Configuration Guide - IP Services(V600R003C00_01)

HUAWEI CX600 Metro Services PlatformV600R003C00

Configuration Guide - IP Services

Issue 01

Date 2011-05-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 01 (2011-05-30) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

http://www.huawei.com

mailto:[email protected]

About This Document

PurposeThis document describes multiple IP services supported by the CX600. It discusses basicconfigurations of IP addresses, ARP, DNS, COPS, ANCP, IP performance, ACL, IPv6, ACL6,IPv6 over IPv4 tunnels, and IPv4 over IPv6 tunnels.

NOTE

l This document takes interface numbers and link types of the CX600-X8 as an example. In workingsituations, the actual interface numbers and link types may be different from those used in thisdocument.

l On CX600 series excluding CX600-X1 and CX600-X2, line processing boards are called LineProcessing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). Onthe CX600-X1 and CX600-X2, there are no LPUs and SFUs, and NPUs implement the same functionsof LPUs and SFUs to exchange and forward packets.

Intended AudienceThis document is intended for:

l Commissioning Engineer

l Data Configuration Engineer

l Network Monitoring Engineer

l System Maintenance Engineer

Symbol ConventionsThe symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk that, ifnot avoided, will result in death or serious injury.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services About This Document


iii

Symbol Description

Indicates a hazard with a medium or low level of riskwhich, if not avoided, could result in minor ormoderate injury.

Indicates a potentially hazardous situation that, ifnot avoided, could cause device damage, data loss,and performance degradation, or unexpected results.

Indicates a tip that may help you solve a problem orsave your time.

Provides additional information to emphasize orsupplement important points of the main text.

Change HistoryChanges between document issues are cumulative. The latest document issue contains all thechanges made in earlier issues.

Changes in Issue 01 (2011-05-16)Initial commercial release.

About This DocumentHUAWEI CX600 Metro Services Platform


iv Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

Contents

About This Document...................................................................................................................iii

1 IP Addresses Configuration.....................................................................................................1-11.1 IP Addresses Overview...................................................................................................................................1-2

1.1.1 Introduction to IP Addresses..................................................................................................................1-21.1.2 Features of IP Addresses Supported by the CX600...............................................................................1-2

1.2 Configuring IP Addresses for Interfaces.........................................................................................................1-31.2.1 Establishing the Configuration Task......................................................................................................1-31.2.2 Configuring a Primary IP Address for an Interface...............................................................................1-41.2.3 (Optional) Configuring a Secondary IP Address for an Interface..........................................................1-51.2.4 Checking the Configuration...................................................................................................................1-5

1.3 Configuring IP Address Negotiation on Interfaces.........................................................................................1-61.3.1 Establishing the Configuration Task......................................................................................................1-61.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation.................................1-71.3.3 Configuring a Client to Obtain an IP Address Through Negotiation.....................................................1-81.3.4 Checking the Configuration...................................................................................................................1-9

1.4 Configuring IP Address Unnumbered for Interfaces....................................................................................1-101.4.1 Establishing the Configuration Task....................................................................................................1-111.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address................................1-121.4.3 Configuring an Interface That Borrows an IP Address from Another Interface..................................1-121.4.4 Checking the Configuration.................................................................................................................1-13

1.5 Maintaining IP Addresses.............................................................................................................................1-141.5.1 Monitoring Network Operation Status of IP Addresses.......................................................................1-14

1.6 Configuration Examples................................................................................................................................1-141.6.1 Example for Configuring Primary and Secondary IP Addresses.........................................................1-151.6.2 Example for Obtaining an IP Address Through Negotiation...............................................................1-161.6.3 Example for Configuring IP Address Unnumbered.............................................................................1-191.6.4 Example for Configuring IP Address Overlapping on the Same Device.............................................1-211.6.5 Example for Configuring an IP Address with a 31-bit Mask...............................................................1-26

2 ARP Configuration....................................................................................................................2-12.1 Introduction to ARP........................................................................................................................................2-3

2.1.1 Overview of ARP...................................................................................................................................2-32.1.2 Features of ARP Supported by the CX600............................................................................................2-3

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services Contents


v

2.2 Configuring Static ARP..................................................................................................................................2-62.2.1 Establishing the Configuration Task......................................................................................................2-62.2.2 Configuring Common Static ARP Entries.............................................................................................2-72.2.3 Configuring Static ARP Entries in a VLAN..........................................................................................2-72.2.4 Configuring Static ARP Entries in a VPN Instance...............................................................................2-82.2.5 Checking the Configuration...................................................................................................................2-9

2.3 Optimizing Dynamic ARP............................................................................................................................2-102.3.1 Establishing the Configuration Task....................................................................................................2-112.3.2 Modify the aging parameters of dynamic ARP....................................................................................2-112.3.3 Enabling ARP Suppression Function...................................................................................................2-122.3.4 Enabling Layer 2 Topology Detection Function..................................................................................2-122.3.5 Enabling ARP Check...........................................................................................................................2-132.3.6 Checking the Configuration.................................................................................................................2-14

2.4 Configuring Routed Proxy ARP...................................................................................................................2-152.4.1 Establishing the Configuration Task....................................................................................................2-152.4.2 Configure an IP Addresses for the Interface........................................................................................2-162.4.3 Enabling the Routed Proxy ARP Function..........................................................................................2-162.4.4 Checking the Configuration.................................................................................................................2-17

2.5 Configuring Proxy ARP Within a VLAN.....................................................................................................2-182.5.1 Establishing the Configuration Task....................................................................................................2-182.5.2 Configure an IP Addresses for the Interface........................................................................................2-192.5.3 Configuring the VLAN Associated with the Sub-interface.................................................................2-202.5.4 Enabling Proxy ARP Within a VLAN.................................................................................................2-202.5.5 Checking the Configuration.................................................................................................................2-21

2.6 Configuring Proxy ARP Between VLANs...................................................................................................2-222.6.1 Establishing the Configuration Task....................................................................................................2-222.6.2 Configuring an IP Addresses for the Interface.....................................................................................2-232.6.3 Configuring the VLAN Associated with the Sub-interface.................................................................2-242.6.4 Enabling Proxy ARP Between VLANs...............................................................................................2-242.6.5 Checking the Configuration.................................................................................................................2-25

2.7 Configuring ARP-Ping IP.............................................................................................................................2-262.7.1 Establishing the Configuration Task....................................................................................................2-262.7.2 Detecting the IP Address by Using the arp-ping ip Command............................................................2-27

2.8 Configuring ARP-Ping MAC........................................................................................................................2-272.8.1 Establishing the Configuration Task....................................................................................................2-282.8.2 Detecting the MAC Address by Using the arp-ping mac Command...................................................2-28

2.9 Configuring the Association Between ARP and Interface Status.................................................................2-292.9.1 Establishing the Configuration Task....................................................................................................2-292.9.2 Configuring the Association Between ARP and Interface Status........................................................2-302.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status..............2-31

2.10 Maintaining ARP.........................................................................................................................................2-322.10.1 Clearing ARP Entries.........................................................................................................................2-32

ContentsHUAWEI CX600 Metro Services Platform


vi Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

2.10.2 Monitoring Network Operation Status of ARP..................................................................................2-322.11 Configuration Examples..............................................................................................................................2-33

2.11.1 Example for Configuring Routed Proxy ARP....................................................................................2-332.11.2 Example for Configuring Proxy ARP Within a VLAN.....................................................................2-362.11.3 Example for Configuring Proxy ARP Between VLANs...................................................................2-382.11.4 Example for Configuring the Association Between ARP and Interface Status.................................2-392.11.5 Example for Configuring Layer 2 Topology Detection.....................................................................2-44

3 DNS Configuration....................................................................................................................3-13.1 DNS Overview................................................................................................................................................3-2

3.1.1 Introduction to DNS...............................................................................................................................3-23.1.2 DNS Supported by the CX600...............................................................................................................3-2

3.2 Configuring DNS............................................................................................................................................3-23.2.1 Establishing the Configuration Task......................................................................................................3-33.2.2 Configuring Static DNS Entries.............................................................................................................3-33.2.3 Configuring Dynamic DNS....................................................................................................................3-43.2.4 Checking the Configuration...................................................................................................................3-5

3.3 Maintaining DNS............................................................................................................................................3-63.3.1 Clearing DNS Entries.............................................................................................................................3-63.3.2 Monitoring Network Operation Status of DNS......................................................................................3-6

3.4 Configuration Examples..................................................................................................................................3-73.4.1 Example for Configuring DNS..............................................................................................................3-7

4 COPS Configuration..................................................................................................................4-14.1 COPS Overview..............................................................................................................................................4-2

4.1.1 Introduction to COPS.............................................................................................................................4-24.1.2 COPS Features Supported by the CX600..............................................................................................4-3

4.2 Configuring the COPS Server Group..............................................................................................................4-44.2.1 Establishing the Configuration Task......................................................................................................4-54.2.2 Configuring the Global Parameters of COPS........................................................................................4-64.2.3 Creating a COPS Server Group..............................................................................................................4-74.2.4 Configuring the COPS Server................................................................................................................4-74.2.5 Setting the PEP ID for the COPS Server................................................................................................4-84.2.6 (Optional) Setting the Flow Keeping Time of the COPS Server...........................................................4-84.2.7 (Optional) Setting the Shared Key of the COPS Server.........................................................................4-94.2.8 Activating the COPS Server Group.......................................................................................................4-94.2.9 Checking the Configuration.................................................................................................................4-10

4.3 Configuration Examples................................................................................................................................4-114.3.1 Example for Configuring COPS Interfaces to Report Online and Offline Messages..........................4-11

5 ANCP Configuration.................................................................................................................5-15.1 ANCP Overview.............................................................................................................................................5-2

5.1.1 Introduction to the ANCP Protocol........................................................................................................5-25.1.2 Applicable Environment........................................................................................................................5-3



vii

5.2 Configuring the ANCP Server........................................................................................................................5-55.2.1 Establishing the Configuration Task......................................................................................................5-65.2.2 Enabling ANCP......................................................................................................................................5-75.2.3 Configuring the Source Interface of an ANCP Connection...................................................................5-85.2.4 (Optional) Configuring Parameters of ANCP Sessions.........................................................................5-85.2.5 Configuring ANCP Neighbor Profiles...................................................................................................5-95.2.6 (Optional) Configuring Bandwidth Adjustment Factors......................................................................5-105.2.7 (Optional) Configuring ANCP Message Damping..............................................................................5-115.2.8 (Optional) Configuring ANCP OAM Detection..................................................................................5-125.2.9 (Optional) Adjusting the Upstream and Downstream Bandwidths of a User Automatically..............5-125.2.10 Checking the Configuration...............................................................................................................5-13

5.3 Configuring the ANCP Proxy.......................................................................................................................5-155.3.1 Establishing the Configuration Task....................................................................................................5-155.3.2 Enabling ANCP....................................................................................................................................5-165.3.3 Configuring the Source Interface of an ANCP Connection.................................................................5-175.3.4 (Optional) Configuring Parameters of ANCP Sessions.......................................................................5-175.3.5 Configuring the ANCP Neighbor Profile.............................................................................................5-185.3.6 (Optional) Configuring Bandwidth Adjustment Factors......................................................................5-195.3.7 (Optional) Enabling the Function of Configuring ANCP Access Lines..............................................5-205.3.8 (Optional) Configuring ANCP Message Damping..............................................................................5-215.3.9 (Optional) Configuring ANCP OAM Detection..................................................................................5-225.3.10 Checking the Configuration...............................................................................................................5-23

5.4 Configuring the Association Between ANCP and HQoS in the ANCP Proxy Scenario..............................5-245.4.1 Establishing the Configuration Task....................................................................................................5-255.4.2 Configuring the Mode of the Association Between ANCP and HQoS................................................5-265.4.3 Configuring the QoS Profile and Scheduling Parameters....................................................................5-275.4.4 Configuring the BRAS to Deliver the QoS Policy Name....................................................................5-285.4.5 Applying the QoS Profile to the Interface............................................................................................5-285.4.6 Enabling ANCP on the Interface and Associating the Interface with the ANCP Neighbor Profile.......................................................................................................................................................................5-295.4.7 Checking the Configuration.................................................................................................................5-29

5.5 Maintaining ANCP........................................................................................................................................5-315.5.1 Clearing ANCP Running Information..................................................................................................5-31

5.6 Configuration Examples................................................................................................................................5-315.6.1 Example for Configuring the ANCP Server........................................................................................5-325.6.2 Configuring CX device as the ANCP Proxy and Configuring ANCP-HQoS Association..................5-35

6 IP Performance Configuration.................................................................................................6-16.1 IP Performance Overview...............................................................................................................................6-2

6.1.1 Introduction to IP Performance..............................................................................................................6-26.1.2 IP Performance Supported by the CX600..............................................................................................6-2

6.2 Improving IP Performance..............................................................................................................................6-36.2.1 Establishing the Configuration Task......................................................................................................6-4



viii Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

6.2.2 Configuring the Maximum Transmission Unit of the Interface.............................................................6-46.2.3 Configuring ICMP Attributes.................................................................................................................6-56.2.4 Checking the Configuration...................................................................................................................6-6

6.3 Configuring TCP.............................................................................................................................................6-86.3.1 Establishing the Configuration Task......................................................................................................6-86.3.2 Configuring TCP Timer.........................................................................................................................6-86.3.3 Specifying the Size of a TCP Sliding Window......................................................................................6-96.3.4 Checking the Configuration...................................................................................................................6-9

6.4 Configuring Load Balancing for IP Packet Forwarding...............................................................................6-106.4.1 Establishing the Configuration Task....................................................................................................6-116.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding........................................................6-126.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding.............................6-136.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding................................6-146.4.5 Checking the Configuration.................................................................................................................6-14

6.5 Maintaining IP Performance.........................................................................................................................6-156.5.1 Clearing IP Performance Statistics.......................................................................................................6-156.5.2 Monitoring Network Operation Status of IP Performance...................................................................6-16

6.6 Configuration Examples................................................................................................................................6-176.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets..........................................6-176.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding........6-206.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding..............6-25

7 ACL Configuration....................................................................................................................7-17.1 ACL Overview................................................................................................................................................7-2

7.1.1 Introduction to ACL...............................................................................................................................7-27.1.2 ACL Supported by the CX600...............................................................................................................7-2

7.2 Configuring an Interface-based ACL..............................................................................................................7-37.2.1 Establishing the Configuration Task......................................................................................................7-37.2.2 (Optional) Creating a Time Range.........................................................................................................7-47.2.3 Creating an Interface-based ACL...........................................................................................................7-47.2.4 (Optional) Configuring ACL Descriptions............................................................................................ 7-57.2.5 (Optional) Configuring ACL Step..........................................................................................................7-57.2.6 Checking the Configuration...................................................................................................................7-6

7.3 Configuring a Basic ACL................................................................................................................................7-67.3.1 Establishing the Configuration Task......................................................................................................7-77.3.2 (Optional) Creating a Time Range.........................................................................................................7-77.3.3 Creating a Basic ACL............................................................................................................................ 7-87.3.4 (Optional) Configuring ACL Descriptions............................................................................................ 7-87.3.5 (Optional) Configuring ACL Step..........................................................................................................7-97.3.6 Checking the Configuration...................................................................................................................7-9

7.4 Configuring an Advanced ACL....................................................................................................................7-107.4.1 Establishing the Configuration Task....................................................................................................7-117.4.2 (Optional) Creating a Time Range.......................................................................................................7-11



ix

7.4.3 Creating an Advanced ACL.................................................................................................................7-127.4.4 (Optional) Configuring ACL Descriptions..........................................................................................7-137.4.5 (Optional) Configuring ACL Step........................................................................................................7-137.4.6 Checking the Configuration.................................................................................................................7-14

7.5 Configuring an ACL Based on the Ethernet Frame Header..........................................................................7-157.5.1 Establishing the Configuration Task....................................................................................................7-157.5.2 Creating an ACL Based on the Ethernet Frame Header......................................................................7-157.5.3 (Optional) Configuring ACL Descriptions..........................................................................................7-167.5.4 (Optional) Configuring ACL Step........................................................................................................7-167.5.5 Checking the Configuration.................................................................................................................7-17

7.6 Configuring an UCL......................................................................................................................................7-187.6.1 Establishing the Configuration Task....................................................................................................7-187.6.2 (Optional) Creating a Time Range.......................................................................................................7-187.6.3 Creating an UCL..................................................................................................................................7-197.6.4 (Optional) Configuring ACL Descriptions..........................................................................................7-207.6.5 (Optional) Configuring ACL Step........................................................................................................7-217.6.6 Checking the Configuration.................................................................................................................7-21

7.7 Configuring a Named ACL...........................................................................................................................7-227.7.1 Establishing the Configuration Task....................................................................................................7-227.7.2 (Optional) Creating a Time Range.......................................................................................................7-237.7.3 Creating a Named ACL........................................................................................................................7-237.7.4 (Optional) Configuring named ACL Descriptions...............................................................................7-247.7.5 (Optional) Configuring named ACL Step............................................................................................7-257.7.6 Checking the Configuration.................................................................................................................7-25

7.8 Configuring a MPLS-based ACL..................................................................................................................7-267.8.1 Establishing the Configuration Task....................................................................................................7-267.8.2 Creating a MPLS-based ACL..............................................................................................................7-277.8.3 Configuring Rules for a MPLS-based ACL.........................................................................................7-277.8.4 Checking the Configuration.................................................................................................................7-28

7.9 Configuration Examples................................................................................................................................7-287.9.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification.........................7-287.9.2 Example for Configuring the Security Function of Access Devices....................................................7-377.9.3 Example for Configuring an ACL Rule that Is Based on the VPN Instance.......................................7-39

8 Basic IPv6 Configuration..........................................................................................................8-18.1 Basic IPv6 Overview.......................................................................................................................................8-3

8.1.1 Introduction to IPv6...............................................................................................................................8-38.1.2 IPv6 Supported by the CX600...............................................................................................................8-3

8.2 Configuring an IPv6 Address for an Interface................................................................................................8-58.2.1 Establishing the Configuration Task......................................................................................................8-58.2.2 Enabling IPv6 Packet Forwarding Capability........................................................................................8-78.2.3 Configuring an IPv6 Link-Local Address for an Interface....................................................................8-88.2.4 Configuring an IPv6 Global Unicast Address for an Interface..............................................................8-8



x Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

8.2.5 Configuring an IPv6 Anycast Address for an Interface.........................................................................8-98.2.6 Checking the Configuration.................................................................................................................8-10

8.3 Configuring an IPv6 Address Selection Policy Table...................................................................................8-118.4 Configuring IPv6 Neighbor Discovery.........................................................................................................8-13

8.4.1 Establishing the Configuration Task....................................................................................................8-138.4.2 Configuring Static Neighbors...............................................................................................................8-148.4.3 Enabling RA Message Advertising......................................................................................................8-158.4.4 Setting the Interval for Advertising RA Messages...............................................................................8-158.4.5 Enabling Stateful Auto Configuration..................................................................................................8-168.4.6 Configuring the Address Prefixes to Be Advertised............................................................................8-178.4.7 Configuring Other Information to Be Advertised................................................................................8-178.4.8 Configuring the Default Router Priority and Route Information.........................................................8-198.4.9 (Optional) Configuring Routed Proxy ND...........................................................................................8-198.4.10 Checking the Configuration...............................................................................................................8-20

8.5 Configuring IPv6 SEND...............................................................................................................................8-218.5.1 Establishing the Configuration Task....................................................................................................8-228.5.2 Configuring a CGA IPv6 Address.......................................................................................................8-238.5.3 Configuring Strict IPv6 SEND.............................................................................................................8-248.5.4 Checking the Configuration.................................................................................................................8-25

8.6 Configuring PMTU.......................................................................................................................................8-268.6.1 Establishing the Configuration Task....................................................................................................8-268.6.2 Creating Static PMTU Entries..............................................................................................................8-278.6.3 Configuring PMTU Aging Time..........................................................................................................8-278.6.4 Checking the Configuration.................................................................................................................8-28

8.7 Configuring TCP6.........................................................................................................................................8-298.7.1 Establishing the Configuration Task....................................................................................................8-298.7.2 Configuring TCP6 Timers....................................................................................................................8-308.7.3 Configuring the Size of the TCP6 Sliding Window.............................................................................8-308.7.4 Checking the Configuration.................................................................................................................8-30

8.8 Maintaining IPv6...........................................................................................................................................8-328.8.1 Resetting IPv6......................................................................................................................................8-328.8.2 Monitoring Network Operation Status of IPv6....................................................................................8-33

8.9 Configuration Examples................................................................................................................................8-348.9.1 Example for Configuring an IPv6 Address for an Interface................................................................8-348.9.2 Example for Configuring IPv6 Neighbor Discovery...........................................................................8-378.9.3 Example for Configuring IPv6 Address Selection Policy Table..........................................................8-408.9.4 Example for Configuring IPv6 SEND.................................................................................................8-438.9.5 Example for Configuring Default Router Priority and Route Information..........................................8-47

9 IPv6 DNS Configuration..........................................................................................................9-19.1 IPv6 DNS Overview........................................................................................................................................9-2

9.1.1 Introduction to IPv6 DNS...................................................................................................................... 9-29.1.2 IPv6 DNS Supported by the CX600...................................................................................................... 9-2



xi

9.2 Configuring IPv6 DNS....................................................................................................................................9-29.2.1 Establishing the Configuration Task......................................................................................................9-39.2.2 Configuring a Static IPv6 DNS Entry....................................................................................................9-39.2.3 Configuring the Dynamic IPv6 DNS Services.......................................................................................9-49.2.4 Checking the Configuration...................................................................................................................9-5

9.3 Maintaining IPv6 DNS....................................................................................................................................9-69.3.1 Clearing IPv6 DNS Entries....................................................................................................................9-69.3.2 Monitoring Network Operation Status of IPv6 DNS.............................................................................9-6

9.4 Configuration Examples..................................................................................................................................9-79.4.1 Example for Configuring IPv6 DNS......................................................................................................9-7

10 ACL6 Configuration.............................................................................................................. 10-110.1 ACL6 Overview..........................................................................................................................................10-2

10.1.1 Introduction to ACL6.........................................................................................................................10-210.1.2 ACL6 Supported by the CX600.........................................................................................................10-2

10.2 Configuring an Interfaced-based ACL6......................................................................................................10-210.2.1 Establishing the Configuration Task..................................................................................................10-310.2.2 (Optional) Configuring the Valid Time Range of ACL6...................................................................10-310.2.3 Creating an Interfaced-based ACL6...................................................................................................10-410.2.4 Checking the Configuration...............................................................................................................10-4

10.3 Configuring a Basic ACL6..........................................................................................................................10-510.3.1 Establishing the Configuration Task..................................................................................................10-510.3.2 (Optional) Configuring the Valid Time Range of ACL6...................................................................10-610.3.3 Creating a Basic ACL6......................................................................................................................10-610.3.4 Checking the Configuration...............................................................................................................10-7

10.4 Configuring an Advanced ACL6................................................................................................................10-710.4.1 Establishing the Configuration Task..................................................................................................10-810.4.2 (Optional) Configuring the Valid Time Range of ACL6...................................................................10-910.4.3 Creating an Advanced ACL6.............................................................................................................10-910.4.4 Checking the Configuration.............................................................................................................10-10

10.5 Configuring a Named ACL6.....................................................................................................................10-1110.5.1 Establishing the Configuration Task................................................................................................10-1110.5.2 (Optional) Configuring the Valid Time Range of ACL6.................................................................10-1210.5.3 Creating a Named ACL6..................................................................................................................10-1210.5.4 Checking the Configuration.............................................................................................................10-13

10.6 Maintaining ACL6....................................................................................................................................10-1410.6.1 Clearing ACL6 Statistics..................................................................................................................10-1510.6.2 Monitoring Network Operation Status of ACL6..............................................................................10-15

10.7 Configuration Examples............................................................................................................................10-1510.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets..............................................................10-16

11 IPv6 over IPv4 Tunnel Configuration................................................................................11-111.1 IPv6 over IPv4 Tunnel Overview................................................................................................................11-2

11.1.1 Introduction to IPv6 over IPv4...........................................................................................................11-2



xii Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

11.1.2 IPv6 over IPv4 Supported by the CX600...........................................................................................11-211.2 Configuring IPv4/IPv6 Dual Stacks............................................................................................................11-8

11.2.1 Establishing the Configuration Task..................................................................................................11-811.2.2 Enabling IPv6 Packet Forwarding......................................................................................................11-911.2.3 Configuring IPv4 and IPv6 Addresses for the Interface..................................................................11-10

11.3 Configuring an IPv6 over IPv4 Tunnel.....................................................................................................11-1111.3.1 Establishing the Configuration Task................................................................................................11-1211.3.2 Configuring an IPv6 over IPv4 Manual Tunnel...............................................................................11-1211.3.3 Configuring an IPV6 over IPv4 GRE Tunnel..................................................................................11-1411.3.4 Configuring an IPv6 over IPv4 Automatic Tunnel..........................................................................11-1511.3.5 Configuring a 6to4 Tunnel...............................................................................................................11-1611.3.6 Configuring an ISATAP Tunnel......................................................................................................11-1711.3.7 Configuring Routes in the Tunnel....................................................................................................11-1811.3.8 Checking the Configuration.............................................................................................................11-19

11.4 Configuring 6PE........................................................................................................................................11-2011.4.1 Establishing the Configuration Task................................................................................................11-2011.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks..................................................................................11-2111.4.3 Configuring MPLS...........................................................................................................................11-2211.4.4 Enabling 6PE Peer............................................................................................................................11-23

11.5 Maintaining IPv6 over IPv4 Tunnels........................................................................................................11-2311.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel..............................................................11-24

11.6 Configuration Examples............................................................................................................................11-2411.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel..........................................................11-2411.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel..............................................................11-2811.6.3 Example for Configuring an IPv6 over IPv4 Automatic Tunnel.....................................................11-3211.6.4 Example for Configuring a 6to4 Tunnel..........................................................................................11-3611.6.5 Example for Configuring 6to4 Relay...............................................................................................11-3911.6.6 Example for Configuring an ISATAP Tunnel.................................................................................11-4211.6.7 Example for Configuring 6PE..........................................................................................................11-45

12 IPv4 over IPv6 Tunnel Configuration................................................................................12-112.1 IPv4 over IPv6 Tunnel Overview................................................................................................................12-2

12.1.1 Introduction to IPv4 over IPv6...........................................................................................................12-212.1.2 IPv4 over IPv6 Supported by the CX600...........................................................................................12-2

12.2 Configuring an IPv4 over IPv6 Tunnel.......................................................................................................12-312.2.1 Establishing the Configuration Task..................................................................................................12-312.2.2 Configuring a Tunnel Interface..........................................................................................................12-412.2.3 Configuring Routes in the Tunnel......................................................................................................12-512.2.4 Configuring Other Items for an IPv4 over IPv6 Tunnel....................................................................12-512.2.5 Checking the Configuration...............................................................................................................12-6

12.3 Maintaining IPv4 over IPv6 Tunnels..........................................................................................................12-812.3.1 Monitoring the Operation Status of IPv4 over IPv6 Tunnel..............................................................12-8

12.4 Configuration Examples..............................................................................................................................12-8



xiii

12.4.1 Example for Configuring an IPv4 over IPv6 Tunnel.........................................................................12-8

A Glossary.....................................................................................................................................A-1

B Acronyms and Abbreviations.................................................................................................B-1



xiv Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

Figures

Figure 1-1 Configuring primary and secondary IP addresses for an interface...................................................1-15Figure 1-2 Networking diagram of allocating IP address through negotiation..................................................1-17Figure 1-3 Networking diagram of an IP address unnumbered configuration...................................................1-19Figure 1-4 Networking diagram of configuring IP address overlapping on the same device............................1-22Figure 1-5 Networking diagram of configuring an IP address with a 31-bit mask............................................1-26Figure 2-1 Implementation procedure of ARP-Ping IP........................................................................................2-4Figure 2-2 Implementation procedure of ARP-Ping MAC..................................................................................2-5Figure 2-3 Schematic diagram of transmission device existing between devices..............................................2-30Figure 2-4 Networking diagram of configuring proxy ARP..............................................................................2-34Figure 2-5 Networking diagram of configuring proxy ARP in a VLAN...........................................................2-36Figure 2-6 Networking diagram of configuring proxy ARP between VLANs..................................................2-38Figure 2-7 Networking diagram of configuring the association between ARP and interface status.................2-40Figure 2-8 Networking diagram of configuring Layer 2 topology detection.....................................................2-44Figure 3-1 Networking diagram of DNS..............................................................................................................3-7Figure 4-1 Typical networking diagram of COPS configuration.......................................................................4-11Figure 5-1 Networking diagram of configuring an ANCP server........................................................................5-3Figure 5-2 Networking diagram of configuring an ANCP proxy........................................................................5-5Figure 5-3 Networking diagram of configuring the ANCP server.....................................................................5-33Figure 5-4 Networking diagram of configuring CX device as the ANCP proxy and configuring ANCP-HQoSassociation...........................................................................................................................................................5-36Figure 6-1 Networking diagram of configuring ICMP host unreachable packets.............................................6-18Figure 6-2 Networking diagram of configuring UCMP.....................................................................................6-20Figure 6-3 Networking diagram of configuring unequal-cost load balancing...................................................6-26Figure 7-1 Diagram for configuring a traffic policy based on complex traffic classification............................7-29Figure 7-2 Networking of configuring the security function of access devices.................................................7-37Figure 7-3 Typical networking of configuring an ACL rule..............................................................................7-40Figure 8-1 Networking diagram of configuring an IPv6 address for an interface.............................................8-35Figure 8-2 Example for configuring IPv6 neighbor discovery..........................................................................8-38Figure 8-3 Networking diagram for configuring an IPv6 address selection policy table..................................8-40Figure 8-4 Networking diagram for configuring IPv6 SEND............................................................................8-43Figure 8-5 Networking of Configuring Default Router Priorities and Route Information................................8-47Figure 9-1 DNS server connecting IPv4 and IPv6 networks...............................................................................9-4Figure 9-2 Networking diagram of IPv6 DNS configurations.............................................................................9-8Figure 10-1 Networking diagram of configuring an ACL6 to filter IPv6 packets...........................................10-16

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services Figures


xv

Figure 11-1 Single stack and dual stack structures (Ethernet)...........................................................................11-2Figure 11-2 Schematic diagram of IPv6 over IPv4 tunnel.................................................................................11-3Figure 11-3 6to4 tunnel and 6to4 relay..............................................................................................................11-5Figure 11-4 ISATAP tunnel...............................................................................................................................11-7Figure 11-5 Networking diagram of 6PE...........................................................................................................11-8Figure 11-6 Networking diagram of the IPv6 over IPv4 manual tunnel..........................................................11-25Figure 11-7 Networking diagram of the IPv6 over IPv4 GRE tunnel..............................................................11-28Figure 11-8 Networking diagram of the IPv6 over IPv4 automatic tunnel......................................................11-33Figure 11-9 Networking diagram of the 6to4 tunnel........................................................................................11-36Figure 11-10 Networking diagram of accessing the IPv6 network through 6to4 relay...................................11-40Figure 11-11 Networking diagram of the ISATAP tunnel...............................................................................11-43Figure 11-12 Networking diagram of 6PE.......................................................................................................11-46Figure 12-1 Networking diagram of an IPv4 over IPv6 tunnel..........................................................................12-2Figure 12-2 Networking diagram of an IPv4 over IPv6 tunnel..........................................................................12-9

FiguresHUAWEI CX600 Metro Services Platform


xvi Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

1 IP Addresses Configuration

About This Chapter

By assigning IP addresses to network devices, you can enable data communications betweenthe network devices.

1.1 IP Addresses OverviewAn IP address is also called a logical address. The IP address of a network device on the Internetis the unique identifier of the network device.

1.2 Configuring IP Addresses for InterfacesAssigning an IP address to a device on a network enables the device to communicate with theother devices on the network.

1.3 Configuring IP Address Negotiation on InterfacesIf users access the network in the Point-to-Point Protocol (PPP) mode, the server can assign IPaddresses to the clients through the address negotiation function of PPP.

1.4 Configuring IP Address Unnumbered for InterfacesIP address unnumbered refers to the situation that an interface that is not assigned an IP addressobtains an IP address by borrowing an IP address from another interface.

1.5 Maintaining IP AddressesMaintaining an IP address involves monitoring the operation of this IP address.

1.6 Configuration ExamplesThis section includes the networking requirements, precautions for configuration, andconfiguration roadmap.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 1 IP Addresses Configuration


1-1

1.1 IP Addresses OverviewAn IP address is also called a logical address. The IP address of a network device on the Internetis the unique identifier of the network device.

1.1.1 Introduction to IP AddressesIP is the core of the TCP/IP protocol suite. The packets of the Transmission Control Protocol(TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and InternetGroup Membership Protocol (IGMP) are all transmitted in the format of IP datagrams. Deviceson different networks communicate with each other using their network layer addresses, namelyIP addresses.

1.1.2 Features of IP Addresses Supported by the CX600IP addresses can be obtained through static manual configuration, auto-negotiation, orborrowing.

1.1.1 Introduction to IP AddressesIP is the core of the TCP/IP protocol suite. The packets of the Transmission Control Protocol(TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and InternetGroup Membership Protocol (IGMP) are all transmitted in the format of IP datagrams. Deviceson different networks communicate with each other using their network layer addresses, namelyIP addresses.

To communicate with each other on Internet Protocol (IP) networks, each host must be assignedan IP address.

An IP address is a 32-bit number that is composed of two parts, namely, the network ID andhost ID.

The network ID identifies a network and the host ID identifies a host on the network. If thenetwork IDs of hosts are the same, it indicates that the hosts are on the same network regardlessof their physical locations.

1.1.2 Features of IP Addresses Supported by the CX600IP addresses can be obtained through static manual configuration, auto-negotiation, orborrowing.

The CX600 supports IP address configuration through the following methods:

l Manually configuring an IP address for an interface

l Obtaining an IP address through negotiation

l Borrowing an IP address from other interfaces

The CX600 supports the space overlapping of network segment addresses to save the addressspace.

l Different IP addresses in the overlapped network segments but not same can be configuredon different interfaces of the same device. For example, after an interface on a device isconfigured with the IP address 20.1.1.1/16, if another interface is configured with the IPaddress 20.1.1.2/24, the system prompts a message. However, the configuration is still

1 IP Addresses ConfigurationHUAWEI CX600 Metro Services Platform


1-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

successful; if another interface is configured with the IP address 20.1.1.2/16, the systemprompts an IP address conflict. The configuration fails.

l The primary IP address and the secondary IP address in the overlapped network segmentsbut not same can be configured on the same interface. For example, after the interface isconfigured with a primary IP address 20.1.1.1/24, if the secondary IP address is 20.1.1.2/16sub, the system prompts a message. However, the configuration is still successful.

l The primary IP address and the secondary IP address in the overlapped network segmentsbut not same can be configured on different interfaces of the same device. However, theprimary IP address and the secondary IP address cannot be the same. For example, after aninterface on a device is configured with the IP address 20.1.1.1/16, if another interface isconfigured with the IP address 20.1.1.2/24 sub, the system prompts a message. However,the configuration is still successful.

The CX600 supports 31-bit IP address masks. Therefore, there are only two IP addresses in anetwork segment, that is, the network address and broadcast address. The two IP addresses canbe used as host addresses.

You can assign the IP addresses with 31-bit masks to Point-to-Point (P2P), Point-to-Multipoint(P2MP), NBMA Address Resolution Protocol (NBMA),broadcast, and loopback interfaces. Fornon-P2P interfaces, if a 31-bit mask is configured, the system prompts acknowledgementinformation to protect P2MP orbroadcast links. For example, if an Ethernet interface on a deviceis assigned an IP address with a 31-bit mask, this device can access only the host in the directlyconnected subnet. It cannot access all hosts in the subnet. In the backbone network of a broadcastlink, if a P2P link exists, you can configure the IP addresses with 31-bit masks.

1.2 Configuring IP Addresses for InterfacesAssigning an IP address to a device on a network enables the device to communicate with theother devices on the network.

1.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for assigning an IP address to an interface.

1.2.2 Configuring a Primary IP Address for an InterfaceAn interface can have only one primary IP address.

1.2.3 (Optional) Configuring a Secondary IP Address for an InterfaceTo enable an interface to communicate with several networks with different network IDs, youneed to assign a secondary IP address to this interface.

1.2.4 Checking the ConfigurationYou can view the configuration of the IP address for an interface.

1.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for assigning an IP address to an interface.

Applicable EnvironmentTo start IP services on an interface, configure the IP address for the interface. You can assignseveral IP addresses to each interface. Among them, one is the primary IP address and the othersare secondary IP addresses.



1-3

Generally, you need to configure only a primary IP address for an interface. Secondary IPaddresses, however, are required in some cases. For instance, when a device connects to aphysical network through an interface, and computers on this network belong to two Class Cnetworks, you need to configure a primary IP address and a secondary IP address for this interfaceto ensure that the device can communication with all computers on this network.

Pre-configuration Tasks

Before configuring an IP addresses for an interface, complete the following tasks:

l Configuring the physical parameters for the interface and ensuring that the physical layerstatus of the interface is Up

l Configuring the link layer parameters for the interface and ensuring that the status of thelink layer protocol on the interface is Up

Data Preparation

To configure IP addresses for an interface, you need the following data.

No. Data

1 Interface number

2 Primary IP address and subnet mask of the interface

3 (Optional) Secondary IP address and subnet mask of the interface

1.2.2 Configuring a Primary IP Address for an InterfaceAn interface can have only one primary IP address.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:interface interface-type interface-number

The interface view is displayed.

Step 3 Run:ip address ip-address { mask | mask-length }

A primary IP address is configured.

An interface has only one primary IP address. If the interface already has a primary IP address,the newly configured primary IP address replaces the original one.

----End




Issue 01 (2011-05-30)

1.2.3 (Optional) Configuring a Secondary IP Address for anInterface

To enable an interface to communicate with several networks with different network IDs, youneed to assign a secondary IP address to this interface.

Procedure





Step 3 Run:ip address ip-address { mask | mask-length } sub

A secondary IP address is configured.

A secondary IP address with a 31-bit mask can be configured for an interface.

You can configure a maximum of 255 secondary IP addresses on an interface.

----End

1.2.4 Checking the ConfigurationYou can view the configuration of the IP address for an interface.

PrerequisiteThe configurations of the IP addresses for the interface are complete.

Procedurel Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command to

check the IP configuration on the interface.l Run the display interface [ interface-type [ interface-number ] ] command to check

interface information.

----End

ExampleRun the display ip interface command to check that the physical status and link protocol statusof the interface are Up.

<HUAWEI> display ip interface brief gigabitethernet 1/1/0*down: administratively down!down: FIB overload down(l): loopback(s): spoofingInterface IP Address/Mask Physical ProtocolGigabitEthernet1/1/0 172.16.13.2/24 up up



1-5

Run the display interface command to check information about the IP address and subnet maskof the interface.

<HUAWEI> display interface gigabitethernet 1/1/0GigabitEthernet1/1/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22, 19:33:19Description : GigabitEthernet1/1/0 InterfaceThe Maximum Transmit Unit is 1500 bytesInternet Address is 172.16.13.2/24Internet Address is 172.16.13.150/25 SubInternet Address is 172.16.13.200/28 SubIP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc08-2b73Media type is twisted pair, loopback not set, promiscuous mode not set100Mbps-speed mode, full-duplex mode, link type is autonegotiationCurrent system time: 2010-06-29 20:26:18 Last 300 seconds input rate 338 bits/sec, 0 packets/sec Last 300 seconds output rate 514 bits/sec, 0 packets/sec Input: 1065 packets, 1571513 bytes 0 broadcasts, 1065 multicasts 0 errors, 0 runts, 0 giants, 0 CRC, 0 collisions, 0 align errors, 0 other errors Output:2866 packets, 2708571 bytes 0 broadcasts, 2866 multicasts 0 errors, 0 underruns, 0 collisions 0 packets had been deferred

1.3 Configuring IP Address Negotiation on InterfacesIf users access the network in the Point-to-Point Protocol (PPP) mode, the server can assign IPaddresses to the clients through the address negotiation function of PPP.

ContextNOTE

IP Address Negotiation on Interfaces cannot be configured on the X1 and X2 models of the CX600.

1.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring IP address negotiation for an interface.

1.3.2 Configuring a Server to Assign an IP Address for a Client Through NegotiationAfter being assigned an IP address pool or an IP address, the server can assign IP addresses tothe clients.

1.3.3 Configuring a Client to Obtain an IP Address Through NegotiationAfter interface IP address negotiation is enabled on a client, the client can obtain an IP addressfrom the server.

1.3.4 Checking the ConfigurationYou can view the configuration of interface IP address negotiation.

1.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring IP address negotiation for an interface.




Issue 01 (2011-05-30)

Applicable EnvironmentWhen devices are connected through the PPP link, the client interface can obtains the IP addressfrom the server through PPP negotiation. This is usually applicable to the situation when theclient connects to the Internet Service Provider (ISP) to access the Internet through the PPP linksuch as dial-up. In this case, the ISP device assigns an IP address to the client through PPPnegotiation.

Pre-configuration TasksBefore configuring IP addresses for interfaces through PPP negotiation, complete the followingtasks:

l Configuring physical parameters of the interface and the link layer protocol PPP on theserver

l Configuring IP addresses for interfaces on the server and making the link layer protocolUp

l Configuring physical parameters on the interface and the link layer protocol PPP on theclient

Data PreparationTo configure IP addresses for interfaces through PPP negotiation, you need the following data.

No. Data

1 Number of the interface connecting the server to the client

2 ID of the address pool on the server or IP address assigned to the client

3 Range of IP addresses when an address pool is used

4 Number of the interface connecting the client to the server

1.3.2 Configuring a Server to Assign an IP Address for a ClientThrough Negotiation

After being assigned an IP address pool or an IP address, the server can assign IP addresses tothe clients.

Procedure



NOTE

If there is only one client, the address pool is unnecessary. In this case, skip Steps 2, 3, and 4, and do notuse the keyword pool in Step 6. Instead, directly assign the specified IP address to the client.

Step 2 (Optional) Run:



1-7

aaa

The AAA view is displayed.

Step 3 (Optional) Run:ip pool pool-number start-address [ end-address ]

The local IP address pool is configured.

Step 4 (Optional) Run:quit

Quit the AAA view.



Obtaining an IP address through negotiation is applied to only the interface encapsulated withPPP.

Step 6 Run:remote address { ip-address | pool [ pool-number ] }

An IP address is assigned to the client.

Step 7 Run:restart

The interface is restarted.

----End

Follow-up ProcedureDuring preceding configurations, the address pool can also be configured in the domain view.For details, see the HUAWEI CX600 Metro Services Platform Configuration Guide -Security.

l If the server authenticates the client, the address is selected from the address pool of thedomain that the client belongs to by default.

l If the server does not authenticate the client and needs to assign an IP address to the client,the address is selected from the system address pool.

The IP address or the address pool assigned to the peer must differ from the IP address of thelocal device.

1.3.3 Configuring a Client to Obtain an IP Address ThroughNegotiation

After interface IP address negotiation is enabled on a client, the client can obtain an IP addressfrom the server.

Procedure





Issue 01 (2011-05-30)




Obtaining an IP address through negotiation is applied to only the interface encapsulated withPPP.

Step 3 Run:ip address ppp-negotiate

The client is configured to obtain an IP address through negotiation.

----End

Follow-up Procedure

If an interface without an IP address supports PPP while the remote peer is configured with anIP address, enable IP address negotiation on the local interface. This enables the local interfaceto obtain an IP address that is generated through PPP negotiation and is assigned by the remotepeer.

When you configure to obtain an IP address through negotiation on the interface, note thefollowing:

l You can configure IP address negotiation on only the PPP-encapsulated interface. Whenthe status of the PPP protocol is Down, the IP address generated through negotiation isdeleted.

l After IP address negotiation is configured on the interface, the configuration of IP addressfor this interface is not needed any more. You can obtain a new IP address throughnegotiation, and the original IP address configured before the IP address negotiation isdeleted.

l You cannot configure a secondary IP address for the interface configured with IP addressnegotiation.

l If you re-configure negotiation on this interface, the IP address generated through theprevious negotiation is deleted and a new IP address is obtained.

l If the address generated through negotiation is deleted, the interface is in the non-addressstate.

1.3.4 Checking the ConfigurationYou can view the configuration of interface IP address negotiation.

PrerequisiteThe configurations of IP address negotiation on interfaces are complete.

Procedurel Run the display ip interface [ brief ] [ interface-type interface-number ] command to check

the IP configuration on the interface.



1-9

l Run the display interface [ interface-type [ interface-number ] ] command to checkinterface information.

----End

Example

Run the display ip interface command to check that the physical status and link protocol statusof the interface are Up.

<HUAWEI> display ip interface brief gigabitethernet 1/1/0*down: administratively down!down: FIB overload down(l): loopback(s): spoofingInterface IP Address/Mask Physical ProtocolGigabitEthernet1/1/0 192.168.1.10/24 up up

Run the display interface command to check information about the IP address and subnet maskof the interface.

<HUAWEI> display interface pos 1/0/0Pos1/0/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22 19:33:19Description : Pos1/0/0 InterfaceRoute Port,The Maximum Transmit Unit is 4470 bytes, Hold timer is 10(sec)Internet Address is 192.168.1.10/24Link layer protocol is PPPLCP opened, IPCP openedThe Vendor PN is FTRJ1321P1BTLPort BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleModeWaveLength: 1310nm, Transmission Distance: 5kmRx Power: -2.81dBm, Tx Power: -1.91dBm Physical layer is Packet Over SDHScramble enabled, clock master, CRC-32, loopback: noneFlag J0 "NetEngine "Flag J1 "NetEngine "Flag C2 22(0x16)Last physical up time : 2010-06-21 14:56:32Last physical down time : 2010-06-21 14:56:31Current system time: 2010-06-29 20:26:18 SDH alarm: section layer: none line layer: none path layer: none SDH error: section layer: B1 61575 line layer: B2 12002824 REI 16835916 path layer: B3 65535Statistics last cleared:never Last 300 seconds input rate 16 bits/sec, 0 packets/sec Last 300 seconds output rate 40 bits/sec, 0 packets/sec Input: 3510 packets, 57372 bytes Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket Output: 7270 packets, 344198 bytes Output error: 0 lostpackets Output error: 0 overrunpackets, 0 underrunpackets

1.4 Configuring IP Address Unnumbered for InterfacesIP address unnumbered refers to the situation that an interface that is not assigned an IP addressobtains an IP address by borrowing an IP address from another interface.




Issue 01 (2011-05-30)

1.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring IP address unnumbered.

1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP AddressOnly the primary IP address of an interface can be borrowed.

1.4.3 Configuring an Interface That Borrows an IP Address from Another InterfaceAn Ethernet interface cannot borrow the IP address of another interface.

1.4.4 Checking the ConfigurationYou can view the borrowed IP address of an interface.

1.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring IP address unnumbered.

Applicable EnvironmentTo save IP address resources in some cases, configure the IP address unnumbered on theinterface. You can also perform this configuration for an interface that is occasionally used ratherthan making the interface occupy an IP address constantly.

Restrictions on configuring IP address unnumbered on an interface are as follows:

l The interface of IP address borrower can not be an Ethernet interface.l The interface of IP address lender cannot be IP address from other.l Multiple interfaces can borrow the IP address from the interface of IP address lender.l If the interface of IP address lender has multiple IP addresses, the IP address lender can

only be the primary IP address.l If the interface of IP address borrower borrows an IP address from the interface with no IP

address, the IP address borrower gets the IP adderss 0.0.0.0.l The IP address of the virtual loopback interface can be borrowed by other interfaces. The

loopback interface, however, cannot borrow the IP address from other interfaces.

Pre-configuration TasksBefore configuring IP address unnumbered on an interface, complete the following tasks:

l Configuring physical attributes for the IP address borrower and lenderl Configuring link layer protocols for the IP address borrower and lender

Data PreparationTo configure IP address unnumbered on an interface, you need the following data.

No. Data

1 Number, IP address, and mask of the interface that lends the IP address to otherinterfaces

2 Number of the interface that borrows an IP address from another interface



1-11

NOTE

The configuration here only describes how to configure an unnumbered interface to borrow an IP address.Dynamic routing protocols cannot be enabled on an interface without an IP address. Therefore, you needto manually configure a static route to the remote network segment to realize communication betweendevices.

1.4.2 Configuring the Primary IP Address of the Interface ThatLends an IP Address

Only the primary IP address of an interface can be borrowed.

ProcedureStep 1 Run:

system-view





The primary IP address of the interface is configured.

An interface can also obtain the primary IP address through PPP negotiation.

----End

1.4.3 Configuring an Interface That Borrows an IP Address fromAnother Interface

An Ethernet interface cannot borrow the IP address of another interface.


system-view




Step 3 Run:ip address unnumbered interface interface-type interface-number

The interface is configured to borrow an IP address from the specified interface.

The ATM interface, tunnel interface, and the interface encapsulated with frame relay, PPP orHDLC can borrow the IP address from an Ethernet interface or other interfaces.

----End




Issue 01 (2011-05-30)

1.4.4 Checking the ConfigurationYou can view the borrowed IP address of an interface.

PrerequisiteThe configurations of IP address unnumbered are complete.

Procedurel Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command to

check the IP configuration on the interface.l Run the display interface [ interface-type [ interface-number ] ] command to check

interface information.

----End

ExampleRun the display ip interface command. If the physical status and link protocol status of theinterface are Up, it means that the configuration succeeds.

Run the display interface command. If information about the IP address and mask of theinterface is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display interface pos 6/0/0Pos6/0/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22 19:33:19Description: Pos6/0/0 InterfaceRoute Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)Internet Address is unnumbered, using address of GigabitEthernet3/0/9(120.1.1.1/24)Link layer protocol is PPPLCP opened, IPCP openedThe Vendor PN is FTRJ1321P1BTLPort BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleModeWaveLength: 1310nm, Transmission Distance: 5kmRx Power: -7.19dBm, Tx Power: -5.76dBmPhysical layer is Packet Over SDHScramble enabled, clock master, CRC-32, loopback: noneFlag J0 "NetEngine "Flag J1 "NetEngine "Flag C2 22(0x16)Last physical up time : 2010-06-21 14:56:32Last physical down time : 2010-06-21 14:56:31Current system time: 2010-06-29 20:26:18 SDH alarm: section layer: none line layer: none path layer: none SDH error: section layer: B1 0 line layer: B2 0 REI 1370245 path layer: B3 0 REI 56395Statistics last cleared:never Last 300 seconds input rate 24 bits/sec, 0 packets/sec Last 300 seconds output rate 24 bits/sec, 0 packets/sec Input: 1420 packets, 23131 bytes Input error: 2 shortpacket, 0 longpacket, 1 CRC, 0 lostpacket Output: 1421 packets, 23150 bytes Output error: 0 lostpackets Output error: 0 overrunpackets, 0 underrunpackets



1-13

1.5 Maintaining IP AddressesMaintaining an IP address involves monitoring the operation of this IP address.

1.5.1 Monitoring Network Operation Status of IP AddressesThis section describes IP address monitoring through the display command.

1.5.1 Monitoring Network Operation Status of IP AddressesThis section describes IP address monitoring through the display command.

Context

In routine maintenance, you can run the following commands in any view to check the operationof IP addresses.

Procedurel Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command in

any view to check the IP address configuration on the interface.

l Run the display interface [ interface-type [ interface-number ] ] command in any view tocheck information about the interface.

----End


ContextNOTE

This document takes interface numbers and link types of the CX600-X8 as an example. In workingsituations, the actual interface numbers and link types may be different from those used in this document.

1.6.1 Example for Configuring Primary and Secondary IP AddressesThis part describes how to configure a primary IP address and a secondary IP address for aninterface.

1.6.2 Example for Obtaining an IP Address Through NegotiationThis part describes how an interface obtains an IP address through negotiation.

1.6.3 Example for Configuring IP Address UnnumberedThis part describes how to configure IP address borrowing for an interface.

1.6.4 Example for Configuring IP Address Overlapping on the Same DeviceThis part describes how to configure IP address overlapping on a device.

1.6.5 Example for Configuring an IP Address with a 31-bit MaskThis part describes how to configure an IP address with a 31-bit mask.




Issue 01 (2011-05-30)

1.6.1 Example for Configuring Primary and Secondary IP AddressesThis part describes how to configure a primary IP address and a secondary IP address for aninterface.

Networking RequirementsAs shown in Figure 1-1, GE 1/0/1 of the device connects to a LAN in which computers belongto one of the two network segments: 172.16.1.0/24 and 172.16.2.0/24. It is required that thedevice can communicate with the two network segments. At the same time, the hosts of the twonetwork segments cannot communicate with each other.

Figure 1-1 Configuring primary and secondary IP addresses for an interface

CX600172.16.1.0/24

172.16.2.0/24

GE1/0/1172.16.1.1/24172.16.2.1/24 sub

Configuration RoadmapThe configuration roadmap is as follows:

1. Analyze the address of the network segment to which the interface connects.2. Configure the primary IP address for the interface and then configure one or more secondary

IP addresses for the interface.

NOTE

The primary IP address and the secondary IP address in the overlapped network segments but not samecan be configured on the same interface. The secondary IP addresses of an interface cannot be in the samenetwork segment.

Data PreparationTo complete the configuration, you need the following data:

l Primary IP address and subnet mask of the interfacel Secondary IP address and subnet mask of the interface

Procedure

Step 1 Configure the device.



1-15

# Configure the primary and secondary IP addresses for GE 1/0/1 of the device.

<HUAWEI> system-view[HUAWEI] sysname CX-[CX-] interface gigabitethernet 1/0/1[CX--GigabitEthernet1/0/1] ip address 172.16.1.1 255.255.255.0[CX--GigabitEthernet1/0/1] ip address 172.16.2.1 255.255.255.0 sub[CX--GigabitEthernet1/0/1] undo shutdown[CX--GigabitEthernet1/0/1] quit

Step 2 Verify the configuration.

# Ping the host on the network segment 172.16.1.0 from the device. The ping succeeds.

[CX-] ping 172.16.1.2 PING 172.16.1.2: 56 data bytes, press CTRL_C to break Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/26/27 ms

# Ping the host on the segment 172.16.2.0 from the device. The ping succeeds.

[CX-] ping 172.16.2.2 PING 172.16.2.2: 56 data bytes, press CTRL_C to break Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms --- 172.16.2.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/25/26 ms

# The hosts of the two network segments cannot ping through each other.

----End

Configuration Files

The following lists the configuration file of the CX-:

# sysname CX-#interface GigabitEthernet1/0/1 undo shutdown ip address 172.16.1.1 255.255.255.0 ip address 172.16.2.1 255.255.255.0 sub#return

1.6.2 Example for Obtaining an IP Address Through NegotiationThis part describes how an interface obtains an IP address through negotiation.




Issue 01 (2011-05-30)

Networking RequirementsNOTEObtaining an IP Address Through Negotiation on Interfaces cannot be configured on the X1 and X2 modelsof the CX600.

As shown in Figure 1-2, CX-A allocates an IP address for POS 1/0/0 on CX-B through PPPnegotiation.

Figure 1-2 Networking diagram of allocating IP address through negotiation

CX-A CX-B

POS 1/0/0192.168.1.1/24

POS 1/0/0Ethernet Ethernet


1. Configure a local IP address pool.2. Configure an IP address for the local interface.3. Specify an IP address or address pool for the remote end.4. Enable obtaining an IP address through negotiation on the remote end.


l IP address and subnet mask of the local interfacel The range of the IP address to be allocated to the remote end

Procedure

Step 1 Configure CX-A.

# Configure a local IP address pool.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] aaa[CX-A-aaa] ip pool 1 192.168.1.10 192.168.1.20[CX-A-aaa] quit

# Configure an IP address for POS 1/0/0.

[CX-A] interface pos 1/0/0[CX-A-Pos1/0/0] ip address 192.168.1.1 255.255.255.0

# Configure POS 1/0/0 to allocate an IP address to the remote end.

[CX-A-Pos1/0/0] remote address pool 1[CX-A-Pos1/0/0] shutdown[CX-A-Pos1/0/0] undo shutdown



1-17

[CX-A-Pos1/0/0] quit

Step 2 Configure CX-B.

# Enable obtaning an IP address of the interface through PPP negotiation.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface pos 1/0/0[CX-B-Pos1/0/0] ip address ppp-negotiate[CX-B-Pos1/0/0] undo shutdown[CX-B-Pos1/0/0] quit


CX-B can ping through POS 1/0/0 on CX-A.

[CX-B] ping 192.168.1.1 PING 192.168.1.1: 56 data bytes, press CTRL_C to break Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=156 ms Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=63 ms Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=62 ms Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=63 ms Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=63 ms --- 192.168.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 62/81/156 ms

# View the status of POS 1/0/0 on CX-B.

[CX-B] display interface pos 1/0/0Pos1/0/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22 19:33:19Description : Pos1/0/0 InterfaceRoute Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)Internet Address is negotiated, 192.168.1.10/32Link layer protocol is PPPLCP opened, IPCP openedThe Vendor PN is FTRJ1321P1BTLPort BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleModeWaveLength: 1310nm, Transmission Distance: 5kmRx Power: -2.81dBm, Tx Power: -1.91dBm Physical layer is Packet Over SDHScramble enabled, clock master, CRC-32, loopback: noneFlag J0 "NetEngine "Flag J1 "NetEngine "Flag C2 22(0x16)Last physical up time : 2010-06-21 14:56:32Last physical down time : 2010-06-21 14:56:31Current system time: 2010-06-29 20:26:18 SDH alarm: section layer: none line layer: none path layer: none SDH error: section layer: B1 61575 line layer: B2 12002824 REI 16835916 path layer: B3 65535Statistics last cleared:never Last 300 seconds input rate 16 bits/sec, 0 packets/sec Last 300 seconds output rate 40 bits/sec, 0 packets/sec Input: 3510 packets, 57372 bytes Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket Output: 7270 packets, 344198 bytes Output error: 0 lostpackets Output error: 0 overrunpackets, 0 underrunpackets




Issue 01 (2011-05-30)

If the information "Internet Address is negotiated, 192.168.1.10/32" is displayed, it means thatthe address negotiation succeeds.

----End

Configuration Filesl Configuration file of CX-A

# sysname CX-A#aaa ip pool 1 192.168.1.10 192.168.1.20#interface Pos1/0/0 link-protocol ppp undo shutdown remote address pool 1 ip address 192.168.1.1 255.255.255.0#return

l Configuration file of CX-B# sysname CX-B#interface Pos1/0/0 link-protocol ppp undo shutdown ip address ppp-negotiate#return

1.6.3 Example for Configuring IP Address UnnumberedThis part describes how to configure IP address borrowing for an interface.

Networking Requirements

As shown in Figure 1-3, an enterprise builds its intranet through the ISDN. CX-A and CX-Bconnect to a local LAN through the GE interfaces. The devices connect to each other throughthe dialing ports. Each device connects to the LAN through GE 1/0/0 and connects to the ISDNthrough POS 2/0/0. To save IP address resources, the dialing ports are planned to borrow the IPaddresses from the GE interfaces.

Figure 1-3 Networking diagram of an IP address unnumbered configuration

CX-A CX-B

POS 2/0/0 POS 2/0/0GE1/0/0172.16.10.1/24

GE1/0/0172.16.20.1/24

Ethernet EthernetISDN



1-19


1. Configure IP addresses to be borrowed.2. Configure the interfaces to borrow IP addresses from other interfaces.


l IP address of the interface that lends an IP addressl Number of the interface that lends an IP address

Procedure


# Configure an IP address for GE 1/0/0.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] ip address 172.16.10.1 255.255.255.0[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] quit

# Configure the POS interface to borrow an IP address from the GE interface.

[CX-A] interface pos 2/0/0[CX-A-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0[CX-A-Pos2/0/0] link-protocol ppp[CX-A-Pos2/0/0] undo shutdown[CX-A-Pos2/0/0] quit

# Configure an Ethernet route to CX-B.

[CX-A] ip route-static 172.16.20.0 255.255.255.0 pos 2/0/0



<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] ip address 172.16.20.1 255.255.255.0[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] quit

# Configure the POS interface to borrow an IP address from the GE interface.

[CX-B] interface pos 2/0/0[CX-B-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0[CX-B-Pos2/0/0] link-protocol ppp[CX-B-Pos2/0/0] undo shutdown[CX-B-Pos2/0/0] quit

# Configure an Ethernet route to CX-A.

[CX-B] ip route-static 172.16.10.0 255.255.255.0 pos 2/0/0


# CX-A can ping through the address of the host connected to CX-B.




Issue 01 (2011-05-30)

[CX-A] ping 172.16.20.2 PING 172.16.20.2: 56 data bytes, press CTRL_C to break Reply from 172.16.20.2: bytes=56 Sequence=1 ttl=254 time=25 ms Reply from 172.16.20.2: bytes=56 Sequence=2 ttl=254 time=25 ms Reply from 172.16.20.2: bytes=56 Sequence=3 ttl=254 time=26 ms Reply from 172.16.20.2: bytes=56 Sequence=4 ttl=254 time=26 ms Reply from 172.16.20.2: bytes=56 Sequence=5 ttl=254 time=26 ms --- 172.16.20.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 25/25/26 ms

----End


# sysname CX-A#interface Pos2/0/0 link-protocol ppp undo shutdown ip address unnumbered interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0 undo shutdown ip address 172.16.10.1 255.255.255.0#ip route-static 172.16.20.0 255.255.255.0 Pos2/0/0#return

l Configuration file of CX-B# sysname CX-B#interface Pos2/0/0 link-protocol ppp undo shutdown ip address unnumbered interface GigabitEthernet1/0/0#interface GigabitEthernet1/0/0 undo shutdown ip address 172.16.20.1 255.255.255.0#ip route-static 172.16.10.0 255.255.255.0 Pos2/0/0#return

1.6.4 Example for Configuring IP Address Overlapping on the SameDevice

This part describes how to configure IP address overlapping on a device.

Networking RequirementsAs shown in Figure 1-4, Network A and Network B are independent from each other. Theyaccess the Internet through different paths. Using the same Layer 2 network provided by ISP 1,Network A and Network B can access each other.

It is required to use CX-B to connect Network A and Network B to the Layer 2 network providedby ISP 1 by using the IP addresses 192.168.1.11/24 and 192.168.1.12/24.



1-21

Figure 1-4 Networking diagram of configuring IP address overlapping on the same device

ISP1 AS:200

GE1/0/0192.168.1.11/24

GE3/0/0192.168.1.12/24

POS2/0/010.1.1.1/24

POS4/0/020.1.1.1/24

GE1/0/0192.168.1.1/24

r1 r2

CX-B

Network B

CX-AAS:100

Network A

Layer2network

POS2/0/010.1.1.2/24

POS4/0/020.1.1.2/24

CX-C Cx-D

Procedure

Step 1 Configure a VPN instance.

# On CX-B, create a VPN instance for Network A, and bind the VPN instance to the upstreaminterface GE 1/0/0 and the downstream interface POS 2/0/0.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ip vpn-instance r1[CX-B-vpn-instance-r1] ipv4-family[CX-B-vpn-instance-r1-af-ipv4] route-distinguisher 100:1[CX-B-vpn-instance-r1-af-ipv4] quit[CX-B-vpn-instance-r1] quit[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] ip binding vpn-instance r1[CX-B-GigabitEthernet1/0/0] ip address 192.168.1.11 24[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] quit[CX-B] interface pos 2/0/0[CX-B-Pos2/0/0] ip binding vpn-instance r1[CX-B-Pos2/0/0] ip address 10.1.1.1 24[CX-B-Pos2/0/0] undo shutdown[CX-B-Pos2/0/0] quit

# On CX-B, create a VPN instance for Network B, and bind the VPN instance to the upstreaminterface GE 3/0/0 and the downstream interface POS 4/0/0.

[CX-B] ip vpn-instance r2[CX-B-vpn-instance-r2] ipv4-family[CX-B-vpn-instance-r2-af-ipv4] route-distinguisher 100:2[CX-B-vpn-instance-r2-af-ipv4] quit[CX-B-vpn-instance-r2] quit[CX-B] interface gigabitethernet 3/0/0[CX-B-GigabitEthernet3/0/0] ip binding vpn-instance r2[CX-B-GigabitEthernet3/0/0] ip address 192.168.1.12 24[CX-B-GigabitEthernet3/0/0] undo shutdown




Issue 01 (2011-05-30)

[CX-B-GigabitEthernet3/0/0] quit[CX-B] interface pos 4/0/0[CX-B-Pos4/0/0] ip binding vpn-instance r2[CX-B-Pos4/0/0] ip address 20.1.1.1 24[CX-B-Pos4/0/0] undo shutdown[CX-B-Pos4/0/0] quit

# On CX-B, configure static routes for the two VPN instances.

[CX-B] ip route-static vpn-instance r1 0.0.0.0 0 192.168.1.1[CX-B] ip route-static vpn-instance r2 0.0.0.0 0 192.168.1.1

Step 2 Set up the EBGP neighbor relationship between CX-A and the two upstream interfaces on CX-B respectively.

# Configure CX-B.

[CX-B] bgp 200[CX-B-bgp] router-id 100.1.1.1[CX-B-bgp] ipv4-family vpn-instance r1[CX-B-bgp-r1] peer 192.168.1.1 as-number 100[CX-B-bgp-r1] import-route direct[CX-B-bgp-r1] quit[CX-B-bgp] ipv4-family vpn-instance r2[CX-B-bgp-r2] peer 192.168.1.1 as-number 100[CX-B-bgp-r2] import-route direct[CX-B-bgp-r2] quit[CX-B-bgp] quit

# Configure CX-A.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] ip address 192.168.1.1 24[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] quit[CX-A] bgp 100[CX-A-bgp] peer 192.168.1.11 as-number 200[CX-A-bgp] peer 192.168.1.12 as-number 200[CX-A-bgp] quit

Step 3 Configure IP addresses and static routes for CX-C and CX-D on the local network.

# Configure the IP address and static route for CX-C.

<HUAWEI> system-view[HUAWEI] sysname CX-C[CX-C] interface pos 2/0/0[CX-C-Pos2/0/0] ip address 10.1.1.2 24[CX-C-Pos2/0/0] undo shutdown[CX-C-Pos2/0/0] quit[CX-C] ip route-static 0.0.0.0 0 10.1.1.1

# Configure the IP address and static route for CX-D.

<HUAWEI> system-view[HUAWEI] sysname CX-D[CX-D] interface pos 4/0/0[CX-D-Pos4/0/0] ip address 20.1.1.2 24[CX-D-Pos4/0/0] undo shutdown[CX-D-Pos4/0/0] quit[CX-D] ip route-static 0.0.0.0 0 20.1.1.1


# After the configurations, view the private routing table on CX-B. The routes of the two localnetworks connected to CX-B belong to two VPN instances (r1 and r2) respectively. Thisindicates that the routes are isolated.



1-23

[CX-B] display ip routing-table vpn-instance r1Route Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: r1 Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 192.168.1.1 GigabitEthernet1/0/010.1.1.0/24 Direct 0 0 D 10.1.1.1 Pos2/0/010.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack010.1.1.2/32 Direct 0 0 D 10.1.1.2 Pos2/0/0192.168.1.0/24 Direct 0 0 D 192.168.1.11 GigabitEthernet1/0/0192.168.1.11/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[CX-B] display ip routing-table vpn-instance r2Route Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: r2 Destinations : 6 Routes : 6


0.0.0.0/0 Static 60 0 RD 192.168.1.1 GigabitEthernet3/0/020.1.1.0/24 Direct 0 0 D 20.1.1.1 Pos4/0/020.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack020.1.1.2/32 Direct 0 0 D 20.1.1.2 Pos4/0/0192.168.1.0/24 Direct 0 0 D 192.168.1.12 GigabitEthernet3/0/0192.168.1.12/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the display ip routing-table command on CX-A. The command output shows that thepublic routing table on CX-A contains routes to the two local networks.

[CX-A] display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 8 Routes : 8


10.1.1.0/24 EBGP 255 0 D 192.168.1.11 GigabitEthernet1/0/010.1.1.2/32 EBGP 255 0 D 192.168.1.11 GigabitEthernet1/0/020.1.1.0/24 EBGP 255 0 D 192.168.1.12 GigabitEthernet1/0/020.1.1.2/32 EBGP 255 0 D 192.168.1.12 GigabitEthernet1/0/0127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0192.168.1.0/24 Direct 0 0 D 192.168.1.1 GigabitEthernet1/0/0192.168.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Network A and Network B can ping through each other.

----End


# sysname CX-A#interface GigabitEthernet1/0/0 undo shutdown ip address 192.168.1.1 255.255.255.0




Issue 01 (2011-05-30)

#bgp 100 peer 192.168.1.11 as-number 200 peer 192.168.1.12 as-number 200 # ipv4-family unicast undo synchronization peer 192.168.1.11 enable peer 192.168.1.12 enable#return

l Configuration file of CX-B.# sysname CX-B#ip vpn-instance r1 ipv4-family route-distinguisher 100:1#ip vpn-instance r2 ipv4-family route-distinguisher 100:2#interface GigabitEthernet1/0/0 undo shutdown ip binding vpn-instance r1 ip address 192.168.1.11 255.255.255.0#interface GigabitEthernet3/0/0 undo shutdown ip binding vpn-instance r2 ip address 192.168.1.12 255.255.255.0#interface Pos2/0/0 link-protocol ppp undo shutdown ip binding vpn-instance r1 ip address 10.1.1.1 255.255.255.0#interface Pos4/0/0 link-protocol ppp undo shutdown ip binding vpn-instance r2 ip address 20.1.1.1 255.255.255.0#bgp 200 router-id 100.1.1.1 # ipv4-family unicast undo synchronization # ipv4-family vpn-instance r1 peer 192.168.1.1 as-number 100 import-route direct # ipv4-family vpn-instance r2 peer 192.168.1.1 as-number 100 import-route direct# ip route-static vpn-instance r1 0.0.0.0 0.0.0.0 192.168.1.1 ip route-static vpn-instance r2 0.0.0.0 0.0.0.0 192.168.1.1#return

l Configuration file of CX-C# sysname CX-C#interface pos 2/0/0



1-25

link-protocol ppp undo shutdown ip address 10.1.1.2 255.255.255.0#ip route-static 0.0.0.0 0.0.0.0 10.1.1.1#return

l Configuration file of CX-D# sysname CX-D#interface pos 4/0/0 link-protocol ppp undo shutdown ip address 20.1.1.2 255.255.255.0#ip route-static 0.0.0.0 0.0.0.0 20.1.1.1#Return

1.6.5 Example for Configuring an IP Address with a 31-bit MaskThis part describes how to configure an IP address with a 31-bit mask.

Networking RequirementsAs shown in Figure 1-5, CX-A and CX-B are connected through a PPP link.

Figure 1-5 Networking diagram of configuring an IP address with a 31-bit mask

CX-A

POS1/0/010.1.1.1/31

CX-B

POS1/0/010.1.1.0/31


1. Configure an IP address with a 31-bit mask for POS 1/0/0 on CX-A.2. Configure an IP address with a 31-bit mask for POS 1/0/0 on CX-B.


l IP address and mask of POS 1/0/0 on CX-Al IP address and mask of POS 1/0/0 on CX-B

ProcedureStep 1 Configure an IP address for each interface.

# Configure an IP address for POS 1/0/0 on CX-A.




Issue 01 (2011-05-30)

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface pos 1/0/0[CX-A-Pos1/0/0] ip address 10.1.1.1 255.255.255.254[CX-A-Pos1/0/0] undo shutdown[CX-A-Pos1/0/0] quit

# Configure an IP address for POS 1/0/0 on CX-B.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface pos 1/0/0[CX-B-Pos1/0/0] ip address 10.1.1.0 255.255.255.254[CX-B-Pos1/0/0] undo shutdown[CX-B-Pos1/0/0] quit


# After the preceding configurations, you can check the routing table on CX-A. You can findthat in the routing table, the network address and the broadcast address of the network segmentare both used as host addresses.

[CX-A] display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 5 Routes : 5Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/31 Direct 0 0 D 10.1.1.1 Pos1/0/0 10.1.1.0/32 Direct 0 0 D 10.1.1.0 Pos1/0/0 10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# After the preceding configurations, you can check the routing table on CX-B. You can findthat in the routing table, the network address and the broadcast address of the network segmentare both used as host addresses.

[CX-B] display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 5 Routes : 5Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/31 Direct 0 0 D 10.1.1.0 Pos1/0/0 10.1.1.0/32 Direct 0 0 D 127.0.0.1 InLoopBack0 10.1.1.1/32 Direct 0 0 D 10.1.1.1 Pos1/0/0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

----End


# sysname CX-A#interface Pos1/0/0 link-protocol ppp undo shutdown ip address 10.1.1.1 255.255.255.254#return

l Configuration file of CX-B#



1-27

sysname CX-B#interface Pos1/0/0 link-protocol ppp undo shutdown ip address 10.1.1.0 255.255.255.254#return




Issue 01 (2011-05-30)

2 ARP Configuration

About This Chapter

ARP can map an IP address to a MAC address and implements transmission of Ethernet frames.

2.1 Introduction to ARPARP, acronym for Address Resolution Protocol, is at the link layer of the TCP/IP protocol suite.

2.2 Configuring Static ARPStatic ARP indicates that there is a fixed mapping between an IP address and a MAC address.Static ARP needs to be configured by an administrator.

2.3 Optimizing Dynamic ARPIf dynamic ARP is configured, the system automatically resolutes an IP address into an EthernetMAC address.

2.4 Configuring Routed Proxy ARPProxy ARP enables devices whose IP addresses belong to the same network segment butdifferent physical networks to communicate with each other.

2.5 Configuring Proxy ARP Within a VLANBy configuring proxy ARP on a VLAN, you can interconnect isolated hosts on a VLAN.

2.6 Configuring Proxy ARP Between VLANsBy configuring inter-VLAN proxy ARP, you can interconnect hosts on different VLANs.

2.7 Configuring ARP-Ping IPARP-Ping IP is a method of detecting whether an IP address is used by another device on a localarea network (LAN) by sending ARP packets.

2.8 Configuring ARP-Ping MACARP-Ping MAC is a method of detecting whether a MAC address is used by another device ona LAN by sending ICMP packets.

2.9 Configuring the Association Between ARP and Interface StatusBy configuring ARP and interface status association, you can determine whether the peer devicecan forward packets normally by checking whether the device receives a response to the ARPdetection packet sent to the peer device. In this manner, you can determine the protocol status(up or down) of the device and triggers fast route convergence.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 2 ARP Configuration


2-1

2.10 Maintaining ARPThe operations of ARP maintenance include clearing ARP statistics and monitoring ARPoperating status.


2 ARP ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

2.1 Introduction to ARPARP, acronym for Address Resolution Protocol, is at the link layer of the TCP/IP protocol suite.

2.1.1 Overview of ARPAn Ethernet device must support ARP. ARP implements dynamic mapping between Layer 3 IPaddresses and Layer 2 MAC addresses.

2.1.2 Features of ARP Supported by the CX600ARP can operate in either of two modes: static and dynamic. The extensions of ARP includeproxy ARP, gratuitous ARP, association between ARP and interface status, and ARP-Ping.

2.1.1 Overview of ARPAn Ethernet device must support ARP. ARP implements dynamic mapping between Layer 3 IPaddresses and Layer 2 MAC addresses.

Each host or device on the Local Area Network (LAN) can be configured a 32-bit IP address tocommunicate with others. The assigned IP address is independent of the hardware address.

On the Ethernet, a host or a device transmits and receives Ethernet frames according to a 48-bitMedium Access Control (MAC) address. The MAC address is also called the physical addressor the hardware address, which is assigned to an Ethernet interface when equipment is produced.Therefore, on an interconnected network, an address resolution mechanism is required to providethe mapping between MAC addresses and IP addresses.

The Address Resolution Protocol (ARP) maps an IP address to the corresponding MAC address.

2.1.2 Features of ARP Supported by the CX600ARP can operate in either of two modes: static and dynamic. The extensions of ARP includeproxy ARP, gratuitous ARP, association between ARP and interface status, and ARP-Ping.

ARP is only used in the IPv4 environment and can only run on Ethernet links.

Introduction to ARP-PingARP-Ping consists of ARP-Ping IP and ARP-Ping MAC. ARP-Ping is developed to maintainthe deployed Layer 2 features.

Introduction to ARP-Ping IPARP-Ping IP uses ARP packets to check whether an IP address is used by another device on theLAN.

Before configuring an IP address for a device, you need to check that this IP address is not usedby another device on the network by sending the ARP packets. Then, you can take appropriateactions.

You can also run the ping command to check whether the IP address is used by another deviceon the network. If enabled with the firewall function that does not reply to Ping packets, thedestination host and device do not reply to Ping packets and think that the IP address is not inuse. ARP is a Layer 2 protocol. In most cases, ARP packets can pass through the firewall. Inthis way, the preceding situation does not occur.



2-3

Principles of ARP-Ping IPARP-Ping IP sends ARP Request packets. The following describes how to implement ARP-PingIP:

1. After setting the specified IP address through command lines, you can send ARP Requestpackets and start the timeout timer.

2. After receiving an ARP Request packet, each device or host on the LAN replies with anARP Reply packet.

3. After receiving the ARP Reply packet, the source device compares the source IP addresscontained in the Reply packet with the IP address input in the command line. If they areconsistent, the MAC address corresponding to the input IP address is displayed and thetimeout timer of ARP Reply packets is disabled. The operation finishes.If the timeout timer of ARP Reply packets times out, it means that the IP address is not inuse.

As shown in Figure 2-1, CX-A and Gigabitethernet A are directly connected. You can run thearp-ping ip command on CX-A to check whether the IP address 10.1.1.2 is in use.

Figure 2-1 Implementation procedure of ARP-Ping IP

Host B10.1.1.3/32

Host A10.1.1.2/32

GE1/0/010.1.1.1/24

CX-A

Ethernet A

Run the arp-ping ip 10.1.1.2 command on CX-A. After receiving the ARP Reply packet fromHost A 10.1.1.2 on the network, CX-A displays the MAC address of Host A.CX-A displays theMAC address of Node B.

Through the command output, you can know whether the IP address is used by another host onthe network.

NOTE

The arp-ping ip command is applicable to the outgoing interface in one of the following types: the GigabitEthernet interface, and Eth-Trunk interface, VLANIF interface, member interface of the VLANIF interface,Ethernet interface, (including the Layer 2 interfaces into which these interfaces are switched).

Introduction to ARP-Ping MACARP-Ping MAC uses ICMP packets to check whether a MAC address is used by another deviceon the LAN.

When you know a specific MAC address on a network segment but do not know thecorresponding IP address, you can obtain the IP address corresponding to the MAC address by




Issue 01 (2011-05-30)

sending the broadcast Internet Control Messages Protocol (ICMP) packets through ARP-PingMAC. In this way, you can query the IP address corresponding to the specific MAC address onthe network segment.

Principles of ARP-Ping MAC

ARP-Ping MAC sends broadcast ICMP Echo Request packets. The following describes how toimplement ARP-Ping MAC:

1. After setting the specified MAC address through the command line, you can send broadcastICMP Echo Request packets and start the timeout timer.

2. After receiving an ICMP Echo Request packet, each device or host on the LAN replies withan ICMP Echo Reply packet.

3. After receiving the ICMP Echo Reply packet, the source device compares the source MACaddress contained in the Echo Reply packet with the MAC address input in the commandline. If they are consistent, the IP address of the Echo Reply packet is displayed. Then thesource device prompts you that the MAC address is in use and disables the timeout timer.The operation finishes.If the timeout timer of the ICMP Echo Reply packets times out, it means that the MACaddress is not in use.

NOTE

If the system denies the request for replying with the network segment address, the sender cannot receivethe ICMP Echo Reply packet.

As shown in Figure 2-2, CX-A and Gigabitethernet A are directly connected. You can run thearp-ping mac command on CX-A to check whether the MAC address 0013-46E7-2EF5 is inuse.

Figure 2-2 Implementation procedure of ARP-Ping MAC

Host A0013-46E7-2EF5

GE1/0/010.1.1.0/24

CX-A

Ethernet A

The following describes how to implement ARP-Ping MAC on CX-A:

Run the arp-ping mac 0013-46E7-2EF5 10.1.1.0 or arp-ping mac 0013-46E7-2EF5gigabitethernet 1/0/0 command on CX-A. After receiving the ICMP Reply packets replied byall the hosts on the network, CX-A displays the IP address of the host with the MAC address0013-46E7-2EF5.

Through the command output, you can obtain the IP address corresponding to the MAC address.



2-5

NOTE

The arp-ping mac command is applicable to the outgoing interface in one of the following types: GigabitEthernet interface, VLANIF interface, the Ethernet interface, and Eth-Trunk interface.

2.2 Configuring Static ARPStatic ARP indicates that there is a fixed mapping between an IP address and a MAC address.Static ARP needs to be configured by an administrator.

2.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring static ARP.

2.2.2 Configuring Common Static ARP EntriesStatic ARP entries are required for the communication between common interfaces.

2.2.3 Configuring Static ARP Entries in a VLANIn the scenario where two users belong to the same VLAN but user isolation is configured inthe VLAN, to implement communications between the two users, you need to enable static ARPwithin the VLAN on the member interface of the VLAN.

2.2.4 Configuring Static ARP Entries in a VPN InstanceTo implement Layer 2 interworking of the devices in a VPN instance, you can configure staticARP in the VPN instance.

2.2.5 Checking the ConfigurationYou can view the configuration of static ARP.

2.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring static ARP.

Applicable Environment

Static ARP is used in the following situations:

l For the packets whose destination IP address is on another network segment, static ARPcan help these packets traverse a gateway of the local network segment so that the gatewaycan forward the packets to their destination.

l When you need to filter out some packets with illegitimate destination IP addresses, staticARP can bind these illegitimate addresses to a nonexistent MAC address.


Before configuring ARP, complete the following tasks:

l Configuring physical parameters for the interface and ensuring that the status of the physicallayer of the interface is Up

l Configuring link layer protocol parameters for the interface and ensuring that the status ofthe link layer protocol on the interface is Up

l Configuring the network layer protocol for the interface




Issue 01 (2011-05-30)

Data PreparationTo configure ARP, you need the following data.

No. Data

1 IP address and MAC address of the static ARP entry

2 VPN instance name and VLAN ID to which the static ARP entry belongs

2.2.2 Configuring Common Static ARP EntriesStatic ARP entries are required for the communication between common interfaces.

ContextIf static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a devicesimultaneously, the virtual IP address of the VRRP backup group configured on the Dot1qtermination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be theIP address contained in the static ARP entries; otherwise, incorrect host routes are generated andthus packets cannot be normally forwarded.

NOTE

To configure static ARP for the packets with double tags, run the arp static cevid command. For details,see the HUAWEI CX600 Metro Services Platform Command Reference - LAN Access and MAN Access.

Procedure



Step 2 Run:arp static ip-address mac-address

Configure common static ARP entries.

NOTE

Static ARP entries keep valid when a device works normally.

----End

2.2.3 Configuring Static ARP Entries in a VLANIn the scenario where two users belong to the same VLAN but user isolation is configured inthe VLAN, to implement communications between the two users, you need to enable static ARPwithin the VLAN on the member interface of the VLAN.

ContextIf static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a devicesimultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q



2-7

termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be theIP address contained in the static ARP entries; otherwise, incorrect host routes are generated andthus packets cannot be normally forwarded.

NOTE


Procedure



Step 2 Configure static ARP entries in a Virtual Local Area Network (VLAN).

To configure static ARP entries in a VLAN, do as follows:

l Run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command.

It is required to set parameters vid vlan-id and interface interface-type interface-number whenyou configure static ARP entries in the VLAN.

If the interface corresponding to the VLAN is bound to a Virtual Private Network (VPN),the device can automatically associate the configured static ARP entry with the VPN. Thiscommand is applicable to port-based VLANs.

l Run the arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-id command.

This command is applicable to the sub-interface that supports VLAN and can be bound tothe VPN.

NOTE


----End

2.2.4 Configuring Static ARP Entries in a VPN InstanceTo implement Layer 2 interworking of the devices in a VPN instance, you can configure staticARP in the VPN instance.

Context

If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a devicesimultaneously, the virtual IP address of the VRRP backup group configured on the Dot1qtermination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be theIP address contained in the static ARP entries; otherwise, incorrect host routes are generated andthus packets cannot be normally forwarded.

NOTE





Issue 01 (2011-05-30)


system-view


Step 2 Run:arp static ip-address mac-address vpn-instance vpn-instance-name

Configure static ARP entries in a VPN instance.

NOTE


----End

2.2.5 Checking the ConfigurationYou can view the configuration of static ARP.

PrerequisiteThe configurations of the ARP function are complete.

Procedurel Run the display arp slot slot-id [ network net-number [ net-mask | mask-length ] ]

[ dynamic | static ] command to check information about ARP mapping tables based onslots.

l Run the display arp vlan vlan-id interface interface-type interface-number command tocheck information about ARP mapping tables based on VLANs.

l Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]command to check information about ARP mapping tables based on VPN instances.

l Run the display arp statistics { all | slot slot-id } command to check the statistics for ARPentries.

----End

ExampleRun the display arp slot command. If all the ARP entries of the interface board are displayed,it means that the configuration succeeds. For example:

<HUAWEI> display arp slot 1IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------192.168.1.12 0000-0a41-0202 S-- GE1/0/1 r2192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1------------------------------------------------------------------------------Total:4 Dynamic:2 Static:1 Interface:1

Run the display arp vlancommand. If all the ARP mapping table of a specified VLAN aredisplayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp vlan 10 interface gigabitethernet 1/0/1



2-9

IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------1.1.1.3 0002-0002-0002 S-- GE1/0/1 10/-------------------------------------------------------------------------------Total:1 Dynamic:0 Static:1 Interface:0

Run the display arp vpn-instance command. If all the ARP entries of the VPN instance aredisplayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp vpn-instance r1 slot 1IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1192.168.1.1 0000-0a41-0200 12 S-- GE1/0/0 r1------------------------------------------------------------------------------Total:2 Dynamic:0 Static:1 Interface:1

Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries aredisplayed, it means that the configuration succeeds. For example:

<HUAWEI> display arp statistics allDynamic:20 Static:10

2.3 Optimizing Dynamic ARPIf dynamic ARP is configured, the system automatically resolutes an IP address into an EthernetMAC address.

2.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for optimizing dynamic ARP.

2.3.2 Modify the aging parameters of dynamic ARPIf the device needs to update ARP entries frequently, you can reduce the aging timeout periodof ARP entries, increase the number of aging detections for ARP entries, and reduce the agingdetection intervals of ARP entries.

2.3.3 Enabling ARP Suppression FunctionIf the system receives a great number of ARP packets from the same source at a time, the systemneeds to update ARP entries repeatedly. To ensure the performance of the system, you can enableARP suppression. In this manner, the system only responds to the ARP packets but does notupdate ARP entries.

2.3.4 Enabling Layer 2 Topology Detection FunctionAfter Layer 2 topology detection is enabled, the system updates all the ARP entriescorresponding to the VLANs to which a Layer 2 interface belongs, if this Layer 2 interface goesUp.

2.3.5 Enabling ARP CheckARP check can be enabled to ensure network security. In this case, when an interface receivesan ARP packet, it checks whether the source MAC address and destination MAC address in theEthernet packet header are the same as those in the Data field of the ARP packet.

2.3.6 Checking the ConfigurationYou can view the configuration of dynamic ARP.




Issue 01 (2011-05-30)

2.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for optimizing dynamic ARP.

Applicable EnvironmentDynamic ARP is one of functions owned by a device or host. You do not need to run a commandto enable dynamic ARP but you can modify some parameters of dynamic ARP.

Pre-configuration TasksNone

Data PreparationOptimizing dynamic ARP, you need the following data.

No. Data

1 ID of the Ethernet interface or the virtual Ethernet interface to which the dynamicARP entry belongs

2 Aging detection times of the dynamic ARP entry

3 Aging time of the dynamic ARP entry

2.3.2 Modify the aging parameters of dynamic ARPIf the device needs to update ARP entries frequently, you can reduce the aging timeout periodof ARP entries, increase the number of aging detections for ARP entries, and reduce the agingdetection intervals of ARP entries.

Procedure



Step 2 Run:interface interface-type interface-number [ .subinterface-number ]

The Ethernet interface view or the virtual Ethernet sub-interface view is displayed.

Step 3 Run:arp detect-times detect-times

The number of aging detection times of the dynamic ARP entries is configured.

Step 4 Run:arp expire-time expire-times

The timeout period for aging dynamic ARP entries is configured.



2-11

By default, the aging detection times of the dynamic ARP entries is three, and the aging timeoutperiod is 1200 seconds.

----End

2.3.3 Enabling ARP Suppression FunctionIf the system receives a great number of ARP packets from the same source at a time, the systemneeds to update ARP entries repeatedly. To ensure the performance of the system, you can enableARP suppression. In this manner, the system only responds to the ARP packets but does notupdate ARP entries.

Procedure



Step 2 Run:arp-suppress enable

ARP suppression is enabled on the current device.

The ARP suppression function can be enabled only on the Eth-Trunk interface, and VLANIFinterface.

The ARP suppression function can be enabled only on the Eth-Trunk interface, and VLANIFinterface.

By default, ARP suppression is disabled and only VLANIF interfaces are suppressed.

----End

2.3.4 Enabling Layer 2 Topology Detection FunctionAfter Layer 2 topology detection is enabled, the system updates all the ARP entriescorresponding to the VLANs to which a Layer 2 interface belongs, if this Layer 2 interface goesUp.

Procedure



Step 2 Run:l2-topology detect enable

The Layer 2 topology detection function is enabled.

By default, this function is not enabled.

----End




Issue 01 (2011-05-30)

2.3.5 Enabling ARP CheckARP check can be enabled to ensure network security. In this case, when an interface receivesan ARP packet, it checks whether the source MAC address and destination MAC address in theEthernet packet header are the same as those in the Data field of the ARP packet.

ContextOn the metro Ethernet, there are various ARP attacks. To protect the network, you need toconfigure ARP security features at the access layer or convergence layer of the network to protectagainst ARP attacks.

If there are ARP spoofing attacks on the network, you can run the arp validate command toenable an interface to check the received ARP packet to determine whether the source MACaddress and destination MAC address in the Ethernet packet header are respectively the sameas those in the Data field of the ARP packet. If they are not the same, the ARP packet is discarded.If they are the same, the ARP packet is forwarded.

NOTE

l ARP check cannot be configured on sub-interfaces. When a sub-interface receives an ARP packet, themain interface where the sub-interface is configured checks the ARP packet to determine whether thedestination MAC address in the Ethernet packet header is the same as that in the Data field of the ARPpacket. If they are the same, the sub-interface forwards the ARP packet. If they are not the same, thesub-interface discards the ARP packet.

l ARP check cannot be configured on VLANIF interfaces. When a VLANIF interface receives an ARPpacket, the physical interface that belongs to the VLAN for which the VLANIF interface is configuredchecks the ARP packet to determine whether the destination MAC address in the Ethernet packet headeris the same as that in the Data field of the ARP packet. If they are the same, the VLANIF interfaceforwards the ARP packet. If they are not the same, the VLANIF interface discards the ARP packet.

Do as follows on the devices on which ARP check needs to be enabled.

Procedure



Step 2 Run:interface { ethernet | gigabitethernet | eth-trunk } interface-number

The view of the Ethernet interface where ARP check needs to be enabled is displayed.

Step 3 Run:arp validate { source-mac | destination-mac } *

ARP check is enabled.

l If source-mac is specified:– After receiving an ARP Request packet, an interface only checks whether the source MAC

address in the Ethernet packet header is consistent with that in the Data field of the ARPpacket.

– After receiving an ARP Response packet, an interface only checks whether the sourceMAC address in the Ethernet packet header is consistent with that in the Data field of theARP packet.



2-13

l If destination-mac is specified:– After receiving an ARP Request packet, an interface does not check whether the

destination MAC address in the Ethernet packet header is consistent with that in the Datafield of the ARP packet because ARP packets are broadcast packets.

– After receiving an ARP Response packet, an interface only checks whether the destinationMAC address in the Ethernet packet header is consistent with that in the Data field of theARP packet.

l If both source-mac and destination-mac are specified:– After receiving an ARP Request packet, an interface only checks whether the source MAC

address in the Ethernet packet header is consistent with that in the Data field of the ARPpacket.

– After receiving an ARP Response packet, an interface checks whether both the sourceMAC address and destination MAC address in the Ethernet packet header are respectivelythe same as those in the Data field of the ARP packet.

----End

2.3.6 Checking the ConfigurationYou can view the configuration of dynamic ARP.

PrerequisiteThe configurations of the ARP function are complete.

Procedurel Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-

id ] ] command to check information about ARP mapping tables based on interfaces.l Run the display arp slot slot-id [ network net-number [ net-mask | mask-length ] ]



l Run the display arp statistics { all | slot slot-id } command to check the statistics for ARPentries.

----End

ExampleRun the display arp interface command. If all the ARP entries of the interface are displayed,it means that the configuration succeeds. For example:

<HUAWEI> display arp interface gigabitethernet 1/0/0IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1192.168.1.1 0000-0a41-0200 15 D-6 GE1/0/0 r1------------------------------------------------------------------------------Total:2 Dynamic:1 Static:0 Interface:1

Run the display arp slot command. If all the ARP entries of the interface board are displayed,it means that the configuration succeeds. For example:




Issue 01 (2011-05-30)

<HUAWEI> display arp slot 1IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------192.168.1.12 0000-0a41-0202 I - GE1/0/1 r2192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1------------------------------------------------------------------------------Total:4 Dynamic:2 Static:0 Interface:2


<HUAWEI> display arp vpn-instance r1 slot 1IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1192.168.1.1 0000-0a41-0200 12 D-6 GE1/0/0 r1------------------------------------------------------------------------------Total:2 Dynamic:1 Static:0 Interface:1

Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries aredisplayed, it means that the configuration succeeds. For example:


2.4 Configuring Routed Proxy ARPProxy ARP enables devices whose IP addresses belong to the same network segment butdifferent physical networks to communicate with each other.

2.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring routed proxy ARP.

2.4.2 Configure an IP Addresses for the InterfaceThe IP address assigned to a routed proxy ARP-enabled interface must be on the same networksegment with the IP address of the host on the LAN to which this interface connects.

2.4.3 Enabling the Routed Proxy ARP FunctionTo interconnect the subnets in the same IP network, you need to enable routed proxy ARP.

2.4.4 Checking the ConfigurationYou can view the configuration of routed proxy ARP.

2.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring routed proxy ARP.


The two physical networks of an enterprise are in different subnets of the same IP network, andare separated by a device. You need to enable the proxy ARP on the device interface connectedto the physical networks. This enables communication between the two networks.



2-15

Network IDs of subnet hosts must be the same. You need not configure default gateways forhosts.

Pre-configuration TasksBefore configuring routed proxy ARP, complete the following tasks:

l Configuring the physical parameters for the interface and ensuring that the status of thephysical layer of the interface is Up


Data PreparationTo configure routed proxy ARP, you need the following data.

No. Data

1 Number of the interface to be enabled with routed proxy ARP

2 IP address of the interface to be enabled with routed proxy ARP

2.4.2 Configure an IP Addresses for the InterfaceThe IP address assigned to a routed proxy ARP-enabled interface must be on the same networksegment with the IP address of the host on the LAN to which this interface connects.


system-view


Step 2 Run:interface interface-type interface-number [ .subinterface-number ]


The interfaces supporting routed proxy ARP include GE interfaces, GE sub-interfaces, Virtual-Ethernet sub-interfaces,Eth-Trunk interfaces, and Eth-Trunk sub-interfaces.


The interface is configured with an IP address.

The IP address configured for the interface must be in the same network segment with that ofhosts in the LAN connected with this interface.

----End

2.4.3 Enabling the Routed Proxy ARP FunctionTo interconnect the subnets in the same IP network, you need to enable routed proxy ARP.




Issue 01 (2011-05-30)

Procedure





Step 3 Run:arp-proxy enable

By default, the routed proxy ARP function is disabled on the interface.

After routed proxy ARP is enabled, you must reduce the aging time of ARP entries in the devieceso that the number of packets received but cannot be forwarded by the device is decreased. Toconfigure the aging time of ARP entries.

----End

2.4.4 Checking the ConfigurationYou can view the configuration of routed proxy ARP.

PrerequisiteThe configurations of the routed proxy ARP function are complete.





l Run the display arp statistics { all | slot slot-id } command to check statistics about ARPentries.

----End





2-17




<HUAWEI> display arp vpn-instance r1 slot 1IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------\192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1192.168.1.1 0000-0a41-0200 12 D-6 GE1/0/0 r1------------------------------------------------------------------------------Total:2 Dynamic:1 Static:0 Interface:1

Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries aredisplayed, it means that the configuration succeeds. For example:


2.5 Configuring Proxy ARP Within a VLANBy configuring proxy ARP on a VLAN, you can interconnect isolated hosts on a VLAN.

2.5.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring proxy ARP on a VLAN.

2.5.2 Configure an IP Addresses for the InterfaceThe IP address assigned to an interface needs to be in the same network segment with the IPaddresses of the users of the VLANs associated to this interface.

2.5.3 Configuring the VLAN Associated with the Sub-interfaceDo as follows on the CX device that uses sub-interfaces to implement interworking in a VLAN.

2.5.4 Enabling Proxy ARP Within a VLANTo interconnect isolated users on a VLAN, you need to enable intra-VLAN proxy ARP on theinterface associated to the VLAN.

2.5.5 Checking the ConfigurationYou can view the configuration of intra-VLAN proxy ARP.

2.5.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring proxy ARP on a VLAN.




Issue 01 (2011-05-30)

Applicable EnvironmentIf two users are in the same VLAN but they are isolated from each other, to ensure the two userscan communicate, you need to enable proxy ARP within the VLAN on the interface associatedwith the VLAN.

Pre-configuration TasksBefore configuring proxy ARP within a VLAN, complete the following tasks:

l Configuring physical attributes for the interface and ensuring that the status of the physicallayer of the interface is Up

l Configuring the VLANl Configuring user isolation in the VLAN

Data PreparationTo configure proxy ARP within a VLAN, you need the following data.

No. Data

1 Number of the interface to be enabled with proxy ARP in a VLAN

2 IP address of the interface to be enabled with proxy ARP in a VLAN

3 VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN

2.5.2 Configure an IP Addresses for the InterfaceThe IP address assigned to an interface needs to be in the same network segment with the IPaddresses of the users of the VLANs associated to this interface.

Procedure



Step 2 Run:interface { ethernet | gigabitethernet | eth-trunk } interface-number.sub-interface-number

Or

interface vlanif vlan-id


The interfaces supporting routed proxy ARP in a VLAN include VLANIF interfaces, Ethernetsub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces.




2-19


The IP address configured for the interface must be in the same network segment with that ofhosts in the VLAN associated with this interface.

----End

2.5.3 Configuring the VLAN Associated with the Sub-interfaceDo as follows on the CX device that uses sub-interfaces to implement interworking in a VLAN.

ContextNOTE

This step is required when you enable proxy ARP in a VLAN on the Ethernet sub-interfaces, GE sub-interfaces, or Eth-Trunk sub-interfaces.To enable proxy ARP in a VLAN on the VLANIF interface, skipthis step.

Procedure




The sub-interface view is displayed.

Step 3 Run:vlan-type dot1q low-vid

The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with thesub-interface is configured.

In the CX600, one sub-interface can be associated with one VLAN.

By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.

----End

2.5.4 Enabling Proxy ARP Within a VLANTo interconnect isolated users on a VLAN, you need to enable intra-VLAN proxy ARP on theinterface associated to the VLAN.

Procedure







Issue 01 (2011-05-30)

Or



Step 3 Run:arp-proxy inner-sub-vlan-proxy enable

Proxy ARP within a VLAN is enabled.

----End

2.5.5 Checking the ConfigurationYou can view the configuration of intra-VLAN proxy ARP.

PrerequisiteThe configurations of the proxy ARP within a VLAN function are complete.






----End




<HUAWEI> display arp slot 1IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC------------------------------------------------------------------------------192.168.1.12 0000-0a41-0202 I - GE1/0/1 r2192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1



2-21

------------------------------------------------------------------------------Total:4 Dynamic:2 Static:0 Interface:2





2.6 Configuring Proxy ARP Between VLANsBy configuring inter-VLAN proxy ARP, you can interconnect hosts on different VLANs.

2.6.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring inter-VLAN proxy ARP.

2.6.2 Configuring an IP Addresses for the InterfaceThe IP address assigned to an interface needs to be in the same network segment with the IPaddresses of the users of all the VLANs associated to this interface.

2.6.3 Configuring the VLAN Associated with the Sub-interfaceDo as follows on the device that uses sub-interfaces to implement interworking between VLANs.

2.6.4 Enabling Proxy ARP Between VLANsTo interconnect users on different VLANs, you need to enable inter-VLAN proxy ARP on thesub-interfaces associated to the VLANs.

2.6.5 Checking the ConfigurationYou can view the configuration of inter-VLAN proxy ARP.

2.6.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring inter-VLAN proxy ARP.

Applicable EnvironmentIf two users belong to different VLANs and they need to communicate, you need to enable proxyARP between VLANs on the sub-interface associated with the VLAN.

Sub-VLANs in a super-VLAN cannot communicate with each other. To solve this problem,enable proxy ARP between VLANs on the VLANIF interface corresponding to the super-VLAN.

Implementing communication between VLANs through proxy ARP occupies fewer resourcesthan through than through configuring a VLANIF interface for each sub-VLAN.




Issue 01 (2011-05-30)

IP addresses of hosts in a VLAN must be in the same network segment.

Pre-configuration TasksBefore configuring proxy ARP between VLANs, complete the following tasks:

l Configuring physical attributes for the interface and ensuring that the status of the physicallayer of the interface is Up

l Configuring VLAN aggregation

Data PreparationTo configure proxy ARP between VLANs, you need the following data.

No. Data

1 Number of the interface to be enabled with proxy ARP between VLANs

2 IP address of the interface to be enabled with proxy ARP between VLANs

3 VLAN ID associated with the interface to be enabled with proxy ARP betweenVLANs

2.6.2 Configuring an IP Addresses for the InterfaceThe IP address assigned to an interface needs to be in the same network segment with the IPaddresses of the users of all the VLANs associated to this interface.

Procedure



Step 2 Run:interface { ethernet | gigabitethernet } interface-number.sub-interface-number

Or



The interfaces supporting routed proxy ARP between VLANs include VLANIF interfaces,Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces.



The IP address configured for the interface must be in the same network segment with that ofhosts in the VLAN associated with this interface.

----End



2-23

2.6.3 Configuring the VLAN Associated with the Sub-interfaceDo as follows on the device that uses sub-interfaces to implement interworking between VLANs.

ContextNOTE

This step is required when you enable proxy ARP between VLANs on the Ethernet sub-interfaces, GE sub-interfaces, or Eth-Trunk sub-interfaces. To enable proxy ARP between VLANs on the VLANIF interface,skip this step.

Procedure




The sub-interface view is displayed.

Step 3 Run:vlan-type dot1q low-vid

The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with thesub-interface is configured.

In the CX600, one sub-interface can be associated with one VLAN.

By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.

----End

2.6.4 Enabling Proxy ARP Between VLANsTo interconnect users on different VLANs, you need to enable inter-VLAN proxy ARP on thesub-interfaces associated to the VLANs.

Procedure



Step 2 Run:interface { ethernet | gigabitethernet } interface-number.sub-interface-number

Or






Issue 01 (2011-05-30)

The interfaces supporting routed proxy ARP between VLANs include Eth-Trunk sub-interfaces,VLANIF interfaces, Ethernet sub-interfaces,and GE sub-interfaces.

Step 3 Run:arp-proxy inter-sub-vlan-proxy enable

Proxy ARP between VLANs is enabled.

----End

2.6.5 Checking the ConfigurationYou can view the configuration of inter-VLAN proxy ARP.

PrerequisiteThe configurations of Proxy ARP Between VLANs are complete.






----End







2-25





2.7 Configuring ARP-Ping IPARP-Ping IP is a method of detecting whether an IP address is used by another device on a localarea network (LAN) by sending ARP packets.

2.7.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring ARP-Ping IP.

2.7.2 Detecting the IP Address by Using the arp-ping ip CommandARP-Ping IP detects whether an IP address is used by a device on a LAN by sending ARPrequests.

2.7.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring ARP-Ping IP.

Applicable EnvironmentIn the LAN, to configure an IP address for a device, you need to use the arp-ping ip commandto check whether this IP address is used by another device in the network.

The arp-ping ip command is mainly used in the maintenance of the deployed Lay 2 features.For example, in the L2VPN networking, such as the virtual private LAN segment (VPLS) andvirtual private wire service (VPWS) that the Ethernet or VLAN is used to access, you can runthe arp-ping ip command on the PE or CE to check whether the IP address is used by the localor remote host.

You can also run the ping command to check whether the IP address is used by another deviceon the network. If enabled with the firewall function that does not reply to Ping packets, thedestination host and device do not reply to Ping packets and think that the IP address is not inuse. ARP is a Layer 2 protocol. In most cases, ARP packets can pass through the firewall. Inthis way, the preceding situation does not occur.

Pre-configuration TasksBefore configuring ARP-Ping IP, complete the following tasks:




Issue 01 (2011-05-30)

l Configuring parameters of the link layer protocol and IP addresses for the interfaces andensuring that the status of the link layer protocol on the interfaces is Up.

Data PreparationTo configure ARP-Ping IP, you need the following data.

No. Data

1 IP address to be checked

2.7.2 Detecting the IP Address by Using the arp-ping ip CommandARP-Ping IP detects whether an IP address is used by a device on a LAN by sending ARPrequests.

Procedure

Step 1 Run:arp-ping ip ip-address [ interface interface-type interface-number [ vlan-id vlan-id ] ]

Check whether the IP address is in use.

NOTE

When the specified outgoing interface is a Layer 2 interface, you need to configure vlan-id vlan-id; whenthe specified outgoing interface is a Layer 3 interface, you cannot configure vlan-id vlan-id.

The following information is displayed:

l If the following information is displayed, it means that the IP address is not in use.[HUAWEI] arp-ping ip 110.1.1.2 ARP-Pinging 110.1.1.2: Request timed out Request timed out Request timed out The IP address is not used by anyone!

l If the following information is displayed, it means that the IP address is in use.[HUAWEI] arp-ping ip 128.1.1.1 ARP-Pinging 128.1.1.1:128.1.1.1 is used by 00e0-517d-f202

----End

2.8 Configuring ARP-Ping MACARP-Ping MAC is a method of detecting whether a MAC address is used by another device ona LAN by sending ICMP packets.

2.8.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring ARP-Ping MAC.

2.8.2 Detecting the MAC Address by Using the arp-ping mac Command



2-27

ARP-Ping MAC detects whether an IP address is used by a device on a LAN by sending ICMPpackets.

2.8.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring ARP-Ping MAC.

Applicable EnvironmentTo check whether a MAC address is in use or query the IP address through the MAC address,you can use the arp-ping mac command.

Pre-configuration TasksBefore configuring ARP-Ping MAC, complete the following tasks:

l Configuring parameters of the link layer protocol and IP addresses for the interfaces andensuring that the status of the link layer protocol on the interfaces is Up.

Data PreparationTo configure ARP-Ping MAC, you need the following data.

No. Data

1 MAC address to be checked

2.8.2 Detecting the MAC Address by Using the arp-ping macCommand

ARP-Ping MAC detects whether an IP address is used by a device on a LAN by sending ICMPpackets.

Procedure

Step 1 Run:arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number }

Check whether the MAC address is in use. Alternatively, you can query the IP address throughthe MAC address.

The following information is displayed:

l If the following information is displayed, it means that the MAC address is not in use.[HUAWEI] arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0 OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press CTRL_C to break Request timed out Request timed out Request timed out ----- ARP-Ping MAC statistics ----- 3 packet(s) transmitted




Issue 01 (2011-05-30)

0 packet(s) received MAC[00-E0-51-7D-F2-01] not be used

l If the following information is displayed, it means that the MAC address is in use.[HUAWEI] arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0 OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press CTRL_C to break ----- ARP-Ping MAC statistics ----- 1 packet(s) transmitted 1 packet(s) received IP ADDRESS MAC ADDRESS 128.1.1.1 00-E0-51-7D-F2-02

----End

2.9 Configuring the Association Between ARP and InterfaceStatus

By configuring ARP and interface status association, you can determine whether the peer devicecan forward packets normally by checking whether the device receives a response to the ARPdetection packet sent to the peer device. In this manner, you can determine the protocol status(up or down) of the device and triggers fast route convergence.

2.9.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring ARP and interface status association.

2.9.2 Configuring the Association Between ARP and Interface StatusThrough ARP and interface status association, you can detect link status. Do as follows on theCX device to perform probes.

2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface StatusThe parameters include the intervals at which ARP detection packets are transmitted, maximumnumber of times that the device sends ARP detection packets but receives no response beforethe ARP protocol status is set to Down, and detection mode. Do as follows on the CX device toperform probes.

2.9.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring ARP and interface status association.

Applicable EnvironmentIf transmission devices exist over a link (between devices in the diagram), the actual physicalpath is segmented by the transmission devices although communication ends and transmissiondevices are directly connected at the network layer. In such a case, if the link or remote end fails,the local end must take a long time to detect the fault.

To solve the preceding problem, configure the association between the Bidirectional ForwardingDetection (BFD) status and the interface status. For details, refer to the chapter "BFDConfiguration" in the HUAWEI CX600 Metro Services Platform Configuration Guide -Reliability.

For the device that does not support the BFD function, the CX600 provides the ARP and interfacestatus association function so that local interfaces can correctly judge the forwarding status of



2-29

the remote end and change its protocol status accordingly (Up or Down). Fast convergence ofroutes is thus triggered.

Figure 2-3 Schematic diagram of transmission device existing between devices

CX-A CX-B

Pre-configuration TaskBefore configuring the association between ARP and interface status, complete the followingtasks:

l Configuring physical parameters for interfaces to make the physical statuses of interfacesUp.

l Configuring link layer parameters and IP addresses for interfaces to make the link protocolstatus of interfaces Up.

Data PreparationTo configure the association between ARP and interface status, you need the following data.

No. Data

1 Destination IP address of an ARP probe packet

2 Interval for sending ARP probe packets

3 Maximum times that no response is received for the continually sent ARP probepackets before the protocol status of an interface turns Down

4 Probe mode

2.9.2 Configuring the Association Between ARP and InterfaceStatus

Through ARP and interface status association, you can detect link status. Do as follows on theCX device to perform probes.

Procedure







Issue 01 (2011-05-30)

The view of the interface to be enabled with the association between ARP and interface statusis displayed.

NOTE

The association between ARP and interface status can be configured only on Ethernet interfaces, Ethernetsub-interfaces, Gigabit Ethernet interfaces, and Gigabit Ethernet sub-interfaces.

Step 3 Run:arp status-detect ip-address

The association between ARP and interface status and the destination IP address of the probeare configured. The probed IP address must be the IP address of the directly-connected device.

The device to be probed need not be configured.

----End

2.9.3 (Optional) Adjusting Parameters about the AssociationBetween ARP and Interface Status

The parameters include the intervals at which ARP detection packets are transmitted, maximumnumber of times that the device sends ARP detection packets but receives no response beforethe ARP protocol status is set to Down, and detection mode. Do as follows on the CX device toperform probes.

Procedure




The view of the interface to be enabled with the association between ARP and interface statusis displayed.

Step 3 Run:arp status-detect interval detect-interval

The interval for sending ARP probe packets is set.

By default, the interval is 1000 ms.

Step 4 Run:arp status-detect times detect-times

The maximum times that no response is received for the continually sent ARP probe packetsbefore the protocol status of an interface turns Down are set.

By default, the maximum times are 3.

Step 5 Run:arp status-detect mode loose

The probe mode is set to loose.

By default, the probe mode is strict.



2-31

l In loose mode, probe packets are sent only when the protocol status turns Up. The remoteend declares the protocol to be Up when receiving any types of legal ARP packets.

l In strict mode, probe packets are sent no matter the protocol status is Up or Down. The devicedeclares the protocol to be Up only when receiving legal ARP response packets.NOTE

When you configure ARP probe on both ends, configure the strict mode at least on one end. That is, twoends cannot be configured with the loose mode concurrently. .This is because when the interface on oneend is Down, the protocol status of the remote end turns Down because of a timeout probe. If the probemode is set to loose, both ends never send probe packets actively, which results in the deadlock state.

----End

Follow-up ProcedureThe device to be probed need not be configured.

2.10 Maintaining ARPThe operations of ARP maintenance include clearing ARP statistics and monitoring ARPoperating status.

2.10.1 Clearing ARP EntriesThis section describes ARP entries clearance through the reset command.

2.10.2 Monitoring Network Operation Status of ARPThis section describes ARP operation monitoring through the display command.

2.10.1 Clearing ARP EntriesThis section describes ARP entries clearance through the reset command.

Context

CAUTIONl The mapping between the IP and MAC addresses is deleted after you clear ARP entries. So,

confirm the action before you use the command.l The static ARP entries cannot restore after you clear it. So, confirm the action before you

use the command.

ProcedureStep 1 Run the reset arp { all | dynamic | interface interface-type interface-number | slot slot-id |

static } command in the user view to clear the ARP entries in the ARP mapping table.

----End

2.10.2 Monitoring Network Operation Status of ARPThis section describes ARP operation monitoring through the display command.




Issue 01 (2011-05-30)

ContextIn routine maintenance, you can run the following command in any view to check the operationof ARP.


id ] ] command in any view to check the information about the ARP mapping table basedon interfaces.

l Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ]command in any view to check the information about ARP mapping tables based on slots.

l Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]command in any view to check the information about ARP mapping tables based on VPNinstances.

----End


ContextNOTE


2.11.1 Example for Configuring Routed Proxy ARPThis section provides an example of configuring routed proxy ARP.

2.11.2 Example for Configuring Proxy ARP Within a VLANThis section provides an example of configuring intra-VLAN proxy ARP.

2.11.3 Example for Configuring Proxy ARP Between VLANsThis section provides an example of configuring inter-VLAN proxy ARP.

2.11.4 Example for Configuring the Association Between ARP and Interface StatusThis section provides an example of configuring ARP and interface status association.

2.11.5 Example for Configuring Layer 2 Topology DetectionThis section provides an example of configuring Layer 2 topology detection.

2.11.1 Example for Configuring Routed Proxy ARPThis section provides an example of configuring routed proxy ARP.

Networking RequirementsAs shown in Figure 2-4, two devices are connected through serial lines. Each device has a GE1/0/0 interface connecting with a local network. The network segment of the two local networksis 172.16.0.0/16. No default gateways are specified for Host A and Host B. The device shouldbe configured with proxy ARP, enabling hosts in two local networks to communicate with eachother.



2-33

Figure 2-4 Networking diagram of configuring proxy ARP

Host B

CX-A CX-B172.16.1.1/24 172.16.2.1/24GE1/0/0 GE1/0/0

POS2/0/0172.17.3.1/24

POS2/0/0172.17.3.2/24

172.16.2.2/16172.16.1.2/16Host A

Ethernet A Ethernet B

0000-5e33-ee20

00e0-fc39-80aa 00e0-fc39-80bb

0000-5e33-ee10


1. Configure IP addresses for interfaces.2. Enable proxy ARP on interfaces.3. Configure the default routes.


l IP address for related interfacesl Default routesl IP address of the host

Procedure



<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] ip address 172.16.1.1 255.255.255.0

# Enable proxy ARP.

[CX-A-GigabitEthernet1/0/0] arp-proxy enable[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] quit

# Configure a static route.

[CX-A] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.2


[CX-A] interface pos 2/0/0[CX-A-Pos2/0/0] ip address 172.17.3.1 255.255.0.0[CX-A-Pos2/0/0] undo shutdown




Issue 01 (2011-05-30)

[CX-A-Pos2/0/0] quit



<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] ip address 172.16.2.1 255.255.255.0

# Enable proxy ARP.

[CX-B-GigabitEthernet1/0/0] arp-proxy enable[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] quit


[CX-B] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.1


[CX-B] interface pos 2/0/0[CX-B-Pos2/0/0] ip address 172.17.3.2 255.255.0.0[CX-B-Pos2/0/0] undo shutdown[CX-B-Pos2/0/0] quit

Step 3 Configure the host.

# Configure the IP address of Host A to 172.16.1.2/16.

# Configure the IP address of Host B to 172.16.2.2/16.


# Host A can ping through Host B.

# The ARP table of Host A shows that the MAC address of Host B is the MAC address ofGE1/0/0 on CX-A.

C:\Documents and Settings\Administrator> arp -aInterface: 172.16.1.2 --- 0x2 Internet Address Physical Address Type 172.16.2.2 00e0-fc39-80aa dynamic

----End


#sysname CX-A#interface GigabitEthernet1/0/0 undo shutdown ip address 172.16.1.1 255.255.255.0 arp-proxy enable#interface Pos2/0/0 link-protocol ppp undo shutdown ip address 172.17.3.1 255.255.255.0#ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.2#return



2-35

l Configuration file of CX-B#sysname CX-B#interface GigabitEthernet1/0/0 undo shutdown ip address 172.16.2.1 255.255.255.0 arp-proxy enable#interface Pos2/0/0 link-protocol ppp undo shutdown ip address 172.17.3.2 255.255.255.0#ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.1#return

2.11.2 Example for Configuring Proxy ARP Within a VLANThis section provides an example of configuring intra-VLAN proxy ARP.


As shown in Figure 2-5, DSLAM is connected to the sub-interface Eth-Trunk1.1 of the device.Eth-Trunk1.1 is associated with VLAN 10.

PC A and PC B are two users connected with DSLAM. On DSLAM, the interfaces connectedwith PC A and PC B belong to the same VLAN. User isolation in a VLAN is configured onDSLAM.

To implement communication between PC A and PC B, enable proxy ARP within a VLAN onEth-Trunk1.1 of the device.

Figure 2-5 Networking diagram of configuring proxy ARP in a VLAN

CX device

DSLAM

PC A PC B

Eth-trunk 1.1(Proxy ARP)

VLAN 10

10.10.10.1/24




Issue 01 (2011-05-30)


1. Configure an IP addresses for Eth-Trunk1.1.2. Configure the VLAN associated with the sub-interface.3. Enable proxy ARP in a VLAN on Eth-Trunk1.1.


l IP address of Eth-Trunk1.1l VLAN ID associated with Eth-Trunk1.1

Procedure

Step 1 Configure an IP address for Eth-Trunk1.1.<HUAWEI> system-view[HUAWEI] sysname CX-[CX device] interface eth-trunk 1[CX device-Eth-Trunk] undo shutdown[CX device-Eth-Trunk] quit[CX device] interface eth-trunk 1.1[CX device-Eth-Trunk1.1] ip address 10.10.10.1 255.255.255.0[CX device-Eth-Trunk1.1] undo shutdown[CX device-Eth-Trunk1.1] quit

Step 2 Configure IP addresses for PCs.

# Configure IP addresses for PCs. The IP addresses must be in the same network segment withthe IP address of Eth-Trunk1.1.

# After the configurations, PCs and the device can ping through each other but PCs cannot pingthrough each other.

Step 3 Associate Eth-Trunk1.1 with VLAN 10.[CX device] interface eth-trunk 1.1[CX device-Eth-Trunk1.1] vlan-type dot1q 10

Step 4 Enable proxy ARP in VLAN 10 on Eth-Trunk1.1.[CX device-Eth-Trunk1.1] arp-proxy inner-sub-vlan-proxy enable[CX device-Eth-Trunk1.1] quit


# PC A and PC B can ping through each other.

----End

Configuration FilesThe configuration file of the CX- is as follows:

#sysname CX-#interface Eth-Trunk1 undo shutdown mac-address 00e0-271e-f652



2-37

#interface Eth-Trunk1.1 undo shutdown vlan-type dot1q 10 ip address 10.10.10.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable#return

2.11.3 Example for Configuring Proxy ARP Between VLANsThis section provides an example of configuring inter-VLAN proxy ARP.


As shown in Figure 2-6, VLAN 2 and VLAN 3 compose a super-VLAN, VLAN 4.

The sub-VLANs (VLAN 2 and VLAN 3) cannot ping through each other.

To implement communication between VLAN 2 and VLAN 3, configure proxy ARP betweenVLANs.

Figure 2-6 Networking diagram of configuring proxy ARP between VLANs

VLAN2 VLAN3

VLAN4

CX-A

VLAN2 VLAN3

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an IP addresses for VLANIF4.

2. Enable proxy ARP between VLANs on VLANIF4.

Data Preparation

To complete the configuration, you need IP addresses of interfaces.




Issue 01 (2011-05-30)

ProcedureStep 1 Configure an IP address for the VLANIF interface.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface vlanif 4[CX-A-Vlanif4] ip address 10.10.10.1 255.255.255.0[CX-A-Vlanif4] undo shutdown[CX-A-Vlanif4] quit

Step 2 Configure IP addresses for PCs.

# Configure IP addresses for PCs. The IP addresses must be in the same network segment withthe IP address of VLANIF4.

# After configurations, PCs and the device can ping through each other but PCs in VLAN 2 andPCs in VLAN 3 cannot ping through each other.

Step 3 Configure proxy ARP between VLANs.[CX-A] interface vlanif 4[CX-A-Vlanif4] arp-proxy inter-sub-vlan-proxy enable[CX-A-Vlanif4] quit

Step 4 Verify the configuration.l PCs in VLAN 2 and PCs in VLAN 3 can ping through each other.l Check the ARP table on the PC.

# You can find that in the ARP tables of PCs in VLAN 2, the MAC addresses of all PCs inVLAN 3 are the MAC address of VLANIF4 on the device.

----End

Configuration FilesThe configuration file of CX-A is as follows:#sysname CX-A# vlan batch 2 to 4#vlan 4 aggregate-vlan access-vlan 2 to 3#interface Vlanif4 undo shutdown ip address 10.10.10.1 255.255.255.0 arp-proxy inter-sub-vlan-proxy enable#Return

2.11.4 Example for Configuring the Association Between ARP andInterface Status

This section provides an example of configuring ARP and interface status association.

Networking RequirementsAs shown in Figure 2-7, two devices are connected through a Layer 2 switch. If a fault occurson the GE interface of CX-A but the GE interface of CX-B is Up because the link between the



2-39

switch and CX-B works normally. The protocol status of the GE interface of CX-B is also Up.It is required to configure the association between ARP and interface status on CX-B to probethe status of the GE interface of CX-A. CX-B can then rapidly change its protocol statusaccording to the interface status change of CX-A.

Figure 2-7 Networking diagram of configuring the association between ARP and interface status

CX-A CX-B

GE 1/0/010.1.1.1/24

GE 1/0/010.1.1.2/24

Switch



1. Configure an IP address for each interface.2. Enable the association between ARP and interface status on the interface.3. Adjust parameters about the association between ARP and interface status to optimize

performance.

Data Preparation

To complete the configuration, you need the following data:

l IP addresses of the interfacesl Destination IP address of an ARP probe packetl Interval for sending ARP probe packetsl Maximum times that no response is received for the continually sent ARP probe packets

before the protocol of an interface turns Down

Procedure

Step 1 Configuring an IP address for each interface

# Configure CX-A.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] quit

# Configure CX-B.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] quit




Issue 01 (2011-05-30)

# Ping CX-A on CX-B. The ping succeeds. Run the display interface command on CX-A andCX-B to view statuses of the GE interfaces. You can find that the physical status and protocolstatus of the GE interfaces are Up.

[CX-B] ping 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=110 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=60 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=100 ms Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=70 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=70 ms --- 10.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 60/82/110 ms[CX-A] display interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22, 16:52:54Description : GigabitEthernet1/0/0 Interface, Route PortRoute Port,The Maximum Transmit Unit is 1500 bytesInternet Address is 10.1.1.1/24IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0101The Vendor PN is SCP6F86-GL-CWH Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode WaveLength: 850nm, Transmission Distance: 300m Rx Power: -8.00dBm, Tx Power: -5.13dBm Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send Enable Last physical up time : 2010-06-22, 16:52:54 Last physical down time : 2010-06-22, 16:52:53 Current system time: 2010-06-22 16:53:18 Statistics last cleared:never Last 300 seconds input rate: 208 bits/sec, 0 packets/sec Last 300 seconds output rate: 544 bits/sec, 1 packets/sec Input: 882114 bytes, 10877 packets Output: 2147780 bytes, 31585 packets Input: Unicast: 0 packets, Multicast: 7368 packets Broadcast: 3509 packets, JumboOctets: 0 packets CRC: 0 packets, Symbol: 0 packets Overrun: 0 packets InRangeLength: 0 packets LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets Fragment: 0 packets, Undersized Frame: 0 packets RxPause: 0 packets Output: Unicast: 0 packets, Multicast: 0 packets Broadcast: 31585 packets, JumboOctets: 0 packets Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets TxPause: 0 packets[CX-B] display interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22 14:56:32Description : GigabitEthernet1/0/0 Interface, Route PortRoute Port,The Maximum Transmit Unit is 1500 bytesInternet Address is 10.1.1.2/24IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100The Vendor PN is SCP6F86-GL-CWHPort BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiModeWaveLength: 850nm, Transmission Distance: 300mRx Power: -8.00dBm, Tx Power: -5.13dBmLoopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send EnableLast physical up time : 2010-06-22 14:56:32Last physical down time : 2010-06-22 14:56:31Current system time: 2010-06-22 16:53:19



2-41

Statistics last cleared:never Last 300 seconds input rate: 208 bits/sec, 0 packets/sec Last 300 seconds output rate: 544 bits/sec, 1 packets/sec Input: 882114 bytes, 10877 packets Output: 2147780 bytes, 31585 packets Input: Unicast: 0 packets, Multicast: 7368 packets Broadcast: 3509 packets, JumboOctets: 0 packets CRC: 0 packets, Symbol: 0 packets Overrun: 0 packets InRangeLength: 0 packets LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets Fragment: 0 packets, Undersized Frame: 0 packets RxPause: 0 packets Output: Unicast: 0 packets, Multicast: 0 packets Broadcast: 31585 packets, JumboOctets: 0 packets Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets

Step 2 Run the shutdown command on the GE interface of CX-A to simulate a fault.[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] shutdown[CX-A-GigabitEthernet1/0/0] quit

# Run the display interface command on CX-B to view the status of the GE interfaces. Youcan find that the physical status and protocol status of the GE interfaces are Up. CX-B, however,cannot ping through CX-A.

[CX-B] display interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22 14:56:32Description : GigabitEthernet1/0/0 Interface, Route PortRoute Port,The Maximum Transmit Unit is 1500 bytesInternet Address is 10.1.1.2/24IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100The Vendor PN is SCP6F86-GL-CWHPort BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiModeWaveLength: 850nm, Transmission Distance: 300mRx Power: -8.00dBm, Tx Power: -5.13dBmLoopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send EnableLast physical up time : 2010-06-22 14:56:32Last physical down time : 2010-06-22 14:56:31Current system time: 2010-06-22 16:53:19Statistics last cleared:never Last 300 seconds input rate: 208 bits/sec, 0 packets/sec Last 300 seconds output rate: 544 bits/sec, 1 packets/sec Input: 882114 bytes, 10877 packets Output: 2147780 bytes, 31585 packets Input: Unicast: 0 packets, Multicast: 7368 packets Broadcast: 3509 packets, JumboOctets: 0 packets CRC: 0 packets, Symbol: 0 packets Overrun: 0 packets InRangeLength: 0 packets LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets Fragment: 0 packets, Undersized Frame: 0 packets RxPause: 0 packets Output: Unicast: 0 packets, Multicast: 0 packets Broadcast: 31585 packets, JumboOctets: 0 packets Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets [CX-B] ping 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out




Issue 01 (2011-05-30)

Request time out --- 10.1.1.1 ping statistics --- 5 packet(s) transmitted 0 packet(s) received100.00% packet loss

Step 3 Enable the association between ARP and interface status on CX-B.

# Specify the IP address of the GE interface of CX-A as the destination IP address of the probe.

[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] arp status-detect 10.1.1.1

Step 4 Adjust parameters about the association between ARP and interface status on CX-B.

# Set the interval for sending ARP probe packets to 3 seconds.

[CX-B-GigabitEthernet1/0/0] arp status-detect interval 3000

# Set the probe times to five.

[CX-B-GigabitEthernet1/0/0] arp status-detect times 5[CX-B-GigabitEthernet1/0/0] quit

# After about 15 seconds (three seconds x five times), the GE interface status of CX-B is Upand the protocol status turns Down.

[CX-B]Sep 16 2007 15:37:45 CX-B %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet1/0/0 has turned into DOWN state.[CX-B] display interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UPLine protocol current state : DOWNDescription : GigabitEthernet1/0/0 Interface, Route PortRoute Port,The Maximum Transmit Unit is 1500 bytesInternet Address is 10.1.1.2/24IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100The Vendor PN is SCP6F86-GL-CWHPort BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiModeWaveLength: 850nm, Transmission Distance: 300mRx Power: -8.00dBm, Tx Power: -5.13dBmLoopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive Enable and Send EnableLast physical up time : 2010-06-22 14:56:32Last physical down time : 2010-06-22 14:56:31Current system time: 2010-06-22 16:55:19Statistics last cleared:never Last 300 seconds input rate: 208 bits/sec, 0 packets/sec Last 300 seconds output rate: 544 bits/sec, 1 packets/sec Input: 882114 bytes, 10877 packets Output: 2147780 bytes, 31585 packets Input: Unicast: 0 packets, Multicast: 7368 packets Broadcast: 3509 packets, JumboOctets: 0 packets CRC: 0 packets, Symbol: 0 packets Overrun: 0 packets InRangeLength: 0 packets LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets Fragment: 0 packets, Undersized Frame: 0 packets RxPause: 0 packets Output: Unicast: 0 packets, Multicast: 0 packets Broadcast: 31585 packets, JumboOctets: 0 packets Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets

----End



2-43


# sysname CX-A#interface GigabitEthernet1/0/0 undo shutdown ip address 10.1.1.1 255.255.255.0#return

l Configuration file of CX-B# sysname CX-B#interface GigabitEthernet1/0/0 undo shutdown arp status-detect 10.1.1.1 arp status-detect times 5 arp status-detect interval 3000 ip address 10.1.1.2 255.255.255.0#return

2.11.5 Example for Configuring Layer 2 Topology DetectionThis section provides an example of configuring Layer 2 topology detection.

Networking RequirementsAs shown in Figure 2-8, configure VLAN 100 as the default VLAN of the two GE interfaceson the device enabled with the portswitch function. Configure the IP addresses of the two GEinterfaces based on the figure.

Figure 2-8 Networking diagram of configuring Layer 2 topology detection

VLANIF10010.1.1.2/24

PC B10.1.1.3/24

PC A10.1.1.1/24

VLAN100

GE 1/0/1 GE 1/0/2

CX600





Issue 01 (2011-05-30)

1. Enable portswitch on two GE interfaces and configure them to join VLAN 100 by default.2. Enable Layer 2 topology detection and view changes of ARP entries.


l Types and numbers of the interfaces to be added to a VLANl IP addresses of the VLANIF interface and the PCs

ProcedureStep 1 Create VLAN 100 and configure VLAN 100 to be the default VLAN of the two GE interfaces

on the device.

# Create VLAN 100 and configure an IP address for the VLANIF interface.<HUAWEI> system-view[HUAWEI] sysname CX device[CX device] vlan 100[CX device-vlan100] quit[CX device] interface vlanif 100[CX device-vlanif100] undo shutdown[CX device-vlanif100] ip address 10.1.1.2 24[CX device-vlanif100] quit

# Configure the two GE interfaces to join VLAN 100 by default.[CX device] interface gigabitethernet 1/0/1[CX device-GigabitEthernet1/0/1] undo shutdown[CX device-GigabitEthernet1/0/1] portswitch[CX device-GigabitEthernet1/0/1] port default vlan 100[CX device-GigabitEthernet1/0/1] quit[CX device] interface gigabitethernet 1/0/2[CX device-GigabitEthernet1/0/2] undo shutdown[CX device-GigabitEthernet1/0/2] portswitch[CX device-GigabitEthernet1/0/2] port default vlan 100[CX device-GigabitEthernet1/0/2] quit

Step 2 Enable the Layer 2 topology detection function.[CX device] l2-topology detect enable

Step 3 Restart GE 1/0/1 and view changes of ARP entries and aging time.

# View ARP entries on the device. You can find that the device has learnt the MAC address ofthe PC.[CX device] display arp all IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC-----------------------------------------------------------------------------10.1.1.2 00e0-c01a-4900 I - Vlanif10010.1.1.1 00e0-c01a-4901 20 DF6 GE1/0/1100/-10.1.1.3 00e0-de24-bf04 20 DF6 GE1/0/2100/------------------------------------------------------------------------------Total:3 Dynamic:2 Static:0 Interface:1

# Run the shutdown command and then the undoshutdown command on GE 1/0/1 to view theaging time of ARP entries.[CX device] interface gigabitethernet 1/0/1[CX device-GigabitEthernet1/0/1] shutdown



2-45

[CX device-GigabitEthernet1/0/1] undo shutdown[CX device-GigabitEthernet1/0/1] display arp allIP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC----------------------------------------------------------------------------10.1.1.2 00e0-c01a-4900 I - Vlanif100 10.1.1.3 00e0-de24-bf04 0 DF6 GE1/0/2100/-------------------------------------------------------------------------------Total:2 Dynamic:1 Static:0 Interface:1

NOTE

From the preceding display, you can find that the ARP entries learnt from GE 1/0/1 are deleted after GE1/0/1 is shut down and the aging time of the ARP entries learnt from GE 1/0/2 changes to 0. When theaging time is 0, the device sends an ARP probe packet for updating ARP entries.

[CX device-GigabitEthernet1/0/1] display arp all IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC----------------------------------------------------------------------------10.1.1.2 00e0-c01a-4900 I - Vlanif100 10.1.1.3 00e0-de24-bf04 20 DF6 GE1/0/2100/-----------------------------------------------------------------------------Total:2 Dynamic:1 Static:0 Interface:1

NOTE

After the entry is updated, the aging time restores the default value, 20 minutes.

----End

Configuration FilesThe configuration file of CX device is as follows:

# sysname CX device#L2-topolgy detect enable# vlan 100#interface Vlanif100 undo shutdown ip address 10.1.1.2 255.255.255.0#interface GigabitEthernet1/0/1 undo shutdown portswitch port default vlan 100#interface GigabitEthernet1/0/2 undo shutdown portswitch port default vlan 100#return




Issue 01 (2011-05-30)

3 DNS Configuration

About This Chapter

By configuring the Domain Name System (DNS), you can enable network devices tocommunicate with other through their domain names.

3.1 DNS OverviewThe DNS is a host naming mechanism. It assigns a domain name, that is easy to memorize andis of significance, to each host on the Internet in a hierarchical manner.

3.2 Configuring DNSBy configuring the DNS, you can set up a mapping between a domain name and an IP address.In this manner, you can enable the device to communicate with other devices.

3.3 Maintaining DNSThe operations of DNS maintenance include clearing DNS statistics and monitoring the DNSoperating status.


HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 3 DNS Configuration


3-1

3.1 DNS OverviewThe DNS is a host naming mechanism. It assigns a domain name, that is easy to memorize andis of significance, to each host on the Internet in a hierarchical manner.

3.1.1 Introduction to DNSAfter each host on the Internet is assigned a domain name, you can set up a mapping betweenthe domain name and IP address of a host through. In this manner, you can use domain names,which are easy to memorize and are of significance, instead of complicated IP addresses.

3.1.2 DNS Supported by the CX600Domain name resolution can be performed in either dynamic mode or static mode.

3.1.1 Introduction to DNSAfter each host on the Internet is assigned a domain name, you can set up a mapping betweenthe domain name and IP address of a host through. In this manner, you can use domain names,which are easy to memorize and are of significance, instead of complicated IP addresses.

The Domain Name System (DNS) is a host naming mechanism provided by TCP/IP, with whichhosts can be named in the form of character string. This system assumes a hierarchical namingstructure. It designates a meaningful name for the device in the Internet and associates the namewith the IP address through a domain name resolution server. In this manner, you can use domainnames that are easy to remember instead of memorizing complex IP addresses.

3.1.2 DNS Supported by the CX600Domain name resolution can be performed in either dynamic mode or static mode.

DNS has two resolution modes: dynamic DNS resolution and static DNS resolution. To resolvea domain name, the system first uses static DNS resolution. If this mode fails, the system usesdynamic DNS resolution. To improve resolution efficiency, you can put common domain namesin a static domain name resolution table.

The CX600 supports static resolution and dynamic resolution.

3.2 Configuring DNSBy configuring the DNS, you can set up a mapping between a domain name and an IP address.In this manner, you can enable the device to communicate with other devices.

3.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring the DNS.

3.2.2 Configuring Static DNS EntriesYou can create a table of mappings between domain names and IP addresses and add commonly-used domain names to this table. When a client needs to use the IP address corresponding to adomain name, the client can search the table for the required IP address. This improves theefficiency of domain name resolution.

3.2.3 Configuring Dynamic DNS

3 DNS ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

To perform dynamic domain name resolution, you need a special domain name resolution server,which runs a server program. This server provides mappings between domain names and IPaddresses and receives resolution requests from the client.

3.2.4 Checking the ConfigurationYou can view the configuration of the DNS.

3.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring the DNS.

Applicable EnvironmentIf local users accessing devices need to communicate with other devices by using domain names,you can configure DNS on the device. An DNS entry is an mapping between a domain nameand an IP address.

If local users communicate with other devices hardly through the domain name or if the DNSserver is unavailable, configure static DNS. Prior to configuring static DNS, you must know themapping between the domain name and the IP address. In case of a change in the mapping, youmust modify the DNS entry manually.

You can configure dynamic DNS on the device if local users frequently use domain names forcommunicating with other devices and the DNS server is available.

Pre-configuration TasksBefore configuring DNS, complete the following tasks:

l Configuring physical attributes of the interface and ensuring that the physical layer statusof the interface is Up

l Configuring parameters of the link layer protocol of the interface and ensuring that the linklayer protocol status of the interface is Up

l Configuring routes between the local device and the DNS serverl Configuring the DNS server

Data PreparationTo configure DNS, you need the following data.

No. Data

1 Domain name and the corresponding IP address in a static DNS entry

2 IP address of a DNS server

3 Domain name or the domain name list of a dynamic DNS entry

3.2.2 Configuring Static DNS EntriesYou can create a table of mappings between domain names and IP addresses and add commonly-used domain names to this table. When a client needs to use the IP address corresponding to a



3-3

domain name, the client can search the table for the required IP address. This improves theefficiency of domain name resolution.


system-view


Step 2 Run:ip host host-name ip-address

The IP address corresponding to the host name is configured.

A host name corresponds to only one IP address. When you configure an IP address for a hostfor several times, only the IP address configured at the latest is valid. To resolve several hostnames, repeat Step 2.

You can configure a maximum of 50 static DNS entries.

----End

3.2.3 Configuring Dynamic DNSTo perform dynamic domain name resolution, you need a special domain name resolution server,which runs a server program. This server provides mappings between domain names and IPaddresses and receives resolution requests from the client.


system-view


Step 2 Run:dns resolve

Dynamic domain name resolution is enabled.

Step 3 Run:dns server ip-address

A DNS server is specified.

Step 4 (Optional) Run:dns server source-ip source-ip-address

The IP address of the local device is specified.

The local device uses the specified IP address to communicate with the DNS server, whichensures communication security.

Step 5 Run:dns domain domain-name

The suffix of the domain name is added.

----End




Issue 01 (2011-05-30)

Follow-up ProcedureThe system supports the configuration of a maximum of 6 domain name servers, 1 sourceaddress, and 10 domain name suffixes.

To configure more than one domain name server, repeat Step 3.

To configure more than one domain name suffix, repeat Step 5.

3.2.4 Checking the ConfigurationYou can view the configuration of the DNS.

PrerequisiteThe configurations of the DNS function are complete.

Procedurel Run the display ip host command to check the information about the static DNS entry

table.l Run the display dns server command to check the configurations about DNS servers.l Run the display dns domain command to check the configurations about domain name

suffixes.l Run the display dns dynamic-host command to check the information about dynamic DNS

entries in the domain name cache.

----End

ExampleRun the display ip host command. If static DNS entries including the mappings between hostnames and IP addresses, are displayed, it means that the configuration succeeds. For example:<HUAWEI> display ip hostHost Age Flags Addresshw 0 static 10.1.1.1gww 0 static 192.168.1.1

Run the display dns server command. If IP addresses of all domain servers are displayed, itmeans that the configuration succeeds. For example:<HUAWEI> display dns serverIPv4 Dns Servers :Domain-server IpAddress 1 172.16.1.1 2 172.16.1.2

IPv6 Dns Servers :No configured servers.

Run the display dns domain command. If the list of suffixes of domain names is displayed, itmeans that the configuration succeeds. For example:<HUAWEI> display dns domainNo Domain-name1 com2 net

Run the display dns dynamic-host command. If information about the dynamic domain namecache is displayed, it means that the configuration succeeds. For example:



3-5

<HUAWEI> display dns dynamic-hostNo Domain-name IpAddress TTL Alias1 www.huawei.com 91.1.1.1 35212 www.huawei.com.cn 87.1.1.1 3000

3.3 Maintaining DNSThe operations of DNS maintenance include clearing DNS statistics and monitoring the DNSoperating status.

3.3.1 Clearing DNS EntriesThis section describes DNS entry clearance through the reset command.

3.3.2 Monitoring Network Operation Status of DNSThis section describes DNS operation monitoring through the display command.

3.3.1 Clearing DNS EntriesThis section describes DNS entry clearance through the reset command.

Context

CAUTIONDNS entries cannot be restored after being cleared. So, confirm the action before you use thiscommand.

Procedure

Step 1 Run the reset dns dynamic-host command in the user view to clear dynamic DNS entriesstatistics in the domain name cache.

----End

3.3.2 Monitoring Network Operation Status of DNSThis section describes DNS operation monitoring through the display command.

ContextIn routine maintenance, you can run the following command in any view to check the operationof DNS.

Procedurel Run the display ip host command to check the information about the static DNS entry

table.l Run the display dns server command to check configurations about DNS servers.l Run the display dns domain command to check configurations about domain name

suffixes.




Issue 01 (2011-05-30)

l Run the display dns dynamic-host command to check the information about dynamic DNSentries in the domain name cache.

----End


ContextNOTE

This document takes interface numbers and link types of the CX600 as an example. In working situations,the actual interface numbers and link types may be different from those used in this document.

3.4.1 Example for Configuring DNSThis section provides an example of configuring the DNS.

3.4.1 Example for Configuring DNSThis section provides an example of configuring the DNS.

Networking RequirementsAs shown in Figure 3-1, CX-A acts as a DNS client, being required to access the host 2.1.1.3/16by using the domain name huawei.com. You need to configure domain name suffixes "com"and "net".

On CX-A, configure static DNS entries of CX-B and CX-C so that CX-A can communicate withthem by using domain names.

Figure 3-1 Networking diagram of DNS

Loopback04.1.1.1/32

Loopback04.1.1.2/32

GE1/0/01.1.1.2/16

GE1/0/11.1.1.1/16 GE1/0/0

2.1.1.1/16GE1/0/02.1.1.2/16

GE1/0/13.1.1.1/16

CX-A

CX-B CX-C

huawei.com2.1.1.3/16

DNS Server3.1.1.2/16

DNS Client




3-7

1. Configure static DNS entries.2. Enable DNS resolution.3. Configure an IP address for the DNS server.4. Configure suffixes of domain names.


l Domain names of CX-B and CX-Cl IP address of the DNS serverl Suffixes of domain names

Procedure


# Configure static DNS entries.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ip host CX-B 4.1.1.1[CX-A] ip host CX-C 4.1.1.2

# Enable DNS resolution.

[CX-A] dns resolve

# Configure an IP address for the DNS server.

[CX-A] dns server 3.1.1.2

# Configure a domain name suffix "net".

[CX-A] dns domain net

# Configure a domain name suffix "com".

[CX-A] dns domain com[CX-A] quit

NOTE

To complete DNS resolution, configuring routes from CX-A to the DNS server is mandatory. Forprocedures for configuring routes, refer to the CX600 Metro Services Platform Configuration Guide - IPRouting.


# Run the ping huawei command on CX-A to ping the IP address 2.1.1.3. The ping succeeds.

<CX-A> ping huawei.comTrying DNS server (3.1.1.2) PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms --- huawei.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss




Issue 01 (2011-05-30)

round-trip min/avg/max = 4/4/6 ms

# Run the display ip host command on CX-A to view static DNS entries, including mappingsbetween host names and IP addresses.

<CX-A> display ip hostHost Age Flags AddressCX-B 0 static 4.1.1.1CX-C 0 static 4.1.1.2

# Run the display dns dynamic-host command on CX-A to view dynamic DNS entries in thedomain name cache.

<CX-A> display dns dynamic-hostNo Domain-name IpAddress TTL Alias1 huawei.com 2.1.1.3 3579

NOTE

TTL value in the above display indicates the lifetime of an entry. It is in seconds.

----End


# sysname CX-A# ip host CX-B 4.1.1.1 ip host CX-C 4.1.1.2# dns resolve dns server 3.1.1.2 dns domain net dns domain com#interface GigabitEthernet1/0/0 undo shutdown ip address 1.1.1.2 255.255.0.0#rip 1 network 1.0.0.0#return

l Configuration file of CX-B# sysname CX-B#interface GigabitEthernet1/0/0 undo shutdown ip address 2.1.1.1 255.255.0.0#interface GigabitEthernet1/0/1 undo shutdown ip address 1.1.1.1 255.255.0.0#interface LoopBack0 ip address 4.1.1.1 255.255.255.255#rip 1 network 2.0.0.0 network 1.0.0.0 network 4.0.0.0#return



3-9

l Configuration file of CX-C# sysname CX-C#interface GigabitEthernet1/0/0 undo shutdown ip address 2.1.1.2 255.255.0.0#interface GigabitEthernet1/0/1 undo shutdown ip address 3.1.1.1 255.255.0.0#interface LoopBack0 ip address 4.1.1.2 255.255.255.255#rip 1 network 2.0.0.0 network 3.0.0.0 network 4.0.0.0#return




Issue 01 (2011-05-30)

4 COPS Configuration

About This Chapter

The IPTN solution works to ensure end-to-end quality of service. COPS is used for exchanginginformation between servers and devices.

ContextNOTE

COPS cannot be configured on the X1 and X2 models of the CX600.

4.1 COPS OverviewThe IPTN solution not only improves the transmission efficiency of bearer networks, but alsoensures end-to-end quality of service. COPS is used for exchanging policies between RM serversand devices.

4.2 Configuring the COPS Server GroupA COPS server group brings together several COPS servers that have the same attributes andwork in load balancing mode. The device manages COPS servers as a group.

4.3 Configuration ExamplesThis section includes networking requirements, configuration precautions, and the configurationroadmap.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 4 COPS Configuration


4-1

4.1 COPS OverviewThe IPTN solution not only improves the transmission efficiency of bearer networks, but alsoensures end-to-end quality of service. COPS is used for exchanging policies between RM serversand devices.

4.1.1 Introduction to COPSCommon Open Policy Service (COPS) employs a simple query and response model. It is usedto exchange policy information between a policy server and its clients.

4.1.2 COPS Features Supported by the CX600The CX600 supports three types of controls on the number of users online at any given time. Itallows an ISP to configure a value for the number of users online that exceeds the networkbearing capacity. The CX600 also allows restrictions on the number of users who go online atthe same time, as well as security inspections and control of IPTN users.

4.1.1 Introduction to COPSCommon Open Policy Service (COPS) employs a simple query and response model. It is usedto exchange policy information between a policy server and its clients.

More people are using broadband Internet every day. The range of data services is growing asare the revenues of telecommunications service providers. IP services are replacing voicetelecommunications as packet networks develop. Broadband access is the core driver behind thedevelopment of IP services. As time goes on service providers are becoming more experiencedand adept at delivering an ever richer and more exciting selection of IP services.

When it comes to bearing services and operations, however, IP networks are far from perfect.Carriers are concerned that existing IP networks cannot bear all of the wide variety oftelecommunications services now available. Many data services like voice, video and othermultimedia services are very demanding when it comes to bandwidth needs, tolerance of delays,and packet loss ratio. Quality of service (QoS) takes a big hit when networks fail to meet thesedemands. Today the provision of Internet services is for the most part a "best effort" endeavor.Networks simply do not have resources in reserve. The only way for networks to reducecongestion in an effort to guarantee QoS is to discard packets.

Existing IP networks have many deficiencies as they work to bear carrier-class services. QoSfor IP networks has improved greatly, but this has been achieved mainly by focusing on singlenodes that prioritize and process packets in order of precedence. If, however, end to end qualityis to be ensured, service awareness and access control must be realized on the entire network,and especially on the access network.

IP bearer networks that can deliver services with an end-to-end QoS guarantee are urgentlyneeded. Today's Internet must be upgraded to provide those better quality data services. To thisend, Huawei has developed its IP telecommunication network (IPTN) solution. The IPTNsolution aims to provide end-to-end QoS on existing IP networks. IPTN introduces the conceptof a bearer control layer residing between the service control layer and the bearer layer. IPTNis designed to improve the transmission efficiency of a bearer network. Resources are appliedfor when needed, held only while they are in use, and released when they are no longer required.

IPTN guarantees end-to-end QoS on IP networks, adding value to networks and helping carriersto maximize return on investment. IPTN:

4 COPS ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

l Works with existing IP networks and does not affect traditional services that have no QoSguarantee.

l Bears traditional telecommunication services as well as offering support for a wide rangeof other services.

l Applies for resources before a connection is set up, guarantees quality of service while theconnection is in use, and releases the resources after the connection is closed.

l Has a network structure with three layers: logical bearer layer, bearer control layer, andservice control layer.

l Has a bearer layer based on MPLS, which allows resources for IPTN services to beseparated from those for IP services.

COPS is an application protocol. It employs a simple query and response model and is used toexchange policies between a policy server and its clients.

COPS refers to a policy server as a Policy Decision Point (PDP). PDP clients are called PolicyEnforcement Points (PEPs).

IPTN uses COPS to exchange policies between an RM server and a CX device. The RM serverreceives messages from the Soft Switch and then uses the COPS protocol to send these messagesto the CX device.

4.1.2 COPS Features Supported by the CX600The CX600 supports three types of controls on the number of users online at any given time. Itallows an ISP to configure a value for the number of users online that exceeds the networkbearing capacity. The CX600 also allows restrictions on the number of users who go online atthe same time, as well as security inspections and control of IPTN users.

Three Levels of Limits of Number of UsersThe CX600 allows Internet Service Providers (ISPs) to configure a number of users exceedingthe network bearing capability and to limit the number of users who access the Internet at thesame time. To identify Digital Subscriber Line Access Multiplexers (DSLAMs) and users, a PEdevice provides IPTN services by using QinQ termination sub-interfaces.

The CX600 provides three levels of limits of number of users:

l VLAN-group: is a set of users that use the same statistics policies and queue policies.l QinQ termination sub-interface: is used for the access of users in the same IP network

segment. Multiple VLAN-groups can be configured on a sub-interface.l Primary interface: Multiple QinQ termination sub-interfaces can be configured on a

primary interface.

After the three levels of limits are configured, the CX600 can guarantee that the number of onlineusers satisfies requirements of any level.

Detection of Online and Offline of UsersWhen a user goes offline, a DHCP Release message was send to the DHCP server. If DHCPRelay is enabled on the PE, the PE can sense the message and notifies the COPS server aboutthe offline of the user. The COPS server then releases the network resources held by that user.

The CX600 detects users by using the Address Resolution Protocol (ARP). ARP sends ARPRequest messages at intervals according to IP addresses of users recorded on the local device.



4-3

When users are online, they send ARP Response messages. The PE knows that the users areonline based on the ARP Response messages. If the PE does not receive any ARP Responsemessage in several continuous periods from a user, it considers that the user goes offlineabnormally. Then, the PE sends DHCP Release messages to the DHCP server so that the DHCPserver releases the IP address of the user, which avoids waste of IP addresses. At the same time,the PE notifies the COPS server of the offline of the user.

Security Checking over UsersThe CX600 provides the DHCP security binding function. The CX600 saves the information onusers according to the combination of IP addresses, MAC addresses, access interfaces, andVLANs. Users can access the network only when they match all the information. The savedinformation is released with the release of IP addresses.

After the DHCP security binding function is enabled and the link for a user fails, the user canachieve Internet services only when the user resends DHCP packets to apply for a valid IPaddress.

Control over UsersThe CX600 can display information about online users and force users to go offline. Suchfunctions are used when user operations are found abnormal or when network resources needto be adjusted.

The CX600 can force users to go offline in either of the following modes:

l Force users to go offline by interfaces.l Force users to go offline by interface plus VLAN-group labels.

In the case that network configurations are not changed, the users that are forced to go offlinecan resend DHCP Request messages to use network resources again.

4.2 Configuring the COPS Server GroupA COPS server group brings together several COPS servers that have the same attributes andwork in load balancing mode. The device manages COPS servers as a group.

4.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a COPS server group.

4.2.2 Configuring the Global Parameters of COPSThis section describes how to set global COPS parameters. These include setting the timeoutperiod for COPS Open messages, setting the source interface through which COPS messagesare sent, and binding the COPS server group to the IPTN service.

4.2.3 Creating a COPS Server GroupTo create a COPS server group, you must specify the name and client type for the COPS servergroup.

4.2.4 Configuring the COPS ServerTo configure a COPS server, you must specify the IP address, interface number, VPN instancefor the server, as well as the weight of the server and client interface number.

4.2.5 Setting the PEP ID for the COPS Server




Issue 01 (2011-05-30)

The COPS server uses a client identifier to identify a client. The default client identifier is huawei.

4.2.6 (Optional) Setting the Flow Keeping Time of the COPS ServerSetting the flow keeping time for a COPS server helps to prevent intermittent connectioninterruptions when the network becomes unstable. The flow keeping time refers to the durationin which connection information is kept after the COPS client is disconnected from the COPSserver. Flow keeping prevents the connection from being intermittently broken due to thenetwork instability.

4.2.7 (Optional) Setting the Shared Key of the COPS ServerEncrypting COPS packets improves the security of packet exchanges between a client and COPSserver group.

4.2.8 Activating the COPS Server GroupWhen a COPS server group is activated, the device attempts to set up a TCP connection witheach server in the COPS server group.

4.2.9 Checking the ConfigurationYou can view the configuration of the COPS server.

4.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a COPS server group.


To send policies for value-added services using a COPS server, you must configure a COPSserver group on a device. A COPS server group is used to manage COPS servers. The serversin a COPS server group work in load balancing mode and share many of the same attributes.Each server in the group, however, has a unique IP address, VPN instance, port number, andweight value.


None.

Data Preparation

To configure a COPS server group, you need the following data.

No. Data

1 Name of the COPS server group

2 IP address, VPN instance, server port number, client port number, and weight of eachCOPS server to be included in the group

3 PEP ID of the COPS clients

4 (Optional) Flow keeping time after the COPS client and the COPS server aredisconnected

5 (Optional) Shared key of the COPS server



4-5

No. Data

6 (Optional) Timeout period for COPS Open messages and source interface of thedevice sending COPS messages

4.2.2 Configuring the Global Parameters of COPSThis section describes how to set global COPS parameters. These include setting the timeoutperiod for COPS Open messages, setting the source interface through which COPS messagesare sent, and binding the COPS server group to the IPTN service.

Procedure



Step 2 Run:cops-server open-timeout time

The timeout period for the COPS Open message is set.

This parameter defines the period of time the device waits for a response after it sends a COPSOpen message to the COPS server. If the device receives no response from the COPS serverwithin this period, it resends the Open message to the server. Be default, the timeout period forthe COPS Open message is 15 seconds.

NOTE

If the network is not stable, extending the timeout period for COPS Open messages is recommended.

Step 3 Run:cops-server source-interface interface-type interface-number

The source interface that sends the COPS message is configured.

This parameter defines the interface from which COPS messages are sent. A COPS session canbe established only after the source interface of the COPS messages is configured.

NOTE

Configuring a logical interface, such as a loopback interface, to be the source interface for COPS messagesis recommended. Physical interfaces may go Down, rendering the system incapable of receiving responsesfrom the COPS server.

Step 4 Run:cops-group iptn-binding group-name

The COPS server group is bound to IPTN services.

NOTE

A newly created COPS server group can implement IPTN services only after it is bound to the IPTNservices.

----End




Issue 01 (2011-05-30)

4.2.3 Creating a COPS Server GroupTo create a COPS server group, you must specify the name and client type for the COPS servergroup.

Procedure



Step 2 Run:cops-server group group-name [ client-type ssg ]

A COPS server group is created.

NOTE

When creating a COPS server group for the first time, you must specify the parameter client-type,indicating the type of service required from the COPS server.

----End

Follow-up ProcedureAfter a COPS server group is created, the view of the COPS server group is displayed. If thereis an existing COPS server group, run the preceding command to enter its view.

4.2.4 Configuring the COPS ServerTo configure a COPS server, you must specify the IP address, interface number, VPN instancefor the server, as well as the weight of the server and client interface number.

Procedure



Step 2 Run:cops-server group group-name

The view of the COPS server group is displayed.

Step 3 Run:cops-server ip-address [ server-port | client-port client-port | vpn-instance instance-name | weight value ] *

The COPS server is configured.

NOTE

l Modifying the port number of the COPS server is not recommended. The device cannot set up a TCPconnection with the COPS server if the modified port number is in use.

l Ensure that at least one reachable route exists between the device and the COPS server.

----End



4-7

4.2.5 Setting the PEP ID for the COPS ServerThe COPS server uses a client identifier to identify a client. The default client identifier is huawei.

ContextThe PEP ID is used by a COPS server to identify clients. Normally, the IP address of a loopbackinterface on the device can be specified as the PEP ID.

Procedure





Step 3 Run:cops-server pep-id client-id

The PEP ID is set for the COPS client.

----End

Follow-up ProcedureYou can set the PEP ID based on the COPS server group. If a device is a client of several differentCOPS server groups, it can have a different PEP ID for each of those server groups. The defaultPEP ID is huawei.

4.2.6 (Optional) Setting the Flow Keeping Time of the COPS ServerSetting the flow keeping time for a COPS server helps to prevent intermittent connectioninterruptions when the network becomes unstable. The flow keeping time refers to the durationin which connection information is kept after the COPS client is disconnected from the COPSserver. Flow keeping prevents the connection from being intermittently broken due to thenetwork instability.

Procedure





Step 3 Run:cops-server flow-keeping-time time




Issue 01 (2011-05-30)

The flow keeping time of the COPS server is set.

----End

Follow-up Procedure

After the cops-server flow-keeping-time command is run, the system can promptly restoreconnection information if a COPS client re-establishes a connection with the COPS server withinthe configured flow keeping time limit.

NOTE

l Setting a value for flow keeping time is recommended if the network is unstable and, especially, ifroutes to the COPS server frequently flap.

l By default, flow keeping time for the COPS server is 300 seconds.

4.2.7 (Optional) Setting the Shared Key of the COPS ServerEncrypting COPS packets improves the security of packet exchanges between a client and COPSserver group.

Procedure





Step 3 Run:cops-server shared-key key-string

The shared key of the COPS server is set.

----End

Follow-up Procedure

The shared key encrypts COPS messages. The device and the COPS server must be set with thesame shared key. Setting a shared key improves the security of message exchanges betweenclients and the COPS server group.

NOTE

If secure message exchange between the client and COPS server group is a high priority, setting a sharedkey for the COPS server is recommended.

4.2.8 Activating the COPS Server GroupWhen a COPS server group is activated, the device attempts to set up a TCP connection witheach server in the COPS server group.



4-9

Procedure





Step 3 Run:active

All the COPS servers in the COPS server group are activated.

NOTE

The device attempts to set up connections with the COPS servers only after the COPS server group isactivated.

----End

Follow-up ProcedureAfter the preceding configuration, the device attempts to set up TCP connections with all theCOPS servers in the COPS server group.

4.2.9 Checking the ConfigurationYou can view the configuration of the COPS server.

PrerequisiteThe configurations of the COPS Server Group are complete.

Procedure

Step 1 Run the display cops-server configuration [ groupgroup-name ] command to check theconfiguration of a specified COPS server group.

----End

ExampleCheck information about the COPS server group huawei.

<HUAWEI> display cops-server configuration group huawei-- Cops group table display ------------------------------------------------- Group index : 0 Group name : huawei Client type : ssg Group up or down flag : Down Group active state : Active Secret key : huawei Flow keeping time (second) : 500 PEP ID : client1 Group Source interface name : -- Group Reference number : 0




Issue 01 (2011-05-30)

[state][server IPv4 addr][server port][client port][weight][vpn name][server key] Down 202.40.2.2 3288 0 0 -- -- -- End cops group table -----------------------------------------------------

4.3 Configuration ExamplesThis section includes networking requirements, configuration precautions, and the configurationroadmap.

4.3.1 Example for Configuring COPS Interfaces to Report Online and Offline MessagesThis section provides an example for configuring COPS interface to report messages indicatingthat a user going online or offline.

4.3.1 Example for Configuring COPS Interfaces to Report Onlineand Offline Messages

This section provides an example for configuring COPS interface to report messages indicatingthat a user going online or offline.


As shown in Figure 4-1, a DHCP client accesses the PE through the DSLAM. The DHCP clientuses a DCHP relay to apply to a DHCP server for relevant configuration information, such asan IP address. After the DHCP server allocates an IP address to the DHCP client, the PE reportsthat the user has gone online to a COPS server. When the user goes offline and releases the IPaddress, the PE also reports this information to the COPS server so the user record can be updated.

Figure 4-1 Typical networking diagram of COPS configuration

DHCPRelay

GE2/0/0202.40.1.1/16

PE

DHCPserver

COPSserver

DSLAMDHCPclient

GE2/0/1202.40.2.1/16

202.40.2.2/16

202.40.1.2/16



4-11



1. Configure the parameters for the DHCP relay.2. Configure the global COPS parameters.3. Create a COPS server group and add COPS servers to it.4. Configure the PEP ID and other optional items for the COPS server.5. Activate the COPS server group.6. Bind the COPS server group to IPTN services.7. Verify the configuration.

Data Preparation


l Name, IP address, VPN instance, and port number of the COPS servers, port number ofthe COPS clients, and weights

l PEP IDl (Optional) Flow keeping time after a COPS client is disconnected from the COPS serverl (Optional) Shared key of the COPS serverl Timeout period for COPS Open messages and the source interface of the device sending

COPS messages

Procedure

Step 1 Configure the DHCP relay functions on the device.

For detailed configuration information, refer to the chapter "DHCPv4 Configuration" in theCX600 Metro Services Platform Configuration Guide - User Access.

Step 2 Configure the global parameters for COPS, including the timeout period for COPS Openmessages and the source interface for sending COPS messages.<PE> system-view[PE] cops-server open-timeout 30[PE] cops-server source-interface loopBack 0

Step 3 Create a COPS server group and add COPS servers to it.[PE] cops-server group huawei client-type ssg[PE-cops-huawei] cops-server 202.40.2.2

Step 4 Configure the COPS PEP ID and other optional items.[PE-cops-huawei] cops-server pep-id client1[PE-cops-huawei] cops-server flow-keeping-time 500[PE-cops-huawei] cops-server shared-key huawei

Step 5 Activate the COPS server group.[PE-cops-huawei] undo active[PE-cops-huawei] active[PE-cops-huawei] quit

Step 6 Bind the COPS server group to IPTN services.[PE] cops-group iptn-binding huawei




Issue 01 (2011-05-30)

Step 7 Verify the configuration.<PE> display cops-server configuration group huawei-- Cops group table display ------------------------------------------------- Group index : 0 Group name : huawei Client type : ssg Group up or down flag : Up Group active state : Active Secret key : huawei Flow keeping time (second) : 500 PEP ID : client1 Group Source interface name : -- Group Reference number : 0[state][server IPv4 addr][server port][client port][weight][vpn name][server key] Down 202.40.2.2 3288 0 0 -- -- -- End cops group table -----------------------------------------------------

----End

Configuration FilesThe configuration file of CX device is as follows:

# sysname PE1# cops-server open-timeout 30 cops-server source-interface LoopBack0 cops-group iptn-binding huawei#interface Gigabitethernet2/0/0 ip address 202.40.1.1 255.255.255.252ip relay address 202.40.3.2 dhcp select relay#interface Gigabitethernet2/0/1 ip address 202.40.2.1 255.255.255.252#interface Gigabitethernet2/0/2 ip address 202.40.3.1 255.255.255.252#interface LoopBack0 ip address 9.9.9.9 255.255.255.255#cops-server group huawei client-type ssg cops-server flow-keeping-time 500 cops-server shared-key huawei cops-server pep-id client1 cops-server 202.40.2.2 active#return



4-13

5 ANCP Configuration

About This Chapter

With ANCP, the CX device is able to transmit control messages between a BRAS and an accessnode.

ContextNOTE

ANCP cannot be configured on the X1 and X2 models of the CX600.

5.1 ANCP OverviewANCP provides a channel for transmitting control messages between a BRAS and an AN suchas a DSLAM.

5.2 Configuring the ANCP ServerWhen it is configured as an ANCP server, the CX device functions as a BRAS.

5.3 Configuring the ANCP ProxyAs an ANCP proxy, the CX device establish ANCP neighbor relationships with the DSLAMand the BRAS to aggregate ANCP lines.

5.4 Configuring the Association Between ANCP and HQoS in the ANCP Proxy ScenarioAfter ANCP is associated with HQoS, ANCP can be used to control the traffic rate fordownstream user lines and QoS parameters.

5.5 Maintaining ANCPYou may clear ANCP running information as part of ANCP maintenance.

5.6 Configuration ExamplesANCP configuration examples explain networking requirements and configuration proceduresand provide networking diagrams, configuration notes, and configuration roadmaps.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 5 ANCP Configuration


5-1

5.1 ANCP OverviewANCP provides a channel for transmitting control messages between a BRAS and an AN suchas a DSLAM.

5.1.1 Introduction to the ANCP ProtocolBefore configuring ANCP, familiarize yourself with how ANCP works. This will help youcomplete the configuration task rapidly and accurately.

5.1.2 Applicable EnvironmentANCP plays two roles, namely, ANCP server and ANCP proxy.

5.1.1 Introduction to the ANCP ProtocolBefore configuring ANCP, familiarize yourself with how ANCP works. This will help youcomplete the configuration task rapidly and accurately.

The Access Node Control Protocol (ANCP) provides a channel through which control messagescan be transmitted between a Broadband Remote Access Server (BRAS) and an access node(AN) such as a Digital Subscriber Line Access Multiplexer (DSLAM).

ANCP is both based on and an extension of General Switch Management Protocol Version 3(GSMPv3). It introduces a mechanism for establishing and maintaining neighbor relationships.

The ANCP protocol works as follows:

1. An AN initiates a TCP connection with the BRAS. The BRAS uses port 6068 to listen, andthe configured AN is powered on and then initiates a TCP connection with the listeningport on the BRAS. The BRAS functions as a TCP server while the AN functions as a TCPclient.

2. The AN sets up a GSMP neighbor relationship with the BRAS, and performs ANCPcapability negotiations. The capabilities defined in the ANCP protocol include:l Dynamic discovery of topologiesl Configuration of line parametersl Multicast controll Management of line detectionl Batch transactionsCurrently, the CX600 supports three capabilities, namely, dynamic discovery of topologies,configuration of line parameters, and management of line detection.

3. The ANCP protocol starts to work.After a neighbor relationship is established, the ANCP protocol works as follows:l Dynamically discovers topologies and updates line information.

The AN monitors the status of the access lines and uses ANCP to report informationabout the access lines to the BRAS. This information includes the IDs of active accesslines, the types of access lines, and upstream and downstream bandwidths. This Access-Loop-Circuit-ID as defined by ANCP is the same as the Option 82 field value in DHCPcontrol messages or the value of the PPPoE+ field in PPP control messages. If the lineinformation changes, the AN uses ANCP to notify the BRAS to update related lineinformation.

5 ANCP ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

l Applies appropriate line parameters when users go online.When a user connected to the AN goes online, the connection request message from theuser carries Option 82 information or PPPoE+ information that is the same as that ofthe access line ID. The BRAS is able to map the relationship between users and accesslines, and then use this information to control bandwidth for services and perform trafficpolicing as needed.

l (Optional) The Remote Authentication Dial-In User Service (RADIUS) server deliversa line policy to the DSLAM.When a user goes online or customizes services, the RADIUS server delivers a linepolicy based on relevant line information to the BRAS. The BRAS delivers the policyto the DSLAM, which then applies the policy.

l Performs OAM detection on access lines.The BRAS uses ANCP to send OAM detection packets to the DSLAM. After receivingthe packets, the DSLAM performs loopback detection on Digital Subscriber Lines(DSLs) and then uses ANCP to report the test results to the BRAS through ANCP.

5.1.2 Applicable EnvironmentANCP plays two roles, namely, ANCP server and ANCP proxy.

ANCP Sever

Figure 5-1 Networking diagram of configuring an ANCP server

AccessLine

AccessLine

AccessLine

ISP ASP

NSP

PolicyServer

RADIUSServer

DSLAM CX

ANCPSession

As shown in Figure 5-1, the DSLAM supports ANCP, and the CX device, as an ANCP server,functions as the BRAS.

In this case, the CX device supports the following functions:

l Access line management– Dynamic discovery of topologies



5-3

The CX device supports Hierarchical QoS (HQoS) so as to minimize congestion in anaccess network. HQoS requires the BRAS to detect topologies in the access networkand the parameters of access lines. These parameters include the DSL link status, actualupstream and downstream rates for synchronized Digital Subscriber Line (DSL) links,and maximum upstream and downstream rates. All these can be reported dynamicallyto the BRAS by the DSLAM.Some parameters, such as the network rate for DSL links, are constantly changing. Theoperation and maintenance system cannot provide accurate information aboutparameters of this kind. Other parameters, such as the upstream bandwidth of theDSLAM, seldom change, but they still need to be strictly synchronized with theinformation stored on the BRAS. The operation and maintenance system, however,provides no reliable and scalable method for accomplishing this task. Dynamicdiscovery of topologies helps address this problem.

– Update of line informationWhen the DSLAM re-sychronizes access line status with the Integrated Access Device(IAD), the DSLAM detects status changes of access lines and updates line parameters.The DSLAM then sends a Port up message to the BRAS instructing it to update linebandwidth.

l Service managementAccess line parameters are generally fixed. When users need value-added services, suchas triple-play services, the DSL lines need to be processed specially by the DSLAM. Inaddition, when users subscribe to services on self-service networks, line parameters mustbe updated automatically without manual intervention.When users go online, the DSLAM listens to DHCP or PPPoE control messages, and addsOption 82 or PPPoE+ information to the messages. The CX device then matches the Option82 information in DHCP control messages or PPPoE+ information in PPPoE controlmessages with the access line IDs (defined as Access-Loop-Circuit-ID in ANCP). Thisallows the CX device to find the access line that is unique to a particular user.

l Adjustment of user bandwidths and queue scheduling modes on downstream linksThe DSLAM uses ANCP packets to report information about user bandwidths and the CXdevice delivers a QoS policy through ANCP packets.




Issue 01 (2011-05-30)

ANCP Proxy

Figure 5-2 Networking diagram of configuring an ANCP proxy

AccessLine

AccessLine

AccessLine

ISP ASP

NSP

PolicyServer RADIUS

Server

DSLAM CX BRAS

ANCPSession 1

ANCPSession 2

As shown in Figure 5-2, the DSLAM and the BRAS both support ANCP. As an ANCP proxy,the CX device sets up ANCP neighbor relationships with the DSLAM and the BRAS to aggregateANCP lines.

In this case, the CX device supports the following functions:

l Discovery of topologies

The DSLAM uses ANCP packets to report access line IDs and information about userbandwidths to the CX device. The CX device then sets up and maintains ANCP access lineentries. The CX device forwards the access line IDs reported by the DSLAM to the BRASthrough the ANCP neighbor.

l HQoS

QoS parameters can be adjusted by the CX device based on information about userbandwidths reported by the DSLAM. Alternatively, the BRAS can use ANCP packets todeliver a QoS policy to the CX device, and the QoS parameters can be adjusted accordingly.

l OAM detection

The CX device receives OAM detection packets sent by the BRAS and forwards thesepackets to the DSLAM. After a response from the DSLAM, the CX device sends thedetection results back to the BRAS.

5.2 Configuring the ANCP ServerWhen it is configured as an ANCP server, the CX device functions as a BRAS.

5.2.1 Establishing the Configuration Task



5-5

Before configuring the CX device as an ANCP server, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the data required for theconfiguration. This will help you complete the configuration task quickly and accurately.

5.2.2 Enabling ANCPThe system can perform socket interception and processes TCP connection requests from aDSLAM only after being enabled with ANCP.

5.2.3 Configuring the Source Interface of an ANCP ConnectionThe interface that is connected to a DSLAM to set up a TCP connection can only be a loopbackinterface.

5.2.4 (Optional) Configuring Parameters of ANCP SessionsYou can configure an interval at which the local end sends an SYN or SYN-ACK packet to thepeer and the maximum number of retransmissions.

5.2.5 Configuring ANCP Neighbor ProfilesConfiguring an ANCP neighbor profile for the CX device facilitates ANCP access linemanagement.

5.2.6 (Optional) Configuring Bandwidth Adjustment FactorsAfter bandwidth adjustment factors are configured, the ANCP neighbor profile adjustsbandwidth based on the configured link types.

5.2.7 (Optional) Configuring ANCP Message DampingPerformance is degraded if the CX device frequently responds to messages reporting userbandwidth changes. Configure ANCP message damping on the CX device to avoid this problem.

5.2.8 (Optional) Configuring ANCP OAM DetectionTo test access line connections from a remote location, configure ANCP OAM detection.

5.2.9 (Optional) Adjusting the Upstream and Downstream Bandwidths of a User AutomaticallyAutomatic adjustment of downstream bandwidth for a user must be enabled in the AAA domainview of the user.

5.2.10 Checking the ConfigurationAfter the CX device is configured as an ANCP server, you can check information about ANCPneighbors, the ANCP neighbor profile, and line entries in the ANCP neighbor profile, as wellas statistics about ANCP neighbors.

5.2.1 Establishing the Configuration TaskBefore configuring the CX device as an ANCP server, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the data required for theconfiguration. This will help you complete the configuration task quickly and accurately.


If the DSLAM supports ANCP and the CX device needs to function as a BRAS to manage usersand user services, and to detect the online or offline status of users, you must configure the CXdevice to function as an ANCP server.


Before configuring the CX device to function as an ANCP server, complete the following tasks:




Issue 01 (2011-05-30)

l Configure physical parameters and link attributes to ensure that interfaces work properly

l Configure IP addresses and route discovery for interfaces

Data Preparation

To configure the CX device to function as an ANCP server, you need the following data.

No. Data

1 Source interface on which the ANCP connection is set up

2 (Optional) Timeout period before an ANCP session is set up and the maximumnumber of packet retransmissions

3 Name of the ANCP neighbor profile

4 IP address of the ANCP neighbor

5 (Optional) Port number for TCP connection listening on the ANCP neighbor

6 (Optional) Maximum number of lines permitted by each ANCP neighbor

7 (Optional) Interval for sending Keepalive packets for ANCP sessions

8 (Optional) Aging time of line entries

9 (Optional) Timeout period to wait for a response to the delivered profile

10 (Optional) Percentage of ANCP messages subject to damping

11 (Optional) Number of OAM detections

12 (Optional) Timeout period to wait for a response to OAM detection


Procedure



Step 2 Run:ancp enable

ANCP is enabled.

The system performs socket listening and processes TCP connection requests from the DSLAMonly after ANCP is enabled. When ANCP is disabled, all ANCP TCP connections are severed,and socket listening is disabled.



5-7

By default, ANCP is disabled.

----End


Procedure



Step 2 Run:ancp

The ANCP view is displayed.

Step 3 Run:source-interface loopback interface-number

The source interface is configured for setting up an ANCP connection.

When the interface is connected to the DSLAM to set up a TCP connection, the source interfacecan only be a loopback interface. Changing the source-interface { loopback | virtual-ethernet | gigabitethernet } interface-number command or the IP address of the interface takeseffect only when ANCP is disabled and then enabled again.

----End


Procedure



Step 2 Run:ancp


Step 3 Run:session { interval interval-value | retransmit retransmit-value }*

The timeout period for ANCP sessions and the maximum number of ANCP packetretransmissions are configured.

After a TCP connection is established, CX device sends SYN packets to set up an ANCP session.If the local end does not receive the correct response, it resends SYN packets until an ANCP




Issue 01 (2011-05-30)

session is successfully established. If an ANCP session has not been established when the numberof SYN packet retransmissions reaches a preset upper threshold, the TCP connection will beclosed.

By default, the interval for sending SYN or SYN-ACK packets to the peer is 1 second, and themaximum number of retransmissions is 10.

----End

5.2.5 Configuring ANCP Neighbor ProfilesConfiguring an ANCP neighbor profile for the CX device facilitates ANCP access linemanagement.

Procedure



Step 2 Run:ancp


Step 3 Run:neighbor-profile neighbor-profile-name

An ANCP neighbor profile is created and the ANCP neighbor view is displayed.

ANCP neighbor profiles help the CX device to facilitate the management of ANCP access lines.Each neighbor profile can be configured with the IP address of a neighbor. If the IP address ina packet from a neighbor received by the CX device is the same as the configured IP address,the CX device associates the neighbor with the neighbor profile.

Before a neighbor profile is created, the system checks whether a neighbor view with the samename already exists. If one does, the neighbor view is displayed; if one does not, a neighborview is created and then displayed. A neighbor profile cannot be deleted when it is in use.

Step 4 (Optional) Run:tcp-listen port port-number

The port number for TCP connection listening is configured for the ANCP neighbor.

Before the tcp-listen port port-number command is run, if the ANCP neighbor has already setup a TCP connection, the TCP connection will be cut off, and the ANCP neighbor will use thenew listening port number to re-establish a TCP connection.

By default, the port number for TCP connection listening is 6068.

NOTEIf a global source interface is configured in the ANCP view, the configuration of the tcp-listen port port-number command is not supported.

Step 5 Run:peer-id peer-id

The ID of the ANCP neighbor is configured.



5-9

Step 6 (Optional) Run:max-access-loop value

The maximum number of access lines is configured for the ANCP neighbor.

This means that the maximum number of lines that can access the CX device is configured. Ifthe number of access lines configured in this command is smaller than the number of accesslines that actually exist, existing access line entries are not affected, but no new access line entriescan be created.

By default, a maximum of 65536 access lines can be configured in a neighbor profile.

Step 7 (Optional) Run:keep-alive interval interval-value

The interval for sending Keepalive packets is configured.

To detect the neighbor status (for example, whether the link is Up) after the ANCP session isset up, the CX device sends Keepalive packets to its neighbor (for example, the DSLAM) at afixed interval.

The default interval is 10 seconds.

Step 8 (Optional) Run:aging-time value

The aging time is set for line entries.

When the ANCP neighbor line goes Down, the system needs to delete the line entry to makesure system resources are efficiently utilized.

If the aging time of line entries is set to 0, the CX device deletes the line entry immediately whenthe neighbor line goes Down. If the aging time is set to a non-zero value, the line entry cannotbe deleted until the aging timer expires.

The default aging time of an ANCP neighbor line entry is 150 seconds.

NOTE

If the DSLAM needs to restart the lines after receiving service profile names from the CX device, then alonger aging time for ANCP line entries must be configured on the CX device.

----End


Procedure



Step 2 Run:ancp





Issue 01 (2011-05-30)

Step 3 Run:neighbor-profile neighbor-profile-name [ proxy ]


Step 4 Run:adjustment { adsl adjust-percentage | adsl2 adjust-percentage | adsl2plus adjust-percentage | vdsl1 adjust-percentage | vdsl2 adjust-percentage | sdsl adjust-percentage } *

The bandwidth adjustment percentages for different link types in the ANCP neighbor profile areconfigured.

NOTE

The types of physical links determine bandwidths reported to the CX device by the DSLAM. The CXdevice, however, uses the bandwidth of the Ethernet link as a basis for scheduling user traffic. This meansthat bandwidths need to be 'translated' to take account of the different types of physical links. Ethernet linkbandwidth is set at 100%. Then, for example, if the bandwidth adjustment factor for ADSL is set to 77%,this means that when a user reports the link type as ADSL, the actual bandwidth that HQoS holds for theuser is the reported bandwidth x 77%.

----End


ContextIf the DSLAM reports user bandwidth changes to the CX device, the CX device adjusts userbandwidth accordingly. If the DSLAM repeatedly sends such messages, CX device performanceis affected.

To prevent this problem, ANCP message damping needs to be configured on the CX device.


system-view


Step 2 Run:ancp



The neighbor view is displayed.

Step 4 Run:damping damping-percentage

ANCP message damping is configured.

After ANCP message damping is configured, the CX device adjusts user bandwidth and deliversnew configurations only when user bandwidth changes go beyond the specified percentage. The



5-11

CX device does not respond to ANCP messages that report user bandwidth changes within thespecified percentage. No adjustments to user bandwidth are made in such cases.

By default, ANCP messages are not damped.

----End


Procedure



Step 2 Run:ancp


Step 3 Run:oam [ count test-counter ] access-loop access-loop-circuit-id

OAM detection is configured for a specific access line. The number of times that OAM detectionwill be performed is also set.

By default, the number of times that OAM detection will be performed is 5.

Step 4 (Optional) Run:neighbor-profile neighbor-profile-name [ proxy ]

The ANCP neighbor view is displayed.

Step 5 (Optional) Run:oam timeout time

The timeout period for the response to OAM detection is configured.

ANCP OAM detection fails if the CX device receives no response to OAM detection during thetimeout period.

By default, the timeout period is 5s.

NOTE

The oam timeout command can be configured when the neighbor profile mode is server or proxy server.

----End

5.2.9 (Optional) Adjusting the Upstream and DownstreamBandwidths of a User Automatically

Automatic adjustment of downstream bandwidth for a user must be enabled in the AAA domainview of the user.




Issue 01 (2011-05-30)

Procedure



Step 2 Run:aaa

The AAA view is displayed.

Step 3 Run:domain domain-name

The domain view is displayed.

Step 4 Run:ancp auto-qos-adapt

Automatic adjustment of downstream bandwidth for a user is enabled.

By default, automatic adjustment of downstream bandwidth for a user is not enabled.

----End

5.2.10 Checking the ConfigurationAfter the CX device is configured as an ANCP server, you can check information about ANCPneighbors, the ANCP neighbor profile, and line entries in the ANCP neighbor profile, as wellas statistics about ANCP neighbors.

Procedure

Step 1 Run the display ancp neighbor [ profile neighbor-profile | id id-value ] command to viewinformation about an ANCP neighbor.

Step 2 Run the display ancp neighbor-profile [ neighbor-profile-name ] command to viewinformation about an ANCP neighbor profile.

Step 3 Run the display ancp access-loop [ access-loop-circuit- index | circuit-id circuit-id-text |circuit-id-include circuit-id-include-text | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ] command to view information about line entries in the ANCP neighbor profile.

Step 4 Run the display ancp statistic [ neighbor-id ] command to view the statistics of an ANCPneighbor.

----End

ExampleAfter running the display ancp neighbor command, you can view the status of an ANCPneighbor in a specified neighbor profile and the status of an ANCP neighbor with a specifiedneighbor ID. For example:<HUAWEI> display ancp neighbor --------------------------------------------------------------------------Index Peer-ID State Role Line-num Profile --------------------------------------------------------------------------0 1.1.1.1 ESTAB sever 0 bras



5-13

--------------------------------------------------------------------------The total is 1,printed is 1<HUAWEI> display ancp neighbor id 1.1.1.1 Neighbor Profile name :bras Neighbor state :ESTAB Peer ID :1.1.1.1 Peer port :51729 Neighbor capacity :discovery;line-cfg;oam;Bulk Transaction; Neighbor techtype :5(5 is DSL) Access loop circuit number :7 Session message interval :12(seconds) Session message retransmit :10 Max access loop number :65536 Access loop configure timeout :2(seconds) Access loop configure ack mandatory :false Access loop aging time :150(seconds) Access loop oam timeout :5(seconds) Keep-alive interval :10(seconds) Wait-ack timeout :30000(milliseconds) ANCP role :server

After running the display ancp neighbor-profile command, you can view the configuration ofthe specified neighbor profile. For example:<HUAWEI> display ancp neighbor-profile bras Index :3 Neighbor Profile name :bras Neighbor Used state :used ANCP role :server ANCP source interface :LoopBack1 TCP-listen port number :6068 Damping percentage :0 Peer ID :1.1.1.1 Max access loop number :65536 Access loop configure timeout :2(seconds) Access loop configure ack mandatory :false Access loop aging time :150(seconds) Access loop oam timeout :5(seconds) Keep-alive interval :10(seconds)

After running the display ancp access-loop command, you can view information about accessline entries. For example:<HUAWEI> display ancp access-loop neighbor-id 1.1.1.1 ---------------------------------------------------------------- Index State Peer-ID Circuit-ID ---------------------------------------------------------------- 80 UP 1.1.1.1 001882362CFF eth 1/3/1/5:5 81 UP 1.1.1.1 001882362CFF eth 1/3/0/1:1 ---------------------------------------------------------------- The total is 2,printed is 2

After running the display ancp statistic command, you can view the statistics of ANCPneighbors. For example:<HUAWEI> display ancp statistic 10.1.1.1 Received ack packet :307 Received syn packet :1 Received synack packet :1 Received reset ack packet :0 Received lineup packet :7 Received linedown packet :0 Received oam packet :0 Received line config packet :0 Received multicast packet :0 Received unknown packet :0 Send ack packet :307 Send synack packet :1 Send syn packet :1 Send reset ack packet :0 Send oam packet :0




Issue 01 (2011-05-30)

Send access loop config packet :2 Send multicast packet :0 Send failed packet :0

5.3 Configuring the ANCP ProxyAs an ANCP proxy, the CX device establish ANCP neighbor relationships with the DSLAMand the BRAS to aggregate ANCP lines.

5.3.1 Establishing the Configuration TaskBefore configuring the CX device as an ANCP proxy, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the data required for theconfiguration. This will help you complete the configuration task quickly and accurately.




5.3.5 Configuring the ANCP Neighbor ProfileTo make the CX device function as an ANCP proxy, you need to create an ANCP neighborprofile and establish neighbor relationships with the upstream BRAS and the downstreamDSLAM.


5.3.7 (Optional) Enabling the Function of Configuring ANCP Access LinesYou can configure ANCP access lines and enable the CX device to deliver a line profile nameto the peer DSLAM.



5.3.10 Checking the ConfigurationAfter the CX device is configured as an ANCP proxy, you can check information about ANCPneighbors, the ANCP neighbor profile, and line entries in the ANCP neighbor profile, as wellas the statistics about ANCP neighbors.

5.3.1 Establishing the Configuration TaskBefore configuring the CX device as an ANCP proxy, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the data required for theconfiguration. This will help you complete the configuration task quickly and accurately.



5-15

Applicable EnvironmentIf both the DSLAM and the BRAS support ANCP and the CX device functions as theconvergence device between them, , you must configure the CX device as an ANCP proxy. Inthis case, the CX device detects neither user services nor user login and logout.

Pre-configuration TasksBefore configuring the CX device to function as an ANCP proxy, complete the following tasks:

l Configuring physical parameters and link attributes to ensure that interfaces work properlyl Configuring IP addresses and routing protocols for interfaces

Data PreparationTo configure the CX device to function as an ANCP proxy, you need the following data.

No. Data

1 Source interface of the ANCP connection

2 (Optional) Timeout period for an attempt to set up an ANCP session and themaximum number of packet retransmissions



5 (Optional) Maximum number of lines permitted by each ANCP neighbor

6 (Optional) Interval for sending Keepalive packets for ANCP sessions

7 (Optional) Aging time of line entries

8 (Optional) Percentage of ANCP messages subject to damping

9 (Optional) Number of OAM detections

10 (Optional) Timeout period to wait for a response to OAM detection


Procedure



Step 2 Run:ancp enable




Issue 01 (2011-05-30)

ANCP is enabled.

The system performs socket listening and processes TCP connection requests from the DSLAMonly after ANCP is enabled. When ANCP is disabled, all ANCP TCP connections are severed,and socket listening is disabled.

By default, ANCP is disabled.

----End


Procedure



Step 2 Run:ancp


Step 3 Run:source-interface loopback interface-number

The source interface is configured for setting up an ANCP connection.

When the interface is connected to the DSLAM to set up a TCP connection, the source interfacecan only be a loopback interface. Changing the source-interface { loopback | virtual-ethernet | gigabitethernet } interface-number command or the IP address of the interface takeseffect only when ANCP is disabled and then enabled again.

----End


Procedure



Step 2 Run:ancp


Step 3 Run:session { interval interval-value | retransmit retransmit-value }*



5-17

The timeout period for ANCP sessions and the maximum number of ANCP packetretransmissions are configured.

After a TCP connection is established, CX device sends SYN packets to set up an ANCP session.If the local end does not receive the correct response, it resends SYN packets until an ANCPsession is successfully established. If an ANCP session has not been established when the numberof SYN packet retransmissions reaches a preset upper threshold, the TCP connection will beclosed.

By default, the interval for sending SYN or SYN-ACK packets to the peer is 1 second, and themaximum number of retransmissions is 10.

----End

5.3.5 Configuring the ANCP Neighbor ProfileTo make the CX device function as an ANCP proxy, you need to create an ANCP neighborprofile and establish neighbor relationships with the upstream BRAS and the downstreamDSLAM.

ContextTo facilitate management of ANCP access lines, the CX device uses ANCP neighbor profiles.Each neighbor profile can be configured with the IP address of a neighbor. If the IP address ofa packet from a neighbor is the same as the configured IP address, the neighbor is considered tobelong to the neighbor profile.

Before a neighbor profile is created, the system checks whether a neighbor profile with the samename exists. If one exists, the neighbor view is displayed; if one does not exist, a neighbor viewis created and then displayed. A neighbor profile cannot be deleted when it is in use.

Procedure



Step 2 Run:ancp


Step 3 Run:neighbor-profile neighbor-profile-name proxy [ client ]

An ANCP neighbor profile in proxy mode is created and the neighbor view is displayed.

If client is not specified, the neighbor profile works in proxy server mode and is used to set upa neighbor relationship with the downstream DSLAM.

If client is specified, the neighbor profile works in proxy client mode and is used to set up aneighbor relationship with the upstream BRAS.

NOTE

In proxy mode, only one neighbor profile can be configured to work in proxy client mode.




Issue 01 (2011-05-30)

Step 4 (Optional) Run:tcp-listen port port-number

The port number on an ANCP neighbor for TCP connection listening is configured.

If the ANCP neighbor has an existing TCP connection set up when the tcp-listen port commandis run, this TCP connection will be severed and the ANCP neighbor will use the new listeningport to establish a new TCP connection.

By default, the port number for TCP connection listening is 6068.

Step 5 Run:peer-id peer-id

The ID of the ANCP neighbor is configured.

Step 6 (Optional) Run:max-access-loop value

The maximum number of access lines is configured for the ANCP neighbor.

If the number of access lines configured in this command is smaller than the number of accesslines that actually exist, existing access line entries are not affected, but no new access line entriescan be created.

By default, a maximum of 65536 access lines can be configured in a neighbor profile.

Step 7 (Optional) Run:keep-alive interval interval-value

The interval for sending Keepalive packets is configured.

To detect the neighbor status (for example, to detect whether the link is Up), after an ANCPsession is set up, the CX device sends Keepalive packets to its neighbor (for example, theDSLAM) at a fixed interval.

The default interval time is 10 seconds.

Step 8 (Optional) Run:aging-time value

The aging time is set for line entries.

When an ANCP neighbor line goes Down, the system needs to delete the line entry to make suresystem resources are efficiently utilized.

If the aging time of a line entry is set to 0, the entry is deleted immediately when the line goesDown. If the aging time is set to a non-zero value, the line entry cannot be deleted until the agingtimer expires.

The default aging time of an ANCP neighbor line entry is 150 seconds.

----End




5-19

Procedure



Step 2 Run:ancp


Step 3 Run:neighbor-profile neighbor-profile-name [ proxy ]


Step 4 Run:adjustment { adsl adjust-percentage | adsl2 adjust-percentage | adsl2plus adjust-percentage | vdsl1 adjust-percentage | vdsl2 adjust-percentage | sdsl adjust-percentage } *

The bandwidth adjustment percentages for different link types in the ANCP neighbor profile areconfigured.

NOTE

The types of physical links determine bandwidths reported to the CX device by the DSLAM. The CXdevice, however, uses the bandwidth of the Ethernet link as a basis for scheduling user traffic. This meansthat bandwidths need to be 'translated' to take account of the different types of physical links. Ethernet linkbandwidth is set at 100%. Then, for example, if the bandwidth adjustment factor for ADSL is set to 77%,this means that when a user reports the link type as ADSL, the actual bandwidth that HQoS holds for theuser is the reported bandwidth x 77%.

----End

5.3.7 (Optional) Enabling the Function of Configuring ANCPAccess Lines

You can configure ANCP access lines and enable the CX device to deliver a line profile nameto the peer DSLAM.

Procedure



Step 2 Run:ancp


Step 3 Run:access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name

The name of the profile delivered to the peer is configured and the configuration of ANCP accesslines is enabled.




Issue 01 (2011-05-30)

The access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name command is used to enable ANCP access line configurations and to configure the CXdevice to deliver profile names to the DSLAM.

When the access-loop-configure { circuit-id circuit-id | index index } service-profile profile-name command is run on the ANCP server, the parameters in the profile, such as QoS parametersand bandwidths, need to be configured on the DSLAM. The parameters in the profile are validfor users that go online after the profile is delivered.

NOTE

If the DSLAM needs to restart a line after receiving a profile name from the CX device, you must run theaging-time command on the CX device to set a longer aging times for ANCP line entries.

Step 4 (Optional) Run either of the following commands as required.l Run the line-configure timeout time command and the timeout period for responses to

delivered profiles is configured.If the CX device receives no response during the timeout period, it assumes that the deliveryof the profile failed.

l Run the line-configure ack-mandatory command, and no response to the delivered profileis required.

By default, the timeout period is 5 seconds.

----End


ContextIf the DSLAM reports user bandwidth changes to the CX device, the CX device adjusts userbandwidth accordingly. If the DSLAM repeatedly sends such messages, CX device performanceis affected.

To prevent this problem, ANCP message damping needs to be configured on the CX device.

Procedure



Step 2 Run:ancp



The neighbor view is displayed.

Step 4 Run:



5-21

damping damping-percentage

ANCP message damping is configured.

After ANCP message damping is configured, the CX device adjusts user bandwidth and deliversnew configurations only when user bandwidth changes go beyond the specified percentage. TheCX device does not respond to ANCP messages that report user bandwidth changes within thespecified percentage. No adjustments to user bandwidth are made in such cases.

By default, ANCP messages are not damped.

----End


Procedure



Step 2 Run:ancp


Step 3 Run:oam [ count test-counter ] access-loop access-loop-circuit-id

OAM detection is configured for a specific access line. The number of times that OAM detectionwill be performed is also set.

By default, the number of times that OAM detection will be performed is 5.

Step 4 (Optional) Run:neighbor-profile neighbor-profile-name [ proxy ]

The ANCP neighbor view is displayed.

Step 5 (Optional) Run:oam timeout time

The timeout period for the response to OAM detection is configured.

ANCP OAM detection fails if the CX device receives no response to OAM detection during thetimeout period.

By default, the timeout period is 5s.

NOTE

The oam timeout command can be configured when the neighbor profile mode is server or proxy server.

----End




Issue 01 (2011-05-30)

5.3.10 Checking the ConfigurationAfter the CX device is configured as an ANCP proxy, you can check information about ANCPneighbors, the ANCP neighbor profile, and line entries in the ANCP neighbor profile, as wellas the statistics about ANCP neighbors.

Procedure

Step 1 Run the display ancp neighbor [ profile neighbor-profile | id id-value ] command to viewinformation about the ANCP neighbor.

Step 2 Run the display ancp neighbor-profile [ neighbor-profile-name ] command to view theconfiguration of the ANCP neighbor profile.

Step 3 Run the display ancp access-loop [ access-loop-circuit- index | circuit-id circuit-id-text |circuit-id-include circuit-id-include-text | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ] command to view information about line entries in the ANCP neighbor profile.

Step 4 Run the display ancp statistic [ neighbor-id ] command to view the ANCP statistics about theneighbor.

----End

ExampleAfter running the display ancp neighbor command, you can view the status of all ANCPneighbors, a neighbor with a specified neighbor profile, and a neighbor with a specified neighborID. For example:<HUAWEI> display ancp neighbor Index Peer-ID State Role Line-num Profile -------------------------------------------------------------------------- 0 123.1.3.1 ESTAB proxy client 0 bras 1 10.1.1.1 ESTAB proxy server 2 dslam -------------------------------------------------------------------------- The total is 2,printed is 2 <HUAWEI> display ancp neighbor id 10.1.1.1 Neighbor Profile name :dslam Neighbor state :ESTAB Peer ID :10.1.1.1 Peer port :49233 Neighbor capacity :discovery;line-cfg;oam; Neighbor techtype :5(5 is DSL) Access loop circuit number :2 Session message interval :20(seconds) Session message retransmit :5 Max access loop number :65536 Access loop configure timeout :5(seconds) Access loop configure ack mandatory :false Access loop aging time :47(seconds) Access loop oam timeout :50(seconds) Keep-alive interval :10(seconds) Wait-ack timeout :30000(milliseconds) ANCP role :proxy server

After running the display ancp neighbor-profile command, you can view the configuration ofthe specified neighbor profile. For example:<HUAWEI> display ancp neighbor-profile dslam1 Index :1 Neighbor Profile name :dslam Neighbor Used state :used ANCP role :proxy server Auto-qos-adapt attribute :both



5-23

TCP-listen port number :6068 Damping percentage :0 Peer ID :10.1.1.1 Max access loop number :65536 Access loop configure timeout :5(seconds) Access loop configure ack mandatory :false Access loop aging time :47(seconds) Access loop oam timeout :50(seconds) Keep-alive interval :10(seconds)

After running the display ancp access-loop command, you can view information about accessline entries. For example:<HUAWEI> display ancp access-loop neighbor-profile dslam ---------------------------------------------------------------- Index State Peer-ID Circuit-ID ---------------------------------------------------------------- 10 UP 10.1.1.1 001882362CFF eth 0/3/0/1:10 11 UP 10.1.1.1 001882362CFF eth 0/3/0/2:6 ---------------------------------------------------------------- The total is 2,printed is 2

After running the display ancp statistic command, you can view the ANCP statistics about aneighbor. For example:<HUAWEI> display ancp statistic 10.1.1.1 Received ack packet :96 Received syn packet :0 Received synack packet :1 Received reset ack packet :0 Received lineup packet :2 Received linedown packet :0 Received oam packet :0 Received line config packet :0 Received multicast packet :0 Received unknown packet :0 Send ack packet :96 Send synack packet :1 Send syn packet :1 Send reset ack packet :0 Send oam packet :0 Send access loop config packet :0 Send multicast packet :0 Send failed packet :0

5.4 Configuring the Association Between ANCP and HQoSin the ANCP Proxy Scenario

After ANCP is associated with HQoS, ANCP can be used to control the traffic rate fordownstream user lines and QoS parameters.

5.4.1 Establishing the Configuration TaskBefore associating ANCP with HQoS, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the data required for the configuration. Thiswill help you complete the configuration task quickly and accurately.

5.4.2 Configuring the Mode of the Association Between ANCP and HQoSThis configuration is applicable only to an ANCP neighbor whose attribute is proxy server.

5.4.3 Configuring the QoS Profile and Scheduling ParametersThis configuration is required only if ANCP is associated with HQoS on an ANCP neighborwhose attribute is proxy server.

5.4.4 Configuring the BRAS to Deliver the QoS Policy Name




Issue 01 (2011-05-30)

This configuration only applies to an ANCP neighbor whose attribute is proxy server.

5.4.5 Applying the QoS Profile to the InterfaceThis configuration is required only if a neighbor profile is configured with the proxy serverattribute and ANCP is associated with HQoS in DSLAM mode.

5.4.6 Enabling ANCP on the Interface and Associating the Interface with the ANCP NeighborProfileThis configuration is required only if ANCP is associated with HQoS on an ANCP neighborwhose attribute is proxy server.

5.4.7 Checking the ConfigurationAfter ANCP is associated with HQoS, you can check information about ANCP neighbors, theANCP neighbor profile, and line entries in the ANCP neighbor profile, as well as the statisticsabout ANCP neighbors.

5.4.1 Establishing the Configuration TaskBefore associating ANCP with HQoS, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the data required for the configuration. Thiswill help you complete the configuration task quickly and accurately.


When the CX device functions as an ANCP server or an ANCP proxy, you must configure ANCPto support HQoS if ANCP is required to control the traffic rate for downstream user lines andQoS scheduling parameters for various services.

l If the CX device functions as an ANCP server, only bandwidth adjustment factors need tobe configured.

l If the CX device functions as an ANCP proxy, you must configure bandwidth adjustmentfactors, association between ANCP and HQoS, and a QoS profile and schedulingparameters. You must enable ANCP on the interface, associate the interface with the ANCPneighbor profile, and apply the QoS profile.


Before configuring ANCP functions, complete the following tasks:

l Configuring the physical parameters and link attributes of interfaces to ensure that theinterfaces work properly

l Configuring IP addresses and routing protocols for interfaces

l Enabling ANCP and configuring ANCP neighbor profiles

Data Preparation

To configure ANCP support for HQoS, you need the following data.

No. Data

1 Source interface of the ANCP connection




5-25

No. Data


4 Bandwidth adjustment factor for the ANCP neighbor

5 ANCP-enabled sub-interface

6 Mode of the association between ANCP and HQoS

7 Scheduling parameter in the QoS profile

8 Interface to which the QoS profile is applied

5.4.2 Configuring the Mode of the Association Between ANCP andHQoS

This configuration is applicable only to an ANCP neighbor whose attribute is proxy server.

Context

If ANCP is associated with QoS and both the DSLAM and the BRAS report QoS messages, themode of the association between ANCP and HQoS determines which QoS messages are selectedby the device.

Procedure



Step 2 Run:ancp


Step 3 Run:neighbor-profile neighbor-profile-name proxy

The neighbor profile view is displayed.

Step 4 Run:auto-qos-adapt{ dslam | bras | both }

The mode of the association between ANCP and HQoS is configured.

If dslam is specified, apply the specified QoS profile name to the downstream interface for userservices. The CX device is then able to restrict the downstream bandwidth of user services basedon the actual physical bandwidth and the minimum value of HQoS reported by the ANCP line.

If bras is specified, the BRAS delivers a QoS profile name to a user, and the CX device receivesand applies the QoS policy.




Issue 01 (2011-05-30)

If both are specified, the BRAS needs to deliver a QoS profile name to a user, and the CXdevice receives and applies the QoS policy. If the DSLAM then reports line update messages,ANCP adjusts user bandwidth based on the new bandwidth information.

----End

5.4.3 Configuring the QoS Profile and Scheduling ParametersThis configuration is required only if ANCP is associated with HQoS on an ANCP neighborwhose attribute is proxy server.

Procedure



Step 2 Run:qos-profile qos-profile-name

A QoS profile is created and the QoS profile view is displayed.

Step 3 You may configure user queue scheduling parameters or traffic assurance for users, as required.l Run the user-queue cir cir-value [ pir pir-value] [ flow-queue flow-queue name ] [ flow-

mapping flow-mapping name ] [ user-group-queue user-group-queue name ] [ service-template service-template-name ]* [ inbound | outbound ] command to configure userqueue scheduling parameters to implement HQoS on user services.

l Run the car { cir cir-value [ pir pir-value] } [ cbs cbs-value pbs pbs-value ] [ green{ discard | pass } | yellow { discard | pass } | red { discard | pass } ]* [ inbound |outbound ] command to set a committed access rate (CAR) to ensure that user traffic canbe forwarded properly.

l Run the broadcast-suppression cir cir-value [ cbs cbs-value ] [ inbound | outbound ]command to set the suppression rate for broadcast packets in the QoS profile.

l Run the multicast-suppression cir cir-value [ cbs cbs-value ] [ inbound | outbound ]command to set a suppression rate for multicast packets in the QoS profile.

l Run the unknown-unicast-suppression cir cir-value [ cbs cbs-value ] [ inbound |outbound ] command to set a suppression rate for unknown unicast packets in the QoSprofile.

NOTE

l The car command and the user-queue command in the QoS profile are mutually exclusive. The twocommands cannot both be configured.

l If you have run the qos-profile command on an interface, you cannot run the user-queue command,run the car command, or enable the traffic suppression function on that interface.

If the commands in Step 3 specify the traffic direction and the configured direction is different fromthe traffic direction to which the QoS profile is applied on the interface, the profile does not take effect.If the commands do not specify the traffic direction, the QoS profile will take effect in the directionthat it is applied.

l If uni-directional user queue scheduling (for either incoming or outgoing traffic) is already configured,you cannot configure user queue scheduling without specifying the traffic direction. Conversely, ifdirectionless user queue scheduling is already configured, you cannot configure uni-directional userqueue scheduling.



5-27

For detailed QoS profile configurations, refer to the HUAWEI CX600 Configuration Guide -QoS.

----End

5.4.4 Configuring the BRAS to Deliver the QoS Policy NameThis configuration only applies to an ANCP neighbor whose attribute is proxy server.

Procedure



Step 2 Run:ancp


Step 3 Run:access-loop-configure { circuit-id circuit-id |index index } service-profile profile-name

Configure the BRAS to deliver the QoS policy name.

----End

5.4.5 Applying the QoS Profile to the InterfaceThis configuration is required only if a neighbor profile is configured with the proxy serverattribute and ANCP is associated with HQoS in DSLAM mode.

Procedure



Step 2 Run:interface interface-type interface-number [.sub-interface ]

The interface view for adjusting bandwidths is displayed.

Step 3 Choose the appropriate command line to apply QoS profiles on interfaces of different types.l Run the qos-profile qos-profile-name { inbound | outbound } [ group group-name ] [

before-layer2-encapsulation ] command on GE interfaces, Eth-Trunk interfaces, Ethernetinterfaces and their sub-interfaces to apply QoS profiles.

l Run the qos-profile qos-profile-name { inbound | outbound } vlan vlan-id1 [ to vlan-id2 ]identifier { vlan-id | none } [ group group-name ] [ before-layer2-encapsulation ]command on Layer 2 GE interfaces, Layer 2 Eth-Trunk interfaces, Dot1q termination sub-interfaces to apply QoS profiles.

l Run the qos-profile profile-name { inbound | outbound } pe-vid pe-vid ce-vid ce-vid1[ to ce-vid2 ] [ identifier { pe-vid | ce-vid | pe-ce-vid | none } ] [group group-name ] [




Issue 01 (2011-05-30)

before-layer2-encapsulation ] command on QinQ termination sub-interfaces and QinQmapping interfaces to apply QoS profiles.

----End

5.4.6 Enabling ANCP on the Interface and Associating the Interfacewith the ANCP Neighbor Profile

This configuration is required only if ANCP is associated with HQoS on an ANCP neighborwhose attribute is proxy server.

Procedure



Step 2 Run:interface interface-type interface-number [.subinterface-number]


Step 3 Run:ancp enable neighbor-profile-name

The ANCP function is enabled on the interface, and an ANCP neighbor profile is associatedwith the interface.

----End

5.4.7 Checking the ConfigurationAfter ANCP is associated with HQoS, you can check information about ANCP neighbors, theANCP neighbor profile, and line entries in the ANCP neighbor profile, as well as the statisticsabout ANCP neighbors.

Procedure

Step 1 Run the display ancp neighbor [ profile neighbor-profile | id id-value ] command to viewinformation about an ANCP neighbor.

Step 2 Run the display ancp neighbor-profile [ neighbor-profile-name ] command to view theconfiguration of an ANCP neighbor profile.

Step 3 Run the display ancp access-loop [ access-loop-circuit- index | circuit-idcircuit-id-text |circuit-id-include circuit-id-include-text | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ] command to view information about line entries in an ANCP neighbor profile.

Step 4 Run the display ancp statistic [ neighbor-id ] command to view the statistics of an ANCPneighbor.

----End



5-29

ExampleAfter running the display ancp neighbor command, you can view the status of all neighbors.For example:<HUAWEI> display ancp neighbor Index Peer-ID State Role Line-num Profile -------------------------------------------------------------------------- 0 123.1.3.1 ESTAB proxy client 0 bras 1 10.1.1.1 ESTAB proxy server 2 dslam -------------------------------------------------------------------------- The total is 2,printed is 2

After running the display ancp neighbor id 10.1.1.1 command, you can view the status of theneighbor whose ID is 10.1.1.1.<HUAWEI> display ancp neighbor id 10.1.1.1 Neighbor Profile name :dslam Neighbor state :ESTAB Peer ID :10.1.1.1 Peer port :49233 Neighbor capacity :discovery;line-cfg;oam; Neighbor techtype :5(5 is DSL) Access loop circuit number :2 Session message interval :20(seconds) Session message retransmit :5 Max access loop number :65536 Access loop configure timeout :5(seconds) Access loop configure ack mandatory :false Access loop aging time :47(seconds) Access loop oam timeout :50(seconds) Keep-alive interval :10(seconds) Wait-ack timeout :30000(milliseconds) ANCP role :proxy server

After running the display ancp neighbor-profile command, you can view the configuration ofthe specified neighbor profile. For example:<HUAWEI> display ancp neighbor-profile dslam1 Index :1 Neighbor Profile name :dslam1 Neighbor Used state :used ANCP role :proxy server Auto-qos-adapt attribute :both TCP-listen port number :6068 Damping percentage :0 Peer ID :10.1.1.1 Max access loop number :65536 Access loop configure timeout :5(seconds) Access loop configure ack mandatory :false Access loop aging time :47(seconds) Access loop oam timeout :50(seconds) Keep-alive interval :10(seconds)

After running the display ancp access-loop command, you can view information about accessline entries. For example:<HUAWEI> display ancp access-loop neighbor-profile dslam ---------------------------------------------------------------- Index State Peer-ID Circuit-ID ---------------------------------------------------------------- 10 UP 10.1.1.1 001882362CFF eth 0/3/0/1:10 11 UP 10.1.1.1 001882362CFF eth 0/3/0/2:6 ---------------------------------------------------------------- The total is 2,printed is 2

After running the display ancp statistic command, you can view the ANCP statistics of aneighbor. For example:<HUAWEI> display ancp statistic 10.1.1.1 Received ack packet :96




Issue 01 (2011-05-30)

Received syn packet :0 Received synack packet :1 Received reset ack packet :0 Received lineup packet :2 Received linedown packet :0 Received oam packet :0 Received line config packet :0 Received multicast packet :0 Received unknown packet :0 Send ack packet :96 Send synack packet :1 Send syn packet :1 Send reset ack packet :0 Send oam packet :0 Send access loop config packet :0 Send multicast packet :0 Send failed packet :0

5.5 Maintaining ANCPYou may clear ANCP running information as part of ANCP maintenance.

5.5.1 Clearing ANCP Running InformationTo clear ANCP running information, run the reset commands in the ANCP view.

5.5.1 Clearing ANCP Running InformationTo clear ANCP running information, run the reset commands in the ANCP view.

CAUTIONANCP running information cannot be restored after it is cleared. Excercise caution when runningthe commands.

To clear ANCP running information, run the following reset commands in the ANCP view.

Action Command

Clear information about ANCP accessline entries.

reset ancp access-loop [ circuit-id access-loop-circuit-id | neighbor-profile neighbor-profile-name | neighbor-id neighbor-id ]

Clear information about ANCPneighbor entries.

reset ancp neighbor [ profile neighbor-profile-name | id neighbor-id-value ]

Clear statistics about ANCP . reset ancp statistic [ neighbor-id ]

5.6 Configuration ExamplesANCP configuration examples explain networking requirements and configuration proceduresand provide networking diagrams, configuration notes, and configuration roadmaps.

5.6.1 Example for Configuring the ANCP Server



5-31

When configured as an ANCP server, the CX device functions as both a BRAS and an SR. Asan SR, the CX device can sense the topology of the access network and the parameters of accessline. This allows it to prevent congestion on the access network. As a BRAS, the CX device canautomatically adjust policies on the DSLAM by updating user services on the ANCP.

5.6.2 Configuring CX device as the ANCP Proxy and Configuring ANCP-HQoS AssociationWhen configured as an ANCP proxy, the CX device can aggregate ANCP connections.Aggregation prevents too many DSLAMs from being connected to the BRAS. The ANCP-HQoSassociation can reduce the need for manual configuration. By automatically adjusting userbandwidths, the ANCP-HQoS association prevents traffic congestion on a DSLAM.

5.6.1 Example for Configuring the ANCP ServerWhen configured as an ANCP server, the CX device functions as both a BRAS and an SR. Asan SR, the CX device can sense the topology of the access network and the parameters of accessline. This allows it to prevent congestion on the access network. As a BRAS, the CX device canautomatically adjust policies on the DSLAM by updating user services on the ANCP.

PrerequisiteBefore configuring the ANCP server, routes between connected devices must be completelyconfigured.

Networking RequirementsNetworking requirements are changing as networks converge and tri-play services develop. Asshown in Figure 5-3, the CX device needs to be deployed on the convergence layer at the edgeof a broadband MAN. In this location, the CX device acts as the service control gateway as wellas the authentication and accounting gateway for various types of broadband access users. TheCX device is positioned to provide users with a wide range of both broadband access servicesand value added services. In addition, the CX device is able to implement bandwidth control,traffic policing, and QoS enforcement for user services.

The DSLAM supports ANCP and the CX device functions as the BRAS to manage users. Itdetects user services and user login and logout. Other requirements are as follows:

l The maximum number of access lines for the DSLAM with IP address 10.1.1.1 is 3000.l Lines accessed by the DSLAM can be configured on the CX device.l When users log in, the CX device is able to use information about access lines to

automatically adjust the downstream bandwidth for these users.l The CX device is able to configure bandwidth adjustment factors based on the types of user

services.




Issue 01 (2011-05-30)

Figure 5-3 Networking diagram of configuring the ANCP server

IP/MPLSbackbone

DSLAM CX

phone

PC

IPTV

phone

PC

IPTV

ADSL/VDSLModem 1

ADSL/VDSLModem 2



1. Enable ANCP.

2. Configure the source interface of the ANCP connection.

3. Configure the ANCP session parameters.

4. Configure the ANCP neighbor profile and parameters.

5. Configure bandwidth adjustment factors.

Data Preparation


l IP address of the source interface of the ANCP connection

l ANCP neighbor name and IP address

l ANCP session parameter

l Maximum number of access lines, handshaking interval, and the timeout period to wait fora response to an access line configuration request for an ANCP neighbor

l Bandwidth adjustment factor

NOTE

The following describes the configuration of the CX device. For configurations of the ADSL/VDSL modemand DSLAM, see the relevant configuration guides.



5-33

Procedure

Step 1 Configure ANCP.

# Enable ANCP.

<HUAWEI> system-view[HUAWEI] ancp enable

# Configure the source interface of the ANCP connection.

[HUAWEI] interface loopback 1[HUAWEI-LoopBack1] ip address 1.1.1.1 24[HUAWEI-LoopBack1] quit[HUAWEI] ospf 82[HUAWEI-ospf-82]area 0[HUAWEI-ospf-82-area-0.0.0.0] network 1.1.1.1 0.0.0.0[HUAWEI-ospf-82-area-0.0.0.0] quit[HUAWEI-ospf-82] quit[HUAWEI] ancp[HUAWEI-ancp] source-interface loopback 1

# Configure the ANCP session parameters.

[HUAWEI-ancp] session interval 10 retransmit 20

# Configure the ANCP neighbor profile and bandwidth adjustment factors.

[HUAWEI-ancp] neighbor-profile dslam1[HUAWEI-ancp-neighbor-dslam1] peer-id 10.1.1.1[HUAWEI-ancp-neighbor-dslam1] max-access-loop 3000[HUAWEI-ancp-neighbor-dslam1] line-configure timeout 10[HUAWEI-ancp-neighbor-dslam1] keep-alive interval 20[HUAWEI-ancp-neighbor-dslam1] adjustment adsl 77 vdsl1 90[HUAWEI-ancp-neighbor-dslam1] quit

NOTEThe IP address specified in peer-id must be the same as the IP address that is used by the peer to set up theTCP connection.


# Check the configurations of the ANCP neighbor profile named dslam1.

<HUAWEI> display ancp neighbor-profile dslam1

Index :0 Neighbor Profile name :dslam1 Neighbor Used state :unused ANCP role :server TCP-listen port number :6068 Damping percentage :0 Adjustment :adsl 77 vdsl1 90 Peer ID :10.1.1.1 Max access loop number :3000 Access loop configure timeout :10(seconds) Access loop configure ack mandatory :false Access loop aging time :150(seconds) Access loop oam timeout :20(seconds) Keep-alive interval :20(seconds)

# Check the entry information about the access line named access1.

<HUAWEI> display ancp access-loop Circuit index :1 Circuit ID :access1 Peer ID :10.1.1.1 Dsl type :ADSL2 Actual datarate upstream :143(Kbps)




Issue 01 (2011-05-30)

Actual datarate downstream :153(Kbps)The total is 1,printed is 1

When traffic flows on the network, forwarding of traffic on access line 1 is based on the QoSprofile named test. This profile is configured by the DSLAM.

----End

Configuration Files# sysname HUAWEI# ancp enable#interface LoopBack1 ip address 1.1.1.1 255.255.255.0#ospf 82area 0network 1.1.1.1 0.0.0.0#ancp source-interface LoopBack1 session interval 10 retransmit 20 neighbor-profile dslam1 peer-id 10.1.1.1 adjustment adsl 77 vdsl1 90 keep-alive interval 20 line-configure timeout 10 max-access-loop 3000#return

5.6.2 Configuring CX device as the ANCP Proxy and ConfiguringANCP-HQoS Association

When configured as an ANCP proxy, the CX device can aggregate ANCP connections.Aggregation prevents too many DSLAMs from being connected to the BRAS. The ANCP-HQoSassociation can reduce the need for manual configuration. By automatically adjusting userbandwidths, the ANCP-HQoS association prevents traffic congestion on a DSLAM.

PrerequisiteBefore configuring the CX device as the ANCP proxy and configuring the ANCP-HQoSassociation, routes between connected devices must be completely configured.

Networking RequirementsTo implement automatic topology discovery and automatic link configuration in the accessnetwork, you must configure ANCP between the DSLAM and BRAS. One BRAS can normallyhave hundreds of ANCP peers. If, however, too many DSLAMs are connected to a BRAS, theANCP proxy needs to be configured on the CX device to aggregate ANCP connections.

When a user customizes new services, ANCP-HQoS association automatically adjusts the userbandwidth on the CX device. This prevents traffic congestion on the DSLAM.

As shown in Figure 5-4, both the DSLAM and the BRAS support ANCP. Functioning as theaggregation device, the CX device sets up ANCP neighbor relationships with the DSLAM andthe BRAS. Other requirements are as follows:



5-35

l The maximum number of access lines for the DSLAM with IP address 10.1.1.1 is 3000.l Lines accessed by the DSLAM can be configured on the CX device.l The CX device is able to configure bandwidth adjustment factors based on the types of user

services.l Traffic flows of different user services enter different QinQ sub-interfaces for QoS

scheduling.l Downstream traffic of the CX device is scheduled through ANCP based on the QoS policy

delivered by the BRAS.

Figure 5-4 Networking diagram of configuring CX device as the ANCP proxy and configuringANCP-HQoS association

IP/MPLSbackbone

DSLAM

phone

PC

IPTV

phone

PC

IPTV

ADSL/VDSLModem 1

ADSL/VDSLModem 2

BRAS

GE1/0/0

CX



1. Enable ANCP.2. Configure the source interface of the ANCP connection.3. Configure the ANCP session parameters.4. Configure the ANCP neighbor profile and parameters.5. Configure bandwidth adjustment factors.6. Configure the mode of the association between ANCP and HQoS.7. Enable ANCP on the interface and associate the ANCP neighbor with the interface.8. Configure the QoS profile and schedule parameters.




Issue 01 (2011-05-30)

9. (Optional) Configure the name of the QoS policy delivered by the BRAS.10. Apply the QoS profile to the interface.

Data Preparation


l IP address of the source interface of the ANCP connectionl ANCP neighbor name and IP addressl ANCP session parameterl Maximum number of access lines, handshaking interval, and the timeout period to wait for

a response to an access line configuration request for an ANCP neighborl Bandwidth adjustment factors

Procedure

Step 1 Configure ANCP.

# Enable ANCP.

<HUAWEI> system-view[HUAWEI] ancp enable

# Configure the source interface of an ANCP connection.

[HUAWEI] interface loopback 1[HUAWEI-LoopBack1] ip address 1.1.1.1 24[HUAWEI-LoopBack1] quit[HUAWEI] ospf 82[HUAWEI-ospf-82]area 0[HUAWEI-ospf-82-area-0.0.0.0] network 1.1.1.1 0.0.0.0[HUAWEI-ospf-82-area-0.0.0.0] quit[HUAWEI-ospf-82] quit[HUAWEI] ancp[HUAWEI-ancp] source-interface loopback 1

# Configure the ANCP session parameters.

[HUAWEI-ancp] session interval 10 retransmit 20

# Configure profile parameters and bandwidth adjustment factors for the ANCP neighborconnected to the DSLAM.

[HUAWEI-ancp] neighbor-profile dslam1 proxy[HUAWEI-ancp-neighbor-dslam1] peer-id 10.1.1.1[HUAWEI-ancp-neighbor-dslam1] max-access-loop 3000[HUAWEI-ancp-neighbor-dslam1] line-configure timeout 10[HUAWEI-ancp-neighbor-dslam1] keep-alive interval 20[HUAWEI-ancp-neighbor-dslam1] adjustment adsl 77 vdsl1 90[HUAWEI-ancp-neighbor-dslam1] quit

# Configure profile parameters and bandwidth adjustment factors for the ANCP neighborconnected to the BRAS.

[HUAWEI-ancp] neighbor-profile bras proxy client[HUAWEI-ancp-neighbor-bras] peer-id 10.1.1.2[HUAWEI-ancp-neighbor-bras] quit

Step 2 Configure the mode of the association between ANCP and HQoS.[HUAWEI-ancp] auto-qos-adapt bras



5-37

Step 3 Configure parameters in the QoS profile.

For detailed configurations of parameters in the QoS profile, refer to the HUAWEI CX600 MetroServices Platform Configuration Guide - QoS.

Step 4 (Optional) Configure the name of the QoS policy delivered by the BRAS.<HUAWEI> system-view[HUAWEI] ancp[HUAWEI-ancp] access-loop-configure circuit-id "text" service-profile test

Step 5 Apply the QoS profile to the interface and associate the ANCP neighbor with the interface.<HUAWEI> system-view[HUAWEI] interface gigabitethernet 1/0/0[HUAWEI-GigabitEthernet1/0/0] qos-profile test outbound pe-vid 1 ce-vid 1 to 100[HUAWEI-GigabitEthernet1/0/0] ancp enable dslam1[HUAWEI-GigabitEthernet1/0/0] quit

After the preceding configurations are completed, you can run the display qos-profileconfiguration test and display qos-profile application test slot 1 inbound commands to viewthe configurations of the QoS profile and its applications.

<HUAWEI> display qos-profile configuration testqos-profile : test user-queue cir 100000 flow-queue test flow-mapping test user-group-queue test broadcast-suppression cir 2000multicast-suppression cir 2000unknown-unicast-suppression cir 2000Reference relationships: GigabitEthernet1/0/0<HUAWEI> display qos-profile application test slot 1 inboundqos-profile : test intaface GigabitEthernet1/0/0, pe-vid 1, ce-vid 1 to 100


# Check basic information about the ANCP neighbor profile.

<HUAWEI> display ancp neighbor-profile---------------------------------------------------------------- Index Peer-ID State Role Profile-name ---------------------------------------------------------------- 1 1.1.1.2 used proxy server dslam1 2 10.1.1.2 used proxy client bras ---------------------------------------------------------------- The total is 1,printed is 1

# Check the configurations of the ANCP neighbor profile named dslam1.

<HUAWEI> display ancp neighbor-profile dslam1 Index :1 Neighbor Profile name :dslam1 Neighbor Used state :used ANCP role :proxy server ANCP source interface :LoopBack1 TCP-listen port number :6068 Damping percentage :0 Peer ID :10.1.1.1 Max access loop number :3000 Access loop configure timeout :5(seconds) Access loop configure ack mandatory :false Access loop aging time :30(seconds) Access loop oam timeout :5(seconds) Keep-alive interval :20(seconds)

----End




Issue 01 (2011-05-30)

Configuration Files# sysname HUAWEI# ancp enable# ancp source-interface LoopBack1 session interval 10 retransmit 20 neighbor-profile bras proxy client peer-id 10.1.1.2 neighbor-profile dslam1 proxy peer-id 10.1.1.1 max-access-loop 3000 line-configure timeout 10 keep-alive interval 20 adjustment adsl 77 vdsl1 90 auto-qos-adapt bras#flow-wred test color green low-limit 70 high-limit 100 discard-percentage 100 color yellow low-limit 60 high-limit 90 discard-percentage 100 color red low-limit 50 high-limit 80 discard-percentage 100#flow-mapping test map flow-queue af1 to port-queue ef#flow-queue test queue af1 lpq shaping 10000 flow-wred test queue ef pq shaping 30000 flow-wred test#user-group-queue test shaping 500000 inbound#service-template test network-header-length 12 inbound#qos-profile test user-queue cir 100000 pir 100000 flow-queue test flow-mapping test user-group -queue test service-template test #port-wred test color green low-limit 70 high-limit 100 discard-percentage 100 color yellow low-limit 60 high-limit 90 discard-percentage 100 color red low-limit 50 high-limit 80 discard-percentage 100#interface GigabitEthernet1/0/0 undo shutdown control-vid 1 qinq-termination qinq termination l2 symmetry user-mode qinq termination pe-vid 1 ce-vid 1 to 1000 qos-profile test outbound pe-vid 1 ce-vid 1 to 1000 ancp enable dslam1#interface LoopBack1 ip address 1.1.1.1 255.255.255.0#ospf 82 area 0 network 1.1.1.1 0.0.0.0#return



5-39

6 IP Performance Configuration

About This Chapter

By configuring IP performance, you can improve the performance of the device.

6.1 IP Performance OverviewBy configuring IP performance, you can improve the IP packet forwarding capability of thedevice.

6.2 Improving IP PerformanceBy setting parameters for IP packets, you can optimize the performance of the network.

6.3 Configuring TCPBy setting IP packets, you can improve the performance of the network.

6.4 Configuring Load Balancing for IP Packet ForwardingBy configuring Equal-Cost Multiple Path (ECMP) or Unequal-Cost Multiple Path (UCMP), youcan improve the packet forwarding capability of the network.

6.5 Maintaining IP PerformanceYou can maintain IP performance by deleting IP performance statistics and monitoring theoperation of IP performance.


HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 6 IP Performance Configuration


6-1

6.1 IP Performance OverviewBy configuring IP performance, you can improve the IP packet forwarding capability of thedevice.

6.1.1 Introduction to IP PerformanceBy configuring certain parameters and functions, you can improve the IP performance of thedevice.

6.1.2 IP Performance Supported by the CX600By setting IP, TCP, and ICMP packets, you can improve the performance of the network.

6.1.1 Introduction to IP PerformanceBy configuring certain parameters and functions, you can improve the IP performance of thedevice.

IP performance optimization should be performed on the basis of configurations of someparameters and enablement of related functions, for example, the interface MTU, ICMPattributes, and TCP attributes.

Internet Control Message Protocol (ICMP) messages are used by either the IP layer or the higherlayer protocol (TCP or UDP). ICMP communicates error messages or other information thatrequire attention.

6.1.2 IP Performance Supported by the CX600By setting IP, TCP, and ICMP packets, you can improve the performance of the network.

ICMPl ICMP Host Unreachable messages

When forwarding packets, the device discards the packets and returns an ICMP hostunreachable message to the source to notify that the source must stop sending packets tothis destination if the device encounters the following situations:– There is no route to the destination.– The packet is not for itself.

l ICMP Redirection messagesDuring packet forwarding, if the device finds the following situations, the device needs tosend an ICMP redirection message to the source device and notices the host to reselect acorrect device to send packets.– The interfaces to receive and forward packets are the same.– The selected route is not created or modified by the ICMP redirection packet.– The selected route is not the route destined for the destination 0.0.0.0.– The subnet mask bit of the source address is the same as that of the outgoing interface.

l ICMP packet sending switchesIn normal circumstance, ICMP host unreachable and redirection messages can ensurenormal packet transmission. However, when devices encounter the preceding conditionsfrequently, network traffic becomes heavy because devices send a large number of ICMP

6 IP Performance ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

messages. This increases the traffic burden. In the case of malicious attacks, networkcongestion becomes worse.To solve this problem, the ICMP host unreachable function can be deployed on theoutbound interface. If this function is disabled, the device does not send out ICMP hostunreachable messages and as a result the traffic burden of the network is released andmalicious attacks to the network is prevented.

Unequal-Cost Load Balancing

The CX600 supports Unequal-Cost Multiple Path (UCMP) among all equal-cost routes to thesame destination.

UCMP supports only flow-based IP packet forwarding.

UCMP applies to only equal-cost routes. It is independent of routing protocols. That is, it doesnot concern whether the Interior Gateway Protocol (IGP) or the Border Gateway Protocol (BGP)is used.

Among the paths that perform UCMP, the bandwidth of each path must not be lower than 1/16of the total bandwidth; otherwise, the path does not participate in UCMP.

The unequal-cost load balancing is classified into interface unequal-cost load balancing andglobal unequal-cost load balancing. The differences between these two modes are described asfollows:

l For the interface unequal-cost load balancing, you need to enable the unequal-cost loadbalancing on all the outgoing interfaces that can forward packets. For the global unequal-cost load balancing, you need to enable the unequal-cost load balancing only in the systemview.

l After the interface unequal-cost load balancing is enabled, you need to restart any interfaceto trigger the delivery FIB entries. After the global unequal-cost load balancing is enabled,FIB entries can be delivered automatically.

The interface unequal-cost load balancing and the global unequal-cost load balancing aremutually exclusive. You cannot enable both of them.

6.2 Improving IP PerformanceBy setting parameters for IP packets, you can optimize the performance of the network.

6.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring IP performance optimization.

6.2.2 Configuring the Maximum Transmission Unit of the InterfaceThe MTU of an interface determines whether a packet needs to be fragmented when passingthrough this interface.

6.2.3 Configuring ICMP AttributesControlling the sending and receiving ICMP messages can protect ICMP messages againstattacks.

6.2.4 Checking the ConfigurationYou can view the configuration of IP performance optimization.



6-3

6.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring IP performance optimization.

Applicable EnvironmentIn some special network environments, you must adjust the IP parameters to achieve the bestperformance. Improving IP performance involves configurations of a series of parameters.

Pre-configuration TasksBefore improving IP performance, complete the following tasks:

l Configuring the physical parameters for related interfaces and ensuring that the status ofthe physical layer of the interface is Up

l Configuring the link layer protocol for related interfaces and ensuring that the status of thelink layer protocol on the interface is Up

l Configuring the IP addresses for related interfaces

Data PreparationTo improve IP performance, you need the following data.

No. Data

1 Number and MTU value of the interface

2 Number of the interface which needs source address verification

3 Number of the interface which needs to forward broadcast packets and ACL number

4 Number of the interface which needs to clear the DF

5 Number of the interface which needs to configure ICMP host-unreachable

6.2.2 Configuring the Maximum Transmission Unit of the InterfaceThe MTU of an interface determines whether a packet needs to be fragmented when passingthrough this interface.

Procedure








Issue 01 (2011-05-30)

Step 3 Run:mtu mtu

The maximum transmission unit of the interface is configured.

----End

Follow-up ProcedureThe default MTU value varies with the interface type. Use the display interface command tofind out the value used.

NOTE

After configuring the MTU on an interface, you must restart the interface; otherwise, the configurationcannot take effect. To restart the interface, run the restart command or the shutdown and then undoshutdown commands.

6.2.3 Configuring ICMP AttributesControlling the sending and receiving ICMP messages can protect ICMP messages againstattacks.

ContextBy default, receiving ICMP messages, and sending ICMP host unreachable messages areenabled.

CAUTIONl If sending ICMP host unreachable messages is disabled, the device no longer sends the ICMP

host unreachable message.l If receiving ICMP messages is disabled, the CX device does not receive ICMP messages in

any condition.

Do as follows on the CX device:

Procedure



Step 2 Run:icmp receive

Receiving ICMP messages is enabled.





6-5

Step 4 Run:icmp host-unreachable send

Sending ICMP host unreachable messages is enabled.

----End

6.2.4 Checking the ConfigurationYou can view the configuration of IP performance optimization.

PrerequisiteThe configurations of the improving IP performance function are complete.

Procedurel Run the display udp statistics command to check the UDP traffic statistics.l Run the display ip interface [ interface-type interface-number ] command or display ip

interface brief [ interface-type [ interface-number ] | slot slot-number [ card card-number ] ] command to check the table information of the IP layer interface.

l Run the display ip statistics [ slot slot-id ] command to check the IP traffic statistics.l Run the display icmp statistics [ slot slot-id ] command to check the ICMP traffic statistics.l Run the display rawlink statistics command to check the Rawlink statistics.l Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type

socket-type ] command to check all the current socket API information.

----End

ExampleRun the display udp statistics command. If the UDP traffic statistics are displayed, it meansthat the configuration succeeds. For example:

<HUAWEI> display udp statisticsReceived packets:Total: 0Total(64bit high-capacity counter): 0checksum error: 0shorter than header: 0, data length larger than packet: 0unicast(no socket on port): 0broadcast/multicast(no socket on port): 0not delivered, input socket full: 0input packets missing pcb cache: 0

Sent packets:Total: 0Total(64bit high-capacity counter): 0

Run the display ip interface command. If the information about IP interfaces is displayed, itmeans that the configuration succeeds. For example:

<HUAWEI> display ip interface gigabitethernet 2/0/2GigabitEthernet2/0/2 current state : UPLine protocol current state : UPThe Maximum Transmit Unit : 1500 bytesinput packets : 1338, bytes : 117744, multicasts : 1338output packets : 1336, bytes : 106884, multicasts : 1336Directed-broadcast packets:




Issue 01 (2011-05-30)

received packets: 0, sent packets: 0 forwarded packets: 0, dropped packets: 0ARP packet input number: 0 Request packet: 0 Reply packet: 0 Unknown packet: 0Internet Address is 120.1.1.1/24Broadcast address : 120.1.1.255TTL being 1 packet number: 0TTL invalid packet number: 0ICMP packet input number: 0 Echo reply: 0 Unreachable: 0 Source quench: 0 Routing redirect: 0 Echo request: 0 Router advert: 0 Router solicit: 0 Time exceed: 0 IP header bad: 0 Timestamp request: 0 Timestamp reply: 0 Information request: 0 Information reply: 0 Netmask request: 0 Netmask reply: 0 Unknown type: 0DHCP packet deal mode: global

Run the display ip statistics command. If the IP traffic statistics are displayed, it means that theconfiguration succeeds. For example:<HUAWEI> display ip statistics

Run the display icmp statistics command. If the ICMP traffic statistics are displayed, it meansthat the configuration succeeds. For example:<HUAWEI> display icmp statistics Input: bad formats 0 bad checksum 0 echo 0 destination unreachable 0 source quench 0 redirects 0 echo reply 0 parameter problem 0 timestamp 0 information request 0 mask requests 0 mask replies 0 time exceeded 0 Mping request 0 Mping reply 0 Output:echo 0 destination unreachable 0 source quench 0 redirects 0 echo reply 0 parameter problem 0 timestamp 0 information reply 0 mask requests 0 mask replies 0 time exceeded 0 Mping request 0 Mping reply 0

Run the display rawlink statistics command. If the Rawlink statistics are displayed, it meansthat the configuration succeeds. For example:<HUAWEI> display rawlink statisticsReceived packets:Total: 1771645ifnet is null: 0input packets missing pcb cache: 1181096not pass multicast: 0no join multicast: 0full sock and pstMBuf to be freed: 0full sock and nothing to be freed: 0full sock and other reason: 0

Send packets:Total: 125850



6-7

6.3 Configuring TCPBy setting IP packets, you can improve the performance of the network.

6.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring TCP.

6.3.2 Configuring TCP TimerBy setting two TCP timers, you can control TCP connection time.

6.3.3 Specifying the Size of a TCP Sliding WindowBy setting the sliding window size for TCP, you can set the sizes of the receiving buffer andtransmitting buffer in the socket. In this manner, you can improve the security of the network.

6.3.4 Checking the ConfigurationYou can view the configuration of TCP.

6.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring TCP.


None.


None.

Data Preparation

To configure TCP, you need the following data.

No. Data

1 SYN-WAIT timer, FIN-WAIT timer, receiving and sending buffer size of the socket

6.3.2 Configuring TCP TimerBy setting two TCP timers, you can control TCP connection time.

Context

The types of TCP timers are shown as follows:

l The SYN-Wait timer: On sending SYN packets, the TCP starts the SYN-Wait timer. Ifresponse packets are not received before the SYN-Wait timer timeout, the TCP connection




Issue 01 (2011-05-30)

is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and thedefault value is 75 seconds.

l The FIN-Wait timer: When the TCP connection status turns from FIN_WAIT_1 toFIN_WAIT_2, the FIN-Wait timer starts. If FIN packets are not received before the FIN-Wait timer timeout, the TCP connection is terminated. The FIN-Wait timer timeout rangesfrom 76 seconds to 3600 seconds, and the default value is 675 seconds.


Procedure



Step 2 Run:tcp timer syn-timeout interval

The SYN-Wait timer of setting up TCP connections is configured.

Step 3 Run:tcp timer fin-timeout interval

The FIN_WAIT_2 timer of setting TCP connections is configured.

----End

6.3.3 Specifying the Size of a TCP Sliding WindowBy setting the sliding window size for TCP, you can set the sizes of the receiving buffer andtransmitting buffer in the socket. In this manner, you can improve the security of the network.

Procedure



Step 2 Run:tcp window window-size

The receiving/sending buffer size of the TCP socket is configured.

The receiving and sending window-size of the connection-oriented socket: It ranges from 1Kbytes to 32K bytes, and the default value is 8K bytes.

----End

6.3.4 Checking the ConfigurationYou can view the configuration of TCP.

PrerequisiteThe configurations of TCP function are complete.



6-9

Procedurel Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-

address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-portremote-port-number ] ] command to check the TCP connection status.

l Run the display tcp statistics command to check the TCP traffic statistics.

----End

ExampleRun the display tcp status command. If the information about the TCP connection status isdisplayed, it means that the configuration succeeds. For example:<HUAWEI> display tcp statusTCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State0a5d560c 30 /1 0.0.0.0:23 0.0.0.0:0 14849 Listening

Run the display tcp statistics command. If the TCP traffic statistics are displayed, it means thatthe configuration succeeds. For example:<HUAWEI> display tcp statisticsReceived packets: Total: 0 Total(64bit high-capacity counter): 0 packets in sequence: 0 (0 bytes) window probe packets: 0, window update packets: 0 checksum error: 0, offset error: 0, short error: 0

duplicate packets: 0 (0 bytes), partially duplicate packets: 0 (0 bytes) out-of-order packets: 0 (0 bytes) packets of data after window: 0 (0 bytes) packets received after close: 0

ACK packets: 0 (0 bytes) duplicate ACK packets: 0, too much ACK packets: 0

Sent packets: Total: 0 Total(64bit high-capacity counter): 0 urgent packets: 0 control packets: 0 (including 0 RST) window probe packets: 0, window update packets: 0

data packets: 0 (0 bytes), data packets retransmitted: 0 (0 bytes) ACK-only packets: 0 (0 delayed)

Other information: Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0 Keep alive timeout: 0, keep alive probe: 0, Keep alive timeout, so connections disconnected : 0 Initiated connections: 0, accepted connections: 0, established connections: 0 Closed connections: 0 ( dropped: 0, initiated dropped: 0) Packets dropped with MD5 authentication: 0 Packets permitted with MD5 authentication: 0 Send Packets permitted with Keychain authentication: 0 Receive Packets permitted with Keychain authentication: 0 Receive Packets Dropped with Keychain authentication: 0

6.4 Configuring Load Balancing for IP Packet ForwardingBy configuring Equal-Cost Multiple Path (ECMP) or Unequal-Cost Multiple Path (UCMP), youcan improve the packet forwarding capability of the network.




Issue 01 (2011-05-30)

6.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for sharing loads of IP packet forwarding.

6.4.2 Configuring the Load Balancing Mode of IP Packet ForwardingLoad balancing can be performed in either of two modes: per-flow and per-packet. Traffic isbalanced on equal-cost routes evenly regardless of the difference in link bandwidths.

6.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet ForwardingIf several equal-cost physical links with different bandwidths lead to the same destination, trafficis balanced among the physical links according to their bandwidths. In this manner, all linksbear different amount of traffic depending on their bandwidths and optimal load balancing isachieved. After enabling UCMP on an interface, you have to shut down and reenable thisinterface. This causes traffic interruption. Therefore, you are recommended to enable UCMPglobally.

6.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet ForwardingIf several equal-cost physical links with different bandwidths lead to the same destination, trafficis balanced among the physical links according to their bandwidths. In this manner, all linksbear different amount of traffic depending on their bandwidths and optimal load balancing isachieved. After load balancing is enabled globally, traffic is not interrupted because no interfaceneeds to be shut down and then enabled again.

6.4.5 Checking the ConfigurationYou can view the configuration of load balancing for IP packet forwarding.

6.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for sharing loads of IP packet forwarding.


The Equal Cost Multipath Path (ECMP) involves evenly distributing traffic among multipleequal-cost paths, regardless of the difference in path bandwidth. This, however, usually leads tothe traffic congestion on the low-bandwidth path.

The Unequal Cost Multipath Path (UCMP) involves proportionally distributing traffic amongmultiple equal-cost paths by considering the difference in path bandwidth. This can achievemore reasonable load balancing because traffic is proportionally distributed among paths.


Before configuring load balancing for IP packet forwarding, complete the following tasks:

l Connecting interfaces and setting physical parameters for interfaces to ensure that thephysical layer status of each interface is Up

l Setting parameters of the link layer protocol for interfaces to ensure that the status of thelink layer protocol on each interface is Up

Data Preparation

To configure load balancing for IP packet forwarding, you need the following data.



6-11

No. Data

1 Interface type and interface number

2 IP address and subnet mask for the interface

6.4.2 Configuring the Load Balancing Mode of IP PacketForwarding

Load balancing can be performed in either of two modes: per-flow and per-packet. Traffic isbalanced on equal-cost routes evenly regardless of the difference in link bandwidths.

Context

Load balancing can be enable during IP packet forwarding.

When flow-based load balancing is carried out, the device considers the protocol type, sourceIP address and mask, destination IP and mask, source port range, and destination port range andthen adopts the hash algorithm to calculate a value. Based on the calculated value, it chooses alink to forward the packets.

When packet-based load balancing is carried out, choose diverse links based on packets frommultiple links to forward packets.

By default, flow-based load balancing is adopted.

Procedure



Step 2 Run:

l load-balance { flow | packet } [ all | slot slot-id ]

Packets on the device are load balanced.

l load-balance ip-enhance { all | slot slot-id }

Packets received on the device are load balanced.

After the load-balance ip-enhance command is run, the device load balances the receivedpackets based on the quintuple: the protocol type, the source IP address, the destination IPaddress, the source port, and the destination port. If the command is not run, the device loadbalances the received packets according to the source IP address, the destination IP address,the source port, and the destination port of the IP packet in flow-by-flow mode.

NOTEWhen the outgoing interfaces are MP interfaces, the load-balance packet [ all | slot slot-id ] commandcannot be run to implement packet-based load balancing among the interfaces. In this case, you canconfigure policy-based routing to implement packet-based load balancing.

----End




Issue 01 (2011-05-30)

6.4.3 Configuring Interface Unequal-Cost Multiple Path During IPPacket Forwarding

If several equal-cost physical links with different bandwidths lead to the same destination, trafficis balanced among the physical links according to their bandwidths. In this manner, all linksbear different amount of traffic depending on their bandwidths and optimal load balancing isachieved. After enabling UCMP on an interface, you have to shut down and reenable thisinterface. This causes traffic interruption. Therefore, you are recommended to enable UCMPglobally.

Procedure





NOTE

The interface must be outgoing interfaces of equal-cost routes. The interface UCMP can be realized amongpaths only after all outgoing interfaces of equal-cost routes on the device are enabled with UCMP and FIBentry delivery is triggered; if one outgoing interface is not enabled with UCMP, Equal-Cost Multiple Path(ECMP) is performed among paths though FIB entry delivery is triggered.

Interface UCMP cannot be enabled globally or on logical interfaces. It can be enabled only onphysical main interfaces.

Step 3 Run:load-balance unequal-cost enable

Interface UCMP is enabled for IP packet forwarding.

Route recalculation and FIB entry delivery are not triggered at once after UCMP is enabled ordisabled on the interface through command lines. FIB entry delivery is performed only afterUCMP configurations are validated.

Step 4 Run:shutdown

The interface where UCMP is enabled is shut down.

Step 5 Run:undo shutdown

The interface is restarted for validating UCMP configurations.

You can reset the interface where UCMP is enabled or disabled to trigger route recalculationand FIB entry delivery so that UCMP configurations can be validated.

NOTE

Restarting the interface is one method to trigger FIB entry delivery. You can also change the IP address ofthe interface to trigger FIB entry delivery and hence validate UCMP configurations.

----End



6-13

6.4.4 Configuring Global Unequal-Cost Multiple Path During IPPacket Forwarding

If several equal-cost physical links with different bandwidths lead to the same destination, trafficis balanced among the physical links according to their bandwidths. In this manner, all linksbear different amount of traffic depending on their bandwidths and optimal load balancing isachieved. After load balancing is enabled globally, traffic is not interrupted because no interfaceneeds to be shut down and then enabled again.

ContextDo as follows on the CX device to implement global UCMP:

Procedure



Step 2 Run:load-balance unequal-cost enable

Global UCMP is enabled for IP packet forwarding.

By default, global UCMP is disabled.

NOTE

l The interfaces that support the UCMP function are Ethernet interfaces, Gigabit Ethernet interfaces,POS interfaces, ATM interfaces, serial interfaces, MP interfaces, Eth-Trunk interfaces, and IP-Trunkinterfaces and TE Tunnel interfaces.

If UCMP is enabled on a TE tunnel interface, the bandwidth value cannot be changed between 0 anda non-zero value, but the bandwidth value can be changed between non-zero values.

l Frequent enabling and then disabling UCMP on an interface greatly degrades the system performance.Therefore, the interval from enabling UCMP to disabling UCMP or from disabling UCMP to enablingUCMP must be equal to or longer than 5 minutes.

----End

6.4.5 Checking the ConfigurationYou can view the configuration of load balancing for IP packet forwarding.

PrerequisiteAll the load balancing configurations for IP packet forwarding are complete.

Procedurel Run the display fib [ slot-id ] command to check the FIB table of the interface board.l Run the display fib acl acl-number [ verbose ] command to check the filtered FIB

information.l Run the display fib [ slot-id ] destination-address1 [ desinationt-mask1 ] [ longer ]

[ verbose ] command to check the FIB entry which matches a destination address.




Issue 01 (2011-05-30)

l Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command to check the FIB entry whose destinationaddress is in the range of destination-address1 destination-mask1 to destination-address2destination-mask2.

l Run the display fib ip-prefix prefix-name [ verbose ] command to check the FIB entriesthat have passed filtering in a certain format according to the input IP prefix name.

l Run the display fib interface interface-type interface-number command to check the FIBentries that have passed filtering in a certain format according to the input interface typeand interface number.

l Run the display fib next-hop ip-address command to check the FIB entries that have passedfiltering in a certain format according to the input next hop address.

l Run the display fib [ slot-id ] statistics command to check the total number of FIB entries.l Run the display fib [ slot-id ] command to check the summary of the FIB.

----End

ExampleRun the display fib command. If the brief information about the FIB is displayed, it means thatthe configuration succeeds. For example:

<HUAWEI> display fibRoute Flags: G - Gateway Route, H - Host Route, U - Up Route S - Static Route, D - Dynamic Route, B - Black Hole Route------------------------------------------------------------------------------Destination/Mask Nexthop Flag TimeStamp Interface TunnelID169.254.0.0/16 2.1.1.1 U t[0] GE1/0/0 0x02.0.0.0/16 2.1.1.1 U t[0] GE1/0/0 0x0127.0.0.0/8 127.0.0.1 U t[0] InLoop0 0x0<HUAWEI> display fib acl 2010Route entry matched by access-list 2010:Summary counts: 1Destination/Mask Nexthop Flag TimeStamp Interface TunnelID127.0.0.0/8 127.0.0.1 U t[0] InLoop0 0x0

6.5 Maintaining IP PerformanceYou can maintain IP performance by deleting IP performance statistics and monitoring theoperation of IP performance.

6.5.1 Clearing IP Performance StatisticsBy running the reset command, you can delete IP performance statistics.

6.5.2 Monitoring Network Operation Status of IP PerformanceBy running the display command, you can monitor the operation of IP performance.

6.5.1 Clearing IP Performance StatisticsBy running the reset command, you can delete IP performance statistics.



6-15

Context

CAUTIONIP/TCP/UDP statistics cannot be restored after you clear it. So, confirm the action before youuse the command.

Procedurel Run the reset ip statistics [ interface interface-type interface-number | slot slot-id ]

command in the user view to clear the IP statistics.l Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the

user view to clear information on the socket monitor.l Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.l Run the reset udp statistics command in the user view to clear the UDP traffic statistics.l Run the reset rawlink statistics command in the user view to clear the Rawlink statistics.l Run the reset rawip statistics command in the user view to clear the RawIP statistics.

----End

6.5.2 Monitoring Network Operation Status of IP PerformanceBy running the display command, you can monitor the operation of IP performance.

ContextIn routine maintenance, you can run the following command in any view to check the operationof IP performance.

Procedurel Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-

address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-portremote-port-number ] ] command in any view to check TCP connection status.

l Run the display tcp statistics command in any view to check statistics about TCP traffic.l Run the display udp statistics command in any view to check statistics about UDP traffic.l Run the display ip interface [ interface-type interface-number ] command or display ip

interface brief [ interface-type [ interface-number ] | slot slot-number [ card card-number ] ] command in any view to check information about IP interfaces.

l Run the display ip statistics [ slot slot-id ] command in any view to check statistics aboutIP traffic.

l Run the display icmp statistics [ slot slot-id ] command in any view to check statisticsabout ICMP traffic.

l Run the display rawlink statistics command in any view to check statistics about Rawlink.l Run the display rawip statistics command in any view to check statistics about RawIP.l Run the display fib [ slot-id ] command in any view to check the FIB on the specified

interface board.




Issue 01 (2011-05-30)

l Run the display fib acl acl-number [ verbose ] command in any view to check the FIBinformation selectively through filtering.

l Run the display fib [ slot-id ] destination-address1 [ desinationt-mask1 ] [ longer ][ verbose ] command in any view to filter FIB entries by matching destination IP addresses.

l Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command in any view to check the FIB entrieswith the destination IP addresses in the range from destination-address1 destination-mask1 to destination-address2 destination-mask2.

l Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check theFIB entries that have passed filtering in a certain format according to the input IP prefixname.

l Run the display fib interface interface-type interface-number command in any view tocheck the FIB entries that have passed filtering in a certain format according to the inputinterface type and interface number.

l Run the display fib next-hop ip-address command in any view to check the FIB entriesthat have passed filtering in a certain format according to the input next hop address.

l Run the display fib [ slot-id ] statistics command in any view to check the total numberof FIB entries.

l Run the display fib [ slot-id ] command in any view to check brief information about theforwarding table.

l Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-typesocket-type ] command in any view to check information about all the socket interfaces ofthe system.

----End


ContextNOTE


6.6.1 Example for Limiting Transmission of ICMP Host-Unreachable PacketsThis part provides an example for configuring ICMP host-unreachable packets.

6.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP PacketForwardingThis part provides an example for configuring interface UCMP for IP packet forwarding.

6.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet ForwardingThis part provides an example for configuring global UCMP for IP packet forwarding.

6.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets

This part provides an example for configuring ICMP host-unreachable packets.



6-17

Networking RequirementsAs shown in Figure 6-1, CX-A, CX-B and CX-C are connected with each other through theirEthernet ports to test limiting transmission of host-unreachable packets.

Figure 6-1 Networking diagram of configuring ICMP host unreachable packets

CX-A

Internet

CX-BCX-C

GE 1/0/01.1.1.1/24

GE 1/0/01.1.1.2/24

GE 1/0/02.2.2.2/24


1. Configure IP addresses for the interfaces on devices.2. Configure static routes between devices that are not directly connected.3. Enable limiting transmission of ICMP Host-unreachable packets.


l Static routes between devices that are not directly connectedl IP addresses for the interfaces

Procedure


# Configure static routes on CX-A.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ip route-static 2.2.2.2 24 1.1.1.2


[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] ip address 1.1.1.1 24[CX-A-GigabitEthernet1/0/0] undo shutdown




Issue 01 (2011-05-30)

[CX-A-GigabitEthernet1/0/0] quit


# Disable sending ICMP host unreachable packets on CX-B and configure an IP address for GE1/0/0.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] undo icmp host-unreachable send[CX-B-GigabitEthernet1/0/0] ip address 1.1.1.2 24[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] quit[CX-B] quit

Step 3 Configure CX-C.

# Configure an IP address for GE 1/0/0 on CX-C.

<HUAWEI> system-view[HUAWEI] sysname CX-C[CX-C] interface gigabitethernet 1/0/0[CX-C-GigabitEthernet1/0/0] ip address 2.2.2.2 24[CX-C-GigabitEthernet1/0/0] undo shutdown[CX-C-GigabitEthernet1/0/0] quit


# Enable the debugging of the ICMP packets of CX-B.

<CX-B> debugging ip icmp

# Run the ping 2.2.2.2 command on CX-A. If you can view that CX-B does not send the hostunreachable packets, it means that the configuration succeeds. For example:

[CX-A] ping 2.2.2.2

----End


# sysname CX-A#interface GigabitEthernet1/0/0 undo shutdown ip address 1.1.1.1 255.255.255.0#ip route-static 2.2.2.0 255.255.255.0 1.1.1.2#return

l Configuration file of CX-B# sysname CX-B#interface GigabitEthernet1/0/0 undo shutdown ip address 1.1.1.2 255.255.255.0 undo icmp host-unreachable send#return

l Configuration file of CX-C#



6-19

sysname CX-C#interface GigabitEthernet1/0/0 undo shutdown ip address 2.2.2.2 255.255.255.0#return

6.6.2 Example for Configuring Interface Unequal-Cost MultiplePath During IP Packet Forwarding

This part provides an example for configuring interface UCMP for IP packet forwarding.


As shown in Figure 6-2, three paths exist between CX-A and CX-E. The three paths respectivelytravel through CX-B, CX-C, and CX-D. It is required that the three paths between CX-A andCX-E perform UCMP during IP packet forwarding. In the example, the unequal-cost loadbalancing refers to the interface unequal-cost load balancing.

Figure 6-2 Networking diagram of configuring UCMP

CX-A

CX-B

CX-C

CX-D

CX-E

POS1/0/0

POS4/0/0

GE3/0/0 GE1/0/0 GE2/0/0 GE3/0/0

POS2/0/0

POS4/0/0

GE2/0/0

GE1/0/0 GE2/0/0

GE2/0/0

GE1/0/010.1.1.1/24

GE1/0/020.1.1.1/24

CX device Interface IP addressCX-A POS4/0/0 30.1.1.1/24

GE3/0/0 40.1.1.1/24GE2/0/0 50.1.1.1/24

CX-B POS1/0/0 30.1.1.2/24POS2/0/0 60.1.1.2/24

CX-C GE1/0/0 40.1.1.2/24GE2/0/0 70.1.1.2/24

CX-D GE1/0/0 50.1.1.2/24GE2/0/0 80.1.1.2/24

CX-E POS4/0/0 60.1.1.1/24GE3/0/0 70.1.1.1/24GE2/0/0 80.1.1.1/24




Issue 01 (2011-05-30)


1. Configure IGP on each device. Here, Intermediate System to Intermediate System (IS-IS)is taken as an example.

2. Enable the UCMP function on each interface of CX-A so that the three paths between CX-A and CX-E can perform UCMP during IP packet forwarding.


l Interface type and numberl IP address of the interfacel IS-IS area ID and IS-IS level of each device

Procedure

Step 1 Configure an IP address for each interface. The detailed configuration procedure is notmentioned here.

Step 2 Configure basic IS-IS functions.

# Configure CX-A.

[CX-A] isis 1[CX-A-isis-1] is-level level-1[CX-A-isis-1] network-entity 10.0000.0000.0001.00[CX-A-isis-1] quit[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] isis enable 1[CX-A-GigabitEthernet1/0/0] quit[CX-A] interface gigabitethernet 2/0/0[CX-A-GigabitEthernet2/0/0] isis enable 1[CX-A-GigabitEthernet2/0/0] quit[CX-A] interface pos 4/0/0[CX-A-Pos4/0/0] isis enable 1[CX-A-Pos4/0/0] quit[CX-A] interface gigabitethernet 3/0/0[CX-A-GigabitEthernet3/0/0] isis enable 1[CX-A-GigabitEthernet3/0/0] quit

# Configure CX-B.

[CX-B] isis 1[CX-B-isis-1] is-level level-1[CX-B-isis-1] network-entity 10.0000.0000.0002.00[CX-B-isis-1] quit[CX-B] interface pos 1/0/0[CX-B-Pos1/0/0] isis enable 1[CX-B-Pos1/0/0] quit[CX-B] interface pos 2/0/0[CX-B-Pos2/0/0] isis enable 1[CX-B-Pos2/0/0] quit

# Configure CX-C.

[CX-C] isis 1[CX-C-isis-1] is-level level-1[CX-C-isis-1] network-entity 10.0000.0000.0003.00[CX-C-isis-1] quit[CX-C] interface gigabitethernet 1/0/0



6-21

[CX-C-GigabitEthernet1/0/0] isis enable 1[CX-C-GigabitEthernet1/0/0] quit[CX-C] interface gigabitethernet 2/0/0[CX-C-GigabitEthernet2/0/0] isis enable 1[CX-C-GigabitEthernet2/0/0] quit

# Configure CX-D.

[CX-D] isis 1[CX-D-isis-1] is-level level-1[CX-D-isis-1] network-entity 10.0000.0000.0004.00[CX-D-isis-1] quit[CX-D] interface gigabitethernet 1/0/0[CX-D-GigabitEthernet1/0/0] isis enable 1[CX-D-GigabitEthernet1/0/0] quit[CX-D] interface gigabitethernet 2/0/0[CX-D-GigabitEthernet2/0/0] isis enable 1[CX-D-GigabitEthernet2/0/0] quit

# Configure CX-E.

[CX-E] isis 1[CX-E-isis-1] is-level level-1[CX-E-isis-1] network-entity 10.0000.0000.0005.00[CX-E-isis-1] quit[CX-E] interface gigabitethernet 1/0/0[CX-E-GigabitEthernet1/0/0] isis enable 1[CX-E-GigabitEthernet1/0/0] quit[CX-E] interface gigabitethernet 2/0/0[CX-E-GigabitEthernet2/0/0] isis enable 1[CX-E-GigabitEthernet2/0/0] quit[CX-E] interface pos 4/0/0[CX-E-Pos4/0/0] isis enable 1[CX-E-Pos4/0/0] quit[CX-E] interface gigabitethernet 3/0/0[CX-E-GigabitEthernet3/0/0] isis enable 1[CX-E-GigabitEthernet3/0/0] quit

Step 3 Check basic IS-IS configurations.

# View IS-IS routing information on CX-A.

[CX-A] display isis route Route information for ISIS(1) -----------------------------

ISIS(1) Level-1 Forwarding Table --------------------------------

IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags-------------------------------------------------------------------------------- 10.1.1.0/24 10 NULL GE1/0/0 Direct D/-/L/-/- 20.1.1.0/24 30 NULL GE3/0/0 40.1.1.2 A/-/-/-/C GE2/0/0 50.1.1.2 Pos4/0/0 30.1.1.2 30.1.1.0/24 10 NULL Pos4/0/0 Direct D/L/- 40.1.1.0/24 10 NULL GE3/0/0 Direct D/L/- 50.1.1.0/24 10 NULL GE2/0/0 Direct D/L/- 60.1.1.0/24 20 NULL Pos4/0/0 30.1.1.2 R/-/- 70.1.1.0/24 20 NULL GE3/0/0 40.1.1.2 A/-/-/-/- 80.1.1.0/24 20 NULL GE2/0/0 50.1.1.2 R/-/- Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set, C-In Computing

# Ping 20.1.1.1 from CX-A. By viewing the display on the Network Management Station (NMStation), you can find that equal-cost load balancing is implemented among outgoing interfaces.




Issue 01 (2011-05-30)

[CX-A] ping 20.1.1.1 PING 20.1.1.1: 56 data bytes, press CTRL_C to break Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms

--- 20.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/16/64 ms

Step 4 Enable UCMP on each outgoing interface of CX-A.[CX-A] interface gigabitethernet 2/0/0[CX-A-GigabitEthernet2/0/0] load-balance unequal-cost enable[CX-A-GigabitEthernet2/0/0] quit[CX-A] interface pos 4/0/0[CX-A-Pos4/0/0] load-balance unequal-cost enable[CX-A-Pos4/0/0] quit[CX-A] interface gigabitethernet 3/0/0[CX-A-GigabitEthernet3/0/0] load-balance unequal-cost enable[CX-A-GigabitEthernet3/0/0] quit

Step 5 Re-enable GigabitEthernet2/0/0, GigabitEthernet3/0/0, and POS4/0/0 to validate UCMPconfigurations on CX-A.[CX-A] interface gigabitethernet 2/0/0[CX-A-GigabitEthernet2/0/0] shutdown[CX-A-GigabitEthernet2/0/0] undo shutdown[CX-A-GigabitEthernet2/0/0] quit[CX-A] interface gigabitethernet 3/0/0[CX-A-GigabitEthernet3/0/0] shutdown[CX-A-GigabitEthernet3/0/0] undo shutdown[CX-A-GigabitEthernet3/0/0] quit[CX-A]interface pos 4/0/0[CX-A-Pos4/0/0] shutdown[CX-A-Pos4/0/0] undo shutdown


# Ping 20.1.1.1 from CX-A. By viewing the display on the NM Station, you can find that UCMPis realized among outgoing interfaces.

[CX-A] ping 20.1.1.1 PING 20.1.1.1: 56 data bytes, press CTRL_C to break Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms

--- 20.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/16/64 ms

----End


# sysname CX-A#isis 1



6-23

is-level level-1 network-entity 10.0000.0000.0001.00#interface GigabitEthernet1/0/0 undo shutdown ip address 10.1.1.1 255.255.255.0 isis enable 1#interface GigabitEthernet2/0/0 undo shutdown load-balance unequal-cost enable ip address 50.1.1.1 255.255.255.0 isis enable 1#interface GigabitEthernet3/0/0 undo shutdown load-balance unequal-cost enable ip address 40.1.1.1 255.255.255.0 isis enable 1#interface Pos4/0/0 link-protocol ppp undo shutdown load-balance unequal-cost enable ip address 30.1.1.1 255.255.255.0 isis enable 1#return

l Configuration file of CX-B# sysname CX-B#isis 1 is-level level-1 network-entity 10.0000.0000.0002.00#interface Pos1/0/0 undo shutdown link-protocol ppp ip address 30.1.1.2 255.255.255.0 isis enable 1#interface Pos2/0/0 link-protocol ppp undo shutdown ip address 60.1.1.2 255.255.255.0 isis enable 1#return

l Configuration file of CX-C# sysname CX-C#isis 1is-level level-1 network-entity 10.0000.0000.0003.00#interface GigabitEthernet1/0/0 undo shutdown ip address 40.1.1.2 255.255.255.0 isis enable 1#interface GigabitEthernet2/0/0 undo shutdownip address 70.1.1.2 255.255.255.0 isis enable 1




Issue 01 (2011-05-30)

#return

l Configuration file of CX-D# sysname CX-D#isis 1 is-level level-1 network-entity 10.0000.0000.0004.00#interface GigabitEthernet1/0/0 undo shutdown ip address 50.1.1.2 255.255.255.0 isis enable 1#interface GigabitEthernet2/0/0 undo shutdown ip address 80.1.1.2 255.255.255.0 isis enable 1#return

l Configuration file of CX-E# sysname CX-E#isis 1 is-level level-1 network-entity 10.0000.0000.0005.00#interface GigabitEthernet1/0/0 undo shutdown ip address 20.1.1.1 255.255.255.0 isis enable 1#interface GigabitEthernet2/0/0 undo shutdown ip address 80.1.1.1 255.255.255.0 isis enable 1#interface GigabitEthernet3/0/0 undo shutdown ip address 70.1.1.1 255.255.255.0 isis enable 1#interface Pos4/0/0 link-protocol ppp undo shutdown ip address 60.1.1.1 255.255.255.0 isis enable 1#return

6.6.3 Example for Configuring Global Unequal-Cost LoadBalancing for IP Packet Forwarding

This part provides an example for configuring global UCMP for IP packet forwarding.


As shown in Figure 6-3, CX-A and CX-C are connected through two links.

l GE 2/0/0 on CX-A and GE 2/0/0 on CX-B are connected through a physical link.



6-25

l Eth-Trunk1 interface on CX-A has two member interfaces, GE 3/0/0 and GE 4/0/0; Eth-Trunk1 interface on CX-B has two member interfaces, GE 3/0/0 and GE 4/0/0.

Eth-Trunk1 interface has two GE interfaces, and thus the bandwidth of Eth-Trunk1 interface istwice that of a single physical link. It is aimed to perform unequal-cost load balancing for IPpacket forwarding in the two links between CX-A and CX-C. In the example, unequal-cost loadbalancing refers to global unequal-cost load balancing.

Figure 6-3 Networking diagram of configuring unequal-cost load balancing

CX-A CX-B CX-C

GE3/0/0GE2/0/0

GE4/0/0GE10/010.1.1.1/24

GE3/0/0

GE4/0/0

GE2/0/0

GE1/0/020.1.1.1/24

GE2/0/2

GE2/0/2Eth-

Trunk1

Device Name Interface Name IP AddressCX-A GE 2/0/0 30.1.1.1/24

Eth-Trunk1 40.1.1.1/24CX-B GE 2/0/0 30.1.1.2/24

Eth-Trunk1 40.1.1.2/24GE 2/0/2 50.1.1.1/24

CX-C GE 2/0/2 50.1.1.2/24


1. Configure a static route on each device.2. Enable unequal-cost load balancing on CX-B so that the two links between CX-A and CX-

C can perform unequal-cost load balancing for IP packet forwarding.


l Interface type and numberl IP address of each interfacel Number of the Eth-Trunk

Procedure

Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.

Step 2 Configure a static route.

# Configure CX-A.

[CX-A] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2[CX-A] ip route-static 20.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2[CX-A] ip route-static 50.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2[CX-A] ip route-static 50.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2




Issue 01 (2011-05-30)

# Configure CX- B.

[CX-B] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.1[CX-B] ip route-static 10.1.1.0 255.255.255.0 eth-trunk1 40.1.1.1[CX-B] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.2

# Configure CX- C.

[CX-C] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1[CX-C] ip route-static 30.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1[CX-C] ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1

Step 3 Enable unequal-cost load balancing on CX-B.[CX-B] load-balance unequal-cost enable


# CX-C can ping through 10.1.1.1. Run the display fib verbose command to view bandwidthinformation of the outbound interface. The command output shows that the bandwidth of Eth-Trunk1 interface is twice that of GE 2/0/0. This indicates that unequal-cost load balancing isenabled.

[CX-C] ping -c 100 -t 10 -m 10 10.1.1.1PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms... --- 10.1.1.1 ping statistics --- 100 packet(s) transmitted 99 packet(s) received 1.00% packet loss round-trip min/avg/max = 1/1/6 ms[CX-B] display fib 10.1.1.1 verbose Route Entry Count: 2 Destination: 10.1.1.0 Mask : 255.255.255.0 Nexthop : 30.1.1.1 OutIf : GigabitEthernet2/0/2 LocalAddr : 30.1.1.2 LocalMask: 0.0.0.0 Flags : GSU Age : 11128sec ATIndex : 0 Slot : 2 LspFwdFlag : 0 LspToken : 0x0 InLabel : NULL OriginAs : 0 BGPNextHop : 0.0.0.0 PeerAs : 0 QosInfo : 0x0 OriginQos: 0x0 NexthopBak : 0.0.0.0 OutIfBak : [No Intf] LspTokenBak: 0x0 InLabelBak : NULL LspToken_ForInLabelBak : 0x0 EntryRefCount : 0 VlanId : 0x0 LspType : 0 Label_ForLspTokenBak : 0 MplsMtu : 0 Gateway_ForLspTokenBak : 0 NextToken : 0x0 IfIndex_ForLspTokenBak : 0 Label_NextToken : 0 Label : 0 LspBfdState : 0 OutIfSpeed(Kbits/sec) : 1000000

Destination: 10.1.1.0 Mask : 255.255.255.0 Nexthop : 40.1.1.1 OutIf : Eth-Trunk1 LocalAddr : 40.1.1.2 LocalMask: 0.0.0.0 Flags : GSU Age : 11128sec ATIndex : 0 Slot : 0 LspFwdFlag : 0 LspToken : 0x0 InLabel : NULL OriginAs : 0 BGPNextHop : 0.0.0.0 PeerAs : 0 QosInfo : 0x0 OriginQos: 0x0 NexthopBak : 0.0.0.0 OutIfBak : [No Intf] LspTokenBak: 0x0 InLabelBak : NULL LspToken_ForInLabelBak : 0x0



6-27

EntryRefCount : 0 VlanId : 0x0 LspType : 0 Label_ForLspTokenBak : 0 MplsMtu : 0 Gateway_ForLspTokenBak : 0 NextToken : 0x0 IfIndex_ForLspTokenBak : 0 Label_NextToken : 0 Label : 0 LspBfdState : 0 OutIfSpeed(Kbits/sec) : 2000000

----End


# sysname CX-A#interface Eth-Trunk1 ip address 40.1.1.1 255.255.255.0#interface GigabitEthernet1/0/0 undo shutdown ip address 10.1.1.1 255.255.255.0#interface GigabitEthernet2/0/0 undo shutdown ip address 30.1.1.1 255.255.255.0#interface GigabitEthernet3/0/0 undo shutdown eth-trunk 1#interface GigabitEthernet4/0/0 undo shutdown eth-trunk 1# ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2 ip route-static 20.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2 ip route-static 50.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2 ip route-static 50.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2#return

l Configuration file of CX-B# sysname CX-B#load-balance unequal-cost enable#interface Eth-Trunk1 ip address 40.1.1.2 255.255.255.0#interface GigabitEthernet2/0/0 undo shutdown ip address 30.1.1.2 255.255.255.0#interface GigabitEthernet2/0/2 undo shutdown ip address 50.1.1.1 255.255.255.0#interface GigabitEthernet3/0/0 undo shutdown eth-trunk 1#interface GigabitEthernet4/0/0 undo shutdown eth-trunk 1#




Issue 01 (2011-05-30)

ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.1 ip route-static 10.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.1 ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.2#return

l Configuration file of CX-C# sysname CX-C# ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1 ip route-static 30.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1 ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1#interface GigabitEthernet1/0/0 undo shutdown ip address 20.1.1.1 255.255.255.0#interface GigabitEthernet2/0/2 undo shutdown ip address 50.1.1.2 255.255.255.0#return



6-29

7 ACL Configuration

About This Chapter

You can distinguish packets through an ACL and process them in different manners.

7.1 ACL OverviewAn ACL can be applied to multiple purposes, including PBR and packet filtering.

7.2 Configuring an Interface-based ACLAn interface-based ACL is an ACL that specifies rules according to interfaces that receivepackets.

7.3 Configuring a Basic ACLWhen defining rules in a basic ACL, you can specify only source IP addresses.

7.4 Configuring an Advanced ACLAn advanced ACL defines rules based on the source address, destination address, type of theprotocol over IP, and protocol features, for example, the source port and destination port of TCPand the type and code of ICMP.

7.5 Configuring an ACL Based on the Ethernet Frame HeaderThis section describes how to configure an Ethernet frame header-based ACL.

7.6 Configuring an UCLThis section describes how to configure a UCL.

7.7 Configuring a Named ACLA named ACL is an advanced ACL. A named ACL defines rules based on the source address,destination address, type of the protocol over IP, and protocol features, for example, the sourceport and destination port of TCP and the type and code of ICMP.

7.8 Configuring a MPLS-based ACLMPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTLvalue of MPLS packets.


HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 7 ACL Configuration


7-1

7.1 ACL OverviewAn ACL can be applied to multiple purposes, including PBR and packet filtering.

7.1.1 Introduction to ACLAn ACL is a list of rules. An ACL classifies packets according to ACL rules, and then a devicedetermines whether to accept the classified packets according to the rules in the ACL.

7.1.2 ACL Supported by the CX600According to the differences in filtering rules, ACLs can be categorized into interface-basedACLs, basic ACLs, and advanced ACLs.

7.1.1 Introduction to ACLAn ACL is a list of rules. An ACL classifies packets according to ACL rules, and then a devicedetermines whether to accept the classified packets according to the rules in the ACL.

An ACL includes a group of orderly rules that consist of rule { deny | permit } clauses. Therules are described with some parameters, such as based on the source address, the destinationaddress, and the port number of data packets. The ACL classifies data packets according to theserules. After these rules are applied to the device, the device can determine whether to receive ordeny packets.

The ACL is classified into these types:

l Basic ACL: classifies packets based on the source address.

l Advanced ACL: classifies packets more detailedly based on the source address, destinationaddress, source port number, destination port number, and protocol type.

l Interface-based ACL: classifies packets based on the interface from which the packets arereceived.

l Ethernet Frame Header ACL: classifies packets more detailedly based on the source MACaddress and destination MAC address.

l User ACL: classifies packets more detailedly based on user groups.

NOTE

Actually, an ACL is a group of rules used to define classes of packets. It cannot be used to filter packet.For detailed processing methods of packets, you need to import detailed functions of ACL. In theCX600, the ACL must be in conjunction with some functions, such as policy-based routing (PBR), firewall,and traffic classification to filter packets.

The default action defined in the ACL rule is deny. Therefore, to allow the subsequent flows to pass, youneed to specify the action in the ACL rule to permit.

7.1.2 ACL Supported by the CX600According to the differences in filtering rules, ACLs can be categorized into interface-basedACLs, basic ACLs, and advanced ACLs.

The CX600 supports an interface-based ACLs, basic ACLs, advanced ACLs, Ethernet frameheader-based ACLs, and ACL-based users (UCLs).

7 ACL ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

7.2 Configuring an Interface-based ACLAn interface-based ACL is an ACL that specifies rules according to interfaces that receivepackets.

7.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an interface-based ACL.

7.2.2 (Optional) Creating a Time RangeBy performing this configuration task, you can specify the time range when an ACL remainsvalid.

7.2.3 Creating an Interface-based ACLThis part describes how to create an interface-based ACL, whose number ranges from 1000 to1999, and specify filtering rules according to the packet-receiving interface.

7.2.4 (Optional) Configuring ACL DescriptionsBy configuring ACL descriptions, you can know the purpose of an ACL when viewing theconfiguration of the ACL.

7.2.5 (Optional) Configuring ACL StepAn ACL step is the difference between two adjacent automatically-assigned ACL numbers.

7.2.6 Checking the ConfigurationYou can view the configuration of an interface-based ACL.

7.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an interface-based ACL.


An ACL can be applied to various services such as route policies and packet filtering. Itdistinguishes different kinds of packets for different processing.


None.

Data Preparation

To configure an ACL, you need the following data.

No. Data

1 (Optional) Name of the time range in which the Interface-based ACL takes effectand the start time and end time of the time range

2 Rule ID of the Interface-based ACL, permit or deny rule



7-3

No. Data

3 Interface type and Interface number of the interface in which the Interface-basedACL takes effect

4 (Optional) Description of the Interface-based ACL

5 (Optional) Step of the Interface-based ACL


Procedure



Step 2 Run:time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

An ACL time range is created.

You can configure multiple time ranges at the same name.

----End

7.2.3 Creating an Interface-based ACLThis part describes how to create an interface-based ACL, whose number ranges from 1000 to1999, and specify filtering rules according to the packet-receiving interface.

Procedure



Step 2 Run:acl [ number ] acl-number [ match-order { auto | config } ]

An interface-based ACL is created.

Step 3 Run:rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any } [ logging | time-range time-name ] *

ACL rules are defined.




Issue 01 (2011-05-30)

interface-type interface-number indicates the specified interface type and interface number.any indicates any interface. logging takes effect on only software-based forwarding such as theapplication of a routing policy.

----End


Procedure



Step 2 Run:acl acl-number

The ACL view is displayed.

Step 3 Run:description text

ACL description is created.

The ACL description covers the function of ACL rules. Its length should be less than 127characters.

----End


Procedure





Step 3 Run:step step

ACL step is configured.

Note the following when modifying ACL configurations:

l The undo step command restores the step to the default and realigns ACL rules.



7-5

l The default step of the ACL rule is 5.

----End

7.2.6 Checking the ConfigurationYou can view the configuration of an interface-based ACL.

PrerequisiteThe configurations of the ACL function are complete.

Procedurel Run the display acl { acl-number | all } command to check the configured ACL rule.l Run the display statistics acl { acl-number | all }control-plane command to check the

statistics about the packets matching the ACL rule in soft forwarding.l Run the display time-range { time-name | all } command to check the time range.

----End

ExampleRun the display acl command. If the ACL number, the number of rules, and detailed stepdescription, and ACL rules are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display acl 1200Interface Based ACL 1200, 1 ruleAcl's step is 5 rule 5 permit interface Pos4/0/0

Using the display statistics acl control-plane command, you can view the statistics about thepackets matching the ACL rule in soft forwarding.

<HUAWEI> display statistics acl 1000 control-planeInterface Based ACL 1000, 1 ruleAcl's step is 5 rule 5 deny interface any (10 times matched)

Run the display time-range command. If the configuration and status of the current time rangeare displayed, it means that the configuration succeeds. For example:

<HUAWEI> display time-range allCurrent time is 14:19:16 3-15-2006 WednesdayTime-range : time1 ( Inactive ) 10:00 to 12:00 dailyTime-range : time2 ( Inactive ) from 13:00 2006/4/1 to 23:59 2099/12/31 Time-range : active1 ( Active ) 14:00 to 00:00 daily

7.3 Configuring a Basic ACLWhen defining rules in a basic ACL, you can specify only source IP addresses.

7.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a basic ACL.




Issue 01 (2011-05-30)


7.3.3 Creating a Basic ACLThis part describes how to create a basic ACL, whose number ranges from 2000 to 2999, andspecify filtering rules according to source interfaces.



7.3.6 Checking the ConfigurationYou can view the configuration of a basic ACL.

7.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a basic ACL.

Applicable EnvironmentAn ACL can be applied to various services, such as routing policies and packet filtering, toimplement differentiated packet processing based on packet types. When defining rules for abasic ACL, you need to specify source IP addresses.

Pre-configuration TasksNone.

Data PreparationTo configure a basic ACL, you need the following data.

No. Data

1 (Optional) Name of the time range in which the basic ACL takes effect and the starttime and end time of the time range

2 Number of the basic ACL

3 Rule ID of the basic ACL, permit or deny rule, and source IP address

4 (Optional) Description of the basic ACL

5 (Optional) Step of the basic ACL




7-7

Procedure






----End

7.3.3 Creating a Basic ACLThis part describes how to create a basic ACL, whose number ranges from 2000 to 2999, andspecify filtering rules according to source interfaces.

Procedure




A basic ACL is created.

Step 3 Run:rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ]*


----End


Procedure







Issue 01 (2011-05-30)





----End


Procedure








l The undo step command restores the step to the default and realigns ACL rules.l The default step of the ACL rule is 5.

----End

7.3.6 Checking the ConfigurationYou can view the configuration of a basic ACL.




----End



7-9

Example

Run the display acl command. If the ACL number, the number of rules, and detailed stepdescription, and ACL rules are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display acl 2000Basic ACL 2000, 1 rule Acl's step is 5 rule 5 deny source 10.1.1.1 0


<HUAWEI> display statistics acl 2000 control-planeBasic ACL 2000, 1 ruleAcl's step is 5 rule 5 deny source 10.1.1.1 0 (234 times matched)



7.4 Configuring an Advanced ACLAn advanced ACL defines rules based on the source address, destination address, type of theprotocol over IP, and protocol features, for example, the source port and destination port of TCPand the type and code of ICMP.

7.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an advanced ACL.


7.4.3 Creating an Advanced ACLThis part describes how to create an advanced ACL, whose number ranges from 3000 to 3999,and specify filtering rules according to the source address, destination address, type of theprotocol over IP, for example, the source port and destination port of TCP and the type of ICMP.



7.4.6 Checking the ConfigurationYou can view the configuration of an advanced ACL.




Issue 01 (2011-05-30)

7.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an advanced ACL.

Application EnvironmentAn ACL can be applied to various services, such as routing policies and packet filtering, toimplement differentiated packet processing based on packet types. When defining rules for anadvanced ACL, you need to specify the source IP address, destination IP address, IP bearerprotocol type, TCP source port, TCP destination port, or ICMP message type and code.


Data PreparationTo configure an advanced ACL, you need the following data.

No. Data

1 (Optional) Name of the time range in which the advanced ACL takes effect and thestart time and end time of the time range

2 Number of the advanced ACL

3 Rule ID of the advanced ACL, permit or deny rule

4 IP bearer protocol type, source and destination ports, source and destination IPaddress, and source IP address fragmented or not, or ICMP message type and code,packet priority, ToS, and timeout period of the ACL rule

5 (Optional) Description of the advanced ACL

6 (Optional) Step of the advanced ACL


Procedure







7-11


----End

7.4.3 Creating an Advanced ACLThis part describes how to create an advanced ACL, whose number ranges from 3000 to 3999,and specify filtering rules according to the source address, destination address, type of theprotocol over IP, for example, the source port and destination port of TCP and the type of ICMP.

Procedure




An advanced ACL is created.

Step 3 Perform the following as required.l When protocol is specified as TCP or UDP

Run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name |source { source-ip-address source-wildcard | any } | source-port operator port | syn-flagsyn-flag | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name |source { source-ip-address source-wildcard | any } | source-port operator port | syn-flagsyn-flag | time-range time-name | vpn-instance vpn-instance-name | dscp dscp |precedence precedence |tos tos ] *

ACL rules are defined.syn-flag syn-flag applies to TCP only.

l When protocol is specified as ICMPRun:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-typeicmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name |vpn-instance vpn-instance-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name |icmp-typeicmp-code } |source { source-ip-address source-wildcard | any } | time-range time-name |vpn-instance vpn-instance-name | precedence precedence | tos tos ] *

ACL rules are defined.l When protocol is specified as other protocol except TCP, UDP or ICMP

Run:




Issue 01 (2011-05-30)

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | precedenceprecedence | tos tos ] *


Configure different advanced ACLs on the device for different protocols over IP. Differentprotocols have different parameters combination. For example, TCP and UDP have optionalparameter [ source-port operator port ] [ destination-port operator port ] while other protocolsdo not.

----End


Procedure








----End


Procedure






7-13






----End

7.4.6 Checking the ConfigurationYou can view the configuration of an advanced ACL.




----End

ExampleRun the display acl command. If the ACL number, the number of rules, and detailed stepdescription, and ACL rules are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display acl 3000Advanced ACL 3000, 1 ruleAcl's step is 5 rule 5 deny ip source 10.1.1.1 0


<HUAWEI> display statistics acl 3000 control-planeAdvanced ACL 3000, 1 ruleAcl's step is 5 rule 5 permit ip (1305 times matched)






Issue 01 (2011-05-30)

7.5 Configuring an ACL Based on the Ethernet FrameHeader

This section describes how to configure an Ethernet frame header-based ACL.


7.5.2 Creating an ACL Based on the Ethernet Frame Header



7.5.5 Checking the Configuration


Application EnvironmentAn ACL can be applied to various services, such as routing policies and packet filtering, toimplement differentiated packet processing based on packet types. The rules for an ACL basedon the Ethernet frame header are defined on the basis of source MAC addresses, destinationMAC addresses, and protocol types of packets.


Data PreparationTo configure an Ethernet frame header-based ACL, you need the following data.

No. Data

1 Number of the Ethernet frame header-based ACL

2 Source MAC addresses, destination MAC addresses, and protocol types

3 (Optional) Description of the Ethernet frame header-based ACL

4 (Optional) Step of the Ethernet frame header-based ACL

7.5.2 Creating an ACL Based on the Ethernet Frame Header

ContextThe acl-number, based on an Ethernet frame header, ranges from 4000 to 4099.



7-15


Procedure




An Ethernet frame header-based ACL is created.

Step 3 Run:rule [ rule-id ] { deny | permit } [ type type type-mask | source-mac source-mac sourcemac-mask | dest-mac dest-mac destmac-mask ]


----End


Procedure








----End


Procedure





Issue 01 (2011-05-30)







l The undo step command restores the step to the default and realigns ACL rules.

l The default step of the ACL rule is 5.

----End


PrerequisiteThe configurations of an Ethernet frame header-based ACL function are complete.

Procedurel Run the display acl { acl-number | all } command to check the configured ACL rule.

l Run the display statistics acl control-plane { acl-number | all } control-plane [ |{ begin | include | exclude } regular-expression ] command to check the statistics for thepackets matching the ACL rule in soft forwarding.

----End

Example

Run the display aclcommand. If the ACL number, the number of rules, step description, andACL rules are displayed, then the configuration has succeeded. For example:

<HUAWEI> display acl 4000Ethernet frame ACL 4000, 2 rulesAcl's step is 5 rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003 rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002

Using the display statistics acl control-plane command, you can view the statistics for thepackets matching the ACL rule in soft forwarding.

<HUAWEI> display statistics acl 4000 control-planeEthernet frame ACL 4000, 2 rulesAcl's step is 5 rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003(45 times matched) rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002(76 times matched)



7-17

7.6 Configuring an UCLThis section describes how to configure a UCL.


7.6.2 (Optional) Creating a Time Range

7.6.3 Creating an UCL

7.6.4 (Optional) Configuring ACL Descriptions

7.6.5 (Optional) Configuring ACL Step



Application EnvironmentAfter being configured with the user-based ACL (UCL), the device can provide different servicesto different user groups. Similar to the configuration for advanced ACL, you need to specifyeither the source IP address, destination IP address, IP bearer protocol type, TCP source port,TCP destination port, or the ICMP message type and code for the UCL.


Data PreparationTo configure an UCL, you need the following data.

No. Data

1 (Optional) Name of the time range during which the advanced UCL takes effect andthe start time and end time of the time range

2 Number of the UCL

3 Rule ID of the UCL, permit or deny rule

4 Either IP bearer protocol type, source and destination ports, source and destinationIP address, and source IP address whether fragmented or not, or the ICMP messagetype and code, packet priority, ToS, and timeout period of the ACL rule

5 (Optional) Description of the UCL

6 (Optional) Step of the UCL

7.6.2 (Optional) Creating a Time Range




Issue 01 (2011-05-30)

ContextDo as follows on the CX device:

Procedure





You can configure multiple time ranges with the same name.

----End

7.6.3 Creating an UCL

ContextThe range of acl-number for a UCL is 6000 to 9999.


Procedure




A UCL is created.

Step 3 Perform the following as required.l If protocol is specified as TCP or UDP

rule [ rule-id ] { deny | permit } protocol source user-group source-group-name[ destination { any | ip-address { destination-ip-address destination-wildcard | any } } |destination-port operator port | fragment-type fragment-type-name | logging | source-port operator port | syn-flag syn-flag | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol source user-group source-group-name[ destination { any | ip-address { destination-ip-address destination-wildcard | any } } |destination-port operator port | fragment-type fragment-type-name | logging | source-port operator port | syn-flag syn-flag | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *

syn-flag syn-flag applies to TCP only.



7-19

l If protocol is specified as ICMP

rule [ rule-id ] { deny | permit } protocol source user-group source-group-name[ destination { any | ip-address { destination-ip-address destination-wildcard | any } } |fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } |logging | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol source user-group source-group-name[ destination { any | ip-address { destination-ip-address destination-wildcard | any } } |fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } |logging | time-range time-name | precedence precedence | tos tos ] *

l If protocolis specified as a protocol other than TCP, UDP or ICMP

rule [ rule-id ] { deny | permit } protocol source user-group source-group-name[ destination { any | ip-address { destination-ip-address destination-wildcard | any } } |fragment-type fragment-type-name } | logging | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol source user-group source-group-name[ destination { any | ip-address { destination-ip-address destination-wildcard | any } } |fragment-type fragment-type-name } | logging | time-range time-name | precedenceprecedence | tos tos ] *

Configure different UCLs on the device for different IP protocols. Different protocols havedifferent combinations of parameters. For example, TCP and UDP have the optional parameter[ source-port operator port ] [ destination-port operator port ] while other protocols do not.

----End

7.6.4 (Optional) Configuring ACL Descriptions

Context


Procedure






An ACL description is created.

The ACL description covers the functions of ACL rules. Its length should be less than 127characters.

----End




Issue 01 (2011-05-30)

7.6.5 (Optional) Configuring ACL Step

ContextDo as follows on the CX device:

Procedure








l The undo step command restores the step to the default and realigns ACL rules.l The default step for ACL rules is 5.

----End


PrerequisiteThe configurations of the UCL function are complete.

Procedurel Run the display acl { acl-number | all } command to check the configured ACL rule.l Run the display time-range { time-name | all } command to check the time range.

----End

ExampleRun the display acl command. If the ACL number, the number of rules, step description, andACL rules are displayed, then the configuration has succeeded. For example:

<HUAWEI> display acl 6000Ucl ACL 6000, 1 ruleAcl's step is 5 rule 5 deny tcp source user-group 1

Run the display time-rangecommand. If the configuration and status of the current time rangeare displayed, then the configuration has succeeded. For example:

<HUAWEI> display time-range all



7-21

Current time is 14:19:16 3-15-2006 WednesdayTime-range : time1 ( Inactive ) 10:00 to 12:00 dailyTime-range : time2 ( Inactive ) from 13:00 2006/4/1 to 23:59 2099/12/31 Time-range : active1 ( Active ) 14:00 to 00:00 daily

7.7 Configuring a Named ACLA named ACL is an advanced ACL. A named ACL defines rules based on the source address,destination address, type of the protocol over IP, and protocol features, for example, the sourceport and destination port of TCP and the type and code of ICMP.

7.7.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a named ACL.


7.7.3 Creating a Named ACLThis part describes how to create an ACL whose name is a character string and how to specifyfiltering rules according to the source address, destination address, type of the protocol over IP,for example, the source port and destination port of TCP and the type of ICMP.

7.7.4 (Optional) Configuring named ACL DescriptionsBy configuring ACL descriptions, you can know the purpose of an ACL when viewing theconfiguration of the ACL.

7.7.5 (Optional) Configuring named ACL StepAn ACL step is the difference between two adjacent automatically-assigned ACL numbers.

7.7.6 Checking the ConfigurationYou can view the configuration of a named ACL.

7.7.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a named ACL.

Application Environment

An ACL can be applied to various services, such as routing policies and packet filtering, toimplement differentiated packet processing based on packet types. Named ACLs are advancedACLs because you need to define rules for the named ACLs by specifying the source IP address,destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMPprotocol type and code.


None.




Issue 01 (2011-05-30)

Data PreparationTo configure a named ACL, you need the following data.

No. Data

1 (Optional) Name of the time range in which the named ACL takes effect and the starttime and end time of the time range

2 Rule ID of the named ACL, permit or deny rule, and source IP address

3 IP bearer protocol type, source and destination ports, destination IP address, or ICMPmessage type and code, packet priority, ToS, and timeout period of the ACL rule

4 (Optional) Description of the named ACL

5 (Optional) Step of the named ACL


Procedure






----End

7.7.3 Creating a Named ACLThis part describes how to create an ACL whose name is a character string and how to specifyfiltering rules according to the source address, destination address, type of the protocol over IP,for example, the source port and destination port of TCP and the type of ICMP.

Procedure



Step 2 Run:acl name acl-name [ number acl-number ] [ match-order { auto | config } ]



7-23

A named ACL is created and the named ACL view is displayed.

Step 3 Perform the following steps as required to configure rules for the named ACL. One ACL canbe configured with multiple rules.

l When protocol is TCP or UDP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name |source { source-ip-address source-wildcard | any } | source-port operator port | vpn-instance vpn-instance-name | syn-flag syn-flag time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name |source { source-ip-address source-wildcard | any } | source-port operator port | syn-flagsyn-flag time-range time-name | vpn-instance vpn-instance-name | precedenceprecedence |tos tos ] *

syn-flagsyn-flag needs to be specified only when TCP is used.

l When protocol is ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-typeicmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name |vpn-instance vpn-instance-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name |icmp-typeicmp-code } |source { source-ip-address source-wildcard | any } | time-range time-name |vpn-instance vpn-instance-name | precedence precedence | tos tos ] *

l When protocol is not TCP, UDP, or ICMP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | precedenceprecedence | tos tos ] *


----End

7.7.4 (Optional) Configuring named ACL DescriptionsBy configuring ACL descriptions, you can know the purpose of an ACL when viewing theconfiguration of the ACL.

Procedure





Issue 01 (2011-05-30)


Step 2 Run:acl name acl-name

The named ACL view is displayed.


The named ACL description is created.


----End

7.7.5 (Optional) Configuring named ACL StepAn ACL step is the difference between two adjacent automatically-assigned ACL numbers.

Procedure



Step 2 Run:acl name acl-name

The named ACL view is displayed.



Note the following when modifying named ACL configurations:


----End

7.7.6 Checking the ConfigurationYou can view the configuration of a named ACL.


Procedurel Run the display acl name acl-name command to check the configured ACL rule.



7-25

l Run the display statistics acl { acl-number | all | name acl-name }control-plane commandto check the statistics about the packets matching the ACL rule in soft forwarding.

----End

Example

# Check the configurations of named ACL, whose name is test.

<HUAWEI> display acl name testAdvanced Name ACL test, 1 ruleAcl's step is 5 rule 5 permit ip

# View the statistics about the packets matching ACL named test in soft forwarding.

<HUAWEI> display statistics acl name test control-planeAdvanced ACL test, 2 rulesAcl's step is 5 rule 5 deny ip destination 1.1.5.0 0.0.0.255 (10 times matched) rule 10 deny ip destination 1.1.6.0 0.0.0.255 (23 times matched)

7.8 Configuring a MPLS-based ACLMPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTLvalue of MPLS packets.

7.8.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a MPLS-based ACL.

7.8.2 Creating a MPLS-based ACLThis part describes how to create a MPLS-based ACL, whose number ranges from 10000 to10999.

7.8.3 Configuring Rules for a MPLS-based ACLMPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTLvalue of MPLS packets.

7.8.4 Checking the ConfigurationYou can view the configuration of a MPLS-based ACL.

7.8.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a MPLS-based ACL.

Application Environment

An MPLS-based ACL can be applied to QoS service, defines rules to filter packets based on theExp value, Label value, and TTL value of MPLS packets.


None.




Issue 01 (2011-05-30)

Data Preparation

To configure a MPLS-based ACL, you need the following data.

No. Data

1 Rule ID of the MPLS ACL, rules that are defined to deny or permit packets.

2 Exp value, Label value, and TTL value of MPLS packets.

7.8.2 Creating a MPLS-based ACLThis part describes how to create a MPLS-based ACL, whose number ranges from 10000 to10999.

Procedure



Step 2 Run:acl [ number ] acl-number

A MPLS-based ACL is created.

----End

7.8.3 Configuring Rules for a MPLS-based ACLMPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTLvalue of MPLS packets.

Procedure



Step 2 Run:acl [ number ] acl-number

The MPLS-based ACL view is displayed.

Step 3 Run:rule [ rule-id ] { deny | permit } [ exp { exp-value | any } &<1-4> | label { label-value | any } &<1-4> | ttl { ttl-operator ttl-value | any } &<1-3> ] *

Rules for the MPLS-based ACL are configured.

----End



7-27

7.8.4 Checking the ConfigurationYou can view the configuration of a MPLS-based ACL.

PrerequisiteThe configuration of the MPLS-based ACL is complete.

Procedurel Run the display acl { acl-number | all } command to check the configured ACL rule.

----End

Example

After running the preceding command, you can view the ACL number, number of ACL rules,and rule contents.

<HUAWEI> display acl 10001Mpls ACL 10001, 2 rulesAcl's step is 5 rule 5 permit exp 2 any any any (0 times matched) rule 10 permit ttl gt 2 any any (0 times matched)


ContextNOTE


7.9.1 Example for Configuring a Traffic Policy Based on Complex Traffic ClassificationThis section provides an example for configuring traffic classifiers and traffic behaviors andapplying them in complex traffic classification.

7.9.2 Example for Configuring the Security Function of Access DevicesThis section provides an example of configuring the security function of access devices.

7.9.3 Example for Configuring an ACL Rule that Is Based on the VPN InstanceThis section provides an example of configuring an ACL rule that is based on the VPN instance.

7.9.1 Example for Configuring a Traffic Policy Based on ComplexTraffic Classification

This section provides an example for configuring traffic classifiers and traffic behaviors andapplying them in complex traffic classification.




Issue 01 (2011-05-30)

Networking RequirementsAs shown in Figure 7-1, PE1, P, and PE2 are CX devices on an MPLS backbone network; CE1and CE2 are access CX devices on the edge of the backbone network. Three users from the localnetwork access the Internet through CE1.

l On CE1, the CIR of the users from the network segment 1.1.1.0 is limited to 10 Mbit/s andthe CBS is limited to 150000 bytes.



l On CE1, the DSCP values of the service packets from the three network segments aremarked to 40, 26, and 0.

l PE1 accesses the MPLS backbone network at the CIR of 15 Mbit/s, the CBS of 300000bytes, the PIR of 20 Mbit/s, and the PBS of 500000 bytes.

l On CE1, the CIR of the UDP packets (except DNS, SNMP, SNMP Trap, and Syslogpackets) is limited to 5 Mbit/s, the CBS is limited to 100000 bytes, and the PIR is limitedto 15 Mbit/s.

Figure 7-1 Diagram for configuring a traffic policy based on complex traffic classification

GE4/0/0

GE3/0/0

GE1/0/0

GE2/0/0

PE1 PE2

GE1/0/020.1.1.2/24

11.11.11.11/32 22.22.22.22/32

POS2/0/0100.1.1.1/24

POS2/0/0110.1.1.1/24

10.1.1.1/24

PGE1/0/010.1.1.2/24

33.33.33.33/32

POS1/0/0100.1.1.2/24

POS2/0/0110.1.1.2/24

1.1.1.0

2.1.1.0

3.1.1.0

CE1CE2

Loopback0 Loopback0 Loopback0

GE2/0/020.1.1.1/24




7-29

1. Configure ACL rules.2. Configure traffic classifiers.3. Configure traffic behaviors.4. Configure traffic policies.5. Apply traffic policies to interfaces.


l ACL numbers 2001, 2002, 2003, 3001, and 3002l DSCP values of the packets from the three network segments, which are re-marked to be

40, 26, and 0 respectivelyl CIRs (10 Mbit/s, 5 Mbit/s, and 2 Mbit/s) and CBSs (150000 bytes, 100000 bytes, and

100000 bytes) of the traffic from the three network segmentsl CIR (5 Mbit/s), CBS (100000 bytes), and PIR (15 Mbit/s) of the UDP packets (except DNS,

SNMP, SNMP Trap, and Syslog packets) on CE1l CIR (15 Mbit/s), CBS (300000 bytes), PIR (20 Mbit/s), and PBS (500000 bytes) of traffic

on PE1l Names of traffic classifiers, traffic behaviors, and traffic policies, and numbers of interfaces

to which traffic policies are applied

Procedure

Step 1 Configure IP addresses of interfaces, routes, and basic MPLS functions. The detailedconfigurations are not mentioned.

Step 2 Configure complex traffic classification on CE1 to control the traffic that accesses CE1 fromthe three local networks.

# Define ACL rules.

<CE1> system-view[CE1] acl number 2001[CE1-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255[CE1-acl-basic-2001] quit[CE1] acl number 2002[CE1-acl-basic-2002] rule permit source 2.1.1.0 0.0.0.255[CE1-acl-basic-2002] quit[CE1] acl number 2003[CE1-acl-basic-2003] rule permit source 3.1.1.0 0.0.0.255[CE1-acl-basic-2003] quit[CE1] acl number 3001[CE1-acl-basic-3001] rule 0 permit udp destination-port eq dns[CE1-acl-basic-3001] rule 1 permit udp destination-port eq snmp[CE1-acl-basic-3001] rule 2 permit udp destination-port eq snmptrap [CE1-acl-basic-3001] rule 3 permit udp destination-port eq syslog [CE1-acl-basic-3001] quit[CE1] acl number 3002[CE1-acl-basic-3002] rule 4 permit udp [CE1-acl-basic-3002] quit

# Configure traffic classifiers and define ACL-based matching rules.

[CE1] traffic classifier a[CE1-classifier-a] if-match acl 2001[CE1-classifier-a] quit[CE1] traffic classifier b




Issue 01 (2011-05-30)

[CE1-classifier-b] if-match acl 2002[CE1-classifier-b] quit[CE1] traffic classifier c[CE1-classifier-c] if-match acl 2003[CE1-classifier-c] quit[CE1]traffic classifier udplimit[CE1-classifier-udplimit] if-match acl 3001[CE1-classifier-udplimit] quit[CE1] traffic classifier udplimit1[CE1-classifier-udplimit1] if-match acl 3002[CE1-classifier-udplimit1] quit

After the preceding configuration, you can run the display traffic classifier command to viewthe configuration of the traffic classifiers.

[CE1] display traffic classifier user-definedUser Defined Classifier Information: Classifier: a Operator: OR Rule(s): if-match acl 2001 Classifier: c Operator: OR Rule(s): if-match acl 2003 Classifier: b Operator: OR Rule(s): if-match acl 2002 Classifier: udplimit Operator: OR Rule(s) : if-match acl 3001 Classifier: udplimit1 Operator: OR Rule(s) : if-match acl 3002

# Define traffic behaviors, configure traffic policing, and re-mark DSCP values.

[CE1] traffic behavior e[CE1-behavior-e] car cir 10000 cbs 150000 pbs 0[CE1-behavior-e] remark dscp 40[CE1-behavior-e] quit[CE1] traffic behavior f[CE1-behavior-f] car cir 5000 cbs 100000 pbs 0[CE1-behavior-f] remark dscp 26[CE1-behavior-f] quit[CE1] traffic behavior g[CE1-behavior-g] car cir 2000 cbs 100000 pbs 0[CE1-behavior-g] remark dscp 0[CE1-behavior-g] quit[CE1] traffic behavior udplimit[CE1-behavior-udplimit] permit[CE1-behavior-udplimit] quit[CE1] traffic behavior udplimit1[CE1-behavior-udplimit1] car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard[CE1-behavior-udplimit1] quit

# Define traffic policies and associate the traffic classifiers with the traffic behaviors.

[CE1] traffic policy 1[CE1-trafficpolicy-1] classifier a behavior e[CE1-trafficpolicy-1] quit[CE1] traffic policy 2[CE1-trafficpolicy-2] classifier b behavior f[CE1-trafficpolicy-2] quit[CE1] traffic policy 3[CE1-trafficpolicy-3] classifier c behavior g[CE1-trafficpolicy-3] quit[CE1] traffic policy udplimit[CE1-trafficpolicy-udplimit] classifier udplimit behavior udplimit[CE1-trafficpolicy-udplimit] classifier udplimit1 behavior udplimit1[CE1-trafficpolicy-3] quit



7-31

After the preceding configuration, run the display traffic policy command to view theconfiguration of the traffic policies, traffic classifiers defined in the traffic policies, and the trafficbehaviors associated with traffic classifiers.

[CE1] display traffic policy user-definedUser Defined Traffic Policy Information:Policy: 1 Classifier: default-class Behavior: be -none- Classifier: a Behavior: e Committed Access Rate: CIR 10000 (Kbps), PIR 0 (Kbps), CBS 15000 (byte), PBS 0 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Marking: Remark DSCP cs5Policy: 2 Classifier: default-class Behavior: be -none- Classifier: b Behavior: f Committed Access Rate: CIR 5000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Marking: Remark DSCP af31 Policy: 3 Classifier: default-class Behavior: be -none- Classifier: c Behavior: g Committed Access Rate: CIR 2000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Marking: Remark DSCP defaultPolicy: udplimit Classifier: default-class Behavior: be -none- Classifier: udplimit Behavior: udplimit Firewall: permit Classifier: udplimit1 Behavior: udplimit1 Committed Access Rate: CIR 5000 (Kbps), PIR 0 (Kbps), CBS 10000 (byte), PBS 15000 (byte) Conform Action: pass Yellow Action: discard Exceed Action: discard

# Apply the traffic policies to the inbound interfaces.

[CE1] interface gigabitethernet 1/0/0[CE1-GigabitEthernet1/0/0] undo shutdown[CE1-GigabitEthernet1/0/0] traffic-policy 1 inbound[CE1-GigabitEthernet1/0/0] quit[CE1] interface gigabitethernet 3/0/0[CE1-GigabitEthernet3/0/0] undo shutdown




Issue 01 (2011-05-30)

[CE1-GigabitEthernet3/0/0] traffic-policy 2 inbound[CE1-GigabitEthernet3/0/0] quit[CE1] interface gigabitethernet 4/0/0[CE1-GigabitEthernet4/0/0] undo shutdown[CE1-GigabitEthernet4/0/0] traffic-policy 3 inbound[CE1] interface gigabitethernet 2/0/0[CE1-GigabitEthernet2/0/0] undo shutdown[CE1-GigabitEthernet2/0/0] traffic-policy udplimit outbound

Step 3 Configure complex traffic classification on PE1 to control the traffic that goes to the MPLSbackbone network.

# Configure traffic classifiers and define matching rules.

<PE1> system-view[PE1] traffic classifier pe[PE1-classifier-pe] if-match any[PE1-classifier-pe] quit

After the preceding configuration, you can run the display traffic classifier command to viewthe configuration of the traffic classifiers.

[PE1] display traffic classifier user-definedUser Defined Classifier Information: Classifier: pe Operator: ORRule(s): if-match any

# Define traffic behaviors and configure traffic policing.

[PE1] traffic behavior pe[PE1-behavior-pe] car cir 15000 pir 20000 cbs 300000 pbs 500000[PE1-behavior-pe] quit

# Define traffic policies and associate the traffic classifiers with the traffic behaviors.

[PE1] traffic policy pe[PE1-trafficpolicy-pe] classifier pe behavior pe[PE1-trafficpolicy-pe] quit

After the preceding configuration, you can run the display traffic policy command to view theconfiguration of the traffic policies, traffic classifiers defined in the traffic policies, and the trafficbehaviors associated with the traffic classifiers.

[PE1] display traffic policy user-definedUser Defined Traffic Policy Information:Policy: pe Classifier: default-class Behavior: be -none- Classifier: pe Behavior: pe Committed Access Rate:CIR 15000 (Kbps), PIR 20000 (Kbps), CBS 300000 (byte), PBS 500000 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard

# Apply the traffic policies to the inbound interfaces.

[PE1] interface gigabitethernet 1/0/0[PE1-GigabitEthernet1/0/0] undo shutdown[PE1-GigabitEthernet1/0/0] traffic-policy pe inbound[PE1-GigabitEthernet1/0/0] quit




7-33

Run the display interface command on CE1 and PE1. You can view that the traffic on theinterfaces is controlled according to the configured traffic policies.

----End

Configuration Filesl Configuration file of CE1

# sysname CE1#acl number 2001 rule 5 permit source 1.1.1.0 0.0.0.255acl number 2002 rule 5 permit source 2.1.1.0 0.0.0.255acl number 2003 rule 5 permit source 3.1.1.0 0.0.0.255acl number 3001 rule 0 permit udp destination-port eq dns rule 1 permit udp destination-port eq snmp rule 2 permit udp destination-port eq snmptrap rule 3 permit udp destination-port eq syslogacl number 3302 rule 4 permit udp #traffic classifier a operator or if-match acl 2001traffic classifier c operator or if-match acl 2003traffic classifier b operator or if-match acl 2002traffic classifier udp-limit operator or if-match acl 3001traffic classifier udp-limit1 operator or if-match acl 3002#traffic behavior e car cir 10000 cbs 150000 pbs 0 green pass red discard remark dscp cs5traffic behavior g car cir 2000 cbs 100000 pbs 0 green pass red discard remark dscp defaulttraffic behavior f car cir 5000 cbs 100000 pbs 0 green pass red discard remark dscp af31traffic behavior udp-limittraffic behavior udp-limit1 car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard #traffic policy 3 classifier c behavior g traffic policy 2 classifier b behavior f traffic policy 1 classifier a behavior e traffic policy udp-limit classifier udp-limit behavior udp-limit classifier udp-limit1 behavior udp-limit1#interface GigabitEthernet1/0/0undo shutdownip address 1.1.1.1 255.255.255.0 traffic-policy 1 inbound#interface GigabitEthernet2/0/0undo shutdownip address 10.1.1.1 255.255.255.0traffic-policy udplimit outbound




Issue 01 (2011-05-30)

#interface GigabitEthernet3/0/0undo shutdownip address 2.1.1.1 255.255.255.0 traffic-policy 2 inbound#interface GigabitEthernet4/0/0undo shutdownip address 3.1.1.1 255.255.255.0 traffic-policy 3 inbound#ospf 1 area 0.0.0.0 network 1.1.1.0 0.0.0.255 network 2.1.1.0 0.0.0.255 network 3.1.1.0 0.0.0.255 network 10.1.1.0 0.0.0.255#return

l Configuration file of PE1# sysname PE1#mpls lsr-id 11.11.11.11 mpls#mpls ldp#traffic classifier pe operator or if-match any#traffic behavior pe car cir 15000 pir 20000 cbs 300000 pbs 500000 green pass yellow pass red discard#traffic policy pe classifier pe behavior pe#interface GigabitEthernet1/0/0 undo shutdown ip address 10.1.1.2 255.255.255.0 traffic-policy pe inbound#interface Pos2/0/0 undo shutdown ip address 100.1.1.1 255.255.255.0 mpls mpls ldp#interface LoopBack0 ip address 11.11.11.11 255.255.255.255#ospf 1 area 0.0.0.0 network 10.1.1.0 0.0.0.255 network 100.1.1.0 0.0.0.255 network 11.11.11.11 0.0.0.0#return

l Configuration file of P# sysname P# mpls lsr-id 33.33.33.33 mpls#mpls ldp#



7-35

interface Pos1/0/0 link-protocol ppp ip address 100.1.1.2 255.255.255.0 mpls mpls ldp#interface Pos2/0/0 link-protocol ppp ip address 110.1.1.1 255.255.255.0 mpls mpls ldp#interface LoopBack0 ip address 33.33.33.33 255.255.255.255#ospf 1 area 0.0.0.0 network 100.1.1.0 0.0.0.255 network 110.1.1.0 0.0.0.255 network 33.33.33.33 0.0.0.0#return

l Configuration file of PE2# sysname PE2#mpls lsr-id 22.22.22.22mpls#mpls ldp#interface GigabitEthernet1/0/0 undo shutdown ip address 20.1.1.2 255.255.255.0#interface Pos2/0/0 undo shutdown ip address 110.1.1.1 255.255.255.0 mpls mpls ldp#interface LoopBack0 ip address 22.22.22.22 255.255.255.255#ospf 10 area 0.0.0.0 network 110.1.1.0 0.0.0.255 network 20.1.1.0 0.0.0.255 network 22.22.22.22 0.0.0.0#return

l Configuration file of CE2# sysname CE2#interface GigabitEthernet2/0/0 undo shutdown ip address 20.1.1.1 255.255.255.0#ospf 1 area 0.0.0.0 network 20.1.1.0 0.0.0.255 #return




Issue 01 (2011-05-30)

7.9.2 Example for Configuring the Security Function of AccessDevices

This section provides an example of configuring the security function of access devices.


As shown in Figure 7-2, CX-A, CX-B, CX-C are access devices; CX-D, CX-E, and CX-F arecore devices; Access devices are connected to core devices by 10G interfaces. The networkprovides voice and 3G services. Security policies need to be configured on access devices tocontrol the access of users and to guarantee the security of both the network and devices.

Figure 7-2 Networking of configuring the security function of access devices

CX-A

CX-C

CX-D

CX-BCX-F CX-E

GE1/0/0

GE1/0/0

GE1/0/0

Internet

InternetInternet



1. Set the passwords to be used for login in NMS and CLI modes.

2. Log information about login failures.

3. Create an Access Control List (ACL) to deny specified services carried on TCP and UDPinterfaces (to defend virus).

Data Preparation


l IP address of each interface

l Passwords to be used for login in NMS and CLI modes



7-37

Procedure

Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.

Step 2 Set the passwords to be used for login in NMS and CLI modes.<CX-A> system-view[CX-A] user-interface console 0[CX-A-ui-con0] shell[CX-A-ui-con0] authentication mode password[CX-A-ui-con0] set authentication password cipher huawei[CX-A-ui-con0] idle-timeout 30 0[CX-A-ui-con0] quit[CX-A] user-interface maximum-vty 15[CX-A] user-interface vty 5 14[CX-A-ui-vty5-14] shell[CX-A-ui-vty5-14] authentication mode password[CX-A-ui-vty5-14] set authentication password cipher huawei[CX-A-ui-vty5-14] idle-timeout 30 0[CX-A-ui-vty5-14] quit

NOTE

Configurations for each access devices are similar. Take CX-A for example.

Step 3 Set logs to be exported to the control console.[CX-A] info-center enable[CX-A] info-center source default channel 9 log level warnings[CX-A] info-center logfile channel channel9[CX-A] quit<CX-A> terminal logging

Step 4 Configure the ACL to prevent devices from being attacked from specified TCP and UDPinterfaces.

NOTE

Configuring the ACL must be performed on the access device interface that is on the access side.<CX-A> system-view[CX-A] acl number 3001[CX-A-acl-adv-3001] description anti-virus[CX-A-acl-adv-3001] rule 5 deny tcp destination-port eq 445[CX-A-acl-adv-3001] rule 10 deny udp destination-port eq 445[CX-A-acl-adv-3001] rule 15 deny tcp destination-port eq 135[CX-A-acl-adv-3001] rule 20 deny udp destination-port eq 135[CX-A-acl-adv-3001] rule 25 deny tcp destination-port eq 137[CX-A-acl-adv-3001] rule 30 deny udp destination-port eq netbios-ns[CX-A-acl-adv-3001] rule 35 deny tcp destination-port eq 139[CX-A-acl-adv-3001] rule 40 deny udp destination-port eq netbios-ssn[CX-A-acl-adv-3001] rule 45 deny udp destination-port eq 1433[CX-A-acl-adv-3001] rule 50 deny udp destination-port eq 1434[CX-A-acl-adv-3001] rule 55 deny tcp destination-port eq 4444[CX-A-acl-adv-3001] rule 60 deny tcp destination-port eq 5554[CX-A-acl-adv-3001] rule 65 deny udp destination-port eq 5554[CX-A-acl-adv-3001] rule 70 deny tcp destination-port eq 9996[CX-A-acl-adv-3001] rule 75 deny udp destination-port eq 9996[CX-A-acl-adv-3001] rule 110 permit ip[CX-A-acl-adv-3001] quit[CX-A] traffic classifier anti-virus operator or[CX-A-classifier-anti-virus] if-match acl 3001[CX-A-classifier-anti-virus] quit[CX-A] traffic behavior anti-virus[CX-A-behavior-anti-virus] quit[CX-A] traffic policy anti-virus[CX-A-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus[CX-A-trafficpolicy-anti-virus] quit[CX-A] interface gigabitethernet 1/0/0




Issue 01 (2011-05-30)

[CX-A-GigabitEthernet1/0/0] traffic-policy anti-virus inbound[CX-A-GigabitEthernet1/0/0] traffic-policy anti-virus outbound

----End

Configuration FilesNOTE

Only the configuration file on the CX-A is provided.

l Configuration file of CX-A# sysname CX-A# info-center source default channel 9 log level warning#acl number 3001 description anti-virus rule 5 deny tcp destination-port eq 445 rule 10 deny udp destination-port eq 445 rule 15 deny tcp destination-port eq 135 rule 20 deny udp destination-port eq 135 rule 25 deny tcp destination-port eq 137 rule 30 deny udp destination-port eq netbios-ns rule 35 deny tcp destination-port eq 139 rule 40 deny udp destination-port eq netbios-ssn rule 45 deny udp destination-port eq 1433 rule 50 deny udp destination-port eq 1434 rule 55 deny tcp destination-port eq 4444 rule 60 deny tcp destination-port eq 5554 rule 65 deny udp destination-port eq 5554 rule 70 deny tcp destination-port eq 9996 rule 75 deny udp destination-port eq 9996 rule 110 permit ip#traffic classifier anti-virus operator or if-match acl 3001#traffic behavior anti-virus#traffic policy anti-virus classifier anti-virus behavior anti-virus#interface GigabitEthernet1/0/0 undo shutdown traffic-policy anti-virus inbound traffic-policy anti-virus outbound#user-interface maximum-vty 15user-interface con 0 authentication-mode password set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!! idle-timeout 30 0user-interface vty 0 4user-interface vty 5 14 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!! idle-timeout 30 0user-interface vty 16 20#return

7.9.3 Example for Configuring an ACL Rule that Is Based on theVPN Instance

This section provides an example of configuring an ACL rule that is based on the VPN instance.



7-39

Networking RequirementsAs shown in Figure 7-3, two VPN instances are configured on the PE. CE1 belongs to VPN-A,whose VPN-target is 111:1; CE2 belongs to VPN-B, whose VPN-target is 222:2. An ACL ruleis configured on the PE to permit users in VPN-A to log in to the PE through Telnet and toprevent users in VPN-B from logging in to the PE. Users in different VPNs cannot communicatewith each other.

Figure 7-3 Typical networking of configuring an ACL rule

PE1 AS: 65420 VPN-B

CE2

AS: 65410VPN-A

CE1

GE1/0/010.1.1.2/24 GE2/0/0

11.1.1.1/24

AS: 100

GE1/0/011.1.1.2/24

GE1/0/010.1.1.1/24


1. Configure VPN instances.2. Define the ACL rule.3. Configure users in different VPNs with different authorities for logging into the PE.


l ACL numberl VPN instance name

ProcedureStep 1 Configure VPN instances on the PE and connect CE1 and CE2 to the PE.

# Configure VPN-A.

<HUAWEI> system-view[HUAWEI] sysname PE[PE] ip vpn-instance vpna[PE-vpn-instance-vpna] route-distinguisher 100:1[PE-vpn-instance-vpna] vpn-target 111:1 both[PE-vpn-instance-vpna] quit[PE] interface gigabitethernet 1/0/0[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna[PE-GigabitEthernet1/0/0] ip address 10.1.1.1 24[PE-GigabitEthernet1/0/0] quit

# Configure VPN-B.

[PE] ip vpn-instance vpnb




Issue 01 (2011-05-30)

[PE-vpn-instance-vpnb] route-distinguisher 100:2[PE-vpn-instance-vpnb] vpn-target 222:2 both[PE-vpn-instance-vpnb] quit[PE] interface gigabitethernet 2/0/0[PE-GigabitEthernet2/0/0] ip binding vpn-instance vpnb[PE-GigabitEthernet2/0/0] ip address 11.1.1.1 24[PE-GigabitEthernet2/0/0] quit

Step 2 Configure an ACL rule and then apply the rule on the PE. After that, users in VPN-A can log into the PE through Telnet; whereas users in VPN-B cannot log in to the PE.[PE] acl number 2001[PE-acl-adv-2001] rule permit vpn-instance vpna[PE-acl-adv-2001] rule deny vpn-instance vpnb[PE-acl-adv-2001] quit

Step 3 Use the ACL rule configured on the PE to control the login of users to the PE through Telnet.[PE] user-interface vty 0 4[PE-ui-vty0-4] authentication-mode none[PE-ui-vty0-4] acl 2001 inbound


# Telnet CE1 to the PE.

<CE1> telnet 10.1.1.1Trying 10.1.1.1 ...Press CTRL+K to abortConnected to 10.1.1.1 ...************************************************************ Copyright (C) 2000-2009 Huawei Technologies Co., Ltd ** Without the owner's prior written consent, ** no decompiling or reverse-engineering shall be allowed. ** Notice: ** This is a private communication system. ** Unauthorized access or use may lead to prosecution. ************************************************************ Info: The max number of VTY users is 10, and the number of current VTY users on line is 1. <PE>

CE1 can log in to the PE through Telnet.

# Telnet CE2 to the PE.

<CE2> telnet 10.1.1.1Trying 10.1.1.1 ...Press CTRL+K to abortError: Failed to connect to the remote host.

CE2 cannot log in to the PE through Telnet.

----End

Configuration Filesl Configuration file of the PE

# sysname PE#ip vpn-instance vpna route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunityip vpn-instance vpnb route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity



7-41

#acl number 2001 rule 5 permit vpn-instance vpna rule 10 deny vpn-instance vpnb#aaa authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default ##interface GigabitEthernet1/0/0 undo shutdown ip binding vpn-instance vpna ip address 10.1.1.1 255.255.255.0#interface GigabitEthernet2/0/0 undo shutdown ip binding vpn-instance vpnb ip address 11.1.1.1 255.255.255.0# user-interface con 0user-interface vty 0 4 acl 2001 inbound authentication-mode noneuser-interface vty 16 20#return

l Configuration file of CE1# sysname CE1#aaa authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default ##interface GigabitEthernet1/0/0 undo shutdown ip address 10.1.1.2 255.255.255.0#user-interface con 0user-interface vty 0 4user-interface vty 16 20#return

l Configuration file of CE2# sysname CE2#aaa authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default #




Issue 01 (2011-05-30)

#interface GigabitEthernet1/0/0 undo shutdown ip address 11.1.1.2 255.255.255.0#user-interface con 0user-interface vty 0 4user-interface vty 16 20#return



7-43

8 Basic IPv6 Configuration

About This Chapter

The IPv6 protocol stack is a support for routing protocols and application protocols on an IPv6network.

8.1 Basic IPv6 OverviewInternet Protocol version 6 (IPv6) is a proposed next generation for the Internet Protocol, whichwas introduced by the Internet Engineering Task Force (IETF) and formerly known as IPng.

8.2 Configuring an IPv6 Address for an InterfaceAssigning an IPv6 address to a device on a network enables the device to communicate with theother devices on the network.

8.3 Configuring an IPv6 Address Selection Policy TableIf multiple addresses are configured on an interface of the device, the IPv6 address selectionpolicy table can be used to select source and destination addresses for packets.

8.4 Configuring IPv6 Neighbor DiscoveryIPv6 neighbor discovery (ND) is a packet transmission process to identify the relationshipbetween neighboring nodes. The Neighbor Discovery Protocol (NDP) replaces the AddressResolution Protocol (ARP), ICMP Router Discovery messages, and ICMP Redirect messages,and introduces neighbor reachability detection.

8.5 Configuring IPv6 SENDThe SEcure Neighbor Discovery (SEND) protocol is a security extension of the NeighborDiscovery Protocol (NDP) in IPv6.

8.6 Configuring PMTUBy setting the PMTU, you can select a proper MTU for packet transmission. In this manner,packets do not have to be fragmented during transmission and loads on intermediate devices arereduced. In addition, network resources are used more efficiently and the network throughputreaches the optimal value.

8.7 Configuring TCP6By setting TCP6 packets, you can improve the performance of the network.

8.8 Maintaining IPv6This section describes how to maintain IPv6. Detailed operations include deleting informationabout IPv6 operation and monitoring IPv6 operation.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 8 Basic IPv6 Configuration


8-1


8 Basic IPv6 ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

8.1 Basic IPv6 OverviewInternet Protocol version 6 (IPv6) is a proposed next generation for the Internet Protocol, whichwas introduced by the Internet Engineering Task Force (IETF) and formerly known as IPng.

8.1.1 Introduction to IPv6IPv6 is an upgraded version of IPv4 and solves many problems with IPv4.

8.1.2 IPv6 Supported by the CX600The basic functions of IPv6 include IPv6 address configuration, IPv6 neighbor discovery,duplicate address detection, router advertisement, ICMPv6 packet control, and Path MTU(PMTU) configuration. The IPv6 protocol stack is a support for routing protocols and applicationprotocols.

8.1.1 Introduction to IPv6IPv6 is an upgraded version of IPv4 and solves many problems with IPv4.

Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is the standard networkprotocol of the second generation. It is a set of specifications designed by the InternetEngineering Task Force (IETF). IPv6 is the upgraded version of IPv4. The most remarkabledifference between IPv6 and IPv4 is that the IP address lengthens from 32 bits to 128 bits.

8.1.2 IPv6 Supported by the CX600The basic functions of IPv6 include IPv6 address configuration, IPv6 neighbor discovery,duplicate address detection, router advertisement, ICMPv6 packet control, and Path MTU(PMTU) configuration. The IPv6 protocol stack is a support for routing protocols and applicationprotocols.

The CX600 supports the IPv6 protocol suite and TCP6 protocol suite.

IPv6 AddressA 128-bit IPv6 address has the following formats:

l X:X:X:X:X:X:X:XIn this format, a 128-bit IP address is divided into eight groups. The 16 bits of each groupare represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups areseparated by colons. Every "X" represents a group of hexadecimal values.

l X:X:X:X:X:X:d.d.d.dThis format is for the following types of addresses:– IPv4-compatible IPv6 address– IPv4-mapped IPv6 addressIPv4-compatible IPv6 address is used to configure an IPv6 over IPv4 tunnel.In this type of address, "X" represents the first six groups of numbers. Each "X" stands for16 bits that are represented by hexadecimal numbers. "d" represents the subsequent fourgroup of numbers. Each "d" stands for eight bits that are represented by decimal numbers."d.d.d.d" is a standard IPv4 address.

An IPv6 address can be divided into two parts:



8-3

l Network prefix: equals the network ID of an IPv4 address. It is of n bits.l Interface identifier: equals the host ID in an IPv4 address. It is of 128-n bits.

Selection of Source and Destination AddressesWhen network administrators need to specify or plan a source and a destination addresses, theycan define a group of address selection rules. An address selection policy table can be createdbased on these rules. Similar to a routing table, this table can be queried based on the longestmatch rule. The address is selected based on a source and a destination addresses.

IPv6 Neighbor DiscoveryThe IPv6 neighbor discovery (ND) is a group of messages and processes that define therelationship between neighboring nodes. ND replaces the Address Resolution Protocol (ARP)messages and the Internet Control Message Protocol (ICMP) device discovery messages. It alsoprovides additional functions.

IPv6 SENDThe SEcure Neighbor Discovery (SEND) protocol is a security extension of the NeighborDiscovery Protocol (NDP) in IPv6.

IPv6 PMTUGenerally, the problem that different networks have different Maximum Transmission Units(MTU) can be solved in the following ways:

l Devices fragment packets as required. The source host only needs to fragment packets;however, the intermediate CX device not only needs to fragment packets, but also toreassemble packets.

l The source host sends packets based on a proper MTU so that packets need not befragmented on the intermediate CX device. In such a case, packet processing burden on theintermediate CX device can be reduced. During IPv6 packet transmission, only this waycan be adopted because IPv6 intermediate CX devices do not support packet fragmentation.

The Path MTU (PMTU) Discovery mechanism aims at finding a proper MTU value on the pathfrom the source to the destination.

IPv6 FIBConnecting network topologies of different types needs the configuration of different routingprotocols. This brings about Routing Information Base (RIB). The RIB is a base of theForwarding Information Base (FIB). Guided by route management policies, a device extracts aminimum of necessary forwarding information from RIB and adds the information to the FIB.Through the route management module, you can also add static routes into the FIB.

A FIB contains a group of minimum information needed by a device during packet forwarding.An FIB entry usually contains the destination address, prefix length, transport port, next-hopaddress, route flag, and time stamp. A device forwards packets according to FIB entries.

The FIB mechanism consists of two parts: FIB agent (used on the control plane) and FIBcontainer (used on the forwarding plane). A FIB agent is responsible for interacting with theRM module for delivering FIB entries to the forwarding engine, and to the I/O board in adistributed system.




Issue 01 (2011-05-30)

A FIB contains the following information:

l Destination address: indicates the network or host a packet is destined for.

l Prefix length: indicates the length of the destination address prefix. From the prefix length,you can infer that the destination address is a network address or a host address.

l Nexthop: indicates the address of the close next hop through which the packet reaches thedestination.

l Flag(s): identifies route features.

l Interface: indicates the outgoing interface of the packet.

l Timestamp: Indicates the time when an FIB entry is established.

8.2 Configuring an IPv6 Address for an InterfaceAssigning an IPv6 address to a device on a network enables the device to communicate with theother devices on the network.

8.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for assigning an IPv6 address to an interface.

8.2.2 Enabling IPv6 Packet Forwarding CapabilityYou can perform other IPv6 configurations on an interface only when IPv6 is enabled in theinterface view. To enable IPv6 packet forwarding on an interface, you must configure IPv6 inthe system view.

8.2.3 Configuring an IPv6 Link-Local Address for an InterfaceThe local address of a link is used in the neighbor discovery protocol, and in the communicationsbetween nodes on the local end of the link in stateless address auto-configuration. The localaddress of a link is valid only for the link. A packet with a link-local address as the source ordestination address is forwarded only along the local link.

8.2.4 Configuring an IPv6 Global Unicast Address for an InterfaceA global unicast IP address is equal to an Internet IPv4 address and can be used for links whoseroute prefixes can be aggregated. In this manner, routing entries can be reduced.

8.2.5 Configuring an IPv6 Anycast Address for an InterfaceAn anycast address is used to identify a group of interfaces.

8.2.6 Checking the ConfigurationYou can view the configuration of the IPv6 address for an interface.

8.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for assigning an IPv6 address to an interface.


When a device communicates with an IPv6 device, you need to configure IPv6 address for theinterface. The CX600 supports configuring IPv6 addresses for the following interfaces:

l Gigabit-Ethernet interfaces and sub-interfaces



8-5

l POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocolsupport IPv6.)

l Tunnel interfacesl Loopback interfacesl Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfacesl VLANIF interfaces

You can configure 10 addresses for one interface. Addresses can be the link-local address andthe global unicast address.

The link-local address is used in ND, and in the communication between nodes on the local linkin the stateless address auto-configuration. The packets using the link-local address as the sourceor destination address are not forwarded to other links.

The link-local address can be automatically generated or manually configured. After beingenable with automatic address generation capability, the system automatically generates a link-local address. The link-local address configured manually must be a valid link-local address(FE80::/10).

It is recommended to automatically generate a link-local address because the link-local addressis used only for the communication between link-local nodes. Commonly, it is used to implementcommunication requirements of protocol and is not directly related to the communicationbetween users.

The global unicast address is equivalent to the IPv4 public address. It is used for data forwardingacross the pubic network, which is necessary for the communication between users.

An EUI-64 address has the same function as an global unicast address. The difference is thatonly the network bits need to be specified for the EUI-64 address and the host bits are transformedfrom the MAC addresses of the interface while a complete 128-bit address need to be specifiedfor the global unicast address. Note that the prefix length of the network bits in an EUI-64 addressmust not be longer than 64 bits.

The EUI-64 address and the global unicast address can be configured simultaneously oralternatively. However, the IP addresses configured for one interface cannot be in the samenetwork segment.


Before configuring IPv6 addresses, complete the following tasks:

l Configuring the physical features of the interface and ensuring that the status of the physicallayer of the interface is Up


Data Preparation

To configure IPv6 addresses for an interface, you need the following data.

No. Data

1 Number of the interface




Issue 01 (2011-05-30)

No. Data

2 Link-local address configured manually

3 Global unicast address and prefix length

8.2.2 Enabling IPv6 Packet Forwarding CapabilityYou can perform other IPv6 configurations on an interface only when IPv6 is enabled in theinterface view. To enable IPv6 packet forwarding on an interface, you must configure IPv6 inthe system view.

ContextTo enable a device to forward IPv6 packets, you must enable the IPv6 capability in both thesystem view and the interface view. This is because:

l If you run the ipv6 command only in the system view, only the IPv6 packet forwardingcapability is enabled on a device. The IPv6 function, however, is not enabled on the interfaceand hence you cannot perform any IPv6 configurations.

l If you run the ipv6 enable command only in the interface view, the IPv6 capability isenabled only on an interface but the IPv6 protocol status on the interface is Down.Therefore, the device cannot forward IPv6 data.

Procedure



Step 2 Run:ipv6

The IPv6 packet forwarding capability is enabled.

By default, the IPv6 packet forwarding capability is disabled.

To enable a device to forward IPv6 packets, you must run this command in the system view;otherwise, the IPv6 protocol status of the interface is Down and the device cannot forward IPv6packets although you enable IPv6 on the interface.


The view of the interface to be enabled with the IPv6 capability is displayed.

Step 4 Run:ipv6 enable

The IPv6 capability is enabled on the interface.

Before performing IPv6 configurations in the interface view, you must enable the IPv6 capabilityin the interface view.



8-7

By default, the IPv6 capability is disabled on the interface.

----End

8.2.3 Configuring an IPv6 Link-Local Address for an InterfaceThe local address of a link is used in the neighbor discovery protocol, and in the communicationsbetween nodes on the local end of the link in stateless address auto-configuration. The localaddress of a link is valid only for the link. A packet with a link-local address as the source ordestination address is forwarded only along the local link.

Procedure





Step 3 Perform the following as required.

Run:

ipv6 address auto link-local

Auto generation of the IPv6 link-local address is enabled.

Or

Run:

ipv6 address ipv6-address link-local

The IPv6 link-local address is manually configured.

Besides configuring a link-local address through the preceding two commands, you can alsoconfigure a global unicast IPv6 address for auto generating a link-local address. For details, seeConfiguring an IPv6 Global Unicast Address for an Interface.

----End

8.2.4 Configuring an IPv6 Global Unicast Address for an InterfaceA global unicast IP address is equal to an Internet IPv4 address and can be used for links whoseroute prefixes can be aggregated. In this manner, routing entries can be reduced.

Procedure







Issue 01 (2011-05-30)


Step 3 Run:ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } or ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

The global unicast address is configured on the interface.

----End

8.2.5 Configuring an IPv6 Anycast Address for an InterfaceAn anycast address is used to identify a group of interfaces.

ContextAnycast addresses and unicast addresses are in the same address range. An anycast address isused to identify a group of interfaces on different nodes.

l Similar to a multicast address, an anycast address is listened to by multiple nodes.Therefore, it is only used as a destination address.

l The packets destined for an anycast address are transmitted to an interface that is in theinterface group identified by the anycast address and is closest to the source node. (Thedistance between an interface and the source node is calculated based on the routingprotocol). The packets destined for a multicast address are transmitted to a group ofinterfaces with the multicast address.

When the 6to4 tunnel is used for the communication between the 6to4 network and the nativeIPv6 network, the CX600 supports the configuration of an anycast address with the prefix of2002:c058:6301:: on the tunnel interface of the 6to4 relay route device.

Alternatively, you can configure a 6to4 address on the tunnel interface of the 6to4 relay routedevice. When multiple 6to4 relay route devices are configured on the network, the differencebetween the two methods is as follows:

l If an 6to4 address is used, you need to configure different addresses for tunnel interfacesof all devices.

l If an anycast address is used, you need to configure the same address for the tunnelinterfaces of all devices. In this manner, the number of addresses is reduced.


system-view




Step 3 Run:ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

An IPv6 anycast address is assigned to an interface.

----End



8-9

8.2.6 Checking the ConfigurationYou can view the configuration of the IPv6 address for an interface.

PrerequisiteThe configurations of the IPv6 addresses are complete.

Procedurel Run the display ipv6 interface [ interface-type interface-number | brief ] command to

check the IPv6 information of an interface.l Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ]

command to check the IPv6 packet statistics.

----End

ExampleRun the display ipv6 interface command. If the IPv6 address of the interface is displayed, itmeans that the configuration succeeds. For example:

<HUAWEI> display ipv6 interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UP ,IPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00 Global unicast address(es):2001::1, subnet is 2001::/64 Joined group address(es): FF02::1:FF00:1 FF02::1:FF04:5D00 FF02::2 FF02::1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

Run the display ipv6 interface command. If the configured IPv6 address and interface statusare displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface brief*down: administratively down!down: FIB overload down(l): loopback(s): spoofingInterface Physical ProtocolGigabitEthernet2/0/2 up up[IPv6 Address] 2030::101:101GigabitEthernet2/0/3 up up[IPv6 Address] 2001::1LoopBack0 up up(s)[IPv6 Address] Unassigned

Run the display ipv6 statistics command. If the statistics on IPv6 packets is displayed, it meansthat the configuration succeeds.

<HUAWEI> display ipv6 statisticsIPv6 Protocol:

Sent packets: Total : 3630




Issue 01 (2011-05-30)

Local sent out : 3630 Forwarded : 0 Raw packets : 0 Discarded : 0 Fragmented : 0 Fragments : 0 Fragments failed : 0 Multicast : 0 Received packets: Total : 3630 Local host : 3630 Hop count exceeded : 0 Header error : 0 Too big : 0 Routing failed : 0 Address error : 0 Protocol error : 0 Truncated : 0 Option error : 0 Fragments : 0 Reassembled : 0 Reassembly timeout : 0 Multicast : 0

8.3 Configuring an IPv6 Address Selection Policy TableIf multiple addresses are configured on an interface of the device, the IPv6 address selectionpolicy table can be used to select source and destination addresses for packets.


IPv6 addresses can be classified into different types based on different applications.

l Link local addresses and global unicast addresses based on the effective range of the IPv6addresses

l Temporary addresses and public addresses based on security levels

l Home addresses and care-of addresses based on the application in the mobile IPv6 field

l Physical interface addresses and logical interface addresses based on the interface attributes

The preceding IPv6 addresses can be configured on the same interface of the CX device. In thiscase, the device must select a source address or a destination addresses from multiple addresseson the interface. If the device supports the IPv4/IPv6 dual-stack, it also must select IPv4addresses or IPv6 addresses for communication. For example, if a domain name maps both anIPv4 address and an IPv6 address, the system must select an address to respond to the DNSrequest of the client.

An IPv6 address selection policy table solves the preceding problems. It defines a group ofaddress selection rules. The source and destination addresses of packets can be specified orplanned based on these rules. This table, similar to a routing table, can be queried by using thelongest matching rule. The address is selected based on the source and destination addresses.

l The label parameter can be used to determine the result of source address selection. Theaddress whose label value is the same as the label value of the destination address is selectedpreferably as the source address.

l The destination address is selected based on both the label and the precedence parameters.If label values of the candidate addresses are the same, the address whose precedence valueis largest is selected preferably as the destination address.


None.



8-11

Procedure



Step 2 Run:ipv6 address-policy [ vpn-instance vpn-instance-name ] ipv6-address prefix-length precedence label

The source or destination address selection policies are configured.

By default, only default address selection policy entries are contained. These entries are prefixedwith ::1, ::, 2002::, FC00::, and ::ffff:0:0.

A maximum of 50 address selection policy entries are supported by the system.

----End

Checking the Configuration

Run the following commands to check the previous configuration.

l Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-address prefix-length } command to check address selection policy entries.

Run the display ipv6 address-policy all command, and you can check all address selectionpolicy entries, including the default address selection policy entries and the address selectionpolicy entry configured by ipv6 address-policy command whose prefix is 3::.

<HUAWEI> display ipv6 address-policy allPolicy Table : Total:6------------------------------------------------------------------------------- Prefix : :: PrefixLength : 0 Precedence : 40 Label : 1 Default : Yes

Prefix : ::1 PrefixLength : 128 Precedence : 50 Label : 0 Default : Yes

Prefix : ::FFFF:0.0.0.0 PrefixLength : 96 Precedence : 10 Label : 4 Default : Yes

Prefix : 3:: PrefixLength : 64 Precedence : 40 Label : 20 Default : No

Prefix : 2002:: PrefixLength : 16 Precedence : 30 Label : 2 Default : Yes

Prefix : FC00:: PrefixLength : 7 Precedence : 20 Label : 3 Default : Yes

-------------------------------------------------------------------------------




Issue 01 (2011-05-30)

8.4 Configuring IPv6 Neighbor DiscoveryIPv6 neighbor discovery (ND) is a packet transmission process to identify the relationshipbetween neighboring nodes. The Neighbor Discovery Protocol (NDP) replaces the AddressResolution Protocol (ARP), ICMP Router Discovery messages, and ICMP Redirect messages,and introduces neighbor reachability detection.

8.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for IPv6 neighbor discovery.

8.4.2 Configuring Static NeighborsBy configuring a static neighbor, you can obtain the mapping of the IPv6 address and MACaddress of the neighbor.

8.4.3 Enabling RA Message AdvertisingAfter being enabled with CX device advertisement, the device can send router advertisementmessages, providing prefixes for hosts.

8.4.4 Setting the Interval for Advertising RA MessagesThe device periodically sends router advertisement messages containing information such asprefixes and flag bits.

8.4.5 Enabling Stateful Auto ConfigurationAfter being enabled with stateful auto-configuration, the host can obtain an IPv6 address throughstateful auto-configuration, for example, the DHCP server.

8.4.6 Configuring the Address Prefixes to Be AdvertisedNodes of the local links can perform address auto-configuration by using prefixes of theseaddresses.

8.4.7 Configuring Other Information to Be AdvertisedA router advertisement message carries information such as the maximum number of hops,prefix option, neighbor hold time, and keepalive time.

8.4.8 Configuring the Default Router Priority and Route InformationRA packets that carry the default router priority and route information can be transmitted overthe local link. In this manner, a proper CX device can be selected to forward packets of a host.

8.4.9 (Optional) Configuring Routed Proxy NDThis configuration can be used if an enterprise has two physical networks in different subnetsof the same IP network, but separated by a device. You must enable the proxy ND on the deviceinterface connected to the physical networks for the two networks to communicate.

8.4.10 Checking the ConfigurationYou can view the configuration of IPv6 neighbor discovery.

8.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for IPv6 neighbor discovery.

Applicable EnvironmentMost of the ND configurations are implemented based on the interfaces.



8-13

The IPv6 ND configuration is supported on the following interfaces:

l Gigabit-Ethernet interfaces and their sub-interfaces

l POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocolsupport IPv6.)

l Tunnel interfaces

l Loopback interfaces

l Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces

l VLANIF interfaces

NOTE

Though the POS interfaces can be configured with IPv6 ND-related commands, packet sending or packetforwarding on these interfaces actually do not require neighbor entries.


Before configuring IPv6 neighbor discovery, complete the following tasks:

l Configuring the physical features for the interface and ensuring that the status of thephysical layer of the interface is Up

l Configuring link layer parameters for the interface

l Configuring the IPv6 address for the interface

Data Preparation

To configure IPv6 neighbor discovery, you need the following data.

No. Data

1 Number of interface which needs to be configured with IPv6 ND

2 IPv6 address and MAC address of the static neighbor

3 Intervals, prefix, and life duration of RA messages

4 Flag bit of automatic configuration

5 Hop limit of ND

6 Sending times of DAD

7 Intervals for re-transmitting NS messages

8 NUD reachable time

9 Interface MTU

8.4.2 Configuring Static NeighborsBy configuring a static neighbor, you can obtain the mapping of the IPv6 address and MACaddress of the neighbor.




Issue 01 (2011-05-30)

Procedure





Step 3 Run one of the following commands as required:l To configure a static neighbor entry on a common Layer 3 interface, run the ipv6

neighbor ipv6-address mac-address command.l To configure a static neighbor entry on a VLANIF interface, run the ipv6 neighbor ipv6-

address mac-address vid vlan-id interface-type interface-number command.l To configure a static neighbor entry on a sub-interface for QinQ VLAN tag termination, run

the ipv6 neighbor ipv6-address mac-address vid vid [ cevid cevid ] command.

NOTEIf an interface is configured with dynamic QinQ, you cannot configure a static neighbor entry on it.

Static neighbors can be configured for interfaces and their sub-interfaces. You can configure upto 300 neighbors on each interface.

----End

8.4.3 Enabling RA Message AdvertisingAfter being enabled with CX device advertisement, the device can send router advertisementmessages, providing prefixes for hosts.

Procedure





Step 3 Run:undo ipv6 nd ra halt

The function of advertising RA messages is enabled.

----End

8.4.4 Setting the Interval for Advertising RA MessagesThe device periodically sends router advertisement messages containing information such asprefixes and flag bits.



8-15

Procedure





Step 3 Run:ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

The interval for advertising RA messages is configured.

By default, the maximum interval is 600 seconds and the minimum interval is 200 seconds.

The maximum interval can not be shorter than the minimum interval.

When the maximum interval is less than 9 seconds, the minimum interval is set to the same valueas the maximum interval.

----End

8.4.5 Enabling Stateful Auto ConfigurationAfter being enabled with stateful auto-configuration, the host can obtain an IPv6 address throughstateful auto-configuration, for example, the DHCP server.

Procedure





Step 3 Run:ipv6 nd autoconfig managed-address-flag

The flag bit for stateful auto configuration addresses is set.

If this flag is set, hosts use the stateful protocol for address auto-configuration in addition to anyaddresses auto-configured using stateless address auto-configuration.

Step 4 Run:ipv6 nd autoconfig other-flag

The flag bit for other stateful configurations is set.

When this flag is set, hosts use the stateful protocol for auto-configuration of other (non-address)information.

----End




Issue 01 (2011-05-30)

8.4.6 Configuring the Address Prefixes to Be AdvertisedNodes of the local links can perform address auto-configuration by using prefixes of theseaddresses.

Procedure





Step 3 Run:ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | ipv6-prefix/ipv6-prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]

The prefix of RA messages is configured.

----End

8.4.7 Configuring Other Information to Be AdvertisedA router advertisement message carries information such as the maximum number of hops,prefix option, neighbor hold time, and keepalive time.

ContextDuplicate Address Detect (DAD) is a process of IPv6 automatic address configuration. You canconfigure the number of DAD messages which are sent continuously.

Set the interval of sending Neighbor Solicitation (NS) messages on the device. By default, NSre-transmitting time interval is 1000ms.

Neighbor Unreachability Detection (NUD) checks the reachability of neighbors. By default,NUD value is 30000ms.

The MTU of the interface determines whether to fragment IP packets on the interface. DefaultMTUs vary with interface types. The MTU on an GigabitEthernet interface defaults to be 1500bytes.

Procedure



Step 2 Run:ipv6 nd hop-limit limit

ND hop limit is configured.



8-17

The value of limit ranges from 1 to 255. By default, it is 64.



Step 4 Run:ipv6 nd ra hop-limit limit

ND hop limit is configured.

The value of limit ranges from 0 to 255. By default, it is 64.

NOTE

l If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an RA messageuses the value configured on the interface.

l If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA messageuses the value configured globally, that is, the value configured in the ipv6 nd hop-limit command.

Step 5 Run:ipv6 nd ra router-lifetime ra-lifetime

The life duration of RA messages is configured.

NOTE

l When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval mustbe less than or equal to the life duration.

l By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.l By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration

is still 1800 seconds.

Step 6 Run:ipv6 nd dad attempts value

Times to send DAD messages are configured.

Step 7 Run:ipv6 nd ns retrans-timer interval

The interval for re-sending NS messages is set.

Step 8 Run:ipv6 nd nud reachable-time value

The NUD reachable time is set.

Step 9 Run:ipv6 mtu mtu

MTU of the interface is configured.

The IPv6 MTU should be smaller than 9600 bytes on the GigabitEthernet of the LPUF-20.

----End

Follow-up ProcedureIf the IPv6 MTU value is changed, run the shutdown command and the undo shudowncommand orderly in the interface view to validate the configuration.




Issue 01 (2011-05-30)

8.4.8 Configuring the Default Router Priority and RouteInformation

RA packets that carry the default router priority and route information can be transmitted overthe local link. In this manner, a proper CX device can be selected to forward packets of a host.

Context

If a host is connected to multiple CX devices, the host must select a CX device to forward packetsbased on the destination addresses of packets. The CX device can advertise the default routerpriority and specified route information to the host so that the host can select a proper forwardingCX device based on the destination addresses of packets.

After receiving the RA packets carrying the route information, the host updates its routing table.When sending packets to another device, the host queries the routing table and selects a properroute to send packets.

When receiving the RA packets that carry the priority of default routers, the host updates itsdefault router table. When sending packets to another device, if there is no route to be selected,the host queries the default router table. Then, the host selects a CX device with the highestpriority on the local link to send packets. If the CX device is faulty, the host selects another CXdevice in descending order of priority.

Procedure





Step 3 Run:ipv6 nd ra preference { high | medium | low }

The default router priority is configured in RA packets.

Step 4 Run:ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime [ preference { high | medium | low } ]

Route information is configured in RA packets.

----End

8.4.9 (Optional) Configuring Routed Proxy NDThis configuration can be used if an enterprise has two physical networks in different subnetsof the same IP network, but separated by a device. You must enable the proxy ND on the deviceinterface connected to the physical networks for the two networks to communicate.



8-19

Procedure





Step 3 Run:bas

A BAS interface is created and the BAS interface view is displayed.

Step 4 Run:nd-proxy enable

Routed proxy ND is enabled.

----End

8.4.10 Checking the ConfigurationYou can view the configuration of IPv6 neighbor discovery.

PrerequisiteThe configurations of the IPv6 neighbor discovery function are complete.

Procedurel Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interface-

number | vpn-instance vpn-instance-name ], display ipv6 neighbors [ interface-typeinterface-number [ vid vid [ cevid cevid ] ] ], or display ipv6 neighbors slot slot-id[ verbose ] [ [vid vlan-id ] [ interface-type interface-number ] ] command to check theneighbor information in the cache.

l Run the display ipv6 neighbors[ [ vid vlan-id] interface-type interface-number ] commandto check the neighbor information in the cache.

l Run the display ipv6 interface [ interface-type interface-number | brief ] command tocheck the IPv6 information of an interface.

----End

ExampleRun the display ipv6 neighbors command. If the cache of the neighbor information containsneighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.

<HUAWEI> display ipv6 neighbors gigabitEthernet1/0/0--------------------------------------------------------IPv6 Address : 3003::2Link-layer : 00e0-fc89-fe6e State : STALEInterface : GE1/0/0 Age : 7VLAN : - CEVLAN: -VPN name : vpn1 Is Router: TRUESecure FLAG : UN-SECURE




Issue 01 (2011-05-30)

IPv6 Address : FE80::2E0:FCFF:FE89:FE6ELink-layer : 00e0-fc89-fe6e State : STALEInterface : GE1/0/0 Age : 7VLAN : - CEVLAN: -VPN name : vpn1 Is Router: TRUESecure FLAG : UN-SECURE---------------------------------------------------------Total: 2 Dynamic: 2 Static: 0

Run the display ipv6 interface command. If information about the IPv6 address on the interfaceis displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UP IPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00 Global unicast address(es):2001::1, subnet is 2001::/64 Joined group address(es): FF02::1:FF00:1 FF02::1:FF04:5D00 FF02::2 FF02::1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

Run the display ipv6 interface brief command. If information about the IPv6 address on theinterface and interface status are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 interface brief*down: administratively down!down: FIB overload down(l): loopback(s): spoofingInterface Physical ProtocolGigabitEthernet2/0/2 up up[IPv6 Address] 2030::101:101GigabitEthernet2/0/3 up up[IPv6 Address] 2001::1LoopBack0 up up(s)[IPv6 Address] Unassigned

8.5 Configuring IPv6 SENDThe SEcure Neighbor Discovery (SEND) protocol is a security extension of the NeighborDiscovery Protocol (NDP) in IPv6.

8.5.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure of IPv6 SEND.

8.5.2 Configuring a CGA IPv6 AddressTo enable IPv6 SEND to protect ND messages that carry CGA and RSA options, you need toconfigure a CGA IPv6 address on an interface that sends ND messages.

8.5.3 Configuring Strict IPv6 SENDAfter the rate limit for processing received ND messages, the key length allowed on the interface,and the timestamp in the ND messages are set, the system considers the received ND messagesthat do not meet these requirements invalid.



8-21

8.5.4 Checking the ConfigurationThe IPv6 SEND configurations can be checked.

8.5.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure of IPv6 SEND.


IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover other nodes on the link andto ensure reachability between neighbors. Therefore, NDP must be secured. IPSec can protectNDP, but this requires too many complicated configurations. Therefore, IPv6 SEND can beconfigured to protect NDP.

The SEND protocol is designed to address the following attacks to NDP:

l Redirect attack: Neighbor Solicitation (NS) or Neighbor Advertisement (NA) spoofing,malicious last hop router, spoofed redirect message, and replay attackAn attacking node causes packets of legitimate nodes to be sent to some other link-layeraddresses. This can be done by either sending an NS message with a different source link-layer address option, or sending an NA message with a different destination link-layeraddress option.

l Denial-of-Service (DoS) attack: Neighbor Unreachability Detection (NUD) failure,Duplicate Address Detection (DAD) attack, bogus address configuration prefix, andparameter spoofingAn attacker keeps sending fabricated NA messages in response to NUD NS messages. Afterhaving failed to send NS messages for several times, a host deletes the neighbor entries ofthe attacked node, which causes the attacked node to fail to communicate with the host. Anattacker can also respond to every DAD attempt, simulating that it (the attacker) has alreadytaken the address claimed by the attacked node into use. In this case, the attacked node maybe unable to obtain an IP address and fail to work properly.

To counter the preceding security threats, SEND introduces two new options: aCryptographically Generated Addresses (CGA) option and a Rivest Shamir Adleman (RSA)option.

l CGAs are used to make sure that the sender of a Neighbor Discovery (ND) message is the"owner" of the claimed address. (The address is the source address of the ND message.)

l RSA is a digital signature of an ND message, and is used to verify the integrity of the NDmessage and the validity of the ND message sender.

To encounter the threats to NDP, SEND also defines two options in an ND message:

l Nonce option: used to prevent replay attacks by assuring that a particular NA message islinked to the NS message that triggered it. For example, during the exchange of NS andNA messages, both the NS and NA messages carry a Nonce option. The NS message senderthen determines whether the received NA message is valid based on the carried Nonceoption.

l Timestamp option: used to protect unsolicited advertisement and redirect messages. Asender must ensure that each received message contains a latest timestamp.

Currently, IPv6 SEND is supported on the following types of interfaces:




Issue 01 (2011-05-30)

l Ethernet interface and its sub-interfaces

l GigabitEthernet interface and its sub-interfaces

l Serial interface whose link protocol is PPP or HDLC

l POS interface whose link protocol is PPP or HDLC

l Eth-Trunk interface, Eth-Trunk sub-interfaces, and IP-Trunk interface

l VLANIF interface

NOTE

IPv6 ND related commands can be run on serial and POS interfaces, and no neighbor entries are neededwhen packets are being sent or forwarded from these interfaces.


Before configuring IPv6 SEND, complete the following tasks:

l Setting parameters for the link layer protocols on the interfaces to ensure that the link layerprotocols are Up

l Configuring IPv6 ND

Data Preparation

To configure IPv6 SEND, you need the following data.

No. Data

1 RSA key pair name and associated parameter

2 Number of the interface where IPv6 SEND is configured

3 Modifier value and security level of a CGA address

4 CGA IPv6 address

5 Rate limit for processing received ND messages

6 Key length allowed on an interface

7 Timestamp parameters in an ND message

8.5.2 Configuring a CGA IPv6 AddressTo enable IPv6 SEND to protect ND messages that carry CGA and RSA options, you need toconfigure a CGA IPv6 address on an interface that sends ND messages.

Context

If a CGA IPv6 address is configured on an interface, the ND message sent by the interface willcarry CGA and RSA options. After receiving the ND message, the remote interface checks thevalidity of the ND message sender and the integrity of the ND message based on the CGA andRSA options.



8-23

Procedure



Step 2 Run:rsa key-pair label label-name modulus modulus-bits

An RSA key pair is created.


The view of the interface where a CGA IPv6 address needs to be configured is displayed.

Step 4 Run:ipv6 security rsakey-pair key-label

The RSA key pair is bound to the interface to generate a CGA address.

Step 5 Run:ipv6 security modifier sec-level sec-value [ modifier-value ]

The modifier value and security level are configured for the CGA address.

The modifier value can be manually configured only when the security level of the CGA addressis 0.

Step 6 Run:ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga

Or

ipv6 address ipv6-address link-local cga

A CGA IPv6 address is configured.

----End

Follow-up ProcedureRun the ipv6 nd security strict command to enable the strict security mode on the interface.

NOTE

If a local device is enabled with the strict security mode whereas the remote device is not, the local deviceconsiders the messages sent by the remote device invalid and discards them.

8.5.3 Configuring Strict IPv6 SENDAfter the rate limit for processing received ND messages, the key length allowed on the interface,and the timestamp in the ND messages are set, the system considers the received ND messagesthat do not meet these requirements invalid.

ContextWhen working in strict security mode, an interface regards the received ND message insecureand discards it in the following cases:




Issue 01 (2011-05-30)

l The rate of processing the received ND message exceeds the rate limit of the system.l The key length in the received ND message is out of the length range allowed on the

interface.l The difference between the receive time and the send time of the ND message is out of the

time range allowed on the interface.NOTE

On a link, device A is configured with strict IPv6 SEND whereas device B is not. In this case, device Aregards the ND messages sent from device B insecure and rejects them.


system-view


Step 2 (Optional) Run:ipv6 nd security rate-limit ratelimit-value

The rate limit for processing received ND messages is set.



Step 4 (Optional) Run:ipv6 nd security key-length { minimum keylen-value | maximum keylen-value } *

The key length allowed on the interface is set.

Step 5 (Optional) Run:ipv6 nd security timestamp { fuzz-factor fuzz-value | delta delta-value | drift drift-value } *

The timestamp configuration parameters are set

Step 6 Run:ipv6 nd security strict

The strict security mode is enabled on the interface.

----End

8.5.4 Checking the ConfigurationThe IPv6 SEND configurations can be checked.

PrerequisiteThe configurations of IPv6 SEND are complete.

Procedurel Run the display ipv6 security interface interface-type interface-number command to

check the IPv6 SEND configurations.

----End



8-25

Example

Run the display ipv6 security interface interface-type interface-number command, and youcan check the IPv6 SEND configurations.

<HUAWEI> display ipv6 security gigabitethernet 1/0/0 (L) : Link local address SEND information for the interface : GigabitEthernet1/0/0---------------------------------------------------------------------------- IPv6 address PrefixLength Collision Count---------------------------------------------------------------------------- FE80::18A8:19F0:C5A4:7A52 (L) 10 0 1::18F5:E2FA:63CF:31DE 64 0---------------------------------------------------------------------------- SEND sec value : 0 SEND security modifier value : 1::1 SEND RSA key label bound : huawei SEND ND minimum key length value : 1280 SEND ND maximum key length value : 2000 SEND ND Timestamp delta value : 100 SEND ND Timestamp fuzz value : 2 SEND ND Timestamp drift value : 2 SEND ND fully secured mode : enabled

8.6 Configuring PMTUBy setting the PMTU, you can select a proper MTU for packet transmission. In this manner,packets do not have to be fragmented during transmission and loads on intermediate devices arereduced. In addition, network resources are used more efficiently and the network throughputreaches the optimal value.

8.6.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring the PMTU.

8.6.2 Creating Static PMTU EntriesYou can configure a static PMTU according to the lowest MTU of the path that a packet is totraverse. This speeds up packet transmission.

8.6.3 Configuring PMTU Aging TimeBy setting the PMTU aging time, you can change the keepalive time of dynamic PMTU entriesin the cache. A static PMTU entry never ages.

8.6.4 Checking the ConfigurationYou can view the configuration of a PMTU.

8.6.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring the PMTU.


By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUsacross the network. This avoids packet fragmentation, reduces the burden of the devices,implements efficient usage of network resources and achieves the best throughput.




Issue 01 (2011-05-30)

Pre-configuration TasksBefore configuring PMTUs, complete the following tasks:

l Configuring the physical features for the interface and ensuring that the status of thephysical layer of the interface is Up

l Configuring the link layer protocol for the interface

Data PreparationTo configure PMTUs, you need the following data.

No. Data

1 IPv6 address and PMTU value to be configured

2 PMTU aging time

8.6.2 Creating Static PMTU EntriesYou can configure a static PMTU according to the lowest MTU of the path that a packet is totraverse. This speeds up packet transmission.

Procedure



Step 2 Run:ipv6 pathmtu ipv6-address [ path-mtu ]

The PMTU value of a specified IPv6 address is configured.

By default, the PMTU of the IPv6 address is 1500 bytes.

l The maximum number of static PMTU entries is 300.l The maximum number of static PMTU entries of each VPN instance is 32.l The maximum number of dynamic and static PMTU entries on the public network is 1024.l The maximum number of PMTU entries in all VPN instances is 50000.

----End

8.6.3 Configuring PMTU Aging TimeBy setting the PMTU aging time, you can change the keepalive time of dynamic PMTU entriesin the cache. A static PMTU entry never ages.

Procedure




8-27


Step 2 Run:ipv6 pathmtu age age-time

The aging time of PMTU is configured.

By default, the dynamic PMTU aging time is 10 minutes.

If the static PMTU exist, the dynamic PMTU dose not take effect.

----End

8.6.4 Checking the ConfigurationYou can view the configuration of a PMTU.

PrerequisiteThe configurations of the PMTU are complete.

Procedurel Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to check

all PMTU items.

l Run the display ipv6 interface [ interface-type interface-number | brief ] command tocheck the current MTU of the interface.

----End

Example

Run the display ipv6 pathmtu command. If the destination IPv6 address, the PMTU value, theaging time and type are displayed, it means that the configuration succeeds.

<HUAWEI> display ipv6 pathmtu allIPv6 Destination Address ZoneID PathMTU Age Typefe80::12 0 1300 40 Dynamic2222::3 0 1280 -- Static

Run the display ipv6 interface command. If the current MTU of the interface is displayed, itmeans that the configuration succeeds.

<HUAWEI> display ipv6 interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UP ,IPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es): FF02::1:FF00:1 FF02::1:FF04:5D00 FF02::2 FF02::1MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses




Issue 01 (2011-05-30)

8.7 Configuring TCP6By setting TCP6 packets, you can improve the performance of the network.

8.7.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring TCP6.

8.7.2 Configuring TCP6 TimersBy setting two TCP6 timers, you can control the TCP connection time.

8.7.3 Configuring the Size of the TCP6 Sliding WindowBy setting the sliding window size for TCP6, you can set the sizes of the receiving buffer andtransmitting buffer in the socket. In this manner, you can improve the performance of thenetwork.

8.7.4 Checking the ConfigurationYou can view the configuration of TCP6.

8.7.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring TCP6.


To optimize network performance, you need to adjust the TCP6 parameters.


Before configuring TCP6, complete the following tasks:

l Connecting and configuring the physical features for the interface and ensuring that thestatus of the physical layer of the interface is Up

l Configuring the link layer protocol parameters for the interface and ensuring that the statusof the link layer protocol on the interface is Up

Data Preparation

To configure TCP6, you need the following data.

No. Data

1 Value of TCP6 FIN-WAIT timer

2 Value of TCP6 SYN-WAIT timer

3 Size of TCP6 Sliding Window



8-29

8.7.2 Configuring TCP6 TimersBy setting two TCP6 timers, you can control the TCP connection time.

Procedure



Step 2 Run:tcp ipv6 timer syn-timeout timer-value

The TCP6 SYN-WAIT timer is set.

By default, the SYN-WAIT timer is 75s.

Step 3 Run:tcp ipv6 timer fin-timeout timer-value

The TCP6 FIN-WAIT timer is set.

By default, the FIN-WAIT timer is 675s.

----End

8.7.3 Configuring the Size of the TCP6 Sliding WindowBy setting the sliding window size for TCP6, you can set the sizes of the receiving buffer andtransmitting buffer in the socket. In this manner, you can improve the performance of thenetwork.

Procedure



Step 2 Run:tcp ipv6 window window-size

The size of the TCP6 sliding window is configured.

The size of the TCP6 sliding window ranges from 1 KB to 32 KB. By default, the size of theTCP6 sliding window is 8 KB.

----End

8.7.4 Checking the ConfigurationYou can view the configuration of TCP6.

PrerequisiteThe configurations of the TCP6 function are complete.




Issue 01 (2011-05-30)

Procedurel Run the display tcp ipv6 statistics command to check related TCP6 statistics.l Run the display tcp ipv6 status command to check the TCP6 connection status.l Run the display udp ipv6 statistics command to check related UDP6 statistics.l Run the display ipv6 socket [ socktype socket-type ] [ task-id task-id socket-id socket-

id ] command to check the information of the specified socket.

----End

ExampleRun the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statisticscommands. If the connection status and statistic of TCP6 and UDP6 are displayed, it means thatthe configuration succeeds.

<HUAWEI> display tcp ipv6 statisticsReceived packets: total: 0 packets in sequence: 0 (0 bytes) window probe packets: 0 window update packets: 0 checksum error: 0 offset error: 0 short error: 0 duplicate packets: 0 (0 bytes) partially duplicate packets: 0 (0 bytes) out-of-order packets: 0 (0 bytes) packets with data after window: 0 (0 bytes) packets after close: 0 ACK packets: 0 (0 bytes) duplicate ACK packets: 0 too much ACK packets: 0 packets dropped due to MD5 authentication failure: 0 packets receieved with MD5 Signature Option: 0

Sent packets: total: 0 urgent packets: 0 control packets: 0 (including 0 RST) window probe packets: 0 window update packets: 0 data packets: 0 (0 bytes) data packets retransmitted: 0 (0 bytes) ACK only packets: 0 (0 delayed) packets sent with MD5 Signature Option: 0

Other Statistics: retransmitted timeout: 0 connections dropped in retransmitted timeout: 0 keepalive timeout: 0 keepalive probe: 0 keepalive timeout, so connections disconnected: 0 initiated connections: 0 accepted connections: 0 established connections: 0 closed connections: 0 (dropped: 0, initiated dropped: 0)<HUAWEI> display tcp ipv6 statusTCP6CB Local Address Foreign Address State09e39ae4 3000::2->179 3000::1->49158 Time_Wait09e36f24 3000::2->49152 3000::1->179 Established07da08f8 ::->179 ::->0 Listening07d96da8 ::->23 ::->0 Listening<HUAWEI> display udp ipv6 statisticsReceived packets:



8-31

total: 0 total(64bit high-capacity counter): 0 checksum error: 0 shorter than header: 0 invalid message length: 0 no socket on port: 0 no multicast port: 0 not delivered, input socket full: 0 input packets missing pcb cache: 0 packets sent for external pre processing: 1Sent packets: total: 0 total(64bit high-capacity counter): 0

Run the display ipv6 socket command. If the related socket information is displayed, it meansthat the configuration succeeds.

<HUAWEI> display ipv6 socketSOCK_STREAM:Task = VTYD(14), socketid = 4, Proto = 6,LA = ::->22, FA = ::->0,sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,socket state = SS_PRIV SS_ASYNCTask = VTYD(14), socketid = 3, Proto = 6,LA = ::->23, FA = ::->0,sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,socket state = SS_PRIV SS_ASYNCSOCK_DGRAM:SOCK_RAW:

8.8 Maintaining IPv6This section describes how to maintain IPv6. Detailed operations include deleting informationabout IPv6 operation and monitoring IPv6 operation.

8.8.1 Resetting IPv6This section describes clearance of information about IPv6 operation through the reset command.

8.8.2 Monitoring Network Operation Status of IPv6This section describes IPv6 operation monitoring through the display command.

8.8.1 Resetting IPv6This section describes clearance of information about IPv6 operation through the reset command.

Context

CAUTIONIPv6 statistics cannot restore after you clear it. So, confirm the action before you use thecommand.




Issue 01 (2011-05-30)

Procedurel Run the reset ipv6 statistics [ slot slot-id ] command in the user view to clear statistics of

processing IPv6 packets after you confirm it.

l Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clearPMTU entries in the cache after you confirm it.

l Run the reset ipv6 address-policy [ vpn-instance vpn-instance-name ] command in theuser view to clear address selection policy entries.

l Run the reset ipv6 nd security statistics interface-type interface-number command in theuser view to clear statistics on IPv6 SEND messages on a specified interface.

l Run the reset ipv6 nd security timestamp interface-type interface-number command inthe user view to clear the timestamp of an IPv6 SEND message on a specified interface.

l Run the reset ipv6 nd security nonce interface-type interface-number command in theuser view to clear the Nonce value of an IPv6 SEND message on a specified interface.

l Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type interface-number] | interface-type interface-number [ dynamic | static ] } command in the user viewto clear IPv6 neighbor entries in the cache after you confirm it.

l Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics afteryou confirm it.

l Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statisticsafter you confirm it.

----End

8.8.2 Monitoring Network Operation Status of IPv6This section describes IPv6 operation monitoring through the display command.

ContextIn routine maintenance, you can run the following command in any view to check the operationof IPv6.

Procedurel Run the display ipv6 interface [ interface-type interface-number | brief ] command in any

view to check the IPv6 information about the interface.

l Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ]command in any view to check IPv6 packet statistics.

l Run the display icmpv6 statistics [ slot slot-id | interface interface-type interface-number ] command in any view to check the operation of ICMPv6 packet statistics.

l Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interface-number ], display ipv6 neighbors [ interface-type interface-number [ vid vid [ cevidcevid ] ] ], or display ipv6 neighbors slot slot-id [ verbose ] [ [vid vlan-id ] [ interface-type interface-number ] ] command in any view to check contents about the neighbor cache.

l Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-address prefix-length } command in any view to check address selection policy entries.

l Run the display ipv6 security interface interface-type interface-number command in anyview to check the IPv6 SEND configuration on a specified interface.



8-33

l Run the display ipv6 nd security timestamp interface-type interface-number commandin any view to check the timestamp of an IPv6 SEND message.

l Run the display ipv6 nd security nonce interface-type interface-number command in anyview to check the Nonce value of an IPv6 SEND message.

l Run the display ipv6 nd security statistics interface-type interface-number command inany view to check the statistics on IPv6 SEND messages.

l Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ]command in any view to check contents about the neighbor cache.

l Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command in anyview to check all PMTU entries.

l Run the display tcp ipv6 statistics command in any view to check TCP6 statistics.

l Run the display tcp ipv6 status command in any view to check TCP6 connection status.

l Run the display udp ipv6 statistics command in any view to check UDP6 statistics.

l Run the display ipv6 socket [ socktype socket-type ] [ task-id task-id socket-id socket-id ] command in any view to check information about the specified socket.

l Run the display ipv6 fib [ spt ] [ slot-id ] command in any view to check information aboutthe FIB.

----End


ContextNOTE


8.9.1 Example for Configuring an IPv6 Address for an InterfaceThis part provides an example for configuring the IPv6 address of an interface.

8.9.2 Example for Configuring IPv6 Neighbor DiscoveryThis section provides an example of configuring IPv6 Neighbor Discovery.

8.9.3 Example for Configuring IPv6 Address Selection Policy TableThis part describes how to configure IPv6 address selection policy table.

8.9.4 Example for Configuring IPv6 SENDThis section provides examples for configuring IPv6 SEND.

8.9.5 Example for Configuring Default Router Priority and Route InformationThis part describes how to configure default router priorities and route information.

8.9.1 Example for Configuring an IPv6 Address for an InterfaceThis part provides an example for configuring the IPv6 address of an interface.




Issue 01 (2011-05-30)

Networking RequirementAs shown in Figure 8-1, CX-A and CX-B are connected through POS interfaces. It is requiredto configure IPv6 global unicast addresses for the interfaces and test the connectivity betweenthem.

The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and3001::2/64.

Figure 8-1 Networking diagram of configuring an IPv6 address for an interface

CX-A CX-B

POS 1/0/03001::1/64

POS 1/0/03001::2/64


1. Enable IPv6 forwarding capability on devices.2. Configure IPv6 global unicast addresses for the interfaces.

Data PreparationTo complement the configuration, you need the following data:

l Global unicast addresses of the interfaces

Procedure

Step 1 Enable IPv6 packet forwarding on CX-A and CX-B.

# Configure CX-A

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6

# Configure CX-B

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ipv6

Step 2 Configure IPv6 global unicast addresses for the interfaces.

# Configure CX-A.

[CX-A] interface pos 1/0/0[CX-A-Pos1/0/0] ipv6 enable[CX-A-Pos1/0/0] ipv6 address 3001::1/64[CX-A-Pos1/0/0] undo shutdown[CX-A-Pos1/0/0] quit

# Configure CX-B.



8-35

[CX-B] interface pos 1/0/0[CX-B-Pos1/0/0] ipv6 enable[CX-B-Pos1/0/0] ipv6 address 3001::2/64[CX-B-Pos1/0/0] undo shutdown[CX-B-Pos1/0/0] quit


If the configuration succeeds, you can view the configured IPv6 global unicast addresses andstatus of the interface and the IPv6 protocol are both Up.

# Display interface information of CX-A.

[CX-A] display ipv6 interface pos 1/0/0Pos1/0/0 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::C964:0:B8B6:1 Global unicast address(es): 3001::1, subnet is 3001::/64 Joined group address(es): FF02::1:FF00:1 FF02::1:FFB6:1 FF02::2 FF02::1 MTU is 4470 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

# Display interface information of CX-B.

[CX-B] display ipv6 interface pos 1/0/0Pos1/0/0 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1 Global unicast address(es): 3001::2, subnet is 3001::/64 Joined group address(es): FF02::1:FF00:2 FF02::1:FFF3:1 FF02::2 FF02::1 MTU is 4470 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

# On CX-A, ping the link-local address of CX-B. Note that you need to use the parameter -i tospecify the interface.

[CX-A] ping ipv6 fe80::2d6f:0:7af3:1 -i pos 1/0/0 PING FE80::2D6F:0:7AF3:1 : 56 data bytes, press CTRL_C to break Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=1 hop limit=64 time = 60 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=2 hop limit=64 time = 50 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=3 hop limit=64 time = 50 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=4 hop limit=64 time = 30 ms Reply from FE80::2D6F:0:7AF3:1 bytes=56 Sequence=5 hop limit=64 time = 1 ms --- FE80::2D6F:0:7AF3:1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/38/60 ms




Issue 01 (2011-05-30)

# On CX-A, ping the global unicast IPv6 address of CX-B.

[CX-A] ping ipv6 3001::2 PING 3001::2 : 56 data bytes, press CTRL_C to break Reply from 3001::2 bytes=56 Sequence=1 hop limit=64 time = 30 ms Reply from 3001::2 bytes=56 Sequence=2 hop limit=64 time = 50 ms Reply from 3001::2 bytes=56 Sequence=3 hop limit=64 time = 50 ms Reply from 3001::2 bytes=56 Sequence=4 hop limit=64 time = 20 ms Reply from 3001::2 bytes=56 Sequence=5 hop limit=64 time = 40 ms --- 3001::2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 20/38/50 ms

----End


# sysname CX-A#ipv6#interface pos1/0/0link-protocol pppundo shutdownipv6 enableipv6 address 3001::1/64#return

l Configuration file of CX-B# sysname CX-B#ipv6#interface pos1/0/0link-protocol pppundo shutdownipv6 enableipv6 address 3001::2/64#return

8.9.2 Example for Configuring IPv6 Neighbor DiscoveryThis section provides an example of configuring IPv6 Neighbor Discovery.

Networking RequirementsAs shown in Figure 8-2, device is directly connected to the PC by GE 1/0/10. This PC runs theWindows XP operating system.



8-37

Figure 8-2 Example for configuring IPv6 neighbor discovery

CX600 PCGE1/0/10

3000::/64 eui-64


1. Configure the local unicast addresses of the link and EUI-64 site separately on GE 1/0/10.2. Configure the RA prefix message to be advertised on GE 1/0/10 and enable the

advertisement of the RA prefix message.


l Local unicast addresses of the link and EUI-64 site on GE 1/0/10l RA prefix message to be advertised

Procedure

Step 1 Enable the IPv6 forwarding on devices.<HUAWEI> system-view[HUAWEI] ipv6

Step 2 Configure the local unicast address of the link on GE 1/0/10.[HUAWEI] interface gigabitethernet 1/0/10[HUAWEI-GigabitEthernet1/0/10] undo shutdown[HUAWEI-GigabitEthernet1/0/10] ipv6 enable[HUAWEI-GigabitEthernet1/0/10] ipv6 address auto link-local

Step 3 Configure the local unicast address of the EUI-64 site on GE 1/0/10 and the prefix in the RAmessage.

NOTEA PC can automatically obtain the RA prefix message from devices only after the Router Advertisement(RA) prefix message to be advertised is configured and the advertisement of the RA prefix message isenabled on devices.

[HUAWEI-GigabitEthernet1/0/10] ipv6 address 3000::/64 eui-64[HUAWEI-GigabitEthernet1/0/10] ipv6 nd ra prefix 3000::/64 1000 1000[HUAWEI-GigabitEthernet1/0/10] undo ipv6 nd ra halt


If configurations are successful, you can view the configured local unicast address of the linkand the EUI-64 site and find that GE 1/0/10 is Up and IPv6 is Up.

# Display information about interfaces of devices.

[HUAWEI-GigabitEthernet1/0/10] display this ipv6 interfaceGigabitEthernet1/0/10 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::2E0:FCFF:FE7D:A497




Issue 01 (2011-05-30)

Global unicast address(es): 3000::2E0:FCFF:FE7D:A497, subnet is 3000::/64 Joined group address(es): FF02::1:FF7D:A497 FF02::2 FF02::1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisement max interval 600 seconds, min interval 200 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses

# Display information about PCs.

Ethernet adapter 1:

Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC #2 Physical Address. . . . . . . . . : 00-E0-4C-77-A1-B6 Dhcp Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 110.1.1.33 Subnet Mask . . . . . . . . . . . : 255.0.0.0 IP Address. . . . . . . . . . . . : 3000::78b3:4397:c0c4:f078 IP Address. . . . . . . . . . . . : 3000::2e0:4cff:fe77:a1b6 IP Address. . . . . . . . . . . . : fe80::2e0:4cff:fe77:a1b6%6 Default Gateway . . . . . . . . . : fe80::288:ff:fe10:b%6 DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1 fec0:0:0:ffff::3%1

# Ping the local unicast address of the link on the PC from the device with the use of the parameter-i which specifies the interface corresponding to the local unicast address.

[HUAWEI-GigabitEthernet1/0/10] ping ipv6 fe80::2e0:4cff:fe77:a1b6 -i gigabitethernet1/0/10PING FE80::2E0:4CFF:FE77:A1B6: 56 data bytes, press CTRL_C to breakReply from FE80::2E0:4CFF:FE77:A1B6bytes=56 Sequence=1 hop limit=64 time = 60 msReply from FE80::2E0:4CFF:FE77:A1B6bytes=56 Sequence=2 hop limit=64 time = 50 msReply from FE80::2E0:4CFF:FE77:A1B6bytes=56 Sequence=3 hop limit=64 time = 50 msReply from FE80::2E0:4CFF:FE77:A1B6bytes=56 Sequence=4 hop limit=64 time = 30 msReply from FE80::2E0:4CFF:FE77:A1B6bytes=56 Sequence=5 hop limit=64 time = 1 ms--- FE80::2E0:4CFF:FE77:A1B6 ping statistics ---5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 1/38/60 ms

# Ping the local unicast address of the EUI-64 site of the PC from the device.

[HUAWEI-GigabitEthernet1/0/10] ping ipv6 3000::78b3:4397:c0c4:f078PING 3000::78B3:4397:C0C4:F078 : 56 data bytes, press CTRL_C to breakReply from 3000::78B3:4397:C0C4:F078bytes=56 Sequence=1 hop limit=64 time = 30 msReply from 3000::78B3:4397:C0C4:F078bytes=56 Sequence=2 hop limit=64 time = 50 msReply from 3000::78B3:4397:C0C4:F078bytes=56 Sequence=3 hop limit=64 time = 50 msReply from 3000::78B3:4397:C0C4:F078bytes=56 Sequence=4 hop limit=64 time = 20 msReply from 3000::78B3:4397:C0C4:F078



8-39

bytes=56 Sequence=5 hop limit=64 time = 40 ms--- 3000::78B3:4397:C0C4:F078 ping statistics ---5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 20/38/50 ms

----End

Configuration FilesConfiguration file of HUAWEI# sysname HUAWEI#ipv6#interface GigabitEthernet1/0/10 undo shutdown ipv6 enable ipv6 address 3000::/64 eui-64 ipv6 address auto link-local ipv6 nd ra prefix 3000::/64 1000 1000 undo ipv6 nd ra halt#return

8.9.3 Example for Configuring IPv6 Address Selection Policy TableThis part describes how to configure IPv6 address selection policy table.

Networking RequirementsAs shown in Figure 8-3, the domain name (huawei.com) of Server A maps multiple IPv6addresses. When CX-A, as an IPv6 DNS client, accesses Server A by using the domain name(huawei.com), the DNS Server sends all IPv6 addresses of Server A to CX-A. Then,CX-Aqueries the IPv6 address selection policy table to select a proper IPv6 address as the destinationaddress of Server A.

Figure 8-3 Networking diagram for configuring an IPv6 address selection policy table

GE1/0/0

CX-A

huawei.com

b::1/64

DNS Server

abcd::1234/64DNS Client

2001::1/64

a::1/64

Server A

fed0:1::2/642001:2::2/64

abcd::7764

Ethernet




Issue 01 (2011-05-30)

Configuration NotesNone


1. Configure IPv6 address selection policy entries.2. Configure dynamic IPv6 DNS services.


l IPv6 addresses on the interface of CX-Al Addresses, label values and precedence values of IPv6 address selection policy entriesl IPv6 addresses of the DNS server

Procedure

Step 1 Configure IPv6 address selection policy entries

# Configure IPv6 addresses for the interface.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] ipv6 enable[CX-A-GigabitEthernet1/0/0] ipv6 address fe80::1 link-local[CX-A-GigabitEthernet1/0/0] ipv6 address fed0:1::2 64[CX-A-GigabitEthernet1/0/0] ipv6 address 2001:2::2 64[CX-A-GigabitEthernet1/0/0] ipv6 address abcd::77 64[CX-A-GigabitEthernet1/0/0] quit

# Configure destination address selection policies.

[CX-A] ipv6 address-policy fed0:1::2 128 100 100[CX-A] ipv6 address-policy 2001::1 128 100 100

Step 2 Configure dynamic IPv6 DNS services.[CX-A] dns resolve[CX-A] dns server ipv6 abcd::1234[CX-A] dns domain com[CX-A] quit


# Run the ping ipv6 huawei.com command on CX-A, and you can find that Server A can bepinged successfully, with the destination IP address being 2001::1.

<CX-A> ping ipv6 huawei.com Resolved Host (huawei.com -> 2001::1) PING huawei.com : 56 data bytes, press CTRL_C to break Reply from 2001::1: bytes=56 Sequence=1 ttl=126 time=6 ms Reply from 2001::1: bytes=56 Sequence=2 ttl=126 time=4 ms Reply from 2001::1: bytes=56 Sequence=3 ttl=126 time=4 ms



8-41

Reply from 2001::1: bytes=56 Sequence=4 ttl=126 time=4 ms Reply from 2001::1: bytes=56 Sequence=5 ttl=126 time=4 ms --- huawei.com ping statistics ---

5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/6 ms

# Run the display ipv6 interface gigabitethernet 1/0/0 command on CX-A, and you can viewinformation about the IPv6 address of GigabitEthernet 1/0/0.

<CX-A> display ipv6 interface gigabitethernet 1/0/0GigabitEthernet1/0/0 current state : UP IPv6 protocol current state : UP IPv6 is enabled, link-local address is FE80::1 Global unicast address(es): FED0:1::2, subnet is FED0:1::/64 2001:2::2, subnet is 2001:2::/64 ABCD::77, subnet is ABCD::/64 Joined group address(es): FF02::1:FF00:77 FF02::2 FF02::1 FF02::1:FF00:2 FF02::1:FF00:1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

# Run the display ipv6 address-policy all command on CX-A, and you can view informationabout address selection policy entries.

<CX-A> display ipv6 address-policy allPolicy Table : Total:7------------------------------------------------------------------------------- Prefix : :: PrefixLength : 0 Precedence : 40 Label : 1 Default : Yes

Prefix : ::1 PrefixLength : 128 Precedence : 50 Label : 0 Default : Yes

Prefix : ::FFFF:0.0.0.0 PrefixLength : 96 Precedence : 10 Label : 4 Default : Yes

Prefix : 2001::1 PrefixLength : 128 Precedence : 100 Label : 100 Default : No

Prefix : 2002:: PrefixLength : 16 Precedence : 30 Label : 2 Default : Yes

Prefix : FC00:: PrefixLength : 7 Precedence : 20 Label : 3 Default : Yes

Prefix : FED0:1::2 PrefixLength : 128 Precedence : 100 Label : 100 Default : No




Issue 01 (2011-05-30)

-------------------------------------------------------------------------------

----End


# sysname CX-A# ipv6# dns resolve dns server ipv6 abcd::1234 dns domain com#interface GigabitEthernet1/0/0 undo shutdown ipv6 enable ipv6 address FED0:1::2/64 ipv6 address 2001:2::2/64 ipv6 address 1001::1/64 ipv6 address FE80::1 link-local # ipv6 address-policy 2001::1 128 100 100 ipv6 address-policy FED0:1::2 128 100 100#return

8.9.4 Example for Configuring IPv6 SENDThis section provides examples for configuring IPv6 SEND.

Networking RequirementsAs shown in Figure 8-4, IPv6 SEND is configured on CX-A. Assume that CX-B is an attacker.When CX-B sends messages to CX-A, CX-A regards them invalid and discards them.

Figure 8-4 Networking diagram for configuring IPv6 SEND

CX-B

GE 1/0/0 GE 1/0/0

CX-A

SEND enabled Attacker

3000::/64 cga1::1/64 1::2/64

3000::2/64

Configuration NotesNone.


1. Configure a CGA IPv6 address and a common IPv6 address on CX-A.2. Enable the strict security mode on an interface of CX-A.



8-43

3. Configure an IPv6 address for an interface on CX-B.


l RSA key pair namel Modifier value and security level of a CGA addressl CGA IPv6 addressl IPv6 address of CX-B

Procedure

Step 1 Configure a CGA IPv6 address on CX-A.<HUAWEIA> system-view[HUAWEIA] sysname CX-A[CX-A] ipv6[CX-A] rsa key-pair label huawei NOTES: If the key modulus is greater than 512, It may take few minutes. Pleasewait

Key Successfully Created[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] ipv6 enable[CX-A-GigabitEthernet1/0/0] ipv6 security rsakey-pair huawei[CX-A-GigabitEthernet1/0/0] ipv6 security modifier sec-level 1[CX-A-GigabitEthernet1/0/0] ipv6 address fe80::3 link-local cga[CX-A-GigabitEthernet1/0/0] ipv6 address 3000::2/64 cga[CX-A-GigabitEthernet1/0/0] ipv6 address 1::1/64

Step 2 Enable the strict security mode on an interface of CX-A.[CX-A-GigabitEthernet1/0/0] ipv6 nd security strict

Step 3 Configure an IPv6 address of CX-B.<HUAWEIB> system-view[HUAWEIB] sysname CX-B[CX-B] ipv6[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] ipv6 enable[CX-B-GigabitEthernet1/0/0] ipv6 address auto link-local[CX-B-GigabitEthernet1/0/1] ipv6 address 3000::2/64[CX-B-GigabitEthernet1/0/1] ipv6 address 1::2/64


If the configuration is successful, you can view that the IPv6 address and IPv6 SEND have beenconfigured and the interface status and IPv6 protocol status are Up.

# View information about GE 1/0/0 on CX-A.

[CX-A-GigabitEthernet1/0/0] display this ipv6 interfaceGigabitEthernet1/0/0 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8 Global unicast address(es): 3000::2092:84CE:827B:D5A4, subnet is 3000::/64 1::1, subnet is 1::/64 Joined group address(es): FF02::1:FF7B:D5A4 FF02::2 FF02::1




Issue 01 (2011-05-30)

FF02::1:FFD6:6CA8 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

# View the IPv6 SEND configuration on GE 1/0/0 of CX-A.

[CX-A-GigabitEthernet1/0/0] display ipv6 security interface gigabitethernet 1/0/0 (L) : Link local address SEND information for the interface : GigabitEthernet1/0/0---------------------------------------------------------------------------- IPv6 address PrefixLength Collision Count---------------------------------------------------------------------------- FE80::3057:B5D6:6BD6:6CA8 (L) 10 0 3000::2092:84CE:827B:D5A4 64 0---------------------------------------------------------------------------- SEND sec value : 1 SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D SEND RSA key label bound : huawei SEND ND minimum key length value : 512 SEND ND maximum key length value : 2048 SEND ND Timestamp delta value : 300 SEND ND Timestamp fuzz value : 1 SEND ND Timestamp drift value : 1 SEND ND fully secured mode : enabled

# View information about GE 1/0/0 on CX-B.

[CX-B-GigabitEthernet1/0/0] display this ipv6 interfaceGigabitEthernet1/0/0 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100 Global unicast address(es): 3000::2, subnet is 3000::/64 1::2, subnet is 1::/64 Joined group address(es): FF02::1:FF00:2 FF02::2 FF02::1 FF02::1:FF13:8100 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

# Ping the CGA link-local address of CX-A from CX-B. The ping fails because IPv6 SEND isconfigured on CX-A.

[CX- B-GigabitEthernet1/0/0] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i gigabitethernet 1/0/0 PING FE80::3057:B5D6:6BD6:6CA8 : 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out

--- FE80::3057:B5D6:6BD6:6CA8 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss round-trip min/avg/max = 0/0/0 ms

# Ping the CGA global unicast address of CX-A from CX-B. The ping fails because IPv6 SENDis configured on CX-A.



8-45

[CX- B-GigabitEthernet1/0/0] ping ipv6 3000::2092:84CE:827B:D5A4 PING 3000::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out

--- 3000::2092:84CE:827B:D5A4 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss round-trip min/avg/max = 0/0/0 ms

# Ping the common global unicast address of CX-A from CX-B. The ping fails because IPv6SEND is configured on CX-A.

[CX- B-GigabitEthernet1/0/0] ping ipv6 1::1 PING 1::1 : 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out


# Disable IPv6 SEND on CX-A. The ping from CX-B to CX-A is successful. The following partprovides an example of pinging the CGA global unicast address of CX-A.

[CX-A-GigabitEthernet1/0/0] undo ipv6 nd security strict[CX- B-GigabitEthernet1/0/0] ping ipv6 3000::2092:84CE:827B:D5A4 PING 3000::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break Reply from 3000::2092:84CE:827B:D5A4 bytes=56 Sequence=1 hop limit=64 time = 1 ms Reply from 3000::2092:84CE:827B:D5A4 bytes=56 Sequence=2 hop limit=64 time = 20 ms Reply from 3000::2092:84CE:827B:D5A4 bytes=56 Sequence=3 hop limit=64 time = 1 ms Reply from 3000::2092:84CE:827B:D5A4 bytes=56 Sequence=4 hop limit=64 time = 1 ms Reply from 3000::2092:84CE:827B:D5A4 bytes=56 Sequence=5 hop limit=64 time = 1 ms


----End


# sysname CX-A#ipv6#rsa key-pair label huawei




Issue 01 (2011-05-30)

#interface GigabitEthernet1/0/0 undo shutdown ipv6 enable ipv6 security rsakey-pair huawei ipv6 security modifier sec-level 1 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D ipv6 address 3000::/64 cga ipv6 address 1::1/64 ipv6 address FE80::3057:B5D6:6BD6:6CA8 link-local cga ipv6 nd security strict#return

l Configuration file of CX-B# sysname CX-B#ipv6#interface GigabitEthernet1/0/0 undo shutdown ipv6 enable ipv6 address 3000::2/64 ipv6 address 1::2/64 ipv6 address auto link-local#return

8.9.5 Example for Configuring Default Router Priority and RouteInformation

This part describes how to configure default router priorities and route information.


As shown in Figure 8-5, a PC is connected to CX-A and CX-B by using Switch A. The PCselects a proper CX device to forward packets based on destination addresses of packets.

Figure 8-5 Networking of Configuring Default Router Priorities and Route Information

CX-A

PC

GE1/0/02002::2/64

CX-B

GE1/0/04004::2/64

4004::1/642002::1/64

SwitchA



8-47

Configuration NotesThe PC supports RFC 4191, by which it can learn the default router priorities and routeinformation in RA packets.


1. Configure default router priorities and route information on CX-A and CX-B.


l IPv6 addresses of interfaces on CX-A and CX-Bl Default router priorities and route information

Procedure

Step 1 Configure default router priorities and route information.

# Configure CX-A.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] ipv6 enable[CX-A-GigabitEthernet1/0/0] undo ipv6 nd ra halt[CX-A-GigabitEthernet1/0/0] ipv6 address fe80::1 link-local[CX-A-GigabitEthernet1/0/0] ipv6 address 2002::2/64[CX-A-GigabitEthernet1/0/0] ipv6 nd ra preference high[CX-A-GigabitEthernet1/0/0] ipv6 nd ra route-information 2002:: 64 lifetime 2000 preference high[CX-A-GigabitEthernet1/0/0] quit

# Configure CX-B.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ipv6[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] ipv6 enable[CX-B-GigabitEthernet1/0/0] undo ipv6 nd ra halt[CX-B-GigabitEthernet1/0/0] ipv6 address fe80::2 link-local[CX-B-GigabitEthernet1/0/0] ipv6 address 4004::2/64[CX-B-GigabitEthernet1/0/0] ipv6 nd ra preference low[CX-B-GigabitEthernet1/0/0] ipv6 nd ra route-information 4004:: 64 lifetime 2000 preference high[CX-A-GigabitEthernet1/0/0] quit


# Check the configuration of the PC, and you can find that the default gateway of the PC is CX-A.

C:\Documents and Settings\Administrator>ipconfig /allEthernet adapter 1:

Connection-specific DNS Suffix . :




Issue 01 (2011-05-30)

Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC #2 Physical Address. . . . . . . . . : 00-E0-4C-77-A1-B6 Dhcp Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 110.1.1.33 Subnet Mask . . . . . . . . . . . : 255.0.0.0 IP Address. . . . . . . . . . . . : 3000::78b3:4397:c0c4:f078 IP Address. . . . . . . . . . . . : 3000::2e0:4cff:fe77:a1b6 IP Address. . . . . . . . . . . . : 2002::1 IP Address. . . . . . . . . . . . : 4004::1 IP Address. . . . . . . . . . . . : fe80::2e0:4cff:fe77:a1b6%6 Default Gateway . . . . . . . . . : 2002::2 DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1 fec0:0:0:ffff::3%1

# Check the routing table of the PC, and you can find the routing entries learned by the PC.

C:\Documents and Settings\Administrator>netshnetsh>interface ipv6netsh interface ipv6>show routeQuerying active state...

Publish Type Met Prefix Idx Gateway/Interface Name------- -------- ---- ------------------------ --- ---------------------no Manual 3 4004::/64 4 fe80::2no Manual 3 2002::/64 4 fe80::1yes Manual 3 1414::/64 4 Local Area Connectionyes Manual 3 1212::/64 4 Local Area Connection

----End


# sysname CX-A# ipv6#interface GigabitEthernet1/0/0 undo shutdown ipv6 enable ipv6 address 2002::2/64 ipv6 address FE80::1 link-local ipv6 nd ra preference high ipv6 nd ra route-information 2002:: 64 lifetime 2000 preference high undo ipv6 nd ra halt#return

l Configuration file of CX-B# sysname CX-B# ipv6#interface GigabitEthernet1/0/0 undo shutdown ipv6 enable ipv6 address 4004::2/64 ipv6 address FE80::2 link-local ipv6 nd ra preference low ipv6 nd ra route-information 4004:: 64 lifetime 2000 preference high undo ipv6 nd ra halt#return



8-49

9 IPv6 DNS Configuration

About This Chapter

By configuring the IPv6 Domain Name System (DNS), you can enable network devices tocommunicate with other through their domain names.

9.1 IPv6 DNS OverviewThe DNS is a host naming mechanism. It assigns an easy-to-memorize name of significance toeach host on the Internet in a hierarchical manner.

9.2 Configuring IPv6 DNSBy configuring the IPv6 DNS, you can set up a mapping between a domain name and an IPv6address. In this manner, you can enable the device to communicate with other devices.

9.3 Maintaining IPv6 DNSThis section describes how to maintain the IPv6 DNS. Detailed operations include deleting IPv6DNS entries and monitoring IPv6 DNS operation.


HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 9 IPv6 DNS Configuration


9-1

9.1 IPv6 DNS OverviewThe DNS is a host naming mechanism. It assigns an easy-to-memorize name of significance toeach host on the Internet in a hierarchical manner.

9.1.1 Introduction to IPv6 DNSAfter each host on the Internet is assigned a domain name, you can set up mapping between thedomain name and IP address of a host. In this manner, you can use domain names, which areeasy to memorize and are of significance, instead of complicated IP addresses.

9.1.2 IPv6 DNS Supported by the CX600IPv6 domain name resolution can be performed in either dynamic mode or static mode.

9.1.1 Introduction to IPv6 DNSAfter each host on the Internet is assigned a domain name, you can set up mapping between thedomain name and IP address of a host. In this manner, you can use domain names, which areeasy to memorize and are of significance, instead of complicated IP addresses.

IPv6 DNS has two resolution modes: dynamic IPv6 DNS resolution and static IPv6 DNSresolution. To resolve a domain name, the system first uses static IPv6 DNS resolution. If thismode fails, the system uses dynamic IPv6 DNS resolution. To improve resolution efficiency,you can put common domain names in a static domain name resolution table.

9.1.2 IPv6 DNS Supported by the CX600IPv6 domain name resolution can be performed in either dynamic mode or static mode.

IPv6 domain name system (DNS) is similar to IPv4 DNS. For configurations of IPv4 DNS, referto "DNS Configuration."

9.2 Configuring IPv6 DNSBy configuring the IPv6 DNS, you can set up a mapping between a domain name and an IPv6address. In this manner, you can enable the device to communicate with other devices.

9.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring the IPv6 DNS.

9.2.2 Configuring a Static IPv6 DNS EntryYou can create a table of mappings between domain names and IPv6 addresses and add commondomain names to this table. When a client needs to use the IPv6 address corresponding to adomain name, the client can search the table for the required IPv6 address. This improves theefficiency of domain name resolution.

9.2.3 Configuring the Dynamic IPv6 DNS ServicesTo perform dynamic domain name resolution, you need a special domain name resolution server,which runs a server program. This server provides mappings between domain names and IPv6addresses and receives resolution requests from the client.


9 IPv6 DNS ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

You can view the configuration of the IPv6 DNS.

9.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring the IPv6 DNS.

Applicable EnvironmentDNS needs to be configured if the local users log on to a device using domain names tocommunicate with other devices. The IPv6 DNS entries show the mapping between domainnames and IPv6 addresses.

If users seldom use the domain name to access other devices, or if the DNS server is unavailable,a static DNS needs to be configured. To configure a static IPv6 DNS, the network administratorneeds to know the relation between domain names and IPv6 addresses, and manually modifythe IPv6 DNS entry when the relation changes.

If the users need to use the domain name to access many devices, and the DNS server is available,a dynamic DNS can be configured. The dynamic DNS needs to be supported by a DNS server.

Pre-configuration TasksBefore configuring IPv6 DNS, configure the route between a local device and a DNS server.

Data PreparationTo configure IPv6 DNS, you need the following data.

No. Data

1 Domain name of the static IPv6 DNS entry and the corresponding IPv6 address

2 IPv6 address of the IPv6 DNS server

3 Domain name of the dynamic IPv6 DNS or the domain name list

9.2.2 Configuring a Static IPv6 DNS EntryYou can create a table of mappings between domain names and IPv6 addresses and add commondomain names to this table. When a client needs to use the IPv6 address corresponding to adomain name, the client can search the table for the required IPv6 address. This improves theefficiency of domain name resolution.

Procedure



Step 2 Run:ipv6 host host-name ipv6-address



9-3

The host name and the corresponding IPv6 address are configured.

If the same host is configured with IPv6 addresses for several times, the IPv6 address configuredearliest is used when needing to find the host with the IPv6 address, such as ping this host.

----End

9.2.3 Configuring the Dynamic IPv6 DNS ServicesTo perform dynamic domain name resolution, you need a special domain name resolution server,which runs a server program. This server provides mappings between domain names and IPv6addresses and receives resolution requests from the client.

ContextIf the IPv6 DNS server is configured with a link-local address, the interface name should alsobe configured with the IPv6 address.

Figure 9-1 DNS server connecting IPv4 and IPv6 networks

IPv4 link

DNS serverDNS IPv4 client DNS IPv6 client

IPv6 link

CAUTIONIf multiple DNS servers are configured, the servers are queried in the order of configuration tillproper response is received. If both IPv4 and IPv6 servers are configured, the A query is firstsent to the IPv4 server, while AAAA query packets are first sent to the IPv6 server.

The DNS domains are configured on a device and the domain names can be searched. If theDNS fails in searching for a host name, it appends a domain name to the host name following a"." and continues the DNS search. You can configure some commonly used domain names like"com", and "net". For example, if the search for the host name "huawei" fails, the system thensearches for "huawei.com" or "huawei.net".


Procedure



Step 2 Run:dns resolve

The dynamic domain name resolution is enabled.




Issue 01 (2011-05-30)

Step 3 Run:dns server ipv6 ipv6-address [ interface-type interface-number ]

The IPv6 DNS server is configured.

Step 4 Run:dns server ipv6 source-ip ipv6-address

The IPv6 address of the local device is specified.

After the source IPv6 address is specified for the local device, the local device uses the specifiedsource IPv6 address to communicate with the IPv6 DNS server to ensure the security of check.

Step 5 Run:dns domain domain-name

The suffix of domain names is added.

----End

9.2.4 Checking the ConfigurationYou can view the configuration of the IPv6 DNS.

PrerequisiteThe configurations of the IPv6 DNS function are complete.

Procedurel Run the display ipv6 host command to check the static IPv6 DNS table.l Run the display dns server command to check the configuration of the DNS server.l Run the display dns domain command to check the configuration of the suffix list of the

domain name.l Run the display dns ipv6 dynamic-host command to check the cache of the dynamic

domain name.

----End

ExampleRun the display ipv6 host command. If the static IPv6 DNS entries, including the host nameand the IPv6 address, are displayed, it means that the configuration succeeds. For example:

<HUAWEI> display ipv6 hostHost Age Flags IPv6Address (es)RTB 0 static 20::1RTA 0 static 20::2

Run the display dns server command. If the IPv6 addresses of all DNS servers are displayed,it means that the configuration succeeds. For example:

<HUAWEI> display dns serverIPv4 Dns Servers :Domain-server IpAddress 1 169.254.65.125IPv6 Dns Servers:Domain-server Ipv6Address (Interface Name) 1 3001::2 2 FE80::2 GigabitEthernet6/0/0



9-5

Run the display dns domain command. If the suffixes of the domain names are displayed, itmeans that the configuration succeeds. For example:

<HUAWEI> display dns domainNo Domain-name1 com2 net

Run the display dns ipv6 dynamic-host command. If information about the cache of thedynamic domain name is displayed, it means that the configuration succeeds. For example:

<HUAWEI> display dns ipv6 dynamic-hostNo Domain-name Ipv6address TTL1 huawei6 3001::2 6

9.3 Maintaining IPv6 DNSThis section describes how to maintain the IPv6 DNS. Detailed operations include deleting IPv6DNS entries and monitoring IPv6 DNS operation.

9.3.1 Clearing IPv6 DNS EntriesThis section describes IPv6 DNS entry clearance through the reset command.

9.3.2 Monitoring Network Operation Status of IPv6 DNSThis section describes IPv6 DNS operation monitoring through the display command.

9.3.1 Clearing IPv6 DNS EntriesThis section describes IPv6 DNS entry clearance through the reset command.

Context

CAUTIONIPv6 DNS entries cannot be restored after being cleared. So, confirm the action before you usethis command.

Procedure

Step 1 Run the reset dns ipv6 dynamic-host command in the user view to clear dynamic IPv6 DNSentries statistics in the domain name cache.

----End

9.3.2 Monitoring Network Operation Status of IPv6 DNSThis section describes IPv6 DNS operation monitoring through the display command.

ContextIn routine maintenance, you can run the following commands in any view to check the operationof IPv6 DNS.




Issue 01 (2011-05-30)

Procedurel Run:

display dns domain

Domain names are checked.l Run:

display dns server

Configurations of the DNS server are checked.l Run:

display dns ipv6 dynamic-host

Contents about the cache of the IPv6 dynamic domain names are checked.l Run:

display ipv6 host

The static DNS table is checked.

----End


ContextNOTE


9.4.1 Example for Configuring IPv6 DNSThis section provides an example of configuring the IPv6 DNS.

9.4.1 Example for Configuring IPv6 DNSThis section provides an example of configuring the IPv6 DNS.

Networking RequirementsAs shown in Figure 9-2, CX- A, functioning as the IPv6 DNS client and working jointly whoseIPv6 DNS server, can access the host with the IP address as 2002::1/64 based on the domainname huawei.com.

On CX-A, the static IPv6 DNS entries of CX- B and CX- C are configured. This ensures thatCX- A can manage both the routers based on the domain names CX-B and CX-C.



9-7

Figure 9-2 Networking diagram of IPv6 DNS configurations

GE1/0/02001::1/64

GE1/0/12001::2/64 GE1/0/0

2002::2/64 GE1/0/02002::3/64

GE1/0/12003::1/64

CX- A

CX- B CX- C

huawei.com2002::1/64

DNS Server2003::2/64

DNS Client


1. Configure static IPv6 DNS entries.2. Enable the DNS resolution function.3. Configure IPv6 address of the IPv6 DNS server.4. Set the domain name suffix.


l Domain names of CX- B and CX- Cl IPv6 address of the IPv6 DNS serverl Domain name suffix

Procedure

Step 1 Configure CX- A.

# Configure static IPv6 DNS entries.

<CX-A> system-view[CX-A] ipv6 host CX-B 2001::2[CX-A] ipv6 host CX-C 2002::3

# Enable the DNS resolution function.

[CX-A] dns resolve

# Configure the IPv6 address of the IPv6 DNS server.

[CX-A] dns server ipv6 2003::2

# Set the domain name suffix to ".net".

[CX-A] dns domain net

# Set the domain name suffix to ".com".




Issue 01 (2011-05-30)

[CX-A] dns domain com[CX-A] quit

NOTE

To resolve the domain name, you also need to configure the route from CX- A to the IPv6 DNS server.For details of how to configure the route, refer to the CX600 Metro Services Platform Configuration Guide- IP Routing.


# Run the ping ipv6 huawei.com command on CX- A. You can find that the Ping operationsucceeds, and the destination IP address is 2002::1.

<CX-A> ping ipv6 huawei.com Resolved Host ( huawei.com -> 2002::1) PING huawei.com : 56 data bytes, press CTRL_C to break Reply from 2002::1: bytes=56 Sequence=1 ttl=126 time=6 ms Reply from 2002::1: bytes=56 Sequence=2 ttl=126 time=4 ms Reply from 2002::1: bytes=56 Sequence=3 ttl=126 time=4 ms Reply from 2002::1: bytes=56 Sequence=4 ttl=126 time=4 ms Reply from 2002::1: bytes=56 Sequence=5 ttl=126 time=4 ms --- huawei.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/6 ms

# Run the display ipv6 host command on CX- A. You can view the mapping relationshipsbetween the host names in static IPv6 DNS entries and the IPv6 addresses.

<CX-A> display ipv6 hostHost Age Flags IPv6Address (es)CX-B 0 static 2001::2CX-C 0 static 2002::3

Run the display dns ipv6 dynamic-host command on CX- A. You can view information aboutdynamic IPv6 DNS entries in the dynamic cache.

<CX-A> display dns ipv6 dynamic-hostNo Domain-name Ipv6address TTL 1 huawei.com 2002::1 3579

NOTE

TTL in the command output indicates the life time of the entry, in seconds.

----End

Configuration Filesl Configuration file of CX- A

# sysname CX-A# ipv6# ipv6 host CX-B 2001::2 ipv6 host CX-C 2002::3# dns resolve dns server ipv6 2003::2 dns domain net dns domain com#interface GigabitEthernet1/0/0 undo shutdown ipv6 enable



9-9

ipv6 address 2001::1/64 ripng 1 enable#ripng 1#return

l Configuration file of CX- B# sysname CX-B# ipv6#interface GigabitEthernet1/0/1 undo shutdown ipv6 enableipv6 address 2001::2/64ripng 1 enable#interface GigabitEthernet1/0/0 undo shutdown ipv6 enable ipv6 address 2002::2/64 ripng 1 enable#ripng 1#return

l Configuration file of CX- C# sysname CX-C# ipv6#interface GigabitEthernet1/0/0 undo shutdown ipv6 address 2002::3/64 ripng 1 enable#interface GigabitEthernet1/0/1 undo shutdown ipv6 address 2003::1/64 ripng 1 enable#ripng 1#return




Issue 01 (2011-05-30)

10 ACL6 Configuration

About This Chapter

You can distinguish packets through an ACL6 and process them in different manners.

10.1 ACL6 OverviewAn ACL can be applied to multiple purposes, including PBR and packet filtering.

10.2 Configuring an Interfaced-based ACL6An interface-based ACL6 is an ACL that specifies rules according to interfaces that receivepackets.

10.3 Configuring a Basic ACL6When defining rules in a basic ACL6, you can specify only source IP addresses.

10.4 Configuring an Advanced ACL6An advanced ACL6 defines rules based on the source address, destination address, type of theprotocol over IP, and protocol features, for example, the source port and destination port of TCPand the type and code of ICMP.

10.5 Configuring a Named ACL6A named ACL is an advanced ACL6. A named ACL defines rules based on the source address,destination address, type of the protocol over IP, and protocol features, for example, the sourceport and destination port of TCP and the type and code of ICMP.

10.6 Maintaining ACL6This section describes how to maintain an ACL6. Detailed operations include deleting ACL6statistics and monitoring the ACL6 operation.

10.7 Configuration ExamplesFamiliarize yourself with the configuration procedures against the networking diagram. Eachconfiguration example consists of the networking requirements, configuration precautions,configuration roadmap, configuration procedures, and configuration files.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 10 ACL6 Configuration


10-1

10.1 ACL6 OverviewAn ACL can be applied to multiple purposes, including PBR and packet filtering.

10.1.1 Introduction to ACL6An ACL is a list of rules. An IPv6 ACL classifies packets according to ACL rules, and then arouter determines whether to accept the classified packets according to these ACL rules.

10.1.2 ACL6 Supported by the CX600According to the differences in filtering rules, ACLs can be categorized into interface-basedACL6s, basic ACL6s, and advanced ACL6s.

10.1.1 Introduction to ACL6An ACL is a list of rules. An IPv6 ACL classifies packets according to ACL rules, and then arouter determines whether to accept the classified packets according to these ACL rules.

NOTE

In this manual, ACL applies to filter IPv4 packets and ACL6 applies to filter IPv6 packets.

10.1.2 ACL6 Supported by the CX600According to the differences in filtering rules, ACLs can be categorized into interface-basedACL6s, basic ACL6s, and advanced ACL6s.

ACL6 is classified into the following types based on application goals:

l Basic ACL6: classifies data packets only based on the source IP addresses.l Advanced ACL6: classifies data packets more detailedly based on the source and

destination IP addresses, source and destination port numbers, and protocol type.l Interface-based ACL6: classifies data packets based on the interfaces that receive packets.

10.2 Configuring an Interfaced-based ACL6An interface-based ACL6 is an ACL that specifies rules according to interfaces that receivepackets.

10.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an interface-based ACL6.

10.2.2 (Optional) Configuring the Valid Time Range of ACL6By performing this configuration task, you can specify the time range when an ACL6 remainsvalid.

10.2.3 Creating an Interfaced-based ACL6This part describes how to create an interface-based ACL6, whose number ranges from 1000 to1999, and specify filtering rules according to the packet-receiving interface.

10.2.4 Checking the ConfigurationYou can view the configuration of an interface-based ACL6.

10 ACL6 ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

10.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an interface-based ACL6.


An ACL6 can be applied to the following tasks:

l Configuring the packet filtering policy

l Configuring the policy-based routing

l Configuring the routing policy


Before configuring ACL6, complete the following task:

l Starting the device normally

Data Preparation

To configure an ACL6, you need the following data:

No. Data

1 (Optional) Name of the time range in which the Interface-based ACL6 takes effectand the start time and end time of the time range

2 ACL6 number, permit or deny rules

3 Type and number of the interface where the ACL6 is applied


Procedure




A time rang is created.

----End



10-3

10.2.3 Creating an Interfaced-based ACL6This part describes how to create an interface-based ACL6, whose number ranges from 1000 to1999, and specify filtering rules according to the packet-receiving interface.

Procedure



Step 2 Run:acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

The interface-based ACL6 is created and the corresponding view is displayed.

Step 3 Run:rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any } [ logging | time-range time-name ]*

ACL6 rules are defined.

----End

10.2.4 Checking the ConfigurationYou can view the configuration of an interface-based ACL6.

PrerequisiteThe configurations of the interface-based ACL6 function are complete.

Procedurel Run the display acl ipv6 { acl6-number | all } command to check the ACL6 rules.l Run the display statistics acl ipv6 { acl-number | all } control-plane command to check

the statistics about the packets matching ACL6 in soft forwarding.l Run the display time-range { time-name | all } command to check the time range.

----End

ExampleAfter the configuration, run the preceding command. You can view ACL6 number, ACL6 step,contents of the rules, and matching times of the rules.

<HUAWEI> display acl ipv6 1000Interface Based IPv6 ACL 1000, 1 ruleAcl's step is 5 rule 5 permit interface Pos4/0/0

After the preceding configurations, the statistics about the packets matching ACL6 in softforwarding is displayed after the display statistics acl ipv6 control-plane command is used.

<HUAWEI> display statistics acl ipv6 1000 control-planeInterface Based IPv6 ACL 1000, 3 rules rule 0 deny interface any (1035 times matched)




Issue 01 (2011-05-30)

rule 1 permit interface Pos6/0/3 (586 times matched) rule 2 permit interface GigabitEthernet3/0/11 (103 times matched)



10.3 Configuring a Basic ACL6When defining rules in a basic ACL6, you can specify only source IP addresses.

10.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a basic ACL6.


10.3.3 Creating a Basic ACL6This part describes how to create a basic ACL6, whose number ranges from 2000 to 2999, andspecify filtering rules according to source interfaces.

10.3.4 Checking the ConfigurationYou can view the configuration of a basic ACL6.

10.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a basic ACL6.







Before configuring an ACL6, start the device normally.

Data Preparation

To configure an ACL6, you need the following data.



10-5

No. Data

1 (Optional) Name of the time range in which the basic ACL takes effect and the starttime and end time of the time range

2 ACL6 number, permit or deny rules, source IP address


Procedure





This configuration task is used to create a time range. Multiple time ranges with the same namecan be created.

----End

10.3.3 Creating a Basic ACL6This part describes how to create a basic ACL6, whose number ranges from 2000 to 2999, andspecify filtering rules according to source interfaces.

Procedure




A basic ACL6 is created and the basic ACL6 view is displayed.

Step 3 Run:rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *





Issue 01 (2011-05-30)

Defining ACL6 rules for the basic ACL6 is based only on the source IP address.

----End

10.3.4 Checking the ConfigurationYou can view the configuration of a basic ACL6.

PrerequisiteThe configurations of the Basic ACL6 function are complete.

Procedurel Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6

rule.l Run the display statistics acl ipv6 { acl-number | all } control-plane command to check


----End

ExampleRun the display acl ipv6 command. If the ACL6 number, the number of rules, detailed stepdescription, and ACL6 rules are displayed, it means that the configuration succeeds. Forexample:

<HUAWEI> display acl ipv6 2200Basic IPv6 ACL 2200, 1 ruleAcl's step is 5 rule 5 permit


<HUAWEI> display statistics acl ipv6 2200 control-planeBasic IPv6 ACL 2200, 3 rulesrule 0 permit source 2030:5060::9050/64 (235 times matched)rule 1 deny source 4050:7080::4060/96 (560 times matched)rule 80 permit source FE80::9040/32 (729 times matched)



10.4 Configuring an Advanced ACL6An advanced ACL6 defines rules based on the source address, destination address, type of theprotocol over IP, and protocol features, for example, the source port and destination port of TCPand the type and code of ICMP.



10-7

10.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an advanced ACL6.


10.4.3 Creating an Advanced ACL6This part describes how to create an advanced ACL6, whose number ranges from 3000 to 3999,and specify filtering rules according to the source address, destination address, type of theprotocol over IP, for example, the source port and destination port of TCP and the type of ICMP.

10.4.4 Checking the ConfigurationYou can view the configuration of an advanced ACL6.

10.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an advanced ACL6.







Before configuring an ACL6, complete the following task:

l Starting the device normally

Data Preparation

To configure an ACL6, you need the following data:

No. Data

1 (Optional) Name of the time range in which the advanced ACL takes effect and thestart time and end time of the time range

2 ACL6 number, permit or deny rules

3 Protocol type, source and destination port numbers, source and destination IP address,and source IP address fragment or not, ICMP message type and coding, priority, ToS,and valid time




Issue 01 (2011-05-30)


Procedure






----End

10.4.3 Creating an Advanced ACL6This part describes how to create an advanced ACL6, whose number ranges from 3000 to 3999,and specify filtering rules according to the source address, destination address, type of theprotocol over IP, for example, the source port and destination port of TCP and the type of ICMP.

Procedure




The advance ACL6 is created and the advanced ACL6 view is displayed.

Step 3 Perform the following configuration as required.l When protocol is specified as TCP or UDP

Run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port |fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | vpn-instancevpn-instance-name | precedence precedence | tos tos ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port |fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | vpn-instancevpn-instance-name | dscp dscp ] *



10-9

ACL6 rules are defined.l When protocol is specified as ICMPv6

Run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instancevpn-instance-name | precedence precedence | tos tos ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instancevpn-instance-name | dscp dscp ] *

ACL6 rules are defined.l When protocol is specified as other protocols except TCP, UDP, and ICMPv6

Run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *


----End

10.4.4 Checking the ConfigurationYou can view the configuration of an advanced ACL6.

PrerequisiteThe configurations of the Advanced ACL6 function are complete.

Procedurel Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6

rule.l Run the display statistics acl ipv6 { acl-number | all } control-plane command to check


----End

ExampleRun the display acl ipv6 command. If the ACL6 number, the number of rules, detailed stepdescription, and ACL6 rules are displayed, it means that the configuration succeeds. Forexample:




Issue 01 (2011-05-30)

<HUAWEI> display acl ipv6 3100Advanced IPv6 ACL 3100, 3 rules, rule 0 permit icmpv6 rule 1 permit ipv6 source 3001::/16 destination 4001::/16 rule 2 permit tcp source 5001::/16


<HUAWEI> display statistics acl ipv6 3000 control-planeAdvanced IPv6 ACL 3000, 1 rule rule 1 permit ipv6 source 4001::/16 (137 times matched)



10.5 Configuring a Named ACL6A named ACL is an advanced ACL6. A named ACL defines rules based on the source address,destination address, type of the protocol over IP, and protocol features, for example, the sourceport and destination port of TCP and the type and code of ICMP.

10.5.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a named ACL6.


10.5.3 Creating a Named ACL6This part describes how to create an ACL6 whose name is a character string and how to specifyfiltering rules according to the source address, destination address, type of the protocol over IP,for example, the source port and destination port of TCP and the type of ICMP.

10.5.4 Checking the ConfigurationYou can view the configuration of a named ACL6.

10.5.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring a named ACL6.

Application EnvironmentAn ACL6 can be applied to various services, such as routing policies and packet filtering, toimplement differentiated packet processing based on packet types.. Named ACL6s are advancedACL6s because you need to define rules for the named ACL6s by specifying the source IPaddress, destination IP address, IP bearer protocol type, TCP source port, TCP destination port,or ICMP protocol type and code.



10-11


Data PreparationTo configure a named ACL6, you need the following data.

No. Data

1 (Optional) Name of the time range in which the named ACL6 takes effect and thestart time and end time of the time range

2 Rule ID of the named ACL6, permit or deny rule, and source IP address

3 IP bearer protocol type, source and destination ports, destination IP address, or ICMPmessage type and code, packet priority, ToS, and timeout period of the ACL rule

4 (Optional) Description of the named ACL6

5 (Optional) Step of the named ACL6


Procedure






----End

10.5.3 Creating a Named ACL6This part describes how to create an ACL6 whose name is a character string and how to specifyfiltering rules according to the source address, destination address, type of the protocol over IP,for example, the source port and destination port of TCP and the type of ICMP.

ContextA named ACL6 is an advanced ACL6 and its acl-number ranges from 42768 to 45767.




Issue 01 (2011-05-30)



system-view


Step 2 Run:acl ipv6 name acl-name [ number acl-number ] [ match-order { auto | config } ]

A named ACL6 is created and the named ACL view is displayed.

Step 3 Perform the following steps as required to configure rules for the named ACL6:l When protocol is TCP or UDP, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name |source { source-ip-address source-wildcard | any } | source-port operator port | syn-flagsyn-flag time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name |source { source-ip-address source-wildcard | any } | source-port operator port | syn-flagsyn-flag time-range time-name | precedence precedence |tos tos ] *

syn-flagsyn-flag needs to be specified only when TCP is used.l When protocol is ICMPv6, run:

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-typeicmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name |dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name |icmp-typeicmp-code } |source { source-ip-address source-wildcard | any } | time-range time-name |precedence precedence | tos tos ] *

l When protocol is not TCP, UDP, or ICMPv6, run:rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *

rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *


----End

10.5.4 Checking the ConfigurationYou can view the configuration of a named ACL6.



10-13

PrerequisiteThe configurations of the ACL6 function are complete.

Procedurel Run the display acl ipv6 name acl-name command to check the configured ACL6 rule.

l Run the display statistics acl ipv6 { acl-number | all | name acl-name } control-planecommand to check the statistics about the packets matching ACL6 in soft forwarding.

l Run the display time-range { time-name | all } command to check the time range.

----End

Example

# Check the configurations of named ACL6, whose name is test.

<HUAWEI> display acl ipv6 name testAdvanced IPv6 Name ACL test, 1 ruleAcl's step is 5 rule 5 permit ip

# View the statistics about the packets matching ACL6 3000 in soft forwarding.

<HUAWEI> display statistics acl ipv6 3000 control-planeAdvanced IPv6 ACL 3000, 1 rule rule 0 permit ipv6 (335 times matched)

# View the statistics about the packets matching ACL6 named test in soft forwarding.

<HUAWEI> display statistics acl ipv6 name test control-planeAdvanced IPv6 ACL test, 2 rules, rule 0 permit 1 (10 times matched) rule 1 permit ipv6 (23 times matched)



10.6 Maintaining ACL6This section describes how to maintain an ACL6. Detailed operations include deleting ACL6statistics and monitoring the ACL6 operation.

10.6.1 Clearing ACL6 StatisticsThis section describes clearance of ACL6 statistics through the reset command.

10.6.2 Monitoring Network Operation Status of ACL6This section describes ACL6 operation monitoring through the display command.




Issue 01 (2011-05-30)

10.6.1 Clearing ACL6 StatisticsThis section describes clearance of ACL6 statistics through the reset command.

Context

CAUTIONStatistics cannot be restored after you clear it. So, confirm the action before you use thecommand.

Procedure

Step 1 Run the reset acl ipv6 counter { acl6-number | name acl-name | all } command in the userview to clear the ACL6 counter.

----End

10.6.2 Monitoring Network Operation Status of ACL6This section describes ACL6 operation monitoring through the display command.

ContextIn routine maintenance, you can run the following command in any view to check the operationof ACL6.

Procedurel Run the display acl ipv6 { acl6-number | name acl-name | all } command in any view to

check the configured ACL6 rules.l Run the display statistics acl ipv6 { acl6-number | all | name acl-name } control-plane

command in any view to check the statistics about the packets matching ACL6 in softforwarding.

----End

10.7 Configuration ExamplesFamiliarize yourself with the configuration procedures against the networking diagram. Eachconfiguration example consists of the networking requirements, configuration precautions,configuration roadmap, configuration procedures, and configuration files.

ContextNOTE


10.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets



10-15

This section provides an example for configuring an ACL6 and IPv6 packet filtering.

10.7.1 Example for Configuring an ACL6 to Filter IPv6 PacketsThis section provides an example for configuring an ACL6 and IPv6 packet filtering.

Networking RequirementsAs shown in Figure 10-1, CX-A and CX-B are connected through POS interfaces. ConfigureACL6 rules on CX-A to prevent the IPv6 packets with the source IP address 3001::2 fromentering POS1 /0/0 of CX-A.

Figure 10-1 Networking diagram of configuring an ACL6 to filter IPv6 packets

CX-A CX-BPOS1/0/03001::1/64

POS1/0/03001::2/64 Loopback2

3002::2/64


1. Define an ACL6 number.2. Define rules in the ACL6.3. Set the traffic classifier, behavior, and policy.


l ACL6 numberl Source IPv6 address denied by the ACL6 rule

Procedure

Step 1 Enable IPv6 forwarding capabilities on CX-A and CX-B, configure interface parameters, andcheck connectivity between them.

# Configure CX-A.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface pos 1/0/0[CX-A-Pos1/0/0] ipv6 enable[CX-A-Pos1/0/0] ipv6 address 3001::1 64[CX-A-Pos1/0/0] undo shutdown[CX-A-Pos1/0/0] quit

# Configure a static route on CX-A.

[CX-A] ipv6 route-static 3002:: 64 3001::2

# Configure CX-B.




Issue 01 (2011-05-30)

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ipv6[CX-B] interface loopback 2[CX-B-LoopBack2] ipv6 enable[CX-B-LoopBack2] ipv6 address 3002::2 64[CX-B-LoopBack2] quit[CX-B] interface pos 1/0/0[CX-B-Pos1/0/0] ipv6 enable[CX-B-Pos1/0/0] ipv6 address 3001::2 64[CX-B-Pos1/0/0] undo shutdown[CX-B-Pos1/0/0] quit

# Ping POS 1/0/0 of CX-A from POS 1/0/0 of CX-B.

[CX-B] ping ipv6 -a 3001::2 3001::1 PING 3001::1 : 56 data bytes, press CTRL_C to break Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 80 ms Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 50 ms Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 40 ms Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 30 ms Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 1 ms --- 3001::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/40/80 ms

The ping succeeds without timeout or abnormal delay.

# Ping POS 1/0/0 of CX-A from loopback2 of CX-B.

[CX-B] ping ipv6 -a 3002::2 3001::1 PING 3001::1 : 56 data bytes, press CTRL_C to break Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 60 ms Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 30 ms Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 20 ms Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 50 ms Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 20 ms --- 3001::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 20/36/60 ms


Step 2 Create an ACL6 rule and apply the rule on the interface to prevent the IPv6 packets from 3001::2.

# Configure CX-A.

[CX-A] acl ipv6 number 3001[CX-A-acl6-adv-3001] rule deny ipv6 source 3001::2/128[CX-A-acl6-adv-3001] quit[CX-A] traffic classifier bb[CX-A-classifier-bb] if-match ipv6 acl 3001[CX-A-classifier-bb] quit[CX-A] traffic behavior aa[CX-A-behavior-aa] permit[CX-A-behavior-aa] quit



10-17

[CX-A] traffic policy cc[CX-A-trafficpolicy-cc] classifier bb behavior aa[CX-A-trafficpolicy-cc] quit [CX-A] interface pos 1/0/0[CX-A-Pos1/0/0] traffic-policy cc inbound [CX-A-Pos1/0/0] quit


# Ping POS 1/0/0 of CX-A from POS 1/0/0 of CX-B.[CX-B] ping ipv6 -a 3001::2 3001::1 PING 3001::1 : 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 3001::1 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss round-trip min/avg/max = 0/0/0 ms

The ping fails.

# Ping POS 1/0/0 of CX-A from loopback2 of CX-B.[CX-B] ping ipv6 -a 3002::2 3001::1 PING 3001::1 : 56 data bytes, press CTRL_C to break Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 80 ms Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 50 ms Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 40 ms Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 40 ms Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 30 ms --- 3001::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 30/48/80 ms


----End


# sysname CX-A# ipv6#acl ipv6 number 3001 rule 0 deny ipv6 source 3001::2/128#traffic classifier bb operator or if-match ipv6 acl 3001#traffic behavior aa#traffic policy cc undo share-mode classifier bb behavior aa




Issue 01 (2011-05-30)

#interface pos1/0/0 link-protocol ppp undo shutdowntraffic-policy cc inbound ipv6 enable ipv6 address 3001::1/64# ipv6 route-static 3002:: 64 3001::2#return

l Configuration file of CX-B# sysname CX-B# ipv6#interface pos1/0/0 link-protocol ppp undo shutdown ipv6 enable ipv6 address 3001::2/64#interface LoopBack2 ipv6 enable ipv6 address 3002::2/64#return



10-19

11 IPv6 over IPv4 Tunnel Configuration

About This Chapter

The IPv6 over IPv4 tunnel technology is developed to address the problem in the transition fromIPv4 networks to IPv6 networks.

11.1 IPv6 over IPv4 Tunnel OverviewThe IPv6 over IPv4 tunnel technology provides connectivity for isolated IPv6 networks by usingexisting IPv4 networks.

11.2 Configuring IPv4/IPv6 Dual StacksTo establish an IPv6 over IPv4 tunnel, you need to configure both the IPv4 protocol suite andthe IPv6 protocol suite on the devices where an IPv4 network borders an IPv6 network.

11.3 Configuring an IPv6 over IPv4 TunnelYou can interconnect IPv6 networks by using IPv4 networks.

11.4 Configuring 6PEBy performing this configuration task, you can interconnect IPv6 networks through the existingMPLS network.

11.5 Maintaining IPv6 over IPv4 TunnelsThis section describes how to maintain an IPv6 over IPv4 tunnel, including how to monitor anIPv6 over IPv4 tunnel.

11.6 Configuration ExamplesThis section includes the networking requirements, configuration notes, and configurationroadmap.

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services 11 IPv6 over IPv4 Tunnel Configuration


11-1

11.1 IPv6 over IPv4 Tunnel OverviewThe IPv6 over IPv4 tunnel technology provides connectivity for isolated IPv6 networks by usingexisting IPv4 networks.

11.1.1 Introduction to IPv6 over IPv4An IPv6 packet is transparently transmitted after being encapsulated into an IPv4 packet.11.1.2 IPv6 over IPv4 Supported by the CX600You can configure manual IPv6 over IPv4 tunnels or 6to4 tunnels to interconnect IPv6 networks.

11.1.1 Introduction to IPv6 over IPv4An IPv6 packet is transparently transmitted after being encapsulated into an IPv4 packet.

During the transition from the IPv4 Internet to the IPv6 Internet, IPv4 networks have been widelydeployed while IPv6 domains are isolated and dispersed around the world. It is not economicalto connect these isolated sites with private lines.

The usual method is tunnel technology. This technology creates tunnels over IPv4 networks toconnect isolated IPv6 domains. This is similar to the situation where the tunnel technology isused to deploy VPNs on the IP networks.

The tunnel used to connect isolated IPv6 domains over IPv4 networks is called IPv6 over IPv4tunnel. To implement this tunnel, enable IPv4/IPv6 dual stacks on the devices at the border ofthe IPv4 network and the IPv6 network.

11.1.2 IPv6 over IPv4 Supported by the CX600You can configure manual IPv6 over IPv4 tunnels or 6to4 tunnels to interconnect IPv6 networks.

NOTE

Configuring an IPV6 over IPv4 GRE Tunnel cannot be configured on the X1 and X2 models of theCX600.

Dual StacksThe simplest way for an IPv6 node to remain compatible with an IPv4 node is to reserve acomplete IPv4 protocol stack. In this way, the IPv6 node maintains a dual-stack structure. Figure11-1 shows a single stack structure and a dual stack structure.

Figure 11-1 Single stack and dual stack structures (Ethernet)

IPv4 IPv6

TCP UDP

IPv4/IPv6 Application

Ethernet

Protocol ID:0x0800

Protocol ID:0x86DD

IPv4

TCP UDP

IPv4 Application

Ethernet

Protocol ID:0x0800

IPv4 Stack Dual Stack

11 IPv6 over IPv4 Tunnel ConfigurationHUAWEI CX600 Metro Services Platform



Issue 01 (2011-05-30)

The characteristics of the dual-stack structure are as follows:

l Supported by multiple link layer protocolsMultiple link layer protocols, such as Ethernet, support dual stacks. The link layer in theabove diagram is the Ethernet. For an Ethernet frame with the protocol ID field value of0x0800 indicates that the network layer has IPv4 packets. The ID field value of 0x86DDindicates that the network has IPv6 packets.

l Supported by multiple applicationsMultiple applications such as DNS, FTP and Telnet support dual stacks. The upperapplication, such as DNS, can select TCP or UDP as its transport layer protocol. However,it prefers the IPv6 protocol stack rather than IPv4 to be the network layer protocol.

IPv6 over IPv4 Tunnel

Figure 11-2 shows principles of the IPv6 over IPv4 tunnel technology.

1. Enabling IPv4/IPv6 dual stacksEnable IPv4/IPv6 dual stacks on the border device.

2. Encapsulating IPv6 packetsAfter receiving a packet from the IPv6 network, the border device takes the received IPv6packet as the payload, adds an IPv4 packet header before the payload and encapsulates itinto an IPv4 packet if it finds that the destination of the packet is not for itself.

3. Transmitting the encapsulated packetIn the IPv4 network, the encapsulated packet is transmitted to the peer border device.

4. Decapsulating the packetThe peer border device decapsulates the packet, removes the IPv4 packet header, andforwards the resulting IPv6 packet to the remote IPv6 network.

Figure 11-2 Schematic diagram of IPv6 over IPv4 tunnel

TunnelIPv6 IPv6

IPv6 Header IPv6 Data IPv6 Header IPv6 Data

Dual StackCX600

IPv6 host IPv6 host

Dual StackCX600

IPv4

IPv4 Header IPv6 Header IPv6 Data

The virtual tunnel that transmits IPv6 packets between the border devices is called the IPv6 overIPv4 tunnel. Tunnels can be classified according to their setup modes.

The common IPv6 over IPv4 tunnel modes include:

l IPv6 over IPv4 manual tunnelsl IPv6 over IPv4 GRE tunnels (GRE tunnels)



11-3

l IPv6 over IPv4 tunnel automatic tunnelsl 6to4 tunnelsl Intrasite Automatic Tunnel Addressing Protocol (ISATAP) tunnels

IPv6 over IPv4 Manual TunnelAn IPv6 over IPv4 manual tunnel is set up by configuring the border devices of two tunnel ends.The source IPv4 address and destination IPv4 address of such a tunnel must be configuredstatically.

A manual tunnel is equivalent to a permanent link between two IPv6 networks over an IPv4backbone network. It is the fixed channel for regular and secure communication between thetwo border devices.

The manual tunnel can be used between isolated IPv6 networks. It can also be used between aborder device and a host. In this case, the host and the device on both ends of the tunnel mustsupport the IPv4 and the IPv6 protocol stacks.

IPv6 over IPv4 GRE TunnelThe IPv6 traffic can be carried over the IPv4 GRE tunnels. When carrying the IPv6 traffic, theIPv4 GRE tunnels are called IPv6 over IPv4 GRE tunnels (GRE tunnel for short). Like the IPv6over IPv4 manual tunnel, a GRE tunnel is a link between two nodes, with a separate tunnel foreach link. The tunnels are not tied to a specific passenger or transport protocol, and only carryIPv6 as the passenger protocol and GRE as the carrier protocol.

The GRE tunnel is also manually created on the border devices at the tunnels. You need tostatically specify the source IPv4 address and destination IPv4 address of the GRE tunnel. Unlikethe manual tunnel, the GRE tunnel can be set to check the GRE packet header and to authenticatethe tunnel keyword to enhance the tunnel security.

The GRE tunnel is used to connect border devices, or connect a border device and a host system.Both the host and the device on both the ends of the tunnel must support the IPv4 and the IPv6protocol stacks.

IPv6 over IPv4 Automatic TunnelTo create an IPv6 over IPv4 automatic tunnel, you need a special kind of IPv6 address, namelyan IPv4-compatible IPv6 address.

The format of IPv4-compatible IPv6 address is as follows:

0:0:0:0:0:0:IPv4-address

Its high-order 96 bits are all 0s, and its low-order 32 bits form an IPv4 address. This IPv4 addressmust be reachable in the IPv4 network, and cannot be a multicast address, a broadcast address,a loopback address or an unspecified address (0.0.0.0).

To configure an automatic tunnel, specify just the source address of the tunnel on a border deviceor a host. The destination address of the tunnel is automatically obtained from the destinationIP address field carried in the original IPv6 packet.

The IPv6 over IPv4 automatic tunnel is usually used when an isolated IPv4/IPv6 dual stack hostneeds to access a remote IPv6 network over an IPv4 network. The automatic tunnel needs to beconfigured between the isolated IPv4/IPv6 host and the IPv4/IPv6 device.




Issue 01 (2011-05-30)

While setting up an automatic tunnel, configure the IPv4-compatible IPv6 address on both theends of the tunnel. The IPv4-compatible IPv6 address depends on the IPv4 address of the physicalinterface of the tunnel. It is limited to the shortage of the IPv4 address. Therefore, it has certainlimitations.

6to4 Tunnel

A 6to4 tunnel is a mechanism that connects several isolated IPv6 domains to each other over anIPv4 network. The 6to4 tunnel can be configured on the border device between the isolated IPv6network and the IPv4 network. The border device on both the ends of the 6to4 tunnel mustsupport the IPv4 and the IPv6 dual protocol stacks at the same time.

The key difference between the 6to4 tunnel and the manual tunnel is that the former can be apoint-to-multipoint connection, and the latter is only a point-to-point connection. Hence, thedevices of the 6to4 tunnel are not configured in pairs.

The 6to4 tunnel can automatically find another end of the tunnel, like the automatic tunnel. Youneed not specify the IPv4-compatible IPv6 address for it.

The 6to4 tunnel uses a kind of special IPv6 address, namely the 6to4 address with the followingformat:

2002:IPv4 address: subnet ID:interface ID

The prefix of the 6to4 address is 2002:IPv4 address with the length of 48 bits. Of these, the IPv4address is a globally unique one requested for an isolated IPv6 domain. This IPv4 address mustbe configured on the IPv6/IPv4 border device's physical interface that is connected with the IPv4network. The length of the subnet ID is 16 bits, and that of the interface ID is 64 bits. Both thesubnet ID and the interface ID are allocated in the isolated IPv6 domains.

As shown in Figure 11-3, Site1 and Site2 are 6to4 networks, and hosts and devices in the 6to4network are allocated with 6to4 addresses. The IPv4 address contained in the 6to4 address ofthe host or device in Site1 is the IPv4 address of the interface through which CX-A accesses theIPv4 network. Similarly, the IPv4 address contained in the 6to4 address of the host or device inSite2 is the IPv4 address of the interface through which CX-B accesses the IPv4 network. CX-A and CX-B are both 6to4 devices.

Figure 11-3 6to4 tunnel and 6to4 relay

6to4NetworkSite1

IPv4Network

IPv6Internet

Site3

6to4CX600

6to4Relay

CX-ACX-C

6to4Network

Site2

6to4CX600

CX-B



11-5

When the host in Site1 accesses the host in Site2, the process concerned is as follows:

1. The IPv6 packet is transmitted to CX-A.2. CX-A checks the destination address of the IPv6 packet and finds that the address is the

6to4 address, from which CX-A obtains the remote IPv4 address of the 6to4 tunnel.3. CX-A encapsulates this IPv6 packet into the IPv4 packet. The destination address of IPv4

packet header is the remote IPv4 address of the tunnel, and its source address is the localIPv4 address of the tunnel.

4. CX-A forwards the IPv4 packet in the IPv4 network to CX-B.5. CX-B decapsulates it to obtain the previous IPv6 packet, and then sends the IPv6 packet

to the destination host in Site2.

The above process implements the communication between the 6to4 networks. To implementthe communication between the 6to4 network and native IPv6 network, a 6to4 relay device isneeded. The so-called native IPv6 network means that both its internal host and device are notconfigured with the 6to4 address.

The 6to4 relay device is the gateway between the 6to4 network and the native IPv6 network.One side of the 6to4 relay device is connected to the native IPv6 network; the other side isconnected to the IPv4 network and creates the 6to4 tunnel with the 6to4 device.

As shown in Figure 11-3, when the host in the 6to4 network accesses the IPv6 Internet, theprocess concerned is as follows:

1. The IPv6 packet is routed to CX-A.2. A 6to4 tunnel is created between CX-A and CX-C.3. The IPv6 packet is encapsulated into the IPv4 packet and is sent to CX-C.4. CX-C decapsulates the IPv4 packet to obtain the previous IPv6 packet, and sends the IPv6

packet to the destination host in the IPv6 Internet.

ISATAP TunnelThe ISATAP tunnel is used when the IPv4/IPv6 host in an IPv4 network accesses an IPv6network. The ISATAP tunnel can be created between an ISATAP host and an ISATAP device.

The ISATAP format address is needed to create the ISATAP tunnel. Its structure is as follows:

Prefix (64bit)::5EFE:IPv4-Address

When the ISATAP tunnel is created (since the IPv4/IPv6 host and the ISATAP device are in asame IPv4 network), the IPv4 address embedded into the ISATAP address can be either a publicnetwork address or a private network address.

As shown in Figure 11-4, the process for an IPv4/IPv6 host to obtain an IPv6 address is asfollows:

1. The IPv4/IPv6 host sends a request message to a device.The IPv4/IPv6 host uses the link-local address in the ISATAP format to send a routerrequest message to the ISATAP device. It encapsulates the message into the IPv4 packet.

2. The ISATAP device responds to the request message.The ISATAP device uses a router notification message to respond to the request. The routernotification message contains the ISATAP prefix, which is manually configured on thedevice.




Issue 01 (2011-05-30)

3. The IPv4/IPv6 host obtains its IPv6 address.The IPv4/IPv6 host obtains its own IPv6 address by combining the ISATAP prefix with5EFE:IPv4-Address, and uses this address to access the IPv6 host.

Figure 11-4 ISATAP tunnel

IPv6Network

IPv4/IPv6 Host

IPv6 Host

ISATAP Tunnel

IPv4Network

ISATAPCX600 2.1.1.1

FE80::5EFE:0201:01013FFE::5EFE:0201:0101

The principle of an IPv4 or IPv6 host accessing an IPv6 network is as follows:

1. The IPv4 or IPv6 host in the IPv4 network obtains an IPv6 address based on the steps givenabove.

2. The IPv4 or IPv6 host sends packets that are encapsulated in an IPv4 packet to the host inthe IPv6 network.

3. An ISATAP device decapsulates the IPv4 packet and sends the IPv6 packets to the IPv6host.

6PEOn an IPv4 backbone network where the MPLS is deployed, the ISP can use the IPv6 ProviderEdge (6PE) technology to provide the interconnection capacity for the IPv6 networks ofdispersed users. 6PE is the PE with the IPv6 capacity.

Figure 11-5 shows the principle of interconnecting isolated IPv6 domains through 6PE.

1. When the 6PE device receives an IPv6 packet from the CE, it directly labels the packet totranslate the packet into an MPLS packet that can be transmitted over the IPv4 backbonenetwork.

2. The MPLS packet is forwarded to the remote 6PE through the LSP.3. The remote 6PE removes the label and finds the IPv6 routing table according to the

destination address in the resulting IPv6 packet header.4. The remote 6PE then sends the packet to the destination host in the remote IPv6 network

through the remote CE.



11-7

Figure 11-5 Networking diagram of 6PE

6PECX600

IPv6Customer

site

IPv6Customer

site

6PECX600

CE CE

IPv4/MPLS

IBGP

PE

Note the following points when you connect isolated IPv6 sites through a 6PE tunnel:

l Enable IPv4, MPLS and IPv6 on 6PE.l MP-BGP also needs to be enabled between 6PEs to receive or send IPv6 routes from/to the

remote 6PE.l The IGP over ISP's IPv4 backbone network can be OSPF or IS-IS.l Static routing protocol, IGP or EBGP can work between CE and 6PE.

When ISPs tend to extend their IPv4 or MPLS networks with IPv6 traffic exchange capabilityon MPLS, they only need to update their PE devices.

11.2 Configuring IPv4/IPv6 Dual StacksTo establish an IPv6 over IPv4 tunnel, you need to configure both the IPv4 protocol suite andthe IPv6 protocol suite on the devices where an IPv4 network borders an IPv6 network.

11.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for the IPv4/IPv6 dual protocol stack.

11.2.2 Enabling IPv6 Packet ForwardingTo enable IPv6 packet forwarding, you need to enable IPv6 in both the interface view and thesystem view.

11.2.3 Configuring IPv4 and IPv6 Addresses for the InterfaceYou need to configure IPv4 and IPv6 addresses separately on the IPv4 and IPv6 networks.

11.2.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for the IPv4/IPv6 dual protocol stack.

Applicable EnvironmentIf a device has both IPv4 and IPv6 connections, the IPv4/IPv6 dual protocol stacks need to beenabled on the device.




Issue 01 (2011-05-30)

Enabling the IPv4/IPv6 dual protocol stacks on the CX600 is a simple process. Enable the IPv6packet forwarding capacity in the system view and configure an IPv4 address or IPv6 addresson the corresponding interface. The device can then forward IPv4 and IPv6 packets on thecorresponding interface.

Pre-configuration TasksBefore configuring IPv6 tunnels, complete the following tasks:


l Configuring the link layer parameters for the interface

Data PreparationTo configure IPv4/IPv6 dual stacks, you need the following data.

No. Data

1 Type and number of the interface connected with the IPv4 network

2 IPv4 address and mask of the interface connected with the IPv4 network

3 Type and number of the interface connected with the IPv6 network

4 IPv6 address and prefix of the interface connected with the IPv6 network

11.2.2 Enabling IPv6 Packet ForwardingTo enable IPv6 packet forwarding, you need to enable IPv6 in both the interface view and thesystem view.

ContextTo enable a device to forward IPv6 packets, you must enable the IPv6 capability in both thesystem view and the interface view. This is because:

l If you run the ipv6 command only in the system view, only the IPv6 packet forwardingcapability is enabled on a device. The interface on the device is not of the IPv6 capabilityand hence you cannot perform any IPv6 configurations.

l If you run the ipv6 enable command only in the interface view, the IPv6 capability isenabled only on an interface but the IPv6 protocol status on the interface is Down and thedevice cannot forward IPv6 data.

Procedure



Step 2 Run:ipv6



11-9

The IPv6 packet forwarding capability is enabled.

To enable a device to forward IPv6 packets, you must run this command in the system view;otherwise, the IPv6 protocol status on the interface is Down and the device cannot forward IPv6packets although the interface is configured with an IPv6 address.

By default, the IPv6 packet forwarding capability is disabled.


The view of the interface to be enabled with the IPv6 capability is displayed.


The IPv6 capability is enabled on the interface.

Before performing IPv6 configurations in the interface view, you must enable the IPv6 capabilityin the interface view.

By default, the IPv6 capability is disabled on the interface.

----End

11.2.3 Configuring IPv4 and IPv6 Addresses for the InterfaceYou need to configure IPv4 and IPv6 addresses separately on the IPv4 and IPv6 networks.

Procedure




The interface view of the IPv4 network is displayed.


An IPv4 address is assigned to the interface.

Step 4 Run:quit

Return to the system view.



Step 6 Perform the following configuration as required.l Run:

ipv6 address auto link-local




Issue 01 (2011-05-30)

The link-local address is set to be automatically generated.l Run:

ipv6 address ipv6-address link-localThe link-local address of the interface is configured.

l Run:ipv6 address { ipv6-address | prefix-length }The global unicast address is configured.

l Run:ipv6 address { ipv6-address | prefix-length } eui-64The IPv6 EUI-64 address is configured.

----End

11.3 Configuring an IPv6 over IPv4 TunnelYou can interconnect IPv6 networks by using IPv4 networks.

ContextNOTE

Configuring an IPV6 over IPv4 GRE Tunnel cannot be configured on the X1 and X2 models of theCX600.

11.3.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring an IPv6 over IPv4 tunnel.

11.3.2 Configuring an IPv6 over IPv4 Manual TunnelA manual IPv6 over IPv4 tunnel is a P2P tunnel. The source address and destination address ofa manual IPv6 over IPv4 tunnel are both manually assigned. The source address and destinationaddress of a manual IPv6 over IPv4 tunnel on the same device must be unique. A manual IPv6over IPv4 tunnel acts as a permanent link that crosses an IPv4 network and connects two IPv6networks. Border devices can communicate with each other securely and regularly throughmanual IPv6 over IPv4 tunnels.

11.3.3 Configuring an IPV6 over IPv4 GRE TunnelThrough the IPv6 over IPv4 GRE technology, the IPv6 traffic can be carried over the IPv4 GREtunnels.

11.3.4 Configuring an IPv6 over IPv4 Automatic TunnelBy configuring an automatic IPv6 over IPv4 tunnel, you can enable an isolated IPv4/IPv6 dualstack host to access a remote IPv6 network through an IPv4 network. IPv6 over IPv4 automatictunnels do not support IPv6 packet forwarding.

11.3.5 Configuring a 6to4 TunnelA 6to4 tunnel is a P2MP tunnel and can interconnect IPv6 networks which are isolated fromeach other through an IPv4 network.

11.3.6 Configuring an ISATAP TunnelIntra-site Automatic Tunnel Addressing Protocol (ISATAP) tunnels are used in the situationwhere IPv4/IPv6 hosts in an IPv4 network need to access an IPv6 network. An ISATAP tunnelcan be established between an ISATAP host and an ISATAP device.

11.3.7 Configuring Routes in the Tunnel



11-11

Packets can be normally forwarded only when routes exist on both the source device anddestination device of the tunnel.

11.3.8 Checking the ConfigurationYou can view the configuration of an IPv6 over IPv4 tunnel.



To enable communication between two IPv6 networks over the IPv4 network, configure an IPv6over IPv4 tunnel on the border device of the IPv4 and IPv6 networks.


Before configuring an IPv6 over IPv4 tunnel, complete the following tasks:


l Configuring the link layer protocol for the interface and ensuring that the status of the linklayer protocol on the interface is Up

l Configuring the IPv4/IPv6 dual-protocol stacks

Data Preparation

To configure an IPv6 over IPv4 tunnel, you need the following data.

No. Data

1 Number, IPv6 address and prefix length of the tunnel

2 Encapsulation mode of packets over the tunnel

3 Source IPv4 address or interface number of the tunnel

4 Destination IPv4 address of the tunnel

5 Authentication word of the GRE tunnel (only for the GRE tunnel)

11.3.2 Configuring an IPv6 over IPv4 Manual TunnelA manual IPv6 over IPv4 tunnel is a P2P tunnel. The source address and destination address ofa manual IPv6 over IPv4 tunnel are both manually assigned. The source address and destinationaddress of a manual IPv6 over IPv4 tunnel on the same device must be unique. A manual IPv6over IPv4 tunnel acts as a permanent link that crosses an IPv4 network and connects two IPv6networks. Border devices can communicate with each other securely and regularly throughmanual IPv6 over IPv4 tunnels.




Issue 01 (2011-05-30)

ContextNote the following when configuring an IPv6 over IPv4 manual tunnel:

l Before configuring other parameters of an IPv6 tunnel, you must create a tunnel interface.l The source interface of the tunnel must be specified by the address or number of the

loopback interface on the local route.l The destination interface of the tunnel must be specified by the address of the loopback

interface on the peer device.l You need to conduct the following configurations on the devices on both the ends of the

tunnel. During the configuration, note that the source address of the local tunnel end is thedestination address set for the remote tunnel end; the destination address of the local tunnelend is the source address set for the remote tunnel end.

l To support dynamic routing protocol, you also need to configure the tunnel interface witha network address.

Procedure



Step 2 Run:interface tunnel interface-number

The tunnel interface is created.

Step 3 Run:tunnel-protocol ipv6-ipv4

The tunnel is specified be an IPv6 over IPv4 manual tunnel.

Step 4 Run:source { ip-address | interface-type interface-number }

The source address or source interface of the tunnel is specified.

NOTEFor the actual implementation on the CX600, the source interface of the tunnel can only be a loopbackinterface but the source address of the tunnel can be either the address of a physical interface or the addressof a loopback interface.

Step 5 Run:destination dest-ip-address

The destination address of the tunnel is specified.

NOTE

The destination address of the tunnel can be the address of a physical interface or the address of a loopbackinterface.


IPv6 is enabled on the interface.



11-13

Step 7 Run:ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The tunnel interface is configured with an IPv6 address.

----End

11.3.3 Configuring an IPV6 over IPv4 GRE TunnelThrough the IPv6 over IPv4 GRE technology, the IPv6 traffic can be carried over the IPv4 GREtunnels.

Contextl Note the following when configuring an IPv6 over IPv4 GRE tunnel:

– Before configuring other parameters of an IPv6 tunnel, you must create a tunnelinterface.

– The slot number of the created tunnel interface must be the same as that of the SPUC.

– You need to create the loopback interface and assign an IP address to it.

– The source interface of the tunnel must be specified by the address or number of theloopback interface on the local route.

– The destination interface of the tunnel must be specified by the address of the loopbackinterface on the peer device.

– You need to conduct the following configurations on the devices on both the ends ofthe tunnel. During the configuration, note that the source address of the local tunnel endis the destination address set for the remote tunnel end; the destination address of thelocal tunnel end is the source address set for the remote tunnel end.

– To make the tunnel support the routing protocol, configure an IP address for the tunnelinterface.

l Setting the key word of the GRE packet headerThe configuration of key word of GRE packet header is also optional. If the key word isconfigured, the receiver checks the KEY field in the GRE packet header. If the key wordin the packet header is similar to the one configured locally, the receiver continues to processthe packet. Otherwise, it discards the packet.

Procedure

Step 1 Run:set board-type slot slot-id tunnel

The service mode of the SPUC is set to Tunnel.




The tunnel interface is created.




Issue 01 (2011-05-30)

The slot number of the created tunnel interface must be the same as that of the SPUC. Forinstance, when the SPUC is inserted in slot 2, the slot number of the tunnel interface must be 2.

Step 4 Run:tunnel-protocol gre

The tunnel is specified as a GRE tunnel.

When you configure an IPv6 over IPv4 GRE tunnel, you must run the target-boardslot-number and binding tunnel gre commands respectively on the loopback interface to bind theSPUC to GRE.



The source address specified by sourceipv4-address must be the IPv4 address of the loopbackinterface bound to the SPUC through the target-board command; the source interface specifiedby sourceinterface-type interface-number must be the loopback interface bound to the SPUCthrough the target-board command.

Step 6 Run:destination dest-ip-address

The destination address of the tunnel is specified.

Step 7 (Optional) Run:gre key key-number

The key word of the GRE packets header is set.




The IPv6 address of the tunnel interface is configured.

----End

11.3.4 Configuring an IPv6 over IPv4 Automatic TunnelBy configuring an automatic IPv6 over IPv4 tunnel, you can enable an isolated IPv4/IPv6 dualstack host to access a remote IPv6 network through an IPv4 network. IPv6 over IPv4 automatictunnels do not support IPv6 packet forwarding.

ContextNote the following when configuring an IPv6 over IPv4 automatic tunnel:

l Before configuring the other parameters of an IPv6 tunnel, you must create a tunnelinterface.

l The source interface of the tunnel must be specified by the address or number of theloopback interface on the local route.



11-15

l When configuring an IPv6 over IPv4 automatic tunnel, you can specify only the sourceaddress of the tunnel. The destination address of the tunnel is automatically obtained fromthe destination IP address field carried in the original IPv6 packet. Note that the sourceinterface of the IPv6 over IPv4 automatic tunnel must be unique.

l The IPv6 address configured for the automatic tunnel must be an IPv4-compatible IPv6address. That is, the high-order 96 bits are 0 and the low-order 32 bits represent an IPv4address of an interface in the IPv4 network.

Procedure




A tunnel interface is configured.

Step 3 Run:tunnel-protocol ipv6-ipv4 auto-tunnel

The tunnel is specified as an IPv6 over IPv4 automatic tunnel.







----End

11.3.5 Configuring a 6to4 TunnelA 6to4 tunnel is a P2MP tunnel and can interconnect IPv6 networks which are isolated fromeach other through an IPv4 network.

ContextNote the following when configuring a 6to4 tunnel:

l Before configuring other parameters of the tunnel, create a tunnel interface.l When the specified source interface of the tunnel is a physical interface, it is recommended

to set the tunnel ID to be the same as the number of the physical interface.l The source tunnel interface must be specified by the address or number of the loopback

interface on the local route.




Issue 01 (2011-05-30)

l When configuring a 6to4 tunnel, you need to specify only the source tunnel interface. Thedestination address of the tunnel is automatically obtained from the destination IP addressfield carried in the original IPv6 packet. Note that the source interface of the 6to4 tunnelmust be unique.

l On the border device, configure a 6to4 address on the interface that is connected with the6to4 network, and configure an IPv4 address on the interface that is connected with theIPv4 network. To make the tunnel support the routing protocol, configure an IP address forthe tunnel interface.

Procedure




A tunnel interface is created.

Step 3 Run:tunnel-protocol ipv6-ipv4 6to4

The tunnel is specified as a 6to4 tunnel.






The interface is configured with an IPv6 address.

NOTE

The prefix of the IPv6 address configured for the interface must be the same as the 6to4 network prefix ofthe border device.

----End

Follow-up ProcedureThe configuration of 6to4 relay needed to access the IPv6 network, is similar to the 6to4 tunnel.For the configuration example, see "Example for Configuring 6to4 Relay."

11.3.6 Configuring an ISATAP TunnelIntra-site Automatic Tunnel Addressing Protocol (ISATAP) tunnels are used in the situationwhere IPv4/IPv6 hosts in an IPv4 network need to access an IPv6 network. An ISATAP tunnelcan be established between an ISATAP host and an ISATAP device.



11-17

ContextNote the following when configuring an ISATAP tunnel:

l Before configuring other parameters of the tunnel, create a tunnel interface.l When the specified source interface of the tunnel is a physical interface, it is recommended

to set the tunnel ID to be the same as the number of the physical interface.l When configuring an ISATAP tunnel, you need to specify only the source address of the

tunnel. The destination address of the tunnel is automatically obtained from the destinationIP address field carried in the original IPv6 packet. Note that the source interface of theISATAP tunnel must be unique.

l The IPv6 address configured on the tunnel interface is an ISATAP address with a prefixlength of 64 bits.

Procedure




A tunnel interface is created.

Step 3 Run:tunnel-protocol ipv6-ipv4 isatap

The tunnel is specified as an ISATAP tunnel.





Step 6 Run:undo ipv6 nd ra halt

The device is allowed to advertise routes.

----End

11.3.7 Configuring Routes in the TunnelPackets can be normally forwarded only when routes exist on both the source device anddestination device of the tunnel.

ContextConfiguring routes in the tunnel comprises configuring static routes and dynamic routes.




Issue 01 (2011-05-30)

l To configure the static route, you need to configure the route from the IP address of thelocal loopback interface (the source address) to the destination address (IP address of thepeer loopback interface).

l You can enable dynamic routing protocol on the tunnel interface connected to the privatenetworks and on the device interface.


PrerequisiteThe configurations of the IPv6 over IPv4 Tunnel function are complete.

Procedure

Step 1 Run the display device slot-id command to check whether the service mode of the SPUC isTunnel.

Step 2 Run the display ipv6 interface tunnel interface-number command to check the IPv6 attributesof a tunnel interface.

----End

ExampleIf the service mode of the SPUC is Tunnel, run the display device 3 command, and you canview that the type of the SPUC on the CX device is displayed as General.

<HUAWEI> display device 3SPU3's detail information:- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Description: Line Processing Unit - General Board status: Normal Register: Registered Uptime: 2009/02/26 18:33:23 CPU Utilization(%): 3% Mem Usage(%): 19%Clock information: State item State Current syn-clock: 17 Current line-clock: 23 Syn-clock state: Locked VCXO_OK REF_OK Syn-clock 17 state: Actived Syn-clock 18 state: Inactived Line-clock 23 state: Inactived Line-clock 24 state: InactivedStatistic information: Statistic item Statistic number SERDES interface link lost: 0 Mpu switchs: 0 Syn-clock switchs: 0- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Run the display ipv6 interface tunnel command. If the IPv6 packets forwarding is enabled,you can see the state of tunnel interface is Up, the state of IPv6 protocol is Up, source addressand ND parameters.

<HUAWEI> display ipv6 interface tunnel 3/0/0Tunnel3/0/0 current state : UP ,IPv6 protocol current state : UP



11-19

IPv6 is enabled, link-local address is FE80::201:102 Global unicast address(es): ::2.1.1.2, subnet is ::/96 Joined group address(es): FF02::1:FF01:102 FF02::2 FF02::1 MTU is 1500 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

11.4 Configuring 6PEBy performing this configuration task, you can interconnect IPv6 networks through the existingMPLS network.

11.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring 6PE.

11.4.2 Configuring IPv4/IPv6 Dual Protocol StacksYou need to enable the IPv4/IPv6 dual stack on the border device of the IPv4 and IPv6 networks.

11.4.3 Configuring MPLSThis section describes how to configure the basic functions of MPLS including LSP setup andLDP enabling.

11.4.4 Enabling 6PE PeerBy configuring a particular 6PE peer, you can configure a particular 6PE peer to exchangerouting information with the peer configured in the IPv6 view.

11.4.1 Establishing the Configuration TaskThis section describes the applicable environment, pre-configuration tasks, data preparation, andconfiguration procedure for configuring 6PE.

Applicable EnvironmentTo interconnect IPv6 networks over the existing MPLS network, 6PE must be configured on thePE devices.

Pre-configuration TasksBefore configuring 6PE, complete the following tasks:

l Configuring the physical features of interfaces and ensuring that the status of the physicallayer of the interface is Up

l Configuring the link layer protocols on interface and ensuring that the status of the linklayer protocol on the interface is Up

l Configuring routes from 6PE to CEl Configuring routes to the backbone network

Data PreparationTo configure 6PE, you need the following data.




Issue 01 (2011-05-30)

No. Data

1 Interface number and IPv6 address of the 6PE's interface connected with CE devices

2 Interface number and IPv4 address of the 6PE's interface

3 Interface number and IPv4 address of the loopback interface to be created

4 LSP triggering policy

5 IPv4 address of the peer of the 6PE

11.4.2 Configuring IPv4/IPv6 Dual Protocol StacksYou need to enable the IPv4/IPv6 dual stack on the border device of the IPv4 and IPv6 networks.

Procedure



Step 2 Run:ipv6

The IPv6 packet forwarding is enabled.





Step 5 Run:quit






Step 8 Run:ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

Or



11-21

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }


Step 9 Run:quit


----End

11.4.3 Configuring MPLSThis section describes how to configure the basic functions of MPLS including LSP setup andLDP enabling.

Procedure



Step 2 Run:mpls lsr-id ip-address

The LSR ID is specified.

Step 3 Run:mpls

MPLS is enabled and the MPLS view is displayed.

Step 4 Run:quit


Step 5 Run:mpls ldp

MPLS LDP is enabled.

Step 6 Run:quit

Exit the system view.



Step 8 Run:mpls

MPLS is enabled on the interface.

Step 9 Run:mpls ldp




Issue 01 (2011-05-30)

MPLS LDP is enabled on the interface.

----End

11.4.4 Enabling 6PE PeerBy configuring a particular 6PE peer, you can configure a particular 6PE peer to exchangerouting information with the peer configured in the IPv6 view.

Procedure



Step 2 Run:bgp as-number

The BGP view is displayed.

Step 3 Run:peer ipv4-address as-number as-number

The IP address and the AS number of a specified BGP peer are specified.

Step 4 Run:peer ipv4-address connect-interface interface-type interface-number

PE peer is specified to connect with a specified interface.

Step 5 Run:ipv6-family

The BGP-IPv6 unicast address family view is displayed.

Step 6 Run:peer peer-ipv4-address enable

6PE peer is enabled.

Step 7 Run:peer peer-ipv4-address label-route-capability

Label routing capacity is enabled for 6PE.

----End


11.5.1 Monitoring the Running Status of IPv6 over IPv4 TunnelThis section describes how to monitor an IPv6 over IPv4 tunnel.



11-23

11.5.1 Monitoring the Running Status of IPv6 over IPv4 TunnelThis section describes how to monitor an IPv6 over IPv4 tunnel.

ContextIn routine maintenance, you can run the following command in any view to check the operationof IPv6 over IPv4 tunnel.

Procedure

Step 1 Run the display ipv6 interface tunnel { interface-number } command in any view to check theoperation status of the tunnel interface.

----End


ContextNOTE


11.6.1 Example for Configuring an IPv6 over IPv4 Manual TunnelThis section provides an example for configuring a manual IPv6 over IPv4 tunnel.

11.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel

11.6.3 Example for Configuring an IPv6 over IPv4 Automatic Tunnel

11.6.4 Example for Configuring a 6to4 TunnelThis section provides an example for configuring a 6to4 tunnel.

11.6.5 Example for Configuring 6to4 RelayThis section provides an example for configuring 6to4 relay.

11.6.6 Example for Configuring an ISATAP TunnelThis section provides an example for configuring an ISATAP tunnel.

11.6.7 Example for Configuring 6PEThis section provides an example of configuring the 6PE.

11.6.1 Example for Configuring an IPv6 over IPv4 Manual TunnelThis section provides an example for configuring a manual IPv6 over IPv4 tunnel.

Networking RequirementsAs shown in Figure 11-6, two IPv6 networks are connected to CX-B in the IPv4 backbonenetwork respectively through CX-A and CX-C. To enable communication between two IPv6networks, configure an IPv6 over IPv4 manual tunnel between CX-A and CX-C.




Issue 01 (2011-05-30)

NOTEIt is recommended that in an actual networking environment, the source address of the tunnel is specifiedas the IP address of the loopback interface of the local device or the source interface of the tunnel is specifiedas the loopback interface on the local device. It is also recommended that in an actual networkingenvironment, the destination address of the tunnel is specified as the IP address of the loopback interfaceof the peer device.

Figure 11-6 Networking diagram of the IPv6 over IPv4 manual tunnel

CX-A CX-CDualStack

DualStack

GE1/0/0192.168.50.2/24

IPv4 network

GE1/0/0192.168.51.2/24

IPv6 IPv6

CX-BGE1/0/0

192.168.50.1/24GE2/0/0192.168.51.1/24

Configuration RoadmapThe configuration roadmap of IPv6 over IPv4 manual tunnel is as follows:

1. Configure IP addresses for physical interfaces.2. Configure IPv6 addresses, the source interface, and the destination addresses for the tunnel

interfaces.3. Set the tunnel protocol as IPv6-IPv4.


l IP addresses of interfacesl IPv6 addresses, the source interfaces and the destination addresses of the tunnel interfaces

Procedure


# Configure an IP address for the interface.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface gigabitethernet 1/0/0[CX-A-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0[CX-A-GigabitEthernet1/0/0] undo shutdown[CX-A-GigabitEthernet1/0/0] quit

# Set the tunnel protocol as IPv6-IPv4.



11-25

[CX-A] interface tunnel 1/0/0[CX-A-Tunnel1/0/0] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface, and destination address for the tunnel interface.

[CX-A-Tunnel1/0/0] ipv6 enable[CX-A-Tunnel1/0/0] ipv6 address 3001::1/64[CX-A-Tunnel1/0/0] source 192.168.50.2[CX-A-Tunnel1/0/0] destination 192.168.51.2[CX-A-Tunnel1/0/0] quit

# Configure static routes.

[CX-A] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1



<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface gigabitethernet 1/0/0[CX-B-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0[CX-B-GigabitEthernet1/0/0] undo shutdown[CX-B-GigabitEthernet1/0/0] quit[CX-B] interface gigabitethernet 2/0/0[CX-B-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0[CX-B-GigabitEthernet2/0/0] undo shutdown[CX-B-GigabitEthernet2/0/0] quit



<HUAWEI> system-view[HUAWEI] sysname CX-C[CX-C] ipv6[CX-C] interface gigabitethernet 1/0/0[CX-C-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0[CX-C-GigabitEthernet1/0/0] undo shutdown[CX-C-GigabitEthernet1/0/0] quit

# Set the tunnel protocol as IPv6-IPv4.

[CX-C] interface tunnel 1/0/0[CX-C-Tunnel1/0/0] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface, and destination address for the tunnel interface.

[CX-C-Tunnel1/0/0] ipv6 enable[CX-C-Tunnel1/0/0] ipv6 address 3001::2/64[CX-C-Tunnel1/0/0] source 192.168.51.2[CX-C-Tunnel1/0/0] destination 192.168.50.2[CX-C-Tunnel1/0/0] quit


[CX-C] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1


# On CX-C, ping the IPv4 address of the interface GE 1/0/0 of CX-A. CX-C can receive responsepackets from CX-A.

[CX-C] ping 192.168.50.2 PING 192.168.50.2: 56 data bytes, press CTRL_C to break Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms




Issue 01 (2011-05-30)

Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms --- 192.168.50.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/32/84 ms

# On CX-C, ping the IPv6 address of Tunnel 1/0/0 of CX-A. CX-C can receive response packetsfrom CX-A.

[CX-C] ping ipv6 3001::1 PING 3001::1 : 56 data bytes, press CTRL_C to break Reply from 3001::1 bytes=56 Sequence=1 hop limit=255 time = 28 ms Reply from 3001::1 bytes=56 Sequence=2 hop limit=255 time = 27 ms Reply from 3001::1 bytes=56 Sequence=3 hop limit=255 time = 26 ms Reply from 3001::1 bytes=56 Sequence=4 hop limit=255 time = 27 ms Reply from 3001::1 bytes=56 Sequence=5 hop limit=255 time = 26 ms --- 3001::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 26/26/28 ms

----End

Configuration Filel Configuration file of CX-A

# sysname CX-A#ipv6#interface GigabitEthernet1/0/0 undo shutdown ip address 192.168.50.2 255.255.255.0#interface Tunnel1/0/0 ipv6 enable ipv6 address 3001::1/64 tunnel-protocol ipv6-ipv4 source 192.168.50.2 destination 192.168.51.2#ip route-static 192.168.51.0 255.255.255.0 192.168.50.1#return

l Configuration file of CX-B# sysname CX-B#interface GigabitEthernet1/0/0 undo shutdown ip address 192.168.50.1 255.255.255.0#interface GigabitEthernet2/0/0 undo shutdown ip address 192.168.51.1 255.255.255.0#return



11-27

l Configuration file of CX-C# sysname CX-C#ipv6#interface GigabitEthernet1/0/0 undo shutdown ip address 192.168.51.2 255.255.255.0#interface Tunnel1/0/0 ipv6 enable ipv6 address 3001::2/64 tunnel-protocol ipv6-ipv4 source 192.168.51.2 destination 192.168.50.2#ip route-static 192.168.50.0 255.255.255.0 192.168.51.1#return

11.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel

Networking RequirementsNOTE

An IPV6 over IPv4 GRE Tunnel cannot be configured on the X1 and X2 models of the CX600.

As shown in Figure 11-7, two IPv6 networks are connected to CX-B in the IPv4 network throughCX-A and CX-C, respectively. To allow the two IPv6 networks to communicate with each other,configure an IPv6 over IPv4 GRE tunnel between CX-A and CX-C.

NOTEWhen configuring an IPv6 over IPv4 GRE tunnel, you must set the service mode of the SPUC to Tunneland bind the SPUC to the tunnel.

Figure 11-7 Networking diagram of the IPv6 over IPv4 GRE tunnel

Loopback11.1.1.1/32

Loopback12.2.2.2/32

CX-A CX-C

DualStack

DualStack

GE1/0/0192.168.50.2/24

IPv4network

GE1/0/0192.168.51.2/24

IPv6 IPv6

GE1/0/0192.168.50.1/24

GE2/0/0192.168.51.1/24

CX-B




Issue 01 (2011-05-30)


1. Configure IP addresses for interfaces.2. Configure IPv6 addresses, the source interface, and the destination address of the tunnel

interfaces.3. Set the tunnel protocol as GRE.


l IP addresses of interfacesl IPv6 addresses and the source interface, and the destination address

Procedure



<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface pos 1/0/0[CX-A-Pos1/0/0] ip address 192.168.50.2 255.255.255.0[CX-A-Pos1/0/0] undo shutdown[CX-A-Pos1/0/0] quit

# Create a loopback interface and assign an IPv4 address to it.

[CX-A] interface Loopback 1[CX-A-LoopBack1] ip address 1.1.1.1 32[CX-A-LoopBack1] quit

# Configure a static route from CX-A to CX-C.

[CX-A] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1 [CX-A] ip route-static 2.2.2.2 255.255.255.255 192.168.50.1[CX-A] quit

# Set the service mode of the SPUC to Tunnel and the tunnel protocol mode to GRE.

<CX-A> set board-type slot 6 tunnel[CX-A] system-view[CX-A] interface tunnel 6/0/0[CX-A-Tunnel6/0/0] tunnel-protocol gre

# Configure the IPv6 address, source interface, and destination address for the tunnel interface.Bind the tunnel to the SPUC.

[CX-A] interface Loopback 1 [CX-A-LoopBack1] target-board 6 [CX-A-LoopBack1] binding tunnel gre [CX-A-LoopBack1] quit [CX-A] interface Tunnel 6/0/0[CX-A-Tunnel6/0/0] ipv6 enable [CX-A-Tunnel6/0/0] ipv6 address 3001::1 64 [CX-A-Tunnel6/0/0] source loopback 1 [CX-A-Tunnel6/0/0] destination 2.2.2.2 [CX-A-Tunnel6/0/0] quit



11-29

NOTEThe device supports tunnel binding only on the loopback interface.



<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] interface pos 1/0/0[CX-B-Pos1/0/0] ip address 192.168.50.1 255.255.255.0[CX-B-Pos1/0/0] undo shutdown[CX-B-Pos1/0/0] quit[CX-B] interface pos 2/0/0[CX-B-Pos2/0/0] ip address 192.168.51.1 255.255.255.0[CX-B-Pos2/0/0] undo shutdown[CX-B-Pos2/0/0] quit



<HUAWEI> system-view[HUAWEI] sysname CX-C[CX-C] ipv6[CX-C] interface pos 1/0/0[CX-C-Pos1/0/0] ip address 192.168.51.2 255.255.255.0[CX-C-Pos1/0/0] undo shutdown[CX-C-Pos1/0/0] quit


[CX-C] interface Loopback 1[CX-C-LoopBack1] ip address 2.2.2.2 32[CX-C-LoopBack1] quit

# Configure a static route from CX-C to CX-A.

[CX-C] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1 [CX-C] ip route-static 1.1.1.1 255.255.255.255 192.168.51.1[CX-C] quit

On CX-C, ping the IPv4 address of POS 1/0/0 on CX-A. CX-C receives the response packetsfrom CX-A.

[CX-C] ping 192.168.50.2 PING 192.168.50.2: 56 data bytes, press CTRL_C to break Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=1 ms

--- 192.168.50.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms[CX-C] ping 1.1.1.1 PING 1.1.1.1.2: 56 data bytes, press CTRL_C to break Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms

--- 1.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received




Issue 01 (2011-05-30)

0.00% packet loss round-trip min/avg/max = 1/1/1 ms

This indicates that a reachable route exists between CX-A and CX-C.

# Set the service mode of the SPUC to Tunnel and the tunnel protocol mode to GRE.

<CX-C> set board-type slot 6 tunnel[CX-C] system-view[CX-C] interface tunnel 6/0/0[CX-C-Tunnel6/0/0] tunnel-protocol gre

# Configure the IPv6 address, source interface, and destination IP address of the tunnel interface.Bind the tunnel to the SPUC.

[CX-C] interface Loopback 1 [CX-C-LoopBack1] target-board 6 [CX-C-LoopBack1] binding tunnel gre [CX-C-LoopBack1] quit [CX-C] interface Tunnel 6/0/0[CX-C-Tunnel6/0/0] ipv6 enable [CX-C-Tunnel6/0/0] ipv6 address 3001::2 64 [CX-C-Tunnel6/0/0] source loopback 1 [CX-C-Tunnel6/0/0] destination 1.1.1.1 [CX-C-Tunnel6/0/0] quit


Step 4 Verify the configuration

# On CX-C, ping the IPv6 address of Tunnel 1/0/0 on CX-A. CX-C receives the response packetsfrom CX-A.

[CX-C] ping ipv6 3001::1 PING 3001::1 : 56 data bytes, press CTRL_C to break Reply from 3001::1 bytes=56 Sequence=1 hop limit=255 time = 28 ms Reply from 3001::1 bytes=56 Sequence=2 hop limit=255 time = 27 ms Reply from 3001::1 bytes=56 Sequence=3 hop limit=255 time = 26 ms Reply from 3001::1 bytes=56 Sequence=4 hop limit=255 time = 27 ms Reply from 3001::1 bytes=56 Sequence=5 hop limit=255 time = 26 ms --- 3001::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 26/26/28 ms

----End


# sysname CX-A#ipv6#interface pos1/0/0 link-protocol ppp ip address 192.168.50.2 255.255.255.0#interface LoopBack1



11-31

ip address 1.1.1.1 255.255.255.255 target-board 6 binding tunnel gre #interface Tunnel6/0/0ipv6 enable ipv6 address 3001::1/64tunnel-protocol gre source loopback 1 destination 2.2.2.2#ip route-static 192.168.51.2 255.255.255.0 192.168.50.1ip route-static 2.2.2.2 255.255.255.255 192.168.50.1#return

l Configuration file of CX-B# sysname CX-B#interface Pos1/0/0link-protocol ppp ip address 192.168.50.1 255.255.255.0#interface Pos2/0/0link-protocol ppp ip address 192.168.51.1 255.255.255.0#return

l Configuration file of CX-C# sysname CX-C#ipv6#interface pos1/0/0 link-protocol ppp ip address 192.168.51.2 255.255.255.0#interface LoopBack1 ip address 2.2.2.2 255.255.255.255 target-board 6 binding tunnel gre #interface Tunnel6/0/0ipv6 enable ipv6 address 3001::2/64tunnel-protocol gre source loopback 1 destination 1.1.1.1#ip route-static 192.168.50.0 255.255.255.0 192.168.51.1ip route-static 1.1.1.1 255.255.255.255 192.168.51.1#return

11.6.3 Example for Configuring an IPv6 over IPv4 AutomaticTunnel

Networking RequirementsAs shown in Figure 11-8, two IPv6 networks are connected with the IPv4 backbone networkthrough CX-A and CX-B, respectively. To enable communications between the two IPv6networks, configure an IPv6 over IPv4 automatic tunnel between CX-A and CX-B.




Issue 01 (2011-05-30)

The interfaces connecting CX-A and CX-B to the IPv4 backbone network should be configuredwith public IPv4 addresses.

NOTEOne of the following choices is recommended for real world networking environments. The source addressof the tunnel should be specified as the IP address of the loopback interface of the local device or the sourceinterface of the tunnel should be specified as the loopback interface on the local device. It is alsorecommended that the destination address of the tunnel be specified as the IP address of the loopbackinterface of the peer device in a real world networking environment.

Figure 11-8 Networking diagram of the IPv6 over IPv4 automatic tunnel

loopback13.3.3.3/32

loopback14.4.4.4/32

CX-A CX-BPOS1/0/02.1.1.1/8

IPv4

IPv6 IPv6

POS1/0/02.1.1.2/8

Tunnel 1/0/0::2.1.1.1/96

Tunnel 1/0/0::2.1.1.2/96

DualStack

DualStack


1. Configure IP addresses for interfaces.2. Configure the IPv6 addresses and source interface of the tunnel interface.3. Set the tunnel protocol as automatic tunnel protocol.


l IP addresses of interfacesl IPv6 address and source interface of the tunnel interface

To configure an automatic tunnel, the source interface of the tunnel rather than the destinationinterface must be specified.

ProcedureStep 1 Configure CX-A.

# Configure the IPv4/IPv6 dual protocol stacks.<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface pos 1/0/0[CX-A-pos1/0/0] ip address 2.1.1.1 255.0.0.0[CX-A-pos1/0/0] quit




11-33

[CX-A] interface loopback 1 [CX-A-LoopBack1] ip address 3.3.3.3 32[CX-A-LoopBack1] quit

# Configure a static route from CX-A to CX-B.

[CX-A] ip route-static 2.1.1.2 255.0.0.0 2.1.1.2[CX-A] ip route-static 4.4.4.4 255.255.255.255 2.1.1.2

# Configure an automatic tunnel.

[CX-A] interface tunnel 1/0/0[CX-A-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel[CX-A-Tunnel1/0/0] ipv6 enable[CX-A-Tunnel1/0/0] ipv6 address ::3.3.3.3/96[CX-A-Tunnel1/0/0] source loopback 1[CX-A-Tunnel1/0/0] quit


# Configure the IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ipv6[CX-B] interface pos 1/0/0[CX-B-pos1/0/0] ip address 2.1.1.2 255.0.0.0[CX-B-Pos1/0/0] quit


[CX-B] interface loopback 1 [CX-B-LoopBack1] ip address 4.4.4.4 32[CX-B-LoopBack1] quit

# Configure a static route from CX-B to CX-A.

[CX-B] ip route-static 2.1.1.1 255.0.0.0 2.1.1.1[CX-B] ip route-static 3.3.3.3 255.255.255.255 2.1.1.1

# Configure an automatic tunnel.

[CX-B] interface tunnel 1/0/0[CX-B-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel[CX-B-Tunnel1/0/0] ipv6 enable[CX-B-Tunnel1/0/0] ipv6 address ::4.4.4.4/96 [CX-B-Tunnel1/0/0] source loopback 1[CX-B-Tunnel1/0/0] quit


# On CX-A, view the status of Tunnel 1/0/0 and find it is Up.

[CX-A] display ipv6 interface tunnel 1/0/0Tunnel1/0/0 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::201:101 Global unicast address(es): ::3.3.3.3, subnet is ::/96 Joined group address(es): FF02::1:FF01:101 FF02::2 FF02::1 MTU is 1500 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

# On CX-A, ping the IPv4-compatible IPv6 address of tunnel peer.




Issue 01 (2011-05-30)

[CX-A] ping ipv6 ::4.4.4.4 PING ::4.4.4.4 : 56 data bytes, press CTRL_C to break Reply from ::4.4.4.4 bytes=56 Sequence=1 hop limit=64 time = 30 ms Reply from ::4.4.4.4 bytes=56 Sequence=2 hop limit=64 time = 40 ms Reply from ::4.4.4.4 bytes=56 Sequence=3 hop limit=64 time = 50 ms Reply from ::4.4.4.4 bytes=56 Sequence=4 hop limit=64 time = 1 ms Reply from ::4.4.4.4 bytes=56 Sequence=5 hop limit=64 time = 50 ms --- ::4.4.4.4 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/34/50 ms

----End

Configuration Filel Configuration file of CX-A

# sysname CX-A#ipv6#interface pos1/0/0 link-protocol ppp ip address 2.1.1.1 255.0.0.0#interface LoopBack1 ip address 3.3.3.3 255.255.255.255#interface Tunnel 1/0/0ipv6 enable ipv6 address ::3.3.3.3/96 tunnel-protocol ipv6-ipv4 auto-tunnelsource loopback 1#ip route-static 2.1.1.2 255.0.0.0 2.1.1.2ip route-static 4.4.4.4 255.255.255.255 2.1.1.2#return

l Configuration file of CX-B# sysname CX-B#ipv6#interface pos1/0/0 link-protocol ppp ip address 2.1.1.2 255.0.0.0#interface LoopBack1 ip address 4.4.4.4 255.255.255.255#interface Tunnel 1/0/0ipv6 enableipv6 address ::4.4.4.4/96 tunnel-protocol ipv6-ipv4 auto-tunnel source loopback 1#ip route-static 2.1.1.1 255.0.0.0 2.1.1.1ip route-static 3.3.3.3 255.255.255.255 2.1.1.1



11-35

#return

11.6.4 Example for Configuring a 6to4 TunnelThis section provides an example for configuring a 6to4 tunnel.

Networking RequirementsAs shown in Figure 11-9, two IPv6 networks are both 6to4 networks. CX-A and CX-B areconnected with the 6to4 network and the IPv4 network. To enable communication between thehosts in the two 6to4 network, it is required to set up a 6to4 tunnel between CX-A and CX-B.

To enable communication between 6to4 networks, configure 6to4 addresses for the hosts in the6to4 network. A 6to4 address has a 48-bit prefix composed of 2002:IPv4 address:. As shownin Figure 11-9, the IPv4 address of the interface through which A is connected to the IPv4network is 2.1.1.1. Therefore, the 6to4 address of A in the 6to4 network should start with2002:0201:0101::.


Figure 11-9 Networking diagram of the 6to4 tunnel

CX-ACX-B

POS1/0/02.1.1.1

POS1/0/02.1.1.2

Tunnel 1/0/02002:201:101::1/64

Tunnel 1/0/02002:201:102::1/64

2002:201:101:1::2PC1IPv6

2002:201:102:1::2PC2

GE2/0/02002:201:102:1::1/64

IPv6

GE2/0/02002:201:101:1::1/64

6to4CX600

6to4CX600

IPv4


1. Configure IPv4/IPv6 dual-protocol stacks.2. Configure the tunnel protocol as 6to4.3. Configure related routes.





Issue 01 (2011-05-30)

l IPv4 or IPv6 addresses of interfaces

l Source tunnel interface

Procedure


# Configure IPv4/IPv6 dual protocol stacks.

<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface pos 1/0/0[CX-A-pos1/0/0] ip address 2.1.1.1 8[CX-A-pos1/0/0] undo shutdown[CX-A-pos1/0/0] quit[CX-A] interface gigabitethernet 2/0/0[CX-A-GigabitEthernet2/0/0] ipv6 enable[CX-A-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64[CX-A-GigabitEthernet2/0/0] undo shutdown[CX-A-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.

[CX-A] interface tunnel 1/0/0[CX-A-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4[CX-A-Tunnel1/0/0] ipv6 enable[CX-A-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64[CX-A-Tunnel1/0/0] source 2.1.1.1[CX-A-Tunnel1/0/0] quit

# Configure a route to other 6to4 networks.

[CX-A] ipv6 route-static 2002:: 16 tunnel 1/0/0



<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ipv6[CX-B] interface pos 1/0/0[CX-B-pos1/0/0] ip address 2.1.1.2 8[CX-B-pos1/0/0] undo shutdown[CX-B-pos1/0/0] quit[CX-B] interface gigabitethernet 2/0/0[CX-B-GigabitEthernet2/0/0] ipv6 enable[CX-B-GigabitEthernet2/0/0] ipv6 address 2002:0201:0102:1::1/64[CX-B-GigabitEthernet2/0/0] undo shutdown[CX-B-GigabitEthernet2/0/0] quit


[CX-B] interface tunnel 1/0/0[CX-B-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4[CX-B-Tunnel1/0/0] ipv6 enable[CX-B-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64[CX-B-Tunnel1/0/0] source 2.1.1.2[CX-B-Tunnel1/0/0] quit

# Configure a route to other 6to4 networks.

[CX-B] ipv6 route-static 2002:: 16 tunnel 1/0/0



11-37

NOTE

There must be an accessible route between CX-A and CX-B. In this example, both the devices are directlyconnected; therefore, no routing protocol needs to be configured.


# Check the IPv6 state of Tunnel 1/0/0 on CX-A and find it is UP.

[CX-A] display ipv6 interface tunnel 1/0/0Tunnel1/0/0 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::201:101 Global unicast address(es): 2002:201:101::1, subnet is 2002:201:101::/64 Joined group address(es): FF02::1:FF01:101 FF02::1:FF00:1 FF02::2 FF02::1 MTU is 1500 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses

# CX-A can ping through the 6to4 address of GE 2/0/0 of CX-B.

[CX-A] ping ipv6 2002:0201:0102:1::1 PING 2002:0201:0102:1::1 : 56 data bytes, press CTRL_C to break Reply from 2002:201:102:1::1 bytes=56 Sequence=1 hop limit=255 time = 8 ms Reply from 2002:201:102:1::1 bytes=56 Sequence=2 hop limit=255 time = 25 ms Reply from 2002:201:102:1::1 bytes=56 Sequence=3 hop limit=255 time = 4 ms Reply from 2002:201:102:1::1 bytes=56 Sequence=4 hop limit=255 time = 5 ms Reply from 2002:201:102:1::1 bytes=56 Sequence=5 hop limit=255 time = 5 ms --- 2002:0201:0102:1::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 4/9/25 ms

----End


# sysname CX-A#ipv6#interface pos1/0/0 link-protocol ppp undo shutdown ip address 2.1.1.1 255.0.0.0#interface GigabitEthernet 2/0/0undo shutdown ipv6 enable ipv6 address 2002:201:101:1::1/64#interface Tunnel 1/0/0 ipv6 enable ipv6 address 2002:201:101::1/64




Issue 01 (2011-05-30)

tunnel-protocol ipv6-ipv4 6to4 source 2.1.1.1#ipv6 route-static 2002:: 16 Tunnel 1/0/0#return

l Configuration file of CX-B# sysname CX-B#ipv6#interface pos1/0/0 link-protocol ppp undo shutdown ip address 2.1.1.2 255.0.0.0#interface GigabitEthernet2/0/0undo shutdown ipv6 enable ipv6 address 2002:201:102:1::1/64#interface Tunnel 1/0/0 ipv6 enable ipv6 address 2002:201:102::1/64 tunnel-protocol ipv6-ipv4 6to4 source 2.1.1.2#ipv6 route-static 2002:: 16 Tunnel 1/0/0#return

11.6.5 Example for Configuring 6to4 RelayThis section provides an example for configuring 6to4 relay.

Networking RequirementsAs shown in Figure 11-10, CX-A is a 6to4 device and is connected with an IPv6 network. Asa 6to4 relay device, CX-B is connected with the IPv6 Internet (2001::/64). To enablecommunication between the host in the 6to4 network and the host in the IPv6 Internet, configurea 6to4 tunnel between CX-A and CX-B.

The configuration of the tunnel between a 6to4 relay device and a common 6to4 device is similarto that between common 6to4 devices. A static route to the IPv6 Internet shall be configured onthe common 6to4 device so that the 6to4 network and the IPv6 network can communicate witheach other.




11-39

Figure 11-10 Networking diagram of accessing the IPv6 network through 6to4 relay

CX-A CX-B

POS1/0/02.1.1.1

POS1/0/02.1.1.2

Tunnel 1/0/02002:201:101::1/64

Tunnel 1/0/02002:201:102::1/64

2002:201:101:1::2PC16to4 2001::2

PC2

GE2/0/02001::1/64

IPv6

GE2/0/02002:201:101:1::1/64

6to4CX600

6to4Relay

IPv4


1. Configure IPv4/IPv6 dual protocol stacks.2. Configure a 6to4 tunnel.3. Configure related static routes.


l IPv4 or IPv6 addresses of interfacesl Source tunnel interfacel Static routes to the devices that are not directly connected

ProcedureStep 1 Configure CX-A.


<HUAWEI> system-view[HUAWEI] sysname CX-A[CX-A] ipv6[CX-A] interface pos 1/0/0[CX-A-Pos1/0/0] ip address 2.1.1.1 255.0.0.0[CX-A-Pos1/0/0] undo shutdown[CX-A-Pos1/0/0] quit[CX-A] interface gigabitethernet 2/0/0[CX-A-GigabitEthernet2/0/0] ipv6 enable[CX-A-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64[CX-A-GigabitEthernet2/0/0] undo shutdown[CX-A-GigabitEthernet2/0/0] quit


[CX-A] interface tunnel 1/0/0




Issue 01 (2011-05-30)

[CX-A-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4[CX-A-Tunnel1/0/0] ipv6 enable[CX-A-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64[CX-A-Tunnel1/0/0] source 2.1.1.1[CX-A-Tunnel1/0/0] quit

# Configure a static route to 2002::/16.

[CX-A] ipv6 route-static 2002:: 16 tunnel 1/0/0

# Configure a default route to the IPv6 network.

[CX-A] ipv6 route-static :: 0 2002:0201:0102::1



<HUAWEI> system-view[HUAWEI] sysname CX-B[CX-B] ipv6[CX-B] interface pos 1/0/0[CX-B-Pos1/0/0] ip address 2.1.1.2 255.0.0.0[CX-B-Pos1/0/0] undo shutdown[CX-B-Pos1/0/0] quit[CX-B] interface gigabitethernet 2/0/0[CX-B-GigabitEthernet2/0/0] ipv6 enable[CX-B-GigabitEthernet2/0/0] ipv6 address 2001::1/64[CX-B-GigabitEthernet2/0/0] undo shutdown[CX-B-GigabitEthernet2/0/0] quit


[CX-B] interface tunnel 1/0/0[CX-B-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4[CX-B-Tunnel1/0/0] ipv6 enable[CX-B-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64[CX-B-Tunnel1/0/0] source 2.1.1.2[CX-B-Tunnel1/0/0] quit

# Configure a static route to 2002::/16.

[CX-B] ipv6 route-static 2002:: 16 tunnel1/0/0


# CX-A can ping through the IPv6 address of GE 2/0/0 on CX-B.

[CX-A] ping ipv6 2001::1 PING 2001::1 : 56 data bytes, press CTRL_C to break Reply from 2001::1 bytes=56 Sequence=1 hop limit=255 time = 29 ms Reply from 2001::1 bytes=56 Sequence=2 hop limit=255 time = 5 ms Reply from 2001::1 bytes=56 Sequence=3 hop limit=255 time = 5 ms Reply from 2001::1 bytes=56 Sequence=4 hop limit=255 time = 5 ms Reply from 2001::1 bytes=56 Sequence=5 hop limit=255 time = 26 ms --- 2001::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 5/14/29 ms

----End



11-41


#sysname CX-A#ipv6#interface pos1/0/0 link-protocol ppp undo shutdown ip address 2.1.1.1 255.0.0.0#interface GigabitEthernet2/0/0 undo shutdown ipv6 enable ipv6 address 2002:201:101:1::1/64#interface Tunnel 1/0/0 ipv6 enable ipv6 address 2002:201:101::1/64 tunnel-protocol ipv6-ipv4 6to4 source 2.1.1.1##ipv6 route-static :: 0 2002:201:102::1#ipv6 route-static 2002:: 16 Tunnel 1/0/0#return

l Configuration file of CX-B#sysname CX-B#ipv6# source 2.1.1.2# link-protocol ppp undo shutdown ip address 2.1.1.2 255.0.0.0#interface GigabitEthernet2/0/0undo shutdown ipv6 enable ipv6 address 2001::1/64#interface Tunnel 1/0/0 ipv6 enable ipv6 address 2002:201:102::1/64 tunnel-protocol ipv6-ipv4 6to4 source Pos1/0/0#ipv6 route-static 2002:: 16 Tunnel 1/0/0#return

11.6.6 Example for Configuring an ISATAP TunnelThis section provides an example for configuring an ISATAP tunnel.

Network RequirementsAs shown in Figure 11-11, an IPv6 host in the IPv4 network running the Windows XP systemneeds to access the IPv6 network through a border device. Both the IPv6 host and the border




Issue 01 (2011-05-30)

device support ISATAP. Then you need to set up an ISATAP tunnel between the IPv6 host andthe border device.

Figure 11-11 Networking diagram of the ISATAP tunnel

IPv4network

IPv6network

ISATAP HostIPv6 Host

2.1.1.2FE80::5EFE:0201:0102

2001::5EFE:0201:0102

ISATAPCX600

GE2/0/02.1.1.1/8

GE1/0/03001::1/64

3001::2


1. Configure IPv4/IPv6 dual protocol stacks.2. Configure an ISATAP tunnel.3. Configure static routes from the IPv6 host to the ISATAP host.


l IPv4 or IPv6 addresses of interfacesl Source interface of the tunnel

Procedure

Step 1 Configure the ISATAP device.

# Enable IPv4/IPv6 dual protocol stacks and configure an IP address for each interface.

<HUAWEI> system-view[HUAWEI] sysname Router[Router] ipv6[Router] interface gigabitethernet 1/0/0[Router-GigabitEthernet1/0/0] ipv6 enable[Router-GigabitEthernet1/0/0] ipv6 address 3001::1/64[Router-GigabitEthernet1/0/0] undo shutdown[Router-GigabitEthernet1/0/0] quit[Router] interface gigabitethernet 2/0/0[Router-GigabitEthernet2/0/0] ip address 2.1.1.1 255.0.0.0[Router-GigabitEthernet2/0/0] undo shutdown[Router-GigabitEthernet2/0/0] quit

# Configure an ISATAP tunnel.

[Router] interface tunnel 2/0/0[Router-Tunnel2/0/0] tunnel-protocol ipv6-ipv4 isatap[Router-Tunnel2/0/0] ipv6 enable[Router-Tunnel2/0/0] ipv6 address 2001::/64 eui-64[HUAWEI-Tunnel2/0/0] source 2.1.1.1



11-43

[Router-Tunnel2/0/0] undo ipv6 nd ra halt[Router-Tunnel2/0/0] quit

Step 2 Configure the ISATAP host.

# Configure a static route to the border device. (The pseudo interface number of the host is 2.You can run the ipv6 if command to view the interface corresponding to the automatic tunnelingpseudo interface.

C:\> ipv6 rlu 2 2.1.1.1

Step 3 Configure the IPv6 host.

# Configure a static route on the IPv6 host to the border device, so hosts in different networkscan communicate through the ISATAP tunnel.

C:\> ipv6 rtu 2001::/64 6/3001::1


Check the status of the Tunnel 2/0/0 on the ISATAP device and find it is Up.

[Router] display ipv6 interface tunnel 2/0/0Tunnel2/0/0 current state : UPIPv6 protocol current state : UPIPv6 is enabled, link-local address is FE80::5EFE:201:101 Global unicast address(es): 2001::5EFE:201:101, subnet is 2001::/64 Joined group address(es): FF02::1:FF01:101 FF02::2 FF02::1 MTU is 1500 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisement max interval 600 seconds, min interval 200 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses

# On the ISATAP device, ping the global unicast IP address of the tunnel interface on theISATAP host.

[Router] ping ipv6 2001::5efe:2.1.1.2 PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break Reply from 2001::5EFE:201:102 bytes=56 Sequence=1 hop limit=64 time = 4 ms Reply from 2001::5EFE:201:102 bytes=56 Sequence=2 hop limit=64 time = 3 ms Reply from 2001::5EFE:201:102 bytes=56 Sequence=3 hop limit=64 time = 2 ms Reply from 2001::5EFE:201:102 bytes=56 Sequence=4 hop limit=64 time = 2 ms Reply from 2001::5EFE:201:102 bytes=56 Sequence=5 hop limit=64 time = 2 ms --- 2001::5efe:2.1.1.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/2/4 ms

# On the ISATAP host, ping the global unicast IP address of the ISATAP device.

C:\> ping6 2001::5efe:2.1.1.1Pinging 2001::5efe:2.1.1.1from 2001::5efe:2.1.1.2 with 32 bytes of data:Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms




Issue 01 (2011-05-30)

Reply from 2001::5efe:2.1.1.1: bytes=32 time=1msReply from 2001::5efe:2.1.1.1: bytes=32 time=1msReply from 2001::5efe:2.1.1.1: bytes=32 time=1msPing statistics for 2001::5efe:2.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms

# The ISATAP host can ping through the IPv6 host.

C:\> ping6 3001::2Pinging 3001::2 with 32 bytes of data:Reply from 3001::2: time<1msReply from 3001::2: time<1msReply from 3001::2: time<1msReply from 3001::2: time<1msPing statistics for 3001::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms

----End

Configuration Files

The configuration file of the ISATAP device is as follows:

# sysname ISATAP#ipv6#interface GigabitEthernet1/0/0undo shutdown ipv6 enable ipv6 address 3001::1/64#interface GigabitEthernet2/0/0 undo shutdown ip address 2.1.1.1 255.0.0.0#interface Tunnel2/0/0 ipv6 enableipv6 address 2001::/64 eui-64undo ipv6 nd ra halttunnel-protocol ipv6-ipv4 isatapsource 2.1.1.1#return

11.6.7 Example for Configuring 6PEThis section provides an example of configuring the 6PE.


As shown in Figure 11-12, PE1 and PE2 support the 6PE features and CE1 and CE2 supportthe IPv6 protocol. IPv4 IBGP connections need to be established between PEs in the IPv4/MPLSnetwork. Run the OSPF protocol in the IPv4/MPLS network. CEs are in the IPv6 networks,Using the IPv6 address, CEs exchange the routing information with PEs along the static routes.

It is required to use the 6PE feature to connect the IPv6 networks of the user over the IPv4/MPLSnetwork of the ISP.



11-45

Figure 11-12 Networking diagram of 6PE

PE1

POS1/0/03000:435::1/64

POS2/0/04.3.5.1/24

IPv6Customer

site

IPv6Customer

site

POS2/0/04.3.5.2/24

PE2

CE1 CE2POS1/0/03000:435::2/64

POS1/0/03000:1065::2/64

IPv4/MPLS

POS1/0/03000:1065::1/64


1. Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.2. Configure 6PE and enable MPLS capability.3. Configure the 6PE peer.4. Configure an IPv6 address for the interface and a static route on CE.


l IP addresses of interfacesl LSR ID

Procedure

Step 1 Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.

# Configure PE1 and enable its IPv6 capability.

<HUAWEI> system-view[HUAWEI] sysname PE1[PE1] ipv6

# Configure PE2 and enable its IPv6 capability.

<HUAWEI> system-view[HUAWEI] sysname PE2[PE2] ipv6

# Configure an IPv6 address for POS 1/0/0 on PE1 and an IP address for loopback0.

[PE1] interface pos 1/0/0[PE1-Pos1/0/0] ipv6 enable[PE1-Pos1/0/0] ipv6 address 3000:435::1 64[PE1-Pos1/0/0] undo shutdown[PE1-Pos1/0/0] quit[PE1] interface loopback 0




Issue 01 (2011-05-30)

[PE1-LoopBack0] ip address 1.1.1.9 255.255.255.255[PE1-LoopBack0] quit

# Configure an IPv6 address for POS 1/0/0 on PE2 and an IP address for loopback0.

[PE2] interface pos 1/0/0[PE2-Pos1/0/0] ipv6 enable[PE2-Pos1/0/0] ipv6 address 3000:1065::1 64[PE2-Pos1/0/0] undo shutdown[PE2-Pos1/0/0] quit[PE2] interface loopback 0[PE2-LoopBack0] ip address 2.2.2.9 255.255.255.255[PE2-LoopBack0] quit

Step 2 Configure 6PE and enable MPLS capability.

# Configure an IP address for POS 2/0/0 on PE1 and enable MPLS and LDP on it.

[PE1] mpls lsr-id 1.1.1.9[PE1] mplsMpls starting, please wait... OK![PE1-mpls] quit[PE1] mpls ldp[PE1-mpls-ldp] quit[PE1] interface pos 2/0/0[PE1-Pos2/0/0] ip address 4.3.5.1 255.255.255.0[PE1-Pos2/0/0] mpls[PE1-Pos2/0/0] mpls ldp[PE1-Pos2/0/0] undo shutdown[PE1-Pos2/0/0] quit

# Configure an IP address for POS 2/0/0 on PE2 and enable MPLS and LDP on it.

[PE2] mpls lsr-id 2.2.2.9[PE2] mplsMpls starting, please wait... OK![PE2-mpls] quit[PE2] mpls ldp[PE2-mpls-ldp] quit[PE2] interface pos 2/0/0[PE2-Pos2/0/0] ip address 4.3.5.2 255.255.255.0[PE2-Pos2/0/0] mpls[PE2-Pos2/0/0] mpls ldp[PE2-Pos2/0/0] undo shutdown[PE2-Pos2/0/0] quit

# Configure OSPF on PE1 and trigger the setup of LSPs.

[PE1] ospf[PE1-ospf-1] area 0[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0[PE1-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255[PE1-ospf-1-area-0.0.0.0] quit[PE1-ospf-1] quit

# Configure OSPF on PE2 and trigger the setup of LSPs.

[PE2] ospf[PE2-ospf-1] area 0[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0[PE2-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255[PE2-ospf-1-area-0.0.0.0] quit[PE2-ospf-1] quit

Step 3 Configure the 6PE peer.

# Configure IBGP on PE1 and enable 6PE capability on the peer and import IPv6 direct routesand static routes from each other.

[PE1] bgp 65100



11-47

[PE1-bgp] peer 2.2.2.9 as-number 65100[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0[PE1-bgp] ipv6-family[PE1-bgp-af-ipv6] import-route direct[PE1-bgp-af-ipv6] import-route static[PE1-bgp-af-ipv6] peer 2.2.2.9 enable[PE1-bgp-af-ipv6] peer 2.2.2.9 label-route-capability[PE1-bgp-af-ipv6] quit[PE1-bgp] quit

# Configure IBGP on PE2 and enable 6PE capability on the peer and import IPv6 direct routesand static routes from each other.[PE2] bgp 65100[PE2-bgp] peer 1.1.1.9 as-number 65100[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0[PE2-bgp] ipv6-family[PE2-bgp-af-ipv6] import-route direct[PE2-bgp-af-ipv6] import-route static[PE2-bgp-af-ipv6] peer 1.1.1.9 enable[PE2-bgp-af-ipv6] peer 1.1.1.9 label-route-capability[PE2-bgp-af-ipv6] quit[PE2-bgp] quit

Step 4 Configure an IPv6 address for the interface and a static route on CE.

# Configure CE1 and set up an IPv6 connection between CE1 and PE1.<HUAWEI> system-view[HUAWEI] sysname CE1[CE1] ipv6[CE1] interface pos 1/0/0[CE1-Pos1/0/0] ipv6 enable[CE1-Pos1/0/0] ipv6 address 3000:435::2 64[CE1-Pos1/0/0] undo shutdown[CE1-Pos1/0/0] quit[CE1] ipv6 route-static :: 0 pos 1/0/0

# Configure CE2 and set up an IPv6 connection between CE2 and PE2.<HUAWEI> system-view[HUAWEI] sysname CE2[CE2] ipv6[CE2] interface pos 1/0/0[CE2-Pos1/0/0] ipv6 enable[CE2-Pos1/0/0] ipv6 address 3000:1065::2 64[CE2-Pos1/0/0] undo shutdown[CE2-Pos1/0/0] quit[CE2] ipv6 route-static :: 0 pos 1/0/0


# Display the LSP information on PE1.[PE1] display mpls lsp----------------------------------------------------------- LSP Information: LDP LSP-----------------------------------------------------------FEC In/Out Label In/Out IF Vrf Name2.2.2.9/32 NULL/3 -/Pos2/0/02.2.2.9/32 3/NULL -/------------------------------------------------------------ LSP Information: BGP IPV6 LSP----------------------------------------------------------- FEC : 3000:435::/64 In Label : 109568 Out Label : ----- In Interface : ----- OutInterface : ----- Vrf Name :

# Display the IPv6 routing information on PE1.




Issue 01 (2011-05-30)

[PE1] display bgp ipv6 routing-table

Total Number of Routes: 5

BGP Local router ID is 1.1.1.9 Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete

*> Network : ::1 PrefixLen : 128 NextHop : :: LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : ?

*> Network : 3000:435:: PrefixLen : 64 NextHop : :: LocPrf : MED : 0 PrefVal : 0 Label : NULL/109568 Path/Ogn : ?

*> Network : 3000:435::1 PrefixLen : 128 NextHop : :: LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : ?

*>i Network : 3000:1065:: PrefixLen : 64 NextHop : ::FFFF:2.2.2.9 LocPrf : 100 MED : 0 PrefVal : 0 Label : 109568/NULL Path/Ogn : ?

*> Network : FE80:: PrefixLen : 10 NextHop : :: LocPrf : MED : 0 PrefVal : 0 Label : Path/Ogn : ?

# CE1 can ping through the IPv6 address of CE2.

[CE1] ping ipv6 3000:1065::2PING 3000:1065::2 : 56 data bytes, press CTRL_C to break Reply from 3000:1065::2 bytes=56 Sequence=1 hop limit=63 time = 50 ms Reply from 3000:1065::2 bytes=56 Sequence=2 hop limit=63 time = 1 ms Reply from 3000:1065::2 bytes=56 Sequence=3 hop limit=63 time = 1 ms Reply from 3000:1065::2 bytes=56 Sequence=4 hop limit=63 time = 1 ms Reply from 3000:1065::2 bytes=56 Sequence=5 hop limit=63 time = 1 ms

--- 3000:1065::2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/10/50 ms

----End

Configuration Filesl Configuration file of PE1

# sysname PE1#



11-49

ipv6#mpls lsr-id 1.1.1.9 mpls#mpls ldp#interface Pos1/0/0 link-protocol ppp undo shutdown ipv6 enable ipv6 address 3000:435::1#interface Pos2/0/0 link-protocol ppp undo shutdown ip address 4.3.5.1 255.255.255.0 mpls mpls ldp#interface LoopBack0 ip address 1.1.1.9 255.255.255.255#bgp 65100 peer 2.2.2.9 as-number 65100 peer 2.2.2.9 connect-interface LoopBack0 # ipv4-family unicast undo synchronization peer 2.2.2.9 enable # ipv6-family undo synchronization import-route direct import-route static peer 2.2.2.9 enable peer 2.2.2.9 label-route-capability#ospf 1 area 0.0.0.0 network 1.1.1.9 0.0.0.0 network 4.3.5.0 0.0.0.255#return

l Configuration file of PE2# sysname PE2# ipv6#mpls lsr-id 2.2.2.9 mpls#mpls ldp#interface Pos1/0/0 link-protocol ppp undo shutdown ipv6 enable ipv6 address 3000:1065::1#interface Pos2/0/0 link-protocol ppp undo shutdown ip address 4.3.5.2 255.255.255.0 mpls mpls ldp#interface LoopBack0




Issue 01 (2011-05-30)

ip address 2.2.2.9 255.255.255.255#bgp 65100 peer 1.1.1.9 as-number 65100 peer 1.1.1.9 connect-interface LoopBack0 # ipv4-family unicast undo synchronization peer 1.1.1.9 enable # ipv6-family undo synchronization import-route direct import-route static peer 1.1.1.9 enable peer 1.1.1.9 label-route-capability#ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 4.3.5.0 0.0.0.255#return

l Configuration file of CE1# sysname CE1# ipv6#interface Pos1/0/0 link-protocol ppp undo shutdown ipv6 enable ipv6 address 3000:435::2#ipv6 route-static :: 0 Pos1/0/0#return

l Configuration file of CE2# sysname CE2# ipv6#interface Pos1/0/0 link-protocol ppp undo shutdown ipv6 enable ipv6 address 3000:1065::2#ipv6 route-static :: 0 Pos1/0/0#return



11-51

12 IPv4 over IPv6 Tunnel Configuration

About This Chapter

The IPv4 over IPv6 tunnel technology is used to interconnect isolated IPv4 networks during thetransition from IPv4 Internet into the IPv6 Internet.

ContextNOTE

IPv4 over IPv6 Tunnel cannot be configured on the X1 and X2 models of the CX600.

12.1 IPv4 over IPv6 Tunnel OverviewThe principle of the IPv4 over IPv6 tunnel technology is that IPv4 packets are encapsulated intoIPv6 packets at the ingress of the tunnel.

12.2 Configuring an IPv4 over IPv6 TunnelThis configuration task enables transmission of an IPv4 packet added with an IPv6 header onthe device configured with the IPv4/IPv6 dual stack.





12-1

12.1 IPv4 over IPv6 Tunnel OverviewThe principle of the IPv4 over IPv6 tunnel technology is that IPv4 packets are encapsulated intoIPv6 packets at the ingress of the tunnel.

12.1.1 Introduction to IPv4 over IPv6You can create tunnels on the IPv6 networks to connect IPv4 isolated sites so that IPv4 isolatedsites can access other IPv4 networks through the IPv6 Internet.

12.1.2 IPv4 over IPv6 Supported by the CX600This section describes how to interconnect IPv4 networks through IPv6 networks.

12.1.1 Introduction to IPv4 over IPv6You can create tunnels on the IPv6 networks to connect IPv4 isolated sites so that IPv4 isolatedsites can access other IPv4 networks through the IPv6 Internet.

During the transition from the IPv4 Internet to the IPv6 Internet, IPv6 networks have been widelydeployed, whereas IPv4 networks are isolated. The tunnel technology can be adopted to establishtunnels over IPv6 networks to connect isolated IPv4 networks. This is similar to the situationwhere the tunnel technology is used to deploy VPNs on IP networks. The tunnel used to connectisolated IPv4 networks over IPv6 networks is called an IPv4 over IPv6 tunnel.

12.1.2 IPv4 over IPv6 Supported by the CX600This section describes how to interconnect IPv4 networks through IPv6 networks.

The CX600 supports the enabling of IPv4 and IPv6 protocol stacks on the devices at the borderof IPv6 and IPv4 networks.

Figure 12-1 Networking diagram of an IPv4 over IPv6 tunnel

IPv4Host

IPv4network IPv6

network

IPv4network

Dual StackCX600

Dual StackCX600

IPv4HostIPv4 over IPv6 Tunnel

IPv4Payload

IPv6Header

IPv4Header

IPv4Payload

IPv4Header

IPv4Payload

IPv4Header




Issue 01 (2011-05-30)

Figure 12-1 shows the principles of the IPv4 over IPv6 tunnel technology.

1. Enabling IPv4/IPv6 dual stacksEnable IPv4 and IPv6 protocol stacks on the border device.

2. Encapsulating IPv6 packetsAfter receiving a packet from the IPv4 network, the border device takes the received IPv4packet as the payload, adds an IPv6 packet header before the payload, and encapsulates itinto an IPv6 packet if the device finds that the destination of the packet is not itself.

3. Transmitting the encapsulated packetIn the IPv6 network, the encapsulated packet is transmitted to the peer border device.

4. Decapsulating the packetThe peer border device decapsulates the packet, removes the IPv6 packet header, andforwards the decapsulated IPv4 packet to the remote IPv4 network.

12.2 Configuring an IPv4 over IPv6 TunnelThis configuration task enables transmission of an IPv4 packet added with an IPv6 header onthe device configured with the IPv4/IPv6 dual stack.


12.2.2 Configuring a Tunnel InterfaceTo configure a tunnel interface, you need to configure the source and destination addresses ofthe tunnel.

12.2.3 Configuring Routes in the TunnelPackets can be normally forwarded only when routes exist on both the source device anddestination device of the tunnel. Do as follows on the devices on both ends of the tunnel.

12.2.4 Configuring Other Items for an IPv4 over IPv6 TunnelThe other configurations of an IPv4 over IPv6 tunnel include the number of times that IPv6encapsulation is performed for an IPv4 packet, traffic flag, maximum hops, and traffic class. Doas follows on the devices on both ends of the tunnel.



Applicable EnvironmentTo implement communication between IPv4 networks over the IPv6 network, configure an IPv4over IPv6 tunnel on the border device of IPv4 and IPv6 networks.

Pre-configuration TasksBefore configuring an IPv4 over IPv6 tunnel, complete the following tasks:



12-3

l Implementing the IP connectivity between the source and destination interfacesl Configuring IPv4 and IPv6 protocol stacks

Data PreparationTo configure an IPv4 over IPv6 tunnel, you need the following data.

No. Data

1 Number of the tunnel interface

2 Source IPv6 address or source interface of the tunnel interface

3 Destination IPv6 address of the tunnel interface

4 IPv4 address of the tunnel interface or the interface from which the IPv4 address isborrowed

12.2.2 Configuring a Tunnel InterfaceTo configure a tunnel interface, you need to configure the source and destination addresses ofthe tunnel.

Procedure

Step 1 Run:set board-type slot slot slot-id tunnel

The service mode of the SPUC is set to Tunnel.




The tunnel interface is created and the tunnel interface view is displayed.

The slot number of the created tunnel interface must be the same as that of the SPUC. Forinstance, when the SPUC is inserted in slot 2, the slot number of the tunnel interface must be 2.

Step 4 Run:tunnel-protocol ipv4-ipv6

The tunnel is specified as an IPv4 over IPv6 tunnel.

When you configure an IPv4 over IPv6 GRE tunnel, you must run the target-board slot-number command on the loopback interface to bind the SPUC to 4 over 6 protocol.

Step 5 Run:source { source-ip-address | interface-type interface-number }

The source IPv6 address or source interface of the tunnel interface is specified.




Issue 01 (2011-05-30)

The source address specified by sourceip-address must be the IPv6 address of the loopbackinterface bound to the SPUC through the target-board command; the source interface specifiedby sourceinterface-type must be the loopback interface bound to the SPUC through the target-board command.

Step 6 Run:destination ip-address

The destination IPv6 address of the Tunnel interface is configured.

Step 7 Run one of the following commands to specify the IP address of the tunnel interface:

l Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IPv4address of the tunnel interface.

l Run the ip address unnumbered interface interface-type interface-number command toconfigure the tunnel interface to borrow an IPv4 address.

----End

12.2.3 Configuring Routes in the TunnelPackets can be normally forwarded only when routes exist on both the source device anddestination device of the tunnel. Do as follows on the devices on both ends of the tunnel.

Procedure



Step 2 Choose one of the following methods to configure the route with the outgoing interface as thetunnel interface:

l Run the ip route-static ip-address { mask | mask-length } tunnel interface-number commandto configure static routes. When configuring the static routes, you must configure the bothends of the tunnel. Note that the destination address is the destination IPv4 address of thepacket to be encapsulated with the IPv4 over IPv6 tunnel; the next hop is the local tunnelinterface.

l Configure dynamic routes. You can use the Border Gateway Protocol (BGP) or the InteriorGateway Protocol (IGP), excluding Intermediate System-to-Intermediate System (IS-IS).Detailed configurations are not mentioned here.

When configuring a dynamic routing protocol, you must enable it on the tunnel interface andthe interface on the link through which the IPv4 network is connected to the IPv6 network.

----End

12.2.4 Configuring Other Items for an IPv4 over IPv6 TunnelThe other configurations of an IPv4 over IPv6 tunnel include the number of times that IPv6encapsulation is performed for an IPv4 packet, traffic flag, maximum hops, and traffic class. Doas follows on the devices on both ends of the tunnel.



12-5

Procedure




The tunnel interface view is displayed.

Step 3 Run:tunnel ipv4-ipv6 flow-label label-value

The flow label value is set.

By default, the flow label value is 0.

Step 4 Run:tunnel ipv4-ipv6 hop-limit hop-limit

The hop limit is set.

By default, the hop limit is set to 64.

Step 5 Run:tunnel ipv4-ipv6 traffic-class { original | class-value }

The traffic level is set.

By default, the traffic level is 0.

----End


PrerequisiteThe configurations of the IPv4 over IPv6 Tunnel function are complete.

Procedurel Run the display device slot-id command to check whether the service mode of the SPUC

is Tunnel.l Run the display interface tunnel [ interface-number ] command to check the working

status of the tunnel interface.l Run the display ip routing-table command to check the routing table.

----End

ExampleIf the service mode of the SPUC is Tunnel, run the display device 3 command, and you canview that the type of the SPUC on the CX device is displayed as General.

<HUAWEI> display device 3




Issue 01 (2011-05-30)

SPU3's detail information:- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Description: Line Processing Unit - General Board status: Normal Register: Registered Uptime: 2009/02/26 18:33:23 CPU Utilization(%): 3% Mem Usage(%): 19%Clock information: State item State Current syn-clock: 17 Current line-clock: 23 Syn-clock state: Locked VCXO_OK REF_OK Syn-clock 17 state: Actived Syn-clock 18 state: Inactived Line-clock 23 state: Inactived Line-clock 24 state: InactivedStatistic information: Statistic item Statistic number SERDES interface link lost: 0 Mpu switchs: 0 Syn-clock switchs: 0- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Run the display interface tunnel command. If the status of the tunnel interface is Up, it meansthat the configuration succeeds. For example:

<HUAWEI> display interface tunnel 2/0/0Tunnel2/0/0 current state : UPLine protocol current state : UPLast line protocol up time : 2010-06-22, 19:33:19Description : Tunnel2/0/0 Interface, Route PortRoute Port,The Maximum Transmit Unit is 1452 bytesInternet Address is 10.1.1.1/30Encapsulation is TUNNEL6, loopback not setTunnel protocol/transport (IPv6 or IPV4) over IPv6Tunnel Source 2001::1 (Pos2/0/0)Tunnel Destination 2002::2Tunnel Encapsulation limit 4Tunnel Traffic class not setTunnel Flow label not setTunnel Hop limit 64Current system time: 2010-06-29 20:26:18 5 minutes input rate 10 bits/sec, 0 packets/sec 5 minutes output rate 14 bits/sec, 0 packets/sec 493 packets input, 38480 bytes 0 input error 447 packets output, 53144 bytes 0 output error

Run the display ip routing-table command. If the route with the outgoing interface as the tunnelinterface is displayed in the IPv4 routing table, it means that the configuration succeeds. Forexample:

<HUAWEI> display ip routing-tableRouting Tables: Public Destinations : 11 Routes : 11Destination/Mask Proto Pre Cost NextHop Interface 10.1.1.0/24 Direct 0 0 10.1.1.2 GigabitEthernet2/0/0 10.1.1.2/32 Direct 0 0 127.0.0.1 InLoopBack0 10.2.1.0/24 Static 60 0 40.1.1.1 Tunnel2/0/0 20.1.1.0/24 Direct 0 0 20.1.1.1 Pos2/0/0 20.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0 20.1.1.2/32 Direct 0 0 20.1.1.2 Pos1/0/0 30.1.1.0/24 OSPF 10 3124 20.1.1.2 Pos1/0/0 40.1.1.0/24 Direct 0 0 40.1.1.1 Tunnel2/0/0 40.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0 127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0



12-7

Run the ping -a source-ipv4-address dest-ipv4-address command. The local tunnel interfacecan ping through the destination tunnel interface.


12.3.1 Monitoring the Operation Status of IPv4 over IPv6 TunnelThis section describes how to monitor an IPv4 over IPv6 tunnel.

12.3.1 Monitoring the Operation Status of IPv4 over IPv6 TunnelThis section describes how to monitor an IPv4 over IPv6 tunnel.

ContextIn routine maintenance, you can run the following command in any view to check the operationof IPv4 over IPv6 tunnel.

Procedurel Run the display interface tunnel [ interface-number ] command in any view to check the

operation status of the tunnel interface.l Run the display interface tunnel interface-number command in any view to check the

IPv4 attributes of the tunnel interface.

----End


12.4.1 Example for Configuring an IPv4 over IPv6 Tunnel

12.4.1 Example for Configuring an IPv4 over IPv6 Tunnel




Issue 01 (2011-05-30)


Figure 12-2 Networking diagram of an IPv4 over IPv6 tunnel

IPv6 networkIPv4

network

IPv4 network

CX-1

CX-5

CX-2 CX-3 CX-4

POS1/0/010.1.2.2/30

POS1/0/010.1.2.1/30

POS2/0/010.1.3.1/30

POS1/0/010.1.3.2/30

POS2/0/02001::1/64

POS1/0/02001::2/64

POS1/0/02002::2/64

POS2/0/02002::1/64

As shown in Figure 12-2, two IPv4 networks are connected to an IPv6 network through CX-1and CX-5, respectively. Border devices CX-2 and CX-4 of the IPv6 network support IPv4 andIPv6 dual stacks. To enable communications between the two IPv4 networks, configure an IPv4over IPv6 tunnel between CX-2 and CX-4.

NOTE

l An IPv4 over IPv6 tunnel does not support IS-IS.

l When configuring an IPv4 over IPv6 tunnel, you must set the service mode of the SPUC to Tunnel. Inaddition, you must bind the SPUC to the tunnel.


1. Configure an IPv4 over IPv6 tunnel on the border devices at both ends of the IPv6 network.2. Use a dynamic routing protocol to configure the route with the outgoing interface as the

tunnel interface.


l Routing protocols applied to the IPv6 and IPv4 networksl Source and destination IPv6 addresses of the tunnell IPv4 address of the tunnel interface



12-9

Procedure

Step 1 Configure the IPv6 address of the physical interface and IS-ISv6 of the IPv6 network toimplement the connectivity of the IPv6 network.

# Configure CX-2.

<HUAWEI> system-view[HUAWEI] sysname CX-2[CX-2] ipv6[CX-2] interface pos 2/0/0[CX-2-Pos2/0/0] ipv6 enable[CX-2-Pos2/0/0] ipv6 address 2001::1 64[CX-2-Pos2/0/0] undo shutdown[CX-2-Pos2/0/0] quit[CX-2] isis 1[CX-2-isis-1] network-entity 10.0000.0000.0001.00[CX-2-isis-1] ipv6 enable topology standard[CX-2-isis-1] quit[CX-2] interface pos 2/0/0[CX-2-Pos2/0/0] isis ipv6 enable 1[CX-2-Pos2/0/0] quit

# Create a loopback interface, assign an IPv6 address to it, and enable IS-ISv6.

[CX-2] interface Loopback 1[CX-2-LoopBack1] ipv6 enable[CX-2-LoopBack1] ipv6 address 2::2 64[CX-2-LoopBack1] isis ipv6 enable 1[CX-2-LoopBack1] quit

# Configure CX-3.

<HUAWEI> system-view[HUAWEI] sysname CX-3[CX-3] ipv6[CX-3] interface pos 1/0/0[CX-3-Pos1/0/0] ipv6 enable[CX-3-Pos1/0/0] ipv6 address 2001::2 64[CX-3-Pos1/0/0] undo shutdown[CX-3-Pos1/0/0] quit[CX-3] interface pos 2/0/0[CX-3-Pos2/0/0] ipv6 enable[CX-3-Pos2/0/0] ipv6 address 2002::1 64[CX-3-Pos2/0/0] undo shutdown[CX-3-Pos2/0/0] quit[CX-3] isis 1[CX-3-isis-1] network-entity 10.0000.0000.0002.00[CX-3-isis-1] ipv6 enable topology standard[CX-3-isis-1] quit[CX-3] interface pos 1/0/0[CX-3-Pos1/0/0] isis ipv6 enable 1[CX-3-Pos1/0/0] quit[CX-3] interface pos 2/0/0[CX-3-Pos2/0/0] isis ipv6 enable 1[CX-3-Pos2/0/0] quit

# Configure CX-4.

<HUAWEI> system-view[HUAWEI] sysname CX-4[CX-4] ipv6[CX-4] interface pos 1/0/0[CX-4-Pos1/0/0] ipv6 enable[CX-4-Pos1/0/0] ipv6 address 2002::2 64[CX-4-Pos1/0/0] undo shutdown[CX-4-Pos1/0/0] quit[CX-4] isis 1[CX-4-isis-1] network-entity 10.0000.0000.0003.00




Issue 01 (2011-05-30)

[CX-4-isis-1] ipv6 enable topology standard[CX-4-isis-1] quit[CX-4] interface pos 1/0/0[CX-4-Pos1/0/0] isis ipv6 enable 1[CX-4-Pos1/0/0] quit

# Create a loopback interface, assign an IPv6 address to it, and enable IS-ISv6.

[CX-4] interface Loopback 1[CX-4-LoopBack1] ipv6 enable[CX-4-LoopBack1] ipv6 address 4::4 64[CX-4-LoopBack1] isis ipv6 enable 1[CX-4-LoopBack1] quit

Step 2 Configure the IPv4 address and OSPF of the physical interfaces for the IPv4 networks toimplement the connectivity of the IPv4 networks.

# Configure CX-1.

<HUAWEI> system-view[HUAWEI] sysname CX-1[CX-1] interface pos 1/0/0[CX-1-Pos1/0/0] ip address 10.1.2.2 30[CX-1-Pos1/0/0] undo shutdown[CX-1-Pos1/0/0] quit[CX-1] ospf 1[CX-1-ospf-1] area 0[CX-1-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure CX-2.

<CX-2> system-view[CX-2] interface pos 1/0/0[CX-2-Pos1/0/0] ip address 10.1.2.1 30[CX-2-Pos1/0/0] undo shutdown[CX-2-Pos1/0/0] quit[CX-2] ospf 1[CX-2-ospf-1] area 0[CX-2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure CX-4.

<CX-4> system-view[CX-4] interface pos 1/0/0[CX-4-Pos1/0/0] ip address 10.1.3.1 30[CX-4-Pos1/0/0] quit[CX-4] ospf 1[CX-4-ospf-1] area 0[CX-4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

# Configure CX-5.

<HUAWEI> system-view[HUAWEI] sysname CX-5[CX-5] interface pos 1/0/0[CX-5-Pos1/0/0] ip address 10.1.3.2 30[CX-5-Pos1/0/0] undo shutdown[CX-5-Pos1/0/0] quit[CX-5] ospf 1[CX-5-ospf-1] area 0[CX-5-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

Step 3 Configure the tunnel interface.

# Create a tunnel interface and configure the IPv4 address, source IPv6 address (or sourceinterface), and destination IPv6 address of the tunnel interface. Bind the SPUC to the tunnel.



12-11


# Configure CX-2.

<CX-2> set board-type slot 6 tunnel<CX-2> system-view[CX-2] interface Loopback 1[CX-2-LoopBack1] target-board 6[CX-2-LoopBack1] binding tunnel ipv4-ipv6[CX-2-LoopBack1] quit[CX-2] interface tunnel 6/0/0[CX-2-Tunnel6/0/0] tunnel-protocol ipv4-ipv6[CX-2-Tunnel6/0/0] ip address 10.1.1.1 30[CX-2-Tunnel6/0/0] source loopback1[CX-2-Tunnel6/0/0] destination 4::4

# Configure CX-4.

<CX-4> set board-type slot 6 tunnel<CX-4> system-view[CX-4] interface Loopback 1[CX-4-LoopBack1] target-board 6[CX-4-LoopBack1] binding tunnel ipv4-ipv6[CX-4-LoopBack1] quit[CX-4] interface tunnel 6/0/0[CX-4-Tunnel6/0/0] tunnel-protocol ipv4-ipv6[CX-4-Tunnel6/0/0] ip address 10.1.1.2 30[CX-4-Tunnel6/0/0] source loopback1[CX-4-Tunnel6/0/0] destination 2::2

Step 4 Configure the route with the outgoing interface as the tunnel interface.

# Configure CX-2.

<CX-2> system-view[CX-2] ospf 1[CX-2-ospf-1] area 0[CX-2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3[CX-2-ospf-1-area-0.0.0.0] quit[CX-2-ospf-1] quit

# Configure CX-4.

<CX-4> system-view[CX-4] ospf 1[CX-4-ospf-1] area 0[CX-4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3


After the configuration is completed, view the tunnel interface on CX-2 and CX-4. You canview that the protocol status of the tunnel interface is Up.

[CX-2] display interface tunnel 6/0/0Tunnel6/0/0 current state : UPLine protocol current state : UPLast up time: 2007-11-16, 12:26:17Description : Tunnel2/0/0 Interface, Route PortThe Maximum Transmit Unit is 1452 bytesInternet Address is 10.1.1.1/30Encapsulation is TUNNEL6, loopback not setTunnel protocol/transport (IPv6 or IPV4) over IPv6Tunnel Source 2001::1 (Pos2/0/0)Tunnel Destination 2002::2Tunnel Encapsulation limit 4Tunnel Traffic class not set




Issue 01 (2011-05-30)

Tunnel Flow label not setTunnel Hop limit 64 5 minutes input rate 10 bits/sec, 0 packets/sec 5 minutes output rate 14 bits/sec, 0 packets/sec 493 packets input, 38480 bytes 0 input error 447 packets output, 53144 bytes 0 output error

On CX-2 and CX-4, view the IPv4 routing table. You can view that the outgoing interfaces tothe remote IPv4 network are tunnel interfaces.

[CX-2] display ip routing-tableRouting Tables: Public Destinations : 9 Routes : 9Destination/Mask Proto Pre Cost NextHop Interface 1.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0 10.1.1.0/30 Direct 0 0 10.1.1.1 Tunnel2/0/0 10.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0 10.1.2.0/30 Direct 0 0 10.1.2.1 Pos1/0/0 10.1.2.1/32 Direct 0 0 127.0.0.1 InLoopBack0 10.1.2.2/32 Direct 0 0 10.1.2.2 Pos1/0/0 10.1.3.0/24 OSPF 10 2 10.1.1.2 Tunnel2/0/0 127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0

CX-1 and CX-5 can ping through each other.

----End

Configuration Filesl Configuration file of CX-1

# sysname CX-1#interface Pos1/0/0 link-protocol ppp undo shutdown ip address 10.1.2.2 255.255.255.252#ospf 1 area 0.0.0.0 network 10.1.2.0 0.0.0.3#return

l Configuration file of CX-2# sysname CX-2# ipv6#isis 1 network-entity 10.0000.0000.0001.00 # ipv6 enable topology standard#interface Pos1/0/0 link-protocol ppp ip address 10.1.2.1 255.255.255.252#interface Pos2/0/0 link-protocol ppp ipv6 enable ipv6 address 2001::1/64isis ipv6 enable 1#



12-13

interface LoopBack1 ipv6 enable ipv6 address 2::2 64 isis ipv6 enable 1 target-board 6binding tunnel ipv4-ipv6#interface Tunnel6/0/0 ip address 10.1.1.1 255.255.255.252 tunnel-protocol ipv4-ipv6 source loopback 1 destination 4::4#ospf 1 area 0.0.0.0 network 10.1.2.0 0.0.0.3 network 10.1.1.0 0.0.0.3#return

l Configuration file of CX-3# sysname CX-3# ipv6#isis 1 network-entity 10.0000.0000.0002.00 # ipv6 enable topology standard#interface Pos1/0/0 link-protocol ppp undo shutdown ivp6 enable ipv6 address 2001::2/64 isis ipv6 enable 1#interface Pos2/0/0 link-protocol ppp undo shutdown ipv6 enable ipv6 address 2002::1/64 isis ipv6 enable 1#return

l Configuration file of CX-4# sysname CX-4# ipv6#isis 1 network-entity 10.0000.0000.0003.00 # ipv6 enable topology standard ##interface Pos1/0/0 link-protocol pppipv6 enable ipv6 address 2002::2/64 isis ipv6 enable 1#interface Pos2/0/0 link-protocol ppp ip address 10.1.3.1 255.255.255.252#interface LoopBack1




Issue 01 (2011-05-30)

ipv6 enable ipv6 address 4::4 64 isis ipv6 enable 1 target-board 6 binding tunnel ipv4-ipv6#interface Tunnel6/0/0 ip address 10.1.1.2 255.255.255.252 tunnel-protocol ipv4-ipv6 source loopback 1 destination 2::2#ospf 1 area 0.0.0.0 network 10.1.1.0 0.0.0.3 network 10.1.3.0 0.0.0.3#return

l Configuration file of CX-5# sysname CX-1#interface Pos1/0/0 link-protocol ppp undo shutdown ip address 10.1.3.2 255.255.255.252#ospf 1 area 0.0.0.0 network 10.1.3.0 0.0.0.3#return



12-15

A Glossary

This appendix collates frequently used glossaries in this document.

A

Access Control List A list composed of multiple sequential permit/deny statements.In firewall, after ACL is applied to an interface on the device, thedevice decides which packet can be forwarded and which packetshould be denied. In QoS, ACL is used to classify traffic.

Acknowledge To confirm an action. The acknowledgement (ACK) message issent from one device to another.

Address ResolutionProtocol

A protocol used to map an IP Address to a MAC address, asdefined in RFC 826.

ATM An asynchronous Transfer Mode. It is a data transmissiontechnology in which data (files, voice and video) is transferred incells with a fixed length (53 Bytes). The fixed length makes thecell be processed by the hardware. The object of ATM is to makegood use of high-speed transmission medium such as E3, SONETand T3.

B

Broadcast To send packets to all ports of the nodes in the network.

D

Domain name A name composed of numbers or characters. Each domain namecorresponds to an IP address.

Dotted decimal notation A format of IP address. IP addresses in this format are separatedinto four parts by a dot "." with each part is in the decimal numeral.

E

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services A Glossary


A-1

Ethernet A technology complemented in LAN. It adopts Carrier SenseMultiple Access/Collision Detection. The speed of an Ethernetinterface can be 10 Mbit/s, 100 Mbit/s, 1000 Mbit/s or 10000Mbit/s. The Ethernet network features high reliability and easymaintaining..

F

File Transfer Protocol An application layer protocol based on TCP/IP. It is used totransfer large amounts of data reliably between the user and theremote host. FTP is implemented based on corresponding filesystem.

I

IPv6 A update version of IPv4. It is also called IP Next Generation(IPng). The specifications and standardizations provided by it areconsistent with the Internet Engineering Task Force(IETF).Internet Protocol Version 6 (IPv6) is also called. It is anew version of the Internet Protocol, designed as the successor toIPv4. The specifications and standardizations provided by it areconsistent with the Internet Engineering Task Force (IETF).Thedifference between IPv6 and IPv4 is that an IPv4 address has 32bits while an IPv6 address has 128 bits.

L

Local Area Network A network intended to serve a small geographic area, (few squarekilometers or less), a single office or building, or a small definedgroup of users. It features high speed and little errors. Ethernet,FDDI and Toke Ring are three technologies implemented in LAN.

M

MAC address A link layer address or physical address. It is six bytes long.

MTU A maximum size of packets that an interface can process. It is inbytes

N

Neighbor Discovery A process to discover neighboring modes.

P

Ping To test the reachablitly of a device in the network through ICMPEcho message.

A GlossaryHUAWEI CX600 Metro Services Platform


A-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

Policy-based Routing A routing mechanism based on user-defined policies. It canimplement secure communication and load balancing.

PPP A serial point to point link used for special transmission betweentwo devices.

R

Router A device running on the network layer. After receiving a packet,the device searches the routing table for a proper route and sendsthe packet to the next hop. The last hop device sends the packetto the host directly.

T

Telnet An application layer protocol based on TCP/IP. It implementsremote login and virtual terminal. It

Time Range A special time period.

Traffic A group of packets sent from the source to the destination andmatching certain classification.

Tunnel In VPN, it is a transport tunnel set up between two entities toprevent interior users from interrupting and ensure security.

U

Unicast To send packets to one destination network.

V

VPN Virtual Private Network (VPN). It implements an apparent singleprivate network (as seen by the user), over a number of separatepublic and private networks. Virtual indicates that this kind ofnetwork is a logical network.

VRP Versatile Routing Platform. It is a versatile operating systemplatform developed by Huawei.

W

Wide Area Network A network that covers a large geographic area, such as a countryor a state. Devices in this network are connected through certainprotocol or physical links.

X

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services A Glossary


A-3

X.25 A data link layer protocol. It defines the communication in thePublic Data Network (PDN) between a host and a remoteterminal.

A GlossaryHUAWEI CX600 Metro Services Platform


A-4 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

B Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

A

AAA Authentication, Authorization and Accounting

ACK Acknowledgement

ASCII American Standard Code for Information Interchange

ATM Asynchronous Transfer Mode

B

BGP Border Gateway Protocol

C

CIDR Classless Inter-Domain Routing

D

DHCP Dynamic Host Configuration Protocol

DLCI Data Link Control Identifier

DNS Domain Name System

DOS Denial of Service

DAD Duplicate Address Detect

E

EBGP External BGP

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services B Acronyms and Abbreviations


B-1

F

FEC Forward Error Correction

FIB Forward Information Base

G

GRE Generic Routing Encapsulation

H

HDLC High level Data Link Control

HTTP Hyper Text Transport Protocol

I

IBGP Internal BGP

ICMP Internet Control Message Protocol

IEEE Institute of Electrical and Electronics Engineers

IETF Internet Engineering Task Force

IGP Interior Gateway Protocol

IP Internet Protocol

IPoEoA IP over Ethernet over AAL5

IPSec Internet Protocol SECurity extensions

IS-IS Intermediate System-Intermediate System

ISP Internet Service Provider

L

LDP Label Distribution Protocol

LSP Label Switch Path

M

MAC Medium Access Control

MED Multi-Exit discrimination

MPLS Multi-Protocol Label Switching

N

B Acronyms and AbbreviationsHUAWEI CX600 Metro Services Platform


B-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)

NAT Network Address Translation

NAT-PT Network Address Translation - Protocol Translation

NIC Network Information Center

O

OSPF Open Shortest Path First

P

PC Personal Computer

PE Provider Edge

POS Packet Over SDH/SONET

PPP Point-to-Point Protocol

PVC Permanent Virtual Circuit

Q

QoS Quality of Service

R

RIP Routing Information Protocol

RPR Resilient Packet Ring

S

SLIP Serial Line Internet Protocol

SNMP Simple Network Management Protocol

SVC Switched Virtual Channel

T

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

TOS Type of Service

TTL Time To Live

HUAWEI CX600 Metro Services PlatformConfiguration Guide - IP Services B Acronyms and Abbreviations


B-3

U

UDP User Datagram Protocol

URPF Unicast Reverse Path Forwarding

V

VLAN Virtual Local Area Network

VPN Virtual Private Network

VRP Versatile Routing Platform

VRRP Virtual Router Redundancy Protocol

VT Virtual-Template

W

WINS Windows Internet Name Service

WWW World Wide Web

B Acronyms and AbbreviationsHUAWEI CX600 Metro Services Platform


B-4 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2011-05-30)