the Size of the TCP6 Sliding Window

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: tcp ipv6 window window-size

The size of the TCP6 sliding window is configured.

The size of the TCP6 sliding window ranges from 1 KB to 32 KB. By default, the size of the TCP6 sliding window is 8 KB.

----End

7.6.4 Checking the Configuration

Prerequisite

The configurations of the TCP6 function are complete.

Procedure

- Run the display tcp ipv6 statistics command to check related TCP6 statistics.

- Run the display tcp ipv6 status command to check the TCP6 connection status.

- Run the display udp ipv6 statistics command to check related UDP6 statistics.

- Run the display ipv6 socket [ socktype sock-type ] [ task-id sock-id ] command to check the information of the specified socket.

----End

Example

Run the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statistics commands. If the connection status and statistics of TCP6 and UDP6 are displayed, it means that the configuration succeeds.

<HUAWEI> display tcp ipv6 statistics
Received packets:
  total: 0
  packets in sequence: 0 (0 bytes)
  window probe packets: 0
  window update packets: 0
  checksum error: 0
  offset error: 0
  short error: 0
  duplicate packets: 0 (0 bytes)
  partially duplicate packets: 0 (0 bytes)
  out-of-order packets: 0 (0 bytes)
  packets with data after window: 0 (0 bytes)
  packets after close: 0
  ACK packets: 0 (0 bytes)
  duplicate ACK packets: 0
  too much ACK packets: 0
  packets dropped due to MD5 authentication failure: 0
  packets receieved with MD5 Signature Option: 0

Sent packets:
  total: 0
  urgent packets: 0
  control packets: 0 (including 0 RST)
  window probe packets: 0
  window update packets: 0
  data packets: 0 (0 bytes)
  data packets retransmitted: 0 (0 bytes)
  ACK only packets: 0 (0 delayed)
  packets sent with MD5 Signature Option: 0

Other Statistics:
  retransmitted timeout: 0
  connections dropped in retransmitted timeout: 0
  keepalive timeout: 0
  keepalive probe: 0
  keepalive timeout, so connections disconnected: 0
  initiated connections: 0
  accepted connections: 0
  established connections: 0
  closed connections: 0 (dropped: 0, initiated dropped: 0)

<HUAWEI> display tcp ipv6 status
TCP6CB    Local Address        Foreign Address      State
09e39ae4  3000::2->179         3000::1->49158       Time_Wait
09e36f24  3000::2->49152       3000::1->179         Established
07da08f8  ::->179              ::->0                Listening
07d96da8  ::->23               ::->0                Listening

<HUAWEI> display udp ipv6 statistics
Received packets:
  total: 0
  total(64bit high-capacity counter): 0
  checksum error: 0
  shorter than header: 0
  invalid message length: 0
  no socket on port: 0
  no multicast port: 0
  not delivered, input socket full: 0
  input packets missing pcb cache: 0
  packets sent for external pre processing: 1
Sent packets:
  total: 0
  total(64bit high-capacity counter): 0

Run the display ipv6 socket command. If the related socket information is displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 socket
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC

Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC

SOCK_DGRAM:
SOCK_RAW:
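The display tcp ipv6 status and display ipv6 socket outputs above can be joined to list which TCP6 ports the router accepts connections on and which task owns each one, which is a quick way to spot a Telnet listener (port 23) that is bound to every IPv6 address. The following Python sketch is an added example, not Huawei code; the two sample strings repeat the guide's outputs, and the function names are hypothetical.

```python
import re

# Samples in the layout of the two outputs shown above.
STATUS_OUTPUT = """\
<HUAWEI> display tcp ipv6 status
TCP6CB    Local Address        Foreign Address      State
09e39ae4  3000::2->179         3000::1->49158       Time_Wait
09e36f24  3000::2->49152       3000::1->179         Established
07da08f8  ::->179              ::->0                Listening
07d96da8  ::->23               ::->0                Listening
"""

SOCKET_OUTPUT = """\
<HUAWEI> display ipv6 socket
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
SOCK_RAW:
"""

# Control block id, local address->port, foreign address->port, state.
ROW = re.compile(r"^([0-9a-fA-F]{8})\s+(\S+)->(\d+)\s+(\S+)->(\d+)\s+(\S+)$")
CLEARTEXT_MGMT = {23: "telnet"}     # management protocol without encryption


def parse_tcp6_status(output):
    """Return one dict per row of the display tcp ipv6 status table."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            cb, laddr, lport, faddr, fport, state = m.groups()
            rows.append({"cb": cb, "local": laddr, "lport": int(lport),
                         "foreign": faddr, "fport": int(fport), "state": state})
    return rows


def parse_socket_owners(output):
    """Map local port -> task name for sockets marked SO_ACCEPTCONN."""
    owners, task, port = {}, None, None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Task = (\w+)\(\d+\)", line)
        if m:                               # a Task line starts a new socket
            task, port = m.group(1), None
            continue
        m = re.match(r"LA = \S+->(\d+),", line)
        if m:
            port = int(m.group(1))
        elif line.startswith("socket option") and "SO_ACCEPTCONN" in line:
            if task and port is not None:
                owners[port] = task
    return owners


def audit_listeners(status_output, socket_output):
    """Return (port, owning task, notes) for every socket in Listening state."""
    owners = parse_socket_owners(socket_output)
    report = []
    for row in parse_tcp6_status(status_output):
        if row["state"] != "Listening":
            continue
        notes = []
        if row["local"] == "::":
            notes.append("bound to all IPv6 addresses")
        if row["lport"] in CLEARTEXT_MGMT:
            notes.append("cleartext management (%s)" % CLEARTEXT_MGMT[row["lport"]])
        report.append((row["lport"], owners.get(row["lport"], "unknown"), notes))
    return report


if __name__ == "__main__":
    for port, task, notes in audit_listeners(STATUS_OUTPUT, SOCKET_OUTPUT):
        print("port %d task %s: %s" % (port, task, "; ".join(notes)))
```

Port 179 is reported with an unknown owner because the guide's socket sample does not list it; on a live device both commands would be captured at the same time.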

7.7 Maintaining IPv6

This section describes how to clear IPv6 statistics and debug IPv6.

7.7.1 Resetting IPv6

7.7.2 Monitoring Network Operation Status of IPv6

7.7.3 Debugging IPv6

7.7.1 Resetting IPv6

Context

CAUTION

IPv6 statistics cannot be restored after they are cleared. Confirm the action before you run the command.

Procedure

- Run the reset ipv6 statistics [ slot slot-id ] command in the user view to clear statistics of processing IPv6 packets after you confirm it.

- Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clear PMTU entries in the cache after you confirm it.

- Run the reset ipv6 fibcache { slot-id | all } command in the user view to clear cached entries in FIB after you confirm it.

- Run the reset ipv6 neighbors { all | dynamic | static [ interface-type interface-number ] | interface-type interface-number } command in the user view to clear IPv6 neighbor entries in the cache after you confirm it.

- Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics after you confirm it.

- Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statistics after you confirm it.

----End

7.7.2 Monitoring Network Operation Status of IPv6

Context

In routine maintenance, you can run the following commands in any view to check the operation of IPv6.

Procedure

- Run the display ipv6 interface [ interface-type interface-number | brief ] command in any view to check the IPv6 information about the interface.

- Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ] command in any view to check IPv6 packet statistics.

- Run the display icmpv6 statistics [ slot slot-id | interface interface-type interface-number ] command in any view to check ICMPv6 packet statistics.

- Run the display ipv6 neighbors [ interface-type interface-number ] command in any view to check the contents of the neighbor cache.

- Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command in any view to check all PMTU entries.

- Run the display tcp ipv6 statistics command in any view to check TCP6 statistics.

- Run the display tcp ipv6 status command in any view to check TCP6 connection status.

- Run the display udp ipv6 statistics command in any view to check UDP6 statistics.

- Run the display ipv6 socket [ socktype sock-type ] [ task-id sock-id ] command in any view to check information about the specified socket.

- Run the display ipv6 fib [ spt ] [ slot-id ] [ | { begin | include | exclude } regular-expression ] command in any view to check information about the FIB.

- Run the display ipv6 fibcache slot-id command in any view to check the total number of routes in the FIB cache.

----End

7.7.3 Debugging IPv6

Context

CAUTION

Debugging affects the performance of the system. So, after debugging, execute the undo debugging all command to disable it immediately.

Run the following debugging commands in the user view to debug IPv6 and locate the fault.

For the procedures of displaying the debugging information, refer to the chapter "Information Center Configuration" in the NE5000E Core Router Configuration Guide - System Management. For descriptions about the debugging commands, refer to the NE5000E Core Router Debugging Reference.

Procedure

- Run the debugging ipv6 icmpv6 command in the user view to debug ICMPv6.

- Run the debugging ipv6 nd command in the user view to debug IPv6 neighbors status and ND messages.

- Run the debugging ipv6 packet [ error ] [ acl acl-number ] command in the user view to debug IPv6 packet.

- Run the debugging ipv6 pathmtu command in the user view to debug PMTU.

- Run the debugging tcp ipv6 { event | packet } [ task-id socket-id ] command in the user view to debug TCP6.

- Run the debugging udp ipv6 packet [ task-id socket-id ] command in the user view to debug UDP6.

----End

7.8 Configuration Examples

This section provides a configuration example for the IPv6 address.

7.8.1 Example for Configuring an IPv6 Address for an Interface

7.8.2 Example for Configuring IPv6 Neighbor Discovery

7.8.1 Example for Configuring an IPv6 Address for an Interface

Networking Requirement

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 7-1, Router A and Router B are connected through POS interfaces. It is required to configure IPv6 global unicast addresses for the interfaces and test the connectivity between them.

The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and 3001::2/64.

Figure 7-1 Networking diagram of configuring an IPv6 address for an interface

RouterA (POS 1/0/0, 3001::1/64) ---- RouterB (POS 1/0/0, 3001::2/64)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable IPv6 forwarding capability on devices.

2. Configure IPv6 global unicast addresses for the interfaces.

Data Preparation

To complete the configuration, you need the following data:

- Global unicast addresses of the interfaces

Procedure

Step 1 Enable IPv6 packet forwarding on Router A and Router B.

# Configure Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6

# Configure Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6

Step 2 Configure IPv6 global unicast addresses for the interfaces.

# Configure Router A.

[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ipv6 enable
[RouterA-Pos1/0/0] ipv6 address 3001::1/64
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit

# Configure Router B.

[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ipv6 enable
[RouterB-Pos1/0/0] ipv6 address 3001::2/64
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

Step 3 Verify the configuration.

If the configuration succeeds, you can view the configured IPv6 global unicast addresses, and the status of the interface and the status of the IPv6 protocol are both Up.

# Display interface information of Router A.

[RouterA] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::C964:0:B8B6:1
  Global unicast address(es):
    3001::1, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FFB6:1
    FF02::2
    FF02::1
  MTU is 4470 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# Display interface information of Router B.

[RouterB] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1
  Global unicast address(es):
    3001::2, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::1:FFF3:1
    FF02::2
    FF02::1
  MTU is 4470 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# On Router A, ping the link-local address of Router B. Note that you need to use the parameter-i to specify the interface.

7 Basic IPv6 ConfigurationHUAWEI NetEngine5000E Core Router

Configuration Guide - IP Services

7-26 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 02 (2009-12-10)

Page 253: Configuration Guide - IP Services(V300R007C00 02)[1]

[RouterA] ping ipv6 fe80::2d6f:0:7af3:1 -i pos 1/0/0 PING FE80::2D6F:0:7AF3:1 : 56 data bytes, press CTRL_C to break Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=1 hop limit=64 time = 60 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=2 hop limit=64 time = 50 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=3 hop limit=64 time = 50 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=4 hop limit=64 time = 30 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=5 hop limit=64 time = 1 ms --- FE80::2D6F:0:7AF3:1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/38/60 ms

# On Router A, ping the global unicast IPv6 address of Router B.

[RouterA] ping ipv6 3001::2
  PING 3001::2 : 56 data bytes, press CTRL_C to break
    Reply from 3001::2
    bytes=56 Sequence=1 hop limit=64 time = 30 ms
    Reply from 3001::2
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::2
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from 3001::2
    bytes=56 Sequence=4 hop limit=64 time = 20 ms
    Reply from 3001::2
    bytes=56 Sequence=5 hop limit=64 time = 40 ms
  --- 3001::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/38/50 ms

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3001::1/64
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3001::2/64
#
return

7.8.2 Example for Configuring IPv6 Neighbor Discovery

Networking Requirements

CAUTION
On a single NE5000E, the interface is numbered in the format of slot number/card number/port number. In the multi-chassis scenario, the interface is numbered in the format of chassis ID/slot number/card number/interface number. This requires the chassis ID to be specified along with the slot number.

As shown in Figure 7-2, the device is directly connected to the PC through GE 1/0/10. The PC runs the Windows XP operating system.

Figure 7-2 Example for configuring IPv6 neighbor discovery

[Figure labels: Quidway, PC, GE1/0/10, 3000::/64 eui-64.]

Notes

When configuring IPv6 neighbor discovery, pay attention to the following:

• A PC can automatically obtain the RA prefix message from devices only after the Router Advertisement (RA) prefix message to be advertised is configured and the advertisement of the RA prefix message is enabled on devices.

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the link-local address and the EUI-64 unicast address separately on GE 1/0/10.

2. Configure the RA prefix message to be advertised on GE 1/0/10 and enable the advertisement of the RA prefix message.

Data Preparation

To complete the configuration, you need the following data:

• Link-local address and EUI-64 unicast address on GE 1/0/10

• RA prefix message to be advertised

Procedure

Step 1 Enable IPv6 forwarding on the device.

<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] ipv6

Step 2 Configure the link-local address on GE 1/0/10.

[Router] interface gigabitethernet 1/0/10
[Router-GigabitEthernet1/0/10] undo shutdown
[Router-GigabitEthernet1/0/10] ipv6 enable
[Router-GigabitEthernet1/0/10] ipv6 address auto link-local

Step 3 Configure the EUI-64 unicast address on GE 1/0/10 and the prefix in the RA message.

[Router-GigabitEthernet1/0/10] ipv6 address 3000::/64 eui-64
[Router-GigabitEthernet1/0/10] ipv6 nd ra prefix 3000::/64 1000 1000
[Router-GigabitEthernet1/0/10] undo ipv6 nd ra halt

Step 4 Verify the configuration.

If the configurations are successful, you can view the configured link-local address and EUI-64 unicast address and find that GE 1/0/10 is Up and IPv6 is Up.

# Display information about interfaces of devices.

[Router-GigabitEthernet1/0/10] display this ipv6 interface
GigabitEthernet1/0/10 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE7D:A497
  Global unicast address(es):
    3000::2E0:FCFF:FE7D:A497, subnet is 3000::/64
  Joined group address(es):
    FF02::1:FF7D:A497
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisement max interval 600 seconds, min interval 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses

# Display information about PCs.

Ethernet adapter 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC #2
   Physical Address. . . . . . . . . : 00-E0-4C-77-A1-B6
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 110.1.1.33
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   IP Address. . . . . . . . . . . . : 3000::78b3:4397:c0c4:f078
   IP Address. . . . . . . . . . . . : 3000::2e0:4cff:fe77:a1b6
   IP Address. . . . . . . . . . . . : fe80::2e0:4cff:fe77:a1b6%6
   Default Gateway . . . . . . . . . : fe80::288:ff:fe10:b%6
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1

# Ping the link-local address of the PC from the device. Use the parameter -i to specify the interface corresponding to the link-local address.

[Router-GigabitEthernet1/0/10] ping ipv6 fe80::2e0:4cff:fe77:a1b6 -i gigabitethernet1/0/10
  PING FE80::2E0:4CFF:FE77:A1B6: 56 data bytes, press CTRL_C to break
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=4 hop limit=64 time = 30 ms
    Reply from FE80::2E0:4CFF:FE77:A1B6
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- FE80::2E0:4CFF:FE77:A1B6 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/38/60 ms

# Ping the local unicast address of the EUI-64 site of the PC from the device.

[Router-GigabitEthernet1/0/10] ping ipv6 3000::78b3:4397:c0c4:f078
  PING 3000::78B3:4397:C0C4:F078 : 56 data bytes, press CTRL_C to break
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=1 hop limit=64 time = 30 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=4 hop limit=64 time = 20 ms
    Reply from 3000::78B3:4397:C0C4:F078
    bytes=56 Sequence=5 hop limit=64 time = 40 ms
  --- 3000::78B3:4397:C0C4:F078 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/38/50 ms

----End

Configuration Files

Configuration file of Router

#
 sysname Router
#
 ipv6
#
interface GigabitEthernet1/0/10
 undo shutdown
 ipv6 enable
 ipv6 address 3000::/64 eui-64
 ipv6 address auto link-local
 ipv6 nd ra prefix 3000::/64 1000 1000
 undo ipv6 nd ra halt
#
return
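The EUI-64 addresses and joined groups in the outputs of this example follow directly from the interface MAC addresses, which also means an EUI-64 address discloses the hardware address to every peer. The Python sketch below is an added example, not part of the Huawei guide: it derives the modified EUI-64 interface ID (RFC 4291), recovers the MAC address embedded in an address, and checks that every address has its solicited-node group joined. Function names are hypothetical; the sample values are copied from the outputs above.

```python
import ipaddress
from typing import Iterable, Optional, Set

# ff02::1:ff00:0/104 is the solicited-node multicast prefix (RFC 4291).
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

# Values copied from the display and ipconfig outputs of this example.
PC_MAC = "00-E0-4C-77-A1-B6"
PC_ADDRESSES = ["3000::78b3:4397:c0c4:f078", "3000::2e0:4cff:fe77:a1b6",
                "fe80::2e0:4cff:fe77:a1b6%6"]
ROUTER_ADDRESSES = ["FE80::2E0:FCFF:FE7D:A497", "3000::2E0:FCFF:FE7D:A497"]
ROUTER_GROUPS = ["FF02::1:FF7D:A497", "FF02::2", "FF02::1"]


def _addr(text: str) -> ipaddress.IPv6Address:
    """Parse an IPv6 address, dropping a zone suffix such as %6."""
    return ipaddress.IPv6Address(text.split("%")[0])


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID for a 48-bit MAC address."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    # Flip the universal/local bit and insert FF:FE between OUI and NIC part.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a /64 prefix and its MAC (eui-64 keyword)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def embedded_mac(address: str) -> Optional[str]:
    """MAC recovered from an EUI-64 address, or None without the FF:FE marker.

    Heuristic: a random interface ID can carry FF:FE by chance.
    """
    iid = (int(_addr(address)) & (2 ** 64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join("%02X" % b for b in mac)


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group: prefix plus the low 24 address bits."""
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(_addr(address)) & 0xFFFFFF))


def missing_groups(addresses: Iterable[str],
                   joined: Iterable[str]) -> Set[ipaddress.IPv6Address]:
    """Solicited-node groups required by the addresses but not joined."""
    have = {_addr(group) for group in joined}
    return {solicited_node(a) for a in addresses} - have


if __name__ == "__main__":
    print("PC address from RA prefix:", eui64_address("3000::/64", PC_MAC))
    for address in PC_ADDRESSES + ROUTER_ADDRESSES:
        print(address, "->", embedded_mac(address) or "no embedded MAC")
    print("missing groups:", missing_groups(ROUTER_ADDRESSES, ROUTER_GROUPS))
```

Of the PC's three IPv6 addresses, 3000::78b3:4397:c0c4:f078 carries no FF:FE marker, so it is the only one that does not reveal the adapter's MAC address.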

8 IPv6 DNS Configuration

About This Chapter

This chapter describes the basic principle, configuration procedures, and configuration examples for IPv6 DNS.

8.1 IPv6 DNS Overview
This section describes the principle and concepts of IPv6 DNS.

8.2 Configuring IPv6 DNS
This section describes how to communicate with other devices using the domain name.

8.3 Maintaining IPv6 DNS
This section describes how to display IPv6 DNS configurations, clear IPv6 DNS statistics, and debug IPv6 DNS.

8.4 Configuration Examples
This section provides several configuration examples of IPv6 DNS.

8.1 IPv6 DNS Overview
This section describes the principle and concepts of IPv6 DNS.

8.1.1 Introduction to IPv6 DNS

8.1.2 IPv6 DNS Supported by the NE5000E

8.1.1 Introduction to IPv6 DNS

IPv6 DNS has two resolution modes: dynamic IPv6 DNS resolution and static IPv6 DNS resolution. To resolve a domain name, the system first uses static IPv6 DNS resolution. If this mode fails, the system uses dynamic IPv6 DNS resolution. To improve resolution efficiency, you can put common domain names in a static domain name resolution table.

8.1.2 IPv6 DNS Supported by the NE5000E

IPv6 domain name system (DNS) is similar to IPv4 DNS. For configurations of IPv4 DNS, refer to "DNS Configuration."

8.2 Configuring IPv6 DNS
This section describes how to communicate with other devices using the domain name.

8.2.1 Establishing the Configuration Task

8.2.2 Configuring a Static IPv6 DNS Entry

8.2.3 Configuring the Dynamic IPv6 DNS Services

8.2.4 Checking the Configuration

8.2.1 Establishing the Configuration Task

Applicable Environment
DNS needs to be configured if the local users log on to a device using domain names to communicate with other devices. The IPv6 DNS entries show the mapping between domain names and IPv6 addresses.

If users seldom use the domain name to access other devices, or if the DNS server is unavailable, a static DNS needs to be configured. To configure a static IPv6 DNS, the network administrator needs to know the relation between domain names and IPv6 addresses, and manually modify the IPv6 DNS entry when the relation changes.

If the users need to use the domain name to access many devices, and the DNS server is available, a dynamic DNS can be configured. The dynamic DNS needs to be supported by a DNS server.

Pre-configuration Tasks
Before configuring IPv6 DNS, configure the route between a local device and a DNS server.

Data Preparation
To configure IPv6 DNS, you need the following data.

No. Data

1 Domain name of the static IPv6 DNS entry and the corresponding IPv6 address

2 IPv6 address of the IPv6 DNS server

3 Domain name of the dynamic IPv6 DNS or the domain name list

8.2.2 Configuring a Static IPv6 DNS Entry

Context
Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6 host host-name ipv6-address

The host name and the corresponding IPv6 address are configured.

If IPv6 addresses are configured for the same host several times, the IPv6 address configured earliest is used when the host needs to be found by its IPv6 address, for example, when you ping this host.

----End

8.2.3 Configuring the Dynamic IPv6 DNS Services

Context
Configure the IPv6 DNS server on a device. If the IPv6 DNS server is configured with a link-local address, the interface name should also be configured with the IPv6 address.

Figure 8-1 DNS server connecting IPv4 and IPv6 networks

[Figure labels: DNS server, DNS IPv4 client, DNS IPv6 client, IPv4 link, IPv6 link.]

CAUTION
If multiple DNS servers are configured, the servers are queried in the order of configuration until a proper response is received. If both IPv4 and IPv6 servers are configured, the A query is first sent to the IPv4 server, while AAAA query packets are first sent to the IPv6 server.

The DNS domains are configured on a device and the domain names can be searched. If the DNS fails in searching for a host name, it appends a domain name to the host name following a "." and continues the DNS search. You can configure some commonly used domain names like "com" and "net". For example, if the search for the host name "huawei" fails, the system then searches for "huawei.com" or "huawei.net".

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dns resolve

The dynamic domain name resolution is enabled.

Step 3 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]

The IPv6 DNS server is configured.

Step 4 Run:
dns server ipv6 source-ip ipv6-address

The IPv6 address of the local device is specified.

Step 5 Run:
dns domain domain-name

The suffix of domain names is added.

After the source IPv6 address is specified for the local device, the local device uses the specified source IPv6 address to communicate with the IPv6 DNS server to ensure the security of check.

----End
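One way to check a saved configuration against the rules stated in 8.2.2 and 8.2.3: dynamic resolution must be enabled, a link-local DNS server needs an interface, the query source address can be fixed with source-ip, and the earliest of several static entries for one host is the one used. This is an added Python example, not part of the Huawei guide; the configuration text is constructed, the function name is hypothetical, and the saved form of a link-local server line with an interface name is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed configuration, modelled on the configuration files in this guide.
# Assumption: a link-local server is saved as "dns server ipv6 <addr> <interface>".
CONSTRUCTED_CONFIG = """\
#
 sysname RouterA
#
 ipv6 host RouterB 2001::2
 ipv6 host RouterB 2001::9
 ipv6 host RouterC 2002::3
#
 dns server ipv6 2003::2
 dns server ipv6 FE80::2
 dns server ipv6 FE80::3 GigabitEthernet6/0/0
 dns domain net
 dns domain com
#
return
"""

Finding = Tuple[str, str]  # (short code, human-readable detail)


def audit_ipv6_dns(config: str) -> List[Finding]:
    """Return findings for the IPv6 DNS part of a saved configuration."""
    resolve_enabled = False
    source_pinned = False
    servers: List[Tuple[ipaddress.IPv6Address, Optional[str]]] = []
    hosts: Dict[str, List[str]] = {}

    for raw in config.splitlines():
        line = raw.strip()
        if line == "dns resolve":
            resolve_enabled = True
        elif re.fullmatch(r"dns server ipv6 source-ip \S+", line):
            source_pinned = True
        else:
            match = re.fullmatch(r"dns server ipv6 (\S+)(?:\s+(\S.*))?", line)
            if match:
                servers.append((ipaddress.IPv6Address(match.group(1)), match.group(2)))
                continue
            match = re.fullmatch(r"ipv6 host (\S+) (\S+)", line)
            if match:
                hosts.setdefault(match.group(1), []).append(match.group(2))

    findings: List[Finding] = []
    if servers and not resolve_enabled:
        findings.append(("resolve-disabled",
                         "DNS servers are configured but 'dns resolve' is missing"))
    for address, interface in servers:
        # A link-local address is only meaningful together with an interface.
        if address.is_link_local and interface is None:
            findings.append(("link-local-no-interface",
                             "server %s has no interface" % address))
    if servers and not source_pinned:
        findings.append(("source-not-pinned",
                         "no 'dns server ipv6 source-ip' is configured"))
    for name, addresses in hosts.items():
        if len(addresses) > 1:
            findings.append(("duplicate-static-host",
                             "%s has %d entries; earliest entry %s is the one used"
                             % (name, len(addresses), addresses[0])))
    return findings


if __name__ == "__main__":
    for code, detail in audit_ipv6_dns(CONSTRUCTED_CONFIG):
        print("%-24s %s" % (code, detail))
```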

8.2.4 Checking the Configuration

Prerequisite
The configurations of the IPv6 DNS function are complete.

Procedure
• Run the display ipv6 host command to check the static IPv6 DNS table.
• Run the display dns server command to check the configuration of the DNS server.
• Run the display dns domain command to check the configuration of the suffix list of the domain name.
• Run the display dns ipv6 dynamic-host command to check the cache of the dynamic domain name.

----End

Example
Run the display ipv6 host command. If the static IPv6 DNS entries, including the host name and the IPv6 address, are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display ipv6 host
Host       Age   Flags    IPv6Address (es)
RTB        0     static   20::1
RTA        0     static   20::2

Run the display dns server command. If the IPv6 addresses of all DNS servers are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display dns server
IPv4 Dns Servers :
Domain-server   IpAddress
 1              169.254.65.125
IPv6 Dns Servers:
Domain-server   Ipv6Address   (Interface Name)
 1              3001::2
 2              FE80::2       GigabitEthernet6/0/0

Run the display dns domain command. If the suffixes of the domain names are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display dns domain
No   Domain-name
1    com
2    net

Run the display dns ipv6 dynamic-host command. If information about the cache of the dynamic domain name is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display dns ipv6 dynamic-host
No   Domain-name   Ipv6address   TTL
1    huawei6       3001::2       6

8.3 Maintaining IPv6 DNS
This section describes how to display IPv6 DNS configurations, clear IPv6 DNS statistics, and debug IPv6 DNS.

8.3.1 Clearing IPv6 DNS Entries

8.3.2 Monitoring Network Operation Status of IPv6 DNS

8.3.1 Clearing IPv6 DNS Entries

Context

CAUTION
IPv6 DNS entries cannot be restored after being cleared. So, confirm the action before you use this command.

Procedure

Step 1 Run the reset dns ipv6 dynamic-host command in the user view to clear the statistics of dynamic IPv6 DNS entries in the domain name cache.

----End

8.3.2 Monitoring Network Operation Status of IPv6 DNS

Context
In routine maintenance, you can run the following commands in any view to check the operation of IPv6 DNS.

Procedure
• Run:
  display dns domain

  Domain names are checked.
• Run:
  display dns server

  Configurations of the DNS server are checked.
• Run:
  display dns ipv6 dynamic-host

  Contents about the cache of the IPv6 dynamic domain names are checked.
• Run:
  display ipv6 host

  The static DNS table is checked.

----End

8.4 Configuration Examples
This section provides several configuration examples of IPv6 DNS.

8.4.1 Example for Configuring IPv6 DNS

8.4.1 Example for Configuring IPv6 DNS

Networking Requirements

CAUTION
In the single-chassis scenario, the NE5000E numbers interfaces in three dimensions, that is, slot number, card number, and interface number. In the multi-chassis scenario, the NE5000E numbers interfaces in four dimensions, that is, chassis ID, slot number, card number, and interface number. As soon as the slot number is specified, the corresponding chassis ID must be specified.

As shown in Figure 8-2, Router A functions as the IPv6 DNS client and works jointly with the IPv6 DNS server so that it can access the host with the IP address 2002::1/64 based on the domain name huawei.com.

On Router A, the static IPv6 DNS entries of Router B and Router C are configured. This ensures that Router A can manage both the routers based on the domain names RouterB and RouterC.

Figure 8-2 Networking diagram of IPv6 DNS configurations

[Figure labels: RouterA (DNS Client) GE1/0/0 2001::1/64; RouterB GE1/0/1 2001::2/64 and GE1/0/0 2002::2/64; RouterC GE1/0/0 2002::3/64 and GE1/0/1 2003::1/64; huawei.com 2002::1/64; DNS Server 2003::2/64.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure static IPv6 DNS entries.
2. Enable the DNS resolution function.
3. Configure the IPv6 address of the IPv6 DNS server.
4. Set the domain name suffix.

Data Preparation
To complete the configuration, you need the following data:

• Domain names of Router B and Router C

• IPv6 address of the IPv6 DNS server

• Domain name suffix

Procedure

Step 1 Configure Router A.

# Configure static IPv6 DNS entries.

<RouterA> system-view
[RouterA] ipv6 host RouterB 2001::2
[RouterA] ipv6 host RouterC 2002::3

# Enable the DNS resolution function.

[RouterA] dns resolve

# Configure the IPv6 address of the IPv6 DNS server.

[RouterA] dns server ipv6 2003::2

# Set the domain name suffix to ".net".

[RouterA] dns domain net

# Set the domain name suffix to ".com".

[RouterA] dns domain com
[RouterA] quit

NOTE

To resolve the domain name, you also need to configure the route from Router A to the IPv6 DNS server. For details of how to configure the route, refer to the NE5000E Core Router Configuration Guide - IP Routing.

Step 2 Verify the configuration.

# Run the ping ipv6 huawei.com command on Router A. You can find that the ping operation succeeds, and the destination IP address is 2002::1.

<RouterA> ping ipv6 huawei.com
 Resolved Host ( huawei.com -> 2002::1)
  PING huawei.com : 56 data bytes, press CTRL_C to break
    Reply from 2002::1: bytes=56 Sequence=1 ttl=126 time=6 ms
    Reply from 2002::1: bytes=56 Sequence=2 ttl=126 time=4 ms
    Reply from 2002::1: bytes=56 Sequence=3 ttl=126 time=4 ms
    Reply from 2002::1: bytes=56 Sequence=4 ttl=126 time=4 ms
    Reply from 2002::1: bytes=56 Sequence=5 ttl=126 time=4 ms
  --- huawei.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/4/6 ms

# Run the display ipv6 host command on Router A. You can view the mapping relationships between the host names in static IPv6 DNS entries and the IPv6 addresses.

<RouterA> display ipv6 host
Host       Age   Flags    IPv6Address (es)
RouterB    0     static   2001::2
RouterC    0     static   2002::3

# Run the display dns ipv6 dynamic-host command on Router A. You can view information about dynamic IPv6 DNS entries in the dynamic cache.

<RouterA> display dns ipv6 dynamic-host
No   Domain-name   Ipv6address   TTL
1    huawei.com    2002::1       3579

NOTE

TTL in the command output indicates the life time of the entry, in seconds.

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
 ipv6 host RouterB 2001::2
 ipv6 host RouterC 2002::3
#
 dns resolve
 dns server ipv6 2003::2
 dns domain net
 dns domain com
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001::1/64
 ripng 1 enable
#
ripng 1
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface GigabitEthernet1/0/1
 undo shutdown
 ipv6 enable
 ipv6 address 2001::2/64
 ripng 1 enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002::2/64
 ripng 1 enable
#
ripng 1
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 address 2002::3/64
 ripng 1 enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ipv6 address 2003::1/64
 ripng 1 enable
#
ripng 1
#
return

9 ACL6 Configuration

About This Chapter

This chapter describes the ACL6 fundamentals, classifications and configuration steps for ACL6, and IPv6 packet filtering, along with typical examples.

9.1 ACL6 Overview
This section describes basic concept and parameters of ACL6.

9.2 Configuring an Interface-based ACL6
This section describes how to configure the interface-based ACL6.

9.3 Configuring a Basic ACL6
This section describes how to configure a basic ACL6.

9.4 Configuring an Advanced ACL6
This section describes how to configure an advanced ACL6.

9.5 Configuring a Named ACL6
This section describes how to configure the Named ACL6.

9.6 Maintaining ACL6
This section describes how to maintain ACL6.

9.7 Configuration Examples
This section provides several configuration examples of ACL6.

9.1 ACL6 Overview
This section describes basic concept and parameters of ACL6.

9.1.1 Introduction to ACL6

9.1.2 ACL6 Supported by the NE5000E

9.1.1 Introduction to ACL6

To filter data packets, you need to define a series of Access Control List (ACL) rules on the device. After ACL rules are applied to interfaces, the device classifies the received data packets and determines whether to forward or discard packets.

NOTE

In this manual, ACL applies to filter IPv4 packets and ACL6 applies to filter IPv6 packets.

9.1.2 ACL6 Supported by the NE5000E

ACL6 is classified into the following types based on application goals:

• Basic ACL6: classifies data packets only based on the source IP addresses.

• Advanced ACL6: classifies data packets in more detail based on the source and destination IP addresses, source and destination port numbers, and protocol type.

• Interface-based ACL6: classifies data packets based on the interfaces that receive packets.

9.2 Configuring an Interface-based ACL6
This section describes how to configure the interface-based ACL6.

9.2.1 Establishing the Configuration Task

9.2.2 (Optional) Configuring the Valid Time Range of ACL6

9.2.3 Creating an Interface-based ACL6

9.2.4 Checking the Configuration

9.2.1 Establishing the Configuration Task

Applicable Environment

An ACL6 can be applied to the following tasks:

• Configuring the packet filtering policy

• Configuring the policy-based routing

• Configuring the routing policy

Pre-configuration Tasks
Before configuring ACL6, complete the following task:

• Starting the device normally

Data Preparation
To configure an ACL6, you need the following data:

No. Data

1 (Optional) Name of the time range in which the Interface-based ACL6 takes effect and the start time and end time of the time range

2 ACL6 number, permit or deny rules

3 Type and number of the interface where the ACL6 is applied

9.2.2 (Optional) Configuring the Valid Time Range of ACL6

Context
Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created.

----End

9.2.3 Creating an Interface-based ACL6

Context
The range of acl6-number of an interface-based ACL6 is 1000 to 1999.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

The interface-based ACL6 is created and the corresponding view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any } [ logging | time-range time-name ]*

ACL6 rules are defined.

----End

9.2.4 Checking the Configuration

Prerequisite
The configurations of the interface-based ACL6 function are complete.

Procedure
• Run the display acl ipv6 { acl6-number | all } command to check the ACL6 rules.
• Run the display statistics acl ipv6 { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.
• Run the display time-range { time-name | all } command to check the time range.

----End

Example
After the configuration, run the preceding command. You can view ACL6 number, ACL6 step, contents of the rules, and matching times of the rules.

<HUAWEI> display acl ipv6 1000
Interface Based IPv6 ACL 1000, 1 rule
Acl's step is 5
 rule 5 permit interface Pos4/0/0

After the preceding configurations, the statistics about the packets matching ACL6 in soft forwarding are displayed after the display statistics acl ipv6 control-plane command is used.

<HUAWEI> display statistics acl ipv6 1000 control-plane
Interface Based IPv6 ACL 1000, 3 rules
 rule 0 deny interface any (1035 times matched)
 rule 1 permit interface Pos6/0/3 (586 times matched)
 rule 2 permit interface GigabitEthernet3/0/11 (103 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

9.3 Configuring a Basic ACL6
This section describes how to configure a basic ACL6.

9.3.1 Establishing the Configuration Task

9.3.2 (Optional) Configuring the Valid Time Range of ACL6

9.3.3 Creating a Basic ACL6

9.3.4 Checking the Configuration

9.3.1 Establishing the Configuration Task

Applicable Environment

An ACL6 can be applied to the following tasks:

• Configuring the packet filtering policy

• Configuring the policy-based routing

• Configuring the routing policy

Pre-configuration Tasks

Before configuring an ACL6, start the device normally.

Data Preparation

To configure an ACL6, you need the following data.

No. Data

1 (Optional) Name of the time range in which the basic ACL takes effect and the start time and end time of the time range

2 ACL6 number, permit or deny rules, source IP address

9.3.2 (Optional) Configuring the Valid Time Range of ACL6

Context

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created.

This configuration task is used to create a time range. Multiple time ranges with the same name can be created.

----End

9.3.3 Creating a Basic ACL6

Context

The range of acl6-number of a basic ACL6 is 2000 to 2999.

Do as follows on the router:

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

A basic ACL6 is created and the basic ACL6 view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn6-instance vpn6-instance-name ] *

ACL6 rules are defined.

Defining ACL6 rules for the basic ACL6 is based only on the source IP address.

----End
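Because a basic ACL6 rule matches on a source address and prefix length, it helps to see which range each rule really covers. The Python sketch below is an added example, not part of the Huawei guide: it parses the rule lines of the display statistics acl ipv6 2200 control-plane output from the Example in 9.3.4, reduces each source to its prefix, and reports the rule that matches a given source. It assumes ordinary prefix matching and match-order config (rules tried in ascending rule ID, first match wins); function names are hypothetical.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Rule lines copied from the display statistics example in 9.3.4.
SAMPLE_OUTPUT = """\
Basic IPv6 ACL 2200, 3 rules
rule 0 permit source 2030:5060::9050/64 (235 times matched)
rule 1 deny source 4050:7080::4060/96 (560 times matched)
rule 80 permit source FE80::9040/32 (729 times matched)
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+\((\d+) times matched\)")


class Rule(NamedTuple):
    rule_id: int
    action: str
    written: str                    # source exactly as displayed
    network: ipaddress.IPv6Network  # range the prefix length selects
    hits: int


def parse_rules(output: str) -> List[Rule]:
    """Parse rule lines and sort them by rule ID (assumed match-order config)."""
    rules = []
    for match in RULE_RE.finditer(output):
        rule_id, action, written, hits = match.groups()
        # strict=False drops the bits beyond the prefix length.
        network = ipaddress.IPv6Network(written, strict=False)
        rules.append(Rule(int(rule_id), action, written, network, int(hits)))
    return sorted(rules, key=lambda rule: rule.rule_id)


def has_host_bits(rule: Rule) -> bool:
    """True when the displayed address has bits set beyond the prefix length,
    so the rule covers more than the literal address suggests."""
    literal = ipaddress.IPv6Address(rule.written.split("/")[0])
    return literal != rule.network.network_address


def first_match(rules: List[Rule], source: str) -> Optional[Rule]:
    """First rule whose range contains the source, or None if no rule matches."""
    address = ipaddress.IPv6Address(source)
    for rule in rules:
        if address in rule.network:
            return rule
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) rule ID pairs where the later range lies inside an
    earlier one, so the later rule cannot match under first-match order."""
    pairs = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if later.network.subnet_of(earlier.network):
                pairs.append((later.rule_id, earlier.rule_id))
                break
    return pairs


if __name__ == "__main__":
    acl = parse_rules(SAMPLE_OUTPUT)
    for rule in acl:
        note = " (host bits set)" if has_host_bits(rule) else ""
        print(rule.rule_id, rule.action, rule.written, "->", rule.network, note)
    for source in ("fe80:0:1::1", "fe80:1::1"):
        hit = first_match(acl, source)
        print(source, "->", "rule %d %s" % (hit.rule_id, hit.action) if hit else "no rule")
    print("shadowed:", shadowed(acl))
```

Rule 80 covers fe80::/32, so a link-local source such as fe80:1::1 falls outside it and matches no rule in this ACL.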

9.3.4 Checking the Configuration

Prerequisite
The configurations of the Basic ACL6 function are complete.

Procedure
• Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6 rule.
• Run the display statistics acl ipv6 { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.
• Run the display time-range { time-name | all } command to check the time range.

----End

Example

Run the display acl ipv6 command. If the ACL6 number, the number of rules, detailed step description, and ACL6 rules are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display acl ipv6 2200
Basic IPv6 ACL 2200, 1 rule
Acl's step is 5
 rule 5 permit

After the preceding configurations, the statistics about the packets matching ACL6 in soft forwarding are displayed after the display statistics acl ipv6 control-plane command is used.

<HUAWEI> display statistics acl ipv6 2200 control-plane
Basic IPv6 ACL 2200, 3 rules
 rule 0 permit source 2030:5060::9050/64 (235 times matched)
 rule 1 deny source 4050:7080::4060/96 (560 times matched)
 rule 80 permit source FE80::9040/32 (729 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

9.4 Configuring an Advanced ACL6

This section describes how to configure an advanced ACL6.

9.4.1 Establishing the Configuration Task

9.4.2 (Optional) Configuring the Valid Time Range of ACL6

9.4.3 Creating an Advanced ACL6

9.4.4 Checking the Configuration

9.4.1 Establishing the Configuration Task

Applicable Environment

An ACL6 can be applied to the following tasks:

- Configuring the packet filtering policy


- Configuring the policy-based routing

- Configuring the routing policy

Pre-configuration Tasks

Before configuring an ACL6, complete the following task:

- Starting the device normally

Data Preparation

To configure an ACL6, you need the following data:

No. Data

1 (Optional) Name of the time range in which the advanced ACL takes effect and the start time and end time of the time range

2 ACL6 number, permit or deny rules

3 Protocol type, source and destination port numbers, source and destination IP address, and source IP address fragment or not, ICMP message type and coding, priority, ToS, and valid time

9.4.2 (Optional) Configuring the Valid Time Range of ACL6

Context

Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created.

This configuration task is used to create a time range. Multiple time ranges with the same name can be created.

----End

9.4.3 Creating an Advanced ACL6


Context

The range of acl6-number of an advanced ACL6 is 3000 to 3999.

Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

The advanced ACL6 is created and the advanced ACL6 view is displayed.

Step 3 Perform the following configuration as required.

- When protocol is specified as TCP or UDP

Run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | tos tos | vpn6-instance vpn6-instance-name ] *

ACL6 rules are defined.

- When protocol is specified as ICMPv6

Run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos | vpn6-instance vpn6-instance-name ] *

ACL6 rules are defined.

- When protocol is specified as other protocols except TCP, UDP, and ICMPv6

Run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | tos tos | vpn6-instance vpn6-instance-name ] *

ACL6 rules are defined.

----End
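Because an advanced ACL6 combines protocol, source and destination in each rule, a later rule can be fully covered by an earlier one and never take effect. The following added example (not part of the Huawei guide) checks a rule list for such shadowed rules. It assumes rules are evaluated in ascending rule-ID order, models only the protocol, source and destination fields, and its function names and rule 3 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("::/0")

# Rules 0-2 are the ACL 3100 listing from section 9.4.4; rule 3 is constructed
# for this example to show a deny that can never take effect.
ACL_3100 = [
    "rule 0 permit icmpv6",
    "rule 1 permit ipv6 source 3001::/16 destination 4001::/16",
    "rule 2 permit tcp source 5001::/16",
    "rule 3 deny tcp source 3001:db8::/32 destination 4001::1/128",
]


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    protocol: str        # "ipv6" stands for every protocol carried over IPv6
    source: ipaddress.IPv6Network = ANY
    destination: ipaddress.IPv6Network = ANY


def parse_rule(line):
    """Parse 'rule <id> {permit|deny} <protocol> [source P] [destination P]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule line: {line!r}")
    prefixes = {"source": ANY, "destination": ANY}
    options = tok[4:]
    if len(options) % 2:
        raise ValueError(f"option without a value in: {line!r}")
    for key, value in zip(options[::2], options[1::2]):
        if key not in prefixes:
            # Ports, fragment, time-range and so on are not modelled here.
            raise ValueError(f"option {key!r} is outside this model")
        prefixes[key] = ANY if value == "any" else ipaddress.ip_network(value, strict=False)
    return Rule(int(tok[1]), tok[2], tok[3], prefixes["source"], prefixes["destination"])


def first_match(rules, protocol, src, dst):
    """Return the first rule, by ascending rule ID, that matches the packet, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.protocol in ("ipv6", protocol) and src in rule.source and dst in rule.destination:
            return rule
    return None


def covers(earlier, later):
    """True when every packet 'later' could match is already matched by 'earlier'."""
    return (earlier.protocol in ("ipv6", later.protocol)
            and later.source.subnet_of(earlier.source)
            and later.destination.subnet_of(earlier.destination))


def shadowed(rules):
    """List (rule_id, covering_rule_id, actions_differ) for rules that can never match."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                result.append((later.rule_id, earlier.rule_id, earlier.action != later.action))
                break
    return result


if __name__ == "__main__":
    acl = [parse_rule(line) for line in ACL_3100]
    print(first_match(acl, "tcp", "3001:db8::5", "4001::1"))
    print(shadowed(acl))
```

A result with actions_differ set to True is the case to fix first: the intended deny (or permit) is overridden by the earlier rule.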

9.4.4 Checking the Configuration

Prerequisite

The configurations of the Advanced ACL6 function are complete.


Procedure

- Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6 rule.

- Run the display statistics acl ipv6 { acl-number | all } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.

- Run the display time-range { time-name | all } command to check the time range.

----End

Example

Run the display acl ipv6 command. If the ACL6 number, the number of rules, detailed step description, and ACL6 rules are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display acl ipv6 3100
Advanced IPv6 ACL 3100, 3 rules,
 rule 0 permit icmpv6
 rule 1 permit ipv6 source 3001::/16 destination 4001::/16
 rule 2 permit tcp source 5001::/16

After the preceding configurations, run the display statistics acl ipv6 control-plane command to display the statistics about the packets matching ACL6 in soft forwarding.

<HUAWEI> display statistics acl ipv6 3000 control-plane
Advanced IPv6 ACL 3000, 1 rule
 rule 1 permit ipv6 source 4001::/16 (137 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

9.5 Configuring a Named ACL6

This section describes how to configure the Named ACL6.

9.5.1 Establishing the Configuration Task

9.5.2 (Optional) Configuring the Valid Time Range of ACL6

9.5.3 Creating a Named ACL6

9.5.4 Checking the Configuration

9.5.1 Establishing the Configuration Task


Application Environment

An ACL6 can be applied to various services, such as routing policies and packet filtering, to implement differentiated packet processing based on packet types. Named ACL6s are advanced ACL6s because you need to define rules for the named ACL6s by specifying the source IP address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP protocol type and code.

Pre-configuration Tasks

None.

Data Preparation

To configure a named ACL6, you need the following data.

No. Data

1 (Optional) Name of the time range in which the named ACL6 takes effect and the start time and end time of the time range

2 Rule ID of the named ACL6, permit or deny rule, and source IP address

3 IP bearer protocol type, source and destination ports, destination IP address, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule

4 (Optional) Description of the named ACL6

5 (Optional) Step of the named ACL6

9.5.2 (Optional) Configuring the Valid Time Range of ACL6

Context

Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

A time range is created.

This configuration task is used to create a time range. Multiple time ranges with the same name can be created.

----End


9.5.3 Creating a Named ACL6

Context

A named ACL6 is an advanced ACL6 and its acl-number ranges from 42768 to 45767.

Do as follows on the router:

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:acl ipv6 name acl-name [ number acl-number ] [ match-order { auto | config } ]

A named ACL6 is created and the named ACL view is displayed.

Step 3 Perform the following steps as required to configure rules for the named ACL6:

- When protocol is TCP or UDP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag time-range time-name | precedence precedence | tos tos ] *

syn-flag syn-flag needs to be specified only when TCP is used.

- When protocol is ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *

- When protocol is not TCP, UDP, or ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *

Configure different advanced ACLs on the device for different protocols over IP. Different protocols have different parameter combinations. For example, TCP and UDP have the optional parameters [ source-port operator port ] [ destination-port operator port ] while other protocols do not.

----End

9.5.4 Checking the Configuration

Prerequisite

The configurations of the ACL6 function are complete.

Procedure

- Run the display acl ipv6 name acl-name command to check the configured ACL6 rule.

- Run the display statistics acl ipv6 { acl-number | all | name acl-name } control-plane [ | { begin | include | exclude } regular-expression ] command to check the statistics about the packets matching ACL6 in soft forwarding.

- Run the display time-range { time-name | all } command to check the time range.

----End

Example

# Check the configurations of named ACL6, whose name is test.

<HUAWEI> display acl ipv6 name test
Advanced IPv6 Name ACL test, 1 rule
Acl's step is 5
 rule 5 permit ip

# View the statistics about the packets matching ACL6 3000 in soft forwarding.

<HUAWEI> display statistics acl ipv6 3000 control-plane
Advanced IPv6 ACL 3000, 1 rule
 rule 0 permit ipv6 (335 times matched)

# View the statistics about the packets matching ACL6 named test in soft forwarding.

<HUAWEI> display statistics acl ipv6 name test control-plane
Advanced IPv6 ACL test, 2 rules,
 rule 0 permit 1 (10 times matched)
 rule 1 permit ipv6 (23 times matched)

Run the display time-range command. If the configuration and status of the current time range are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily

9.6 Maintaining ACL6

This section describes how to maintain ACL6.


9.6.1 Clearing ACL6 Statistics

9.6.2 Monitoring Network Operation Status of ACL6

9.6.1 Clearing ACL6 Statistics

Context

CAUTION

Statistics cannot be restored after they are cleared. Confirm the action before you use the command.

Procedure

Step 1 Run the reset acl ipv6 counter { acl6-number | name acl-name | all } command in the user view to clear the ACL6 counter.

----End

9.6.2 Monitoring Network Operation Status of ACL6

Context

In routine maintenance, you can run the following commands in any view to check the operation of ACL6.

Procedure

- Run the display acl ipv6 { acl6-number | name acl-name | all } command in any view to check the configured ACL6 rules.

- Run the display statistics acl ipv6 { acl-number | all | name acl-name } control-plane command in any view to check the statistics about the packets matching ACL6 in soft forwarding.

----End
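The match counters are most useful when they are read before any reset acl ipv6 counter and reviewed systematically. The following added example (not part of the Huawei guide) parses control-plane statistics output and reports deny rules that matched traffic, rules that never matched, and source prefixes written with bits set beyond the prefix length. The ACL 3000 block in the sample and all function names are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input: the ACL 2200 statistics shown in section 9.3.4, followed by
# an invented ACL 3000 block that contains a deny rule with no matches.
SAMPLE = """\
<HUAWEI> display statistics acl ipv6 all control-plane
Basic IPv6 ACL 2200, 3 rules
rule 0 permit source 2030:5060::9050/64 (235 times matched)
rule 1 deny source 4050:7080::4060/96 (560 times matched)
rule 80 permit source FE80::9040/32 (729 times matched)
Advanced IPv6 ACL 3000, 2 rules
 rule 0 deny ipv6 source 3001::2/128 (0 times matched)
 rule 1 permit ipv6 source 4001::/16 (137 times matched)
"""

HEADER = re.compile(r"^(Basic|Advanced) IPv6 (?:Name )?ACL (\S+), (\d+) rules?,?$")
RULE = re.compile(r"^rule (\d+) (permit|deny)(?: (.*?))? \((\d+) times matched\)$")
SOURCE = re.compile(r"\bsource (\S+)")


@dataclass
class Rule:
    rule_id: int
    action: str
    match: str      # text between the action and the counter, may be empty
    hits: int


@dataclass
class Acl:
    name: str
    kind: str
    declared: int   # rule count announced in the header line
    rules: list = field(default_factory=list)


def parse_statistics(text):
    """Parse 'display statistics acl ipv6 ... control-plane' output into Acl objects."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            acls.append(Acl(name=m.group(2), kind=m.group(1), declared=int(m.group(3))))
            continue
        m = RULE.match(line)
        if m and acls:
            acls[-1].rules.append(
                Rule(int(m.group(1)), m.group(2), m.group(3) or "", int(m.group(4))))
    return acls


def deny_hits(acls):
    """Deny rules that matched traffic, busiest first."""
    hits = [(a.name, r.rule_id, r.hits)
            for a in acls for r in a.rules if r.action == "deny" and r.hits]
    return sorted(hits, key=lambda t: t[2], reverse=True)


def audit(acls):
    """Return (acl, rule_id, finding) tuples that deserve a reviewer's attention."""
    findings = []
    for acl in acls:
        if acl.declared != len(acl.rules):
            findings.append((acl.name, None,
                             f"header announces {acl.declared} rules, parsed {len(acl.rules)}"))
        for r in acl.rules:
            if r.hits == 0:
                findings.append((acl.name, r.rule_id,
                                 "never matched since counters were last cleared"))
            src = SOURCE.search(r.match)
            if src and src.group(1) != "any":
                iface = ipaddress.ip_interface(src.group(1))
                if iface.ip != iface.network.network_address:
                    findings.append((acl.name, r.rule_id,
                                     f"source {src.group(1)} has bits set beyond the prefix "
                                     f"length; the prefix itself is {iface.network}"))
    return findings


if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE)
    print(deny_hits(parsed))
    for finding in audit(parsed):
        print(finding)
```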

9.7 Configuration Examples

This section provides several configuration examples of ACL6.

9.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets

9.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets


Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 9-1, Router A and Router B are connected through POS interfaces. Configure ACL6 rules on Router A to prevent the IPv6 packets with the source IP address 3001::2 from entering POS1/0/0 of Router A.

Figure 9-1 Networking diagram of configuring an ACL6 to filter IPv6 packets

[Figure: RouterA POS1/0/0 (3001::1/64) is connected to RouterB POS1/0/0 (3001::2/64); RouterB also has Loopback2 (3002::2/64).]

Configuration Roadmap

The configuration roadmap is as follows:

1. Define an ACL6 number.
2. Define rules in the ACL6.
3. Set the traffic classifier, behavior, and policy.

Data Preparation

To complete the configuration, you need the following data:

- ACL6 number

- Source IPv6 address denied by the ACL6 rule

Procedure

Step 1 Enable IPv6 forwarding capabilities on Router A and Router B, configure interface parameters, and check connectivity between them.

# Configure Router A.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ipv6 enable
[RouterA-Pos1/0/0] ipv6 address 3001::1 64
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit

# Configure a static route on Router A.


[RouterA] ipv6 route-static 3002:: 64 3001::2

# Configure Router B.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface loopback 2
[RouterB-LoopBack2] ipv6 enable
[RouterB-LoopBack2] ipv6 address 3002::2 64
[RouterB-LoopBack2] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ipv6 enable
[RouterB-Pos1/0/0] ipv6 address 3001::2 64
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit

# Ping POS 1/0/0 of Router A from POS 1/0/0 of Router B.

[RouterB] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 30 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/40/80 ms

The ping succeeds without timeout or abnormal delay.

# Ping POS 1/0/0 of Router A from loopback2 of Router B.

[RouterB] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 60 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 30 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 20 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 20 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/36/60 ms

The ping succeeds without timeout or abnormal delay.

Step 2 Create an ACL6 rule and apply the rule on the interface to block the IPv6 packets from 3001::2.

# Configure Router A.

[RouterA] acl ipv6 number 3001
[RouterA-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[RouterA-acl6-adv-3001] quit
[RouterA] traffic classifier bb
[RouterA-classifier-bb] if-match ipv6 acl 3001
[RouterA-classifier-bb] quit
[RouterA] traffic behavior aa
[RouterA-behavior-aa] permit
[RouterA-behavior-aa] quit
[RouterA] traffic policy cc
[RouterA-trafficpolicy-cc] classifier bb behavior aa
[RouterA-trafficpolicy-cc] quit
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] traffic-policy cc inbound
[RouterA-Pos1/0/0] quit

Step 3 Verify the configuration.

# Ping POS 1/0/0 of Router A from POS 1/0/0 of Router B.

[RouterB] ping ipv6 -a 3001::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

The ping fails.

# Ping POS 1/0/0 of Router A from loopback2 of Router B.

[RouterB] ping ipv6 -a 3002::2 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64 time = 80 ms
    Reply from 3001::1
    bytes=56 Sequence=2 hop limit=64 time = 50 ms
    Reply from 3001::1
    bytes=56 Sequence=3 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=4 hop limit=64 time = 40 ms
    Reply from 3001::1
    bytes=56 Sequence=5 hop limit=64 time = 30 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/48/80 ms

The ping succeeds without timeout or abnormal delay.

----End

Configuration Files

- Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
acl ipv6 number 3001
 rule 0 deny ipv6 source 3001::2/128
#
traffic classifier bb operator or
 if-match ipv6 acl 3001
#
traffic behavior aa
#
traffic policy cc
 undo share-mode
 classifier bb behavior aa
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 traffic-policy cc inbound
 ipv6 enable
 ipv6 address 3001::1/64
#
 ipv6 route-static 3002:: 64 3001::2
#
return

- Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3001::2/64
#
interface LoopBack2
 ipv6 enable
 ipv6 address 3002::2/64
#
return


10 IPv6 over IPv4 Tunnel Configuration

About This Chapter

This chapter describes the IPv6 over IPv4 tunnel fundamentals. It also describes configuration steps for IPv6 over IPv4 tunnel configuration, along with typical examples.

10.1 IPv6 over IPv4 Tunnel Overview
This section describes the basic principles and concepts of IPv6 over IPv4 tunnel.

10.2 Configuring IPv4/IPv6 Dual Stacks
This section describes how to enable the IPv4/IPv6 dual protocol stacks.

10.3 Configuring an IPv6 over IPv4 Tunnel
This section describes how users in IPv6 networks communicate across an IPv4 network.

10.4 Configuring 6PE
This section describes how users in IPv6 networks communicate across the existing MPLS network.

10.5 Maintaining IPv6 over IPv4 Tunnels
This section describes how to debug the IPv6 tunnel.

10.6 Configuration Examples
This section provides several configuration examples of IPv6 over IPv4 tunnels.


10.1 IPv6 over IPv4 Tunnel Overview

This section describes the basic principles and concepts of IPv6 over IPv4 tunnel.

10.1.1 Introduction to IPv6 over IPv4

10.1.2 IPv6 over IPv4 Supported by the NE5000E

10.1.1 Introduction to IPv6 over IPv4

During the transition from the IPv4 Internet to the IPv6 Internet, IPv4 networks have been widely deployed while IPv6 domains are isolated and dispersed around the world. It is not economical to connect these isolated sites with private lines.

The usual method is tunnel technology. This technology creates tunnels over IPv4 networks to connect isolated IPv6 domains. This is similar to the situation where the tunnel technology is used to deploy VPNs on the IP networks.

The tunnel used to connect isolated IPv6 domains over IPv4 networks is called IPv6 over IPv4 tunnel. To implement this tunnel, enable IPv4/IPv6 dual stacks on the devices at the border of the IPv4 network and the IPv6 network.

10.1.2 IPv6 over IPv4 Supported by the NE5000E

Dual Stacks

The simplest way for an IPv6 node to remain compatible with an IPv4 node is to reserve a complete IPv4 protocol stack. In this way, the IPv6 node maintains a dual-stack structure. Figure 10-1 shows a single stack structure and a dual stack structure.

Figure 10-1 Single stack and dual stack structures (Ethernet)

[Figure: IPv4 Stack: IPv4 Application over TCP/UDP over IPv4 (Protocol ID 0x0800) over Ethernet. Dual Stack: IPv4/IPv6 Application over TCP/UDP over IPv4 (Protocol ID 0x0800) and IPv6 (Protocol ID 0x86DD) over Ethernet.]

The characteristics of the dual-stack structure are as follows:

- Supported by multiple link layer protocols

Multiple link layer protocols, such as Ethernet, support dual stacks. The link layer in the above diagram is Ethernet. In an Ethernet frame, a protocol ID field value of 0x0800 indicates that the network layer carries IPv4 packets, and a value of 0x86DD indicates that it carries IPv6 packets.

- Supported by multiple applications

Multiple applications such as DNS, FTP and Telnet support dual stacks. The upper application, such as DNS, can select TCP or UDP as its transport layer protocol. However, it prefers the IPv6 protocol stack rather than IPv4 as the network layer protocol.

IPv6 over IPv4 Tunnel

Figure 10-2 shows principles of the IPv6 over IPv4 tunnel technology.

1. Enabling IPv4/IPv6 dual stacks

Enable IPv4/IPv6 dual stacks on the border device.

2. Encapsulating IPv6 packets

After receiving a packet from the IPv6 network, the border device checks the destination. If the packet is not destined for the device itself, the device takes the received IPv6 packet as the payload, adds an IPv4 packet header before the payload, and thereby encapsulates it into an IPv4 packet.

3. Transmitting the encapsulated packet

In the IPv4 network, the encapsulated packet is transmitted to the peer border device.

4. Decapsulating the packet

The peer border device decapsulates the packet, removes the IPv4 packet header, and forwards the resulting IPv6 packet to the remote IPv6 network.

Figure 10-2 Schematic diagram of IPv6 over IPv4 tunnel

[Figure: two IPv6 hosts in separate IPv6 networks are connected by a tunnel between two dual-stack routers across an IPv4 network. In the IPv6 networks the packet is IPv6 Header + IPv6 Data; inside the tunnel it is IPv4 Header + IPv6 Header + IPv6 Data.]

The virtual tunnel that transmits IPv6 packets between the border devices is called the IPv6 over IPv4 tunnel. Tunnels can be classified according to their setup modes.

The common IPv6 over IPv4 tunnel modes include:

- IPv6 over IPv4 manual tunnels

- IPv6 over IPv4 automatic tunnels

- 6to4 tunnels


IPv6 over IPv4 Manual Tunnel

An IPv6 over IPv4 manual tunnel is set up by configuring the border devices of two tunnel ends. The source IPv4 address and destination IPv4 address of such a tunnel must be configured statically.

A manual tunnel is equivalent to a permanent link between two IPv6 networks over an IPv4 backbone network. It is the fixed channel for regular and secure communication between the two border devices.

The manual tunnel can be used between isolated IPv6 networks. It can also be used between a border device and a host. In this case, the host and the device on both ends of the tunnel must support the IPv4 and the IPv6 protocol stacks.

IPv6 over IPv4 Automatic Tunnel

To create an IPv6 over IPv4 automatic tunnel, you need a special kind of IPv6 address, namely an IPv4-compatible IPv6 address.

The format of IPv4-compatible IPv6 address is as follows:

0:0:0:0:0:0:IPv4-address

Its high-order 96 bits are all 0s, and its low-order 32 bits form an IPv4 address. This IPv4 address must be reachable in the IPv4 network, and cannot be a multicast address, a broadcast address, a loopback address or an unspecified address (0.0.0.0).

To configure an automatic tunnel, specify just the source address of the tunnel on a border device or a host. The destination address of the tunnel is automatically obtained from the destination IP address field carried in the original IPv6 packet.

The IPv6 over IPv4 automatic tunnel is usually used when an isolated IPv4/IPv6 dual stack host needs to access a remote IPv6 network over an IPv4 network. The automatic tunnel needs to be configured between the isolated IPv4/IPv6 host and the IPv4/IPv6 device.

While setting up an automatic tunnel, configure the IPv4-compatible IPv6 address on both ends of the tunnel. The IPv4-compatible IPv6 address depends on the IPv4 address of the physical interface of the tunnel, so it is constrained by the shortage of IPv4 addresses. Therefore, the automatic tunnel has certain limitations.

6to4 Tunnel

A 6to4 tunnel is a mechanism that connects several isolated IPv6 domains to each other over an IPv4 network. The 6to4 tunnel can be configured on the border device between the isolated IPv6 network and the IPv4 network. The border device on both the ends of the 6to4 tunnel must support the IPv4 and the IPv6 dual protocol stacks at the same time.

The key difference between the 6to4 tunnel and the manual tunnel is that the former can be a point-to-multipoint connection, and the latter is only a point-to-point connection. Hence, the devices of the 6to4 tunnel are not configured in pairs.

The 6to4 tunnel can automatically find another end of the tunnel, like the automatic tunnel. You need not specify the IPv4-compatible IPv6 address for it.

The 6to4 tunnel uses a kind of special IPv6 address, namely the 6to4 address with the following format:

2002:IPv4 address:subnet ID:interface ID


The prefix of the 6to4 address is 2002:IPv4 address with the length of 48 bits. Of these, the IPv4 address is a globally unique one requested for an isolated IPv6 domain. This IPv4 address must be configured on the IPv6/IPv4 border device's physical interface that is connected with the IPv4 network. The length of the subnet ID is 16 bits, and that of the interface ID is 64 bits. Both the subnet ID and the interface ID are allocated in the isolated IPv6 domains.

As shown in Figure 10-3, Site1 and Site2 are 6to4 networks, and hosts and devices in the 6to4 network are allocated with 6to4 addresses. The IPv4 address contained in the 6to4 address of the host or device in Site1 is the IPv4 address of the interface through which Router A accesses the IPv4 network. Similarly, the IPv4 address contained in the 6to4 address of the host or device in Site2 is the IPv4 address of the interface through which Router B accesses the IPv4 network. Router A and Router B are both 6to4 devices.

Figure 10-3 6to4 tunnel and 6to4 relay

[Figure: 6to4 network Site1 (6to4 router Router A) and 6to4 network Site2 (6to4 router Router B) are connected across the IPv4 network; 6to4 relay Router C connects the IPv4 network to the IPv6 Internet (Site3).]

When the host in Site1 accesses the host in Site2, the process concerned is as follows:

1. The IPv6 packet is transmitted to Router A.
2. Router A checks the destination address of the IPv6 packet and finds that the address is the 6to4 address, from which Router A obtains the remote IPv4 address of the 6to4 tunnel.
3. Router A encapsulates this IPv6 packet into the IPv4 packet. The destination address of the IPv4 packet header is the remote IPv4 address of the tunnel, and its source address is the local IPv4 address of the tunnel.
4. Router A forwards the IPv4 packet in the IPv4 network to Router B.
5. Router B decapsulates it to obtain the previous IPv6 packet, and then sends the IPv6 packet to the destination host in Site2.

The above process implements the communication between the 6to4 networks. To implement the communication between the 6to4 network and a native IPv6 network, a 6to4 relay device is needed. A native IPv6 network is one in which neither the hosts nor the devices are configured with 6to4 addresses.

The 6to4 relay device is the gateway between the 6to4 network and the native IPv6 network. One side of the 6to4 relay device is connected to the native IPv6 network; the other side is connected to the IPv4 network and creates the 6to4 tunnel with the 6to4 device.

As shown in Figure 10-3, when the host in the 6to4 network accesses the IPv6 Internet, the process concerned is as follows:


1. The IPv6 packet is routed to Router A.
2. A 6to4 tunnel is created between Router A and Router C.
3. The IPv6 packet is encapsulated into the IPv4 packet and is sent to Router C.
4. Router C decapsulates the IPv4 packet to obtain the previous IPv6 packet, and sends the IPv6 packet to the destination host in the IPv6 Internet.

6PE

On an IPv4 backbone network where the MPLS is deployed, the ISP can use the IPv6 Provider Edge (6PE) technology to provide the interconnection capacity for the IPv6 networks of dispersed users. 6PE is the PE with the IPv6 capacity.

Figure 10-4 shows the principle of interconnecting isolated IPv6 domains through 6PE.

1. When the 6PE device receives an IPv6 packet from the CE, it directly labels the packet to translate the packet into an MPLS packet that can be transmitted over the IPv4 backbone network.
2. The MPLS packet is forwarded to the remote 6PE through the LSP.
3. The remote 6PE removes the label and finds the IPv6 routing table according to the destination address in the resulting IPv6 packet header.
4. The remote 6PE then sends the packet to the destination host in the remote IPv6 network through the remote CE.

Figure 10-4 Networking diagram of 6PE

[Figure: network diagram. Labels: IPv6 Customer site (two), CE (two), 6PE Router (two), PE, IPv4/MPLS, IBGP.]

Note the following points when you connect isolated IPv6 sites through a 6PE tunnel:

• Enable IPv4, MPLS and IPv6 on 6PE.
• MP-BGP also needs to be enabled between 6PEs to receive or send IPv6 routes from/to the remote 6PE.
• The IGP over ISP's IPv4 backbone network can be OSPF or IS-IS.
• Static routing protocol, IGP or EBGP can work between CE and 6PE.

When ISPs tend to extend their IPv4 or MPLS networks with IPv6 traffic exchange capability on MPLS, they only need to update their PE devices.


10.2 Configuring IPv4/IPv6 Dual Stacks

This section describes how to enable the IPv4/IPv6 dual protocol stacks.

10.2.1 Establishing the Configuration Task

10.2.2 Enabling IPv6 Packet Forwarding

10.2.3 Configuring IPv4 and IPv6 Addresses for the Interface

10.2.1 Establishing the Configuration Task

Applicable Environment

If a device has both IPv4 and IPv6 connections, the IPv4/IPv6 dual protocol stacks need to be enabled on the device.

Enabling the IPv4/IPv6 dual protocol stacks on the NE5000E is a simple process. Enable the IPv6 packet forwarding capacity in the system view and configure an IPv4 address or IPv6 address on the corresponding interface. The device can then forward IPv4 and IPv6 packets on the corresponding interface.

Pre-configuration Tasks

Before configuring IPv6 tunnels, complete the following tasks:

• Configuring the physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up
• Configuring the link layer parameters for the interface

Data Preparation

To configure IPv4/IPv6 dual stacks, you need the following data.

No. Data

1 Type and number of the interface connected with the IPv4 network

2 IPv4 address and mask of the interface connected with the IPv4 network

3 Type and number of the interface connected with the IPv6 network

4 IPv6 address and prefix of the interface connected with the IPv6 network

10.2.2 Enabling IPv6 Packet Forwarding

Context

To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the system view and the interface view. This is because:


• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding capability is enabled on the device. The interfaces on the device do not have the IPv6 capability, and hence you cannot perform any IPv6 configurations on them.
• If you run the ipv6 enable command only in the interface view, the IPv6 capability is enabled only on the interface, but the IPv6 protocol status on the interface is Down and the device cannot forward IPv6 data.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6

The IPv6 packet forwarding capability is enabled.

To enable a device to forward IPv6 packets, you must run this command in the system view; otherwise, the IPv6 protocol status on the interface is Down and the device cannot forward IPv6 packets although the interface is configured with an IPv6 address.

By default, the IPv6 packet forwarding capability is disabled.

Step 3 Run: interface interface-type interface-number

The view of the interface to be enabled with the IPv6 capability is displayed.

Step 4 Run: ipv6 enable

The IPv6 capability is enabled on the interface.

Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability in the interface view.

By default, the IPv6 capability is disabled on the interface.

----End

10.2.3 Configuring IPv4 and IPv6 Addresses for the Interface

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.


Step 2 Run: interface interface-type interface-number

The interface view of the IPv4 network is displayed.

Step 3 Run: ip address ip-address { mask | mask-length }

An IPv4 address is assigned to the interface.

Step 4 Run: quit

Return to the system view.

Step 5 Run: interface interface-type interface-number

The interface view of the IPv6 network is displayed.

Step 6 Perform the following configuration as required.

• Run: ipv6 address auto link-local

  The link-local address is set to be automatically generated.

• Run: ipv6 address ipv6-address link-local

  The link-local address of the interface is configured.

• Run: ipv6 address { ipv6-address | prefix-length }

  The global unicast address is configured.

• Run: ipv6 address ipv6-address/prefix-length [ eui-64 ]

  The IPv6 EUI-64 address is configured.

----End

10.3 Configuring an IPv6 over IPv4 Tunnel

This section describes how users in IPv6 networks communicate across an IPv4 network.

10.3.1 Establishing the Configuration Task

10.3.2 Configuring an IPv6 over IPv4 Manual Tunnel

10.3.3 Configuring an IPv6 over IPv4 Automatic Tunnel

10.3.4 Configuring a 6to4 Tunnel

10.3.5 Configuring Routes in the Tunnel

10.3.6 Checking the Configuration


10.3.1 Establishing the Configuration Task

Applicable Environment

To enable communication between two IPv6 networks over the IPv4 network, configure an IPv6 over IPv4 tunnel on the border device of the IPv4 and IPv6 networks.

Pre-configuration Tasks

Before configuring an IPv6 over IPv4 tunnel, complete the following tasks:

• Configuring the physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up
• Configuring the link layer protocol for the interface and ensuring that the status of the link layer protocol on the interface is Up
• Configuring the IPv4/IPv6 dual-protocol stacks

Data Preparation

To configure an IPv6 over IPv4 tunnel, you need the following data.

No. Data

1 Number, IPv6 address and prefix length of the tunnel

2 Encapsulation mode of packets over the tunnel

3 Source IPv4 address or interface number of the tunnel

4 Destination IPv4 address of the tunnel

10.3.2 Configuring an IPv6 over IPv4 Manual Tunnel

Context

Note the following when configuring an IPv6 over IPv4 manual tunnel:

• Before configuring other parameters of an IPv6 tunnel, you must create a tunnel interface.
• The source interface of the tunnel must be specified by the address or number of the loopback interface on the local router.
• The destination interface of the tunnel must be specified by the address of the loopback interface on the peer device.
• You need to perform the following configurations on the devices at both ends of the tunnel. During the configuration, note that the source address of the local tunnel end is the destination address set for the remote tunnel end; the destination address of the local tunnel end is the source address set for the remote tunnel end.
• To support a dynamic routing protocol, you also need to configure the tunnel interface with a network address.

Do as follows on the router:


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface tunnel interface-number

The tunnel interface is created.

Step 3 Run: tunnel-protocol ipv6-ipv4

The tunnel is specified as an IPv6 over IPv4 manual tunnel.

Step 4 Run: source { ipv4-address | interface-type interface-number }

The source address or source interface of the tunnel is specified.

NOTE

For the actual implementation on the NE5000E, the source interface of the tunnel can only be a loopback interface but the source address of the tunnel can be either the address of a physical interface or the address of a loopback interface.

Step 5 Run: destination ipv4-address

The destination address of the tunnel is specified.

NOTE

The destination address of the tunnel can be the address of a physical interface or the address of a loopback interface.

Step 6 Run: ipv6 enable

IPv6 is enabled on the interface.

Step 7 Run: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The tunnel interface is configured with an IPv6 address.

----End

10.3.3 Configuring an IPv6 over IPv4 Automatic Tunnel

Context

Note the following when configuring an IPv6 over IPv4 automatic tunnel:

• Before configuring the other parameters of an IPv6 tunnel, you must create a tunnel interface.
• The source interface of the tunnel must be specified by the address or number of the loopback interface on the local router.


• When configuring an IPv6 over IPv4 automatic tunnel, you can specify only the source address of the tunnel. The destination address of the tunnel is automatically obtained from the destination IP address field carried in the original IPv6 packet. Note that the source interface of the IPv6 over IPv4 automatic tunnel must be unique.
• The IPv6 address configured for the automatic tunnel must be an IPv4-compatible IPv6 address. That is, the high-order 96 bits are 0 and the low-order 32 bits represent an IPv4 address of an interface in the IPv4 network.

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface tunnel interface-number

A tunnel interface is configured.

Step 3 Run: tunnel-protocol ipv6-ipv4 auto-tunnel

The tunnel is specified as an IPv6 over IPv4 automatic tunnel.

Step 4 Run: source { ipv4-address | interface-type interface-number }

The source address or source interface of the tunnel is specified.

Step 5 Run: ipv6 enable

IPv6 is enabled on the interface.

Step 6 Run: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The tunnel interface is configured with an IPv6 address.

----End

10.3.4 Configuring a 6to4 Tunnel

Context

Note the following when configuring a 6to4 tunnel:

• Before configuring other parameters of the tunnel, create a tunnel interface.
• When the specified source interface of the tunnel is a physical interface, it is recommended to set the tunnel ID to be the same as the number of the physical interface.
• The source tunnel interface must be specified by the address or number of the loopback interface on the local router.


• When configuring a 6to4 tunnel, you need to specify only the source tunnel interface. The destination address of the tunnel is automatically obtained from the destination IP address field carried in the original IPv6 packet. Note that the source interface of the 6to4 tunnel must be unique.
• On the border device, configure a 6to4 address on the interface that is connected with the 6to4 network, and configure an IPv4 address on the interface that is connected with the IPv4 network. To make the tunnel support the routing protocol, configure an IP address for the tunnel interface.
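The endpoint derivation that both the automatic tunnel (10.3.3) and the 6to4 tunnel (10.3.4) rely on, as an added Python example that is not part of the Huawei guide: it builds the 6to4 site prefix for a border router and recovers the IPv4 tunnel endpoint embedded in a 6to4 or IPv4-compatible address. The function names and the sanity checks on the embedded address (which follow the recommendations of RFC 3964) are assumptions of this example, not documented NE5000E behaviour.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")      # 6to4 prefix (RFC 3056)
V4_COMPATIBLE = ipaddress.IPv6Network("::/96")   # IPv4-compatible addresses


def sixto4_site_prefix(border_ipv4):
    """6to4 site prefix 2002:V4ADDR::/48 for the border router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(border_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6, mode):
    """IPv4 address carried inside an IPv6 address, or None if there is none.

    mode "6to4": the 32 bits that follow the 2002::/16 prefix.
    mode "auto": the low-order 32 bits of an IPv4-compatible (::/96) address.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if mode == "6to4":
        if addr not in SIXTO4:
            return None
        return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    if mode == "auto":
        if addr not in V4_COMPATIBLE:
            return None
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    raise ValueError("mode must be '6to4' or 'auto'")


def usable_endpoint(v4):
    """Assumed sanity check (RFC 3964): refuse endpoints that are private,
    loopback, link-local, multicast, reserved or unspecified."""
    return not (v4.is_private or v4.is_loopback or v4.is_link_local
                or v4.is_multicast or v4.is_reserved or v4.is_unspecified)


def tunnel_destination(dst_ipv6, mode):
    """Decide what the encapsulating router can do with an IPv6 destination.

    Returns ("tunnel", endpoint), ("reject", endpoint) or ("no-endpoint", None).
    """
    v4 = embedded_ipv4(dst_ipv6, mode)
    if v4 is None:
        # Native IPv6 destination: it needs a route, or a 6to4 relay.
        return ("no-endpoint", None)
    if not usable_endpoint(v4):
        return ("reject", v4)
    return ("tunnel", v4)


def decap_source_matches(outer_ipv4_src, inner_ipv6_src, mode):
    """On decapsulation, compare the outer IPv4 source with the inner source.

    True:  the inner IPv6 source embeds the outer IPv4 source.
    False: it embeds a different IPv4 address (the packet is inconsistent).
    None:  the inner source embeds no IPv4 address (for example traffic that
           arrived through a 6to4 relay), so there is nothing to compare.
    """
    v4 = embedded_ipv4(inner_ipv6_src, mode)
    if v4 is None:
        return None
    return v4 == ipaddress.IPv4Address(outer_ipv4_src)
```

Because the destination of an automatic or 6to4 tunnel comes from the packet rather than from configuration, these two checks are the points where a border device can refuse endpoints it should never tunnel to.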

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface tunnel interface-number

A tunnel interface is created.

Step 3 Run: tunnel-protocol ipv6-ipv4 6to4

The tunnel is specified as a 6to4 tunnel.

Step 4 Run: source { ipv4-address | interface-type interface-number }

The source address or source interface of the tunnel is specified.

Step 5 Run: ipv6 enable

IPv6 is enabled on the interface.

Step 6 Run: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The interface is configured with an IPv6 address.

NOTE

The prefix of the IPv6 address configured for the interface must be the same as the 6to4 network prefix of the border device.

----End

Postrequisite

The configuration of a 6to4 relay, which is needed to access the IPv6 network, is similar to that of the 6to4 tunnel. For the configuration example, see "Example for Configuring 6to4 Relay."

10.3.5 Configuring Routes in the Tunnel


Context

Routes for forwarding must exist on the source device and the destination device of the tunnel, ensuring normal packet forwarding.

Configuring routes in the tunnel comprises configuring static routes and dynamic routes.

• To configure the static route, you need to configure the route from the IP address of the local loopback interface (the source address) to the destination address (IP address of the peer loopback interface).
• You can enable dynamic routing protocol on the tunnel interface connected to the private networks and on the device interface.

10.3.6 Checking the Configuration

Prerequisite

The configurations of the IPv6 over IPv4 Tunnel function are complete.

Procedure

Step 1 Run the display ipv6 interface tunnel interface-number command to check the IPv6 attributes of a tunnel interface.

----End

Example

Run the display ipv6 interface tunnel command. If IPv6 packet forwarding is enabled, the output shows that the state of the tunnel interface is Up and the state of the IPv6 protocol is Up, together with the source address and ND parameters.

<HUAWEI> display ipv6 interface tunnel 3/0/0
Tunnel3/0/0 current state : UP ,IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:102
  Global unicast address(es):
    ::2.1.1.2, subnet is ::/96
  Joined group address(es):
    FF02::1:FF01:102
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

10.4 Configuring 6PE

This section describes how users in IPv6 networks communicate across the existing MPLS network.

10.4.1 Establishing the Configuration Task

10.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks

10.4.3 Configuring MPLS


10.4.4 Enabling 6PE Peer

10.4.1 Establishing the Configuration Task

Applicable Environment

To interconnect IPv6 networks over the existing MPLS network, 6PE must be configured on the PE devices.

Pre-configuration Tasks

Before configuring 6PE, complete the following tasks:

• Configuring the physical features of interfaces and ensuring that the status of the physical layer of the interface is Up
• Configuring the link layer protocols on interface and ensuring that the status of the link layer protocol on the interface is Up
• Configuring routes from 6PE to CE
• Configuring routes to the backbone network

Data Preparation

To configure 6PE, you need the following data.

No. Data

1 Interface number and IPv6 address of the 6PE's interface connected with CE devices

2 Interface number and IPv4 address of the 6PE's interface

3 Interface number and IPv4 address of the loopback interface to be created

4 LSP triggering policy

5 IPv4 address of the peer of the 6PE

10.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6


The IPv6 packet forwarding is enabled.

Step 3 Run: interface interface-type interface-number

The interface view of the IPv4 network is displayed.

Step 4 Run: ip address ipv4-address { mask | mask-length }

The interface is configured with an IPv4 address.

Step 5 Run: quit

Return to the system view.

Step 6 Run: interface interface-type interface-number

The interface view of the IPv6 network is displayed.

Step 7 Run: ipv6 enable

IPv6 is enabled on the interface.

Step 8 Run: ipv6 address ipv6-address/prefix-length [ eui-64 ]

Or

ipv6 address { ipv6-address | prefix-length }

The interface is configured with an IPv6 address.

Step 9 Run: quit

Return to the system view.

----End

10.4.3 Configuring MPLS

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: mpls lsr-id ip-address

The LSR ID is specified.


Step 3 Run: mpls

MPLS is enabled and the MPLS view is displayed.

Step 4 Run: lsp-trigger { all | host | ip-prefix prefix-name | none }

The LSP trigger policy is enabled.

Step 5 Run: quit

Return to the system view.

Step 6 Run: mpls ldp

MPLS LDP is enabled.

Step 7 Run: quit

Exit the system view.

Step 8 Run: interface interface-type interface-number

The interface view of the IPv4 network is displayed.

Step 9 Run: mpls

MPLS is enabled on the interface.

Step 10 Run: mpls ldp

MPLS LDP is enabled on the interface.

----End

10.4.4 Enabling 6PE Peer

Context

Do as follows on the router:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: bgp as-number

The BGP view is displayed.


Step 3 Run: peer peer-ipv4-address as-number as-number

The IP address and the AS number of a specified BGP peer are specified.

Step 4 Run: peer peer-ipv4-address connect-interface interface-type interface-number

PE peer is specified to connect with a specified interface.

Step 5 Run: ipv6-family

The BGP-IPv6 unicast address family view is displayed.

Step 6 Run: peer peer-ipv4-address enable

6PE peer is enabled.

Step 7 Run: peer peer-ipv4-address label-route-capability

Label routing capacity is enabled for 6PE.

----End

10.5 Maintaining IPv6 over IPv4 Tunnels

This section describes how to debug the IPv6 tunnel.

10.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel

10.5.2 Debugging IPv6 over IPv4 Tunnel

10.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel

Context

In routine maintenance, you can run the following command in any view to check the operation of IPv6 over IPv4 tunnel.

Procedure

Step 1 Run the display ipv6 interface tunnel { interface-number } command in any view to check the operation status of the tunnel interface.

----End


10.5.2 Debugging IPv6 over IPv4 Tunnel

Context

CAUTION

Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.

If an operation fault occurs on the IPv6 tunnel, run the following debugging commands in the user view to debug the IPv6 tunnel. View information about debugging, locate the fault, and analyze the cause.

For the procedure of displaying the debugging information, refer to the chapter "Information Center Configuration" in the NE5000E Core Router Configuration Guide - System Management. For descriptions about the debugging commands, refer to the NE5000E Core Router Debugging Reference.

Procedure

Step 1 Run the debugging tunnel { all | control | error | keepalive | packet | timer } [ interfacetunnelinterface-type interface-number ] command in the user view to debug tunnel information.

----End

10.6 Configuration Examples

This section provides several configuration examples of IPv6 over IPv4 tunnels.

10.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel

10.6.2 Example for Configuring an IPv6 over IPv4 Automatic Tunnel

10.6.3 Example for Configuring a 6to4 Tunnel

10.6.4 Example for Configuring 6to4 Relay

10.6.5 Example for Configuring 6PE

10.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.


As shown in Figure 10-5, two IPv6 networks are connected to Router B in the IPv4 backbone network respectively through Router A and Router C. To enable communication between two IPv6 networks, configure an IPv6 over IPv4 manual tunnel between Router A and Router C.

NOTE

It is recommended that in an actual networking environment, the source address of the tunnel is specified as the IP address of the loopback interface of the local device or the source interface of the tunnel is specified as the loopback interface on the local device. It is also recommended that in an actual networking environment, the destination address of the tunnel is specified as the IP address of the loopback interface of the peer device.

Figure 10-5 Networking diagram of the IPv6 over IPv4 manual tunnel

[Figure: Router A (dual stack, GE1/0/0 192.168.50.2/24) and Router C (dual stack, GE1/0/0 192.168.51.2/24) each connect an IPv6 network to Router B (GE1/0/0 192.168.50.1/24, GE2/0/0 192.168.51.1/24) in the IPv4 network.]

Configuration Roadmap

The configuration roadmap of IPv6 over IPv4 manual tunnel is as follows:

1. Configure IP addresses for physical interfaces.
2. Configure IPv6 addresses, the source interface, and the destination addresses for the tunnel interfaces.
3. Set the tunnel protocol as IPv6-IPv4.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of interfaces
• IPv6 addresses, the source interfaces and the destination addresses of the tunnel interfaces

Procedure

Step 1 Configure Router A.

# Configure an IP address for the interface.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0


[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit

# Set the tunnel protocol as IPv6-IPv4.

[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface, and destination address for the tunnel interface.

[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 3001::1/64
[RouterA-Tunnel1/0/0] source 192.168.50.2
[RouterA-Tunnel1/0/0] destination 192.168.51.2
[RouterA-Tunnel1/0/0] quit

# Configure static routes.

[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1

Step 2 Configure Router B.

# Configure an IP address for the interface.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit

Step 3 Configure Router C.

# Configure an IP address for the interface.

<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] ipv6
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] undo shutdown
[RouterC-GigabitEthernet1/0/0] quit

# Set the tunnel protocol as IPv6-IPv4.

[RouterC] interface tunnel 1/0/0
[RouterC-Tunnel1/0/0] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface, and destination address for the tunnel interface.

[RouterC-Tunnel1/0/0] ipv6 enable
[RouterC-Tunnel1/0/0] ipv6 address 3001::2/64
[RouterC-Tunnel1/0/0] source 192.168.51.2
[RouterC-Tunnel1/0/0] destination 192.168.50.2
[RouterC-Tunnel1/0/0] quit

# Configure a static route.

[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1

Step 4 Verify the configuration.

# On Router C, ping the IPv4 address of the interface GE 1/0/0 of Router A. Router C can receive response packets from Router A.

[RouterC] ping 192.168.50.2


  PING 192.168.50.2: 56 data bytes, press CTRL_C to break
    Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms
    Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms
    Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms
    Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms
    Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms
  --- 192.168.50.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/32/84 ms

# On Router C, ping the IPv6 address of Tunnel 1/0/0 of Router A. Router C can receive response packets from Router A.

[RouterC] ping ipv6 3001::1
  PING 3001::1 : 56 data bytes, press CTRL_C to break
    Reply from 3001::1 bytes=56 Sequence=1 hop limit=255 time = 28 ms
    Reply from 3001::1 bytes=56 Sequence=2 hop limit=255 time = 27 ms
    Reply from 3001::1 bytes=56 Sequence=3 hop limit=255 time = 26 ms
    Reply from 3001::1 bytes=56 Sequence=4 hop limit=255 time = 27 ms
    Reply from 3001::1 bytes=56 Sequence=5 hop limit=255 time = 26 ms
  --- 3001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 26/26/28 ms

----End

Configuration File

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.50.2 255.255.255.0
#
interface Tunnel1/0/0
 ipv6 enable
 ipv6 address 3001::1/64
 tunnel-protocol ipv6-ipv4
 source 192.168.50.2
 destination 192.168.51.2
#
 ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.50.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo shutdown


 ip address 192.168.51.1 255.255.255.0
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.51.2 255.255.255.0
#
interface Tunnel1/0/0
 ipv6 enable
 ipv6 address 3001::2/64
 tunnel-protocol ipv6-ipv4
 source 192.168.51.2
 destination 192.168.50.2
#
 ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
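A consistency check for the two ends of the manual tunnel configured above, as an added Python example that is not part of the Huawei guide: it parses the Router A and Router C configuration files of this section and verifies the rule from 10.3.2 that each end's source is the other end's destination, together with the ipv6 and ipv6 enable prerequisites from 10.2.2. The function names and the parser are assumptions of this example, and it handles only the configuration lines shown in this section.

```python
import ipaddress

# Layout of the Router A / Router C configuration files in section 10.6.1.
TEMPLATE = """\
#
 sysname {name}
#
 ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address {local} 255.255.255.0
#
interface Tunnel1/0/0
 ipv6 enable
 ipv6 address {v6}
 tunnel-protocol ipv6-ipv4
 source {local}
 destination {peer}
#
 ip route-static {net} 255.255.255.0 {nexthop}
#
return
"""
ROUTER_A = TEMPLATE.format(name="RouterA", local="192.168.50.2", peer="192.168.51.2",
                           v6="3001::1/64", net="192.168.51.0", nexthop="192.168.50.1")
ROUTER_C = TEMPLATE.format(name="RouterC", local="192.168.51.2", peer="192.168.50.2",
                           v6="3001::2/64", net="192.168.50.0", nexthop="192.168.51.1")


def parse_vrp(text):
    """Split a configuration file into global lines and per-interface lines."""
    cfg = {"global": [], "interfaces": {}}
    current = cfg["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "return"):
            continue
        if line == "#":                      # '#' closes the current block
            current = cfg["global"]
        elif line.startswith("interface "):
            current = cfg["interfaces"].setdefault(line.split(None, 1)[1], [])
        else:
            current.append(line)
    return cfg


def tunnel_settings(cfg, name):
    """Collect the settings of one tunnel interface, or None if it is absent."""
    lines = cfg["interfaces"].get(name)
    if lines is None:
        return None
    t = {"ipv6 enable": "ipv6 enable" in lines, "tunnel-protocol": None,
         "source": None, "destination": None}
    for line in lines:
        key, _, value = line.partition(" ")
        if key in ("tunnel-protocol", "source", "destination"):
            t[key] = value.strip()
    return t


def source_ipv4(cfg, source):
    """Resolve a tunnel source given as an IPv4 address or an interface name."""
    try:
        return ipaddress.IPv4Address(source)
    except ValueError:
        wanted = source.replace(" ", "").lower()
    for name, lines in cfg["interfaces"].items():
        if name.replace(" ", "").lower() == wanted:
            for line in lines:
                if line.startswith("ip address "):
                    return ipaddress.IPv4Address(line.split()[2])
    return None


def check_manual_tunnel(local_text, peer_text, name="Tunnel1/0/0"):
    """Return a list of findings; an empty list means both ends are consistent."""
    findings, ends = [], []
    for label, text in (("local", local_text), ("peer", peer_text)):
        cfg = parse_vrp(text)
        t = tunnel_settings(cfg, name)
        if t is None:
            return [f"{label}: interface {name} is not configured"]
        if "ipv6" not in cfg["global"]:
            findings.append(f"{label}: ipv6 is not enabled in the system view")
        if not t["ipv6 enable"]:
            findings.append(f"{label}: ipv6 enable is missing on {name}")
        if t["tunnel-protocol"] != "ipv6-ipv4":
            findings.append(f"{label}: {name} is not an IPv6 over IPv4 manual tunnel")
        src = source_ipv4(cfg, t["source"]) if t["source"] else None
        dst = ipaddress.IPv4Address(t["destination"]) if t["destination"] else None
        ends.append((src, dst))
        if src is None or dst is None:
            findings.append(f"{label}: tunnel source or destination is missing")
    (l_src, l_dst), (p_src, p_dst) = ends
    if None not in (l_src, l_dst, p_src, p_dst) and (l_src, l_dst) != (p_dst, p_src):
        findings.append(f"ends are not mirrored: local {l_src} -> {l_dst}, "
                        f"peer {p_src} -> {p_dst}")
    return findings
```

Calling check_manual_tunnel(ROUTER_A, ROUTER_C) returns an empty list for the configuration files of this example; a source given as a loopback interface name is resolved through that interface's ip address line.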

10.6.2 Example for Configuring an IPv6 over IPv4 Automatic Tunnel

Networking Requirements

CAUTION

For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 10-6, two IPv6 networks are connected with the IPv4 backbone network respectively through Router A and Router B. To enable communication between the two IPv6 networks, configure an IPv6 over IPv4 automatic tunnel between Router A and Router B.

The interfaces that connect Router A and Router B to the IPv4 backbone network should be configured with public IPv4 addresses.

NOTE

It is recommended that in an actual networking environment, the source address of the tunnel is specified as the IP address of the loopback interface of the local device or the source interface of the tunnel is specified as the loopback interface on the local device. It is also recommended that in an actual networking environment, the destination address of the tunnel is specified as the IP address of the loopback interface of the peer device.


Figure 10-6 Networking diagram of the IPv6 over IPv4 automatic tunnel

[Figure: Router A (dual stack; POS1/0/0 2.1.1.1/8; loopback1 3.3.3.3/32; Tunnel 1/0/0 ::2.1.1.1/96) and Router B (dual stack; POS1/0/0 2.1.1.2/8; loopback1 4.4.4.4/32; Tunnel 1/0/0 ::2.1.1.2/96) connect two IPv6 networks across the IPv4 network through the tunnel.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses for interfaces.
2. Configure the IPv6 addresses and source interface of the tunnel interface.
3. Set the tunnel protocol as automatic tunnel protocol.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of interfaces
• IPv6 address and source interface of the tunnel interface

To configure an automatic tunnel, you need to specify only the source interface rather than the destination interface of the tunnel.

Procedure

Step 1 Configure Router A.

# Configure the IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-pos1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-pos1/0/0] quit

# Create a loopback interface and assign an IPv4 address to it.

[RouterA] interface loopback 1
[RouterA-LoopBack1] ip address 3.3.3.3 32
[RouterA-LoopBack1] quit

# Configure a static route from Router A to Router B.

[RouterA] ip route-static 2.1.1.2 255.0.0.0 2.1.1.2
[RouterA] ip route-static 4.4.4.4 255.255.255.255 2.1.1.2


# Configure an automatic tunnel.

[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address ::3.3.3.3/96
[RouterA-Tunnel1/0/0] source loopback 1
[RouterA-Tunnel1/0/0] quit

Step 2 Configure Router B.

# Configure the IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-pos1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-Pos1/0/0] quit

# Create a loopback interface and assign an IPv4 address to it.

[RouterB] interface loopback 1
[RouterB-LoopBack1] ip address 4.4.4.4 32
[RouterB-LoopBack1] quit

# Configure a static route from Router B to Router A.

[RouterB] ip route-static 2.1.1.1 255.0.0.0 2.1.1.1
[RouterB] ip route-static 3.3.3.3 255.255.255.255 2.1.1.1

# Configure an automatic tunnel.

[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address ::4.4.4.4/96
[RouterB-Tunnel1/0/0] source loopback 1
[RouterB-Tunnel1/0/0] quit

Step 3 Verify the configuration.

# On Router A, view the status of Tunnel 1/0/0 and find it is Up.

[RouterA] display ipv6 interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
  Global unicast address(es):
    ::3.3.3.3, subnet is ::/96
  Joined group address(es):
    FF02::1:FF01:101
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# On Router A, ping the IPv4-compatible IPv6 address of the tunnel peer.

[RouterA] ping ipv6 ::4.4.4.4
  PING ::4.4.4.4 : 56 data bytes, press CTRL_C to break
    Reply from ::4.4.4.4
    bytes=56 Sequence=1 hop limit=64 time = 30 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=2 hop limit=64 time = 40 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=3 hop limit=64 time = 50 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=4 hop limit=64 time = 1 ms
    Reply from ::4.4.4.4
    bytes=56 Sequence=5 hop limit=64 time = 50 ms
  --- ::4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/34/50 ms

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 ip address 2.1.1.1 255.0.0.0
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address ::3.3.3.3/96
 tunnel-protocol ipv6-ipv4 auto-tunnel
 source loopback 1
#
ip route-static 2.1.1.2 255.0.0.0 2.1.1.2
ip route-static 4.4.4.4 255.255.255.255 2.1.1.2
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 ip address 2.1.1.2 255.0.0.0
#
interface LoopBack1
 ip address 4.4.4.4 255.255.255.255
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address ::4.4.4.4/96
 tunnel-protocol ipv6-ipv4 auto-tunnel
 source loopback 1
#
ip route-static 2.1.1.1 255.0.0.0 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 2.1.1.1
#
return

10.6.3 Example for Configuring a 6to4 Tunnel


Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 10-7, the two IPv6 networks are both 6to4 networks. Router A and Router B are each connected to a 6to4 network and to the IPv4 network. To enable communication between the hosts in the two 6to4 networks, set up a 6to4 tunnel between Router A and Router B.

To enable communication between 6to4 networks, configure 6to4 addresses for the hosts in the 6to4 networks. A 6to4 address has a 48-bit prefix composed of 2002:IPv4 address. As shown in Figure 10-7, the IPv4 address of the interface through which Router A is connected to the IPv4 network is 2.1.1.1. Therefore, the 6to4 address of Router A in the 6to4 network should start with 2002:0201:0101::.

NOTE
It is recommended that in an actual networking environment, the source address of the tunnel is specified as the IP address of the loopback interface of the local device, or the source interface of the tunnel is specified as the loopback interface on the local device. It is also recommended that in an actual networking environment, the destination address of the tunnel is specified as the IP address of the loopback interface of the peer device.

Figure 10-7 Networking diagram of the 6to4 tunnel

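(Figure not reproduced. Labels: RouterA and RouterB are 6to4 routers connected across the IPv4 network, each with an IPv6 network behind it. RouterA: POS1/0/0 2.1.1.1, Tunnel 1/0/0 2002:201:101::1/64, GE2/0/0 2002:201:101:1::1/64, PC1 2002:201:101:1::2. RouterB: POS1/0/0 2.1.1.2, Tunnel 1/0/0 2002:201:102::1/64, GE2/0/0 2002:201:102:1::1/64, PC2 2002:201:102:1::2.)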

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IPv4/IPv6 dual-protocol stacks.
2. Configure the tunnel protocol as 6to4.
3. Configure related routes.

Data Preparation

To complete the configuration, you need the following data:

• IPv4 or IPv6 addresses of interfaces
• Source tunnel interface

Procedure

Step 1 Configure Router A.

# Configure IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-pos1/0/0] ip address 2.1.1.1 8
[RouterA-pos1/0/0] undo shutdown
[RouterA-pos1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.

[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel1/0/0] source 2.1.1.1
[RouterA-Tunnel1/0/0] quit

# Configure a route to other 6to4 networks.

[RouterA] ipv6 route-static 2002:: 16 tunnel 1/0/0

Step 2 Configure Router B.

# Configure IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-pos1/0/0] ip address 2.1.1.2 8
[RouterB-pos1/0/0] undo shutdown
[RouterB-pos1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2002:0201:0102:1::1/64
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.

[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel1/0/0] source 2.1.1.2
[RouterB-Tunnel1/0/0] quit

# Configure a route to other 6to4 networks.


[RouterB] ipv6 route-static 2002:: 16 tunnel 1/0/0

NOTE
There must be an accessible route between Router A and Router B. In this example, both the devices are directly connected; therefore, no routing protocol needs to be configured.

Step 3 Verify the configuration.

# Check the IPv6 state of Tunnel 1/0/0 on Router A and find it is UP.

[RouterA] display ipv6 interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
  Global unicast address(es):
    2002:201:101::1, subnet is 2002:201:101::/64
  Joined group address(es):
    FF02::1:FF01:101
    FF02::1:FF00:1
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# Router A can ping through the 6to4 address of GE 2/0/0 of Router B.

[RouterA] ping ipv6 2002:0201:0102:1::1
  PING 2002:0201:0102:1::1 : 56 data bytes, press CTRL_C to break
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=1 hop limit=255 time = 8 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=2 hop limit=255 time = 25 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=3 hop limit=255 time = 4 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=4 hop limit=255 time = 5 ms
    Reply from 2002:201:102:1::1
    bytes=56 Sequence=5 hop limit=255 time = 5 ms
  --- 2002:0201:0102:1::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/9/25 ms

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet 2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002:201:102:1::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:102::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.2
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return
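In 10.6.2 and 10.6.3 the tunnel has no configured destination: the peer is derived from the IPv4 address embedded in the IPv6 address (::IPv4 for the automatic tunnel, 2002:IPv4 for 6to4), so a tunnel address that does not embed the tunnel's own source address, or that embeds a non-public address, is a misconfiguration worth catching in review. The following Python check is an added example, not part of the Huawei guide; the function names are assumptions of this example, and the sample configuration is constructed from Router A's files above plus one deliberately inconsistent tunnel (Tunnel 1/0/2).

```python
import ipaddress
import re

# Constructed sample: Router A's tunnel settings from 10.6.2 and 10.6.3 merged
# into one file, plus Tunnel 1/0/2, which is deliberately inconsistent.
SAMPLE_CONFIG = """\
#
interface pos1/0/0
 link-protocol ppp
 ip address 2.1.1.1 255.0.0.0
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
interface Tunnel 1/0/1
 ipv6 enable
 ipv6 address ::3.3.3.3/96
 tunnel-protocol ipv6-ipv4 auto-tunnel
 source loopback 1
#
interface Tunnel 1/0/2
 ipv6 enable
 ipv6 address 2002:c0a8:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
return
"""


def _norm(name):
    """Make 'Tunnel 1/0/0' == 'Tunnel1/0/0' and 'loopback 1' == 'LoopBack1'."""
    return re.sub(r"\s+", "", name).lower()


def parse_interfaces(config):
    """Return {normalized interface name: [command lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(_norm(line[len("interface "):]), [])
        elif line == "#" or not line:
            current = None                      # '#' closes the current view
        elif current is not None:
            current.append(line)
    return interfaces


def _first(cmds, prefix):
    """Argument string of the first command that starts with prefix, or None."""
    for cmd in cmds:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix):].strip()
    return None


def resolve_source(source, interfaces):
    """Tunnel source as an IPv4Address; follows 'source <interface>' to its address."""
    try:
        return ipaddress.IPv4Address(source)
    except ValueError:
        addr = _first(interfaces.get(_norm(source), []), "ip address")
        return ipaddress.IPv4Address(addr.split()[0]) if addr else None


def embedded_ipv4(addr6, mode):
    """IPv4 address inside a 6to4 (2002:V4::) or IPv4-compatible (::V4) address."""
    if mode == "6to4":
        return addr6.sixtofour                  # None outside 2002::/16
    if int(addr6) >> 32 == 0:                   # high 96 bits must be zero
        return ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)
    return None


def audit(config):
    """Return (interface, finding) pairs for 6to4 and auto-tunnel interfaces."""
    interfaces, findings = parse_interfaces(config), []
    for name, cmds in interfaces.items():
        mode = _first(cmds, "tunnel-protocol ipv6-ipv4")
        if mode not in ("6to4", "auto-tunnel"):
            continue
        source, addr = _first(cmds, "source"), _first(cmds, "ipv6 address")
        src4 = resolve_source(source, interfaces) if source else None
        try:
            addr6 = ipaddress.IPv6Interface("/".join(addr.split())).ip
        except (AttributeError, ValueError):
            addr6 = None
        if src4 is None or addr6 is None:
            findings.append((name, "tunnel source or IPv6 address missing or unresolvable"))
            continue
        emb = embedded_ipv4(addr6, mode)
        if emb is None:
            findings.append((name, f"{addr6} is not a valid {mode} address"))
            continue
        if emb != src4:
            findings.append((name, f"embeds {emb}, but tunnel source is {src4}"))
        if not emb.is_global:
            findings.append((name, f"embedded IPv4 {emb} is not a public address"))
    return findings
```

Calling audit(SAMPLE_CONFIG) reports only Tunnel 1/0/2; the two tunnels taken from this page pass both checks.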

10.6.4 Example for Configuring 6to4 Relay

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The chassis ID must be specified along with the slot number.

As shown in Figure 10-8, Router A is a 6to4 device and is connected to an IPv6 network. As a 6to4 relay device, Router B is connected to the IPv6 Internet (2001::/64). To enable communication between the host in the 6to4 network and the host in the IPv6 Internet, configure a 6to4 tunnel between Router A and Router B.

The configuration of the tunnel between a 6to4 relay device and a common 6to4 device is similar to that between common 6to4 devices. A static route to the IPv6 Internet shall be configured on the common 6to4 device so that the 6to4 network and the IPv6 network can communicate with each other.

NOTE
It is recommended that in an actual networking environment, the source address of the tunnel is specified as the IP address of the loopback interface of the local device, or the source interface of the tunnel is specified as the loopback interface on the local device. It is also recommended that in an actual networking environment, the destination address of the tunnel is specified as the IP address of the loopback interface of the peer device.


Figure 10-8 Networking diagram of accessing the IPv6 network through 6to4 relay

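(Figure not reproduced. Labels: RouterA is a 6to4 router and RouterB is a 6to4 relay, connected across the IPv4 network. RouterA: POS1/0/0 2.1.1.1, Tunnel 1/0/0 2002:201:101::1/64, GE2/0/0 2002:201:101:1::1/64, PC1 2002:201:101:1::2 in the 6to4 network. RouterB: POS1/0/0 2.1.1.2, Tunnel 1/0/0 2002:201:102::1/64, GE2/0/0 2001::1/64, PC2 2001::2 in the IPv6 network.)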

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IPv4/IPv6 dual protocol stacks.
2. Configure a 6to4 tunnel.
3. Configure related static routes.

Data Preparation

To complete the configuration, you need the following data:

• IPv4 or IPv6 addresses of interfaces
• Source tunnel interface
• Static routes to the devices that are not directly connected

Procedure

Step 1 Configure Router A.

# Configure IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.

[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel1/0/0] source 2.1.1.1
[RouterA-Tunnel1/0/0] quit

# Configure a static route to 2002::/16.

[RouterA] ipv6 route-static 2002:: 16 tunnel 1/0/0

# Configure a default route to the IPv6 network.

[RouterA] ipv6 route-static :: 0 2002:0201:0102::1

Step 2 Configure Router B.

# Configure IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2001::1/64
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.

[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel1/0/0] source 2.1.1.2
[RouterB-Tunnel1/0/0] quit

# Configure a static route to 2002::/16.

[RouterB] ipv6 route-static 2002:: 16 tunnel1/0/0

Step 3 Verify the configuration.

# Router A can ping through the IPv6 address of GE 2/0/0 on Router B.

[RouterA] ping ipv6 2001::1
  PING 2001::1 : 56 data bytes, press CTRL_C to break
    Reply from 2001::1
    bytes=56 Sequence=1 hop limit=255 time = 29 ms
    Reply from 2001::1
    bytes=56 Sequence=2 hop limit=255 time = 5 ms
    Reply from 2001::1
    bytes=56 Sequence=3 hop limit=255 time = 5 ms
    Reply from 2001::1
    bytes=56 Sequence=4 hop limit=255 time = 5 ms
    Reply from 2001::1
    bytes=56 Sequence=5 hop limit=255 time = 26 ms
  --- 2001::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 5/14/29 ms

----End


Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface pos1/0/0
 link-protocol ppp
 undo shutdown
 ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001::1/64
#
interface Tunnel 1/0/0
 ipv6 enable
 ipv6 address 2002:201:102::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source Pos1/0/0
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return

10.6.5 Example for Configuring 6PE


Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 10-9, PE1 and PE2 support the 6PE features, and CE1 and CE2 support the IPv6 protocol. IPv4 IBGP connections need to be established between the PEs in the IPv4/MPLS network. Run the OSPF protocol in the IPv4/MPLS network. The CEs are in the IPv6 networks. Using IPv6 addresses, the CEs exchange routing information with the PEs through static routes.

It is required to use the 6PE feature to connect the IPv6 networks of the user over the IPv4/MPLS network of the ISP.

Figure 10-9 Networking diagram of 6PE

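(Figure not reproduced. Labels: PE1 and PE2 are connected across the IPv4/MPLS network; CE1 and CE2 each connect an IPv6 customer site. PE1: POS1/0/0 3000:435::1/64, POS2/0/0 4.3.5.1/24. PE2: POS1/0/0 3000:1065::1/64, POS2/0/0 4.3.5.2/24. CE1: POS1/0/0 3000:435::2/64. CE2: POS1/0/0 3000:1065::2/64.)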

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.

2. Configure 6PE and enable MPLS capability.

3. Configure the 6PE peer.

4. Configure an IPv6 address for the interface and a static route on CE.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of interfaces
• LSR ID

Procedure

Step 1 Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.

# Configure PE1 and enable its IPv6 capability.

<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] ipv6

# Configure PE2 and enable its IPv6 capability.

<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] ipv6

# Configure an IPv6 address for POS 1/0/0 on PE1 and an IP address for loopback0.

[PE1] interface pos 1/0/0
[PE1-Pos1/0/0] ipv6 enable
[PE1-Pos1/0/0] ipv6 address 3000:435::1 64
[PE1-Pos1/0/0] undo shutdown
[PE1-Pos1/0/0] quit
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 255.255.255.255
[PE1-LoopBack0] quit

# Configure an IPv6 address for POS 1/0/0 on PE2 and an IP address for loopback0.

[PE2] interface pos 1/0/0
[PE2-Pos1/0/0] ipv6 enable
[PE2-Pos1/0/0] ipv6 address 3000:1065::1 64
[PE2-Pos1/0/0] undo shutdown
[PE2-Pos1/0/0] quit
[PE2] interface loopback 0
[PE2-LoopBack0] ip address 2.2.2.9 255.255.255.255
[PE2-LoopBack0] quit

Step 2 Configure 6PE and enable MPLS capability.

# Configure an IP address for POS 2/0/0 on PE1 and enable MPLS and LDP on it.

[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
Mpls starting, please wait... OK!
[PE1-mpls] lsp-trigger all
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface pos 2/0/0
[PE1-Pos2/0/0] ip address 4.3.5.1 255.255.255.0
[PE1-Pos2/0/0] mpls
[PE1-Pos2/0/0] mpls ldp
[PE1-Pos2/0/0] undo shutdown
[PE1-Pos2/0/0] quit

# Configure an IP address for POS 2/0/0 on PE2 and enable MPLS and LDP on it.

[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
Mpls starting, please wait... OK!
[PE2-mpls] lsp-trigger all
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface pos 2/0/0
[PE2-Pos2/0/0] ip address 4.3.5.2 255.255.255.0
[PE2-Pos2/0/0] mpls
[PE2-Pos2/0/0] mpls ldp
[PE2-Pos2/0/0] undo shutdown
[PE2-Pos2/0/0] quit

# Configure OSPF on PE1 and trigger the setup of LSPs.

[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure OSPF on PE2 and trigger the setup of LSPs.

[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

Step 3 Configure the 6PE peer.

# Configure IBGP on PE1, enable the 6PE capability on the peer, and import IPv6 direct routes and static routes.

[PE1] bgp 65100
[PE1-bgp] peer 2.2.2.9 as-number 65100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0
[PE1-bgp] ipv6-family
[PE1-bgp-af-ipv6] import-route direct
[PE1-bgp-af-ipv6] import-route static
[PE1-bgp-af-ipv6] peer 2.2.2.9 enable
[PE1-bgp-af-ipv6] peer 2.2.2.9 label-route-capability
[PE1-bgp-af-ipv6] quit
[PE1-bgp] quit

# Configure IBGP on PE2, enable the 6PE capability on the peer, and import IPv6 direct routes and static routes.

[PE2] bgp 65100
[PE2-bgp] peer 1.1.1.9 as-number 65100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0
[PE2-bgp] ipv6-family
[PE2-bgp-af-ipv6] import-route direct
[PE2-bgp-af-ipv6] import-route static
[PE2-bgp-af-ipv6] peer 1.1.1.9 enable
[PE2-bgp-af-ipv6] peer 1.1.1.9 label-route-capability
[PE2-bgp-af-ipv6] quit
[PE2-bgp] quit

Step 4 Configure an IPv6 address for the interface and a static route on CE.

# Configure CE1 and set up an IPv6 connection between CE1 and PE1.

<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] ipv6
[CE1] interface pos 1/0/0
[CE1-Pos1/0/0] ipv6 enable
[CE1-Pos1/0/0] ipv6 address 3000:435::2 64
[CE1-Pos1/0/0] undo shutdown
[CE1-Pos1/0/0] quit
[CE1] ipv6 route-static :: 0 pos 1/0/0

# Configure CE2 and set up an IPv6 connection between CE2 and PE2.

<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] ipv6
[CE2] interface pos 1/0/0
[CE2-Pos1/0/0] ipv6 enable
[CE2-Pos1/0/0] ipv6 address 3000:1065::2 64
[CE2-Pos1/0/0] undo shutdown
[CE2-Pos1/0/0] quit
[CE2] ipv6 route-static :: 0 pos 1/0/0

Step 5 Verify the configuration.

# Display the LSP information on PE1.

[PE1] display mpls lsp
-----------------------------------------------------------
                 LSP Information: LDP LSP
-----------------------------------------------------------
FEC                In/Out Label  In/Out IF          Vrf Name
2.2.2.9/32         NULL/3        -/Pos2/0/0
2.2.2.9/32         3/NULL        -/-
-----------------------------------------------------------
                 LSP Information: BGP IPV6 LSP
-----------------------------------------------------------
FEC           : 3000:435::/64
In Label      : 109568           Out Label    : -----
In Interface  : -----            OutInterface : -----
Vrf Name      :

# Display the IPv6 routing information on PE1.

[PE1] display bgp ipv6 routing-table

 Total Number of Routes: 5

 BGP Local router ID is 1.1.1.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 *>  Network  : ::1                          PrefixLen : 128
     NextHop  : ::                           LocPrf    :
     MED      : 0                            PrefVal   : 0
     Label    :
     Path/Ogn : ?

 *>  Network  : 3000:435::                   PrefixLen : 64
     NextHop  : ::                           LocPrf    :
     MED      : 0                            PrefVal   : 0
     Label    : NULL/109568
     Path/Ogn : ?

 *>  Network  : 3000:435::1                  PrefixLen : 128
     NextHop  : ::                           LocPrf    :
     MED      : 0                            PrefVal   : 0
     Label    :
     Path/Ogn : ?

 *>i Network  : 3000:1065::                  PrefixLen : 64
     NextHop  : ::FFFF:2.2.2.9               LocPrf    : 100
     MED      : 0                            PrefVal   : 0
     Label    : 109568/NULL
     Path/Ogn : ?

 *>  Network  : FE80::                       PrefixLen : 10
     NextHop  : ::                           LocPrf    :
     MED      : 0                            PrefVal   : 0
     Label    :
     Path/Ogn : ?

# CE1 can ping through the IPv6 address of CE2.

[CE1] ping ipv6 3000:1065::2
  PING 3000:1065::2 : 56 data bytes, press CTRL_C to break
    Reply from 3000:1065::2
    bytes=56 Sequence=1 hop limit=63 time = 50 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=2 hop limit=63 time = 1 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=3 hop limit=63 time = 1 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=4 hop limit=63 time = 1 ms
    Reply from 3000:1065::2
    bytes=56 Sequence=5 hop limit=63 time = 1 ms
  --- 3000:1065::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/10/50 ms

----End
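In the Step 5 output, the route PE1 learned from its 6PE peer (status code i) has the peer's IPv4 address as an IPv4-mapped IPv6 next hop (::FFFF:2.2.2.9) and carries a label. The following Python check, an added example that is not part of the Huawei guide, parses output in that layout and flags internal routes that lack either property or whose next hop is not a configured peer. The function names are assumptions of this example; the sample holds two entries from the output above plus one constructed entry (3000:2000::) that fails the check.

```python
import ipaddress
import re

# Constructed sample in the layout of "display bgp ipv6 routing-table": the
# first two entries are from PE1's output on this page, the third is invented.
SAMPLE_OUTPUT = """\
 *>  Network  : 3000:435::                   PrefixLen : 64
     NextHop  : ::                           LocPrf    :
     MED      : 0                            PrefVal   : 0
     Label    : NULL/109568
     Path/Ogn : ?
 *>i Network  : 3000:1065::                  PrefixLen : 64
     NextHop  : ::FFFF:2.2.2.9               LocPrf    : 100
     MED      : 0                            PrefVal   : 0
     Label    : 109568/NULL
     Path/Ogn : ?
 *>i Network  : 3000:2000::                  PrefixLen : 64
     NextHop  : 3000:1065::1                 LocPrf    : 100
     MED      : 0                            PrefVal   : 0
     Label    :
     Path/Ogn : ?
"""

# A field name followed by ':' and then whitespace or end of line. The lookahead
# keeps the colons inside IPv6 addresses from being taken as field separators.
_KEY = re.compile(
    r"(Network|PrefixLen|NextHop|LocPrf|MED|PrefVal|Label|Path/Ogn)\s*:(?=\s|$)")


def parse_routes(output):
    """Return one dict per route entry; 'status' holds the codes such as '*>i'."""
    routes = []
    for line in output.splitlines():
        keys = list(_KEY.finditer(line))
        if not keys:
            continue
        if keys[0].group(1) == "Network":       # a Network field starts an entry
            routes.append({"status": line[:keys[0].start()].strip()})
        if not routes:
            continue
        for match, nxt in zip(keys, keys[1:] + [None]):
            end = nxt.start() if nxt else len(line)
            routes[-1][match.group(1)] = line[match.end():end].strip()
    return routes


def check_6pe(output, peers):
    """Return (prefix, finding) pairs for internal routes that fail the 6PE checks."""
    peers = {ipaddress.IPv4Address(p) for p in peers}
    findings = []
    for route in parse_routes(output):
        if "i" not in route["status"]:
            continue                            # locally originated route
        prefix = f'{route["Network"]}/{route["PrefixLen"]}'
        mapped = ipaddress.IPv6Address(route["NextHop"]).ipv4_mapped
        if mapped is None:
            findings.append((prefix, "next hop is not an IPv4-mapped IPv6 address"))
        elif mapped not in peers:
            findings.append((prefix, f"next hop {mapped} is not a configured 6PE peer"))
        if not re.search(r"\d", route.get("Label", "")):
            findings.append((prefix, "no label shown for this prefix"))
    return findings
```

With peers set to ["2.2.2.9"], the entry for 3000:1065:: passes and only the constructed 3000:2000:: entry is reported.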

Configuration Files

• Configuration file of PE1

#
 sysname PE1
#
 ipv6
#
 mpls lsr-id 1.1.1.9
 mpls
  lsp-trigger all
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:435::1/64
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 4.3.5.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 1.1.1.9 255.255.255.255
#
bgp 65100
 peer 2.2.2.9 as-number 65100
 peer 2.2.2.9 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 2.2.2.9 enable
 #
 ipv6-family
  undo synchronization
  import-route direct
  import-route static
  peer 2.2.2.9 enable
  peer 2.2.2.9 label-route-capability
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 4.3.5.0 0.0.0.255
#
return

• Configuration file of PE2

#
 sysname PE2
#
 ipv6
#
 mpls lsr-id 2.2.2.9
 mpls
  lsp-trigger all
#
mpls ldp
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:1065::1/64
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip address 4.3.5.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 2.2.2.9 255.255.255.255
#
bgp 65100
 peer 1.1.1.9 as-number 65100
 peer 1.1.1.9 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv6-family
  undo synchronization
  import-route direct
  import-route static
  peer 1.1.1.9 enable
  peer 1.1.1.9 label-route-capability
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 4.3.5.0 0.0.0.255
#
return

• Configuration file of CE1

#
 sysname CE1
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:435::2/64
#
ipv6 route-static :: 0 Pos1/0/0
#
return

• Configuration file of CE2

#
 sysname CE2
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 undo shutdown
 ipv6 enable
 ipv6 address 3000:1065::2/64
#
ipv6 route-static :: 0 Pos1/0/0
#
return


A Glossary

This appendix collates frequently used glossaries in this document.

A

Access Control List A list composed of multiple sequential permit/deny statements.In firewall, after ACL is applied to an interface on the device, thedevice decides which packet can be forwarded and which packetshould be denied. In QoS, ACL is used to classify traffic.

Acknowledge To confirm an action. The acknowledgement (ACK) message issent from one device to another.

Address ResolutionProtocol

A protocol used to map an IP Address to a MAC address, asdefined in RFC 826.

ATM An asynchronous Transfer Mode. It is a data transmissiontechnology in which data (files, voice and video) is transferred incells with a fixed length (53 Bytes). The fixed length makes thecell be processed by the hardware. The object of ATM is to makegood use of high-speed transmission medium such as E3, SONETand T3.

B

Broadcast To send packets to all ports of the nodes in the network.

D

Domain name A name composed of numbers or characters. Each domain namecorresponds to an IP address.

Dotted decimal notation A format of IP address. IP addresses in this format are separatedinto four parts by a dot "." with each part is in the decimal numeral.

E

HUAWEI NetEngine5000E Core RouterConfiguration Guide - IP Services A Glossary

Issue 02 (2009-12-10) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

A-1

Page 326: Configuration Guide - IP Services(V300R007C00 02)[1]

Ethernet A technology complemented in LAN. It adopts Carrier SenseMultiple Access/Collision Detection. The speed of an Ethernetinterface can be 10 Mbit/s, 100 Mbit/s, 1000 Mbit/s or 10000Mbit/s. The Ethernet network features high reliability and easymaintaining..

F

File Transfer Protocol An application layer protocol based on TCP/IP. It is used totransfer large amounts of data reliably between the user and theremote host. FTP is implemented based on corresponding filesystem.

I

IPv6 A update version of IPv4. It is also called IP Next Generation(IPng). The specifications and standardizations provided by it areconsistent with the Internet Engineering Task Force(IETF).Internet Protocol Version 6 (IPv6) is also called. It is anew version of the Internet Protocol, designed as the successor toIPv4. The specifications and standardizations provided by it areconsistent with the Internet Engineering Task Force (IETF).Thedifference between IPv6 and IPv4 is that an IPv4 address has 32bits while an IPv6 address has 128 bits.

L

Local Area Network A network intended to serve a small geographic area (a few square kilometers or less), a single office or building, or a small defined group of users. It features high speed and few errors. Ethernet, FDDI and Token Ring are three technologies implemented in LANs.

M

MAC address A link layer address or physical address. It is six bytes long.

MTU The maximum size of packets that an interface can process. It is measured in bytes.

N

Neighbor Discovery A process to discover neighboring nodes.

P

Ping To test the reachability of a device in the network through ICMP Echo messages.

Policy-based Routing A routing mechanism based on user-defined policies. It can implement secure communication and load balancing.

PPP A serial point-to-point link used for special transmission between two devices.

R

Router A device running on the network layer. After receiving a packet, the device searches the routing table for a proper route and sends the packet to the next hop. The last hop device sends the packet to the host directly.

T

Telnet An application layer protocol based on TCP/IP. It implements remote login and virtual terminal. It

Time Range A special time period.

Traffic A group of packets sent from the source to the destination and matching certain classification.

Tunnel In VPN, it is a transport tunnel set up between two entities to prevent interior users from interrupting and ensure security.

U

Unicast To send packets to one destination network.

V

VPN Virtual Private Network (VPN). It implements an apparent single private network (as seen by the user), over a number of separate public and private networks. Virtual indicates that this kind of network is a logical network.

NE5000E Versatile Routing Platform. It is a versatile operating system platform developed by Huawei.

W

Wide Area Network A network that covers a large geographic area, such as a country or a state. Devices in this network are connected through certain protocols or physical links.

X

X.25 A data link layer protocol. It defines the communication in the Public Data Network (PDN) between a host and a remote terminal.

B Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

A

AAA Authentication, Authorization and Accounting

ACK Acknowledgement

ASCII American Standard Code for Information Interchange

ATM Asynchronous Transfer Mode

B

BGP Border Gateway Protocol

C

CIDR Classless Inter-Domain Routing

D

DHCP Dynamic Host Configuration Protocol

DLCI Data Link Control Identifier

DNS Domain Name System

DOS Denial of Service

DAD Duplicate Address Detect

E

EBGP External BGP

F

FEC Forward Error Correction

FIB Forward Information Base

G

GRE Generic Routing Encapsulation

H

HDLC High level Data Link Control

HTTP Hyper Text Transport Protocol

I

IBGP Internal BGP

ICMP Internet Control Message Protocol

IEEE Institute of Electrical and Electronics Engineers

IETF Internet Engineering Task Force

IGP Interior Gateway Protocol

IP Internet Protocol

IPoEoA IP over Ethernet over AAL5

IPSec Internet Protocol SECurity extensions

IS-IS Intermediate System-Intermediate System

ISP Internet Service Provider

L

LDP Label Distribution Protocol

LSP Label Switch Path

M

MAC Medium Access Control

MED Multi-Exit Discrimination

MPLS Multi-Protocol Label Switching

N

NAT Network Address Translation

NAT-PT Network Address Translation - Protocol Translation

NIC Network Information Center

O

OSPF Open Shortest Path First

P

PC Personal Computer

PE Provider Edge

POS Packet Over SDH/SONET

PPP Point-to-Point Protocol

PVC Permanent Virtual Circuit

Q

QoS Quality of Service

R

RIP Routing Information Protocol

RPR Resilient Packet Ring

S

SLIP Serial Line Internet Protocol

SNMP Simple Network Management Protocol

SVC Switched Virtual Channel

T

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

TOS Type of Service

TTL Time To Live

U

UDP User Datagram Protocol

URPF Unicast Reverse Path Forwarding

V

VLAN Virtual Local Area Network

VPN Virtual Private Network

NE5000E Versatile Routing Platform

VRRP Virtual Router Redundancy Protocol

VT Virtual-Template

W

WINS Windows Internet Name Service

WWW World Wide Web
