Beruflich Dokumente
Kultur Dokumente
V200R007
Issue 06
Date 2019-05-24
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Intended Audience
This document describes the concepts and configuration procedures of IP Service features on
the device, and provides the configuration examples.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Security Conventions
l Password setting
Declaration
l This manual is only a reference for you to configure your devices. The contents in the
manual, such as web pages, command line syntax, and command outputs, are based on
the device conditions in the lab. The manual provides instructions for general scenarios,
but do not cover all usage scenarios of all product models. The contents in the manual
may be different from your actual device situations due to the differences in software
versions, models, and configuration files. The manual will not list every possible
difference. You should configure your devices according to actual situations.
l The specifications provided in this manual are tested in lab environment (for example,
the tested device has been installed with a certain type of boards or only one protocol is
run on the device). Results may differ from the listed specifications when you attempt to
obtain the maximum values with multiple functions enabled on the device.
l In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
l In this document, AR series IOT gateway include
AR500&AR510&AR530&AR550&AR2500 Series.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
2 ARP Configuration......................................................................................................................21
2.1 ARP Overview..............................................................................................................................................................21
2.2 Principles...................................................................................................................................................................... 22
2.2.1 ARP Principles.......................................................................................................................................................... 22
2.2.2 Proxy ARP................................................................................................................................................................. 25
2.2.3 Gratuitous ARP..........................................................................................................................................................28
2.2.4 ARP-Ping...................................................................................................................................................................28
2.2.5 Multi-Interface ARP.................................................................................................................................................. 29
2.3 Configuration Task Summary.......................................................................................................................................31
3 DHCP Configuration.................................................................................................................. 63
3.1 DHCP Overview...........................................................................................................................................................64
3.2 Principles...................................................................................................................................................................... 66
3.2.1 Typical Networking................................................................................................................................................... 66
3.2.2 How a DHCP Server Allocates Network Parameters to New DHCP Clients........................................................... 66
3.2.3 How a DHCP Client Reuses an IP Address.............................................................................................................. 71
3.2.4 How a DHCP Client Renews Its IP Address Lease...................................................................................................72
3.3 Specifications................................................................................................................................................................74
3.4 Application................................................................................................................................................................... 75
3.4.1 DHCP Server Application......................................................................................................................................... 75
3.4.2 DHCP Relay Agent Application................................................................................................................................76
3.4.3 DHCP Client Application.......................................................................................................................................... 77
3.4.4 Master/Backup DHCP Server Application................................................................................................................78
3.5 Appendix...................................................................................................................................................................... 79
3.5.1 Introduction to DHCP Messages............................................................................................................................... 79
3.5.2 DHCP Options........................................................................................................................................................... 82
3.6 Default Configuration...................................................................................................................................................85
3.7 Configuration Task Summary.......................................................................................................................................86
3.8 Configuration Notes..................................................................................................................................................... 87
3.9 Configuring a DHCP Server.........................................................................................................................................87
3.9.1 Planning Data............................................................................................................................................................ 87
3.9.2 Enabling DHCP......................................................................................................................................................... 89
3.9.3 Configuring a DHCP Server to Allocate IP Addresses to Clients.............................................................................89
3.9.3.1 Creating an Address Pool....................................................................................................................................... 89
3.9.3.2 Enabling the DHCP Server Function......................................................................................................................92
3.9.3.3 (Optional) Configuring the Range of IP Addresses That Cannot Be Automatically Allocated to Clients from an
Address Pool.......................................................................................................................................................................94
3.9.3.4 (Optional) Configuring a DHCP Server to Allocate Fixed IP Addresses to Specified Clients..............................95
3.9.3.5 (Optional) Configuring an Address Lease Time.....................................................................................................98
3.9.3.6 (Optional) Configuring the Logging Function During IP Address Allocation...................................................... 99
3.9.3.7 (Optional) Configuring IP Address Conflict Detection Before a DHCP Server Allocates IP Addresses............100
3.9.3.8 (Optional) Configuring a DHCP Server to Automatically Save IP Address Allocation Information..................101
3.9.3.9 (Optional) Associating an IP Address Pool with NQA........................................................................................ 102
3.9.4 (Optional) Configuring a DHCP Server to Allocate Network Parameters Besides IP Addresses.......................... 106
3.9.4.1 Configuring a Gateway Address for Clients.........................................................................................................106
3.9.4.2 Configuring DNS and the NetBIOS Service on the DHCP Clients..................................................................... 108
3.9.4.3 Configuring a Configuration File for a DHCP Client...........................................................................................114
3.9.4.4 Configuring User-defined Options for Clients..................................................................................................... 117
3.9.5 (Optional) Configuring the DHCP Rate Limit Function......................................................................................... 124
3.9.6 Checking the Configuration.....................................................................................................................................127
3.10 Configuring a DHCP Relay Agent........................................................................................................................... 128
3.10.1 Enabling DHCP..................................................................................................................................................... 128
3.10.2 Enabling the DHCP Relay Function......................................................................................................................128
3.10.3 Specifying an IP Address for the DHCP Server on a DHCP Relay Agent........................................................... 129
3.10.4 (Optional) Configuring Strategies for Processing Option 82 Information on a DHCP Relay Agent....................132
3.10.5 (Optional) Configuring Rate Limit of DHCP Packets...........................................................................................134
3.10.6 Checking the Configuration...................................................................................................................................136
3.11 Configuring a DHCP Client......................................................................................................................................136
3.11.1 (Optional) Configuring Attributes for a DHCP Client.......................................................................................... 137
3.11.2 (Optional) Configuring an Expected Lease for a DHCP Client............................................................................ 138
3.11.3 (Optional) Configuring the Gateway Detection Function on a DHCP Client....................................................... 138
3.11.4 (Optional) Configuring a DHCP Client to Dynamically Obtain Routing Information......................................... 139
3.11.5 Enabling the DHCP Client Function..................................................................................................................... 140
3.11.6 Checking the Configuration...................................................................................................................................140
3.12 Configuring a BOOTP Client................................................................................................................................... 141
3.12.1 (Optional) Configuring Attributes for a BOOTP Client........................................................................................141
9.12.4 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in Multiple Network
Segments Connected to the Relay.................................................................................................................................... 404
9.12.5 Example for Configuring a DHCPv6 PD Client................................................................................................... 408
9.12.6 Example for Configuring a DHCPv6 Client..........................................................................................................410
1 IP Address Configuration
Network devices can communicate at the network layer only after they are configured with IP
addresses.
Definition
Internet Protocol Version 4 (IPv4) is the core protocol in the TCP/IP protocol suite. IPv4
works at the network layer in the TCP/IP model. This layer corresponds to the network layer
in the Open System Interconnection Reference Model (OSI RM). The network layer provides
connectionless data transmission. Each IP datagram is transmitted independently.
Purpose
IPv4 is used on the network layer between the data link layer and the transport layer. IPv4
shields the differences at the link layer and provides a uniform format for the data packets
transmitted at the transport layer.
License Support
IP addresses functions are basic function of routers and can be obtained without licenses.
1.3 Principles
This section describes the implementation of IPv4.
Transport
TCP, UDP
layer
ICMP
Network
layer IP
RARP, ARP
Data link Various network
layer interfaces
As shown in Figure 1-1, ARP and RARP work between the data link layer and the network
layer for address resolution. ICMP works between the network layer and the transport layer to
ensure correct forwarding of IP datagrams.
ARP
ARP maps an IP address to a MAC address. ARP can be implemented in dynamic or static
mode. ARP provides some extended functions, such as proxy ARP, gratuitous ARP, ARP
security, and ARP-Ping.
RARP
RARP maps a MAC address to an IP address.
ICMP
ICMP works at the network layer to ensure correct forwarding of IP datagrams. ICMP allows
hosts and devices to report errors during packet transmission. An ICMP message is
encapsulated in an IP datagram as the data, and a header is added to the ICMP message to
form an IP datagram.
l Network ID (Net-id): The network ID identifies a network. The IP address and subnet
mask are converted to be binary numbers. The network ID is obtained after the bit-by-bit
AND operation is performed.
l Host ID (Host-id): The host ID identifies different hosts on a network. Network devices
with the same network ID are located on the same network, regardless of their physical
locations. The IP address and subnet mask are converted to be binary numbers. Taking
the reverse of the subnet mask, the host ID is obtained after the bit-by-bit AND operation
is performed.
l IP addresses do not show any geographical information. The network ID represents the
network to which a host belongs.
l When a host connects to two networks simultaneously, it must have two IP addresses
with different network IDs. In this case, the host is called a multihomed host.
l Networks allocated with the network ID are in the same class.
C 1 1 0 Host-id
Net-id
D 1 1 1 0 Multicast-address
E 1 1 1 1 Reserved
At present, most IP addresses in use belong to Class A, Class B, or Class C. Class D addresses
are multicast addresses and Class E addresses are reserved. The easiest way to determine the
class of an IP address is to check the first bits in its network ID. The class fields of Class A,
Class B, Class C, Class D, and Class E are binary digits 0, 10, 110, 1110, and 1111
respectively.
Certain IP addresses are reserved, and they cannot be allocated to users. Table 1-1 lists the
ranges of IP addresses for the five classes.
NOTE
A 10.0.0.0 to 10.255.255.255
B 172.16.0.0 to 172.31.255.255
C 192.168.0.0 to 192.168.255.255
Source IP address
Destination IP address
Options (variable length)
Data
An IPv4 datagram consists of a header and a data field. The first 20 bytes in the header are
mandatory for all IPv4 datagrams. The Options field following the 20 bytes has a variable
length.
Table 1-4 describes the meaning of each field in an IPv4 packet.
Type of Service 8 bits Specifies the type of service. This field takes effect only in
(ToS) the differentiated service model.
Total Length 16 bits Specifies the length of the header and data.
Flags 3 bits Only the rightmost two bits are valid. The rightmost bit
indicates whether the datagram is not the last data
fragment. The value 1 indicates the last fragment, and the
value 0 indicates non-last fragment. The middle bit is the
fragmentation flag. The value 1 indicates that the datagram
cannot be fragmented, and the value 0 indicates that the
datagram can be fragmented.
Time to Live 8 bits Specifies the life span of a datagram on a network. TTL is
(TTL) measured by the number of hops.
Protocol 8 bits Specifies the type of the protocol carried in the datagram.
Header 16 bits A device calculates the header checksum for each datagram
Checksum received. If the checksum is 0, the device knows that the
header remains unchanged and retains the datagram. This
field checks only the header but not the data.
1.3.4 Subnetting
A network can be divided into multiple subnets to conserve IP address space and support
flexible IP addressing.
When many hosts are distributed on an internal network, the internal host IDs can be divided
into multiple subnet IDs to facilitate management. Then the entire network contains multiple
small networks.
Subnetting is implemented within the internal network. The internal network has only one
network ID for the external network. When packets are transmitted from the external network
to the internal network, the device on the internal network selects a route for the packets based
on the subnet ID and finds the destination host.
Figure 1-4 shows subnetting of a Class B IP address. The subnet mask consists of a string of
continuous 1s and 0s. 1s indicate the network ID and the subnet ID field, and 0s indicate the
host ID.
Mask 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0
As shown in Figure 1-4, the first 5 bits of the host ID is used as the subnet ID. The subnet ID
ranges from 00000 to 11111, allowing a maximum of 32 (25) subnets. Each subnet ID has a
subnet mask. For example, the subnet mask of the subnet ID 11111 is 255.255.248.0. After
performing an AND operation on the IP address and the subnet mask, you can obtain the
network address.
Subnetting reduces the available IP addresses. For example, a Class B IP address contains
65534 ((216 − 2)) host IDs. After 5 bits in the host ID are used as the subnet ID, there can be a
maximum of 32 subnets, each having an 11-bit host ID. Each subnet has a maximum of 2046
host IDs (211 - 2, excluding the host IDs with all 1s and all 0s). Therefore, the IP address has a
maximum of 65472 (32 x 2046) host IDs, 62 less than the maximum number of host IDs
before subnetting.
To implement efficient network planning, subnetting and IP addressing should abide by the
following rules.
Hierarchy
To divide a network into multiple layers, you need to consider geographic and service factors.
Use a top-down subnetting mode to facilitate network management and simplify routing
tables. In most cases:
Consecutiveness
Consecutive addresses facilitate route summarization on a hierarchical network, which greatly
reduces the number of routing entries and improves route search efficiency.
Scalability
When allocating addresses, reserve certain addresses on each layer to ensure consecutive
address allocation in future network expansion.
A backbone network must have enough consecutive addresses for independent autonomous
systems (ASs) and further network expansion.
Efficiency
When planning subnets, fully utilize address resources to ensure that the subnets are sufficient
for hosts.
l Allocate IP addresses by using variable-length subnet masking (VLSM) to fully use
address resources.
l Consider the routing mechanisms in IP address planning to improve address utilization
efficiency in the allocated address spaces.
Pre-configuration Tasks
Before configuring IP addresses for interfaces, complete the following tasks:
l Setting link layer parameters for the interfaces to ensure that the link layer protocol
status of the interfaces is Up
Context
Interfaces on the same industrial switch router can be assigned IP addresses on overlapping
network segments, but the IP addresses cannot be located on the same network segment. For
example, an interface has been assigned 20.1.1.1/16. If you assign 20.1.1.2/24 to another
interface on the same industrial switch router, the system displays a warning message but the
configuration succeeds. If you assign 20.1.1.2/16 to another interface, the system displays an
error message, indicating that the configuration fails because of an IP address conflict.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ip address ip-address { mask | mask-length }
Each interface has only one primary IP address. If you configure multiple primary IP
addresses for an interface, the last configured IP address becomes the primary IP address of
the interface.
----End
Context
Generally, an interface needs only a primary IP address. In some special scenarios, you need
to configure secondary IP addresses for an interface. For example, a industrial switch router
connects to a physical network through an interface, and hosts on this network belong to two
network segments. To enable the industrial switch router to communicate with all hosts on the
physical network, configure a primary IP address and a secondary IP address for this
interface. You can configure multiple IP address for a Layer 3 interface on a industrial switch
router, one as the primary IP address, and the others as secondary IP addresses. Each Layer 3
interface can have a maximum of 31 secondary IP addresses.
The primary IP address of one interface and secondary IP address of another interface on the
same industrial switch router can be located on overlapping network segments but not on the
same network segment. For example, if an interface has been assigned a primary IP address
20.1.1.1/16 and you assign secondary IP address 20.1.1.2/24 sub to another interface on the
industrial switch router, the system displays a warning message but the configuration
succeeds.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ip address ip-address { mask | mask-length } sub
----End
Procedure
l Run the display interface [ interface-type [ interface-number ] ] command to check
information about an interface.
l Run the display ip interface [ interface-type interface-number ] command to check the
IP address configuration of an interface.
l Run the display ip interface brief [ interface-type [ interface-number ] ] command to
check brief information about interface IP addresses.
----End
Pre-configuration Tasks
Before configuring an IP unnumbered interface, complete the following tasks:
l Setting link layer parameters for the interfaces to ensure that the link layer protocol
status of the interfaces is Up
Context
An IP unnumbered interface cannot run dynamic routing protocols because it does not have
an IP address itself. To enable the interface to communicate with a peer network segment,
configure a static route to the network segment.
Procedure
Step 1 Run:
system-view
IP unnumbered interfaces can borrow interfaces from Ethernet, Loopback, Eth-Trunk, and
VLANIF interfaces.
Step 3 Run:
ip address ip-address { mask | mask-length }
Each interface has only one primary IP address. If you configure multiple primary IP
addresses for an interface, the last configured IP address becomes the primary IP address of
the interface.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ip address unnumbered interface interface-type interface-number
----End
Procedure
l Run the display ip interface [ interface-type interface-number ] command to check the
IP address configuration of an interface.
l Run the display ip interface brief [ interface-type [ interface-number ] ] command to
check brief information about interface IP addresses.
----End
GE1/0/0
10.16.1.1/24
10.16.2.1/24 sub
Configuration Roadmap
The configuration roadmap is as follows:
Configure a primary IP address and a secondary IP address for the interface.
NOTE
Procedure
Step 1 Configure a primary IP address and a secondary IP address for GE1/0/0.
<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] undo portswitch
[Huawei-GigabitEthernet1/0/0] ip address 10.16.1.1 24
[Huawei-GigabitEthernet1/0/0] ip address 10.16.2.1 24 sub
# Ping a host on network segment 10.16.2.0/24 from the Router. The ping operation succeeds.
<Huawei> ping 10.16.2.2
PING 10.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 10.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 10.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 10.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 10.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 10.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
# The hosts of the two network segments can ping through each other.
----End
Configuration Files
Configuration file of the Router
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.16.1.1 255.255.255.0
ip address 10.16.2.1 255.255.255.0 sub
#
return
Loopback 0
10.1.2.1/24
30.1.1.2/24
Loopback 0
20.1.1.1/24
10.1.1.1/24
Tunnel
Tunnel Tunnel
0/0/15 0/0/15
PC 1 PC 2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF to ensure that there are reachable routes between RouterA and RouterC.
2. Create tunnel interfaces on RouterA and RouterC and configure the tunnel interfaces to
borrow IP addresses from loopback interfaces to save IP addresses.
Procedure
Step 1 Configure IP addresses for physical interfaces.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 10.1.1.1 255.255.255.0
[RouterA-LoopBack0] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 20.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ip address 20.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] undo portswitch
[RouterB-GigabitEthernet2/0/0] ip address 30.1.1.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
# Configure RouterB.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure RouterC.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# After the preceding configurations, run the display ip routing-table command on RouterA
and RouterC. The command output shows that RouterA and RouterC have learned OSPF
routes to the network segment of the peer.
# The following uses the display on RouterA as an example.
[RouterA] display ip routing-table protocol ospf
Route Flags: R - relay, D - download to
fib
------------------------------------------------------------------------------
# Configure RouterC.
[RouterC] interface tunnel 0/0/15
[RouterC-Tunnel0/0/15] tunnel-protocol gre
[RouterC-Tunnel0/0/15] ip address unnumbered interface loopback 0
[RouterC-Tunnel0/0/15] source 30.1.1.2
[RouterC-Tunnel0/0/15] destination 20.1.1.1
[RouterC-Tunnel0/0/15] quit
# Configure RouterC.
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/15
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
interface
GigabitEthernet1/0/0
undo portswitch
ip address 20.1.1.1
255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.225.0
#
interface Tunnel0/0/15
ip address unnumbered interface LoopBack0
tunnel-protocol
gre
source
20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
interface
GigabitEthernet1/0/0
undo portswitch
ip address 20.1.1.2
255.255.255.0
#
interface
GigabitEthernet2/0/0
undo portswitch
ip address 30.1.1.1
255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of RouterC
#
sysname RouterC
#
interface
GigabitEthernet1/0/0
undo portswitch
ip address 30.1.1.2 255.255.255.0
#
interface LoopBack0
ip address 10.1.2.1 255.255.225.0
#
interface Tunnel0/0/15
ip address unnumbered interface LoopBack0
tunnel-protocol
gre
source
30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
#
return
Procedure
l Check the error message and rectify the fault according to Table 1-5.
Error: The specified The primary IP address You do not need to delete the IP
primary address does to be deleted does not address.
not exist. exist.
NOTE
Each interface has only
one primary IP address. If
you configure multiple
primary IP addresses for
an interface, the last
configured IP address
becomes the primary IP
address of the interface.
Error: Please delete the The primary IP address Delete all the secondary IP
sub address in the cannot be deleted addresses from the interface,
interface view first. because the interface and then delete the primary IP
has secondary IP address.
addresses.
Error: The specified The command used to Run the undo ip address ip-
address cannot be delete a primary IP address { mask | mask-length }
deleted because it is not address cannot delete a sub command to delete the
the primary address of secondary IP address. secondary IP address.
this interface.
Error: The specified sub The secondary IP You do not need to delete the IP
address does not exist. address to be deleted address.
does not exist.
Error: The address The interface has been Configure a different IP address
already exists. configured with the for the interface.
same IP address.
----End
2 ARP Configuration
The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that
Ethernet frames can be transmitted on a physical network.
2.1 ARP Overview
This section describes the definition, background, and functions of ARP.
2.2 Principles
This section describes the implementation of ARP.
2.3 Configuration Task Summary
ARP can be a dynamic ARP or a static ARP. ARP provides some extended functions, such as
proxy ARP, ARP-Ping.
2.4 Licensing Requirements and Limitations for ARP
2.5 Default Configuration
This section describes default ARP configurations.
2.6 Configuring ARP
This section describes the procedures for configuring ARP.
2.7 Maintaining ARP
Maintaining ARP includes clearing ARP entries and monitoring ARP running status.
2.8 Configuration Examples
This section provides configuration examples including networking requirements and
configuration roadmap.
Definition
The Address Resolution Protocol (ARP) maps IP addresses into MAC addresses.
Purpose
On a local area network (LAN), a host or a network device must learn the IP address of the
destination host or device before sending data to it. Additionally, the host or network device
must learn the physical address of the destination host or device because IP packets must be
encapsulated into frames for transmission over a physical network. Therefore, the mapping
from an IP address into a physical address is required. ARP is used to map IP addresses into
physical addresses.
2.2 Principles
This section describes the implementation of ARP.
l Hardware Type: indicates the hardware address type. For an Ethernet, the value of this
field is 1.
l Protocol Type: indicates the type of the protocol address to be mapped. For an IP
address, the value of this field is 0x0800.
l Hardware Length: indicates the hardware address length. For an ARP Request or Reply
packet, the value of this field is 6.
l Protocol Length: indicates the protocol address length. For an ARP Request or Reply
packet, the value of this field is 4.
l OP: indicates the operation type. The value 1 indicates ARP requesting, and the value 2
indicates ARP replying.
l Ethernet Address of sender: indicates the MAC address of the sender.
l IP Address of sender: indicates the IP address of the sender.
l Ethernet Address of destination: indicates the MAC address of the receiver.
l IP Address of destination: indicates the IP address of the receiver.
ARP Request
HOSTA HOSTB
As shown in Figure 2-2, HOSTA and HOSTB are on the same network segment. HOSTA
needs to send IP packets to HOSTB.
HOSTA searches the local ARP table for the ARP entry corresponding to HOSTB. If the
corresponding ARP entry is found, HOSTA encapsulates the IP packets into Ethernet frames
and forwards them to HOSTB based on its MAC address.
If the corresponding APR entry is not found, HOSTA caches the IP packets and broadcasts an
ARP Request packet. In the ARP Request packet, the IP address and MAC address of the
sender are the IP address and MAC address of HOSTA. The destination IP address is the IP
address of HOSTB, and the destination MAC address contains all 0s. All hosts on the same
network segment can receive the ARP Request packet, but only HOSTB processes the packet.
ARP Reply
HOSTA HOSTB
HOSTB compares its IP address with the destination IP address in the ARP Request packet. If
HOSTB finds that its IP address is the same as the destination IP address, HOSTB adds the IP
address and MAC address of the sender (HOSTA) to the local ARP table. Then HOSTB
unicasts an ARP Reply packet, which contains its MAC address, to HOSTA, as shown in
Figure 2-3.
After receiving the ARP Reply packet, HOSTA adds HOSTB's MAC address into the local
ARP table. Meanwhile, HOSTA encapsulates the IP packets and forwards them to HOSTB.
If the IP address of the peer device remains the same but the MAC address changes
frequently, it is recommended that you configure ARP aging probe packets to be
broadcast.
If the MAC address of the peer device remains the same, the network bandwidth is
insufficient, and the aging time of ARP entries is short, it is recommended that you
configure ARP aging probe packets to be unicast.
When a non-Huawei device connected to a Huawei device receives an ARP aging probe
packet whose destination MAC address is a broadcast address, the non-Huawei device
checks the ARP table. If the mapping between the IP address and the MAC address of
the Huawei device exists in the ARP table, the non-Huawei device drops the ARP aging
probe packet. The Huawei device cannot receive a response and therefore deletes the
corresponding ARP entry. As a result, traffic from the network cannot be forwarded. In
this scenario, the Huawei device needs to send ARP aging probe packets in unicast mode
and the non-Huawei device needs to respond to the ARP aging probe packets.
l Layer 2 topology detection
The Layer 2 topology detection function enables a device to retransmit ARP probe
packets to update ARP entries when a Layer 2 interface becomes Up and the aging time
of the ARP entries in the corresponding VLAN becomes 0.
Dynamic ARP
Dynamic ARP entries are generated and maintained dynamically by using ARP packets. They
can be aged out, updated, or overwritten by static ARP entries. When the aging time expires
or the interface is Down, the corresponding dynamic ARP entries are deleted.
Static ARP
Static ARP entries record fixed mapping between IP addresses and MAC addresses and are
configured manually by network administrators.
Routed proxy ARP Allows hosts on the same network segment but on different
physical networks to communicate.
Inter-VLAN proxy ARP Allows hosts in different VLANs or hosts in different sub-
VLANs of the same VLAN to communicate at Layer 3.
In practice, if a host connected to a router is not configured with a default gateway address
(that is, the host does not know how to reach the intermediate system of the network), the host
cannot transmit packets.
As shown in Figure 2-4, RouterA is connected to two networks through VLAN10 and
VLAN20. The IP addresses of VLANIF10 and VLANIF20 are on different network
segments. However, the masks make HOSTA and VLANIF10 on the same network segment,
HOSTB and VLANIF20 on the same network segment, and HOSTA and HOSTB on the same
network segment.
RouterA
172.16.2.10/16 172.16.1.20/16
VLANIF10 VLANIF20
HOSTA 172.16.2.9/24 172.16.1.9/24 HOSTB
The IP addresses of HOSTA and HOSTB are on the same network segment. When HOSTA
needs to communicate with HOSTB, HOSTA broadcasts an ARP Request packet, requesting
the MAC address of HOSTB. However, HOSTA and HOSTB are on different physical
networks (in different broadcast domains). Therefore, HOSTB cannot receive the ARP
Request packet sent from HOSTA and does not respond with an ARP Reply packet.
To solve this problem, enable proxy ARP on RouterA. After receiving an ARP Request
packet, RouterA enabled with proxy ARP searches for the routing table corresponding to
HOSTB. If the router corresponding to HOSTB exists, RouterA responds to the ARP Request
packet with its own MAC address. HOSTA forwards data based on the MAC address of
RouterA. RouterA functions as the proxy of HOSTB.
RouterA
HOSTA and HOSTB cannot communicate at Layer 2 because interface isolation in a VLAN
is configured on RouterA.
To solve this problem, enable intra-VLAN proxy ARP on the interfaces of RouterA. After
RouterA's interface connected to HOSTA receives an ARP Request packet whose destination
address is not its own address, RouterA does not discard the packet but searches for the ARP
entry corresponding to HOSTB. If the ARP entry corresponding to HOSTB exists, RouterA
sends its MAC address to HOSTA and forwards packets sent from HOSTA to HOSTB.
RouterA functions as the proxy of HOSTB.
HOSTA HOSTB
172.16.2.20/24 172.16.2.30/24
The interfaces connected to HOSTA and HOSTB belong to different VLANs. Therefore,
HOST A and HOSTB cannot communicate at Layer 2.
To solve this problem, enable inter-VLAN proxy ARP on the interfaces of RouterA. After
RouterA's interface connected to HOSTA receives an ARP Request packet whose destination
address is not its own address, RouterA does not discard the packet but searches for the ARP
entry corresponding to HOSTB. If the ARP entry corresponding to HOSTB exists, RouterA
sends its MAC address to HOSTA and forwards packets sent from HOSTA to HOSTB.
RouterA functions as the proxy of HOSTB.
l Checks duplicate IP addresses: Normally, a host does not receive an ARP Reply packet
after sending an ARP Request packet with the destination address being its own IP
address. If the host receives an ARP Reply packet, another host has the same IP address.
l Advertises a new MAC address. If the MAC address of a host changes because its
network adapter is replaced, the host sends a gratuitous ARP packet to notify all hosts of
the change before the ARP entry is aged out.
l Notifies an active/standby switchover in a VRRP backup group: After an active/standby
switchover, the master router sends a gratuitous ARP packet in the VRRP backup group
to notify the switchover.
When a device receives a gratuitous ARP packet, it checks whether the source IP address of
the packet is the same as the local IP address:
l If the IP addresses are the same, the device periodically broadcasts a gratuitous ARP
Reply packet to notify the address conflict until the conflict is removed.
l If the IP addresses are different, the device updates the ARP entry according to the
received gratuitous ARP packet only when it receives the packet on the VLANIF
interface and has the dynamic ARP entry mapping the source IP address of the packet. In
other cases, the device does not update the ARP entry.
NOTE
For the application of gratuitous ARP in the security feature, see Gratuitous ARP Packet Sending in the
Huawei AR Series IOT Gateway Configuration Guide - Security.
2.2.4 ARP-Ping
ARP-Ping includes ARP-Ping IP and ARP-Ping MAC. ARP-Ping sends ARP Request packets
or ICMP Echo Request packets to check whether a specified IP address or MAC address is
used.
ARP-Ping IP
ARP-Ping IP checks whether an IP address is used by another device on the LAN by sending
ARP packets.
Before configuring an IP address for a device, configure ARP-Ping IP on the device to check
whether this IP address has been used by sending ARP Request packets.
You can also run the ping command to check whether this IP address is used by another
device on the network. However, if the router or host that uses the IP address is enabled with
the firewall function and the firewall is configured not to respond to ping packets, you may be
misled into thinking that this IP address is not used. To solve the problem, use ARP-Ping IP.
ARP is a Layer 2 protocol. Therefore, ARP packets can pass through the firewall that is
configured not to respond to ping packets.
ARP-Ping MAC
The ARP-Ping MAC process is similar to the ping process. The difference is that ARP-Ping
MAC applies only to directly connected Ethernet LANs or Layer 2 VPN Ethernet networks.
ARP-Ping MAC sends ICMP Echo Request packets. ARP-Ping MAC is implemented as
follows:
1. After a MAC address is specified for a host using the arp-ping mac command, the host
sends an ICMP Echo Request packet and starts a timer of waiting for an ICMP Echo
Reply packet.
2. After receiving the ICMP Echo Request packet, the router device or host that uses this
MAC address in the LAN returns an ICMP Echo Reply packet.
3. The sender performs the following two operations based on whether it receives the
ICMP packet:
– If the sender receives an ICMP Echo Reply packet, the sender compares the source
MAC address carried in the ICMP Echo Reply packet with the MAC address
specified using the arp-ping mac command. If the two MAC addresses are the
same, the sender displays the source IP address of the ICMP Echo Reply packet and
displays a message indicating that the MAC address is used by another router
device or host. The timer is disabled.
– If the sender does not receive an ARP Reply packet before the timer of waiting for
an ICMP Echo Reply packet expires, the sender displays a message indicating that
the MAC address is not used by another router device or host.
l When NLB servers work in unicast mode, the virtual MAC address starts with 02BF.
l When NLB servers work in multicast mode, the virtual MAC address starts with 03BF.
As shown in Figure 2-7, each server in the NLB group has its own IP address and MAC
address. In addition, the servers share a virtual IP address and a virtual MAC address. Router
functions as the access gateway and directly connects to the NLB group. Router needs to
forward packets destined for the virtual IP address to all servers in the NLB group.
After servers in the NLB group receive ARP Request packets for the virtual MAC address
from Router, all the servers return ARP Reply packets. In the ARP Reply packets, the
protocol source IP address is the virtual IP address and the protocol source MAC address is
the virtual MAC address.
l When NLB servers work in unicast mode, Router learns only one outbound interface
(interface connecting Router to an NLB server) from the ARP entry matching the NLB
group virtual IP address in the ARP table. Therefore, Router can forward packets
destined for the virtual IP address to only one server in the NLB group.
l When NLB servers work in multicast mode, Router does not learn ARP entries after
receiving ARP Reply packets from NLB servers because the protocol source MAC
address is a multicast MAC address. If you configure a static ARP entry by binding the
virtual IP address to the virtual MAC address, only one outbound interface is specified.
Therefore, Router can forward packets destined for the virtual IP address to only one
server in the NLB group.
To resolve the preceding problems, you can deploy multi-interface ARP to allow Router to
forward packets destined for the virtual IP address to all servers in the NLB group.
Client
IP Network
Router
IF1 IF3
IF2
In multi-interface ARP, a static ARP entry is configured by binding the virtual IP address to
the virtual MAC address, and MAC address entries are configured by binding the virtual
MAC address to multiple outbound interfaces. When Router forwards packets destined for the
virtual IP address, Router first searches for the ARP entry matching the virtual IP address to
determine the virtual MAC address and the VLAN to which the NLB servers belong. Router
then searches the MAC address table for multiple outbound interfaces based on the virtual
MAC address and VLAN. Router forwards packets to each connected NLB server through the
outbound interfaces.
Licensing Requirements
ARP functions are basic function of routers and can be obtained without licenses.
Feature Limitations
None
Aging detection mode of dynamic An interface sends the last ARP Aging probe
ARP entries packet in broadcast mode, and the rest ARP
Aging probe packets are sent in unicast mode.
Dynamic Learning of ARP Entries Dynamic Learning of ARP Entries with Multicast
with Multicast MAC Addresses MAC Addresses is disabled.
Context
Static ARP entries are manually configured and maintained. They cannot be aged and
overridden by dynamic ARP entries. Therefore, static ARP entries improve communication
security. Static ARP entries ensure communication between the local device and a specified
device by using a specified MAC address so that attackers cannot modify mappings between
IP addresses and MAC addresses in static ARP entries.
NOTE
Static ARP entries cannot be modified. However, the configuration workload is heavy. Static ARP
entries cannot apply to a network where IP addresses of hosts may change or a small-sized network.
Procedure
Step 1 Run:
system-view
----End
l Run the display arp [ all | brief ] command to check all ARP mapping entries.
l Run the display arp network net-number net-mask [ dynamic | static ] command to
check ARP mapping entries of a specified network segment.
l Run the display arp static command to check static ARP mapping entries.
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command to check ARP mapping entries of a specified interface.
l Run the display arp vpn-instance vpn-instance-name static command to check static
ARP mapping entries of a specified VPN instance.
Pre-configuration Tasks
Before optimizing dynamic ARP, complete the following tasks:
l Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status of the interfaces is Up
Context
Aging parameters of ARP entries include the aging time, the number of probes, detection
intervals, and detection modes. Proper adjustment of aging parameters improves network
reliability.
l Aging time of dynamic ARP entries: After the aging time of a dynamic ARP entry is
reached, the device sends an ARP Request packet to the corresponding outbound
interface and starts ARP aging detection. If the value of the aging time is set too small
(for example, 1 minute), the system consumes most resources on updating dynamic ARP
entries and cannot process other services. If the aging time is too long (for example, 15
hours), the device may not update dynamic ARP entries in a timely manner. The default
aging time (20 minutes) is recommended.
l Number of probes to dynamic ARP entries: Before aging a dynamic ARP entry, the
system first performs probes. If no answer is received after the times of probes reach the
upper limit, the ARP entry is deleted.
l Aging detection modes of dynamic ARP entries: Before an ARP entry is aged, an
interface sends an ARP aging probe packet.
NOTE
l If the IP address of the peer device remains the same but the MAC address changes frequently,
it is recommended that you configure ARP aging probe packets to be broadcast.
l If the MAC address of the peer device remains the same, and the network bandwidth is
insufficient, it is recommended that you configure ARP aging probe packets to be unicast.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
arp expire-time expire-time
By default, the aging time of dynamic ARP entries is 1200 seconds, that is, 20 minutes.
Step 4 Run:
arp detect-times detect-times
Step 5 Run:
arp detect-mode unicast
By default, an interface sends the last ARP Aging Detection packet in broadcast mode, and
the rest ARP Aging Detection packets are sent in unicast mode.
----End
Context
Layer 2 topology detection enables the system to update all the ARP entries in the VLAN that
a Layer 2 interface belongs to when the Layer 2 interface status changes from Down to Up.
Procedure
Step 1 Run:
system-view
Step 2 Run:
l2-topology detect enable
----End
Background Information
To improve network security, some devices do not support broadcast packets.
l Before an ARP entry ages out, the local device broadcasts an ARP request packet in an
attempt to update the ARP entry based on the reply from a peer device. If the peer device
does not support broadcast packets, it does not respond to the broadcast ARP request
packet, so the local device considers the peer device offline and deletes the ARP entry.
As a result, services will be interrupted between the two devices.
l If the local device is new, it will broadcast an ARP request packet to learn the MAC
addresses of other devices. If a peer device does not support broadcast packets, it will
discard the ARP request packet, so the local device will not learn the peer device's MAC
address. As a result, new services will not be started between the two devices.
To resolve these problems, enable the unicast ARP probe function. This function enables a
local interface to send a unicast ARP request packet that carries the specified IP and MAC
addresses. The unicast ARP probe function improves network security, without compromising
service stability. The ARP entries learned or updated by the local device will be deleted after
their aging time expires and can be updated again after the local device receives ARP request
packets from the peer device.
Procedure
l Run:
arp send-packet ip-address mac-address interface interface-type interface-
number [ vid vid [ cevid cevid ] ]
----End
Procedure
l Run the display arp [ all | brief ] command to check all ARP mapping entries.
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command to check ARP mapping entries of a specified interface.
l Run the display arp network net-number net-mask [ dynamic | static ] command to
check ARP mapping entries of a specified network segment.
l Run the display arp dynamic command to check dynamic ARP mapping entries.
l Run the display arp vpn-instance vpn-instance-name static command to check static
ARP mapping entries of a specified VPN instance.
Pre-configuration Tasks
Before configuring proxy ARP, complete the following task:
l Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status of the interfaces is Up
Context
Proxy ARP enables PCs or industrial switch routers on the same network segment but on
different physical networks to communicate. In actual applications, if the current connected to
the industrial switch router is not configured with a default gateway address (that is, the host
does not know how to reach the intermediate system of the network), the host cannot forward
data packets. Routed proxy ARP solves this problem.
Figure 2-8 shows the routed proxy ARP networking. RouterA uses GE1/0/0 and GE2/0/0 to
connect two networks. IP addresses of the two GE interfaces are on different network
segments. However, the masks make Host A and VLANIF10 on the same network segment,
Host B and VLANIF20 on the same network segment, and Host A and Host B on the same
network segment.
GE1/0/0 GE2/0/0
172.16.2.9/24 172.16.1.9/24
HOSTA RouterA HOSTB
HOST A sends an ARP Request packet, requesting the MAC address of HOST B. After
receiving the packet, RouterA uses its MAC address to reply the Request packet. HOST A
then forwards data using the MAC address of RouterA.
IP addresses of the STAhosts on a subnet have the same network ID. Therefore, the default
gateway address does not need to be configured on the STAhosts.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
The interfaces connect routing devices to the physical networks and are enabled with routed
proxy ARP.
Step 3 Run:
ip address ip-address { mask | mask-length }
The IP address configured for the interface enabled with routed proxy ARP must be on the
same network segment as the IP address of the connected hostserver on a LAN.
Step 4 Run:
arp-proxy enable
After proxy ARP is enabled, the aging time of ARP entries on hosts should be shortened so
that invalid ARP entries can be deleted as soon as possible. The number of packets received
but cannot be forwarded by the device is decreased. To set ARP aging time, run the arp
expire-time expire-time command.
----End
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command to check ARP mapping entries of a specified interface.
l Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check ARP mapping entries of a specified VPN instance.
Context
If two hosts belong to the same VLAN but are isolated, enable intra-VLAN proxy ARP on an
interface associated with the VLAN to allow the hosts to communicate.
As shown in Figure 2-9, HOSTA and HOSTB connect to RouterA. The two interfaces that
connect HOSTA and HOSTB to RouterA belong to VLAN10.
RouterA
HOSTA and HOSTB cannot communicate at Layer 2 because interface isolation in a VLAN
is configured on RouterA.
To solve this problem, enable intra-VLAN proxy ARP on the interfaces of RouterA. After an
interface of RouterA receives an ARP Request packet whose destination address is not its
own address, RouterA does not discard the packet but searches for the ARP entry. If the ARP
entry matching HOSTB exists, RouterA sends its MAC address to HOSTA and forwards
packets sent from HOSTA to HOSTB. RouterA functions as the proxy of HOSTB.
Procedure
Step 1 Run:
system-view
----End
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command to check ARP mapping entries of a specified interface.
l Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check ARP mapping entries of a specified VPN instance.
Context
If two hosts belong to different VLANs, enable inter-VLAN proxy ARP on interfaces
associated with the VLANs to implement Layer 3 communication between the two hosts.
As shown in Figure 2-10, HOSTA and HOSTB connect to RouterA. Interfaces that connect
HOSTA and HOSTB to RouterA belong to VLAN10 and VLAN20 respectively.
HOSTA HOSTB
172.16.2.20/24 172.16.2.30/24
To solve this problem, inter-VLAN proxy ARP needs to be enabled on interfaces of RouterA.
After an interface of RouterA receives an ARP Request packet whose destination address is
not its own address, RouterA does not discard the packet but searches for the ARP entry. If
the ARP entry matching HOSTB exists, RouterA sends its MAC address to HOSTA and
forwards packets sent from HOSTA to HOSTB. RouterA functions as the proxy of HOSTB.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
----End
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command to check ARP mapping entries of a specified interface.
l Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check ARP mapping entries of a specified VPN instance.
Pre-configuration Tasks
Before configuring ARP-Ping, complete the following task:
l Configuring link layer protocol parameters and IP addresses for interfaces to ensure that
the link layer protocol status of the interfaces is Up.
Context
Before configuring an IP address for a device on a LAN, run the arp-ping ip command to
check whether the IP address is used by other network devices.
The ping command can also check whether an IP address is in use. If the destination host or
the industrial switch router configured with the firewall function are configured not to reply to
ping packets, there is no response to the ping packet. Consequently, the IP address is
considered unused. ARP is a Layer 2 protocol. In most cases, ARP packets can pass through
the firewall that is disabled from replying to the Ping packets to prevent the preceding
situation.
Procedure
l Run:
arp-ping ip ip-address [ timeout timeout-value ] [ interface interface-type
interface-number [ vlan-id vlan-id ] ]
----End
Context
When you know a specific MAC address but not the corresponding IP address on a network
segment, you can obtain the corresponding IP address using the arp-ping mac command to
send ICMP packets. In this way, you can obtain the IP address mapping the MAC address.
Procedure
l Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number }
Check whether the MAC address is used. If the MAC address is in use, query the IP
address mapping the MAC address.
– If the following information is displayed, the MAC address is not used.
<Huawei> arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press
CTRL_C to break
Request timed out
Request timed out
Request timed out
----- ARP-Ping MAC statistics -----
3 packet(s) transmitted
0 packet(s) received
MAC[00-E0-51-7D-F2-01] not be used
– If the following information is displayed, it means that the MAC address is used.
<Huawei> arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press
CTRL_C to break
----- ARP-Ping MAC statistics -----
1 packet(s) transmitted
1 packet(s) received
IP ADDRESS MAC ADDRESS
10.1.1.1 00-E0-51-7D-F2-02
----End
Background Information
IP addresses may be mapped to multicast MAC addresses in some service scenarios. As
shown in Figure 2-11, the device is connected to the network load balance (NLB) group
through a Layer 2 LAN switch (LSW). The NLB group works in multicast mode; that is, the
MAC address of the NLB group is a multicast MAC address. In this case, a network
administrator can enable the device to dynamically learn multicast MAC addresses and
generate ARP entries. This reduces the network administrator's workload of configuring static
ARP entries and reduces network operation and maintenance costs.
Figure 2-11 Device connected to the NLB group through a Layer 2 LSW
Client
IP Network
Router
Eth2/0/0
LSW
Procedure
l Globally enable a device to learn multicast MAC addresses.
a. Run:
system-view
The device is globally enabled to learn multicast MAC addresses and generate
dynamic ARP entries.
NOTE
If a device is globally enabled to learn multicast MAC addresses, the interfaces of this
device are enabled to learn multicast MAC addresses.
----End
Pre-configuration Tasks
Before configuring multi-interface ARP, complete the following task:
l Creating VLANs and adding interfaces to these VLANs
NOTE
Context
All servers in an NLB group share a virtual IP address and a virtual MAC address. When the
NLB group works in unicast mode, the virtual MAC address is a unicast MAC address. When
the NLB group works in multicast mode, the virtual MAC address is a multicast MAC
address. In both modes, when a device directly connects to the NLB group and functions as
the access gateway, the device needs to forward packets destined for the virtual IP address to
all servers in the NLB group, and each server determines how to process the packets. You can
configure multi-interface ARP on the device to allow it to forward packets destined for the
virtual IP address to all servers in the NLB group.
Procedure
Step 1 Run:
system-view
Step 2 Use the following methods to configure a multi-interface MAC address entry.
Configure a multi-interface MAC address entry in the system view for the first time. When a
multi-interface MAC address entry has been created and you need to add or delete an
interface, add or delete the interface in its interface view.
The value of interface-number2 must be greater than that of interface-number1, and the
two values determine an interface range.
l Configure a multi-interface MAC address entry in the interface view.
a. Run:
interface interface-type interface-number
----End
Background
By default, the scheduled ARP refresh function is enabled on the device. That is, the device
updates ARP entries. And clears the fast forwarding table every ten hours. When fast
forwarding is enabled (using the ip fast-forwarding enable command) on interfaces of the
device, you can disable the scheduled ARP refresh function to prevent traffic jitter occurring
when the fast forwarding table is cleared.
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo arp regularly-refresh enable
----End
Context
ARP entries cannot be restored after being cleared. When you delete static ARP entries, the
( arp static ) command is also deleted. Exercise caution when you delete the ARP entries.
Procedure
l Run the reset arp { all | dynamic | interface interface-type interface-number | packet
statistics | static } command to clear ARP entries in the ARP mapping table.
l Run the reset arp packet statistics command in user view to clear ARP packet statistics.
----End
Context
Monitoring the ARP running status includes checking ARP mapping entries, strict ARP entry
learning, ARP packet statistics, ARP packet processing rate, and maximum number of ARP
entries learnt by an interface.
Procedure
l Run the display arp [ all | brief ] command in any view to check all ARP mapping
entries.
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command in any view to check ARP mapping entries of a specified
interface.
l Run the display arp network net-number net-mask [ dynamic | static ] command in any
view to check ARP mapping entries of a specified network segment.
l Run the display arp vpn-instance vpn-instance-name static command in any view to
check static ARP mapping entries of a specified VPN instance.
l Run the display arp statistics { all | interface interface-type interface-number }
command in any view to check ARP entry statistics.
l Run the display arp packet statistics command in any view to check ARP packet
statistics.
----End
10.164.10.1/24
0df0-fc01-003a 10.164.1.1/24
00e0-fc01-0001
GE3/0/0 Etherent2/0/0
10.164.10.10 /24 VLANIF10
PC A
10.164.1.20/24
Router
Marketing President's
department office
10.164.2.0/24 10.164.1.0/24
VLAN20 VLAN10
R&D
department
10.164.3.0/24
VLAN30
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static ARP entries for hosts in the headquarters office on the router to prevent
ARP entries of the hosts in the headquarters office from being modified in ARP attack
packets.
2. Configure a static ARP entry for the file backup server on the router to prevent the ARP
entry of the file backup server from being modified in ARP attack packets.
Procedure
Step 1 Configure static ARP entries for the host in the headquarters office on the router.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
# Configure static ARP entries for the host in the headquarters office. PC A is used as an
example. The IP address of PC A is 10.164.1.1 and maps the MAC address 00e0-fc01-0001,
the VLAN ID is 10 and the outbound interface is Ethernet2/0/0.
[Router] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 2/0/0
# Configure static ARP entries for other hosts in the headquarters office. The configuration
method is similar to that of PC A.
Step 2 Configure a static ARP entry for the file backup server on the router.
# Configure a static ARP entry for the file backup server, The IP address 10.164.10.1/24 maps
the MAC address 0df0-fc01-003a.
[Router] arp static 10.164.10.1 0df0-fc01-003a
[Router] quit
----End
Configuration Files
Routrr configuration file
#
sysname Router
#
vlan batch 10 20 30
#
interface Ethernet2/0/0
port hybrid tagged vlan 10
#
interface Vlanif10
ip address 10.164.1.20 255.255.255.0
#
interface GigabitEthernet3/0/0
undo portswitch
ip address 10.164.10.10 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a
#
return
NOTE
AR500&AR510&AR530 functions as RouterA or RouterB.
Internet
Etherent2/0/0 Etherent2/0/0
VLAN10 VLAN20
Branch A Branch B
Host A Host B
10.16.1.2/16 10.16.2.2/16
0000-5e33-ee20 0000-5e33-ee10
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interface connecting RouterA and branch A to VLAN10 and add the interface
connecting RouterB and branch B to VLAN20.
2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to
implement communication between the two branches.
Procedure
Step 1 Configure RouterA.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit
# View the ARP mapping table of HostA. You can see that the MAC address of HostB is the
MAC address of VLANIF10.
C:\Documents and Settings\Administrator> arp -a
Interface: 10.16.1.2 --- 0x2
Internet Address Physical Address Type
10.16.2.2 00e0-fc39-80aa dynamic
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 10
#
interface Vlanif10
ip address 10.16.1.1 255.255.255.0
arp-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
#
return
#
sysname RouterB
#
vlan batch 20
#
interface Vlanif20
ip address 10.16.2.1 255.255.255.0
arp-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 20
#
return
Networking Requirements
As shown in Figure 2-14, hosts of the accounting department are located in a VLAN. Hosts
of the accounting department are attacked by viruses when they access the Internet. The
attacked hosts send a large number of broadcast packets, causing broadcast storms in the
VLAN. Even hosts cannot communicate. The company requires that broadcast storms be
prevented to ensure communication between hosts and information security.
Router
Ethernet2/0/0
VLANIF10
10.1.1.12/24
PC B PC A
10.1.1.100/24 10.1.1.10/24
VLAN10
Accounting department
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface isolation on the downstream interface of the switch to forbid Layer 2
communication and remove broadcast storms.
2. Enable intra-VLAN proxy ARP on the VLANIF interface to prevent broadcast storms
and implement Layer 3 communication between hosts in the accounting department.
Procedure
Step 1 Add Etherent2/0/0 to VLAN10.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
interface Ethernet2/0/0
port hybrid pvid vlan 10
port hybrid tagged vlan 10
#
return
Networking Requirements
In Figure 2-15, VLAN2 and VLAN3 belong to super-VLAN4. Hosts in VLAN2 and VLAN3
cannot ping each other. To implement communication between hosts in VLAN2 and VLAN3,
configure inter-VLAN proxy ARP.
VLAN2 VLAN3
VLAN4
VLAN2 VLAN3
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure a super-VLAN and sub-VLANs.
# Configure sub-VLAN2.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit
# Configure sub-VLAN3.
[Router] vlan 3
[Router-vlan3] quit
VLAN/CEVLAN
------------------------------------------------------------------------------
10.10.10.1 0018-2000-0083 I - Vlanif4
10.10.10.2 00e0-fc00-0002 19 D-0 Ethernet2/0/0
2/-
10.10.10.3 00e0-fc00-0003 19 D-0 Ethernet2/0/1
2/-
10.10.10.4 00e0-fc00-0004 19 D-0 Ethernet2/0/2
3/-
10.10.10.5 00e0-fc00-0005 19 D-0 Ethernet2/0/3
3/-
------------------------------------------------------------------------------
Total:5 Dynamic:4 Static:0 Interface:1
----End
Configuration Files
Only the configuration file of the router is provided.
#
sysname Router
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 2
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
#
interface Ethernet2/0/3
port link-type access
port default vlan 3
#
return
PC A PC B
VLAN100
10.1.1.1/24 10.1.1.3/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Add two Ethernet interfaces to VLAN100 in default mode.
2. Enable Layer 2 topology detection to view changes of ARP entries.
Procedure
Step 1 Create VLAN100 and add two Ethernet interfaces to VLAN100 in default mode.
# Create VLAN100 and configure an IP address for the VLANIF interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.1.1.2 24
[Router-Vlanif100] quit
Step 3 Restart Ethernet2/0/0 and view changes of ARP entries and aging time.
# View ARP entries on the router. You can find the router has learned the MAC address of the
PC.
[Router] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-
INSTANCE
VLAN/CEVLAN PVC
-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 D-0 Ethernet2/0/0
10.1.1.3 00e0-de24-bf04 20 D-0 Ethernet2/0/1
-----------------------------------------------------------------------------
Total:3 Dynamic:2 Static:0 Interface:1
After 1 minute, run the shutdown command to shut down Ethernet2/0/0, simulate an interface
fault, and check the aging time of ARP entries. The command output shows that the ARP
entries learned from Ethernet2/0/0 are deleted after Ethernet2/0/0 is shut down.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] shutdown
[Router-Ethernet2/0/0] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I -
Vlanif100
10.1.1.3 00e0-de24-bf04 19 D-0 Ethernet2/0/1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
# Run the undo shutdown command to restart Ethernet2/0/0 and check the aging time of
ARP entries. The command output shows that Ethernet2/0/0 and Ethernet2/0/1 in VLAN100
update ARP entries after Ethernet2/0/0 is restarted and becomes Up.
[Router] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-
INSTANCE
VLAN/CEVLAN PVC
-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 D-0 Ethernet2/0/0
10.1.1.3 00e0-de24-bf04 20 D-0 Ethernet2/0/1
-----------------------------------------------------------------------------
Total:3 Dynamic:2 Static:0 Interface:1
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
l2-topolgy detect enable
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 100
#
return
Client
IP Network
Router
Eth2/0/1 Eth2/0/3
Eth2/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and add the interfaces to a VLAN.
2. Configure a multi-interface MAC address entry and a static ARP entry so that the router
can forward packets destined for the group virtual IP address to the three servers in the
NLB group.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# On the router, create a VLAN and add the interfaces to the VLAN.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] quit
[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type access
[Router-Ethernet2/0/2] quit
[Router] interface ethernet 2/0/3
[Router-Ethernet2/0/3] port link-type access
[Router-Ethernet2/0/3] quit
[Router] vlan 10
[Router-vlan10] port ethernet 2/0/1 to 2/0/3
[Router-vlan10] quit
Step 2 On the router, create a VLANIF interface and assign an IP address to it.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.128.246.251 24
[Router-Vlanif10] quit
# On the router, run the display arp static command to check the static ARP entry.
<Router> display arp static
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.128.246.252 03bf-0a80-f6fc S-- Multi-port:3
------------------------------------------------------------------------------
Total:1 Dynamic:0 Static:1 Interface:0
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 10
#
interface Vlanif10
ip address 10.128.246.251 255.255.255.0
#
interface Ethernet2/0/1
mac-address multiport 03bf-0a80-f6fc vlan 10
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
mac-address multiport 03bf-0a80-f6fc vlan 10
port link-type access
port default vlan 10
#
interface Ethernet2/0/3
mac-address multiport 03bf-0a80-f6fc vlan 10
port link-type access
port default vlan 10
#
arp static 10.128.246.252 03bf-0a80-f6fc
#
return
3 DHCP Configuration
Dynamic Host Configuration Protocol (DHCP) can dynamically allocate network parameters
including IPv4 addresses to network hosts, helping network administrators to implement
centralized management and control on the network hosts.
3.1 DHCP Overview
This section provides an overview of Dynamic Host Configuration Protocol (DHCP) and
describes its purpose and benefits.
3.2 Principles
This section describes DHCP implementation.
3.3 Specifications
This section provides DHCP specifications.
3.4 Application
This section describes the application scenarios of DHCP.
3.5 Appendix
3.6 Default Configuration
This section describes the default DHCP configurations.
3.7 Configuration Task Summary
Based on the application scenarios in the following table, perform the appropriate DHCP
configuration tasks.
3.8 Configuration Notes
This section provides the points of attention when configuring DHCP.
3.9 Configuring a DHCP Server
A DHCP server dynamically allocates network parameters including IP addresses to network
hosts.
3.10 Configuring a DHCP Relay Agent
When a DHCP server resides on a different network segment from DHCP clients, configure a
DHCP relay agent to help the DHCP server allocate network parameters including IP
addresses to DHCP clients.
Definition
DHCP dynamically configures and uniformly manages network parameters of hosts on a
TCP/IP network. DHCP provides the following functions:
l Allocates IP addresses to hosts. DHCP supports two mechanisms for IP address
allocation. Network administrators can select different mechanisms for hosts based on
network requirements.
– Dynamic allocation: DHCP allocates an IP address with a limited validity period
(called lease) to a client. This mechanism applies to hosts that temporarily connect
to a network with fewer IP addresses than the total number of hosts. For example,
this mechanism can be used to allocate IP addresses to laptops used by employees
on business trips or mobile terminals in cafes.
– Static allocation: A network administrator uses DHCP to allocate fixed IP addresses
to specified clients. This mechanism applies to hosts with special IP address
requirements. For example, the file server of an enterprise needs to use a fixed IP
address to provide services for extranet users. Compared with manual IP address
configuration, DHCP-based static IP address allocation prevents manual
configuration errors and helps network administrators perform unified maintenance
and management.
l Allocates other network parameters to hosts, including the DNS server address, routing
information, and gateway address.
NOTE
This chapter deals exclusively with IPv4 addresses. To configure DHCP to dynamically allocate IPv6
addresses, see 9 DHCPv6 Configuration.
Purpose
To communicate with other networked devices, a host generally requires network parameters
including an IP address, gateway address, and DNS server address. If these network
parameters are manually configured on each host, errors may occur. In addition, it may be
difficult for administrators to centrally maintain the configurations.
The Bootstrap Protocol (BOOTP) is a transport protocol based on the client/server model.
BOOTP can dynamically allocate network parameters to hosts and diskless workstations.
When a host starts for the first time, it can obtain network parameters including the IP
address, gateway address, and DNS server address using BOOTP. When BOOTP is used, an
administrator must configure and maintain a BOOTP configuration file that defines mappings
between IP addresses and MAC addresses. Each host can obtain the configuration from the
BOOTP server and set up a permanent network connection. The BOOTP configuration file is
statically configured. When a host changes its location, the administrator must reconfigure the
corresponding BOOTP configuration file.
BOOTP cannot meet network parameter allocation requirements when available IP addresses
on a network are insufficient or hosts frequently change locations. DHCP is introduced to
resolve this issue. DHCP allows the reuse of IP addresses and dynamically allocates network
parameters to hosts.
DHCP is built on the client/server model, where a DHCP server manages IP addresses for
clients on a network segment in address pools. Administrators do not need to manually record
mappings between IP addresses and MAC addresses of the clients. After a host obtains an IP
address from a DHCP server, the DHCP server records the mapping between the IP address
and MAC address of the host. No manual intervention is required during this process. In
addition, the DHCP server can dynamically allocate the same network parameters, such as a
gateway address and DNS server IP address, to hosts on a network segment. DHCP can
allocate one IP address to different hosts in different time periods. When a host does not need
this IP address, this IP address can be released and allocated to other hosts.
Benefits
l Lower network access costs: Static IP address configuration must consider physical
locations of the hosts and requires a significant undertaking. DHCP allows an
administrator to perform unified configuration for hosts on a DHCP server, reducing
network access costs.
l Lower host configuration costs: Manual IP address allocation is labor consuming and has
high technical requirements for configuration personnel. DHCP allows hosts to
dynamically obtain required network parameters after they are powered on. No
additional configuration is required, reducing host configuration costs and lowering
technical requirements for configuration personnel.
l Higher IP address utilization: Static IP address configuration binds IP addresses to hosts.
DHCP can release the IP address of a host after the host goes offline and then allocate
the IP address to another host, improving IP address utilization.
l Unified management: Static IP address configuration cannot quickly respond to
configuration changes. When a network parameter changes (a gateway address, for
example), the administrator must modify the configuration on each host. With DHCP, the
administrator needs only to modify the configuration on the DHCP server, facilitating
unified management.
3.2 Principles
This section describes DHCP implementation.
IP Network
DHCP Client
DHCP Client
NOTE
DHCP messages are transmitted using the User Datagram Protocol (UDP). A DHCP client sends messages
with UDP port 68 to a DHCP server, and a DHCP server sends messages with UDP port 67 to a DHCP client.
Figure 3-2 Message exchange between a DHCP server and a new DHCP client when no
DHCP relay agent is deployed
options. For more information about well-known DHCP options, see RFC 2132.
Vendors can define their own options (for example, Option 43 is defined to indicate
vendor-specific information). For details about options, see 3.5.2 DHCP Options.
– The Flags field is defined in RFC 2131. The leftmost bit of this field indicates
whether the server is required to unicast or broadcast the DHCP Offer/ACK
message. The value 0 indicates unicast, and the value 1 indicates broadcast. The
Flags field is set to 1 on Huawei AR Series series switches functioning as DHCP
clients.
2. Offer stage: A DHCP server offers network parameters to the DHCP client.
All DHCP servers on the same network segment as the DHCP client can receive the
DHCP Discover message. Each DHCP server may have multiple address pools to
manage network parameters including allocatable IP addresses. A DHCP server selects
an address pool on the same network segment as the IP address of the interface receiving
the DHCP Discover message, and from the address pool selects an idle IP address. The
DHCP server then sends a DHCP Offer message carrying the allocated IP address (in the
Yiaddr field) to the DHCP client. The DHCP Offer message also carries other network
parameters such as the IP address lease.
In most cases, an address pool specifies the leases of IP addresses in it. If the DHCP
Discover message carries an expected lease, the DHCP server compares the expected
lease with the specified lease and allocates the IP address with a smaller lease to the
DHCP client.
IP addresses in an address pool are added to different IP address lists based on the IP
address status. Unallocated IP addresses are added to the allocatable IP address list.
Allocated IP addresses are added to the in-use IP address list. Conflicting IP addresses
are added to the conflicting IP address list. And IP addresses that cannot be allocated are
added to the unallocatable IP address list. The DHCP server selects an IP address for the
client from the address pool in the following sequence:
a. IP address statically bound to the MAC address of the client on the DHCP server
b. IP address that has been previously allocated to the client
c. IP address specified in the Option 50 field (requested IP address) in the DHCP
Discover message
d. Largest allocatable IP address
e. If the DHCP server does not find any allocatable IP address, it searches for expired
IP addresses and, if none are found, conflicting IP addresses. If a valid IP address is
found, the DHCP server allocates it to the client. Otherwise, the DHCP server
replies with a DHCP NAK message to notify the client that no IP address is
available. After receiving the DHCP NAK message, the DHCP client sends a
DHCP Discover message to apply for a new IP address.
DHCP servers can exclude some IP addresses that cannot be allocated through DHCP
from address pools. For example, if 192.168.1.100/24 has been manually configured for
a DNS server, the DHCP server excludes this IP address from the address pool on
network segment 192.168.1.0/24 so that it is not allocated through DHCP. This helps
prevent IP address conflicts.
To prevent a newly allocated IP address from conflicting with IP addresses of other
clients on the network, the DHCP server sends an ICMP Echo Request packet to check
whether the IP address to be allocated conflicts with other clients' IP addresses before
sending a DHCP Offer message. The source and destination IP addresses of the ICMP
Echo Request packet are the DHCP server's IP address and the IP address to be
allocated, respectively. If the DHCP server receives no ICMP Echo Reply packet within
the detection period, no client is using this IP address, and the DHCP server can allocate
it. If the DHCP server receives an ICMP Echo Reply packet within the detection period,
this IP address is in use by another client, and the DHCP server lists this IP address as a
conflicting IP address. The DHCP server then waits for the next DHCP Discover
message to start the IP address selection process again.
NOTE
The IP address allocated in this stage may not be the final IP address used by the client. This is because
the IP address may be allocated to another client if the DHCP server receives no response 16 seconds
after the DHCP Offer message is sent. The IP address for the client can be determined only after the
request and acknowledgment stages.
3. Request stage: The DHCP client selects an IP address.
The client broadcasts a DHCP Discover message to all DHCP servers on the local
network segment. If multiple DHCP servers reply with a DHCP Offer message to the
DHCP client, the client accepts only the first received DHCP Offer message. The client
then broadcasts a DHCP Request message carrying the selected DHCP server identifier
(Option 54) and IP address (Option 50, with the IP address specified in the Yiaddr field
of the accepted DHCP Offer message).
The DHCP Request message notifies all the DHCP servers that the DHCP client has
selected the IP address offered by a DHCP server. Then the other servers can allocate IP
addresses to other clients.
4. Acknowledgment stage: The DHCP server acknowledges the IP address offered to the
client.
After receiving the DHCP Request message, the DHCP server sends a DHCP ACK
message to the client, carrying the IP address specified in the Option 50 field of the
Request message.
After receiving the DHCP ACK message, the DHCP client broadcasts gratuitous ARP
packets to check whether any other terminal is using the IP address allocated by the
DHCP server. If no response is received within the specified time, the DHCP client can
use the IP address. If the DHCP client receives a response within the specified time, this
IP address is in use by another terminal. The client then sends a DHCP Decline message
to the DHCP server and applies for a new IP address. The DHCP server lists this IP
address as a conflicting IP address. The DHCP server allocates conflicting IP addresses
only when there is no idle IP address in the address pools, minimizing IP address
conflicts.
Occasionally, the DHCP server may fail to allocate the IP address specified in the Option
50 field because, for example, an error occurs during negotiation or it takes a long time
to receive the DHCP Request message. In this case, the DHCP server replies with a
DHCP NAK message to notify the DHCP client that the requested IP address cannot be
allocated. The DHCP client then sends a DHCP Discover message to apply for a new IP
address.
Figure 3-3 Message exchange among a new DHCP client, a DHCP server, and a DHCP relay
agent
DHCP Relay
DHCP Client Agent DHCP Server
1. Discovery stage
When receiving a DHCP Discover message broadcast by a DHCP client, the DHCP relay
agent performs the following steps:
a. Check the value of the Hops field. If this value exceeds 16, the DHCP relay agent
discards the message. Otherwise, the DHCP relay agent increases this value by 1
and proceeds to the next step.
The Hops field indicates the number of DHCP relay agents that a DHCP message
has passed through. This field is set to 0 by a DHCP client or server. Its value
increases by 1 each time the message passes through a DHCP relay agent. This field
limits the number of DHCP relay agents that a DHCP message can pass through. A
maximum of 16 DHCP relay agents are allowed between a DHCP client and server.
b. Check the value of the Giaddr field. If this value is 0, the DHCP relay agent sets the
Giaddr field to the IP address of the interface receiving the DHCP Discover
message. Otherwise, the DHCP relay agent does not change the field and proceeds
to the next step.
The Giaddr field indicates the gateway IP address. If the DHCP server and client
are located on different network segments, the first DHCP relay agent fills this field
with its own IP address and forwards the message to the DHCP server. Other DHCP
relay agents on the path forward the message without changing this field. The
DHCP server determines on which network segment the client resides based on the
Giaddr field, and allocates an IP address on this network segment to the client.
c. Change the destination IP address of the DHCP Discover message to the IP address
of the DHCP server or the next-hop DHCP relay agent, and change the source IP
address to the IP address of the interface connecting the DHCP relay agent to the
client. The message is then unicast to the DHCP server or the next-hop DHCP relay
agent.
If there are multiple DHCP relay agents between the DHCP client and server, the DHCP
relay agents process the DHCP Discover message using the same method.
2. Offer stage
After receiving the DHCP Discover message, the DHCP server selects an address pool
on the same network segment as that specified in the Giaddr field and allocates an IP
address and other network parameters from the address pool. The IP address selection
rule is the same as that described in Network Parameter Allocation Without a DHCP
Relay Agent. The DHCP server then sends a unicast DHCP Offer message to the DHCP
relay agent specified in the Giaddr field.
When receiving the DHCP Offer message, the DHCP relay agent performs the following
steps:
– Check the value of the Giaddr field. If this value is the IP address of the interface
receiving the DHCP Offer message, the DHCP relay agent discards the message.
Otherwise, the DHCP relay agent proceeds to the next step.
– Check the value of the Flags field. If this value is 1, the DHCP relay agent sends a
broadcast DHCP Offer message to the DHCP client. Otherwise, the DHCP relay
agent sends a unicast DHCP Offer message.
3. Request stage
The DHCP relay agent processes the DHCP Request message from the client using the
same method as that described in Discovery stage.
4. Acknowledgment stage
The DHCP relay agent processes the DHCP ACK message from the server using the
same method as that described in Offer stage.
Figure 3-4 Message exchange for IP address reuse between a DHCP client and a server
1. The DHCP client broadcasts a DHCP Request message carrying the IP address that the
client has used. The requested IP address is added in the Option 50 field.
2. After receiving the DHCP Request message, the DHCP server checks whether there is a
lease record based on the MAC address in the message. If there is a lease record
matching the MAC address, the DHCP server replies with a DHCP ACK message to
notify the DHCP client that the requested IP address can be used. Otherwise, the DHCP
server performs no operation and waits for a new DHCP Discover message from the
client.
1. When the lease reaches 50% (T1) of its validity period, the DHCP client sends a unicast
DHCP Request message to the DHCP server to request lease renewal. If the DHCP client
receives a DHCP ACK message, the IP address lease is successfully renewed (counted
from 0). If the DHCP client receives a DHCP NAK message, the DHCP client must send
a DHCP Discover message to apply for a new IP address.
2. If no response is received from the DHCP server when the lease reaches 87.5% (T2) of
its validity period, the DHCP client sends a broadcast DHCP Request message to request
lease renewal. If the DHCP client receives a DHCP ACK message, the IP address lease
is successfully renewed (counted from 0). If the DHCP client receives a DHCP NAK
message, the DHCP client must send a DHCP Discover message to apply for a new IP
address.
3. If no response is received when the lease expires, the DHCP client stops using the IP
address and sends a DHCP Discover message to apply for a new IP address.
If a DHCP client does not need to use the allocated IP address before the lease expires, the
DHCP client sends a DHCP Release message to the DHCP server to request IP address
release. The DHCP server saves the configuration of this DHCP client and records the IP
address in the allocated IP address list. The IP address can then be allocated to this DHCP
client or other clients.
A DHCP client can send a DHCP Inform message to the DHCP server to request
configuration update.
Figure 3-6 Renewing the IP address lease when a DHCP relay agent is deployed
DHCP Relay
DHCP Client Agent DHCP Server
1. When the lease reaches 50% (T1) of its validity period, the DHCP client sends a unicast
DHCP Request message to the DHCP server to request lease renewal. If the DHCP client
receives a DHCP ACK message, the IP address lease is successfully renewed (counted
from 0). If the DHCP client receives a DHCP NAK message, the DHCP client must send
a DHCP Discover message to apply for a new IP address.
2. If no response is received from the DHCP server when the lease reaches 87.5% (T2) of
its validity period, the DHCP client sends a broadcast DHCP Request message to request
lease renewal. The DHCP relay agent then sends a unicast DHCP Request message to
the DHCP server. For details about how the DHCP relay agent processes received
messages, see 3.2.2 How a DHCP Server Allocates Network Parameters to New
DHCP Clients. If the DHCP client receives a DHCP ACK message, the IP address lease
is successfully renewed (counted from 0). If the DHCP client receives a DHCP NAK
message, the DHCP client must send a DHCP Discover message to apply for a new IP
address.
3. If no response is received when the lease expires, the DHCP client stops using the IP
address and sends a DHCP Discover message to apply for a new IP address.
3.3 Specifications
This section provides DHCP specifications.
Table 3-1 lists DHCP specifications.
3.4 Application
This section describes the application scenarios of DHCP.
For unified management and control on network hosts, a DHCP server can be deployed on a
network to allocate network parameters including IP addresses to the hosts, as shown in
Figure 3-7.
Internet
Router
DHCP Server
LSW
DHCP Client
A DHCP Server and DHCP Relay Agents Are Located on the Local Network
As shown in Figure 3-8, an enterprise has departments A, and B. The egress gateway
functions as a DHCP server. Hosts in the departments are not on the same network segment as
the DHCP server. The enterprise requires that one DHCP server dynamically allocates the IP
addresses and DNS server address to the hosts. (The DNS server is used to resolve domain
names to IP addresses.) To meet this requirement, deploy DHCP relay agents between the
DHCP server and hosts.
Figure 3-8 Local network on which the DHCP server and DHCP relay agents are located
DNS Server
Department A:
192.168.100.0/24
RouterA
RouterC DHCP Relay Agent
Internet
DHCP Server
RouterB
DHCP Snooping
DHCP Client
DHCP Client
Department B:
192.168.101.0/24
In normal cases, a host gateway functions as a DHCP relay agent, and an enterprise egress
gateway functions as a DHCP server. A DHCP server can also be independently deployed.
DHCP Discover messages are broadcast to a network segment, bringing risks of DHCP
attacks, such as bogus DHCP server attacks and DoS attacks. To defend against DHCP attacks
and improve security, configure DHCP snooping on a user-side device (RouterB) between the
DHCP server and clients. DHCP snooping ensures that hosts can obtain IP addresses from the
authorized DHCP server. In addition, the device enabled with DHCP snooping records the
mapping between IP addresses and MAC addresses.
For detailed configuration of DHCP snooping, see DHCP Snooping Configuration in Huawei
AR Series Configuration Guide - Security.
Figure 3-9 DHCP relay agent connected to a DHCP server through the Internet
192.168.101.1/24 Egress
RouterB Gateway
DHCP DHCP Server
DHCP Client Snooping
DHCP Client
Department B in a Branch:
192.168.101.0/24
DHCP Client
Remote
Internet DHCP Server
LSW Router
DHCP Server
DHCP Client
In Figure 3-11, to improve network reliability, an enterprise deploys two DHCP servers. One
is the master, and the other is the backup. If the master DHCP server is faulty, the backup
DHCP server dynamically allocates IP addresses to hosts, ensuring uninterrupted services on
the hosts. The details are as follows.
Figure 3-11 Network on which master and backup DHCP servers are deployed
Router_1
Master DHCP Server
SwitchA
VRRP
The hot standby (HSB) and DHCP functions are deployed on Router_1 and Router_2.
Router_1 functions as the master device, and Router_2 functions as the backup device. In
normal cases, Router_1 dynamically allocates IP addresses to clients, and Router_2 only
backs up data. When Router_1 is faulty, a master/backup VRRP switchover is triggered to
switch Router_2 to the Master state. Router_2 then dynamically allocates IP addresses to
clients. Router_2 has backed up DHCP data, therefore ensuring uninterrupted services on the
clients. For example, a client obtains an IP address from Router_1. When Router_1 is faulty,
Router_2 becomes the master device. When the client sends a DHCP Request message to
request the IP address lease renewal, Router_2 determines whether the IP address is still
available based on DHCP data backed up from Router_1. If the IP address is available,
Router_2 replies with a DHCP ACK message to allow the client to renew the lease. If the IP
address has been allocated to another client, Router_2 sends a DHCP NAK message to the
client and the client needs to apply for a new IP address.
When the original master device (Router_1) recovers, service traffic can be switched back to
the master device or retained on the backup device, depending on the configuration.
3.5 Appendix
0 7 15 23 31
op (1) htype (1) hlen (1) hops (1)
xid (4)
secs (2) flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)
op (op 1 byte Indicates the message type. The options are as follows:
code) l 1: DHCP Discover message
l 2: DHCP Offer message
htype 1 byte Indicates the hardware type. For an Ethernet address, the value of
(hardware this field is 1.
type)
hops 1 byte Indicates the number of DHCP relay agents that a DHCP message
passes through. This field is set to 0 by a DHCP client or a server.
Its value increases by 1 each time the message passes through a
DHCP relay agent. This field limits the number of DHCP relay
agents that a DHCP message can pass through.
NOTICE
A maximum of 16 DHCP relay agents are allowed between a DHCP server
and a DHCP client. That is, the number of hops must be less than or equal
to 16. Otherwise, DHCP messages are discarded.
secs 2 bytes Indicates the time elapsed since the client obtained or renewed an
(seconds) IP address, in seconds.
flags 2 bytes Indicates the Flags field. Only the leftmost bit in the Flags field is
valid, and other bits are set to 0. The leftmost bit determines
whether the DHCP server unicasts or broadcasts a DHCP Offer
message. The options are as follows:
l 0: The DHCP server unicasts a DHCP Offer message.
l 1: The DHCP server broadcasts a DHCP Offer message.
siaddr 4 bytes Indicates the server IP address from which a DHCP client obtains
(server ip the startup configuration file.
address)
giaddr 4 bytes Indicates the IP address of the first DHCP relay agent. If the
(gateway ip DHCP server and client are located on different network
address) segments, the first DHCP relay agent fills this field with its own
IP address and forwards the message to the DHCP server. The
DHCP server determines on which network segment the client
resides based on the Giaddr field, and allocates an IP address on
this network segment to the client.
The DHCP server also returns a DHCP Offer message to the first
DHCP relay agent. The DHCP relay agent then forwards the
DHCP Offer message to the client.
If the DHCP Discover message passes through multiple DHCP
relay agents before reaching the DHCP server, the value of this
field is the IP address of the first DHCP relay agent and remains
unchanged. However, the value of the Hops field increases by 1
each time the DHCP Discover message passes through a DHCP
relay agent.
sname 64 Indicates the name of the server from which a client obtains the
(server host bytes configuration. This field is optional and is filled in by a DHCP
name) server. The field must be filled in with a character string that ends
with 0.
file (file 128 Indicates the startup configuration file name specified by the
name) bytes DHCP server for a DHCP client. The DHCP server fills this field
and then delivers it together with the IP address to the client. This
field is optional. The field must be filled in with a character string
that ends with 0.
options Variabl Indicates the DHCP Options field, which has a maximum of 312
e bytes. This field contains the DHCP message type and
configuration parameters allocated by a DHCP server to a client.
The configuration parameters include the gateway IP address,
DNS server IP address, and IP address lease.
For details about the Options field, see 3.5.2 DHCP Options.
DHCP Offer A DHCP Offer message is sent by a DHCP server to respond to a DHCP
Discover message. A DHCP Offer message carries various
configurations.
DHCP Ack A DHCP ACK message is sent by a DHCP server to acknowledge the
DHCP Request message from a DHCP client. After receiving a DHCP
ACK message, the DHCP client obtains the configuration parameters
including the IP address.
DHCP Nak A DHCP NAK message is sent by a DHCP server to reject the DHCP
Request message from a DHCP client. For example, if a DHCP server
cannot find matching lease records after receiving a DHCP Request
message, the DHCP server sends a DHCP NAK message to notify the
DHCP client that no IP address is available.
DHCP Decline A DHCP Decline message is sent by a DHCP client to notify the DHCP
server that the allocated IP address conflicts with another IP address. The
DHCP client then applies to the DHCP server for another IP address.
DHCP Release A DHCP Release message is sent by a DHCP client to release its IP
address. After receiving a DHCP Release message, the DHCP server can
allocate this IP address to another DHCP client.
DHCP Inform A DHCP Inform message is sent by a DHCP client to obtain other
network configuration parameters such as the gateway address and DNS
server address after the DHCP client has obtained an IP address.
0 7 15
Type Length Value
The Options field consists of Type, Length, and Value, which are described in the following
table.
The value of the Options field ranges from 1 to 255. Table 3-5 lists well-known DHCP
options.
The objects of this field vary with the functions of the Options field. For example, Option 77
is used on a DHCP client to identify user types of the DHCP client. The DHCP server selects
an address pool to allocate an IP address and configuration parameters to the DHCP client
based on the User Class in the Options field. Option 77 is manually configured only on the
DHCP client but not on the server.
NOTE
A device functioning as a DHCP client can receive static routes delivered from a DHCP server through
Option 121.
For more information about well-known DHCP options, see RFC 2132.
field to a DHCP Discover message sent from a DHCP client and then forwards the DHCP
Discover message to a DHCP server.
The administrator can use the Option 82 field to locate a DHCP client and control the security
and accounting of the DHCP client. A DHCP server that supports the Option 82 field can
determine policies to allocate IP addresses and other parameters according to information in
the Option 82 field. IP addresses can be allocated flexibly.
The Option 82 field contains a maximum of 255 suboptions. If the Option 82 field is defined,
at least one suboption must be defined. Currently, the device supports only two suboptions:
suboption 1 (circuit ID) and suboption 2 (remote ID).
The content of the Option 82 field is not defined uniformly, and vendors fill in the Option 82
field as required.
A device functions as Perform the tasks specified in 3.9 Configuring a DHCP Server
a DHCP server and in the following sequence:
allocates IP addresses 1. 3.9.2 Enabling DHCP
to clients on the local
network segment. 2. 3.9.3.2 Enabling the DHCP Server Function
3. 3.9.3 Configuring a DHCP Server to Allocate IP Addresses
to Clients
A device functions as Perform the tasks specified in 3.9 Configuring a DHCP Server
a DHCP server and in the following sequence:
allocates IP addresses 1. 3.9.2 Enabling DHCP
and other network
parameters (including 2. 3.9.3.2 Enabling the DHCP Server Function
a gateway address, 3. 3.9.3 Configuring a DHCP Server to Allocate IP Addresses
DNS service, to Clients
NetBIOS Service, and 4. Configuring a DHCP Server to Allocate Network
options) to clients on Parameters Besides IP Addresses
the local network
segment.
Scenario Task
License Support
DHCP is a basic feature of the device and is not under license control.
Pre-configuration Tasks
Before configuring a device as a DHCP server, ensure that routes between DHCP clients and
the device are reachable.
Planning IP Addresses
l IP address range that can be automatically allocated
Plan an IP address range based on the number of concurrent online clients on the
network. If the number of IP addresses in this range is too small, some clients cannot
obtain IP addresses. If the number of IP addresses in this range is too large, IP addresses
are wasted.
l (Optional) IP addresses that cannot be automatically allocated
Some IP addresses in an address pool are reserved for devices that require static IP
addresses. For example, in an address pool ranging from 192.168.100.1 to
192.168.100.254, 192.168.100.2 is reserved for a DNS server. Exclude the IP address
192.168.100.2 from the address pool so that the DHCP server will not allocate
192.168.100.2 to other clients.
l IP address allocation
DHCP supports two mechanisms for IP address allocation. Select the mechanism based
on network requirements.
– Dynamic allocation: DHCP allocates an IP address with a limited validity period
(known as a lease) to a client. This mechanism applies to hosts that temporarily
connect to a network with fewer IP addresses than the total number of hosts. For
example, this mechanism can be used to allocate IP addresses to laptops used by
employees on business trips or mobile terminals in cafes.
– Static allocation: DHCP allocates fixed IP addresses to specified clients with special
IP address requirements. For example, the file server of an enterprise needs to use a
fixed IP address to provide services for extranet users. Compared with manual IP
address configuration, DHCP static allocation prevents manual configuration errors
and helps network administrators perform unified maintenance and management.
Planning Leases
Plan an IP address lease for a client based on the online duration of the client. By default, the
IP address lease is one day.
l In locations where clients often move and stay online for a short period of time, for
example, in cafes, airports, and hotels, plan a short-term lease to ensure that IP addresses
are released quickly after the clients go offline.
l In locations where clients seldom move and stay online for a long period of time, for
example, in office areas of an enterprise, plan a long-term lease to prevent services from
being affected by frequent lease or address renewals.
Procedure
Step 1 Run:
system-view
DHCP is enabled.
By default, DHCP is disabled.
NOTE
If STP is enabled on a device functioning as the DHCP server, the speed of allocating IP addresses may be
slower. By default, STP is enabled. To disable STP, run the undo stp enable command.
----End
Context
Address pools allow DHCP servers to allocate network parameters including IP addresses to
clients. You can specify network parameters in an address pool, including an IP address range,
gateway address, and the IP address of a DNS server.
Address pools are classified into interface address pools and global address pools.
l Interface address pool: After an IP address is configured for an interface on a DHCP
server, you can create an address pool on the same network segment as this interface.
Addresses in the address pool can be allocated only to clients connected to the interface.
The interface address pool can allocate IP addresses to clients on the same network
segment as the DHCP server. When no DHCP relay agent is deployed. A DHCP server
allocates IP addresses to clients connected to one interface or allocates IP addresses on
different network segments to clients connected to multiple interfaces.
l Global address pool: On a DHCP server, you can create an address pool on the specified
network segment in the system view. Addresses in the address pool can be allocated to
all clients connected to the DHCP server. The global address pool applies to the
following scenarios:
– The DHCP server and clients are not on the same network segment, and a DHCP
relay agent is deployed.
– The DHCP server and clients are on the same network segment, and the DHCP
server needs to allocate an IP address to a client connected to one interface or
allocate IP addresses to clients connected to multiple interfaces.
NOTE
Configuring interface address pools is recommended for scenarios where a DHCP server and clients reside on
the same network segment.
Procedure
l Create an interface address pool.
a. Run:
system-view
d. Run:
ip address ip-address { mask | mask-length }
A global address pool is created and the global address pool view is displayed.
The parameter ip-pool-name uniquely specifies the name of an address pool. For
example, create a global address pool named global_f1 for employees on the first
floor.
[Huawei] ip pool global_f1
d. Run:
network ip-address [ mask { mask | mask-length } ]
The range of IP addresses that can be dynamically allocated from the global address
pool is specified.
An address pool can be configured with only one IP address segment. The IP
address range is determined by the mask length.
NOTE
When specifying the IP address range, ensure that IP addresses within the range are on the same
network segment as the interface IP address of the DHCP server or DHCP relay agent to avoid
incorrect IP address allocation.
e. (Optional) Run:
vpn-instance vpn-instance-name
Context
After the DHCP server function is enabled on an interface, the DHCP function can allocate
network parameters including IP addresses to clients.
Procedure
l Enabling the DHCP server function based on an interface address pool:
a. Run:
system-view
The interface is enabled to use the interface address pool to provide the DHCP
server function.
By default, an interface does not use the interface address pool to provide the
DHCP server function.
An interface address pool is actually the network segment where the interface IP
address resides, and such an interface address pool applies only to this interface.
If the device functioning as the DHCP server provides the DHCP service for clients
connected to multiple interfaces, repeat this step to enable the DHCP server
function on all the interfaces.
When a client on the interface applies for an IP address after the interface IP
addresses are configured:
n If the device and client are located in the same network segment (that is, no
relay exists), the device first selects the address pool in the same network
segment as the primary interface IP address to assign an IP address. If this
address pool is used up or no mapping address pool is configured for the
primary IP address, the device uses the address pool mapping the secondary IP
address.If the interface is not configured with an IP address or no address pool
is in the same network segment as the interface address, the client cannot
obtain an IP address.
NOTE
The device can select the global address pool based on the primary and secondary interface
IP addresses only when the DHCP client and server are located in the same network
segment.
n If the device and client are located in different network segments (that is, a
relay exists), the DHCP server parses the IP address specified by the giaddr
field in the received DHCP request packet and selects the address pool in the
same network segment as this IP address to assign an IP address to the client.
If no address pool matches the parsed IP address, the client cannot obtain an IP
address.
d. Run:
dhcp select global
The interface is enabled to use the global address pool to provide the DHCP server
function.
By default, an interface does not use the global address pool to provide the DHCP
server function.
NOTE
This step is optional if a DHCP relay agent exists between the device and clients; this step is
mandatory if no relay agent exists.
----End
Follow-up Procedure
A DHCP client sends a DHCP Discover message in broadcast mode. When multiple DHCP
servers including bogus DHCP servers exist on a network segment, the DHCP client accepts
only the first received DHCP Offer message and therefore may obtain an unexpected IP
address from a bogus DHCP server. To ensure that a client obtains an IP address from the
correct DHCP server, configure DHCP snooping on the client. For detailed configuration of
DHCP snooping, see DHCP Snooping Configuration in Huawei AR Series IOT Gateway
Configuration Guide - Security.
Context
Some servers and clients may use specific IP addresses in an address pool, so that the DHCP
server does not automatically allocate these IP addresses to other clients. For example, in an
enterprise, a DHCP server allocates IP addresses on the network segment 192.168.1.0/24 to
employee PCs. On this network segment, 192.168.1.1 is used as the gateway IP address, and
192.168.1.10 is used as the DNS server IP address. The DNS server IP address is manually
configured to ensure stability, and other hosts obtain IP addresses using DHCP. Therefore,
192.168.1.10 must be excluded from the range of IP addresses that can be automatically
allocated.
NOTE
A DHCP server automatically excludes a gateway address configured using the gateway-list command and
the IP addresses of interfaces that connect a DHCP server to clients. The DHCP server automatically adds
these addresses to the list of IP addresses that cannot be automatically allocated.
Procedure
l Exclude IP addresses from an interface address pool.
a. Run:
system-view
The range of IP addresses that are not automatically allocated from the address pool
is configured.
By default, all IP addresses are automatically allocated from the address pool.
To set multiple IP address ranges that cannot be automatically allocated from the
address pool, run this command multiple times.
For example, to exclude 192.168.1.10 from the range of IP addresses that can be
automatically allocated, run:
[Huawei-GigabitEthernet0/0/1] dhcp server excluded-ip-address
192.168.1.10
The range of IP addresses that are not automatically allocated from the address pool
is configured.
By default, all IP addresses are automatically allocated from the address pool.
To set multiple IP address ranges that cannot be automatically allocated from the
address pool, run this command multiple times.
For example, to exclude 192.168.1.10 from the range of IP addresses that can be
automatically allocated, run:
[Huawei-ip-pool-global_f1] excluded-ip-address 192.168.1.10
----End
Context
A DHCP server leases IP addresses to clients. When the lease expires, the clients must apply
for new IP addresses. To ensure stability, certain clients require fixed IP addresses. In this
case, configure the DHCP server to allocate fixed IP addresses to these clients. The MAC
addresses of these clients are then bound to fixed IP addresses. When such a client applies to
the DHCP server for an IP address, the DHCP server searches the binding entries for the
MAC address of the client and allocates the matched IP address to the client. DHCP static
allocation prevents manual configuration errors and facilitates unified management.
Before performing this configuration task, ensure that the IP addresses for static allocation
have not been allocated. (To check related information, run the display ip pool { interface
interface-pool-name | name ip-pool-name } used command.) If such an IP address has been
allocated, use another IP address or release the allocated address using the reset ip pool
{ interface pool-name | name ip-pool-name } start-ip-address [ end-ip-address ] command
and perform the binding again.
DHCP static allocation,IPSG Configuration, and static ARP all involve the binding of IP
addresses and MAC addresses. For their usage scenarios and implementations, see the
following Table 3-8.
Table 3-8 Differences between DHCP static allocation, IPSG, and static ARP
Function Scenario Implementation
DHCP static allocation Some clients (such as The MAC addresses of these
servers and PCs) require clients are bound to fixed IP
fixed IP addresses from a addresses. When such a
DHCP server. client applies to the DHCP
server for an IP address, the
DHCP server searches the
binding entries for the MAC
address of the client and
allocates the matched IP
address to the client.
Procedure
l Configure a DHCP server to allocate fixed IP addresses from an interface address pool.
a. Run:
system-view
Context
NOTE
Except for allocating fixed IP addresses to specified clients, a DHCP server can
dynamically allocate IP addresses with leases to clients in scenarios where hosts temporarily
access the network and the number of idle IP addresses is less than the total number of hosts.
The lease time varies depending on network access requirements. By default, the IP address
lease is one day.
l In locations where clients often move, for example, in cafes, airports, and hotels, plan a
short-term lease to ensure that IP addresses are released quickly after the clients go
offline.
l In locations where clients seldom move, for example, in office areas of an enterprise,
plan a long-term lease to prevent services from being affected by frequent address
renewals.
Different address pools on a DHCP server can be configured with different IP address leases,
but the IP addresses in the same address pool must be configured with the same lease.
Procedure
l Configure a lease time based on an interface address pool.
a. Run:
system-view
Context
When the DHCP server allocates IP addresses to clients, it records address allocation
information to facilitate routine maintenance and fault location. After the logging function
during IP address allocation of the DHCP server is configured, the DHCP server records logs
about address allocation, conflict, lease renewal, and release.
NOTE
If a large number of DHCP clients request for IP addresses after the logging function during IP address
allocation of the DHCP server is configured, the server frequently records logs and therefore the device
performance may be affected.
Procedure
l Based on interfaces:
a. Run:
system-view
c. Run:
dhcp server logging
The logging function during IP address allocation of the DHCP server is enabled.
By default, the logging function during IP address allocation of the DHCP server is
disabled.
l Based on the global mode:
a. Run:
system-view
The global address pool is created and the global address pool view is displayed.
The logging function during IP address allocation of the DHCP server is enabled.
By default, the logging function during IP address allocation of the DHCP server is
disabled.
----End
Follow-up Procedure
Configure the information center to display the IP address allocation logs recorded by the
DHCP server on user terminals or log hosts or generate them in log files. For details on how
to configure the information center, see Configuring Log Output in Huawei AR Series IOT
Gateway Configuration Guide - Device Management - Information Center Configuration.
Context
A DHCP server configured with IP address conflict detection checks whether an IP address to
be allocated to a client conflicts with other IP addresses.
After IP address conflict detection is configured, a DHCP server sends an ICMP Echo
Request packet before it sends a DHCP Offer message. The packet contains the source and
destination IP addresses, which are both a specified IP address. If the DHCP server does not
receive an ICMP Echo Reply packet after the maximum waiting period (specified using the
dhcp server ping timeout milliseconds command), the DHCP server continues to send the
ICMP Echo Request packet until the maximum number of detection times (specified using the
dhcp server ping packet number command) has been reached.
l If the DHCP server receives no ICMP Echo Reply packet within the detection period
(number of detection times x maximum waiting period), this IP address is not used by
any client, and the DHCP server allocates the IP address to the client by sending a DHCP
Offer message to the client.
l If the DHCP server receives an ICMP Echo Reply packet within the detection period
(number of detection times x maximum waiting period), this IP address is being used by
a client, and the DHCP server lists this IP address as a conflicting IP address and waits
for the next DHCP Discover message.
This configuration task takes effect for both the interface and global address pools.
NOTE
If the detection period is too long, clients may fail to obtain IP addresses. Set the detection period to less than
8 seconds.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server ping packet number
The number of times that the device detects IP address conflicts before allocating IP addresses
is set.
By default, the device does not detect IP address conflicts before allocating IP addresses.
Step 3 Run:
dhcp server ping timeout milliseconds
By default, the maximum wait time for each conflict detection is 500 milliseconds.
----End
Context
If a DHCP server is restarted upon an upgrade or is faulty, IP address allocation information
on the DHCP server is lost. After the restart, the DHCP server must re-allocate IP addresses.
To prevent data loss and to support data recovery upon a restart, configure a DHCP server to
automatically save IP address allocation information, including address leases and conflicting
IP addresses, in files. When the DHCP server restarts, it can recover the data from the files.
This configuration task takes effect for both the interface and global address pools.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server database enable
By default, a DHCP server does not periodically save IP address allocation information.
After this function is enabled, the DHCP server generates lease.txt and conflict.txt files in the
DHCP folder in storage. The lease.txt file stores lease information, and the conflict.txt file
stores conflicting IP addresses. To view information about the DHCP database, run the
display dhcp server database command.
Step 3 Run:
dhcp server database write-delay interval
The interval at which the DHCP server saves IP address allocation information is set.
By default, IP address allocation information is saved every 300 seconds in data files. The
new data files overwrite the earlier data files.
Step 4 Run:
dhcp server database recover
After this command is run, the DHCP server can recover IP address allocation information
from the data files in storage.
----End
Context
As shown in Figure 3-14 and Figure 3-15, the router functions as the backup DHCP server.
You can associate the IP address pool on the router with NQA test instances to check the
DHCP server status (including the link and DHCP server function). This can improve network
reliability. When the DHCP server is working properly, the IP address pool on the router is
locked, and PC1 and PC2 obtain IP addresses through the DHCP server. When NQA detects
that the DHCP server is faulty, the IP address pool on the router is unlocked and assigns an IP
address to PC3 that is newly online. When NQA detects that the DHCP server fault is
rectified, the IP address pool on the router is locked again, and PC4 that is newly online
obtains an IP address through the DHCP server.
NOTE
When the DHCP server is faulty, PC3 obtains an IP address from the router; when the DHCP server is
recovered, the DHCP function is switched back to the DHCP server. At this time, if the IP address lease of
PC3 has expired, the lease renewal will fail. After PC3 goes offline temporarily, it re-obtains an IP address
from the DHCP server. In addition, the two IP addresses obtained by PC3 are different because the IP address
pools on the DHCP server and router have different address ranges.
Figure 3-14 Associating the IP address pool with NQA (router and client locating in the same
network segment)
Figure 3-15 Associating the IP address pool with NQA (router and client locating in different
network segments)
Procedure
Step 1 Configure and start NQA test instances.
An IP address pool can be associated with NQA test instances of the DHCP and ICMP types.
NQA test instances of the DHCP type are used to test whether the DHCP server function is
normal; those of the ICMP type are used to test whether routes to the DHCP server are
reachable. When the device uses NQA test instances of the ICMP type, it cannot detect the
status of the DHCP server function. Therefore, the device cannot detect the situation in which
the route is reachable but the DHCP server function is unavailable, and users cannot go
online.
l Configuring and starting an NQA test instance of the DHCP type
a. Run:
system-view
An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type dhcp
The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start
Before using the test instance of the DHCP type, ensure that the DHCP server provides the address
pool for the network segment of the source interface (specified running the source-interface
interface-type interface-number command). You can use the source interface to simulate a DHCP
client to send a DHCP request, and determine the DHCP server status depending on whether an IP
address can be obtained.
An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type icmp
The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start
l To persistently detect the DHCP server status, you need to perform periodical test for NQA test
instances. Therefore, run the frequency interval command to set the automatic test interval for NQA
test instances.
l This section only mentions basic configuration parameters of the DHCP and ICMP NQA test
instances. For details on how to configure other parameters, see Configuring DHCP Test and
Configuring ICMP Test in the Huawei AR Series IOT Gateway Configuration Guide-Network
Management and Monitoring-Configuring the NQA.
Step 2 Run:
ip pool ip-pool-name
The IP addresses that are not automatically allocated in the address pool are configured.
By default, all IP addresses in an address pool can be automatically allocated to clients.
NOTE
The IP addresses assigned by the backup DHCP server cannot overlap with those assigned by the DHCP
server, which prevents repeated assignment of an IP address. Therefore, you need to run the excluded-
ip-address start-ip-address [ end-ip-address ] command to exclude the IP addresses that are repeated
with those of the remote DHCP service.
Step 4 Run:
lock track nqa admin-name test-name
The IP address pool is associated with the NQA test instance. The device determines whether
to lock the address pool according to the test result of the NQA test instance.
By default, no IP address pool is locked.
NOTE
When the NQA test instance type is not DHCP and ICMP, the association between the IP address pool and
NQA do not take effect. In this case, the IP address pool is locked.
----End
Context
When a DHCP client connects to a DHCP server or host outside the local network segment,
data must be forwarded through an egress gateway. You can configure the gateway address for
clients. This configuration is required only when the global address pool is used. When the
interface address pool is used, the gateway address is the IP address of the interface
connecting the DHCP server to the DHCP client.
NOTE
l For a global address pool, if a gateway address is configured on the DHCP server, a DHCP client
obtains the gateway address from the DHCP server and automatically generates a default route to the
gateway address. If you run the option121 command on the DHCP server to allocate classless static
routes to DHCP clients, the DHCP client uses an allocated classless static route and does not
automatically generate a default route to the gateway address.
l For an interface address pool, the egress gateway address is the IP address of the interface
connecting the DHCP server to the DHCP client. The DHCP client obtains the IP address as the
gateway address and automatically generates a default route to the gateway address. If you run the
dhcp server option121 command on the DHCP server to allocate classless static routes to DHCP
clients, the DHCP client uses an allocated classless static route and does not automatically generate a
default route to the gateway address.
Do not configure a gateway address for DHCP clients in the following scenarios:
l When no DHCP relay agent is deployed, the gateway address is the IP address of the
interface connecting the DHCP server to the DHCP client.
l When a DHCP relay agent is deployed, the gateway address is the IP address of the
interface connecting the DHCP relay agent to the client.
In a scenario where Virtual Router Redundancy Protocol (VRRP) and DHCP are deployed, if
the VRRP group functions as the DHCP server, perform this task to configure the group
virtual IP address as the gateway address.
To load balance traffic and improve network reliability, configure multiple egress gateways.
Each address pool can be configured with a maximum of eight gateway addresses.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.
Procedure
l In the global address pool view:
a. Run:
system-view
3.9.4.2 Configuring DNS and the NetBIOS Service on the DHCP Clients
Context
To enable DHCP clients to communicate with devices on other networks through host names,
configure the DNS or NetBIOS service.
DNS, defined by RFC 1034 and provided by TCP/IP, translates host names into IP addresses.
NetBIOS, defined by IBM, is applicable to small LANs with dozens of PCs to provide the
following services:
l Host naming service on a network segment through UDP port 137
l Data services (through UDP port 138), including transmitting data between programs,
notifying browser services, and setting up network neighbors on users' desktop systems
l Session services (through TCP port 139), including file sharing and printing
Clients running on the Microsoft Windows operating system use the NetBIOS protocol for
communication. When such clients are used, the Windows Internet Naming Service (WINS)
server translates host names into IP addresses. NetBIOS is vulnerable to attacks, so it is
optional on Windows operating systems later than Windows 2000. Users can enable or disable
NetBIOS as required.
When a DHCP client uses the NetBIOS protocol for communication, its host name must be
mapped to an IP address. Based on the modes to obtain mapping, NetBIOS nodes are
classified into the following types:
l b-node: indicates a node in broadcast mode. This node obtains its mapping in broadcast
mode.
l p-node: indicates a node in peer-to-peer mode. This node obtains its mapping by
communicating with the NetBIOS server in unicast mode.
l m-node: indicates a node in mixed mode. An m-node is a p-node that has certain
broadcast features. The node first sends broadcast packets to obtain its mapping. If no
mapping is obtained, the node sends unicast packets.
l h-node: indicates a node in hybrid mode. An h-node is a b-node enabled with an end-to-
end communication mechanism. The node first sends unicast packets to obtain its
mapping. If no mapping is obtained, the node sends broadcast packets.
When installing a Microsoft Windows operating system on a PC, you must define a host
name. Otherwise, the system generates a host name at random. Host names are unique on a
network.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.
The DNS server IP address, DNS domain name suffix, and NetBIOS server IP address in the
address pool can be statistically specified or automatically obtained. The NetBIOS node type
can only be statically specified.
l If the configuration is to be automatically obtained, the device as the DHCP server also
needs to function as the DHCP client (the DHCP client function is configured on the
interface connected to the remote DHCP server). The device obtains the DNS server IP
address, DNS domain name suffix, and NetBIOS server IP address from the remote
DHCP server, and then uses the import function of the address pool to allocate the
information to the downlink client. For example, the DHCP server of a company needs
to obtain the uniform DNS server IP address, DNS domain name suffix, and NetBIOS
server IP address from the carrier, and allocate the information to the downlink client. In
this case, the configuration can be automatically obtained.
l If the configuration needs to be specified after the automatically obtaining function is
enabled, the statically specifying method is used.
NOTE
If the address pool contains the configurations that are statistically specified and automatically obtained, the
statistically specified configuration takes precedence.
Procedure
l Based on an interface address pool:
– Configure a DNS service.
i. Run:
system-view
Context
Some clients require certain network parameters, in addition to IP addresses, to be configured
before they can work normally. A DHCP server can allocate configuration information such
as the startup configuration file to clients. Configuration files are usually saved on the DHCP
server or a dedicated file server. The DHCP server can specify the address of the file server so
that clients can easily obtain files from the file server.
If the startup configuration file is saved on a file server, the route between the DHCP client
and file server must be reachable.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.
Procedure
l Configure a configuration file based on an interface address pool.
a. Run:
system-view
The name of the startup configuration file for DHCP clients is configured.
By default, the name is not configured.
d. Run:
dhcp server sname sname
The name of the server from which DHCP clients obtain the startup configuration
file is configured.
By default, the name of the server is not configured.
e. Run:
dhcp server next-server ip-address
The IP address of the server is configured for the client after the client
automatically obtains an IP address.
By default, the server IP address is not configured.
You can also specify an IP address for the file server by configuring user-defined
options for clients.
l Configure a configuration file based on a global address pool.
– In the global address pool view:
i. Run:
system-view
The name of the startup configuration file for DHCP clients is configured.
The name of the server from which DHCP clients obtain the startup
configuration file is configured.
By default, the name of the server is not configured.
v. Run:
next-server ip-address
The IP address of a network service server is configured for the client after the
client automatically obtains an IP address.
By default, the server IP address is not configured.
You can also specify an IP address for the file server by configuring user-
defined options for clients.
– In the DHCP Option template view:
i. Run:
system-view
The name of the startup configuration file for DHCP clients is configured.
By default, the name is not configured.
iv. Run:
sname sname
The name of the server from which DHCP clients obtain the startup
configuration file is configured.
By default, the name of the server is not configured.
v. Run:
next-server ip-address
The IP address of a network service server is configured for the client after the
client automatically obtains an IP address.
By default, the server IP address is not configured.
You can also specify an IP address for the file server by configuring user-
defined options for clients.
If you need to configure other items in the DHCP Option template view,
complete them first before performing the following steps.
vi. (Optional) Run:
quit
Context
Vendors can define DHCP options. A device functioning as a DHCP server can allocate
vendor-defined network parameters to clients using the following methods:
l Based on the options in DHCP Discovery messages: Options are configured using the
dhcp server option (based on an interface address pool) or option (based on a global
address pool) command. The device provides options only when requested by clients.
l By forcibly appending the Options field: Options are configured using the dhcp server
force insert option (based on an interface address pool) or force insert option (based on
a global address pool) command. The device inserts the Options field to DHCP Reply
messages, regardless of whether the options are requested by clients.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.
Procedure
l Configure user-defined options for clients based on an interface address pool.
a. Run:
system-view
The Option 82 field is called the DHCP relay agent information field. It records the
location of a DHCP client, based on which a DHCP server can select address
allocation policies including IP addresses and other network parameters. Vendors
can define Option 82 based on their requirements. Currently, a device functioning
as the DHCP server cannot allocate network parameters to clients based on policies.
After the device is enabled to trust Option 82, the device normally allocates IP
addresses to clients. If the device is disabled from trusting Option 82, the device
discards received messages carrying Option 82.
c. Run:
interface interface-type interface-number [.subinterface-number ]
The DHCP server is configured to forcibly insert an Option field to DHCP Reply
messages sent to DHCP clients.
By default, the DHCP server does not forcibly insert an Option field to DHCP
Reply messages.
After this function is configured, the device inserts an Option field to a DHCP
Reply message regardless of whether the option has been requested.
e. Run:
dhcp server option code [ sub-option sub-code ] { ascii ascii-string |
hex hex-string | cipher cipher-string | ip-address ip-address &<1-8> }
NOTE
If an option carries a password, using ascii or hex is insecure. Using cipher is recommended. For
security purposes, the password must be at least six characters long and contain at least two of the
following: digits, lowercase letters, uppercase letters, and special characters.
After an option is configured, the device provides this option only when requested
by clients.
Some options are configured using other commands, as described in the following
table.
f. Run:
dhcp server option121 ip-address { ip-address mask-length gateway-
address } &<1-8>
NOTE
vi. Run:
option121 ip-address { ip-address mask-length gateway-address }
&<1-8>
----End
Context
To prevent an attacker from sending a large number of DHCP messages, you can configure
the DHCP rate limit function on the device to limit the rate of DHCP messages from clients.
The device can send only a specified number of DHCP messages in a certain period of time
and discards excess DHCP messages.
You are advised to configure DHCP message rate limit on user-side devices. If the device
functions as a DHCP server and directly connects to DHCP clients, configure rate limit on the
device; if the device functions as a DHCP server and connects to a DHCP relay agent or
DHCP snooping device, configure rate limit on the DHCP relay agent or DHCP snooping
device.
You can configure rate limit in the system, VLAN, or interface view. The configuration takes
effect in the interface view, VLAN view, and system view in descending order of priority.
Procedure
l Configure DHCP rate limit in the system view.
a. Run:
system-view
The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, DHCP messages are sent to the DHCP stack at a rate of 100 pps. Excess
packets in a specified period of time are discarded.
d. (Optional) Run:
dhcp alarm dhcp-rate enable
a. Run:
system-view
The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, the maximum rate of sending DHCP messages to the DHCP stack is not
configured.
l Configure DHCP rate limit in the interface view.
a. Run:
system-view
The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, the rate of sending DHCP messages to the DHCP stack is not
configured.
e. (Optional) Run:
dhcp alarm dhcp-rate enable
By default, the alarm threshold for checking DHCP message rates is not specified.
After the trap function for the rate limit is enabled, the device discards packets
whose rate exceeds the rate limit. When the number of discarded packets exceeds
the alarm threshold, the system generates an alarm.
----End
l Run the display dhcp server database command to view the path for storing the DHCP
database.
l Run the display dhcp option template [ name template-name ] command to view the
configuration of a DHCP Option template.
l Run the display ip pool import all command to view the DNS and NetBIOS
configurations that the address pool automatically obtains and allocates to the DHCP
clients.
----End
Pre-configuration Tasks
Before configuring a DHCP relay agent, complete the following tasks:
Context
Before enabling the DHCP relay function, enable DHCP in the system view.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp enable
DHCP is enabled.
NOTE
If STP is enabled on a device functioning as a DHCP relay, allocating IP addresses may be slowed. By
default, STP is enabled. To disable STP, run the undo stp enable command.
----End
Context
Enable the DHCP relay function on an interface so that the interface functions as a DHCP
relay agent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [.subinterface-number ]
Step 3 Run:
ip address ip-address { mask | mask-length }
NOTE
When the IP address of the interface connecting the DHCP relay agent to clients functions as the gateway
address of the clients, configure the IP address on the same network segment as the address pool on the
DHCP server. Otherwise, clients cannot obtain IP addresses.
Step 4 Run:
dhcp select relay
NOTE
When enabling the DHCP relay function on a sub-interface, run the arp broadcast enable command on the
sub-interface to enable ARP broadcast. By default, ARP broadcast is not enabled on a VLAN tag termination
sub-interface.
----End
Context
A device functioning as a DHCP relay agent transparently transmits DHCP Discovery
messages to the destination DHCP server. The DHCP server can then allocate network
parameters including IP addresses to clients. After an IP address is specified for the DHCP
server on the DHCP relay agent, clients can send DHCP Discovery messages to the DHCP
server to apply for IP addresses.
A maximum of 16 DHCP relay agents are allowed between a DHCP server and a DHCP
client. If there are more than 16 DHCP relay agents, DHCP messages are discarded.
Procedure
l Specify an IP address for the DHCP server in the interface view.
a. Run:
system-view
The DHCP server polling function is configured on the DHCP relay agent.
By default, DHCP server polling is disabled on a DHCP relay agent.
If IP addresses are specified for multiple DHCP servers, by default, the DHCP relay
agent forwards DHCP Discovery messages to all DHCP servers. To reduce the
burden on the device, configure the DHCP server polling function so that the device
forwards DHCP Discovery messages to only one DHCP server at a time. If the
device receives no DHCP Reply message from the DHCP server for a specified
period of time, the device forwards the DHCP Discovery messages to another
DHCP server until it receives a DHCP Reply message.
c. Run:
interface interface-type interface-number [.subinterface-number ]
The DHCP server polling function is configured on the DHCP relay agent.
By default, DHCP server polling is disabled on a DHCP relay agent.
If IP addresses are specified for multiple DHCP servers, by default, the DHCP relay
agent forwards DHCP Discovery messages to all DHCP servers. To reduce the
burden on the device, configure the DHCP server polling function so that the device
forwards DHCP Discovery messages to only one DHCP server at a time. If the
device receives no DHCP Reply message from the DHCP server for a specified
period of time, the device forwards the DHCP Discovery messages to another
DHCP server until it receives a DHCP Reply message.
c. Run:
dhcp server group group-name
If the IP address of the interface that connects the DHCP relay agent to clients
functions as the gateway address, skip this step.
The gateway address specified in this step must be the same as the egress gateway
address of clients specified on the DHCP server. If an Huawei AR Series series
switch functions as the DHCP server, refer to 3.9.4.1 Configuring a Gateway
Address for Clients for details about how to specify the egress gateway address for
clients.
f. (Optional) Run:
vpn-instance vpn-instance-name
Only the S5720HI and S5720EI support this step.Only the S5320EI supports this
step.Only the S5720HI, S5720EI, S5720SI, S5720S-SI and S6720EI support this
step.Only the S5320EI, S5320SI and S6320EI support this step.
If the DHCP relay agent is deployed on a VPN network, bind the DHCP server
group to the VPN instance that is also bound to the address pool of the DHCP
server. Otherwise, clients cannot obtain IP addresses.
g. Run:
interface interface-type interface-number [.subinterface-number ]
----End
Context
Option 82 is also called the Relay Agent Information Option. It records the location of a
DHCP client, based on which a DHCP server can select address allocation policies including
IP addresses and other network parameters. You can configure strategies for processing
Option 82 information on a DHCP relay agent.
You are advised to perform the configuration on a user-side device. If the DHCP relay agent
connects to a DHCP snooping device, configure the strategies for processing Option 82
information on the DHCP snooping device. When a industrial switch router functions as the
DHCP snooping device, refer to Inserting the Option 82 Field in a DHCP Message in Huawei
AR Series IOT Gateway Configuration Guide - Security - DHCP Snooping to perform the
configuration.
NOTE
If the device functions as the first-hop DHCP relay agent, it can process Option 82 information. If the device
functions as the second-hop or subsequent DHCP relay agent, it cannot process Option 82 information.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp relay trust option82
When this function is enabled, the DHCP relay agent can receive and forward DHCP
messages that carry Option 82. If the DHCP relay agent is disabled from trusting Option 82
using the undo dhcp relay trust option82 command, the device discards the DHCP
messages carrying Option 82.
Step 3 Configure strategies for processing Option 82 information on the DHCP relay agent.
l Configure the DHCP relay agent to insert the Option 82 field to DHCP messages in a
VLAN view. This configuration takes effect on all DHCP messages from this VLAN
received on the interfaces of the DHCP relay agent.
a. Run:
vlan vlan-id
The DHCP relay agent is enabled to insert the Option 82 field to received DHCP
messages.
By default, a DHCP relay agent is disabled from inserting the Option 82 field to
received DHCP messages.
c. Run:
quit
The DHCP relay agent is enabled to insert the Option 82 field to received DHCP
messages.
By default, a DHCP relay agent is disabled from inserting the Option 82 field to
received DHCP messages.
DHCP messages received on the DHCP relay agent may carry the Option 82 field.
Select a strategy based on network requirements.
n When insert is configured: If a DHCP message does not carry the Option 82
field, the DHCP relay agent inserts the Option 82 field. If a DHCP message
carries the Option 82 field, the DHCP relay agent checks whether the Option
82 field contains remote-id. If yes, the Option 82 field remains unchanged; if
no, the DHCP relay agent inserts remote-id.
n When rebuild is configured: If a DHCP message does not carry the Option 82
field, the DHCP relay agent inserts the Option 82 field. If a DHCP message
carries the Option 82 field, the DHCP relay agent deletes the original Option
82 field and inserts the locally configured Option 82 field.
c. Run:
quit
l All Option82 fields configured in the system view or in the same interface view share a
length of 1-255 bytes. If their total length exceeds 255 bytes, some Option82 information
will be lost.
l There is no limit on the number of Option 82 fields configured on the device. However, a
large number of Option 82 fields will occupy a lot of memory and prolong the device
processing time. To ensure device performance, you are advised to configure Option 82
fields based on the service requirements and device memory size.
----End
Context
You can configure rate limit of DHCP packets on the device to prevent DHCP packet attacks.
After rate limit is configured, the device is allowed to process only a specified number of
DHCP packets within a certain period and discards extra packets.
Rate limit is configured for the DHCP packets sent by the clients, so you are advised to
configure the rate limit function on the device close to the user side. If the device functions as
the DHCP relay and is connected to a DHCP snooping-enabled device, you are advised to
configure the rate limit function on the DHCP snooping-enabled device.
You can configure the rate limit function in the system view, VLAN view, or interface view.
The configuration in the interface view takes precedence over those in the VLAN view and
global view; the configuration in the VLAN view takes precedence over that in the system
view.
Procedure
l Configure DHCP rate limit in the system view.
a. Run:
system-view
The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, DHCP messages are sent to the DHCP stack at a rate of 100 pps. Excess
packets in a specified period of time are discarded.
d. (Optional) Run:
dhcp alarm dhcp-rate enable
The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, the maximum rate of sending DHCP messages to the DHCP stack is not
configured.
l Configure DHCP rate limit in the interface view.
a. Run:
system-view
The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, the rate of sending DHCP messages to the DHCP stack is not
configured.
e. (Optional) Run:
dhcp alarm dhcp-rate enable
This function allows the system to generate an alarm when the number of discarded
DHCP messages on the interface reaches the threshold.
f. (Optional) Run:
dhcp alarm dhcp-rate threshold threshold
By default, the alarm threshold for checking DHCP message rates is not specified.
After the trap function for the rate limit is enabled, the device discards packets
whose rate exceeds the rate limit. When the number of discarded packets exceeds
the alarm threshold, the system generates an alarm.
----End
Procedure
l Run the display dhcp relay { all | interface interface-type interface-number } command
to view information about the DHCP server or DHCP server group on the interface
functioning as a DHCP relay agent.
l Run the display dhcp server group [ group-name ] command to view the configuration
of the DHCP server group.
----End
Pre-configuration Tasks
Before configuring a DHCP client, complete the following tasks:
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp client class-id class-id
The DHCP client is configured to send DHCP Discovery messages that carry the Option 60
field.
By default, the default value of the Option60 field depends on the device type, which is "
huawei Device Model".
Option 60 identifies the vendor type and configuration of a DHCP client. Vendors can define
the Option 60 field to transfer specified identification information or configurations of clients
to DHCP servers.
Step 3 Run:
interface interface-type interface-number [.subinterface-number ]
Step 4 Run:
dhcp client hostname hostname
The host name allows access to a DHCP client through the domain name. A domain name
consists of a host name and domain name suffix.
Step 5 Run:
dhcp client client-id client-id
Client identifiers are filled in the Option 61 field to uniquely identify DHCP clients.
The DHCP client is configured to send DHCP Discovery messages that carry the Option 60
field.
The Option 60 field can be configured in the system view and in the interface view. The
configuration in the interface view has a higher priority than that in the system view. If the
Option 60 field is configured in both views, the configuration performed in the interface view
takes effect.
----End
Context
When a DHCP server dynamically allocates an IP address with a lease to a client, the DHCP
server compares the configured lease with the expected lease of the client and selects the
smaller value as the lease of the IP address. A device functioning as a DHCP client supports
the configuration of an expected lease.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [.subinterface-number ]
Step 3 Run:
dhcp client expected-lease time
----End
Context
A DHCP client enabled with the gateway detection function sends an ARP Request packet to
detect the gateway status after obtaining an IP address. If the DHCP client receives no ARP
Reply packet within the detection period, it considers the gateway address incorrect or the
gateway device faulty, and then re-applies for an IP address.
Procedure
Step 1 Run:
system-view
----End
Context
To allow a DHCP client to communicate with other network devices, you need to configure a
route in which the next hop address is the gateway address of the client. If the gateway
address of the client is dynamically obtained from the DHCP server and the route is statically
configured on the client, the static route must be manually modified when the gateway
address changes. After the DHCP client is configured to dynamically obtain routing entries
through DHCP, the next hop address in the static route is automatically updated when the
gateway address changes, lowering maintenance costs.
A DHCP server can allocate routing entries to DHCP clients. On a device functioning as the
DHCP client, you can set the priorities of routing entries allocated by the DHCP server so that
the DHCP client can dynamically update its routing table.
Procedure
Step 1 Run:
system-view
Step 4 Run:
dhcp client default-route preference preference-value
The priority of routing entries allocated by the DHCP server to DHCP clients is set.
The default priority of routing entries allocated by the DHCP server to DHCP clients is 60.
----End
Context
After an interface is enabled with the DHCP client function, the device can obtain network
parameters including an IP address from a DHCP server.
If the allocated IP address and IP addresses of other interfaces are on the same network
segment, the interface does not use the allocated IP address and does not re-apply for an IP
address. To allow the interface to re-apply for an IP address, run the shutdown and then the
undo shutdown commands on the interface. Alternatively, run the undo ip address dhcp-
alloc and then the ip address dhcp-alloc commands on the interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [.subinterface-number ]
Step 3 Run:
ip address dhcp-alloc
----End
Procedure
l On an interface enabled with the DHCP client function, run the display this command to
view the configuration of the DHCP client.
l Run the display dhcp client command to view the status of the DHCP client.
----End
Pre-configuration Tasks
Before configuring a device as a BOOTP client, complete the following tasks:
l Configure a DHCP server.
l (Optional) Configure a DHCP relay agent.
l Configure a routing protocol between the device and DHCP server to ensure that the
route between them is reachable.
----End
Context
A BOOTP client enabled with the gateway detection function sends an ARP Request packet
to detect the gateway status after obtaining an IP address. If the BOOTP client receives no
ARP Reply packet within the detection period, it considers the gateway address incorrect or
the gateway device faulty, and then re-applies for an IP address.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 4 Run:
dhcp client default-route preference preference-value
The priority of routing entries allocated by the DHCP server to BOOTP clients is set.
The default priority of routing entries allocated by the DHCP server to BOOTP clients is 60.
----End
Context
After an interface is enabled with the BOOTP client function, the interface can obtain network
parameters including the IP address from the DHCP server.
If the allocated IP address and IP addresses of other interfaces are on the same network
segment, the interface does not use the allocated IP address and does not re-apply for an IP
address. To allow the interface to re-apply for an IP address, run the shutdown and then the
undo shutdown commands on the interface. Alternatively, run the undo ip address bootp-
alloc and then the ip address bootp-alloc commands on the interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [.subinterface-number ]
Step 3 Run:
ip address bootp-alloc
----End
Procedure
l On an interface enabled with the DHCP client function, run the display this command to
view the configuration of the DHCP client.
l Run the display dhcp client command to view the status of the DHCP client.
----End
Procedure
l Run the display dhcp server statistics command to view statistics about DHCP
messages sent and received on a DHCP server.
l Run the display dhcp relay statistics [ server-group group-name ] command to view
statistics about DHCP messages sent and received on a DHCP relay agent.
l Run the display dhcp client statistics [ interface interface-type interface-number ]
command to view statistics about DHCP messages sent and received on a DHCP client.
l Run the display dhcp statistics command to view statistics about DHCP messages sent
and received on a device.
----End
DHCP statistics cannot be restored after they are cleared. Exercise caution when performing
this operation.
Procedure
l Run the reset dhcp server statistics command to clear statistics about DHCP messages
sent and received on a DHCP server.
l Run the reset dhcp relay statistics [ server-group group-name ] command to clear
statistics about DHCP messages sent and received on a DHCP relay agent.
l Run the reset dhcp client statistics [ interface interface-type interface-number ]
command to clear statistics about DHCP messages sent and received on a DHCP client.
l Run the reset dhcp statistics command to clear statistics about DHCP messages sent
and received on a device.
----End
Context
To force a DHCP server to re-allocate IP addresses to clients or to set IP addresses in an
address pool to idle (idle IP addresses will be preferentially allocated), reset an address pool.
Procedure
l Run the following commands to reset address pools on the device.
– Interface address pool:
reset ip pool interface pool-name { start-ip-address [ end-ip-address ] | all |
conflict | expired | used }
– Global address pool:
reset ip pool name ip-pool-name { start-ip-address [ end-ip-address ] | all |
conflict | expired | used }
Parameter Description
l Run the reset ip pool import { all | dns | domain-name | nbns } command to clear the
DNS and NetBIOS configurations that the address pool automatically obtains and
allocates to the DHCP clients.
l Configure a DHCP relay agent to request a DHCP server to release IP addresses of
clients.
After a DHCP relay agent is configured to request the DHCP server to release IP
addresses of clients, the DHCP relay agent sends DHCP Release messages to the
specified DHCP server. After receiving the message, the DHCP server restores specified
IP addresses to the idle status. Released IP addresses can then be allocated to other
clients. Run the following commands to configure the DHCP relay agent to request the
DHCP server to release IP addresses of clients:
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip pool ip-pool-name command to enter the global address pool view.
----End
Networking Requirements
As shown in Figure 3-16, an enterprise plans two network segments for office terminals. The
PCs on the network segment 10.1.1.0/24 are fixed office terminals for employees; the network
segment 10.1.2.0/24 is used for employees on business trips to temporarily access the
network. To facilitate management, the administrator requires that the enterprise terminals
automatically obtain IP addresses and the DNS server IP address. (When users want to use
domain names for access, the DNS server for domain name resolution needs to be
configured.) The PC (Client_1) of the enterprise manager needs to use the fixed IP address
10.1.1.100/24 based on service requirements.
DNS Server
10.1.1.2/24
IP Network
Eth2/0/0 Eth2/0/1
VLANIF10 VLANIF11
10.1.1.1/24 10.1.2.1/24
Router
DHCP Server
LSW_1 LSW_2
Configuration Roadmap
The configuration roadmap is as follows:
Configure the DHCP server function on the router to dynamically assign IP addresses and the
DNS server address to the terminals on the two network segments of the enterprise. The PCs
on 10.1.1.0/24 are fixed office terminals for employees with the IP address lease of 30 days,
and DHCP Client_1 is assigned with the fixed IP address (10.1.1.100/24) in DHCP static
mode. The network segment 10.1.2.0/24 is used for employees on business trips to
temporarily access the network, with the IP address lease of 2 days.
NOTE
Configure the interface link type and VLANs on the Layer 2 switches LSW_1 and LSW_2 to implement
Layer 2 communication.
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
# Configure the clients connected to VLANIF 11 to obtain IP addresses and other network
parameters from the interface address pool.
[Router] interface vlanif 11
[Router-Vlanif11] dhcp select interface
[Router-Vlanif11] dhcp server lease day 2
[Router-Vlanif11] dhcp server domain-name huawei.com
[Router-Vlanif11] dhcp server dns-list 10.1.1.2
[Router-Vlanif11] quit
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 251(0) 0 1
-----------------------------------------------------------------------------
[Router] display ip pool interface vlanif11
Pool-name : Vlanif11
Pool-No : 1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.1.2
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 10 to 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684
dhcp server lease day 30 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server domain-name huawei.com
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server lease day 2 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server domain-name huawei.com
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
return
Networking Requirements
As shown in Figure 3-17, the router functions as the enterprise egress gateway. The IP phone
and PCs are devices in an office area. To uniformly manage devices and reduce manual
configuration costs, the administrator needs to configure hosts to dynamically obtain IP
addresses through DHCP. The PCs are the fixed terminal in the duty room. It should always
be online and use domain names to access network devices. Besides obtaining an IP address
dynamically, the PCs requires an unlimited IP address lease and obtains information about the
DNS server. The IP phone uses a fixed IP address 10.1.1.4/24 and its MAC address is dcd2-
fc96-e4c0. Besides obtaining an IP address, the IP phone needs to dynamically obtain the
startup configuration file. The startup configuration file named configuration.ini is saved on
the FTP file server. There are reachable routes between the IP phone and the FTP file server.
The gateway address of the PCs and IP phone is 10.1.1.1/24.
Figure 3-17 Networking diagram of configuring the DHCP server to allocate different
network parameters to dynamic clients and static clients
DNS Server
10.1.1.2/24
Switch GE1/0/0
10.1.1.1/24 Internet
Router
IP Phone DHCP Server
10.1.1.4/24
PC PC PC FTP Server
10.1.1.3/24
Configuration Roadmap
1. Create a DHCP Option template on the router. In the DHCP Option template view,
configure the startup configuration file for the static client IP phone, and configure an IP
address for the network server that provides the startup configuration file.
2. Create a global address pool on the router. In the global address pool view, configure the
IP address lease and information about the DNS server for the dynamic client PCs. Bind
an IP address to the MAC address of the static client IP phone and bind a DHCP Option
template. In this way, the DHCP server can allocate different network parameters to
dynamic and static clients.
Procedure
Step 1 Configure an IP address for the interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[Router-GigabitEthernet1/0/0] quit
Step 3 Create a DHCP Option template. In the DHCP Option template view, configure the startup
configuration file for the static client IP phone, and configure an IP address for the network
server that provides the startup configuration file.
[Router] dhcp option template template1
[Router-dhcp-option-template-template1] gateway-list 10.1.1.1
[Router-dhcp-option-template-template1] bootfile configuration.ini
[Router-dhcp-option-template-template1] next-server 10.1.1.3
[Router-dhcp-option-template-template1] quit
Step 4 Create an IP address pool. In the IP address pool view, configure the gateway address, IP
address lease, and IP address of the DNS server for the PCs. Allocate a fixed IP address to the
IP phone and configure the startup configuration file.
[Router] ip pool pool1
[Router-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[Router-ip-pool-pool1] dns-list 10.1.1.2
[Router-ip-pool-pool1] gateway-list 10.1.1.1
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.2 10.1.1.3
[Router-ip-pool-pool1] lease unlimited
[Router-ip-pool-pool1] static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0
option-template template1
[Router-ip-pool-pool1] quit
Domain-name : -
DNS-server0 : 10.1.1.2
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 4 247(0) 0 2
-----------------------------------------------------------------------------
# Run the display dhcp option template name template1 command on the router to check
the DHCP Option template configuration.
[Router] display dhcp option template name template1
-----------------------------------------------------------------------------
Template-Name : template1
Template-No : 0
Next-server : 10.1.1.3
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Gateway-0 : 10.1.1.1
Bootfile : configuration.ini
----End
Configuration File
Configuration file of the router
#
sysname Router
#
dhcp enable
#
dhcp option template template1
gateway-list 10.1.1.1
next-server 10.1.1.3
bootfile configuration.ini
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.2 10.1.1.3
static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0 option-template
template1
lease unlimited
dns-list 10.1.1.2
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
return
Internet
RouterB
DHCP server
Eth2/0/0
VLANIF200 10.10.20.2/24
Eth2/0/0
VLANIF200 10.10.20.1/24
RouterA
DHCP relay
Eth2/0/1
VLANIF100 10.20.20.1/24
LSW
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP relay function on the aggregation device RouterA (user gateway)
so that the device functions as the DHCP relay to forward the DHCP packets between
the terminals and DHCP server.
2. On the core device RouterB, configure the DHCP server based on the global address
pool so that the DHCP server allocates the IP addresses from the global address pool to
the terminals.
NOTE
Procedure
Step 1 Configure the DHCP relay function on RouterA.
Step 3 Configure the DHCP server function based on the global IP address pool on RouterB.
Create an address pool and set the attributes of the address pool.
[RouterB] ip pool pool1
[RouterB-ip-pool-pool1] network 10.20.20.0 mask 24
[RouterB-ip-pool-pool1] gateway-list 10.20.20.1
[RouterB-ip-pool-pool1] option121 ip-address 10.10.20.0 24 10.20.20.1
[RouterB-ip-pool-pool1] quit
# Run the display dhcp relay interface vlanif 100 command on RouterA to view the DHCP
relay configuration.
[RouterA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server IP address [00] : 10.10.20.2
Gateway address in use : 10.20.20.1
# Run the display ip pool name pool1 command on RouterB to view the allocation of the
address pool. The Used field indicates the number of allocated IP addresses.
[RouterB] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
Option-code : 121
Option-subcode : --
Option-type : hex
Option-value : 18640A1414141401
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.20.20.1
Network : 10.20.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.20.20.1 10.20.20.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type access
port default vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return
Figure 3-19 Networking diagram for configuring a device as the DHCP relay agent
DHCP Client
10.1.1.0/24
Branch 1:
vpna
GE0/0/1
CE_1
DHCP Relay Agent Loopback0 MCE
GE0/0/2 10.20.20.9/32 DHCP Server
GE2/0/0
Loopback0 GE3/0/0 GE2/0/0 GE1/0/0
10.10.10.9/32 GE0/0/1
GE1/0/0 PE_1 PE_2
GE0/0/2
CE_2
DHCP Relay Agent
GE0/0/1
Branch 2:
vpnb
DHCP Client
10.1.1.0/24
Configuration Roadmap
1. Configure OSPF between PE_1 and PE_2 to implement interworking between them and
configure MP-IBGP to exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on PE_1 and PE_2 to set up LDP
LSPs.
3. Create VPN instances vpna and vpnb on the MCE, PE_1, and PE_2 to isolate services.
4. Set up EBGP peer relationships between PE_1 and its connected CEs, and import BGP
routes to the VPN routing table of PE1.
5. Configure the MCE as the DHCP server to allocate IP addresses from the global address
pool to terminals in branch 1 and branch 2.
6. Configure the DHCP relay function on CE_1 and CE_2 to forward DHCP messages
between the DHCP server and terminals so that the terminals can apply to the DHCP
server for IP addresses.
7. Configure the terminals to dynamically obtain IP addresses from the DHCP server.
Procedure
Step 1 Configure IP addresses for the interfaces.
# Configure PE_1.
<Huawei> system-view
[Huawei] sysname PE_1
[PE_1] interface loopback 0
[PE_1-LoopBack0] ip address 10.10.10.9 32
[PE_1-LoopBack0] quit
[PE_1] interface gigabitethernet 3/0/0
[PE_1-GigabitEthernet3/0/0] ip address 10.1.3.1 24
[PE_1-GigabitEthernet3/0/0] quit
# Configure PE_2.
<Huawei> system-view
[Huawei] sysname PE_2
[PE_2] interface loopback 0
[PE_2-LoopBack0] ip address 10.20.20.9 32
[PE_2-LoopBack0] quit
[PE_2] interface gigabitethernet 2/0/0
[PE_2-GigabitEthernet2/0/0] ip address 10.1.3.2 24
[PE_2-GigabitEthernet2/0/0] quit
# Configure PE_1.
[PE_1] ospf 1
[PE_1-ospf-1] area 0
[PE_1-ospf-1-area-0.0.0.0] network 10.10.10.9 0.0.0.0
[PE_1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[PE_1-ospf-1-area-0.0.0.0] quit
[PE_1-ospf-1] quit
# Configure PE_2.
[PE_2] ospf 1
[PE_2-ospf-1] area 0
[PE_2-ospf-1-area-0.0.0.0] network 10.20.20.9 0.0.0.0
[PE_2-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[PE_2-ospf-1-area-0.0.0.0] quit
[PE_2-ospf-1] quit
# After the configuration is complete, PE_1 and PE_2 set up the OSPF neighbor relationship.
Run the display ip routing-table command on PE_1 and PE_2 to view the routes to each
other.
Step 3 Configure basic MPLS capabilities and MPLS LDP on PE_1 and PE_2 to set up LDP LSPs.
# Configure PE_1.
[PE_1] mpls lsr-id 10.10.10.9
[PE_1] mpls
[PE_1-mpls] quit
[PE_1] mpls ldp
[PE_1-mpls-ldp] quit
[PE_1] interface gigabitethernet 3/0/0
[PE_1-GigabitEthernet3/0/0] mpls
[PE_1-GigabitEthernet3/0/0] mpls ldp
[PE_1-GigabitEthernet3/0/0] quit
# Configure PE_2.
[PE_2] mpls lsr-id 10.20.20.9
[PE_2] mpls
[PE_2-mpls] quit
[PE_2] mpls ldp
[PE_2-mpls-ldp] quit
[PE_2] interface gigabitethernet 2/0/0
[PE_2-GigabitEthernet2/0/0] mpls
[PE_2-GigabitEthernet2/0/0] mpls ldp
[PE_2-GigabitEthernet2/0/0] quit
# After the configuration is complete, PE_1 and PE_2 set up LDP sessions. Run the display
mpls ldp session command on PE_1 and PE_2. The command output shows that the Status
field is Operational. Run the display mpls ldp lsp command. Information about the
established LDP LSPs is displayed.
Step 4 Configure VPN instances on the MCE, PE_1, and PE_2.
# Configure PE_1.
[PE_1] ip vpn-instance vpna
[PE_1-vpn-instance-vpna] ipv4-family
[PE_1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE_1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE_1-vpn-instance-vpna-af-ipv4] quit
[PE_1-vpn-instance-vpna] quit
[PE_1] ip vpn-instance vpnb
[PE_1-vpn-instance-vpnb] ipv4-family
[PE_1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE_1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE_1-vpn-instance-vpnb-af-ipv4] quit
[PE_1-vpn-instance-vpnb] quit
[PE_1] interface gigabitethernet 2/0/0
[PE_1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE_1-GigabitEthernet2/0/0] ip address 10.1.2.2 24
[PE_1-GigabitEthernet2/0/0] quit
[PE_1] interface gigabitethernet 1/0/0
[PE_1-GigabitEthernet1/0/0] ip binding vpn-instance vpnb
[PE_1-GigabitEthernet1/0/0] ip address 10.1.2.2 24
[PE_1-GigabitEthernet1/0/0] quit
# Configure PE_2.
[PE_2] ip vpn-instance vpna
[PE_2-vpn-instance-vpna] ipv4-family
[PE_2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE_2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE_2-vpn-instance-vpna-af-ipv4] quit
[PE_2-vpn-instance-vpna] quit
Step 5 Set up the MP-IBGP peer relationship between PE_1 and PE_2.
# Configure PE_1.
[PE_1] bgp 100
[PE_1-bgp] peer 10.20.20.9 as-number 100
[PE_1-bgp] peer 10.20.20.9 connect-interface loopback 0
[PE_1-bgp] ipv4-family vpnv4
[PE_1-bgp-af-vpnv4] peer 10.20.20.9 enable
[PE_1-bgp-af-vpnv4] quit
[PE_1-bgp] ipv4-family vpn-instance vpna
[PE_1-bgp-vpna] import-route direct
[PE_1-bgp-vpna] quit
[PE_1-bgp] ipv4-family vpn-instance vpnb
[PE_1-bgp-vpnb] import-route direct
[PE_1-bgp-vpnb] quit
[PE_1-bgp] quit
# Configure PE_2.
[PE_2] bgp 100
[PE_2-bgp] peer 10.10.10.9 as-number 100
# After the configuration is complete, run the display bgp peer command on PE_1 and PE_2.
The command output shows that the MP-IBGP peer relationship has been set up between PEs
and the relationship is in Established state.
Step 6 Configure EBGP peer relationships between CE_1 and PE_1 and between CE_2 and PE_1.
# Configure the egress gateway CE1 of branch 1.
[CE_1] bgp 65410
[CE_1-bgp] peer 10.1.2.2 as-number 100
[CE_1-bgp] ipv4-family unicast
[CE_1-bgp-af-ipv4] undo synchronization
[CE_1-bgp-af-ipv4] import-route direct
[CE_1-bgp-af-ipv4] quit
[CE_1-bgp] quit
# Configure PE_1.
[PE_1] bgp 100
[PE_1-bgp] ipv4-family vpn-instance vpna
[PE_1-bgp-vpna] peer 10.1.2.1 as-number 65410
[PE_1-bgp-vpna] import-route direct
[PE_1-bgp-vpna] quit
[PE_1-bgp] ipv4-family vpn-instance vpnb
[PE_1-bgp-vpnb] peer 10.1.2.1 as-number 65411
[PE_1-bgp-vpnb] import-route direct
[PE_1-bgp-vpnb] quit
[PE_1-bgp] quit
NOTE
To configure OSPF multi-instance between the MCE and PE2, perform the following tasks on PE_2:
l In the OSPF view, import BGP routes and advertise VPN routes of PE_1 to the MCE.
l In the BGP view, import routes of the OSPF processes and advertise the VPN routes of the MCE to PE_1.
[PE_2] ospf 100 vpn-instance vpna
[PE_2-ospf-100] import-route bgp
[PE_2-ospf-100] area 0
[PE_2-ospf-100-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[PE_2-ospf-100-area-0.0.0.0] quit
[PE_2-ospf-100] quit
[PE_2] ospf 200 vpn-instance vpnb
NOTE
# Run the display ip routing-table vpn-instance command on PE_1 to view the routes to the
remote CEs.
# Create global address pools pool1 and pool2 to allocate IP addresses to terminals in branch
1 and branch 2.
[MCE] ip pool pool1
[MCE-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[MCE-ip-pool-pool1] vpn-instance vpna
[MCE-ip-pool-pool1] gateway-list 10.1.1.1
[MCE-ip-pool-pool1] quit
[MCE] ip pool pool2
[MCE-ip-pool-pool2] network 10.1.1.0 mask 255.255.255.0
[MCE-ip-pool-pool2] vpn-instance vpnb
[MCE-ip-pool-pool2] gateway-list 10.1.1.1
[MCE-ip-pool-pool2] quit
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of PE_1
#
sysname PE_1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.10.10.9
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 10.1.3.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpnb
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 10.1.2.2 255.255.255.0
#
interface LoopBack0
ip address 10.10.10.9 255.255.255.255
#
bgp 100
peer 10.20.20.9 as-number 100
peer 10.20.20.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.20.20.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.20.20.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.2.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.1.2.1 as-number 65411
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.10.10.9 0.0.0.0
#
return
l Configuration file of PE_2
#
sysname PE_2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.20.20.9
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.1.3.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0.1
#
return
l Configuration file of CE_2
#
sysname CE_2
#
dhcp enable
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.5.1
#
interface GigabitEthernet0/0/2
ip address 10.1.2.1 255.255.255.0
#
bgp 65411
peer 10.1.2.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.2 enable
#
return
l Configuration file of the MCE
#
sysname MCE
#
dhcp enable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
ip pool pool1
vpn-instance vpna
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
ip pool pool2
vpn-instance vpnb
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.4.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 10.1.5.1 255.255.255.0
dhcp select global
#
ospf 100 vpn-instance vpna
vpn-instance-capability simple
area 0.0.0.0
Networking Requirements
As shown in Figure 3-20, GE0/0/1 on the router is enabled with the DHCP client function,
and dynamically obtains network information such as IP addresses from the carrier's DHCP
server.
GE0/0/2 on the router is enabled with the DHCP server function, and allocates information
such as IP addresses and gateway addresses to the connected PCs. In addition, the function is
enabled on the router that the DNS and NetBIOS server configurations can be automatically
obtained from the address pool of GE0/0/2, so that these configurations assigned to PCs are
the same as those assigned by the carrier.
PC
Configuration Roadmap
1. Enable the DHCP client function on GE0/0/1 so that the router can dynamically obtain
IP addresses, DNS and NetBIOS server configurations from the DHCP server.
2. Enable the DHCP server function on GE0/0/2 to use the interface address pool for
address allocation. Enable the function of automatically obtaining DNS and NetBIOS
server configurations to assign network parameters such as IP addresses, DNS and
NetBIOS server configurations to PCs.
NOTE
Before the configuration, ensure that the devices on the network can communicate with each other.
In this example, the carrier's DHCP server will deliver the configurations to the router. The configurations
include the DNS server address 10.1.2.1, domain name suffix huawei, and NetBIOS server address 10.1.3.1.
Configure the carrier's DHCP server before configuring the router.
Procedure
Step 1 Configure the DHCP client function on GE0/0/1.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address dhcp-alloc
[Router-GigabitEthernet0/0/1] quit
Step 2 Enable the DHCP server function on GE0/0/2 to use the interface address pool for address
allocation, and enable the function of automatically obtaining DNS and NetBIOS server
configurations.
1. Enable the DHCP service.
[Router] dhcp enable
3. Enable the function of automatically obtaining DNS and NetBIOS server configurations
on GE0/0/2.
[Router-GigabitEthernet0/0/2] dhcp server import all
[Router-GigabitEthernet0/0/2] quit
# Run the display ip pool import all command to view the DNS and NetBIOS server
configurations dynamically obtained by the router.
[Router] display ip pool import all
-----------------------------------------------------------------------------
Parameter Update time Protocol Value
-----------------------------------------------------------------------------
domain-name 2015-02-10 08:47:41 dhcp huawei
dns-server 2015-02-10 08:47:41 dhcp 10.1.2.1
nbns-server 2015-02-10 08:47:41 dhcp 10.1.3.1
-----------------------------------------------------------------------------
----End
Example
Configuration file of the router
#
sysname Router
#
dhcp enable
#
interface GigabitEthernet0/0/1
ip address dhcp-alloc
#
interface GigabitEthernet0/0/2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server import all
#
return
Networking Requirements
As shown in Figure 3-21, RouterA functions as the BOOTP client to dynamically obtain
information including the IP address, DNS server address, and gateway address from the
DHCP server (RouterB).
GE0/0/1
RouterA
BOOTP Client
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure RouterA as the BOOTP client to dynamically obtain the IP address from the
DHCP server.
2. Create a global address pool on RouterB and set corresponding attributes.
Procedure
Step 1 Configure the BOOTP client function on RouterA.
# Enable the BOOTP client function on GE0/0/1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip address bootp-alloc
Step 2 Create a global address pool on RouterB and set corresponding attributes.
# Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable
[RouterB] dhcp server bootp
[RouterB] dhcp server bootp automatic
interface GigabitEthernet0/0/1
ip address bootp-
alloc
return
[RouterA-GigabitEthernet0/0/1] quit
# After GE0/0/1 obtains an IP address, run the display dhcp client command on RouterA to
view the status of the BOOTP client on GE0/0/1.
[RouterA] display dhcp client
BOOTP client lease information on interface GigabitEthernet0/0/1 :
Current machine state : Bound
Internet address assigned via : BOOTP
Physical address : 5489-98f7-310f
IP address : 192.168.1.254
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.1
Lease obtained at : 2015-02-10 16:03:43
DNS : 192.168.2.2
# Run the display ip pool name pool1 command on RouterB to view the address pool
configuration.The Used field displays the number of used IP addresses in an address pool.
[RouterB] display ip pool name pool1
Pool-name : pool1
Pool-No : 5
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 192.168.2.2
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 192.168.1.1
Network : 192.168.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.1.1 192.168.1.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
interface
GigabitEthernet0/0/1
ip address bootp-
alloc
#
return
Eth0/0/1 Eth0/0/3
Eth0/0/2 Eth0/0/4
VLAN2 VLAN3
VLAN4
VLANIF4:10.1.1.12/24
Department A: Department B:
VLAN 2 VLAN 3
Configuration Roadmap
1. Configure sub-VLANs on the Router to implement Layer 2 isolation between users in
different sub-VLANs. The sub-VLANs are on the same network segment, which reduces
the amount of required IP address resources.
2. Configure proxy ARP on the VLANIF interface of the super-VLAN to implement Layer
3 communication among sub-VLANs.
3. Configure a DHCP server in the super-VLAN to dynamically allocate IP addresses to
terminals in departments A and B.
Procedure
Step 1 Create VLAN 2, and add Eth0/0/1 and Eth0/0/2 to VLAN 2. Create VLAN 3, and add
Eth0/0/3 and Eth0/0/4 to VLAN 3.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 2 to 4
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] port link-type access
[Router-Ethernet0/0/1] port default vlan 2
[Router-Ethernet0/0/1] quit
[Router] interface ethernet 0/0/2
[Router-Ethernet0/0/2] port link-type access
[Router-Ethernet0/0/2] port default vlan 2
[Router-Ethernet0/0/2] quit
[Router] interface ethernet 0/0/3
[Router-Ethernet0/0/3] port link-type access
[Router-Ethernet0/0/3] port default vlan 3
[Router-Ethernet0/0/3] quit
[Router] interface ethernet 0/0/4
[Router-Ethernet0/0/4] port link-type access
[Router-Ethernet0/0/4] port default vlan 3
[Router-Ethernet0/0/4] quit
Step 4 Configure a DHCP server based on the interface address pool on VLANIF 4 to dynamically
allocate IP addresses to terminals in sub-VLANs.
[Router] dhcp enable
[Router] interface vlanif 4
[Router-Vlanif4] dhcp select interface
[Router-Vlanif4] quit
Pool-No :
0
Domain-name :
-
DNS-server0 :
-
NBNS-server0 :
-
Netbios-type :
-
Network :
10.1.1.0
Mask :
255.255.255.0
VPN instance :
--
Logging : Disable
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 2 to 4
#
dhcp enable
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.12 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
dhcp select interface
#
interface Ethernet0/0/1
port link-type access
port default vlan 2
#
interface Ethernet0/0/2
port link-type access
port default vlan 2
#
interface Ethernet0/0/3
port link-type access
port default vlan 3
#
interface Ethernet0/0/4
port link-type access
port default vlan 3
#
return
The IP address is manually Disable the network adapter l Change the manually
configured for another host of the client or disconnect configured IP address of
on the network. The DHCP the network cable. Then, the host.
server does not exclude this perform a ping operation on l Exclude the conflicting
IP address from the address another host to check IP address from the
pool, leading to the IP whether the host with this IP address pool on the
address conflict. address exists. If the ping DHCP server by running
operation is successful, the either of the following
IP address has been commands: dhcp server
manually configured. excluded-ip-address for
an interface address pool
or excluded-ip-address
for a global address pool.
l Release the conflicting
IP address of the client
and apply for a new IP
address. A PC running
on Windows 7 is used as
an example. Run the
cmd command to enter
the DOS environment.
Run the ipconfig/release
command to release the
IP address and then run
the ipconfig/renew
command to apply for a
new IP address.
To prevent clients from
obtaining conflicting IP
addresses, configure IP
address conflict detection on
the DHCP server. When an
IP address conflict is
detected, the DHCP server
allocates another available
IP address. For details, see
3.9.3.7 (Optional)
Configuring IP Address
Conflict Detection Before a
DHCP Server Allocates IP
Addresses.
The address pool has no Run the display ip pool Determine the number of
available IP addresses. command to check whether DHCP clients on the
there are available IP network.
addresses in the address l If the number of DHCP
pool. The Idle(Expired) clients is larger than the
field displays the number of number of available IP
idle IP addresses in the addresses in the address
address pool. If the value of pool, increase the range
this field is 0, there are no of IP addresses in the
available IP addresses in the address pool by using
address pool. either of the following
methods: Run the ip
address ip-address
{ mask | mask-length }
command in the interface
view to reduce the mask
length. Or run the
network ip-address
[ mask { mask | mask-
length } ] command in
the global address pool
view to reduce the mask
length.
l If the number of DHCP
clients is less than the
number of available IP
addresses in the address
pool, check whether the
lease is too long and
whether the DHCP
server reclaims IP
addresses of offline or
disconnected clients. If
the lease is too long,
shorten the lease of IP
addresses in the address
pool. For details, see
3.9.3.5 (Optional)
Configuring an
Address Lease Time.
In locations where
clients often move
(cafes, for example),
clients' online time
generally does not
exceed one day. In this
situation, reduce the
default lease (one day) of
IP addresses assigned by
a device functioning as a
DHCP server.
Multiple DHCP servers are If multiple DHCP servers are Configure DHCP
deployed on the network. deployed on the same network snooping on the access
segment as the DHCP client, device of the client so that
the client accepts the first the client receives DHCP
DHCP Offer message. messages only from the
trusted DHCP server.
For detailed configuration
of DHCP snooping on the
Huawei AR Series IOT
Gateway , see DHCP
Snooping Configuration
in Huawei AR Series IOT
Gateway Configuration
Guide - Security.
A malicious attack occurs. Run the display cpu-defend Add this MAC address to
statistics command to check the blacklist. For detailed
statistics about packets sent to configuration, see
the CPU of the DHCP server. Configuring CPU Attack
If a large number of DHCP Defense in Huawei AR
messages simultaneously sent Series IOT Gateway
from one MAC address are Configuration Guide -
discarded, this MAC address is Security - Local Attack
the source of a DHCP flood Defense Configuration.
attack.
The STP function is enabled By default, the STP function is If the STP function does
on the DHCP server or enabled. If the STP function is not need to be enabled,
relay. enabled on the DHCP server or run the undo stp enable
relay, address allocation may command to disable it.
be slow.
The DHCP client does not The DHCP client can obtain Run the gateway-list ip-
obtain the egress gateway an IP address through the address &<1-8> command
address. DHCP relay agent, but in the global address pool
cannot access the Internet or view of the DHCP server to
ping the DHCP server. The configure the egress
phenomenon indicates that gateway address for DHCP
the DHCP relay agent and clients.
DHCP server work properly.
The possible cause is that
the DHCP client does not
obtain the egress gateway
address. Run the display ip
pool command to check
whether the egress gateway
address for DHCP clients is
configured in the address
pool. If the Gateway-0 field
in the command output
displays -, the egress
gateway address for DHCP
clients is not configured in
the address pool.
3.16 FAQ
This section provides answers to frequently asked questions (FAQs) about the use of DHCP.
3.16.1 How Can I Ensure that a DHCP Client Selects the Correct
DHCP Server?
A DHCP client sends a DHCP Discover message in broadcast mode. When there are multiple
DHCP servers including bogus DHCP servers on a network segment, the DHCP client accepts
only the first received DHCP Offer message and therefore may obtain an unexpected IP
address from a bogus DHCP server. To ensure that a client obtains an IP address from the
correct DHCP server, configure DHCP snooping on the client.
For detailed configuration of DHCP snooping, see DHCP Snooping Configuration in Huawei
AR Series IOT Gateway Configuration Guide - Security.
3.16.3 When Both the DHCP Server and Relay Functions Are
Enabled on an Interface, Which Function Is Processed
Preferentially?
When both the DHCP server function and the DHCP relay function are enabled on an
interface, the DHCP server function is processed preferentially. The local DHCP server that is
on the same network segment as the interface's IP address is used preferentially to allocate IP
addresses. If the local DHCP server cannot allocate IP addresses, a remote DHCP server
allocates IP addresses through the DHCP relay agent.
4 DNS Configuration
This chapter describes the principles, basic functions and configuration procedures of DNS,
and provides configuration examples.
Definition
Domain Name System (DNS) is a distributed database used in TCP and IP applications and
completes resolution between IP addresses and domain names.
Purpose
Each host on the network is identified by an IP address. To access a host, a user must obtain
the host IP address first. It is difficult for users to remember IP addresses of hosts. Therefore,
host names in the format of strings are designed. Each host name maps an IP address. In this
way, users can use the simple and meaningful domain names instead of the complicated IP
addresses to access hosts.
4.2 Principles
This section describes the implementation of DNS.
Domain name resolution is classified into dynamic resolution and static resolution that
complement each other. During domain name resolution, static resolution is preferentially
used. If static resolution fails, dynamic resolution is used. Dynamic DNS resolution takes a
period of time, and the cooperation of the DNS server is required. To improve the domain
name resolution efficiency, you are advised to add commonly used domain names to a static
domain name resolution table.
Static DNS
A static domain name resolution table is manually set up, describing the mappings between
domain names and IP addresses. Some common domain names are added to the table. To
obtain the IP address by resolving a domain name, domain names are resolved based on the
static domain name resolution table. In this manner, the efficiency of domain name resolution
is improved.
Dynamic DNS
User programs, such as ping and tracert, access the DNS server using the resolver of the DNS
client.
Figure 4-1 shows the relationship between user programs, the resolver, the DNS server, and
the cache on the resolver.
Request Request
User Resolver
program
Response Response
Save Read DNS
Server
The DNS client, consisting of the resolver and the cache, is used to accept and respond to the
DNS queries from user programs. Generally, user programs(ping,Tracert), the cache, and the
resolver are on the same host; whereas the DNS server is on another host.
system adds a suffix to the domain name for resolution. For example, a user has set the
domain name suffix com in the suffix list. To visit huawei.com, the user only needs to enter
huawei. The system adds the suffix com to the domain name.
When the domain name suffix list is used, the resolution modes vary according to domain
names entered by users.
l If a user enters a domain name without a dot (.), for example, huawei, the system
identifies it as a host name and adds a suffix to the domain name for resolution. If the
resolution fails, the system resolves the entered domain name.
l If a user enters a domain name with a dot (.), for example, www.huawei or
huawei.com., the system resolves the domain name. If the resolution fails, the system
adds a suffix to the domain name for resolution.
Query Type
Class-A query is a common type of query, which is used to obtain the IP address
corresponding to a specified domain name. For example, when you ping or tracert a domain
name, the ping or tracert, as a user program, sends a query to the DNS client for the IP
address corresponding to the domain name. If the corresponding IP address does not exist on
the DNS client, the DNS client sends a Class-A query to the DNS server to obtain the
corresponding IP address.
DNS DNS
Proxy Server
Internet
DNS Server
Host A
Dialer Interface
DNS Client
ISP
DNS Proxy
DNS Spoofing
Host B
HTTP Server
DNS Client
As shown in Figure 4-3, the device functions as the DNS proxy and connects to the network
using the dial-up interface. The dial-up interface is triggered to set up a connection only when
data packets are forwarded by the dial-up interface. When the device functions as the DNS
proxy, hosts A and B consider the device as the DNS server. When the dial-up connection is
set up, the device obtains the DNS server IP address using DHCP.
When receiving a DNS query message from a DNS client, the device not enabled with DNS
spoofing sends a DNS query message to the DNS server when no matching entry is found. If
the dial-up connection is not set up, the device cannot obtain the DNS server IP address. The
device does not send a DNS query message to the DNS server or respond to the request from
the DNS client. The domain name resolution fails. No data packet traffic triggers the dial-up
interface to set up a connection.
DNS spoofing enables the device to send a spoofing IP address to the DNS client that sends a
DNS query message regardless of whether the DNS server IP address is configured or the
route to the DNS server exists on the device. Data packets sent by the DNS client triggers the
dial-up interface to set up a connection.
As shown in Figure 4-3, a DNS client wants to access the HTTP server. The process is
described as follows:
1. A DNS client sends a DNS query message to the DNS proxy for resolving the HTTP
server domain name to an IP address.
2. After receiving the DNS query message, the DNS proxy cannot send the correct IP
address to the DNS client because no matching entry is found locally, no dial-up
connection is set up, and the DNS server IP address is not obtained. The DNS proxy
sends the spoofing IP address as the resolution result to the DNS client. The aging time
of a DNS resolution response message is 0. A reachable route between the DNS client
and the IP address in the response message must exist. The outbound interface of the
route is the dial-up interface.
3. After receiving the response message, the host sends an HTTP request to the IP address
in the response message.
4. The DNS proxy forwards the HTTP request using the dial-up interface. The traffic
triggers the dial-up interface to set up a connection with the DNS server. Then the DNS
proxy obtains the DNS server IP address using DHCP.
5. After the DNS resolution response message is aged, the DNS client sends a DNS query
message again.
6. The DNS proxy sends the correct IP address to the DNS client.
7. After obtaining the correct HTTP server IP address, the DNS client can access the HTTP
server.
DDNS Overview
DNS resolves domain names into IP addresses so that you can access network nodes using
domain names. DNS provides static mappings between domain names and IP addresses.
When IP addresses of nodes change, DNS server cannot dynamically update mappings. If a
user uses the original domain name to access the node, the user will fail to access the node
because the IP address mapping the domain name is incorrect. The Dynamic Domain Name
System (DDNS) updates mappings between domain names and the IP addresses on the DNS
server to ensure that the IP address can be resolved correctly.
Figure 4-4 Typical DDNS networking for the update mode implemented through the
DDNS server
DNS Server
HTTP Server
DDNS Client 2
Internet
HTTP Client
1
DDNS Server
– DDNS client: When an IP address changes, the DNS server needs to update the
mapping between the domain name and IP address. Internet users use domain
names to access servers that provide application-layer services, such as HTTP and
FTP servers. When the IP address of a server changes, the server functions as a
DDNS client and sends a request for updating the mapping between the domain
name and the IP address to the DDNS server.
– DDNS server: After receiving the DDNS update request, the DDNS server instructs
the DNS server to dynamically update the mapping between the domain name and
the IP address on the DNS server to ensure that the IP address can be resolved
correctly and Internet users can access the DDNS client using the domain name.
No unified standard is defined for the DDNS update process. DDNS update processes
are different on different DDNS servers. DDNS servers provided at www.3322.org,
www.oray.cn, and www.dyndns.com.
4.3 Applications
This section describes the applicable scenario of DNS.
RouterA
DNS Client
DNS Server
RouterB
DNS Client
As shown in Figure 4-5, the device functions as a DNS client and can dynamically obtain the
corresponding IP address of a domain name from a DNS server. This facilitates user
communication.
DNS DNS
Proxy Server
Internet
After being configured with DNS proxy, the device can forward DNS request and reply
packets between the internal DNS clients and external DNS server. When the DNS server
address changes, you only need to configure the DNS proxy, not the DNS clients. This
facilitates centralized network management.
License Support
DNS is a basic feature of the device and is not under license control.
Pre-configuration Tasks
Before configuring a DNS client, complete the following tasks:
l Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up
l Configuring a route between the industrial switch router and the DNS server
Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IP addresses. Some common domain names are added to the table. Static
domain name resolution can be performed based on the static domain name resolution table.
To obtain the IP address by resolving a domain name, the client searches the static domain
name resolution table for the specified domain name. In this manner, the efficiency of domain
name resolution is improved.
Procedure
Step 1 Run:
system-view
----End
Follow-up Procedure
Each host name can be mapped to only one IP address. When multiple IP addresses are
mapped to a host name, only the latest configuration takes effect. If multiple host names need
to be resolved, repeat step 2.
You can configure a maximum of 50 static DNS entries.
Procedure
Step 1 Run:
system-view
The source IP address is configured for the local device to receive DNS packets.
By default, no source IP address is configured for the local device to receive DNS packets.
Step 5 (Optional) Run:
----End
Context
After a DNS server is associated with NQA, the device sends a query packet only to the DNS
server in Up state during dynamic domain name resolution. This improves the domain name
resolution efficiency.
Procedure
Step 1 Configure and start NQA test instances. A DNS server can be associated with NQA test
instances of the DNS and ICMP types. According to the test mechanism, NQA test instances
of the DNS type are used to test whether the DNS server function is normal; those of the
ICMP type are used to test whether routes to the DNS server are reachable. You can select one
NQA test instance type based on the site requirements.
l Configuring and starting an NQA test instance of the DNS type
a. Run:
system-view
An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type dns
NOTE
Ensure that the configured DNS server address is the same as that specified in the dns
server ip-address track nqa admin-name test-name command. If the addresses are different,
the NQA check result will not match the associated DNS server.
e. Run:
destination-address url urlstring
The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
g. Run:
start
An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type icmp
e. Run:
frequency interval
The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start
l To persistently detect the DNS server status, you need to perform periodical test for NQA test
instances. Therefore, run the frequency interval command to set the automatic test interval for NQA
test instances.
l This section only mentions basic configuration parameters of the DNS and ICMP NQA test
instances. For details on how to configure other parameters, see Configuring DNS Test and
Configuring ICMP Test in the Huawei AR Series IOT Gateway Configuration Guide-Network
Management and Monitoring-Configuring the NQA.
Step 2 Run:
dns resolve
An IP address for the DNS server is configured and the DNS server is associated with NQA.
During dynamic domain name resolution, the device sends a query request only to the DNS
server in Up state.
By default, no DNS server IP address is configured.
NOTE
You can run the display dns server command to check the DNS server status. When the DNS server is not
associated with NQA, the server is in Up state. After the DNS server is associated with NQA, the server
status depends on the NQA check result. When the NQA test instance type is not DNS and ICMP, the
association between the DNS server and NQA does not take effect and the DNS server is in Up state.
----End
Pre-configuration Tasks
Before configuring DNS proxy or relay, complete the following tasks:
l Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up
l Configuring the DNS server
l Configuring routes between the device and the DNS server and between the device and
the DNS client
Procedure
Step 1 Run:
system-view
The DNS server that the DNS Proxy or Relay connects to is configured.
By default, no IP address is configured for the DNS server.
c. (Optional) Configure the DNS resolution policy function.
To control access traffic, the administrator requires that users can access only some
websites on which they can browse only texts or pictures. For example, in Wi-Fi
connection scenarios such as in metro or on bus, passengers can access only
specified websites. If they attempt to access other websites, their access requests are
rejected or redirected to the specified websites. To meet these requirements,
perform the following steps:
i. Run:
dns resolve policy a
The DNS resolution policy function for class-A query requests is enabled and
the DNS resolution policy view is displayed.
By default, the DNS resolution policy function for class-A query requests is
disabled.
ii. Run:
rule rule-id [ if-match name hostname ] { deny | permit | spoofing
ip-address }
The source IP address that the device uses to exchange packets with the DNS server
is configured.
By default, no source IP address is configured for the device.
e. (Optional) Run:
dns-server-select-algorithm { fixed | auto }
An algorithm used by the DNS Proxy or Relay to access the destination DNS server
is configured.
By default, the auto algorithm is used.
f. (Optional) Run:
dns forward retry-number number
The number of times for the DNS Proxy or Relay to retransmit query requests to the
destination DNS server is set.
By default, the number of times for the DNS Proxy or Relay to retransmit query
requests to the destination DNS server is 2.
g. (Optional) Run:
dns forward retry-timeout time
The retransmission timeout period that the DNS proxy or DNS relay agent sends
Query packets to the destination DNS server is set.
By default, the retransmission timeout period is 3 seconds.
----End
Context
If the device is enabled with DNS proxy or relay but is not configured with a DNS server
address or has no route to the DNS server, the device does not forward or respond to DNS
query messages from DNS clients. After DNS Spoofing is enabled, the device uses the
configured IP address to respond to all DNS query messages.
In addition to enabling DNS proxy or relay, one of the following requirements must be met to
make DNS Spoofing take effect:
l No DNS server is configured.
l A DNS server is configured, but dynamic DNS resolution is disabled.
l No route is reachable to the DNS server.
l No source IP address is available for the outbound interface connected to the DNS
server.
If one of the preceding requirements is met, when receiving an address record query, the DNS
proxy or relay return Spoofing reply messages using the configured IP address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dns spoofing ip-address
----End
Context
After a DNS server is associated with NQA, the device sends a query packet only to the DNS
server in Up state during dynamic domain name resolution. This improves the domain name
resolution efficiency.
Procedure
Step 1 Configure and start NQA test instances. A DNS server can be associated with NQA test
instances of the DNS and ICMP types. According to the test mechanism, NQA test instances
of the DNS type are used to test whether the DNS server function is normal; those of the
ICMP type are used to test whether routes to the DNS server are reachable. You can select one
NQA test instance type based on the site requirements.
l Configuring and starting an NQA test instance of the DNS type
a. Run:
system-view
An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type dns
f. Run:
frequency interval
The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
g. Run:
start
An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type icmp
The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start
l To persistently detect the DNS server status, you need to perform periodical test for NQA test
instances. Therefore, run the frequency interval command to set the automatic test interval for NQA
test instances.
l This section only mentions basic configuration parameters of the DNS and ICMP NQA test
instances. For details on how to configure other parameters, see Configuring DNS Test and
Configuring ICMP Test in the Huawei AR Series IOT Gateway Configuration Guide-Network
Management and Monitoring-Configuring the NQA.
Step 2 Run:
dns resolve
Step 3 Run:
dns server ip-address track nqa admin-name test-name
An IP address for the DNS server is configured and the DNS server is associated with NQA.
During dynamic domain name resolution, the device sends a query request only to the DNS
server in Up state.
NOTE
You can run the display dns server command to check the DNS server status. When the DNS server is not
associated with NQA, the server is in Up state. After the DNS server is associated with NQA, the server
status depends on the NQA check result. When the NQA test instance type is not DNS and ICMP, the
association between the DNS server and NQA does not take effect and the DNS server is in Up state.
----End
Procedure
l Run the display dns configuration command to display the global DNS configurations.
l Run the display ip host command to check static DNS entries.
l Run the display dns server [ verbose ] command to check the DNS server
configuration.
----End
Pre-configuration Tasks
Before configuring a DDNS client, complete the following tasks:
l (Optional) Registering on the DDNS server website
NOTE
The device functioning as the DDNS client supports the following update modes:
l DDNS update mode (defined by the RFC2136): The DDNS client dynamically updates the mapping
between domain names and IP addresses on the DNS server.
l Update mode implemented through the DDNS server: The DDNS client sends the mapping between
domain names and IP addresses to the DDNS server with a specified URL. The DDNS server then
informs the DNS server to dynamically update the mapping between domain names and IP
addresses.
When using the update mode implemented through the DDNS server, the DDNS client must register on
the DDNS server website. Currently, the device can be connected to the following DDNS servers:
DDNS servers provided at www.3322.org, www.dyndns.com, and www.oray.cn, Siemens DDNS server,
and HTTP-based common DDNS server.
Authentication steps are implemented in the update process through DDNS servers. All DDNS servers
except Siemens DDNS servers do not encrypt user passwords during the authentication. To improve
security, you are advised to configure IPSec when using these DDNS servers to implement update. For
details, see IPSec Configuration in the Huawei AR Series IOT Gateway Configuration Guide - VPN.
l Configuring a route between the device and the DDNS server or DNS Server
NOTE
Context
You can specify the DDNS or DNS server to which update requests are sent when configuring
the DDNS policy.
When the device functioning as a DDNS client needs to update the mapping between domain
names and IP addresses on the DNS server, the following update modes are supported:
l DDNS update mode (defined by the RFC2136): The DDNS client dynamically updates
the mapping between domain names and IP addresses on the DNS server. To configure
this mode, run the method ddns [ both ] command.
l Update mode implemented through the DDNS server: The DDNS client sends the
mapping between domain names and IP addresses to the DDNS server with a specified
URL. The DDNS server then informs the DNS server to dynamically update the
mapping between domain names and IP addresses.
– To use the Siemens DDNS server or DDNS servers provided at www.3322.org,
www.dyndns.com, or www.oray.cn, run the method vendor-specific command.
– To use an HTTP-based common DDNS server, run the method http command.
Procedure
Step 1 Run:
system-view
The update mode is configured for the device functioning as the DDNS client.
By default, the update mode is vendor-specific for the device functioning as the DDNS client.
l Configuring the update mode to ddns (DDNS update mode defined by the RFC2136)
a. Run:
name-server name-server
The DNS server for receiving update messages from the DDNS client is configured.
By default, no DNS server for receiving DDNS update messages is configured.
b. (Optional) Run:
interval interval-time
To ensure password security, you are advised to run the username username password password
command to configure a user name and password. The password information in the configuration
file is displayed in cipher text.
After a DDNS policy is created, enter the URL and specify a DDNS server in the
URL. The processes for the device to request DDNS updates from different DDNS
servers are different; therefore, the URL configurations of DDNS servers are
different.
n If username username password password is not specified, the URL contains
the user name and password, and their configurations are displayed in plain
text.
○ When the device uses HTTP to communicate with the DDNS server
provided at www.3322.org, the URL in a DDNS update request is:
http://username:password@members.3322.org/dyndns/update?
system=dyndns&hostname=<h>&myip=<a>
○ When the device uses HTTP to communicate with the DDNS server
provided at www.dyndns.com, the URL in a DDNS update request is:
http://username:password@update.dyndns.com/nic/update?
hostname=<h>&myip=<a>
○ When the device uses TCP to communicate with the DDNS server
provided at www.oray.cn, the URL in a DDNS update request is:
oray://username:password@phddnsdev.oray.net
○ When the device uses HTTPS to communicate with the Siemens DDNS
server, the URL in a DDNS update request is user-defined, for example,
https://x.x.x.x/nic/update?
group=med&user=huawei_test&password=12345&myip=192.168.19.2
NOTE
During the configuration, replace x.x.x.x with the DDNS server IP address of
Siemens.
○ When the device uses HTTP to communicate with a common DDNS
server, the URL in a DDNS update request is:
http://username:password@merri.s.dnaip.fi/reg/h=<h>&a=<a>
NOTE
In the preceding URLs, username and password indicate the user name and password
for logging in to the DDNS server. Set these parameters based on the registry
information. For example, in http://huawei1:huawei2@merri.s.dnaip.fi/reg/
h=<h>&a=<a>, huawei1 and huawei2 indicate the user name and password for
logging in to the DDNS server.
n If username username password password is specified, the URL only
contains the fixed format <username>:<password>, not the user name and
password. The user name and password are specified by username and
password, and the password configuration is displayed in cipher text.
○ When the device uses HTTP to communicate with the DDNS server
provided at www.3322.org, the URL in a DDNS update request is:
http://<username>:<password>@members.3322.org/dyndns/update?
system=dyndns&hostname=<h>&myip=<a>
○ When the device uses HTTP to communicate with the DDNS server
provided at www.dyndns.com, the URL in a DDNS update request is:
http://<username>:<password>@update.dyndns.com/nic/update?
hostname=<h>&myip=<a>
○ When the device uses TCP to communicate with the DDNS server
provided at www.oray.cn, the URL in a DDNS update request is:
oray://<username>:<password>@phddnsdev.oray.net
○ When the device uses HTTPS to communicate with the Siemens DDNS
server, the URL in a DDNS update request is user-defined, for example,
https://x.x.x.x/nic/update?
group=med&user=<username>&password=<password>&myip=192.168.
19.2
NOTE
During the configuration, replace x.x.x.x with the DDNS server IP address of
Siemens.
○ When the device uses HTTP to communicate with a common DDNS
server, the URL in a DDNS update request is:
http://<username>:<password>@merri.s.dnaip.fi/reg/h=<h>&a=<a>
NOTE
When the device functions as the DDNS client and communicates with the Siemens DDNS
server, the device needs to encrypt packets using SSL. An SSL policy needs to be bound to
the Siemens DDNS policy. To configure an SSL policy, see "SSL Configuration" in the
Huawei AR Series IOT Gateway Configuration Guide - Security.
c. (Optional) Run:
interval interval-time
----End
Context
You can bind a DDNS policy to an interface to update the mapping between the domain name
and an IP address and to start DDNS update.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ddns apply policy policy-name [ fqdn domain-name ]
On the AR510, a maximum of five DDNS policies can be applied to an interface; on other
models, a maximum of six DDNS policies can be applied to an interface.
NOTE
l When the DDNS server is www.3322.org , www.dyndns.com or an HTTP-based common DDNS server,
you must configure the fully qualified domain name ( FQDN ), that is, the fqdn parameter is mandatory.
l The fqdn parameter is mandatory when the DDNS update mode defined by the RFC2136 is configured
using the method ddns [ both ] command.
----End
Procedure
l Run the display ddns policy [ policy-name ] command to view DDNS policy
information.
l Run the display ddns interface interface-type interface-number command to view
DDNS policy information on an interface.
----End
Context
Dynamic DNS entries cannot be restored after being deleted. Exercise caution when you run
the command.
Procedure
l Run the reset dns dynamic-host command to delete dynamic DNS entries.
----End
DNS entries of the DNS proxy or relay cannot be restored after being deleted. Exercise
caution when you run the command.
Procedure
l Run the reset dns forward table [ source-ip ip-address ] command to delete DNS
entries of the DNS proxy or relay.
----End
Context
Statistics on sent and received DNS packets cannot be restored after being cleared. Exercise
caution when you run the command.
Procedure
l Run the reset dns statistics command to clear statistics on sent and received DNS
packets.
----End
Procedure
l Run:
reset ddns policy policy-name [ interface interface-type interface-num ]
Mappings between all the IP addresses and host names in the DDNS policy are updated.
----End
Procedure
l Run the display dns forward table [ source-ip ip-address ] command to check the DNS
forwarding table.
l Run the display dns dynamic-host [ ip | naptr | srv ] [ domain-name ] command to
display dynamic DNS entries.
----End
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DNS Proxy on the AC to implement domain name resolution for clients.
NOTE
After DNS Proxy is enabled, the RouterA can be regarded as the DNS server of HostA. You need to
configure the RouterA's IP address as the IP address of the DNS server on HostA, and configure the IP
address (10.2.1.1) of the DNS server on the Internet network on the RouterA. In this way, when the
DNS server address changes, you only need to modify the configurations on the RouterA, which is not
detected by the users.
Procedure
Step 1 Configure an IP address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] quit
Step 3 Configure the default route from the DNS proxy to the DNS server.
Assume that the IP address of the next hop from the DNS proxy to the DNS server is
10.1.1.2/16.
[RouterA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
[RouterA] quit
# Run the ping huawei.com command on LAN HostA. You can see that the ping operation
succeeds
C:\Documents and Settings\HostA>ping huawei.com
PING huawei.com [10.2.1.3] with 32 bytes of data:
Reply from 10.2.1.3: bytes=32 time=16ms TTL=255
Reply from 10.2.1.3: bytes=32 time<1ms TTL=255
Reply from 10.2.1.3: bytes=32 time<1ms TTL=255
Reply from 10.2.1.3: bytes=32 time<1ms TTL=255
----End
Configuration File
Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.1.1.1 255.255.0.0
#
dns resolve
dns server 10.2.1.1
dns proxy enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
return
Networking Requirements
As shown in Figure 4-8, the router can function as the web server to provide web services for
network users, and the users access the web server by sending DNS requests. The domain
name www.abc.com of the web server corresponds to the interface IP address on the server.
The interface IP address may change. If the mapping between the domain name and IP
address of the web server is not updated on the DNS server in real time, a user access error
may occur. The user requires that the mapping between the domain name and IP address of
the web server should be updated on the DNS server in real time when the DDNS server is
not leased. The routes between the router and DNS server are reachable.
DNS Server
10.3.1.2
GE1/0/0
Internet
Router
DDNS Client
Configuration Roadmap
Configure the DDNS client whose update mode is ddns on the router so that the mapping
between the domain name and IP address of the web server is dynamically updated on the
DNS server when the interface IP address on the router changes.
Procedure
Step 1 Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname Router
[Router] ddns policy mypolicy
[Router-ddns-policy-mypolicy] method ddns both
[Router-ddns-policy-mypolicy] name-server 10.3.1.2
[Router-ddns-policy-mypolicy] interval 3600
[Router-ddns-policy-mypolicy] quit
NOTE
When the IP address of GE1/0/0 changes, the router informs the DNS server to update the mapping between
the domain name www.abc.com and new IP address. Internet users then can parse the domain name to obtain
the latest IP address.
# Run the display ddns policy mypolicy command on the router to check the DDNS policy
named mypolicy.
<Router> display ddns policy mypolicy
Policy name : mypolicy
Policy interval time : 3600
Update method : ddns both
Name-server : 10.3.1.2
Policy bind count : 1
Interface : GigabitEthernet1/0/0
# Run the display ddns interface gigabitethernet 1/0/0 command on the router to check the
DDNS policy on GE1/0/0.
<Router> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
Update method : ddns
Name-server : 10.3.1.2
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
ddns policy mypolicy
method ddns both
name-server 10.3.1.2
#
interface GigabitEthernet1/0/0
undo portswitch
ddns apply policy mypolicy fqdn www.abc.com
#
return
DNS Server
Router
GE1/0/0
DDNS Client
DDNS Server
Configuration Roadmap
Create and bind a DDNS policy on Router. When the interface IP address on Router changes,
Router can send a request for dynamically updating DNS entries.
NOTE
Authentication steps are implemented in the update process through DDNS servers. All DDNS servers except
Siemens DDNS servers do not encrypt user passwords during the authentication. To improve security, you are
advised to configure IPSec when using these DDNS servers to implement update. For details, see IPSec
Configuration in the Huawei AR Series IOT Gateway Configuration Guide - VPN.
Procedure
Step 1 Configure Router.
NOTE
By default, the update mode of the DDNS client is vendor-specific. If the default update mode is not
modified by running the method command, do not run the method vendor-specific command.
NOTE
If the IP address of GE1/0/0 changes, Router notifies the DDNS server of the change, and then the DDNS
server instructs the DNS server to reconfigure the mapping between the domain name www.abc.com and the
IP address to ensure that the IP address can be resolved correctly.
# Run the display ddns policy mypolicy command on Router, and information about the
DDNS policy named mypolicy is displayed.
<Router> display ddns policy mypolicy
Policy name : mypolicy
Policy interval time : 3600
Policy URL : oray://<username>:<password>@phddnsdev.oray.net username
steven password %^%#SjZ)YyY0"8eB@"LQK<C19m5])(oyX>*&n+#lBBHT%^%#
Policy bind count : 1
# Run the display ddns interface gigabitethernet 1/0/0 command on Router, and
information about the DDNS policy on GE1/0/0 is displayed.
<Router> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
URL: oray://<username>:<password>@phddnsdev.oray.net
Status: ESTABLISH
Refresh: enable
----End
Configuration File
Configuration file of Router
#
sysname Router
#
dns resolve
dns server 10.3.1.2
#
ddns policy mypolicy
url oray://<username>:<password>@phddnsdev.oray.net username steven password %^
%#SjZ)YyY0"8eB@"LQK<C19m5])(oyX>*&n+#lBBHT%^%#
#
interface GigabitEthernet1/0/0
undo portswitch
ddns apply policy mypolicy
#
return
Figure 4-10 Configuring the DDNS client to communicate with the Siemens DDNS server
DNS Server
Router
GE1/0/0
DDNS Client
DDNS Server
Configuration Roadmap
Create and bind a DDNS policy on Router. When the interface IP address on Router changes,
Router can send a request for dynamically updating DNS entries.
Procedure
Step 1 Configure Router.
# Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname Router
[Router] ddns policy mypolicy
[Router-ddns-policy-mypolicy] method vendor-specific
[Router-ddns-policy-mypolicy] url "https://10.2.1.3/nic/update?
group=med&user=<username>&password=<password>&myip=<a>" username huawei_test
password 12345
[Router-ddns-policy-mypolicy] quit
NOTE
l During the configuration, replace 10.2.1.3 with the DDNS server IP address of Siemens.
l By default, the update mode of the DDNS client is vendor-specific. If the default update mode is not
modified by running the method command, do not run the method vendor-specific command.
# Configure a client SSL policy siemens. Assume that the SSL policy uses the default
protocol version and cipher suite.
[Router] pki entity siemens
[Router-pki-entity-siemens] common-name hello
[Router-pki-entity-siemens] country cn
[Router-pki-entity-siemens] state jiangsu
[Router-pki-entity-siemens] organization huawei
[Router-pki-entity-siemens] organization-unit info
[Router-pki-entity-siemens] quit
[Router] pki realm siemens
[Router-pki-realm-siemens] entity siemens
[Router-pki-realm-siemens] ca id ca_root
[Router-pki-realm-siemens] enrollment-url http://10.137.145.158:8080/certsrv/
mscep/mscep.dll ra
[Router-pki-realm-siemens] fingerprint sha1
7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-siemens] auto-enroll regenerate
[Router-pki-realm-siemens] quit
[Router] ssl policy siemens type client
[Router-ssl-policy-siemens] server-verify enable
[Router-ssl-policy-siemens] pki-realm siemens
[Router-ssl-policy-siemens] quit
NOTE
When the IP address of GE1/0/0 changes, Router notifies the DNS server to establish the mapping between
the domain name www.abc.com and the new IP address through the DDNS server so that users on the Internet
can resolve the latest IP address mapping www.abc.com.
# Run the display ddns interface gigabitethernet 1/0/0 command on Router. You can view
information about the DDNS policy on GigabitEthernet1/0/0.
<Router> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
URL: https://10.2.1.3/nic/update?
group=med&user=huawei_test&password=12345&myip=<a>
Status: ESTABLISH
Refresh: enable
----End
Configuration Files
Configuration file of Router
#
sysname Router
#
dns resolve
dns server 10.3.1.2
#
pki entity siemens
country CN
state jiangsu
organization huawei
organization-unit info
common-name hello
#
pki realm siemens
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity siemens
auto-enroll regenerate
fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy siemens type client
pki-realm siemens
server-verify enable
#
ddns policy mypolicy
interval 36000
url https://10.2.1.3/nic/update?
group=med&user=<username>&password=<password>&myip=<a> username huawei_test
password %^%#o:2u<@1H~VkNyxJdJ.B=I\(V@2D=}Ht`G'0]mlAL%^%#
ssl-policy siemens
#
interface GigabitEthernet1/0/0
undo portswitch
ddns apply policy mypolicy
#
return
Figure 4-11 Configuring association between the DNS Server and NQA
Remote DNS Server_2
IP:10.20.1.2
The mapping between the domain name
www.huawei123.com and IP address
10.46.1.1
GE0/0/2 IP:10.20.1.1
Router
DNS Proxy
GE0/0/1 IP:10.1.1.1
GE0/0/1
Switch GE0/0/2
Local DNS Server_1
GE0/0/3 IP:10.1.1.2
The mapping between the domain
name www.huawei.com and IP address
10.82.42.59
PC
DNS Client
IP:10.1.1.3
Configuration Roadmap
Associate DNS servers with NQA on Router, so that query requests are only sent to the DNS
servers whose dns function is normal.
Procedure
Step 1 Configure VLANs for interfaces on the switch (using a Huawei S series switch as an
example).
<Huawei> system-view
[Huawei] sysname Switch
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
NOTE
To persistently detect the DNS server status, you need to perform periodical test for NQA test instances.
Therefore, run the frequency interval command to set the automatic test interval for NQA test instances.
----End
Configuration Files
l Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
#
return
Fault Description
The industrial switch router functions as a DNS client that is configured with dynamic domain
name resolution but cannot resolve domain names to IP addresses correctly.
Procedure
Step 1 Run the display dns dynamic-host to command check whether the specified domain name
exists in the dynamic domain name cache.
l If not, check whether the DNS client communicates with the DNS server properly, the
DNS server runs properly, and dynamic domain name resolution is enabled.
----End
5 NAT Configuration
Network Address Translation (NAT) enables translation between private IP addresses and
public IP addresses, alleviates the IPv4 address shortage, and shields the topology of private
networks, therefore improving network security.
Purpose
The rapid development of the Internet brings an increasing number of network applications.
Exhaustion of IPv4 addresses has become a bottleneck for the network development. IPv6 can
solve the problem of IPv4 address shortage, but numerous network devices and applications
are based on IPv4. Major transitional technologies such as classless inter-domain routing
(CIDR) and private network addresses are used before the wide use of IPv6 addresses. NAT
enables users on private networks to access public networks. When a host on a private
network accesses a public network, NAT translates the host's private IP address to a public IP
address. Multiple hosts on a private network can share one public IP address. This implements
network communication while saving public IP addresses. For the classification of private IP
addresses, see 1.3.2 IPv4 Address.
Benefits
As a transitional plan, NAT enables address reuse to meet the demand for IP addresses,
therefore alleviating the IPv4 address shortage. In addition to solving the problem of IP
address shortage, NAT provides the following advantages:
l Protects private networks against external attacks, greatly improving network security.
l This function controls not only access to external networks from internal hosts, but also
access to the internal network from external users.
5.2 Principles
5.2.1 Overview
NAT translates the IP address in an IP datagram header to another IP address, allowing users
on private networks to access public networks. Basic NAT implements one-to-one translation
between one private IP address and one public IP address, whereas Network Address and Port
Translation (NAPT) implements one-to-many translation between one public IP address and
multiple private IP addresses.
Basic NAT
Basic NAT implements one-to-one IP address translation. In this mode, only the IP address is
translated, whereas the TCP/UDP port number remains unchanged. Basic NAT cannot
translate multiple private IP addresses to the same public IP address.
NAT table
Internal host sends a request
Way Before Router After Router
External host responds to the request Outbound 10.1.1.100 162.105.178.65
Inbound 162.105.178.65 10.1.1.100
Basic NAT cannot solve the problem of public IP address shortage because it cannot implement address
reuse. Therefore, basic NAT is seldom used in practice.
The number of public IP addresses owned by the NAT device is far less than the number of hosts on
private networks because not all the hosts on private networks access public networks at the same time.
The number of public IP addresses needs to be determined based on the number of hosts on private
networks that access public networks during peak hours.
NAPT
In addition to one-to-one address translation, NAPT allows multiple private IP addresses to be
mapped to the same public IP address. It is also called many-to-one address translation or
address reuse.
NAPT translates the IP address and port number of a packet so that multiple users on a private
network can use the same public IP address to access the public network.
Source address
1.1.1.1:16400 2.2.2.2/24
Host B Source address
10.1.1.200:1028
Destination address
1.1.1.1:16400
10.1.1.200/8 Destination address
10.1.1.200:1028
NAPT table
NAT address pool and Easy IP are implemented in similar ways. This section describes only
Easy IP. For the implementation of NAT address pool, see NAPT in 5.2.1 Overview.
Easy IP
Easy IP uses access control lists (ACLs) to control the private IP addresses that can be
translated.
Easy IP is applied to the scenario where hosts on small-scale LANs access the Internet. Small-
scale LANs are usually deployed at small and medium-sized cybercafes or small-sized offices
where only a few internal hosts are used and the outbound interface obtains a temporary
public IP address through dial-up. The temporary public IP address is used by the internal
hosts to access the Internet. Easy IP allows the hosts to access the Internet using this
temporary public address.
Source address
Host A 10.1.1.100:1540
Source address
162.10.2.8:5480
the forward Easy IP entry, and sends the packet to the server on the public network. After
the translation, the packet's source IP address is 1.1.1.1, and its port number is 5480.
3. After receiving a response packet from the server on the public network, the Router
queries the reverse Easy IP entry based on the packet's destination IP address and port
number. The Router translates the packet's destination IP address and port number to the
private IP address and port number of the host on the private network based on the
reverse Easy IP entry, and sends the packet to the host. After the translation, the packet's
destination IP address is 10.1.1.100, and its port number is 1540.
NAT Server
NAT can shield hosts on private networks from public network users. When a private network
needs to provide services such as WWW and FTP services for public network users, servers
on the private network must be accessible to public network users at any time.
The NAT server can address the preceding problem by translating the public IP address and
port number to the private IP address and port number based on the preset mapping.
NAT Server:
Global: 1.1.1.1:80 External host
Local: 192.168.1.68:80 2.2.2.2
Internal server
192.168.1.68 Destination address Router Destination address
192.168.1.68:80 1.1.1.1:80
Internet
NAT table
External host sends a request Way Before Router After Router
As shown in Figure 5-4, the address translation process of the NAT server is as follows:
1. Address translation entries of the NAT server are configured on the Router.
2. The Router receives an access request sent from a host on the public network. The
Router queries the address translation entry based on the packet's destination IP address
and port number. The Router translates the packet's destination IP address and port
number to the private IP address and port number based on the address translation entry,
and sends the packet to the server on the private network. The destination IP address of
the packet sent by the host on the public network is 1.1.1.1, and its port number is 80.
After the translation by the Router, the destination IP address of the packet is
192.168.1.68, and its port number remains unchanged.
3. After receiving a response packet sent from the server on the private network, the Router
queries the address translation entry based on the packet's source IP address and port
number. The Router translates the packet's source IP address and port number to the
public IP address and port number based on the address translation entry, and sends the
packet to the host on the public network. The source of the response packet sent from the
host on the private network is 192.168.1.68, and its port number is 80. After translation
by the Router, the source IP address of the packet is 1.1.1.1, and its port number remains
unchanged.
Static NAT/NAPT
Static NAT indicates that a private IP address is statically bound to a public IP address when
NAT is performed. Only this private IP address can be translated to this public IP address.
Static NAPT indicates that the combination of a private IP address, protocol number, and port
number is statically bound to the combination of a public IP address, protocol number, and
port number. Multiple private IP addresses can be translated to the same public IP address.
Static NAT/NAPT can also translate host IP addresses in the specified private address range to
host IP addresses in the specified public address range. When an internal host accesses the
external network, static NAT or NAPT translates the IP address of the internal host to a public
address if the IP address of the internal host is in the specified address range. An external host
can directly access an internal host if the private IP address translated from the IP address of
the external host is in the specified internal address range.
211.100.7.34/24
Host www.test.com=162.10.2.5
DNS response=162.10.2.5
DNS Mapping:
162.10.2.5->10.1.1.200
DNS response=10.1.1.200
As shown in Figure 5-5, the host on the private network needs to access the web server using
the domain name, and the Router functions as a NAT server. After receiving a DNS response
packet, the Router searches the DNS mapping table for the information about the web server
based on the domain name carried in the response packet. Then, the Router replaces the public
IP address carried in the DNS response packet with the private IP address of the web server.
In this manner, the DNS response packet received by the host carries the private IP address of
the web server. Then, the host can access the web server using the domain name.
Figure 5-6 Networking diagram for source NAT associated with VPNs
Server
External
外部网络
network
Router Host A
Host B
IP address:10.1.1.1 IP address:10.1.1.1
Private IP
VPN 2 addresses of VPN VPN 1
1 and VPN 2 are
overlapped.
Figure 5-7 Networking diagram for NAT server associated with VPNs
External
外部网络
network
Router
Server B Server A
IP address: 10.1.1.1 IP address: 10.1.1.1
Private IP
VPN 2 addresses of VPN VPN 1
1 and VPN 2 are
overlapped.
As shown in Figure 5-7, the IP addresses of server A in VPN 1 and server B in VPN 2 are
10.1.1.1. The public address of server A is 202.1.10.1 and that of server B is 202.1.20.1.
Hosts on the public network can access server A using 202.1.10.1 and access server B using
202.1.20.1.
The NAT server associated with VPNs is implemented as follows:
1. A host on the public network sends a packet with the destination IP address as
202.1.10.1 to server A in VPN 1 and sends a packet with the destination IP address as
202.1.20.1 to server B in VPN 2.
2. The router functions as the NAT server. Based on the packets' destination IP addresses
and VPN information:
– The router translates the destination address 202.1.10.1 to 10.1.1.1 and sends the
packet to server A in VPN 1.
– The router translates the destination address 202.1.20.1 to 10.1.1.1 and sends the
packet to server B in VPN 2.
In addition, the router records the VPN information in the NAT translation table.
3. When the response packets sent from server A and server B to the host on the public
network pass through the router:
– The NAT module translates the source IP address 10.1.1.1 of the packet sent from
server A to 202.1.10.1 based on the NAT translation table, and sends the packet to
the host on the public network.
– The NAT module translates the source IP address 10.1.1.1 of the packet sent from
server B to 202.1.20.1 based on the NAT translation table, and sends the packet to
the host on the public network.
Twice NAT refers to translation of both the source and destination IP addresses of a data
packet. It is applied to the situation where a private IP address is the same as a public IP
address.
DNS server
Figure 5-9 Networking diagram for twice NAT when multiple VPNs are deployed on a
private network
Host C
Host B 1.1.1.1
1.1.1.1 Address group:
3.3.3.1 www.example.com
4.4.4.1
VPN B
Host A External
1.1.1.1 network
Router
VPN A
DNS server
A private network may consist of multiple VPNs and hosts in the VPNs may have the same IP
address. When configuring DNS ALG on a router, you need to add the VPN information that
is used as the condition for mapping identical IP addresses of the hosts in the VPNs to IP
addresses in the temporary address pool. Figure 5-9 shows the networking for twice NAT
when multiple VPNs are deployed on a private network. When multiple VPNs are deployed
on a private network, the twice NAT process remains unchanged. The source IP address of
host A in VPN A is translated to the temporary address 3.3.3.1, and the source IP address of
host B in VPN B is translated to the temporary address 4.4.4.1.
NAT Filtering
A NAT device filters the traffic from external network to internal network. NAT filtering
includes the following modes:
l Endpoint-independent filtering
l Endpoint-dependent filtering
l Endpoint and port-dependent filtering
Figure 5-10 shows the NAT filtering applications.
Internet
PC 1
Data packet 2'
Data packet 2
Source IP:2.2.2.2
Source IP:2.2.2.2
Source port:4444
Source port:4444 PC 3: 2.2.2.2
Destination IP:3.3.3.3
Destination IP:10.1.1.1
Destination port:1111
Destination port:1111
As shown in the preceding figure, PC-1 on the private network communicates with PC-2 and
PC-3 on the public network using a NAT device. Datagram 1 is sent from PC-1 to PC-2. The
source port number of the datagram is 1111 and the destination port number is 2222. The NAT
device translates the source IP address to 3.3.3.3.
After PC-1 sends an access request to a PC on the public network, the PC on the public
network transmits traffic to PC-1, and the NAT device filters the traffic destined for PC-1.
Datagram 2', datagram 3', and datagram 4' are sent in three scenarios corresponding to the
preceding three NAT filtering modes.
l Datagram 2' is sent from PC-3 to PC-1. The destination address of datagram 2 is
different from that of datagram 1, and the destination port number is 1111. Datagram 2
can pass through the NAT device only when endpoint-independent filtering is used.
l Datagram 3' is sent from PC-2 to PC-1. The destination address of datagram 3 is the
same as that of datagram 1, and the destination port number is 1111. The source port
number of datagram 3 is 3333, which is different from that of datagram 1. Datagram 3
can pass through the NAT device only when endpoint-dependent filtering or endpoint-
independent filtering is used.
l Datagram 4' is sent from PC-2 to PC-1. The destination address of datagram 4 is the
same as that of datagram 1, and the destination port number is 1111. The source port
number of datagram 4 is 2222, which is the same as that of datagram 1. In this case,
endpoint and port-dependent filtering is used, which is the default one. Datagram 4 can
pass through the NAT device no matter whether a filtering mode is configured or no
matter which filtering mode is configured.
NAT Mapping
After NAT mapping is enabled on a public network, it seems that all flows from a private
network come from the same IP address because hosts on the private network share the same
public IP address. When a host on the private network initiates a session request to a host on
the public network, the NAT device searches the NAT translation table for the related session
record. If the NAT device finds the session record, it translates the private IP address and port
number and forwards the request. If the NAT device does not find the session record, it
translates the private IP address and port number and meanwhile adds a session record to the
NAT translation table. NAT mapping includes the following modes:
l Endpoint-independent mapping: The NAT uses the same IP address and port mapping for
packets sent from the same private IP address and port to any public IP address and port.
l Endpoint and port-dependent mapping: The NAT uses the same port mapping for packets
sent from the same private IP address and port to the same public IP address and port if
the mapping is still active.
5.3 Applications
Figure 5-11 Networking diagram for private network hosts accessing public network servers
Host A
192.168.1.1/24
Server
Host B Router
External
network
192.168.1.2/24 211.100.7.34/24
Host C
192.168.1.3/24
the NAT server is configured. That is, mapping between the public IP address and port
number and the private IP address and port number is defined. As a result, the host on the
public network can access the server on the private network using the mapping.
Figure 5-12 Networking diagram for public network hosts accessing private network servers
Host A
192.168.1.1/24
Router Host C
Host B
External
network
192.168.1.2/24 211.138.7.94/24
Server
192.168.1.100/24
Figure 5-13 Networking diagram for private network hosts accessing private network servers
using the domain name
Host A
192.168.1.1/24
Router DNS server
Host B
External
network
192.168.1.2/24 210.33.5.1/24
www.test.com=211.65.3.1
Web server
192.168.1.100/24
www.test.com
Important During dynamic NAT, it cannot use 5.7 Configuring Static NAT
internal fixed public IP addresses and
hosts use interface numbers to replace the
fixed public private IP addresses and interface
IP numbers. When some important
addresses hosts need to access the external
and network, they must use fixed public
interface IP addresses and interface numbers.
numbers to Dynamic NAT cannot meet this
communica requirement.
te with Static NAT sets up a fixed mapping
external between public and private IP
hosts. addresses. A specific private IP
address can be replaced only by the
specified public IP address. In this
way, the important hosts can access
the external network using fixed
public IP addresses.
External NAT can shield IP addresses off 5.8 Configuring an Internal NAT
users access internal hosts. When the internal Server
internal network needs to provide services
servers. such as web and FTP services for
external users, internal servers must
be accessible to external users at any
time.
The NAT server enables the internal
servers to be accessible at any time.
By configuring the mapping between
the public and private IP addresses
and between the public and private
interface numbers, the NAT device
can translate public IP addresses to
private IP addresses.
License Support
NAT is a basic feature of a router and is not under license control.
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
An ACL with the specified number is created and the ACL view is displayed.
Step 3 Configure basic or advanced ACLs as required. For details, see Configuring a Basic ACL or
Configuring an Advanced ACL in the Huawei AR Series IOT Gateway Configuration Guide -
Security - ACL Configuration.
NOTE
Only basic ACLs (2000 to 2999) and advanced ACLs (3000 to 3999) can be used to configure the NAT
function.
1. When permit is used in the ACL rule, the system uses the address pool to translate addresses for the
packets of which the source IP address is specified in the ACL rule.
2. When permit is not used in the ACL rule, the NAT policy referencing the ACL does not take effect.
That is, the system searches routes for packets, but does not translate addresses.
----End
Context
The address pool used by outbound NAT stores a set of public IP addresses used by dynamic
NAT. When dynamic NAT is performed, an address in the address pool is selected for NAT
address translation.
To access external networks through dynamic NAT, intranet users can choose one of the
following modes based on their public IP address plan:
l After users configure the IP address of outbound ports and other applications on the NAT
device, there are still some available public IP addresses. Users can choose outbound
NAT with an address pool.
l After users configure the IP address of outbound ports on the NAT device and other
applications, there are no available public IP addresses. Users can choose Easy IP that
uses the IP address of outbound ports on the NAT device to implement dynamic NAT.
Procedure
Step 1 Run:
system-view
Step 2 Configure outbound NAT. Users can choose one of the following configuration methods
based on actual situations:
l Configure outbound NAT with an address pool.
a. Run:
nat address-group group-index start-address end-address
Easy IP is configured.
----End
Context
Generally, NAT translates only the IP address in the IP packet header and the interface
number in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the
IP address or interface number in the Data field. Such content cannot be translated using NAT.
Therefore, communication between internal and external networks will fail.
The application level gateway (ALG) function enables the NAT device to identify the IP
address or interface number in the Data field, and translate addresses based on the mapping
table. In this way, packets can traverse NAT devices. Currently, the ALG function supports
DNS, FTP, SIP, PPTP and RTSP.
NOTE
Procedure
Step 1 Run:
system-view
The aging time of a TCP connection set up by the TCP proxy is configured.
By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.
NOTE
----End
NOTE
Procedure
Step 1 Run:
system-view
CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.
By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.
----End
Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP
proxy. SIP proxy is a multi-channel application and needs to create multiple data channels to
implement its function. To ensure connection of multiple data channels, NAT filtering and
NAT mapping must be configured to allow only packets that meet the filtering and mapping
conditions to pass through.
The device supports the following NAT mapping types:
l Endpoint-and-port-independent mapping: The NAT reuses the interface mapping for
subsequent packets sent from the same internal IP address and interface to any external
IP address and port.
l Endpoint-and-port-dependent mapping: The NAT reuses the interface mapping for
subsequent packets sent from the same internal IP address and interface to the same
external IP address and interface while the mapping is still active.
The device supports the following NAT filtering types:
l Endpoint-and-port-independent filtering
l Endpoint-dependent and port-independent filtering
l Endpoint-and-port-dependent filtering
NOTE
Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The mapping between the overlapping address pool and the temporary address pool is
configured.
NOTE
l A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
address pool.
l When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
deleted.
----End
ports, and translated source IP addresses and source ports, as well as user actions and time
stamps. You can view NAT logs to learn about information about users have accessed a
network using NAT.
The industrial switch router can send NAT logs to a specified log host, as shown in Figure
5-14.
Host
NAT logs
Internet
NAT Device
Procedure
Step 1 Run:
system-view
Sets the NAT log format to eLog. The logs are generated in the format specified by the eLog
server.
Step 5 Run the following command to output logs to the information center log host or session log
host:
l Output logs to the information center log host
a. Run:
info-center enable
The channel through which logs are output to the log host is configured.
The industrial switch router supports a maximum of eight log hosts to implement
backup among log hosts.
NOTE
For details on how to configure the industrial switch router to send logs to a log host, see
Example for Outputting Log Information to a Log Host in "Information Center
Configuration" of the Huawei AR Series IOT Gateway Configuration Guide - Device
Management.
l Output logs to the session log host
Run:
firewall log binary-log host host-ip-address host-port source source-ip-
address source-port [ vpn-instance vpn-instance-name ]
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display nat address-group [ group-index ] [ verbose ] command to check the
configuration of a NAT address pool.
l Run the display nat outbound [ acl acl-number | address-group group-index |
interface interface-type interface-number [ .subnumber ] ] command to check the
configuration of outbound NAT.
l Run the display nat alg command to check the NAT ALG configuration.
l Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-
vpn-instance-name } command to check the configuration of twice NAT.
l Run the display firewall-nat session aging-time command to check the aging time of
NAT mapping entries.
l Run the display nat sip cac bandwidth information [ verbose ] command to check the
current total bandwidth and occupied bandwidth on the device.
l Run the display nat filter-mode command to check the current NAT filtering mode.
l Run the display nat mapping-mode command to check the NAT mapping mode.
l Run the display nat mapping table { all | number } or display nat mapping table
inside-address ip-address protocol protocol-name port port-number [ vpn-instance
vpn-instance-name ] command to check the NAT table information or the number of
entries in the NAT table.
----End
Procedure
Step 1 You can configure static address mapping as follows:
1. Run:
system-view
1. Run:
system-view
l To specify a global VPN, you are advised to configure static NAT in the interface view. Then the
device can automatically obtain information about the VPN instance associated with the interface,
and you do not need to manually specify the VPN instance at the public network side (global). To
associate static NAT with a global VPN in the system view, you can specify a loopback interface as
the outbound interface at the public network side, and then specify a VPN instance.
l When configuring static NAT, ensure that global-address and host-address are different from IP
addresses of interfaces and IP addresses in the user address pool.
l If you run the undo nat static command, static mapping entries are not immediately deleted. To
clear static mapping entries, run the reset nat session command.
l You are advised to use the second method if multiple interfaces use the same static NAT mapping.
l When you configure static one-to-one NAT that borrows an interface IP address (no interface
number is specified and the IP address is mapped to a private network address), other services
enabled on the interface may become unavailable. Confirm your action before performing the
configuration. If you want to enable other applications on the interface, add an ACL rule after the
configuration to filter out the number of the interface on which the applications are enabled.
----End
Context
Generally, NAT translates only the IP address in the IP packet header and the interface
number in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the
IP address or interface number in the Data field. Such content cannot be translated using NAT.
Therefore, communication between internal and external networks will fail.
The application level gateway (ALG) function enables the NAT device to identify the IP
address or interface number in the Data field, and translate addresses based on the mapping
table. In this way, packets can traverse NAT devices. Currently, the ALG function supports
DNS, FTP, SIP, PPTP and RTSP.
NOTE
Procedure
Step 1 Run:
system-view
The aging time of a TCP connection set up by the TCP proxy is configured.
By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.
NOTE
----End
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat sip cac enable bandwidth { bandwidth-value | percent value interface
interface-type interface-number [ .subnumber ] }
CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.
By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.
----End
Context
If an enterprise has no internal DNS server but needs to access internal servers using the
domain name, intranet users of the enterprise must use DNS servers on external networks.
Intranet users can use the external DNS server to access an external server by performing
NAT; however, intranet users cannot use the external DNS server to access an internal server
because the IP address resolved by the external DNS server is not the real private IP address
of the internal server.
When configuring static NAT and DNS mapping at the same time, you can create a mapping
entry containing the domain name, public IP address, public interface number, and protocol
type. When receiving a DNS resolution packet, the NAT device searches the private IP
address mapped to the public address in the mapping entry. The NAT device then replaces the
address resolved by the DNS server with the private IP address and forwards the resolution
result to users.
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat dns-map domain-name { global-address | interface interface-type interface-
number [ .subnumber ] } global-port protocol-name
A mapping from a domain name to a public IP address, an interface number, and a protocol
type is configured.
NOTE
After DNS mapping is configured, the nat alg dns enable command must be run to enable the ALG
DNS function. In this way, DNS response packets can traverse NAT devices. If the ALG DNS function
is disabled, internal hosts cannot access internal servers using the domain name.
----End
Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP
proxy. SIP proxy is a multi-channel application and needs to create multiple data channels to
implement its function. To ensure connection of multiple data channels, NAT filtering and
NAT mapping must be configured to allow only packets that meet the filtering and mapping
conditions to pass through.
l Endpoint-and-port-independent filtering
l Endpoint-dependent and port-independent filtering
l Endpoint-and-port-dependent filtering
NOTE
Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]
Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-
dependent }
----End
Procedure
Step 1 Run:
system-view
The mapping between the overlapping address pool and the temporary address pool is
configured.
NOTE
l A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
address pool.
l When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
deleted.
----End
Host
NAT logs
Internet
NAT Device
Procedure
Step 1 Run:
system-view
Sets the NAT log format to eLog. The logs are generated in the format specified by the eLog
server.
Step 5 Run the following command to output logs to the information center log host or session log
host:
l Output logs to the information center log host
a. Run:
info-center enable
The channel through which logs are output to the log host is configured.
The industrial switch router supports a maximum of eight log hosts to implement
backup among log hosts.
NOTE
For details on how to configure the industrial switch router to send logs to a log host, see
Example for Outputting Log Information to a Log Host in "Information Center
Configuration" of the Huawei AR Series IOT Gateway Configuration Guide - Device
Management.
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display nat alg command to check the NAT ALG configuration.
l Run the display nat dns-map [ domain-name ] command to check the configuration of
DNS mapping.
l Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-
vpn-instance-name } command to check the configuration of twice NAT.
l Run the display firewall-nat session aging-time command to check the aging time of
NAT mapping entries.
l Run the display nat static [ global global-address | inside host-address [ vpn-instance
vpn-instance-name ] | interface interface-type interface-name [ .subnumber ] | acl acl-
number] command to check the configuration of static NAT.
l Run the display nat sip cac bandwidth information [ verbose ] command to check the
current total bandwidth and occupied bandwidth on the device.
l Run the display nat filter-mode command to check the the current NAT filtering mode.
l Run the display nat mapping-mode command to check the NAT mapping mode.
l Run the display nat mapping table { all | number } or display nat mapping table
inside-address ip-address protocol protocol-name port port-number [ vpn-instance
vpn-instance-name ] command to check the NAT table information or the number of
entries in the NAT table.
l Run the display nat static interface enable command to check whether the static NAT
function is enabled.
----End
l When configuring an internal NAT server, ensure that global-address and host-address are different
from IP addresses of ports and IP addresses in the user address pool.
l You can use the IP address of current-interface or loopback as the internal server's IP address.
l The undo nat server command does not delete mapping entries immediately. You can run the reset
nat session command to delete mapping entries.
l Compared with static NAT, NAT Server translates only the IP address, but not the port number,
when the private network initiatively accesses the public network.
l When you configure one-to-one NAT Server that borrows an interface IP address (no interface
number is specified and the IP address is mapped to a private network address), other services
enabled on the interface may become unavailable. Confirm your action before performing the
configuration. If you want to enable other applications on the interface, add an ACL rule after the
configuration to filter out the number of the interface on which the applications are enabled.
l To enable the device to directly discard packets that cannot be processed using NAT, run the nat
miss forward deny command.
----End
Context
Generally, NAT translates only the IP address in the IP packet header and the interface
number in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the
IP address or interface number in the Data field. Such content cannot be translated using NAT.
Therefore, communication between internal and external networks will fail.
The application level gateway (ALG) function enables the NAT device to identify the IP
address or interface number in the Data field, and translate addresses based on the mapping
table. In this way, packets can traverse NAT devices. Currently, the ALG function supports
DNS, FTP, SIP, PPTP and RTSP.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat alg { all | protocol-name } enable
Run the port-mapping protocol to configure port mapping when the application protocol that
is enabled with the NAT ALG function uses a non-well-known port number, namely a non-
default port number.
The aging time of a TCP connection set up by the TCP proxy is configured.
By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.
NOTE
----End
Context
When the SIP server is deployed on the public network and SIP phones in public and private
networks are interconnected, the call quality is affected if the bandwidth on the NAT device is
insufficient. You can enable call admission control (CAC) and set the total bandwidth on the
NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP exceeds the
specified value, the SIP call is rejected.
NOTE
Procedure
Step 1 Run:
system-view
CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.
By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.
----End
Context
If an enterprise has no internal DNS server but needs to access internal servers using the
domain name, intranet users of the enterprise must use DNS servers on external networks.
Intranet users can use the external DNS server to access an external server by performing
NAT; however, intranet users cannot use the external DNS server to access an internal server
because the IP address resolved by the external DNS server is not the real private IP address
of the internal server.
When configuring static NAT and DNS mapping at the same time, you can create a mapping
entry containing the domain name, public IP address, public interface number, and protocol
type. When receiving a DNS resolution packet, the NAT device searches the private IP
address mapped to the public address in the mapping entry. The NAT device then replaces the
address resolved by the DNS server with the private IP address and forwards the resolution
result to users.
Procedure
Step 1 Run:
system-view
A mapping from a domain name to a public IP address, an interface number, and a protocol
type is configured.
NOTE
After DNS mapping is configured, the nat alg dns enable command must be run to enable the ALG
DNS function. In this way, DNS response packets can traverse NAT devices. If the ALG DNS function
is disabled, internal hosts cannot access internal servers using the domain name.
----End
Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]
Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-
dependent }
----End
Context
If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT
can be configured. The overlapping addresses are replaced with temporary addresses and then
translated by NAT so that the internal and external hosts can access each other.
l An overlapping address pool specifies which internal IP addresses can overlap with
public IP addresses. Twice NAT is performed only on the addresses in the overlapping
address pool.
l A temporary address pool specifies which temporary IP addresses can replace addresses
in the overlapping address pool.
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-
length length [ inside-vpn-instance inside-vpn-instance-name ]
The mapping between the overlapping address pool and the temporary address pool is
configured.
NOTE
l A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
address pool.
l When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
deleted.
----End
Host
NAT logs
Internet
NAT Device
Procedure
Step 1 Run:
system-view
Sets the NAT log format to eLog. The logs are generated in the format specified by the eLog
server.
Step 5 Run the following command to output logs to the information center log host or session log
host:
l Output logs to the information center log host
a. Run:
info-center enable
b. Run:
info-center loghost ip-address [ channel { channel-number | channel-
name } | facility local-number | language language-name | transport
{ udp | tcp ssl-policy policy-name } | { vpn-instance vpn-instance-name
| public-net | local-time } ] *
The channel through which logs are output to the log host is configured.
The industrial switch router supports a maximum of eight log hosts to implement
backup among log hosts.
NOTE
For details on how to configure the industrial switch router to send logs to a log host, see
Example for Outputting Log Information to a Log Host in "Information Center
Configuration" of the Huawei AR Series IOT Gateway Configuration Guide - Device
Management.
l Output logs to the session log host
Run:
firewall log binary-log host host-ip-address host-port source source-ip-
address source-port [ vpn-instance vpn-instance-name ]
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display nat server [ global global-address | inside host-address [ vpn-instance
vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl acl-
number ] command to check the configuration of the NAT server.
l Run the display nat alg command to check the NAT ALG configuration.
l Run the display nat dns-map [ domain-name ] command to check the configuration of
DNS mapping.
l Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-
vpn-instance-name } command to check the configuration of twice NAT.
l Run the display firewall-nat session aging-time command to check the aging time of
NAT mapping entries.
l Run the display nat sip cac bandwidth information [ verbose ] command to check the
current total bandwidth and occupied bandwidth on the device.
l Run the display nat filter-mode command to check the the current NAT filtering mode.
l Run the display nat mapping-mode command to check the NAT mapping mode.
l Run the display nat mapping table { all | number } or display nat mapping table
inside-address ip-address protocol protocol-name port port-number [ vpn-instance
vpn-instance-name ] command to check the NAT table information or the number of
entries in the NAT table.
----End
Context
NOTE
The cleared entries cannot be restored; therefore, confirm the action before you use the command.
Procedure
l After you are determined to clear NAT mapping entries, run the reset nat session { all |
transit interface interface-type interface-number [ .subnumber ] } command in the
system view.
----End
Procedure
l Run the display nat session { all [ verbose ] | number },display nat session protocol
{ protocol-name | protocol-number } [ source source-address [ source-port ] ]
[ destination destination-address [ destination-port ] ] [ verbose ], display nat session
source source-address [ source-port ] [ destination destination-address [ destination-
port ] ] [ verbose ], or display nat session destination destination-address [ destination-
port ] [ verbose ] command to display information about entries in the NAT mapping
table.
----End
Networking Requirements
As shown in Figure 5-17, private network users in Area A and Area B of a company connect
to the Internet. The public IP address of GigabitEthernet3/0/0 on the router is
202.169.10.1/24. The IP address of the carrier device connected to the router is
202.169.10.2/24. Users in Area A want to use addresses in the public address pool
(202.169.10.100 to 202.169.10.200) to replace IP addresses (192.168.20.0/24) of hosts in
Area A in NAT mode to access the Internet. Users in Area B want to use addresses in the
public address pool (202.169.10.80 to 202.169.10.83) to replace IP addresses (10.0.0.0/24) of
hosts in Area B to access the Internet.
Area A
PC 1...PC n
192.168.20.0/24
202.169.10.2/24
Router
VLAN 100
Eth2/0/0 GE3/0/0
Internet
202.169.10.1/24
Eth2/0/1
VLAN 200
Area B
PC 1...PC n
10.0.0.0/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for ports, default route, and outbound NAT on the WAN interface
to allow internal hosts to access external networks.
Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 192.168.20.1 24
[Router-Vlanif100] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] vlan 200
[Router-vlan200] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.0.0.1 24
[Router-Vlanif200] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 200
[Router-Ethernet2/0/1] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] undo portswitch
[Router-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Router-GigabitEthernet3/0/0] quit
Step 2 Configure a default route with next hop address 202.169.10.2 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
NOTE
To run the ping -a source-ip-address command that has a source IP address specified on the router to verify
that intranet users can access the Internet, you need to run the ip soft-forward enhance enable command to
enable the enhanced forwarding function for control packets generated by the device so that the private source
IP addresses can be translated into public IP addresses by the NAT function. By default, the the enhanced
forwarding function for control packets generated by the device is enabled. If the function has been disabled
using the undo ip soft-forward enhance enable command, you need to run the ip soft-forward enhance
enable command in the system view to enable the function again.
# Run the ping command on the router to verify that users on the internal network can access
the Internet.
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 100 200
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit source 10.0.0.0 0.0.0.255
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet3/0/0
undo portswitch
ip address 202.169.10.1
255.255.255.0
nat outbound 2000 address-group 1 no-pat
nat outbound 2001 address-group 2
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return
Networking Requirements
As shown in Figure 5-18, the IP address of outbound interface GE2/0/0 on the router is
202.10.1.2/24 and the LAN gateway address is 192.168.0.1/24. The IP address of the carrier
device connected to the router is 202.10.1.1/24. The private IP address of the host is
192.168.0.2/24 and the fixed IP address the host needs to use is 202.10.1.3/24. In this case,
the private IP address of this company must be translated to a public IP address to allow the
host to access the WAN.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of ports, default route, and static NAT on the WAN interface to
implements one-to-one translation between a private IP address and a public IP address.
Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 202.10.1.2 24
[Router-GigabitEthernet2/0/0] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 192.168.0.1 24
[Router-GigabitEthernet1/0/0] quit
Step 2 Configure a default route with next hop address 202.10.1.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
Step 3 Configure one-to-one NAT mapping on uplink interface GE2/0/0 on the router.
Total : 1
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
interface
GigabitEthernet1/0/0
undo portswitch
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 202.10.1.2 255.255.255.0
nat static global 202.10.1.3 inside 192.168.0.2 netmask 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
#
return
Networking Requirements
As shown in Figure 5-19, the network of a company provides the WWW server and FTP
server for external network users to access the internal network. The web server uses private
IP address 192.168.20.2/24, port 8080, and public address 202.169.10.5/24. The private IP
address of the FTP server is 10.0.0.3/24 and its public address is 202.169.10.33/24. The IP
address of the carrier device connected to the router is 202.169.10.2/24. In this case, the NAT
function of the router enables the internal network of the company to connect to the Internet.
Eth2/0/1 External
user
FTP server
10.0.0.3/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for ports on the router and configure an NAT server on
Gigabitethernet 3/0/0 to allow external users to access internal servers.
2. Configure a default route on the router.
3. Enable the FTP NAT ALG function to allow external FTP packets to traverse the NAT
server.
Procedure
Step 1 Configure an IP address for the ports on the router and configure a NAT server.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 192.168.20.1 24
[Router-Vlanif100] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] vlan 200
[Router-vlan200] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.0.0.1 24
[Router-Vlanif200] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 200
[Router-Ethernet2/0/1] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] undo portswitch
[Router-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Router-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.5 www
inside 192.168.20.2 8080
[Router-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.33 ftp
inside 10.0.0.3 ftp
[Router-GigabitEthernet3/0/0] quit
Step 2 Configure a default route with next hop address 202.169.10.2 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
Step 3 Enable the NAT ALG function for FTP packets on the router.
[Router] nat alg ftp enable
Total : 2
# Run the display nat alg command on the router. The command output is as follows:
<Router> display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application Status
----------------------------------
dns Disabled
ftp Enabled
rtsp Disabled
sip Disabled
pptp Disabled
----------------------------------
# Verify that external users can access the WWW server and FTP server.The details are not
provided here.
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface gigabitethernet 3/0/0
undo portswitch
ip address 202.169.10.1 255.255.255.0
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return
Networking Requirements
As shown in Figure 5-20, the IP address of the outbound interface on the router is
202.11.1.2/24. The IP address of the LAN gateway is 202.10.0.1/24 and that of the carrier
device connected to the router is 202.11.1.1/24. IP addresses of internal hosts are not assigned
properly. The IP address of PC1 on the internal network overlaps with that of Server A on the
external network. In this case, PC2 can access this server using the domain name of Server A,
but PC2 may access PC1 on the same network segment based on the DNS resolution result.
Users want packets to be forwarded correctly.
202.10.0.100/24
Server A
Router
202.10.0.1/24 202.11.1.2/24
GE2/0/0 GE1/0/0
Internet
DNS server
PC 2
202.10.0.16/24
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 202.11.1.2 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 202.10.0.1 24
[Router-GigabitEthernet2/0/0] quit
Step 2 Configure a default route with next hop address 202.11.1.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.11.1.1
Step 3 Configure the mapping between the overlapped address pool and the temporary address pool
on the router.
[Router] nat overlap-address 0 202.10.0.100 202.12.1.100 pool-length 254
Step 4 Configure a static route on the router from the temporary address pool to outbound interface
GE1/0/0.
[Router] ip route-static 202.12.1.100 32 gigabitethernet 1/0/0 202.11.1.1
Step 5 Configure the DNS NAT ALG function in the system view.
[Router] nat alg dns enable
# Run the display nat outbound command to display the configuration of NAT.
[Router] display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-----------------------------------------------------------------
GigabitEthernet1/0/0 3180 1 pat
-----------------------------------------------------------------
Total : 1
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
acl number 3180
rule 5 permit ip source 202.10.0.0 0.0.0.255
#
nat alg dns enable
#
nat address-group 1 202.11.1.100 202.11.1.200
#
nat overlap-address 0 202.10.0.100 202.12.1.100 pool-length 254
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 202.10.0.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 202.11.1.2 255.255.255.0
nat outbound 3180 address-group 1
#
ip route-static 0.0.0.0 0.0.0.0 202.11.1.1
ip route-static 202.12.1.100 255.255.255.255 GigabitEthernet1/0/0 202.11.1.1
# return
Internal server
Internal IP: 192.168.1.2/24
External IP: 11.11.11.6/8
GE2/0/0
11.11.11.1/8
Internet
GE1/0/0
GE1/0/0
11.11.11.2/8
192.168.1.1/24
External host
Internal host 12.1.1.2/8
192.168.1.3/24
Configuration Roadmap
The configuration roadmap is as follows:
l Configure IP addresses for interfaces.
l Configure a default route.
l Configure outbound NAT and static NAT in Easy IP mode on the LAN-side interface of
the router to ensure that the intranet host can use a public IP address to access the
intranet server.
l Configure outbound NAT and static NAT in Easy IP mode on the WAN-side interface of
the router to ensure that the intranet host can access the Internet and the extranet host can
use a public IP address to access the intranet server.
Procedure
Step 1 Configure IP addresses for interfaces on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 11.11.11.1 8
[Router-GigabitEthernet2/0/0] quit
Step 2 Configure a default route on the router and specify the next hop address as 11.11.11.2.
[Router] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
Step 3 Configure outbound NAT and static NAT in Easy IP mode on GE1/0/0 of the router to ensure
that the intranet host can use a public IP address to access the intranet server.
[Router] acl 3000
[Router-acl-adv-3000] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination
11.11.11.6 0
[Router-acl-adv-3000] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 3000
Step 4 Configure outbound NAT and static NAT in Easy IP mode on GE2/0/0 of the router to ensure
that the intranet host can access the Internet and the extranet host can use a public IP address
to access the intranet server.
[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] nat outbound 2000
[Router-GigabitEthernet2/0/0] nat static global 11.11.11.6 inside 192.168.1.2
netmask 255.255.255.255
[Router-GigabitEthernet2/0/0] quit
----End
Configuration Files
Router configuration file
#
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
nat outbound 3000
#
interface GigabitEthernet2/0/0
ip address 11.11.11.1 255.0.0.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
nat outbound 2000
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#
return
Networking Requirements
The command output is as follows: As shown in Figure 5-22, the router obtains an IP address
from the PPPoE server. The IP address of Eth2/0/1 on the router is 192.168.0.1/24 and the IP
address of the PPPoE server is 2.2.2.2/16. Internal hosts connect to the network using routers.
The router obtains a public IP address from the PPPoE server in PPPoE dialup mode. Users
hope that internal hosts can access external networks.
Figure 5-22 Networking diagram for configuring PPPoE dialup access in Easy IP mode
Host 1
Eth2/0/1 GE1/0/0
Host 2 Internet
……
Host n
Configuration Roadmap
The configuration roadmap is as follows:
Create a dialer interface and set parameters of the dialer port, establish a PPPoE session,
configure a static route on the router, and configure Easy IP on the dialer interface to
implement external network access by configuring PPPoE dialup in Easy IP mode.
Procedure
Step 1 Configure a PPPoE server.
Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for the PPPoE client. For details about the configuration procedure, see the
documentation of the PPPoE server. If the router functions as a PPPoE server, see Example
for Configuring the PPPoE Server.
Step 2 Configure a dialer port.
<Huawei> system-view
[Huawei] sysname Router
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
[Router] interface dialer 1
[Router-Dialer1] dialer user user2
[Router-Dialer1] dialer-group 1
[Router-Dialer1] dialer bundle 1
[Router-Dialer1] dialer timer idle 300
INFO: The configuration will become effective after link reset.
[Router-Dialer1] dialer queue-length 8
[Router-Dialer1] ppp chap user user1@system
[Router-Dialer1] ppp chap password cipher huawei123
[Router-Dialer1] ip address ppp-negotiate
[Router-Dialer1] quit
# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. Check whether the session status is Up and whether the
configuration is consistent with the data plan and networking according to command output.
<Router> display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 GE1/0/0 00e0fc030201 00e0fc030206 PPPUP
# Run the display nat outbound command on the router. The command output is as follows:
<Router> display nat outbound
NAT Outbound Information:
---------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
---------------------------------------------------------------------------
Dialer1 2000 1.1.1.1 easyip
---------------------------------------------------------------------------
Total : 1
----End
Configuration Files
Configuration file of the router
#
sysname Router
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255
#
dialer-rule
dialer-rule 1 ip permit
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#R=>NT8A-8KmWU38WOZq(s%MsRSg>3,}l9b%K.%!S%^
%#
ip address ppp-negotiate
dialer user user2
dialer bundle 1
dialer queue-length 8
dialer timer idle 300
dialer-group 1
nat outbound 2000
#
interface GigabitEthernet1/0/0
undo portswitch
pppoe-client dial-bundle-number 1 on-demand
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return
Networking Requirements
As shown in Figure 5-23, the Router functions as the NAT gateway to connect to the
enterprise internal network and Internet. Multiple SIP phones on the enterprise internal
network often call the SIP phone, UserA, on the Internet. For example, multiple users on the
enterprise internal network often hold call conferences with the SIP phone on the Internet.
The voice configurations of the SIP phones and NAT configuration of the Router are
complete, and enterprise internal users can call the user on the Internet. The NAT device has
limited bandwidth, so the SIP call bandwidth limit needs to be configured on the NAT device
to reject the SIP calls that exceed the configured bandwidth limit.
Figure 5-23 Configuring the SIP call bandwidth limit on a NAT device
User 1
192.168.0.2/24 User A
202.10.1.8/24
Router
192.168.0.1/24 202.10.1.1/24
User 2 GE1/0/0 GE2/0/0
192.168.0.3/24 Internet
……
SIP Server
User n 202.10.1.10/24
192.168.0.44/24
Configuration Roadmap
The configuration roadmap is as follows:
Enable CAC and set the total bandwidth to limit the bandwidth of SIP calls.
Procedure
Step 1 Enable CAC on the Router and set the total bandwidth of the Router to 2000 Kbps.
<Huawei> system-view
[Huawei] sysname Router
[Router] nat sip cac enable bandwidth 2000
[Router] quit
# Run the display nat sip cac bandwidth information verbose command on the Router to
check detailed information about the configured total bandwidth and occupied bandwidth.
# User 1, User 2, and User 3 in the enterprise's intranet can concurrently have a conference
call with User A on the Internet (the bandwidth does not exceed 2000 Kbps). If the total
bandwidth of the users who attempt to access the conference exceeds 2000 Kbps, the call
fails.
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
nat sip cac enable bandwidth
2000
#
return
Fault Description
This fault is commonly caused by one of the following:
l Outbound NAT is not properly configured on the outbound interface connected to the
public network.
l The configuration of the ACL bound to outbound NAT is incorrect.
Procedure
Step 1 Check whether packets are received on interfaces of device.
Run the display interface interface-type interface-number command on the device to display
the value of the Input field.
l If the value of the Input field is 0, the device does not receive any packets. Check the
interface configuration to ensure that the interface can receive packets.
l If the value of the Input field is not 0, go to step 2.
NOTE
The device supports GE, FE, Eth-Trunk, and sub-interfaces. If an Eth-Trunk sub-interface is used, run
the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check whether the Eth-Trunk
sub-interface receives packets.
Step 2 Check whether the ACL rule bound to outbound NAT allows NAT service packets to pass
through.
Run the display nat outbound command on the device to check whether outbound NAT is
correctly configured.
[Huawei]display nat outbound
NAT Outbound Information:
---------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
---------------------------------------------------------------------------
GigabitEthernet0/0/0 2000 1 no-pat
---------------------------------------------------------------------------
Total : 1
The preceding information indicates that ACL 2000 is bound to outbound NAT on
GigabitEthernet0/0/0.
Check whether the rule of ACL 2000 is configured correctly. If the IP address, interface
number, or protocol type in the rule of ACL 2000 is configured incorrectly, packets cannot be
transmitted correctly.
Run thedisplay acl 2000 command to check the configuration of outbound NAT bound to
ACL 2000.
[Huawei] display acl 2000
Basic ACL2000, 1 rule
Acl's step is 5
rule 5 permit source 192.168.1.100 0
The rule of ACL 2000 matches packets with the source address 192.168.1.100.
Run the display nat address-group command on the device to check whether the address
pool bound to outbound NAT on the outbound interface is correct.
[Huawei] display nat address-group 1
NAT Address-Group Information:
--------------------------------------
Index Start-address End-address
--------------------------------------
1 10.0.0.100 10.0.0.110
--------------------------------------
Total : 1
To check Easy IP information on the outbound port, run the display nat outbound command
on the device. For example:
[Huawei] display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/1 2000 1.1.1.1 easyip
--------------------------------------------------------------------------
Total : 1
----End
Fault Description
This fault is commonly caused by one of the following:
l The NAT server is configured on an incorrect interface such as an outbound port or other
irrelated interfaces. The NAT server must be configured on the inbound interface of an
external host that connects to the internal network.
l The NAT server configuration is incorrect. For example, the corresponding public and
private IP addresses of internal servers are incorrect, and private ports and enabled ports
of internal servers are different.
Procedure
Step 1 Check whether services on the internal NAT server are running properly.
When the external network cannot access the internal NAT server, check whether services
such as HTTP server and FTP server are enabled on the internal NAT server. Access the
internal NAT server from an internal host to check whether the services are running properly.
l If services on the internal NAT server are not running properly, enable the services.
l If services on the internal NAT server are running properly but the fault persists, go to
step 2.
Run the display nat server command on the device to check that the NAT server is
configured on the correct NAT interface and the correct protocol type, interface number, and
IP address are configured.
[Huawei] display nat server
Nat Server Information:
Interface : GigabitEthernet 2/0/0
Global IP/Port : 1.1.1.1/80 (www)
Inside IP/Port : 192.168.0.100/8080
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Vrrp id : ----
Description : ----
Total : 1
Ensure that the mapped internal address and interface are correct. When some services such as
FTP and TFTP transmit data packets, several interfaces (some of them are randomly
generated) are used. Therefore, to configure the NAT server providing such services, cancel
the limitation on the ports so that the internal server can provide services normally.
l If the NAT server is configured correctly but the fault persists, go to step 3.
Step 3 Check the connection between the external host and NAT server and the configurations of the
connected ports.
Check that the IP address of the outbound interface on the NAT server is correct and the
external IP address of the NAT server is correct. The IP addresses cannot conflict with the
addresses on other network segments. Ping the external interface of the NAT server on an
external host. Ensure that the external host can ping the NAT server successfully.
l If the external host cannot connect to the NAT server, check the connection.
l If the external host and NAT server are connected correctly but the fault persists, go to
step 4.
Step 4 Check that the internal NAT server is configured with the correct gateway address or route.
The internal NAT server must be configured with the correct route or gateway address so that
packets destined for the external host can be sent to the gateway.
l If the gateway address or route on the internal NAT server is configured incorrectly,
reconfigure it.
l If the gateway address or route on the internal NAT server is configured correctly but the
fault persists, contact technical support personnel.
----End
Fault Description
This fault is commonly caused by one of the following:
l Outbound NAT is incorrectly configured on the outbound port.
l NAT ALG is disabled for the DNS protocol.
l The DNS mapping entry is configured incorrectly. For example, the corresponding
public address is different from the IP address of an external server.
l The route between the temporary address pool and the outbound interface is not
configured.
Procedure
Step 1 Check that outbound NAT is configured correctly.
Run the display nat outbound command on the device to check whether outbound NAT is
configured correctly.
[Huawei]display nat outbound
NAT Outbound Information:
---------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
---------------------------------------------------------------------------
GigabitEthernet0/0/1 3180 1 pat
---------------------------------------------------------------------------
Total : 1
The preceding information indicates that ACL 3180 is bound to outbound NAT and the
address pool index is 1. Check that outbound NAT references a correct address pool. When
configuring an address pool, ensure that the destination address on the external network is
different from any address in the address pool. Run the display nat address-group command
to check the configuration of the address pool.
[Huawei]display nat address-group 1
NAT Address-Group Information:
--------------------------------------
Index Start-address End-address
--------------------------------------
1 202.10.10.10 202.10.10.100
--------------------------------------
Total : 1
Check that ACL rules bound to outbound NAT are correct. Generally, incorrect addresses,
protocol types, or interface numbers are defined in ACL rules. When an ACL problem occurs,
packets on the internal network cannot be sent out or packets on the external network cannot
be sent to the internal network.
Run the display acl 3180 command to check the ACL bound to outbound NAT.
[Huawei]display acl 3180
Advanced ACL 3180, 1 rule
Acl's step is 5
rule 5 permit tcp source 1.1.1.1 0
NOTE
An ACL strictly controls the permitted address segments, protocols, and ports based on the networking
requirements. If certain protocol packets are rejected by the NAT gateway, check whether the packets of
this protocol are permitted by the ACL.
l If outbound NAT is configured incorrectly, correct the configuration.
l If outbound NAT is configured correctly but the fault persists, go to step 2.
Run the display nat dns-map command on the device to check whether the NAT server is
configured on the correct NAT interface and check whether the protocol type, interface
number, and IP address are correctly configured.
[Huawei]display nat dns-map
NAT DNS mapping information:
Domain-name : test1
Global IP : 10.1.1.1
Global port : 2012
Protocol : tcp
Total : 1
l If the DNS mapping entry is configured incorrectly, run the nat dns-map command in
the system view to configure a DNS mapping entry correctly.
l If the DNS mapping entry is configured correctly but the fault persists, go to step 3.
Step 3 Check that NAT ALG is enabled for the DNS protocol.
Run the display nat alg command on the device to check whether NAT ALG is enabled for
the DNS protocol.
[Huawei]display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application Status
----------------------------------
dns Disabled
ftp Disabled
rtsp Enabled
sip Disabled
pptp Disabled
----------------------------------
l If NAT ALG is disabled for the DNS protocol, run the nat alg command to enable it.
l If NAT ALG is enabled for the DNS protocol but the fault persists, go to step 4.
Step 4 Check that the mappings between overlapped address pools and temporary address pools are
correct.
Run the display nat overlap-address command on the device to check whether all the
mappings between overlapped address pools and temporary address pools are correct.
[Huawei]display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
----------------------------------------------------------------------
Id Overlap-Address Temp-Address Pool-Length Inside-VPN-Instance-Name
----------------------------------------------------------------------
1 1.1.1.1 20.20.20.20 34
-----------------------------------------------------------------------
Total : 1
NOTE
The temporary address pool contains available IP addresses on the device. The IP addresses in the
address pool cannot conflict with any interface address, VRRP address, or NAT address. In the
preceding information, Inside-VPN-Instance-Name specifies the VPN instance to which the internal
interface connected to the host belongs.
NOTE
If the name of the VPN instance where the internal interface is located has been configured, run the
display ip routing-table vpn-instance vpn-name command to check the routes.
----End
This chapter describes the principle and configuration of UDP helper, and provides
configuration examples.
Background
Hosts on a network may need to obtain the network configuration or resolve host names by
sending UDP broadcast packets to the server. If the hosts and server are located in different
broadcast domains, broadcast packets cannot reach the server and the hosts cannot obtain the
required information from the server.
The industrial switch router provides the UDP helper function to solve this problem. UDP
helper can relay the UDP broadcast packets with specified destination ports. It converts the
broadcast packets into unicast packets and sends the unicast packets to the specified
destination servers.
As shown in Figure 6-1, HostA uses a host name to access HostB, and the NetBIOS Name
Service (NetBIOS-NS) server resolves the host name of HostB. The NetBIOS-NS server and
HostA are in different broadcast domains, so the UDP broadcast packet with destination port
UDP 137 sent by HostA cannot reach the NetBIOS-NS server. After UDP helper is enabled
on the Router, the Router can forward the packet with destination port UDP 137 to the
NetBIOS-NS server through unicast so that the NetBIOS-NS server can resolve the host name
of HostB.
UDP
Bro
adc
ast
HostA LSW Router
UDP Unicast
NetBIOS-NS
HostB
Time Service 37
NOTE
UDP helper does not relay DHCP packets. That is, the destination port number cannot be 67 or 68. To
relay DHCP packets, enable the DHCP relay function on the industrial switch router. For details about
DHCP relay, see .
License Support
UDP Helper functions are basic function of routers and can be obtained without licenses.
Pre-configuration Tasks
Before configuring UDP helper, complete the following task:
l Configuring a reachable route from the industrial switch router to the destination server
.
Procedure
Step 1 Run:
system-view
Step 2 Run:
udp-helper enable
The UDP destination port to which UDP broadcast packets are relayed is specified.
NOTE
After UDP helper is enabled, the industrial switch router relays the UDP packets with the following
destination ports by default: Time (37), TACACS (49), DNS (53), TFTP (69), NetBIOS-NS (137), and
NetBIOS-DS (138). If the UDP destination port you want to specify is among the six ports, skip this
step.
Step 4 Run:
interface interface-type interface-number
The interface must be a VLANIF interface, Layer 3 Ethernet interface, or Layer 3 Ethernet
sub-interface.
Step 5 Run:
udp-helper server ip-address
----End
Procedure
l Run the display udp-helper server command to display the packet relay interface,
destination server address, and number of forwarded packets.
----End
Context
UDP helper statistics cannot be restored after being cleared. Exercise caution when you run
the reset ip udp-helper packet command.
Procedure
l Run the reset udp-helper packet command in the user view to clear UDP helper
statistics.
----End
NetBIOS-NS
1.1.1.1/16
GE2/0/0
1.1.1.2/16
Router
GE1/0/0
10.110.1.1/16
LSW
PC1 PC2
Configuration Roadmap
1. Because the PCs on the LAN need to access each other using host names, the host names
must be resolved into IP addresses. However, the NetBIOS-NS and PCs are in different
broadcast domains. The NetBIOS-NS Register packets cannot reach the NetBIOS-NS
server. The Router must be enabled with UDP helper to forward the UDP packets with
destination port 137 (NetBIOS-NS port) to the NetBIOS-NS server.
2. After UDP helper is enabled, specify the IP address of destination NetBIOS-NS server
on GE1/0/0 of Router.
NOTE
After UDP helper is enabled on the Router, the Router relays the broadcast packets with UDP destination port
137 by default. The UDP port number, therefore, does not need to be configured in this example.
Procedure
Step 1 Assign an IP address to GE1/0/0 on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 10.110.1.1 16
[Router-GigabitEthernet1/0/0] quit
# Run the display udp-helper port command to check the configured destination port
number of UDP packets to be forwarded using the UDP Helper.
<Router> display udp-helper port
Udp-Port-Number Description
-------------------------------------------------------------
37 Time
49 TAC Access Control System
53 Domain Name Server
69 Trivial File Transfer Protocol
137 NETBIOS Name Service
138 NETBIOS Datagram Service
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
udp-helper enable
#
interface GigabitEthernet1/0/0
undo portswitch
7 IP Performance Configuration
A large number of packets need to be forwarded on the network, which may cause network
congestion and degrade network performance.IP performance optimization can solve the
problem. You can adjust parameters or forwarding modes for IP packets to achieve optimal
network performance.
License Support
IP performance functions are basic function of routers and can be obtained without licenses.
Prerequisite
Before optimizing IP performance, complete the following task:
Procedure
Step 1 Run:
system-view
Step 3 Run:
ip verify source-address
----End
Procedure
Step 1 Run:
system-view
NOTE
The function that clears the DF field is valid for outgoing packets; therefore, this function must be
configured on the outbound interface.
Step 3 Run:
clear ip df
----End
NOTE
If the NAT, firewall, smart application control (SAC), or in-depth security defense functions is configured on
the device, virtual fragment reassembly is enabled by default and cannot be disabled. That is, the undo ip
virtual-reassembly command does not take effect.
Procedure
Step 1 Run:
system-view
----End
integral multiple of the minimum bandwidth, the system still uses an integral multiple of the
minimum bandwidth to process. For example, if the bandwidths of four links participating in
UCMP are configured to 2 Kbps, 3 Kbps, 4 Kbps, and 5 Kbps, the final bandwidths of the
links are 2 Kbps, 2 Kbps, 4 Kbps, and 4 Kbps.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [.subinterface-number ]
NOTE
Among all subinterfaces, only the Ethernet sub-interfaces (Dot1q and QinQ termination sub-interfaces) and
Eth-trunk sub-interfaces (Dot1q termination sub-interfaces) support configuration of unequal cost multiple
path.
For a logical interface, the interface bandwidth is not configured by default; for a physical
interface, the actual interface bandwidth is used by default. Therefore, this step is mandatory
for the logical interface.
Perform this step if you need to adjust the bandwidth of equal-cost links so that the equal-cost
links load balance traffic based on the configured bandwidth.
Step 4 Run:
load-balance unequal-cost enable
Step 5 Run:
shutdown
Step 6 Run:
undo shutdown
Step 7 Run:
quit
NOTE
Equal-cost links load balance proportional traffic based on the configured bandwidth only when UCMP
is enabled on the outbound interfaces of all equal-cost links and the shutdown and undo shutdown
commands are executed on the outbound interfaces in sequence to trigger FIB entry update. If UCMP is
not enabled on any outbound interface, the equal-cost links evenly load balance traffic even though FIB
entry update is triggered.
----End
Procedure
Step 1 Run:
system-view
----End
broadcast packets in some scenarios. For example, to enable the Wake on LAN function so
that directed broadcast packets can be sent to wake up computers on a remote network, enable
the interface to receive and forward directed broadcast packets destined for its direct network
segment.
As shown in Figure 7-1, on the router, GE1/0/0 is on the same network segment with PC A;
GE2/0/0 is on another network segment with the WOL server. The WOL server uses directed
broadcast packets to wake up PC A. In normal cases, the directed broadcast packets are
isolated by the router. After the ip forward-broadcast command is run on the router's
GE1/0/0 to enable the interface to forward the directed broadcast packets, PC A can receive
the directed broadcast packets from the WOL server.
Figure 7-1 Configuring the interface to forward directed broadcast packets in the WOL
scenario
GE1/0/0 GE2/0/0
10.1.1.1/24 10.2.2.1/24
10.1.1.2/24 10.2.2.2/24
NOTE
By default, the device identifies directed broadcast packets as malformed packets, and intercepts and
discards them because the attack defense function of malformed packets is enabled on the device. In this
case, the interface on the device cannot forward the directed broadcast packets.
To solve this problem, use either of the following methods:
l Run the anti-attack abnormal disable command to disable the attack defense function of
malformed packets. However, after this command is configured, other malformed packets will not
be intercepted and discarded, which brings certain security risks. Use this command with caution.
l Run the anti-attack disable command to disable all attack defense functions. However, after this
command is configured, not only malformed packets but also fragmented, tcp-syn, udp-flood, and
icmp-flood attack packets will not be intercepted and discarded, which brings certain security risks.
Use this command with caution.
The device can also be enabled to receive and forward a certain type of directed broadcast
packets based on ACLs. For example, if the basic ACL is used, run the acl (system view) and
rule (basic ACL view) commands to define the directed broadcast packets to be received and
forwarded as permit, and then run the ip forward-broadcast command to bind this ACL.
Procedure
Step 1 Configure the basic or advanced ACL. For details, see Configuring a Basic ACL or
Configuring an Advanced ACL in the Huawei AR Series IOT Gateway Configuration Guide -
Security - ACL Configuration.
Step 2 Run:
system-view
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
ip forward-broadcast [ acl acl-number ]
----End
Context
QoS policies take effect only for data packets. In certain cases, control packets need to be
managed. For example, bandwidth limitation is required for the control packets generated by
Telnet applications. The enhanced forwarding function can meet the requirement. You can
configure this function to apply QoS policies to the control packets generated by the device.
Currently, the enhanced forwarding function is valid only for the control packets generated by
the device.
Procedure
Step 1 Run:
system-view
NOTE
If you set the DSCP priority for control packets according to both the protocol type and ACL rule, the
DSCP priority configured according to the protocol type takes effect.
Step 4 (Optional) Configure the control packets to support QoS policies using one or more of the
following commands.
1. Run:
undo control-packet { bgp | icmp | igmp | ospf | pim | rip | snmp | ssh |
telnet | vrrp| other-protocols } * output car bypass or undo control-packet
all output car bypass
Control packets are configured to support QoS queue functions (including traffic
shaping, congestion management, and congestion avoidance).
By default, control packets do not support QoS queue functions.
3. Run:
undo control-packet { bgp | icmp | igmp | ospf | pim | rip | snmp | ssh |
telnet | vrrp| other-protocols } * output filter bypass or undo control-
packet all output filter bypass
The device is configured to discard control packets when the traffic policy or ACL-based
simplified traffic policy contain the deny action.
By default, the device does not discard control packets when the traffic policy and ACL-
based simplified traffic policy contain the deny action.
After this command is executed, the device discards control packets.
----End
Follow-up Procedures
After the enhanced forwarding function is configured for control packets, you can only make
QoS policies take effect for the control packets. To implement differentiated services for
control packets, configure QoS policies. For details, see Huawei AR Series IOT Gateway
Configuration Guide - QoS.
A router forwards broadcast packets according to its IP routing table by default. Broadcast
packets carry the destination MAC address of FFFF-FFFF-FFFF and a unicast destination IP
address. To prohibit broadcast packets from being forwarded using routes, disable routing
forwarding for broadcast packets.
In Figure 7-2, the PC connects to the Switch and traffic of the PC reaches the Firewall
through two links: LinkA and LinkB. The Firewall may receive through RouterA and
RouterB two copies of broadcast packets with the MAC address of FFFF-FFFF-FFFF from
the PC after the Switch forwards the packets. As a result, the Firewall may consider these
packets as abnormal packets after checking the packets.
To ensure that the Firewall receives only one copy of packets, run the broadcast routing
disable command on RouterA. This command will disable RouterA from forwarding
broadcast packets so that only RouterB forwards these packets to the Firewall.
Firewall
PC Switch LinkB
Router B
Procedure
Step 1 Run:
system-view
Step 2 Run:
broadcast routing disable
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
icmp-reply fast
NOTE
After the fast ICMP reply function is enabled on the device, the local policy-based routing function does not
take effect for ICMP packets. Therefore, if the local policy-based routing function is configured on the
device, you are advised to disable the fast ICMP reply function.
Step 3 Run:
icmp ttl-exceeded drop
The device is configured to discard the ICMP packets whose TTL values are 1.
By default, the function of discarding ICMP packets with TTL values 1 is disabled.
Step 4 Run:
icmp with-options drop
The device is configured to discard the ICMP packets that carry options.
By default, the function of discarding ICMP packets that carry options is disabled.
Step 5 Run:
icmp unreachable drop
The BRAS is disabled from sending a Destination Unreachable ICMP packet to an initiator
when a tracert packet matches an IPv4 blackhole route.
By default, the BRAS is disabled from sending a Destination Unreachable ICMP packet to an
initiator when a tracert packet matches an IPv4 blackhole route.
Step 9 Run:
interface interface-type interface-number
Step 11 Run:
icmp host-unreachable send
----End
Procedure
Step 1 Run:
system-view
By default, the minimum MSS value for a TCP connection is 216 bytes.
Step 6 Run:
interface interface-type interface-number
Step 7 Run:
tcp adjust-mss value
The MSS of TCP packets is an option defined in TCP. It refers to the maximum length of a
TCP packet segment that can be received by the peer device. When establishing the TCP
connection, the local and peer ends negotiate the MSS value to determine the maximum data
length of TCP packets. If the length of a TCP packet sent by the peer device exceeds the
negotiated MSS, the TCP packet is fragmented.
When configuring the MSS of TCP packets, pay attention to the following points:
l To ensure that TCP packets are not fragmented, pay attention to the relationship between
the MSS and MTU during configuration. MTU is an option defined by the data link layer
to identify whether IP packets need to be fragmented. If the size of an IP packet sent by
the peer device exceeds the MTU, the IP packet is fragmented. To ensure that the packet
transmission is not affected, the MSS value plus the header lengths (such as the TCP
header and IP header) does not exceed the MTU value. For example, the default MTU
value of an Ethernet interface is 1500 bytes. To ensure that packets are not fragmented,
the MSS value can be set to 1460 bytes. The formula is as follows: Default MTU value
(1500 bytes) – Minimum length of the TCP header (20 bytes) – Minimum length of
the IP header (20 bytes). The recommended MSS value is 1200 bytes.
l The tcp adjust-mss command does not only take effect for the industrial switch router
functioning as the client or server used for TCP connections. When another device
functions as the client to perform MSS negotiation through the industrial switch router,
the negotiation result is modified based on the MSS configured on the industrial switch
router. In addition, the MSS value is changed to the value configured using the tcp
adjust-mss command only when the MSS value received by the industrial switch router
is larger than the value configured using the tcp adjust-mss command executed on the
industrial switch router.
l If you run the tcp adjust-mss multiple times in the same interface view, only the latest
configuration takes effect.
Step 8 Run:
tcp timer pathmtu-age age-time
By default, the aging time of the PMTU is 0 minutes, that is, the PMTU never ages.
----End
Only routers in V200R007C00 support the source-ip ip-address and destination-ip ip-address
parameters.
l Run the display load-sharing ip-address ip-address mask vrf vrf-id to check the UCMP
configuration.
----End
The IP/TCP/UDP traffic statistics cannot be restored after being cleared. Therefore, confirm
your operation before clearing the IP performance statistics.
Procedure
l After you are determined to clear IP statistics, run the reset ip statistics [ interface
interface-type interface-number ] command in the user view.
l After you are determined to clear statistics in a socket monitor, run the reset ip socket
monitor [ task-id task-id socket-id socket-id ] command in the user view.
l After you are determined to clear statistics on the dual receive buffer of the socket, run
the reset ip socket pktsort task-id task-id socket-id socket-id command in the user
view.
l After you are determined to clear statistics about RawIP packets, run the reset rawip
statistics command in the user view.
l After you are determined to clear TCP statistics, run the reset tcp statistics command in
the user view.
l After you are determined to clear UDP statistics, run the reset udp statistics command
in the user view.
----End
The IPv6 protocol stack supports routing protocols and application protocols on an IPv6
network.
8.1 IPv6 Overview
8.2 Principles
This section explains the fundamentals of IPv6 addresses, IPv6 packets, ICMPv6, Neighbor
Discovery Protocol (NDP), and path maximum transmission units (PMTUs).
8.3 Configuration Notes
8.4 Default Configuration
8.5 Configuring IPv6 Addresses for Interfaces
8.6 Configuring ICMPv6 Packet Control
8.7 Configuring IPv6 Neighbor Discovery
8.8 Configuring PMTU
When the device functions as the source node and sends IPv6 packets to the destination node,
the device fragments packets based on PMTU. The intermediate device does not need to
fragment packets, reducing the burden of the intermediate device to effectively use network
resources and obtain the maximum throughput.
8.9 Configuring TCP6
8.10 Configuring the Enhanced Forwarding Function for IPv6 Control Packets Generated by
the Device
8.11 Maintaining IPv6
8.12 Configuration Examples
Purpose
IPv6 was developed in response to rapidly increasing Internet use. IPv4, despite being easy to
implement, simple to use, and providing good interoperability, is no longer feasible as the
dominant network layer protocol. This is mainly due to IPv4 address exhaustion.
Table 8-1 shows how IPv6 overcomes many of the deficiencies found in IPv4.
Address IPv4 addresses are 32 bits long, IPv6 addresses are 128 bits long. A
space theoretically giving an available IP 128 bit structure allows for an
address space that contains about 4.3 address space of 2128 (4.3 billion x
billion IP addresses. The currently 4.3 billion x 4.3 billion x 4.3
available IP addresses are no longer billion) possible addresses. This
sufficient to continually support the vast address space makes it very
rapid expansion of the Internet. IPv4 unlikely that IPv6 address
address resources are allocated exhaustion will ever occur.
unevenly. USA address resources
account for almost half of the global
address space, with barely enough
addresses left for Europe, and still
fewer for the Asia-Pacific area.
Furthermore, the development of
mobile IP and broadband technologies
still requires more IP addresses. The
process of IP addresses being used up
is known as IP address exhaustion.
While several solutions to IPv4
exhaustion are currently in place, such
as Classless Inter-domain Routing
(CIDR) and Network Address
Translator (NAT), they all have
significant disadvantages. These
disadvantages prompted the
development of IPv6.
Packet The IPv4 packet header carries the Unlike the IPv4 packet header, the
format Options field, including security, IPv6 packet header does not carry
timestamp, and record route options. IHL, identifier, flag, fragment
The variable length of the Options offset, header checksum, option, or
field makes the IPv4 packet header padding fields, but it does carry the
length range from 20 bytes to 60 flow label field. This facilitates
bytes. IPv4 packets often need to be IPv6 packet processing and
forwarded by intermediate devices. improves processing efficiency. To
Therefore, using the Options field support various options without
occupies a large amount of resources, changing the existing packet
which means this field is rarely used format, the Extension Header
in practice. information field is added to the
IPv6 packet header, improving
IPv6 flexibility.
Route Many non-contiguous IPv4 addresses The enormous address space allows
summarizat are allocated. Routes cannot be for the hierarchical network design
ion summarized effectively due to in IPv6 to facilitate route
incorrect IPv4 address allocation and summarization and improve
planning. The increasingly large forwarding efficiency.
routing table consumes a lot of
memory and affects forwarding
efficiency. Manufacturers must
continually upgrade devices to
improve route addressing and
forwarding performance.
End-to-end The original IPv4 framework does not IPv6 supports IP Security (IPSec)
security support end-to-end security because authentication and encryption at the
support security was not fully considered network layer, providing end-to-
during the initial design. end security.
Quality of IPv4 has no native mechanism to The Flow Label field in IPv6
Service support QoS, especially when guarantees QoS for voice, data, and
(QoS) regarding real-time forwarding of video services.
support voice, data, and video services such as
network conferencing, network
telephones, and network TVs.
8.2 Principles
This section explains the fundamentals of IPv6 addresses, IPv6 packets, ICMPv6, Neighbor
Discovery Protocol (NDP), and path maximum transmission units (PMTUs).
An IPv6 address can contain only one double colon (::). Otherwise, a computer cannot determine the
number of zeros in a group when restoring the compressed address to the original 128-bit address.
If the first 3 bits of an IPv6 unicast address are not 000, the interface ID must contain 64 bits. If the first
3 bits are 000, there is no such limitation.
You can manually configure the interface ID, generate it through system software, or generate
it in IEEE 64-bit Extended Unique Identifier (EUI-64) format. Generating an interface ID in
EUI-64 format is the most common practice.
IEEE EUI-64 standards convert an interface MAC address into an IPv6 interface ID. Figure
8-1 shows a 48-bit MAC address. When used as an interface ID, the first 24 bits (expressed
by c) are a vendor identifier, and the last 24 bits (expressed by m) are an extension identifier.
If the higher seventh bit is 0, the MAC address is locally unique. During conversion, EUI-64
inserts FFFE between the vendor identifier and extension identifier. The higher seventh bit
also changes from 0 to 1 to indicate that the interface ID is globally unique.
MAC
addresscccccc0cccccccccccccccccmmmmmmmmmmmmmmmmmmmmmmmm
1111111111111110
Insert
FFFE cccccc0ccccccccccccccccc1111111111111110mmmm...mmmm
Change the
seventh high
bit to 1 cccccc1ccccccccccccccccc1111111111111110mmmm...mmmm
l Unspecified address
The IPv6 unspecified address is 0:0:0:0:0:0:0:0/128 or ::/128, indicating that an interface
or a node does not have an IP address. It can be used as the source IP address of some
packets, such as Neighbor Solicitation (NS) messages, in duplicate address detection.
Devices do not forward packets with an unspecified address as the source IP address.
l Loopback address
The IPv6 loopback address is 0:0:0:0:0:0:0:1/128 or ::1/128. Similar to the IPv4
loopback address 127.0.0.1, the IPv6 loopback address is used when a node needs to
send IPv6 packets to itself. This IPv6 loopback address is usually used as the IP address
of a virtual interface, such as a loopback interface. The loopback address cannot be used
as the source or destination IP address of packets needing to be forwarded.
l Global unicast address
An IPv6 global unicast address is an IPv6 address with a global unicast prefix, which is
similar to an IPv4 public address. IPv6 global unicast addresses support route prefix
summarization, helping limit the number of global routing entries.
Figure 8-2 shows a global unicast address consisting of a global routing prefix, subnet
ID, and interface ID.
001
0 Interface ID
1111 1110 10
FE80::/10
10 bit
1111 110
FC00::/7
– Has a well-known prefix (FC00::/7) that allows for easy route filtering at site
boundaries.
– Does not conflict with any other addresses if it is accidentally routed offsite.
– Functions as a global unicast address to applications.
– Is independent of Internet Service Providers (ISPs).
IPv6 Multicast Address
Like IPv4 multicast addresses, IPv6 multicast addresses identify groups of interfaces, which
usually belong to different nodes. A node may belong to any number of multicast groups.
Packets sent to an IPv6 multicast address are delivered to all the interfaces identified by the
multicast address. For example, the multicast address FF02::1 indicates all nodes within the
link-local scope, and FF02::2 indicates all routers within the link-local scope.
An IPv6 multicast address is composed of a prefix, a flag, a scope, and a group ID (global
ID).
l Prefix: is fixed as FF00::/8.
l Flag: is 4 bits long. The high-order 3 bits are reserved and must be set to 0s. The last bit
0 indicates a permanently-assigned, well-known multicast address allocated by the
Internet Assigned Numbers Authority (IANA). The last bit 1 indicates a non-
permanently-assigned (transient) multicast address.
l Scope: is 4 bits long. It limits the scope where multicast data flows are sent on the
network. Figure 8-5 shows the field values and meanings.
l Group ID (global ID): is 112 bits long. It identifies a multicast group. RFC does not
define all the 112 bits as a group ID but recommends using the low-order 32 bits as the
group ID and setting all of the remaining 80 bits to 0s. In this case, each multicast group
ID maps to a unique Ethernet multicast MAC address.
Figure 8-5 shows the IPv6 multicast address format.
fieldvalue description
1111 1111 1 temporary multicast address
Flag
FF Flag Scope 0 permanent multicast address
1 node
8 bit 4 bit 4 bit link
2
4 management
Scope 5 site
8 organization
E global
the rest unsigned or reserved
multicast address is generated for the node, and the node joins the multicast group that
corresponds to its IPv6 unicast or anycast address. Each unicast or anycast address
corresponds to a single solicited-node multicast address, which is often used in neighbor
discovery and duplicate address detection.
IPv6 does not support broadcast addresses or Address Resolution Protocol (ARP). In
IPv6, Neighbor Solicitation (NS) packets are used to resolve IP addresses to MAC
addresses. When a node needs to resolve an IPv6 address to a MAC address, it sends an
NS packet in which the destination IP address is the solicited-node multicast address
corresponding to the IPv6 address.
The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the
last 24 bits of the corresponding unicast address.
IPv6 Anycast Address
An anycast address identifies a group of network interfaces, which usually belong to different
nodes. Packets sent to an anycast address are delivered to the nearest interface that is
identified by the anycast address, depending on the routing protocols.
Anycast addresses implement redundancy backup and load balancing functions when multiple
hosts or nodes are provided with the same services. Currently, a unicast address is assigned to
more than one interface to make a unicast address become an anycast address. When sending
data packets to anycast addresses, senders cannot determine which of the assigned devices
will receive the packets. Which device receives the packets depends on the routing protocols
running on the network. Anycast addresses are used in stateless applications, such as Domain
Name Service (DNS).
IPv6 anycast addresses are allocated from the unicast address space. Mobile IPv6 applications
also use anycast addresses.
NOTE
IPv6 anycast addresses can be assigned only to routing devices but not hosts. Anycast addresses cannot
be used as the source IP addresses of IPv6 packets.
l Subnet-router Anycast Address
RFC predefines a subnet-router anycast address. Packets sent to a subnet-router anycast
address are delivered to the nearest device on the subnet identified by the anycast
address, depending on the routing protocols. All devices must support subnet-router
anycast addresses. A subnet-router anycast address is used when a node needs to
communicate with any of the devices on the subnet identified by the anycast address. For
example, a mobile node needs to communicate with one of the mobile agents on the
home subnet.
In a subnet-router anycast address, the n-bit subnet prefix identifies a subnet, and the
remaining bits are padded with 0s. Figure 8-6 shows the subnet-router anycast address
format.
Subnet prefix 0
Source 40 octets
Address Basic Header
Destination
Address
l Next Header: 8 bits long. This field identifies the type of the first extension header that
follows the IPv6 basic header or the protocol type in the upper-layer PDU.
l Hop Limit: 8 bits long. This field is similar to the Time to Live field in an IPv4 packet,
defining the maximum number of hops that an IP packet can pass through. Each device
that forwards the packet decrements the field value by 1. If the field value is reduced to
0, the packet is discarded.
l Source Address: 128 bits long. This field indicates the address of the packet originator.
l Destination Address: 128 bits long. This field indicates the address of the packet
recipient.
Unlike the IPv4 packet header, the IPv6 packet header does not carry IHL, identifier, flag,
fragment offset, header checksum, option, or padding fields, but it does carry the flow label
field. This facilitates IPv6 packet processing and improves processing efficiency. To support
various options without changing the existing packet format, the Extension Header
information field is added to the IPv6 packet header, improving flexibility. The following
paragraphs describe IPv6 extension headers.
...
Header
Next Header Extension Header Len
Extension Head Data(last)
... Data
Hop- 0 This header carries information that every node must examine along the
by- delivery path of a packet. This header is used in the following
Hop applications:
Option l Jumbo payload (if the payload length exceeds 65535 bytes)
s
header l Prompting devices to check this option before the devices forward
packets.
l Resource Reservation Protocol (RSVP)
Destin 60 This header carries information that only the destination node of a
ation packet examines. Currently, this header is used in mobile IPv6.
Option
s
header
Routin 43 An IPv6 source node uses this header to specify the intermediate nodes
g that a packet must pass through on the way to its destination. This
header option is similar to the Loose Source and Record Route option in IPv4.
Fragm 44 Like IPv4 packets, the length of IPv6 packets to be forwarded cannot
ent exceed the maximum transmission unit (MTU). When the packet length
header exceeds the MTU, the packet needs to be fragmented. In IPv6, the
Fragment header is used by an IPv6 source node to send a packet larger
than the MTU.
Authen 51 IPSec uses this header to provide data origin authentication, data
tication integrity check, and packet anti-replay functions. It also protects some
header fields in the IPv6 basic header.
Encaps 50 This header provides the same functions as the Authentication header
ulating plus IPv6 packet encryption.
Securit
y
Payloa
d
header
When a single packet uses more than one extension header, the headers must be listed in the
following order:
l Routing header
l Fragment header
l Authentication header
l Encapsulating Security Payload header
l Destination Options header
l Upper-layer header
Intermediate devices determine whether to process extension headers based on the Next
Header field value in the IPv6 basic header. The intermediate devices do not need to examine
or process all extension headers.
Each extension header can only occur once in an IPv6 packet, except for the Destination
Options header which may occur twice (once before a Routing header and once before the
upper-layer header).
8.2.3 ICMPv6
The Internet Control Message Protocol version 6 (ICMPv6) is one of the basic IPv6 protocols.
In IPv4, ICMP reports IP packet forwarding information and errors to the source node. ICMP
defines certain messages such as Destination Unreachable, Packet Too Big, Time Exceeded,
Echo Request, and Echo Reply to facilitate fault diagnosis and information management.
ICMPv6 provides additional mechanisms alongside the current ICMPv4 functions such as
Neighbor Discovery (ID), stateless address configuration (including duplicate address
detection), and Path Maximum Transmission Unit (PMTU) discovery.
The protocol number of ICMPv6 (that is, the value of the Next Header field in an IPv6
packet) is 58. Figure 8-9 shows the ICMPv6 packet format.
IPv6 basic
header
Next header = 58
ICMPv6 packet
ICMPv6 packet
ICMPv6 Data
l Type: specifies a message type. Values 0 to 127 indicate the error message type, and
values 128 to 255 indicate the informational message type.
l Code: indicates a specific message type.
l Checksum: indicates the checksum of an ICMPv6 packet.
Address Resolution
In IPv4, a host needs to obtain the link-layer address of the destination host through the ARP
protocol for communication. Similar to IPv4, the IPv6 NDP protocol parses the IP address to
obtain the link-layer address.
ARP packets are encapsulated in Ethernet packets. The Ethernet type value is 0x0806. ARP is
defined as a protocol that runs between Layer 2 and Layer 3. ND is implemented through
ICMPv6 packets. The Ethernet type value is 0x86dd. The Next Header value in the IPv6
header is 58, indicating that the packets are ICMPv6 packets. NDP packets are encapsulated
in ICMPv6 packets. NDP is a Layer 3 protocol. Layer 3 address resolution has the following
advantages:
l Layer 3 address resolution enables Layer 2 devices to use the same address resolution
protocol.
l Layer 3 security mechanisms are used to prevent address resolution attacks.
l Request packets can be sent in multicast mode, reducing load on Layer 2 networks.
During address resolution, Neighbor Solicitation (NS) packets and Neighbor Advertisement
(NA) packets are used.
l In NS packets, the Type field value is 135 and the Code field value is 0. NS packets are
similar to IPv4 ARP Request packets.
l In NA packets, the Type field value is 136 and the Code field value is 0. NA packets are
similar to IPv4 ARP Reply packets.
Figure 8-10 shows the process of address resolution.
Host A Host B
Host A needs to parse the link-layer address of Host B before sending packets to Host B. Host
A sends an NS message with its IPv6 address as the source address and the solicited-node
multicast address of Host B as the destination address. The Options field in the NS message
carries the link-layer address of Host A.
After receiving the NS message, Host B replies with an NA Reply message. In the NA reply
message, the source address is the IPv6 address of Host B, and the destination address is the
IPv6 address of Host A (the NS message is sent to Host A in unicast mode using the link-
layer address of Host A). The Options field carries the link-layer address of Host B. This is
the whole address resolution process.
Neighbor Tracking
A neighbor state can transit from one to another. Hardware faults and hot swapping of
interface cards interrupt communication with neighboring devices. Communication cannot be
restored if the destination of a neighboring device becomes invalid, but it can be restored if
the path fails. Nodes need to maintain a neighbor table to monitor the state of each
neighboring device.
RFC defines five neighbor states: Incomplete, Reachable, Stale, Delay, and Probe.
Figure 8-11 shows the transition of neighbor states. The Empty state indicates that the
neighbor table is empty.
The following example describes changes in neighbor state of node A during its first
communication with node B.
1. Node A sends an NS message and generates a cache entry. The neighbor state of node A
is Incomplete.
2. If node B replies with an NA message, the neighbor state of node A changes from
Incomplete to Reachable. Otherwise, the neighbor state changes from Incomplete to
Empty after a certain period of time, and node A deletes this entry.
3. After the neighbor reachable time times out, the neighbor state changes from Reachable
to Stale, indicating that the neighbor reachable state is unknown.
4. If node A in the Reachable state receives a non-NA Request message from node B, and
the link-layer address of node B carried in the message is different from that learned by
node A, the neighbor state of node A changes to Stale.
5. Node A sends data to node B. The state of node A changes from Stale to Delay. Node A
then sends an NS Request message.
6. After a period of time, the neighbor state changes from Delay to Probe. During this time,
if node A receives an NA Reply message, the neighbor state of node A changes to
Reachable.
7. Node A in the Probe state sends several unicast NS messages at the configured interval.
If node A receives a Reply message, the neighbor state of node A changes from Probe to
Reachable. Otherwise, the state changes to Empty and node A deletes the entry.
IPv6 DAD is similar to IPv4 gratuitous ARP. A node sends an NS message that requests the
tentative address as the destination address to the Solicited-node multicast group. If the node
receives an NA Reply message, another node is using the tentative address for
communication. This node will not use this tentative address for communication.
The IPv6 address FC00::1 is assigned to Host A as a tentative IPv6 address. To check the
validity of this address, Host A sends an NS message containing the requested address
FC00::1 to the Solicited-node multicast group to which FC00::1 belongs. Since FC00::1 is not
specified, the source address of the NS message is an unspecified address. After receiving the
NS message, Host B processes the message in one of the following ways:
l If FC00::1 is a tentative address of Host B, Host B will not use this address as an
interface address and will not send an NA message.
l If FC00::1 is in use on Host B, Host B sends an NA message to FF02::1 carrying IP
address FC00::1. In this way, Host A can find and mark the duplicate tentative address
after receiving the message so it will not take effect.
Router Discovery
Router discovery is used to locate neighboring devices and learn their address prefixes and
configuration parameters for address autoconfiguration.
IPv6 supports stateless address autoconfiguration. Hosts obtain IPv6 prefixes and
automatically generate interface IDs. Router Discovery is the basis of IPv6 address
autoconfiguration and is implemented through the following two types of packets:
RA RS RA
Address Autoconfiguration
IPv4 uses DHCP to automatically configure IP addresses and default gateways. This
simplifies network management. The length of an IPv6 address is increased to 128 bits.
Multiple terminal nodes require the function of automatic configuration. IPv6 allows both
stateful and stateless address autoconfiguration. Stateless autoconfiguration enables hosts to
automatically generate link-local addresses. Hosts automatically configure global unicast
addresses and obtain other information based on prefixes in the RA message.
1. A host automatically configures the link-local address based on the interface ID.
2. The host sends an NS message for duplicate address detection.
3. If address conflict occurs, the host stops address autoconfiguration. Then addresses need
to be configured manually.
4. If addresses do not conflict, the link-local address takes effect. The host then connects to
the network and communicates with the local node.
5. The host either sends an RS message or receives RA messages devices periodically send.
6. The host obtains the IPv6 address based on the prefixes carried in the RA message and
the interface ID.
Default Router Priority and Route Information Discovery
If there are multiple devices on the network where hosts reside, hosts need to select
forwarding devices based on the destination address of the packet. In such a case, devices
advertise default router priorities and route information, which allows hosts to select the
optimal forwarding device based on the packet destination address.
The fields of default router priority and route information are defined in an RA message.
These two fields enable hosts to select the optimal forwarding device.
After receiving an RA message containing route information, hosts update their routing
tables. When sending packets to other devices, hosts check the routing table and select the
optimal route.
When receiving an RA message carrying default router priorities, hosts update their default
router lists. When sending packets to other devices, hosts select the device with the highest
priority to forward packets from the router list. If the selected router does not work, hosts
select the subsequent device in descending order of priority.
Redirection
To choose an optimal gateway device, the gateway device sends a Redirection message to
notify the sender that another gateway device can send packets. Redirection messages are
contained within ICMPv6 messages and have a Type field value of 137. They carry a better
next hop address and destination address for packets that need to be redirected.
Figure 8-14 shows an example of packet redirection.
IPv6 packet
Host A needs to communicate with Host B. By default, Router A sends packets from Host A
to Host B. After receiving packets from Host A, Router A discovers that sending packets
directly to Router B is more efficient. Router A sends a Redirection message carrying the
destination address of Host B to Host A to notify Host A that Router B is a better next hop
address. After receiving the Redirection message, Host A adds a host route to the default
routing table. Packets sent to Host B will be sent directly to Router B.
A device sends a Redirection message in the following situations:
l The destination address of the packet is not a multicast address.
l Packets are not forwarded to the device through routing.
l After route calculation, the outbound interface of the next hop is the interface that
receives the packets.
l The device discovers that a better next hop IP address of the packet is on the same
network segment as the source IP address of the packet.
l After checking the source address of the packet, the device discovers a neighboring
device in the neighbor entries using this address as the global unicast address or the link-
local unicast address.
The PMTU protocol is implemented through ICMPv6 Packet Too Big messages. A source
node first uses the MTU of its outbound interface as the PMTU and sends a probe packet. If a
smaller PMTU exists on the transmission path, the transit device sends a Packet Too Big
message to the source node. The Packet Too Big message contains the MTU value of the
outbound interface on the transit device. After receiving this message, the source node
changes the PMTU value to the received MTU value and sends packets based on the new
MTU. This process repeats until packets are sent to the destination address. The source node
obtains the PMTU of the destination address.
Packet received
Path MTU=1300
Packets are transmitted through four links with MTU values of 1500, 1500, 1400, and 1300
bytes. Before sending a packet, the source node fragments the packet based on a PMTU of
1500. When the packet is sent to the outbound interface with MTU 1400, the device returns a
Packet Too Big message carrying MTU 1400. The source node then fragments the packet
based on MTU 1400 and sends the fragmented packet again. The process repeats when the
packet based on MTU 1400 is sent to the outbound interface with MTU 1300, the device
returns another Packet Too Big message that carries MTU 1300. The source node receives the
message and fragments the packet based on MTU 1300. In this way, the source node sends the
packet to the destination address and discovers the PMTU of the transmission path.
NOTE
IPv6 allows a minimum MTU of 1280 bytes. Therefore, the PMTU must be greater than 1280 bytes.
PMTU of 1500 bytes is recommended.
License Support
IPv6 functions are basic function of routers and can be obtained without licenses.
Context
A global unicast address is similar to an IPv4 public address and provided for the Internet
Service Provider (ISP). A global unicast address can be generated by either of the following
methods:
l Generated in EUI-64 format: An IPv6 global unicast address in EUI-64 format contains a
manually configured prefix and an automatically generated interface identifier.
l Configured manually: You can manually configure an IPv6 global unicast address.
NOTE
l You can configure an interface with multiple global unicast addresses with different network
prefixes.
l Manually configured global unicast addresses have a higher priority than automatically generated
ones. Manually configured addresses can overwrite automatically generated ones with the same
prefix. The overwritten automatically generated addresses do not take effect even if manually
configured addresses are deleted. A device needs to generate a new global unicast address based on
the IP prefix carried in the received RA packet.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipv6
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
ipv6 enable
Step 5 Run either of the following commands to configure an IPv6 global unicast address for an
interface:
l Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
----End
Context
Link-local addresses are used in neighbor discovery or stateless autoconfiguration. An IPv6
link-local address is generated by either of the following methods:
l Generated automatically: A device automatically generates a link-local address for an
interface based on the link-local prefix (FE80::/10) and link layer address of the
interface.
l Configured manually: You can manually configure an IPv6 link-local address for an
interface.
NOTE
l Each interface can be configured with only one link-local address. To prevent link-local address
conflict, automatically generated link-local addresses are recommended. After an interface is
configured with an IPv6 global unicast address, it automatically generates a link-local address.
l Manually configured link-local addresses have a higher priority than automatically generated ones.
Manually configured addresses can overwrite automatically generated ones, but automatically
generated addresses cannot overwrite manually configured ones. If manually configured addresses
are deleted, the automatically generated ones that were previously overwritten take effect again.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
interface interface-type interface-number
----End
Pre-configuration Tasks
Before setting rate limit for sending ICMPv6 error packets, complete the following task:
Procedure
l Control ICMPv6 error messages in the system view.
a. Run:
system-view
e. Run:
undo ipv6 icmp hop-limit-exceeded send
The interface is disabled from sending ICMPv6 Hop Limit Exceeded messages.
By default, the function of sending ICMPv6 Hop Limit Exceeded messages
configured globally also takes effect on an interface.
----End
Procedure
Step 1 Run:
system-view
----End
NOTE
After the IPv6 function is enabled on the industrial switch router, the industrial switch router
automatically implements address resolution, DAD, and redirection. Neighbor unreachability detection,
router/prefix discovery, and address autoconfiguration need to be manually configured. You can also
configure the industrial switch router to send RA packets to enable router/prefix discovery and address
autoconfiguration, and enable the automatic detection of ND entries to check whether neighbors are
reachable.
After the automatic detection of ND entries is enabled on the industrial switch router, the
industrial switch router can send NS packets to check whether neighbors are reachable before
aging ND entries. If neighbors are reachable, the industrial switch router updates ND entries;
otherwise, the industrial switch router ages ND entries.
You can enable the industrial switch router to send RA packets. After receiving the RA
packets, network nodes perform address autoconfiguration and router/prefix discovery based
on the prefix and other configuration information contained in RA packets.
After the preceding configurations are complete, NDP functions work properly. You can also
adjust ND parameters based on service requirements.
Procedure
Step 1 Run the following commands to enable NDP functions to work properly.
1. Run:
system-view
To configure neighbor discovery on a subinterface, you need to run the ipv6 nd ns multicast-enable
command to enable the subinterface to send NS multicast packets.
Step 2 (Optional) After completing the preceding steps, adjust ND parameters to meet service
requirements.
Run the following commands in the system view.
Run:
quit
The hop limit for IPv6 unicast packets initially sent by a device is set.
By default, the IPv6 unicast packets initially sent by a device can travel a maximum of
64 hops.
l In the system view, run:
ipv6 nd stale-timeout timeout-value
RA messages are configured not to carry the default prefix generated based on the
interface IPv6 address.
By default, RA messages carry the default prefix generated based on the interface IPv6
address.
l Run:
ipv6 nd ra prefix ipv6-address prefix-length valid-lifetime preferred-
lifetime [ no-autoconfig ] [ off-link ]
The other configuration flag (O flag) for stateful autoconfiguration in RA packets is set.
By default, the O flag in an RA packet is not set.
l Run:
ipv6 nd nud reachable-time value
The number of times NS packets are sent when the system performs DAD is set.
By default, the number of times NS packets are sent when the system performs DAD is
1.
----End
Procedure
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information about a specified interface.
l Run the display ipv6 neighbors [ ipv6-address | [ vid vid ] interface-type interface-
number | vpn-instance vpn-instance-name ] command to check information about
neighbor entries.
Pre-configuration Tasks
l 8.5 Configuring IPv6 Addresses for Interfaces
Context
Generally, PMTU is dynamically negotiated according to the IPv6 MTU value of an interface.
In special situations, to protect devices on the network and avoid attacks from large-sized
packets, you can manually configure the PMTU to a specified destination node to control the
maximum length of packets forwarded from the device to the destination node.
NOTE
When the PMTU from the device to a specified destination node is set, the IPv6 MTU values for interfaces on
all intermediate devices cannot be smaller than the configured PMTU value. Otherwise, packets are
discarded.
Procedure
Step 1 Run:
system-view
NOTE
----End
Context
When the device functions as a source node and sends packets to a destination node, the
device dynamically negotiates the PMTU with the destination node according to the IPv6
MTU values of interfaces and fragments packets based on the PMTU. After the PMTU ages
out, the dynamic PMTU is deleted. The source node dynamically renegotiates the PMTU with
the destination node.
NOTE
When both static and dynamic PMTUs are configured, only static PMTU takes effect. Static PMTU
entries never age.
The interface MTU, IPv6 interface MTU, and PMTU are valid only for packets generated on the device,
not for packets forwarded by the host.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp ipv6 timer syn-timeout interval
Step 3 Run:
tcp ipv6 timer fin-timeout interval
----End
Context
You can set a TCP6 sliding window size to improve network performance. The sliding
window size indicates the receive or send buffer size of a TCP6 socket.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp ipv6 window window-size
By default, the receive or send buffer size of a TCP6 socket is 8 KB. The receive or send
buffer size of a TCP6 socket ranges from 1 KB to 32 KB.
----End
Context
Setting a minimum Maximum Segment Size (MSS) value for a TCP6 connection defines the
smallest TCP6 packet size, preventing Denial of Service (DoS) attacks caused by packets with
small MSS values.
Setting a maximum MSS value for a TCP6 connection defines the largest TCP6 packet size,
allowing TCP6 packets to be successfully forwarded by intermediate devices when no Path
MTU is available.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp ipv6 min-mss mss-value
By default, the minimum MSS value for a TCP6 connection is 216 bytes.
Step 3 Run:
tcp ipv6 max-mss mss-value
By default, the maximum MSS value is not configured for TCP6 connections.
NOTE
The maximum MSS value configured using the tcp ipv6 max-mss command must be greater than the
minimum MSS value configured using the tcp ipv6 min-mss command.
----End
Procedure
l Run the display tcp ipv6 status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
ipv6-address ] [ local-port local-port-number ] [ remote-ip ipv6-address ] [ remote-
port remote-port-number ] ] command to check the status of all IPv6 TCP connections.
l Run the display tcp ipv6 statistics command to check TCP6 traffic statistics.
l Run the display ipv6 [ ha ] socket [ socketype socket-type | task-id task-id socket-id
socket-id ] command to check information about a specified socket.
----End
Context
QoS policies take effect only for data packets. In certain cases, IPv6 control packets need to
be managed. For example, bandwidth limitation is required for the IPv6 control packets
generated by Telnet applications. The enhanced forwarding function can meet the
requirement. You can configure this function to apply QoS policies to the IPv6 control
packets generated by the device. Currently, the enhanced forwarding function is valid only for
the IPv6 control packets generated by the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipv6 soft-forward enhance enable
The enhanced forwarding function for IPv6 control packets generated by the device is
enabled.
By default, the enhanced forwarding function is enabled for IPv6 control packets generated by
the device.
The DSCP priority of IPv6 control packets generated by the device is configured
based on the protocol type.
– Run:
set priority acl6 acl6-number dscp dscp-value
The DSCP priority of IPv6 control packets generated by the device is configured
based on the ACL rule.
You can configure the DSCP priority of BGP4+, IPv6 DNS, ICMPv6, IPv6 SNMP, IPv6
SSH, IPv6 Telnet and IPv6 UDP control packets based on the protocol type. To
configure the DSCP priority of other types of control packets, configure advanced ACL6
rules based on the protocol type (see Configuring an Advanced ACL6), and configure
the DSCP priority of control packets based on the ACL rule.
NOTE
If you specify the DSCP priority of IPv6 control packets based on both the protocol type and ACL rule,
the protocol type configuration takes effect preferentially.
Step 4 (Optional) Run one or more of the following commands to configure packets to support QoS
policies:
l Run:
undo control-packet-ipv6 { bgp4plus | icmpv6 | dns6 | snmp | ssh | telnet |
udp } * output car bypass or undo control-packet-ipv6 all output car bypass
IPv6 control packets generated by the device are configured to support traffic policing
function.
By default, IPv6 control packets generated by the device do not support traffic policing
function.
l Run:
IPv6 control packets generated by the device are configured to support QoS queue
functions (such as traffic shaping, congestion management, and congestion avoidance).
By default, IPv6 control packets generated by the device do not support QoS queue
functions.
l Run:
undo control-packet-ipv6 { bgp4plus | icmpv6 | dns6 | snmp | ssh | telnet |
udp } * output filter bypass or undo control-packet-ipv6 all output filter
bypass
The device is configured to discard generated IPv6 control packets when the traffic
policy and ACL-based simplified traffic policy contain the deny action.
By default, the device does not discard generated IPv6 control packets when the traffic
policy and ACL-based simplified traffic policy contain the deny action.
After this step is performed, the device discards IPv6 control packets.
----End
Follow-up Procedures
After the enhanced forwarding function is configured for IPv6 control packets, you can only
make QoS policies take effect for the control packets. To implement differentiated services for
control packets, configure QoS policies. For details, see Huawei AR Series IOT Gateway
Configuration Guide - QoS.
Context
IPv6 statistics cannot be restored after being cleared. Therefore, exercise caution before
clearing IPv6 statistics.
Procedure
l Run the reset ipv6 statistics command in the user view to clear IPv6 traffic statistics.
l Run the reset tcp ipv6 statistics command in the user view to clear TCP6 statistics.
l Run the reset udp ipv6 statistics command in the user view to clear UDP6 statistics.
l Run the reset ipv6 pathmtu [ vpn-instance vpn-instance-name ] { all | dynamic |
static } command in the user view to clear PMTU entries.
l Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type
interface-number] | interface-type interface-number [ dynamic | static ] } command in
the user view to clear IPv6 neighbor entries.
----End
Context
You can run the following commands in any view to check IPv6 running status.
Procedure
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information about a specified interface.
l Run the display ipv6 statistics [ interface interface-type interface-number ] command
to check IPv6 traffic statistics.
l Run the display icmpv6 statistics [ interface interface-type interface-number ]
command to check ICMPv6 traffic statistics.
l Run the display tcp ipv6 statistics command to check IPv6 TCP traffic statistics.
l Run the display ipv6 neighbors [ ipv6-address | [ vid vid ] interface-type interface-
number | vpn-instance vpn-instance-name ] command to check neighbor entries.
l Run the display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all |
dynamic | static } command to check all PMTU entries.
----End
Networking Requirements
As shown in Figure 8-16, RouterA and RouterB are connected using GE1/0/0. RouterA and
RouterB need to establish a neighbor relationship, and RouterB can obtain an IPv6 address
using the neighbor discovery function.
GE1/0/0 GE1/0/0
fc01::1/64
RouterA RouterB
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IPv6 forwarding function on RouterA and configure an IPv6 address for
RouterA so that RouterA can forward IPv6 packets.
2. Configure RouterA to send RA packets and allow GE1/0/0 of RouterB to automatically
configure an IPv6 address based on the route prefix carried in the received RA packets.
Procedure
Step 1 Configure RouterA.
# Configure an IPv6 address for GE1/0/0 of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc01::1/64
[RouterA-GigabitEthernet1/0/0] quit
----End
Configuration File
l RouterA configuration file
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address fc01::1/64
undo ipv6 nd ra halt
#
return
9 DHCPv6 Configuration
This section describes how to configure the DHCPv6 function. Currently, the industrial switch
router can function as the DHCPv6 server, DHCPv6 PD server, DHCPv6 relay, DHCPv6
client, and DHCPv6 PD client.
When the DHCPv6 PD client function is configured on the device, the device dynamically
obtains IPv6 address prefix and other network configuration parameters from the DHCPv6
PD server.
9.11 Maintaining DHCPv6
Maintaining DHCPv6 includes monitoring the running status of the DHCPv6 relay agent,
clearing DHCPv6 packet statistics, and resetting the status of the IPv6 address pool.
9.12 Configuration Examples
This section provides DHCPv6 configuration examples including networking requirements
and configuration roadmap.
Definition
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is designed to assign IPv6
addresses, prefixes, and other network configuration parameters to hosts.
Purpose
The IPv6 protocol provides huge address space formed by 128-bit IPv6 addresses that require
proper and efficient assignment and management policies. IPv6 stateless address
autoconfiguration is widely used. Hosts configured with the stateless address
autoconfiguration function automatically configure IPv6 addresses based on prefixes carried
in Route Advertisement (RA) packets sent from a neighboring device.
When stateless address autoconfiguration is used, devices do not record IPv6 addresses of
hosts. Therefore, stateless address autoconfiguration has poor manageability. In addition,
hosts configured with stateless address autoconfiguration cannot obtain other configuration
parameters such as the DNS server address. Internet service providers (ISPs) do not provide
instructions for automatic allocation of IPv6 prefixes for devices. Therefore, users need to
manually configure IPv6 addresses for devices during IPv6 network deployment.
DHCPv6 solves this problem. DHCPv6 is a stateful protocol for configuring IPv6 addresses
automatically.
Compared with manual address configuration and IPv6 stateless address autoconfiguration
that uses network prefixes in RA packets, DHCPv6 has the following advantages:
l Controls IPv6 address assignment better. A DHCPv6 device can record addresses
assigned to hosts and assign requested addresses. This function facilitates network
management.
l Assigns IPv6 address prefixes to network devices. This function facilitates automatic
configuration and hierarchical network management.
l Provides other network configuration parameters such as the DNS server address.
9.2 Principles
This section describes the implementation of DHCPv6.
DHCPv6 Architecture
Figure 9-1 shows the DHCPv6 architecture.
IPv6
Network
DHCPv6 Relay
DHCPv6 Clients
DHCPv6 Server
l DHCPv6 client
A DHCPv6 client applies to a DHCPv6 server for IPv6 addresses, prefixes, and network
configuration parameters to complete its address configuration.
l DHCPv6 relay
A DHCPv6 relay agent relays DHCPv6 packets between a DHCPv6 client and a
DHCPv6 server to help the DHCPv6 client complete its address configuration.
Generally, a DHCPv6 client communicates with a DHCPv6 server through the link-local
multicast address to obtain IPv6 addresses, prefixes, and other network configuration
parameters. If a DHCPv6 server and a DHCPv6 client are on different links, a DHCPv6
relay agent is required to forward DHCPv6 packets. In this case, you do not need to
deploy a DHCPv6 server on each link, which saves costs and facilitates centralized
management.
A DHCPv6 relay agent is optional. If a DHCPv6 client and a DHCPv6 server are on the
same link or a DHCPv6 client communicates with a DHCPv6 server in unicast mode to
complete address allocation or information configuration, you do not need to deploy a
DHCPv6 relay agent. A DHCPv6 relay agent is required only when a DHCPv6 client
and a DHCPv6 server are located on different links or a DHCPv6 client cannot
communicate with a DHCPv6 server in unicast mode.
l DHCPv6 server
A DHCPv6 server processes requests of address allocation, address lease extension, and
address release from a DHCPv6 client or a DHCPv6 relay agent, and assigns IPv6
addresses and other network configuration parameters to the DHCPv6 client.
– A DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique
DUID. DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6
clients use DUIDs to identify DHCPv6 servers.
– The DUIDs of a DHCPv6 client and a DHCPv6 server are carried in the Client
Identifier option and the Server Identifier option respectively. The Client Identifier
option and the Server Identifier option have the same format and are distinguished
by the option-code field value.
l Identity association (IA)
– An IA enables a DHCPv6 server and a DHCPv6 client to identify, group, and
manage IPv6 addresses. Each IA consists of an identity association identifier
(IAID) and associated configuration information.
– A DHCPv6 client must associate at least one IA with each of its network interfaces
for which the DHCPv6 client requests IPv6 addresses from a DHCP server. The
DHCPv6 client uses IAs associated with network interfaces to obtain configuration
information from a DHCPv6 server. Each IA must be associated with at least one
interface.
– The IAID identifies an IA, and IAIDs on the same DHCPv6 client must be unique.
The IAID is not lost or changed because of factors such as DHCPv6 client reboot.
– The configuration information in an IA consists of one or more IPv6 addresses
along with the lifetimes T1 and T2. Each address in an IA has a preferred lifetime
and a valid lifetime.
– An interface must be associated with at least one IA; an IA can contain information
about one or more addresses.
msg-type 1 byte Indicates the packet type. The value ranges from 1 to 13. For
details, see the DHCPv6 Packet Type.
transaction- 3 bytes Identifies packet transaction between DHCPv6 clients and servers.
ID For example, a DHCPv6 client initiates a Solicit/Advertise
transaction or a Request/Reply transaction. Their transaction IDs
are different. Transaction IDs have the following characteristics:
l The transaction ID is randomly generated by a DHCPv6 client.
l Transaction IDs of request and reply packets must be the same.
l The transaction ID of a packet initiated by a DHCPv6 server is
0.
Options Variabl Indicates the option field in a DHCPv6 packet. The option field
e contains configurations that the DHCPv6 server assigns to IPv6
hosts, such as the IPv6 address of the DNS server.
DHCPv6 DHCPv6
Client Server
(1)Solicit
(2)Advertise
(3)Request
(4)Reply
1. A DHCPv6 client sends a Solicit packet to request a DHCPv6 server to allocate IPv6
addresses and network configuration parameters.
2. If the DHCPv6 server does not support fast address allocation, the DHCPv6 server
returns an Advertise packet containing the allocated addresses and network configuration
parameters regardless of whether the Solicit packet contains the Rapid Commit option.
3. If receiving Advertise packets from multiple DHCPv6 servers, the DHCPv6 client
selects the DHCPv6 server with the highest priority and sends Request multicast packets
to all DHCPv6 servers. The Request multicast packets carry the DUID of the selected
DHCPv6 server.
4. The DHCPv6 server responds with a Reply packet that contains the addresses and
network configuration parameters allocated to the client.
Two-message exchange applies to a network where only one DHCPv6 server is available. A
DHCPv6 client multicasts a Solicit packet to locate the DHCPv6 server that can allocate
addresses and configuration parameters. After receiving the Solicit packet, the DHCPv6
server responds with a Reply packet carrying addresses and configuration parameters
allocated to the DHCPv6 client.
This packet exchange improves address allocation efficiency. On the network where multiple
DHCPv6 servers are available, multiple DHCPv6 servers can allocate addresses to DHCPv6
clients and respond with Reply packets. The DHCPv6 clients, however, use the addresses and
configuration parameters allocated by one DHCPv6 server. To prevent the preceding situation,
the administrator can configure only one DHCPv6 server to support two-message exchange.
l If a DHCPv6 server is configured with two-message exchange and the Solicit packet
from a DHCPv6 client contains the Rapid Commit option, the DHCPv6 server allocates
IPv6 addresses and configuration parameters in two-message exchange mode.
l If a DHCPv6 server does not support fast address allocation, the DHCPv6 server
allocates IPv6 addresses and other network configuration parameters to clients using
four-message exchange.
Figure 9-4 shows the process of address allocation using two-message exchange.
DHCPv6 DHCPv6
Client Server
(2)Reply
1. A DHCPv6 client sends a Solicit packet carrying the Rapid Commit option, indicating
that the DHCPv6 client requires fast address allocation and network configuration
parameters from a DHCPv6 server.
2. DHCPv6 server receives the Solicit message, it will processed as follows:
– If the DHCPv6 server supports fast address allocation, it returns a Reply packet and
allocates IPv6 addresses and other network configuration parameters to the
DHCPv6 client.
– If the DHCPv6 server does not support fast address allocation, the DHCPv6 server
uses four-message exchange to allocate IPv6 addresses, prefixes, and other network
configuration parameters.
Information-request:
includes an Option Request option
Reply:
includes the requested options
device. In this way, you do not need to configure IPv6 prefixes for user-side links on the
downstream device. The downstream device divides the obtained prefix (the length of the
obtained prefix is smaller than 64 bits) into 64-bit prefix of subnet segments and sends a
Route Advertisement (RA) packet on the link that IPv6 hosts directly connect to. This enables
hosts to automatically configure addresses, completing IPv6 network deployment.
Router A Router B
DHCPv6 PD Client
DHCPv6 PD Server
1. A DHCPv6 PD client sends a Solicit packet, requesting an IPv6 address prefix from a
DHCPv6 PD server.
2. If the DHCPv6 PD server does not support fast address allocation, the DHCPv6 PD
server returns an Advertise packet containing the allocated address prefixes regardless of
whether the Solicit packet contains the Rapid Commit option.
3. If receiving Advertise packets from multiple DHCPv6 PD servers, the DHCPv6 PD
client selects the DHCPv6 PD server with the highest priority and sends a Request
packet to this DHCPv6 PD server to request address prefixes.
4. The DHCPv6 PD server responds with a Reply packet to assign an IPv6 address prefix to
the DHCPv6 PD client.
DHCPv6 PD also supports two-message exchange using packets carrying the Rapid Commit
option. For details, see DHCPv6 Two-Message Exchange
Figure 9-7 shows the working process of a DHCPv6 relay agent. A DHCPv6 client sends
packets to a DHCPv6 server through a DHCPv6 relay agent to obtain IPv6 addresses,
prefixes, and other network configuration parameters, such as IPv6 addresses of DNS servers.
(2)Relay-forward
(3)Relay-reply
DHCPv6 DHCPv6
Client Server
(1)Renew
T1
(2)Reply
1. A DHCPv6 client sends a Renew packet to request to update the address lease at T1 (the
recommended value of T1 is half the preferred lifetime).
2. A DHCPv6 server responds with a Reply packet.
– If the DHCPv6 client can continue to use the address, the DHCPv6 server responds
with a Reply packet indicating that the address lease is extended successfully. In
addition, the DHCPv6 server informs the DHCPv6 client that the address lease is
updated successfully.
– If the DHCPv6 client cannot use the address, the DHCPv6 server responds with a
Reply packet indicating that address lease extension fails. In addition, the DHCPv6
server informs the DHCPv6 client that the DHCPv6 client cannot obtain a new
address lease.
Figure 9-9 shows the process of updating the address lease at T2.
DHCPv6 DHCPv6
Client Server
(1)Renew
T1
(2)Rebind
T2
(3)Reply
1. A DHCPv6 client sends a Renew packet to request to update the address lease at T1, but
does not receive a response packet from a DHCPv6 server.
2. The DHCPv6 client multicasts a Rebind packet to all the DHCPv6 servers to request
them to update the address lease at T2 (the recommended value of T2 is 0.8 times the
preferred lifetime).
3. A DHCPv6 server responds with a Reply packet.
– If the DHCPv6 client can continue to use the address, the DHCPv6 server responds
with a Reply packet indicating that the address lease is extended successfully. In
addition, the DHCPv6 server informs the DHCPv6 client that the address or prefix
lease is updated successfully.
– If the DHCPv6 client cannot use the address, the DHCPv6 server responds with a
Reply packet indicating that address lease extension fails. In addition, the DHCPv6
server informs the DHCPv6 client that the DHCPv6 client cannot obtain a new
address lease.
If the DHCPv6 client does not receive a response packet from the DHCPv6 server, the
DHCPv6 client stops using this address after the valid lifetime is reached.
IP Address Reservation
The DHCPv6 server supports reserved IPv6 addresses that cannot be dynamically allocated.
For example, an IPv6 address can be reserved for a DNS server.
9.3 Applications
This section describes the applicable scenario of DHCPv6.
The device functions as the DHCPv6 server to assign IPv6 addresses to clients. The DHCPv6
client applies to the DHCPv6 server for configurations including an IPv6 address and DNS
server address. The DHCPv6 server replies with related configurations according to policies.
The DHCPv6 server assigns a complete IPv6 address to a host and provides other
configuration parameters such as the DNS server address. The DHCPv6 server also provides
stateless DHCPv6 services. That is, the DHCPv6 server does not assign IPv6 addresses but
provides hosts with configuration parameters such as the DNS server address and domain
name. Hosts automatically configure IPv6 addresses based on RA messages. This overcomes
the limitations of IPv6 stateless address autoconfiguration.
RouterB RouterA
The device functions as the DHCPv6 PD server to assign IPv6 address prefixes to DHCPv6
PD clients.
Internet
The device functions as a DHCPv6 relay agent, the client can communicate with a DHCPv6
server on another network segment through the DHCPv6 relay agent, and obtain an IPv6
address and other configuration parameters from the global address pool on the DHCP server.
In this manner, DHCPv6 clients on multiple network segments can share one DHCPv6 server.
This reduces costs and facilitates centralized management.
RouterA
DHCPv6 Client
RouterC
DHCPv6 Server
RouterB
DHCPv6 Client
When the DHCPv6 client function is configured on the device, the device dynamically
obtains IPv6 addresses and other network configuration parameters from the DHCPv6 server.
This operation facilitates user configurations and centralized management.
Router A Router B
GE0/0/1
GE0/0/1
DHCPv6 PD Client
DHCPv6 PD Server
The DHCPv6 PD client function is configured on the device, the device dynamically obtains
IPv6 addresses and other network configuration parameters from the DHCPv6 PD server.
This operation facilitates user configurations and centralized management. The device divides
the obtained IPv6 prefix (the length of the obtained prefix is smaller than 64 bits) into 64-bit
prefix of subnet segments and sends an RA message on the link that hosts directly connect to.
The RA message contains 64-bit prefix of subnet segments. This enables hosts to
automatically configure addresses.
License Support
DHCPv6 is a basic feature of the device and is not under license control.
Pre-configuration Tasks
Before configuring the DHCPv6 server, complete the following tasks:
l Ensuring that the link between the DHCPv6 client and the industrial switch router works
properly and the DHCPv6 client can communicate with the industrial switch router
l (Optional) In the scenario where the DHCPv6 relay exists, configuring the route between
the industrial switch router and DHCPv6 relay agent or client
Configuration Process
The configuration tasks are performed in sequence.
Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 Run the commands in the IPv6 address pool view to configure the network prefix.
When functioning as a DHCPv6 server, the device supports the DHCPv6 stateful mode and
DHCPv6 stateless mode to assign network parameters to clients. In DHCPv6 stateful mode,
the DHCPv6 server automatically provides IPv6 addresses, prefixes, and other network
configuration parameters, such as DNS, NIS, and SNTP server addresses. In DHCPv6
stateless mode, the DHCPv6 server does not provide IPv6 addresses but provides other
configuration parameters about the DNS, NIS, and SNTP servers. IPv6 addresses for clients
are still generated based on Route Advertisement (RA) packets.
l When the DHCPv6 service needs to automatically assign network parameters in
DHCPv6 stateful mode, run the address prefix ipv6-prefix/ipv6-prefix-length [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite } ] command to configure
network prefixes and lifetimes in the IPv6 address pool view.
By default, no network prefix and lifetime are configured in the address pool view.
l When the DHCPv6 service needs to automatically assign network parameters in
DHCPv6 stateless mode, run the link-address ipv6-prefix/ipv6-prefix-length command
to configure networks prefixes in the IPv6 address pool view.
By default, no network prefix is configured in the IPv6 address pool view.
The DHCPv6 server determines the clients on network segments to which the server
assigns network configuration parameters from an address pool based on the configured
network prefixes.
Step 4 (Optional) Run:
static-bind address ipv6-address duid client-duid [ iaid iaid ] [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite } ]
The range of the IPv6 addresses that cannot be automatically assigned is specified in the IPv6
address pool. If only one IPv6 address is not automatically assigned, you can specify only the
value of start-ipv6-address.
By default, all IPv6 addresses in the address pool can be automatically assigned to clients.
Step 6 (Optional) Run:
information-refresh time
The time is configured for updating configuration parameters assigned to clients through
stateless DHCPv6 address autoconfiguration.
By default, the time for updating IPv6 address pool configuration is 86400s (24 hours).
Step 7 (Optional) Run:
capwap-ac ipv6-address
In the AC+Fit AP scenario, the AC needs to establish connections with APs. The device
functioning as a DHCPv6 server can specify the AC's IPv6 address for an AP. The AP then
can connect to the specified AC. If the AC and AP are located in the same network segment,
this step is optional because the AP will send a broadcast packet to automatically discover the
AC. If the AC and AP are located in different network segments, this step is mandatory.
----End
Context
To successfully connect DHCPv6 clients to the Internet, the DHCPv6 server needs to specify
network service configurations such as the DNS server address and SIP server address when
assigning IPv6 addresses to the clients. The DHCPv6 server dynamically allocates carrier-
assigned configurations such as the DNS server address and SIP server address to DHCPv6
clients.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcpv6 pool pool-name
An IPv6 address pool is created and the address pool view is displayed.
Step 3 In the IPv6 address pool view, you can run one or multiple following commands to configure
network server addresses.
l Run dns-server ipv6-address command to configure the DNS server address for the
DHCPv6 address pool.
l Run dns-domain-name dns-domain-name command to configure the DNS domain
name suffix allocated by the DHCPv6 server to the client.
l Run sip-server ipv6-address command to configure the SIP server IPv6 address for the
DHCPv6 address pool.
l Run sip-domain-name sip-domain-name command to configure the SIP domain name
suffix allocated by the DHCPv6 server to the client.
l Run nis-server ipv6-address command to configure the NIS server IPv6 address for the
DHCPv6 address pool.
l Run nis-domain-name nis-domain-name command to configure the NIS domain name
suffix allocated by the DHCPv6 server to the client.
l Run nisp-server ipv6-address command to configure the NISP server IPv6 address for
the DHCPv6 address pool.
l Run nisp-domain-name nisp-domain-name command to configure the NISP domain
name suffix allocated by the DHCPv6 server to the client.
l Run sntp-server ipv6-address command to configure the SNTP server IPv6 address for
the DHCPv6 address pool.
By default, DNS, SIP, NIS, NISP, and SNTP server addresses are not configured for the IPv6
address pool.
----End
Context
DHCPv6 provides various options. To use these options, add them to the attribute list of the
DHCPv6 server manually. If the DHCPv6 server is configured with the vendor-defined
Option field, the client can obtain the configuration information in the Option field of the
DHCPv6 reply packet from the server when a DHCPv6 client applies for an IPv6 address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcpv6 pool pool-name
An IPv6 address pool is created and the address pool view is displayed.
Step 3 Run:
vendor-specific vendor-id
Vendor-defined options are configured for the IPv6 address pool and the vendor-defined mode
view is displayed.
vendor-id indicates the vendor identifier ID, which is assigned by the IANA. The identifier ID
of Huawei is 2011.
Step 4 Run:
suboption suboption-code { address ipv6-address &<1-4> | ascii ascii-string |
hex hex-string }
----End
Context
When the device functions as a DHCPv6 or DHCPv6 PD server, you can configure the
DHCPv6 data saving function to prevent data loss caused by device faults. After the DHCPv6
data saving function is enabled, the device periodically saves DHCPv6 data. The data includes
the last data recording time, address pool name, client DUID, IAID, address and prefix bound
to the client DUID and IAID, conflicted address, and address detection time.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcpv6 server database url [ write-delay interval ]
You can specify write-delay to modify the DHCPv6 data saving interval. By default, the
device saves DHCPv6 data every 86400 seconds.
----End
Context
When the device functions as a DHCPv6 server, the DHCPv6 server function can be enabled
in the system view or interface view.
l Enable the DHCPv6 server function in the interface view.
Enable the DHCPv6 server function and specify the IPv6 address pool on the interface
that connects the device to the DHCPv6 clients. After receiving the DHCPv6 request
packets sent by the clients from the interface, the device assigns configuration
parameters such as IPv6 addresses or DNS server addresses to the DHCPv6 clients from
the IPv6 address pool bound to the interface.
– If the DHCPv6 server and DHCPv6 clients are in the same link scope (that is, no
DHCPv6 relay exists), configuration parameters such as IPv6 addresses or DNS
server addresses are assigned to the DHCPv6 clients on the interface of the
DHCPv6 server.
– If the DHCPv6 server and DHCPv6 clients are in different link scopes (that is, a
DHCPv6 relay exists), configuration parameters such as IPv6 addresses or DNS
server addresses are assigned to the DHCPv6 clients in one network segment
connected to the DHCPv6 relay.
NOTE
l If the DHCPv6 server function is enabled in the system view, the configuration information takes
effect on all interfaces of the device.
l If the DHCPv6 server function is enabled concurrently in the system view and interface view, the
configuration in the interface view takes precedence over that in the system view.
Procedure
l Enable the DHCPv6 server function in the interface view.
a. Run:
system-view
f. Run:
ipv6 address { ipv6-address prefix-length |ipv6-address/prefix-length }
When functioning as a DHCPv6 server, the device may be configured with multiple
IPv6 address pools. After receiving the DHCPv6 request packets, the DHCPv6
server chooses the IPv6 address pool based on the following rules:
n If a relay exists, the server chooses the address pool that belongs to the same
link scope with the configured network prefix (using the link-address
command) or IPv6 address prefix (using the address prefix command) based
on the first link-address field that is not 0. The link-address field identifies the
link scope of the DHCPv6 clients.
n If no relay exists, the device that functions as the DHCPv6 server only assigns
configuration parameters to clients in DHCPv6 stateless mode. This indicates
that the DHCPv6 server only assigns configuration parameters excluding IPv6
addresses and including DNS, NIS, and SNTP servers, and the IPv6 addresses
for clients are automatically generated based on the Route Advertisement (RA)
packets. To enable the DHCPv6 server to assign network parameters in
DHCPv6 stateful mode, enable the DHCPv6 server function in the interface
view.
----End
Follow-up Procedure
For clients (such as PCs) that automatically obtain IPv6 addresses based on IPv6 RA packets
by default, flags in RA messages need to be configured on the client gateways so that the
clients can obtain IPv6 addresses using DHCPv6.
l When the DHCPv6 relay does not exist and the device function as the client gateway:
a. Run:
system-view
Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.
After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.
Procedure
Step 1 Run:
system-view
DHCP is enabled.
By default, DHCP is disabled.
Step 3 Run:
dhcpv6 packet-rate packet-rate
Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.
By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.
Step 4 Run:
dhcpv6 packet-rate drop-alarm enable
A alarm threshold for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold is set.
By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.
----End
Procedure
l Run the display dhcpv6 duid command to check the DUID of the DHCPv6 device on
the network.
l Run the display dhcpv6 pool pool-name [ allocated { address | prefix } | binding
[ duid ] | conflict address | ipv6-address | ipv6-prefix/prefix-length ] command to check
IPv6 address pool configurations.
l Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
interface-number ] ] command to check information about the DHCPv6 server function.
----End
Pre-configuration Tasks
Before configuring the DHCPv6 PD server, complete the following tasks:
l Ensuring that the link between the DHCPv6 client and the industrial switch router works
properly and the DHCPv6 client can communicate with the industrial switch router
l (Optional) In the scenario where the DHCPv6 relay exists, configuring the route between
the industrial switch router and DHCPv6 relay agent or client
Configuration Logic
The configuration tasks are performed in sequence.
Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.
Procedure
Step 1 Run:
system-view
----End
Context
IPv6 PD address pool refers to an IPv6 address pool used by a DHCPv6 server to assign IPv6
address prefixes to DHCPv6 clients.
Procedure
Step 1 Run:
system-view
An IPv6 PD address pool is created and the address pool view is displayed.
By default, no IPv6 PD address pool is created on the device.
Step 3 Run:
prefix-delegation ipv6-prefix/ipv6-prefix-length assign-prefix-length [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite }]
An IPv6 address prefix agent is statically bound to the DHCPv6 PD client in the address pool
view.
By default, no IPv6 address prefix agent is bound to the DHCPv6 PD client.
To statically assign specified IPv6 address prefixes to some specific clients, specify the
mapping between IPv6 address prefixes and client DUIDs. When such a client requests an
IPv6 address from the DHCPv6 PD server, the device functioning as the DHCPv6 PD server
assigns the specified IPv6 address to the client.
Configure the specified IPv6 address prefixes to be assigned only to the clients with specified
DUIDs.
----End
Procedure
Step 1 Run:
system-view
An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 In the IPv6 address pool view, you can run one or multiple following commands to configure
network server addresses.
l Run dns-server ipv6-address command to configure the DNS server address for the
DHCPv6 address pool.
l Run dns-domain-name dns-domain-name command to configure the DNS domain
name suffix allocated by the DHCPv6 server to the client.
l Run sip-server ipv6-address command to configure the SIP server IPv6 address for the
DHCPv6 address pool.
l Run sip-domain-name sip-domain-name command to configure the SIP domain name
suffix allocated by the DHCPv6 server to the client.
l Run nis-server ipv6-address command to configure the NIS server IPv6 address for the
DHCPv6 address pool.
l Run nis-domain-name nis-domain-name command to configure the NIS domain name
suffix allocated by the DHCPv6 server to the client.
l Run nisp-server ipv6-address command to configure the NISP server IPv6 address for
the DHCPv6 address pool.
l Run nisp-domain-name nisp-domain-name command to configure the NISP domain
name suffix allocated by the DHCPv6 server to the client.
l Run sntp-server ipv6-address command to configure the SNTP server IPv6 address for
the DHCPv6 address pool.
By default, DNS, SIP, NIS, NISP, and SNTP server addresses are not configured for the IPv6
address pool.
----End
Context
DHCPv6 provides various options. To use these options, add them to the attribute list of the
DHCPv6 server manually. If the DHCPv6 server is configured with the vendor-defined
Option field, the client can obtain the configuration information in the Option field of the
DHCPv6 reply packet from the server when a DHCPv6 client applies for an IPv6 address.
Procedure
Step 1 Run:
system-view
An IPv6 address pool is created and the address pool view is displayed.
Step 3 Run:
vendor-specific vendor-id
Vendor-defined options are configured for the IPv6 address pool and the vendor-defined mode
view is displayed.
vendor-id indicates the vendor identifier ID, which is assigned by the IANA. The identifier ID
of Huawei is 2011.
Step 4 Run:
suboption suboption-code { address ipv6-address &<1-4> | ascii ascii-string |
hex hex-string }
----End
Context
When the device functions as a DHCPv6 or DHCPv6 PD server, you can configure the
DHCPv6 data saving function to prevent data loss caused by device faults. After the DHCPv6
data saving function is enabled, the device periodically saves DHCPv6 data. The data includes
the last data recording time, address pool name, client DUID, IAID, address and prefix bound
to the client DUID and IAID, conflicted address, and address detection time.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcpv6 server database url [ write-delay interval ]
You can specify write-delay to modify the DHCPv6 data saving interval. By default, the
device saves DHCPv6 data every 86400 seconds.
----End
Context
When the device functions as a DHCPv6 PD server, the DHCPv6 server function can be
enabled in the system view or interface view.
l Enable the DHCPv6 PD server function in the interface view.
Enable the DHCPv6 PD server function and specify the IPv6 PD address pool on the
interface that connects the device to the DHCPv6 clients. After receiving the DHCPv6
request packets sent by the clients from the interface, the device assigns configuration
parameters such as IPv6 address prefixes or DNS server addresses to the DHCPv6
clients from the IPv6 address pool bound to the interface.
– If the DHCPv6 PD server and DHCPv6 PD clients are in the same link scope (that
is, no DHCPv6 relay exists), configuration parameters such as IPv6 address prefixes
or DNS server addresses are assigned to the DHCPv6 PD clients on the interface of
the DHCPv6 PD server.
– If the DHCPv6 PD server and DHCPv6 PD clients are in different link scopes (that
is, a DHCPv6 relay exists), configuration parameters such as IPv6 address prefixes
or DNS server addresses are assigned to the DHCPv6 PD clients in one network
segment connected to the DHCPv6 relay.
NOTE
l If the DHCPv6 PD server function is enabled in the system view, the configuration information
takes effect on all interfaces of the device.
l If the DHCPv6 PD server function is enabled concurrently in the system view and interface view,
the configuration in the interface view takes precedence over that in the system view.
Procedure
l Enable the DHCPv6 PD server function in the interface view.
a. Run:
system-view
----End
Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.
After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp enable
DHCP is enabled.
Step 3 Run:
dhcpv6 packet-rate packet-rate
Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.
By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.
Step 4 Run:
dhcpv6 packet-rate drop-alarm enable
Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold
A alarm threshold for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold is set.
By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.
----End
Procedure
l Run the display dhcpv6 duid command to check the DUID of the DHCPv6 device on
the network.
l Run the display dhcpv6 pool pool-name [ allocated { address | prefix } | binding
[ duid ] | conflict address | ipv6-address | ipv6-prefix/prefix-length ] command to check
IPv6 address pool configurations.
l Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
interface-number ] ] command to check information about the DHCPv6 server function.
----End
Pre-configuration Tasks
Before configuring the DHCPv6 relay agent, complete the following tasks:
l Configuring the peer DHCPv6 server or DHCPv6 PD server
l Configuring a route from the industrial switch router to the DHCPv6 server or DHCPv6
PD server
Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcpv6 duid { ll | llt }
----End
Context
The device supports the following methods of configuring the DHCPv6 relay function:
l Configure an IPv6 address for a DHCPv6 server or next-hop relay on an interface. This
method applies to the scenario in which the peer of the DHCPv6 relay is connected to
one DHCPv6 server or next-hop relay.
l Bind a DHCPv6 server group to an interface. The detailed procedure is as follows:
Create a DHCPv6 server group in the system view, add IPv6 addresses of multiple
DHCPv6 servers or next-hop relays to the DHCPv6 server group, and specify the
DHCPv6 server group for the DHCPv6 relay on an interface. This method applies to the
scenario in which the peer of the DHCPv6 relay is connected to multiple DHCPv6
servers or next-hop relays. In this way, the DHCPv6 relay can flexibly select and
uniformly manage the DHCPv6 servers or next-hop relays.
Multiple DHCPv6 relays can be connected between the DHCPv6 client and server. If the
device functions as a DHCPv6 relay and the peer is connected to the DHCPv6 server, you
must specify the IPv6 address for the DHCPv6 server when enabling the DHCPv6 relay. If the
peer is connected to the next-hop relay, you must specify the IPv6 address for the next-hop
relay and specify the IPv6 address for the peer DHCPv6 server or next-hop relay on the next-
hop relay.
Procedure
l Configure an IPv6 address for a DHCPv6 server or next-hop relay on an interface.
a. Run:
system-view
The DHCPv6 relay function is enabled on the interface, and the IPv6 address for the
DHCPv6 server or next-hop relay is configured.
By default, the DHCPv6 relay function is disabled on an interface.
The configured IPv6 address is a global unicast address or unique local address.
The device finds the route and sends relay packets to the configured IPv6 address.
If the peer of the DHCPv6 relay is connected to multiple DHCPv6 servers or next-
hop relays, you must repeat this step. The device supports a maximum of eight
DHCPv6 servers or next-hop relays.
l Bind a DHCPv6 server group to an interface.
a. Run:
system-view
The member address of the DHCPv6 server or next-hop relay is added to the
DHCPv6 server group.
By default, no member of the DHCPv6 server or next-hop relay is configure in the
DHCPv6 server group.
If the peer of the DHCPv6 relay is connected to multiple DHCPv6 servers or next-
hop relays, you must repeat this step. The device supports a maximum of 20
DHCPv6 servers or next-hop relays.
f. Run:
quit
Procedure
Step 1 Run:
system-view
If the user-defined parameter is specified, you can define the option format using the
following defining methods:
– Keyword defining method: You can define the format according to keywords
supported by the self-defined format. For example, you can define the format as
%sysname %svlan when you need to record the name of the device that users
connect to and the outer VLAN that users belong to. If the name of the device that
users connect to is HUAWEI and the outer VLAN that users belong to is 100, the
user location information recorded in the Interface-ID option is HUAWEI 100.
[Huawei] dhcpv6 interface-id format user-defined "%sysname %svlan"
– Common character string defining method: The Interface-ID option can be defined
as a character string. For example, if all users connected to the interface are in an
office building named N8, you can define the content of the Interface-ID option as
N8.
[Huawei] dhcpv6 interface-id format user-defined "N8"
2. Run:
dhcpv6 remote-id format { default | user-defined text }
----End
Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.
After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp enable
DHCP is enabled.
Step 3 Run:
dhcpv6 packet-rate packet-rate
Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.
By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.
Step 4 Run:
dhcpv6 packet-rate drop-alarm enable
Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold
A alarm threshold for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold is set.
By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.
----End
Procedure
l Run the display dhcpv6 relay [ interface interface-type interface-number ] command to
check the interface configuration of the DHCPv6 relay agent function.
l Run the display dhcpv6 server group [ group-name ] command to check the
configuration of the DHCPv6 server group.
l Run the display dhcpv6 relay statistics [ interface interface-type interface-number ]
command to check the packet statistics of the DHCPv6 relay agent function.
----End
Pre-configuration Tasks
Before configuring the DHCPv6 client function, complete the following tasks:
l Configuring a DHCPv6 server
l Configuring the DHCPv6 relay agent as service requires
l Configuring the industrial switch router between the router and DHCPv6 relay agent or
server
Context
When the DHCPv6 client function is configured on the WAN-side Layer 3 interface or sub-
interface of the industrial switch router, the industrial switch router dynamically obtains IPv6
addresses and other configuration parameters from the DHCPv6 server. This operation
facilitates user configurations and management.
Procedure
Step 1 Configure IPv6 functions on interfaces.
1. Run:
system-view
The DHCPv6 client is enabled and stateful DHCPv6 address autoconfiguration is used to
assign an IPv6 address and other configuration parameters (IPv6 addresses of the DNS
server and SNTP server) to the client.
Or run:
dhcpv6 client information-request
The DHCPv6 client is enabled and stateless DHCPv6 address autoconfiguration is used
to assign configuration parameters (not including IPv6 addresses) to the client.
By default, stateless or stateful DHCPv6 address autoconfiguration is not used on an
interface to assign IPv6 addresses and other configuration parameters.
The service can use the two-message exchange method to assign IPv6 addresses and
other configuration parameters to clients only when two-message exchange is enabled on
the DHCPv6 clients and server. Otherwise, the server assigns IPv6 addresses and other
configuration parameters to the clients using the four-message exchange method.
To modify the DHCPv6 address autoconfiguration mode, you must disable the original
mode. For example, the DHCPv6 client is enabled to use the stateful DHCPv6 address
autoconfiguration mode to obtain an IPv6 address and other network configuration
parameters including the IPv6 addresses of the DNS and SNTP servers. To enable the
DHCPv6 client to use the stateless DHCPv6 address autoconfiguration mode to obtain
network configuration parameters (excluding IPv6 addresses), run the undo ipv6
address auto dhcp command to disable stateful DHCPv6 address autoconfiguration and
then run the dhcpv6 client information-request command to enable stateless DHCPv6
address autoconfiguration.
----End
Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.
After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp enable
DHCP is enabled.
Step 3 Run:
dhcpv6 packet-rate packet-rate
Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.
By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.
Step 4 Run:
dhcpv6 packet-rate drop-alarm enable
Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold
A alarm threshold for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold is set.
By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.
----End
Pre-configuration Tasks
Before configuring the DHCPv6 PD client function, complete the following tasks:
l Configuring a DHCPv6 PD server
l Configuring the DHCPv6 relay agent as service requires
l Configuring the industrial switch router between the router and DHCPv6 relay agent or
PD server
Context
When the WAN-side Layer 3 interface or sub-interface of the device is configured as the
DHCPv6 PD client, the client uses the DHCPv6 protocol to dynamically obtain an IPv6
address prefix from the DHCPv6 PD server. The downlink interface is bound to the obtained
IPv6 address prefix, so that the IPv6 address can be automatically generated for the user in
route advertising mode.
Procedure
Step 1 Configure the IPv6 function on the uplink interface.
1. Run:
system-view
When the DHCPv6 PD client and server are located on the same network segment, you only need
to run the ipv6 address auto link-local or ipv6 address ipv6-address link-local command to
configure the link-local address on the interface.
By default, the device generates a DUID based on the link-layer (LL) address.
3. Run:
dhcp enable
WAN-side Layer 3 interfaces and Layer 3 sub-interfaces on the industrial switch router
can work in DHCP client mode.
5. Run:
dhcpv6 client pd prefix-name [ hint ipv6-prefix/ipv6-prefix-length ] [ rapid-
commit ]
You can specify the rapid-commit parameter to set the DHCPv6 PD client to request an
IPv6 address prefix using the two-message exchange. The service can use two-message
exchange to assign IPv6 address prefix to client only when two-message exchange is
enabled on the DHCPv6 PD client and server. Otherwise, the server assigns IPv6 address
prefix to the client using the four-message exchange method.
----End
Follow-up Procedure
Bind the downlink interface to the obtained IPv6 address prefix and enable the downlink
interface to send RA packets, so that the IPv6 address can be automatically generated for the
user in route advertising mode.
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number command to enter the interface view.
3. Run the ipv6 enable command to enable the IPv6 function on the interface.
By default, the IPv6 function is disabled on an interface.
4. Run the ipv6 address auto link-local or ipv6 address ipv6-address link-local command
to automatically or manually configure the link-local address on the interface.
By default, no link-local address is configured for an interface.
5. Run the ipv6 address dhcpv6-prefix { ipv6-address prefix-length | ipv6-address/prefix-
length } command to bind the interface to the IPv6 address prefix obtained by the
DHCPv6 PD client.
By default, the interface is not bound to the IPv6 address prefix obtained by the DHCPv6
PD client.
The value of prefix-length for the IPv6 address prefix bound to the interface must be
greater than the length of the prefix obtained by the DHCPv6 PD client; otherwise, the
interface cannot generate the global unicast IPv6 address based on the bound IPv6
address prefix and record the log DHCP/4/DHCPv6_CHECK_PREFIX_LENGTH.
You can run the display dhcpv6 client prefix [ name prefix-name ] command to check
the length of the prefix obtained by the DHCPv6 PD client.
6. Run the undo ipv6 nd ra halt command to enable the interface to send RA packets.
By default, the interface is disabled from sending RA packets.
Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.
After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp enable
DHCP is enabled.
Step 3 Run:
dhcpv6 packet-rate packet-rate
Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.
By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.
Step 4 Run:
dhcpv6 packet-rate drop-alarm enable
Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold
A alarm threshold for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold is set.
By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.
----End
Procedure
l Run the display dhcpv6 statistics command to check statistics on DHCPv6 packets.
l Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
interface-number ] ] command to check information about the DHCPv6 server function.
l Run the display dhcpv6 relay [ interface interface-type interface-number ] command to
check the configuration of the interface where the DHCPv6 relay function is configured.
l Run the display dhcpv6 relay statistics [ interface interface-type interface-number ]
command to check DHCPv6 packet statistics on the DHCPv6 relay.
Context
Procedure
l Run the reset dhcpv6 server statistics [ interface interface-type interface-number ]
command to clear packet statistics of the DHCPv6 server.
l Run the reset dhcpv6 relay statistics [ interface interface-type interface-number ]
command to clear packet statistics of the DHCPv6 relay agent.
l Run the reset dhcpv6 client statistics [ interface interface-type interface-number ]
command to clear packet statistics of the DHCPv6 clients.
l Run the reset dhcpv6 statistics command to clear statistics on DHCPv6 packets.
----End
Context
When the client addresses conflict due to repeated IPv6 address assignment or IPv6 addresses
need to be re-assigned to clients based on the network plan, you can reset the status of the
IPv6 address pool. In this way, the IPv6 addresses in the address pool return to the idle state
and the clients can re-apply for these IPv6 addresses.
Procedure
l Run the reset dhcpv6 pool pool-name [ allocated { address | prefix } | binding [ duid ]
| conflict address | ipv6-address [ to ipv6-address ] | ipv6-prefix/prefix-length ]
command to clear IPv6 address pool configurations.
----End
Router B Router A
GE0/0/1 fc00:3::1/64
GE0/0/1
DHCPv6 Client DHCPv6 Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 Server function so that devices can assign IPv6 addresses using
DHCPv6.
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable
Step 5 Configure M and O flag bits of RA messages through which the DHCPv6 client learns the
route to the IPv6 gateway.
[RouterA-GigabitEthernet0/0/1] undo ipv6 nd ra halt
[RouterA-GigabitEthernet0/0/1] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet0/0/1] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] quit
# Run the display dhcpv6 pool command on the industrial switch router to check information
about the DHCPv6 address pool.
<RouterA> display dhcpv6 pool
Address prefix: FC00:3::/64
Lifetime valid 172800 seconds, preferred 86400 seconds
0 in use, 0 conflicts
Excluded-address FC00:3::1
1 excluded addresses
Information refresh time: 86400
DNS server address: FC00:3::1
Conflict-address expire-time: 172800
Active normal clients: 0
# Run the display dhcpv6 server command on the industrial switch router to check
information about the DHCPv6 server.
<RouterA> display dhcpv6 server
Interface DHCPv6 pool
GigabitEthernet0/0/1 pool1
----End
Configuration File
Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
address prefix FC00:3::/64
excluded-address FC00:3::1
dns-server FC00:3::1
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address FC00:3::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 server pool1
#
return
Networking Requirements
In Figure 9-16, the industrial switch router is required to function as a DHCPv6 PD server
and assign an IPv6 address prefix to the DHCPv6 PD client. Configure the industrial switch
router as a DHCPv6 PD server to assign IPv6 addresses and other network configuration
parameters to DHCPv6 clients. This facilitates centralized management and layered IPv6
network deployment. The DHCPv6 PD server assigns DNS server address fc00:2::1/64 to a
client. The DHCPv6 PD server and client are on the same link.
Router B Router A
GE0/0/1 fc00:1::1/64
GE0/0/1
DHCPv6 PD Client
DHCPv6 PD Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD server function so that DHCPv6 PD server can assign IPv6
address using DHCPv6.
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable
Step 5 Configure M and O flag bits of RA messages through which the DHCPv6 PD client learns the
route to the IPv6 gateway.
[RouterA-GigabitEthernet0/0/1] undo ipv6 nd ra halt
[RouterA-GigabitEthernet0/0/1] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet0/0/1] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] quit
# Run the display dhcpv6 pool command on the industrial switch router to check information
about the DHCPv6 address pool.
<Router A> display dhcpv6 pool
DHCPv6 pool: pool1
Prefix delegation: FC00:1::/60 63
Lifetime valid 172800 seconds, preferred 86400 seconds
0 in use
Information refresh time: 86400
DNS server address: FC00:2::1
Conflict-address expire-time: 172800
Active pd clients: 0
# Run the display dhcpv6 server command on the industrial switch router to check
information about the DHCPv6 server.
<Router A> display dhcpv6 server
Interface DHCPv6 pool
GigabitEthernet0/0/1 pool1
----End
Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
prefix-delegation FC00:1::/60 63
dns-server FC00:2::1
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 server pool1
#
return
M flag bit and O flag bit in RA messages allow hosts on the network to obtain IPv6 addresses
and other network configuration parameters through DHCPv6.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can implement IPv6
communication.
2. Enable the DHCPv6 relay function so that the DHCPv6 server and client on different
links can transmit packets.
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable
# Run the display dhcpv6 relay command on RouterA to check configurations of DHCPv6
relay agent.
[Router A] display dhcpv6 relay
Interface Mode Destination
------------------------------------------------------------------
GigabitEthernet1/0/0 Relay FC00:2::3
------------------------------------------------------------------
dhcpv6 server group
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total count : 0
# Run the display dhcpv6 relay statistics on RouterA to check DHCP message statistics on
the DHCPv6 relay agent.
[Router A] display dhcpv6 relay statistics
MessageType Receive Send Error
Solicit 0 0 0
Advertise 0 0 0
Request 0 0 0
Confirm 0 0 0
Renew 0 0 0
Rebind 0 0 0
Reply 0 0 0
Release 0 0 0
Decline 0 0 0
Reconfigure 0 0 0
Information-request 0 0 0
Relay-forward 0 0 0
Relay-reply 0 0 0
UnknownType 0 0 0
----End
Configuration File
Configuration file of RouterA
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
dhcpv6 relay destination FC00:2::3
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::1/64
#
return
Networking Requirements
As shown in Figure 9-18, the DHCPv6 server needs to dynamically assign IPv6 addresses to
the clients on two network segments fc00:1::/64 and fc00:2::/64, and the DHCPv6 server and
clients are in different links. The addresses fc00:1::1/64 and fc00:2::1/64 on RouterA are used
as the gateway addresses of the clients on the network segments fc00:1::/64 and fc00:2::/64.
Figure 9-18 Networking diagram for configuring a DHCPv6 relay to assign IPv6 addresses to
the clients in multiple network segments connected to the relay
DHCPv6 client DHCPv6 client
DHCPv6 Relay
RouterA
GE2/0/0 RouterB
fc00:2::1/64 DHCPv6 server
Configuration Roadmap
Configure the DHCPv6 relay function on RouterA to forward DHCPv6 packets between the
DHCPv6 server and clients so that the clients can dynamically obtain IPv6 addresses.
NOTE
The AR500&AR510&AR530 is used as an example to describe the DHCPv6 server configuration procedure.
Procedure
Step 1 Configure RouterA as the DHCPv6 relay.
# Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[Router A-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc00:1::1 64
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[Router A-GigabitEthernet2/0/0] undo portswitch
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address fc00:2::1 64
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[Router A-GigabitEthernet3/0/0] undo portswitch
[RouterA-GigabitEthernet3/0/0] ipv6 enable
[RouterA-GigabitEthernet3/0/0] ipv6 address fc00:3::1 64
[RouterA-GigabitEthernet3/0/0] quit
# Configure RouterA to function as the gateway to send the M and O flags of RA messages to
clients so that the clients can obtain IPv6 addresses through DHCPv6.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet1/0/0] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet1/0/0] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet2/0/0] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet2/0/0] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet2/0/0] quit
Step 3 Configure the DHCPv6 client (Windows 7 is used as an example of the operating system on
the PC).
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 6 (TCP/IPv6) and click Properties to display the
Internet Protocol Version 6 (TCP/IPv6) Properties window. Select Obtain an IPv6
address automatically and Obtain DNS server address automatically, and click OK.
Step 4 Verify the configuration.
# Run the display dhcpv6 relay command on RouterA to check the DHCPv6 relay
configuration.
[RouterA] display dhcpv6 relay
Interface Mode Destination
--------------------------------------------------------------------------------
GigabitEthernet1/0/0 Relay FC00:3::3
GigabitEthernet2/0/0 Relay FC00:3::3
--------------------------------------------------------------------------------
dhcpv6 server group
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total count : 0
# Run the display dhcpv6 pool command on RouterB to check the DHCPv6 address pool
configuration.
[RouterB] display dhcpv6 pool
DHCPv6 pool: pool1
Address prefix: FC00:1::/64
Lifetime valid 172800 seconds, preferred 86400 seconds
4 in use, 0 conflicts
Excluded-address FC00:1::1
1 excluded addresses
Information refresh time: 86400
Conflict-address expire-time: 172800
Active normal clients: 4
# Run the display dhcpv6 pool pool1 allocated address and display dhcpv6 pool pool2
allocated address commands on RouterB to check the assignment of IPv6 addresses in the
DHCPv6 address pool.
[RouterB] display dhcpv6 pool pool1 allocated address
Address Valid Expires Left
-------------------------------------------------------------------------------
FC00:1::2 172800 2013-09-06 03:09:02 166610
FC00:1::3 172800 2013-09-06 03:09:02 166610
FC00:1::4 172800 2013-09-06 03:09:02 166610
FC00:1::5 172800 2013-09-06 03:09:02 166610
-------------------------------------------------------------------------------
Total : 4
[RouterB] display dhcpv6 pool pool2 allocated address
Address Valid Expires Left
-------------------------------------------------------------------------------
FC00:2::2 172800 2013-09-06 03:09:02 166610
FC00:2::3 172800 2013-09-06 03:09:02 166610
-------------------------------------------------------------------------------
Total : 2
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
ipv6
dhcp enable
#
interface
GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 relay destination FC00:3::3
#
interface
GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 relay destination FC00:3::3
#
interface
GigabitEthernet3/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:3::1/64
#
return
dhcpv6 pool
pool1
address prefix
FC00:1::/64
excluded-address FC00:1::1
#
dhcpv6 pool
pool2
address prefix FC00:2::/64
excluded-address FC00:2::1
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:3::3/64
Router A Router B
GE0/0/2 GE0/0/1 fc00:1::1/64
GE0/0/1
DHCPv6 PD Client DHCPv6 PD Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD client function so that devices can obtain IPv6 address prefixes
using DHCPv6.
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable
# Configure the device to send RA messages and configure M and O flag bits.
# Run the display dhcpv6 client command on the Router A to check the DHCPv6 client
configurations.
<Router A> display dhcpv6 client
GigabitEthernet0/0/1 is in DHCPv6-PD client mode.
State is BOUND.
Preferred server DUID : 000300060819A6CDA894
Reachable via address : FE80::A19:A6FF:FECD:A897
IA PD IA ID 0x00000051 T1 43200 T2 69120
Prefix name : myprefix
Obtained : 2012-12-22 09:33:09
Renews : 2012-12-22 21:33:09
Rebinds : 2012-12-23 04:45:09
Prefix : FC00:1::/48
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2012-12-24 09:33:09(172792 seconds left)
DNS server : FC00:2::1
# Run the display dhcpv6 client statistics on the Router A to check DHCPv6 message
statistics on the DHCPv6 client.
<Router A> display dhcpv6 client statistics
Message statistics of interface GigabitEthernet0/0/1:
Message Received
Advertise 1
Reply 1
Reconfigure 0
Invalid 0
Message Sent
Solicit 1
Request 1
Confirm 0
Renew 0
Rebind 0
Release 0
Decline 0
Information-request 0
----End
Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address auto link-local
dhcpv6 client pd
myprefix
#
interface GigabitEthernet0/0/2
undo portswitch
ipv6 enable
ipv6 address auto link-local
undo ipv6 nd ra halt
ipv6 nd autoconfig other-flag
ipv6 address myprefix ::
1:0:0:0:1/64
#
return
Networking Requirements
In Figure 9-20, the industrial switch router is required to function as a DHCPv6 client and
obtain an IPv6 address and other configuration parameters from the DHCPv6 server. The
address of the DHCPv6 server is fc00:3::1/64. The DHCPv6 server and client are on the same
link.
Router A Router B
GE0/0/1 fc00:3::1/64
GE0/0/1
DHCPv6 Client DHCPv6 Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 client function so that devices can obtain IPv6 addresses using
DHCPv6.
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable
# Run the display dhcpv6 client statistics command on the Router A to check message
statistics on the DHCPv6 client.
<Router A> display dhcpv6 client statistics
Message statistics of interface GigabitEthernet0/0/1:
Message Received
Advertise 1
Reply 1
Reconfigure 0
Invalid 0
Message Sent
Solicit 1
Request 1
Confirm 0
Renew 0
Rebind 0
Release 0
Decline 0
Information-request 0
----End
Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address auto link-local
ipv6 address auto
dhcp
#
return
This chapter describes the principles, basic functions and configuration procedures of IPv6
DNS, and provides configuration examples.
Each host on the IPv6 network is identified by an IPv6 address. To access a host, a user must
obtain the host IPv6 address first. It is difficult for users to remember IPv6 addresses of hosts.
Therefore, host names in the format of strings are designed. In this way, users can use the
simple and meaningful domain names instead of the complicated IPv6 addresses to access
hosts by resolution of the DNS server on the network.
The device can function as an IPv6 DNS client and IPv6 DNS proxy or relay.
RouterA
IPv6 DNS Client
RouterB
IPv6 DNS Client
As shown in Figure 10-1, the industrial switch router functions as an IPv6 DNS client and
supports static and dynamic domain name resolution.
l Static domain name resolution: Mappings between domain names and IPv6 addresses are
configured manually. To obtain the IPv6 address by resolving a domain name, the DNS
client searches the static domain name resolution table for the specified domain name.
l Dynamic domain name resolution: Dynamic domain name resolution is implemented by
a DNS server. The DNS server receives domain name resolution requests from DNS
clients. The DNS server searches for the corresponding IPv6 address of the domain name
in its DNS database. If no matching entry is found, it sends a query message to a higher-
level DNS server. This process continues until the DNS server finds the corresponding
IPv6 address or detects that the corresponding IPv6 address of the domain name does not
exist. Then the DNS server returns a result to the DNS client.
The industrial switch router IPv6 domain name resolution system must support the
following DNS query modes:
– AAAA query
– IPv6 PTR query.
– A6 query
Internet
As shown in Figure 10-2, an IPv6 DNS client on the LAN can connect to an external IPv6
DNS server through the industrial switch router enabled with IPv6 DNS proxy or relay. After
the external DNS server translates the domain name of the IPv6 DNS client to an IP address,
the IPv6 DNS client can access the Internet.
IPv6 DNS relay is similar to IPv6 DNS proxy. The difference is that the IPv6 DNS proxy
searches for DNS entries saved in the domain name cache after receiving DNS query
messages from DNS clients. The IPv6 DNS relay, however, directly forwards DNS query
messages to the DNS server, reducing the cache usage.
License Support
DNSv6 is a basic feature of the device and is not under license control.
Context
NOTE
Procedure
Step 1 Run:
system-view
----End
Context
The DNS client needs to complete dynamic domain name resolution through the DNS server.
During dynamic domain name resolution, the DNS server needs to provide the mapping
between domain names and IPv6 addresses and receive domain name resolution requests from
clients.
Configuring dynamic domain name resolution involves enabling dynamic domain name
resolution, configuring an IPv6 address for the DNS server, configuring an source IPv6
address for the local device, and configuring a domain name suffix. If the local device uses an
IPv6 address allocated by the DHCPv6 server and the information delivered by the DHCPv6
server to the local device contains the DNS server IPv6 address and the domain name suffix
list, you only need to enable dynamic DNS resolution.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dns resolve
Step 3 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]
A maximum of six DNS server IP (IPv4 and IPv6) addresses can be configured on the device.
During dynamic domain name resolution, the device sends a query packet to the DNS servers
according to the order in which they were configured. If the domain name query on the first
DNS server times out, the device sends the query request to the second DNS server.
After the IPv6 address of the local device is specified, the device uses the specified IPv6
address to communicate with the DNS server. If no source IPv6 address is configured, the
DNS client needs to select a source IPv6 address according to the destination address each
time it sends an IPv6 DNS request. If only one route from the DNS server to the device with
an IPv6 address is reachable, you need to specify the source IPv6 address in the DNS query
message when the device sends a DNS query to the DNS server.
----End
Procedure
l Run the display dns configuration command to display the global DNS configurations.
l Run the display ipv6 host command to check the IPv6 static domain name resolution
table.
l Run the display dns server command to check the DNS server configuration.
l Run the display dns domain command to check the domain name suffix list.
----End
Pre-configuration Tasks
Before configuring IPv6 DNS proxy or relay, complete the following tasks:
l Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
l Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up
l Configuring a DNS server
l Configuring routes between the local routing device and the DNS server and between the
local routing device and the IPv6 DNS client
NOTE
Context
IPv6 DNS relay is similar to IPv6 DNS proxy. The IPv6 DNS proxy searches for DNS entries
saved in the domain name cache after receiving IPv6 DNS query packets from IPv6 DNS
clients. The IPv6 DNS relay, however, directly forwards IPv6 DNS query packets to the DNS
server, reducing the cache usage.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dns proxy enable or dns relay enable
Step 3 Run:
dns resolve
Step 4 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]
The DNS server that the IPv6 DNS proxy or relay connects to is configured.
----End
Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IPv6 addresses. Some common domain names are added to the table.
Static domain name resolution can be performed based on the static domain name resolution
table. To obtain the IPv6 address by resolving a domain name, the DNS server searches the
static domain name resolution table. In this manner, the efficiency of domain name resolution
is improved.
Procedure
Step 1 Run:
system-view
----End
Context
If the device is enabled with IPv6 DNS proxy or relay but is not configured with a DNS
server address or has no route to the DNS server, the device does not forward or respond to
DNS query messages from DNS clients. If IPv6 DNS spoofing is enabled, the device uses the
configured IPv6 address to respond to all DNS query messages.
In addition to enabling IPv6 DNS proxy or relay, one of the following requirements must be
met to make IPv6 DNS spoofing take effect:
l No DNS server is configured.
l A DNS server is configured, but dynamic DNS resolution is disabled.
l No route is reachable to the DNS server.
l No source IPv6 address is available for the outbound interface connected to the DNS
server.
If one of the preceding requirements is met, when receiving an AAAA or A6 query, the IPv6
DNS proxy or relay return spoofing reply messages using the configured IPv6 address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dns spoofing ipv6 ipv6-address
IPv6 DNS spoofing is enabled and the IPv6 address in response packets is specified.
----End
Procedure
l Run the display dns configuration command to display the global DNS configurations.
l Run the display ipv6 host command to view the static IPv6 DNS table.
l Run the display dns server command to check the DNS server configuration.
----End
Context
IPv6 DNS entries in the domain name cache cannot be restored after being cleared. Exercise
caution when you run the command.
Procedure
l Run the reset dns ipv6 dynamic-host command to clear dynamic IPv6 DNS entries in
the domain name cache.
----End
Context
IPv6 DNS forwarding entries cannot be restored after being cleared. Exercise caution when
you run the command.
Procedure
l Run the reset dns ipv6 forward table [ source-ip ipv6-address ]command in the user
view to clear IPv6 DNS forwarding entries.
----End
Context
Statistics on sent and received IPv6 DNS packets cannot be restored after being cleared.
Exercise caution when you run the command.
Procedure
l Run the reset dns statistics command to clear statistics on sent and received IPv6 DNS
packets.
----End
Context
In routine maintenance, you can run the following commands in any view to check the
running status of IPv6 DNS.
Procedure
l Run the display dns ipv6 dynamic-host [ domain-name | a6 ] command to check
dynamic IPv6 DNS entries in the domain name cache.
----End
RouterB RouterC
GE1/0/0
GE1/0/0
fc00:1::1/64 fc00:3::1/64
GE1/0/0
fc00:1::2/64 GE2/0/0 GE2/0/0
IPv6 DNS client fc00:2::3/64 DNS server
fc00:2::2/64
RouterA fc00:3::2/64
huawei.com
fc00:2::1/64
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static DNS entries on RouterA to access host B and C.
2. Configure the dynamic DNS resolution on RouterA to access the DNS server.
Procedure
Step 1 Configure RouterA.
# Configure IPv6 function.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc00:1::1/64
[RouterA-GigabitEthernet1/0/0] quit
NOTE
To resolve the domain name, you need to configure the route from RouterA to the IPv6 DNS server. For
details on how to configure the route, see Configure static route example in the Configuration Guide-
IP Routing.
# Run the display ipv6 host command on RouterA. You can view mappings between host
names and IPv6 addresses in static DNS entries.
<RouterA> display ipv6 host
Host Age Flags IPv6Address (es)
RouterB 0 static FC00:1::2
RouterC 0 static FC00:2::3
Run the display dns ipv6 dynamic-host command on RouterA. You can view information
about dynamic IPv6 DNS entries saved in the cache.
<RouterA> display dns ipv6 dynamic-host
Host TTL Type Address(es)
huawei.com 3579 IPv6 FC00:2::1
NOTE
The TTL field in the command output indicates the lifetime of a DNS entry, in seconds.
----End
Configuration File
l Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
ipv6 host RouterB FC00:1::2
ipv6 host RouterC FC00:2::3
#
dns resolve
dns server ipv6 FC00:3::2
dns domain net
dns domain com
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
#
Networking Requirements
As shown in Figure 10-4, Users access the DNS server to resolve domain names through
RouterA enabled with DNS proxy. If the route from RouterA to the DNS server is
unreachable, the IPv6 address configured for DNS spoofing is used to respond to the DNS
query packets.
NOTE
AR500&AR530 can function only as RouterA in this scenario.
HostA
RouterA
GE1/0/0 GE2/0/0
DNS Proxy
fc00:1::2/64 fc00:2::1/64
GE1/0/0
fc00:1::1/64 RouterB DNS Server
fc00:2::2/64
HostB
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IPv6 address for the DNS server on RouterA to forward DNS packets.
2. Configure IPv6 DNS spoofing on RouterA.
Procedure
Step 1 Configure an IPv6 address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc00:1::1 64
[RouterA-GigabitEthernet1/0/0] quit
# Configure a DNS server that the DNS proxy or relay connects to.
[RouterA] dns server ipv6 fc00:2::2
Step 3 Configure DNS spoofing and specify the IPv6 address in response messages as fc00:3::3.
[RouterA] dns spoofing ipv6 fc00:3::3
NOTE
You need to configure a static IPv6 route on the DNS server so that DNS packets can be sent and
received properly.
----End
Configuration File
l Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
#
dns resolve
dns server ipv6 FC00:2::2
dns proxy enable
dns spoofing ipv6 FC00:3::3
#
ipv6 route-static FC00:2:: 64 FC00:1::2
#
return
#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::2/64
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::1/64
#
return
11.2 Principles
11.2.1 Dual Protocol Stack
Dual protocol stack is a technology used for the transition from the IPv4 to IPv6 network.
Nodes on a dual stack network support both IPv4 and IPv6 protocol stacks. A source node
and a destination node use the same protocol stack. Network devices use protocol stacks to
process and forward packets based on the protocol type of packets. You can implement a dual
protocol stack on a unique device or a dual stack backbone network. On the dual stack
backbone network, all devices must support both IPv4 and IPv6 protocol stacks. Interfaces
connecting to the dual stack network must be configured with both IPv4 and IPv6 addresses.
Figure 11-1 shows the structures of an IPv4 stack and a dual protocol stack.
10.1.1.1
Huawei AR Series IOT Gateway
CLI-based Configuration Guide - IP Service 11 IPv6 over IPv4 Tunnel Configuration
In Figure 11-2, an application that supports dual protocol stack requests an IP address
corresponding to the domain name www.example.com from the DNS server. A host sends a
DNS request packet to the DNS server, requesting the IP address corresponding to the domain
name www.example.com. The DNS server responds with the requested IP address. The IP
address can be 10.1.1.1 or fc00::1. If the host sends a class A query packet, it requests the
IPv4 address from the DNS server. If the host sends a class AAAA query packet, it requests
the IPv6 address from the DNS server.
The router in the figure supports the dual protocol stack and uses the IPv4 protocol stack to
connect the host to the network server with the IPv4 address 10.1.1.1. The router also uses the
IPv6 protocol stack to connect the host to the network server with the IPv6 address fc00::1.
Figure 11-3 Networking diagram for applying the IPv6 over IPv4 tunnel
1. On the border device, the IPv4/IPv6 dual protocol stack is enabled, and an IPv6 over
IPv4 tunnel is configured.
2. After the border device receives a packet from the IPv6 network, the device appends an
IPv4 header to the IPv6 packet to encapsulate the IPv6 packet as an IPv4 packet if the
destination address of the IPv6 packet is not the device and the outbound interface of the
next hop is the tunnel interface.
3. On the IPv4 network, the encapsulated packet is transmitted to the remote border device.
4. The remote border device decapsulates the packet, removes the IPv4 header, and sends
the decapsulated IPv6 packet to the IPv6 network.
A tunnel is established when its start and end points are determined. You must manually
configure an IPv4 address at the start point of an IPv6 over IPv4 tunnel. The IPv4 address at
the end point of the tunnel can be determined manually or automatically. Based on the mode
in which the end point IPv4 address is obtained, IPv6 over IPv4 tunnels classify into manual
tunnels and automatic tunnels.
l Manual tunnel: If a tunnel is created manually, a border router cannot automatically
obtain an IPv4 address at the end point. You must manually configure an end point IPv4
address before packets can be transmitted to the remote border router.
l Automatic tunnel: If a tunnel is created automatically, a border router can automatically
obtain an IPv4 address at the end point. The addresses of two interfaces on both ends of
the tunnel are IPv6 addresses with IPv4 addresses embedded. The border router extracts
IPv4 addresses from destination IPv6 addresses.
Manual Tunnel
Based on encapsulation modes of IPv6 packets, manual tunnels classify into IPv6 over IPv4
manual tunnels or IPv6 over IPv4 Generic Routing Encapsulation (GRE) tunnels.
IPv6 over IPv4 Manual Tunnel
The border router uses the received IPv6 packet as the payload and encapsulates the IPv6
packet as an IPv4 packet. You must manually specify the source and destination addresses of
a manual tunnel. A manual tunnel is created between two border routers to connect IPv4
isolated IPv6 sites, or created between a border router and a host to enable the host to access
an IPv6 network. Hosts and border routers on both ends of a manual tunnel must support the
IPv4/IPv6 dual protocol stack. Other devices only need to support a single protocol stack. If
you create multiple IPv6 over IPv4 manual tunnels between one border router and multiple
hosts, the configuration workload is heavy. Therefore, an IPv6 over IPv4 manual tunnel is
commonly created between two border routers to connect IPv6 networks.
Figure 11-4 shows the encapsulation format of an IPv6 over IPv4 packet.
The forwarding mechanism of an IPv6 over IPv4 manual tunnel is as follows: After a border
router receives a packet from the IPv6 network, it searches the destination address of the IPv6
packet in the routing and forwarding table. If the packet is forwarded from a virtual tunnel
interface, the router encapsulates the packet based on the source and destination IPv4
addresses configured on the interface. The IPv6 packet is encapsulated as an IPv4 packet and
processed by the IPv4 protocol stack. The encapsulated packet is forwarded through the IPv4
network to the remote end of the tunnel. After the border router on the remote end of the
tunnel receives the encapsulated packet, it decapsulates the packet and processes the packet
using the IPv6 protocol stack.
IPv6 over IPv4 GRE Tunnel
An IPv6 over IPv4 GRE tunnel uses the standard GRE tunneling technology to provide P2P
connections. You must manually specify addresses for both ends of the tunnel. Any types of
protocol packets that GRE supports can be encapsulated and transmitted through a GRE
tunnel. The protocols may include IPv4, IPv6, Open Systems Interconnection (OSI), and
Multiprotocol Label Switching (MPLS).
Figure 11-5 shows the encapsulation and transmission process on an IPv6 over IPv4 GRE
tunnel.
IPv4
IPv6 IPv6
GRE Tunnel
The forwarding mechanism of an IPv6 over IPv4 GRE tunnel is the same as that of an IPv6
over IPv4 manual tunnel. For details, see the Configuration Guide - VPN.
Automatic Tunnel
You only need to configure the start point of an automatic tunnel, and the device
automatically obtains the end point of the tunnel. The tunnel interface uses a special form of
IPv6 address with an IPv4 address embedded. The device obtains the IPv4 address from the
destination IPv6 address and uses the IPv4 address as the end point address of the tunnel.
Based on the encapsulation modes of IPv6 packets, automatic tunnels classify into IPv4-
compatible IPv6 automatic tunnels, IPv6-to-IPv4 tunnels, and Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP) tunnels.
IPv4-compatible IPv6 Automatic Tunnel
For an IPv4-compatible IPv6 automatic tunnel, the destination address contained in an IPv6
packet is an IPv4-compatible IPv6 address. The first 96 bits of an IPv4-compatible IPv6
address are all 0s and the last 32 bits are the IPv4 address. Figure 11-6 shows the format of an
IPv4-compatible IPv6 address.
0 IPv4 address
96 bit 32 bit
Figure 11-7 shows the forwarding mechanism of an IPv4-compatible IPv6 automatic tunnel.
IPv4
1.1.1.1/24 2.1.1.1/24
IPv4-Compatible IPv6 Tunnel
::1.1.1.1/96 ::2.1.1.1/96
Router A Router B
After receiving an IPv6 packet, Router A searches the routing table for the destination
address ::2.1.1.1 and finds that the next hop address is a virtual tunnel interface address.
Router A then encapsulates the IPv6 packet as an IPv4 address because the tunnel configured
on Router A is an IPv4-compatible IPv6 automatic tunnel. The source address of the
encapsulated IPv4 address is the start point address of the tunnel 1.1.1.1, and the destination
address is 2.1.1.1, which is the last 32 bits of the IPv4-compatible IPv6 address. Router A
sends the packet through the tunnel interface and forwards it on an IPv4 network to the
destination address 2.1.1.1 (Router B). Router B receives the packet, obtains the IPv6 packet,
and processes the IPv6 packet using the IPv6 protocol stack. Router B returns packets to
Router A in the same way.
NOTE
If the IPv4 address contained in an IPv4-compatible IPv6 address is a broadcast address, multicast
address, network broadcast address, subnet broadcast address of an outbound interface, address of all 0s,
or loopback address, the IPv6 packet will be discarded.
To deploy an IPv4-compatible IPv6 tunnel, each host must have a valid IP address, and hosts
that communicate with each other must support dual protocol stacks and IPv4-compatible
IPv6 tunnels. Therefore, it is unsuitable for large-scale networks. Currently, the IPv4-
compatible IPv6 tunnel has been replaced by the IPv6-to-IPv4 tunnel.
IPv6-to-IPv4 Tunnel
An IPv6-to-IPv4 tunnel also uses an IPv4 address that is embedded in an IPv6 address. Unlike
IPv4-compatible IPv6 tunnels, you can create IPv6-to-IPv4 tunnels between two routers, a
router and a host, and two hosts. An IPv6-to-IPv4 address uses the IPv4 address as the
network ID. Figure 11-8 shows the format of an IPv6-to-IPv4 address.
FP TLA
IPv4 address SLA ID Interface ID
001 0x0002
IPv4
6to4 6to4 tunnel 6to4
One IPv4 address can be used as the source address of only one IPv6-to-IPv4 tunnel. When a
border device connects to multiple IPv6-to-IPv4 networks using the same IPv4 address as the
source address of the tunnel, the IPv6-to-IPv4 networks share a tunnel and are identified by
SLA ID in the IPv6-to-IPv4 address. Figure 11-10 details this configuration.
6to4
IPv4
6to4
6to4 tunnel
6to4 Router
6to4 Router
6to4 2002:IPv4-Addr2::/48
Backed by the advance of IPv6 networks, IPv6 hosts need to communicate with IPv4 hosts
through IPv6-to-IPv4 networks. It can be implemented by deploying IPv6-to-IPv4 relays.
When the destination address of an IPv6 packet forwarded through an IPv6-to-IPv4 tunnel is
not an IPv6-to-IPv4 address, but the next hop address is an IPv6-to-IPv4 address, the next hop
router is an IPv6-to-IPv4 relay. The device obtains the destination IPv4 address from the next
hop IPv6-to-IPv4 address. Figure 11-11 shows an IPv6-to-IPv4 relay.
IPv4-Addr 1 IPv4-Addr 2
IPv6 Network
IPv4
6to4 Net-2
6to4 tunnel
2002:IPv4-Addr1:2::/64
When hosts on IPv6-to-IPv4 network 2 want to communicate with hosts on the IPv6 network,
configure the next hop address as the IPv6-to-IPv4 address of the IPv6-to-IPv4 relay on the
border router. The IPv6-to-IPv4 address matches the source address of the IPv6-to-IPv4
tunnel. Packets sent from IPv6-to-IPv4 network 2 to the IPv6 network are sent to the IPv6-to-
IPv4 relay router according to the routing table. The IPv6-to-IPv4 relay router then forwards
packets to the pure IPv6 network. When hosts on the IPv6 network send packets to IPv6-to-
IPv4 network 2, the IPv6-to-IPv4 relay router appends IPv4 headers to the packets and
forwards the packets to the destination addresses (IPv6-to-IPv4 addresses).
ISATAP Tunnel
ISATAP is another automatic tunneling technology. The ISATAP tunnel uses a specially
formatted IPv6 address with an IPv4 address embedded into it. Different from the IPv6-to-
IPv4 address that uses the IPv4 address as the network prefix, the ISATAP address uses the
IPv4 address as the interface ID. Figure 11-12 shows the format of the interface ID of an
ISATAP address.
The "u" bit in the IPv4 address that is globally unique is set to 1. Otherwise, the "u" bit is set
to 0. "g" is the individual/group bit. An ISATAP address contains an interface ID and it can be
a global unicast address, link-local address, ULA address, or multicast address. The device
obtains the first 64 bits of an ISATAP address by sending Request packets to the ISATAP
router. Devices on both ends of the ISATAP tunnel run the Neighbor Discovery (ND)
protocol. The ISATAP tunnel considers the IPv4 network as a non-broadcast multiple access
(NBMA) network.
ISATAP allows IPv6 networks to be deployed within existing IPv4 networks, which is simple
and makes networks easily expandable. ISATAP is suitable for transitions of local sites and
supports local routing within IPv6 sites, global IPv6 routing domains, and automatic IPv6
tunnels. ISATAP can be used together with NAT to allow the use of an IPv4 address that is not
globally unique within the site. Typically, an ISATAP tunnel is used within the site, and does
not require a globally unique IPv4 address embedded.
Host B
10.1.2.5
FE80::5EFE:0A01:0205
1::5EFE:0A01:0205
GE1/0/0
10.1.2.1 l
Host A ne
un
ISATAP Tunnel
3::8 PT
TA
ISA
IPv6 IPv4
ISATAP Router
Host C
Tunnel 1
10.1.2.6
FE80::5EFE:0A01:0201
FE80::5EFE:0A01:0206
1::5EFE:0A01:0201
1::5EFE:0A01:0206
In Figure 11-13, Host B and Host C are located on an IPv4 network. They both support dual
protocol stacks and have private IPv4 addresses. You can perform the following operations to
enable the ISATAP function on Host B and Host C:
License Support
IPv6 over IPv4 tunnel functions are basic function of routers and can be obtained without
licenses.
Context
To enable an interface to forward IPv6 packets, enable IPv6 packet forwarding in the system
view and in the interface view.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 attributes of an interface.
----End
Prerequisites
Source and destination devices of an IPv6 over IPv4 tunnel must have forwarding routes.
Pre-configuration Tasks
Before configuring an IPv6 over IPv4 tunnel, complete the following task:
l 11.4 Configuring the IPv4/IPv6 Dual Stack
Configuration Process
You can perform the following configuration tasks in any sequence according to usage
scenarios shown in Table 11-1.
IPv6 over IPv4 GRE Source and IPv6 address Applies to simple
tunnel destination IP IPv6 networks or
addresses use point-to-point
manually configured connections. The
IPv4 addresses. IPv6 over IPv4 GRE
tunnel supports
multiple upper-layer
protocols including
IPv6.
Automatic IPv6 over The source IP IPv6 address that is Applies to point-to-
IPv4 tunnel address uses a compatible with an multipoint
manually configured IPv4 address in the connections of IPv6
IPv4 address, and format of ::IPv4- hosts.
the destination source-address/96
address is
automatically
generated.
Context
When configuring a manual IPv6 over IPv4 tunnel, note the following points:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface tunnel interface-number
Step 3 Run:
tunnel-protocol ipv6-ipv4
Step 4 Run:
source { ip-address | interface-type interface-number }
NOTE
You can specify a physical interface or a loopback interface as the source interface of a tunnel. Similarly,
you can specify the IP address of a physical interface or loopback interface as the source address of the
tunnel.
Step 5 Run:
destination dest-ip-address
NOTE
The destination address of a tunnel can be the IP address of a physical interface or loopback interface.
Step 6 Run:
ipv6 enable
Step 7 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
----End
Context
When configuring an automatic IPv6 over IPv4 tunnel, pay attention to the following points:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface tunnel interface-number
Step 3 Run:
tunnel-protocol ipv6-ipv4 auto-tunnel
Step 4 Run:
source { ip-address | interface-type interface-number }
Step 5 Run:
ipv6 enable
Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
----End
Context
When configuring a 6to4 tunnel, note the following points:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface tunnel interface-number
Step 3 Run:
tunnel-protocol ipv6-ipv4 6to4
Step 4 Run:
source { source-ip-address | interface-type interface-number }
Step 5 Run:
ipv6 enable
Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
NOTE
The IPv6 address prefix of the specified tunnel interface must be the same as the address prefix of the
6to4 network that the device belongs to.
----End
Follow-up Procedure
Connect to an IPv6 network through a 6to4 relay agent. The procedure for connecting to an
IPv6 network through a 6to4 relay agent is similar to the procedure for configuring a 6to4
tunnel. For details, see Example for Configuring 6to4 Relay.
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display ipv6 interface tunnel interface-number command to check IPv6
attributes of a tunnel interface.
----End
Procedure
l Run the display ipv6 interface tunnel interface-number command in any view to
monitor the running status of the tunnel interface.
----End
Figure 11-14 Networking diagram for configuring a manual IPv6 over IPv4 tunnel
IPv4
network
GE1/0/0 GE2/0/0
192.168.50.1/24 192.168.51.1/24
Router B
GE1/0/0 GE1/0/0
192.168.50.2/24 192.168.51.2/24
Dual Dual
Stack Stack
IPv6 RouterA RouterC IPv6
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the
IPv4 backbone network.
2. Configure IPv6 addresses, source interfaces, and destination addresses for tunnel
interfaces so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to IPv6-IPv4 so that hosts on the two IPv6 networks can
communicate through the IPv4 backbone network.
Procedure
Step 1 Configure RouterA.
# Configure an IPv6 address, a source interface, and a destination address for the tunnel
interface.
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 2001::1/64
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] destination 192.168.51.2
[RouterA-Tunnel0/0/1] quit
# Configure an IPv6 address, a source interface, and a destination address for the tunnel
interface.
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address 2001::2/64
[RouterC-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterC-Tunnel0/0/1] destination 192.168.50.2
[RouterC-Tunnel0/0/1] quit
# Ping the IPv6 address of Tunnel0/0/1 on RouterA from RouterC. RouterC can receive a
Reply packet from RouterA.
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 192.168.50.2 255.255.255.0
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address 2001::1/64
tunnel-protocol ipv6-ipv4
source GigabitEthernet1/0/0
destination 192.168.51.2
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return
ipv6 enable
ipv6 address 2001::2/64
tunnel-protocol ipv6-ipv4
source GigabitEthernet1/0/0
destination 192.168.50.2
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
Networking Requirements
As shown in Figure 11-15, two IPv6 networks connect to RouterB on an IPv4 backbone
network respectively through RouterA and RouterC. An IPv6 over IPv4 GRE tunnel needs to
be set up between RouterA and RouterC so that hosts on the two IPv6 networks can
communicate.
Figure 11-15 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel
RouterB
GE1/0/0 GE2/0/0
10.1.1.2/24 10.1.2.1/24
GE1/0/0 GE1/0/0
10.1.1.1/24 10.1.2.2/24
RouterA GRE Tunnel RouterC
GE2/0/0 Tunnel0/0/1 Tunnel0/0/1 GE2/0/0
fc01::1/64 fc02::1/64 fc02::2/64 fc03::1/64
PC1
PC2
fc01::2/64 fc03::2/64
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the
IPv4 network.
2. Create tunnel interfaces on RouterA and RouterC, set up a GRE tunnel between them,
and specify the source and destination addresses of the tunnel interfaces, so that
encapsulated packets can be forwarded using OSPF routes. The source address is the IP
address of the interface sending packets, and the destination address is the IP address of
the interface receiving packets.
3. Configure static routes on RouterA and RouterC, so that traffic between PC1 and PC2
can be forwarded through the GRE tunnel. Set the destination address to the network
segment connected to the peer PC and the outbound interface to the tunnel interface on
the local device.
Procedure
Step 1 Configure an IP address for each physical interface.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] ipv6
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] undo portswitch
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address fc01::1 64
[RouterA-GigabitEthernet2/0/0] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] undo portswitch
[RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] undo portswitch
[RouterC-GigabitEthernet1/0/0] ip address 10.1.2.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] ipv6
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] undo portswitch
[RouterC-GigabitEthernet2/0/0] ipv6 enable
[RouterC-GigabitEthernet2/0/0] ipv6 address fc03::1 64
[RouterC-GigabitEthernet2/0/0] quit
# Configure RouterC.
[RouterC] ip route-static 10.1.1.1 255.255.255.0 10.1.2.1
# Configure RouterC.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address fc02::2 64
[RouterC-Tunnel0/0/1] source 10.1.2.2
[RouterC-Tunnel0/0/1] destination 10.1.1.1
[RouterC-Tunnel0/0/1] quit
# Configure RouterC.
[RouterC] ipv6 route-static fc01::1 64 tunnel 0/0/1
# Ping the IPv6 address of RouterA from RouterC. RouterC can receive a Reply packet from
RouterA.
[RouterC] ping ipv6 fc01::1
PING fc01::1 : 56 data bytes, press CTRL_C to break
Reply from fc01::1
bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from fc01::1
bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from fc01::1
bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from fc01::1
bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from fc01::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- fc01::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address fc01::1/64
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address fc02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
#
Figure 11-16 Networking diagram for configuring an automatic IPv6 over IPv4 tunnel
IPv4
Dual Dual
Stack Stack
RouterA GE1/0/0 GE1/0/0 RouterB
2.1.1.1/8 2.1.1.2/8
Tunnel0/0/1 Tunnel0/0/1
IPv6 ::2.1.1.1/96 ::2.1.1.2/96 IPv6
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the
IPv4 backbone network.
2. Configure IPv6 addresses and source interfaces for tunnel interfaces so that devices can
communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to automatic so that hosts on the two IPv6 networks can
communicate through the IPv4 network.
Procedure
Step 1 Configure RouterA.
# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-GigabitEthernet1/0/0] quit
# View the IPv6 status of tunnel0/0/1 on RouterA. You can see that the tunnel status is Up.
[RouterA] display ipv6 interface tunnel 0/0/1
Tunnel0/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
Global unicast address(es):
::2.1.1.1, subnet is ::/96
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
# Ping the IPv6 address of the peer device that is compatible with the IPv4 address from
RouterA. The IPv6 address is pinged successfully.
[RouterA] ping ipv6 ::2.1.1.2
PING ::2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from ::2.1.1.2
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from ::2.1.1.2
bytes=56 Sequence=2 hop limit=64 time = 40 ms
Reply from ::2.1.1.2
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from ::2.1.1.2
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from ::2.1.1.2
bytes=56 Sequence=5 hop limit=64 time = 50 ms
--- ::2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/34/50 ms
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 2.1.1.1 255.0.0.0
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address ::2.1.1.1/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source GigabitEthernet1/0/0
#
return
IPv4
GE1/0/0 GE1/0/0
2.1.1.1 2.1.1.2
RouterA RouterB
GE2/0/0 GE2/0/0
2002:201:101:1::1/64 2001::1/64
Tunnel 0/0/1 Tunnel0/0/1
2002:201:101::1/64 2002:201:102::1/64
2002:201:101:1::2 2002:201:102:1::2
PC1 PC2
IPv6 IPv6
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on routers so that they can access the IPv4 network
and the IPv6 network.
2. Configure a 6to4 tunnel on routers to connect IPv6 networks through the IPv4 backbone
network.
3. Configure a static route between RouterA and RouterB so that they can communicate
through the IPv4 backbone network.
Procedure
Step 1 Configure RouterA.
# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] undo portswitch
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] quit
[RouterA-Tunnel0/0/1] quit
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source GigabitEthernet1/0/0
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 0/0/1
#
return
ISATAP
Router
IPv6 IPv4
network network
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on the router so that the router can communicate with
devices on the IPv4 and IPv6 networks.
2. Configure an ISATAP tunnel on the router so that IPv6 hosts on the IPv4 network can
communicate with IPv6 hosts on the IPv6 network.
3. Configure a static route.
Procedure
Step 1 Configure the ISATAP router.
# Enable the IPv4/IPv6 dual stack and configure an IP address for each interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ipv6 enable
[Router-GigabitEthernet1/0/0] ipv6 address fc01::1/64
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 2.1.1.1 255.0.0.0
[Router-GigabitEthernet2/0/0] quit
The preceding information shows that the host obtains the prefix 2001::/64 and generates the
address 2001::200:5efe:2.1.1.2, and the ISATAP tunnel has been set up successfully.
Step 3 Configure the IPv6 host.
# Configure a static route to the border router tunnel on the IPv6 host so that PCs on two
different networks can communicate through the ISATAP tunnel.
C:\> netsh interface ipv6 set route 2001::/64 fc01::1
# Ping the global unicast address of the tunnel interface on the ISATAP host running Windows
XP operating system from the ISATAP router.
[Router] ping ipv6 2001::5efe:2.1.1.2
PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from 2001::5EFE:201:102
bytes=56 Sequence=1 hop limit=64 time = 4 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=2 hop limit=64 time = 3 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=4 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=5 hop limit=64 time = 2 ms
--- 2001::5efe:2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/4 ms
# Ping the global unicast address of the ISATAP router from the ISATAP host running
Windows XP operating system.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1
from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Ping statistics for 2001::5efe:2.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Ping the IPv6 host from the ISATAP host running Windows XP operating system. They can
ping each other.
C:\> ping6 fc01::2
Pinging fc01::2 with 32 bytes of data:
Reply from fc01::2: time<1ms
Reply from fc01::2: time<1ms
Reply from fc01::2: time<1ms
Reply from fc01::2: time<1ms
Ping statistics for fc01::2:
----End
Configuration Files
Configuration file of the ISATAP router
#
sysname ISATAP
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address fc01::1/64
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 2.1.1.1 255.0.0.0
#
interface Tunnel0/0/2
ipv6 enable
ipv6 address 2001::/64 eui-64
undo ipv6 nd ra halt
tunnel-protocol ipv6-ipv4 isatap
source GigabitEthernet2/0/0
#
return
During the later stage of IPv4 to IPv6 transition, the IPv4 over IPv6 tunnel is used to connect
isolated IPv4 sites.
Figure 12-1 Networking diagram for applying the IPv4 over IPv6 tunnel
Dual Stack Dual Stack
Router IPv6
Router
network
IPv4 IPv4
network IPv4 over IPv6 Tunnel network
IPv4 IPv4
Host Host
1. On the border device, the IPv4/IPv6 dual protocol stack is enabled and the IPv4 over
IPv6 tunnel is configured.
2. After the border device receives a packet not destined for it from the IPv4 network, the
device appends an IPv6 header to the IPv4 packet and encapsulates the IPv4 packet as an
IPv6 packet.
3. On the IPv6 network, the encapsulated packet is transmitted to the remote border device.
4. The remote border device decapsulates the packet, removes the IPv6 header, and sends
the decapsulated IPv4 packet to the IPv4 network.
License Support
IPv4 over IPv6 tunnel functions are basic function of routers and can be obtained without
licenses.
Pre-configuration Tasks
Before configuring an IPv4 over IPv6 tunnel, complete the following task:
Context
Configuring a tunnel interface includes configuring the protocol type, source address, and
destination address and IP address.
NOTE
The device does not support fragmentation of packets that are transmitted over the IPv4 over IPv6
tunnel. Therefore, the IPv4 MTU of the tunnel interface must meet the following conditions:
IPv4 MTU of the tunnel interface < ( IPv6 MTU of the physical interface - Header length of IPv6
packets on the IPv4 over IPv6 tunnel )
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 4 Run:
tunnel ipv4-ipv6 flow-label label-value
Step 5 Run:
tunnel ipv4-ipv6 hop-limit hop-limit
Step 6 Run:
tunnel ipv4-ipv6 traffic-class { original | class-value }
----End
Prerequisites
All configurations of the IPv4 over IPv6 tunnel are complete.
Procedure
l Run the display interface tunnel [ interface-number ] command to check the running
status of the tunnel interface.
l Run the display ip routing-table command to check the routing table.
----End
Context
In routine maintenance, you can run the following command in any view to monitor the
running status of the IPv4 over IPv6 tunnel.
Procedure
l Run the display interface tunnel [ interface-number] command in any view to monitor
the running status of the tunnel interface.
----End
Figure 12-2 Networking diagram for configuring an IPv4 over IPv6 tunnel
IPv6
IPv4 network
network GE1/0/0 GE1/0/0
GE1/0/0 RT2 fc00:1::2/64 RT3 fc00:2::2/64 RT4
10.1.2.1/30
GE1/0/0 GE2/0/0 GE2/0/0
RT1 10.1.2.2/30 fc00:1::1/64 fc00:2::1/64 GE2/0/0
10.1.3.1/30
GE1/0/0
10.1.3.2/30
RT5
IPv4
network
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4 over IPv6 tunnel on the border devices at both ends of the IPv6
network.
2. Use a dynamic routing protocol to configure a route for the tunnel interface to forward
packets.
Procedure
Step 1 Configure an IPv6 address for the physical interface and enable IPv6 capability for IS-IS on
the IPv6 network to implement IP connectivity of the IPv6 network.
# Configure RT2.
<Huawei> system-view
[Huawei] sysname RT2
[RT2] ipv6
[RT2] interface gigabitethernet 2/0/0
[RT2-GigabitEthernet2/0/0] undo portswitch
[RT2-GigabitEthernet2/0/0] ipv6 enable
[RT2-GigabitEthernet2/0/0] ipv6 address fc00:1::1 64
[RT2-GigabitEthernet2/0/0] quit
[RT2] isis 1
[RT2-isis-1] network-entity 10.0000.0000.0001.00
[RT2-isis-1] ipv6 enable topology standard
[RT2-isis-1] quit
[RT2] interface gigabitethernet 2/0/0
[RT2-GigabitEthernet2/0/0] isis ipv6 enable 1
[RT2-GigabitEthernet2/0/0] quit
# Configure RT3.
<Huawei> system-view
[Huawei] sysname RT3
[RT3] ipv6
[RT3] interface gigabitethernet 1/0/0
[RT3-GigabitEthernet1/0/0] undo portswitch
[RT3-GigabitEthernet1/0/0] ipv6 enable
[RT3-GigabitEthernet1/0/0] ipv6 address fc00:1::2 64
[RT3-GigabitEthernet1/0/0] quit
[RT3] interface gigabitethernet 2/0/0
[RT3-GigabitEthernet2/0/0] undo portswitch
[RT3-GigabitEthernet2/0/0] ipv6 enable
[RT3-GigabitEthernet2/0/0] ipv6 address fc00:2::1 64
[RT3-GigabitEthernet2/0/0] quit
[RT3] isis 1
[RT3-isis-1] network-entity 10.0000.0000.0002.00
[RT3-isis-1] ipv6 enable topology standard
[RT3-isis-1] quit
[RT3] interface gigabitethernet 1/0/0
[RT3-GigabitEthernet1/0/0] isis ipv6 enable 1
[RT3-GigabitEthernet1/0/0] quit
[RT3] interface gigabitethernet 2/0/0
[RT3-GigabitEthernet2/0/0] isis ipv6 enable 1
[RT3-GigabitEthernet2/0/0] quit
# Configure RT4.
<Huawei> system-view
[Huawei] sysname RT4
[RT4] ipv6
[RT4] interface gigabitethernet 1/0/0
[RT4-GigabitEthernet1/0/0] undo portswitch
[RT4-GigabitEthernet1/0/0] ipv6 enable
[RT4-GigabitEthernet1/0/0] ipv6 address fc00:2::2 64
[RT4-GigabitEthernet1/0/0] quit
[RT4] isis 1
[RT4-isis-1] network-entity 10.0000.0000.0003.00
[RT4-isis-1] ipv6 enable topology standard
[RT4-isis-1] quit
[RT4] interface gigabitethernet 1/0/0
[RT4-GigabitEthernet1/0/0] isis ipv6 enable 1
[RT4-GigabitEthernet1/0/0] quit
Step 2 Configure an IPv4 address for the physical interface and configure OSPF on the IPv4 network
to implement IP connectivity of the IPv4 network.
# Configure RT1.
<Huawei> system-view
[Huawei] sysname RT1
[RT1] interface gigabitethernet 1/0/0
[RT1-GigabitEthernet1/0/0] undo portswitch
[RT1-GigabitEthernet1/0/0] ip address 10.1.2.2 30
[RT1-GigabitEthernet1/0/0] quit
[RT1] ospf 1
[RT1-ospf-1] area 0
[RT1-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3
# Configure RT2.
[RT2] interface gigabitethernet 1/0/0
[RT2-GigabitEthernet1/0/0] undo portswitch
[RT2-GigabitEthernet1/0/0] ip address 10.1.2.1 30
[RT2-GigabitEthernet1/0/0] quit
[RT2] ospf 1
[RT2-ospf-1] area 0
[RT2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3
# Configure RT4.
[RT4] interface gigabitethernet 1/0/0
[RT4-GigabitEthernet1/0/0] ip address 10.1.3.1 30
[RT4-GigabitEthernet1/0/0] quit
[RT4] ospf 1
[RT4-ospf-1] area 0
[RT4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3
# Configure RT5.
<Huawei> system-view
[Huawei] sysname RT5
[RT5] interface gigabitethernet 1/0/0
[RT5-GigabitEthernet1/0/0] undo portswitch
[RT5-GigabitEthernet1/0/0] ip address 10.1.3.2 30
[RT5-GigabitEthernet1/0/0] quit
[RT5] ospf 1
[RT5-ospf-1] area 0
[RT5-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3
# Create a tunnel interface, and configure an IPv4 address, a source IPv6 address (or source
interface), and a destination IPv6 address for the tunnel interface.
# Configure RT2.
[RT2] interface tunnel 0/0/2
[RT2-Tunnel0/0/2] tunnel-protocol ipv4-ipv6
[RT2-Tunnel0/0/2] ip address 10.1.1.1 30
[RT2-Tunnel0/0/2] source gigabitethernet 2/0/0
[ET2-Tunnel0/0/2] destination fc00:2::2
# Configure RT4.
[RT4] interface tunnel 0/0/1
[RT4-Tunnel0/0/1] tunnel-protocol ipv4-ipv6
[RT4-Tunnel0/0/1] ip address 10.1.1.2 30
[RT4-Tunnel0/0/1] source gigabitethernet 1/0/0
[ET4-Tunnel0/0/1] destination fc00:1::1
Step 4 Use a dynamic routing protocol to configure a route for the tunnel interface to forward
packets.
# Configure RT2.
[RT2] ospf 1
[RT2-ospf-1] area 0
[RT2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[RT2-ospf-1-area-0.0.0.0] quit
[RT2-ospf-1] quit
# Configure RT4.
[RT4] ospf 1
[RT4-ospf-1] area 0
[RT4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
# After the preceding configurations are complete, check the tunnel interface status on RT2
and RT4.
[RT2] display interface tunnel 0/0/2
Tunnel0/0/2 current state : UP
Line protocol current state : UP
Last line protocol up time: 2010-06-22, 19:33:19
Description : HUAWEI, AR Series, Tunnel0/0/2 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPv4) over IPv6
Tunnel Source fc00:1::1 (GigabitEthernet2/0/0)
Tunnel Destination fc00:2::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
Current system time: 2012-09-05 10:28:33
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
102 seconds input rate 0 bits/sec, 0 packets/sec
102 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input bandwidth utilization : --
Output bandwidth utilization : --
You can see that the protocol status of the tunnel interface is Up.
You can see that the outbound interface of the route to the remote IPv4 network is a tunnel
interface.
----End
Configuration Files
l Configuration file of RT1
#
sysname RT1
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.1.2.2 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.3
#
return
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address fc00:2::1/64
isis ipv6 enable 1
#
return