Huawei AR150&200 Series Enterprise Routers V200R002C00 Configuration Guide - IP Service Issue 02 Date 2012-03-30 HUAWEI TECHNOLOGIES CO., LTD.

Configuration Guide - IP Service(V200R002C00_02)


Huawei AR150&200 Series Enterprise Routers V200R002C00

Configuration Guide - IP Service

Issue 02

Date 2012-03-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.


About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the IP service feature supported by the AR150/200.

This document describes how to configure the IP service feature.

This document is intended for:

  • Data configuration engineers
  • Commissioning engineers
  • Network monitoring engineers
  • System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol      Description
DANGER      Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING     Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION     Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP         Indicates a tip that may help you solve a problem or save time.
NOTE        Provides additional information to emphasize or supplement important points of the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on devices.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 02 (2012-03-30)

Based on issue 01 (2011-12-30), the document is updated as follows:

The following information is added:

  • Disabling the Routing and Forwarding Function on High-end LAN Cards

The following information is modified:

  • 6.6.3 Enabling the DHCP/BOOTP Client


Changes in Issue 01 (2011-12-30)

Initial commercial release.


Contents

About This Document

1 ARP Configuration
  1.1 ARP Overview
  1.2 ARP Features Supported by the AR150/200
  1.3 Configuring Static ARP
    1.3.1 Establishing the Configuration Task
    1.3.2 Configuring a Static ARP Entry
    1.3.3 Configuring a Static ARP Entry in a VLAN
    1.3.4 Configuring a Static ARP Entry in a VPN Instance
    1.3.5 Checking the Configuration
  1.4 Optimizing Dynamic ARP
    1.4.1 Establishing the Configuration Task
    1.4.2 Adjusting Parameters of Dynamic ARP Entries
    1.4.3 Enabling ARP Suppression
    1.4.4 Enabling Layer 2 Topology Detection
    1.4.5 Checking the Configuration
  1.5 Configuring Routed Proxy ARP
    1.5.1 Establishing the Configuration Task
    1.5.2 Configuring an IP Addresses for an Interface
    1.5.3 Configuring Routed Proxy ARP
    1.5.4 Checking the Configuration
  1.6 Configuring Intra-VLAN Proxy ARP
    1.6.1 Establishing the Configuration Task
    1.6.2 Configuring an IP Address for an Interface
    1.6.3 (Optional) Configuring the VLAN ID of a Sub-interface
    1.6.4 Enabling Intra-VLAN Proxy ARP
    1.6.5 Checking the Configuration
  1.7 Configuring Inter-VLAN Proxy ARP
    1.7.1 Establishing the Configuration Task
    1.7.2 Configuring an IP Addresses for an Interface
    1.7.3 (Optional) Configuring the VLAN ID of the Sub-interface
    1.7.4 Enabling Inter-VLAN Proxy ARP
    1.7.5 Checking the Configuration


  1.8 Configuring ARP-Ping IP
    1.8.1 Establishing the Configuration Task
    1.8.2 Checking an IP Address by Using ARP-Ping IP
  1.9 Configuring ARP-Ping MAC
    1.9.1 Establishing the Configuration Task
    1.9.2 Checking a MAC Address by Using ARP-Ping MAC
  1.10 Maintaining ARP
    1.10.1 Deleting ARP Entries
    1.10.2 Monitoring the ARP Running Status
  1.11 Configuration Examples
    1.11.1 Example for Configuring Static ARP
    1.11.2 Example for Configuring Routed Proxy ARP
    1.11.3 Example for Configuring Intra-VLAN Proxy ARP
    1.11.4 Example for Configuring Inter-VLAN Proxy ARP
    1.11.5 Example for Configuring Layer 2 Topology Detection

2 IP Address Configuration
  2.1 IP Address Overview
  2.2 IP Addresses Supported by the AR150/200
  2.3 Configuring IP Addresses for an Interface
    2.3.1 Establishing the Configuration Task
    2.3.2 Configuring a Primary IP Address for an Interface
    2.3.3 (Optional) Configuring a Secondary IP Address for an Interface
    2.3.4 Checking the Configuration
  2.4 Configuring IP Address Unnumbered on an Interface
    2.4.1 Establishing the Configuration Task
    2.4.2 Configuring a Primary IP Address for the Interface from Which an IP Address Will Be Borrowed
    2.4.3 Configuring IP Address Unnumbered on an Interface
    2.4.4 Checking the Configuration
  2.5 Configuration Examples
    2.5.1 Example for Configuring Primary and Secondary IP Addresses for an Interface
    2.5.2 Example for Configuring IP Address Unnumbered on an Interface

3 Basic IPv6 Configuration
  3.1 Introduction to IPv6
  3.2 IPv6 Supported by the AR150/200
  3.3 Configuring an IPv6 Address for an Interface
    3.3.1 Establishing the Configuration Task
    3.3.2 Enabling IPv6 Packet Forwarding Capability
    3.3.3 Configuring an IPv6 Link-Local Address for an Interface
    3.3.4 Configuring an IPv6 Global Unicast Address for an Interface
    3.3.5 Configuring an IPv6 Anycast Address for an Interface
    3.3.6 Checking the Configuration


  3.4 Configuring IPv6 Neighbor Discovery
    3.4.1 Establishing the Configuration Task
    3.4.2 Configuring Static Neighbors
    3.4.3 Enabling RA Message Advertising
    3.4.4 Setting the Interval for Advertising RA Messages
    3.4.5 Configuring the Address Prefixes to Be Advertised
    3.4.6 Configuring Other Information to Be Advertised
    3.4.7 Configuring the Default Router Priority and Route Information
    3.4.8 Checking the Configuration
  3.5 Configuring IPv4/IPv6 Dual Stacks
    3.5.1 Establishing the Configuration Task
    3.5.2 Enabling IPv6 Packet Forwarding
    3.5.3 Configuring IPv4 and IPv6 Addresses for the Interface
    3.5.4 Checking the Configuration
  3.6 Configuring PMTU
    3.6.1 Establishing the Configuration Task
    3.6.2 Creating Static PMTU Entries
    3.6.3 Configuring PMTU Aging Time
    3.6.4 Checking the Configuration
  3.7 Configuring TCP6
    3.7.1 Establishing the Configuration Task
    3.7.2 Configuring TCP6 Timers
    3.7.3 Configuring the Size of the TCP6 Sliding Window
    3.7.4 Checking the Configuration
  3.8 Maintaining IPv6
    3.8.1 Resetting IPv6
  3.9 Configuration Examples
    3.9.1 Example for Configuring an IPv6 Address for an Interface
    3.9.2 Example for Configuring IPv6 Neighbor Discovery

4 DNS Configuration
  4.1 DNS Overview
  4.2 DNS Features Supported by the AR150/200
  4.3 Configuring a DNS Client
    4.3.1 Establishing the Configuration Task
    4.3.2 Configuring Static DNS
    4.3.3 Configuring Dynamic DNS
    4.3.4 Checking the Configuration
  4.4 Configuring DNS Proxy or Relay
    4.4.1 Establishing the Configuration Task
    4.4.2 Configuring a DNS Server
    4.4.3 (Optional) Configuring DNS Spoofing
    4.4.4 (Optional) Setting the Aging Time of DNS Entries


    4.4.5 Checking the Configuration
  4.5 Configuring a DDNS Client
    4.5.1 Establishing the Configuration Task
    4.5.2 Creating a DDNS Policy
    4.5.3 Configuring a DDNS Policy
    4.5.4 Binding a DDNS Policy to an Interface
    4.5.5 Checking the Configuration
  4.6 Maintaining DNS
    4.6.1 Deleting Dynamic DNS Entries of DNS Clients
    4.6.2 Deleting DNS Entries of the DNS Proxy or Relay
    4.6.3 Manually Updating a DDNS Policy
  4.7 Configuration Examples
    4.7.1 Example for Configuring a DNS Client
    4.7.2 Example for Configuring DNS Proxy
    4.7.3 Example for Configuring a DDNS Client

5 NAT Configuration
  5.1 NAT Overview
  5.2 NAT Features Supported by the AR150/200
  5.3 Configuring NAT
    5.3.1 Establishing the Configuration Task
    5.3.2 Configuring an Address Pool
    5.3.3 Associating an ACL with an Address Pool
    5.3.4 Configuring Easy IP
    5.3.5 Configuring an Internal Server
    5.3.6 Configuring Static NAT
    5.3.7 Enabling NAT ALG
    5.3.8 Configuring NAT Filtering
    5.3.9 Configuring NAT Mapping
    5.3.10 Configuring DNS Mapping
    5.3.11 Configuring Twice NAT
    5.3.12 Checking the Configuration
  5.4 Configuration Examples
    5.4.1 Example for Configuring the NAT Server
    5.4.2 Example for Configuring Outbound NAT
    5.4.3 Example for Configuring Twice NAT

6 DHCP Configuration
  6.1 DHCP Overview
  6.2 DHCP Features Supported by the AR150/200
  6.3 Configuring a DHCP Server Based on a Global Address Pool
    6.3.1 Establishing the Configuration Task
    6.3.2 Configuring an Interface to Select a Global Address Pool for IP Address Allocation
    6.3.3 Configuring Global Address Pool Attributes


    6.3.4 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client
    6.3.5 (Optional) Configuring the Static DNS Service on a DHCP Client
    6.3.6 (Optional) Configuring the Static NetBIOS Service on a DHCP Client
    6.3.7 (Optional) Configuring User-Defined DHCP Options of the Global Address Pool
    6.3.8 (Optional) Configuring the Function That Prevents Identical IP Addresses
    6.3.9 Checking the Configuration
  6.4 Configuring a DHCP Server Based on an Interface Address Pool
    6.4.1 Establishing the Configuration Task
    6.4.2 Configuring Interface Address Pool Attributes
    6.4.3 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client
    6.4.4 (Optional) Configuring the Static DNS Service on a DHCP Client
    6.4.5 (Optional) Configuring the Static NetBIOS Service on a DHCP Client
    6.4.6 (Optional) Configuring User-Defined DHCP Options of the Interface Address Pool
    6.4.7 (Optional) Configuring the Function That Prevents Identical IP Addresses
    6.4.8 Checking the Configuration
  6.5 Configuring a DHCP Relay Agent
    6.5.1 Establishing the Configuration Task
    6.5.2 Configuring an Interface to Function as a DHCP Relay Agent
    6.5.3 Specifying a Server Group on the DHCP Relay Agent
    6.5.4 Binding a DHCP Server Group to a DHCP Relay Interface
    6.5.5 (Optional) Configuring the DHCP Relay Agent to Instruct the DHCP Server to Reclaim the Client IP address
    6.5.6 Checking the Configuration
  6.6 Configuring a DHCP/BOOTP Client
    6.6.1 Establishing the Configuration Task
    6.6.2 (Optional) Configuring the DHCP/BOOTP Client Attributes
    6.6.3 Enabling the DHCP/BOOTP Client
    6.6.4 Checking the Configuration
  6.7 Configuring the DHCP Rate Limit Function
  6.8 Maintaining DHCP

6.8.1 Clearing DHCP Statistics......................................................................................................................1566.8.2 Monitoring the Operating Status of DHCP...........................................................................................156

6.9 Configuration Examples.................................................................................................................................1576.9.1 Example for Configuring a DHCP Server Based on a Global Address Pool in the Scenario Where DHCPClients and the DHCP Server Are on the Same Network Segment...............................................................1576.9.2 Example for Configuring a DHCP Server Based on an Interface Address Pool in the Scenario WhereDHCP Clients and the Server Are on the Same Network Segment...............................................................1606.9.3 Example for Configuring a DHCP Server and a DHCP Relay Agent When the DHCP Server and ClientsAre on Different Network Segments..............................................................................................................1646.9.4 Example for Configuring the DHCP and BOOTP Clients....................................................................1676.9.5 Example for Configuring DHCP Rate Limit.........................................................................................172

7 IP Performance Configuration................................................................................................174


7.1 IP Performance Overview
7.2 IP Performance Features Supported by the AR150/200
7.3 Optimizing IP Performance
7.3.1 Establishing the Configuration Task
7.3.2 Checking Validity of Source IP Addresses of Received Packets
7.3.3 Controlling IP packets with Source Route Options
7.3.4 Configuring an Interface to Forward Broadcast Packets
7.3.5 Configuring an Outbound Interface to Fragment IP Packets
7.3.6 Configuring an Interface to Send ICMP Redirection Packets
7.3.7 Setting the Mode in Which Protocol Packets Are Sent
7.3.8 Checking the Configuration
7.4 Configuring Load Balancing for IP Packet Forwarding
7.4.1 Establishing the Configuration Task
7.4.2 Configuring the Unequal-Cost Multiple Path During IP Packet Forwarding
7.4.3 Checking the Configuration
7.5 Configuring TCP Attributes
7.5.1 Establishing the Configuration Task
7.5.2 Setting Values of TCP Timers
7.5.3 Setting the Aging Time of the PMTU
7.5.4 Setting the Size of the TCP Sliding Window
7.5.5 Setting the MSS of TCP Packets on an Interface
7.5.6 Checking the Configuration
7.6 Maintaining IP Performance
7.6.1 Clearing IP Performance Statistics
7.6.2 Monitoring the IP Running Status
7.7 Configuration Examples
7.7.1 Example for Disabling the Sending of ICMP Redirection Packets

8 IP Unicast PBR Configuration
8.1 PBR Overview
8.2 PBR Supported by the AR150/200
8.3 Configuring IP Policy-based Routing
8.3.1 Establishing the Configuration Task
8.3.2 Defining the Matching Rule of PBR
8.3.3 Defining Actions of PBR
8.3.4 Applying PBR
8.3.5 Checking the Configuration
8.4 Configuration Examples
8.4.1 Example for Configuring IP Unicast PBR

9 UDP Helper Configuration
9.1 UDP Helper Overview
9.2 UDP Helper Features Supported by the AR150/200
9.3 Configuring UDP Helper


9.3.1 Establishing the Configuration Task
9.3.2 Enabling UDP Helper
9.3.3 (Optional) Configuring a UDP Port for Packets to Be Relayed
9.3.4 Configuring a Destination Server
9.3.5 Checking the Configuration
9.4 Maintaining UDP Helper
9.4.1 Clearing the UDP Helper Statistics
9.5 Configuration Examples
9.5.1 Example for Configuring UDP Helper


1 ARP Configuration

About This Chapter

ARP can map an IP address to a MAC address and implements transmission of Ethernet frames.

1.1 ARP Overview
ARP dynamically maps Layer 3 IP addresses to Layer 2 MAC addresses. An Ethernet device must support ARP.

1.2 ARP Features Supported by the AR150/200
This section describes ARP features supported by the AR150/200.

1.3 Configuring Static ARP
Static ARP entries record fixed mappings between IP addresses and MAC addresses. They are configured manually by network administrators.

1.4 Optimizing Dynamic ARP
If dynamic ARP is configured, the system resolves an IP address into an Ethernet MAC address. Dynamic ARP entries are maintained dynamically by the ARP protocol. You can adjust parameters of dynamic ARP entries such as the number of ARP probes and the aging time of dynamic ARP entries to optimize forwarding performance of the AR150/200.

1.5 Configuring Routed Proxy ARP
Routed proxy ARP implements communication between devices on the same network segment but on different physical networks.

1.6 Configuring Intra-VLAN Proxy ARP
Intra-VLAN proxy ARP enables hosts that are isolated at Layer 2 in a VLAN to communicate with each other.

1.7 Configuring Inter-VLAN Proxy ARP
Inter-VLAN proxy ARP enables hosts in different sub-VLANs of a super-VLAN to communicate with each other.

1.8 Configuring ARP-Ping IP
ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.

1.9 Configuring ARP-Ping MAC
ARP-Ping MAC checks whether a MAC address on a LAN is in use by sending Internet Control Message Protocol (ICMP) packets.


1.10 Maintaining ARP
This section describes how to maintain ARP.

1.11 Configuration Examples


1.1 ARP Overview
ARP dynamically maps Layer 3 IP addresses to Layer 2 MAC addresses. An Ethernet device must support ARP.

On a LAN, a host or a network device must know the IP address of another host or network device to send data to it. In addition, the physical address of the destination device must also be known because IP packets are encapsulated in frames for transmission across a physical network. Therefore, the mapping from an IP address to a physical address is required. ARP maps IP addresses to physical addresses.

1.2 ARP Features Supported by the AR150/200
This section describes ARP features supported by the AR150/200.

The AR150/200 supports dynamic ARP, static ARP, proxy ARP, and ARPing.

ARP

ARP is classified into the following types:
• Static ARP: Mappings between IP addresses and MAC addresses are configured manually.
• Dynamic ARP: Dynamic ARP entries are maintained by the ARP protocol.

Proxy ARP

The AR150/200 supports the following types of proxy ARP:

• Routed proxy ARP
  Routed proxy ARP implements communication between devices on the same network segment but on different physical networks.
  If a device connected to the AR150/200 is not configured with a default gateway address (that is, the device does not know how to reach the intermediate system of the network), the device cannot forward data packets.
  Routed proxy ARP solves this problem. A device sends an ARP Request packet to request the MAC address of the destination host. After receiving the packet, the AR150/200 enabled with proxy ARP replies with its own MAC address. The AR150/200 then functions as the gateway to route packets to the actual destination.
  Proxy ARP can also shield topologies of physical networks so that internal hosts of Ethernet A and Ethernet B on different physical networks but on the same network segment can communicate.

• Intra-VLAN proxy ARP
  If two users belong to the same VLAN but port isolation is configured in the VLAN, to enable the two users to communicate, you must enable intra-VLAN proxy ARP on an interface associated with the VLAN.
  If an interface on the AR150/200 is enabled with intra-VLAN proxy ARP, it does not discard the ARP request packet that is destined for another interface. Instead, it searches for the corresponding ARP entry of the interface. If the ARP entry is found, the interface sends the MAC address of the AR150/200 to the sender of the ARP request.


  Proxy ARP within a VLAN implements the interworking between isolated users in the same VLAN.

• Inter-VLAN proxy ARP
  If two users belong to different VLANs, to implement communication between the two users, you must enable inter-VLAN proxy ARP on an interface associated with the VLANs.
  If an interface on the AR150/200 is enabled with inter-VLAN proxy ARP, it does not discard the ARP request packet that is destined for another interface. Instead, it searches for the corresponding ARP entry of the interface. If the ARP entry is found, the interface sends the MAC address of the AR150/200 to the sender of the ARP request.
  Inter-VLAN proxy ARP implements the following functions:
  – Layer 3 communication between users in different VLANs
  – Communication between users in sub-VLANs (you must enable inter-VLAN proxy ARP on the VLANIF interface corresponding to the super-VLAN)

ARPing

ARPing is classified into ARP-Ping IP and ARP-Ping MAC. ARPing facilitates maintenance of deployed Layer 2 features.

ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.

ARP-Ping MAC checks whether a MAC address on a LAN is in use by sending Internet Control Message Protocol (ICMP) packets.

1.3 Configuring Static ARP
Static ARP entries record fixed mappings between IP addresses and MAC addresses. They are configured manually by network administrators.

1.3.1 Establishing the Configuration Task
Before configuring static ARP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Static ARP entries ensure communication between the local device and another specified device. They use the specified MAC address to keep attackers from modifying mappings between IP addresses and MAC addresses in static ARP entries.

When static ARP and the Virtual Router Redundancy Protocol (VRRP) are configured on the router, the IP address in a static ARP entry cannot be set to the VRRP virtual IP address on a sub-interface for dot1q VLAN tag termination, a sub-interface for VLAN tag termination, or a VLANIF interface. Otherwise, an incorrect host route is generated, causing forwarding errors.

Pre-configuration Tasks

Before configuring static ARP, complete the following tasks:


• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Setting network layer protocol parameters for the interfaces to ensure that the routing protocol status on the interfaces is Up

Data Preparation
To configure static ARP, you need the following data.

No.  Data
1    IP address and MAC address in a static ARP entry
2    Name of the VPN instance and ID of the VLAN that a static ARP entry belongs to
3    Outbound interface of ARP packets

1.3.2 Configuring a Static ARP Entry
Static ARP entries are valid as long as the AR150/200 works properly.

Context

NOTE
To configure static ARP entries for double-tagged packets, run the arp static cevid command.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    arp static ip-address mac-address

A static ARP entry is configured.

----End

1.3.3 Configuring a Static ARP Entry in a VLAN
This section describes how to configure a static ARP entry in a VLAN.

Context

NOTE
To configure static ARP entries for double-tagged packets, run the arp static cevid command.


Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    arp static ip-address mac-address vid vlan-id interface interface-type interface-number

A static ARP entry is configured in a VLAN.

When configuring a static ARP entry in a VLAN, you must specify the outbound interface so that the packets are sent out from the specified outbound interface.

----End

1.3.4 Configuring a Static ARP Entry in a VPN Instance
To implement Layer 2 communication between devices in a VPN instance, you can configure static ARP entries in the VPN instance.

Context

NOTE
To configure static ARP entries for double-tagged packets, run the arp static cevid command.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    arp static ip-address mac-address vpn-instance vpn-instance-name

A static ARP entry is configured for a VPN instance.

----End

1.3.5 Checking the Configuration

Procedure

• Run the display arp [ all ] command to check all ARP entries, including static ARP entries and dynamic ARP entries.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check ARP entries on the specified network segment.
• Run the display arp static command to check static ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR150/200 or the specified interface.

----End


Example

# Display all the static ARP entries.
<Huawei> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
1.1.1.1         0efc-0505-86e3            S--                            10/-
129.102.0.1     0e00-fc01-0000            S--
11.0.0.1        aa00-fcc0-1200            S--                            3/-
------------------------------------------------------------------------------
Total:3         Dynamic:0       Static:3    Interface:0

# Display all the ARP entries.
<Huawei> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
129.102.0.1     00e0-fc01-0000            S--
118.118.118.1   0018-2000-0083            I -  Vlanif11    vpna
10.1.1.1        0018-2000-0083            I -  Vlanif10
100.1.1.116     0018-2000-0083            I -  Eth
100.1.1.118     0001-0c01-3401  14        D-0  Eth
100.1.1.4       0016-ecb7-a879  18        D-0  Eth
------------------------------------------------------------------------------
Total:6         Dynamic:2       Static:1    Interface:3
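The following is an added example, not part of the Huawei guide: a Python audit that parses captured display arp output and compares it with the bindings you intended to pin with arp static. The sample output is constructed in the layout shown above; the function names, the expected bindings and the finding labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "display arp all" output above.
# Addresses, MACs and interface names are made up for this example.
SAMPLE_OUTPUT = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE
------------------------------------------------------------------------------
10.1.1.1        0018-2000-0083            I -  Vlanif10
10.1.1.2        00e0-fc01-0000            S--
10.1.1.3        0001-0c01-3401  14        D-0  Eth1/0/0
10.1.1.4        0016-ecb7-a879  18        D-0  Eth1/0/0
10.1.1.5        0016-ecb7-a879  20        D-0  Eth1/0/0
------------------------------------------------------------------------------
Total:5         Dynamic:3       Static:1    Interface:1
"""

# Bindings the operator intended to pin with "arp static" (hypothetical values).
EXPECTED_STATIC = {
    "10.1.1.2": "00E0-FC01-0000",   # pinned and correct
    "10.1.1.3": "0001-0c01-3401",   # right MAC, but only learned dynamically
    "10.1.1.4": "aaaa-bbbb-cccc",   # table shows a different MAC
    "10.1.1.9": "0000-5e00-0001",   # no entry at all
}

# An entry line is: IPv4 address, MAC as xxxx-xxxx-xxxx, optional EXPIRE(M)
# minutes, then a TYPE field starting with S (static), D (dynamic) or I (interface).
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>[SDI])"
)
KIND = {"S": "static", "D": "dynamic", "I": "interface"}


def parse_arp_table(text):
    """Return one dict per ARP entry; header, rule and Total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "expire": int(m["expire"]) if m["expire"] else None,
            "kind": KIND[m["type"]],
        })
    return entries


def audit(entries, expected):
    """Compare the table with {ip: mac} bindings that should be static entries."""
    by_ip = {e["ip"]: e for e in entries}
    findings = []
    for ip, mac in sorted(expected.items()):
        entry = by_ip.get(ip)
        if entry is None:
            findings.append((ip, "missing"))
        elif entry["mac"] != mac.lower():
            findings.append((ip, "mac-mismatch"))
        elif entry["kind"] != "static":
            findings.append((ip, "not-static"))

    # One MAC answering for several dynamically learned IPs deserves a look.
    # Interface entries are excluded: the router's own interfaces may
    # legitimately share one MAC, as in the sample output above.
    ips_by_mac = defaultdict(list)
    for e in entries:
        if e["kind"] == "dynamic":
            ips_by_mac[e["mac"]].append(e["ip"])
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append((mac, "shared-mac:" + ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(parse_arp_table(SAMPLE_OUTPUT), EXPECTED_STATIC):
        print(f"{subject:16} {issue}")
```

A shared-mac finding is a prompt for review, not proof of spoofing: a multi-addressed host or a proxy ARP device upstream produces the same pattern.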

1.4 Optimizing Dynamic ARP
If dynamic ARP is configured, the system resolves an IP address into an Ethernet MAC address. Dynamic ARP entries are maintained dynamically by the ARP protocol. You can adjust parameters of dynamic ARP entries such as the number of ARP probes and the aging time of dynamic ARP entries to optimize forwarding performance of the AR150/200.

1.4.1 Establishing the Configuration Task
Before optimizing Dynamic ARP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

Dynamic ARP entries are maintained dynamically by the ARP protocol. They can be aged out, updated, or overridden by static ARP entries. When the aging time is reached or the interface is Down, corresponding dynamic ARP entries are deleted.

The AR150/200 can dynamically create dynamic ARP entries. You can adjust parameters of dynamic ARP entries to optimize forwarding performance of the AR150/200.

Pre-configuration Tasks

Before optimizing Dynamic ARP, complete the following tasks:

• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up


• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Configuring the network layer protocol on the interfaces

Data Preparation
To optimize Dynamic ARP, you need the following data.

No.  Data
1    Number of the interface where dynamic ARP entries are created
2    Maximum number of ARP probes
3    Aging time of dynamic ARP entries

1.4.2 Adjusting Parameters of Dynamic ARP Entries
When the AR150/200 frequently updates ARP entries, you can shorten the aging time of dynamic ARP entries and the interval for ARP probes and increase the number of ARP probes.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    interface interface-type interface-number

The interface view is displayed.

On the AR150/200, you can adjust the parameters of dynamic ARP entries on Ethernet interfaces, Eth-Trunk interfaces, VLANIF interfaces, and VE interfaces.

Step 3 Run:
    arp expire-time expire-time

The aging time of dynamic ARP entries is set.

By default, the aging time is 1200s.

Step 4 Run:
    arp detect-times detect-times

The number of ARP probes is set.

By default, the maximum number of ARP probes is 3. When the aging time of a dynamic ARP entry is reached, the AR150/200 sends an ARP probe packet to the peer device periodically. If the AR150/200 does not receive an ARP Reply packet from the peer device after the specified number of ARP probes, it deletes the ARP entry.

Step 5 (Optional) Run:
    arp detect-mode unicast


An interface is configured to send ARP probe packets in unicast mode.

By default, an interface broadcasts ARP probe packets.

----End

1.4.3 Enabling ARP Suppression
If the system receives a great number of ARP packets from the same source at a time, it has to update ARP entries repeatedly, causing performance deterioration. To ensure system performance, you can enable ARP suppression. The system then only responds to the ARP packets but does not update ARP entries.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    arp-suppress enable

ARP suppression is enabled.

By default, ARP suppression is disabled in the system but is enabled on VLANIF interfaces.

After ARP suppression is enabled, it takes effect for only Eth-Trunk interfaces and VLANIF interfaces.

----End

1.4.4 Enabling Layer 2 Topology Detection
Layer 2 topology detection enables the system to update all the ARP entries in the VLAN that a Layer 2 interface belongs to when the Layer 2 interface status changes from Down to Up.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    l2-topology detect enable

Layer 2 topology detection is enabled.

By default, Layer 2 topology detection is disabled.

----End

1.4.5 Checking the Configuration
You can view the dynamic ARP configuration.


Procedure

• Run the display arp [ all ] command to check all ARP entries, including static ARP entries and dynamic ARP entries.
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check ARP entries on the specified network segment.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR150/200 or the specified interface.

----End

Example

# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.
<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  Eth1/0/0    r1
192.168.1.1     0000-0a41-0200  15        D-6  Eth1/0/0    r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

# Display all the dynamic ARP entries.
<Huawei> display arp dynamic
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.137.217.210  00e0-fc01-0203            I -  Eth1/0/0
10.137.216.1    0025-9e38-a09e  20        D-0  Eth1/0/0
10.137.217.208  00e0-fc01-0205  16        D-0  Eth1/0/0
10.2.2.1        00e0-fc99-9999            I -  Eth-Trunk0
10.6.3.34       00e0-fc01-0204            I -  Eth2/0/0.1
192.168.20.1    00e0-fc99-9999            I -  Vlanif100
10.0.0.1        00e0-fc99-9999            I -  Vlanif200
------------------------------------------------------------------------------
Total:7         Dynamic:2       Static:0    Interface:5

1.5 Configuring Routed Proxy ARP
Routed proxy ARP implements communication between devices on the same network segment but on different physical networks.

1.5.1 Establishing the Configuration Task
Before configuring routed proxy ARP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.


Applicable Environment
If two hosts on different network segments are not configured with the default gateways, you can enable routed proxy ARP on a routing device connecting the two hosts to resolve IP addresses between the two hosts.

Pre-configuration Tasks
Before configuring routed proxy ARP, complete the following tasks:

• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation
To configure routed proxy ARP, you need the following data.

No.  Data
1    Number of the interface where routed proxy ARP is to be enabled
2    IP address of the interface where routed proxy ARP is to be enabled

1.5.2 Configuring an IP Address for an Interface
The IP address of the interface enabled with routed proxy ARP must be on the same network segment as the IP address of the connected host on a LAN.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    interface interface-type interface-number [.subinterface-number ]

The interface view is displayed.

Routed proxy ARP can be enabled on Ethernet interfaces, Ethernet sub-interfaces, VE interfaces, Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and VLANIF interfaces. The preceding interfaces and sub-interfaces are Layer 3 interfaces and sub-interfaces.

Step 3 Run:
    ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

The IP address of the interface enabled with routed proxy ARP must be on the same network segment as the IP address of the connected host on a LAN.

----End


1.5.3 Configuring Routed Proxy ARP

Routed proxy ARP implements communication between devices on different subnets.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Routed proxy ARP can be enabled on Ethernet interfaces, Ethernet sub-interfaces, VE interfaces, Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and VLANIF interfaces. The preceding interfaces and sub-interfaces are Layer 3 interfaces and sub-interfaces.

Step 3 Run:
arp-proxy enable

Routed proxy ARP is enabled on the interface.

By default, routed proxy ARP is disabled on an interface.

----End

1.5.4 Checking the Configuration

After configuring routed proxy ARP, you can view the configuration.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to check ARP entries in the specified VPN instance.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR150/200 or the specified interface.

----End

Example

# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.

<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  Eth1/0/0       r1
192.168.1.1     0000-0a41-0200  15        D-6  Eth1/0/0       r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1


# Run the display arp vpn-instance command, and you can view all the ARP entries in the VPN instance r1.

<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I -  Vlanif888
10.10.10.6      0018-2000-0083            I -  Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0    Interface:2

# Run the display arp statistics command, and you can view the statistics on ARP entries.

<Huawei> display arp statistics all
Dynamic:1       Static:0

1.6 Configuring Intra-VLAN Proxy ARP

Intra-VLAN proxy ARP enables hosts that are isolated at Layer 2 in a VLAN to communicate with each other.

1.6.1 Establishing the Configuration Task

Before configuring intra-VLAN proxy ARP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This will help you complete the configuration task quickly and accurately.

Applicable Environment

If two users are connected to Layer 2 isolated interfaces in the same VLAN, you can enable intra-VLAN proxy ARP to implement Layer 3 communication between the two users.

Pre-configuration Tasks

Before configuring intra-VLAN proxy ARP, complete the following tasks:

• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Configuring a VLAN
• Configuring port isolation in a VLAN

Data Preparation

To configure intra-VLAN proxy ARP, you need the following data.

No.  Data
1    Number of the interface where intra-VLAN proxy ARP is to be enabled
2    IP address of the interface where intra-VLAN proxy ARP is to be enabled
3    VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN


1.6.2 Configuring an IP Address for an Interface

The IP address of the interface must be on the same network segment as the IP addresses in the associated VLAN.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.

Or, run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Intra-VLAN proxy ARP can be enabled on VLANIF interfaces, Ethernet sub-interfaces, and Eth-Trunk sub-interfaces.

Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

The IP address of the interface must be on the same network segment as the IP addresses in the associated VLAN.

----End

1.6.3 (Optional) Configuring the VLAN ID of a Sub-interface

This section describes how to configure the VLAN ID of a sub-interface.

Context

NOTE

You must complete this task before you enable intra-VLAN proxy ARP on Ethernet sub-interfaces or Eth-Trunk sub-interfaces. You can skip this task when you are enabling intra-VLAN proxy ARP on the VLANIF interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.


Step 3 Run:
control-vid vid dot1q-termination

The control VLAN and encapsulation mode of the sub-interface are configured.

Step 4 Run:
dot1q termination vid vid

The single VLAN ID for dot1q encapsulation on a sub-interface is configured.

----End

1.6.4 Enabling Intra-VLAN Proxy ARP

Intra-VLAN proxy ARP implements Layer 3 communication between isolated users in a VLAN.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.

Or, run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 3 Run:
arp-proxy inner-sub-vlan-proxy enable

Intra-VLAN proxy ARP is enabled.

By default, intra-VLAN proxy ARP is disabled.

----End

1.6.5 Checking the Configuration

After configuring intra-VLAN proxy ARP, you can view the intra-VLAN proxy ARP configuration.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to check ARP entries in the specified VPN instance.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR150/200 or the specified interface.

----End


Example

# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.

<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  Eth1/0/0       r1
192.168.1.1     0000-0a41-0200  15        D-6  Eth1/0/0       r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

# Run the display arp vpn-instance command, and you can view all the ARP entries in the VPN instance r1.

<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I -  Vlanif888
10.10.10.6      0018-2000-0083            I -  Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0    Interface:2

# Run the display arp statistics command, and you can view the statistics on ARP entries.

<Huawei> display arp statistics all
Dynamic:1       Static:0

1.7 Configuring Inter-VLAN Proxy ARP

Inter-VLAN proxy ARP enables hosts in different sub-VLANs of a super-VLAN to communicate with each other.

1.7.1 Establishing the Configuration Task

Before configuring inter-VLAN proxy ARP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

The VLAN aggregation technology isolates broadcast domains by using multiple VLANs on a physical network so that different VLANs belong to the same subnet. This technology introduces the super-VLAN and sub-VLAN. A super-VLAN contains one or more sub-VLANs in different broadcast domains. A sub-VLAN does not occupy an independent subnet segment. In a super-VLAN, IP addresses of hosts in different sub-VLANs are on the subnet segment corresponding to the super-VLAN.

Sub-VLANs use the same Layer 3 interface to communicate. This reduces subnet IDs and subnet default gateway addresses. The VLAN aggregation function allows different broadcast domains to use the same subnet address, implements flexible addressing, and saves IP addresses.

Hosts in different sub-VLANs of a super-VLAN cannot communicate with each other. To enable these hosts to communicate with each other, you can enable inter-VLAN proxy ARP on the sub-interface or VLANIF interface corresponding to the super-VLAN.


Pre-configuration Tasks

Before configuring inter-VLAN proxy ARP, complete the following tasks:

• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Configuring VLAN aggregation

Data Preparation

To configure inter-VLAN proxy ARP, you need the following data.

No.  Data
1    Number of the interface where inter-VLAN proxy ARP is to be enabled
2    IP address of the interface where inter-VLAN proxy ARP is to be enabled
3    VLAN ID associated with the interface to be enabled with proxy ARP between VLANs

1.7.2 Configuring an IP Address for an Interface

The IP address of the interface must be on the same network segment as the IP address of the user in a VLAN that the interface belongs to.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.

Or, run:
interface vlanif vlan-id

The VLANIF interface view is displayed.

Inter-VLAN proxy ARP can be enabled on VLANIF interfaces, Ethernet sub-interfaces, and Eth-Trunk sub-interfaces.

Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

The IP address of the interface must be on the same network segment as the IP address of the user in a VLAN that the interface belongs to.

----End


1.7.3 (Optional) Configuring the VLAN ID of the Sub-interface

This section describes how to configure the VLAN ID of the sub-interface.

Context

NOTE

You must complete this task before you enable inter-VLAN proxy ARP on Ethernet sub-interfaces or Eth-Trunk sub-interfaces. You can skip this task if you are enabling inter-VLAN proxy ARP on the VLANIF interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.

Step 3 Run:
control-vid vid dot1q-termination

The control VLAN and encapsulation mode of the sub-interface are configured.

Step 4 Run:
dot1q termination vid vid

The single VLAN ID for dot1q encapsulation on a sub-interface is configured.

----End

1.7.4 Enabling Inter-VLAN Proxy ARP

To implement communication between users in different sub-VLANs, enable inter-VLAN proxy ARP on the sub-interface corresponding to the super-VLAN.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number

The sub-interface view is displayed.

Or, run:
interface vlanif vlan-id

The VLANIF interface view is displayed.


Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable

Inter-VLAN proxy ARP is enabled.

By default, inter-VLAN proxy ARP is disabled.

----End

1.7.5 Checking the Configuration

After configuring inter-VLAN proxy ARP, you can view the inter-VLAN proxy ARP configuration.

Procedure

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to check ARP entries in the specified VPN instance.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR150/200 or the specified interface.

----End

Example

# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.

<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  Eth1/0/0       r1
192.168.1.1     0000-0a41-0200  15        D-6  Eth1/0/0       r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

# Run the display arp vpn-instance command, and you can view all the ARP entries in the VPN instance r1.

<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I -  Vlanif888
10.10.10.6      0018-2000-0083            I -  Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0    Interface:2

# Run the display arp statistics command, and you can view the statistics on ARP entries.

<Huawei> display arp statistics all
Dynamic:1       Static:0

1.8 Configuring ARP-Ping IP

ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.


1.8.1 Establishing the Configuration Task

Before configuring ARP-Ping IP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.

Before configuring an IP address for a device, ensure that this IP address is not in use by sending ARP packets. You can configure ARP-Ping IP on the device.

Pre-configuration Tasks

Before configuring ARP-Ping IP, complete the following task:

• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation

To configure ARP-Ping IP, you need the following data.

No.  Data
1    IP address to be checked

1.8.2 Checking an IP Address by Using ARP-Ping IP

ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP Request packets.

Context

ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets. You can also use the ping command to check whether an IP address is in use, but the result of this method may be inaccurate. The ping command sends ICMP Echo Request packets, which are Layer 3 packets. If the destination host or the routing device enabled with the firewall function is configured not to respond to ICMP Echo Request packets, no ICMP Reply packets are sent, and the IP address is considered unused. ARP packets, which are Layer 2 protocol packets, can pass through the firewall that is configured not to reply to ICMP Echo Request packets; therefore, the result of ARP-Ping IP is accurate.

Procedure

Step 1 Run:
arp-ping ip ip-address [ interface interface-type interface-number [ vlan-id vlan-id ] ]

The AR150/200 is configured to check whether the IP address is in use on a LAN.

----End


Example

• If the following information is displayed, the IP address is not used.

[Huawei] arp-ping ip 110.1.1.2
 ARP-Pinging 110.1.1.2:
 Error: Request timed out.
 Error: Request timed out.
 Error: Request timed out.
 Info: The IP address is not used by anyone!

• If the following information is displayed, the IP address is used.

[Huawei] arp-ping ip 128.1.1.1
 ARP-Pinging 128.1.1.1:
 128.1.1.1 is used by 00e0-517d-f202

1.9 Configuring ARP-Ping MAC

ARP-Ping MAC checks whether a MAC address on a LAN is in use by sending Internet Control Message Protocol (ICMP) packets.

1.9.1 Establishing the Configuration Task

Before configuring ARP-Ping MAC, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

If you know the specific MAC address but not the corresponding IP address on a network segment, you can obtain the corresponding IP address by using ARP-Ping MAC to broadcast ICMP packets. In this way, you can obtain the IP address that maps to the MAC address on the network segment.

Pre-configuration Tasks

Before configuring ARP-Ping MAC, complete the following task:

• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation

To configure ARP-Ping MAC, you need the following data.

No.  Data
1    MAC address to be checked


1.9.2 Checking a MAC Address by Using ARP-Ping MAC

ARP-Ping MAC checks whether a MAC address on a LAN is in use by sending ICMP packets.

Procedure

Step 1 Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number }

The AR150/200 is configured to check whether the MAC address is in use on a LAN.

----End

Example

• If the following information is displayed, the MAC address is not used.

<Huawei> arp-ping mac 0013-46e7-2ef5 interface Eth-Trunk 0
 OutInterface: Eth-Trunk0 MAC[00-13-46-E7-2E-F5], press CTRL_C to break
 Error: Request timed out
 Error: Request timed out
 Error: Request timed out
 ----- ARP-Ping MAC statistics -----
 3 packet(s) transmitted
 0 packet(s) received
 MAC[00-13-46-E7-2E-F5] not be used

• If the following information is displayed, the MAC address is used.

<Huawei> arp-ping mac 00e0-fc03-0201 interface Vlanif 5
 OutInterface: Vlanif5 MAC[00-E0-FC-03-02-01], press CTRL_C to break
 ----- ARP-Ping MAC statistics -----
 1 packet(s) transmitted
 1 packet(s) received

 IP ADDRESS      MAC ADDRESS
 50.1.1.2        00-E0-FC-03-02-01

1.10 Maintaining ARP

This section describes how to maintain ARP.

1.10.1 Deleting ARP Entries

This section describes how to delete ARP entries.


Context

CAUTION

• After ARP entries are deleted, mappings between IP addresses and MAC addresses are deleted. As a result, users may fail to access some devices. Exercise caution when you delete ARP entries.
• Static ARP entries cannot be restored after being deleted. Exercise caution when you delete static ARP entries.

Procedure

Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number | packet statistics | static } command in the user view to delete ARP entries.

----End

1.10.2 Monitoring the ARP Running Status

You can monitor the ARP running status by running display commands.

Context

To check the ARP running status during routine maintenance, run the following display commands in any view.

Procedure

• Run the display arp [ all ] command to check all ARP entries, including static ARP entries and dynamic ARP entries.
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check ARP entries on the specified network segment.
• Run the display arp static command to check static ARP entries.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR150/200 or the specified interface.

----End

Example

# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.

<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -  Eth1/0/0       r1
192.168.1.1     0000-0a41-0200  15        D-6  Eth1/0/0       r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

# Run the display arp dynamic command, and you can view all the dynamic ARP entries.

<Huawei> display arp dynamic
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.137.217.210  00e0-fc01-0203            I -  Eth1/0/0
10.137.216.1    0025-9e38-a09e  20        D-0  Eth1/0/0
10.137.217.208  00e0-fc01-0205  16        D-0  Eth1/0/0
10.2.2.1        00e0-fc99-9999            I -  Eth-Trunk0
10.6.3.34       00e0-fc01-0204            I -  Eth2/0/0.1
192.168.20.1    00e0-fc99-9999            I -  Vlanif100
10.0.0.1        00e0-fc99-9999            I -  Vlanif200
------------------------------------------------------------------------------
Total:7         Dynamic:2       Static:0    Interface:5

1.11 Configuration Examples

1.11.1 Example for Configuring Static ARP

Static ARP is configured to ensure communication security between enterprise departments.

Networking Requirements

As shown in Figure 1-1, the Router connects departments of a company and each department joins a different VLAN. Hosts in the headquarters office and the file backup server are allocated manually configured IP addresses, and hosts in departments dynamically obtain IP addresses by using DHCP. Hosts in the marketing department can access the Internet and are often attacked by ARP packets. Attackers attack the Router and modify dynamic ARP entries on the Router. As a result, communication between hosts in the headquarters office and external devices is interrupted and hosts in departments fail to access the file backup server. The company requires that static ARP entries be configured on the Router so that hosts in the headquarters office can communicate with external devices and hosts in departments can access the file backup server.


Figure 1-1 Network diagram for configuring static ARP entries

[Figure: the Router connects the R&D department, the Marketing department and the Headquarters office (VLAN 10, VLAN 20 and VLAN 30; 10.164.1.0/24, 10.164.2.0/24 and 10.164.3.0/24) through Ethernet0/0/0, Ethernet0/0/1 and Ethernet0/0/2, and the file backup server (10.164.10.1/24, 0df0-fc01-003a) through Ethernet2/0/0. PC A: 10.164.1.1/24, 00e0-fc01-0001.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure static ARP entries for hosts in the headquarters office on the Router to prevent ARP entries of the hosts in the headquarters office from being modified in ARP attack packets.

2. Configure a static ARP entry for the file backup server on the Router to prevent the ARP entry of the file backup server from being modified in ARP attack packets.

Data Preparation

To complete the configuration, you need the following data:

• Interface connecting the Router and hosts in the headquarters office: Ethernet0/0/0
• ID of the VLAN that Ethernet0/0/0 joins: VLAN 10
• IP address of VLANIF10: 10.164.1.20/24
• Network segment where the IP addresses of hosts in the headquarters office are located: 10.164.1.0/24 (PC A with IP address 10.164.1.1 is used as an example. The IP address 10.164.1.1 maps the MAC address 00e0-fc01-0001.)
• Interface connecting the Router and the file backup server: Ethernet2/0/0
• IP address of Ethernet2/0/0: 10.164.10.10/24
• IP address of the file backup server: 10.164.10.1/24 (corresponding MAC address 0df0-fc01-003a)


Procedure

Step 1 Configure static ARP entries for the host in the headquarters office on the Router.

# Create VLAN 10.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit

# Add Ethernet0/0/0 to VLAN 10.

[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port hybrid tagged vlan 10
[Router-Ethernet0/0/0] quit

# Configure an IP address for VLANIF 10.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.164.1.20 255.255.255.0
[Router-Vlanif10] quit

# Configure static ARP entries for hosts in the headquarters office. Configuring a static ARP entry for PC A is used as an example. In the static ARP entry, PC A's IP address 10.164.1.1 maps the MAC address 00e0-fc01-0001, the VLAN ID is 10, and the outbound interface is Ethernet0/0/0.

[Router] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 0/0/0

# Configure static ARP entries for other hosts in the headquarters office. The configuration method is similar to that of PC A.

Step 2 Configure a static ARP entry for the file backup server on the Router.

# Configure an IP address for Ethernet2/0/0.

[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] ip address 10.164.10.10 255.255.255.0
[Router-Ethernet2/0/0] quit

# Configure a static ARP entry for the file backup server: The IP address 10.164.10.1/24 maps the MAC address 0df0-fc01-003a.

[Router] arp static 10.164.10.1 0df0-fc01-003a

Step 3 Verify the configuration.

# Run the display current-configuration command to view static ARP entries.

<Router> display current-configuration | include arp
 arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 0/0/0
 arp static 10.164.1.2 00e0-fc01-0002 vid 10 interface ethernet 0/0/0
 arp static 10.164.1.3 00e0-fc01-0003 vid 10 interface ethernet 0/0/0
 arp static 10.164.10.1 0df0-fc01-003a

----End

Example

The following lists the configuration file of the Router.

#
 sysname Router
#
vlan batch 10 20 30
#
interface Ethernet 0/0/0
 port hybrid tagged vlan 10
#
interface Ethernet 0/0/1
 port hybrid tagged vlan 20
#
interface Ethernet 0/0/2
 port hybrid tagged vlan 30
#
interface Vlanif 10
 ip address 10.164.1.20 255.255.255.0
#
interface Ethernet 2/0/0
 ip address 10.164.10.10 255.255.255.0
#
 arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 0/0/0
 arp static 10.164.1.2 00e0-fc01-0002 vid 10 interface ethernet 0/0/0
 arp static 10.164.1.3 00e0-fc01-0003 vid 10 interface ethernet 0/0/0
 arp static 10.164.10.1 0df0-fc01-003a
#
return
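The static ARP example above can be checked from the defender's side with a small audit script. The following is an added example, not part of the Huawei guide: it parses text in the display arp layout shown in this guide and compares it with the bindings from the example. The sample output is constructed, and the inventory structure and function names are assumptions of this example.

```python
import re

# Constructed sample in the column layout of the `display arp` output shown in
# this guide; the 10.164.1.1 row simulates a poisoned dynamic entry for PC A.
SAMPLE_DISPLAY_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.164.1.20     00e0-fc99-9999            I -  Vlanif10
10.164.1.1      00e0-fc01-0bad  18        D-0  Eth0/0/0
10.164.1.2      00e0-fc01-0002  12        D-0  Eth0/0/0
10.164.10.10    00e0-fc99-9999            I -  Eth2/0/0
10.164.10.1     0df0-fc01-003a  20        D-0  Eth2/0/0
------------------------------------------------------------------------------
Total:5         Dynamic:3       Static:0    Interface:2
"""

# IP/MAC bindings taken from the static ARP example in this guide. The
# inventory structure (ip -> mac, optional vid and interface) is an assumption.
EXPECTED = {
    "10.164.1.1": {"mac": "00e0-fc01-0001", "vid": 10, "interface": "ethernet 0/0/0"},
    "10.164.1.2": {"mac": "00e0-fc01-0002", "vid": 10, "interface": "ethernet 0/0/0"},
    "10.164.1.3": {"mac": "00e0-fc01-0003", "vid": 10, "interface": "ethernet 0/0/0"},
    "10.164.10.1": {"mac": "0df0-fc01-003a"},
}

# One table row: IP, MAC, optional EXPIRE(M), TYPE ("I -" or e.g. "D-0"), interface.
ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>I -|[A-Z][A-Z0-9-]*)\s+"
    r"(?P<iface>\S+)"
)


def parse_display_arp(text):
    """Return one dict per ARP entry; header, ruler and Total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append({
                "ip": m["ip"],
                "mac": m["mac"].lower(),
                "expire": int(m["expire"]) if m["expire"] else None,
                "type": m["type"],
                "iface": m["iface"],
            })
    return entries


def audit(entries, expected):
    """Compare the ARP table with the inventory; return (ip, finding) tuples."""
    by_ip = {e["ip"]: e for e in entries}
    findings = []
    for ip, want in expected.items():
        got = by_ip.get(ip)
        if got is None:
            findings.append((ip, "NO_ENTRY"))       # no pinned entry present
            continue
        if got["mac"] != want["mac"].lower():
            findings.append((ip, "MAC_MISMATCH"))   # table disagrees with inventory
        if got["type"].startswith("D"):
            findings.append((ip, "DYNAMIC"))        # learned entry, can be overwritten
    return findings


def static_arp_commands(findings, expected):
    """Build arp static lines, in the syntax used in this guide, for flagged IPs."""
    commands = []
    for ip in dict.fromkeys(ip for ip, _ in findings):
        want = expected[ip]
        cmd = f"arp static {ip} {want['mac']}"
        if "vid" in want:
            cmd += f" vid {want['vid']} interface {want['interface']}"
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    results = audit(parse_display_arp(SAMPLE_DISPLAY_ARP), EXPECTED)
    for ip, finding in results:
        print(f"{ip:<15} {finding}")
    print("\n".join(static_arp_commands(results, EXPECTED)))
```

The script relies only on the TYPE values visible in this guide's output ("I -" for interface entries and a "D" prefix for dynamic entries).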

1.11.2 Example for Configuring Routed Proxy ARP

Routed proxy ARP implements communication between the two branches on the same network segment but on different physical networks.

Networking Requirements

As shown in Figure 1-2, branch A and branch B of a company are located in different cities; multiple routing devices are deployed between branches and routes are reachable; IP addresses of the routing devices are on the same network segment 172.16.0.0/16. Branch A and branch B belong to different broadcast domains; therefore, they cannot communicate on a LAN. Hosts of branches are not configured with default gateway addresses; therefore, they cannot communicate across network segments. The company requires that branch A and branch B communicate without changing the host configurations.

NOTE

AR150/200 is RouterA or RouterB.

Figure 1-2 Network diagram for configuring routed proxy ARP

[Figure: Host A (172.16.1.2/16, 0000-5e33-ee20) in Branch A (VLAN 10) attaches to Ethernet0/0/0 of RouterA, and Host B (172.16.2.2/16, 0000-5e33-ee10) in Branch B (VLAN 20) attaches to Ethernet0/0/0 of RouterB; RouterC, RouterD and the Internet lie between RouterA and RouterB.]


Configuration Roadmap

The configuration roadmap is as follows:

1. Add the interface connecting RouterA and branch A to VLAN 10 and add the interface connecting RouterB and branch B to VLAN 20.

2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to implement communication between the two branches.

Data Preparation

To complete the configuration, you need the following data:

• Ethernet0/0/0 connecting RouterA and branch A
• Ethernet0/0/0 connecting RouterB and branch B
• IP address 172.16.1.1/24 of VLANIF 10
• MAC address 00e0-fc39-80aa of VLANIF 10
• IP address 172.16.2.1/24 of VLANIF 20
• MAC address 00e0-fc39-80bb of VLANIF 20

Procedure

Step 1 Configure RouterA.

# Create VLAN 10.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit

# Add Ethernet0/0/0 to VLAN 10.

[RouterA] interface ethernet 0/0/0
[RouterA-Ethernet0/0/0] port link-type access
[RouterA-Ethernet0/0/0] port default vlan 10
[RouterA-Ethernet0/0/0] quit

# Configure an IP address for VLANIF 10.

[RouterA] interface vlanif 10
[RouterA-Vlanif10] ip address 172.16.1.1 255.255.255.0

# Enable routed proxy ARP on VLANIF 10.

[RouterA-Vlanif10] arp-proxy enable
[RouterA-Vlanif10] quit

Step 2 Configure RouterB.

The configuration of RouterB is similar to that of RouterA.

Step 3 Verify the configuration.

# Select host A at 172.16.1.2/16 in branch A and select host B at 172.16.2.2/16 in branch B. Ping the IP address of host B from host A.

C:\Documents and Settings\Administrator>ping 172.16.2.2
  PING 172.16.2.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=10 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=10 ms
  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/10/10 ms

# View the ARP table of host A. You can see that the MAC address of host B is the MAC address of VLANIF 10.

C:\Documents and Settings\Administrator>arp -a
Interface: 172.16.1.2 --- 0x2
  Internet Address      Physical Address      Type
  172.16.2.2            00e0-fc39-80aa        dynamic

----End

Configuration Files

Configuration file of RouterA

#
 sysname RouterA
#
vlan batch 10
#
interface Vlanif 10
 ip address 172.16.1.1 255.255.255.0
 arp-proxy enable
#
interface ethernet 0/0/0
 port link-type access
 port default vlan 10
#
return

Configuration file of RouterB

#
 sysname RouterB
#
vlan batch 20
#
interface Vlanif 20
 ip address 172.16.2.1 255.255.255.0
 arp-proxy enable
#
interface ethernet 0/0/0
 port link-type access
 port default vlan 20
#
return

1.11.3 Example for Configuring Intra-VLAN Proxy ARP

Intra-VLAN proxy ARP implements Layer 3 communication between enterprise departments in a VLAN to prevent broadcast storms.

Networking Requirements

As shown in Figure 1-3, hosts of the accounting department are located in a VLAN. Hosts of the accounting department are attacked by viruses when they access the Internet. The attacked hosts send a large number of broadcast packets, causing broadcast storms in the VLAN. The hosts cannot even communicate with each other. The company requires that broadcast storms be prevented to ensure communication between hosts and information security.

Figure 1-3 Networking diagram of intra-VLAN proxy ARP

[Diagram not reproduced. Labels: Accounting Department with PC A and PC B (100.1.1.100/24, 100.1.1.10/24) in VLAN 10; Router; Ethernet0/0/0.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure port isolation on the downstream interface of the Router to forbid Layer 2 communication and remove broadcast storms.

2. Enable intra-VLAN proxy ARP on the VLANIF interface to implement Layer 3 communication between hosts in the accounting department while preventing broadcast storms.

Data Preparation

To complete the configuration, you need the following data:

• Interface connecting the Router and the accounting department: Ethernet0/0/0
• ID of the VLAN that Ethernet0/0/0 joins: VLAN 10
• IP address of VLANIF10: 100.1.1.12/24

Procedure

Step 1 Add Ethernet0/0/0 to VLAN 10.

# Create VLAN 10.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit

# Add Ethernet0/0/0 to VLAN 10.

[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port hybrid tagged vlan 10
[Router-Ethernet0/0/0] quit

# Configure an IP address for VLANIF 10.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 100.1.1.12 255.255.255.0
[Router-Vlanif10] quit

Step 2 Configure the Router.

Create VLAN 10 on the Router and add all interfaces to VLAN 10. Configure isolation for downstream interfaces connected to users. The configuration details are not mentioned here.

Step 3 Configure IP addresses for PCs.

# Configure IP addresses for PCs and ensure that their IP addresses and the IP address of VLANIF10 are on the same network segment.

# After the configuration is complete, each PC and the Router can ping each other successfully. The PCs, however, cannot ping one another.

Step 4 Enable intra-VLAN proxy ARP on VLANIF 10.

[Router] interface vlanif 10
[Router-Vlanif10] arp-proxy inner-sub-vlan-proxy enable
[Router-Vlanif10] quit

Step 5 Verify the configuration.

# Ping PC A and PC B. They can be pinged successfully.

[Router] ping 100.1.1.100
  PING 100.1.1.100: 56 data bytes, press CTRL_C to break
    Reply from 100.1.1.100: bytes=56 Sequence=1 ttl=255 time=10 ms
    Reply from 100.1.1.100: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 100.1.1.100: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 100.1.1.100: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 100.1.1.100: bytes=56 Sequence=5 ttl=255 time=10 ms
  --- 100.1.1.100 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/10/10 ms

----End

Configuration Files

Configuration file of the Router

#
 sysname Router
#
vlan batch 10
#
interface Vlanif 10
 ip address 100.1.1.12 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
#
interface ethernet 0/0/0
 port hybrid tagged vlan 10
#
return

1.11.4 Example for Configuring Inter-VLAN Proxy ARP

Networking Requirements

As shown in Figure 1-4, sub-VLANs VLAN 2 and VLAN 3 compose super-VLAN 4.

Hosts in VLAN 2 and VLAN 3 cannot ping each other.

To implement communication between hosts in VLAN 2 and VLAN 3, configure inter-VLAN proxy ARP.

Figure 1-4 Network diagram for configuring inter-VLAN proxy ARP

[Diagram not reproduced. Labels: Router; super-VLAN VLAN4; sub-VLANs VLAN2 and VLAN3.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Create and configure the super-VLAN and sub-VLANs.
2. Add interfaces to the sub-VLANs.
3. Create a VLANIF interface corresponding to the super-VLAN and assign an IP address to the VLANIF interface.
4. Enable inter-VLAN proxy ARP.

Data Preparation

To complete the configuration, you need the following data:

• IDs of the super-VLAN and sub-VLANs
• Sub-VLAN 2 that Ethernet0/0/0 and Ethernet0/0/1 belong to
• Sub-VLAN 3 that Ethernet0/0/2 and Ethernet0/0/3 belong to
• IP address 10.10.10.1 and mask 255.255.255.0 of the VLANIF interface corresponding to the super-VLAN

Procedure

Step 1 Create and configure the super-VLAN and sub-VLANs.

# Create sub-VLAN 2.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit

# Add Ethernet0/0/0 and Ethernet0/0/1 to sub-VLAN 2.

[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port link-type access
[Router-Ethernet0/0/0] port default vlan 2
[Router-Ethernet0/0/0] quit
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] port link-type access
[Router-Ethernet0/0/1] port default vlan 2
[Router-Ethernet0/0/1] quit

# Create sub-VLAN 3.

[Router] vlan 3
[Router-vlan3] quit

# Add Ethernet0/0/2 and Ethernet0/0/3 to sub-VLAN 3.

[Router] interface ethernet 0/0/2
[Router-Ethernet0/0/2] port link-type access
[Router-Ethernet0/0/2] port default vlan 3
[Router-Ethernet0/0/2] quit
[Router] interface ethernet 0/0/3
[Router-Ethernet0/0/3] port link-type access
[Router-Ethernet0/0/3] port default vlan 3
[Router-Ethernet0/0/3] quit

# Create super-VLAN 4 and add sub-VLAN 2 and sub-VLAN 3 to super-VLAN 4.

[Router] vlan 4
[Router-vlan4] aggregate-vlan
[Router-vlan4] access-vlan 2
[Router-vlan4] access-vlan 3
[Router-vlan4] quit

Step 2 Create and configure VLANIF 4.

# Create VLANIF 4.

[Router] interface vlanif 4

# Configure an IP address for VLANIF 4.

[Router-Vlanif4] ip address 10.10.10.1 24

Step 3 Enable inter-VLAN proxy ARP on VLANIF 4.

[Router-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[Router-Vlanif4] quit

Step 4 Verify the configuration.

# Run the display current-configuration command, and you can view the configuration of the super-VLAN, sub-VLANs, and VLANIF interface.

# Run the display arp command, and you can view all the ARP entries.

<Router> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.10.10.1      0018-2000-0083            I -  Vlanif4
10.10.10.2      00e0-fc00-0002  19        D-0  Ethernet0/0/0
                                          2/-
10.10.10.3      00e0-fc00-0003  19        D-0  Ethernet0/0/1
                                          2/-
10.10.10.4      00e0-fc00-0004  19        D-0  Ethernet0/0/2
                                          3/-
10.10.10.5      00e0-fc00-0005  19        D-0  Ethernet0/0/3
                                          3/-
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0    Interface:1

----End

Example

The following lists only the configuration file of the Router.

#
 sysname Router
#
 vlan batch 2 to 4
#
vlan 4
 aggregate-vlan
 access-vlan 2 to 3
#
interface Vlanif4
 ip address 10.10.10.1 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
#
interface ethernet 0/0/0
 port link-type access
 port default vlan 2
#
interface ethernet 0/0/1
 port link-type access
 port default vlan 2
#
interface ethernet 0/0/2
 port link-type access
 port default vlan 3
#
interface ethernet 0/0/3
 port link-type access
 port default vlan 3
#
return
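The configuration files in sections 1.11.2 to 1.11.4 each enable one of three proxy ARP commands on a VLANIF interface, which makes the router answer ARP requests on behalf of other hosts. The following Python script is an added example, not part of the Huawei guide: it reads a saved configuration file in the layout shown above and reports every interface with proxy ARP enabled, together with the VLANs and ports it answers for. The function names are this example's own, and it assumes sections are separated by `#` lines as in the files on this page.

```python
import re

# Proxy ARP commands as they appear in the configuration files on this page.
PROXY_ARP_MODES = {
    "arp-proxy enable": "routed",
    "arp-proxy inner-sub-vlan-proxy enable": "intra-VLAN",
    "arp-proxy inter-sub-vlan-proxy enable": "inter-VLAN",
}

# Sample input: the section 1.11.4 configuration file, abridged to one port per sub-VLAN.
SAMPLE_CONFIG = """\
#
 sysname Router
#
 vlan batch 2 to 4
#
vlan 4
 aggregate-vlan
 access-vlan 2 to 3
#
interface Vlanif4
 ip address 10.10.10.1 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
#
interface ethernet 0/0/0
 port link-type access
 port default vlan 2
#
interface ethernet 0/0/2
 port link-type access
 port default vlan 3
#
return
"""


def parse_sections(config_text):
    """Split a configuration file into (header, body_lines) sections at '#' lines."""
    sections, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            current = None              # a '#' line closes the open section
        elif line == "return":
            break
        elif current is None:
            current = (line, [])        # first line after '#' is the section header
            sections.append(current)
        else:
            current[1].append(line)
    return sections


def expand_vlans(spec):
    """Expand 'N', 'N M' or 'N to M' (as in 'access-vlan 2 to 3') into VLAN IDs."""
    nums = [int(n) for n in re.findall(r"\d+", spec)]
    if " to " in spec and len(nums) == 2:
        return list(range(nums[0], nums[1] + 1))
    return nums


def audit_proxy_arp(config_text):
    """Return one finding per interface with proxy ARP enabled, with the ports it covers."""
    sub_vlans, vlan_ports, interfaces = {}, {}, []
    for header, body in parse_sections(config_text):
        m = re.fullmatch(r"vlan (\d+)", header)
        if m and "aggregate-vlan" in body:   # super-VLAN: record its sub-VLANs
            sub_vlans[int(m.group(1))] = [
                vid for line in body if line.startswith("access-vlan ")
                for vid in expand_vlans(line[len("access-vlan "):])]
        m = re.fullmatch(r"interface\s+(.+)", header, re.IGNORECASE)
        if not m:
            continue
        name = m.group(1).replace(" ", "")
        interfaces.append((name, body))
        for line in body:                    # record which VLANs this port joins
            pm = re.fullmatch(r"port (?:default|hybrid (?:un)?tagged) vlan (.+)", line)
            if pm:
                for vid in expand_vlans(pm.group(1)):
                    vlan_ports.setdefault(vid, []).append(name)
    findings = []
    for name, body in interfaces:
        modes = [PROXY_ARP_MODES[line] for line in body if line in PROXY_ARP_MODES]
        if not modes:
            continue
        vm = re.fullmatch(r"vlanif(\d+)", name, re.IGNORECASE)
        # A super-VLAN's VLANIF answers for its sub-VLANs; otherwise for its own VLAN.
        vlans = sub_vlans.get(int(vm.group(1)), [int(vm.group(1))]) if vm else []
        findings.append({
            "interface": name,
            "modes": modes,
            "addresses": [ln[len("ip address "):] for ln in body if ln.startswith("ip address ")],
            "vlans": vlans,
            "ports": sorted({p for v in vlans for p in vlan_ports.get(v, [])}),
        })
    return findings
```

Calling audit_proxy_arp(SAMPLE_CONFIG) returns a single finding for Vlanif4 in inter-VLAN mode covering sub-VLANs 2 and 3 and their member ports.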

1.11.5 Example for Configuring Layer 2 Topology Detection

Networking Requirements

As shown in Figure 1-5, two Ethernet interfaces are added to VLAN 100 in default mode. To view changes of ARP entries, configure Layer 2 topology detection.


Figure 1-5 Network diagram for configuring Layer 2 topology detection

[Diagram not reproduced. Labels: PC A and PC B (10.1.1.1/24, 10.1.1.3/24) in VLAN100; Router with VLANIF100 10.1.1.2/24; Ethernet 0/0/0 and Ethernet 0/0/1.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Add two Ethernet interfaces to VLAN 100 in default mode.
2. Enable Layer 2 topology detection to view changes of ARP entries.

Data Preparation

To complete the configuration, you need the following data:

• Types and numbers of the interfaces to be added to a VLAN

• IP addresses of the VLANIF interface and the PCs

Procedure

Step 1 Create VLAN 100 and add the two Ethernet interfaces on the Router to VLAN 100 in default mode.

# Create VLAN 100 and configure an IP address for the VLANIF interface.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-vlanif100] ip address 10.1.1.2 24
[Router-vlanif100] quit

# Add the two Ethernet interfaces to VLAN 100 in default mode.

[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port link-type access
[Router-Ethernet0/0/0] port default vlan 100
[Router-Ethernet0/0/0] quit
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] port link-type access
[Router-Ethernet0/0/1] port default vlan 100
[Router-Ethernet0/0/1] quit


Step 2 Enable Layer 2 topology detection.

[Router] l2-topology detect enable

Step 3 Restart Ethernet 0/0/0 and view changes of ARP entries and aging time.

# View ARP entries on the Router. You can see that the Router has learned the MAC address of the PC.

[Router] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I -  Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0  Ethernet0/0/0
10.1.1.3        00e0-de24-bf04  20        D-0  Ethernet0/0/1
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0    Interface:1

# Run the shutdown and undo shutdown commands on Ethernet0/0/0 and view the aging time of ARP entries.

[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] shutdown
[Router-Ethernet0/0/0] undo shutdown
[Router-Ethernet0/0/0] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I -  Vlanif100
10.1.1.3        00e0-de24-bf04  0         D-0  Ethernet0/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

NOTE

According to the preceding information, the ARP entries learned from Ethernet0/0/1 are deleted after Ethernet0/0/0 is shut down. After Ethernet0/0/0 is enabled and becomes Up, the aging time of ARP entries learned from Ethernet0/0/1 changes to 0.

# When the aging time is 0, the Router sends an ARP probe packet for updating ARP entries.

[Router-Ethernet0/0/0] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I -  Vlanif100
10.1.1.3        00e0-de24-bf04  20        D-0  Ethernet0/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

NOTE

After ARP entries are updated, the aging time is restored to the default value, 1200s.

----End

Configuration Files

Configuration file of the Router

#
 sysname Router
#
l2-topology detect enable
#
 vlan batch 100
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface Ethernet 0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet 0/0/1
 port link-type access
 port default vlan 100
#
return
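The three display arp all outputs in Step 3 can be compared mechanically rather than by eye. The following Python script is an added example, not part of the Huawei guide: it parses the table rows and reports, between two snapshots, which entries were removed or added, which changed MAC address or interface, which are at aging time 0 (awaiting an ARP probe), and which were refreshed. The function names are this example's own; the sample rows are taken from the outputs in this section.

```python
import re

# One table row: IP, MAC, optional EXPIRE(M), TYPE ("I -" or e.g. "D-0"), INTERFACE.
ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>I -|\S+)\s+"
    r"(?P<interface>\S+)",
    re.IGNORECASE,
)

# Sample input: rows of the three "display arp all" outputs in section 1.11.5.
BEFORE = """\
10.1.1.2        00e0-c01a-4900            I -  Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0  Ethernet0/0/0
10.1.1.3        00e0-de24-bf04  20        D-0  Ethernet0/0/1
Total:3         Dynamic:2       Static:0    Interface:1
"""
AFTER_FLAP = """\
10.1.1.2        00e0-c01a-4900            I -  Vlanif100
10.1.1.3        00e0-de24-bf04  0         D-0  Ethernet0/0/1
Total:2         Dynamic:1       Static:0    Interface:1
"""
AFTER_PROBE = """\
10.1.1.2        00e0-c01a-4900            I -  Vlanif100
10.1.1.3        00e0-de24-bf04  20        D-0  Ethernet0/0/1
Total:2         Dynamic:1       Static:0    Interface:1
"""


def parse_arp_table(text):
    """Parse 'display arp' output into {ip: entry}; lines that are not rows are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue    # header, ruler, VLAN/CEVLAN continuation line or totals
        expire = m.group("expire")
        entries[m.group("ip")] = {
            "mac": m.group("mac").lower(),
            "expire": int(expire) if expire is not None else None,  # None: interface entry
            "type": m.group("type"),
            "interface": m.group("interface"),
        }
    return entries


def diff_snapshots(before, after):
    """Compare two parsed ARP tables and classify what changed between them."""
    common = [ip for ip in after if ip in before]
    return {
        "removed": sorted(ip for ip in before if ip not in after),
        "added": sorted(ip for ip in after if ip not in before),
        "mac_changed": sorted(ip for ip in common
                              if before[ip]["mac"] != after[ip]["mac"]),
        "moved": sorted(ip for ip in common
                        if before[ip]["interface"] != after[ip]["interface"]),
        # Aging time 0: the Router is about to probe this entry.
        "probing": sorted(ip for ip, e in after.items() if e["expire"] == 0),
        # Was at 0 in the earlier snapshot and now has a positive aging time again.
        "refreshed": sorted(ip for ip in common
                            if before[ip]["expire"] == 0 and (after[ip]["expire"] or 0) > 0),
    }


if __name__ == "__main__":
    t0, t1, t2 = (parse_arp_table(s) for s in (BEFORE, AFTER_FLAP, AFTER_PROBE))
    print("after shutdown/undo shutdown:", diff_snapshots(t0, t1))
    print("after ARP probe:", diff_snapshots(t1, t2))
```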


2 IP Address Configuration

About This Chapter

This chapter describes how to configure Internet protocol (IP) addresses for network devices so that they can communicate.

2.1 IP Address Overview
This section describes the concept of IP addresses.

2.2 IP Addresses Supported by the AR150/200
This section describes the methods for setting IP addresses for the AR150/200.

2.3 Configuring IP Addresses for an Interface
This section describes how to configure IP addresses for an interface.

2.4 Configuring IP Address Unnumbered on an Interface
This section describes how to configure IP address unnumbered.

2.5 Configuration Examples
This section provides several IP address configuration examples.


2.1 IP Address Overview

This section describes the concept of IP addresses.

Hosts on an IP network use IP addresses to communicate with each other.

An IP address is a 32-bit address that identifies every computer or web server on the Internet. It consists of a network ID and a host ID.

The network ID identifies a network and the host ID identifies a specific network device on the network. If multiple network devices have the same network ID, they reside on the same network regardless of their physical locations.

2.2 IP Addresses Supported by the AR150/200

This section describes the methods for setting IP addresses for the AR150/200.

NOTE

IP addresses refer to IPv4 addresses in this document.

The AR150/200 supports the following methods for setting IP addresses:

• Setting static IP addresses for interfaces manually
• Configuring an interface to borrow an IP address from another interface
• Using the IP address negotiation function of PPP to assign IP addresses to interfaces

To save IP addresses, the AR150/200 supports the 31-bit address mask on a P2P interface. After a 31-bit address mask is configured, there are two IP addresses on a subnet: the subnet address and the broadcast address of the subnet. Both addresses are called host addresses.

The AR150/200 supports the 32-bit address mask on a loopback interface.

2.3 Configuring IP Addresses for an Interface

This section describes how to configure IP addresses for an interface.

2.3.1 Establishing the Configuration Task

Before configuring IP addresses for an interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

To run IP services on an interface, you must configure IP addresses for the interface. Each interface of the AR150/200 can be allocated multiple IP addresses, one of which is the primary IP address and the others are secondary IP addresses.

Generally, an interface needs only the primary IP address. In special cases, the secondary IP addresses need to be configured for the interface. For example, an interface of the AR150/200 is connected to a physical network, and hosts on this physical network belong to two network segments. To allow the AR150/200 to communicate with all the hosts on the physical network, configure a primary IP address and a secondary IP address for the interface.

NOTE

Layer 2 interfaces on the AR150/200 cannot be allocated IP addresses.

Pre-configuration Tasks

Before configuring IP addresses for an interface, complete the following tasks:

• Connecting interfaces and setting physical parameters of each interface so that the physical status of the interfaces is Up

• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Data Preparation

To configure IP addresses for an interface, you need the following data.

No.  Data
1    Number of the interface
2    Primary IP address and subnet mask of the interface
3    (Optional) Secondary IP address and subnet mask of the interface

2.3.2 Configuring a Primary IP Address for an Interface

An interface has only one primary IP address.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured for the interface.

An interface has only one primary IP address. If you configure a new primary address on an interface that already has a primary IP address, the new IP address overrides the original one.

----End


2.3.3 (Optional) Configuring a Secondary IP Address for an Interface

If an interface needs to communicate with hosts on different network segments, configure secondary IP addresses for the interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length } sub

A secondary IP address is configured for the interface.

To configure multiple secondary IP addresses for an interface, repeat this step. Each interface can be configured with a maximum of 31 secondary IP addresses.

----End

2.3.4 Checking the Configuration

Procedure

• Run the display ip interface [ interface-type interface-number ] command to check information about the interface IP address.

• Run the display ip interface brief [ interface-type [ interface-number ] ] command to check brief information about the interface IP address.

----End

Example

# Run the display ip interface command to view information about the IP address on Ethernet1/0/0.

<Huawei> display ip interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 11022, bytes : 660443, multicasts : 0
output packets : 9634, bytes : 533292, multicasts : 0
Directed-broadcast packets:
 received packets: 1796, sent packets: 0
 forwarded packets: 0, dropped packets: 0
ARP packet input number: 52872
  Request packet: 52852
  Reply packet: 20
  Unknown packet: 0
Internet Address is 10.137.217.210/23
Broadcast address : 10.137.217.255
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
  Echo reply: 0
  Unreachable: 0
  Source quench: 0
  Routing redirect: 0
  Echo request: 0
  Router advert: 0
  Router solicit: 0
  Time exceed: 0
  IP header bad: 0
  Timestamp request: 0
  Timestamp reply: 0
  Information request: 0
  Information reply: 0
  Netmask request: 0
  Netmask reply: 0
  Unknown type: 0

# Run the display ip interface brief command to view brief information about the IP address on Ethernet1/0/0.

<Huawei> display ip interface brief ethernet 1/0/0
*down: administratively down
(l): loopback
(s): spoofing
Interface                   IP Address/Mask      Physical   Protocol
Ethernet1/0/0               10.137.217.210/23    up         up

2.4 Configuring IP Address Unnumbered on an Interface

This section describes how to configure IP address unnumbered.

2.4.1 Establishing the Configuration Task

Before configuring IP address unnumbered, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

In some application environments, an interface needs to be configured to borrow an IP address from another interface to save IP addresses. If an interface is seldom used, a fixed IP address is unnecessary. You can configure the interface to borrow an IP address from another interface.

Pre-configuration Tasks

Before configuring IP address unnumbered on an interface, complete the following tasks:

• Setting physical attributes of the IP unnumbered interface and the interface from which an IP address will be borrowed

• Setting link layer protocols of the IP unnumbered interface and the interface from which an IP address will be borrowed

Data Preparation

To configure IP address unnumbered on an interface, you need the following data.

No.  Data
1    Number, IP address, and mask of the interface from which an IP address will be borrowed
2    Number of the IP unnumbered interface

NOTE

Only the configurations related to IP address unnumbered are described here. The procedure for configuring a static route to the peer device is not mentioned here.

The IP unnumbered interface cannot be enabled with dynamic routing protocols because it does not have an IP address itself. To implement communication between the AR150/200 and the peer device, configure a static route to the peer device.

2.4.2 Configuring a Primary IP Address for the Interface from Which an IP Address Will Be Borrowed

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The view of the interface from which an IP address will be borrowed is displayed.

The interface can be an Ethernet interface, a loopback interface, an Eth-Trunk interface, or a VLANIF interface.

Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured for the interface from which an IP address will be borrowed.

An interface has only one primary IP address. If you configure a new primary address on an interface that already has a primary IP address, the new IP address overrides the original one.

----End

2.4.3 Configuring IP Address Unnumbered on an Interface

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The IP unnumbered interface view is displayed.

ATM interfaces, tunnel interfaces, and interfaces encapsulated with the Point-to-Point Protocol (PPP) or High-level Data Link Control (HDLC) can borrow IP addresses from other types of interfaces.

P2P sub-interfaces encapsulated with frame relay (FR) can borrow IP addresses from other types of interfaces.

Ethernet interfaces can borrow IP addresses from loopback interfaces.

Step 3 Run:
ip address unnumbered interface interface-type interface-number

The IP unnumbered interface is configured to borrow an IP address from the specified interface.

----End

2.4.4 Checking the Configuration

Procedure

• Run the display ip interface [ interface-type interface-number ] command to check information about the interface IP address.

• Run the display ip interface brief [ interface-type [ interface-number ] ] command to check brief information about the interface IP address.

----End

Example

# Run the display ip interface command to view information about Eth2/0/0 borrowing an IP address from LoopBack0.

<Huawei> display ip interface ethernet 2/0/0
Ethernet2/0/0 is standby, Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
Directed-broadcast packets:
 received packets: 0, sent packets: 0
 forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
  Request packet: 0
  Reply packet: 0
  Unknown packet: 0
Internet Address is unnumbered, using address of LoopBack0(202.117.23.45/24)
Broadcast address : 202.117.23.255
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
  Echo reply: 0
  Unreachable: 0
  Source quench: 0
  Routing redirect: 0
  Echo request: 0
  Router advert: 0
  Router solicit: 0
  Time exceed: 0
  IP header bad: 0
  Timestamp request: 0
  Timestamp reply: 0
  Information request: 0
  Information reply: 0
  Netmask request: 0
  Netmask reply: 0
  Unknown type: 0

2.5 Configuration Examples

This section provides several IP address configuration examples.

2.5.1 Example for Configuring Primary and Secondary IP Addresses for an Interface

Networking Requirements

As shown in Figure 2-1, Ethernet0/0/0 on the Router is connected to a LAN. On the LAN, two hosts belong to network segment 172.16.1.0/24 and another two hosts belong to network segment 172.16.2.0/24. The Router is required to access the two network segments.

Figure 2-1 Network diagram for configuring IP addresses

[Diagram not reproduced. Labels: network segments 172.16.1.0/24 and 172.16.2.0/24; Router; Ethernet 0/0/0 with 172.16.1.1/24 and 172.16.2.1/24 sub.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Plan IP addresses for interfaces.
2. Configure the primary and secondary IP addresses for an interface.

Data Preparation

To complete the configuration, you need the following data:

• Primary IP address and subnet mask of the interface
• Secondary IP address and subnet mask of the interface

Procedure

Step 1 Configure primary and secondary IP addresses for Ethernet0/0/0 on Router.

<Huawei> system-view
[Huawei] sysname Router
[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] ip address 172.16.1.1 24
[Router-Ethernet0/0/0] ip address 172.16.2.1 24 sub

Step 2 Verify the configuration.

# Ping a host on network segment 172.16.1.0 from the Router. The ping operation succeeds.

<Router> ping 172.16.1.2
  PING 172.16.1.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
  --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms

# Ping a host on network segment 172.16.2.0 from the Router. The ping operation succeeds.

<Router> ping 172.16.2.2
  PING 172.16.2.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms

----End

Configuration Files

Configuration file of the Router

#
 sysname Router
#
interface Ethernet0/0/0
 ip address 172.16.1.1 255.255.255.0
 ip address 172.16.2.1 255.255.255.0 sub
#
return

2.5.2 Example for Configuring IP Address Unnumbered on an Interface


Context

As shown in Figure 2-2, Tunnel0/0/1 of RouterA connects to RouterC by a tunnel. Tunnel0/0/1 of RouterA and Tunnel0/0/1 of RouterC are seldom used. To save IP addresses, Tunnel0/0/1 of RouterA is required to borrow the IP address of Loopback0 on RouterA, and Tunnel0/0/1 of RouterC is required to borrow the IP address of Loopback0 on RouterC.

Figure 2-2 Network diagram of IP address unnumbered

[Figure: devices shown are RouterA, RouterB, RouterC, PC 1, and PC 2. Labels: LoopBack0 6.6.6.6/32, LoopBack0 9.9.9.9/32, Tunnel0/0/1 on each end of the tunnel.]

Configuration Roadmap

The configuration roadmap is as follows:

• Configure IP addresses for Loopback0 interfaces on RouterA and RouterC.
• Configure OSPF.
• On RouterA, configure Tunnel0/0/1 to borrow the IP address of Loopback0.
• On RouterC, configure Tunnel0/0/1 to borrow the IP address of Loopback0.

Data Preparation

To complete the configuration, you need the following data:

• IP address of Loopback0 on RouterA
• IP address of Loopback0 on RouterC

NOTE

This example provides only the configurations of IP address unnumbered.

Procedure

Step 1 Configure RouterA.

# Configure an IP address for Loopback0.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 6.6.6.6 32
[RouterA-LoopBack0] quit

# Configure OSPF.

[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure Tunnel0/0/1 to borrow the IP address of Loopback0.

[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address unnumbered interface loopback 0
[RouterA-Tunnel0/0/1] quit

Step 2 Configure RouterC.

The configuration of RouterC is similar to that of RouterA, and is not mentioned here.

Step 3 Verify the configuration.

# Check the configuration on Tunnel0/0/1 of RouterA.

<RouterA> display ip interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
Directed-broadcast packets:
 received packets: 0, sent packets: 0
 forwarded packets: 0, dropped packets: 0
Internet Address is unnumbered, using address of LoopBack0(6.6.6.6/32)
Broadcast address : 6.6.6.6
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
  Echo reply: 0
  Unreachable: 0
  Source quench: 0
  Routing redirect: 0
  Echo request: 0
  Router advert: 0
  Router solicit: 0
  Time exceed: 0
  IP header bad: 0
  Timestamp request: 0
  Timestamp reply: 0
  Information request: 0
  Information reply: 0
  Netmask request: 0
  Netmask reply: 0
  Unknown type: 0

----End

Configuration Files

• Configuration file of RouterA

#
 sysname RouterA
#
interface LoopBack0
 ip address 6.6.6.6 255.255.255.255
#
interface Tunnel 0/0/1
 ip address unnumbered interface LoopBack0
#
ospf 1
 area 0.0.0.0
  network 6.6.6.6 0.0.0.0
#
return

• Configuration file of RouterC

#
 sysname RouterC
#
interface LoopBack0
 ip address 9.9.9.9 255.255.255.255
#
interface Tunnel 0/0/1
 ip address unnumbered interface LoopBack0
#
ospf 1
 area 0.0.0.0
  network 9.9.9.9 0.0.0.0
#
return


3 Basic IPv6 Configuration

About This Chapter

The IPv6 protocol stack supports routing protocols and application protocols on an IPv6 network.

3.1 Introduction to IPv6
IPv6 is an upgraded version of IPv4 and solves many problems with IPv4.

3.2 IPv6 Supported by the AR150/200
The basic functions of IPv6 include IPv6 address configuration, IPv6 neighbor discovery, router advertisement, ICMPv6 packet control, and Path MTU (PMTU) configuration. The IPv6 protocol stack supports routing protocols and application protocols.

3.3 Configuring an IPv6 Address for an Interface
Assigning an IPv6 address to a device on a network enables the device to communicate with the other devices on the network.

3.4 Configuring IPv6 Neighbor Discovery
IPv6 neighbor discovery (ND) is a packet transmission process to identify the relationship between neighboring nodes. The Neighbor Discovery Protocol (NDP) replaces the Address Resolution Protocol (ARP), ICMP Router Discovery messages, and ICMP Redirect messages, and introduces neighbor reachability detection.

3.5 Configuring IPv4/IPv6 Dual Stacks
To establish an IPv6 over IPv4 tunnel, you need to configure both the IPv4 protocol suite and the IPv6 protocol suite on the devices where an IPv4 network borders an IPv6 network.

3.6 Configuring PMTU
By setting the PMTU, you can select a proper MTU for packet transmission. In this manner, packets do not have to be fragmented during transmission and loads on intermediate devices are reduced. In addition, network resources are used more efficiently and the network throughput reaches the optimal value.

3.7 Configuring TCP6
By setting TCP6 packets, you can improve the performance of the network.

3.8 Maintaining IPv6
This section describes how to maintain IPv6. Detailed operations include deleting information about IPv6 operation and monitoring IPv6 operation.


3.9 Configuration Examples
This section includes the networking requirements, precautions for configuration, and configuration roadmap. An example is used to describe how to configure an IPv6 address and Neighbor Discovery Protocol for an interface.


3.1 Introduction to IPv6

IPv6 is an upgraded version of IPv4 and solves many problems with IPv4.

Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is the standard network protocol of the second generation. It is a set of specifications designed by the Internet Engineering Task Force (IETF). IPv6 is the upgraded version of IPv4. The most remarkable difference between IPv6 and IPv4 is that the IP address lengthens from 32 bits to 128 bits.

3.2 IPv6 Supported by the AR150/200

The basic functions of IPv6 include IPv6 address configuration, IPv6 neighbor discovery, router advertisement, ICMPv6 packet control, and Path MTU (PMTU) configuration. The IPv6 protocol stack supports routing protocols and application protocols.

The AR150/200 supports the IPv6 protocol suite and TCP6 protocol suite.

The AR150/200 supports IPv6 on the following interfaces:

• Ethernet interfaces and sub-interfaces
• Gigabit-Ethernet interfaces and sub-interfaces
• Serial interfaces (Only the Serial interfaces configured with PPP or HDLC as the link protocol support IPv6.)
• POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol support IPv6.)
• Tunnel interfaces
• Loopback interfaces
• Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces
• VLANIF interfaces

IPv6 Address

A 128-bit IPv6 address has the following formats:

• X:X:X:X:X:X:X:X
  In this format, a 128-bit IP address is divided into eight groups. The 16 bits of each group are represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups are separated by colons. Every "X" represents a group of hexadecimal values.

• X:X:X:X:X:X:d.d.d.d
  This format is for the following types of addresses:
  – IPv4-compatible IPv6 address
  – IPv4-mapped IPv6 address
  In this type of address, "X" represents the first six groups of numbers. Each "X" stands for 16 bits that are represented by hexadecimal numbers. "d" represents the subsequent four groups of numbers. Each "d" stands for eight bits that are represented by decimal numbers. "d.d.d.d" is a standard IPv4 address.

An IPv6 address can be divided into two parts:


• Network prefix: equivalent to the network ID of an IPv4 address. It is n bits long.
• Interface identifier: equivalent to the host ID in an IPv4 address. It is 128-n bits long.

Selection of Source and Destination Addresses

When network administrators need to specify or plan a source address and a destination address, they can define a group of address selection rules. An address selection policy table can be created based on these rules. Similar to a routing table, this table can be queried based on the longest match rule. The address is selected based on a source address and a destination address.

IPv6 Neighbor Discovery

The IPv6 neighbor discovery (ND) is a group of messages and processes that define the relationship between neighboring nodes. ND replaces the Address Resolution Protocol (ARP) messages and the Internet Control Message Protocol (ICMP) device discovery messages. It also provides additional functions.

IPv6 PMTU

Generally, the problem that different networks have different Maximum Transmission Units (MTU) can be solved in the following ways:

• Devices fragment packets as required. The source host only needs to fragment packets; however, the intermediate router not only needs to fragment packets, but also to reassemble packets.

• The source host sends packets based on a proper MTU so that packets need not be fragmented on the intermediate router. In such a case, packet processing burden on the intermediate router can be reduced. During IPv6 packet transmission, only this way can be adopted because IPv6 intermediate routers do not support packet fragmentation.

The Path MTU (PMTU) Discovery mechanism aims at finding a proper MTU value on the path from the source to the destination.

IPv6 FIB

Connecting network topologies of different types needs the configuration of different routing protocols. This brings about Routing Information Base (RIB). The RIB is a base of the Forwarding Information Base (FIB). Guided by route management policies, a device extracts a minimum of necessary forwarding information from RIB and adds the information to the FIB. Through the route management module, you can also add static routes into the FIB.

A FIB contains a group of minimum information needed by a device during packet forwarding. An FIB entry usually contains the destination address, prefix length, transport port, next-hop address, route flag, and time stamp. A device forwards packets according to FIB entries.

The FIB mechanism consists of two parts: FIB agent (used on the control plane) and FIB container (used on the forwarding plane). A FIB agent is responsible for interacting with the RM module for delivering FIB entries to the forwarding engine, and to the I/O board in a distributed system.

A FIB contains the following information:

• Destination address: indicates the network or host a packet is destined for.
• Prefix length: indicates the length of the destination address prefix. From the prefix length, you can infer that the destination address is a network address or a host address.
• Nexthop: indicates the address of the close next hop through which the packet reaches the destination.
• Flag(s): identifies route features.
• Interface: indicates the outgoing interface of the packet.
• Timestamp: indicates the time when an FIB entry is established.
• Tunnel ID: indicates the ID of VPN Tunnel.

NOTE

The IPv6 function is used with a license. To use the IPv6 function, apply for and purchase the following license from the Huawei local office:

• AR150&200 Value-Added Data Package

3.3 Configuring an IPv6 Address for an Interface

Assigning an IPv6 address to a device on a network enables the device to communicate with the other devices on the network.

3.3.1 Establishing the Configuration Task

This section describes the applicable environment, pre-configuration tasks, data preparation, and configuration procedure for assigning an IPv6 address to an interface.

Applicable Environment

When a device communicates with an IPv6 device, you need to configure an IPv6 address for the interface. The AR150/200 supports configuring IPv6 addresses for the following interfaces:

• Ethernet interfaces and sub-interfaces
• Tunnel interfaces
• Loopback interfaces
• Eth-Trunk interfaces, Eth-Trunk sub-interfaces (support IPv6 only when they work in Layer 3 mode)
• VLANIF interfaces
• VE interfaces
• VT interfaces

You can configure 10 addresses for one interface. Addresses can be the link-local address and the global unicast address.

The link-local address is used in ND, and in the communication between nodes on the local link in the stateless address auto-configuration. The packets using the link-local address as the source or destination address are not forwarded to other links.

The link-local address can be automatically generated or manually configured. After automatic address generation is enabled, the system automatically generates a link-local address. The link-local address configured manually must be a valid link-local address (FE80::/10).


It is recommended to automatically generate a link-local address because the link-local address is used only for the communication between link-local nodes. Commonly, it is used to implement communication requirements of protocols and is not directly related to the communication between users.

The global unicast address is equivalent to the IPv4 public address. It is used for data forwarding across the public network, which is necessary for the communication between users.

An EUI-64 address has the same function as a global unicast address. The difference is that only the network bits need to be specified for the EUI-64 address and the host bits are transformed from the MAC address of the interface, while a complete 128-bit address needs to be specified for the global unicast address. Note that the prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.

The EUI-64 address and the global unicast address can be configured simultaneously or alternatively. However, the IP addresses configured for one interface cannot be in the same network segment.

Pre-configuration Tasks

Before configuring IPv6 addresses, complete the following tasks:

• Configuring the physical features of the interface and ensuring that the status of the physical layer of the interface is Up
• Configuring the link layer parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure IPv6 addresses for an interface, you need the following data.

No.  Data
1    Number of the interface
2    Link-local address configured manually
3    Global unicast address and prefix length

3.3.2 Enabling IPv6 Packet Forwarding Capability

You can perform other IPv6 configurations on an interface only when IPv6 is enabled in the interface view. To enable IPv6 packet forwarding on an interface, you must configure IPv6 in the system view.

Context

To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the system view and the interface view. This is because:

• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding capability is enabled on a device. The IPv6 function, however, is not enabled on the interface and hence you cannot perform any IPv6 configurations.
• If you run the ipv6 enable command only in the interface view, the IPv6 capability is enabled only on an interface. Therefore, the device cannot forward IPv6 data.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6

The IPv6 packet forwarding capability is enabled.

By default, the IPv6 packet forwarding capability is disabled.

To enable a device to forward IPv6 packets, you must run this command in the system view; otherwise, the device cannot forward IPv6 packets although you enable IPv6 on the interface.

Step 3 Run:
interface interface-type interface-number

The view of the interface to be enabled with the IPv6 capability is displayed.

Step 4 Run:
ipv6 enable

The IPv6 capability is enabled on the interface.

Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability in the interface view.

By default, the IPv6 capability is disabled on the interface.

----End

3.3.3 Configuring an IPv6 Link-Local Address for an Interface

The local address of a link is used in the neighbor discovery protocol, and in the communications between nodes on the local end of the link in stateless address auto-configuration. The local address of a link is valid only for the link. A packet with a link-local address as the source or destination address is forwarded only along the local link.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Perform the following as required.

Run:
ipv6 address auto link-local

Auto generation of the IPv6 link-local address is enabled.

Or

Run:
ipv6 address ipv6-address link-local

The IPv6 link-local address is manually configured.

Besides configuring a link-local address through the preceding two commands, you can also configure a global unicast IPv6 address for auto generating a link-local address. For details, see Configuring an IPv6 Global Unicast Address for an Interface.

----End

3.3.4 Configuring an IPv6 Global Unicast Address for an Interface

A global unicast IP address is equal to an Internet IPv4 address and can be used for links whose route prefixes can be aggregated. In this manner, routing entries can be reduced.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
or
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

The global unicast address is configured on the interface.

----End

3.3.5 Configuring an IPv6 Anycast Address for an Interface

An anycast address is used to identify a group of interfaces.

Context

Anycast addresses and unicast addresses are in the same address range. An anycast address is used to identify a group of interfaces on different nodes.

• Similar to a multicast address, an anycast address is listened to by multiple nodes. Therefore, it is only used as a destination address.
• The packets destined for an anycast address are transmitted to an interface that is in the interface group identified by the anycast address and is closest to the source node. (The distance between an interface and the source node is calculated based on the routing protocol.) The packets destined for a multicast address are transmitted to a group of interfaces with the multicast address.

When the 6to4 tunnel is used for the communication between the 6to4 network and the native IPv6 network, the AR150/200 supports the configuration of an anycast address with the prefix of 2002:c058:6301:: on the tunnel interface of the 6to4 relay route device.

Alternatively, you can configure a 6to4 address on the tunnel interface of the 6to4 relay route device. When multiple 6to4 relay route devices are configured on the network, the difference between the two methods is as follows:

• If a 6to4 address is used, you need to configure different addresses for tunnel interfaces of all devices.
• If an anycast address is used, you need to configure the same address for the tunnel interfaces of all devices. In this manner, the number of addresses is reduced.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

An IPv6 anycast address is assigned to an interface.

----End

3.3.6 Checking the Configuration

You can view the configuration of the IPv6 address for an interface.

Prerequisites

The configurations of the IPv6 addresses are complete.

Procedure

• Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the IPv6 information of an interface.
• Run the display ipv6 statistics command to check the IPv6 packet statistics.

----End

Example

Run the display ipv6 interface command. If the IPv6 address of the interface is displayed, it means that the configuration succeeds. For example:

<Huawei> display ipv6 interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00 [TENTATIVE]
  Global unicast address(es):
    2001::1, subnet is 2001::/64 [TENTATIVE]
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

Run the display ipv6 interface command. If the configured IPv6 address and interface status are displayed, it means that the configuration succeeds.

<Huawei> display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface                    Physical    Protocol
Ethernet2/0/0                up          up
[IPv6 Address] 2030::101:101
Ethernet2/0/1                up          up
[IPv6 Address] 2001::1
LoopBack0                    up          up(s)
[IPv6 Address] Unassigned

Run the display ipv6 statistics command. If the statistics on IPv6 packets is displayed, it means that the configuration succeeds.

<Huawei> display ipv6 statistics
IPv6 Protocol:

  Sent packets:
    Total              : 3630
    Local sent out     : 3630
    Forwarded          : 0
    Raw packets        : 0
    Discarded          : 0
    Fragmented         : 0
    Fragments          : 0
    Fragments failed   : 0
    Multicast          : 0
  Received packets:
    Total              : 3630
    Local host         : 3630
    Hop count exceeded : 0
    Header error       : 0
    Too big            : 0
    Routing failed     : 0
    Address error      : 0
    Protocol error     : 0
    Truncated          : 0
    Option error       : 0
    Fragments          : 0
    Reassembled        : 0
    Reassembly timeout : 0
    Multicast          : 0
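The addressing rules from 3.3.1 can be checked against the display ipv6 interface ethernet 1/0/0 output above. The following Python sketch is an added example, not part of the Huawei guide: it derives the EUI-64 address from a MAC, computes the solicited-node groups an interface should have joined, and flags addresses that share a network segment. The MAC address is an assumption worked back from the link-local address in the output, the function names are hypothetical, and the sketch assumes the auto-generated link-local address uses the EUI-64 interface ID.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID: insert FFFE in the middle, flip the U/L bit."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)  # accepts 0000-0104-5d00 or 00:00:01:04:5d:00
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes.fromhex(digits)
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Address formed from a network prefix plus the MAC-derived host bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("EUI-64 prefix length must not be longer than 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node_group(addr):
    """FF02::1:FFxx:xxxx group built from the low 24 bits of a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def same_segment_pairs(addresses):
    """Pairs of 'address/length' entries whose networks overlap (not allowed on one interface)."""
    ifaces = [ipaddress.IPv6Interface(a) for a in addresses]
    return [(str(a), str(b)) for i, a in enumerate(ifaces) for b in ifaces[i + 1:]
            if a.network.overlaps(b.network)]


def audit_interface(mac, link_local, global_addrs, joined_groups):
    """Compare what the display output shows with what the addressing rules predict."""
    findings = []
    ll = ipaddress.IPv6Address(link_local)
    if ll not in LINK_LOCAL:
        findings.append(f"{ll} is not inside FE80::/10")
    elif ll != eui64_address("fe80::/64", mac):
        findings.append(f"{ll} is not derived from MAC {mac} (manually configured?)")
    joined = {ipaddress.IPv6Address(g) for g in joined_groups}
    for addr in [link_local] + [a.split("/")[0] for a in global_addrs]:
        group = solicited_node_group(addr)
        if group not in joined:
            findings.append(f"solicited-node group {group} for {addr} is not joined")
    for a, b in same_segment_pairs(global_addrs):
        findings.append(f"{a} and {b} are in the same network segment")
    return findings


# Values copied from the display output above. The MAC is an assumption:
# the output does not show it, it is worked back from the link-local address.
SAMPLE = dict(
    mac="0000-0104-5d00",
    link_local="FE80::200:1FF:FE04:5D00",
    global_addrs=["2001::1/64"],
    joined_groups=["FF02::1:FF00:1", "FF02::1:FF04:5D00", "FF02::2", "FF02::1"],
)

if __name__ == "__main__":
    print(eui64_address("fe80::/64", SAMPLE["mac"]))
    print(audit_interface(**SAMPLE) or "output is consistent")
```

An empty findings list means the displayed link-local address and joined groups match what the interface MAC and configured addresses predict; a link-local address that does not match the MAC points to a manually configured one.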

3.4 Configuring IPv6 Neighbor Discovery

IPv6 neighbor discovery (ND) is a packet transmission process to identify the relationship between neighboring nodes. The Neighbor Discovery Protocol (NDP) replaces the Address Resolution Protocol (ARP), ICMP Router Discovery messages, and ICMP Redirect messages, and introduces neighbor reachability detection.


3.4.1 Establishing the Configuration Task

This section describes the applicable environment, pre-configuration tasks, data preparation, and configuration procedure for IPv6 neighbor discovery.

Applicable Environment

After an IPv6 address is configured for a node, the node checks whether this address can be used and does not conflict with any other address. If a node is a host, a router needs to notify the host of the optimal next hop address of a packet to be sent by the host to a specific destination. If a node is a router, it needs to advertise its address, address prefix, and other configuration parameters to instruct hosts to configure parameters. During IPv6 packet forwarding, a node needs to know the neighboring nodes' link-layer addresses and check their reachability. The Neighbor Discovery (ND) function can be used to meet the requirements.

Most of the ND configurations are implemented based on the interfaces.

The IPv6 ND configuration is supported on the following interfaces:

• Ethernet interfaces and sub-interfaces
• Tunnel interfaces
• Eth-Trunk interfaces, Eth-Trunk sub-interfaces
• VLANIF interfaces

Pre-configuration Tasks

Before configuring IPv6 neighbor discovery, complete the following tasks:

• Configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up
• Configuring link layer parameters for the interface
• Configuring the IPv6 address for the interface

Data Preparation

To configure IPv6 neighbor discovery, you need the following data.

No.  Data
1    Number of interface which needs to be configured with IPv6 ND
2    IPv6 address and MAC address of the static neighbor
3    Intervals, prefix, and life duration of RA messages
4    Flag bit of automatic configuration
5    Hop limit of ND
6    Sending times of DAD
7    Intervals for re-transmitting NS messages
8    NUD reachable time
9    Interface MTU

3.4.2 Configuring Static Neighbors

By configuring a static neighbor, you can obtain the mapping of the IPv6 address and MAC address of the neighbor.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run one of the following commands as required:

• To configure a static neighbor entry on a common Layer 3 interface, run the ipv6 neighbor ipv6-address mac-address command.
• To configure a static neighbor entry on a VLANIF interface, run the ipv6 neighbor ipv6-address mac-address vid vlan-id interface-type interface-number command.
• To configure a static neighbor entry on a sub-interface for QinQ VLAN tag termination, run the ipv6 neighbor ipv6-address mac-address vid vid [ cevid cevid ] command.

NOTE
If an interface is configured with dynamic QinQ, you cannot configure a static neighbor entry on it.

Static neighbors can be configured for interfaces and their sub-interfaces. You can configure up to 300 neighbors on each interface.

----End

3.4.3 Enabling RA Message Advertising

After being enabled with router advertisement, the device can send router advertisement messages, providing prefixes for hosts.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 (Optional) Run:
undo ipv6 nd ra halt

The function of advertising RA messages is enabled.

----End

3.4.4 Setting the Interval for Advertising RA Messages

The device periodically sends router advertisement messages containing information such as prefixes and flag bits.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

The interval for advertising RA messages is configured.

By default, the maximum interval is 600 seconds and the minimum interval is 200 seconds.

The maximum interval cannot be shorter than the minimum interval.

When the maximum interval is less than 9 seconds, the minimum interval is set to the same value as the maximum interval.

----End

3.4.5 Configuring the Address Prefixes to Be Advertised

Nodes of the local links can perform address auto-configuration by using prefixes of these addresses.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | ipv6-prefix/ipv6-prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]

The prefix of RA messages is configured.

----End

3.4.6 Configuring Other Information to Be Advertised

A router advertisement message carries information such as the maximum number of hops, prefix option, neighbor hold time, and keepalive time.

Context

Duplicate Address Detection (DAD) is a process of IPv6 automatic address configuration. You can configure the number of DAD messages which are sent continuously.

Set the interval of sending Neighbor Solicitation (NS) messages on the device. By default, the NS retransmission interval is 1000 ms.

Neighbor Unreachability Detection (NUD) checks the reachability of neighbors. By default, the NUD value is 30000 ms.

The MTU of the interface determines whether to fragment IP packets on the interface. Default MTUs vary with interface types. The MTU on an Ethernet interface defaults to 1500 bytes.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6 nd hop-limit limit

ND hop limit is configured.

The value of limit ranges from 1 to 255. By default, it is 64.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed.

Step 4 Run:
ipv6 nd ra hop-limit limit

ND hop limit is configured.

The value of limit ranges from 0 to 255. By default, it is 64.

NOTE

• If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an RA message uses the value configured on the interface.
• If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA message uses the value configured globally, that is, the value configured in the ipv6 nd hop-limit command.

Step 5 Run:
ipv6 nd ra router-lifetime ra-lifetime

The life duration of RA messages is configured.


NOTE

• When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval must be less than or equal to the life duration.

• By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.

• By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration is still 1800 seconds.

Step 6 Run: ipv6 nd dad attempts value

The number of DAD messages to send is configured.

Step 7 Run: ipv6 nd ns retrans-timer interval

The interval for re-sending NS messages is set.

Step 8 Run: ipv6 nd nud reachable-time value

The NUD reachable time is set.

Step 9 Run: ipv6 mtu mtu

The MTU of the interface is configured.

----End

Follow-up Procedure

If the IPv6 MTU value is changed, run the shutdown command and then the undo shutdown command in the interface view for the configuration to take effect.

3.4.7 Configuring the Default Router Priority and Route Information

RA packets that carry the default router priority and route information can be transmitted over the local link. In this manner, a proper router can be selected to forward packets of a host.

Context

If a host is connected to multiple routers, the host must select a router to forward packets based on the destination addresses of packets. The router can advertise the default router priority and specified route information to the host so that the host can select a proper forwarding router based on the destination addresses of packets.

After receiving the RA packets carrying the route information, the host updates its routing table. When sending packets to another device, the host queries the routing table and selects a proper route to send packets.

When receiving the RA packets that carry the priority of default routers, the host updates its default router table. When sending packets to another device, if there is no route to be selected, the host queries the default router table. Then, the host selects a router with the highest priority on the local link to send packets. If the router is faulty, the host selects another router in descending order of priority.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: ipv6 nd ra preference { high | medium | low }

The default router priority is configured in RA packets.

Step 4 Run: ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime [ preference { high | medium | low } ]

Route information is configured in RA packets.

----End
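Because hosts choose their forwarding router from what RA packets advertise, it is worth knowing which interfaces advertise and with what values. The following added example (not part of the Huawei guide) audits a saved configuration before deployment and resolves the interface-over-global hop limit rule from 3.4.6 and the defaults stated in this chapter. The sample configuration is constructed, and two points are assumptions: that an interface sends RA messages only when undo ipv6 nd ra halt is present (as in this guide's neighbor discovery example), and that the file follows the '#'-separated layout of the guide's configuration files.

```python
import re

# Defaults stated in the guide.
DEFAULT_HOP_LIMIT = 64
DEFAULT_ROUTER_LIFETIME = 1800
DEFAULT_PREFERENCE = "medium"

# Constructed sample, laid out like the guide's "Configuration Files" listings.
SAMPLE_CONFIG = """\
#
 sysname RouterA
#
ipv6
ipv6 nd hop-limit 32
#
interface Ethernet1/0/0
 ipv6 enable
 ipv6 address auto link-local
 undo ipv6 nd ra halt
 ipv6 nd ra hop-limit 128
 ipv6 nd ra preference high
#
interface Ethernet2/0/0
 ipv6 enable
 ipv6 address auto link-local
 undo ipv6 nd ra halt
#
interface Ethernet2/0/1
 undo ipv6 nd ra halt
 ipv6 nd ra hop-limit 300
#
return
"""


def sections(config_text):
    """Yield the command lines of each '#'-delimited section."""
    block = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                yield block
            block = []
        elif line and line != "return":
            block.append(line)
    if block:
        yield block


def int_arg(commands, pattern):
    """Integer argument of the first command matching pattern, else None."""
    for cmd in commands:
        match = re.fullmatch(pattern, cmd)
        if match:
            return int(match.group(1))
    return None


def audit_ra(config_text):
    """Return {interface: effective RA settings and issues} for a saved config."""
    system_cmds, interfaces = [], {}
    for block in sections(config_text):
        if block[0].lower().startswith("interface "):
            interfaces[block[0].split(None, 1)[1]] = block[1:]
        else:
            system_cmds.extend(block)

    forwarding = "ipv6" in system_cmds              # 'ipv6' in the system view
    global_hop = int_arg(system_cmds, r"ipv6 nd hop-limit (\d+)")
    report = {}
    for name, cmds in interfaces.items():
        issues = []
        ra_on = "undo ipv6 nd ra halt" in cmds      # assumption: RA halted otherwise
        if_hop = int_arg(cmds, r"ipv6 nd ra hop-limit (\d+)")
        if if_hop is not None:                      # interface value wins (0-255)
            hop, low = if_hop, 0
        elif global_hop is not None:                # else the global value (1-255)
            hop, low = global_hop, 1
        else:
            hop, low = DEFAULT_HOP_LIMIT, 1
        if not low <= hop <= 255:
            issues.append(f"hop limit {hop} outside {low}-255")
        if ra_on and not forwarding:
            issues.append("RA enabled but 'ipv6' missing in system view")
        if ra_on and "ipv6 enable" not in cmds:
            issues.append("RA enabled but 'ipv6 enable' missing on interface")
        lifetime = int_arg(cmds, r"ipv6 nd ra router-lifetime (\d+)")
        pref = DEFAULT_PREFERENCE
        for cmd in cmds:
            match = re.fullmatch(r"ipv6 nd ra preference (high|medium|low)", cmd)
            if match:
                pref = match.group(1)
        report[name] = {
            "sends_ra": ra_on and forwarding and "ipv6 enable" in cmds,
            "hop_limit": hop,
            "router_lifetime": DEFAULT_ROUTER_LIFETIME if lifetime is None else lifetime,
            "preference": pref,
            "issues": issues,
        }
    return report


if __name__ == "__main__":
    for ifname, result in audit_ra(SAMPLE_CONFIG).items():
        print(ifname, result)
```

An interface that reports sends_ra as true with preference high is the one hosts on that link will prefer as their default router, so compare the result against the routers you intend to be gateways.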

3.4.8 Checking the Configuration

You can view the configuration of IPv6 neighbor discovery.

Prerequisites

The configurations of the IPv6 neighbor discovery function are complete.

Procedure

• Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interface-number | vpn-instance vpn-instance-name ] display ipv6 neighbors interface-type interface-number | [ vid vid ] | [ cevid cevid ] command to check the neighbor information in the cache.

• Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the IPv6 information of an interface. If the interface is in the Up state, the configuration is successful.

----End

Example

Run the display ipv6 neighbors command. If the cache of the neighbor information contains neighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.

<Huawei> display ipv6 neighbors ethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e              State : STALE
Interface    : Eth1/0/0                    Age   : 7
VLAN         : 10                          CEVLAN: -
VPN name     : vpn1                        Is Router: TRUE
Secure FLAG  : UN-SECURE

IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e              State : STALE
Interface    : Eth1/0/0                    Age   : 7
VLAN         : 10                          CEVLAN: -
Is Router: TRUE
Secure FLAG  : UN-SECURE
---------------------------------------------------------
Total: 2    Dynamic: 2    Static: 0

Run the display ipv6 interface command. If information about the IPv6 address on the interface is displayed, it means that the configuration succeeds.

<Huawei> display ipv6 interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001::1, subnet is 2001::/64
    5000::A19:A6FF:FECE:7D4B, subnet is 5000::/63
  Joined group address(es):
    FF02::1:FFCE:7D4B
    FF02::2
    FF02::1
    FF02::1:FF00:1
  MTU is 1280 bytes
  ND DAD is disabled
  ND reachable time is 10000 milliseconds
  ND retransmit interval is 10000 milliseconds
  Hosts use DHCP to obtain routable addresses.

Run the display ipv6 interface brief command. If information about the IPv6 address on the interface and interface status are displayed, it means that the configuration succeeds.

<Huawei> display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface                    Physical              Protocol
Ethernet2/0/2                up                    up
[IPv6 Address] 2030::101:101
Ethernet2/0/3                up                    up
[IPv6 Address] 2001::1
LoopBack0                    up                    up(s)
[IPv6 Address] Unassigned

3.5 Configuring IPv4/IPv6 Dual Stacks

To establish an IPv6 over IPv4 tunnel, you need to configure both the IPv4 protocol suite and the IPv6 protocol suite on the devices where an IPv4 network borders an IPv6 network.

3.5.1 Establishing the Configuration Task

This section describes the applicable environment, pre-configuration tasks, data preparation, and configuration procedure for the IPv4/IPv6 dual protocol stack.

Applicable Environment

If a device has both IPv4 and IPv6 connections, the IPv4/IPv6 dual protocol stacks need to be enabled on the device.

Enabling the IPv4/IPv6 dual protocol stacks on the AR150/200 is a simple process. Enable the IPv6 packet forwarding capability in the system view and configure an IPv4 address or IPv6 address on the corresponding interface. The device can then forward IPv4 and IPv6 packets on the corresponding interface.

Pre-configuration Tasks

Before configuring IPv6 tunnels, complete the following tasks:

• Configuring the physical parameters for the interface and ensuring that the status of the physical layer of the interface is Up

• Configuring the link layer parameters for the interface

Data Preparation

To configure IPv4/IPv6 dual stacks, you need the following data.

No. Data

1 Type and number of the interface connected with the IPv4 network

2 IPv4 address and mask of the interface connected with the IPv4 network

3 Type and number of the interface connected with the IPv6 network

4 IPv6 address and prefix of the interface connected with the IPv6 network

3.5.2 Enabling IPv6 Packet Forwarding

To enable IPv6 packet forwarding, you need to enable IPv6 in both the interface view and the system view.

Context

To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the system view and the interface view. This is because:

• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding capability is enabled on a device. The interfaces on the device do not have the IPv6 capability, so you cannot perform any IPv6 configurations on them.

• If you run the ipv6 enable command only in the interface view, the IPv6 capability is enabled only on an interface but the device cannot forward IPv6 data.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6

The IPv6 packet forwarding capability is enabled.


To enable a device to forward IPv6 packets, you must run this command in the system view; otherwise, the device cannot forward IPv6 packets although the interface is configured with an IPv6 address.

By default, the IPv6 packet forwarding capability is disabled.

Step 3 Run: interface interface-type interface-number

The view of the interface to be enabled with the IPv6 capability is displayed.

Step 4 Run: ipv6 enable

The IPv6 capability is enabled on the interface.

Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability in the interface view.

By default, the IPv6 capability is disabled on the interface.

----End

3.5.3 Configuring IPv4 and IPv6 Addresses for the Interface

You need to configure IPv4 and IPv6 addresses separately on the IPv4 and IPv6 networks.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view of the IPv4 network is displayed.

Step 3 Run: ip address ip-address { mask | mask-length }

An IPv4 address is assigned to the interface.

Step 4 Run: quit

Return to the system view.

Step 5 Run: interface interface-type interface-number

The interface view of the IPv6 network is displayed.

Step 6 Perform the following configuration as required.

• Run: ipv6 address auto link-local

The link-local address is set to be automatically generated.

• Run: ipv6 address ipv6-address link-local

The link-local address of the interface is configured.

• Run: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The global unicast address is configured.

• Run: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

The IPv6 EUI-64 address is configured.

----End

3.5.4 Checking the Configuration

You can check the configuration of the IPv4/IPv6 stack.

Prerequisites

The IPv4/IPv6 stack has been configured.

Procedure

• Run the display this command in the interface view to view the information about the IPv4/IPv6 stack.

----End

Example

Run the display this command to view information about the IPv4/IPv6 stack.

[Huawei-Ethernet1/0/0] display this
[V200R002C00]
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ip address 20.1.1.1 255.255.255.0
 ipv6 address 1002::1/64
 ospfv3 1 area 0.0.0.0
#
return

3.6 Configuring PMTU

By setting the PMTU, you can select a proper MTU for packet transmission. In this manner, packets do not have to be fragmented during transmission and loads on intermediate devices are reduced. In addition, network resources are used more efficiently and the network throughput reaches the optimal value.

3.6.1 Establishing the Configuration Task

This section describes the applicable environment, pre-configuration tasks, data preparation, and configuration procedure for configuring the PMTU.


Applicable Environment

By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUs across the network. This avoids packet fragmentation, reduces the burden of the devices, implements efficient usage of network resources and achieves the best throughput.

Pre-configuration Tasks

Before configuring PMTUs, complete the following tasks:

• Configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up

• Configuring the link layer protocol for the interface

Data Preparation

To configure PMTUs, you need the following data.

No. Data

1 IPv6 address and PMTU value to be configured

2 PMTU aging time

3.6.2 Creating Static PMTU Entries

You can configure a static PMTU according to the lowest MTU of the path that a packet is to traverse. This speeds up packet transmission.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 pathmtu ipv6-address [ path-mtu ]

The PMTU value of a specified IPv6 address is configured.

By default, the PMTU of the IPv6 address is 1500 bytes.

• The maximum number of static PMTU entries is 300.

• The maximum number of dynamic and static PMTU entries on the public network is 512 for the AR200 or AR1200, and 1024 for the AR2200 or AR3200.

----End

3.6.3 Configuring PMTU Aging Time

By setting the PMTU aging time, you can change the keepalive time of dynamic PMTU entries in the cache. A static PMTU entry never ages.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 pathmtu age age-time

The aging time of PMTU is configured.

By default, the dynamic PMTU aging time is 10 minutes.

If a static PMTU exists, the dynamic PMTU does not take effect.

----End

3.6.4 Checking the Configuration

You can view the configuration of a PMTU.

Prerequisites

The configurations of the PMTU are complete.

Procedure

• Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to check all PMTU items.

• Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the current MTU of the interface.

----End

Example

Run the display ipv6 pathmtu command. If the destination IPv6 address, the PMTU value, the aging time and type are displayed, it means that the configuration succeeds.

<Huawei> display ipv6 pathmtu all
IPv6 Destination Address    ZoneID  PathMTU  LifeTime(M)  Type
fe80::12                    0       1300     40           Dynamic
2222::3                     0       1280     --           Static
-------------------------------------------------------------------------------
Total: 2    Dynamic: 1    Static: 1

Run the display ipv6 interface command. If the current MTU of the interface is displayed, it means that the configuration succeeds.

<Huawei> display ipv6 interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF04:5D00
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

3.7 Configuring TCP6

By configuring TCP6 parameters, you can improve the performance of the network.

3.7.1 Establishing the Configuration Task

This section describes the applicable environment, pre-configuration tasks, data preparation, and configuration procedure for configuring TCP6.

Applicable Environment

To optimize network performance, you need to adjust the TCP6 parameters.

Pre-configuration Tasks

Before configuring TCP6, complete the following tasks:

• Connecting and configuring the physical features for the interface and ensuring that the status of the physical layer of the interface is Up

• Configuring the link layer protocol parameters for the interface and ensuring that the status of the link layer protocol on the interface is Up

Data Preparation

To configure TCP6, you need the following data.

No. Data

1 Value of TCP6 FIN-WAIT timer

2 Value of TCP6 SYN-WAIT timer

3 Size of TCP6 Sliding Window

3.7.2 Configuring TCP6 Timers

By setting two TCP6 timers, you can control the TCP connection time.

Procedure

Step 1 Run: system-view

The system view is displayed.


Step 2 Run: tcp ipv6 timer syn-timeout timer-value

The TCP6 SYN-WAIT timer is set.

By default, the SYN-WAIT timer is 75s.

Step 3 Run: tcp ipv6 timer fin-timeout timer-value

The TCP6 FIN-WAIT timer is set.

By default, the FIN-WAIT timer is 600s.

----End

3.7.3 Configuring the Size of the TCP6 Sliding Window

By setting the sliding window size for TCP6, you can set the sizes of the receiving buffer and transmitting buffer in the socket. In this manner, you can improve the performance of the network.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: tcp ipv6 window window-size

The size of the TCP6 sliding window is configured.

The size of the TCP6 sliding window ranges from 1 KB to 32 KB. By default, the size of the TCP6 sliding window is 8 KB.

----End

3.7.4 Checking the Configuration

You can view the configuration of TCP6.

Prerequisites

The configurations of the TCP6 function are complete.

Procedure

• Run the display tcp ipv6 statistics command to check related TCP6 statistics.

• Run the display tcp ipv6 status command to check the TCP6 connection status.

• Run the display udp ipv6 statistics command to check related UDP6 statistics.

• Run the display ipv6 socket [ socktype socket-type | task-id task-id socket-id socket-id ] command to check the information of the specified socket.

----End


Example

Run the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statistics commands. If the connection status and statistics of TCP6 and UDP6 are displayed, it means that the configuration succeeds.

<Huawei> display tcp ipv6 statistics
Received packets:
     total: 0
     total(64bit high-capacity counter): 0
     packets in sequence: 0 (0 bytes)
     window probe packets: 0
     window update packets: 0
     checksum error: 0
     offset error: 0
     short error: 0
     duplicate packets: 0 (0 bytes)
     partially duplicate packets: 0 (0 bytes)
     out-of-order packets: 0 (0 bytes)
     packets with data after window: 0 (0 bytes)
     packets after close: 0
     ACK packets: 0 (0 bytes)
     duplicate ACK packets: 0
     too much ACK packets: 0
     packets dropped due to MD5 authentication failure: 0
     packets dropped due to absence of MSO: 0
     packets dropped due to presence of MSO: 0
     packets received with MD5 Signature Option: 0
Sent packets:
     total: 0
     urgent packets: 0
     total(64bit high-capacity counter): 0
     control packets: 0 (including 0 RST)
     window probe packets: 0
     window update packets: 0
     data packets: 0 (0 bytes)
     data packets retransmitted: 0 (0 bytes)
     ACK only packets: 0 (0 delayed)
     packets sent with MD5 Signature Option: 0
Other Statistics:
     retransmitted timeout: 0
     connections dropped in retransmitted timeout: 0
     keepalive timeout: 0
     keepalive probe: 0
     keepalive timeout, so connections disconnected: 0
     initiated connections: 0
     accepted connections: 0
     established connections: 0
     closed connections: 0 (dropped: 0, initiated dropped: 0)

<Huawei> display tcp ipv6 status
* - MD5 Authentication is enabled.
TCP6CB    TID/SoID  Local Address  Foreign Address  State      VPNID
19df05d0  9/3       ::->23         ::->0            Listening  0

<Huawei> display udp ipv6 statistics
Received packets:
     total: 0
     total(64bit high-capacity counter): 0
     checksum error: 0
     shorter than header: 0
     invalid message length: 0
     no socket on port: 0
     no multicast port: 0
     not delivered, input socket full: 0
     input packets missing pcb cache: 0
     packets sent for external pre processing: 1
Sent packets:
     total: 0
     total(64bit high-capacity counter): 0

Run the display ipv6 socket command. If the related socket information is displayed, it means that the configuration succeeds.

<Huawei> display ipv6 socket
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC

SOCK_DGRAM:
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC

SOCK_RAW:

3.8 Maintaining IPv6

This section describes how to maintain IPv6. Detailed operations include deleting information about IPv6 operation and monitoring IPv6 operation.

3.8.1 Resetting IPv6

This section describes clearance of information about IPv6 operation through the reset command.

Context

CAUTION

IPv6 statistics cannot be restored after they are cleared. Confirm the action before you use the command.

Procedure

• Run the reset ipv6 statistics command in the user view to clear statistics of processing IPv6 packets after you confirm it.

• Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clear PMTU entries in the cache after you confirm it.

• Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type interface-number ] | interface-type interface-number [ dynamic | static ] } command in the user view to clear IPv6 neighbor entries in the cache after you confirm it.

• Run the reset ipv6 address-policy command in the user view to clear address selection policy entries.


• Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics after you confirm it.

• Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statistics after you confirm it.

----End

3.9 Configuration Examples

This section includes the networking requirements, precautions for configuration, and configuration roadmap. An example is used to describe how to configure an IPv6 address and Neighbor Discovery Protocol for an interface.

3.9.1 Example for Configuring an IPv6 Address for an Interface

This part provides an example for configuring the IPv6 address of an interface.

Networking Requirement

As shown in Figure 3-1, Router A and Router B are connected through GE interfaces. It is required to configure IPv6 global unicast addresses for the interfaces and test the connectivity between them.

The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and 3001::2/64.

Figure 3-1 Networking diagram of configuring an IPv6 address for an interface

RouterA (Eth 1/0/0, 3001::1/64) ---- RouterB (Eth 1/0/0, 3001::2/64)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable IPv6 forwarding capability on devices.

2. Configure IPv6 global unicast addresses for the interfaces.

Data Preparation

To complete the configuration, you need the following data:

• Global unicast addresses of the interfaces


Procedure

Step 1 Enable IPv6 packet forwarding on Router A and Router B.

# Configure Router A

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6

# Configure Router B

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6

Step 2 Configure IPv6 global unicast addresses for the interfaces.

# Configure Router A.

[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ipv6 enable
[RouterA-Ethernet1/0/0] ipv6 address 3001::1/64
[RouterA-Ethernet1/0/0] quit

# Configure Router B.

[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ipv6 enable
[RouterB-Ethernet1/0/0] ipv6 address 3001::2/64
[RouterB-Ethernet1/0/0] quit

Step 3 Verify the configuration.

If the configuration succeeds, you can view the configured IPv6 global unicast addresses, and the status of the interface and of the IPv6 protocol are both Up.

# Display interface information of Router A.

[RouterA] display ipv6 interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE01:E3
  Global unicast address(es):
    3001::1, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::2
    FF02::1
    FF02::1:FF01:E3
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# Display interface information of Router B.

[RouterB] display ipv6 interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::A19:A6FF:FE9B:6D3B
  Global unicast address(es):
    3001::2, subnet is 3001::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::2
    FF02::1
    FF02::1:FF9B:6D3B
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

# On Router A, ping the global unicast IPv6 address of Router B.

[RouterA] ping ipv6 3001::2
  PING 3001::2 : 56 data bytes, press CTRL_C to break
    Reply from 3001::2
    bytes=56 Sequence=1 hop limit=64 time = 2 ms
    Reply from 3001::2
    bytes=56 Sequence=2 hop limit=64 time = 2 ms
    Reply from 3001::2
    bytes=56 Sequence=3 hop limit=64 time = 2 ms
    Reply from 3001::2
    bytes=56 Sequence=4 hop limit=64 time = 2 ms
    Reply from 3001::2
    bytes=56 Sequence=5 hop limit=64 time = 2 ms

  --- 3001::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms

----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
ipv6
#
interface ethernet1/0/0
 ipv6 enable
 ipv6 address 3001::1/64
#
return

• Configuration file of Router B

#
 sysname RouterB
#
ipv6
#
interface ethernet1/0/0
 ipv6 enable
 ipv6 address 3001::2/64
#
return

3.9.2 Example for Configuring IPv6 Neighbor Discovery

This section describes how to configure IPv6 neighbor discovery.

Networking Requirements

As shown in Figure 3-2, two routers are connected through GE interfaces. Configure IPv6 link-local addresses for the GE interfaces and enable the routers to send RA messages.

Figure 3-2 Networking diagram for IPv6 neighbor discovery

RouterA (Eth1/0/0) ---- RouterB (Eth 1/0/0)

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable IPv6 forwarding capability on the router.
2. Configure the link-local unicast address on Ethernet 1/0/0.
3. Enable the routers to send RA messages on Ethernet 1/0/0.

Data Preparation

To complete the configuration, you need the following data:

• IPv6 link-local address for an interface.

Procedure

Step 1 Enable the IPv6 forwarding capability on the routers.

# Configure RouterA.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6

# Configure RouterB.

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6

Step 2 Configure the link-local unicast address.

# Configure RouterA.

[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ipv6 enable
[RouterA-Ethernet1/0/0] ipv6 address auto link-local

# Configure RouterB.

[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ipv6 enable
[RouterB-Ethernet1/0/0] ipv6 address auto link-local

Step 3 Enable the routers to send RA messages.

# Enable RouterA to send RA messages.

[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] undo ipv6 nd ra halt

# Enable RouterB to send RA messages.

[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] undo ipv6 nd ra halt

Step 4 Verify the configuration.

If the configuration succeeds, you can view the configured link-local unicast addresses. The status of the interfaces and the IPv6 protocol are Up.

# Display information about Ethernet1/0/0 on RouterA.

[RouterA-Ethernet1/0/0] display this ipv6 interface
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE01:E3
  No global unicast address configured
  Joined group address(es):
    FF02::1:FF01:E3
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisement max interval 600 seconds, min interval 200 seconds
  ND router advertisements live for 1800 seconds
  ND router advertisements hop-limit 64
  ND default router preference medium
  Hosts use stateless autoconfig for addresses

# Display information about GE 1/0/0 on RouterB.

[RouterB-Ethernet1/0/0] display this ipv6 interface
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::A19:A6FF:FE9B:6D3B
  No global unicast address configured
  Joined group address(es):
    FF02::1:FF9B:6D3B
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisement max interval 600 seconds, min interval 200 seconds
  ND router advertisements live for 1800 seconds
  ND router advertisements hop-limit 64
  ND default router preference medium
  Hosts use stateless autoconfig for addresses

# Display the neighbor entries of RouterA.

[RouterA] display ipv6 neighbors
-----------------------------------------------------------------------------
IPv6 Address : FE80::A19:A6FF:FE9B:6D3B
Link-layer   : 0819-a69b-6d3b                    State : STALE
Interface    : Eth1/0/0                          Age   : 27
VLAN         : -                                 CEVLAN: -
Is Router    : TRUE
Secure FLAG  : UN-SECURE
-----------------------------------------------------------------------------
Total: 1    Dynamic: 1    Static: 0

# Display information about IPv6 neighbors of RouterB.


[RouterB] display ipv6 neighbors
-----------------------------------------------------------------------------
IPv6 Address : FE80::2E0:FCFF:FE01:E3
Link-layer   : 00e0-fc01-00e3                 State : STALE
Interface    : Eth1/0/0                       Age   : 39
VLAN         : -                              CEVLAN: -
Is Router    : TRUE                           Secure FLAG : UN-SECURE
-----------------------------------------------------------------------------
Total: 1      Dynamic: 1      Static: 0

----End

Configuration Files

• Configuration file of RouterA

#
 sysname RouterA
#
ipv6
#
interface Ethernet1/0/0
 ipv6 enable
 ipv6 address auto link-local
 undo ipv6 nd ra halt
#
return

• Configuration file of RouterB

#
 sysname RouterB
#
ipv6
#
interface Ethernet1/0/0
 ipv6 enable
 ipv6 address auto link-local
 undo ipv6 nd ra halt
#
return


4 DNS Configuration

About This Chapter

This chapter describes the principles and configuration procedures of the Domain Name System (DNS) on the AR150/200, and provides configuration examples.

4.1 DNS Overview
This section describes the DNS concept.

4.2 DNS Features Supported by the AR150/200
The AR150/200 can function as the DNS client, DNS proxy/relay, or dynamic DNS (DDNS) client.

4.3 Configuring a DNS Client
A DNS client uses domain names to communicate with other devices.

4.4 Configuring DNS Proxy or Relay
This section describes how to configure DNS proxy or relay.

4.5 Configuring a DDNS Client
The AR150/200 can function as the DDNS client to dynamically obtain latest mappings between domain names of web sites and IP addresses on the DNS server. This allows your organization to use domain names to access web sites.

4.6 Maintaining DNS
This section describes how to maintain DNS.

4.7 Configuration Examples
This section provides DNS configuration examples.


4.1 DNS Overview
This section describes the DNS concept.

TCP/IP defines IP addresses to locate devices. Because the IP address of a device is difficult to remember, host names in the form of strings are used instead. These host names are in one-to-one mapping with IP addresses, and DNS was developed to provide a translation and query mechanism between IP addresses and host names.

The DNS is a hierarchical naming system that designates meaningful names for devices on the network and sets a DNS server to associate domain names with IP addresses. In this manner, you can use the simple and meaningful domain names instead of the complicated IP addresses.

4.2 DNS Features Supported by the AR150/200
The AR150/200 can function as the DNS client, DNS proxy/relay, or dynamic DNS (DDNS) client.

AR150/200 Functioning as a DNS Client
The AR150/200 can be used as a DNS client. A DNS client provides the following functions:

• Static DNS resolution. Mappings between domain names and IP addresses are configured manually. When a DNS client requests the IP address mapped to a domain name, it searches for the specified domain name in the static DNS table to obtain the mapped IP address.

• Dynamic DNS resolution. A DNS server searches for the IP address mapped to a domain name. When the DNS server receives a query message from a DNS client, it searches for the IP address mapped to the domain name in its DNS database. If no matching entry is found, it sends a query message to an upper-level DNS server. This process continues until the DNS server finds the corresponding IP address or detects that the domain name does not exist. The DNS server then sends a response to the DNS client.

AR150/200 Functioning as a DNS Proxy/Relay
The AR150/200 supports the DNS proxy/relay function. If no DNS server is deployed on a LAN, a DNS client on the LAN can connect to an external DNS server through the AR150/200 enabled with DNS proxy or relay. After the external DNS server translates the domain name of the DNS client to an IP address, the DNS client can access the Internet.

DNS relay is similar to DNS proxy. The difference is that the DNS proxy searches for DNS entries saved in the local cache after receiving DNS query messages from DNS clients. The DNS relay, however, directly forwards DNS query messages to the DNS server, reducing the workload.

AR150/200 Functioning as a DDNS Client
The AR150/200 can function as the DDNS client. After a Layer 3 interface or a VLANIF interface of the AR150/200 is configured as a DDNS client, the AR150/200 notifies the DDNS server about the new IP address when the IP address of the interface enabled with DDNS client changes. The DDNS server dynamically updates the mapping between the domain name and the IP address on the DNS server to ensure that the IP address can be resolved correctly.


4.3 Configuring a DNS Client
A DNS client uses domain names to communicate with other devices.

4.3.1 Establishing the Configuration Task
Before configuring a DNS client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
IP addresses such as 202.112.131.109 are difficult to remember; therefore, most organizations use abbreviations or meaningful names (also called domain names) such as www.sina.com.cn to identify devices. Name resolvers or domain servers resolve mappings between IP addresses and domain names.

A DNS client provides functions of a name resolver and completes resolution between IP addresses and domain names.

If your organization seldom uses domain names to access other devices or there are no available DNS servers, you must configure static DNS entries. To configure static DNS entries, you must know mappings between domain names and IP addresses. When mappings between domain names and IP addresses change, you must manually modify DNS entries.

If your organization uses domain names to access many devices and DNS servers are available, you can configure dynamic DNS entries.

Pre-configuration Tasks
Before configuring a DNS client, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Configuring a DNS server
• Configuring a route between the local routing device and the DNS server

Data Preparation
To configure a DNS client, you need the following data.

No.  Data
1    Domain name and corresponding IP address in a static DNS entry
2    (Optional) IP address of a DNS server
3    (Optional) IP address of the local routing device
4    (Optional) Domain name suffix list


4.3.2 Configuring Static DNS
This section describes how to configure static DNS.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip host host-name ip-address

A static DNS entry is configured.

Each host name can be mapped to only one IP address. When multiple IP addresses are mapped to a host name, only the latest configuration takes effect. If multiple host names need to be resolved, repeat step 2.

----End

4.3.3 Configuring Dynamic DNS
This section describes how to configure dynamic DNS.

Context
To implement dynamic DNS, you need to enable dynamic DNS resolution, configure a DNS server, and configure a source IP address for the local routing device and a domain name suffix. If the local routing device uses an IP address allocated by the DHCP server and the information delivered by the DHCP server to the local routing device contains the DNS server address and the domain name suffix list, you only need to enable dynamic DNS resolution.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dns resolve

Dynamic DNS resolution is enabled.

Step 3 (Optional) Run:
dns server ip-address

The IP address of the DNS server is configured.

Step 4 (Optional) Run:
dns server source-ip ip-address


The source IP address is specified for the local routing device to communicate with the DNS client.

The local routing device uses the specified address to communicate with the DNS server. This ensures communication security.

Step 5 (Optional) Run:
dns domain domain-name

A domain name suffix is configured.

----End

Follow-up Procedure
The system supports a maximum of six DNS servers, one specified source address, and 10 domain name suffixes. If multiple DNS servers are required, repeat step 3. If multiple domain name suffixes are required, repeat step 5.

4.3.4 Checking the Configuration
After completing the DNS client configuration, you can view the configuration.

Procedure
• Run the display ip host command to check static DNS entries.
• Run the display dns server command to check the DNS server configuration.
• Run the display dns domain command to check the domain name suffix configuration.
• Run the display dns dynamic-host command to check dynamic DNS entries.

----End

Example
# Run the display ip host command to view static DNS entries.

<Huawei> display ip host
Host                 Age   Flags    Address
www.3322.org         0     static   10.138.90.34
members.3322.org     0     static   10.138.90.51
checkip.dyndns.com   0     static   10.138.90.51
members.dyndns.org   0     static   10.138.90.51

# Run the display dns server command to view the DNS server configuration.

<Huawei> display dns server
Type:
D:Dynamic    S:Static

DNS Server   Type   IP Address
1            S      10.10.1.1
2            S      10.10.1.2

# Run the display dns domain command to view the domain name suffix configuration.

<Huawei> display dns domain
No   Domain-name
1    com
2    net


# Run the display dns dynamic-host command to view dynamic DNS entries saved in the domain name cache.

<Huawei> display dns dynamic-host
Host                    TTL   Type    Address(es)
sipx.autosrv.com        114   IP      192.168.2.18
sip.autosrv.com         237   IP      192.168.2.61
sip.autonaptr.com       117   IP      192.168.2.19
_sip._tcp.autosrv.com   55    SRV     0 0 0 sipx.autosrv.com
                                      0 0 0 sip.autosrv.com
autonaptr.com           0     NAPTR   101 10 A SIP+D2T sip.autona

4.4 Configuring DNS Proxy or Relay
This section describes how to configure DNS proxy or relay.

4.4.1 Establishing the Configuration Task
Before configuring DNS proxy or relay, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

If no DNS server is deployed on a LAN, a DNS client on the LAN can connect to an external DNS server through the AR150/200 enabled with DNS proxy or relay. After the external DNS server translates the domain name of the DNS client to an IP address, the DNS client can access the Internet.

DNS proxy or relay reduces network management costs. Changing the IP address of the DNS server requires that you change only the configuration on the DNS proxy or relay.

Pre-configuration Tasks

Before configuring DNS proxy or relay, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Configuring a DNS server
• Configuring routes between the local routing device and the DNS client and between the local routing device and the DNS server

Data Preparation
No.  Data
1    IP address of a DNS server
2    (Optional) IP address in response messages for DNS spoofing


3    (Optional) Aging time of DNS entries

4.4.2 Configuring a DNS Server
This section describes how to configure a DNS server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dns resolve

Dynamic DNS resolution is enabled.

Step 3 Run:
dns server ip-address

The IP address of the DNS server that the DNS proxy or relay accesses is configured.

----End

4.4.3 (Optional) Configuring DNS Spoofing
This section describes how to configure DNS spoofing.

Context
If the AR150/200 is enabled with DNS proxy or relay but is not configured with a DNS server address or has no route to the DNS server, it does not forward or respond to DNS query messages from DNS clients. If DNS spoofing is enabled, the AR150/200 uses the configured IP address to respond to all DNS query messages.

In addition to enabling DNS proxy or relay, one of the following conditions must be met to make DNS spoofing take effect:
• No DNS server is configured.
• A DNS server is configured, but dynamic DNS resolution is disabled.
• There is no route to the DNS server.
• There is no source IP address on the outbound interface connected to the DNS server.

If one of the preceding conditions is met, when the DNS proxy or relay receives an address record query, it spoofs reply messages to any DNS query messages using the configured IP address.

Procedure

Step 1 Run:


system-view

The system view is displayed.

Step 2 Run:
dns proxy enable

DNS proxy is enabled.

Or, run:
dns relay enable

DNS relay is enabled.

DNS relay is similar to DNS proxy. The difference is that the DNS proxy searches for DNS entries saved in the local cache after receiving DNS query messages from DNS clients. The DNS relay, however, directly forwards DNS query messages to the DNS server, reducing the workload.

Step 3 Run:
dns spoofing ip-address

DNS spoofing is enabled and an IP address in response messages is specified.

----End

4.4.4 (Optional) Setting the Aging Time of DNS Entries
This section describes how to set the aging time of DNS entries.

Context
When the DNS proxy or relay is attacked, the DNS table becomes full. As a result, the DNS proxy or relay cannot resolve new domain names into IP addresses. To solve the problem, you can set the aging time of DNS entries so that the local routing device can delete expired DNS entries.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dns proxy enable

DNS proxy is enabled.

Or, run:
dns relay enable

DNS relay is enabled.

DNS relay is similar to DNS proxy. The difference is that the DNS proxy searches for DNS entries saved in the local cache after receiving DNS query messages from DNS clients. The DNS relay, however, directly forwards DNS query messages to the DNS server, reducing the workload.


Step 3 Run:
dns forward expire-time time

The aging time is set for DNS entries on the DNS proxy or relay.

By default, the aging time of DNS entries is 60s.

----End

4.4.5 Checking the Configuration
After configuring DNS proxy/relay, you can view the DNS table.

Procedure
• Run the display dns forward table [ source-ip ip-address ] command to check the DNS table.

----End

Example
# Run the display dns forward table [ source-ip ip-address ] command to view the DNS table of the DNS proxy or relay.

<Huawei> display dns forward table
Domain name        : ma.huawei.com
Source IP          : 1.1.1.3
Source port        : 33025
Source packet id   : 42564
Forward packet id  : 1
Retry count        : 2
Query type         : 1
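When the DNS table fills up as described in 4.4.4, the output above shows which client holds the entries. The following Python script is an added example, not part of the Huawei guide: it groups the table by Source IP and proposes the per-client reset dns forward table command. The multi-record layout (each record starting with a "Domain name" line), the four records from 1.1.1.9 and the threshold are assumptions.

```python
"""Summarise `display dns forward table` output per client (added example)."""
from collections import defaultdict

# Field labels as they appear in the section 4.4.5 example output.
FIELDS = {"Domain name", "Source IP", "Source port", "Source packet id",
          "Forward packet id", "Retry count", "Query type"}

# Constructed sample. The first record is the one printed in section 4.4.5;
# the four records from 1.1.1.9 are invented to stand in for a single client
# filling the table. Assumption: every record starts with "Domain name".
SHOWN_RECORD = """\
<Huawei> display dns forward table
Domain name        : ma.huawei.com
Source IP          : 1.1.1.3
Source port        : 33025
Source packet id   : 42564
Forward packet id  : 1
Retry count        : 2
Query type         : 1
"""
INVENTED_RECORDS = "".join(
    f"Domain name        : host{i}.example.com\n"
    f"Source IP          : 1.1.1.9\n"
    f"Source port        : {40000 + i}\n"
    f"Source packet id   : {100 + i}\n"
    f"Forward packet id  : {1 + i}\n"
    f"Retry count        : 0\n"
    f"Query type         : 1\n"
    for i in range(1, 5))
SAMPLE_OUTPUT = SHOWN_RECORD + INVENTED_RECORDS


def parse_forward_table(output):
    """Return one dict per table record, keyed by the field labels."""
    entries, current = [], None
    for line in output.splitlines():
        # Split on the first colon only, so values containing ':' survive.
        label, sep, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if not sep or label not in FIELDS:
            continue  # prompt line, blank line or unknown field
        if label == "Domain name":
            current = {}
            entries.append(current)
        if current is not None:
            current[label] = value
    return entries


def summarise(entries):
    """Per source IP: number of table entries and distinct names queried."""
    names = defaultdict(list)
    for entry in entries:
        src = entry.get("Source IP")
        if src is not None:
            names[src].append(entry.get("Domain name", "").lower())
    return {src: {"entries": len(n), "distinct_names": len(set(n))}
            for src, n in names.items()}


def cleanup_commands(entries, max_entries):
    """Commands (section 4.6.2 syntax) for clients above max_entries.

    max_entries is a site-specific threshold, not a value from the guide.
    """
    summary = summarise(entries)
    return [f"reset dns forward table {src}"
            for src in sorted(summary)
            if summary[src]["entries"] > max_entries]


if __name__ == "__main__":
    table = parse_forward_table(SAMPLE_OUTPUT)
    for src, stats in summarise(table).items():
        print(src, stats)
    for command in cleanup_commands(table, max_entries=3):
        print(command)
```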

4.5 Configuring a DDNS Client
The AR150/200 can function as the DDNS client to dynamically obtain latest mappings between domain names of web sites and IP addresses on the DNS server. This allows your organization to use domain names to access web sites.

4.5.1 Establishing the Configuration Task
Before configuring a DDNS client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
DNS can resolve domain names into IP addresses so that you can use domain names to access network nodes. DNS just provides static mappings between domain names and IP addresses. It cannot dynamically update the mapping when the IP address of a node changes. If you use the original domain name to access the node, you cannot access the node because the IP address mapping the domain name is incorrect.

The AR150/200 can function as the DDNS client. The AR150/200 notifies the DDNS server about the new IP address when the IP address of the interface that provides web services changes.


The DDNS server dynamically updates the mapping between the domain name and the IP address on the DNS server to ensure that the IP address can be resolved correctly.

Pre-configuration Tasks
Before configuring a DDNS client, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Registering routes on the DDNS server Web site
• Configuring a route between the local routing device and the DDNS server

Data Preparation
No.  Data
1    URL in the DDNS server
2    (Optional) Interval for sending DDNS update requests
3    Number of the interface bound to a DDNS policy

4.5.2 Creating a DDNS Policy
Before using DDNS functions, you must create a DDNS policy in the system view.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ddns policy policy-name

A DDNS policy is created and the DDNS policy view is displayed.

----End

4.5.3 Configuring a DDNS Policy
This section describes how to configure a DDNS policy.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ddns policy policy-name

A DDNS policy is created and the DDNS policy view is displayed.

Step 3 Run:
url request-url

The Uniform Resource Locator (URL) in DDNS update requests is specified.

After a DDNS policy is created, enter the URL and specify a DDNS server in the URL. The processes for the AR150/200 to request DDNS updates from different DDNS servers are different; therefore, the URL configuration of DDNS servers is different.

• When the AR150/200 uses HTTP to communicate with the DDNS server provided by the vendor at www.3322.org, the URL in a DDNS update request is:

http://username:[email protected]/dyndns/update'system=dyndns&hostname=<h>&ip=<a>

• When the AR150/200 uses TCP to communicate with the DDNS server provided by the vendor at www.oray.cn, the URL in a DDNS update request is:

oray://username:[email protected]

Step 4 Run:
interval interval-time

The interval for sending DDNS update requests is set.

After the interval for sending DDNS update requests is set in the configured DDNS policy, the AR150/200 sends DDNS update requests at intervals. By default, the interval for sending DDNS update requests is 3600s.

----End

4.5.4 Binding a DDNS Policy to an Interface
You can bind a DDNS policy to an interface to update the mapping between the specified fully qualified domain name (FQDN) and an IP address.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ddns apply policy policy-name fqdn domain-name

The DDNS policy is bound to the interface.


On the AR150/200, DDNS policies can only be bound to Layer 3 interfaces and VLANIF interfaces.

----End

4.5.5 Checking the Configuration
After configuring a DDNS client, you can view the DDNS client configuration.

Procedure
• Run the display ddns policy policy-name command to view DDNS policy information.
• Run the display ddns interface interface-type interface-number command to view DDNS policy information on the interface.

----End

Example
# Run the display ddns policy command to view information about the DDNS policy JackPolicy.

<Huawei> display ddns policy JackPolicy
Policy name : JackPolicy
Policy interval time : 3600
Policy URL : oray://Jack:[email protected]
Policy bind count : 1
===== interface Ethernet1/0/0 ======
Statuses: START
Refresh: enable

# Run the display ddns interface command to view the DDNS policy information on VLANIF 100.

<Huawei> display ddns interface Vlanif 100
===== Policy JackPolicy =======
URL: oray://Jack:[email protected]
Statuses: START
Refresh: enable

4.6 Maintaining DNS
This section describes how to maintain DNS.

4.6.1 Deleting Dynamic DNS Entries of DNS Clients
This section describes how to delete dynamic DNS entries of DNS clients.

Procedure

Step 1 Run the reset dns dynamic-host command to delete dynamic DNS entries of DNS clients.

Dynamic DNS entries cannot be restored after being deleted. Exercise caution when you run the command.

----End


4.6.2 Deleting DNS Entries of the DNS Proxy or Relay
When the DNS proxy or relay is attacked, the DNS table becomes full. The reset dns forward table command can delete all DNS entries.

Procedure

Step 1 Run the reset dns forward table [ ip-address ] command to delete DNS entries of the DNS proxy or relay.

----End

4.6.3 Manually Updating a DDNS Policy
This section describes how to manually update a DDNS policy.

Procedure

Step 1 Run the reset ddns policy policy-name [ interface-type interface-num ] command to update mappings between all the IP addresses and host names in the DDNS policy.

----End

4.7 Configuration Examples
This section provides DNS configuration examples.

4.7.1 Example for Configuring a DNS Client

Networking Requirements
As shown in Figure 4-1, RouterA functions as a DNS client and cooperates with the DNS server. RouterA can access the host at 2.1.1.3/16 by domain name huawei.com. The domain name suffixes are configured as com and net.

Static DNS entries of RouterB and RouterC are configured on RouterA so that RouterA can manage RouterB and RouterC.

NOTE
AR150/200 is RouterA.


Figure 4-1 Network diagram (image not reproduced; nodes shown: RouterA as DNS client, RouterB, RouterC, host huawei.com at 2.1.1.3/16, DNS server at 3.1.1.2/16)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create static DNS entries.
2. Enable DNS resolution.
3. Configure an IP address for the DNS server.
4. Configure a domain name suffix.
5. Configure OSPF.

Data Preparation
To complete the configuration, you need the following data:

• Number and IP address of the interface connecting RouterA and RouterB.
• Domain names of RouterB and RouterC.
• IP address of the DNS server.
• Domain name suffix.

Procedure

Step 1 Configure RouterA.

# Configure an IP address for Eth1/0/0.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface Ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.2 255.255.0.0
[RouterA-Ethernet1/0/0] quit

# Configure OSPF.

[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255


[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Create static DNS entries.

[RouterA] ip host DeviceB 4.1.1.1
[RouterA] ip host DeviceC 4.1.1.2

# Enable DNS resolution.

[RouterA] dns resolve

# Configure an IP address for the DNS server.

[RouterA] dns server 3.1.1.2

# Configure a domain name suffix as net.

[RouterA] dns domain net

# Configure a domain name suffix as com.

[RouterA] dns domain com

NOTE

You must configure OSPF on RouterB and RouterC so that a route between RouterA and the DNS server can be generated. For details about OSPF configurations on RouterB and RouterC, see the configuration files.

Step 2 Verify the configuration.

# Run the ping huawei.com command on RouterA. You can see that the ping operation succeeds and the destination IP address is 2.1.1.3.

<RouterA> ping huawei.com
 Trying DNS server (3.1.1.2)
  PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
    Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
    Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
    Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms

  --- huawei.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/4/6 ms

# Run the display ip host command on RouterA. You can view mappings between host names and IP addresses in static DNS entries.

<RouterA> display ip host
Host      Age   Flags    Address
DeviceB   0     static   4.1.1.1
DeviceC   0     static   4.1.1.2

# Run the display dns dynamic-host command on RouterA. You can view information about dynamic DNS entries in the domain name cache.

<RouterA> display dns dynamic-host
Host         TTL   Type   Address(es)
huawei.com   114   IP     2.1.1.3


NOTE

The TTL field in the command output indicates the time left before a DNS entry is aged out, in seconds.

----End

Configuration Files

Configuration file of RouterA

#
 sysname RouterA
#
 ip host DeviceB 4.1.1.1
 ip host DeviceC 4.1.1.2
#
 dns resolve
 dns server 3.1.1.2
 dns domain net
 dns domain com
#
interface Ethernet 1/0/0
 ip address 1.1.1.2 255.255.0.0
#
ospf 1
 area 0.0.0.0
  network 1.1.0.0 0.0.255.255
#
return

Configuration file of RouterB

#
 sysname RouterB
#
interface LoopBack0
 ip address 4.1.1.1 255.255.255.255
#
interface Ethernet 1/0/0
 ip address 1.1.1.1 255.255.0.0
#
interface Ethernet 2/0/0
 ip address 2.1.1.1 255.255.0.0
#
ospf 1
 area 0.0.0.0
  network 1.1.0.0 0.0.255.255
  network 2.1.0.0 0.0.255.255
  network 4.1.1.1 0.0.0.0
#
return

Configuration file of RouterC

#
 sysname RouterC
#
interface LoopBack0
 ip address 4.1.1.2 255.255.255.255
#
interface Ethernet 1/0/0
 ip address 3.1.1.1 255.255.0.0
#
interface Ethernet 2/0/0
 ip address 2.1.1.2 255.255.0.0


#
ospf 1
 area 0.0.0.0
  network 2.1.0.0 0.0.255.255
  network 3.1.0.0 0.0.255.255
  network 4.1.1.2 0.0.0.0
#
return

4.7.2 Example for Configuring DNS Proxy

Networking Requirements
As shown in Figure 4-2, no DNS server is deployed on NetworkA. Users on NetworkA access the external DNS server to resolve domain names through RouterA enabled with DNS proxy. If the route between RouterA and the DNS server is unreachable, the IP address configured for DNS spoofing is returned.

NOTE
AR150/200 is RouterA.

Figure 4-2 Network diagram for configuring DNS proxy (image not reproduced; nodes shown: NetworkA, RouterA as DNS proxy, RouterB, DNS server at 2.1.1.1/16)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a DNS server.
2. Configure DNS spoofing.

Data Preparation
To complete the configuration, you need the following data:

• IP address of the DNS server.
• Aging time of DNS entries.
• IP address configured by DNS spoofing.

Procedure

Step 1 Configure an IP address for Eth1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 1/0/0


[RouterA-Ethernet1/0/0] ip address 1.1.1.1 255.255.0.0[RouterA-Ethernet1/0/0] quit

Step 2 Configure a DNS server.

# Enable dynamic DNS resolution.

[RouterA] dns resolve

# Configure a DNS server that the DNS proxy or relay access.

[RouterA] dns server 2.1.1.1

# Enable DNS proxy.

[RouterA] dns proxy enable

# Set the aging time of DNS entries to 150s on the DNS proxy or relay.

[RouterA] dns forward expire-time 150

Step 3 Enable DNS spoofing and specify the IP address in response messages as 10.1.1.3.

[RouterA] dns spoofing 10.1.1.3

Step 4 Configure OSPF.

[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

NOTE

You must configure OSPF on RouterB so that a route between RouterA and the DNS server can be generated. For details about OSPF configurations on RouterB, see the configuration file.

Step 5 Verify the configuration.

# Run the display current-configuration command on RouterA to view the DNS proxy configuration.

<RouterA> display current-configuration | include dns
 dns resolve
 dns server 2.1.1.1
 dns proxy enable
 dns spoofing 10.1.1.3
 dns forward expire-time 150

----End

Configuration Files

Configuration file of RouterA

#
 sysname RouterA
#
interface Ethernet 1/0/0
 ip address 1.1.1.1 255.255.0.0
#
 dns resolve
 dns server 2.1.1.1
 dns proxy enable
 dns forward expire-time 150
#
 dns spoofing 10.1.1.3
#
ospf 1
 area 0.0.0.0
  network 1.1.0.0 0.0.255.255
#
return

Configuration file of RouterB

#
 sysname RouterB
#
interface Ethernet 1/0/0
 ip address 1.1.1.2 255.255.0.0
#
interface Ethernet 2/0/0
 ip address 2.1.1.2 255.255.0.0
#
ospf 1
 area 0.0.0.0
  network 1.1.0.0 0.0.255.255
  network 2.1.0.0 0.0.255.255
#
return

4.7.3 Example for Configuring a DDNS Client

Networking Requirements

As shown in Figure 4-3, the domain name of RouterA is www.abc.com. RouterA obtains an IP address from the DHCP server; therefore, the IP address may change. In this case, you must enable the DDNS client function to obtain the latest mapping between the domain name and the IP address. The DDNS service provider www.oray.com is used as the DDNS server. RouterA functions as the DDNS client to send a request to the DDNS server when the IP address of RouterA changes. Then the DDNS server instructs the DNS server to reconfigure the mapping between the domain name and the IP address.

NOTE

AR150/200 is RouterA.

Figure 4-3 Network diagram

[Network diagram: RouterA (DDNS client, Eth1/0/0 1.1.1.2/16) connects to RouterB (Eth1/0/0 1.1.1.1/16, Eth2/0/0 2.1.1.1/16, Loopback0 4.1.1.1/32), which connects to RouterC (Eth2/0/0 2.1.1.2/16, Eth1/0/0 3.1.1.1/16, Loopback0 4.1.1.2/32). The DDNS server is at 2.1.1.3/16 and the DNS server at 3.1.1.2/16.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Create a DDNS policy.
2. Configure the URL for the DDNS server.
3. Set the interval for sending DDNS update requests.
4. Bind a DDNS policy to an interface.

Data Preparation

To complete the configuration, you need the following data:

• Domain name of RouterA
• URL of the DDNS server
• User name and password for the DDNS client to log in to the DDNS server
• Interval for sending DDNS update requests

Procedure

Step 1 Configure RouterA.

# Create a DDNS policy.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ddns policy mypolicy

# Configure the URL of the DDNS server.

[RouterA-ddns-policy-mypolicy] url oray://steven:[email protected]

# Set the interval for sending DDNS update requests.

[RouterA-ddns-policy-mypolicy] interval 3600
[RouterA-ddns-policy-mypolicy] quit

# Enable DNS resolution.

[RouterA] dns resolve

# Configure an IP address for the DNS server.

[RouterA] dns server 3.1.1.2

# Bind the DDNS policy to Eth1/0/0.

[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.2 255.255.0.0
[RouterA-Ethernet1/0/0] ddns apply policy mypolicy fqdn www.abc.com
[RouterA-Ethernet1/0/0] quit

After the configuration is complete, when the IP address of Eth1/0/0 changes, RouterA instructs the DNS server, through the DDNS server, to establish a mapping between the domain name www.abc.com and the new IP address. In this way, users on the Internet can resolve the domain name www.abc.com to the new IP address.

# Configure OSPF.

[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

NOTE

To implement communication between the DDNS client, DDNS server, and the DNS server, configure OSPF on RouterB and RouterC. For details about OSPF configurations on RouterB and RouterC, see the configuration files.

Step 2 Verify the configuration.

# Run the display ddns policy mypolicy command on RouterA, and you can view information about the DDNS policy named mypolicy.

<RouterA> display ddns policy mypolicy
Policy name : mypolicy
Policy interval time : 3600
Policy URL : oray://steven:[email protected]
Policy bind count : 1
===== interface Ethernet1/0/0 ======
 Statuses: ESTABLISH
 Refresh: enable

# Run the display ddns interface ethernet 1/0/0 command on RouterA, and you can view information about the DDNS policy on Eth1/0/0.

<RouterA> display ddns interface ethernet 1/0/0
===== Policy mypolicy =======
 URL: oray://steven:[email protected]
 Statuses: ESTABLISH
 Refresh: enable

----End

Configuration Files

Configuration file of RouterA

#
 sysname RouterA
#
ddns policy mypolicy
 url oray://steven:[email protected]
#
interface Ethernet1/0/0
 ip address 1.1.1.2 255.255.0.0
 ddns apply policy mypolicy fqdn www.abc.com
#
ospf 1
 area 0.0.0.0
  network 1.1.0.0 0.0.255.255
#
return

Configuration file of RouterB

#
 sysname RouterB
#
interface LoopBack0
 ip address 4.1.1.1 255.255.255.255
#
interface Ethernet1/0/0
 ip address 1.1.1.1 255.255.0.0
#
interface Ethernet2/0/0
 ip address 2.1.1.1 255.255.0.0
#
ospf 1
 area 0.0.0.0
  network 1.1.0.0 0.0.255.255
  network 2.1.0.0 0.0.255.255
  network 4.1.1.1 0.0.0.0
#
return

Configuration file of RouterC

#
 sysname RouterC
#
interface LoopBack0
 ip address 4.1.1.2 255.255.255.255
#
interface Ethernet1/0/0
 ip address 3.1.1.1 255.255.0.0
#
interface Ethernet2/0/0
 ip address 2.1.1.2 255.255.0.0
#
ospf 1
 area 0.0.0.0
  network 2.1.0.0 0.0.255.255
  network 3.1.0.0 0.0.255.255
  network 4.1.1.2 0.0.0.0
#
return

5 NAT Configuration

About This Chapter

Network Address Translation (NAT) translates private addresses into public addresses. It conserves IPv4 addresses and improves network security by shielding the private network topology.

5.1 NAT Overview
NAT enables hosts on a private network to access the public network.

5.2 NAT Features Supported by the AR150/200
The AR150/200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.

5.3 Configuring NAT
To implement communication between the private network and the public network through NAT, use Easy IP for a single user and an address pool for multiple users.

5.4 Configuration Examples
This section provides several configuration examples of NAT.

5.1 NAT Overview

NAT enables hosts on a private network to access the public network.

Private Network Address and Public Network Address

A private network address, which is also called a private address, is the IP address of an internal network or host. A public network address, which is also called a public address, is a unique IP address on the Internet. The Internet Assigned Numbers Authority (IANA) defines the following IP addresses as private addresses:

• Class A: 10.0.0.0-10.255.255.255
• Class B: 172.16.0.0-172.31.255.255
• Class C: 192.168.0.0-192.168.255.255

After planning the scale of the intranet, an enterprise chooses the proper private address segment. The private address segments of enterprises can overlap each other. If an intranet does not use IP addresses in the defined private address segments, errors may occur during communication with other networks.

Principle of NAT

As shown in Figure 5-1, the private address must be translated when a host on a private network accesses the Internet or interworks with the hosts on a public network.

Figure 5-1 Networking of NAT

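[Network diagram: hosts on the internal network (PC 10.1.1.10, WWW client 10.1.1.48, and other PCs) reach the external network through the router, whose public address is 203.196.3.23. The WWW server on the external network is 202.18.245.251.]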

The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. The host 10.1.1.48 on the private network accesses the server 202.18.245.251 on the public network in Web mode.

The host sends a data packet, and uses port 6084 as the source port and port 80 as the destination port. After the address is translated, the source address/port of the packet is changed to 203.196.3.23:32814, and the destination address/port remains unchanged. The AR150/200 maintains a mapping table between addresses and ports.

After the web server responds to the host, the AR150/200 translates the destination IP address/port in the returned data packet to 10.1.1.48:6084. In this way, the host on the private network can access the server on the public network.

5.2 NAT Features Supported by the AR150/200

The AR150/200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.

Static NAT

Static NAT maps a private address to a public address. That is, the number of private addresses is equal to the number of public addresses. Static NAT cannot save public addresses, but can shield the topology of the private network.

When a packet is sent from a private network to the public network, static NAT translates the source IP address of the packet to a public address. When the public network returns a response, static NAT translates the destination IP address of the response packet to the private address.

PAT

Port address translation (PAT), which is also called network address port translation (NAPT), maps a public address to multiple private addresses. Therefore, public addresses are saved. PAT translates source IP addresses of packets from hosts that reside on the private network to a public address. The translated port numbers of these packets are different, and the private addresses can share a public address.

A mapping table between private addresses and ports is configured for PAT. Before packets from different private addresses are sent to the public network, the PAT-enabled device replaces the source addresses with the same public address. The source port numbers of the packets, however, are replaced with different port numbers. When the public network returns response packets to private networks, the PAT-enabled device translates the destination IP addresses to private addresses according to the port numbers. Figure 5-2 shows how PAT translates IP addresses and port numbers.

Figure 5-2 PAT working process

[Diagram: hosts 192.168.1.3 and 192.168.1.2 send datagrams through the PAT-enabled router, which rewrites the source address and port as follows.]

Datagram   Source before PAT    Source after PAT
1          192.168.1.3:23       202.169.10.1:10023
2          192.168.1.3:80       202.169.10.1:10080
3          192.168.1.2:23       202.169.10.1:11023
4          192.168.1.2:80       202.169.10.1:11080

Internal Server

NAT can shield internal hosts. In applications, users on the public network may need to access the internal hosts. For example, users on the public network need to access a Web server or a file transfer protocol (FTP) server.

NAT allows you to flexibly configure IP addresses for internal servers. For example, you can use 202.110.10.10 or even 202.110.10.12:8080 as the public address of a Web server, and use 202.110.10.11 as the public address of an FTP server. Multiple servers (Web servers for example) can be provided for external users.

You can configure an internal server and map the public address and port to the internal server. In this way, hosts on the public network can access the internal server.

NAT Mapping

The NAT function saves IPv4 addresses and improves network security. NAT implementation of different vendors may be different; therefore, the applications using the simple traversal of UDP through NAT (STUN), traversal using relay NAT (TURN), and Interactive Connectivity Establishment (ICE) technologies may fail to traverse the NAT devices of these vendors. These technologies are commonly used on the SIP proxy. NAT mapping enables these applications to traverse the NAT devices.

NAT Filtering

A NAT device filters the traffic from external network to internal network. After a host on the internal network sends an access request to a host on the external network, the host on the external network transmits traffic to the internal host. The NAT device filters the traffic sent to the internal host.

Easy IP

Easy IP takes the public IP address of the interface as the source address after NAT is performed. In addition, it uses the Access Control List (ACL) to control the private addresses to be translated.

NAT ALG

Some protocols are sensitive to the NAT function and cannot work correctly without special processing. Packets of these protocols contain the IP address and/or port number in the payload, which affects protocol interaction.

The NAT ALG function allows such protocol packets to traverse NAT devices. It replaces the IP address and port number in the payload to implement transparent transmission and relay of protocol packets. The NAT ALG of the AR150/200 supports the domain name system (DNS), FTP, Real-Time Streaming Protocol (RTSP) and Session Initiation Protocol (SIP).

Twice NAT

Basic NAT translates only the source or destination address of packets, whereas twice NAT translates both the source and destination addresses. The twice NAT technology applies to the scenario where IP addresses of hosts on private and public networks overlap. As shown in Figure 5-3, the IP address of PC1 on the private network is the same as the IP address of PC3 on the public network. If PC2 on the private network sends a packet to PC3, the packet will be forwarded to PC1. Twice NAT translates the overlapping IP address into a unique temporary address (based on basic NAT) according to the mapping between the overlapping address pool and the temporary address pool. In this way, packets can be forwarded correctly.

Figure 5-3 Networking of twice NAT

[Network diagram. Labels: PC 1 (10.0.0.1/24), PC 2 (10.0.0.1/24), Router, DNS Server, PC 3 (www.web.com, 10.0.0.1/24).]

You can configure twice NAT on the AR150/200 as follows:

1. Configure basic NAT (many-to-many NAT): Configure a NAT address pool that contains IP addresses 200.0.0.1 to 200.0.0.100 and apply it to the interface connecting to the WAN.

2. Configure the mapping from overlapping addresses to temporary addresses: 10.0.0.0 to 3.0.0.0.

The mapping indicates that one overlapping address pool maps one temporary address pool. The translation rules are as follows:

Temporary address = Start IP address in the temporary address pool + (Overlapping IP address - Start IP address in the overlapping address pool)

Overlapping address = Start IP address in the overlapping address pool + (Temporary IP address - Start IP address in the temporary address pool)

When PC2 on the private network accesses PC3 on the public network using the domain name, packets are processed as follows:

1. PC2 sends a DNS request for resolving the domain name www.web.com of the web server. After the DNS server resolves the DNS request, the AR150/200 receives the response packet from the DNS server. The AR150/200 resolves the address 10.0.0.1 in the payload of the response packet and detects that the address is an overlapping address (it is in the overlapping address pool). The AR150/200 translates the address 10.0.0.1 into the temporary address 3.0.0.1, and translates the destination address of the response packet using basic NAT. Then the AR150/200 sends the packet to PC2.

2. PC2 sends an access request packet with the temporary address 3.0.0.1 corresponding to www.web.com to access the public network. When the packet reaches the AR150/200, the AR150/200 translates the source address of the packet using basic NAT and then translates the destination address (temporary address) to the overlapping address 10.0.0.1.

3. The AR150/200 sends the packet to the WAN-side outbound interface. The packet is then forwarded to PC3 hop by hop.

4. When the packet sent from PC3 to PC2 reaches the AR150/200, the AR150/200 checks the source address 10.0.0.1, which is the overlapping address (it is in the overlapping address pool). The AR150/200 translates the source address to the temporary address 3.0.0.1, and translates the destination address using basic NAT. Then the AR150/200 sends it to PC2.
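
The translation rules and the four-step packet walk above, as an added Python model (not Huawei's implementation and not code from this guide). It uses the guide's pools (overlapping pool starting at 10.0.0.0, temporary pool starting at 3.0.0.0, NAT address pool 200.0.0.1 to 200.0.0.100); the pool length of 255, PC2's address 10.0.0.2, and all class and function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.IPv4Address


@dataclass(frozen=True)
class OverlapMap:
    """One overlapping-pool to temporary-pool mapping (hypothetical model)."""
    overlap_start: ipaddress.IPv4Address
    temp_start: ipaddress.IPv4Address
    length: int

    def __post_init__(self):
        # The guide limits each pool to 255 consecutive addresses.
        if not 1 <= self.length <= 255:
            raise ValueError("pool length must be between 1 and 255")

    def _offset(self, addr, start):
        # Position of addr inside the pool, or None when it lies outside.
        off = int(addr) - int(start)
        return off if 0 <= off < self.length else None

    def to_temporary(self, addr):
        """Temporary = temp_start + (overlapping - overlap_start)."""
        off = self._offset(addr, self.overlap_start)
        return None if off is None else self.temp_start + off

    def to_overlapping(self, addr):
        """Overlapping = overlap_start + (temporary - temp_start)."""
        off = self._offset(addr, self.temp_start)
        return None if off is None else self.overlap_start + off


class TwiceNat:
    """Basic NAT (address only, no port translation) plus one overlap mapping."""

    def __init__(self, omap, pool_first, pool_last):
        self.omap = omap
        self.free = [ip(n) for n in range(int(pool_first), int(pool_last) + 1)]
        self.to_public = {}   # private source -> public address
        self.to_private = {}  # public address -> private source

    def dns_answer(self, answer):
        """Step 1: rewrite an overlapping address found in a DNS response payload."""
        temp = self.omap.to_temporary(answer)
        return answer if temp is None else temp

    def outbound(self, src, dst):
        """Steps 2-3: source via basic NAT, temporary destination back to the real one."""
        if src not in self.to_public:
            if not self.free:
                raise RuntimeError("NAT address pool exhausted")
            public = self.free.pop(0)
            self.to_public[src] = public
            self.to_private[public] = src
        real = self.omap.to_overlapping(dst)
        return self.to_public[src], (dst if real is None else real)

    def inbound(self, src, dst):
        """Step 4: overlapping source to temporary, public destination to private."""
        private = self.to_private.get(dst)
        if private is None:
            return None  # no basic-NAT entry for this public address: not forwarded
        temp = self.omap.to_temporary(src)
        return (src if temp is None else temp), private


def walkthrough():
    """Replay the PC2 -> www.web.com exchange; returns the result of each step."""
    omap = OverlapMap(ip("10.0.0.0"), ip("3.0.0.0"), 255)  # length 255 is assumed
    nat = TwiceNat(omap, ip("200.0.0.1"), ip("200.0.0.100"))
    pc2 = ip("10.0.0.2")  # assumed address for PC2
    answer = nat.dns_answer(ip("10.0.0.1"))          # DNS answer carries PC3's address
    request = nat.outbound(pc2, answer)              # PC2 connects to the temporary address
    reply = nat.inbound(ip("10.0.0.1"), request[0])  # PC3 replies to PC2's public address
    return answer, request, reply


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Addresses outside either pool pass through the overlap mapping untranslated, so a wrong pool start or length leaves the overlapping address in place and the packet is delivered to the local host rather than the remote one.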

Source Address Associated with the VPN Before NAT Is Performed

The NAT-enabled AR150/200 allows users on private networks to access the public network and allows users in different VPNs to access the public network through the same egress. In addition, users in the VPNs with the same IP address can access the public network.

NAT Server Associated with VPNs

The NAT-enabled AR150/200 supports association between VPNs and NAT server, and allows users on the public network to access hosts in the VPNs. This function is applicable when IP addresses of multiple VPNs overlap.

5.3 Configuring NAT

To implement communication between the private network and the public network through NAT, use Easy IP for a single user and an address pool for multiple users.

5.3.1 Establishing the Configuration Task

Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

NAT must be configured at the boundary between the private network and the public network so that it can translate private and public addresses.

Pre-configuration Tasks

Before configuring NAT, complete the following task:

• Creating a basic ACL or an advanced ACL and configuring ACL rules

Data Preparation

To configure NAT, you need the following data.

No.  Data
1    Number of the public address pool, start IP address, and end IP address
2    Number of the basic ACL or advanced ACL
3    Information about the internal server, including the protocol type, public address, public port number, private address (the VPN instance may be included), and (optional) private port number
4    Information about static NAT, including the protocol type, public address, public port number, private address (the VPN instance may be included), (optional) private port number, and subnet mask
5    Index of the overlapping address pool and temporary address pool, start IP address, address pool length, and (optional) VPN instance
6    Domain name, public address, and public port number

5.3.2 Configuring an Address Pool

Configure a NAT address pool when multiple users on the private network need to access the public network.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat address-group group-index start-address end-address

A public address pool is configured.

A public address pool is a set of public addresses. When performing NAT on data packets from the private network, the AR150/200 selects an IP address from the address pool as the source address.

The public address pool IDs are numerals. Up to 8 address pools can be configured.

By default, no public address pool is configured on the AR150/200.

----End

5.3.3 Associating an ACL with an Address Pool

Network administrators can use ACLs to control which users can access public networks using NAT.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]

An ACL is associated with an address pool.

After an ACL is associated with an address pool, the AR150/200 translates source addresses of data packets matching the ACL to an IP address in the address pool. Different IP address translation entries can be configured on an interface.

In the command, no-pat indicates one-to-one NAT, that is, only the IP address is translated and the port number is not translated.

----End

5.3.4 Configuring Easy IP

Easy IP uses an interface IP address as the source address of data packets matching an ACL.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]

Easy IP is configured.

----End

5.3.5 Configuring an Internal Server

Deploying a server on the private network improves security of the server and prevents attacks from the public network. Users on the private and public networks can access the server.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

• nat server protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

• nat server protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

• nat server [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]

An internal server is configured.

Users on the public network can access the configured internal server. When a host on the public network sends a connection request to the public address (global-address) of the internal server, NAT translates the destination address of the request to a private address (host-address). The AR150/200 then forwards the request to the server.

NOTE

When configuring an internal server, ensure that global-address and host-address are different from interface IP addresses and IP addresses in the user address pool.

----End

5.3.6 Configuring Static NAT

Static NAT maps a private address to a public address. Static NAT does not save public addresses but shields the private network topology.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

• nat static protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

• nat static protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

• nat static [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

Static NAT is configured.

NOTE

When configuring static NAT, ensure that global-address and host-address are different from interface IP addresses and IP addresses in the user address pool.

----End

5.3.7 Enabling NAT ALG

Errors may occur when NAT translates protocol packets encapsulated in IP data packets. The NAT ALG function ensures that the protocol packets are translated successfully.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat alg { all | dns | ftp | rtsp | sip } enable

The NAT ALG function is enabled.

After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT server. The application protocol cannot work without the NAT ALG function.

In the command, all indicates that NAT traversal applies to the DNS, FTP, SIP, and RTSP protocols.

----End

5.3.8 Configuring NAT Filtering

A NAT device filters the traffic from external network to internal network. After an internal host sends an access request to an external host, the external host transmits traffic to the internal host. The NAT device filters the traffic sent to the internal host.

Context

NAT filtering has the following modes:

• Endpoint-independent filtering
• Address-dependent filtering
• Address and port-dependent filtering

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

The NAT filtering mode is set.

NAT filtering applies to the traffic from an external network to an internal network. The default mode is endpoint-and-port-dependent. In this mode, the system uses the source IP address, source port, destination IP address, destination port, and protocol number as the index to search the NAT mapping table.

----End

5.3.9 Configuring NAT Mapping

NAT mapping allows applications using the STUN, TURN, and ICE technologies to traverse the NAT server.

Context

The NAT function saves IPv4 addresses and improves network security. NAT mapping has the following modes:

• Endpoint-independent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.

• Address-dependent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address, regardless of the external port.

• Address and port-dependent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat mapping-mode endpoint-independent [ tcp | udp ] [ dest-port port-number ]

The NAT mapping mode is set.

NAT mapping applies to the traffic from an internal network to an external network. The default mode is address and port-dependent mapping.

----End
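
The filtering modes of 5.3.8 and the mapping modes of 5.3.9, as an added Python model (not Huawei's implementation and not code from this guide) that shows which external hosts can reach a mapped port under each mode. It reuses the addresses from the 5.1 example (10.1.1.48:6084, 203.196.3.23:32814, 202.18.245.251:80); the mode names follow the Context lists rather than the CLI keywords, and the sequential port allocator, the two extra remote endpoints, and all class and function names are assumptions.

```python
from itertools import count

MODES = ("endpoint-independent", "address-dependent", "address-and-port-dependent")


def flow_key(mode, internal, remote):
    """Reduce a flow to what `mode` treats as the same flow.

    The protocol number, which the device also indexes on, is left out:
    this model tracks a single protocol.
    """
    if mode == "endpoint-independent":
        return (internal,)
    if mode == "address-dependent":
        return (internal, remote[0])
    if mode == "address-and-port-dependent":
        return (internal, remote[0], remote[1])
    raise ValueError(f"unknown mode: {mode}")


class Napt:
    """PAT on one public address with selectable mapping and filtering modes."""

    def __init__(self, public_ip, mapping_mode, filter_mode, first_port=32814):
        self.public_ip = public_ip
        self.mapping_mode = mapping_mode
        self.filter_mode = filter_mode
        self.next_port = count(first_port)  # constructed allocator: sequential ports
        self.port_for = {}  # mapping key -> public port
        self.owner = {}     # public port -> internal (ip, port)
        self.opened = {}    # public port -> filter keys opened by outbound packets

    def outbound(self, internal, remote):
        """Translate an outbound packet; returns the public (ip, port) it leaves with."""
        key = flow_key(self.mapping_mode, internal, remote)
        port = self.port_for.get(key)
        if port is None:
            port = next(self.next_port)
            self.port_for[key] = port
            self.owner[port] = internal
            self.opened[port] = set()
        self.opened[port].add(flow_key(self.filter_mode, internal, remote))
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the internal (ip, port) an inbound packet reaches, or None if filtered."""
        internal = self.owner.get(public_port)
        if internal is None:
            return None  # no mapping on this port
        if flow_key(self.filter_mode, internal, remote) not in self.opened[public_port]:
            return None  # mapping exists, but this remote endpoint was never contacted
        return internal


HOST = ("10.1.1.48", 6084)                    # internal host from the 5.1 example
SERVER = ("202.18.245.251", 80)               # web server from the 5.1 example
SAME_IP_OTHER_PORT = ("202.18.245.251", 8080)  # constructed
OTHER_HOST = ("198.51.100.7", 4444)           # constructed (documentation range)


def inbound_exposure(filter_mode):
    """After HOST contacts SERVER once, which remote endpoints can send traffic back in?"""
    nat = Napt("203.196.3.23", "address-and-port-dependent", filter_mode)
    _, port = nat.outbound(HOST, SERVER)
    probes = {"server": SERVER, "same-ip-other-port": SAME_IP_OTHER_PORT,
              "other-host": OTHER_HOST}
    return {name: nat.inbound(remote, port) is not None for name, remote in probes.items()}


def ports_used(mapping_mode):
    """Public ports allocated when HOST contacts three different remote endpoints."""
    nat = Napt("203.196.3.23", mapping_mode, "address-and-port-dependent")
    return [nat.outbound(HOST, r)[1] for r in (SERVER, SAME_IP_OTHER_PORT, OTHER_HOST)]


if __name__ == "__main__":
    for mode in MODES:
        print(mode, inbound_exposure(mode), ports_used(mode))
```

With address and port-dependent filtering only the contacted server endpoint passes back in, whereas endpoint-independent filtering admits any external host to the mapped port, which is the exposure to weigh when relaxing the mode for STUN, TURN, or ICE traversal.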

5.3.10 Configuring DNS Mapping

A private network may deploy different servers such as FTP servers and web servers, but has no DNS server deployed. If hosts on the private network need to differentiate and access servers using domain names, configure DNS mapping.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat dns-map domain-name global-address global-port { tcp | udp }

The mapping from a domain name to a public IP address, port number, and protocol type is configured.

Up to 32 mapping entries can be configured on the AR150/200.

Step 3 Run:
nat alg { all | dns | ftp | rtsp | sip } enable

The NAT ALG function is enabled for DNS.

CAUTION

The NAT ALG function allows hosts on a private network to access servers on the private network through the external DNS server.

----End

5.3.11 Configuring Twice NAT

Twice NAT translates both the source and destination IP addresses of a data packet. It applies to the situation where IP addresses of internal hosts and external hosts overlap.

Context

When IP addresses of internal hosts and external hosts overlap, configure the mapping between the overlapping address pool and the temporary address pool. Then the overlapping address is translated to a unique temporary address and packets can be forwarded correctly. In addition, configure outbound NAT to implement twice NAT.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

Twice NAT is configured.

The overlapping address pool and temporary address pool contain consecutive IP addresses. The lengths of the two address pools are the same, and up to 255 IP addresses can be configured in each of the two address pools.

Up to 8 mapping entries between the overlapping address pool and the temporary address pool can be configured.

When the VPN instance in the NAT mapping is deleted, the twice NAT configuration is also deleted.

----End
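The following Python check is an added example, not code from the guide or from Huawei. It parses nat overlap-address commands, applies the limits stated above (at most 255 addresses per pool, at most 8 entries) and computes the temporary address for an overlapping address. It assumes that the n-th address of the overlapping pool maps to the n-th address of the temporary pool and that a pool holds at least one address; the function names are hypothetical.

```python
import ipaddress
import re

# Limits stated in the guide for twice NAT on the AR150/200.
MAX_POOL_LENGTH = 255   # addresses per overlapping/temporary pool
MAX_ENTRIES = 8         # overlap-to-temporary mapping entries

LINE_RE = re.compile(
    r"^nat overlap-address (\d+) (\S+) (\S+) pool-length (\d+)"
    r"(?: inside-vpn-instance (\S+))?$"
)


def parse_overlap(line):
    """Parse one 'nat overlap-address' command into a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a nat overlap-address command: {line!r}")
    index, overlap, temp, length, vpn = m.groups()
    return {
        "index": int(index),
        "overlap": ipaddress.IPv4Address(overlap),
        "temp": ipaddress.IPv4Address(temp),
        "length": int(length),
        "vpn": vpn,
    }


def span(start, length):
    """Inclusive integer range of a pool of consecutive addresses."""
    return int(start), int(start) + length - 1


def intersects(a, b):
    """True when two inclusive ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def validate(entries):
    """Return a list of problems; an empty list means the entries pass."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries, limit is {MAX_ENTRIES}")
    seen_index = set()
    temp_spans = []
    for e in entries:
        tag = f"map-index {e['index']}"
        if e["index"] in seen_index:
            problems.append(f"{tag}: duplicate map-index")
        seen_index.add(e["index"])
        if not 1 <= e["length"] <= MAX_POOL_LENGTH:
            problems.append(
                f"{tag}: pool-length {e['length']} outside 1-{MAX_POOL_LENGTH}")
            continue
        o = span(e["overlap"], e["length"])
        t = span(e["temp"], e["length"])
        if max(o[1], t[1]) > 0xFFFFFFFF:
            problems.append(f"{tag}: pool runs past 255.255.255.255")
            continue
        # A temporary address must be unique, so the temporary pool may not
        # reuse addresses of the overlapping pool or of another temporary pool.
        if intersects(o, t):
            problems.append(f"{tag}: temporary pool overlaps the overlapping pool")
        for other_tag, other in temp_spans:
            if intersects(t, other):
                problems.append(f"{tag}: temporary pool collides with {other_tag}")
        temp_spans.append((tag, t))
    return problems


def translate(entry, address):
    """Temporary address for an overlapping address, or None if outside the pool.

    Assumption (not stated in the guide): the offset inside the pool is kept.
    """
    addr = ipaddress.IPv4Address(address)
    offset = int(addr) - int(entry["overlap"])
    if 0 <= offset < entry["length"]:
        return ipaddress.IPv4Address(int(entry["temp"]) + offset)
    return None


if __name__ == "__main__":
    # Constructed sample; the first line uses the values of the guide's
    # twice NAT example, the second is deliberately invalid.
    lines = [
        "nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254",
        "nat overlap-address 1 10.0.0.1 10.0.0.100 pool-length 255",
    ]
    entries = [parse_overlap(l) for l in lines]
    print(validate(entries))
    print(translate(entries[0], "192.168.20.10"))
```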

5.3.12 Checking the Configuration

After NAT is configured, you can view information about NAT.

Procedure

- Run the display nat alg command to check whether the NAT ALG function is enabled.

- Run the display nat address-group [ group-index ] [ verbose ] command to check the configuration of the NAT address pool.

- Run the display nat dns-map [ domain-name ] command to check information about DNS mapping.

- Run the display nat outbound [ acl acl-number | address-group group-index | interface { Ethernet } interface-number.subnumber ] command to check information about outbound NAT.

- Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to check information about twice NAT.

- Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to check the configuration of the NAT server.

- Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to check the configuration of static NAT.

- Run the display nat mapping table { all | number } command to view the NAT mapping table information or number of entries in the table.

----End


5.4 Configuration Examples

This section provides several configuration examples of NAT.

5.4.1 Example for Configuring the NAT Server

Networking Requirements

As shown in Figure 5-4, a company is connected to the wide area network (WAN) through the AR150/200 enabled with the network address translation (NAT) function. The company provides the web server and FTP server for users on the public network to access. The private IP address of the web server is 192.168.20.2:8080 and its public address is 202.169.10.5/24. The private IP address of the FTP server is 10.0.0.3/24 and its public address is 202.169.10.33/24. The interface address of the AR150/200 connected to the carrier device is 202.169.10.2/24.

Figure 5-4 Network diagram for configuring the NAT server

[Network diagram labels: Router (Eth0/0/0, Eth0/0/1, Eth2/0/0); WWW Server 192.168.20.2:8080; FTP Server 10.0.0.3/24; Host]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses for interfaces and configure the NAT servers on the WAN-side interface to allow external users to access the internal servers.

2. Configure a default route.

3. Enable the FTP NAT ALG function to allow the external FTP packets to traverse the NAT servers.


Procedure

Step 1 Configure IP addresses for the interfaces on the AR150/200 and configure the NAT server on the WAN-side interface.

<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
[Huawei-Ethernet2/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
[Huawei-Ethernet2/0/0] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
[Huawei-Ethernet2/0/0] quit

Step 2 On the AR150/200, configure a static route with the next hop address 202.169.10.2.

[Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 3 Enable the NAT ALG function for FTP packets on the AR150/200.

[Huawei] nat alg ftp enable

Step 4 Verify the configuration.

Run the display nat server command on the AR150/200 to view the NAT server configuration.

[Huawei] display nat server
  Nat Server Information:
  Interface  : Ethernet2/0/0
    Global IP/Port     : 202.169.10.5/80(www)
    Inside IP/Port     : 192.168.20.2/8080
    Protocol           : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----

    Global IP/Port     : 202.169.10.33/21(ftp)
    Inside IP/Port     : 10.0.0.3/21(ftp)
    Protocol           : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----

  Total :    2

Run the display nat alg command on the AR150/200, and the command output is as follows:

[Huawei] display nat alg
NAT Application Level Gateway Information:
----------------------------------
  Application            Status
----------------------------------
  dns                    Disabled
  ftp                    Enabled
  rtsp                   Disabled
  sip                    Disabled
----------------------------------

Verify that external users can access the web server and FTP server.

----End

Configuration Files

#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
 ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 200
#
interface Ethernet2/0/1
 ip address 202.169.10.1 255.255.255.0
 nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
 nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet 2/0/0
#
return
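A NAT server entry is a standing inbound exposure, so a saved configuration is worth reviewing for exactly which inside hosts and ports it publishes. The Python script below is an added example, not part of the guide or of any Huawei tool: it inventories the nat server mappings in the configuration file of this example and warns when an FTP mapping exists without nat alg ftp enable, the dependency named in the roadmap. The function names are hypothetical, and the port keyword table contains only the two keywords whose numbers appear in the display nat server output.

```python
import re

# Port keywords exactly as the guide's "display nat server" output resolves them.
PORT_KEYWORDS = {"www": 80, "ftp": 21}
ALL_ALGS = {"dns", "ftp", "rtsp", "sip"}  # options of "nat alg { all | ... } enable"

# The configuration file printed in this example, one command per line.
SAMPLE_CONFIG = """\
#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
 ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 200
#
interface Ethernet2/0/1
 ip address 202.169.10.1 255.255.255.0
 nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
 nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet 2/0/0
#
return
"""

NAT_SERVER_RE = re.compile(
    r"^nat server protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)$")
ALG_RE = re.compile(r"^nat alg (\S+) enable$")


def port_number(token):
    """Numeric port for a digit string or a known keyword, else None."""
    if token.isdigit():
        return int(token)
    return PORT_KEYWORDS.get(token)


def parse(config):
    """Return (enabled ALGs, list of nat server mappings) from config text."""
    algs, mappings, interface = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            interface = None          # "#" closes the current view
            continue
        if line.startswith("interface "):
            interface = line.split(None, 1)[1]
            continue
        m = ALG_RE.match(line)
        if m:
            algs |= ALL_ALGS if m.group(1) == "all" else {m.group(1)}
            continue
        m = NAT_SERVER_RE.match(line)
        if m:
            proto, g_ip, g_port, i_ip, i_port = m.groups()
            mappings.append({
                "interface": interface, "protocol": proto,
                "global_ip": g_ip, "global_port": port_number(g_port),
                "inside_ip": i_ip, "inside_port": port_number(i_port),
            })
    return algs, mappings


def review(config):
    """List every published service, plus FTP mappings that lack the FTP ALG."""
    algs, mappings = parse(config)
    findings = []
    for m in mappings:
        findings.append(
            f"INFO {m['interface']}: {m['protocol']} "
            f"{m['global_ip']}:{m['global_port']} -> "
            f"{m['inside_ip']}:{m['inside_port']}")
        if 21 in (m["global_port"], m["inside_port"]) and "ftp" not in algs:
            findings.append(
                f"WARN {m['global_ip']}: FTP mapping without 'nat alg ftp enable'")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print(finding)
```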

5.4.2 Example for Configuring Outbound NAT

Networking Requirements

As shown in Figure 5-5, the intranet of area A is connected to the wide area network (WAN) through the AR150/200. The network address translation (NAT) function is enabled on the AR150/200. To ensure the security of company A's intranet, you need to use the IP addresses in the public address pool (202.169.10.100-202.169.10.200) to replace the host addresses of area A on the network segment 192.168.20.0/24. The hosts of area A then can access servers on the WAN.

The intranet of area B is also connected to the WAN through the AR150/200. Only a few public IP addresses are allocated to area B. To save the public IP addresses and improve the security of company B's intranet, you need to use the IP addresses in the public address pool (202.169.10.80-202.169.10.83) to replace the host addresses of area B on the network segment 10.0.0.0/24. The hosts of company B then can access servers on the WAN.

The public address of Ethernet2/0/0 on the AR150/200 is 202.169.10.1/24 and the interface address of the AR150/200 connected to the carrier device is 202.169.10.2/24.


Figure 5-5 Network diagram for configuring outbound NAT

[Network diagram labels: Router (Eth0/0/0, Eth0/0/1, Eth2/0/0); Area A, PC 1...PC n, 192.168.20.0/24; Area B, PC 1...PC n, 10.0.0.0/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses for interfaces.

2. Configure a default route.

3. Configure outbound NAT on the WAN-side interface to allow internal hosts to access external networks.

Procedure

Step 1 Configure IP addresses for the interfaces of the AR150/200.

<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
[Huawei-Ethernet2/0/0] quit

Step 2 On the AR150/200, configure a static route with the next hop address 202.169.10.2.

[Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 3 Configure outbound NAT on the AR150/200.

[Huawei] nat address-group 1 202.169.10.100 202.169.10.200
[Huawei] nat address-group 2 202.169.10.80 202.169.10.83
[Huawei] acl 2000
[Huawei-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[Huawei-acl-basic-2000] quit
[Huawei] acl 2001
[Huawei-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] nat outbound 2000 address-group 1 no-pat
[Huawei-Ethernet2/0/0] nat outbound 2001 address-group 2
[Huawei-Ethernet2/0/0] quit

Step 4 Verify the configuration.

Run the display nat outbound command on the AR150/200, and the command output is as follows:

[Huawei] display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface          Acl     Address-group/IP/Interface      Type
 -----------------------------------------------------------------
 Ethernet2/0/0      2000                             1    no-pat
 Ethernet2/0/0      2001                             2       pat
 -----------------------------------------------------------------
  Total : 2

Perform the ping operation on the AR150/200.

<Huawei> ping -a 192.168.20.1 202.169.10.2
  PING 202.169.10.2: 56 data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
<Huawei> ping -a 10.0.0.1 202.169.10.2
  PING 202.169.10.2: 56 data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms

----End

Configuration Files

#
vlan batch 100 200
#
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
#
interface Vlanif100
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
 ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 200
#
interface Ethernet2/0/0
 ip address 202.169.10.1 255.255.255.0
 nat outbound 2000 address-group 1 no-pat
 nat outbound 2001 address-group 2
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet 2/0/0
#
return

5.4.3 Example for Configuring Twice NAT

Networking Requirements

As shown in Figure 5-6, the IP address of PC1 on the private network is the same as the IP address of host A on the public network. When PC2 sends a packet to host A, the packet may be forwarded to PC1. In addition to the network address translation function, twice NAT of the AR150/200 specifies the mapping between the overlapping address pool and the temporary address pool. The overlapping IP address is translated to a unique temporary address so that packets can be forwarded correctly.

Figure 5-6 Networking diagram for twice NAT configuration

[Network diagram labels: Router (Eth0/0/0, Eth0/0/1, Eth2/0/0); Company A, PC 1, 192.168.20.2/24; Company B, PC 2, 10.0.0.3/24; Host A, 192.168.20.2/24; DNS Server; www.Server.com; 202.169.10.2]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure IP addresses for interfaces.

2. Configure DNS mappings to allow users to access servers by using domain names.

3. Map the overlapping address pool to the temporary address pool.

4. Configure outbound NAT to allow internal users to access external networks.

Procedure

Step 1 Configure IP addresses for the interfaces of the AR150/200.

<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 202.169.10.2 24
[Huawei-Ethernet2/0/0] quit

Step 2 Configure DNS mappings on the AR150/200.

[Huawei] nat alg dns enable
[Huawei] nat dns-map www.Server.com 192.168.20.2 80 tcp

Step 3 Configure the mapping between the overlapping address pool and the temporary address pool on the AR150/200.

[Huawei] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254

Step 4 Configure a static route on the AR150/200 from the temporary address pool to outbound interface Ethernet2/0/0.

[Huawei] ip route-static 202.169.100.2 32 ethernet 2/0/0 202.169.10.2

Step 5 Configure outbound NAT on outbound interface Ethernet2/0/0 of the AR150/200.

1. Create an ACL and configure an ACL rule to permit the packets of host A.

[Huawei] acl 3180
[Huawei-acl-adv-3180] rule permit ip source 192.168.20.0 0.0.0.255
[Huawei-acl-adv-3180] quit

2. Configure the NAT address pool for outbound NAT.

[Huawei] nat address-group 1 160.160.0.2 160.160.0.254

3. Configure outbound NAT on outbound interface Ethernet2/0/0.

[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] nat outbound 3180 address-group 1
[Huawei-Ethernet2/0/0] quit


Step 6 Verify the configuration.

Run the display nat overlap-address all command on the AR150/200 to view the mapping between address pools.

[Huawei] display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
-------------------------------------------------------------------------------
Id  Overlap-Address  Temp-Address    Pool-Length  Inside-VPN-Instance-Name
-------------------------------------------------------------------------------
0   192.168.20.2     202.169.100.2   254
-------------------------------------------------------------------------------
Total : 1

Run the display nat outbound command on the AR150/200 to view outbound NAT information.

[Huawei] display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface          Acl     Address-group/IP/Interface      Type
 -----------------------------------------------------------------
 Ethernet2/0/0      3180                             1       pat
 -----------------------------------------------------------------
  Total : 1

----End

Configuration Files

#
vlan batch 100 200
#
acl number 3180
 rule 5 permit ip source 192.168.20.0 0.0.0.255
#
nat alg dns enable
#
nat address-group 1 160.160.0.2 160.160.0.254
#
nat dns-map www.server.com 192.168.20.2 80 tcp
#
nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254
#
ip route-static 202.169.100.2 255.255.255.255 Ethernet2/0/0 202.169.10.2
#
interface Vlanif100
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
 ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/0
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 200
#
interface Ethernet2/0/0
 ip address 202.169.10.1 255.255.255.0
 nat outbound 3180 address-group 1
#
return


6 DHCP Configuration

About This Chapter

The Dynamic Host Configuration Protocol (DHCP) dynamically assigns and manages IP addresses and other configuration parameters from specified address pools to clients, ensuring reasonable IP address allocation and high usage.

6.1 DHCP Overview
DHCP dynamically assigns IP addresses to users and manages configuration information in a centralized manner.

6.2 DHCP Features Supported by the AR150/200
This section describes the DHCP features supported by the AR150/200.

6.3 Configuring a DHCP Server Based on a Global Address Pool
After a DHCP server based on a global address pool is configured, all online users of the server can obtain IP addresses from this address pool.

6.4 Configuring a DHCP Server Based on an Interface Address Pool
This section describes how to configure a DHCP server based on an interface address pool. After the configuration, users that get online from this interface can obtain IP addresses and other configuration information from the address pool.

6.5 Configuring a DHCP Relay Agent
This section describes how a DHCP client communicates with a DHCP server on another network segment by using a DHCP relay agent to obtain an IP address and other configurations.

6.6 Configuring a DHCP/BOOTP Client
After a Layer 3 interface of the AR150/200 is specified to function as a DHCP/BOOTP client, the interface can dynamically obtain an IP address and other configurations from the DHCP server by using the DHCP/BOOTP protocol.

6.7 Configuring the DHCP Rate Limit Function
You can configure the highest rate at which DHCP packets are sent to the protocol stack in the system view, VLAN view, or interface view. If different rates are configured in these views, the rate configured in the interface view takes effect. If this rate does not take effect, the rate configured in the VLAN view takes effect. If the rate configured in the VLAN view also does not take effect, the rate configured in the system view takes effect.

6.8 Maintaining DHCP
This section describes how to clear DHCP statistics and monitor DHCP status.

6.9 Configuration Examples
The DHCP configuration examples provide networking requirements, networking diagram, precautions, configuration roadmaps, and configuration procedures.


6.1 DHCP Overview

DHCP dynamically assigns IP addresses to users and manages configuration information in a centralized manner.

As the network expands and becomes complex, the number of hosts often exceeds the number of available IP addresses. As portable computers and wireless networks are widely used, the positions of computers often change, causing IP addresses of the computers to be changed accordingly. As a result, network configurations become increasingly complex. DHCP is developed to solve the preceding problems.

DHCP uses the client/server model. A client sends a configuration request to the server, and the server replies with requested configurations, such as an IP address, to the client. This allows dynamic configuration for clients.

The early DHCP protocol is applicable only to the scenario where the DHCP clients and DHCP server reside on the same subnet. This requires that each subnet be configured with a DHCP server, wasting resources. The DHCP relay function is used to solve this problem.

6.2 DHCP Features Supported by the AR150/200

This section describes the DHCP features supported by the AR150/200.

AR150/200 Functioning as a DHCP Server

The AR150/200 can be used as a DHCP server to assign IP addresses to online users. After a DHCP client sends a packet to the server to apply for configuration parameters such as an IP address, a subnet mask, and a default gateway, the server responds with a packet carrying the requested configurations according to a certain policy. Both the request packet and the response packet are encapsulated as UDP packets.

When the AR150/200 functions as a server, create an address pool on the AR150/200 to provide IP addresses to DHCP clients. The address pool can be a global address pool or an interface address pool.

- After a DHCP server based on a global address pool is configured, all online users of the server can obtain IP addresses from this address pool.

- After a DHCP server based on an interface address pool is configured, only users that get online from this specified interface can obtain IP addresses from this address pool.

The AR150/200 allocates IP addresses to clients by using the global address pool or an interface address pool.

AR150/200 Functioning as a DHCP Relay Agent

The AR150/200 supports the DHCP relay function. When the AR150/200 functions as a DHCP relay agent, the client can communicate with a DHCP server on another network segment by using the AR150/200, and obtain an IP address and other configuration parameters from the global address pool of the DHCP server. In this manner, DHCP clients on multiple network segments can share one DHCP server. This reduces costs and facilitates centralized management.


AR150/200 Functioning as a DHCP/BOOTP Client

The AR150/200 supports the DHCP/BOOTP client function. After a Layer 3 interface of the AR150/200 is configured as a DHCP/BOOTP client, the interface can dynamically obtain an IP address and other configurations from a DHCP server by using the DHCP/BOOTP protocol. This facilitates configuration and centralized management.

DHCP Rate Limit

The AR150/200 supports DHCP rate limit. This protects the DHCP protocol stack against attacks that send a large number of DHCP packets.

6.3 Configuring a DHCP Server Based on a Global Address Pool

After a DHCP server based on a global address pool is configured, all online users of the server can obtain IP addresses from this address pool.

6.3.1 Establishing the Configuration Task

Before configuring a DHCP server based on a global address pool, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

When the AR150/200 functions as a DHCP server, you can configure a global address pool on the AR150/200. The AR150/200 then allocates IP addresses and configuration parameters to clients from the global address pool.

The global address pool applies to the following scenarios:

DHCP clients and the AR150/200 used as a DHCP server are on the same network segment. DHCP clients can obtain IP addresses and other configuration parameters from a global address pool. Figure 6-1 shows the networking.

Figure 6-1 Application scenario 1 of a global address pool

[Network diagram labels: DHCP Client; DHCP Server]

DHCP clients and the AR150/200 functioning as a DHCP server are on different network segments. DHCP clients can obtain IP addresses and other configuration parameters from a global address pool through a DHCP relay agent. Figure 6-2 shows the networking.


Figure 6-2 Application scenario 2 of a global address pool

[Network diagram labels: DHCP Client; DHCP Relay; Internet; DHCP Server]

Pre-configuration Tasks

Before configuring a DHCP server based on a global address pool, complete the following tasks:

- Ensuring that the link between the DHCP client and the AR150/200 works properly

- (Optional) Configuring the DNS service on a DHCP client

- (Optional) Configuring the NetBIOS service on a DHCP client

- Configuring the routes destined to the DNS server and the NetBIOS server on the AR150/200 (The routes are configured only after the DNS and NetBIOS servers are configured.)

- (Optional) Configuring user-defined DHCP options on the DHCP server

Data Preparation

To configure the DHCP server based on a global address pool, you need the following data.

No.  Data

1    Name of a global address pool, IP address range and lease, (optional) range of IP addresses that cannot be assigned dynamically, and (optional) IP and MAC address entries that need to be statically bound

2    Egress gateway of a DHCP client

3    (Optional) IP address of the DNS server and domain name of a DHCP client

4    (Optional) IP address of the NetBIOS server and the NetBIOS node type of a DHCP client

5    (Optional) Code of a user-defined DHCP option, and ASCII string, hexadecimal number, or IP address of the option


6.3.2 Configuring an Interface to Select a Global Address Pool for IP Address Allocation

This section describes how to configure an interface to select a global address pool for IP address allocation. After the configuration is complete, users who get online from this interface can obtain IP addresses and other configuration parameters from a global address pool.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    dhcp enable

The DHCP service is enabled.

Step 3 Run:
    interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VLANIF interface can be configured to select a global address pool for IP address allocation.

Step 4 Run:
    ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

- If a DHCP client and the AR150/200 functioning as the DHCP server are on the same network segment, and no relay agent is deployed between them, the AR150/200 assigns IP addresses on the same network segment as the interface to users who get online from the interface. If no IP address is configured for the interface, or there is no address pool having the same network segment as the interface, users cannot get online.

- If a DHCP client and the AR150/200 functioning as a DHCP server are on different network segments, and a DHCP relay agent is deployed between them, the AR150/200 parses the giaddr field of a DHCP request packet to obtain an IP address. If the IP address does not match the corresponding address pool, the user cannot get online.

Step 5 Run:
    dhcp select global

The interface is configured to select a global address pool for IP address allocation. After the configuration, users who get online from this interface can obtain IP addresses and other configuration parameters from a global address pool.

----End

6.3.3 Configuring Global Address Pool Attributes

This section describes how to configure attributes for a global address pool, including the IP address range and lease, IP addresses that cannot be assigned dynamically, and IP addresses that are bound manually. IP addresses in the global address pool can be assigned dynamically or bound manually as required.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    ip pool ip-pool-name

The view of the global address pool is displayed.

By default, no global address pool is created on the AR150/200.

Step 3 Run:
    network ip-address [ mask { mask | mask-length } ]

The range of dynamically assignable IP addresses in the global address pool is configured.

Only one address segment can be specified for an address pool. A mask can be used to set the address range of the address pool.

NOTE

When configuring the range of dynamically assignable IP addresses in the global address pool, ensure that the range is the same as the network segment on which the DHCP server interface address or the DHCP relay agent interface address resides. This avoids incorrect assignment of IP addresses.

Step 4 (Optional) Run:
    lease { day day [ hour hour [ minute minute ] ] | unlimited }

An IP address lease is configured.

By default, the IP address lease is one day.

The DHCP server can specify different IP address leases for different address pools. All IP addresses in an address pool must have the same lease.

Step 5 (Optional) Run:
    excluded-ip-address start-ip-address [ end-ip-address ]

The range of the IP addresses that cannot be dynamically assigned in the global address pool is configured.

If an IP address has been assigned to a server, such as a DNS server, it cannot be assigned to a DHCP client. Running the excluded-ip-address command once configures an IP address that cannot be assigned dynamically. Running the excluded-ip-address command multiple times specifies multiple IP addresses that cannot be dynamically assigned.

Step 6 Run:
    gateway-list ip-address &<1-8>

The IP address of the gateway for the DHCP client is configured.


NOTE

When a DHCP client is communicating with a server or a host outside the local network segment, the data transmitted between them is forwarded or received by using the gateway.

To perform load balancing for traffic and improve network reliability, you can configure multiple gateways. An address pool can be configured with a maximum of eight gateway addresses. Gateway addresses cannot be subnet broadcast addresses.

Step 7 (Optional) Run:
    static-bind ip-address ip-address mac-address mac-address

An IP address in the global address pool is statically bound to a MAC address.

If a user requires a fixed IP address, you can bind an unused IP address to the MAC address of the user device.

NOTE

Before binding the IP address to a MAC address, ensure that the IP address is one of the IP addresses that can be dynamically assigned.

Step 8 (Optional) Run:
    recycle start-ip-address [ end-ip-address ]

IP addresses that cannot be released from the IP address pool are recycled.

----End

6.3.4 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client

When functioning as the DHCP server, the AR150/200 is configured to dynamically allocate carrier-provided DNS and NetBIOS configurations to the DHCP clients.

Context

The DNS and NetBIOS configurations have been specified before the DHCP server allocates IP addresses to the DHCP client. If you do not have the configurations allocated by the carrier, dynamically allocate the DNS and NetBIOS configurations to the DHCP client.

NOTE

If the static DNS, NetBIOS, and domain name are available in the address pool, use the static configurations.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.

Step 3 Run:
import all


The DHCP client is dynamically allocated the DNS and NetBIOS configurations.

----End

6.3.5 (Optional) Configuring the Static DNS Service on a DHCP Client

This section describes how to specify the DNS domain name used by the DHCP client on the network and the IP address of the DNS server.

Context

When a host accesses the Internet through the domain name, the domain name needs to be resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can successfully connect to the Internet, the DHCP server needs to specify the DNS server address when allocating the IP address to the client.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.

Step 3 Run:
domain-name domain-name

The DNS domain name that is assigned to the DHCP client is configured.

On the DHCP server, you can specify a DNS domain name used by the client for each address pool.

Step 4 Run:
dns-list ip-address &<1-8>

The IP address of the DNS server connected to the DHCP client is configured.

To perform load balancing on traffic and improve network reliability, you can configure multiple DNS servers. An address pool can be configured with a maximum of eight DNS server addresses.

----End

6.3.6 (Optional) Configuring the Static NetBIOS Service on a DHCP Client

The NetBIOS server resolves host names into IP addresses for hosts that communicate based on NetBIOS and run the Windows operating system.


Context

NOTE

NetBIOS is short for the Network Basic Input/Output System.

Before a DHCP client communicates with hosts by using NetBIOS, the mapping between the host names and IP addresses of the client and host needs to be established. The DHCP client can be specified as one of the following NetBIOS nodes based on mappings between host names and IP addresses:

• B-node: b indicates broadcast. B-nodes obtain mappings between host names and IP addresses in broadcast mode.

• P-node: p indicates peer-to-peer. P-nodes obtain mappings between host names and IP addresses from the NetBIOS server.

• M-node: m indicates mixed. M-nodes are the p-nodes that have some broadcast features.

• H-node: h indicates hybrid. H-nodes are the b-nodes that provide the peer-to-peer communication mechanism.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.

Step 3 Run:
nbns-list ip-address &<1-8>

The IP address of the NetBIOS server connected to the DHCP client is configured.

An address pool can be configured with a maximum of eight NetBIOS server addresses.

Step 4 Run:
netbios-type { b-node | h-node | m-node | p-node }

A NetBIOS node type is specified for the DHCP client.

By default, the client is not specified to be any NetBIOS node type.

----End

6.3.7 (Optional) Configuring User-Defined DHCP Options of the Global Address Pool

As DHCP develops, new DHCP options continue to be created. They can be manually added to the attribute list of the DHCP server.

Context

If the Option attribute has been configured on the DHCP server and a DHCP client applies for an IP address, the client can obtain the configurations in the Option field of the DHCPREPLY packet from the server.


NOTE

The DNS service, NetBIOS service, and IP address lease can be configured by commands. If these commands are not supported by the device, you can run the option command to configure values for the options corresponding to the DNS service, NetBIOS service, and IP address lease.

The related commands are as follows:

• DNS service: domain-name and dns-list

• NetBIOS service: nbns-list and netbios-type

• IP address lease: lease

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.

Step 3 Run:
option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }

User-defined DHCP options are configured.

The option command specifies the options that are sent in the DHCP packet by the server to the client. Learn about the functions of options before running the option command. For descriptions of common DHCP options, see RFC 2132.

----End

6.3.8 (Optional) Configuring the Function That Prevents Identical IP Addresses

Before assigning an IP address to a client, the AR150/200 functioning as a DHCP server must ping the IP address to prevent address conflicts.

Context

You can use the dhcp server ping command to check whether a response to the ping packet is received within a specified period. If the AR150/200 does not receive a response packet within the specified period, it sends ping packets continuously until the number of sent ping packets reaches the upper limit. If the AR150/200 still does not receive a response packet, it considers the IP address unused on the local network segment. This ensures that the IP address to be assigned is unique.

Procedure

Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server ping packet number

The maximum number of ping packets that the AR150/200 can send to the same destination is configured.

The default value is 0, in which case the AR150/200 sends no ping packets and does not perform the ping check.

Step 3 Run:
dhcp server ping timeout milliseconds

The timeout period to wait for a response packet is set for the AR150/200.

By default, the timeout period is 500 milliseconds.

----End

6.3.9 Checking the Configuration

This section describes how to check the configurations of the DHCP server based on the global address pool.

Prerequisites

The configurations of the DHCP server based on the global address pool are complete.

Procedure

• Run the display dhcp server statistics command to check the statistics on the DHCP server.

• Run the display ip pool name ip-pool-name [ low-ip-address high-ip-address | all | expired | conflict | used ] command to check information about the configured global address pool.

----End

Example

Run the display dhcp server statistics command to view statistics on the DHCP server.

<Huawei> display dhcp server statistics
 DHCP Server Statistics:

 Client Request:  6
  Dhcp Discover:  1
  Dhcp Request:   4
  Dhcp Decline:   0
  Dhcp Release:   1
  Dhcp Inform:    0
 Server Reply:    4
  Dhcp Offer:     1
  Dhcp Ack:       3
  Dhcp Nak:       0
 Bad Messages:    0

Run the display ip pool name ip-pool-name command to view information about the IP address pool named pool1.

<Huawei> display ip pool name pool1
  Pool-Name      : pool1
  Pool-No        : 2
  Lease          : 3 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-Server0    : 10.10.10.5
  DNS-Server1    : 10.10.10.6
  NBNS-Server0   : 20.20.20.5
  Netbios-type   : -
  Position       : Local           Status : Unlocked
  Gateway-0      : 10.10.10.10
  Mask           : 255.255.255.0
  Vpn instance   : --
  --------------------------------------------------------------------------
  Start        End            Total  Used  Idle(Expired)  Conflict  Disable
  --------------------------------------------------------------------------
  10.10.10.1   10.10.10.254   253    0     253            0         0
  --------------------------------------------------------------------------

6.4 Configuring a DHCP Server Based on an Interface Address Pool

This section describes how to configure a DHCP server based on an interface address pool. After the configuration, users that get online from this interface can obtain IP addresses and other configuration information from the address pool.

6.4.1 Establishing the Configuration Task

Before configuring a DHCP server based on an interface address pool, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On the AR150/200 functioning as a DHCP server, you can configure an interface address pool. As shown in Figure 6-3, interface address pools are applicable only to the scenario where a DHCP client and a server are on the same network segment.

Figure 6-3 Application scenario of an interface address pool (figure labels: DHCP Client, DHCP Server)

Pre-configuration Tasks

Before configuring a DHCP server based on an interface address pool, complete the following tasks:


• Ensuring that the link between a DHCP client and the AR150/200 works properly

• (Optional) Configuring the DNS server

• (Optional) Configuring the NetBIOS server

• Configuring the routes destined to the DNS server and the NetBIOS server on the AR150/200 (The routes can be configured only after the DNS and NetBIOS servers are configured.)

Data Preparation

To configure a DHCP server based on an interface address pool, you need the following data.

No.  Data

1    Number of the interface on which the interface address pool is enabled, IP address range and lease, (optional) range of IP addresses that cannot be assigned dynamically, and (optional) IP and MAC address entries that need to be bound statically

2    (Optional) IP address of the DNS server and domain name of a DHCP client

3    (Optional) IP address of the NetBIOS server and NetBIOS node type of a DHCP client

4    (Optional) Code of a user-defined DHCP option, and ASCII string, hexadecimal number, or IP address of the option

6.4.2 Configuring Interface Address Pool Attributes

This section describes how to configure the attributes for an interface address pool, including IP address lease, IP addresses that cannot be assigned dynamically, and IP addresses that are bound manually. IP addresses in the interface address pool can be assigned dynamically or bound manually as required.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

The DHCP service is enabled.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VLANIF interface can be configured to select an interface address pool for IP address allocation.


Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

Step 5 Run:
dhcp select interface

The AR150/200 is configured to select an interface address pool for IP address allocation.

The range of dynamically assignable IP addresses in the interface address pool is the network segment to which the address of the interface belongs. The users whose IP addresses are in this network segment can get online only from this interface.

Step 6 (Optional) Run:
dhcp server lease { day day [ hour hour [ minute minute ] ] | unlimited }

An IP address lease is configured.

By default, the IP address lease is one day.

Step 7 (Optional) Run:
dhcp server excluded-ip-address start-ip-address [ end-ip-address ]

The IP address that cannot be assigned dynamically in the interface address pool is specified.

If an IP address has been assigned to a server, such as a DNS server, it cannot be assigned to a DHCP client. You can run the dhcp server excluded-ip-address command once to configure an IP address that cannot be assigned dynamically. Running the dhcp server excluded-ip-address command multiple times specifies multiple IP addresses that cannot be dynamically assigned.

Step 8 (Optional) Run:
dhcp server static-bind ip-address ip-address mac-address mac-address

An IP address in the interface address pool is bound to a MAC address manually.

If a user requires a fixed IP address, you can bind an unused IP address in the interface address pool to the MAC address of the user device.

NOTE

Before binding the IP address to the MAC address, ensure that the IP address is dynamically assignable in the interface address pool.

----End
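The rules stated in 6.3.3 and 6.4.2 (at most eight addresses per list, no subnet broadcast address as a gateway, server addresses kept out of dynamic assignment, static bindings only on assignable addresses) can be checked before any command is entered. The following Python sketch is an added example, not Huawei code: PoolPlan, validate and render are hypothetical names, the addresses and MAC address in the usage are constructed, and the DNS check assumes a DNS server inside the pool's segment must be excluded.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_LIST = 8  # gateway-list, dns-list and nbns-list take 1 to 8 addresses (&<1-8>)


@dataclass
class PoolPlan:
    """Hypothetical planning record for one address pool (not a Huawei structure)."""
    network: str                                      # segment, e.g. "10.10.10.0/24"
    gateways: list = field(default_factory=list)
    dns: list = field(default_factory=list)
    excluded: list = field(default_factory=list)      # (start, end-or-None) pairs
    static_binds: dict = field(default_factory=dict)  # ip -> mac
    lease_days: int = 1                               # the guide's default lease


def _ranges(plan):
    """Excluded ranges as (low, high) pairs; a single address has high == low."""
    return [(ipaddress.ip_address(s), ipaddress.ip_address(e or s))
            for s, e in plan.excluded]


def validate(plan):
    """Return the list of rule violations; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(plan.network)
    ranges = _ranges(plan)
    problems = []

    def is_excluded(addr):
        return any(lo <= addr <= hi for lo, hi in ranges)

    for lo, hi in ranges:
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"excluded range {lo}-{hi} is not inside {net}")
    for name, items in (("gateway-list", plan.gateways), ("dns-list", plan.dns)):
        if len(items) > MAX_LIST:
            problems.append(f"{name} has {len(items)} addresses, maximum is {MAX_LIST}")
    for gw in map(ipaddress.ip_address, plan.gateways):
        if gw == net.broadcast_address:
            problems.append(f"gateway {gw} is the subnet broadcast address")
    # A server that lives inside the pool's segment must not be handed to a client.
    for srv in map(ipaddress.ip_address, plan.dns):
        if srv in net and not is_excluded(srv):
            problems.append(f"DNS server {srv} is inside the pool but not excluded")
    # A static binding must use an address that is still dynamically assignable.
    for ip in plan.static_binds:
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"static-bind {ip} is outside the assignable range of {net}")
        elif is_excluded(addr):
            problems.append(f"static-bind {ip} is excluded, so it is not assignable")
    return problems


def render(plan, interface_view=False):
    """Render the commands for the pool view (6.3.3) or the interface view (6.4.2)."""
    prefix = "dhcp server " if interface_view else ""
    lines = [f"{prefix}lease day {plan.lease_days}"]
    for start, end in plan.excluded:
        lines.append(f"{prefix}excluded-ip-address {start}" + (f" {end}" if end else ""))
    if plan.gateways and not interface_view:
        # gateway-list appears only in the global pool procedure of the guide.
        lines.append("gateway-list " + " ".join(plan.gateways))
    if plan.dns:
        lines.append(f"{prefix}dns-list " + " ".join(plan.dns))
    for ip, mac in plan.static_binds.items():
        lines.append(f"{prefix}static-bind ip-address {ip} mac-address {mac}")
    return lines


if __name__ == "__main__":
    plan = PoolPlan("10.10.10.0/24", gateways=["10.10.10.10"],
                    dns=["10.10.10.5", "10.10.10.6"],
                    excluded=[("10.10.10.5", "10.10.10.6")],
                    static_binds={"10.10.10.20": "00e0-fc12-3456"},  # constructed MAC
                    lease_days=3)
    print(validate(plan) or "\n".join(render(plan)))
```

Run validate first and render only when it returns an empty list, so that a plan with a conflicting binding never reaches the router.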

6.4.3 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client

When functioning as the DHCP server, the AR150/200 is configured to dynamically allocate carrier-provided DNS and NetBIOS configurations to the DHCP clients.

Context

The DNS and NetBIOS configurations have been specified before the DHCP server allocates IP addresses to the DHCP client. If you do not have the configurations allocated by the carrier, dynamically allocate the DNS and NetBIOS configurations to the DHCP client.


NOTE

If the static DNS, NetBIOS, and domain name are available in the address pool, use the static configurations.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Interfaces on the AR150/200 that can work in the interface address pool mode are Ethernet interfaces and sub-interfaces, Eth-trunk interfaces and sub-interfaces, and VLANIF interfaces.

Step 3 Run:
dhcp select interface

DHCP is enabled on the interface.

Step 4 Run:
dhcp server import all

The DHCP client is dynamically allocated the DNS and NetBIOS configurations.

----End

6.4.4 (Optional) Configuring the Static DNS Service on a DHCP Client

This section describes how to specify the DNS domain name used by the DHCP client on the network and the IP address of the DNS server.

Context

When a host accesses the Internet through the domain name, the domain name needs to be resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can successfully connect to the Internet, the DHCP server needs to specify the DNS server address when allocating the IP address to the client.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VLANIF interface can be configured to select an interface address pool for IP address allocation.

Step 3 Run:
dhcp server domain-name domain-name

The DNS domain name that is assigned to the DHCP client is configured.

Step 4 Run:
dhcp server dns-list ip-address &<1-8>

The IP address of the DNS server used by the DHCP client is configured.

To perform load balancing on traffic and improve network reliability, you can configure multiple DNS servers. An address pool can be configured with a maximum of eight DNS server addresses.

----End

6.4.5 (Optional) Configuring the Static NetBIOS Service on a DHCP Client

The NetBIOS server resolves host names into IP addresses for hosts that communicate by using NetBIOS and run Microsoft Windows operating systems.

Context

Before a host on the DHCP client communicates with another host by using NetBIOS, the mappings between the host names and IP addresses need to be established. The DHCP client can be specified as one of the following NetBIOS nodes based on mappings between host names and IP addresses:

• B-node: b indicates broadcast. B-nodes obtain mappings between host names and IP addresses in broadcast mode.

• P-node: p indicates peer-to-peer. P-nodes obtain mappings between host names and IP addresses from the NetBIOS server.

• M-node: m indicates mixed. M-nodes are the p-nodes that have some broadcast features.

• H-node: h indicates hybrid. H-nodes are the b-nodes that provide the peer-to-peer communication mechanism.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VLANIF interface can be configured to select an interface address pool for IP address allocation.


Step 3 Run:
dhcp server nbns-list ip-address &<1-8>

The IP address of the NetBIOS server used by the DHCP client is configured.

An address pool can be configured with a maximum of eight NetBIOS server addresses.

Step 4 Run:
dhcp server netbios-type { b-node | h-node | m-node | p-node }

A NetBIOS node type is specified for the DHCP client.

By default, no NetBIOS node type is specified for the client.

----End

6.4.6 (Optional) Configuring User-Defined DHCP Options of the Interface Address Pool

As DHCP develops, new DHCP options continue to be created. You can add new options manually to the attribute list of the DHCP server.

Context

If the Option attribute has been configured on the DHCP server and the DHCP client applies for an IP address, the client can obtain the configurations in the Option field of the DHCP packet from the server.

NOTE

The DNS service, NetBIOS service, and IP address lease can be configured by using commands. If these commands are not supported by the device, you can run the option command to configure values for the options corresponding to the DNS service, NetBIOS service, and IP address lease.

The related commands are as follows:

• DNS service: dhcp server domain-name and dhcp server dns-list

• NetBIOS service: dhcp server nbns-list and dhcp server netbios-type

• IP address lease: dhcp server lease

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VLANIF interface can be configured to select an interface address pool for IP address allocation.

Step 3 Run:
dhcp server option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }


A user-defined DHCP option is configured.

The dhcp server option command specifies the options that are sent in the DHCPREPLY packet by the server to the client. Learn about the functions of options before running the option command. For descriptions of common DHCP options, see RFC 2132.

----End
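Sections 6.3.7 and 6.4.6 say that the DNS, NetBIOS and lease settings reach the client as DHCP options. The following Python sketch is an added example, not Huawei code: it decodes the options field of a captured server reply in the RFC 2132 code/length/value layout and reports the settings under the names of the commands above, so that what clients actually receive can be compared with what was configured. The function names, the sample bytes and the pairing of each command with an RFC 2132 option code are assumptions made for this example.

```python
import ipaddress

# RFC 2132 option codes, keyed to the pool-view command assumed to set each one.
POOL_COMMANDS = {3: "gateway-list", 6: "dns-list", 15: "domain-name",
                 44: "nbns-list", 46: "netbios-type", 51: "lease-seconds"}
# NetBIOS node type values defined for option 46 in RFC 2132.
NODE_TYPES = {0x1: "b-node", 0x2: "p-node", 0x4: "m-node", 0x8: "h-node"}
PAD, END = 0, 255

# Constructed options field: 3-day lease, one gateway, two DNS servers, one NBNS
# server, h-node, domain "example.com", one pad byte, End.
SAMPLE = (bytes.fromhex("3304 0003f480 0304 0a0a0a0a 0608 0a0a0a05 0a0a0a06"
                        "2c04 14141405 2e01 08 0f0b")
          + b"example.com" + bytes.fromhex("00 ff"))


def decode_options(data):
    """Split an options field into {code: raw value}; reject malformed input."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            return options
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # Repeated codes are concatenated, as RFC 3396 specifies for long options.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field has no End option (255)")


def _ips(raw):
    if not raw or len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def to_pool_settings(options):
    """Express decoded options under the command names used in this guide."""
    settings = {}
    for code, raw in options.items():
        name = POOL_COMMANDS.get(code)
        if name in ("gateway-list", "dns-list", "nbns-list"):
            settings[name] = _ips(raw)
        elif name == "domain-name":
            settings[name] = raw.decode("ascii")
        elif name == "netbios-type":
            settings[name] = NODE_TYPES.get(raw[0], "unknown") if raw else "unknown"
        elif name == "lease-seconds":
            settings[name] = int.from_bytes(raw, "big")
        else:
            # Anything else is reported as a user-defined option in hex.
            settings.setdefault("user-defined", {})[code] = raw.hex()
    return settings


def unexpected_dns(settings, approved):
    """DNS servers handed to the client that are not on the approved list."""
    return [ip for ip in settings.get("dns-list", []) if ip not in approved]


if __name__ == "__main__":
    decoded = to_pool_settings(decode_options(SAMPLE))
    print(decoded)
    print("unexpected DNS:", unexpected_dns(decoded, {"10.10.10.5", "10.10.10.6"}))
```

A DNS server in the reply that is not on the approved list is worth investigating, because the address pool configuration alone does not show what another server on the segment may be answering with.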

6.4.7 (Optional) Configuring the Function That Prevents Identical IP Addresses

Before assigning an IP address to a client, the AR150/200 functioning as a DHCP server must ping the IP address to prevent address conflicts.

Context

You can use the dhcp server ping command to check whether a response to the ping packet is received within a specified period. If the AR150/200 does not receive a response packet within the specified period, it sends ping packets continuously until the number of sent ping packets reaches the upper limit. If the AR150/200 still does not receive a response packet, it considers the IP address unused on the local network segment. This ensures that the IP address to be assigned is unique.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server ping packet number

The maximum number of ping packets that the AR150/200 can send to the same destination is configured.

The default value is 0, in which case the AR150/200 sends no ping packets and does not perform the ping check.

Step 3 Run:
dhcp server ping timeout milliseconds

The timeout period to wait for a response packet is set for the AR150/200.

By default, the timeout period is 500 milliseconds.

----End

6.4.8 Checking the Configuration

This section describes how to check the configurations of a DHCP server based on an interface address pool.

Context

The configurations of a DHCP server based on an interface address pool are complete.


Procedure

• Run the display dhcp server statistics command to check the statistics on the DHCP server.

• Run the display ip pool interface interface-name [ low-ip-address high-ip-address | all | expired | conflict | used ] command to check information about the configured interface address pool.

----End

Example

Run the display dhcp server statistics command to view the statistics on the DHCP server.

<Huawei> display dhcp server statistics
 DHCP Server Statistics:

 Client Request:  6
  Dhcp Discover:  1
  Dhcp Request:   4
  Dhcp Decline:   0
  Dhcp Release:   1
  Dhcp Inform:    0
 Server Reply:    4
  Dhcp Offer:     1
  Dhcp Ack:       3
  Dhcp Nak:       0
 Bad Messages:    0

Run the display ip pool interface interface-name command to view information about the interface address pool on VLANIF 10.

<Huawei> display ip pool interface VLANIF10
  Pool-name      : vlanif10
  Pool-No        : 2
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface       Status : Unlocked
  Gateway-0      : 192.168.10.2
  Mask           : 255.255.255.0
  VPN instance   : --
  -----------------------------------------------------------------------------
  Start End Total Used Idle(Expired) Conflict Disable
  -----------------------------------------------------------------------------
  192.168.10.1 192.168.10.254 253 0 253 0 0 0
  -----------------------------------------------------------------------------
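The statistics shown in 6.3.9 and 6.4.8 can be turned into a periodic check. The following Python sketch is an added example, not Huawei code: it parses the counters of display dhcp server statistics and flags the ones that point to address conflicts or malformed traffic. The function names and finding labels are hypothetical, the sample reuses the values of the example above, and the assumption that the indented counters add up to their parent line is inferred from that example only.

```python
import re

# Sample in the layout of "display dhcp server statistics" (values from the example above).
SAMPLE = """\
 DHCP Server Statistics:

 Client Request:  6
  Dhcp Discover:  1
  Dhcp Request:   4
  Dhcp Decline:   0
  Dhcp Release:   1
  Dhcp Inform:    0
 Server Reply:    4
  Dhcp Offer:     1
  Dhcp Ack:       3
  Dhcp Nak:       0
 Bad Messages:    0
"""

LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", re.M)
CLIENT_PARTS = ("dhcp discover", "dhcp request", "dhcp decline",
                "dhcp release", "dhcp inform")
SERVER_PARTS = ("dhcp offer", "dhcp ack", "dhcp nak")


def parse_statistics(text):
    """Return {counter name in lower case: value} for every 'Name: number' line."""
    return {name.lower(): int(value) for name, value in LINE.findall(text)}


def review(counters):
    """Return (label, explanation) findings for counters that deserve a look."""
    get = lambda key: counters.get(key, 0)
    findings = []
    if get("client request") != sum(get(k) for k in CLIENT_PARTS):
        findings.append(("request-mismatch",
                         "client sub-counters do not add up; output may be truncated"))
    if get("server reply") != sum(get(k) for k in SERVER_PARTS):
        findings.append(("reply-mismatch",
                         "server sub-counters do not add up; output may be truncated"))
    if get("dhcp decline"):
        # A client sends DHCPDECLINE when the offered address is already in use.
        findings.append(("decline",
                         "clients rejected offered addresses; check 'dhcp server ping packet', "
                         "which defaults to 0 (no conflict check)"))
    if get("dhcp nak"):
        findings.append(("nak", "server refused requests; look for stale or foreign leases"))
    if get("bad messages"):
        findings.append(("bad-messages", "malformed DHCP packets were received"))
    if get("dhcp discover") > get("dhcp offer"):
        findings.append(("unanswered-discover",
                         "more discovers than offers; the pool may be exhausted"))
    return findings


if __name__ == "__main__":
    for label, text in review(parse_statistics(SAMPLE)) or [("ok", "no findings")]:
        print(f"{label}: {text}")
```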

6.5 Configuring a DHCP Relay Agent

This section describes how a DHCP client communicates with a DHCP server on another network segment by using a DHCP relay agent to obtain an IP address and other configurations.

6.5.1 Establishing the Configuration Task

Before configuring a DHCP relay agent, familiarize yourself with the applicable environment, complete pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.


Applicable Environment

A DHCP client can communicate with a DHCP server on another network segment by using the AR150/200 functioning as a DHCP relay agent to obtain an IP address and other configurations from the global address pool of the DHCP server. In this manner, DHCP clients on multiple network segments can share one DHCP server. This reduces costs and facilitates centralized management. Figure 6-4 shows the application scenario of a DHCP relay agent.

Figure 6-4 Application scenario of a DHCP relay agent (figure labels: DHCP Client, DHCP Relay, Internet, DHCP Server)

NOTE

AR150/200 WAN-side Ethernet interfaces do not support DHCP relay.

Pre-configuration Tasks

Before configuring a DHCP relay agent, complete the following tasks:

• Configuring a DHCP server

• Configuring a route destined to the DHCP server on the AR150/200

Data Preparation

To configure a DHCP relay agent, you need the following data.

No.  Data

1    Name of a DHCP server group

2    IP address of a DHCP server in the DHCP server group

3    Number and IP address of the interface on which the DHCP relay function is enabled


6.5.2 Configuring an Interface to Function as a DHCP Relay Agent

This section describes how to configure an interface to function as a DHCP relay agent. After the configuration, the interface enabled with the DHCP relay function can forward the client's request to the DHCP server even though the client and the server are on different network segments.

Context

NOTE

A DHCP packet can be relayed for a maximum of 16 times from a DHCP client to a DHCP server. A DHCP packet that has been relayed more than 16 times is dropped.

A super VLAN interface that has been enabled with the DHCP relay function cannot be enabled with the DHCP snooping function.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

The DHCP function is enabled.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VLANIF interface can be configured to function as a DHCP relay agent.

Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

NOTE

The IP address of the egress gateway that is configured in the IP address pool of the server must be consistent with the IP address of the DHCP relay.

Step 5 Run:
dhcp select relay

The DHCP relay function is enabled on the interface.

----End

Follow-up Procedure

When the AR150/200 functions as a DHCP relay agent, it can forward the client's DHCP requests to the DHCP server. Configure the IP address of the DHCP server on the interface that has been enabled with the DHCP relay function. The AR150/200 supports the following methods by which the IP address of the DHCP server is specified on the interface that functions as a DHCP relay agent:


• 6.5.3 Specifying a Server Group on the DHCP Relay Agent and 6.5.4 Binding a DHCP Server Group to a DHCP Relay Interface.

• Run the dhcp relay server-ip ip-address command in the interface view to configure the IP address of the DHCP server connected to the DHCP relay agent.
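Two notes in 6.5.2 describe how a relayed request is treated: a packet is relayed at most 16 times, and the gateway in the server's address pool must be consistent with the relay's IP address. The following Python sketch is an added example, not Huawei code: it models both on the fixed BOOTP header of a client request. The function names and the sample packet are constructed, and counting relays with the hops field and recording the first relay in giaddr (the relay behaviour of RFC 1542) is an assumption about how the limit is enforced on the device.

```python
import ipaddress
import struct

# First 28 bytes of a BOOTP/DHCP message:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
HEADER = struct.Struct("!BBBBIHH4s4s4s4s")
BOOTREQUEST = 1
MAX_RELAYS = 16          # limit stated in the NOTE of 6.5.2
ZERO = bytes(4)


def sample_request(hops=0):
    """Constructed 236-byte client request with an empty giaddr."""
    head = HEADER.pack(BOOTREQUEST, 1, 6, hops, 0x12345678, 0, 0x8000,
                       ZERO, ZERO, ZERO, ZERO)
    chaddr = bytes.fromhex("00e0fc123456") + bytes(10)   # constructed client MAC
    return head + chaddr + bytes(64 + 128)               # empty sname and file


def hops_and_giaddr(packet):
    fields = HEADER.unpack_from(packet)
    return fields[3], str(ipaddress.IPv4Address(fields[10]))


def relay_request(packet, relay_ip):
    """Return the packet as forwarded to the server, or None when it is dropped."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the BOOTP header")
    fields = list(HEADER.unpack_from(packet))
    if fields[0] != BOOTREQUEST:
        raise ValueError("not a client request")
    if fields[3] >= MAX_RELAYS:
        return None                      # a 17th relay is refused
    fields[3] += 1
    if fields[10] == ZERO:
        # Only the first relay writes its own interface address into giaddr.
        fields[10] = ipaddress.IPv4Address(relay_ip).packed
    return HEADER.pack(*fields) + packet[HEADER.size:]


def pool_matches_relay(packet, pool_network, pool_gateways):
    """True when the server pool's segment and gateway agree with the relay address."""
    _, giaddr = hops_and_giaddr(packet)
    inside = ipaddress.ip_address(giaddr) in ipaddress.ip_network(pool_network)
    return inside and giaddr in pool_gateways


if __name__ == "__main__":
    forwarded = relay_request(sample_request(), "192.168.10.1")
    print(hops_and_giaddr(forwarded))
    print(pool_matches_relay(forwarded, "192.168.10.0/24", ["192.168.10.1"]))
```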

6.5.3 Specifying a Server Group on the DHCP Relay Agent

This section describes how to configure a DHCP server group and add server IP addresses to the group.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server group group-name

A DHCP server group is created and the DHCP server group view is displayed.

The AR150/200 supports a maximum of 64 DHCP server groups.

Step 3 Run:
dhcp-server ip-address [ ip-address-index ]

The IP address of a server is added to the DHCP server group.

A DHCP server group comprises a maximum of eight DHCP servers. If no indexes are specified for the DHCP group servers, the system automatically assigns idle indexes to them.

----End

6.5.4 Binding a DHCP Server Group to a DHCP Relay Interface

This section describes how to bind a DHCP server group to an interface enabled with the DHCP relay function. After this configuration, DHCP clients can access the DHCP server in the bound server group.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VLANIF interface can be configured to function as a DHCP relay agent.

Step 3 Run:
dhcp relay server-select group-name


A DHCP server group is bound to the interface.

----End

6.5.5 (Optional) Configuring the DHCP Relay Agent to Instruct theDHCP Server to Reclaim the Client IP address

In some situations, a DHCP relay agent must send a request to the DHCP server to instruct theserver to reclaim the IP address of a client, for example, to log out a user.

ContextWhen a DHCP relay agent is configured to instruct the DHCP server to reclaim the IP addressof a DHCP client, the relay agent sends a DHCP Release packet to the DHCP server. Afterreceiving the packet, the DHCP server reclaims the lease of the IP address.

Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 (Optional) Run:interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interfaceor its sub-interface, or a VLANIF interface can be configured to function as a DHCP relay agent.

Step 3 Run:dhcp relay release client-ip-address mac-address server-ip-address

A request packet is sent to the DHCP server to instruct the server to reclaim the IP address thatis obtained by a DHCP client.

----End

6.5.6 Checking the Configuration

This section describes how to check DHCP relay configurations.

Prerequisites

The DHCP relay configurations are complete.

Procedure

• Run the display dhcp relay { all | interface interface-type interface-number } command to check the DHCP server group that is bound to the interface and information about the DHCP group servers.

• Run the display dhcp relay statistics command to check the statistics on the DHCP relay agent.

• Run the display dhcp server group group-name command to check the configurations of the DHCP server group.

----End

Example

Run the display dhcp relay interface interface-type interface-number command to view the DHCP server group bound to VLANIF 100 and information about the DHCP group servers.

<Huawei> display dhcp relay interface vlanif 100
 ** Vlanif100 DHCP Relay Configuration **
 DHCP server group name : group1
 DHCP server IP [0] :10.10.10.10
 DHCP server IP [1] :10.10.10.11
 DHCP server IP [2] :10.10.10.12

Run the display dhcp relay statistics command to view the statistics on the DHCP relay agent.

<Huawei> display dhcp relay statistics
The statistics of DHCP RELAY:
 DHCP packets received from clients : 0
 DHCP DISCOVER packets received : 0
 DHCP REQUEST packets received : 0
 DHCP RELEASE packets received : 0
 DHCP INFORM packets received : 0
 DHCP DECLINE packets received : 0
 DHCP packets sent to clients : 0
 Unicast packets sent to clients : 0
 Broadcast packets sent to clients : 0
 DHCP packets received from servers : 0
 DHCP OFFER packets received : 0
 DHCP ACK packets received : 0
 DHCP NAK packets received : 0
 DHCP packets sent to servers : 0
 DHCP Bad packets received : 0

Run the display dhcp server group group-name command to view the configurations of DHCP server group 1.

<Huawei> display dhcp server group group1
 Group-name : group1
 Group-type : --
 (0) Server-IP : 100.10.10.1
 (1) Server-IP : 100.10.10.2
 Gateway : --
 VPN instance : --
 1 DHCP server group(s) in total

6.6 Configuring a DHCP/BOOTP Client

After a Layer 3 interface of the AR150/200 is specified to function as a DHCP/BOOTP client, the interface can dynamically obtain an IP address and other configurations from the DHCP server by using the DHCP/BOOTP protocol.

6.6.1 Establishing the Configuration Task

Before configuring a DHCP/BOOTP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

After a Layer 3 interface on the AR150/200 is configured to function as a DHCP/BOOTP client, the interface can use the DHCP/BOOTP protocol to dynamically obtain an IP address and other configurations from a DHCP server. This facilitates the configuration for users and centralized management.

NOTE

After the DHCP/BOOTP client is configured, the DHCP server can assign an IP address to the DHCP/BOOTP client. Therefore, a BOOTP server is not necessary.

Pre-configuration Tasks

Before configuring a DHCP/BOOTP client, complete the following tasks:

• Configuring a DHCP server
• (Optional) Configuring a DHCP relay agent
• Configuring a route destined to the DHCP relay agent or the DHCP server on the AR150/200

Data Preparation

To configure a DHCP/BOOTP client, you need the following data.

No. Data

1 Name of a DHCP server group

2 IP addresses of DHCP servers in the DHCP server group

3 Number and IP address of the interface on which the DHCP relay function is enabled

6.6.2 (Optional) Configuring the DHCP/BOOTP Client Attributes

The DHCP/BOOTP client attributes can be used to establish the communication between the DHCP/BOOTP client and the DHCP server.

Procedure

• Configure DHCP client attributes.

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

The DHCP service is enabled.

3. Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VE interface can be configured to function as a DHCP client.

4. Run:
ip address dhcp client hostname hostname

A host name is configured for the DHCP client.

5. Run:
ip address dhcp client option61 client-name

An identifier is configured for the DHCP client.

6. Run:
ip address dhcp client request-option { dhcp-file-name | dns-domain | ftp-user-ip | ftp-user-name | ftp-user-password | route | tftp-server-ip | tftp-server-name }*

The list of requested options is configured for the DHCP client.

• Configure BOOTP client attributes.

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

The DHCP service is enabled.

3. Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VE interface can be configured to function as a BOOTP client.

4. Run:
ip address bootp client hostname hostname

A host name is configured for the BOOTP client.

----End

6.6.3 Enabling the DHCP/BOOTP Client

After the DHCP/BOOTP client function is enabled on an interface, the interface can obtain an IP address and other configurations from the DHCP server.

Procedure

• Enable the DHCP client.

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

The DHCP service is enabled.

3. Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VE interface can be configured to function as a DHCP client.

4. Run:
ip address dhcp-alloc

The DHCP client function is enabled on the AR150/200.

• Enable the BOOTP client.

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

The DHCP service is enabled.

3. Run:
interface interface-type interface-number

The interface view is displayed.

On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface or its sub-interface, or a VE interface can be configured to function as a BOOTP client.

4. Run:
ip address bootp-alloc

The BOOTP client function is enabled on the AR150/200.

----End

6.6.4 Checking the Configuration

This section describes how to check the configurations of the DHCP/BOOTP client.

Prerequisites

The DHCP/BOOTP client configurations are complete.

Procedure

• Run the display current-configuration command to check the configurations of the DHCP/BOOTP client.

----End

Example

# Run the display current-configuration command to view the configurations of the DHCP client.

[Huawei] display current-configuration
...
#
interface Ethernet1/0/0
 ip address dhcp-alloc
#
...

# Run the display interface command to view the IP address that is obtained by the interface.

[Huawei] display interface ethernet 1/0/0
Ethernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, Ethernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP, 22.22.22.222/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc11-000a
Last physical up time : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
Input: 833 packets, 72696 bytes
 Unicast: 59, Multicast: 757
 Broadcast: 17, Jumbo: 0
 Discard: 0, Total Error: 0

6.7 Configuring the DHCP Rate Limit Function

You can configure the highest rate at which DHCP packets are sent to the protocol stack in the system view, VLAN view, or interface view. If different rates are configured in these views, the rate configured in the interface view takes effect. If this rate does not take effect, the rate configured in the VLAN view takes effect. If the rate configured in the VLAN view also does not take effect, the rate configured in the system view takes effect.

Applicable Environment

If network attackers send DHCP packets continuously, the DHCP protocol stack of the AR150/200 is affected.

To protect the AR150/200 against attacks that send a large number of DHCP packets, you can configure the highest rate at which DHCP packets are sent to the protocol stack on the AR150/200. After the configuration is complete, the AR150/200 checks the rates at which DHCP packets are sent to the AR150/200. Only a specific number of packets can be sent to the protocol stack in a specified period, and excess packets are discarded.

Procedure

• Configure the highest rate at which DHCP packets are sent to the protocol stack in the system view.

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

The DHCP function is enabled.

3. Run:
dhcp check dhcp-rate enable

The DHCP message checking is enabled.

By default, this function is disabled.

4. Run:
dhcp check dhcp-rate rate

The checking rate of DHCP messages sent to the DHCP protocol stack is configured.

By default, the rate does not exceed 100 pps. The DHCP messages that exceed the rate are discarded.

5. (Optional) Run:
dhcp check dhcp-rate alarm enable

The DHCP message checking alarm is enabled.

By default, this function is disabled.

6. (Optional) Run:
dhcp check dhcp-rate alarm threshold threshold

The alarm threshold for the DHCP message checking is configured.

By default, the threshold is 100. If the number of packets that are discarded because their sending rates exceed the upper limit is larger than the threshold, an alarm is generated.

• Configure the highest rate at which DHCP packets are sent to the protocol stack in the VLAN view.

1. Run:
system-view

The system view is displayed.

2. Run:
dhcp enable

The DHCP function is enabled.

3. Run:
vlan vlan-id

The VLAN view is displayed.

4. Run:
dhcp check dhcp-rate enable

The DHCP message checking is enabled.

By default, this function is disabled.

5. Run:
dhcp check dhcp-rate rate

The checking rate of DHCP messages sent to the DHCP protocol stack is configured.

By default, the rate does not exceed 100 pps. The DHCP messages that exceed the rate are discarded.

• Configure the highest rate at which DHCP packets are sent to the protocol stack in the interface view.

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
dhcp check dhcp-rate enable

The DHCP message checking is enabled.

By default, this function is disabled.

4. Run:
dhcp check dhcp-rate rate

The checking rate of DHCP messages sent to the DHCP protocol stack is configured.

By default, the rate does not exceed 100 pps. The DHCP messages that exceed the rate are discarded.

5. (Optional) Run:
dhcp alarm dhcp-rate enable

The DHCP message checking alarm on an interface is enabled.

By default, this function is disabled.

6. (Optional) Run:
dhcp alarm dhcp-rate threshold threshold

The alarm threshold for the DHCP message checking on an interface is configured.

By default, the threshold is 100. When the number of packets that are discarded because their sending rates exceed the upper limit is larger than the threshold, an alarm is generated.

----End

Checking the Configuration

# Run the display current-configuration | include dhcp command to check information about the rate limit for DHCP packets in the system view.

<Huawei> display current-configuration | include dhcp
It will take a long time if the content you search is too much or the string you input is too long, you can press CTRL_C to break
dhcp enable
dhcp check dhcp-rate enable
dhcp check dhcp-rate 90
dhcp check dhcp-rate alarm enable
dhcp check dhcp-rate alarm threshold 80
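The precedence among the interface, VLAN, and system views can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Huawei guide. It assumes that a view's rate takes effect only when that view contains dhcp check dhcp-rate enable, that a port's VLAN is the one named by port hybrid pvid vlan, and that VLAN-view commands are saved under a "vlan vlan-id" section; the sample configuration is constructed.

```python
import re

DEFAULT_RATE = 100  # pps; the default stated in this guide

# Constructed sample in the layout of a saved configuration (assumption:
# VLAN-view commands are stored under a "vlan <id>" section).
SAMPLE = """\
#
dhcp enable
dhcp check dhcp-rate enable
dhcp check dhcp-rate 90
dhcp check dhcp-rate alarm enable
dhcp check dhcp-rate alarm threshold 80
#
vlan 20
 dhcp check dhcp-rate enable
 dhcp check dhcp-rate 50
#
interface Ethernet0/0/0
 port hybrid pvid vlan 10
#
interface Ethernet0/0/1
 port hybrid pvid vlan 20
#
interface Ethernet0/0/2
 port hybrid pvid vlan 20
 dhcp check dhcp-rate enable
 dhcp check dhcp-rate 30
 dhcp alarm dhcp-rate enable
#
return
"""

HEADER = re.compile(r"(interface .+|vlan \d+)")


def parse(config):
    """Split a configuration into views and collect each view's rate-limit settings."""
    def new_view():
        return {"enabled": False, "rate": None, "alarm": False, "pvid": None}

    views = {"system": new_view()}
    current = "system"
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = "system"
            continue
        if not raw.startswith(" "):
            # An unindented line either opens a view or is a system-view command.
            if HEADER.fullmatch(line):
                current = line
                views.setdefault(current, new_view())
                continue
            current = "system"
        view = views[current]
        if line == "dhcp check dhcp-rate enable":
            view["enabled"] = True
        elif line in ("dhcp check dhcp-rate alarm enable", "dhcp alarm dhcp-rate enable"):
            view["alarm"] = True
        elif (m := re.fullmatch(r"dhcp check dhcp-rate (\d+)", line)):
            view["rate"] = int(m.group(1))
        elif (m := re.fullmatch(r"port hybrid pvid vlan (\d+)", line)):
            view["pvid"] = int(m.group(1))
    return views


def effective_rate(views, ifname):
    """Return (view, rate) for the first enabled view: interface, then VLAN, then system."""
    iface = views["interface " + ifname]
    chain = ["interface " + ifname]
    if iface["pvid"] is not None:
        chain.append("vlan %d" % iface["pvid"])
    chain.append("system")
    for name in chain:
        view = views.get(name)
        if view and view["enabled"]:
            rate = view["rate"] if view["rate"] is not None else DEFAULT_RATE
            return name, rate
    return None, None  # no view enables the check: DHCP packets are not rate limited


def audit(config):
    """Map each interface to (deciding view, rate in pps, alarm enabled in that view)."""
    views = parse(config)
    report = {}
    for name in views:
        if name.startswith("interface "):
            ifname = name[len("interface "):]
            source, rate = effective_rate(views, ifname)
            alarm = bool(source) and views[source]["alarm"]
            report[ifname] = (source, rate, alarm)
    return report


if __name__ == "__main__":
    for ifname, (source, rate, alarm) in audit(SAMPLE).items():
        limit = "no limit" if source is None else "%d pps from %s" % (rate, source)
        print("%-16s %-40s alarm=%s" % (ifname, limit, alarm))
```

Interfaces reported with no limit, or with a limit but no alarm, are the ones to review first.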

6.8 Maintaining DHCP

This section describes how to clear DHCP statistics and monitor DHCP status.

6.8.1 Clearing DHCP Statistics

This section describes how to clear statistics of a specified DHCP server group in routine maintenance.

Context

CAUTION
DHCP statistics cannot be restored after you clear them. Exercise caution when running reset commands.

Procedure

• Run the reset dhcp server statistics command in the user view to clear the statistics on a DHCP server.

• Run the reset dhcp relay statistics command in the user view to clear the statistics on a DHCP relay agent.

----End

6.8.2 Monitoring the Operating Status of DHCP

This section describes how to check the operating status of DHCP in any view for routine maintenance.

Procedure

• Run the display dhcp relay { all | interface interface-type interface-number } command to check the DHCP server group that is bound to the relay interface and information about the group servers.

• Run the display dhcp relay statistics command to check the statistics on a DHCP relay agent.

• Run the display dhcp server group [ group-name ] command to check the configurations of the servers in the DHCP server group.

----End


6.9 Configuration Examples

The DHCP configuration examples provide networking requirements, networking diagram, precautions, configuration roadmaps, and configuration procedures.

6.9.1 Example for Configuring a DHCP Server Based on a Global Address Pool in the Scenario Where DHCP Clients and the DHCP Server Are on the Same Network Segment

This section describes how to configure a DHCP server based on a global address pool in the scenario where DHCP clients and the DHCP server are on the same network segment. After the configuration is complete, the DHCP server can assign IP addresses in the global address pool to DHCP clients.

Networking Requirements

As shown in Figure 6-5, the two offices of a company are deployed on the same network. To save resources, all hosts in the two offices are assigned IP addresses by the Router that functions as a DHCP server.

Office 1 belongs to the network segment 10.1.1.0/25, and all hosts in Office 1 are added to VLAN 10. These hosts use the DNS service but not the NetBIOS service. Office 2 belongs to the network segment 10.1.1.128/25, and all hosts in Office 2 are added to VLAN 20. These hosts use both DNS and NetBIOS services.

A global address pool needs to be configured on the Router. In addition, IP addresses need to be dynamically assigned to the hosts in the two offices.

Figure 6-5 Networking diagram for configuring a DHCP server based on a global address pool

[Figure: the Router (DHCP server) serves Office1 (network 10.1.1.0/25, VLANIF10 10.1.1.1/25) and Office2 (network 10.1.1.128/25, VLANIF20 10.1.1.129/25) through Ethernet0/0/0 and Ethernet0/0/1; the diagram also shows the DHCP clients, the DNS server, and the NetBIOS server.]


Configuration Roadmap

The configuration roadmap is as follows:

1. Enable the DHCP function on the Router.
2. Create a global address pool for Office 1 and another for Office 2, and configure related attributes for each address pool, such as the address range, egress gateway, NetBIOS server address, and IP address lease.
3. Configure the address assignment method for VLANIF interfaces of the local DHCP server, that is, configure the DHCP server to assign IP addresses in global address pools to clients.

Data Preparation

To complete the configuration, you need the following data:

1. Names of the global address pools created for Office 1 and Office 2: pool1 and pool2 respectively
2. Address ranges of pool1 and pool2: 10.1.1.0/25 and 10.1.1.128/25 respectively
3. IP addresses of egress gateways configured for Office 1 and Office 2: 10.1.1.1 and 10.1.1.129 respectively
4. IP address leases for Office 1 and Office 2: 10 days and 2 days respectively
5. IP address of the DNS server: 10.1.1.2
6. IP address of the NetBIOS server: 10.1.1.4
7. IP addresses of VLANIF 10 and VLANIF 20: 10.1.1.1 and 10.1.1.129 respectively

Procedure

Step 1 Enable the DHCP function.

<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable

Step 2 Create IP address pools and configure related attributes.

# Create pool1 and configure attributes for pool1, including address range, DNS server address, egress gateway, and IP address lease.

[Router] ip pool pool1
[Router-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.128
[Router-ip-pool-pool1] dns-list 10.1.1.2
[Router-ip-pool-pool1] gateway-list 10.1.1.1
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.2
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.4
[Router-ip-pool-pool1] lease day 10
[Router-ip-pool-pool1] quit

# Create pool2 and configure attributes for pool2, including address range of pool2, DNS server address, egress gateway, and IP address lease.

[Router] ip pool pool2
[Router-ip-pool-pool2] network 10.1.1.128 mask 255.255.255.128
[Router-ip-pool-pool2] dns-list 10.1.1.2
[Router-ip-pool-pool2] nbns-list 10.1.1.4
[Router-ip-pool-pool2] gateway-list 10.1.1.129
[Router-ip-pool-pool2] lease day 2
[Router-ip-pool-pool2] quit

Step 3 Configure the address assignment method for VLANIF interfaces.

# Add Ethernet 0/0/0 and Ethernet 0/0/1 to the corresponding VLANs.

[Router] vlan batch 10 20
[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port hybrid pvid vlan 10
[Router-Ethernet0/0/0] port hybrid untagged vlan 10
[Router-Ethernet0/0/0] quit
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] port hybrid pvid vlan 20
[Router-Ethernet0/0/1] port hybrid untagged vlan 20
[Router-Ethernet0/0/1] quit

# Configure the clients connected to VLANIF 10 to obtain IP addresses from the global address pool.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.128
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit

# Configure the clients connected to VLANIF 20 to obtain IP addresses from the global address pool.

[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.1.129 255.255.255.128
[Router-Vlanif20] dhcp select global
[Router-Vlanif20] quit

Step 4 Verify the configuration.

Run the display ip pool command on the Router. You can view the configurations of the IP address pool.

[Router] display ip pool
 -----------------------------------------------------------------------
 Pool-name : pool1
 Pool-No : 0
 Position : Local Status : Unlocked
 Gateway-0 : 10.1.1.1
 Mask : 255.255.255.128
 Vpn instance : --

 -----------------------------------------------------------------------
 Pool-name : pool2
 Pool-No : 1
 Position : Local Status : Unlocked
 Gateway-0 : 10.1.1.129
 Mask : 255.255.255.128
 Vpn instance : --

 IP address Statistic
 Total :250
 Used :0 Idle :248
 Expired :0 Conflict :0 Disable :2

----End

Configuration Files

Configuration file of the Router

#
 sysname Router
#
 vlan batch 10 20
#
dhcp enable
#
 ip pool pool1
 ip pool pool2
#
ip pool pool1
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.128
 excluded-ip-address 10.1.1.2
 excluded-ip-address 10.1.1.4
 dns-list 10.1.1.2
 lease day 10 hour 0 minute 0
#
ip pool pool2
 gateway-list 10.1.1.129
 network 10.1.1.128 mask 255.255.255.128
 dns-list 10.1.1.2
 nbns-list 10.1.1.4
 lease day 2 hour 0 minute 0
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.128
 dhcp select global
#
interface Vlanif20
 ip address 10.1.1.129 255.255.255.128
 dhcp select global
#
interface Ethernet 0/0/0
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet 0/0/1
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#
return

6.9.2 Example for Configuring a DHCP Server Based on an Interface Address Pool in the Scenario Where DHCP Clients and the Server Are on the Same Network Segment

This section describes how to configure a DHCP server based on an interface address pool. After the configuration is complete, the clients can obtain IP addresses from the server that is on the same network as the DHCP clients.

Networking Requirements

As shown in Figure 6-6, the two offices of a company are deployed on the same network. To save resources, all hosts in the two offices are assigned IP addresses by the Router that functions as a DHCP server.

Office 1 belongs to the network segment 10.1.1.0/24, and all hosts in Office 1 are added to VLAN 10. These hosts use the DNS and NetBIOS services. Office 2 belongs to the network segment 10.1.2.0/24, and all hosts in Office 2 are added to VLAN 20. These hosts do not use DNS and NetBIOS services.

An interface address pool needs to be configured on the Router. In addition, IP addresses need to be dynamically assigned to the hosts in the two offices.


Figure 6-6 Networking diagram for configuring a DHCP server based on an interface address pool

[Figure: the Router (DHCP server) serves Office1 (VLANIF10 10.1.1.1/24) and Office2 (VLANIF20 10.1.2.1/24) through Ethernet0/0/0 and Ethernet0/0/1; the diagram also shows the DHCP clients, the DNS server (10.1.1.2/24), and the NetBIOS server (10.1.1.3/24).]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable the DHCP function on the Router.
2. Configure two VLANIF interfaces, and configure IP addresses for the VLANIF interfaces so that the interface address pool range can be determined.
3. Enable the interface address pool.
4. Configure address pool attributes for the clients, including the DNS server address, NetBIOS server address, and IP address leases.

Data Preparation

To complete the configuration, you need the following data:

1. IP addresses of VLANIF 10 and VLANIF 20: 10.1.1.1 and 10.1.2.1 respectively
2. IP address leases for Office 1 and Office 2: 30 days and 20 days respectively
3. IP address of the DNS server: 10.1.1.2
4. IP address of the NetBIOS server: 10.1.1.3

Procedure

Step 1 Enable the DHCP service.

<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable

Step 2 Configure the address assignment method for the VLANIF interfaces.

# Add Ethernet 0/0/0 and Ethernet 0/0/1 to the corresponding VLANs respectively.

[Router] vlan batch 10 20
[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port hybrid pvid vlan 10
[Router-Ethernet0/0/0] port hybrid untagged vlan 10
[Router-Ethernet0/0/0] quit
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] port hybrid pvid vlan 20
[Router-Ethernet0/0/1] port hybrid untagged vlan 20
[Router-Ethernet0/0/1] quit

# Configure the clients connected to VLANIF 10 to obtain IP addresses from the interface address pool.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Router-Vlanif10] dhcp select interface
[Router-Vlanif10] quit

# Configure the clients connected to VLANIF 20 to obtain IP addresses from the interface address pool.

[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Router-Vlanif20] dhcp select interface
[Router-Vlanif20] quit

Step 3 Configure the attributes related to DNS and NetBIOS services for the interface address pool.

# Configure the DNS and NetBIOS services for VLANIF 10 address pool.

[Router] interface vlanif 10
[Router-Vlanif10] dhcp server domain-name huawei.com
[Router-Vlanif10] dhcp server dns-list 10.1.1.2
[Router-Vlanif10] dhcp server nbns-list 10.1.1.3
[Router-Vlanif10] dhcp server excluded-ip-address 10.1.1.2
[Router-Vlanif10] dhcp server excluded-ip-address 10.1.1.3
[Router-Vlanif10] dhcp server netbios-type b-node

Step 4 Configure the IP address lease for the interface address pool.

# Set the IP address lease for Office 1 to 30 days.

[Router] interface vlanif 10
[Router-Vlanif10] dhcp server lease day 30
[Router-Vlanif10] quit

# Set the IP address lease for Office 2 to 20 days.

[Router] interface vlanif 20
[Router-Vlanif20] dhcp server lease day 20
[Router-Vlanif20] quit

Step 5 Verify the configuration.

Run the display ip pool interface command on the Router. You can view the configurations of the interface address pool.

[Router] display ip pool interface vlanif10
 Pool-name : vlanif10
 Pool-No : 0
 Lease : 30 Days 0 Hours 0 Minutes
 Domain-name : huawei.com
 DNS-Server0 : 10.1.1.2
 NBNS-Server0 : 10.1.1.3
 Netbios-type : b-node
 Position : Interface Status : Unlocked
 Gateway-0 : 10.1.1.1
 Mask : 255.255.255.0
 VPN instance : --
 -----------------------------------------------------------------------------
 Start End Total Used Idle(Expired) Conflict Disable
 -----------------------------------------------------------------------------
 10.1.1.1 10.1.1.254 253 0 251 0 0 2
 -----------------------------------------------------------------------------
[Router] display ip pool interface vlanif20
 Pool-name : vlanif20
 Pool-No : 1
 Lease : 20 Days 0 Hours 0 Minutes
 Domain-name : -
 DNS-Server0 : -
 NBNS-Server0 : -
 Netbios-type : -
 Position : Interface Status : Unlocked
 Gateway-0 : 10.1.2.1
 Mask : 255.255.255.0
 VPN instance : --
 -----------------------------------------------------------------------------
 Start End Total Used Idle(Expired) Conflict Disable
 -----------------------------------------------------------------------------
 10.1.2.1 10.1.2.254 253 0 253 0 0 0
 -----------------------------------------------------------------------------

----End
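The Total, Idle, and Disable counts shown in the verification output of the global-pool and interface-pool examples can be reproduced from the pool definitions, which gives a quick check that statically addressed servers inside a pool are excluded from assignment. The following Python sketch is an added example, not part of the Huawei guide; it assumes that Total counts host addresses minus gateway addresses and that Disable counts excluded-ip-address entries, and the function and variable names are illustrative.

```python
import ipaddress

# Pool definitions taken from the two examples: (network, gateways, excluded addresses).
GLOBAL_POOLS = {
    "pool1": ("10.1.1.0/25", ["10.1.1.1"], ["10.1.1.2", "10.1.1.4"]),
    "pool2": ("10.1.1.128/25", ["10.1.1.129"], []),
}
INTERFACE_POOLS = {
    "vlanif10": ("10.1.1.0/24", ["10.1.1.1"], ["10.1.1.2", "10.1.1.3"]),
    "vlanif20": ("10.1.2.0/24", ["10.1.2.1"], []),
}


def pool_stats(network, gateways=(), excluded=()):
    """Return (total, disabled, idle) for a pool with no leases handed out yet."""
    hosts = set(ipaddress.ip_network(network).hosts())
    gw = {ipaddress.ip_address(a) for a in gateways}
    ex = {ipaddress.ip_address(a) for a in excluded}
    outside = sorted(str(a) for a in (gw | ex) - hosts)
    if outside:
        # A gateway or exclusion outside the pool usually means a typing error.
        raise ValueError("not a host address of %s: %s" % (network, ", ".join(outside)))
    total = len(hosts - gw)   # assumption: gateway addresses are never assignable
    disabled = len(ex - gw)   # assumption: "Disable" counts excluded addresses
    return total, disabled, total - disabled


def totals(pools):
    """Sum (total, disabled, idle) over all pools, as the global statistic does."""
    stats = [pool_stats(*definition) for definition in pools.values()]
    return tuple(sum(column) for column in zip(*stats))


def unprotected_servers(pools, static_servers):
    """List statically addressed servers that sit inside a pool without being excluded."""
    findings = []
    for name, (network, gateways, excluded) in pools.items():
        net = ipaddress.ip_network(network)
        reserved = {ipaddress.ip_address(a) for a in tuple(gateways) + tuple(excluded)}
        for role, addr in static_servers.items():
            ip = ipaddress.ip_address(addr)
            if ip in net and ip not in reserved:
                findings.append((name, role, addr))
    return findings


if __name__ == "__main__":
    print("global pools (total, disabled, idle):", totals(GLOBAL_POOLS))
    for name, definition in INTERFACE_POOLS.items():
        print(name, pool_stats(*definition))
    servers = {"dns": "10.1.1.2", "netbios": "10.1.1.4"}
    print("unprotected servers:", unprotected_servers(GLOBAL_POOLS, servers))
```

A non-empty result from unprotected_servers means the DHCP server could lease a server's address to a client and cause an address conflict.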

Example

Configuration file of the Router

#
 sysname Router
#
 vlan batch 10 20
#
dhcp enable
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.1.1.2
 dhcp server netbios-type b-node
 dhcp server nbns-list 10.1.1.3
 dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
 dhcp server lease day 30 hour 0 minute 0
 dhcp server domain-name huawei.com
#
interface Vlanif20
 ip address 10.1.2.1 255.255.255.0
 dhcp select interface
 dhcp server lease day 20 hour 0 minute 0
#
interface Ethernet 0/0/0
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet 0/0/1
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#
return


6.9.3 Example for Configuring a DHCP Server and a DHCP Relay Agent When the DHCP Server and Clients Are on Different Network Segments

This section describes how to configure a DHCP server and a DHCP relay agent when the DHCP clients and DHCP server are on different network segments.

Networking Requirements

As shown in Figure 6-7, multiple offices of a company are in different commercial buildings, and the hosts in one office are on the same VLAN. RouterB that functions as a DHCP server is required to assign IP addresses to hosts in different offices.

Hosts in Office A of the company are on the network segment 20.20.20.0/24, and the DHCP server is on the network segment 100.10.10.0/24. RouterA must be configured to function as a DHCP relay agent to forward DHCP packets so that the DHCP clients can obtain IP addresses and other configurations from the DHCP server.

On RouterA, the public address of Ethernet0/0/8 is 100.10.20.1/24 and the interface address of RouterA connected to the carrier device is 100.10.20.2/24.

On RouterB, the public address of Ethernet3/0/0 is 100.10.10.1/24 and the interface address of RouterB connected to the carrier device is 100.10.10.2/24.

Figure 6-7 Networking diagram for configuring the DHCP relay

[Figure: the DHCP clients in Office A (VLAN100) connect to Ethernet2/0/0 of RouterA (DHCP relay, VLANIF100 20.20.20.1/24); Ethernet0/0/8 of RouterA (100.10.20.1/24) reaches Ethernet3/0/0 of RouterB (DHCP server, 100.10.10.1/24) across the Internet.]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure the DHCP relay function on RouterA. RouterA can forward DHCP packets between the hosts in Office A and hosts in other network segments.

2. Configure a global address pool 20.20.20.0/24 on RouterB. RouterB can assign IP addresses in the global address pool to hosts in Office A on a different network segment.

Data Preparation

To complete the configuration, you need the following data:

1. Name of the DHCP server group: dhcpgroup1
2. IP address of the DHCP server: 100.10.10.1
3. VLAN that Office A belongs to: VLAN 100
4. IP address of VLANIF 100: 20.20.20.1
5. Name of the global address pool: pool1
6. Address range of pool1: 20.20.20.0/24
7. IP address of the egress gateway configured for Office A: 20.20.20.1

Procedure

• Configure the DHCP relay function on RouterA.

1. Create a DHCP server group and add a DHCP server to the group.

# Create a DHCP server group.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp server group dhcpgroup1

# Add a DHCP server to the DHCP server group.

[RouterA-dhcp-server-group-dhcpgroup1] dhcp-server 100.10.10.1
[RouterA-dhcp-server-group-dhcpgroup1] quit

2. Enable the DHCP relay function on VLANIF 100.

# Create a VLAN and add Ethernet 2/0/0 to the VLAN.

[RouterA] vlan batch 100
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] port hybrid pvid vlan 100
[RouterA-Ethernet2/0/0] port hybrid untagged vlan 100
[RouterA-Ethernet2/0/0] quit

# Enable the DHCP function globally and the DHCP relay function on VLANIF 100.

[RouterA] dhcp enable
[RouterA] interface vlanif 100
[RouterA-Vlanif100] dhcp select relay
[RouterA-Vlanif100] quit

3. Bind the DHCP server group to VLANIF 100.

# Configure an IP address for VLANIF 100.

[RouterA] interface vlanif 100
[RouterA-Vlanif100] ip address 20.20.20.1 24


# Bind the DHCP server group to VLANIF 100.

[RouterA-Vlanif100] dhcp relay server-select dhcpgroup1
[RouterA-Vlanif100] quit

• Configure a default route on RouterA.

[RouterA] ip route-static 0.0.0.0 0.0.0.0 100.10.20.2

• Configure RouterB to function as a DHCP server based on a global address pool.

1. Enable the DHCP service.

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable

2. Configure Ethernet3/0/0 to select a global address pool for address allocation.

[RouterB] interface ethernet 3/0/0
[RouterB-Ethernet3/0/0] ip address 100.10.10.1 24
[RouterB-Ethernet3/0/0] dhcp select global
[RouterB-Ethernet3/0/0] quit

3. Create an address pool and configure related attributes.

[RouterB] ip pool pool1
[RouterB-ip-pool-pool1] network 20.20.20.0 mask 24
[RouterB-ip-pool-pool1] gateway-list 20.20.20.1
[RouterB-ip-pool-pool1] quit

4. Configure a static route from the DHCP server to RouterA. This ensures that the route from the DHCP server to the network segment 20.20.20.0/24 is reachable. (The configuration details are not provided here.)

• Configure a default route on RouterB.

[RouterB] ip route-static 0.0.0.0 0.0.0.0 100.10.10.2

• Verify the configuration.

# Run the display dhcp relay command on RouterA. You can view the DHCP relay configurations on VLANIF 100.

[RouterA] display dhcp relay interface vlanif 100
 ** Vlanif100 DHCP Relay Configuration **
 DHCP server group name : dhcpgroup1
 DHCP server IP [0]     :100.10.10.1

# Run the display ip pool command on RouterB. You can view the configurations of the IP address pool.

[RouterB] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : pool1
  Pool-No        : 0
  Position       : Local           Status           : Unlocked
  Gateway-0      : 10.1.1.1
  Mask           : 255.255.255.0
  Vpn instance   : --

  IP address Statistic
    Total       :250
    Used        :0          Idle        :248
    Expired     :0          Conflict    :0          Disable   :2

----End

Configuration Files

Configuration file of RouterA


#
 sysname RouterA
#
 vlan 100
#
 dhcp enable
#
dhcp server group dhcpgroup1
 dhcp-server 100.10.10.1
#
interface Vlanif100
 ip address 20.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select dhcpgroup1
#
interface Ethernet 2/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
 ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
#
return

Configuration file of RouterB

#
 sysname RouterB
#
 vlan batch 20
#
 dhcp enable
#
ip pool pool1
 network 20.20.20.0 mask 255.255.255.0
 gateway-list 20.20.20.1
#
interface Ethernet3/0/0
 ip address 100.10.10.1 255.255.255.0
 dhcp select global
#
 ip route-static 0.0.0.0 0.0.0.0 100.10.10.2
#
return
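A consistency check over the two configuration files above, added here as an example (it is not part of the Huawei guide or of any Huawei tool). It verifies that the relay interface is bound to a defined server group, that the group points at an interface serving from global pools, and that a pool on the server contains the relay interface address, which the relay places in giaddr and the server uses to choose a pool. Assumptions: the function names are hypothetical, and only the DHCP-relevant sections of the files are retyped.

```python
import ipaddress

# DHCP-relevant sections of the two configuration files above, retyped.
ROUTER_A = """
#
 dhcp enable
#
dhcp server group dhcpgroup1
 dhcp-server 100.10.10.1
#
interface Vlanif100
 ip address 20.20.20.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select dhcpgroup1
#
"""
ROUTER_B = """
#
 dhcp enable
#
ip pool pool1
 network 20.20.20.0 mask 255.255.255.0
 gateway-list 20.20.20.1
#
interface Ethernet3/0/0
 ip address 100.10.10.1 255.255.255.0
 dhcp select global
#
"""

def parse_sections(text):
    """Map each section's first line to its sub-commands ('#' ends a section)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None
        elif current is None:
            current = line
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def interface_ip(cmds):
    """Return the configured address as an ip_interface, or None if unset."""
    for cmd in cmds:
        parts = cmd.split()
        if parts[:2] == ["ip", "address"] and len(parts) == 4:
            return ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return None

def audit_relay(relay_cfg, server_cfg):
    """Return a list of findings; empty means relay and server settings agree."""
    relay, server = parse_sections(relay_cfg), parse_sections(server_cfg)
    findings = [f"{role}: 'dhcp enable' missing"
                for role, cfg in (("relay", relay), ("server", server))
                if "dhcp enable" not in cfg]
    groups = {h.split()[-1]: [c.split()[1] for c in cmds if c.startswith("dhcp-server ")]
              for h, cmds in relay.items() if h.startswith("dhcp server group ")}
    # Addresses on which the server answers from its global pools.
    serving = {str(interface_ip(cmds).ip) for h, cmds in server.items()
               if h.startswith("interface ") and "dhcp select global" in cmds
               and interface_ip(cmds)}
    pools = {}
    for h, cmds in server.items():
        if h.startswith("ip pool "):
            name, words = h.split()[-1], [c.split() for c in cmds]
            nets = [ipaddress.ip_network(f"{w[1]}/{w[3]}") for w in words
                    if w[0] == "network" and len(w) == 4]
            for gw in (a for w in words if w[0] == "gateway-list" for a in w[1:]):
                if not nets or ipaddress.ip_address(gw) not in nets[0]:
                    findings.append(f"pool {name}: gateway {gw} is outside the pool network")
            if nets:
                pools[name] = nets[0]
    for h, cmds in relay.items():
        if not h.startswith("interface ") or "dhcp select relay" not in cmds:
            continue
        bound = [c.split()[-1] for c in cmds if c.startswith("dhcp relay server-select ")]
        if not bound:
            findings.append(f"{h}: relay enabled but no server group bound")
        for group in bound:
            if not groups.get(group):
                findings.append(f"{h}: server group {group} is undefined or empty")
            for ip in groups.get(group, []):
                if ip not in serving:
                    findings.append(f"{h}: {ip} is not a 'dhcp select global' interface")
        # The relay writes its interface address into giaddr; the server picks
        # the pool whose network contains giaddr (RFC 2131).
        giaddr = interface_ip(cmds)
        if giaddr is None:
            findings.append(f"{h}: relay interface has no IP address to use as giaddr")
        elif not any(giaddr.ip in net for net in pools.values()):
            findings.append(f"{h}: no server pool covers relay address {giaddr.ip}")
    return findings

if __name__ == "__main__":
    print(audit_relay(ROUTER_A, ROUTER_B) or "relay and server configuration agree")
```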

6.9.4 Example for Configuring the DHCP and BOOTP Clients

This section describes how to configure the DHCP and BOOTP clients.

Networking Requirements

As shown in Figure 6-8, Router A functions as a DHCP client; Router B functions as a BOOTP client; Router C functions as a DHCP server. Router A dynamically obtains an IP address, a DNS server address, and a gateway address from Router C. Router B obtains an IP address from an IP-MAC binding entry, a DNS server address, and a gateway address from Router C functioning as a DHCP server.

NOTE

AR150/200 is RouterA, RouterC, or RouterD.


Figure 6-8 Networking diagram for configuring DHCP and BOOTP clients

[Figure not reproduced. Labels in the diagram: RouterC (DHCP server) with Eth1/0/0 10.1.1.1/24; RouterB (BOOTP client) with Eth1/0/0; RouterA (DHCP client) with Eth1/0/0; Gateway 10.1.1.126/24; DNS server 10.1.1.2/24.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable the DHCP client function on Router A.
2. Enable the BOOTP client function on Router B.
3. Create a global address pool on Router C and configure related attributes.

Data Preparation

To complete the configuration, you need the following data:

1. MAC address of Eth 1/0/0 on Router B: a234-e211-a256
2. IP address of Eth1/0/0 on Router C: 10.1.1.1
3. IP address of the egress gateway configured for the DHCP client: 10.1.1.126
4. IP address of the DNS server connected to the DHCP client: 10.1.1.2

Procedure

• Configure the DHCP client function on Router A.

# Enable the DHCP service.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable

# Enable the DHCP client function on Eth 1/0/0.

[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address dhcp-alloc

• Configure the BOOTP client function on Router B.

# Enable the DHCP service.

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable


# Enable the BOOTP client function on Eth 1/0/0.

[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ip address bootp-alloc

• Create a global address pool on Router C and configure related attributes.

1. Enable the DHCP service.

<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] dhcp enable

2. Configure Eth 1/0/0 to select a global address pool for IP address allocation.

[RouterC] interface Ethernet 1/0/0
[RouterC-Ethernet1/0/0] ip address 10.1.1.1 24
[RouterC-Ethernet1/0/0] dhcp select global
[RouterC-Ethernet1/0/0] quit

3. Create an address pool and configure related attributes.

[RouterC] ip pool pool1
[RouterC-ip-pool-pool1] network 10.1.1.0 mask 24
[RouterC-ip-pool-pool1] gateway-list 10.1.1.126
[RouterC-ip-pool-pool1] static-bind ip-address 10.1.1.3 mac-address a234-e211-a256
[RouterC-ip-pool-pool1] dns-list 10.1.1.2
[RouterC-ip-pool-pool1] quit

• Verify the configuration.

# Run the display current-configuration command on Router A. You can view the configurations of the DHCP client function.

[RouterA] display current-configuration
...
#
interface Ethernet1/0/0
 ip address dhcp-alloc
#
...

# Run the display interface command on Router A after the interface obtains an IP address. You can view the IP address of the interface.

[RouterA] display interface ethernet 1/0/0
Ethernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, Ethernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP,10.1.1.11/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc11-000a
Last physical up time   : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100,  Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
Input: 833 packets, 72696 bytes
  Unicast: 59, Multicast: 757
  Broadcast: 17, Jumbo: 0
  Discard: 0, Total Error: 0

# Run the display current-configuration command on Router B. You can view the configurations of the BOOTP client function.

[RouterB] display current-configuration
...
#
interface Ethernet1/0/0
 ip address bootp-alloc
#
...

# Run the display interface command on Router B after the interface obtains an IP address. You can view the IP address of the interface.

[RouterB] display interface ethernet 1/0/0
Ethernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, Ethernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP,10.1.1.22/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc11-000a
Last physical up time   : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100,  Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
Input: 833 packets, 72696 bytes
  Unicast: 59, Multicast: 757
  Broadcast: 17, Jumbo: 0
  Discard: 0, Total Error: 0


# Run the display ip pool command on Router C. You can view the configuration of the IP address pool on Router C.

[RouterC] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : pool1
  Pool-No        : 0
  Position       : Local           Status           : Unlocked
  Gateway-0      : 10.1.1.126
  Mask           : 255.255.255.0
  Vpn instance   : --

  IP address Statistic
    Total       :250
    Used        :1          Idle        :248
    Expired     :0          Conflict    :0          Disable   :2

----End

Example

Configuration file of Router A

#
 sysname RouterA
#
 dhcp enable
#
interface Ethernet 1/0/0
 ip address dhcp-alloc
#
return

Configuration file of Router B

#
 sysname RouterB
#
 dhcp enable
#
interface Ethernet 1/0/0
 ip address bootp-alloc
#
return

Configuration file of Router C

#
 sysname RouterC
#
 dhcp enable
#
ip pool pool1
 network 10.1.1.0 mask 24
 gateway-list 10.1.1.126
 static-bind ip-address 10.1.1.3 mac-address a234-e211-a256
 dns-list 10.1.1.2
#
interface Ethernet 1/0/0
 ip address 10.1.1.1 24
 dhcp select global
#
return


6.9.5 Example for Configuring DHCP Rate Limit

This section describes how to configure the highest rate at which DHCP packets are sent to the protocol stack and the alarm function of DHCP rate limit.

Networking Requirements

As shown in Figure 6-9, a department uses Router A to directly connect the client. Hosts in this department function as DHCP clients and are assigned IP addresses by the DHCP server. If an attacker sends a large number of DHCP packets to Router A, the CPU resources of Router A will become insufficient. As a result, the requests of authorized users cannot be processed in time. To avoid this problem, network administrators limit the rate at which DHCP packets are sent to Router A. This allows Router A to effectively defend against DHCP attack packets, and to process requests of authorized users in time.

Figure 6-9 Networking diagram for configuring the DHCP relay

[Figure not reproduced. Labels in the diagram: DHCP Server, Internet, DHCP Relay, RouterB, RouterA, two DHCP clients, Attacker.]

Configuration Roadmap

The configuration roadmap is as follows:

• Configure the highest rate at which DHCP packets are sent to Router A in the system view. This allows Router A to keep the rate at which DHCP packets are received within a normal range.

Data Preparation

1. Highest rate at which DHCP packets are sent to the protocol stack: 90 pps

2. Alarm threshold: 80


Procedure

Step 1 Enable the DHCP service.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable

Step 2 Configure the highest rate at which DHCP packets are sent to the protocol stack.

# Enable the system to check the rate at which DHCP packets are sent to the protocol stack.

[RouterA] dhcp check dhcp-rate enable

# Configure the highest rate at which DHCP packets are sent to the protocol stack.

[RouterA] dhcp check dhcp-rate 90

Step 3 Configure the alarm function.

# Enable the alarm function.

[RouterA] dhcp check dhcp-rate alarm enable

# Configure an alarm threshold.

[RouterA] dhcp check dhcp-rate alarm threshold 80

Step 4 Verify the configuration.

# Run the display current-configuration | include dhcp command on Router A. You can see that the DHCP function and DHCP rate limit have been enabled in the global view.

[RouterA] display current-configuration | include dhcp
It will take a long time if the content you search is too much or the string you
input is too long, you can press CTRL_C to break
 dhcp enable
 dhcp check dhcp-rate enable
 dhcp check dhcp-rate 90
 dhcp check dhcp-rate alarm enable
 dhcp check dhcp-rate alarm threshold 80

----End

Configuration Files

Configuration file of Router A

#
 sysname RouterA
#
 dhcp enable
 dhcp check dhcp-rate enable
 dhcp check dhcp-rate 90
 dhcp check dhcp-rate alarm enable
 dhcp check dhcp-rate alarm threshold 80
#
return
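A small model of the limiter configured above, added here as an example (it is not Huawei's implementation): at most 90 DHCP packets per second reach the protocol stack, the rest are discarded, and an alarm is raised once 80 packets have been discarded. Assumptions: fixed one-second windows, an alarm threshold that counts discarded packets, and constructed traffic with hypothetical source labels.

```python
from collections import Counter

RATE_PPS = 90         # from "dhcp check dhcp-rate 90"
ALARM_THRESHOLD = 80  # from "dhcp check dhcp-rate alarm threshold 80"


def rate_limit(packets, rate=RATE_PPS, alarm_threshold=ALARM_THRESHOLD):
    """Model a per-second DHCP limiter in front of the protocol stack.

    packets: (timestamp_ms, source) tuples in time order.
    Returns (passed, discarded, alarm_ms): per-source Counters, plus the
    timestamp at which the discard total first reached the threshold
    (None if it never did). Assumptions: fixed one-second windows, and an
    alarm threshold that counts discarded packets."""
    passed, discarded = Counter(), Counter()
    window, in_window, dropped_total, alarm_ms = None, 0, 0, None
    for ts_ms, source in packets:
        second = ts_ms // 1000
        if second != window:              # a new one-second window starts
            window, in_window = second, 0
        if in_window < rate:
            in_window += 1
            passed[source] += 1
            continue
        discarded[source] += 1
        dropped_total += 1
        if alarm_ms is None and dropped_total >= alarm_threshold:
            alarm_ms = ts_ms
    return passed, discarded, alarm_ms


def constructed_traffic():
    """Second 0: five client requests. Second 1: five client requests inside
    a 500 pps burst from one source (constructed data, timestamps in ms)."""
    quiet = [(i * 200, "client") for i in range(5)]
    burst = [(1000 + 2 * i, "attacker") for i in range(500)]
    clients = [(1051 + 200 * i, "client") for i in range(5)]
    return sorted(quiet + burst + clients)


if __name__ == "__main__":
    passed, discarded, alarm_ms = rate_limit(constructed_traffic())
    print("passed   :", dict(passed))
    print("discarded:", dict(discarded))
    print("alarm at :", alarm_ms, "ms")
```

In this model the limit applies to all DHCP packets together, so client requests that arrive during the flooded second compete with the burst for the same 90 slots.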


7 IP Performance Configuration

About This Chapter

You can set parameters for IP packets to improve network performance.

7.1 IP Performance Overview
You can set parameters for IP packets to improve network performance.

7.2 IP Performance Features Supported by the AR150/200
This section describes IP performance features supported by the AR150/200.

7.3 Optimizing IP Performance
You can set parameters for IP packets to optimize network performance.

7.4 Configuring Load Balancing for IP Packet Forwarding
Unequal-Cost Multiple Path (UCMP) improves packet forwarding performance on a network.

7.5 Configuring TCP Attributes
You can configure TCP attributes to improve network performance.

7.6 Maintaining IP Performance
You can maintain IP performance by clearing IP performance statistics, and monitoring the IP running status.

7.7 Configuration Examples
This section provides IP performance configuration examples.


7.1 IP Performance Overview

You can set parameters for IP packets to improve network performance.

7.2 IP Performance Features Supported by the AR150/200

This section describes IP performance features supported by the AR150/200.

The AR150/200 supports the following IP performance features:

• Sending ICMP redirection packets
• Setting the TCP FIN-Wait timer
• Setting the TCP SYN-Wait timer
• Setting the packet receive or transmit buffer of a connection-oriented socket
• Configuring flow-based Equal-Cost Multipath (ECMP) during IP packet forwarding
• Collecting and displaying TCP traffic, IP traffic, UDP traffic, and socket monitor statistics
• Checking validity of source IP addresses
• Forwarding broadcast packets
• Controlling IP packets with source route options
• Fragmenting IP packets
• Setting the Aging Time of the PMTU
• Setting the MSS of TCP Packets on an Interface

7.3 Optimizing IP Performance

You can set parameters for IP packets to optimize network performance.

7.3.1 Establishing the Configuration Task

Before optimizing IP performance, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On certain networks, you need to modify parameters for IP packets to optimize network performance.

Pre-configuration Tasks

Before optimizing IP performance, complete the following tasks:

• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up


• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Configuring IP addresses for interfaces
• Configuring an ACL

Data Preparation

To optimize IP performance, you need the following data.

No.  Data
1    Number of the interface where validity of source addresses of received packets will be checked
2    Number of an ACL and number of the interface that will forward broadcast packets
3    Number of the interface that will reset the DF field of packets
4    Number of the interface where ICMP redirection will be configured

7.3.2 Checking Validity of Source IP Addresses of Received Packets

You can enable an interface to check validity of source IP addresses of received packets. This improves network security.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip verify source-address

The interface is enabled to check validity of source IP addresses of received packets.

By default, an interface does not check validity of source IP addresses of received packets.

The AR150/200 only checks validity of source IP addresses of packets forwarded from an interface to the CPU.

----End

7.3.3 Controlling IP packets with Source Route Options

By controlling IP packets with source route options, the AR150/200 can prevent malicious attackers from detecting network topologies by using source route options. This improves network security.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
discard srr

The interface is configured to discard IP packets with source route options.

----End
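How a packet with a source route option is recognized, added here as an example (it is not the AR150/200's implementation or code from the Huawei guide): IPv4 carries source routing in two header options defined in RFC 791, Loose Source and Record Route (type 131) and Strict Source and Record Route (type 137). The function names, including the discard_srr helper named after the command, are hypothetical, and the sample headers are constructed.

```python
import struct

LSRR, SSRR = 131, 137   # RFC 791: Loose / Strict Source and Record Route
EOL, NOP = 0, 1         # single-byte options, no length field


def ipv4_options(header: bytes):
    """Yield (option_type, option_data) for each option in a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    i = 20
    while i < ihl:
        opt = header[i]
        if opt == EOL:
            return
        if opt == NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option has no length byte")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("option length runs past the header")
        yield opt, header[i + 2:i + length]
        i += length


def source_route(header: bytes):
    """Return (kind, pointer, hops) for an LSRR/SSRR option, None if absent.

    A header whose options cannot be parsed is reported as kind "malformed",
    so the filter below fails closed (a choice made for this example)."""
    try:
        for opt, data in ipv4_options(header):
            if opt not in (LSRR, SSRR):
                continue
            if not data or (len(data) - 1) % 4:
                return ("malformed", 0, [])
            hops = [".".join(map(str, data[j:j + 4])) for j in range(1, len(data), 4)]
            return ("LSRR" if opt == LSRR else "SSRR", data[0], hops)
    except ValueError:
        return ("malformed", 0, [])
    return None


def discard_srr(headers):
    """Keep only the headers that carry no source route option."""
    return [h for h in headers if source_route(h) is None]


def build_header(options: bytes = b"") -> bytes:
    """Constructed test header, 192.0.2.1 -> 198.51.100.7, options padded with EOL."""
    options += b"\x00" * (-len(options) % 4)
    ver_ihl = (4 << 4) | (5 + len(options) // 4)
    fixed = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(options), 0, 0, 64, 17, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options


# Constructed samples (documentation address ranges only).
PLAIN = build_header()
RECORD_ROUTE = build_header(bytes([7, 7, 4, 0, 0, 0, 0]))   # Record Route is not source routing
LOOSE = build_header(bytes([NOP, LSRR, 11, 4, 203, 0, 113, 1, 203, 0, 113, 2]))
STRICT = build_header(bytes([SSRR, 7, 4, 203, 0, 113, 9]))
TRUNCATED = build_header(bytes([LSRR, 40, 4, 1]))            # length runs past the header

if __name__ == "__main__":
    for name in ("PLAIN", "RECORD_ROUTE", "LOOSE", "STRICT", "TRUNCATED"):
        print(name, source_route(globals()[name]))
```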

7.3.4 Configuring an Interface to Forward Broadcast Packets

By configuring an interface to forward broadcast packets, you can improve network performance.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip forward-broadcast [ acl acl-number ]

The interface is configured to forward broadcast packets.

By default, an interface does not forward broadcast packets.

----End

7.3.5 Configuring an Outbound Interface to Fragment IP Packets

You can configure an outbound interface to fragment IP packets.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number


The interface view is displayed.

NOTE

The function that resets the DF field is valid for outgoing packets; therefore, this function must be configured on the outbound interface.

Step 3 Run:
clear ip df

The interface is configured to fragment outgoing IP packets.

By default, an interface does not fragment outgoing IP packets.

----End

7.3.6 Configuring an Interface to Send ICMP Redirection Packets

By configuring an interface to send ICMP redirection packets, the router can defend against attacks by using ICMP packets.

Context

By default, an interface is enabled to send ICMP redirection packets.

CAUTION

If an interface is not enabled to send ICMP redirection packets, the router does not send ICMP redirection packets.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
icmp redirect send

The interface is enabled to send ICMP redirection packets.

----End

7.3.7 Setting the Mode in Which Protocol Packets Are Sent

You can set the mode in which protocol packets are sent to control IP unicast protocol packets.


Context

By default, IP unicast protocol packets generated by the AR150/200 are scheduled first and can preempt all the bandwidth.

You can change the priority of IP unicast protocol packets generated by the AR150/200 to implement proper bandwidth allocation.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip soft-forward enhance enable

The enhanced IP forwarding function is enabled on the AR150/200.

Step 3 Run:
set priority

The DSCP priority of IP unicast protocol packets is set.

----End

7.3.8 Checking the Configuration

After optimizing IP performance, you can view the IP performance configuration.

Procedure

• Run the display udp statistics command to check the UDP traffic statistics.
• Run the display ip interface [ interface-type interface-number ] or display ip interface brief [ interface-type interface-number ] command to check information about the interface.
• Run the display ip statistics command to check the IP traffic statistics.
• Run the display icmp statistics command to check the ICMP traffic statistics.
• Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type socket-type ] command to check the IP socket information.

----End

Example

# Run the display udp statistics command, and you can view the UDP traffic statistics.

<Huawei> display udp statistics
Received packets:
    Total: 13228
    Total(64bit high-capacity counter): 13228
    checksum error: 0
    shorter than header: 0, data length larger than packet: 0
    unicast(no socket on port): 0
    broadcast/multicast(no socket on port): 954
    not delivered, input socket full: 0
    input packets missing pcb cache: 0
Sent packets:
    Total: 11904
    Total(64bit high-capacity counter): 11904

# Run the display ip interface command, and you can view information about the interface.

<Huawei> display ip interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
Directed-broadcast packets:
 received packets: 0, sent packets: 0
 forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
  Request packet: 0
  Reply packet: 0
  Unknown packet: 0
Internet protocol processing : disabled
Broadcast address : 0.0.0.0
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
  Echo reply: 0
  Unreachable: 0
  Source quench: 0
  Routing redirect: 0
  Echo request: 0
  Router advert: 0
  Router solicit: 0
  Time exceed: 0
  IP header bad: 0
  Timestamp request: 0
  Timestamp reply: 0
  Information request: 0
  Information reply: 0
  Netmask request: 0
  Netmask reply: 0
  Unknown type: 0

# Run the display ip statistics command, and you can view the IP traffic statistics.

<Huawei> display ip statistics
  Input:      sum 31786            local 31786
              bad protocol 0       bad format 0
              bad checksum 0       bad options
              discard srr 0        TTL exceeded 0
  Output:     forwarding 0         local 41289
              dropped 0            no route 1
  Fragment:   input 0              output 0
              dropped 0
              fragmented 0         couldn't fragment 0
  Reassembling:sum 0               timeouts 0

# Run the display icmp statistics command, and you can view the ICMP traffic statistics.

<Huawei> display icmp statistics
  Input: bad formats 0             bad checksum 0
         echo 0                    destination unreachable 0
         source quench 0           redirects 0
         echo reply 0              parameter problem 0
         timestamp 0               information request 0
         mask requests 0           mask replies 0
         time exceeded 0
         Mping request 0           Mping reply 0
  Output:echo 0                    destination unreachable 168
         source quench 0           redirects 0
         echo reply 0              parameter problem 0
         timestamp 0               information reply 0
         mask requests 0           mask replies 0
         time exceeded 0
         Mping request 0           Mping reply 0

7.4 Configuring Load Balancing for IP Packet Forwarding

Unequal-Cost Multiple Path (UCMP) improves packet forwarding performance on a network.

7.4.1 Establishing the Configuration Task

Before configuring load balancing for IP packet forwarding, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On the AR150/200, there are multiple equal-cost routes over multiple equal-cost links to a destination. Among the equal-cost links, there are high-speed links and low-speed links.

NOTE

If multiple routes to the same destination have the same preference, the same number of hops, and the same cost, these routes are equal-cost routes.

By default, the AR150/200 uses the flow-based ECMP mode, in which traffic is evenly load balanced among equal-cost links regardless of the bandwidth. In this mode, congestion may occur on low-speed links and bandwidth of high-speed links cannot be used efficiently.

ECMP evenly load balances traffic over multiple equal-cost links, regardless of the bandwidth. Consequently, traffic congestion may occur on low-speed links and bandwidth of high-speed links cannot be used efficiently. To load balance traffic on the equal-cost links based on bandwidth, configure UCMP.

Pre-configuration Tasks

Before configuring load balancing for IP packet forwarding, complete the following tasks:

• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
• Setting parameters for data link layer protocols on interfaces to ensure that the data link layer protocol status of the interfaces is Up

Data Preparation

To configure load balancing for IP packet forwarding, you need the following data.

No.  Data
1    Number of the interface where UCMP will be enabled
2    (Optional) Number of the interface where the bandwidth will be configured manually
3    (Optional) Manually configured bandwidth


7.4.2 Configuring the Unequal-Cost Multiple Path During IP Packet Forwarding

UCMP load balances traffic among equal-cost links based on bandwidth.

Context

ECMP evenly load balances traffic over multiple equal-cost links, regardless of the bandwidth. Consequently, traffic congestion may occur on low-speed links and bandwidth of high-speed links cannot be used efficiently. To load balance traffic on the equal-cost links based on bandwidth, configure UCMP.

When configuring the UCMP function, manually set the bandwidth of an interface in the following scenarios:

• Users need to adjust the bandwidth of equal-cost links so that the equal-cost links load balance traffic based on the configured bandwidth.
• The outbound interface of the equal-cost route is a logical interface.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

NOTE

To configure UCMP on a logical interface, you must perform step 3.

Step 3 (Optional) Run:
load-balance bandwidth bandwidth

The bandwidth is manually configured for the interface.

Step 4 Run:
load-balance unequal-cost enable

UCMP is enabled on the interface.

By default, UCMP is disabled on an interface.

Step 5 Run:
shutdown

The interface is shut down.

Step 6 Run:
undo shutdown

The interface is started.

Step 7 Run:
quit


Return to the system view.

To configure UCMP on other interfaces, repeat steps 2 through 7.

NOTE

Traffic is load balanced based on bandwidth only when UCMP is enabled on outbound interfaces of all theequal-cost links and FIB entry updating is triggered. If UCMP is not enabled on any outbound interface,the equal-cost links evenly load balance traffic even though FIB entry updating is triggered.

----End

7.4.3 Checking the Configuration

After setting the load balancing mode for IP packet forwarding, you can view the load balancing configuration.

Procedure

• Run the display fib [ slot-id ] command to check the FIB table on a specified LPU.
• Run the display fib acl acl-number [ verbose ] command to check FIB entries matching an ACL.
• Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ] [ verbose ] command to check FIB entries matching destination addresses.
• Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command to check FIB entries matching destination addresses in the range of destination-address1 destination-mask1 to destination-address2 destination-mask2.
• Run the display fib ip-prefix prefix-name [ verbose ] command to check FIB entries matching the specified IP prefix list.
• Run the display fib interface interface-type interface-number command to check FIB entries matching a specified interface.
• Run the display fib next-hop ip-address command to check FIB entries matching a specified next hop address.
• Run the display fib [ slot-id ] statistics command to check the total number of FIB entries.

----End

Example

# Run the display fib command to view the summary of the FIB table.

<Huawei> display fib
Route Flags: G - Gateway Route, H - Host Route,    U - Up Route
             S - Static Route,  D - Dynamic Route, B - Black Hole Route
------------------------------------------------------------------------------
 FIB Table:
 Total number of Routes : 4
Destination/Mask   Nexthop         Flag TimeStamp     Interface      TunnelID
127.0.0.1/32       127.0.0.1       HU   t[49]         InLoop0        0x0
127.0.0.0/8        127.0.0.1       U    t[49]         InLoop0        0x0
127.255.255.255/32 127.0.0.1       HU   t[49]         InLoop0        0x0
255.255.255.255/32 127.0.0.1       HU   t[49]         InLoop0        0x0


7.5 Configuring TCP Attributes

You can configure TCP attributes to improve network performance.

7.5.1 Establishing the Configuration Task

Before configuring TCP attributes, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment

On certain networks, you need to adjust TCP parameters to improve network performance.

Pre-configuration Tasks

Before configuring TCP attributes, complete the following tasks:

• Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
• Setting network layer protocol parameters for interfaces to ensure that the routing protocol status on the interfaces is Up

Data Preparation

To configure TCP attributes, you need the following data.

No.  Data
1    Values of the SYN-Wait timer and FIN-Wait timer, and packet receive or transmit buffer size of a connection-oriented socket

7.5.2 Setting Values of TCP Timers

You can set values of the SYN-Wait timer and FIN-Wait timer to control TCP connections.

Context

TCP uses the following timers:

• SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer is started. If no response packet is received after the SYN-Wait timer expires, the TCP connection is closed. The value of the SYN-Wait timer ranges from 2 to 600, in seconds. The default value is 75s.

• FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to FIN_WAIT_2, the FIN-Wait timer is started. If no response packet is received after the FIN-Wait timer expires, the TCP connection is closed. The value of the FIN-Wait timer ranges from 76 to 3600, in seconds. The default value is 675s.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: tcp timer syn-timeout interval

The value of the SYN-Wait timer is set.

Step 3 Run: tcp timer fin-timeout interval

The value of the FIN-Wait (FIN_WAIT_2) timer is set.

----End

7.5.3 Setting the Aging Time of the PMTU

You can set a proper aging time of the path MTU (PMTU) to improve transmission efficiency and network performance.

Context

When hosts on the same network communicate with each other, the MTU of the network is important for the hosts. When hosts communicate with each other across multiple networks, it is important to determine the minimum MTU on the network path because the MTUs of the link layers on different networks are different. The minimum MTU on the network path is called the PMTU.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: tcp timer pathmtu-age age-time

The aging time of the PMTU is set.

The aging time of an IPv4 PMTU is an integer ranging from 10 to 100, in minutes. The default value is 0 minutes, that is, the PMTU never ages.

----End

7.5.4 Setting the Size of the TCP Sliding Window

You can set the size of the TCP sliding window, that is, the packet receive or transmit buffer size of a connection-oriented socket, to improve network performance.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: tcp window window-size

The packet receive or transmit buffer size of a connection-oriented socket is set.

The value of window-size ranges from 1 to 32, in K bytes. The default value is 8K bytes.

----End

7.5.5 Setting the MSS of TCP Packets on an Interface

After the maximum segment size (MSS) of TCP packets on an interface is set, the size of received or sent TCP packets is limited within the MSS so that network performance is improved.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: tcp adjust-mss value

The MSS of TCP packets is set on the interface.

The MSS of TCP packets on an interface is an integer that ranges from 128 to 2048, in bytes.

----End

7.5.6 Checking the Configuration

After configuring TCP attributes, you can view the configuration.

Procedure

• Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ] command to check the TCP connection status.
• Run the display tcp statistics command to check the TCP traffic statistics.

----End

Example

# Run the display tcp status command to view the TCP connection status.


<Huawei> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
0b148a24 90 /1    0.0.0.0:23            0.0.0.0:0             14849  Listening
0ba8fb2c 90 /11   100.1.1.116:23        100.1.1.4:1334        0      Established
0ba91254 90 /12   100.1.1.116:23        100.1.1.4:2266        0      Established

# Run the display tcp statistics command to view the TCP traffic statistics.

<Huawei> display tcp statistics
Received packets:
     Total: 34574
     Total(64bit high-capacity counter): 34574
     packets in sequence: 2852 (3242 bytes)
     window probe packets: 0, window update packets: 0
     checksum error: 0, offset error: 0, short error: 0
     duplicate packets: 6 (6 bytes), partially duplicate packets: 0 (0 bytes)
     out-of-order packets: 0 (0 bytes)
     packets of data after window: 0 (0 bytes)
     packets received after close: 0
     ACK packets: 3757 (126230 bytes)
     duplicate ACK packets: 29083, too much ACK packets: 0
Sent packets:
     Total: 35094
     Total(64bit high-capacity counter): 35094
     urgent packets: 0
     control packets: 0 (including 1 RST)
     window probe packets: 0, window update packets: 0
     data packets: 5364 (126736 bytes), data packets retransmitted: 0 (0 bytes)
     ACK-only packets: 657 (626 delayed)
Other information:
     Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
     Keep alive timeout: 29072, keep alive probe: 29072, Keep alive timeout, so connections disconnected : 0
     Initiated connections: 0, accepted connections: 16, established connections: 16
     Closed connections: 13 ( dropped: 10, initiated dropped: 0)
     Packets dropped with MD5 authentication: 0
     Packets permitted with MD5 authentication: 0
     Send Packets permitted with Keychain authentication: 0
     Receive Packets permitted with Keychain authentication: 0
     Receive Packets Dropped with Keychain authentication: 0
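An added example, not part of the Huawei guide: a Python parser for the display tcp status table shown in this Example, with a review pass that lists sockets listening on 0.0.0.0 and established peers outside an allow-list. The sample rows are copied from this page; the allow-list networks and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Rows copied from the display tcp status example on this page.
SAMPLE = """\
<Huawei> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
0b148a24 90 /1    0.0.0.0:23            0.0.0.0:0             14849  Listening
0ba8fb2c 90 /11   100.1.1.116:23        100.1.1.4:1334        0      Established
0ba91254 90 /12   100.1.1.116:23        100.1.1.4:2266        0      Established
"""

# One connection row. Tid/Soid is printed as "90 /1", so the slash may be
# surrounded by spaces; the header and prompt lines do not match.
ROW = re.compile(r"""
    ^(?P<tcpcb>[0-9a-fA-F]+)\s+
    (?P<tid>\d+)\s*/\s*(?P<soid>\d+)\s+
    (?P<local_ip>[\d.]+):(?P<local_port>\d+)\s+
    (?P<remote_ip>[\d.]+):(?P<remote_port>\d+)\s+
    (?P<vpnid>\d+)\s+
    (?P<state>\S+)$
""", re.VERBOSE)

INT_FIELDS = ("tid", "soid", "local_port", "remote_port", "vpnid")


def parse_tcp_status(text):
    """Return one dict per connection row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match is None:
            continue
        row = match.groupdict()
        for key in INT_FIELDS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def review(rows, allowed_sources):
    """Return findings as (kind, local_port, remote_ip) tuples.

    wildcard-listener: a socket listening on 0.0.0.0, i.e. on every
                       local address of the router.
    unexpected-peer:   an established session whose remote address is
                       outside every network in allowed_sources.
    """
    networks = [ipaddress.ip_network(net) for net in allowed_sources]
    findings = []
    for row in rows:
        if row["state"] == "Listening" and row["local_ip"] == "0.0.0.0":
            findings.append(("wildcard-listener", row["local_port"], None))
        elif row["state"] == "Established":
            peer = ipaddress.ip_address(row["remote_ip"])
            if not any(peer in net for net in networks):
                findings.append(
                    ("unexpected-peer", row["local_port"], row["remote_ip"]))
    return findings


if __name__ == "__main__":
    table = parse_tcp_status(SAMPLE)
    # 100.1.1.0/30 is a constructed management range that excludes 100.1.1.4.
    for finding in review(table, ["100.1.1.0/30"]):
        print(finding)
```

In the sample, every row uses local port 23 (Telnet), so the review output shows both that the service listens on all addresses and which peer holds the two sessions.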

7.6 Maintaining IP Performance

You can maintain IP performance by clearing IP performance statistics, and monitoring the IP running status.

7.6.1 Clearing IP Performance Statistics

You can run the following reset commands to clear IP performance statistics.


Context

CAUTION

The IP/TCP/UDP traffic statistics cannot be restored after being cleared. Exercise caution when you run the commands.

Procedure

• Run the reset ip statistics [ interface interface-type interface-number ] command in the user view to clear the IP traffic statistics.
• Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the user view to clear information in a socket monitor.
• Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.
• Run the reset udp statistics command in the user view to clear the UDP traffic statistics.

----End

7.6.2 Monitoring the IP Running Status

You can monitor the IP running status by running display commands.

Context

In routine maintenance, you can run the following commands in any view to view the IP running status.

Procedure

• Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ] command in any view to check the TCP connection status.
• Run the display tcp statistics command in any view to check the TCP traffic statistics.
• Run the display udp statistics command in any view to check the UDP traffic statistics.
• Run the display ip interface [ interface-type interface-number ] command in any view to check information about an interface.
• Run the display ip statistics command in any view to check the IP traffic statistics.
• Run the display icmp statistics command in any view to check the ICMP traffic statistics.
• Run the display fib acl acl-number [ verbose ] command in any view to check FIB entries matching the specified ACL.
• Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ] [ verbose ] command in any view to check FIB entries matching the specified destination address.
• Run the display fib [ slot-id ] destination-address1 destination-mask1 destination-address2 destination-mask2 [ verbose ] command in any view to check FIB entries matching destination addresses in the range of destination-address1 destination-mask1 to destination-address2 destination-mask2.


• Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check FIB entries matching the specified IP prefix list.
• Run the display fib interface interface-type interface-number command in any view to check FIB entries matching a specified interface.
• Run the display fib next-hop ip-address command in any view to check FIB entries matching a specified next hop address.
• Run the display fib [ slot-id ] statistics command in any view to check the total number of FIB entries.
• Run the display fib [ slot-id ] command in any view to check information about the FIB table.
• Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type socket-type ] command in any view to check the IP socket information.

----End

7.7 Configuration Examples

This section provides IP performance configuration examples.

7.7.1 Example for Disabling the Sending of ICMP Redirection Packets

Networking Requirements

As shown in Figure 7-1, to limit the sending of ICMP redirection packets, RouterA, RouterB, and RouterC are required to be connected with each other by using layer 3 interfaces.

Figure 7-1 Network diagram of Disabling the Sending of ICMP Redirection Packets

[Figure: RouterA (Eth1/0/0, 1.1.1.1/24), RouterB (Eth1/0/0, 1.1.1.2/24), RouterC (Eth1/0/0, 2.2.2.2/24) and the Internet]


Configuration Roadmap

The configuration roadmap is as follows:

1. Configure an IP address for each connected interface.
2. Configure static routes to indirectly connected devices.
3. Disable an interface from sending ICMP redirection packets.

Data Preparation

To complete the configuration, you need the following data:

• Static routes to indirectly connected devices.
• IP addresses of interfaces.

Procedure

Step 1 Configure IP addresses for interfaces.

# Configure RouterA.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.1 24
[RouterA-Ethernet1/0/0] quit

# Configure RouterB.

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ip address 1.1.1.2 24
[RouterB-Ethernet1/0/0] quit

# Configure RouterC.

<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface ethernet 1/0/0
[RouterC-Ethernet1/0/0] ip address 2.2.2.2 24
[RouterC-Ethernet1/0/0] quit

Step 2 Configure static routes.

# Configure RouterA.

[RouterA] ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

# Configure RouterB.

[RouterB] ip route-static 2.2.2.0 255.255.255.0 1.1.1.1

Step 3 Disable Eth1/0/0 on RouterB from sending ICMP redirection packets.

[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] undo icmp redirect send
[RouterB-Ethernet1/0/0] quit

Step 4 Verify the configuration.

# Enable ICMP packet debugging on RouterB.

<RouterB> debugging ip icmp


# Ping RouterA. You can see that RouterB does not send ICMP redirection packets. There is no information about ICMP redirection packets in the debugging command output.

[RouterA] ping 2.2.2.2
  PING 2.2.2.2: 56 data bytes, press CTRL_C to break
    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=3 ms
    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=3 ms
    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=3 ms
    Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=3 ms
  --- 2.2.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms

----End

Configuration Files

• Configuration file of RouterA

#
 sysname RouterA
#
interface Ethernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
 ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

• Configuration file of RouterB

#
 sysname RouterB
#
interface Ethernet1/0/0
 ip address 1.1.1.2 255.255.255.0
 undo icmp redirect send
#
 ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
#
return

• Configuration file of RouterC

#
 sysname RouterC
#
interface Ethernet1/0/0
 ip address 2.2.2.2 255.255.255.0
#
return
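An added example, not from the Huawei guide: a Python check that reads saved configuration files in the layout shown above and reports which Layer 3 interfaces carry the undo icmp redirect send line. It assumes, as Step 3 of this example implies, that an interface without that line still sends ICMP redirection packets; the three configurations are the ones on this page and the function names are hypothetical.

```python
# Configuration files copied from this example.
CONFIGS = {
    "RouterA": """\
#
 sysname RouterA
#
interface Ethernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
 ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return
""",
    "RouterB": """\
#
 sysname RouterB
#
interface Ethernet1/0/0
 ip address 1.1.1.2 255.255.255.0
 undo icmp redirect send
#
 ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
#
return
""",
    "RouterC": """\
#
 sysname RouterC
#
interface Ethernet1/0/0
 ip address 2.2.2.2 255.255.255.0
#
return
""",
}

DISABLE_LINE = "undo icmp redirect send"


def interface_stanzas(config):
    """Yield (interface_name, [stripped lines]) for each interface stanza.

    A stanza starts at an 'interface <name>' line and ends at the next
    '#' separator, the next interface line, 'return', or end of file.
    """
    name, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return") or line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = None, []
            if line.startswith("interface "):
                name = line.split(None, 1)[1]
        elif name is not None and line:
            body.append(line)
    if name is not None:
        yield name, body


def redirect_audit(config):
    """Map each interface that has an 'ip address' line to True when the
    stanza also contains 'undo icmp redirect send', otherwise False."""
    result = {}
    for name, body in interface_stanzas(config):
        if any(line.startswith("ip address ") for line in body):
            result[name] = DISABLE_LINE in body
    return result


def interfaces_without_disable(configs):
    """Return (router, interface) pairs that lack the disable line."""
    missing = []
    for router, config in configs.items():
        for name, disabled in redirect_audit(config).items():
            if not disabled:
                missing.append((router, name))
    return missing


if __name__ == "__main__":
    for router, interface in interfaces_without_disable(CONFIGS):
        print(f"{router} {interface}: '{DISABLE_LINE}' not configured")
```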


8 IP Unicast PBR Configuration

About This Chapter

By configuring IP unicast PBR, you can improve the security of the network and perform load balancing.

8.1 PBR Overview
This section describes the concept of PBR.

8.2 PBR Supported by the AR150/200

8.3 Configuring IP Policy-based Routing
By configuring IP unicast PBR, you can ensure that a certain packet is forwarded through a specified outbound interface.

8.4 Configuration Examples
This section includes the networking requirements, precautions for configuration, and configuration roadmap.


8.1 PBR Overview

This section describes the concept of PBR.

IP unicast PBR is a routing mechanism based on user-defined policies rather than the destination IP addresses of data packets. PBR provides security and load balancing.

8.2 PBR Supported by the AR150/200

The AR150/200 supports packet routing based on the source IP address and packet length of the packets. Therefore, PBR can flexibly select routes. After a packet arrives, the system forwards the packet according to PBR. If no PBR is configured, or if PBR is configured but no matching entry exists, the system forwards the packet according to the Forwarding Information Base (FIB) table.

The AR150/200 applies PBR only to locally sent protocol packets, such as ICMP and BGP packets.

NOTE

A traffic policy can be configured on an interface of the AR150/200 to redirect data packets whose destination address is not the local address. This traffic policy does not take effect for local packets sent to the CPU. It applies to the following situations:

• Load balancing: specifies a forwarding path for special packets.

• Security inspection: redirects certain packets to the firewall.

For details about the redirection configuration, see Configuring Redirection in the Huawei AR150&200 Series Enterprise Routers Configuration Guide - QoS.

8.3 Configuring IP Policy-based Routing

By configuring IP unicast PBR, you can ensure that a certain packet is forwarded through a specified outbound interface.

8.3.1 Establishing the Configuration Task

This section describes the applicable environment, pre-configuration tasks, data preparation, and configuration procedure for configuring IP unicast PBR.

Applicable Environment

An internal network is connected to an external network through a router. The router has multiple egresses to the external network. You can use IP unicast PBR on the interface to make certain packets pass through a specified egress of the router.

To perform PBR on the packets generated by the router, you should configure the local PBR.

Pre-configuration Tasks

Before configuring IP unicast PBR, complete the following tasks:

• Configuring the interface between the router and other devices


• Configuring the link layer protocol of the interface
• Configuring the ACL used for packet matching
• Configuring the VPN first if you want the packet to enter VPN

Data Preparation

To configure IP Policy-based Routing, you need the following data.

No.  Data
1    PBR name, the policy node number and the default action to the packet
2    Maximum and the minimum byte number of the packet
3    ACL number of the matched packets
4    New precedence of the packet
5    Default next hop or output interface of the packet in the specified policy
6    Next hop or the output interface number of the packet in the specified policy
7    VPN instance name to which the packet in the specified policy belongs

8.3.2 Defining the Matching Rule of PBR

By defining the matching rule of PBR, you can determine the type of packets to which PBR is applied.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: policy-based-route policy-name { deny | permit } node node-id

A policy or a policy node is created.

Step 3 Run: if-match packet-length min-length max-length or if-match acl acl-number

The match rule of the IP packet length or the ACL is set.

----End


Follow-up Procedure

Note the following when configuring PBR:

• You can use the policy to import the routes or to forward the IP packets.
• You can specify the routing policy by using the if-match and apply clauses.
• A single policy can include multiple if-match clauses, such as if-match acl and if-match packet-length, which can be used in combination.
  – If if-match acl acl-number is used repeatedly to set ACL rules, the new configuration supersedes the old configuration.
  – If if-match packet-length min-length max-length is used repeatedly to set packet length rules, the new configuration supersedes the old configuration.
• permit means that packets matching the rule are allowed to pass during policy-based routing; deny means that packets matching the rule are denied during policy-based routing.
• A routing policy contains several policy nodes. Each policy node is specified by a node-id. The smaller the node-id, the higher the preference of the policy node. The policy node with a higher preference is executed first.

8.3.3 Defining Actions of PBR

This part describes how to define actions of PBR, including setting the outbound interface and next hop for a packet.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: policy-based-route policy-name { deny | permit } node node-id

A policy or a policy node is created.

Step 3 Run: apply ip-precedence precedence

The precedence of the IP packet is set.

Step 4 Run: apply ip-address default next-hop ip-address1 [ ip-address2 ]

The default next hop of the packet is specified.

NOTE

The default next hop cannot be a local IP address.

Step 5 Run: apply default output-interface interface-type1 interface-number1 [ interface-type2 interface-number2 ]

The default outbound interface of the packet is specified.


NOTE

The default outbound interface cannot be a broadcast interface, such as an Ethernet interface.

Step 6 Run: apply ip-address next-hop ip-address1 [ ip-address2 ]

The next hop of the packet is specified.

NOTE

The next hop cannot be a local IP address.

Step 7 Run: apply output-interface interface-type interface-number

The outbound interface of the packet is specified.

NOTE

The outbound interface cannot be a broadcast interface, such as an Ethernet interface.

Step 8 Run: apply access-vpn vpn-instance vpn-instance-name &<1-6>

The VPN instance allowed to be accessed is specified.

The apply ip-precedence command is used to set the precedence of the packet. The value of precedence ranges from 0 to 7. In addition, some keywords can be used as the value of precedence. Table 8-1 shows the relationship between keywords and precedence.

Table 8-1 Relationship between keywords and precedence

Precedence  Key Word
0           Routine
1           Priority
2           Immediate
3           Flash
4           Flash-override
5           Critical
6           Internet
7           Network

----End

Follow-up Procedure

Note the following when defining actions in PBR:

• A policy can include multiple apply clauses, which can be used in combination.


• If multiple next hops are specified, load balancing is implemented among the next hops.
• If multiple outbound interfaces are specified, load balancing is implemented among the outbound interfaces.
• If outbound interfaces and next hops are configured at the same time, load balancing is implemented only on outbound interfaces.
• If you run the apply output-interface command to configure two egresses and then run the command again to configure another one, the third configured egress supersedes only the first configured one.

8.3.4 Applying PBR

This part describes how to apply PBR.

Procedure

• Enabling local PBR

  1. Run: system-view

     The system view is displayed.

  2. Run: ip local policy-based-route policy-name

     The local PBR is enabled.

     Here, PBR applies to only the local packets. You can configure only one local policy.

----End

8.3.5 Checking the Configuration

You can view the configuration of IP unicast PBR.

Prerequisites

The configurations of the IP Policy-based Routing function are complete.

Procedure

• Run the display ip policy-based-route command to check the enabled PBR.
• Run the display ip policy-based-route setup local command to check the configuration of local PBR.
• Run the display ip policy-based-route statistics local command to check the statistics of the local packet that is enabled with PBR.
• Run the display policy-based-route [ policy-name ] command to check the created policy.

----End

Example

Run the display ip policy-based-route command to check the enabled PBR.

<Huawei> display ip policy-based-route


policy Name       interface
aaa               local

Run the display ip policy-based-route setup local command. If configurations of the local PBR are displayed, the configuration is successful.

<Huawei> display ip policy-based-route setup local
policy-based-route aaa permit node 5
  if-match acl 2000
  apply output-interface Ethernet1/0/0

Run the display ip policy-based-route statistics local command. If statistics of local PBR are displayed, the configuration is successful.

<Huawei> display ip policy-based-route statistics local
Local policy based routing information:
policy-based-route: aaa
  permit node 21
  Total denied: 0, forwarded: 0

8.4 Configuration Examples

This section includes the networking requirements, precautions for configuration, and configuration roadmap.

8.4.1 Example for Configuring IP Unicast PBR

This section provides an example for configuring IP unicast PBR.

Networking Requirements

As shown in Figure 8-1, IP unicast PBR is applied to RouterA:

• The next hop address 150.1.1.2 is set for packets with 64 to 1400 bytes.
• The next hop address 151.1.1.2 is set for packets with 1401 to 1500 bytes.
• Packets with other lengths are routed based on destination addresses.

Figure 8-1 Networking diagram of IP unicast PBR configurations

[Figure: RouterA (Eth1/0/0 150.1.1.1/24, Eth2/0/0 151.1.1.1/24, Loopback0 10.1.1.1/24) connected to RouterB (Eth1/0/0 150.1.1.2/24, Eth2/0/0 151.1.1.2/24, Loopback0 10.1.2.1/24)]

Configuration Roadmap

The configuration roadmap is as follows:

• Assign an IP address to each interface.


• Configure static routes.
• Configure a PBR route that defines rules and actions.

Data Preparation

To complete the configuration, you need the following data:

• IP address and subnet mask of each interface
• Packet length and next hop address in the PBR route

Procedure

Step 1 Assign an IP address to each interface.

# Assign an IP address to each interface on RouterA.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 150.1.1.1 255.255.255.0
[RouterA-Ethernet1/0/0] quit
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] ip address 151.1.1.1 255.255.255.0
[RouterA-Ethernet2/0/0] quit

# Assign an IP address to each interface on RouterB.

<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ip address 150.1.1.2 255.255.255.0
[RouterB-Ethernet1/0/0] quit
[RouterB] interface ethernet 2/0/0
[RouterB-Ethernet2/0/0] ip address 151.1.1.2 255.255.255.0
[RouterB-Ethernet2/0/0] quit

Step 2 Configure static routes.

# Configure a static route on RouterA.

[RouterA] ip route-static 10.1.2.0 24 150.1.1.2
[RouterA] ip route-static 10.1.2.0 24 151.1.1.2

# Configure a static route on RouterB.

[RouterB] ip route-static 10.1.1.0 24 150.1.1.1
[RouterB] ip route-static 10.1.1.0 24 151.1.1.1

Step 3 Configure a PBR route.

# Configure a PBR route lab1.

[RouterA] policy-based-route lab1 permit node 10
[RouterA-policy-based-route-lab1-10] if-match packet-length 64 1400
[RouterA-policy-based-route-lab1-10] apply ip-address next-hop 150.1.1.2
[RouterA-policy-based-route-lab1-10] quit
[RouterA] policy-based-route lab1 permit node 20
[RouterA-policy-based-route-lab1-20] if-match packet-length 1401 1500
[RouterA-policy-based-route-lab1-20] apply ip-address next-hop 151.1.1.2
[RouterA-policy-based-route-lab1-20] quit

# Enable local PBR.

[RouterA] ip local policy-based-route lab1


Step 4 Verify the configuration.

# Run the debugging ip policy-based-route command on RouterA to debug the PBR route.

<RouterA> debugging ip policy-based-route
<RouterA> terminal debugging
<RouterA> terminal monitor

# On RouterA, ping the IP address of Loopback0 interface on RouterB and set the packet length to 80 bytes.

<RouterA> ping -s 80 10.1.2.1
  PING 100.1.2.1: 80 data bytes, press CTRL_C to break
Mar 9 2011 15:00:35.40.2 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 150.1.1.2
    Reply from 100.1.2.1: bytes=80 Sequence=1 ttl=254 time=1 ms
    Reply from 100.1.2.1: bytes=80 Sequence=2 ttl=254 time=1 ms
    Reply from 100.1.2.1: bytes=80 Sequence=3 ttl=254 time=1 ms
    Reply from 100.1.2.1: bytes=80 Sequence=4 ttl=254 time=1 ms
    Reply from 100.1.2.1: bytes=80 Sequence=5 ttl=254 time=1 ms
  --- 100.1.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

# The following information about the PBR route is displayed on RouterA:

<RouterA>
Mar 9 2011 15:00:37.50.2 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 150.1.1.2
Mar 9 2011 15:00:37.50.3 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 150.1.1.2
Mar 9 2011 15:00:37.50.4 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 150.1.1.2
Mar 9 2011 15:00:37.50.5 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 150.1.1.2

RouterA forwards the packets through Ethernet1/0/0 because the next hop address in the PBR route is 150.1.1.2.

# On RouterA, ping the IP address of Loopback0 interface on RouterB and set the packet length to 1401 bytes.

<RouterA> ping -s 1401 10.1.2.1
  PING 100.1.2.1: 1401 data bytes, press CTRL_C to break
Mar 9 2011 15:41:26.350.2 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
Mar 9 2011 15:41:26.350.3 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
    Reply from 100.1.2.1: bytes=1401 Sequence=1 ttl=254 time=2 ms
Mar 9 2011 15:41:26.850.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
    Reply from 100.1.2.1: bytes=1401 Sequence=2 ttl=254 time=2 ms
Mar 9 2011 15:41:27.340.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
    Reply from 100.1.2.1: bytes=1401 Sequence=3 ttl=254 time=2 ms
Mar 9 2011 15:41:27.840.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
    Reply from 100.1.2.1: bytes=1401 Sequence=4 ttl=254 time=2 ms
Mar 9 2011 15:41:28.340.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success : next-hop : 151.1.1.2
    Reply from 100.1.2.1: bytes=1401 Sequence=5 ttl=254 time=2 ms
  --- 100.1.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms

RouterA forwards the received packets from Ethernet2/0/0 because the next hop address in the PBR route is 151.1.1.2.

----End

Configuration Files

Configuration file of RouterA

#
 sysname RouterA
#
interface Ethernet1/0/0
 ip address 150.1.1.1 255.255.255.0
#
interface Ethernet2/0/0
 ip address 151.1.1.1 255.255.255.0
#
 ip route-static 10.1.2.0 255.255.255.0 150.1.1.2
 ip route-static 10.1.2.0 255.255.255.0 151.1.1.2
#
policy-based-route lab1 permit node 10
 if-match packet-length 64 1400
 apply ip-address next-hop 150.1.1.2
policy-based-route lab1 permit node 20
 if-match packet-length 1401 1500
 apply ip-address next-hop 151.1.1.2
#
 ip local policy-based-route lab1

Configuration file of RouterB

#
 sysname RouterB
#
interface Ethernet1/0/0
 ip address 150.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
 ip address 151.1.1.2 255.255.255.0
#
 ip route-static 10.1.1.0 255.255.255.0 150.1.1.1
 ip route-static 10.1.1.0 255.255.255.0 151.1.1.1


9 UDP Helper Configuration

About This Chapter

This chapter describes the principle and configuration of UDP helper, and provides configuration examples.

9.1 UDP Helper Overview
This section describes the principle of UDP helper.

9.2 UDP Helper Features Supported by the AR150/200
This section describes the UDP helper features supported by the AR150/200.

9.3 Configuring UDP Helper
This section describes how to configure UDP helper to relay broadcast packets with a specified UDP port.

9.4 Maintaining UDP Helper
This section describes how to maintain UDP helper.

9.5 Configuration Examples
This section provides a UDP helper configuration example.


9.1 UDP Helper Overview
This section describes the principle of UDP helper.

A host on an intranet needs to obtain the configuration from a server by sending broadcast packets such as UDP broadcast packets. If the host and the server are located in different broadcast domains, broadcast packets cannot reach the server and the host cannot obtain the configuration from the server.

The AR150/200 provides the UDP Helper function to solve this problem. It can relay broadcast packets with specified UDP ports by converting broadcast packets into unicast packets and sending the unicast packets to the specified destination server.

9.2 UDP Helper Features Supported by the AR150/200
This section describes the UDP helper features supported by the AR150/200.

After UDP helper is enabled on the AR150/200, the AR150/200 relays broadcast packets with the default UDP ports to corresponding destination servers. Table 9-1 lists the default UDP ports. Other UDP ports must be configured manually after UDP helper is enabled.

Table 9-1 List of default UDP ports

Protocol                                                   UDP Port Number
Trivial File Transfer Protocol (TFTP)                      69
Domain Name System (DNS)                                   53
Time Service                                               37
NetBIOS Name Service (NetBIOS-NS)                          137
NetBIOS Datagram Service (NetBIOS-DS)                      138
Terminal Access Controller Access Control System (TACACS)  49

The UDP helper function cannot relay Dynamic Host Configuration Protocol (DHCP) messages, so the destination port numbers cannot be set to 67 or 68. To relay DHCP messages, enable the DHCP relay function.


9.3 Configuring UDP Helper
This section describes how to configure UDP helper to relay broadcast packets with a specified UDP port.

9.3.1 Establishing the Configuration Task
Before configuring UDP helper, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.

Applicable Environment
A host on an intranet needs to obtain the configuration from a server by sending broadcast packets such as UDP broadcast packets. If the host and the server are located in different broadcast domains, broadcast packets cannot reach the server and the host cannot obtain the configuration from the server.

The AR150/200 provides the UDP Helper function to solve this problem. It can relay broadcast packets with specified UDP ports by converting broadcast packets into unicast packets and sending the unicast packets to the specified destination server.

Pre-configuration Tasks
Before configuring UDP helper, complete the following task:
• Configuring a reachable route from the AR150/200 to the destination server

Data Preparation
To configure UDP helper, you need the following data.

No.  Data
1    (Optional) UDP ports of the packets to be relayed
2    Interface that relays packets of UDP ports and IP address of the destination server

9.3.2 Enabling UDP Helper
This section describes how to enable UDP helper.

Context
After UDP helper is enabled, the Router checks the destination UDP port of a received broadcast packet and determines whether to relay the packet:

• If the packet destination UDP port number is the same as the specified UDP port number and the destination MAC address is a broadcast MAC address, the Router changes the destination IP address in the IP packet header and sends the packet to a specified destination server.

• If the destination UDP port number of packets is different from the specified UDP port number, the Router discards the packet.
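
The relay decision described above can be modelled at the byte level. The following Python model is an added example, not code from the Huawei guide; the function names (build_broadcast, relay), the constructed sample frame, and the choice to clear the UDP checksum after the destination rewrite are assumptions made for illustration.

```python
import ipaddress
import struct

DEFAULT_PORTS = {37, 49, 53, 69, 137, 138}  # Table 9-1
DHCP_PORTS = {67, 68}                       # handled by DHCP relay, not UDP helper
BROADCAST_MAC = b"\xff" * 6


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over an IPv4 header (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_broadcast(src: str, dst: str, dport: int, mac=BROADCAST_MAC) -> bytes:
    """Constructed sample: Ethernet + IPv4 + UDP frame with a 4-byte payload."""
    udp = struct.pack("!HHHH", 40000, dport, 12, 0) + b"test"
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return mac + bytes.fromhex("020000000001") + b"\x08\x00" + bytes(hdr) + udp


def relay(frame: bytes, server: str, ports=frozenset(DEFAULT_PORTS)):
    """Return the IPv4 packet to unicast to `server`, or None if not relayed."""
    if frame[:6] != BROADCAST_MAC or frame[12:14] != b"\x08\x00":
        return None
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                   # not UDP
        return None
    dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    if dport in DHCP_PORTS or dport not in ports:
        return None
    ip[16:20] = ipaddress.IPv4Address(server).packed  # rewrite destination IP
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:ihl])))
    # Modelling choice: clear the UDP checksum (legal in IPv4), since it
    # covers the old destination address through the pseudo-header.
    ip[ihl + 6:ihl + 8] = b"\x00\x00"
    return bytes(ip)
```

The source IP address is left untouched by the rewrite, so the destination server sees the original host as the sender of the relayed packet.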

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    udp-helper enable

UDP helper is enabled.

----End

9.3.3 (Optional) Configuring a UDP Port for Packets to Be Relayed
This section describes how to configure a UDP port for packets to be relayed.

Prerequisites
UDP helper has been enabled.

Context
After the UDP helper function is enabled, the AR150/200 relays broadcast packets with UDP ports 37, 49, 53, 69, 137, and 138 by default. If the port number that needs to be configured is in the range of default UDP port numbers, you can skip this configuration procedure.

The AR150/200 does not relay DHCP messages with UDP ports 67 or 68.

Perform the following operations on the AR150/200.

Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }

The UDP port of packets to be relayed is configured.

----End

9.3.4 Configuring a Destination Server
This section describes how to configure a destination server.


Procedure

Step 1 Run:
    system-view

The system view is displayed.

Step 2 Run:
    interface interface-type interface-number

The interface view is displayed.

The interface must be a VLANIF interface.

Step 3 Run:
    udp-helper server ip-address

A destination server is configured.

After UDP helper is enabled, the interface forwards a received packet to the specified destination server if the destination UDP port of the packet is the same as the specified UDP port.

----End

9.3.5 Checking the Configuration

Procedure
• Run the display udp-helper server command to check the numbers of the interfaces that have relayed UDP packets, IP addresses of destination servers, and the number of forwarded UDP packets.

• Run the display udp-helper port command to check the UDP port numbers of the packets that need to be relayed.

----End

Example
# Run the display udp-helper server command to view UDP helper information.

<Huawei> display udp-helper server
Server-interface     Server-Ip          packet-num
------------------------------------------------------------------------
Vlanif20             1.1.1.2            0
Ethernet1/0/0.1      192.168.1.200      0

# Run the display udp-helper port command to view the UDP port numbers of the packets that need to be relayed.

<Huawei> display udp-helper port
Udp-Port-Number     Description
-------------------------------------------------------------
 1                  TCP Port Service Multiplexer
 37                 Time
 49                 Login Host Protocol
 53                 Domain Name Server
 69                 Trivial File Transfer
 137                NETBIOS Name Service
 138                NETBIOS Datagram Service


9.4 Maintaining UDP Helper
This section describes how to maintain UDP helper.

9.4.1 Clearing the UDP Helper Statistics

Context

CAUTION
UDP helper statistics cannot be restored after being cleared. Exercise caution when you run the reset udp-helper packet command.

Procedure

Step 1 Run the reset udp-helper packet command in the user view to clear UDP helper statistics.

----End

9.5 Configuration Examples
This section provides a UDP helper configuration example.

9.5.1 Example for Configuring UDP Helper

Networking Requirements
As shown in Figure 9-1, the IP address of VLANIF 100 on the Router is 10.110.1.1/16; the IP address of the NetBIOS-NS name server is 10.2.1.1/16. The Router and the NetBIOS-NS name server are in different network segments, and there is a reachable route between the Router and the NetBIOS-NS name server.

The Router is configured to forward broadcast packets with destination UDP port number 137 and destination IP addresses 255.255.255.255 and 10.110.255.255 to the NetBIOS-NS name server. When the Router receives a broadcast NetBIOS-NS Register packet, it changes the destination IP address to the IP address of the NetBIOS-NS name server and forwards the packet to the NetBIOS-NS name server.


Figure 9-1 Network diagram for configuring UDP helper
[Figure labels: Router; Ethernet0/0/0; VLANIF100 10.110.1.1/16; PC1, PC2; Internet; NetBIOS-NS Name Server 10.2.1.1/16]

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable UDP helper on the Router.
2. Create a VLAN and a VLANIF interface, configure an IP address for the VLANIF interface, and configure the destination server to which UDP packets will be relayed on the VLANIF interface.

NOTE
After UDP helper is enabled on the Router, the Router forwards broadcast packets with destination UDP port 137 by default. The UDP port number, therefore, does not need to be configured here.

Data Preparation

To complete the configuration, you need the following data:

• VLANIF interface from which UDP packets will be relayed
• IP address of the destination server

Procedure

Step 1 Enable UDP helper.
<Huawei> system-view
[Huawei] sysname Router
[Router] udp-helper enable

Step 2 Add Ethernet0/0/0 to VLAN 100.
[Router] vlan 100
[Router-Vlan100] quit
[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port hybrid pvid vlan 100
[Router-Ethernet0/0/0] port hybrid untagged vlan 100
[Router-Ethernet0/0/0] quit

Step 3 Configure a destination server.
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.110.1.1 16
[Router-Vlanif100] udp-helper server 10.2.1.1
[Router-Vlanif100] quit
[Router] quit

Step 4 Verify the configuration.

The destination server configured on VLANIF 100 is the NetBIOS-NS name server.

<Router> display udp-helper server
Server-interface     Server-Ip          packet-num
Vlanif100            10.2.1.1           0

----End

Configuration Files

Configuration file of the Router

#
 sysname Router
#
 udp-helper enable
#
 vlan batch 100
#
interface Ethernet0/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
interface Vlanif100
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 10.2.1.1
#
return
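
To review which broadcast services a saved configuration relays and to which servers, the following added Python check (not part of the Huawei guide) parses the Router configuration file above. The function name audit, the wording of the findings, and the assumption that udp-helper port lines are saved in the form they are typed are illustrative.

```python
import re

# Keywords accepted by `udp-helper port`, mapped to the ports in Table 9-1.
KEYWORDS = {"time": 37, "tacacs": 49, "dns": 53, "tftp": 69,
            "netbios-ns": 137, "netbios-ds": 138}
PORT_RE = re.compile(r"udp-helper port (\d+|" + "|".join(KEYWORDS) + ")")

# Router configuration file from section 9.5.1, embedded so the check runs offline.
CONFIG = """\
#
 sysname Router
#
 udp-helper enable
#
 vlan batch 100
#
interface Ethernet0/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
interface Vlanif100
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 10.2.1.1
#
return
"""

def audit(config):
    """Report what UDP helper relays, to which servers, and odd combinations."""
    enabled, ports, servers, iface = False, set(KEYWORDS.values()), {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line in ("#", "return"):
            iface = None
        elif line == "udp-helper enable":
            enabled = True
        elif m := PORT_RE.fullmatch(line):
            # Assumption: the saved config repeats the command as typed.
            ports.add(int(m[1]) if m[1].isdigit() else KEYWORDS[m[1]])
        elif iface and (m := re.fullmatch(r"udp-helper server (\S+)", line)):
            servers.setdefault(iface, []).append(m[1])
    findings = []
    if servers and not enabled:
        findings.append("server set but udp-helper is not enabled")
    if enabled and not servers:
        findings.append("udp-helper enabled but no destination server")
    return {"enabled": enabled, "ports": sorted(ports) if enabled else [],
            "servers": servers, "findings": findings}
```

For the configuration in this example the report lists the six default ports, including TFTP (69) and both NetBIOS ports, even though only port 137 is needed for the name server.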
